Merge branch 'main' into snyk-upgrade-c172c94c99d023257905b427d164cb03

CMSgov · Sep 26, 2024 · b422f19 · b422f19
2 parents 85607d1 + 5fe4c70
commit b422f19
Show file tree

Hide file tree

Showing 17 changed files with 328 additions and 24 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,85 @@
+name: build
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+      module:
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      environment:
+        required: true
+        type: choice
+        options:
+          - dev
+          - test
+      module:
+        required: true
+        type: choice
+        options:
+          - api
+          - worker
+
+jobs:
+  build:
+    runs-on: self-hosted
+
+    env:
+      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
+      AWS_REGION: ${{ vars.AWS_REGION }}
+      DEPLOYMENT_ENV: ${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }}
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Setup Java
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+
+      - name: Install Maven 3.6.3
+        run: |
+          export PATH="$PATH:/opt/maven/bin"
+          echo "PATH=$PATH" >> $GITHUB_ENV
+          if mvn -v; then echo "Maven already installed" && exit 0; else echo "Installing Maven"; fi
+          tmpdir="$(mktemp -d)"
+          curl -LsS https://archive.apache.org/dist/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz | tar xzf - -C "$tmpdir"
+          sudo rm -rf /opt/maven
+          sudo mv "$tmpdir/apache-maven-3.6.3" /opt/maven
+
+      - name: Set env vars from AWS params in BCDA management account
+        uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
+        with:
+          params: |
+            ARTIFACTORY_URL=/artifactory/url
+            ARTIFACTORY_USER=/artifactory/user
+            ARTIFACTORY_PASSWORD=/artifactory/password
+
+      - name: Build package
+        run: mvn -U clean package -s settings.xml -DskipTests -Dusername="${ARTIFACTORY_USER}" -Dpassword="${ARTIFACTORY_PASSWORD}" -Drepository_url="${ARTIFACTORY_URL}"
+
+      - name: Assume role in AB2D Management account
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.MGMT_ACCOUNT_ID }}:role/delegatedadmin/developer/ab2d-mgmt-github-actions
+
+      - name: Build image and push to ECR
+        working-directory: ./${{ inputs.module }}
+        run: |
+          ECR_REPO_DOMAIN="${{ secrets.MGMT_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com"
+          aws ecr get-login-password | docker login --username AWS --password-stdin "$ECR_REPO_DOMAIN"
+          ECR_REPO_URI="$ECR_REPO_DOMAIN/ab2d_${{ inputs.module }}"
+          SHA_SHORT=$(git rev-parse --short HEAD)
+          echo "Building image for commit sha $SHA_SHORT"
+          docker build \
+            -t "${ECR_REPO_URI}:ab2d-${DEPLOYMENT_ENV}-$SHA_SHORT" \
+            -t "${ECR_REPO_URI}:ab2d-${DEPLOYMENT_ENV}-latest" .
+          echo "Pushing image"
+          docker push "${ECR_REPO_URI}" --all-tags
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,48 @@
+name: deploy
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+      module:
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      environment:
+        required: true
+        type: choice
+        options:
+          - dev
+          - test
+          - sbx
+          - prod
+          - prod-test
+      module:
+        required: true
+        type: choice
+        options:
+          - api
+          - worker
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    env:
+      DEPLOYMENT_ENV: ${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }}
+      ACCOUNT: ${{ inputs.environment == 'prod-test' && 'prod' || inputs.environment }}
+
+    steps:
+      - name: Assume role in AB2D ${{ env.ACCOUNT }} account
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets[format('{0}_ACCOUNT_ID', env.ACCOUNT)] }}:role/delegatedadmin/developer/ab2d-${{ env.ACCOUNT }}-github-actions
+
+      - name: Deploy latest image in ECR to ECS
+        run: aws ecs update-service --cluster ab2d-${DEPLOYMENT_ENV}-${{ inputs.module }} --service ab2d-${DEPLOYMENT_ENV}-${{ inputs.module }} --force-new-deployment
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
@@ -0,0 +1,97 @@
+name: end-to-end tests
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+  workflow_dispatch: # Allow manual trigger
+    inputs:
+      environment:
+        required: true
+        type: choice
+        options:
+          - dev
+          - test
+          - sbx
+        default: test
+
