Merge branch 'main' into KIWI-1638-ci-change

.github/workflows/pull-request-Dynamo.yml

@@ -38,7 +38,7 @@ jobs:
           submodules: true
 
       - name: Checks if commiting secrets to repo
-        uses: pre-commit/[email protected].0
+        uses: pre-commit/[email protected].1
         with:
           extra_args: "detect-secrets --all-files"
 

.github/workflows/pull-request-KMS.yml

@@ -38,7 +38,7 @@ jobs:
           submodules: true
 
       - name: Checks if commiting secrets to repo
-        uses: pre-commit/[email protected].0
+        uses: pre-commit/[email protected].1
         with:
           extra_args: "detect-secrets --all-files"
 

.github/workflows/pull-request-gov-notify-stub.yml

@@ -37,7 +37,7 @@ jobs:
           submodules: true
 
       - name: Checks if commiting secrets to repo
-        uses: pre-commit/[email protected].0
+        uses: pre-commit/[email protected].1
         with:
           extra_args: "detect-secrets --all-files"
 

.github/workflows/pull-request-ipv-stub.yml

@@ -37,7 +37,7 @@ jobs:
           submodules: true
 
       - name: Checks if committing secrets to repo
-        uses: pre-commit/[email protected].0
+        uses: pre-commit/[email protected].1
         with:
           extra_args: "detect-secrets --all-files"
 

.github/workflows/pull-request-outbound-proxy.yml

@@ -38,7 +38,7 @@ jobs:
           submodules: true
 
       - name: Checks if committing secrets to repo
-        uses: pre-commit/[email protected].0
+        uses: pre-commit/[email protected].1
         with:
           extra_args: "detect-secrets --all-files"
 

.github/workflows/pull-request-postoffice-mock.yml

@@ -37,7 +37,7 @@ jobs:
           submodules: true
 
       - name: Checks if commiting secrets to repo
-        uses: pre-commit/[email protected].0
+        uses: pre-commit/[email protected].1
         with:
           extra_args: "detect-secrets --all-files"
 

.github/workflows/pull-request-test-harness.yml

@@ -37,7 +37,7 @@ jobs:
           submodules: true
 
       - name: Checks if committing secrets to repo
-        uses: pre-commit/[email protected].0
+        uses: pre-commit/[email protected].1
         with:
           extra_args: "detect-secrets --all-files"
 

.github/workflows/pull-request-yoti-stub.yml

@@ -37,7 +37,7 @@ jobs:
           submodules: true
 
       - name: Checks if commiting secrets to repo
-        uses: pre-commit/[email protected].0
+        uses: pre-commit/[email protected].1
         with:
           extra_args: "detect-secrets --all-files"
 

.github/workflows/pull-request.yml

@@ -52,7 +52,7 @@ jobs:
           submodules: true
 
       - name: Checks if commiting secrets to repo
-        uses: pre-commit/[email protected].0
+        uses: pre-commit/[email protected].1
         with:
           extra_args: "detect-secrets --all-files"
 

deploy/template.yaml

@@ -999,6 +999,7 @@ Resources:
           TXMA_QUEUE_URL: !Ref TxMASQSQueue
           KMS_KEY_ARN:
             Fn::ImportValue: !Sub "${L2KMSStackName}-vc-signing-key"
+          DNSSUFFIX: !FindInMap [ EnvironmentVariables, !Ref Environment, DNSSUFFIX ]
       Policies:
         - AWSLambdaBasicExecutionRole
         - AWSXrayWriteOnlyAccess
@@ -2701,6 +2702,7 @@ Resources:
           YOTIBASEURL: !FindInMap [ EnvironmentVariables, !Ref Environment, YOTIBASEURL ]
           KMS_KEY_ARN:
             Fn::ImportValue: !Sub "${L2KMSStackName}-vc-signing-key"
+          DNSSUFFIX: !FindInMap [ EnvironmentVariables, !Ref Environment, DNSSUFFIX ]
           IPV_CORE_QUEUE_URL: !Ref IPVCoreSQSQueue
           YOTI_SESSION_TTL_DAYS: !FindInMap [EnvironmentVariables, !Ref Environment, YOTISESSIONTTLDAYS]
       Policies:
@@ -5801,6 +5803,10 @@ Outputs:
     Condition: IsNotProdLikeEnvironment
     Description: "F2F Test Harness"
     Value: !FindInMap [EnvironmentVariables, !Ref Environment, TESTHARNESSURL]
+  DNSSuffix:
+    Condition: IsNotProdLikeEnvironment
+    Description: "F2F DNS Suffix"
+    Value: !FindInMap [EnvironmentVariables, !Ref Environment, DNSSUFFIX]
   F2FGovNotifyURL:
     Condition: IsNotProdLikeEnvironment
     Description: "F2F Gov Notify API"
@@ -5809,3 +5815,8 @@ Outputs:
     Condition: IsNotProdLikeEnvironment
     Description: "F2F Post Office Stub API"
     Value: !FindInMap [EnvironmentVariables, !Ref Environment, POSTOFFICESTUBAPI]
+  VcSigningKeyId:
+    Condition: IsNotProdLikeEnvironment
+    Description: "Signing Key used to sign VC"
+    Value:
+      Fn::ImportValue: !Sub "${L2KMSStackName}-vc-signing-key-id"

