feat(attachments infrastructure): Bucket, file scanning, and presigned urls. #176

Merged
merged 2 commits into from
Oct 24, 2023


mdial89f
Contributor

Purpose

The backend has been updated with an uploads service that serves to hold user submitted blob data, along with file scanning capability.

Linked Issues to Close

Closes https://qmacbis.atlassian.net/browse/OY2-25155

Approach

An uploads service has been added. This is very similar to the service seen in other projects, as it primarily consists of an S3 bucket and associated file scanning capability. There are some slight differences, and those will be included in the full details below:

  • An S3 bucket is built.
  • The S3 bucket policy blocks any access that's not over SSL
  • The policy blocks access to any object that is not tagged virusScanStatus:CLEAN, with the exception of the file scanning lambda function, which must access the untagged file to scan it.
  • Two lambdas, a second bucket, and a custom resource comprise the file scanning capability. On each PutObject, the clamav lambda is triggered. It will download the file, scan it, and then tag it as clean if no issues are detected.
  • The file scanning lambda gets its virus definitions from a definition bucket.
  • The definition bucket is populated by a lambda function on a cron. On first deployment, a custom resource will trigger the definition bucket lambda, which does the population, to run immediately.
  • All files are in TypeScript and bundled with esbuild.

A new api endpoint has been added to distribute presigned urls for object upload to the attachments bucket. This is a difference from how access is usually granted, full details below.

  • the new endpoint is added to the existing api.
  • it's a POST route at /getUploadUrl.
  • currently, we're posting an empty object, but may expand to send tags in the future.
  • the endpoint is protected by IAM... you must be authenticated for it to be reachable.
  • the endpoint generates a uuid4, creates a signed PutObject url for the attachments bucket and the uuid4 key, and returns an object consisting of url, bucket, and key.
  • the url is used by the client's browser to upload the file to the bucket, and the bucket and key are sent in the payload to the /submit endpoint to store the file's location

Assorted Notes/Considerations/Learning

None
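
The bucket policy described in the PR description above, as an added example that is not code from this pull request: it builds the two Deny statements (non-SSL access, reads of objects not tagged virusScanStatus:CLEAN) and checks constructed requests against them with a simplified explicit-Deny matcher. The function names, Sids and the use of `aws:PrincipalArn` to exempt the scanning lambda's role are assumptions; resource matching is left out of the model.

```typescript
// Added example: bucket name and role ARN passed in are constructed placeholders.
type Ctx = Record<string, string | undefined>;
interface Statement {
  Sid: string; Effect: "Deny"; Principal: "*";
  Action: string[]; Resource: string[];
  Condition: Record<string, Record<string, string>>;
}

function buildAttachmentsPolicy(bucket: string, scannerRoleArn: string) {
  const objects = `arn:aws:s3:::${bucket}/*`;
  const statements: Statement[] = [
    { // Block any access that is not over SSL/TLS.
      Sid: "DenyInsecureTransport", Effect: "Deny", Principal: "*",
      Action: ["s3:*"], Resource: [`arn:aws:s3:::${bucket}`, objects],
      Condition: { Bool: { "aws:SecureTransport": "false" } },
    },
    { // Block reads of anything not tagged CLEAN, except by the scanner's role.
      // Keys under one operator are ANDed, so both must mismatch for the Deny.
      Sid: "DenyUnscannedReads", Effect: "Deny", Principal: "*",
      Action: ["s3:GetObject"], Resource: [objects],
      Condition: { StringNotEquals: {
        "s3:ExistingObjectTag/virusScanStatus": "CLEAN",
        "aws:PrincipalArn": scannerRoleArn,
      } },
    },
  ];
  return { Version: "2012-10-17", Statement: statements };
}

// Simplified model of explicit-Deny matching (not the full IAM evaluation logic).
// A negated operator such as StringNotEquals is true when the key is absent,
// so an untagged, not-yet-scanned object is denied as well.
function deniedBy(policy: ReturnType<typeof buildAttachmentsPolicy>,
                  action: string, ctx: Ctx): string | null {
  for (const s of policy.Statement) {
    const actionMatch = s.Action.some((a) => a === "s3:*" || a === action);
    const condMatch = Object.keys(s.Condition).every((op) => {
      const keys = s.Condition[op] || {};
      return Object.keys(keys).every((k) =>
        op === "StringNotEquals" ? ctx[k] !== keys[k] : ctx[k] === keys[k]);
    });
    if (actionMatch && condMatch) return s.Sid; // Sid of the Deny that applied
  }
  return null; // no explicit Deny in this policy matched
}
```
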


@hannasage hannasage left a comment

Oooweee! That's a nice PR ya got there!

@mdial89f mdial89f merged commit 328e650 into master Oct 24, 2023
Contributor

🎉 This PR is included in version 1.5.0-val.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
