Release/27.0 (#1036)

# Release Branch Pull Request

## Description of Changes

Release includes changes to accept Distance Selling Pharmacies and some
PEN test fixes

---------

Co-authored-by: Matthew Begley <60427904+mabe13@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thomas Judd-Cooper <me@tomjuddcooper.co.uk>
Co-authored-by: Sindhu <nsindhu26@gmail.com>
Co-authored-by: ThomasC-Kainos <106971950+ThomasC-Kainos@users.noreply.github.com>
Co-authored-by: ManithaSrinivasa <manitha.srinivasa@accenture.com>

Author: 7 people

application/common/constants.py

@@ -3,7 +3,7 @@
 CLOSED_AND_HIDDEN_STATUSES = ["HIDDEN", "CLOSED"]
 
 PHARMACY_SERVICE_TYPE_IDS = [13, 131, 132, 134, 137, 148, 149]
-PHARMACY_ORGANISATION_SUB_TYPES = ["Community"]
+PHARMACY_ORGANISATION_SUB_TYPES = ["Community", "DistanceSelling"]
 PHARMACY_ODSCODE_LENGTH = 5
 PHARMACY_SERVICE_TYPE_ID = 13
 

infrastructure/stacks/application/data.tf

@@ -51,6 +51,22 @@ data "aws_iam_policy_document" "sns_topic_app_alerts_for_slack_access_default_re
     }
     resources = [aws_sns_topic.sns_topic_app_alerts_for_slack_default_region.arn]
   }
+
+  statement {
+    sid     = "DenyNonSecureTransport"
+    effect  = "Deny"
+    actions = ["sns:Publish"]
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    resources = [aws_sns_topic.sns_topic_app_alerts_for_slack_default_region.arn]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
 }
 
 data "aws_iam_policy_document" "sns_topic_app_alerts_for_slack_access_alarm_region" {
@@ -63,6 +79,22 @@ data "aws_iam_policy_document" "sns_topic_app_alerts_for_slack_access_alarm_regi
     }
     resources = [aws_sns_topic.sns_topic_app_alerts_for_slack_route53_health_check_alarm_region.arn]
   }
+
+  statement {
+    sid     = "DenyNonSecureTransport"
+    effect  = "Deny"
+    actions = ["sns:Publish"]
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    resources = [aws_sns_topic.sns_topic_app_alerts_for_slack_route53_health_check_alarm_region.arn]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
 }
 
 # ##############

infrastructure/stacks/application/security_groups.tf

@@ -22,13 +22,13 @@ resource "aws_security_group_rule" "allow_https_out" {
 
 #tfsec:ignore:aws-vpc-no-public-egress-sgr
 resource "aws_security_group_rule" "allow_postgres_out" {
-  type              = "egress"
-  from_port         = 5432
-  to_port           = 5432
-  protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = aws_security_group.lambda_sg.id
-  description       = "Allow all Postgres outbound traffic"
+  type                     = "egress"
+  from_port                = 5432
+  to_port                  = 5432
+  protocol                 = "tcp"
+  source_security_group_id = data.aws_security_group.db_sg.id
+  security_group_id        = aws_security_group.lambda_sg.id
+  description              = "Allow all Postgres outbound traffic"
 }
 
 resource "aws_security_group_rule" "database_allow_in_from_lambda" {

infrastructure/stacks/shared-resources/api-gateway-responses.tf

@@ -7,6 +7,9 @@ resource "aws_api_gateway_method_response" "response_200" {
     "method.response.header.Cache-control"             = true
     "method.response.header.Pragma"                    = true
     "method.response.header.Strict-Transport-Security" = true
+    "method.response.header.X-Frame-Options"           = true
+    "method.response.header.X-Content-Type-Options"    = true
+    "method.response.header.Content-Security-Policy"   = true
   }
   response_models = {
     "application/json" = aws_api_gateway_model.default_model.name
@@ -22,6 +25,9 @@ resource "aws_api_gateway_method_response" "response_400" {
     "method.response.header.Cache-control"             = true
     "method.response.header.Pragma"                    = true
     "method.response.header.Strict-Transport-Security" = true
+    "method.response.header.X-Frame-Options"           = true
+    "method.response.header.X-Content-Type-Options"    = true
+    "method.response.header.Content-Security-Policy"   = true
   }
   response_models = {
     "application/json" = aws_api_gateway_model.default_model.name
@@ -37,6 +43,9 @@ resource "aws_api_gateway_method_response" "response_500" {
     "method.response.header.Cache-control"             = true
     "method.response.header.Pragma"                    = true
     "method.response.header.Strict-Transport-Security" = true
+    "method.response.header.X-Frame-Options"           = true
+    "method.response.header.X-Content-Type-Options"    = true
+    "method.response.header.Content-Security-Policy"   = true
   }
   response_models = {
     "application/json" = aws_api_gateway_model.default_model.name
@@ -54,6 +63,9 @@ resource "aws_api_gateway_integration_response" "di_endpoint_integration_success
     "method.response.header.Cache-control"             = "'no-cache'"
     "method.response.header.Pragma"                    = "'no-store'"
     "method.response.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"
+    "method.response.header.X-Frame-Options"           = "'DENY'"
+    "method.response.header.X-Content-Type-Options"    = "'nosniff'"
+    "method.response.header.Content-Security-Policy"   = "'default-src 'self''"
   }
 