run-tests.sh

@@ -19,6 +19,10 @@ export DEV_F2F_TEST_HARNESS_URL=$(remove_quotes "$CFN_F2FTestHarnessURL")
 export GOV_NOTIFY_API=$(remove_quotes "$CFN_F2FGovNotifyURL")
 # shellcheck disable=SC2154
 export DEV_F2F_PO_STUB_URL=$(remove_quotes "$CFN_F2FPostOfficeStubURL")
+# shellcheck disable=SC2154
+export VC_SIGNING_KEY_ID=$(remove_quotes "$CFN_VcSigningKeyId")
+# shellcheck disable=SC2154
+export DNS_SUFFIX=$(remove_quotes "$CFN_DNSSuffix")
 
 cd /src; npm run test:api
 cp -rf results $TEST_REPORT_ABSOLUTE_DIR

src/.env.example

@@ -7,3 +7,4 @@ DEV_F2F_MISSING_SUB_ACCESS_TOKEN=
 DEV_F2F_YOTI_STUB_URL=
 DEV_F2F_PO_STUB_URL=
 GOV_NOTIFY_API=
+DNS_SUFFIX=

src/jest.setup.ts

@@ -1,5 +1,6 @@
 process.env.SESSION_TABLE = 'SESSIONTABLE'
 process.env.KMS_KEY_ARN = 'MYKMSKEY'
+process.env.DNSSUFFIX = "DNSSUFFIX"
 process.env.ISSUER = 'https://XXX-c.env.account.gov.uk'
 process.env.TXMA_QUEUE_URL = "MYQUEUE"
 process.env.CLIENT_CONFIG = '[{"jwksEndpoint":"https://api.identity.account.gov.uk/.well-known/jwks.json","clientId":"ipv-core-stub","redirectUri":"http://localhost:8085/callback"}]'

src/package.json

@@ -67,7 +67,7 @@
     "dotenv": "^16.3.1",
     "eslint": "^8.32.0",
     "eslint-config-airbnb-typescript": "^17.0.0",
-    "eslint-config-prettier": "^8.6.0",
+    "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-import": "^2.29.1",
     "eslint-plugin-jest": "^27.2.1",
     "eslint-plugin-jsdoc": "^39.6.8",

src/services/AccessTokenRequestProcessor.ts

@@ -95,7 +95,7 @@ export class AccessTokenRequestProcessor {
 				};
 				let accessToken;
 				try {
-					accessToken = await this.kmsJwtAdapter.sign(jwtPayload);
+					accessToken = await this.kmsJwtAdapter.sign(jwtPayload, this.environmentVariables.dnsSuffix());
 				} catch (error) {
 					this.logger.error("Failed to sign the accessToken Jwt", { messageCode: MessageCodes.FAILED_SIGNING_JWT });
 					return new Response(HttpCodesEnum.SERVER_ERROR, "Failed to sign the accessToken Jwt");

src/services/EnvironmentVariables.ts

@@ -40,6 +40,8 @@ export class EnvironmentVariables {
 
 	private readonly KMS_KEY_ARN = process.env.KMS_KEY_ARN;
 
