Merge branch 'master' into v2-1-rc2-master-into-perftest

# Conflicts:
#	Jenkinsfile_CNP
#	security.sh
#	src/main/java/uk/gov/hmcts/reform/idam/web/config/properties/StrategicConfigurationProperties.java
#	src/main/resources/application.yaml

.gitignore

@@ -29,7 +29,7 @@ build
 out
 output/
 
-**/application-local.yaml
+**/application-local*.yaml
 
 ### VS Code ###
 bin
@@ -39,4 +39,7 @@ bin
 
 ### Helm ###
 **/charts/*.tgz
-charts/*/requirements.lock
+charts/*/requirements.lock
+
+### Jenkins Additions ###
+init.gradle

Jenkinsfile_CNP

@@ -36,7 +36,6 @@ static LinkedHashMap<String, Object> secret(String secretName, String envVar) {
 withPipeline(type, product, component) {
     loadVaultSecrets(secrets)
     enableSlackNotifications('#idam_tech')
-    installCharts()
     enableAksStagingDeployment()
     disableLegacyDeployment()
 
@@ -69,6 +68,22 @@ withPipeline(type, product, component) {
                 Using IDAMAPI: ${env.IDAMAPI}""".stripIndent()
     }
 
+    before('smoketest-aks:idam-aat') {
+        env.NONPROD_ENVIRONMENT_NAME = 'aat'
+        env.IDAMAPI = "https://idam-api-staging.service.core-compute-aat.internal"
+        println """\
+                Using NONPROD_ENVIRONMENT_NAME: ${env.NONPROD_ENVIRONMENT_NAME}
+                Using IDAMAPI: ${env.IDAMAPI}""".stripIndent()
+    }
+
+    before('functionalTest-aks:idam-aat') {
+        env.NONPROD_ENVIRONMENT_NAME = 'aat'
+        env.IDAMAPI = "https://idam-api-staging.service.core-compute-aat.internal"
+        println """\
+                Using NONPROD_ENVIRONMENT_NAME: ${env.NONPROD_ENVIRONMENT_NAME}
+                Using IDAMAPI: ${env.IDAMAPI}""".stripIndent()
+    }
+
     before('buildinfra:idam-ithc') {
         env.ITHC_ENVIRONMENT_NAME = 'ithc'
         println """\
@@ -173,8 +188,8 @@ withPipeline(type, product, component) {
             reportName           : "IDAM Web Public E2E functional tests result"
         ]
     }
-
-    before('buildinfra:idam-prod') {
-        error('Stopping pipeline before Prod stages')
-    }
+  
+  before('buildinfra:idam-prod') {
+      error('Stopping pipeline before Prod stages')
+  }
 }

Jenkinsfile_nightly

@@ -10,7 +10,7 @@ properties([
     ])
 ])
 
-@Library("Infrastructure")
+@Library("Infrastructure") _
 
 def type = "java"
 
@@ -36,38 +36,28 @@ static LinkedHashMap<String, Object> secret(String secretName, String envVar) {
 }
 
 withNightlyPipeline(type, product, component) {
-
     env.TEST_URL = params.URL_TO_TEST
-
     env.IDAMAPI = params.API_URL_TO_TEST
-
     loadVaultSecrets(secrets)
-
     enableSecurityScan()
-
     enableMutationTest()
-
     enableFullFunctionalTest(200)
+    enableCrossBrowserTest()
+
+    after('crossBrowserTest') {
+        try {
+            withSauceConnect("reform_tunnel") {
+                sh "./gradlew functionalSauce"
+                steps.archiveArtifacts allowEmptyArchive: true, artifacts: 'functional-output/**/*'
+            }
+        }
+        finally {
+            steps.saucePublisher()
+        }
+    }
 
     after('fullFunctionalTest') {
 
-        sh "./gradlew smoke"
-
-        archiveArtifacts '**/build/test-results/**/*'
-
-        publishHTML target: [
-            allowMissing         : true,
-            alwaysLinkToLastBuild: true,
-            keepAll              : true,
-            reportDir            : "output",
-            reportFiles          : "idam-web-public-e2e-result.html",
-            reportName           : "IDAM Web Public E2E smoke tests result"
-        ]
-
-        sh "./gradlew functional"
-
-        archiveArtifacts '**/build/test-results/**/*'
-
         publishHTML target: [
             allowMissing : true,
             alwaysLinkToLastBuild: true,

audit.json

@@ -223,5 +223,7 @@
   "90033_Loosely Scoped Cookie_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore",
   "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/Copy of ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore",
   "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore",
+  "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/_GET" : "ignore",
+  "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET" : "ignore",
   "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore"
 }

build.gradle

@@ -6,7 +6,7 @@ plugins {
   id 'io.spring.dependency-management' version '1.0.9.RELEASE' apply false
   id 'org.owasp.dependencycheck' version '5.1.1'
   id 'org.sonarqube' version '2.6.2'
-  id 'org.springframework.boot' version '2.2.4.RELEASE' apply false
+  id 'org.springframework.boot' version '2.2.6.RELEASE' apply false
   id 'com.gorylenko.gradle-git-properties' version '1.4.21'
   id "info.solidsoft.pitest" version "1.3.0"
   id 'pmd'
@@ -17,7 +17,7 @@ gitProperties {
   dateFormat = "yyyy-MM-dd HH:mm:ssZ"
 }
 