   depends_on = [
@@ -75,6 +87,9 @@ resource "aws_api_gateway_integration_response" "response_400" {
     "method.response.header.Cache-control"             = "'no-cache'"
     "method.response.header.Pragma"                    = "'no-store'"
     "method.response.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"
+    "method.response.header.X-Frame-Options"           = "'DENY'"
+    "method.response.header.X-Content-Type-Options"    = "'nosniff'"
+    "method.response.header.Content-Security-Policy"   = "'default-src 'self''"
   }
 
   depends_on = [
@@ -96,6 +111,9 @@ resource "aws_api_gateway_integration_response" "response_500" {
     "method.response.header.Cache-control"             = "'no-cache'"
     "method.response.header.Pragma"                    = "'no-store'"
     "method.response.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"
+    "method.response.header.X-Frame-Options"           = "'DENY'"
+    "method.response.header.X-Content-Type-Options"    = "'nosniff'"
+    "method.response.header.Content-Security-Policy"   = "'default-src 'self''"
   }
 
   depends_on = [
@@ -112,9 +130,41 @@ resource "aws_api_gateway_gateway_response" "access_denied_403_gateway_response"
   response_type      = "ACCESS_DENIED"
   response_templates = ({ "application/json" : jsonencode({ "Message" : "Access Denied, please contact the development team for assistance" }) })
 
+  response_parameters = {
+    "gatewayresponse.header.Cache-control"             = "'no-cache'"
+    "gatewayresponse.header.Pragma"                    = "'no-store'"
+    "gatewayresponse.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"
+    "gatewayresponse.header.X-Frame-Options"           = "'DENY'"
+    "gatewayresponse.header.X-Content-Type-Options"    = "'nosniff'"
+    "gatewayresponse.header.Content-Security-Policy"   = "'default-src 'self''"
+  }
+
   depends_on = [
     aws_api_gateway_integration.di_endpoint_integration,
     aws_api_gateway_resource.di_endpoint_change_event_path,
     aws_api_gateway_method.di_endpoint_method,
   ]
 }
+
+resource "aws_api_gateway_gateway_response" "invalid_api_key_403_response" {
+  rest_api_id        = aws_api_gateway_rest_api.di_endpoint.id
+  status_code        = "403"
+  response_type      = "INVALID_API_KEY"
+  response_templates = ({ "application/json" : jsonencode({ "message" : "Forbidden" }) })
+
+  response_parameters = {
+    "gatewayresponse.header.Cache-Control"             = "'no-cache'"
+    "gatewayresponse.header.Pragma"                    = "'no-store'"
+    "gatewayresponse.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"
+    "gatewayresponse.header.X-Frame-Options"           = "'DENY'"
+    "gatewayresponse.header.X-Content-Type-Options"    = "'nosniff'"
+    "gatewayresponse.header.Content-Security-Policy"   = "'default-src 'self''"
+  }
+
+  depends_on = [
+    aws_api_gateway_integration.di_endpoint_integration,
+    aws_api_gateway_resource.di_endpoint_change_event_path,
+    aws_api_gateway_method.di_endpoint_method,
+  ]
+}
+

infrastructure/stacks/shared-resources/api-gateway.tf

@@ -95,7 +95,8 @@ EOF
 resource "aws_api_gateway_deployment" "di_endpoint_deployment" {
   rest_api_id = aws_api_gateway_rest_api.di_endpoint.id
   depends_on = [
-    aws_api_gateway_rest_api_policy.di_endpoint_policy
+    aws_api_gateway_rest_api_policy.di_endpoint_policy,
+    aws_api_gateway_gateway_response.invalid_api_key_403_response
   ]
   triggers = {
     redeployment = join("", [md5(jsonencode([

infrastructure/stacks/shared-resources/data.tf

@@ -68,6 +68,22 @@ data "aws_iam_policy_document" "shared_resources_sns_topic_app_alerts_for_slack_
     }
     resources = [aws_sns_topic.shared_resources_sns_topic_app_alerts_for_slack_default_region.arn]
   }
+
+  statement {
+    sid     = "DenyNonSecureTransport"
+    effect  = "Deny"
+    actions = ["sns:Publish"]
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    resources = [aws_sns_topic.shared_resources_sns_topic_app_alerts_for_slack_default_region.arn]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
 }
 
 data "aws_iam_policy_document" "shared_resources_sns_topic_app_alerts_for_slack_access_alarm_region" {
@@ -80,6 +96,22 @@ data "aws_iam_policy_document" "shared_resources_sns_topic_app_alerts_for_slack_
     }
     resources = [aws_sns_topic.shared_resources_sns_topic_app_alerts_for_slack_route53_health_check_alarm_region.arn]
   }
+
+  statement {
+    sid     = "DenyNonSecureTransport"
+    effect  = "Deny"
+    actions = ["sns:Publish"]
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    resources = [aws_sns_topic.shared_resources_sns_topic_app_alerts_for_slack_route53_health_check_alarm_region.arn]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
 }
 
