Merge branch 'main' into dependabot/github_actions/main/pre-commit/ac…

…tion-3.0.1
govuk-one-login · Mar 5, 2024 · f407c99 · f407c99
2 parents 04734f2 + 0ddc449
commit f407c99
Show file tree

Hide file tree

Showing 95 changed files with 4,679 additions and 822 deletions.
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -0,0 +1,13 @@
+name: pre-commit
+
+on: push
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-python@v5
+    - uses: pre-commit/[email protected]
+      with:
+        extra_args: "detect-secrets --all-files"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,22 +1,24 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
----
-default_stages: [commit]
 repos:
   - repo: https://github.com/Yelp/detect-secrets
     rev: v1.4.0
     hooks:
       - id: detect-secrets
-        args: ['--baseline', '.secrets.baseline']
+        args: ["--baseline", ".secrets.baseline"]
   - repo: https://github.com/pre-commit/mirrors-eslint
-    rev: "v8.30.0" # Use the sha / tag you want to point at
+    rev: v8.55.0
     hooks:
       - id: eslint
         files: \.[jt]sx?$ # *.js, *.jsx, *.ts and *.tsx
         types: [file]
   - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: "v3.0.0-alpha.4"
+    rev: v3.1.0
     hooks:
       - id: prettier
         types_or: ["javascript", "ts", "json"]
-# - repo: https://github.com/mattlqx/pre-commit-sign
+  - repo: https://github.com/aws-cloudformation/cfn-lint
+    rev: v0.83.5
+    hooks:
+      - id: cfn-lint
+        files: .template\.ya?ml$
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -75,10 +75,6 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
-    {
-      "path": "detect_secrets.filters.common.is_baseline_file",
-      "filename": ".secrets.baseline"
-    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -151,6 +147,22 @@
         "line_number": 67
       }
     ],
+    "src/tests/contract/data/session-items.json": [
+      {
+        "type": "Hex High Entropy String",
+        "filename": "src/tests/contract/data/session-items.json",
+        "hashed_secret": "2f926f5c3897276b38dbce0691766d2ced5f12b4",
+        "is_verified": false,
+        "line_number": 25
+      },
+      {
+        "type": "Hex High Entropy String",
+        "filename": "src/tests/contract/data/session-items.json",
+        "hashed_secret": "58169924a523ee2b149e0d04214511885b6725a7",
+        "is_verified": false,
+        "line_number": 40
+      }
+    ],
     "src/tests/unit/services/AccessTokenRequestProcessor.test.ts": [
       {
         "type": "Hex High Entropy String",
@@ -166,9 +178,9 @@
         "filename": "src/tests/unit/services/AuthorizationRequestProcessor.test.ts",
         "hashed_secret": "0d2014cdd47d3f9053abb0d85fecde96189eba65",
         "is_verified": false,
-        "line_number": 24
+        "line_number": 25
       }
     ]
   },
-  "generated_at": "2023-09-18T14:15:06Z"
+  "generated_at": "2024-02-21T15:19:52Z"
 }
diff --git a/README.md b/README.md
@@ -16,4 +16,77 @@ sam deploy --resolve-s3 --stack-name "YOUR_STACK_NAME" --confirm-changeset --con
 ```
 
 If you need the reserved concurrencies set in DEV then add `ApplyReservedConcurrencyInDev=\"true\"` in to the `--parameter-overrides`.
-Please only do this whilst you need them, if lots of stacks are deployed with these in DEV then deployments will start failing.
+Please only do this whilst you need them, if lots of stacks are deployed with these in DEV then deployments will start failing.
+
+### Code Owners
+
+This repo has a `CODEOWNERS` file in the root and is configured to require PRs to reviewed by Code Owners.
