[runbook task] Merge 5.0 into master

Jenkinsfile_CNP

@@ -48,9 +48,9 @@ withPipeline(type, product, component) {
                 Using PREVIEW_ENVIRONMENT_NAME: ${env.PREVIEW_ENVIRONMENT_NAME}
                 Using NONPROD_ENVIRONMENT_NAME: ${env.NONPROD_ENVIRONMENT_NAME}""".stripIndent()
     }
-
+    
     before('smoketest-aks:idam-preview') {
-        env.PREVIEW_ENVIRONMENT_NAME = 'preview'
+        env.PREVIEW_ENVIRONMENT_NAME = 'preview'   
         env.NONPROD_ENVIRONMENT_NAME = 'preview'
         env.IDAMAPI = "https://idam-api.service.core-compute-preview.internal"
         println """\
@@ -68,7 +68,7 @@ withPipeline(type, product, component) {
                 Using NONPROD_ENVIRONMENT_NAME: ${env.NONPROD_ENVIRONMENT_NAME}
                 Using IDAMAPI: ${env.IDAMAPI}""".stripIndent()
     }
-
+    
     before('smoketest-aks:idam-aat') {
         env.NONPROD_ENVIRONMENT_NAME = 'aat'
         env.IDAMAPI = "https://idam-api-staging.service.core-compute-aat.internal"
@@ -84,7 +84,7 @@ withPipeline(type, product, component) {
                 Using NONPROD_ENVIRONMENT_NAME: ${env.NONPROD_ENVIRONMENT_NAME}
                 Using IDAMAPI: ${env.IDAMAPI}""".stripIndent()
     }
-
+    
     before('buildinfra:idam-ithc') {
         env.ITHC_ENVIRONMENT_NAME = 'ithc'
         println """\
@@ -98,7 +98,7 @@ withPipeline(type, product, component) {
                 Using PREVIEW_ENVIRONMENT_NAME: ${env.PREVIEW_ENVIRONMENT_NAME}
                 Using NONPROD_ENVIRONMENT_NAME: ${env.NONPROD_ENVIRONMENT_NAME}""".stripIndent()
     }
-
+    
     after('smoketest-aks:idam-preview') {
         env.PREVIEW_ENVIRONMENT_NAME = 'idam-preview'
         env.NONPROD_ENVIRONMENT_NAME = 'idam-aat'
@@ -115,7 +115,7 @@ withPipeline(type, product, component) {
                 Using NONPROD_ENVIRONMENT_NAME: ${env.NONPROD_ENVIRONMENT_NAME}""".stripIndent()
     }
     // End AKS Callbacks
-
+    
     after('test') {
         publishHTML target: [
             allowMissing         : true,
@@ -189,8 +189,4 @@ withPipeline(type, product, component) {
             reportName           : "IDAM Web Public E2E functional tests result"
         ]
     }
-
-    before('buildinfra:idam-prod') {
-        error('Stopping pipeline before Prod stages')
-    }
 }

build.gradle

@@ -31,9 +31,9 @@ allprojects {
   sourceCompatibility = 11
   targetCompatibility = 11
 
-  def idamBomVersion = '2.3.9'
+  def idamBomVersion = '2.5.1'
   //TODO: Remove once spring boot have updated versions to match
-  ext['tomcat.version'] = '9.0.37'
+  ext['tomcat.version'] = '9.0.39'
   ext['log4j2.version'] = '2.13.3'
   ext['spring.boot.version'] = '2.2.10.RELEASE'
 
@@ -116,6 +116,7 @@ allprojects {
 
     testCompileOnly("org.projectlombok:lombok")
     testAnnotationProcessor("org.projectlombok:lombok")
+    testCompile('pl.pragmatists:JUnitParams:1.1.1')
 
     testImplementation group: 'org.mockito', name: 'mockito-core'
     testImplementation group: 'org.springframework', name: 'spring-test'

src/main/java/uk/gov/hmcts/reform/idam/web/config/properties/FeaturesConfigurationProperties.java

@@ -5,4 +5,5 @@
 @Data
 public class FeaturesConfigurationProperties {
     private boolean federatedSSO;
+    private boolean stepUpAuthentication;
 }

src/main/java/uk/gov/hmcts/reform/idam/web/helper/ErrorHelper.java

@@ -39,6 +39,12 @@ public static void showError(String errorTitle, String errorMessage, String erro
         model.put(ERROR_LABEL_TWO, errorLabelTwo);
     }
 
