Merge pull request #314 from nationalarchives/serve-static-assets-fro…

…m-s3

Serve static assets from cloudfront

.env.env_var.template

@@ -24,3 +24,7 @@ export RATELIMIT_STORAGE_URI=memory://
 # record bucket variables
 
 export RECORD_BUCKET_NAME=
+
+export FLASKS3_ACTIVE=False
+export FLASKS3_CDN_DOMAIN=
+export FLASKS3_BUCKET_NAME=

README.md

@@ -162,6 +162,10 @@ Properties configurable at runtime:
 - `SECRET_KEY`: Secret key used for Flask session and security.
 - `DEFAULT_PAGE_SIZE`: set value for no. of records to show on browse/search view.
 - `DEFAULT_DATE_FORMAT`: set value to show date in specific format cross the application. i.e. "DD/MM/YYYY"
+- `RECORD_BUCKET_NAME`: name of s3 bucket that holds all of the record objects themselves
+- `FLASKS3_ACTIVE`: whether to fetch static assets from s3/Cloudfront rather than the usual `url_for`.
+- `FLASKS3_CDN_DOMAIN`: CDN domain to fetch assets from if `FLASKS3_ACTIVE` is set to `True`
+- `FLASKS3_BUCKET_NAME`: S3 bucket assets are uploaded to and served to Cloudfront from.
 
 Calculated values:
 

app/__init__.py

@@ -2,6 +2,7 @@
 from flask_compress import Compress
 from flask_limiter import Limiter
 from flask_limiter.util import get_remote_address
+from flask_s3 import FlaskS3
 from flask_talisman import Talisman
 from govuk_frontend_wtf.main import WTFormsHelpers
 from jinja2 import ChoiceLoader, PackageLoader, PrefixLoader
@@ -14,6 +15,7 @@
     get_remote_address, default_limits=["2 per second", "60 per minute"]
 )
 talisman = Talisman()
+s3 = FlaskS3()
 
 
 def null_to_dash(value):
@@ -49,8 +51,7 @@ def create_app(config_class, database_uri=None):
 
     # Set content security policy
     csp = {
-        "default-src": "'self'",
-        "script-src": ["'self'"],
+        "default-src": f"'self' {app.config['FLASKS3_CDN_DOMAIN']}",
     }
 
     # setup database uri for testing
@@ -60,6 +61,7 @@ def create_app(config_class, database_uri=None):
     # Initialise app extensions
     setup_logging(app)
     db.init_app(app)
+    s3.init_app(app)
     compress.init_app(app)
     limiter.init_app(app)
     talisman.init_app(app, content_security_policy=csp, force_https=force_https)

app/tests/test_config.py

@@ -33,7 +33,10 @@ def test_local_env_vars_config_initialized(monkeypatch):
     monkeypatch.setenv("DEFAULT_PAGE_SIZE", "test_default_page_size")
     monkeypatch.setenv("DEFAULT_DATE_FORMAT", "test_default_date_format")
     monkeypatch.setenv("RATELIMIT_STORAGE_URI", "test_ratelimit_storage_uri")
-    monkeypatch.setenv("RECORD_BUCKET_NAME", "test-bucket")
+    monkeypatch.setenv("RECORD_BUCKET_NAME", "test_record_bucket_name")
+    monkeypatch.setenv("FLASKS3_ACTIVE", "False")
+    monkeypatch.setenv("FLASKS3_CDN_DOMAIN", "test_flasks3_cdn_domain")
+    monkeypatch.setenv("FLASKS3_BUCKET_NAME", "test_flasks3_bucket_name")
 
     config = EnvConfig()
 
@@ -52,6 +55,10 @@ def test_local_env_vars_config_initialized(monkeypatch):
     assert config.DEFAULT_PAGE_SIZE == "test_default_page_size"
     assert config.DEFAULT_DATE_FORMAT == "test_default_date_format"
     assert config.RATELIMIT_STORAGE_URI == "test_ratelimit_storage_uri"
+    assert config.RECORD_BUCKET_NAME == "test_record_bucket_name"
+    assert config.FLASKS3_ACTIVE is False
+    assert config.FLASKS3_CDN_DOMAIN == "test_flasks3_cdn_domain"
+    assert config.FLASKS3_BUCKET_NAME == "test_flasks3_bucket_name"
 
 
 @mock_aws
@@ -69,6 +76,9 @@ def test_aws_secrets_manager_config_initialized(monkeypatch):
             "KEYCLOAK_REALM_NAME": "test_keycloack_realm_name",
             "KEYCLOAK_CLIENT_SECRET": "test_keycloak_client_secret",  # pragma: allowlist secret
             "RECORD_BUCKET_NAME": "test_record_bucket_name",
+            "FLASKS3_ACTIVE": "False",
+            "FLASKS3_CDN_DOMAIN": "test_flasks3_cdn_domain",
+            "FLASKS3_BUCKET_NAME": "test_flasks3_bucket_name",
             "RATELIMIT_STORAGE_URI": "test_ratelimit_storage_uri",
             "DEFAULT_DATE_FORMAT": "test_default_date_format",
             "SECRET_KEY": "test_secret_key",  # pragma: allowlist secret
@@ -111,4 +121,8 @@ def test_aws_secrets_manager_config_initialized(monkeypatch):
     assert config.SECRET_KEY == "test_secret_key"  # pragma: allowlist secret
     assert config.DEFAULT_PAGE_SIZE == "test_default_page_size"
     assert config.DEFAULT_DATE_FORMAT == "test_default_date_format"
-    assert config.RATELIMIT_STORAGE_URI == "test_ratelimit_storage_uri"
+
+    assert config.RECORD_BUCKET_NAME == "test_record_bucket_name"
+    assert config.FLASKS3_ACTIVE is False
+    assert config.FLASKS3_CDN_DOMAIN == "test_flasks3_cdn_domain"
+    assert config.FLASKS3_BUCKET_NAME == "test_flasks3_bucket_name"

configs/base_config.py

@@ -82,5 +82,17 @@ def DEFAULT_DATE_FORMAT(self):
     def RECORD_BUCKET_NAME(self):
         return self._get_config_value("RECORD_BUCKET_NAME")
 
+    @property
+    def FLASKS3_ACTIVE(self):
+        return self._get_config_value("FLASKS3_ACTIVE") == "True"
+
+    @property
+    def FLASKS3_CDN_DOMAIN(self):
+        return self._get_config_value("FLASKS3_CDN_DOMAIN")
+
+    @property
+    def FLASKS3_BUCKET_NAME(self):
+        return self._get_config_value("FLASKS3_BUCKET_NAME")
+
     def _get_config_value(self, variable_name):
         pass

pyproject.toml

@@ -30,6 +30,7 @@ psycopg2-binary = "^2.9.9"
 setuptools = "^69.2.0"
 zappa = "^0.58.0"
 pytest-playwright-visual = "^2.1.2"
+flask-s3 = "^0.3.3"
 
 [tool.poetry.group.dev.dependencies]
 testing-postgresql = "^1.3.0"