+
+## Pre-Commit Checking / Verification
+
+There is a `.pre-commit-config.yaml` configuration setup in this repo, this uses [pre-commit](https://pre-commit.com/) to verify your commit before actually committing, it runs the following checks:
+
+- Check Json files for formatting issues
+- Fixes end of file issues (it will auto correct if it spots an issue - you will need to run the git commit again after it has fixed the issue)
+- It automatically removes trailing whitespaces (again will need to run commit again after it detects and fixes the issue)
+- Detects aws credentials or private keys accidentally added to the repo
+- runs cloud formation linter and detects issues
+- runs checkov and checks for any issues
+- runs detect-secrets to check for secrets accidentally added - where these are false positives, the `.secrets.baseline` file should be updated by running `detect-secrets scan > .secrets.baseline`
+
+### Dependency Installation
+
+To use this locally you will first need to install the dependencies, this can be done in 2 ways:
+
+#### Method 1 - Python pip
+
+Run the following in a terminal:
+
+```
+sudo -H pip3 install checkov pre-commit cfn-lint
+```
+
+this should work across platforms
+
+#### Method 2 - Brew
+
+If you have brew installed please run the following:
+
+```
+brew install pre-commit ;\
+brew install cfn-lint ;\
+brew install checkov
+```
+
+### Post Installation Configuration
+
+once installed run:
+
+```
+pre-commit install
+```
+
+To update the various versions of the pre-commit plugins, this can be done by running:
+
+```
+pre-commit autoupdate && pre-commit install
+```
+
+This will install / configure the pre-commit git hooks, if it detects an issue while committing it will produce an output like the following:
+
+```
+ git commit -a
+check json...........................................(no files to check)Skipped
+fix end of files.........................................................Passed
+trim trailing whitespace.................................................Passed
+detect aws credentials...................................................Passed
+detect private key.......................................................Passed
+AWS CloudFormation Linter................................................Failed
+- hook id: cfn-python-lint
+- exit code: 4
+W3011 Both UpdateReplacePolicy and DeletionPolicy are needed to protect Resources/PublicHostedZone from deletion
+core/deploy/dns-zones/template.yaml:20:3
+Checkov..............................................(no files to check)Skipped
+- hook id: checkov
+```
+
diff --git a/deploy/f2f-spec.yaml b/deploy/f2f-spec.yaml
@@ -1034,10 +1034,11 @@ components:
               description: claimed expiry date for the document to be presented at the post office
         post_office_selection:
           type: object
-          additionalProperties: false
+          additionalProperties: true
           required:
             - address
             - post_code
+            - fad_code
           properties:
             name:
               type: string
@@ -1069,6 +1070,10 @@ components:
               description: Post code of post office
               example: "N1 2AA"
               pattern: ^[A-Za-z]{1,2}\d[A-Za-z\d]?\ ?\d[a-zA-Z]{2}$|^[Gg][Ii][Rr]\s?0[Aa]{2}$|^[Bb][Ff][Pp][Oo]\ ?\d{1,4}$
+            fad_code:
+              type: string
+              description: Fad code of post office
+              example: "004010X"
     JWKSFile:
       type: object
       required:

diff --git a/deploy/template.yaml b/deploy/template.yaml
@@ -293,7 +293,7 @@ Globals:
         DT_OPEN_TELEMETRY_ENABLE_INTEGRATION: "true"
         # These should always be alphabetically organised.
         AWS_STACK_NAME: !Sub ${AWS::StackName} # The AWS Stack Name, as passed into the template.
