Allow 'Internet' for data providers IP #2247

Merged (8 commits), Nov 12, 2024

@JimMadge (Member) commented Oct 21, 2024

✅ Checklist

  • You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
  • You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
  • Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).

🚦 Depends on

#2246

⤴️ Summary

Allows data providers' (as well as research users') IP addresses to be defined as the Azure service tag 'Internet'.

🌂 Related issues

🔬 Tests

Tested on a new deployment. Ingress and Egress blobs anonymous access and with SAS token. Checked download from egress is possible with appropriate SAS token. Checked upload to ingress is possible with appropriate SAS token.

With the storage account set to allow all network connections and blob public access disabled (which is default, but also explicitly set here),

With the storage account URL, you cannot anonymously access the containers

Screenshot 2024-10-31 at 15 35 07

With a valid SAS token you can access the containers and manipulate the data according to the permissions the SAS allows

Screenshot 2024-10-31 at 15 36 09

github-actions bot commented Oct 21, 2024

Coverage report

Files changed (lines missing coverage, where reported):

  • data_safe_haven/config/config_sections.py
  • data_safe_haven/infrastructure/components/wrapped/nfsv3_storage_account.py: 36-41
  • data_safe_haven/infrastructure/programs/sre/data.py: 67, 109-120
  • data_safe_haven/validators/validators.py

This report was generated by python-coverage-comment-action

@JimMadge JimMadge mentioned this pull request Oct 21, 2024
3 tasks
@JimMadge JimMadge marked this pull request as ready for review October 21, 2024 15:29
@JimMadge JimMadge requested review from a team as code owners October 21, 2024 15:29
@JimMadge JimMadge marked this pull request as draft October 22, 2024 09:50
@JimMadge (Member Author) commented

This might be a bit more tricky as storage accounts use IP address ranges and not service tags for restricting external access.

It is possible to allow connection from any network.
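The mismatch described in the comment above, as an added example that is not code from this pull request or the project: a network security group rule can take the 'Internet' service tag directly, while a storage account firewall only takes IP rules, so the tag has to become "allow all networks". The names `resolve_access` and `AccessRules`, the IPv4-only handling and the rejection of mixed input are assumptions of this sketch; the sample addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field

INTERNET_TAG = "Internet"  # the Azure service tag named in the PR summary
RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class AccessRules:
    nsg_source_prefixes: list      # NSG rules take service tags or CIDRs
    storage_default_action: str    # storage firewall default: "Allow" or "Deny"
    storage_ip_rules: list = field(default_factory=list)


def resolve_access(entries):
    """Map configured data-provider addresses onto both rule styles."""
    if INTERNET_TAG in entries:
        if len(entries) != 1:
            # Choice made for this example: the tag may not be mixed with addresses.
            raise ValueError("'Internet' cannot be combined with explicit addresses")
        # A storage firewall has no IP range equivalent to a service tag, so it is
        # opened to all networks; the PR's tests then rely on SAS tokens for access.
        return AccessRules([INTERNET_TAG], "Allow")

    nsg, ip_rules = [], []
    for entry in entries:
        net = ipaddress.IPv4Network(entry)  # ValueError on malformed input
        if any(net.overlaps(private) for private in RFC1918):
            raise ValueError(f"{entry}: storage IP rules need public addresses")
        nsg.append(str(net))
        if net.prefixlen >= 31:
            # Storage IP rules do not take /31 or /32 CIDRs: list the hosts.
            ip_rules.extend(str(addr) for addr in net)
        else:
            ip_rules.append(str(net))
    return AccessRules(nsg, "Deny", ip_rules)


if __name__ == "__main__":
    # Constructed sample values from the documentation address ranges.
    print(resolve_access(["Internet"]))
    print(resolve_access(["203.0.113.7", "198.51.100.0/24", "192.0.2.4/31"]))
```
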

@JimMadge JimMadge added this to the Release 5.0.1 milestone Oct 22, 2024
@JimMadge JimMadge added the release: non-essential Issues that are not essential to close for a release label Oct 22, 2024
Base automatically changed from release-v5.0.1rc1 to latest October 24, 2024 12:28
@JimMadge JimMadge modified the milestones: Release 5.0.1, Release 5.0.2 Oct 24, 2024
@JimMadge JimMadge added enhancement New functionality that should be added to the Safe Haven and removed release: non-essential Issues that are not essential to close for a release labels Oct 24, 2024
@JimMadge JimMadge modified the milestones: Release 5.0.2, Release 5.1.0 Oct 29, 2024
@JimMadge JimMadge removed this from the Release 5.1.0 milestone Oct 31, 2024
@JimMadge JimMadge added the hotfix An issue that should be fixed on a hotfix branch, with a point release label Oct 31, 2024
@JimMadge JimMadge marked this pull request as ready for review October 31, 2024 15:39
@craddm (Contributor) left a comment

LGTM

@jemrobinson (Member) left a comment

Should this be targeting develop instead of latest?

@JimMadge (Member Author) commented

> Should this be targeting develop instead of latest?

I did have it as a hotfix. However, happy to move it to the next minor release as that should be soon, and this does change networking somewhat.

@JimMadge JimMadge changed the base branch from latest to develop November 11, 2024 15:03
@JimMadge JimMadge merged commit 3263453 into develop Nov 12, 2024
11 checks passed
@JimMadge JimMadge deleted the data_providers_internet branch November 12, 2024 10:42