Merge pull request #1959 from govuk-one-login/PYIC-6098

PYIC-6089: add external MFA reset endpoint
govuk-one-login · Jun 5, 2024 · 67881ae · 67881ae
2 parents ff6e75e + fb62fe1
commit 67881ae
Show file tree

Hide file tree

Showing 31 changed files with 1,177 additions and 202 deletions.
diff --git a/.gitignore b/.gitignore
@@ -47,3 +47,6 @@ deploy/core-back-*.yaml
 dev
 production
 uuid_results
+
+libs/pact-test-helpers/bin
+local-running/bin/
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -75,6 +75,10 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -184,14 +188,14 @@
         "filename": "deploy/template.yaml",
         "hashed_secret": "6afab4c634af2dd2b9c344a98f96667277c56df0",
         "is_verified": false,
-        "line_number": 2021
+        "line_number": 2102
       },
       {
         "type": "Secret Keyword",
         "filename": "deploy/template.yaml",
         "hashed_secret": "38450ffe4ff65a68053ea5083d47521010709df2",
         "is_verified": false,
-        "line_number": 2489
+        "line_number": 2570
       }
     ],
     "lambdas/build-user-identity/src/test/java/uk/gov/di/ipv/core/builduseridentity/pact/BuildUserIdentityHandlerTest.java": [
@@ -200,21 +204,21 @@
         "filename": "lambdas/build-user-identity/src/test/java/uk/gov/di/ipv/core/builduseridentity/pact/BuildUserIdentityHandlerTest.java",
         "hashed_secret": "85d1e7563098941624848ca8a7c731a6c013235b",
         "is_verified": false,
-        "line_number": 221
+        "line_number": 222
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "lambdas/build-user-identity/src/test/java/uk/gov/di/ipv/core/builduseridentity/pact/BuildUserIdentityHandlerTest.java",
         "hashed_secret": "69facda46567909882c049ea59985c33000974b3",
         "is_verified": false,
-        "line_number": 304
+        "line_number": 305
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "lambdas/build-user-identity/src/test/java/uk/gov/di/ipv/core/builduseridentity/pact/BuildUserIdentityHandlerTest.java",
         "hashed_secret": "1bb4f6b3cf1f8b05e40be98e555120bbac8bb8a8",
         "is_verified": false,
-        "line_number": 357
+        "line_number": 358
       }
     ],
     "lambdas/call-ticf-cri/src/main/java/uk/gov/di/ipv/core/callticfcri/service/TicfCriService.java": [
@@ -1896,28 +1900,28 @@
         "filename": "local-running/setConfigForLocalOrCloudRunning.py",
         "hashed_secret": "941443ade4a41d67343885660bc79ef5f8d29a6f",
         "is_verified": false,
-        "line_number": 39
+        "line_number": 40
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "local-running/setConfigForLocalOrCloudRunning.py",
         "hashed_secret": "c6fc0dad9371be54dc77708cad1a8098c363e74b",
         "is_verified": false,
-        "line_number": 39
+        "line_number": 40
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "local-running/setConfigForLocalOrCloudRunning.py",
         "hashed_secret": "cd93cb86a58869ea8f3968e7a8408ca2acf257aa",
         "is_verified": false,
-        "line_number": 40
+        "line_number": 41
       },
       {
         "type": "Secret Keyword",
         "filename": "local-running/setConfigForLocalOrCloudRunning.py",
         "hashed_secret": "7cb6efb98ba5972a9b5090dc2e517fe14d12cb04",
         "is_verified": false,
-        "line_number": 43
+        "line_number": 44
       }
     ]
   },

diff --git a/deploy/template.yaml b/deploy/template.yaml
@@ -1154,7 +1154,7 @@ Resources:
                         - !Ref AWS::AccountId
                         - cimitEnvironment
       Events:
-        IPVCoreExternalAPI:
+        IPVCoreExternalAPIUserIdentity:
           Type: Api
           Properties:
             RestApiId:
@@ -1178,6 +1178,87 @@ Resources:
       FilterPattern: ""
       LogGroupName: !Ref BuildUserIdentityFunctionLogGroup
 
