Merge pull request #272 from cabinetoffice/release/8.0

Release/8.0
cabinetoffice · Feb 7, 2024 · 546d464 · 546d464
2 parents 5085450 + 99ba6c1
commit 546d464
Show file tree

Hide file tree

Showing 248 changed files with 4,696 additions and 2,742 deletions.
diff --git a/.github/workflows/admin-prod-cd.yml b/.github/workflows/admin-prod-cd.yml
@@ -8,6 +8,7 @@ on:
       - "packages/admin/**"
       - "packages/gap-web-ui/**"
       - ".github/workflows/admin-prod-cd.yml"
+      - "Dockerfile"
       - "package.json"
       - "yarn.lock"
 
@@ -16,12 +17,16 @@ jobs:
     environment: AWS
     runs-on: ubuntu-latest
 
+    permissions:
+        id-token: write
+        contents: read
+
     steps:
       - name: Setup AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@v3
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-session-name: gap-apply-admin-web
           aws-region: eu-west-2
 
       - name: Login to AWS ECR
@@ -32,4 +37,4 @@ jobs:
         # Based on steps described here - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-retag.html
         run: |
           MANIFEST=$(aws ecr batch-get-image --repository-name gap-apply-admin-web --image-ids imageTag=qa --output json | jq --raw-output --join-output '.images[0].imageManifest')
-          aws ecr put-image --repository-name gap-apply-admin-web --image-tag prod --image-manifest "$MANIFEST"
+          aws ecr put-image --repository-name gap-apply-admin-web --image-tag prod --image-manifest "$MANIFEST"
diff --git a/.github/workflows/admin-sandbox-qa-cd.yml b/.github/workflows/admin-sandbox-qa-cd.yml
@@ -10,6 +10,7 @@ on:
       - "packages/admin/**"
       - "packages/gap-web-ui/**"
       - ".github/workflows/admin-sandbox-qa-cd.yml"
+      - "Dockerfile"
       - "package.json"
       - "yarn.lock"
 
@@ -106,6 +107,10 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+        id-token: write
+        contents: read
+
     outputs:
       docker-image-name: ${{ steps.docker-image-name.outputs.name }}
 
@@ -116,10 +121,10 @@ jobs:
           fetch-depth: 0
 
       - name: Setup AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@v3
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN_FOR_ADMIN }}
+          role-session-name: gap-apply-admin-web
           aws-region: eu-west-2
 
       - name: Login to AWS ECR
@@ -158,6 +163,10 @@ jobs:
   deploy:
     needs: [build, test]
 
+    permissions:
+        id-token: write
+        contents: read
+
     environment: AWS
     runs-on: ubuntu-latest
 
@@ -168,10 +177,10 @@ jobs:
           fetch-depth: 0
 
       - name: Setup AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@v3
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN_FOR_ADMIN }}
+          role-session-name: gap-apply-admin-web
           aws-region: eu-west-2
 
       - name: Login to AWS ECR

diff --git a/.github/workflows/applicant-prod-cd.yml b/.github/workflows/applicant-prod-cd.yml
@@ -8,6 +8,7 @@ on:
       - "packages/applicant/**"
       - "packages/gap-web-ui/**"
       - ".github/workflows/applicant-prod-cd.yml"
+      - "Dockerfile"
       - "package.json"
       - "yarn.lock"
 
@@ -16,12 +17,16 @@ jobs:
     environment: AWS
     runs-on: ubuntu-latest
 
+    permissions:
+        id-token: write
+        contents: read
+
     steps:
       - name: Setup AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@v3
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-session-name: gap-apply-applicant-web
           aws-region: eu-west-2
 
       - name: Login to AWS ECR
@@ -32,4 +37,4 @@ jobs:
         # Based on steps described here - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-retag.html
         run: |
           MANIFEST=$(aws ecr batch-get-image --repository-name gap-apply-applicant-web --image-ids imageTag=qa --output json | jq --raw-output --join-output '.images[0].imageManifest')
-          aws ecr put-image --repository-name gap-apply-applicant-web --image-tag prod --image-manifest "$MANIFEST"
+          aws ecr put-image --repository-name gap-apply-applicant-web --image-tag prod --image-manifest "$MANIFEST"
diff --git a/.github/workflows/applicant-sandbox-qa-cd.yml b/.github/workflows/applicant-sandbox-qa-cd.yml
@@ -10,6 +10,7 @@ on:
       - "packages/applicant/**"
       - "packages/gap-web-ui/**"
       - ".github/workflows/applicant-sandbox-qa-cd.yml"
+      - "Dockerfile"
       - "package.json"
       - "yarn.lock"
 
