

Merge pull request #2034 from govuk-one-login/PYIC-6710
PYIC-6710: remove common secrets from .secrets.baseline
DanCorderIPV authored Jun 24, 2024
2 parents f4df8db + 64fcd6f commit 84697b3
Showing 34 changed files with 402 additions and 1,999 deletions.
1,675 changes: 85 additions & 1,590 deletions .secrets.baseline


Expand Up @@ -91,9 +91,9 @@
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.CREDENTIAL_ATTRIBUTES_3;
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.CREDENTIAL_ATTRIBUTES_4;
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.EC_PRIVATE_KEY;
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.EC_PUBLIC_JWK;
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.RSA_ENCRYPTION_PRIVATE_KEY;
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.RSA_ENCRYPTION_PUBLIC_JWK;
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.TEST_EC_PUBLIC_JWK;
import static uk.gov.di.ipv.core.library.helpers.VerifiableCredentialGenerator.generateVerifiableCredential;
import static uk.gov.di.ipv.core.library.helpers.VerifiableCredentialGenerator.vcClaim;

Expand Down Expand Up @@ -785,7 +785,7 @@ private void assertSharedClaimsJWTIsValid(String request)
assertEquals(3, (vcAttributes.get("address")).size());
assertEquals(2, (vcAttributes.get("birthDate")).size());

ECDSAVerifier verifier = new ECDSAVerifier(ECKey.parse(EC_PUBLIC_JWK));
ECDSAVerifier verifier = new ECDSAVerifier(ECKey.parse(TEST_EC_PUBLIC_JWK));
assertTrue(signedJWT.verify(verifier));
}

Expand Down Expand Up @@ -813,7 +813,7 @@ private void assertSharedClaimsJWTIsValidForAllVCsAreNotSuccess(String request)
JsonNode birtDate = vcAttributes.get("birthDate");
assertTrue(birtDate.isEmpty());

ECDSAVerifier verifier = new ECDSAVerifier(ECKey.parse(EC_PUBLIC_JWK));
ECDSAVerifier verifier = new ECDSAVerifier(ECKey.parse(TEST_EC_PUBLIC_JWK));
assertTrue(signedJWT.verify(verifier));
}

Expand Up @@ -58,10 +58,10 @@
import static uk.gov.di.ipv.core.library.config.ConfigurationVariable.COMPONENT_ID;
import static uk.gov.di.ipv.core.library.config.ConfigurationVariable.JWT_TTL_SECONDS;
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.EC_PRIVATE_KEY;
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.EC_PUBLIC_JWK;
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.RSA_ENCRYPTION_PRIVATE_KEY;
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.RSA_ENCRYPTION_PUBLIC_JWK;
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.SIGNED_JWT;
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.TEST_EC_PUBLIC_JWK;

@ExtendWith(MockitoExtension.class)
class AuthorizationRequestHelperTest {
Expand Down Expand Up @@ -139,7 +139,7 @@ void shouldCreateSignedJWTWithCorrectClaims()
assertEquals(
IPV_CLIENT_ID_VALUE, result.getJWTClaimsSet().getClaims().get(CLIENT_ID_FIELD));
assertEquals(TEST_REDIRECT_URI, result.getJWTClaimsSet().getClaims().get("redirect_uri"));
assertTrue(result.verify(new ECDSAVerifier(ECKey.parse(EC_PUBLIC_JWK))));
assertTrue(result.verify(new ECDSAVerifier(ECKey.parse(TEST_EC_PUBLIC_JWK))));
}

@ParameterizedTest
Expand Up @@ -220,7 +220,7 @@ void testMethod(PactVerificationContext context) {
""";

private final String CIMIT_VC_NO_CIS_SIGNATURE =
"q9bLcKWe9K13QJoJL-f8Lz4UdhUGfzQgXPtsmu5TK5W2mP4mr7oXJjqKBAUPypnZdWza1zdKZiQpAmmVy1BW3A";
"q9bLcKWe9K13QJoJL-f8Lz4UdhUGfzQgXPtsmu5TK5W2mP4mr7oXJjqKBAUPypnZdWza1zdKZiQpAmmVy1BW3A"; // pragma: allowlist secret

// 2099-01-01 00:00:00 is 4070908800 in epoch seconds
// From DCMAW-3079-AC1
Expand Down Expand Up @@ -303,7 +303,7 @@ void testMethod(PactVerificationContext context) {
// valid signature (using https://jwt.io works well) and record it here so the PACT file doesn't
// change each time we run the tests.
private static final String VALID_UK_PASSPORT_VC_SIGNATURE =
"dnXc3avCGKj6XdKpGnNTgjH3lpRZotBSyzx4ttFksnaheiHExklxqGHc8ZNRdIJu0cpFyP-Dw6Bl5xO46nZCVA";
"dnXc3avCGKj6XdKpGnNTgjH3lpRZotBSyzx4ttFksnaheiHExklxqGHc8ZNRdIJu0cpFyP-Dw6Bl5xO46nZCVA"; // pragma: allowlist secret

private static final String VALID_ADDRESS_VC_BODY =
"""
Expand Down Expand Up @@ -356,5 +356,5 @@ void testMethod(PactVerificationContext context) {
// valid signature (using https://jwt.io works well) and record it here so the PACT file doesn't
// change each time we run the tests.
private static final String VALID_ADDRESS_VC_SIGNATURE =
"EFfq4iMeJ9ekCYJDZS8MTqxK0semEH7HRMac9Tc69zILtxzlVmJxnrhsVSgjpMNi3osCBUhWlz3Zh-jEUB4izw";
"EFfq4iMeJ9ekCYJDZS8MTqxK0semEH7HRMac9Tc69zILtxzlVmJxnrhsVSgjpMNi3osCBUhWlz3Zh-jEUB4izw"; // pragma: allowlist secret
}
Expand Up @@ -44,6 +44,7 @@
import static org.hamcrest.MatcherAssert.assertThat;
import static org.mockito.Mockito.when;
import static uk.gov.di.ipv.core.library.domain.Cri.TICF;
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.EC_PRIVATE_KEY_JWK;

@ExtendWith(PactConsumerTestExt.class)
@ExtendWith(MockitoExtension.class)
Expand All @@ -53,10 +54,6 @@ class ContractTest {
private static final String TEST_USER = "dummyUserId";
private static final String API_PATH = "/risk-assessment";
private static final String PRIVATE_API_KEY = "dummyApiKey";
private static final String PRIVATE_TICF_SIGNING_KEY =
"""
{"kty":"EC","d":"OXt0P05ZsQcK7eYusgIPsqZdaBCIJiW4imwUtnaAthU","crv":"P-256","x":"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM","y":"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04"}
""";
private static final String APPLICATION_JSON = "application/json";
private static final Clock CURRENT_TIME =
Clock.fixed(Instant.parse("2099-01-01T00:00:00.00Z"), ZoneOffset.UTC);
Expand Down Expand Up @@ -88,7 +85,7 @@ public RequestResponsePact validPassportVcReturnsVcWithNoInterventions(
PactDslWithProvider builder) {
return builder.given("dummyApiKey is a valid api key")
.given(
"Provided VC can be validated with {\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM\",\"y\":\"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04\"}")
"Provided VC can be validated with {\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM\",\"y\":\"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04\"}") // pragma: allowlist secret
.given("TICF VC has no interventions or warnings")
.given("TICF VC risk assessment has id dummyRiskAssessmentId")
.given("TICF VC issuer is https://ticf.account.gov.uk")
Expand Down Expand Up @@ -155,7 +152,7 @@ public RequestResponsePact validPassportVcReturnsVcWithWarningsButNoIntervention
PactDslWithProvider builder) {
return builder.given("dummyApiKey is a valid api key")
.given(
"Provided VC can be validated with {\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM\",\"y\":\"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04\"}")
"Provided VC can be validated with {\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM\",\"y\":\"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04\"}") // pragma: allowlist secret
.given("TICF VC has no interventions but has B00 warning")
.given("TICF VC risk assessment has id dummyRiskAssessmentId")
.given("TICF VC issuer is https://ticf.account.gov.uk")
Expand Down Expand Up @@ -228,7 +225,7 @@ public RequestResponsePact validPassportVcReturnsVcWithInterventions(
PactDslWithProvider builder) {
return builder.given("dummyApiKey is a valid api key")
.given(
"Provided VC can be validated with {\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM\",\"y\":\"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04\"}")
"Provided VC can be validated with {\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM\",\"y\":\"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04\"}") // pragma: allowlist secret
.given("TICF VC has intervention with code 01 and reason 007")
.given("TICF VC risk assessment has id dummyRiskAssessmentId")
.given("TICF VC issuer is https://ticf.account.gov.uk")
Expand Down Expand Up @@ -300,7 +297,7 @@ void fetchRiskAssessment_whenCalledWithValidPassportVcOnTicfCri_returnsVcWithInt
public RequestResponsePact validPassportVcReturnsEmptyVc(PactDslWithProvider builder) {
return builder.given("dummyApiKey is a valid api key")
.given(
"Provided VC can be validated with {\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM\",\"y\":\"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04\"}")
"Provided VC can be validated with {\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM\",\"y\":\"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04\"}") // pragma: allowlist secret
.given("TICF times out")
.given("TICF VC issuer is https://ticf.account.gov.uk")
.given("Time is GMT Thursday, 1 January 2099 00:00:00")
Expand Down Expand Up @@ -362,7 +359,7 @@ void fetchRiskAssessment_whenCalledWithValidPassportVcOnTicfCri_timesOut(MockSer
public RequestResponsePact validVcsReturnVcWithNoInterventions(PactDslWithProvider builder) {
return builder.given("dummyApiKey is a valid api key")
.given(
"Provided VCs can be validated with {\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM\",\"y\":\"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04\"}")
"Provided VCs can be validated with {\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM\",\"y\":\"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04\"}") // pragma: allowlist secret
.given("TICF VC has no interventions or warnings")
.given("TICF VC risk assessment has id dummyRiskAssessmentId")
.given("TICF VC issuer is https://ticf.account.gov.uk")
Expand Down Expand Up @@ -494,7 +491,7 @@ public RequestResponsePact dvlaVcWithCiReturnVcWithWarningsButNoInterventions(
PactDslWithProvider builder) {
return builder.given("dummyApiKey is a valid api key")
.given(
"Provided VC can be validated with {\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM\",\"y\":\"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04\"}")
"Provided VC can be validated with {\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM\",\"y\":\"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04\"}") // pragma: allowlist secret
.given("TICF VC has no interventions but has B00 warning")
.given("TICF VC risk assessment has id dummyRiskAssessmentId")
.given("TICF VC issuer is https://ticf.account.gov.uk")
Expand Down Expand Up @@ -636,7 +633,7 @@ private IpvSessionItem getIpvSessionItem() {
private static RestCriConfig getMockCredentialIssuerConfig(MockServer mockServer)
throws URISyntaxException {
return RestCriConfig.builder()
.signingKey(PRIVATE_TICF_SIGNING_KEY)
.signingKey(EC_PRIVATE_KEY_JWK)
.componentId("https://ticf.account.gov.uk")
.credentialUrl(
new URI("http://localhost:" + mockServer.getPort() + "/risk-assessment"))
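Review bot: The provider-state string `"Provided VC can be validated with {\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"E9Zz…\",\"y\":\"KlTM…\"}"` is now repeated in six `.given(...)` calls across the pact methods, each with its own trailing `// pragma: allowlist secret`, so a future key rotation means six edits and six allowlist markers. Declaring it once near the other constants, `private static final String TICF_PUBLIC_JWK_PROVIDER_STATE = "Provided VC can be validated with {…}"; // pragma: allowlist secret`, and passing the constant keeps the marker in one place without changing the text Pact records as the provider state; the `validVcsReturnVcWithNoInterventions` variant uses "VCs" rather than "VC", so it either keeps its own literal or the two states are unified deliberately. The x/y values in these strings match the private key this commit moved out to `EC_PRIVATE_KEY_JWK`, so if `TestFixtures` also exposes the matching public JWK, deriving the string from it would keep the pair in sync; this page does not show whether such a fixture exists.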
Expand Up @@ -48,7 +48,7 @@
import static uk.gov.di.ipv.core.callticfcri.service.TicfCriService.X_API_KEY_HEADER;
import static uk.gov.di.ipv.core.library.domain.Cri.TICF;
import static uk.gov.di.ipv.core.library.domain.ErrorResponse.FAILED_TO_GET_CREDENTIAL;
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.EC_PUBLIC_JWK;
import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.TEST_EC_PUBLIC_JWK;
import static uk.gov.di.ipv.core.library.fixtures.VcFixtures.M1B_DCMAW_VC;
import static uk.gov.di.ipv.core.library.fixtures.VcFixtures.VC_ADDRESS;

Expand Down Expand Up @@ -94,7 +94,7 @@ void setUp() throws Exception {
ticfCriConfig =
RestCriConfig.builder()
.credentialUrl(new URI("https://credential.example.com"))
.signingKey(EC_PUBLIC_JWK)
.signingKey(TEST_EC_PUBLIC_JWK)
.componentId("https://ticf-cri.example.com")
.requiresApiKey(false)
.build();
Expand All @@ -105,7 +105,7 @@ void getTicfVcShouldReturnASignedJwtForASuccessfulInvocation() throws Exception
RestCriConfig ticfConfigWithApiKeyRequired =
RestCriConfig.builder()
.credentialUrl(new URI("https://credential.example.com"))
.signingKey(EC_PUBLIC_JWK)
.signingKey(TEST_EC_PUBLIC_JWK)
.componentId("https://ticf-cri.example.com")
.requiresApiKey(true)
.build();
Expand Up @@ -113,7 +113,7 @@
class InitialiseIpvSessionHandlerTest {
public static final String TEST_COMPONENT_ID = "test-component-id";
public static final String TEST_SIGNING_KEY =
"{\"kty\":\"EC\",\"d\":\"OXt0P05ZsQcK7eYusgIPsqZdaBCIJiW4imwUtnaAthU\",\"crv\":\"P-256\",\"x\":\"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM\",\"y\":\"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04\"}";
"{\"kty\":\"EC\",\"d\":\"OXt0P05ZsQcK7eYusgIPsqZdaBCIJiW4imwUtnaAthU\",\"crv\":\"P-256\",\"x\":\"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM\",\"y\":\"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04\"}"; // pragma: allowlist secret
public static final String TEST_USER_ID = "test-user-id";
private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
private static final CriConfig TEST_CRI_CONFIG =
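Review bot: `TEST_SIGNING_KEY` is a private EC JWK (it carries the `d` component), and this hunk keeps the literal in place and silences the scanner with `// pragma: allowlist secret`, whereas the ContractTest in the same commit replaced the byte-identical key with `EC_PRIVATE_KEY_JWK` from `TestFixtures`. Allowlisting a private-key literal is the pattern the baseline cleanup is moving away from, and the same treatment fits here: `public static final String TEST_SIGNING_KEY = EC_PRIVATE_KEY_JWK;` together with `import static uk.gov.di.ipv.core.library.fixtures.TestFixtures.EC_PRIVATE_KEY_JWK;`. That assumes the fixture holds exactly this key, which its drop-in use in ContractTest suggests but this page does not show, so confirm before switching. The class body continues outside the hunk.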