+	private readonly DNSSUFFIX = process.env.DNSSUFFIX;
+
 	private readonly CLIENT_CONFIG = process.env.CLIENT_CONFIG;
 
 	private readonly ENCRYPTION_KEY_IDS = process.env.ENCRYPTION_KEY_IDS;
@@ -213,8 +215,10 @@ export class EnvironmentVariables {
 					!this.ISSUER || this.ISSUER.trim().length === 0 ||
 					!this.TXMA_QUEUE_URL || this.TXMA_QUEUE_URL.trim().length === 0 ||
 					!this.YOTI_KEY_SSM_PATH || this.YOTI_KEY_SSM_PATH.trim().length === 0 ||
-					!this.YOTIBASEURL || this.YOTIBASEURL.trim().length === 0) {
-					logger.error("Environment variable PERSON_IDENTITY_TABLE_NAME or YOTI_SDK or YOTICALLBACKURL or ISSUER is not configured");
+					!this.YOTIBASEURL || this.YOTIBASEURL.trim().length === 0 ||
+					!this.KMS_KEY_ARN || this.KMS_KEY_ARN.trim().length === 0 ||
+					!this.DNSSUFFIX || this.DNSSUFFIX.trim().length === 0) {
+					logger.error("Environment variable PERSON_IDENTITY_TABLE_NAME or YOTI_SDK or KMS_KEY_ARN or ISSUER or DNSSUFFIX is not configured");
 					throw new AppError(HttpCodesEnum.SERVER_ERROR, "Callback Service incorrectly configured");
 				}
 				if (!this.YOTI_SESSION_TTL_DAYS || this.YOTI_SESSION_TTL_DAYS < 10) {
@@ -354,6 +358,10 @@ export class EnvironmentVariables {
 		return this.KMS_KEY_ARN;
 	}
 
+	dnsSuffix(): any {
+		return this.DNSSUFFIX;
+	}
+
 	encryptionKeyIds(): any {
 		return this.ENCRYPTION_KEY_IDS;
 	}

src/services/VerifiableCredentialService.ts

@@ -20,6 +20,8 @@ export class VerifiableCredentialService {
 
   readonly issuer: string;
 
+  readonly dnsSuffix: string;	
+
   private readonly kmsJwtAdapter: KmsJwtAdapter;
 
   private static instance: VerifiableCredentialService;
@@ -29,21 +31,24 @@ export class VerifiableCredentialService {
   	kmsJwtAdapter: KmsJwtAdapter,
   	issuer: string,
   	logger: Logger,
+  	dnsSuffix: string,
   ) {
   	this.issuer = issuer;
   	this.tableName = tableName;
   	this.logger = logger;
   	this.kmsJwtAdapter = kmsJwtAdapter;
+  	this.dnsSuffix = dnsSuffix;
   }
 
   static getInstance(
   	tableName: string,
   	kmsJwtAdapter: KmsJwtAdapter,
   	issuer: string,
   	logger: Logger,
+  	dnsSuffix: string,
   ): VerifiableCredentialService {
   	if (!VerifiableCredentialService.instance) {
-  		VerifiableCredentialService.instance = new VerifiableCredentialService(tableName, kmsJwtAdapter, issuer, logger);
+  		VerifiableCredentialService.instance = new VerifiableCredentialService(tableName, kmsJwtAdapter, issuer, logger, dnsSuffix);
   	}
   	return VerifiableCredentialService.instance;
   }
@@ -52,7 +57,7 @@ export class VerifiableCredentialService {
   	try {
   		if (result) {
   			// Sign the VC
-  			const signedJwt = await this.kmsJwtAdapter.sign(result);
+  			const signedJwt = await this.kmsJwtAdapter.sign(result, this.dnsSuffix);
   			this.logger.info({ message: "Successfully Signed Generated Verified Credential jwt" });
   			return signedJwt;
   		}

src/services/YotiSessionCompletionProcessor.ts

@@ -53,7 +53,7 @@ export class YotiSessionCompletionProcessor {
   	this.yotiService = YotiService.getInstance(this.logger, this.environmentVariables.yotiSdk(), this.environmentVariables.resourcesTtlInSeconds(), this.environmentVariables.clientSessionTokenTtlInDays(), YOTI_PRIVATE_KEY, this.environmentVariables.yotiBaseUrl());
   	this.f2fService = F2fService.getInstance(this.environmentVariables.sessionTable(), this.logger, createDynamoDbClient());
   	this.kmsJwtAdapter = new KmsJwtAdapter(this.environmentVariables.kmsKeyArn());
-  	this.verifiableCredentialService = VerifiableCredentialService.getInstance(this.environmentVariables.sessionTable(), this.kmsJwtAdapter, this.environmentVariables.issuer(), this.logger);
+  	this.verifiableCredentialService = VerifiableCredentialService.getInstance(this.environmentVariables.sessionTable(), this.kmsJwtAdapter, this.environmentVariables.issuer(), this.logger, this.environmentVariables.dnsSuffix());
   	this.generateVerifiableCredential = GenerateVerifiableCredential.getInstance(this.logger);
   }
 

