govuk-one-login · andrew-moores · Dec 20, 2024 · Dec 20, 2024 · Dec 20, 2024 · Dec 20, 2024
@@ -177,7 +177,7 @@ jobs:
       localstack:
         image: ${{ (needs.check-changed-files.outputs.java_changed == 'true') && 'localstack/localstack:3.0.0' || '' }}
         env:
-          SERVICES: "lambda, apigateway, iam, ec2, sqs, s3, sts, kms, sns, ssm, events"
+          SERVICES: "lambda, apigateway, iam, ec2, sqs, s3, sts, kms, sns, ssm, events, logs"
           GATEWAY_LISTEN: 0.0.0.0:45678
           LOCALSTACK_HOST: localhost:45678
           TEST_AWS_ACCOUNT_ID: 123456789012

@@ -28,9 +28,7 @@ dependencies {
 
 test {
     useJUnitPlatform()
-    filter {
-        includeTestsMatching "*"
-    }
+
     environment "AUDIT_SIGNING_KEY_ALIAS", "alias/local-audit-payload-signing-key-alias"
     environment "AWS_ACCESS_KEY_ID", "mock-access-key"
     environment "AWS_REGION", "eu-west-2"

@@ -21,9 +21,6 @@ dependencies {
 
 test {
     useJUnitPlatform()
-    filter {
-        includeTestsMatching "*"
-    }
 
     environment "AWS_ACCESS_KEY_ID", "mock-access-key"
     environment "AWS_REGION", "eu-west-2"
@@ -56,14 +53,15 @@ test {
 
     doLast {
         tasks.getByName("jacocoTestReport").sourceDirectories.from(
-                project(":account-management-api").sourceSets.main.java,
+                project(":delivery-receipts-api").sourceSets.main.java,
                 project(":shared").sourceSets.main.java)
 
         tasks.getByName("jacocoTestReport").classDirectories.from(
-                project(":account-management-api").sourceSets.main.output,
+                project(":delivery-receipts-api").sourceSets.main.output,
                 project(":shared").sourceSets.main.output)
     }
     dependsOn ":composeUp"
+    finalizedBy ":composeDown"
 }
 
 jacocoTestReport {

@@ -5,7 +5,7 @@ services:
     image: localstack/localstack:3.1.0@sha256:a47b435f876a100115d1d9f24e19b6b302cc7acb78b91e9258122116283ba462
     restart: no
     environment:
-      SERVICES: iam, ec2, sqs, s3, sts, kms, sns, ssm, cloudwatch, events
+      SERVICES: iam, ec2, sqs, s3, sts, kms, sns, ssm, cloudwatch, events, logs
       GATEWAY_LISTEN: 0.0.0.0:45678
       LOCALSTACK_HOST: localhost:45678
       TEST_AWS_ACCOUNT_ID: 123456789012

@@ -46,7 +46,8 @@ public APIGatewayProxyResponseEvent handleRequest(
     }
 
     public APIGatewayProxyResponseEvent mfaResetJarJwkHandler() {
-        LOG.info("MFA reset JAR Signing JWK request received");
+        LOG.info(
+                "Request for Auth reverification request JAR signature verification key received.");
         try {
 
             List<JWK> signingKeys = new ArrayList<>();
@@ -55,16 +56,20 @@ public APIGatewayProxyResponseEvent mfaResetJarJwkHandler() {
 
             JWKSet jwkSet = new JWKSet(signingKeys);
 
-            LOG.info("Generating MFA reset JAR signing JWK successful response");
+            LOG.info("Served Auth reverification request JAR signature verification key JWK set.");
 
             return generateApiGatewayProxyResponse(
                     200,
                     segmentedFunctionCall("serialiseJWKSet", () -> jwkSet.toString(true)),
                     Map.of("Cache-Control", "max-age=86400"),
                     null);
         } catch (Exception e) {
-            LOG.error("Error in MfaResetJarJwkHandler lambda", e);
-            return generateApiGatewayProxyResponse(500, "Error providing MFA Reset JAR JWK data");
+            LOG.error(
+                    "Failed to serve Auth reverification request JAR signature verification key.",
+                    e);
+            return generateApiGatewayProxyResponse(
+                    500,
+                    "Auth MFA reverification request JAR signature verification key not available.");
         }
     }
 }
@@ -49,25 +49,25 @@ public APIGatewayProxyResponseEvent handleRequest(
 
     public APIGatewayProxyResponseEvent mfaResetStorageTokenJwkHandler() {
         try {
-            LOG.info("MfaResetStorageTokenJwk request received");
+            LOG.info("Request for Auth MFA storage token signature verification key received.");
 
             List<JWK> signingKeys = new ArrayList<>();
 
             signingKeys.add(jwksService.getPublicMfaResetStorageTokenJwkWithOpaqueId());
 
             JWKSet jwkSet = new JWKSet(signingKeys);
 
-            LOG.info("Generating MfaResetStorageTokenJwk successful response");
+            LOG.info("Served Auth MFA storage token signature verification key JWK set.");
 
             return generateApiGatewayProxyResponse(
                     200,
                     segmentedFunctionCall("serialiseJWKSet", () -> jwkSet.toString(true)),
                     Map.of("Cache-Control", "max-age=86400"),
                     null);
         } catch (Exception e) {
-            LOG.error("Error in MfaResetStorageTokenJwk lambda", e);
+            LOG.error("Failed to serve Auth MFA storage token signature verification key.", e);
             return generateApiGatewayProxyResponse(
-                    500, "Error providing MfaResetStorageTokenJwk data");
+                    500, "Auth MFA storage token signature verification key not available.");
         }
     }
 }
@@ -39,7 +39,7 @@ public class IPVReverificationService {
     private static final Logger LOG = LogManager.getLogger(IPVReverificationService.class);
     private static final JWSAlgorithm SIGNING_ALGORITHM = JWSAlgorithm.ES256;
     private static final String MFA_RESET_SCOPE = "reverification";
-    private static final String STATE_STORAGE_PREFIX = "mfaReset:state:";
+    public static final String STATE_STORAGE_PREFIX = "mfaReset:state:";
     private final ConfigurationService configurationService;
     private final JwtService jwtService;
     private final NowClock nowClock;

@@ -57,6 +57,9 @@ void shouldReturn500WhenSigningKeyIsNotPresent() {
         var result = handler.handleRequest(event, context);
 
         assertThat(result, hasStatus(500));
-        assertThat(result, hasBody("Error providing MFA Reset JAR JWK data"));
+        assertThat(
+                result,
+                hasBody(
+                        "Auth MFA reverification request JAR signature verification key not available."));
     }
 }
@@ -57,7 +57,9 @@ void shouldReturn500WhenSigningKeyIsNotPresent() {
         var result = handler.handleRequest(event, context);
 
         assertThat(result, hasStatus(500));
-        assertThat(result, hasBody("Error providing MfaResetStorageTokenJwk data"));
+        assertThat(
+                result,
+                hasBody("Auth MFA storage token signature verification key not available."));
     }
 
     @Test

@@ -36,14 +36,16 @@ dependencies {
     implementation project(":utils"), noXray
 
     testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:${dependencyVersions.junit}"
+    testImplementation("uk.org.webcompere:system-stubs-jupiter:2.1.3")
+    testImplementation("com.google.guava:guava:33.3.1-jre")
+    testImplementation("org.awaitility:awaitility:4.2.0")
+    testImplementation('org.wiremock:wiremock-jetty12:3.10.0')
 }
 
 test {
     useJUnitPlatform()
     exclude 'uk/gov/di/authentication/contract/**'
 
-    jacoco {
-    }
     environment "AUDIT_SIGNING_KEY_ALIAS", "alias/local-audit-payload-signing-key-alias"
     environment "AWS_ACCESS_KEY_ID", "mock-access-key"
     environment "AWS_REGION", "eu-west-2"
@@ -69,6 +71,10 @@ test {
     environment "BULK_USER_EMAIL_INCLUDED_TERMS_AND_CONDITIONS", "1.0,1.1,1.2,1.3,1.4"
     environment "SEND_STORAGE_TOKEN_TO_IPV_ENABLED", "true"
 
+    testLogging {
+        showStandardStreams = false
+    }
+
     doLast {
         tasks.getByName("jacocoTestReport").sourceDirectories.from(
                 project(":frontend-api").sourceSets.main.java,