+  UserReverificationFunction:
+    Type: AWS::Serverless::Function
+    DependsOn:
+      - "UserReverificationFunctionLogGroup"
+    Properties:
+      # checkov:skip=CKV_AWS_115: We do not have enough data to allocate the concurrent execution allowance per function.
+      # checkov:skip=CKV_AWS_116: Lambdas invoked via API Gateway do not support Dead Letter Queues.
+      # checkov:skip=CKV_AWS_117: Lambdas will migrate to our own VPC in future work.
+      FunctionName: !Sub "user-reverification-${Environment}"
+      Handler: uk.gov.di.ipv.core.userreverification.UserReverificationHandler::handleRequest
+      PackageType: Zip
+      CodeUri: ../lambdas/user-reverification
+      Tracing: Active
+      Environment:
+        # checkov:skip=CKV_AWS_173: These environment variables do not require encryption.
+        Variables:
+          ENVIRONMENT: !Sub "${Environment}"
+          POWERTOOLS_SERVICE_NAME: !Sub user-reverification-${Environment}
+          IPV_SESSIONS_TABLE_NAME: !Ref SessionsTable
+          CLIENT_OAUTH_SESSIONS_TABLE_NAME: !Ref ClientOAuthSessionsTable
+          SESSION_CREDENTIALS_TABLE_NAME: !Ref SessionCredentialsTable
+      VpcConfig:
+        SubnetIds:
+          - Fn::ImportValue: !Sub ${VpcStackName}-ProtectedSubnetIdA
+          - Fn::ImportValue: !Sub ${VpcStackName}-ProtectedSubnetIdB
+        SecurityGroupIds:
+          - !GetAtt LambdaSecurityGroup.GroupId
+      Policies:
+        - VPCAccessPolicy: {}
+        - Statement:
+            - Sid: EnforceStayinSpecificVpc
+              Effect: Allow
+              Action:
+                - 'lambda:CreateFunction'
+                - 'lambda:UpdateFunctionConfiguration'
+              Resource:
+                - "*"
+              Condition:
+                StringEquals:
+                  "lambda:VpcIds":
+                    - Fn::ImportValue: !Sub ${VpcStackName}-VpcId
+        - KMSDecryptPolicy:
+            KeyId: !Ref DynamoDBKmsKey
+        - DynamoDBCrudPolicy:
+            TableName: !Ref SessionCredentialsTable
+        - DynamoDBReadPolicy:
+            TableName: !Ref SessionsTable
+        - DynamoDBWritePolicy:
+            TableName: !Ref SessionsTable
+        - DynamoDBReadPolicy:
+            TableName: !Ref ClientOAuthSessionsTable
+        - SSMParameterReadPolicy:
+            ParameterName: !Sub ${Environment}/core/*
+        - AWSSecretsManagerGetSecretValuePolicy:
+            SecretArn: !Sub arn:aws:secretsmanager:eu-west-2:*:secret:/${Environment}/core/self/ci-config-*
+      Events:
+        IPVCoreExternalAPIReverification:
+          Type: Api
+          Properties:
+            RestApiId:
+              Ref: IPVCoreExternalAPI
+            Path: /reverification
+            Method: GET
+      AutoPublishAlias: live
+
+  UserReverificationFunctionLogGroup:
+    Type: AWS::Logs::LogGroup
+    # checkov:skip=CKV_AWS_158: No need for customer managed keys for short lived logs
+    Properties:
+      RetentionInDays: 30
+      LogGroupName: !Sub "/aws/lambda/user-reverification-${Environment}"
+
+  UserReverificationFunctionLogGroupSubscriptionFilter:
+    Type: AWS::Logs::SubscriptionFilter
+    Condition: IsSubscriptionEnviroment
+    Properties:
+      DestinationArn: "arn:aws:logs:eu-west-2:885513274347:destination:csls_cw_logs_destination_prodpython"
+      FilterPattern: ""
+      LogGroupName: !Ref UserReverificationFunctionLogGroup
+
+
   JourneyEngineStepFunction:
     Type: AWS::Serverless::StateMachine
     Properties: