chore(v4): merge v4.0.1 into preview

.pre-commit-config.yaml

@@ -0,0 +1,5 @@
+repos:
+- repo: git://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.18.0
+  hooks:
+  - id: terraform_fmt

build.gradle

@@ -4,9 +4,9 @@ plugins {
   id 'java'
   id 'jacoco'
   id 'io.spring.dependency-management' version '1.0.9.RELEASE' apply false
-  id 'org.owasp.dependencycheck' version '5.1.1'
+  id 'org.owasp.dependencycheck' version '5.3.2.1'
   id 'org.sonarqube' version '2.6.2'
-  id 'org.springframework.boot' version '2.2.8.RELEASE' apply false
+  id 'org.springframework.boot' version '2.2.10.RELEASE' apply false
   id 'com.gorylenko.gradle-git-properties' version '1.4.21'
   id "info.solidsoft.pitest" version "1.4.6"
   id 'pmd'
@@ -35,6 +35,7 @@ allprojects {
   //TODO: Remove once spring boot have updated versions to match
   ext['tomcat.version'] = '9.0.37'
   ext['log4j2.version'] = '2.13.3'
+  ext['spring.boot.version'] = '2.2.10.RELEASE'
 
   dependencyManagement {
     imports {
@@ -59,6 +60,10 @@ allprojects {
     analyzers {
       // Disable scanning of .NET related binaries
       assemblyEnabled = false
+      nodeEnabled = false
+      nodeAudit {
+        enabled = false
+      }
     }
   }
 
@@ -74,12 +79,12 @@ allprojects {
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-oauth2-client'
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-oauth2-resource-server'
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-data-redis-reactive'
-    implementation group: 'org.springframework.session', name: 'spring-session-data-redis', version: '2.2.3.RELEASE'
+    implementation group: 'org.springframework.session', name: 'spring-session-data-redis', version: '2.2.4.RELEASE'
 
     implementation group: 'io.github.openfeign', name: 'feign-jackson', version: '10.11'
     implementation group: 'io.github.openfeign', name: 'feign-okhttp', version: '10.11'
-    implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-openfeign', version: '2.2.3.RELEASE'
-    implementation(group: 'org.springframework.cloud', name: 'spring-cloud-starter-netflix-zuul', version: '2.2.3.RELEASE') {
+    implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-openfeign', version: '2.2.5.RELEASE'
+    implementation(group: 'org.springframework.cloud', name: 'spring-cloud-starter-netflix-zuul', version: '2.2.5.RELEASE') {
       exclude(module: 'rxnetty-contexts')
       exclude(module: 'rxnetty-servo')
       exclude(module: 'rxnetty')

dependency-check-suppressions.xml

@@ -193,7 +193,7 @@
         <cve>CVE-2014-0119</cve>
         <cve>CVE-2016-5388</cve>
     </suppress>
-    
+
     <!--
     This vulnerability can only be exploited if polymorphic typing is enabled on the default
     object mapper, hence not relevant to us.
@@ -214,7 +214,7 @@
     ONLY UNTIL 2019-10-01. No invulnerable package currently
     -->
     <suppress>
-        <notes> 
+        <notes>
         https://www.cvedetails.com/cve/CVE-2019-12384/
         FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
         </notes>
@@ -280,6 +280,60 @@
         <cve>CVE-2019-16370</cve>
     </suppress>
 
+    <suppress>
+        <notes>
+            TODO: fix these: suppress some netflix CVEs to deploy a hotfix
+        </notes>
+        <gav regex="true">^com\.netflix\.servo:servo-core:0\.10\.1$</gav>
+        <cve>CVE-2014-0047</cve>
+        <cve>CVE-2014-0048</cve>
+        <cve>CVE-2014-5277</cve>
+        <cve>CVE-2014-5278</cve>
+        <cve>CVE-2014-5282</cve>
+        <cve>CVE-2014-6407</cve>
+        <cve>CVE-2014-8178</cve>
+        <cve>CVE-2014-8179</cve>
+        <cve>CVE-2014-9356</cve>
+        <cve>CVE-2014-9358</cve>
+        <cve>CVE-2015-3627</cve>
+        <cve>CVE-2015-3630</cve>
+        <cve>CVE-2015-3631</cve>
+        <cve>CVE-2016-3697</cve>
+        <cve>CVE-2017-14992</cve>
+        <cve>CVE-2019-13139</cve>
+        <cve>CVE-2019-13509</cve>
+        <cve>CVE-2019-15752</cve>
+        <cve>CVE-2019-16884</cve>
+        <cve>CVE-2019-5736</cve>
+    </suppress>
+
+    <suppress>
+        <notes>
+            TODO: fix these: suppress some netflix CVEs to deploy a hotfix
+        </notes>
+        <gav regex="true">^com\.netflix\.servo:servo-internal:0\.10\.1$</gav>
+        <cve>CVE-2014-0047</cve>
+        <cve>CVE-2014-0048</cve>
+        <cve>CVE-2014-5277</cve>
+        <cve>CVE-2014-5278</cve>
+        <cve>CVE-2014-5282</cve>
+        <cve>CVE-2014-6407</cve>
+        <cve>CVE-2014-8178</cve>
+        <cve>CVE-2014-8179</cve>
+        <cve>CVE-2014-9356</cve>
+        <cve>CVE-2014-9358</cve>
+        <cve>CVE-2015-3627</cve>
+        <cve>CVE-2015-3630</cve>
+        <cve>CVE-2015-3631</cve>
+        <cve>CVE-2016-3697</cve>
+        <cve>CVE-2017-14992</cve>
+        <cve>CVE-2019-13139</cve>
+        <cve>CVE-2019-13509</cve>
+        <cve>CVE-2019-15752</cve>
+        <cve>CVE-2019-16884</cve>
+        <cve>CVE-2019-5736</cve>
+    </suppress>
+
     <!--
     This dependency is a transitional dependency of spring-security-oauth2-client,
     as such could only be exploited by developers.

src/main/java/uk/gov/hmcts/reform/idam/web/AppController.java

@@ -29,7 +29,6 @@
 import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.client.HttpServerErrorException;
 import org.springframework.web.servlet.ModelAndView;
-import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 import org.springframework.web.servlet.view.RedirectView;
 import uk.gov.hmcts.reform.idam.api.internal.model.ErrorResponse;
 import uk.gov.hmcts.reform.idam.api.internal.model.Service;
@@ -74,6 +73,12 @@
 @Controller
 public class AppController {
 
+    private static final String REDIRECT_RESET_INACTIVE_USER = "redirect:/reset/inactive-user";
+    public static final String LOGIN_FAILURE_ERROR_CODE = "Login failure";
+    public static final String REDIRECT_PREFIX = "redirect:";
+    public static final String IDAM_AUTH_ID_COOKIE_PREFIX = "Idam.AuthId=";
+    public static final String ERROR_TITLE = "Error";
+
     @Autowired
     private SPIService spiService;
 
@@ -204,7 +209,7 @@ public ModelAndView upliftRegister(@ModelAttribute("registerUserCommand") @Valid
                     model.put("client_id", request.getClient_id());
                     model.put("redirect_uri", request.getRedirect_uri());
                     model.put("state", request.getState());
-                    return new ModelAndView("redirect:/reset/inactive-user", model);
+                    return new ModelAndView(REDIRECT_RESET_INACTIVE_USER, model);
                 }
 
                 msg = "PIN user not longer valid";
@@ -318,6 +323,8 @@ public String loginView(@ModelAttribute("authorizeCommand") AuthorizeRequest req
 
         model.addAttribute(RESPONSE_TYPE, request.getResponse_type());
         model.addAttribute(STATE, request.getState());
+        model.addAttribute(NONCE, request.getNonce());
+        model.addAttribute(PROMPT, request.getPrompt());
         model.addAttribute(CLIENT_ID, request.getClient_id());
         model.addAttribute(REDIRECT_URI, request.getRedirect_uri());
         model.addAttribute(SCOPE, request.getScope());
@@ -387,7 +394,7 @@ public ModelAndView login(@ModelAttribute("authorizeCommand") @Validated Authori
                 if (cookies == null) {
                     log.info("/login: Authenticate returned no cookies for user - {}", obfuscateEmailAddress(request.getUsername()));
                     model.addAttribute(HAS_LOGIN_FAILED, true);
-                    bindingResult.reject("Login failure");
+                    bindingResult.reject(LOGIN_FAILURE_ERROR_CODE);
                     return new ModelAndView(LOGIN_VIEW, model.asMap());
                 }
 
@@ -416,11 +423,11 @@ public ModelAndView login(@ModelAttribute("authorizeCommand") @Validated Authori
                         log.info("/login: Successful login - {}", obfuscateEmailAddress(request.getUsername()));
                         List<String> secureCookies = authHelper.makeCookiesSecure(cookies);
                         secureCookies.forEach(cookie -> response.addHeader(HttpHeaders.SET_COOKIE, cookie));
-                        return new ModelAndView("redirect:" + responseUrl);
+                        return new ModelAndView(REDIRECT_PREFIX + responseUrl);
                     } else {
                         log.info("/login: There is a problem while logging in  user - {}", obfuscateEmailAddress(request.getUsername()));
                         model.addAttribute(HAS_LOGIN_FAILED, true);
-                        bindingResult.reject("Login failure");
+                        bindingResult.reject(LOGIN_FAILURE_ERROR_CODE);
                         return new ModelAndView(LOGIN_VIEW, model.asMap());
                     }
                 }
@@ -430,9 +437,11 @@ public ModelAndView login(@ModelAttribute("authorizeCommand") @Validated Authori
                     case ACCOUNT_LOCKED:
                         model.addAttribute(IS_ACCOUNT_LOCKED, true);
                         bindingResult.reject("Account locked");
+                        return new ModelAndView(LOGIN_VIEW, model.asMap());
                     case ACCOUNT_SUSPENDED:
                         model.addAttribute(IS_ACCOUNT_SUSPENDED, true);
                         bindingResult.reject("Account suspended");
+                        return new ModelAndView(LOGIN_VIEW, model.asMap());
                     case POLICIES_FAIL:
                         log.info("/login: User failed policy checks - {}", obfuscateEmailAddress(request.getUsername()));
                         model.addAttribute(HAS_POLICY_CHECK_FAILED, true);
@@ -443,19 +452,19 @@ public ModelAndView login(@ModelAttribute("authorizeCommand") @Validated Authori
                         staleUserResetPasswordParams.remove(USERNAME);
                         staleUserResetPasswordParams.remove(PASSWORD);
                         staleUserResetPasswordParams.remove(SELF_REGISTRATION_ENABLED);
-                        return new ModelAndView("redirect:/reset/inactive-user", staleUserResetPasswordParams);
+                        return new ModelAndView(REDIRECT_RESET_INACTIVE_USER, staleUserResetPasswordParams);
                     default:
                         model.addAttribute(HAS_LOGIN_FAILED, true);
-                        bindingResult.reject("Login failure");
+                        bindingResult.reject(LOGIN_FAILURE_ERROR_CODE);
                 }
             } else {
                 model.addAttribute(HAS_LOGIN_FAILED, true);
-                bindingResult.reject("Login failure");
+                bindingResult.reject(LOGIN_FAILURE_ERROR_CODE);
             }
         } catch (HttpClientErrorException | HttpServerErrorException | JsonProcessingException he) {
             log.info("/login: Login failed for user - {}", obfuscateEmailAddress(request.getUsername()));
             model.addAttribute(HAS_LOGIN_FAILED, true);
-            bindingResult.reject("Login failure");
+            bindingResult.reject(LOGIN_FAILURE_ERROR_CODE);
         }
         return new ModelAndView(LOGIN_VIEW, model.asMap());
     }
@@ -555,10 +564,10 @@ public ModelAndView verification(@ModelAttribute("authorizeCommand") @Validated
         try {
             final String authId = StringUtils.substringAfter(
                 cookies.stream()
-                    .filter(cookie -> cookie.startsWith("Idam.AuthId="))
+                    .filter(cookie -> cookie.startsWith(IDAM_AUTH_ID_COOKIE_PREFIX))
                     .findFirst()
                     .orElseThrow(),
-                "Idam.AuthId=");
+                IDAM_AUTH_ID_COOKIE_PREFIX);
             final List<String> responseCookies = spiService.submitOtpeAuthentication(authId, ipAddress, request.getCode());
             log.info("/verification: Successful OTP submission request");
 
@@ -568,7 +577,7 @@ public ModelAndView verification(@ModelAttribute("authorizeCommand") @Validated
                 log.info("/verification: Successful login");
                 List<String> secureCookies = authHelper.makeCookiesSecure(responseCookies);
                 secureCookies.forEach(cookie -> response.addHeader(HttpHeaders.SET_COOKIE, cookie));
-                return new ModelAndView("redirect:" + responseUrl);
+                return new ModelAndView(REDIRECT_PREFIX + responseUrl);
             } else {
                 log.info("/verification: There is a problem while logging in user");
                 return redirectToLoginOnFailedOtpVerification(request, bindingResult, model);
@@ -594,8 +603,8 @@ public ModelAndView verification(@ModelAttribute("authorizeCommand") @Validated
                             .get(HttpHeaders.SET_COOKIE))
                         .orElse(new ArrayList<>())
                         .stream()
-                        .filter(cookie -> cookie.startsWith("Idam.AuthId="))
-                        .map(cookie -> StringUtils.substringAfter(cookie, "Idam.AuthId="))
+                        .filter(cookie -> cookie.startsWith(IDAM_AUTH_ID_COOKIE_PREFIX))
+                        .map(cookie -> StringUtils.substringAfter(cookie, IDAM_AUTH_ID_COOKIE_PREFIX))
                         .findFirst()
                         .ifPresent(authId -> response.addCookie(new Cookie("Idam.AuthId", authId)));
                     return new ModelAndView(VERIFICATION_VIEW, model.asMap());
@@ -620,7 +629,7 @@ private ModelAndView redirectToLoginOnFailedOtpVerification(VerificationRequest
                                                                 BindingResult bindingResult,
                                                                 Model model) {
         model.addAttribute("hasOtpCheckFailed", true);
-        bindingResult.reject("Login failure");
+        bindingResult.reject(LOGIN_FAILURE_ERROR_CODE);
         model.addAttribute("authorizeCommand", request);
         model.addAttribute(USERNAME, null);
         return new ModelAndView("redirect:/" + LOGIN_VIEW, model.asMap());
@@ -651,7 +660,7 @@ public ModelAndView upliftLogin(@Validated UpliftRequest request, BindingResult
             return new ModelAndView(UPLIFT_LOGIN_VIEW, modelMap);
         }
 
-        String redirectUrl = "redirect:";
+        String redirectUrl = REDIRECT_PREFIX;
         try {
             final String jsonResponse = spiService.uplift(request.getUsername(), request.getPassword(), request.getJwt(),
                 request.getRedirect_uri(), request.getClient_id(), request.getState(), request.getScope());
@@ -666,7 +675,7 @@ public ModelAndView upliftLogin(@Validated UpliftRequest request, BindingResult
                 model.put("redirect_uri", request.getRedirect_uri());
                 model.put("state", request.getState());
                 model.put("scope", request.getScope());
-                return new ModelAndView("redirect:/reset/inactive-user", model);
+                return new ModelAndView(REDIRECT_RESET_INACTIVE_USER, model);
             } else {
                 log.error("Uplift process exception: {}", ex.getMessage(), ex);
 
@@ -709,7 +718,7 @@ public String loginWithPin(@RequestParam(value = "pin", required = false) String
 
         try {
 
-            return "redirect:" + spiService.loginWithPin(pin, redirectUri, state, clientId); //NOSONAR
+            return REDIRECT_PREFIX + spiService.loginWithPin(pin, redirectUri, state, clientId); //NOSONAR
 
