Merge pull request #1219 from NHSDigital/dtoss-12506-production-on-off-switch

gpeng · web-flow · commit 8cb690ad7335 · 2026-03-25T12:49:57.000Z
SERVICE_ENABLED
diff --git a/docs/infrastructure/environment-variables.md b/docs/infrastructure/environment-variables.md
@@ -173,6 +173,10 @@ This value [the SECRET_KEY setting] is the key to securing signed data – it is
 
 To rotate: generate a new random key
 
+## SERVICE_ENABLED
+
+When set to False disables all URLs except those decorated with `service_enabled_exempt`, e.g. /sha and /healthcheck
+
 ## SSL_MODE
 
 [SSL mode](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION) of the client connection to the Postgres server. Set to "require" on deployed environments.
diff --git a/infrastructure/environments/prod/variables.yml b/infrastructure/environments/prod/variables.yml
@@ -3,3 +3,4 @@ BASIC_AUTH_ENABLED: True
 CIS2_SERVER_METADATA_URL: https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/.well-known/openid-configuration
 CSRF_TRUSTED_ORIGINS: 'https://manage-breast-screening.nhs.uk'
 APPLICATIONINSIGHTS_IS_ENABLED: True
+SERVICE_ENABLED: True
diff --git a/manage_breast_screening/config/settings/base.py b/manage_breast_screening/config/settings/base.py
@@ -42,6 +42,8 @@ def list_env(key):
 # SECURE_SSL_REDIRECT is set to False because TLS termination is handled at the Azure Container Apps layer
 SECURE_SSL_REDIRECT = False
 
+SERVICE_ENABLED = boolean_env("SERVICE_ENABLED", default=True)
+
 # SECURITY WARNING: don't run with PERSONAS_ENABLED turned on in production!
 PERSONAS_ENABLED = boolean_env("PERSONAS_ENABLED", default=False)
 
@@ -79,6 +81,7 @@ def list_env(key):
     "django.middleware.security.SecurityMiddleware",
     "whitenoise.middleware.WhiteNoiseMiddleware",
     "manage_breast_screening.core.middleware.exception_logging.CorrelationIdMiddleware",
+    "manage_breast_screening.core.middleware.service_enabled.ServiceEnabledMiddleware",
     "manage_breast_screening.core.middleware.exception_logging.ExceptionLoggingMiddleware",
     "manage_breast_screening.core.middleware.robots.RobotsTagMiddleware",
     "manage_breast_screening.core.middleware.basic_auth.BasicAuthMiddleware",
diff --git a/manage_breast_screening/core/decorators.py b/manage_breast_screening/core/decorators.py
@@ -3,6 +3,7 @@
 
 _basic_auth_exempt_views = set()
 _current_provider_exempt_views = set()
+_service_enabled_exempt_views = set()
 
 
 def basic_auth_exempt(view_func: Callable) -> Callable:
@@ -33,6 +34,20 @@ def is_current_provider_exempt(view_func: Callable) -> bool:
     return view_func_identifier(view_func) in _current_provider_exempt_views
 