-        POWERTOOLS_LOG_LEVEL: DEBUG # The LogLevel for the AWS PowerTools LogHelper
+        POWERTOOLS_LOG_LEVEL: !If [IsNotProdLikeEnvironment, "DEBUG", "INFO"] # The LogLevel for the AWS PowerTools LogHelper
         POWERTOOLS_METRICS_NAMESPACE: F2F-CRI # The Metric Namespace for the AWS PowerTools MetricHelper
         RESOURCES_TTL_SECS: !FindInMap [EnvironmentVariables, !Ref Environment, RESOURCETTLSECS]
         SESSION_TABLE:
@@ -999,6 +999,7 @@ Resources:
           TXMA_QUEUE_URL: !Ref TxMASQSQueue
           KMS_KEY_ARN:
             Fn::ImportValue: !Sub "${L2KMSStackName}-vc-signing-key"
+          DNSSUFFIX: !FindInMap [ EnvironmentVariables, !Ref Environment, DNSSUFFIX ]
       Policies:
         - AWSLambdaBasicExecutionRole
         - AWSXrayWriteOnlyAccess
@@ -2016,9 +2017,9 @@ Resources:
     Properties:
       ActionsEnabled: true
       AlarmActions:
-        - !ImportValue platform-alarm-topic-critical-alert
+        - !ImportValue platform-alarm-topic-slack-warning-alert
       OKActions:
-        - !ImportValue platform-alarm-topic-critical-alert
+        - !ImportValue platform-alarm-topic-slack-warning-alert
       InsufficientDataActions: []
       AlarmDescription: !Sub "Trigger the alarm if over 80% of GovNotify concurrency is used. ${SupportManualURL}"
       AlarmName: !Sub "${AWS::StackName}-GovNotifyFunction-concurrency"
@@ -2701,6 +2702,7 @@ Resources:
           YOTIBASEURL: !FindInMap [ EnvironmentVariables, !Ref Environment, YOTIBASEURL ]
           KMS_KEY_ARN:
             Fn::ImportValue: !Sub "${L2KMSStackName}-vc-signing-key"
+          DNSSUFFIX: !FindInMap [ EnvironmentVariables, !Ref Environment, DNSSUFFIX ]
           IPV_CORE_QUEUE_URL: !Ref IPVCoreSQSQueue
           YOTI_SESSION_TTL_DAYS: !FindInMap [EnvironmentVariables, !Ref Environment, YOTISESSIONTTLDAYS]
       Policies:
@@ -5801,6 +5803,10 @@ Outputs:
     Condition: IsNotProdLikeEnvironment
     Description: "F2F Test Harness"
     Value: !FindInMap [EnvironmentVariables, !Ref Environment, TESTHARNESSURL]
+  DNSSuffix:
+    Condition: IsNotProdLikeEnvironment
+    Description: "F2F DNS Suffix"
+    Value: !FindInMap [EnvironmentVariables, !Ref Environment, DNSSUFFIX]
   F2FGovNotifyURL:
     Condition: IsNotProdLikeEnvironment
     Description: "F2F Gov Notify API"
@@ -5809,3 +5815,8 @@ Outputs:
     Condition: IsNotProdLikeEnvironment
     Description: "F2F Post Office Stub API"
     Value: !FindInMap [EnvironmentVariables, !Ref Environment, POSTOFFICESTUBAPI]
+  VcSigningKeyId:
+    Condition: IsNotProdLikeEnvironment
+    Description: "Signing Key used to sign VC"
+    Value:
+      Fn::ImportValue: !Sub "${L2KMSStackName}-vc-signing-key-id"
diff --git a/f2f-ipv-stub/src/handlers/startF2fCheck.ts b/f2f-ipv-stub/src/handlers/startF2fCheck.ts
@@ -16,6 +16,8 @@ export const v3KmsClient = new KMSClient({
   maxAttempts: 2,
 });
 
+let frontendURL: string; 
+
 export const handler = async (
   event: APIGatewayProxyEvent
 ): Promise<APIGatewayProxyResult> => {
@@ -24,6 +26,7 @@ export const handler = async (