+    public static void showError(String errorLabelOne, String errorLabelTwo, Map<String, Object> model) {
+        model.put(ERROR, ERROR);
+        model.put(ERROR_LABEL_ONE, errorLabelOne);
+        model.put(ERROR_LABEL_TWO, errorLabelTwo);
+    }
+
     public static HttpStatusCodeException restException(@Nullable String message,
                                                         HttpStatus status, HttpHeaders headers,
                                                         String error, String description) {

src/main/java/uk/gov/hmcts/reform/idam/web/sso/SSOZuulFilter.java

@@ -19,6 +19,8 @@
 @Component
 public class SSOZuulFilter extends ZuulFilter {
 
+    public static final int FILTER_ORDER = 0;
+
     private final ConfigurationProperties configurationProperties;
     private final SSOService ssoService;
 
@@ -35,7 +37,7 @@ public String filterType() {
 
     @Override
     public int filterOrder() {
-        return 0;
+        return FILTER_ORDER;
     }
 
     @Override

src/main/java/uk/gov/hmcts/reform/idam/web/strategic/SPIService.java

@@ -128,15 +128,30 @@ public String uplift(final String username, final String password, final String
     }
 
     public ApiAuthResult authenticate(final String username, final String password, final String redirectUri, final String ipAddress) throws JsonProcessingException {
+        return authenticate(username, password, null, redirectUri, ipAddress);
+    }
+
+    public ApiAuthResult authenticate(final String tokenId, final String redirectUri, final String ipAddress) throws JsonProcessingException {
+        return authenticate(null, null, tokenId, redirectUri, ipAddress);
+    }
+
+    protected ApiAuthResult authenticate(final String username, final String password, final String tokenId, final String redirectUri, final String ipAddress) throws JsonProcessingException {
         MultiValueMap<String, String> form = new LinkedMultiValueMap<>(4);
-        form.add("username", username);
-        form.add("password", password);
+        if (username != null) {
+            form.add("username", username);
+        }
+        if (password != null) {
+            form.add("password", password);
+        }
         form.add("redirectUri", redirectUri);
         form.add("originIp", ipAddress);
 
         HttpHeaders headers = new HttpHeaders();
         headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
         headers.add(X_FORWARDED_FOR, ipAddress);
+        if (tokenId != null) {
+            headers.add(HttpHeaders.COOKIE, configurationProperties.getStrategic().getSession().getIdamSessionCookie() + "=" + tokenId);
+        }
 
         final ApiAuthResult.ApiAuthResultBuilder resultBuilder = ApiAuthResult.builder();
 
@@ -175,11 +190,11 @@ public ApiAuthResult authenticate(final String username, final String password,
      * @should not send state and scope parameters in form if they are not send as parameter in the service
      * @should return null if api response code is not 302
      */
-    public String authorize(final Map<String, String> params, final List<String> cookie) {
+    public String authorize(final Map<String, String> params, final List<String> cookies) {
         HttpHeaders headers = new HttpHeaders();
         headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
-        if (cookie != null) {
-            headers.add(HttpHeaders.COOKIE, StringUtils.join(cookie, ";"));
+        if (cookies != null) {
+            headers.add(HttpHeaders.COOKIE, StringUtils.join(cookies, ";"));
         }
         addUriHeaders(headers);
         MultiValueMap<String, String> form = new LinkedMultiValueMap<>(14);

src/main/java/uk/gov/hmcts/reform/idam/web/strategic/StepUpAuthenticationZuulFilter.java

