v2 rc1

.gitignore

@@ -29,7 +29,7 @@ build
 out
 output/
 
-**/application-local.yaml
+**/application-local*.yaml
 
 ### VS Code ###
 bin
@@ -39,4 +39,7 @@ bin
 
 ### Helm ###
 **/charts/*.tgz
-charts/*/requirements.lock
+charts/*/requirements.lock
+
+### Jenkins Additions ###
+init.gradle

Jenkinsfile_CNP

@@ -36,7 +36,6 @@ static LinkedHashMap<String, Object> secret(String secretName, String envVar) {
 withPipeline(type, product, component) {
     loadVaultSecrets(secrets)
     enableSlackNotifications('#idam_tech')
-    installCharts()
     enableAksStagingDeployment()
     disableLegacyDeployment()
 
@@ -189,4 +188,8 @@ withPipeline(type, product, component) {
             reportName           : "IDAM Web Public E2E functional tests result"
         ]
     }
+
+  before('buildinfra:idam-prod') {
+      error('Stopping pipeline before Prod stages')
+  }
 }

build.gradle

@@ -6,7 +6,7 @@ plugins {
   id 'io.spring.dependency-management' version '1.0.9.RELEASE' apply false
   id 'org.owasp.dependencycheck' version '5.1.1'
   id 'org.sonarqube' version '2.6.2'
-  id 'org.springframework.boot' version '2.2.4.RELEASE' apply false
+  id 'org.springframework.boot' version '2.2.6.RELEASE' apply false
   id 'com.gorylenko.gradle-git-properties' version '1.4.21'
   id "info.solidsoft.pitest" version "1.3.0"
   id 'pmd'
@@ -17,7 +17,7 @@ gitProperties {
   dateFormat = "yyyy-MM-dd HH:mm:ssZ"
 }
 
-allprojects  {
+allprojects {
   apply plugin: 'java'
   apply plugin: 'io.spring.dependency-management'
   apply plugin: 'org.owasp.dependencycheck'
@@ -31,8 +31,7 @@ allprojects  {
   sourceCompatibility = 1.8
   targetCompatibility = 1.8
 
-  def idamBomVersion = '1.9.7'
-  ext['tomcat.version'] = '9.0.31'
+  def idamBomVersion = '2.1.0'
 
   dependencyManagement {
     imports {
@@ -43,7 +42,7 @@ allprojects  {
   repositories {
     mavenCentral()
     maven {
-       url "https://dl.bintray.com/hmcts/hmcts-maven"
+      url "https://dl.bintray.com/hmcts/hmcts-maven"
     }
     jcenter()
   }
@@ -66,18 +65,18 @@ allprojects  {
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-web'
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-security'
     // TODO: remove version once 2.2.2.RELEASE is out
-    implementation (group: 'org.springframework.cloud', name: 'spring-cloud-starter-netflix-zuul', version: '2.2.1.RELEASE') {
+    implementation(group: 'org.springframework.cloud', name: 'spring-cloud-starter-netflix-zuul', version: '2.2.1.RELEASE') {
       exclude(module: 'rxnetty-contexts')
       exclude(module: 'rxnetty-servo')
       exclude(module: 'rxnetty')
     }
     implementation group: 'org.springframework.security', name: 'spring-security-taglibs'
-    
+
     compileOnly("org.projectlombok:lombok")
-    
+
     annotationProcessor("org.projectlombok:lombok")
     annotationProcessor "org.springframework.boot:spring-boot-configuration-processor"
-    
+
     implementation group: 'javax.servlet', name: 'jstl'
     implementation group: 'javax.json', name: 'javax.json-api'
     implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind'
@@ -92,22 +91,21 @@ allprojects  {
     implementation group: 'org.pitest', name: 'pitest', version: '1.3.2'
     implementation group: 'org.owasp.encoder', name: 'encoder-jsp', version: '1.2.2'
     implementation group: 'info.solidsoft.gradle.pitest', name: 'gradle-pitest-plugin', version: '1.3.0'
-    implementation group: 'org.codehaus.sonar-plugins', name:'sonar-pitest-plugin', version: '0.5'
+    implementation group: 'org.codehaus.sonar-plugins', name: 'sonar-pitest-plugin', version: '0.5'
+    implementation group: 'uk.gov.hmcts.reform', name: 'properties-volume-spring-boot-starter', version: '0.0.4'
+    implementation group: 'uk.gov.hmcts.reform', name: 'health-spring-boot-starter', version: '0.0.4'
 
     // TODO mockito version is not correctly resolved from IdAM BOM. Remove version when this is fixed
     testCompileOnly("org.projectlombok:lombok")
-    
+
     testAnnotationProcessor("org.projectlombok:lombok")
-    
+
     testImplementation group: 'org.mockito', name: 'mockito-core'
     testImplementation group: 'org.springframework.boot', name: 'spring-boot-devtools'
-    testCompile(group: 'org.springframework.boot', name: 'spring-boot-starter-test') {
-        exclude(module: 'commons-logging')
+    testImplementation(group: 'org.springframework.boot', name: 'spring-boot-starter-test') {
+      exclude(module: 'commons-logging')
     }
     testImplementation group: 'org.springframework.security', name: 'spring-security-test'
-
-    compile group: 'uk.gov.hmcts.reform', name: 'properties-volume-spring-boot-starter', version: '0.0.4'
-    compile group: 'uk.gov.hmcts.reform', name: 'health-spring-boot-starter', version: '0.0.4'
   }
 