+# Ensure we have only one e2e test running at a time in each environment
+concurrency:
+  group: ${{ inputs.environment }}-e2e-test
+
+jobs:
+  test:
+    runs-on: self-hosted
+
+    env:
+      # Keystore location must be full path for spring framework
+      AB2D_BFD_KEYSTORE_LOCATION: "${{ github.workspace }}/opt/ab2d/ab2d_bfd_keystore"
+      AB2D_V2_ENABLED: 'true'
+      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Setup Java
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+
+      - name: Install Maven 3.6.3
+        run: |
+          export PATH="$PATH:/opt/maven/bin"
+          echo "PATH=$PATH" >> $GITHUB_ENV
+          if mvn -v; then echo "Maven already installed" && exit 0; else echo "Installing Maven"; fi
+          tmpdir="$(mktemp -d)"
+          curl -LsS https://archive.apache.org/dist/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz | tar xzf - -C "$tmpdir"
+          sudo rm -rf /opt/maven
+          sudo mv "$tmpdir/apache-maven-3.6.3" /opt/maven
+
+      - name: Set env vars from AWS params in BCDA management account
+        uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
+        env:
+          AWS_REGION: ${{ vars.AWS_REGION }}
+        with:
+          params: |
+            ARTIFACTORY_URL=/artifactory/url
+            ARTIFACTORY_USER=/artifactory/user
+            ARTIFACTORY_PASSWORD=/artifactory/password
+
+      - name: Assume role in AB2D account for this environment
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets[format('{0}_ACCOUNT_ID', inputs.environment)] }}:role/delegatedadmin/developer/ab2d-${{ inputs.environment }}-github-actions
+
+      - name: Set env vars from AWS params in AB2D account
+        uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
+        env:
+          AWS_REGION: ${{ vars.AWS_REGION }}
+        with:
+          params: |
+            AB2D_BFD_KEYSTORE_PASSWORD=/bfd/keystore-password
+            OKTA_CLIENT_ID=/okta/test-pdp-100-id
+            OKTA_CLIENT_PASSWORD=/okta/test-pdp-100-secret
+            SECONDARY_USER_OKTA_CLIENT_ID=/okta/test-pdp-1000-id
+            SECONDARY_USER_OKTA_CLIENT_PASSWORD=/okta/test-pdp-1000-secret
+
+      - name: Create opt/ab2d directory and download keystore
+        run: |
+          mkdir -p opt/ab2d
+          KEYSTORE_FILE_NAME="ab2d_${{ inputs.environment == 'test' && 'imp' || inputs.environment }}_keystore"
+          aws s3 cp s3://ab2d-${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }}-main/$KEYSTORE_FILE_NAME $AB2D_BFD_KEYSTORE_LOCATION
+          test -f $AB2D_BFD_KEYSTORE_LOCATION && echo "created keystore file"
+
+      - name: Run e2e-bfd-test
+        run: |
+          mvn test -s settings.xml -pl e2e-bfd-test -am -Dtest=EndToEndBfdTests -DfailIfNoTests=false -Dusername=$ARTIFACTORY_USER -Dpassword=$ARTIFACTORY_PASSWORD -Drepository_url=$ARTIFACTORY_URL --no-transfer-progress
+
+      - name: Run e2e-test
+        env:
+          E2E_ENVIRONMENT: ${{ inputs.environment == 'dev' && 'DEV' || inputs.environment == 'test' && 'IMPL' || inputs.environment == 'sbx' && 'SANDBOX' }}
+        run: |
+          mvn test -s settings.xml -pl e2e-test -am -Dtest=TestRunner -DfailIfNoTests=false -Dusername=$ARTIFACTORY_USER -Dpassword=$ARTIFACTORY_PASSWORD -Drepository_url=$ARTIFACTORY_URL --no-transfer-progress
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -0,0 +1,47 @@
+name: pull request jobs
+
+on:
+  pull_request:
+
+jobs:
+  unit-integration-test:
+    uses: ./.github/workflows/unit-integration-test.yml
+    secrets: inherit
+  build-api:
+    uses: ./.github/workflows/build.yml
+    with:
+      environment: test
+      module: api
+    secrets: inherit
+  build-worker:
+    uses: ./.github/workflows/build.yml
+    with:
+      environment: test
+      module: worker
+    secrets: inherit
+  deploy-api:
+    needs: build-api
+    permissions:
+      contents: read
+      id-token: write
+    uses: ./.github/workflows/deploy.yml
+    with:
+      environment: test
+      module: api
+    secrets: inherit
+  deploy-worker:
+    needs: build-worker
+    permissions:
+      contents: read
+      id-token: write
+    uses: ./.github/workflows/deploy.yml
+    with:
+      environment: test
+      module: worker
+    secrets: inherit
+  e2e-test:
+    needs: [deploy-api, deploy-worker]
+    uses: ./.github/workflows/e2e-test.yml
+    with:
+      environment: test
+    secrets: inherit
diff --git a/.github/workflows/unit-integration-test.yml b/.github/workflows/unit-integration-test.yml
@@ -1,13 +1,16 @@
 name: Run unit and integration tests
 