   if (overrides?.target != null) {
     config.jwksUri = overrides.target;
   }
+	frontendURL = overrides?.frontendURL != null ? overrides.frontendURL : config.oauthUri
   const defaultClaims = {
     name: [
       {
@@ -71,7 +74,7 @@ export const handler = async (
       overrides?.gov_uk_signin_journey_id != null
         ? overrides?.gov_uk_signin_journey_id
         : crypto.randomBytes(16).toString("hex"),
-    aud: config.oauthUri,
+    aud: frontendURL,
     iss: "https://ipv.core.account.gov.uk",
     client_id: config.clientId,
     state: crypto.randomBytes(16).toString("hex"),
@@ -107,7 +110,7 @@ export const handler = async (
       request,
       responseType: "code",
       clientId: config.clientId,
-      AuthorizeLocation: `${process.env.OAUTH_FRONT_BASE_URI}/oauth2/authorize?request=${request}&response_type=code&client_id=${config.clientId}`,
+      AuthorizeLocation: `${frontendURL}/oauth2/authorize?request=${request}&response_type=code&client_id=${config.clientId}`,
       sub: payload.sub,
       state: payload.state,
     }),

diff --git a/package-lock.json b/package-lock.json
diff --git a/run-tests.sh b/run-tests.sh
@@ -19,6 +19,10 @@ export DEV_F2F_TEST_HARNESS_URL=$(remove_quotes "$CFN_F2FTestHarnessURL")
 export GOV_NOTIFY_API=$(remove_quotes "$CFN_F2FGovNotifyURL")
 # shellcheck disable=SC2154
 export DEV_F2F_PO_STUB_URL=$(remove_quotes "$CFN_F2FPostOfficeStubURL")
+# shellcheck disable=SC2154
+export VC_SIGNING_KEY_ID=$(remove_quotes "$CFN_VcSigningKeyId")
+# shellcheck disable=SC2154
+export DNS_SUFFIX=$(remove_quotes "$CFN_DNSSuffix")
 
 cd /src; npm run test:api
 cp -rf results $TEST_REPORT_ABSOLUTE_DIR
diff --git a/src/.env.example b/src/.env.example
@@ -7,3 +7,4 @@ DEV_F2F_MISSING_SUB_ACCESS_TOKEN=
 DEV_F2F_YOTI_STUB_URL=
 DEV_F2F_PO_STUB_URL=
 GOV_NOTIFY_API=
+DNS_SUFFIX=
diff --git a/src/jest.setup.ts b/src/jest.setup.ts
@@ -1,5 +1,6 @@
 process.env.SESSION_TABLE = 'SESSIONTABLE'
 process.env.KMS_KEY_ARN = 'MYKMSKEY'
+process.env.DNSSUFFIX = "DNSSUFFIX"
 process.env.ISSUER = 'https://XXX-c.env.account.gov.uk'
 process.env.TXMA_QUEUE_URL = "MYQUEUE"
 process.env.CLIENT_CONFIG = '[{"jwksEndpoint":"https://api.identity.account.gov.uk/.well-known/jwks.json","clientId":"ipv-core-stub","redirectUri":"http://localhost:8085/callback"}]'

diff --git a/src/models/YotiPayloads.ts b/src/models/YotiPayloads.ts
@@ -22,6 +22,7 @@ export interface PostOfficeInfo {
 		latitude: number;
 		longitude: number;
 	};
+	fad_code: string;
 }
 
 export interface CreateSessionPayload {

diff --git a/src/models/enums/MessageCodes.ts b/src/models/enums/MessageCodes.ts
@@ -14,7 +14,7 @@ export enum MessageCodes {
 	FAILED_DECRYPTING_JWE = "FAILED_DECRYPTING_JWE",
 	FAILED_VALIDATING_SESSION_ID = "FAILED_VALIDATING_SESSION_ID",
 	FAILED_DECODING_JWT = "FAILED_DECODING_JWT",
-	FAILED_VERIFYING_JWT = "FAILED_VERIFYING_JWT",
+	FAILED_VERIFYING_JWT = "F2F_FAILED_VERIFYING_JWT",
 	MISSING_HEADER = "MISSING_HEADER",
 	EXPIRED_SESSION = "EXPIRED_SESSION",
 	INCORRECT_SESSION_STATE = "INCORRECT_SESSION_STATE",