@@ -0,0 +1,116 @@
+package uk.gov.hmcts.reform.idam.web.strategic;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.netflix.zuul.ZuulFilter;
+import com.netflix.zuul.context.RequestContext;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.http.HttpHeaders;
+import org.springframework.stereotype.Component;
+import uk.gov.hmcts.reform.idam.web.config.properties.ConfigurationProperties;
+import uk.gov.hmcts.reform.idam.web.helper.MvcKeys;
+import uk.gov.hmcts.reform.idam.web.sso.SSOZuulFilter;
+
+import javax.annotation.Nonnull;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import java.util.Arrays;
+import java.util.Optional;
+
+import static com.netflix.zuul.constants.ZuulHeaders.X_FORWARDED_FOR;
+import static org.springframework.cloud.netflix.zuul.filters.support.FilterConstants.PRE_TYPE;
+
+@Slf4j
+@Component
+@ConditionalOnProperty("features.step-up-authentication")
+public class StepUpAuthenticationZuulFilter extends ZuulFilter {
+
+    public static final String ZUUL_PROCESSING_ERROR = "Cannot process authentication response";
+    public static final String OIDC_AUTHORIZE_ENDPOINT = "/o/authorize";
+
+    private final SPIService spiService;
+    private final String idamSessionCookieName;
+
+    @Autowired
+    public StepUpAuthenticationZuulFilter(@Nonnull final ConfigurationProperties configurationProperties, @Nonnull final SPIService spiService) {
+        this.idamSessionCookieName = configurationProperties.getStrategic().getSession().getIdamSessionCookie();
+        this.spiService = spiService;
+    }
+
+    @Override
+    public String filterType() {
+        return PRE_TYPE;
+    }
+
+    /**
+     * {@inheritDoc}
+     *
+     * <p>Makes sure it runs AFTER the {@link SSOZuulFilter}.</p>
+     *
+     * @return
+     */
+    @Override
+    public int filterOrder() {
+        return SSOZuulFilter.FILTER_ORDER + 1;
+    }
+
+    @Override
+    public boolean shouldFilter() {
+        final HttpServletRequest request = RequestContext.getCurrentContext().getRequest();
+        return isAuthorizeRequest(request) && hasSessionCookie(request);
+    }
+
+    @Override
+    public Object run() {
+        final RequestContext ctx = RequestContext.getCurrentContext();
+        final HttpServletRequest request = ctx.getRequest();
+
+        log.info("StepUp filter triggered.");
+
+        final String tokenId = getSessionToken(request);
+
+        try {
+            final String originIp = ObjectUtils.defaultIfNull(request.getHeader(X_FORWARDED_FOR), request.getRemoteAddr());
+            final String redirectUri = request.getParameter(MvcKeys.REDIRECT_URI);
+            final ApiAuthResult authenticationResult = spiService.authenticate(tokenId, redirectUri, originIp);
+
+            if (authenticationResult.requiresMfa()) {
+                dropCookie(idamSessionCookieName, ctx);
+            }
+
+        } catch (final JsonProcessingException e) {
+            log.error(ZUUL_PROCESSING_ERROR, e);
+        }
+        // continue as usual (delegate to idam-api)
+        ctx.setSendZuulResponse(true);
+        return null;
+    }
+
+    protected void dropCookie(@Nonnull final String cookieName, @Nonnull final RequestContext context) {
+        context.addZuulRequestHeader(HttpHeaders.COOKIE, cookieName + "=");
+    }
+
+    protected String getSessionToken(@Nonnull final HttpServletRequest request) {
+        return Arrays.stream(getCookiesFromRequest(request))
+            .filter(cookie -> idamSessionCookieName.equals(cookie.getName()))
+            .map(Cookie::getValue)
+            .findAny()
+            .orElseThrow();
+    }
+
+    protected boolean isAuthorizeRequest(@Nonnull final HttpServletRequest request) {
+        return request.getRequestURI().contains(OIDC_AUTHORIZE_ENDPOINT) &&
+            ("post".equalsIgnoreCase(request.getMethod()) || "get".equalsIgnoreCase(request.getMethod()));
+    }
+
+    protected boolean hasSessionCookie(@Nonnull final HttpServletRequest request) {
+        return Arrays.stream(getCookiesFromRequest(request)).anyMatch(cookie -> idamSessionCookieName.equals(cookie.getName()));
+    }
+
+    @Nonnull
+    protected Cookie[] getCookiesFromRequest(@Nonnull final HttpServletRequest request) {
+        return Optional.ofNullable(request.getCookies()).orElse(new Cookie[]{});
+    }
+}

src/main/java/uk/gov/hmcts/reform/idam/web/strategic/ValidationService.java

@@ -16,9 +16,7 @@
 
 @Component
 public class ValidationService {
-
-    public static final String ERROR_TITLE = "Error";
-
+
     private final ObjectMapper mapper;
 
     private final int passwordMinLength;
@@ -45,36 +43,34 @@ public ValidationService(
      */
     public boolean validatePassword(final String password1, final String password2, Map<String, Object> model) {
 