 on:
-  pull_request:
+  workflow_call:
   workflow_dispatch: # Allow manual trigger
 
 jobs:
   test:
     runs-on: self-hosted
 
+    env:
+      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
+
     steps:
       - name: Checkout Code
         uses: actions/checkout@v3
@@ -37,15 +40,6 @@ jobs:
           aws-region: ${{ vars.AWS_REGION }}
           role-to-assume: ${{ vars.AB2D_DEV_ROLE }}
 
-      - name: Set env vars from AWS params
-        uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
-        with:
-          params: |
-            OKTA_CLIENT_ID=/okta/client-id
-            OKTA_CLIENT_PASSWORD=/okta/client-secret
-            SECONDARY_USER_OKTA_CLIENT_ID=/secondary-okta/client-id
-            SECONDARY_USER_OKTA_CLIENT_PASSWORD=/secondary-okta/client-secret
-
       - name: Install Maven 3.6.3
         run: |
           export PATH="$PATH:/opt/maven/bin"

diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,9 @@
+title = "DASG Standard"
+
+[extend]
+  useDefault = true
+
+[[rules]]
+  id = "mbi-detection"
+  description = "Detects a potential MBI pattern based on https://www.cms.gov/medicare/new-medicare-card/understanding-the-mbi.pdf"
+  regex = '''\b((?i)[1-9][ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]-?\d[ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]\d-?[ACDEFGHJKMNPQRTUVWXY]{2}\d{2})\b'''
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,5 +1,5 @@
 repos:
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.16.1
+    rev: v8.19.2
     hooks:
       - id: gitleaks
diff --git a/api/pom.xml b/api/pom.xml
@@ -13,7 +13,7 @@
     <properties>
         <project.root>${basedir}/..</project.root>
         <springfox.version>3.0.0</springfox.version>
-        <okta-jwt.version>0.5.7</okta-jwt.version>
+        <okta-jwt.version>0.5.8</okta-jwt.version>
         <sonar.coverage.exclusions>**/JobClient.java</sonar.coverage.exclusions>
         <!-- 
             - AB2D-6099 -

diff --git a/api/src/main/java/gov/cms/ab2d/api/security/JwtTokenAuthenticationFilter.java b/api/src/main/java/gov/cms/ab2d/api/security/JwtTokenAuthenticationFilter.java
@@ -223,6 +223,11 @@ private boolean shouldBePublic(String requestUri) {
             return true;
         }
 
+        if (requestUri.endsWith("/metadata")) {
+            log.debug("metadata requested");
+            return true;
+        }
+
         return false;
     }
 

diff --git a/api/src/main/java/gov/cms/ab2d/api/security/SecurityConfig.java b/api/src/main/java/gov/cms/ab2d/api/security/SecurityConfig.java
@@ -47,7 +47,8 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
     private final String[] authExceptions = new String[]{"/swagger-ui/**", "/configuration/**",
             "/swagger-resources/**", "/v3/api-docs/**", "/webjars/**",
-            AKAMAI_TEST_OBJECT, "/favicon.ico", "/error", HEALTH_ENDPOINT, STATUS_ENDPOINT};
+            AKAMAI_TEST_OBJECT, "/favicon.ico", "/error", HEALTH_ENDPOINT, STATUS_ENDPOINT,
+            "/**/metadata"};
 
     @Override
     protected void configure(HttpSecurity security) throws Exception {
@@ -61,9 +62,9 @@ protected void configure(HttpSecurity security) throws Exception {
             // Add a filter to validate the tokens with every request.
             .addFilterAfter(jwtTokenAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
             .authorizeHttpRequests()
+            .antMatchers(authExceptions).permitAll()
             .antMatchers(API_PREFIX_V1 + ADMIN_PREFIX + "/**").hasAuthority(ADMIN_ROLE)
             .antMatchers(API_PREFIX_V1 + FHIR_PREFIX + "/**").hasAnyAuthority(SPONSOR_ROLE)
-                .antMatchers(authExceptions).permitAll()
             .anyRequest().authenticated();
 
         // Override default behavior to add more informative logs

diff --git a/common/src/main/resources/db/changelog/db.changelog-master.yaml b/common/src/main/resources/db/changelog/db.changelog-master.yaml
@@ -165,3 +165,5 @@ databaseChangeLog:
       file: db/changelog/v2024/misc_opt_out_attribution.sql
   - include:
       file: db/changelog/v2024/add_until_column.sql
+  - include:
+      file: db/changelog/v2024/ab2d_6151_rename_column.sql
diff --git a/common/src/main/resources/db/changelog/v2024/ab2d_6151_rename_column.sql b/common/src/main/resources/db/changelog/v2024/ab2d_6151_rename_column.sql
@@ -0,0 +1,11 @@
+DO $$
+BEGIN
+    IF EXISTS (SELECT 1
+     FROM information_schema.columns
+     WHERE table_schema = 'public' AND table_name = 'current_mbi' AND
+column_name = 'opt_out_flag')
+    THEN
+ALTER TABLE public.current_mbi RENAME opt_out_flag TO share_data;
+END IF;
+END
+$$;