@@ -0,0 +1,124 @@
+package uk.gov.di.authentication.api;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.jwk.Curve;
+import com.nimbusds.jose.jwk.KeyType;
+import com.nimbusds.jose.jwk.KeyUse;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.api.extension.RegisterExtension;
+import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
+import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
+import software.amazon.awssdk.regions.Region;
+import software.amazon.awssdk.services.kms.KmsClient;
+import software.amazon.awssdk.services.kms.model.GetPublicKeyRequest;
+import software.amazon.awssdk.services.kms.model.GetPublicKeyResponse;
+import software.amazon.awssdk.services.kms.model.KeyUsageType;
+import uk.gov.di.authentication.frontendapi.lambda.MfaResetJarJwkHandler;
+import uk.gov.di.authentication.shared.services.ConfigurationService;
+import uk.gov.di.authentication.sharedtest.basetest.ApiGatewayHandlerIntegrationTest;
+import uk.gov.di.authentication.sharedtest.extensions.KmsKeyExtension;
+import uk.gov.di.authentication.sharedtest.logging.CaptureLoggingExtension;
+import uk.org.webcompere.systemstubs.environment.EnvironmentVariables;
+import uk.org.webcompere.systemstubs.jupiter.SystemStub;
+import uk.org.webcompere.systemstubs.jupiter.SystemStubsExtension;
+
+import java.net.URI;
+import java.util.Map;
+import java.util.Optional;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.hasItem;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static uk.gov.di.authentication.shared.helpers.HashHelper.hashSha256String;
+import static uk.gov.di.authentication.sharedtest.logging.LogEventMatcher.withMessageContaining;
+import static uk.gov.di.orchestration.sharedtest.matchers.APIGatewayProxyResponseEventMatcher.hasStatus;
+
+@ExtendWith(SystemStubsExtension.class)
+class AuthSigningKeyJWKSIntegrationTest extends ApiGatewayHandlerIntegrationTest {
+    private static final Logger LOG = LogManager.getLogger(AuthSigningKeyJWKSIntegrationTest.class);
+
+    @SystemStub private static final EnvironmentVariables environment = new EnvironmentVariables();
+
+    @RegisterExtension
+    private static final KmsKeyExtension mfaResetJarSigningKey =
+            new KmsKeyExtension("mfa-reset-jar-signing-key", KeyUsageType.SIGN_VERIFY);
+
+    @RegisterExtension
+    private static final CaptureLoggingExtension logging =
+            new CaptureLoggingExtension(MfaResetJarJwkHandler.class);
+
+    private static String expectedHashKeyArn;
+
+    @BeforeAll
+    static void setupEnvironment() {
+        environment.set(
+                "IPV_REVERIFICATION_REQUESTS_SIGNING_KEY_ALIAS", mfaResetJarSigningKey.getKeyId());
+
+        try (KmsClient kmsClient = getKmsClient()) {
+            GetPublicKeyRequest getPublicKeyRequest =
+                    GetPublicKeyRequest.builder().keyId(mfaResetJarSigningKey.getKeyId()).build();
+
+            GetPublicKeyResponse getPublicKeyResponse = kmsClient.getPublicKey(getPublicKeyRequest);
+
+            expectedHashKeyArn = hashSha256String(getPublicKeyResponse.keyId());
+        } catch (Exception e) {
+            LOG.error(e.getMessage(), e);
+        }
+    }
+
+    private static KmsClient getKmsClient() {
+        return KmsClient.builder()
+                .endpointOverride(URI.create("http://localhost:45678"))
+                .credentialsProvider(
+                        StaticCredentialsProvider.create(
+                                AwsBasicCredentials.create("dummy", "dummy")))
+                .region(Region.EU_WEST_2)
+                .build();
+    }
+
+    @Test
+    void shouldReturnJWKSetContainingTheReverificationSigningKey() {
+        handler = new MfaResetJarJwkHandler(new ConfigurationService());
+
+        var response = makeRequest(Optional.empty(), Map.of(), Map.of());
+
+        assertThat(response, hasStatus(200));
+
+        JsonObject jwk = JsonParser.parseString(response.getBody()).getAsJsonObject();
+        JsonArray keys = jwk.get("keys").getAsJsonArray();
+        assertEquals(1, keys.size(), "JWKS endpoint must return a single key.");
+
+        checkPublicSigningKeyResponseMeetsADR0030(keys.get(0).getAsJsonObject());
+    }
+
+    @Test
+    void shouldNotAllowExceptionsToEscape() {
+        environment.set("IPV_REVERIFICATION_REQUESTS_SIGNING_KEY_ALIAS", "wrong-key-alias");
+
+        handler = new MfaResetJarJwkHandler(new ConfigurationService());
+
+        var response = makeRequest(Optional.empty(), Map.of(), Map.of());
+
+        assertThat(response, hasStatus(500));
+        assertThat(
+                logging.events(),
+                hasItem(
+                        withMessageContaining(
+                                "Failed to serve Auth reverification request JAR signature verification key.")));
+    }
+
+    private static void checkPublicSigningKeyResponseMeetsADR0030(JsonObject key) {
+        assertEquals(expectedHashKeyArn, key.get("kid").getAsString());
+        assertEquals(KeyType.EC.getValue(), key.get("kty").getAsString());
+        assertEquals(KeyUse.SIGNATURE.getValue(), key.get("use").getAsString());
+        assertEquals(Curve.P_256.getName(), key.get("crv").getAsString());
+        assertEquals(JWSAlgorithm.ES256.toString(), key.get("alg").getAsString());
+    }
+}