-allprojects  {
+allprojects {
   apply plugin: 'java'
   apply plugin: 'io.spring.dependency-management'
   apply plugin: 'org.owasp.dependencycheck'
@@ -31,8 +31,7 @@ allprojects  {
   sourceCompatibility = 1.8
   targetCompatibility = 1.8
 
-  def idamBomVersion = '1.9.7'
-  ext['tomcat.version'] = '9.0.31'
+  def idamBomVersion = '2.1.0'
 
   dependencyManagement {
     imports {
@@ -43,7 +42,7 @@ allprojects  {
   repositories {
     mavenCentral()
     maven {
-       url "https://dl.bintray.com/hmcts/hmcts-maven"
+      url "https://dl.bintray.com/hmcts/hmcts-maven"
     }
     jcenter()
   }
@@ -66,18 +65,18 @@ allprojects  {
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-web'
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-security'
     // TODO: remove version once 2.2.2.RELEASE is out
-    implementation (group: 'org.springframework.cloud', name: 'spring-cloud-starter-netflix-zuul', version: '2.2.1.RELEASE') {
+    implementation(group: 'org.springframework.cloud', name: 'spring-cloud-starter-netflix-zuul', version: '2.2.1.RELEASE') {
       exclude(module: 'rxnetty-contexts')
       exclude(module: 'rxnetty-servo')
       exclude(module: 'rxnetty')
     }
     implementation group: 'org.springframework.security', name: 'spring-security-taglibs'
-    
+
     compileOnly("org.projectlombok:lombok")
-    
+
     annotationProcessor("org.projectlombok:lombok")
     annotationProcessor "org.springframework.boot:spring-boot-configuration-processor"
-    
+
     implementation group: 'javax.servlet', name: 'jstl'
     implementation group: 'javax.json', name: 'javax.json-api'
     implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind'
@@ -92,22 +91,21 @@ allprojects  {
     implementation group: 'org.pitest', name: 'pitest', version: '1.3.2'
     implementation group: 'org.owasp.encoder', name: 'encoder-jsp', version: '1.2.2'
     implementation group: 'info.solidsoft.gradle.pitest', name: 'gradle-pitest-plugin', version: '1.3.0'
-    implementation group: 'org.codehaus.sonar-plugins', name:'sonar-pitest-plugin', version: '0.5'
+    implementation group: 'org.codehaus.sonar-plugins', name: 'sonar-pitest-plugin', version: '0.5'
+    implementation group: 'uk.gov.hmcts.reform', name: 'properties-volume-spring-boot-starter', version: '0.0.4'
+    implementation group: 'uk.gov.hmcts.reform', name: 'health-spring-boot-starter', version: '0.0.4'
 
     // TODO mockito version is not correctly resolved from IdAM BOM. Remove version when this is fixed
     testCompileOnly("org.projectlombok:lombok")
-    
+
     testAnnotationProcessor("org.projectlombok:lombok")
-    
+
     testImplementation group: 'org.mockito', name: 'mockito-core'
     testImplementation group: 'org.springframework.boot', name: 'spring-boot-devtools'
-    testCompile(group: 'org.springframework.boot', name: 'spring-boot-starter-test') {
-        exclude(module: 'commons-logging')
+    testImplementation(group: 'org.springframework.boot', name: 'spring-boot-starter-test') {
+      exclude(module: 'commons-logging')
     }
     testImplementation group: 'org.springframework.security', name: 'spring-security-test'
-
-    compile group: 'uk.gov.hmcts.reform', name: 'properties-volume-spring-boot-starter', version: '0.0.4'
-    compile group: 'uk.gov.hmcts.reform', name: 'health-spring-boot-starter', version: '0.0.4'
   }
 
   tasks.withType(JavaCompile) {
@@ -153,6 +151,26 @@ allprojects  {
     commandLine 'node_modules/codeceptjs/bin/codecept.js', 'run', '--grep', '@functional', '--verbose', '--reporter', 'mocha-multi'
   }
 
