From 7d23fa7c756e2e2d17b3842b46f2209762f50237 Mon Sep 17 00:00:00 2001 From: Ryan Andrews Date: Tue, 24 Sep 2024 10:51:54 +0100 Subject: [PATCH 1/5] ATO-1063: Adds test basic auth constants --- express/tests/constants.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/express/tests/constants.ts b/express/tests/constants.ts index 88d54dc2c..8c22f3ab6 100644 --- a/express/tests/constants.ts +++ b/express/tests/constants.ts @@ -247,3 +247,5 @@ export const TEST_PUBLIC_BETA_FORM_SUBMISSION = { }; export const TEST_USER_ATTRIBUTES = ["phone", "email"]; +export const TEST_BASIC_AUTH_USERNAME = "4oxh6rwLNOPxRc_zK3SdY6X5mHHQhnW6V77PNJKowiA"; +export const TEST_BASIC_AUTH_PASSWORD = "uJojpxvIyBIDle1nHnI6Fk5czqcoICQlE4Nmj5s8Qgc"; From b647082cd991d4b6d6cdb7b78d9866abe4c2ee88 Mon Sep 17 00:00:00 2001 From: Ryan Andrews Date: Tue, 24 Sep 2024 10:53:59 +0100 Subject: [PATCH 2/5] ATO-1063: Adds basic auth creds to render opts We're moving these from static content to environment variables, so this passes the values into the render options and derives them from the environment variables. --- express/src/controllers/clients.ts | 4 +++ express/tests/controllers/clients.test.ts | 32 +++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/express/src/controllers/clients.ts b/express/src/controllers/clients.ts index 05813165e..64174aff1 100644 --- a/express/src/controllers/clients.ts +++ b/express/src/controllers/clients.ts @@ -94,6 +94,10 @@ export const showClient: RequestHandler = async (req, res) => { changeIdTokenSigningAlgorithm: `/services/${serviceId}/clients/${authClientId}/${selfServiceClientId}/change-id-token-signing-algorithm?algorithm=${encodeURIComponent( idTokenSigningAlgorithm )}` + }, + basicAuthCreds: { + username: process.env.BASIC_AUTH_USERNAME ?? "", + password: process.env.BASIC_AUTH_PASSWORD ?? "" } }); diff --git a/express/tests/controllers/clients.test.ts b/express/tests/controllers/clients.test.ts index 05fa29132..97f7141ce 100644 
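Review bot: The added `TEST_BASIC_AUTH_USERNAME` and `TEST_BASIC_AUTH_PASSWORD` are 43-character high-entropy strings that look exactly like a freshly generated credential, so neither a reader nor a secret scanner can tell whether they are fixtures or a copied live value. If they were generated for the tests, a one-line comment saying so (e.g. `// Random fixtures generated for tests only; not real integration credentials`) would stop the next reviewer asking the same question; if they were copied from the real secret they should be replaced and that secret rotated. The controller only passes the strings through to the render options, so an obviously fake value such as `export const TEST_BASIC_AUTH_USERNAME = "test-basic-auth-username";` exercises the same path without the ambiguity.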
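Review bot: `process.env.BASIC_AUTH_USERNAME ?? ""` and the matching password line substitute an empty string when the variable is unset, so a misconfigured environment renders the page with blank integration credentials and nothing in the logs explains why. Since the values are only useful when both are present, I would surface the missing-config case rather than hide it, for example `if (!process.env.BASIC_AUTH_USERNAME || !process.env.BASIC_AUTH_PASSWORD) { console.warn("BASIC_AUTH_USERNAME/BASIC_AUTH_PASSWORD not set; client details page will show empty integration credentials"); }` before the render call, or validating both once at startup alongside the rest of the configuration. `showClient` starts and ends outside this hunk, so I cannot see whether such a check already exists elsewhere in the handler.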
--- a/express/tests/controllers/clients.test.ts +++ b/express/tests/controllers/clients.test.ts @@ -38,6 +38,8 @@ import { TEST_ACCESS_TOKEN, TEST_AUTHENTICATION_RESULT, TEST_BACK_CHANNEL_LOGOUT_URI, + TEST_BASIC_AUTH_PASSWORD, + TEST_BASIC_AUTH_USERNAME, TEST_CLAIM, TEST_CLAIMS, TEST_CLAIMS_OUT, @@ -98,6 +100,8 @@ describe("showClient Controller tests", () => { beforeEach(() => { jest.clearAllMocks(); + process.env.BASIC_AUTH_USERNAME = TEST_BASIC_AUTH_USERNAME; + process.env.BASIC_AUTH_PASSWORD = TEST_BASIC_AUTH_PASSWORD; }); it("calls render with the expected template and options from the first client returned from s4 listClients", async () => { @@ -159,6 +163,10 @@ describe("showClient Controller tests", () => { "/services/service#123/clients/ajedebd2343/456/change-id-token-signing-algorithm?algorithm=ES256", changeClaims: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/change-claims?claims=${TEST_CLAIM}`, changeScopes: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/change-scopes?scopes=${TEST_SCOPES_IN[0]}` + }, + basicAuthCreds: { + username: TEST_BASIC_AUTH_USERNAME, + password: TEST_BASIC_AUTH_PASSWORD } }); expect(mockRequest.session.serviceName).toStrictEqual(TEST_CLIENT.serviceName); 
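Review bot: The `beforeEach` now assigns `process.env.BASIC_AUTH_USERNAME` and `process.env.BASIC_AUTH_PASSWORD` but nothing restores them afterwards, so the values persist for any later test in the same process that expects the variables to be absent, and the controller's `?? ""` fallback is never exercised. I would add `afterEach(() => { delete process.env.BASIC_AUTH_USERNAME; delete process.env.BASIC_AUTH_PASSWORD; });` (or save and restore the previous values) and one case that leaves them unset and asserts `basicAuthCreds` equals `{ username: "", password: "" }`. The remaining hunks in this file repeat the same four-line `basicAuthCreds` expectation; a shared `expectedBasicAuthCreds` constant would keep them in sync if the shape changes. The enclosing `describe` block begins before and ends after these hunks.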
@@ -223,6 +231,10 @@ describe("showClient Controller tests", () => { changeIdVerificationEnabledUri: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/enter-identity-verification`, changeClaims: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/change-claims?claims=`, changeScopes: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/change-scopes?scopes=${TEST_SCOPES_IN[0]}` + }, + basicAuthCreds: { + username: TEST_BASIC_AUTH_USERNAME, + password: TEST_BASIC_AUTH_PASSWORD } }); expect(mockRequest.session.serviceName).toStrictEqual(TEST_CLIENT.serviceName); @@ -287,6 +299,10 @@ describe("showClient Controller tests", () => { changeIdVerificationEnabledUri: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/enter-identity-verification`, changeClaims: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/change-claims?claims=${TEST_CLIENT.claims}`, changeScopes: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/change-scopes?scopes=${TEST_SCOPES_IN[0]}` + }, + basicAuthCreds: { + username: TEST_BASIC_AUTH_USERNAME, + password: TEST_BASIC_AUTH_PASSWORD } }); expect(mockRequest.session.serviceName).toStrictEqual(TEST_CLIENT.serviceName); 
@@ -352,6 +368,10 @@ describe("showClient Controller tests", () => { "/services/service#123/clients/ajedebd2343/456/change-id-token-signing-algorithm?algorithm=ES256", changeClaims: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/change-claims?claims=${TEST_CLAIM}`, changeScopes: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/change-scopes?scopes=${TEST_SCOPES_IN[0]}` + }, + basicAuthCreds: { + username: TEST_BASIC_AUTH_USERNAME, + password: TEST_BASIC_AUTH_PASSWORD } }); expect(mockRequest.session.serviceName).toStrictEqual(TEST_CLIENT.serviceName); @@ -416,6 +436,10 @@ describe("showClient Controller tests", () => { "/services/service#123/clients/ajedebd2343/456/change-id-token-signing-algorithm?algorithm=ES256", changeClaims: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/change-claims?claims=${TEST_CLAIM}`, changeScopes: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/change-scopes?scopes=${TEST_SCOPES_IN[0]}` + }, + basicAuthCreds: { + username: TEST_BASIC_AUTH_USERNAME, + password: TEST_BASIC_AUTH_PASSWORD } }); expect(mockRequest.session.serviceName).toStrictEqual(TEST_CLIENT.serviceName); @@ -482,6 +506,10 @@ describe("showClient Controller tests", () => { "/services/service#123/clients/ajedebd2343/456/change-id-token-signing-algorithm?algorithm=ES256", changeClaims: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/change-claims?claims=${TEST_CLAIM}`, changeScopes: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/change-scopes?scopes=${TEST_SCOPES_IN[0]}` + }, + basicAuthCreds: { + username: TEST_BASIC_AUTH_USERNAME, + password: TEST_BASIC_AUTH_PASSWORD } }); expect(mockRequest.session.serviceName).toStrictEqual(TEST_CLIENT.serviceName); 
@@ -547,6 +575,10 @@ describe("showClient Controller tests", () => { "/services/service#123/clients/ajedebd2343/456/change-id-token-signing-algorithm?algorithm=ES256", changeClaims: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/change-claims?claims=`, changeScopes: `/services/${TEST_SERVICE_ID}/clients/${TEST_CLIENT.authClientId}/${TEST_CLIENT.dynamoServiceId}/change-scopes?scopes=${TEST_SCOPES_IN[0]}` + }, + basicAuthCreds: { + username: TEST_BASIC_AUTH_USERNAME, + password: TEST_BASIC_AUTH_PASSWORD } }); expect(mockRequest.session.serviceName).toStrictEqual(TEST_CLIENT.serviceName); From 64a86d4f248c487588b5e395be8d8541bc5fd1fc Mon Sep 17 00:00:00 2001 From: Ryan Andrews Date: Tue, 24 Sep 2024 10:55:23 +0100 Subject: [PATCH 3/5] ATO-1063: remove basic auth creds from static content This removes the basic auth creds from the static content and moves them to be derived from the render options passed in from server side --- express/src/views/clients/client-details.njk | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/express/src/views/clients/client-details.njk b/express/src/views/clients/client-details.njk index 8a4336a64..5d51d95e0 100644 --- a/express/src/views/clients/client-details.njk +++ b/express/src/views/clients/client-details.njk @@ -426,8 +426,8 @@

Details to view the end user journey in integration

During the integration process, you’ll be prompted to enter the following details to see the end user journey. This is so the public do not confuse it with the live journey.

- Username: integration-user
- Password: winter2021
+ Username: {{basicAuthCreds.username}}
+ Password: {{basicAuthCreds.password}}

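Review bot: Removing `integration-user` / `winter2021` from the template does not retire that credential: the value stays in git history and, as the deleted acceptance scenario shows, was asserted in CI, so it should be treated as disclosed and rotated in whichever environment accepts it, with the new Secrets Manager entries holding the replacement value. The new `{{basicAuthCreds.username}}` and `{{basicAuthCreds.password}}` interpolations carry server-side configuration rather than user input, but please confirm Nunjucks autoescaping is enabled for this template so a future value containing `<` or `&` cannot break the markup. A template comment above the two lines, e.g. `{# Integration basic-auth details come from BASIC_AUTH_USERNAME/BASIC_AUTH_PASSWORD via showClient; do not hard-code them here #}`, would help stop them being reintroduced as static text.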
From 0d04f99a59fe764a84171eb9f85bcaf5534a61ec Mon Sep 17 00:00:00 2001 From: Ryan Andrews Date: Tue, 24 Sep 2024 10:58:16 +0100 Subject: [PATCH 4/5] ATO-1063: Adds environment vars to task definition Retrieves the environment variables from secrets manager and passes them to the task definition, so that they are available server side when generating static content --- infrastructure/frontend/frontend.template.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/infrastructure/frontend/frontend.template.yml b/infrastructure/frontend/frontend.template.yml index afbfb4afc..d7abf834a 100644 --- a/infrastructure/frontend/frontend.template.yml +++ b/infrastructure/frontend/frontend.template.yml @@ -221,6 +221,10 @@ Resources: - IsProd - !Ref AWS::NoValue - "{{resolve:secretsmanager:/self-service/frontend/fixed-otp-credentials}}" + - Name: BASIC_AUTH_USERNAME + Value: "{{resolve:secretsmanager:/self-service/frontend/basic-auth-username}}" + - Name: BASIC_AUTH_PASSWORD + Value: "{{resolve:secretsmanager:/self-service/frontend/basic-auth-password}}" PortMappings: - ContainerPort: !Ref ContainerPort From 543b695ff093701dbd258bd05a3a855b2cef2e5f Mon Sep 17 00:00:00 2001 From: Ryan Andrews Date: Wed, 25 Sep 2024 12:15:40 +0100 Subject: [PATCH 5/5] ATO-1063: removes test scenario --- .../acceptance-features/clients/client-details.feature | 4 ---- 1 file changed, 4 deletions(-) diff --git a/ui-automation-tests/acceptance-features/clients/client-details.feature b/ui-automation-tests/acceptance-features/clients/client-details.feature index 07727ca9a..94fcba69b 100644 --- a/ui-automation-tests/acceptance-features/clients/client-details.feature +++ b/ui-automation-tests/acceptance-features/clients/client-details.feature 
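Review bot: The two new entries place the Secrets Manager values into plain `Environment` `Value` fields through `{{resolve:secretsmanager:...}}`, so CloudFormation materialises the username and password into the rendered task definition, where anyone with `ecs:DescribeTaskDefinition` or read access to the stack's processed template can read them, and a later rotation of the secret is not picked up until the stack is redeployed. This mirrors the existing `fixed-otp-credentials` entry, so it is at least consistent, but the ECS `Secrets` block with `ValueFrom` fetches the value at container start under the task execution role and keeps it out of the task definition; that role would then need `secretsmanager:GetSecretValue` on the two secrets. Note also that the `fixed-otp-credentials` entry is wrapped in an `IsProd` condition while the new entries are unconditional, so if production is not meant to advertise integration credentials the same condition may be wanted. The `Environment` list and the container definition begin before this hunk.
```yaml
# … unchanged: Environment entries above, including the IsProd-gated fixed-otp-credentials …
          Secrets:
            - Name: BASIC_AUTH_USERNAME
              ValueFrom: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/self-service/frontend/basic-auth-username"
            - Name: BASIC_AUTH_PASSWORD
              ValueFrom: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/self-service/frontend/basic-auth-password"
          PortMappings:
            - ContainerPort: !Ref ContainerPort
```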
@@ -8,10 +8,6 @@ Feature: A page where users can view the details associated with a client Scenario: The user is able to see the value for the field Client ID Then they should see the value for the Client ID "P0_ZdXojEGDlaZEU8Q9Zlv-fo1s" - @ci @smoke - Scenario: The user wants to view the user name and password for end journey - Then they should see the text "Username: integration-user" - And they should see the text "Password: winter2021" Rule: The the hidden content and the links which open in a new tab, are available for the user to view @ci @smoke