src/tests/api/CallbackApi.test.ts

@@ -84,7 +84,7 @@ describe("Callback API", () => {
 			sqsMessage = await getDequeuedSqsMessage(sessionResponse.data.sub);
 		} while (!sqsMessage);
 		const jwtToken = sqsMessage["https://vocab.account.gov.uk/v1/credentialJWT"][0];
-		validateJwtToken(jwtToken, vcResponseData, yotiMockId);
+		await validateJwtToken(jwtToken, vcResponseData, yotiMockId);
 
 	}, 20000);
 
@@ -108,7 +108,7 @@ describe("Callback API", () => {
 		} while (!sqsMessage);
 		const jwtToken = sqsMessage["https://vocab.account.gov.uk/v1/credentialJWT"][0];
 
-		validateJwtToken(jwtToken, vcResponseData, "0000");
+		await validateJwtToken(jwtToken, vcResponseData, "0000");
 	}, 20000);
 
 	describe("F2F CRI Callback Endpoint UnHappyPath - Verifiable Credential Error", () => {

src/tests/unit/services/EnvironmentVariables.test.ts

@@ -108,6 +108,17 @@ describe("EnvironmentVariables", () => {
 		});
 	});
 
+	describe("dnsSuffix", () => {
+		it("should return the value of DNSSUFFIX", () => {
+			process.env.DNSSUFFIX = "DNSSUFFIX";
+			const envVars = new EnvironmentVariables(logger, ServicesEnum.GOV_NOTIFY_SERVICE);
+
+			const result = envVars.dnsSuffix();
+
+			expect(result).toBe("DNSSUFFIX");
+		});
+	});
+
 	describe("encryptionKeyIds", () => {
 		it("should return the value of ENCRYPTION_KEY_IDS", () => {
 			process.env.ENCRYPTION_KEY_IDS = "ENCRYPTION_KEY_IDS_VALUE";

src/tests/unit/services/VerifiableCredentialService.test.ts

@@ -24,6 +24,7 @@ describe("VerifiableCredentialService", () => {
 	const issuer = "test-issuer";
 	const logger = mock<Logger>();
 	const kmsJwtAdapter = new KmsJwtAdapter("kid");
+	const dnsSuffix = "dnsSuffix123";
 
 	const credentialSubject = {
 		"birthDate": [
@@ -99,6 +100,7 @@ describe("VerifiableCredentialService", () => {
 			kmsJwtAdapter,
 			issuer,
 			logger,
+			dnsSuffix,
 		);
 	});
 
@@ -144,7 +146,7 @@ describe("VerifiableCredentialService", () => {
 			const result = await verifiableCredentialService.signGeneratedVerifiableCredentialJwt(jwt);
 
 			expect(getNow).toHaveBeenCalled();
-			expect(signMock).toHaveBeenCalledWith(payloadToSign);
+			expect(signMock).toHaveBeenCalledWith(payloadToSign, dnsSuffix);
 			expect(result).toBe(signedJwt);
 		});
 
@@ -218,7 +220,7 @@ describe("VerifiableCredentialService", () => {
 			}))
 				.rejects.toThrow(new AppError(HttpCodesEnum.SERVER_ERROR, "Failed to sign Jwt"));
 
-			expect(signMock).toHaveBeenCalledWith(payloadToSign);
+			expect(signMock).toHaveBeenCalledWith(payloadToSign, dnsSuffix);
 		});
 	});
 

src/tests/utils/ApiConstants.ts

@@ -8,4 +8,6 @@ export const constants = {
 	DEV_F2F_SESSION_TABLE_NAME: "session-f2f-cri-ddb",
 	GOV_NOTIFY_API: process.env.GOV_NOTIFY_API,
 	DEV_F2F_PO_STUB_URL: process.env.DEV_F2F_PO_STUB_URL,
+	VC_SIGNING_KEY_ID: process.env.VC_SIGNING_KEY_ID,
+	DNS_SUFFIX: process.env.DNS_SUFFIX,
 };