-        if (StringUtils.isEmpty(password1) && StringUtils.isEmpty(password2)) {
-            ErrorHelper.showError(ERROR_TITLE, "public.common.error.password.not.empty", "public.common.error.enter.password", "public.common.error.enter.password", model);
-            return false;
-        }
+        String errorForPassword1 = "";
+        String errorForPassword2 = "";
+
+        // check password 1
         if (StringUtils.isEmpty(password1)) {
-            ErrorHelper.showError(ERROR_TITLE, "public.common.error.password.not.empty", "public.common.error.enter.password", "", model);
-            model.put("password2", password2);
-            return false;
-        }
-        if (StringUtils.isEmpty(password2)) {
-            ErrorHelper.showError(ERROR_TITLE, "public.common.error.password.not.empty", "", "public.common.error.enter.password", model);
-            model.put("password1", password1);
-            return false;
+            errorForPassword1 = "public.common.error.enter.password";
+        } else if (password1.length() < passwordMinLength || password1.length() > passwordMaxLength || containsIllegalCharacters(password1)) {
+            errorForPassword1 = "public.common.error.password.details";
         }
 
-        if (!password1.equals(password2)) {
-            ErrorHelper.showError(ERROR_TITLE, "public.common.error.password.not.same", "", "public.common.error.password.should.match", model);
-            model.put("password1", password1);
-            return false;
+        // check password 2
+        if (StringUtils.isEmpty(password2)) {
+            errorForPassword2 = "public.common.error.enter.password";
+        } else if (!password2.equals(password1)) {
+            errorForPassword2 = "public.common.error.password.should.match";
         }
 
-        if (password1.length() < passwordMinLength || password1.length() > passwordMaxLength) {
-            ErrorHelper.showError(ERROR_TITLE, "public.common.error.invalid.password", "public.common.error.password.details", "", model);
-            model.put("password1", password1);
-            return false;
-        }
+        final boolean password1HasErrors = !errorForPassword1.isEmpty();
+        final boolean password2HasErrors = !errorForPassword2.isEmpty();
 
-        if (containsIllegalCharacters(password1)) {
-            ErrorHelper.showError(ERROR_TITLE, "public.common.error.invalid.password.illegal-characters", "public.common.error.password.details", "", model);
-            model.put("password1", password1);
+        if (password1HasErrors || password2HasErrors) {
+            if (!password1HasErrors) {
+                model.put("password1", password1);
+            }
+            if (!password2HasErrors) {
+                model.put("password2", password2);
+            }
+            ErrorHelper.showError(errorForPassword1, errorForPassword2, model);
             return false;
         }
         return true;

src/main/resources/application.yaml

@@ -124,6 +124,7 @@ azure:
 
 features:
   federated-s-s-o: ${federated.sso:true}
+  step-up-authentication: ${step.up.authentication:true}
 
 ssoEmailDomains:
   dummy: dummy

src/main/resources/messages.properties

@@ -125,11 +125,12 @@ public.error.page.already.activated.description=Your account is already activate
 public.login.heading=Sign in or create an account
 public.login.heading.no.self.register=Sign in
 public.login.subheading.sign.in=Sign in
+public.login.subheading.sign.in.with.security.code=Enter security code to sign in
 public.login.subheading.create.account=Create an account
 public.login.create.account.body=You need to
 public.login.create.account.body.to.use.service= to use this service.
 public.login.forgotten.password=Forgotten password?
-public.login.azure.link=Login with your eJudiciary account
+public.login.azure.link=Log in with your eJudiciary account
 public.login.azure.link.or=Or
 public.login.form.submit=Sign in
 
@@ -285,6 +286,11 @@ public.contactus.text_0036=Monday to Thursday, 8am to 5pm
 public.contactus.text_0037=Friday 8am to 4pm
 public.contactus.text_0038=No Saturday opening hours
 public.contactus.text_0039=Find out about call charges
+public.contactus.text_0040=Immigration and Asylum
+public.contactus.text_0041=Email: customer.service@justice.gov.uk
+public.contactus.text_0042=Phone: 0300 123 1711
+public.contactus.text_0043=Monday to Friday, 8:30am to 5pm
+public.contactus.text_0044=Find out about call charges
 
 # Cookies
 public.cookies.text_0001=Back

src/main/resources/messages_cy.properties

@@ -126,6 +126,7 @@ public.error.page.already.activated.description=Mae eich cyfrif wedi cael ei act
 public.login.heading=Mewngofnodwch neu crëwch gyfrif
 public.login.heading.no.self.register=Mewngofnodi
 public.login.subheading.sign.in=Mewngofnodi
+public.login.subheading.sign.in.with.security.code=Teipiwch y cod diogelwch i fewngofnodi.
 public.login.subheading.create.account=Creu cyfrif
 public.login.create.account.body=Bydd angen ichi
 public.login.create.account.body.to.use.service=i ddefnyddio’r gwasanaeth hwn.