   tasks.withType(JavaCompile) {
@@ -160,7 +158,8 @@ allprojects  {
 
   task codeceptSmokeSauce(type: Exec, dependsOn: ':yarnInstall') {
     workingDir '.'
-    commandLine 'node_modules/codeceptjs/bin/codecept.js', 'run', '--config', 'saucelabs.conf.js','--steps', '--grep', '@smoke', '--verbose', '--debug', '--reporter', 'mochawesome'
+    commandLine 'node_modules/codeceptjs/bin/codecept.js', 'run', '--config', 'saucelabs.conf.js', '--steps', '--grep', '@smoke', '--verbose', '--debug', '--reporter', 'mochawesome'
+
   }
 
   task functionalSauce(dependsOn: ':codeceptFunctionalSauce') {
@@ -182,20 +181,20 @@ allprojects  {
 project.tasks['sonarqube'].dependsOn test
 
 def listFiles(String pattern) {
-    return new FileNameFinder()
-        .getFileNames("${project.rootDir}", pattern)
-        .stream()
-        .collect(Collectors.joining(","))
+  return new FileNameFinder()
+    .getFileNames("${project.rootDir}", pattern)
+    .stream()
+    .collect(Collectors.joining(","))
 }
 
 sonarqube {
   properties {
     property "sonar.projectName", "SIDAM-WEB-PUBLIC"
     property "sonar.exclusions", "**/uk/gov/hmcts/reform/idam/web/config/properties/*.java," +
-            "**/uk/gov/hmcts/reform/idam/web/model/*.java," +
-            "**/uk/gov/hmcts/reform/idam/web/helper/MvcKeys.java," +
-            "**/uk/gov/hmcts/reform/idam/web/Application.java," +
-            "**/*Exception.java"
+      "**/uk/gov/hmcts/reform/idam/web/model/*.java," +
+      "**/uk/gov/hmcts/reform/idam/web/helper/MvcKeys.java," +
+      "**/uk/gov/hmcts/reform/idam/web/Application.java," +
+      "**/*Exception.java"
     property "sonar.host.url", "https://sonar.reform.hmcts.net/"
     property "sonar.pitest.mode", "reuseReport"
     property "sonar.pitest.reportsDirectory", "build/reports/pitest"

charts/idam-web-public/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for HMCTS Reform IDAM Web Public
 name: idam-web-public
-version: 0.2.3
+version: 0.2.4
 maintainers:
   - name: Amido Reform SIDAM Team
     email: reform.idam@HMCTS.NET

charts/idam-web-public/requirements.yaml

@@ -1,4 +1,4 @@
 dependencies:
   - name: java
-    version: ~2.16.0
+    version: ~2.18.0
     repository: '@hmctspublic'

charts/idam-web-public/values.yaml

@@ -6,6 +6,7 @@ java:
   ingressHost: "idam-web-public.service.core-compute-{{ .Values.global.environment }}.internal"
   replicas: 3
   applicationPort: 8080
+  aadIdentityName: idam
   keyVaults:
     "idam-idam":
       resourceGroup: idam-idam

dependency-check-suppressions.xml

@@ -238,4 +238,16 @@
         <cve>CVE-2019-16942</cve>
         <cve>CVE-2019-16943</cve>
     </suppress>
+
+    <!--
+    This can be exploited if file upload is used, hence not relevant to us
+    -->
+    <suppress>
+        <notes>
+            https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484
+            When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
+        </notes>
+        <gav regex="true">^org\.apache\.tomcat\.embed:tomcat-embed-.+:9\.0\.34.*$</gav>
+        <cve>CVE-2020-9484</cve>
+    </suppress>
 </suppressions>

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
-#Thu Nov 07 15:26:14 GMT 2019
+#Fri May 01 15:54:14 BST 2020
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.3-all.zip
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-5.5-all.zip
+zipStoreBase=GRADLE_USER_HOME

gradlew

@@ -125,8 +125,8 @@ if $darwin; then
     GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
 fi
 
-# For Cygwin, switch paths to Windows format before running java
-if $cygwin ; then
+# For Cygwin or MSYS, switch paths to Windows format before running java
+if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
     APP_HOME=`cygpath --path --mixed "$APP_HOME"`
     CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
     JAVACMD=`cygpath --unix "$JAVACMD"`
@@ -154,19 +154,19 @@ if $cygwin ; then
         else
             eval `echo args$i`="\"$arg\""
         fi
-        i=$((i+1))
+        i=`expr $i + 1`
     done
     case $i in
-        (0) set -- ;;
-        (1) set -- "$args0" ;;
-        (2) set -- "$args0" "$args1" ;;
-        (3) set -- "$args0" "$args1" "$args2" ;;
-        (4) set -- "$args0" "$args1" "$args2" "$args3" ;;
-        (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
-        (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
-        (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
-        (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
-        (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
+        0) set -- ;;
+        1) set -- "$args0" ;;
+        2) set -- "$args0" "$args1" ;;
+        3) set -- "$args0" "$args1" "$args2" ;;
+        4) set -- "$args0" "$args1" "$args2" "$args3" ;;
+        5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
+        6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
+        7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
+        8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
+        9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
     esac
 fi
 
@@ -175,14 +175,9 @@ save () {
     for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
     echo " "
 }
-APP_ARGS=$(save "$@")
+APP_ARGS=`save "$@"`
 
 # Collect all arguments for the java command, following the shell quoting and substitution rules
 eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
 
-# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong
-if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then
-  cd "$(dirname "$0")"
-fi
-
 exec "$JAVACMD" "$@"

gradlew.bat

@@ -29,6 +29,9 @@ if "%DIRNAME%" == "" set DIRNAME=.
 set APP_BASE_NAME=%~n0
 set APP_HOME=%DIRNAME%
 
+@rem Resolve any "." and ".." in APP_HOME to make it shorter.
+for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
+
 @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"