@@ -103,6 +104,10 @@ jobs:
   build:
     # Need to check here as create event can't be filtered by branch name: https://github.com/orgs/community/discussions/54860
     if: github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/release')
+
+    permissions:
+        id-token: write
+        contents: read
 
     runs-on: ubuntu-latest
 
@@ -116,10 +121,10 @@ jobs:
           fetch-depth: 0
 
       - name: Setup AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@v3
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN_FOR_APPLICANT }}
+          role-session-name: gap-apply-applicant-web
           aws-region: eu-west-2
 
       - name: Login to AWS ECR
@@ -158,6 +163,10 @@ jobs:
   deploy:
     needs: [build, test]
 
+    permissions:
+        id-token: write
+        contents: read
+
     environment: AWS
     runs-on: ubuntu-latest
 
@@ -168,10 +177,10 @@ jobs:
           fetch-depth: 0
 
       - name: Setup AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@v3
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN_FOR_APPLICANT }}
+          role-session-name: gap-apply-applicant-web
           aws-region: eu-west-2
 
       - name: Login to AWS ECR

diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -1,9 +1,8 @@
 name: Security Vulnerabilites
 
 on:
-  pull_request:
-    branches:
-      - develop
+  schedule:
+    - cron: "0 0 * * *"
 
 jobs:
   build:

diff --git a/Dockerfile b/Dockerfile
@@ -6,8 +6,10 @@ ARG APP_NAME
 WORKDIR /usr/src/app
 
 COPY package.json .
-COPY packages/gap-web-ui ./packages/gap-web-ui
-COPY packages/${APP_NAME} ./packages/${APP_NAME}
+COPY yarn.lock .
+COPY packages ./packages
+COPY .yarnrc.yml .
+COPY .yarn ./.yarn
 
 ENV CI true
 ENV SUB_PATH /apply/${APP_NAME}

diff --git a/packages/admin/DUMMY b/packages/admin/DUMMY
diff --git a/packages/admin/package.json b/packages/admin/package.json
@@ -20,14 +20,14 @@
     "@contentful/rich-text-react-renderer": "^15.12.1",
     "@tinymce/tinymce-react": "4.3.2",
     "axios": "^0.27.2",
+    "body-parser": "1.20.2",
     "cookie-parser": "^1.4.6",
-    "csurf": "^1.11.0",
     "cypress-recurse": "^1.18.0",
     "fs-extra": "11.2.0",
     "gap-web-ui": "*",
     "govuk-frontend": "4.7.0",
     "moment": "^2.29.4",
-    "next": "12.3.4",
+    "next": "13.5.6",
     "next-logger": "3.0.1",
     "nookies": "^2.5.2",
     "number-to-words": "^1.2.4",
@@ -40,7 +40,6 @@
   "devDependencies": {
     "@types/cookie": "^0.5.1",
     "@types/cookie-parser": "^1.4.3",
-    "@types/csurf": "^1.11.2",
     "@types/number-to-words": "^1.2.1",
     "contentful-typescript-codegen": "^3.2.3",
     "cypress": "^9.5.0",