+  task smokeSauce(dependsOn: ':codeceptSmokeSauce') {
+    group = 'Delivery pipeline'
+    description = 'Executes non-destructive smoke tests against a running instance'
+  }
+
+  task codeceptSmokeSauce(type: Exec, dependsOn: ':yarnInstall') {
+    workingDir '.'
+    commandLine 'node_modules/codeceptjs/bin/codecept.js', 'run', '--config', 'saucelabs.conf.js', '--steps', '--grep', '@smoke', '--verbose', '--debug', '--reporter', 'mochawesome'
+  }
+
+  task functionalSauce(dependsOn: ':codeceptFunctionalSauce') {
+    group = 'Delivery pipeline'
+    description = 'Executes non-destructive smoke tests against a running instance'
+  }
+
+  task codeceptFunctionalSauce(type: Exec, dependsOn: [':yarnInstall', ':notifyClientInstall']) {
+    workingDir '.'
+    commandLine 'node_modules/codeceptjs/bin/codecept.js', 'run-multiple', '--all', '--config', 'saucelabs.conf.js', '--grep', '@crossbrowser', '--verbose', '--debug', '--reporter', 'mochawesome'
+  }
+
   task pa11y(type: Exec, dependsOn: 'pa11yInstall') {
     workingDir '.'
     commandLine './node_modules/.bin/pa11y', '--config', 'pa11y.conf.js', System.getenv('TEST_URL')
@@ -162,20 +180,20 @@ allprojects  {
 project.tasks['sonarqube'].dependsOn test
 
 def listFiles(String pattern) {
-    return new FileNameFinder()
-        .getFileNames("${project.rootDir}", pattern)
-        .stream()
-        .collect(Collectors.joining(","))
+  return new FileNameFinder()
+    .getFileNames("${project.rootDir}", pattern)
+    .stream()
+    .collect(Collectors.joining(","))
 }
 
 sonarqube {
   properties {
     property "sonar.projectName", "SIDAM-WEB-PUBLIC"
     property "sonar.exclusions", "**/uk/gov/hmcts/reform/idam/web/config/properties/*.java," +
-            "**/uk/gov/hmcts/reform/idam/web/model/*.java," +
-            "**/uk/gov/hmcts/reform/idam/web/helper/MvcKeys.java," +
-            "**/uk/gov/hmcts/reform/idam/web/Application.java," +
-            "**/*Exception.java"
+      "**/uk/gov/hmcts/reform/idam/web/model/*.java," +
+      "**/uk/gov/hmcts/reform/idam/web/helper/MvcKeys.java," +
+      "**/uk/gov/hmcts/reform/idam/web/Application.java," +
+      "**/*Exception.java"
     property "sonar.host.url", "https://sonar.reform.hmcts.net/"
     property "sonar.pitest.mode", "reuseReport"
     property "sonar.pitest.reportsDirectory", "build/reports/pitest"

charts/idam-web-public/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for HMCTS Reform IDAM Web Public
 name: idam-web-public
-version: 0.2.3
+version: 0.2.4
 maintainers:
   - name: Amido Reform SIDAM Team
     email: reform.idam@HMCTS.NET

charts/idam-web-public/requirements.yaml

@@ -1,4 +1,4 @@
 dependencies:
   - name: java
-    version: ~2.16.0
+    version: ~2.18.0
     repository: '@hmctspublic'

charts/idam-web-public/values.aat.template.yaml

@@ -3,4 +3,8 @@ java:
   image: ${IMAGE_NAME}
   ingressHost: ${SERVICE_FQDN}
   ingressIP: ${INGRESS_IP}
-  consulIP: ${CONSUL_LB_IP}
+  consulIP: ${CONSUL_LB_IP}
+  replicas: 1
+  aadIdentityName: idam
+  environment:
+    STRATEGIC_SERVICE_URL: http://idam-api-staging.service.core-compute-aat.internal

charts/idam-web-public/values.yaml

@@ -6,6 +6,7 @@ java:
   ingressHost: "idam-web-public.service.core-compute-{{ .Values.global.environment }}.internal"
   replicas: 3
   applicationPort: 8080
+  aadIdentityName: idam
   keyVaults:
     "idam-idam":
       resourceGroup: idam-idam

dependency-check-suppressions.xml

@@ -238,4 +238,16 @@
         <cve>CVE-2019-16942</cve>
         <cve>CVE-2019-16943</cve>
     </suppress>
+
+    <!--
+    This can be exploited if file upload is used, hence not relevant to us
+    -->
+    <suppress>
+        <notes>
+            https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484
+            When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
+        </notes>
+        <gav regex="true">^org\.apache\.tomcat\.embed:tomcat-embed-.+:9\.0\.34.*$</gav>
+        <cve>CVE-2020-9484</cve>
+    </suppress>
 </suppressions>

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
-#Thu Nov 07 15:26:14 GMT 2019
+#Fri May 01 15:54:14 BST 2020
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.3-all.zip
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-5.5-all.zip
+zipStoreBase=GRADLE_USER_HOME