 data "aws_iam_role" "di_firehose_role" {

test/integration/features/F001_Valid_Change_Events.feature

@@ -59,7 +59,9 @@ Feature: F001. Ensure valid change events are converted and sent to DoS
   Scenario: F001SXX3. A Changed event with aligned data does not save an update to DoS
     Given a basic service is created
     When the Changed Event is sent for processing with "valid" api key
-    Then the "service-sync" lambda shows field "message" with value "No changes to save"
+    Then the change event response has status code "200"
+    And the response has security headers
+    And the "service-sync" lambda shows field "message" with value "No changes to save"
     And the service history is not updated
 
   @complete @general
@@ -511,3 +513,51 @@ Feature: F001. Ensure valid change events are converted and sent to DoS
       | " 0123456789"  | 0123456789     |
       | "0123456789 "  | 0123456789     |
       | "012 34567 89" | 0123456789     |
+
+
+  @complete @general
+  Scenario Outline: F001SX40. Changes are processed successfully for service_type = "134" with OrganisationSubType = "DistanceSelling"
+    Given an entry is created in the services table
+    And the service "service_type" is set to "134"
+    And the service "service_status" is set to "1"
+    And the entry is committed to the services table
+    And the change event "OrganisationSubType" is set to "DistanceSelling"
+    When the Changed Event is sent for processing with "valid" api key
+    Then the "service-sync" lambda shows field "message" with value "Update Request Success"
+    Then the Changed Event is stored in dynamo db
+    And the service history is not updated
+    When the change event "<field>" is set to "<value>"
+    When the Changed Event is sent for processing with "valid" api key
+    Then the Changed Event is stored in dynamo db
+    Then the "<DOS_field>" is updated within the DoS DB
+    And the service history shows "<service_hist_field>" change type is "modify"
+
+    Examples:
+      | field      | value                    | DOS_field     |service_hist_field |
+      | website    | www.testonetwo.com       | website       | cmsurl            |
+      | phone      | 22459436909              | phone         | cmstelephoneno    |
+      | Address1   | 5 Tester Way             | address       | postaladdress     |
+
+  @complete @general
+  Scenario: F001SX41. Changed Event with updated postcode to verify location changes with service_type = "134" and OrganisationSubType = "DistanceSelling"
+    Given an entry is created in the services table
+    And the service "service_type" is set to "134"
+    And the service "service_status" is set to "1"
+    And the entry is committed to the services table
+    And the change event "OrganisationSubType" is set to "DistanceSelling"
+    When the Changed Event is sent for processing with "valid" api key
+    Then the "service-sync" lambda shows field "message" with value "Update Request Success"
+    Then the Changed Event is stored in dynamo db
+    And the service history is not updated
+    When the change event "Postcode" is set to "PR4 2BE"
+    When the Changed Event is sent for processing with "valid" api key
+    Then the Changed Event is stored in dynamo db
+    Then DoS has "PR4 2BE" in the "Postcode" field
+    Then DoS has "KIRKHAM" in the "town" field
+    And DoS has "341832" in the "easting" field
+    And DoS has "432011" in the "northing" field
+    And DoS has "53.781108" in the "latitude" field
+    And DoS has "-2.886537" in the "longitude" field
+    And the service history is updated with the "Postcode"
+    And the service history shows "postalcode" change type is "modify"
+

test/integration/features/F002_Invalid_Change_Events.feature

@@ -62,3 +62,11 @@ Feature: F002. Invalid change event Exception handling
     And the change event has an additional date with no specified date
     When the Changed Event is sent for processing with "valid" api key
     Then the "service-sync" lambda shows field "message" with value "Opening times are not valid"
+
+  @complete @validation
+  Scenario: F002SXX9. A Changed Event where OrganisationSubType is NOT DistanceSelling is reported and ignored
+    Given a basic service is created with type "134"
+    And the change event "OrganisationSubType" is set to "Distance Selling"
+    When the Changed Event is sent for processing with "valid" api key
+    Then the "ingest-change-event" lambda shows field "message" with value "Validation Error - Unexpected Org Sub Type ID: 'Distance Selling'"
+    And the service history is not updated

test/integration/features/F003_DoS_Security.feature

@@ -5,4 +5,5 @@ Feature: F003. Endpoint security and reporting
     Given a basic service is created
     When the Changed Event is sent for processing with "invalid" api key
     Then the change event response has status code "403"
+    And the response has security headers
     And the Slack channel shows an alert saying "DI 4XX Endpoint Errors" from "SHARED_ENVIRONMENT"

test/integration/features/F004_Error_Handling.feature

@@ -5,6 +5,7 @@ Feature: F004. Error Handling
     Given a basic service is created
     When the Changed Event is sent for processing with no sequence id
     Then the change event response has status code "400"
+    And the response has security headers
 
   @complete @slack_and_infrastructure
   Scenario: F004SXX6. An Alphanumeric Sequence number raises a 400 Bad Request exception