 
+def service_enabled_exempt(view_func: Callable) -> Callable:
+    """Mark a view function as exempt from ServiceEnabledMiddleware.
+
+    Uses a registry approach that is decorator-order independent.
+    """
+    _service_enabled_exempt_views.add(view_func_identifier(view_func))
+    return view_func
+
+
+def is_service_enabled_exempt(view_func: Callable) -> bool:
+    """Check if a view function is exempt from ServiceEnabledMiddleware."""
+    return view_func_identifier(view_func) in _service_enabled_exempt_views
+
+
 def view_func_identifier(view_func: Callable) -> str:
     if isinstance(view_func, partial):
         view_func = view_func.func
diff --git a/manage_breast_screening/core/jinja2/503.jinja b/manage_breast_screening/core/jinja2/503.jinja
@@ -0,0 +1,10 @@
+{% extends "layout-app.jinja" %}
+
+{% block content %}
+<div class="nhsuk-grid-row">
+    <div class="nhsuk-grid-column-two-thirds">
+        <h1>Sorry, this service is unavailable</h1>
+        <p>The service is unavailable due to planned maintenance.</p>
+    </div>
+</div>
+{% endblock %}
diff --git a/manage_breast_screening/core/middleware/service_enabled.py b/manage_breast_screening/core/middleware/service_enabled.py
@@ -0,0 +1,33 @@
+from typing import Callable, Optional
+
+from django.conf import settings
+from django.http import HttpResponse
+from django.shortcuts import render
+
+from manage_breast_screening.core.decorators import is_service_enabled_exempt
+
+
+class ServiceEnabledMiddleware:
+    """Returns 503 for all non-exempt views when SERVICE_ENABLED=False.
+
+    Exempt views (healthcheck, sha, robots.txt) continue to respond normally
+    so that Azure Container Apps health probes don't interpret the outage as a
+    container failure and attempt to restart instances.
+    """
+
+    def __init__(self, get_response: Callable):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        return self.get_response(request)
+
+    def process_view(
+        self, request, view_func, view_args, view_kwargs
+    ) -> Optional[HttpResponse]:
+        if getattr(settings, "SERVICE_ENABLED", True):
+            return None
+
+        if is_service_enabled_exempt(view_func):
+            return None
+
+        return render(request, "503.jinja", status=503)
diff --git a/manage_breast_screening/core/tests/middleware/test_service_enabled.py b/manage_breast_screening/core/tests/middleware/test_service_enabled.py
@@ -0,0 +1,53 @@
+from typing import Callable
+
+import pytest
+from django.http import HttpResponse
+from django.test import RequestFactory
+
+from manage_breast_screening.core.decorators import service_enabled_exempt
+from manage_breast_screening.core.middleware.service_enabled import (
+    ServiceEnabledMiddleware,
+)
+
+
+def _make_middleware(get_response: Callable | None = None) -> ServiceEnabledMiddleware:
+    return ServiceEnabledMiddleware(get_response or (lambda r: HttpResponse("OK")))
+
+
+@pytest.mark.django_db
+class TestServiceEnabledMiddleware:
+    def test_service_enabled_allows_request(self, settings):
+        settings.SERVICE_ENABLED = True
+        request = RequestFactory().get("/")
+
+        mw = _make_middleware()
+        assert mw.process_view(request, lambda r: None, (), {}) is None
+
+    def test_service_disabled_returns_503(self, settings):
+        settings.SERVICE_ENABLED = False
+        request = RequestFactory().get("/")
+
+        mw = _make_middleware()
+        resp = mw.process_view(request, lambda r: None, (), {})
+        assert resp is not None
+        assert resp.status_code == 503
+        assert b"Sorry, this service is unavailable" in resp.content
+
+    def test_service_disabled_exempt_view_allows_request(self, settings):
+        settings.SERVICE_ENABLED = False
+        request = RequestFactory().get("/healthcheck")
+
+        def view(_request):
+            return HttpResponse("OK")
+
+        service_enabled_exempt(view)
+
+        mw = _make_middleware()
+        assert mw.process_view(request, view, (), {}) is None
+
+    def test_missing_setting_defaults_to_enabled(self, settings):
+        del settings.SERVICE_ENABLED
+        request = RequestFactory().get("/")
+
+        mw = _make_middleware()
+        assert mw.process_view(request, lambda r: None, (), {}) is None
diff --git a/manage_breast_screening/core/urls.py b/manage_breast_screening/core/urls.py
@@ -22,7 +22,10 @@
 from django.views.decorators.http import require_GET
 from django.views.generic.base import RedirectView
 
-from manage_breast_screening.core.decorators import basic_auth_exempt
+from manage_breast_screening.core.decorators import (
+    basic_auth_exempt,
+    service_enabled_exempt,
+)
 
 from ..clinics import views as clinic_views
 from .admin import admin_site
@@ -35,13 +38,15 @@
 
 @require_GET
 @basic_auth_exempt
+@service_enabled_exempt
 @login_not_required
 def sha_view(request):
     return HttpResponse(settings.COMMIT_SHA)
 
 
 @require_GET
 @basic_auth_exempt
+@service_enabled_exempt
 @login_not_required
 def health_check(request):
     return HttpResponse("OK")
@@ -54,6 +59,7 @@ def health_check(request):
 
 @require_GET
 @basic_auth_exempt
+@service_enabled_exempt
 @login_not_required
 def robots_txt(request):
     return HttpResponse(ROBOTS_TXT, content_type="text/plain")