diff --git a/packages/admin/setupJestMock.js b/packages/admin/setupJestMock.js
@@ -24,12 +24,3 @@ jest.mock('next/config', () => {
     }),
   };
 });
-
-jest.mock('csurf', () => {
-  return {
-    __esModule: true,
-    default: () => (req, res, callback) => {
-      callback({});
-    },
-  };
-});
diff --git a/packages/admin/src/components/pagination/helper.js b/packages/admin/src/components/pagination/helper.js
@@ -99,21 +99,20 @@ export const buildPaginationListItems = ({
               ...additionalQueryData,
             },
           }}
+          className="govuk-link govuk-pagination__link"
         >
-          <a className="govuk-link govuk-pagination__link">
-            <svg
-              className="govuk-pagination__icon govuk-pagination__icon--prev"
-              xmlns="http://www.w3.org/2000/svg"
-              height="13"
-              width="15"
-              aria-hidden="true"
-              focusable="false"
-              viewBox="0 0 15 13"
-            >
-              <path d="m6.5938-0.0078125-6.7266 6.7266 6.7441 6.4062 1.377-1.449-4.1856-3.9768h12.896v-2h-12.984l4.2931-4.293-1.414-1.414z"></path>
-            </svg>
-            {PAGINATION_PREVIOUS_ELEMENT}
-          </a>
+          <svg
+            className="govuk-pagination__icon govuk-pagination__icon--prev"
+            xmlns="http://www.w3.org/2000/svg"
+            height="13"
+            width="15"
+            aria-hidden="true"
+            focusable="false"
+            viewBox="0 0 15 13"
+          >
+            <path d="m6.5938-0.0078125-6.7266 6.7266 6.7441 6.4062 1.377-1.449-4.1856-3.9768h12.896v-2h-12.984l4.2931-4.293-1.414-1.414z"></path>
+          </svg>
+          {PAGINATION_PREVIOUS_ELEMENT}
         </Link>
       </li>
     ),
@@ -132,21 +131,20 @@ export const buildPaginationListItems = ({
               ...additionalQueryData,
             },
           }}
+          className="govuk-link govuk-pagination__link"
         >
-          <a className="govuk-link govuk-pagination__link">
-            {PAGINATION_NEXT_ELEMENT}
-            <svg
-              className="govuk-pagination__icon govuk-pagination__icon--next"
-              xmlns="http://www.w3.org/2000/svg"
-              height="13"
-              width="15"
-              aria-hidden="true"
-              focusable="false"
-              viewBox="0 0 15 13"
-            >
-              <path d="m8.107-0.0078125-1.4136 1.414 4.2926 4.293h-12.986v2h12.896l-4.1855 3.9766 1.377 1.4492 6.7441-6.4062-6.7246-6.7266z"></path>
-            </svg>
-          </a>
+          {PAGINATION_NEXT_ELEMENT}
+          <svg
+            className="govuk-pagination__icon govuk-pagination__icon--next"
+            xmlns="http://www.w3.org/2000/svg"
+            height="13"
+            width="15"
+            aria-hidden="true"
+            focusable="false"
+            viewBox="0 0 15 13"
+          >
+            <path d="m8.107-0.0078125-1.4136 1.414 4.2926 4.293h-12.986v2h12.896l-4.1855 3.9766 1.377 1.4492 6.7441-6.4062-6.7246-6.7266z"></path>
+          </svg>
         </Link>
       </li>
     ),
@@ -193,8 +191,9 @@ export const buildPaginationListItems = ({
               ...additionalQueryData,
             },
           }}
+          className="govuk-link govuk-pagination__link"
         >
-          <a className="govuk-link govuk-pagination__link">{currentPage}</a>
+          {currentPage}
         </Link>
       </li>
     ),

diff --git a/packages/admin/src/middleware.page.ts b/packages/admin/src/middleware.page.ts
@@ -2,6 +2,7 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { getLoginUrl } from './utils/general';
 import { isAdminSessionValid } from './services/UserService';
+import { csrfMiddleware } from './utils/csrfMiddleware';
 
 // It will apply the middleware to all those paths
 // (if new folders at page root are created, they need to be included here)
@@ -19,6 +20,8 @@ export const config = {
 export async function middleware(req: NextRequest) {
   const rewriteUrl = req.url;
   const res = NextResponse.rewrite(rewriteUrl);
+  await csrfMiddleware(req, res);
+
   const auth_cookie = req.cookies.get('session_id');
   //Feature flag redirects
   const advertBuilderPath = /\/scheme\/\d*\/advert/;
@@ -33,7 +36,7 @@ export async function middleware(req: NextRequest) {
 
   if (auth_cookie !== undefined) {
     if (process.env.VALIDATE_USER_ROLES_IN_MIDDLEWARE === 'true') {
-      const isValidAdminSession = await isAdminSessionValid(auth_cookie);
+      const isValidAdminSession = await isAdminSessionValid(auth_cookie.value);
       if (!isValidAdminSession) {
         return NextResponse.redirect(
           getLoginUrl({ redirectToApplicant: true }),
@@ -42,7 +45,7 @@ export async function middleware(req: NextRequest) {
       }
     }
 
-    res.cookies.set('session_id', auth_cookie, {
+    res.cookies.set('session_id', auth_cookie.value, {
       path: '/',
       secure: true,
       httpOnly: true,