         } catch (HttpClientErrorException | BadCredentialsException e) {
             log.error("Problem with pin: {}", e.getMessage());
@@ -797,14 +806,14 @@ public String resetPassword(final String action, final String password1, final S
         } catch (HttpClientErrorException e) {
             log.error("Error resetting password: {}", e.getResponseBodyAsString(), e);
             if (e.getStatusCode() == HttpStatus.PRECONDITION_FAILED) {
-                ErrorHelper.showError("Error", "public.common.error.invalid.password", "public.common.error.invalid.password", "", model);
+                ErrorHelper.showError(ERROR_TITLE, "public.common.error.invalid.password", "public.common.error.invalid.password", "", model);
             } else if (e.getStatusCode() == HttpStatus.BAD_REQUEST) {
                 if (validationService.isErrorInResponse(e.getResponseBodyAsString(), ErrorResponse.CodeEnum.PASSWORD_BLACKLISTED)) {
-                    ErrorHelper.showError("Error", "public.common.error.blacklisted.password", "public.common.error.blacklisted.password", "public.common.error.enter.password", model);
+                    ErrorHelper.showError(ERROR_TITLE, "public.common.error.blacklisted.password", "public.common.error.blacklisted.password", "public.common.error.enter.password", model);
                 } else if (validationService.isErrorInResponse(e.getResponseBodyAsString(), ErrorResponse.CodeEnum.PASSWORD_CONTAINS_PERSONAL_INFO)) {
-                    ErrorHelper.showError("Error", "public.common.error.containspersonalinfo.password", "public.common.error.containspersonalinfo.password", "public.common.error.enter.password", model);
+                    ErrorHelper.showError(ERROR_TITLE, "public.common.error.containspersonalinfo.password", "public.common.error.containspersonalinfo.password", "public.common.error.enter.password", model);
                 } else if (validationService.isErrorInResponse(e.getResponseBodyAsString(), ErrorResponse.CodeEnum.ACCOUNT_LOCKED)) {
-                    ErrorHelper.showError("Error", "public.common.error.previously.used.password", "public.common.error.password.details", "public.common.error.enter.password", model);
+                    ErrorHelper.showError(ERROR_TITLE, "public.common.error.previously.used.password", "public.common.error.password.details", "public.common.error.enter.password", model);
                 }
             } else if (e.getStatusCode() == HttpStatus.NOT_FOUND) {
                 return "redirect:expiredtoken";

src/main/java/uk/gov/hmcts/reform/idam/web/config/AppConfiguration.java

@@ -29,4 +29,4 @@ protected void configure(HttpSecurity http) throws Exception {
         // @formatter:on
     }
 
-}
+}

src/main/java/uk/gov/hmcts/reform/idam/web/config/FeignConfiguration.java

@@ -84,13 +84,13 @@ public Client client() {
         Dispatcher dispatcher = new Dispatcher();
         dispatcher.setMaxRequests(200);
         dispatcher.setMaxRequestsPerHost(200);
-        OkHttpClient httpClient = new OkHttpClient.Builder()
+        OkHttpClient newHttpClient = new OkHttpClient.Builder()
             .dispatcher(dispatcher)
             .readTimeout(20000, TimeUnit.MILLISECONDS)
             .followRedirects(false)
             .followSslRedirects(false)
             .build();
-        return new feign.okhttp.OkHttpClient(httpClient);
+        return new feign.okhttp.OkHttpClient(newHttpClient);
     }
 
     public Encoder feignFormEncoder() {

src/main/java/uk/gov/hmcts/reform/idam/web/config/IdamWebMvcConfiguration.java

@@ -5,7 +5,6 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.CacheControl;
 import org.springframework.http.MediaType;
-import org.springframework.web.servlet.HandlerInterceptor;
 import org.springframework.web.servlet.LocaleResolver;
 import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;

src/main/java/uk/gov/hmcts/reform/idam/web/config/SessionConfiguration.java

@@ -24,7 +24,7 @@ public CookieSerializer cookieSerializer() {
         DefaultCookieSerializer serializer = new DefaultCookieSerializer();
         serializer.setCookieName("Idam.SSOSession");
         serializer.setCookiePath("/");
-        serializer.setDomainNamePattern("^.+?\\.(\\w+\\.[a-z]+)$");
+        // serializer.setDomainNamePattern("^.+?\\.(\\w+\\.[a-z]+)$");
         serializer.setCookieMaxAge(FIVE_DAYS_IN_SECONDS);
         serializer.setUseSecureCookie(useSecureCookie);
         return serializer;

src/main/java/uk/gov/hmcts/reform/idam/web/helper/ErrorHelper.java

@@ -1,5 +1,6 @@
 package uk.gov.hmcts.reform.idam.web.helper;
 
+import lombok.experimental.UtilityClass;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.client.HttpClientErrorException;
@@ -11,6 +12,7 @@
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 
+@UtilityClass
 public class ErrorHelper {
 
     private static final String ERROR = "error";