

Merge branch 'main' into snyk-upgrade-c172c94c99d023257905b427d164cb03
smirnovaae authored Sep 26, 2024
2 parents 85607d1 + 5fe4c70 commit b422f19
Showing 17 changed files with 328 additions and 24 deletions.
85 changes: 85 additions & 0 deletions .github/workflows/build.yml
@@ -0,0 +1,85 @@
name: build

on:
workflow_call:
inputs:
environment:
required: true
type: string
module:
required: true
type: string
workflow_dispatch:
inputs:
environment:
required: true
type: choice
options:
- dev
- test
module:
required: true
type: choice
options:
- api
- worker

jobs:
build:
runs-on: self-hosted

env:
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
AWS_REGION: ${{ vars.AWS_REGION }}
DEPLOYMENT_ENV: ${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }}

steps:
- name: Checkout Code
uses: actions/checkout@v3

- name: Setup Java
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '17'

- name: Install Maven 3.6.3
run: |
export PATH="$PATH:/opt/maven/bin"
echo "PATH=$PATH" >> $GITHUB_ENV
if mvn -v; then echo "Maven already installed" && exit 0; else echo "Installing Maven"; fi
tmpdir="$(mktemp -d)"
curl -LsS https://archive.apache.org/dist/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz | tar xzf - -C "$tmpdir"
sudo rm -rf /opt/maven
sudo mv "$tmpdir/apache-maven-3.6.3" /opt/maven
- name: Set env vars from AWS params in BCDA management account
uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
with:
params: |
ARTIFACTORY_URL=/artifactory/url
ARTIFACTORY_USER=/artifactory/user
ARTIFACTORY_PASSWORD=/artifactory/password
- name: Build package
run: mvn -U clean package -s settings.xml -DskipTests -Dusername="${ARTIFACTORY_USER}" -Dpassword="${ARTIFACTORY_PASSWORD}" -Drepository_url="${ARTIFACTORY_URL}"

- name: Assume role in AB2D Management account
uses: aws-actions/configure-aws-credentials@v3
with:
aws-region: ${{ vars.AWS_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.MGMT_ACCOUNT_ID }}:role/delegatedadmin/developer/ab2d-mgmt-github-actions

- name: Build image and push to ECR
working-directory: ./${{ inputs.module }}
run: |
ECR_REPO_DOMAIN="${{ secrets.MGMT_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com"
aws ecr get-login-password | docker login --username AWS --password-stdin "$ECR_REPO_DOMAIN"
ECR_REPO_URI="$ECR_REPO_DOMAIN/ab2d_${{ inputs.module }}"
SHA_SHORT=$(git rev-parse --short HEAD)
echo "Building image for commit sha $SHA_SHORT"
docker build \
-t "${ECR_REPO_URI}:ab2d-${DEPLOYMENT_ENV}-$SHA_SHORT" \
-t "${ECR_REPO_URI}:ab2d-${DEPLOYMENT_ENV}-latest" .
echo "Pushing image"
docker push "${ECR_REPO_URI}" --all-tags
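Review bot: The step `uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main` tracks a mutable branch, and it runs inside a job that holds the Artifactory credentials and goes on to assume the management-account role and push to ECR, so anyone who can push to that branch can run code in this job; pin it to a full commit SHA with the tracked ref in a comment, `uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@<40-char sha> # main`, and let Dependabot advance the pin. `ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true` opts the job into running actions on an end-of-life Node runtime; moving `actions/checkout`, `actions/setup-java` and `aws-actions/configure-aws-credentials` to their `v4` lines should make that opt-in unnecessary, and if one action still needs it a comment naming which one gives the flag an exit condition. The Maven install pipes the tarball from `archive.apache.org` straight into `tar` with no integrity check and then runs `sudo rm -rf /opt/maven` on a shared self-hosted runner; Apache publishes a `.sha512` next to the same artifact, so download to a file and verify with `sha512sum -c` before extracting. Passing `-Dpassword="${ARTIFACTORY_PASSWORD}"` on the `mvn` command line exposes the secret through the process table to anything else running on that runner; `settings.xml` can read `${env.ARTIFACTORY_PASSWORD}` directly, which keeps it out of argv.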
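--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,48 @@
+name: deploy
+
+on:
+workflow_call:
+inputs:
+environment:
+required: true
+type: string
+module:
+required: true
+type: string
+workflow_dispatch:
+inputs:
+environment:
+required: true
+type: choice
+options:
+- dev
+- test
+- sbx
+- prod
+- prod-test
+module:
+required: true
+type: choice
+options:
+- api
+- worker
+
+jobs:
+deploy:
+runs-on: ubuntu-latest
+permissions:
+contents: read
+id-token: write
+env:
+DEPLOYMENT_ENV: ${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }}
+ACCOUNT: ${{ inputs.environment == 'prod-test' && 'prod' || inputs.environment }}
+
+steps:
+- name: Assume role in AB2D ${{ env.ACCOUNT }} account
+uses: aws-actions/configure-aws-credentials@v3
+with:
+aws-region: ${{ vars.AWS_REGION }}
+role-to-assume: arn:aws:iam::${{ secrets[format('{0}_ACCOUNT_ID', env.ACCOUNT)] }}:role/delegatedadmin/developer/ab2d-${{ env.ACCOUNT }}-github-actions
+
+- name: Deploy latest image in ECR to ECS
+run: aws ecs update-service --cluster ab2d-${DEPLOYMENT_ENV}-${{ inputs.module }} --service ab2d-${DEPLOYMENT_ENV}-${{ inputs.module }} --force-new-deployment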
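Review bot: The `deploy` job carries no `environment:` key, so a `workflow_dispatch` with `environment: prod` or `prod-test` assumes the prod role and forces an ECS deployment with no approval gate and no environment-scoped secrets; adding `environment: ${{ inputs.environment }}` to the job lets GitHub Environments' required reviewers and deployment-branch rules apply to the production targets. `aws ecs update-service --force-new-deployment` redeploys whatever image the service's current task definition resolves to, so if another build pushes `ab2d-<env>-latest` between build and deploy the caller ships someone else's image, and nothing records which digest went out; consider taking the build's `ab2d-${DEPLOYMENT_ENV}-<sha>` tag as an input and registering a task-definition revision that references it (or the image digest) before calling `update-service`. If redeploying the current tag is the intended behaviour, a comment above the step such as `# Redeploys the image the task definition currently points at (expected to be the -latest tag); this job does not pin to the commit that called it` would keep the next reader from assuming the deploy is tied to this workflow run.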
97 changes: 97 additions & 0 deletions .github/workflows/e2e-test.yml
@@ -0,0 +1,97 @@
name: end-to-end tests

on:
workflow_call:
inputs:
environment:
required: true
type: string
workflow_dispatch: # Allow manual trigger
inputs:
environment:
required: true
type: choice
options:
- dev
- test
- sbx
default: test

# Ensure we have only one e2e test running at a time in each environment
concurrency:
group: ${{ inputs.environment }}-e2e-test

jobs:
test:
runs-on: self-hosted

env:
# Keystore location must be full path for spring framework
AB2D_BFD_KEYSTORE_LOCATION: "${{ github.workspace }}/opt/ab2d/ab2d_bfd_keystore"
AB2D_V2_ENABLED: 'true'
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true

steps:
- name: Checkout Code
uses: actions/checkout@v3

- name: Setup Java
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '17'

- name: Install Maven 3.6.3
run: |
export PATH="$PATH:/opt/maven/bin"
echo "PATH=$PATH" >> $GITHUB_ENV
if mvn -v; then echo "Maven already installed" && exit 0; else echo "Installing Maven"; fi
tmpdir="$(mktemp -d)"
curl -LsS https://archive.apache.org/dist/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz | tar xzf - -C "$tmpdir"
sudo rm -rf /opt/maven
sudo mv "$tmpdir/apache-maven-3.6.3" /opt/maven
- name: Set env vars from AWS params in BCDA management account
uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
env:
AWS_REGION: ${{ vars.AWS_REGION }}
with:
params: |
ARTIFACTORY_URL=/artifactory/url
ARTIFACTORY_USER=/artifactory/user
ARTIFACTORY_PASSWORD=/artifactory/password
- name: Assume role in AB2D account for this environment
uses: aws-actions/configure-aws-credentials@v3
with:
aws-region: ${{ vars.AWS_REGION }}
role-to-assume: arn:aws:iam::${{ secrets[format('{0}_ACCOUNT_ID', inputs.environment)] }}:role/delegatedadmin/developer/ab2d-${{ inputs.environment }}-github-actions

- name: Set env vars from AWS params in AB2D account
uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
env:
AWS_REGION: ${{ vars.AWS_REGION }}
with:
params: |
AB2D_BFD_KEYSTORE_PASSWORD=/bfd/keystore-password
OKTA_CLIENT_ID=/okta/test-pdp-100-id
OKTA_CLIENT_PASSWORD=/okta/test-pdp-100-secret
SECONDARY_USER_OKTA_CLIENT_ID=/okta/test-pdp-1000-id
SECONDARY_USER_OKTA_CLIENT_PASSWORD=/okta/test-pdp-1000-secret
- name: Create opt/ab2d directory and download keystore
run: |
mkdir -p opt/ab2d
KEYSTORE_FILE_NAME="ab2d_${{ inputs.environment == 'test' && 'imp' || inputs.environment }}_keystore"
aws s3 cp s3://ab2d-${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }}-main/$KEYSTORE_FILE_NAME $AB2D_BFD_KEYSTORE_LOCATION
test -f $AB2D_BFD_KEYSTORE_LOCATION && echo "created keystore file"
- name: Run e2e-bfd-test
run: |
mvn test -s settings.xml -pl e2e-bfd-test -am -Dtest=EndToEndBfdTests -DfailIfNoTests=false -Dusername=$ARTIFACTORY_USER -Dpassword=$ARTIFACTORY_PASSWORD -Drepository_url=$ARTIFACTORY_URL --no-transfer-progress
- name: Run e2e-test
env:
E2E_ENVIRONMENT: ${{ inputs.environment == 'dev' && 'DEV' || inputs.environment == 'test' && 'IMPL' || inputs.environment == 'sbx' && 'SANDBOX' }}
run: |
mvn test -s settings.xml -pl e2e-test -am -Dtest=TestRunner -DfailIfNoTests=false -Dusername=$ARTIFACTORY_USER -Dpassword=$ARTIFACTORY_PASSWORD -Drepository_url=$ARTIFACTORY_URL --no-transfer-progress
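Review bot: The BFD keystore copied to `$AB2D_BFD_KEYSTORE_LOCATION` on a self-hosted runner is never deleted, so that credential stays on the shared host after the job finishes and is only removed if a later `actions/checkout` happens to clean the workspace; add a final step `- name: Remove keystore` / `if: always()` / `run: rm -f "$AB2D_BFD_KEYSTORE_LOCATION"`. The `E2E_ENVIRONMENT` expression evaluates to the string `false` for any `environment` other than `dev`, `test` or `sbx`, which a `workflow_call` caller can pass because that input is an unvalidated string; either fail fast on an unknown value before the AWS steps or express the mapping as a `vars` lookup like the `DEPLOYMENT_ENV` one so the two cannot drift apart. Both `mvn test` lines also put `-Dpassword=$ARTIFACTORY_PASSWORD` in argv, where it is readable from the process table by anything else on the runner; `settings.xml` can reference `${env.ARTIFACTORY_PASSWORD}` instead.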
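--- /dev/null
+++ b/.github/workflows/pull-request.yml
@@ -0,0 +1,47 @@
+name: pull request jobs
+
+on:
+pull_request:
+
+jobs:
+unit-integration-test:
+uses: ./.github/workflows/unit-integration-test.yml
+secrets: inherit
+build-api:
+uses: ./.github/workflows/build.yml
+with:
+environment: test
+module: api
+secrets: inherit
+build-worker:
+uses: ./.github/workflows/build.yml
+with:
+environment: test
+module: worker
+secrets: inherit
+deploy-api:
+needs: build-api
+permissions:
+contents: read
+id-token: write
+uses: ./.github/workflows/deploy.yml
+with:
+environment: test
+module: api
+secrets: inherit
+deploy-worker:
+needs: build-worker
+permissions:
+contents: read
+id-token: write
+uses: ./.github/workflows/deploy.yml
+with:
+environment: test
+module: worker
+secrets: inherit
+e2e-test:
+needs: [deploy-api, deploy-worker]
+uses: ./.github/workflows/e2e-test.yml
+with:
+environment: test
+secrets: inherit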
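Review bot: The bare `pull_request` trigger builds, deploys to the shared `test` environment and runs e2e for every pull request with nothing to serialise them, so two open PRs race: each pushes its own `ab2d-<env>-latest` and forces a new ECS deployment, and one PR's e2e job can end up exercising the other PR's image, since the `concurrency` group in `e2e-test.yml` covers only the test job and not the deploy. A workflow-level `concurrency:` group keyed on the target environment (and, if unattended deploys from every PR are not wanted, a `types`/label filter on the trigger) closes that window. The file also declares no top-level `permissions:`, so `unit-integration-test`, `build-api` and `build-worker` run with the repository's default `GITHUB_TOKEN` scopes; setting `permissions:` with `contents: read` at the workflow level, as the `deploy-*` jobs already do explicitly with `id-token: write`, keeps the token at least privilege. If the repository accepts pull requests from forks, note that the self-hosted jobs invoked here check out and build the PR's code on that runner; secrets are withheld from fork PRs, but the runner itself is not.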
14 changes: 4 additions & 10 deletions .github/workflows/unit-integration-test.yml
@@ -1,13 +1,16 @@
name: Run unit and integration tests

on:
pull_request:
workflow_call:
workflow_dispatch: # Allow manual trigger

jobs:
test:
runs-on: self-hosted

env:
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true

steps:
- name: Checkout Code
uses: actions/checkout@v3
Expand Down Expand Up @@ -37,15 +40,6 @@ jobs:
aws-region: ${{ vars.AWS_REGION }}
role-to-assume: ${{ vars.AB2D_DEV_ROLE }}

- name: Set env vars from AWS params
uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
with:
params: |
OKTA_CLIENT_ID=/okta/client-id
OKTA_CLIENT_PASSWORD=/okta/client-secret
SECONDARY_USER_OKTA_CLIENT_ID=/secondary-okta/client-id
SECONDARY_USER_OKTA_CLIENT_PASSWORD=/secondary-okta/client-secret
- name: Install Maven 3.6.3
run: |
export PATH="$PATH:/opt/maven/bin"
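--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,9 @@
+title = "DASG Standard"
+
+[extend]
+useDefault = true
+
+[[rules]]
+id = "mbi-detection"
+description = "Detects a potential MBI pattern based on https://www.cms.gov/medicare/new-medicare-card/understanding-the-mbi.pdf"
+regex = '''\b((?i)[1-9][ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]-?\d[ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]\d-?[ACDEFGHJKMNPQRTUVWXY]{2}\d{2})\b'''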
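Review bot: The two optional hyphens in `regex` sit after characters 3 and 7, but the MBI format the linked CMS document describes is `CAAN-AAN-AANN`, grouped 4-3-4, so a hyphenated value such as `1EG4-TE5-MK73` does not match (the engine takes `4` as the position-4 digit and then expects a letter where the `-` is) and only the unhyphenated form is detected. Moving the first `-?` one position right aligns the rule with that format: `regex = '''\b((?i)[1-9][ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]\d-?[ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]\d-?[ACDEFGHJKMNPQRTUVWXY]{2}\d{2})\b'''`. Since this rule is the only thing standing between a pasted beneficiary identifier and the repository history, it is worth keeping both a hyphenated and an unhyphenated synthetic sample in whatever gitleaks test fixtures the repo maintains so a future edit cannot silently drop the printed-on-card form again.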
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -1,5 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
rev: v8.19.2
hooks:
- id: gitleaks
2 changes: 1 addition & 1 deletion api/pom.xml
Expand Up @@ -13,7 +13,7 @@
<properties>
<project.root>${basedir}/..</project.root>
<springfox.version>3.0.0</springfox.version>
<okta-jwt.version>0.5.7</okta-jwt.version>
<okta-jwt.version>0.5.8</okta-jwt.version>
<sonar.coverage.exclusions>**/JobClient.java</sonar.coverage.exclusions>
<!--
- AB2D-6099 -
Original file line number Diff line number Diff line change
Expand Up @@ -223,6 +223,11 @@ private boolean shouldBePublic(String requestUri) {
return true;
}

if (requestUri.endsWith("/metadata")) {
log.debug("metadata requested");
return true;
}

return false;
}

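Review bot: `requestUri.endsWith("/metadata")` is a suffix match on the whole request URI, so the JWT filter is skipped for any path that happens to end in `/metadata`, not just the FHIR capability statement, and for those requests authorization rests entirely on the `SecurityConfig` matchers. If the capability statement lives at a fixed, versioned path, compare against it rather than the suffix, e.g. `if (requestUri.equals(FHIR_PREFIX + "/metadata"))` using whichever prefix constants this class already has in scope, or at least leave a comment stating why the suffix form is acceptable, `// FHIR capability statement is unauthenticated by spec; suffix match covers every API version`. `shouldBePublic` begins before this hunk, so the other early returns it grants are not visible here.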
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,8 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {

private final String[] authExceptions = new String[]{"/swagger-ui/**", "/configuration/**",
"/swagger-resources/**", "/v3/api-docs/**", "/webjars/**",
AKAMAI_TEST_OBJECT, "/favicon.ico", "/error", HEALTH_ENDPOINT, STATUS_ENDPOINT};
AKAMAI_TEST_OBJECT, "/favicon.ico", "/error", HEALTH_ENDPOINT, STATUS_ENDPOINT,
"/**/metadata"};

@Override
protected void configure(HttpSecurity security) throws Exception {
Expand All @@ -61,9 +62,9 @@ protected void configure(HttpSecurity security) throws Exception {
// Add a filter to validate the tokens with every request.
.addFilterAfter(jwtTokenAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
.authorizeHttpRequests()
.antMatchers(authExceptions).permitAll()
.antMatchers(API_PREFIX_V1 + ADMIN_PREFIX + "/**").hasAuthority(ADMIN_ROLE)
.antMatchers(API_PREFIX_V1 + FHIR_PREFIX + "/**").hasAnyAuthority(SPONSOR_ROLE)
.antMatchers(authExceptions).permitAll()
.anyRequest().authenticated();

// Override default behavior to add more informative logs
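Review bot: Moving `.antMatchers(authExceptions).permitAll()` below the admin and FHIR v1 matchers is the right call, since Spring Security applies the first matching rule and the new `"/**/metadata"` entry would otherwise have made any admin or FHIR v1 route ending in `/metadata` anonymous; it deserves a comment so nobody "tidies" it back, `// Order matters: role-gated prefixes first, so the /**/metadata permitAll cannot open admin or FHIR v1 routes.` The side effect is that a `/metadata` path under `API_PREFIX_V1 + FHIR_PREFIX`, if one exists, now skips token parsing in the JWT filter (the `endsWith("/metadata")` change elsewhere in this commit) yet still needs `SPONSOR_ROLE` here, so it would fail authorization rather than be public. If only specific capability-statement paths are meant to be open, narrowing `"/**/metadata"` to those exact paths removes the ambiguity and keeps the filter and the matcher list in agreement.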
Original file line number Diff line number Diff line change
Expand Up @@ -165,3 +165,5 @@ databaseChangeLog:
file: db/changelog/v2024/misc_opt_out_attribution.sql
- include:
file: db/changelog/v2024/add_until_column.sql
- include:
file: db/changelog/v2024/ab2d_6151_rename_column.sql
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
DO $$
BEGIN
IF EXISTS (SELECT 1
FROM information_schema.columns
WHERE table_schema = 'public' AND table_name = 'current_mbi' AND
column_name = 'opt_out_flag')
THEN
ALTER TABLE public.current_mbi RENAME opt_out_flag TO share_data;
END IF;
END
$$;
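Review bot: Renaming `opt_out_flag` to `share_data` changes what a reader takes the stored value to mean (an opt-out flag set to true reads as "do not share", a `share_data` column set to true reads as "share"), while this migration only renames the column and leaves every row's value untouched. If the application already treated `opt_out_flag` in the "share" sense this is fine, but the file should say so, e.g. `-- Rename only (AB2D-6151): the column has always held the "share data" sense, so no value inversion is needed`; if not, a `UPDATE public.current_mbi SET share_data = NOT share_data;` has to ship in the same changeset, bearing in mind that `NOT NULL` stays `NULL`. The `IF EXISTS` guard makes a re-run a no-op, but the rename will still error if `share_data` already exists alongside a stale `opt_out_flag`; checking for the target column in the same `IF` is cheap insurance. I am assuming the column is boolean from its old name; confirm against the original changelog.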