From e0fab54dd4d81cffb46c277426e27f140d7732f5 Mon Sep 17 00:00:00 2001
From: JamesCollettCGI
Date: Tue, 7 Feb 2023 17:00:08 +0000
Subject: [PATCH 01/13] Add Delete Role functionality to AccessProfileService
---
 .../domain/service/AccessProfileService.java | 2 ++
 .../service/AccessProfileServiceImpl.java | 12 +++++++
 .../service/AccessProfileServiceImplTest.java | 31 +++++++++++++++++++
 3 files changed, 45 insertions(+)
diff --git a/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileService.java b/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileService.java
index 95ee3322ec..526da38596 100644
--- a/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileService.java
+++ b/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileService.java
@@ -16,4 +16,6 @@ public interface AccessProfileService {
 List getRoles(List roles);
 List getRoles();
+
+ void deleteRole(final UserRole userRole);
 }
diff --git a/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImpl.java b/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImpl.java
index 148e792a84..4566dc3b8b 100644
--- a/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImpl.java
+++ b/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImpl.java
@@ -88,4 +88,16 @@ public List getRoles() {
 .map(UserRoleModelMapper::toModel)
 .collect(toList());
 }
+
+ @Transactional
+ @Override
+ public void deleteRole(final UserRole userRole) {
+ final Optional searchResult = repository.findTopByReference(userRole.getRole());
+ if (searchResult.isPresent()) {
+ final AccessProfileEntity entity = searchResult.get();
+ repository.delete(entity);
+ } else {
+ throw new NotFoundException("Role '" + userRole.getRole() + "' is not found");
+ }
+ }
 }
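Review bot: `deleteRole` removes only the single row returned by `repository.findTopByReference(userRole.getRole())`, so if more than one access-profile row can share a reference the others survive and the role is only partially deleted; confirm the reference column is unique or delete every match. Nothing in the hunk checks whether the role is still referenced by other definitions before it is removed, so unless the schema enforces that with a foreign key the delete can orphan those references, which deserves either a guard or a documented precondition. The `isPresent()`/`get()` pair reads more directly as `repository.delete(searchResult.orElseThrow(() -> new NotFoundException("Role '" + userRole.getRole() + "' is not found")));`. The method also has no Javadoc stating that `NotFoundException` is thrown for an unknown role, which callers of the interface need to know.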
diff --git a/domain/src/test/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImplTest.java b/domain/src/test/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImplTest.java
index d611f0617f..1986b461f0 100644
--- a/domain/src/test/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImplTest.java
+++ b/domain/src/test/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImplTest.java
@@ -195,6 +195,37 @@ void shouldThrowExceptionwhenCreateRole() {
 }
 }
+ @Nested
+ @DisplayName("Delete Role Tests")
+ class DeleteTests {
+ @Test
+ @DisplayName("should delete role")
+ void shouldDeleteRole() {
+ final String role = "delete";
+ givenUserRole(role, PUBLIC);
+ givenEntityWithRole(role);
+
+ doReturn(Optional.of(mockAccessProfileEntity)).when(repository).findTopByReference(role);
+
+ service.deleteRole(mockUserRole);
+
+ verify(repository).delete(any(AccessProfileEntity.class));
+ }
+
+ @Test
+ @DisplayName("should throw exception when role not found")
+ void shouldThrowException_whenRoleNotFound() {
+ final String role = "delete";
+ givenUserRole(role, PUBLIC);
+ givenEntityWithRole(role);
+
+ doReturn(Optional.empty()).when(repository).findTopByReference(role);
+
+ Throwable thrown = assertThrows(NotFoundException.class, () -> service.deleteRole(mockUserRole));
+ assertEquals("Role 'delete' is not found", thrown.getMessage());
+ }
+ }
+
 @Nested
 @DisplayName("GetRoles Tests")
 class GetRolesTests {
From 8271f4b265663b93e2be5d2f9e985f4c208bc03e Mon Sep 17 00:00:00 2001
From: JamesCollettCGI
Date: Tue, 7 Feb 2023 20:34:26 +0000
Subject: [PATCH 02/13] Add Delete Role functionality to UserRoleController
---
 .../rest/endpoint/UserRoleController.java | 15 ++++++++
 .../rest/endpoint/UserRoleControllerTest.java | 34 +++++++++++++++++++
 2 files changed, 49 insertions(+)
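Review bot: `shouldDeleteRole` only verifies `repository.delete(any(AccessProfileEntity.class))`, which would still pass if the service deleted some entity other than the one `findTopByReference` returned; since the stub returns `mockAccessProfileEntity`, pin it with `verify(repository).delete(mockAccessProfileEntity);`. In `shouldThrowException_whenRoleNotFound` the `givenEntityWithRole(role)` call appears to have no effect because the repository stub returns `Optional.empty()`, and a `verify(repository, never()).delete(any(AccessProfileEntity.class));` would document that nothing is removed on the not-found path. The enclosing test class continues outside the hunk.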
diff --git a/rest-api/src/main/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleController.java b/rest-api/src/main/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleController.java
index 91003e887c..2377ac65ff 100644
--- a/rest-api/src/main/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleController.java
+++ b/rest-api/src/main/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleController.java
@@ -8,6 +8,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -27,6 +28,7 @@
 import java.util.List;
 import static org.springframework.http.HttpStatus.CREATED;
+import static org.springframework.http.HttpStatus.NO_CONTENT;
 import static org.springframework.http.HttpStatus.RESET_CONTENT;
 import static uk.gov.hmcts.ccd.definition.store.domain.service.response.SaveOperationEnum.CREATE;
@@ -78,6 +80,19 @@ public ResponseEntity userRoleCreate(
 return responseEntityBuilder.body(serviceResponse.getResponseBody());
 }
+ // Delete User Role is based on DraftDefinitionController.draftDefinitionDelete()
+ @DeleteMapping(URI_USER_ROLE)
+ @ResponseStatus(NO_CONTENT)
+ @ApiOperation(
+ value = "Delete a user role",
+ notes = "a user role is deleted if it exists"
+ )
+ @ApiResponse(code = 204, message = "User role is deleted")
+ public void userRoleDelete(
+ @ApiParam(value = "user role", required = true) @RequestBody @NotNull UserRole userRole) {
+ accessProfileService.deleteRole(userRole);
+ }
+
 @GetMapping(value = URI_USER_ROLE, produces = {"application/json"})
 @ResponseStatus(HttpStatus.OK)
 @ApiOperation(value = "Get a user profile")
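Review bot: `userRoleDelete` identifies the role to remove through a `@RequestBody` on a DELETE request, and request bodies on DELETE are not reliably preserved by HTTP clients, proxies and API gateways, so the endpoint can receive an empty body and fail validation; naming the role in the path or a query parameter is the conventional shape, which patch 04 later moves to. The `@ApiResponse` list documents only 204 although the service throws `NotFoundException` for an unknown role, so add `@ApiResponse(code = 404, message = "User role not found")`. This is a destructive operation with no authorization visible beyond whatever applies to the whole controller; if that is only the S2S service allow-list in application.properties, confirm every listed service is meant to be able to delete roles. The comment `// Delete User Role is based on DraftDefinitionController.draftDefinitionDelete()` records provenance rather than intent, and patch 04 removes it.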
diff --git a/rest-api/src/test/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleControllerTest.java b/rest-api/src/test/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleControllerTest.java
index bfb77227ca..ad6712294e 100644
--- a/rest-api/src/test/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleControllerTest.java
+++ b/rest-api/src/test/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleControllerTest.java
@@ -38,7 +38,9 @@
 import static org.hamcrest.core.Is.is;
 import static org.junit.jupiter.api.Assertions.assertAll;
 import static org.mockito.ArgumentMatchers.isA;
+import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
@@ -310,6 +312,38 @@ void shouldHaveStatusResetContent_whenPutSuccessfully() throws Exception {
 }
 }
+ @Nested
+ @DisplayName("Delete Role Tests")
+ class DeleteRoleTests {
+
+ @Test
+ @DisplayName("Should delete role")
+ void shouldDeleteRole() throws Exception {
+ final UserRole argument = buildUserRole(ROLE_DEFINED);
+
+ mockMvc.perform(
+ delete(URL_API_USER_ROLE)
+ .contentType(CONTENT_TYPE)
+ .content(MAPPER.writeValueAsBytes(argument)))
+ .andExpect(status().isNoContent());
+ }
+
+ @Test
+ @DisplayName("Should throw exception when role not found")
+ void shouldThrowException_whenRoleNotFound() throws Exception {
+ final UserRole argument = buildUserRole(ROLE_DEFINED);
+
+ doThrow(new NotFoundException("Role is not found"))
+ .when(accessProfileService).deleteRole(isA(UserRole.class));
+
+ mockMvc.perform(
+ delete(URL_API_USER_ROLE)
+ .contentType(CONTENT_TYPE)
+ .content(MAPPER.writeValueAsBytes(argument)))
+ .andExpect(status().isNotFound());
+ }
+ }
+
 private UserRole buildUserRole(final String role) {
 return buildUserRole(role, null);
 }
From 47b9817644b88c46167b52611ea254bad0d132a1 Mon Sep 17 00:00:00 2001
From: JamesCollettCGI
Date: Fri, 17 Mar 2023 16:30:15 +0000
Subject: [PATCH 03/13] Temporary change to application.properties to enable testing. To be reverted after testing.
---
 application/src/main/resources/application.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/application/src/main/resources/application.properties b/application/src/main/resources/application.properties
index 6b821b7ac2..6175a6bd98 100644
--- a/application/src/main/resources/application.properties
+++ b/application/src/main/resources/application.properties
@@ -45,7 +45,7 @@ oidc.issuer = ${OIDC_ISSUER:http://fr-am:8080/openam/oauth2/hmcts}
 idam.s2s-auth.url=${IDAM_S2S_URL:http://localhost:4502}
 idam.s2s-auth.microservice=ccd_definition
 idam.s2s-auth.totp_secret=${DEFINITION_STORE_IDAM_KEY:AAAAAAAAAAAAAAAA}
-idam.s2s-authorised.services=${DEFINITION_STORE_S2S_AUTHORISED_SERVICES:ccd_data,ccd_gw,ccd_admin,jui_webapp,pui_webapp,aac_manage_case_assignment}
+idam.s2s-authorised.services=xui_webapp,${DEFINITION_STORE_S2S_AUTHORISED_SERVICES:ccd_data,ccd_gw,ccd_admin,jui_webapp,pui_webapp,aac_manage_case_assignment}
 ccd.user-profile.host=${USER_PROFILE_HOST:http://localhost:4453}
From 917fa27bc2be4e35184ebbc174533c7e8981629e Mon Sep 17 00:00:00 2001
From: JamesCollettCGI
Date: Wed, 29 Mar 2023 14:23:47 +0100
Subject: [PATCH 04/13] CCD-267: Updates to definition-store-api
---
 .../src/main/resources/application.properties | 2 +-
 .../store/domain/service/AccessProfileService.java | 2 +-
 .../domain/service/AccessProfileServiceImpl.java | 6 +++---
 .../service/AccessProfileServiceImplTest.java | 4 ++--
 .../store/rest/endpoint/UserRoleController.java | 6 +++---
 .../rest/endpoint/UserRoleControllerTest.java | 14 +++++--------
 6 files changed, 15 insertions(+), 19 deletions(-)
diff --git a/application/src/main/resources/application.properties b/application/src/main/resources/application.properties
index 6175a6bd98..6b821b7ac2 100644
--- a/application/src/main/resources/application.properties
+++ b/application/src/main/resources/application.properties
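Review bot: Prefixing `xui_webapp,` in front of the `${DEFINITION_STORE_S2S_AUTHORISED_SERVICES:...}` placeholder hard-codes an additional authorised S2S caller that the environment variable can no longer remove, in every environment that ships this file. The subject line calls the change temporary and patch 04 reverts it, so the pair should be dropped from the series rather than merged as history; if xui_webapp does need to call the definition store, grant it through the environment-specific variable so the change is reviewed per environment.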
@@ -45,7 +45,7 @@ oidc.issuer = ${OIDC_ISSUER:http://fr-am:8080/openam/oauth2/hmcts}
 idam.s2s-auth.url=${IDAM_S2S_URL:http://localhost:4502}
 idam.s2s-auth.microservice=ccd_definition
 idam.s2s-auth.totp_secret=${DEFINITION_STORE_IDAM_KEY:AAAAAAAAAAAAAAAA}
-idam.s2s-authorised.services=xui_webapp,${DEFINITION_STORE_S2S_AUTHORISED_SERVICES:ccd_data,ccd_gw,ccd_admin,jui_webapp,pui_webapp,aac_manage_case_assignment}
+idam.s2s-authorised.services=${DEFINITION_STORE_S2S_AUTHORISED_SERVICES:ccd_data,ccd_gw,ccd_admin,jui_webapp,pui_webapp,aac_manage_case_assignment}
 ccd.user-profile.host=${USER_PROFILE_HOST:http://localhost:4453}
diff --git a/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileService.java b/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileService.java
index 526da38596..62fcd93864 100644
--- a/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileService.java
+++ b/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileService.java
@@ -17,5 +17,5 @@ public interface AccessProfileService {
 List getRoles();
- void deleteRole(final UserRole userRole);
+ void deleteRole(String role);
 }
diff --git a/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImpl.java b/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImpl.java
index 4566dc3b8b..62fe20b32d 100644
--- a/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImpl.java
+++ b/domain/src/main/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImpl.java
@@ -91,13 +91,13 @@ public List getRoles() {
 @Transactional
 @Override
- public void deleteRole(final UserRole userRole) {
- final Optional searchResult = repository.findTopByReference(userRole.getRole());
+ public void deleteRole(final String role) {
+ final Optional searchResult = repository.findTopByReference(role);
 if (searchResult.isPresent()) {
 final AccessProfileEntity entity = searchResult.get();
 repository.delete(entity);
 } else {
- throw new NotFoundException("Role '" + userRole.getRole() + "' is not found");
+ throw new NotFoundException("Role '" + role + "' is not found");
 }
 }
 }
diff --git a/domain/src/test/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImplTest.java b/domain/src/test/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImplTest.java
index 1986b461f0..7eb0b3d25b 100644
--- a/domain/src/test/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImplTest.java
+++ b/domain/src/test/java/uk/gov/hmcts/ccd/definition/store/domain/service/AccessProfileServiceImplTest.java
@@ -207,7 +207,7 @@ void shouldDeleteRole() {
 doReturn(Optional.of(mockAccessProfileEntity)).when(repository).findTopByReference(role);
- service.deleteRole(mockUserRole);
+ service.deleteRole(role);
 verify(repository).delete(any(AccessProfileEntity.class));
 }
@@ -221,7 +221,7 @@ void shouldThrowException_whenRoleNotFound() {
 doReturn(Optional.empty()).when(repository).findTopByReference(role);
- Throwable thrown = assertThrows(NotFoundException.class, () -> service.deleteRole(mockUserRole));
+ Throwable thrown = assertThrows(NotFoundException.class, () -> service.deleteRole(role));
 assertEquals("Role 'delete' is not found", thrown.getMessage());
 }
 }
diff --git a/rest-api/src/main/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleController.java b/rest-api/src/main/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleController.java
index 2377ac65ff..9f4aede228 100644
--- a/rest-api/src/main/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleController.java
+++ b/rest-api/src/main/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleController.java
@@ -80,7 +80,6 @@ public ResponseEntity userRoleCreate(
 return responseEntityBuilder.body(serviceResponse.getResponseBody());
 }
- // Delete User Role is based on DraftDefinitionController.draftDefinitionDelete()
 @DeleteMapping(URI_USER_ROLE)
 @ResponseStatus(NO_CONTENT)
 @ApiOperation(
@@ -89,8 +88,9 @@ public ResponseEntity userRoleCreate(
 )
 @ApiResponse(code = 204, message = "User role is deleted")
 public void userRoleDelete(
- @ApiParam(value = "user role", required = true) @RequestBody @NotNull UserRole userRole) {
- accessProfileService.deleteRole(userRole);
+ @ApiParam(value = "user role", required = true) @RequestParam("role") @NotNull byte[] roleBase64EncodedBytes) {
+ final String role = new String(Base64.getDecoder().decode(roleBase64EncodedBytes));
+ accessProfileService.deleteRole(role);
 }
 @GetMapping(value = URI_USER_ROLE, produces = {"application/json"})
diff --git a/rest-api/src/test/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleControllerTest.java b/rest-api/src/test/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleControllerTest.java
index ad6712294e..23f0ea4eb3 100644
--- a/rest-api/src/test/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleControllerTest.java
+++ b/rest-api/src/test/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleControllerTest.java
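Review bot: `new String(Base64.getDecoder().decode(roleBase64EncodedBytes))` decodes with the platform default charset, so a role name containing non-ASCII characters can be looked up under a different string on a host whose default is not UTF-8; use `new String(Base64.getDecoder().decode(roleBase64EncodedBytes), StandardCharsets.UTF_8)`. `Base64.getDecoder().decode` throws `IllegalArgumentException` on malformed input, which reaches the client as whatever the controller advice maps that exception to rather than a deliberate 400, and no test covers it. Whether Spring binds a `@RequestParam` to `byte[]` the way this expects is not visible here and is worth confirming; patch 09 removes the Base64 layer altogether, which makes both points moot on the final code. The `@ApiParam(value = "user role")` description no longer describes the parameter, which is now a base64-encoded role name.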
@@ -319,27 +319,23 @@ class DeleteRoleTests {
 @Test
 @DisplayName("Should delete role")
 void shouldDeleteRole() throws Exception {
- final UserRole argument = buildUserRole(ROLE_DEFINED);
+ uriVariables.put("role", Base64.getEncoder().encode(ROLE_DEFINED.getBytes()));
 mockMvc.perform(
- delete(URL_API_USER_ROLE)
- .contentType(CONTENT_TYPE)
- .content(MAPPER.writeValueAsBytes(argument)))
+ delete(URL_TEMPLATE.expand(uriVariables)))
 .andExpect(status().isNoContent());
 }
 @Test
 @DisplayName("Should throw exception when role not found")
 void shouldThrowException_whenRoleNotFound() throws Exception {
- final UserRole argument = buildUserRole(ROLE_DEFINED);
+ uriVariables.put("role", Base64.getEncoder().encode(ROLE_DEFINED.getBytes()));
 doThrow(new NotFoundException("Role is not found"))
- .when(accessProfileService).deleteRole(isA(UserRole.class));
+ .when(accessProfileService).deleteRole(ROLE_DEFINED);
 mockMvc.perform(
- delete(URL_API_USER_ROLE)
- .contentType(CONTENT_TYPE)
- .content(MAPPER.writeValueAsBytes(argument)))
+ delete(URL_TEMPLATE.expand(uriVariables)))
 .andExpect(status().isNotFound());
 }
 }
From 95dc5d747c18d584c1efe144600b5ebb6615dfb5 Mon Sep 17 00:00:00 2001
From: JamesCollettCGI
Date: Mon, 17 Apr 2023 17:28:14 +0100
Subject: [PATCH 05/13] Temporary suppress CVE-2023-20860
---
 dependency-check-suppressions.xml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml
index e6212e0c0a..6f31923257 100644
--- a/dependency-check-suppressions.xml
+++ b/dependency-check-suppressions.xml
@@ -6,5 +6,6 @@ CVE-2022-45688 CVE-2022-1471
+ CVE-2023-20860
From cc517fe1040adc6b2f7848659e73e3ad63b079c7 Mon Sep 17 00:00:00 2001
From: JamesCollettCGI
Date: Wed, 27 Sep 2023 11:55:22 +0100
Subject: [PATCH 06/13] Update dependency-check-suppressions.xml
---
 dependency-check-suppressions.xml | 35 ++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 12 deletions(-)
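Review bot: The added `CVE-2023-20860` suppression carries no note tying it to a tracking issue, and the entries that patches 06, 08, 11 and 12 add are annotated `refer [Ticket]`, a placeholder rather than a ticket such as the CCD-4373 and CCD-4454 references the older entries carry. A suppression with no owner and no expiry tends to outlive the vulnerable dependency and silently hides it from the scanner; record the ticket in each note and consider the `until` attribute on the `suppress` element so the finding is re-raised after a date. Patch 08 shows the intended lifecycle, dropping the CVE-2023-41080 suppression once Tomcat is upgraded, and the same should happen for each of these.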
diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml
index e1ce7d0aeb..11d59f3817 100644
--- a/dependency-check-suppressions.xml
+++ b/dependency-check-suppressions.xml
@@ -1,14 +1,25 @@ - - Temporary Suppression - CVE-2022-45688 refer https://tools.hmcts.net/jira/browse/CCD-4373 - CVE-2022-1471 refer https://tools.hmcts.net/jira/browse/CCD-4454 - CVE-2023-20861 refer [Ticket] - CVE-2023-20860 refer [Ticket] - CVE-2022-45688 - CVE-2022-1471 - CVE-2023-20860 - CVE-2023-20861 - CVE-2023-20860 - + + Temporary Suppression + CVE-2022-45688 refer https://tools.hmcts.net/jira/browse/CCD-4373 + CVE-2022-1471 refer https://tools.hmcts.net/jira/browse/CCD-4454 + CVE-2023-20873 refer [Ticket] + CVE-2023-28709 refer [Ticket] + CVE-2023-20883 refer [Ticket] + CVE-2023-35116 refer [Ticket] + CVE-2023-2976 refer [Ticket] + + CVE-2023-34034 refer [Ticket] + CVE-2020-8908 refer [Ticket] + + CVE-2022-45688 + CVE-2022-1471 + CVE-2023-28709 + CVE-2023-20883 + CVE-2023-35116 + CVE-2023-2976 + CVE-2023-34034 + CVE-2020-8908 + CVE-2023-41080 +
From d6abdbe41a49c87a8ccf2eac9646c57a706f4960 Mon Sep 17 00:00:00 2001
From: JamesCollettCGI
Date: Wed, 27 Sep 2023 12:40:28 +0100
Subject: [PATCH 07/13] Update renovate.json
---
 .github/renovate.json | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/.github/renovate.json b/.github/renovate.json
index 04d1e26c17..5daa2a29fc 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -1,11 +1,19 @@
 {
- "enabledManagers": ["helm-requirements", "terraform"],
- "helm-requirements":
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": ["local>hmcts/.github:renovate-config"],
+ "labels": ["Renovate-dependencies"],
+ "major": {
+ "dependencyDashboardApproval": true
+ },
+ "packageRules": [
 {
- "enabled": true,
- "fileMatch": ["\\Chart.yaml|requirements.yaml$"],
- "aliases": {
- "hmctspublic": "https://hmctspublic.azurecr.io/helm/v1/repo/"
- }
+ "matchUpdateTypes": [
+ "minor", "patch"
+ ],
+ "groupName": "All patch-minor dependencies",
+ "groupSlug": "All-minor-patch",
+ "addLabels": ["Renovate All-minor-patch"],
+ "automerge": false
 }
+ ]
 }
From 237b03815fe5b158b7908f6c8e09a89a937e9a5b Mon Sep 17 00:00:00 2001
From: Ben Lang <132359359+lang-ben@users.noreply.github.com>
Date: Tue, 5 Mar 2024 17:30:36 +0000
Subject: [PATCH 08/13] Fix CVE-2023-41080 : Update org.apache.tomcat.embed to 9.0.82
---
 build.gradle | 2 +-
 dependency-check-suppressions.xml | 30 +++++++++--------------------
 2 files changed, 10 insertions(+), 22 deletions(-)
diff --git a/build.gradle b/build.gradle
index 6b70fb229e..18551f2ccc 100644
--- a/build.gradle
+++ b/build.gradle
@@ -56,7 +56,7 @@ ext {
 appInsightsVersion = '2.4.1'
 restAssuredVersion = '4.3.0!!'
 groovyVersion = '3.0.17!!'
- tomcatVersion = '9.0.75!!'
+ tomcatVersion = '9.0.82'
 feignJackson = '11.6'
 beftaFwVersion = '8.8.4'
 limits = [
diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml
index ba7bb5066a..fb5b7261b6 100644
--- a/dependency-check-suppressions.xml
+++ b/dependency-check-suppressions.xml
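Review bot: `tomcatVersion = '9.0.82'` drops the `!!` suffix that `'9.0.75!!'` carried; in Gradle's version notation `!!` is the shorthand for a strict version constraint, so without it dependency resolution may settle on a different org.apache.tomcat.embed version through a transitive path and the CVE-2023-41080 fix this commit claims is not enforced. Unless the strict constraint was removed on purpose, which the subject line does not say, keep it: `tomcatVersion = '9.0.82!!'`. The neighbouring `restAssuredVersion` and `groovyVersion` entries in the same `ext` block still use the suffix, so the change also reads as an unintended inconsistency.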
@@ -1,33 +1,21 @@ Temporary Suppression - CVE-2022-45688 refer https://tools.hmcts.net/jira/browse/CCD-4373 - CVE-2023-2976 refer [Ticket] - CVE-2023-42794 refer [Ticket] - CVE-2023-42795 refer [Ticket] - CVE-2023-45648 refer [Ticket] - CVE-2023-44487 refer [Ticket] - CVE-2023-5072 refer [Ticket] + CVE-2024-25710 refer [Ticket] CVE-2023-35116 refer [Ticket] + CVE-2022-45688 refer [Ticket] + CVE-2023-5072 refer [Ticket] + CVE-2023-6378 refer [Ticket] CVE-2023-34055 refer [Ticket] - CVE-2023-46589 refer [Ticket] - CVE-2023-6378 refer [Ticket] CVE-2023-34042 refer [Ticket] - CVE-2023-6378 refer [Ticket] - CVE-2024-25710 refer [Ticket] - + CVE-2023-46589 refer [Ticket] + CVE-2024-25710 + CVE-2023-35116 CVE-2022-45688 - CVE-2023-41080 - CVE-2023-42794 - CVE-2023-42795 - CVE-2023-45648 - CVE-2023-44487 CVE-2023-5072 - CVE-2023-35116 - CVE-2023-34055 - CVE-2023-46589 CVE-2023-6378 + CVE-2023-34055 CVE-2023-34042 - CVE-2024-25710 + CVE-2023-46589
From a44eb868c43602dbe7303d98c6ef23bba8c15b8a Mon Sep 17 00:00:00 2001
From: JamesCollettCGI
Date: Tue, 12 Mar 2024 16:35:35 +0000
Subject: [PATCH 09/13] Update UserRoleController.userRoleDelete()
---
 .../ccd/definition/store/rest/endpoint/UserRoleController.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rest-api/src/main/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleController.java b/rest-api/src/main/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleController.java
index 9f4aede228..a3f177b20c 100644
--- a/rest-api/src/main/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleController.java
+++ b/rest-api/src/main/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleController.java
@@ -88,8 +88,7 @@ public ResponseEntity userRoleCreate(
 )
 @ApiResponse(code = 204, message = "User role is deleted")
 public void userRoleDelete(
- @ApiParam(value = "user role", required = true) @RequestParam("role") @NotNull byte[] roleBase64EncodedBytes) {
- final String role = new String(Base64.getDecoder().decode(roleBase64EncodedBytes));
+ @ApiParam(value = "user role", required = true) @RequestParam("role") @NotNull String role) {
 accessProfileService.deleteRole(role);
 }
From 66cc4caf23030b70e5e665d7a00127dc6b6780af Mon Sep 17 00:00:00 2001
From: JamesCollettCGI
Date: Tue, 12 Mar 2024 16:54:54 +0000
Subject: [PATCH 10/13] Update unit test
---
 .../definition/store/rest/endpoint/UserRoleControllerTest.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rest-api/src/test/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleControllerTest.java b/rest-api/src/test/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleControllerTest.java
index 23f0ea4eb3..80d91957d5 100644
--- a/rest-api/src/test/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleControllerTest.java
+++ b/rest-api/src/test/java/uk/gov/hmcts/ccd/definition/store/rest/endpoint/UserRoleControllerTest.java
@@ -329,7 +329,7 @@ void shouldDeleteRole() throws Exception {
 @Test
 @DisplayName("Should throw exception when role not found")
 void shouldThrowException_whenRoleNotFound() throws Exception {
- uriVariables.put("role", Base64.getEncoder().encode(ROLE_DEFINED.getBytes()));
+ uriVariables.put("role", ROLE_DEFINED);
 doThrow(new NotFoundException("Role is not found"))
 .when(accessProfileService).deleteRole(ROLE_DEFINED);
From c1d2ffaca6e0b0c5834052cde257f2545003c040 Mon Sep 17 00:00:00 2001
From: dinesh1patel
Date: Thu, 21 Mar 2024 22:09:33 +0000
Subject: [PATCH 11/13] Suppressing CVE - Actions
---
 dependency-check-suppressions.xml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
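Review bot: `@RequestParam("role") @NotNull String role` accepts any string of any length, so the value reaching `accessProfileService.deleteRole(role)` and echoed back in its `Role '…' is not found` message is unconstrained; `@NotNull` adds nothing over the parameter's default `required = true`, whereas `@NotBlank` plus a `@Size` or `@Pattern` matching whatever the create endpoint enforces for role names would reject junk before the service is called. The method is a destructive operation and the hunk emits no log line naming the deleted role, which makes later incident reconstruction harder; an INFO-level log before the service call is cheap. If `java.util.Base64` was imported only for the removed line, that import is now unused, and the `@ApiParam(value = "user role")` description should say the parameter is the role name. The method's annotations start outside the hunk.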
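Review bot: Only `shouldThrowException_whenRoleNotFound` is switched to `uriVariables.put("role", ROLE_DEFINED);`; the diffstat (1 insertion, 1 deletion) shows the neighbouring `shouldDeleteRole`, whose signature is this hunk's header context, still sends `Base64.getEncoder().encode(ROLE_DEFINED.getBytes())` from patch 04 even though the controller stopped decoding the parameter in patch 09. That test now passes only because the mocked `accessProfileService` accepts any argument, so it no longer shows that the role name reaches the service unchanged; align it with this hunk and add `verify(accessProfileService).deleteRole(ROLE_DEFINED);`. The enclosing test class continues outside the hunk.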
diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml
index fb5b7261b6..854254c6fc 100644
--- a/dependency-check-suppressions.xml
+++ b/dependency-check-suppressions.xml
@@ -8,7 +8,8 @@ CVE-2023-6378 refer [Ticket] CVE-2023-34055 refer [Ticket] CVE-2023-34042 refer [Ticket] - CVE-2023-46589 refer [Ticket] + CVE-2023-46589 refer [Ticket] + CVE-2024-26308 refer [Ticket] CVE-2024-25710 CVE-2023-35116 CVE-2022-45688
@@ -17,5 +18,6 @@ CVE-2023-34055 CVE-2023-34042 CVE-2023-46589 + CVE-2024-26308
From ab576c59470fb55a72f8218f6f37f3951754c3f2 Mon Sep 17 00:00:00 2001
From: dinesh1patel
Date: Mon, 25 Mar 2024 19:09:40 +0000
Subject: [PATCH 12/13] Suppressing CVE - Actions
---
 dependency-check-suppressions.xml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml
index 854254c6fc..86f25ad990 100644
--- a/dependency-check-suppressions.xml
+++ b/dependency-check-suppressions.xml
@@ -9,7 +9,8 @@ CVE-2023-34055 refer [Ticket] CVE-2023-34042 refer [Ticket] CVE-2023-46589 refer [Ticket] - CVE-2024-26308 refer [Ticket] + CVE-2024-26308 refer [Ticket] + CVE-2024-1597 refer [Ticket] CVE-2024-25710 CVE-2023-35116 CVE-2022-45688
@@ -19,5 +20,6 @@ CVE-2023-34042 CVE-2023-46589 CVE-2024-26308 + CVE-2024-1597
From 8c6d6119abf426a3ac5f70da60bcb13f0537520b Mon Sep 17 00:00:00 2001
From: Helen Bird
Date: Wed, 6 Mar 2024 17:03:15 +0000
Subject: [PATCH 13/13] GA-28 Update the common code such that it updates caseAccessGroups field
---
 .../S-110.1.td.json | 6 +++---
 .../S-110.3.td.json | 14 +++++++-------
 build.gradle | 2 +-
 3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/aat/src/aat/resources/features/F-110 Retrieve Organisation Profile/S-110.1.td.json b/aat/src/aat/resources/features/F-110 Retrieve Organisation Profile/S-110.1.td.json
index 594d2e3108..7ff2a6ccaa 100644
--- a/aat/src/aat/resources/features/F-110 Retrieve Organisation Profile/S-110.1.td.json
+++ b/aat/src/aat/resources/features/F-110 Retrieve Organisation Profile/S-110.1.td.json
@@ -31,8 +31,8 @@
 "accessMandatory" : true,
 "accessDefault" : true,
 "display" : true,
- "description" : "BEFTA bulk Solicitor Respondant for Org description",
- "hint" : "BEFTA bulk Solicitor Respondant for Org hint",
+ "description" : "BEFTA bulk Solicitor Respondent for Org description",
+ "hint" : "BEFTA bulk Solicitor Respondent for Org hint",
 "displayOrder" : 1,
 "roles" : [
 {
@@ -40,7 +40,7 @@
 "__elementId__": "caseTypeId"
 },
 {
- "caseTypeId" : "FT_CaseAccessGroup",
+ "caseTypeId" : "FT_MasterCaseType",
 "organisationalRoleName" : "Role1",
 "groupRoleName" : "Role1",
 "caseGroupIdTemplate" : "BEFTA_MASTER:$ORGID$",
diff --git a/aat/src/aat/resources/features/F-110 Retrieve Organisation Profile/S-110.3.td.json b/aat/src/aat/resources/features/F-110 Retrieve Organisation Profile/S-110.3.td.json
index 854d5b2f37..789e01f2ad 100644
--- a/aat/src/aat/resources/features/F-110 Retrieve Organisation Profile/S-110.3.td.json
+++ b/aat/src/aat/resources/features/F-110 Retrieve Organisation Profile/S-110.3.td.json
@@ -37,8 +37,8 @@
 "accessMandatory": true,
 "accessDefault": true,
 "display": true,
- "description": "BEFTA bulk Solicitor Respondant for Org description2",
- "hint": "BEFTA bulk Solicitor Respondant for Org hint2",
+ "description": "BEFTA bulk Solicitor Respondent for Org description2",
+ "hint": "BEFTA bulk Solicitor Respondent for Org hint2",
 "displayOrder": 2,
 "roles": [
 {
@@ -46,14 +46,14 @@
 "__elementId__": "caseGroupIdTemplate"
 },
 {
- "caseTypeId": "FT_CaseAccessGroup",
+ "caseTypeId": "FT_MasterCaseType",
 "organisationalRoleName": "Role1",
 "groupRoleName": null,
 "caseGroupIdTemplate": null,
 "groupAccessEnabled": true
 },
 {
- "caseTypeId": "FT_CaseAccessGroup",
+ "caseTypeId": "FT_MasterCaseType",
 "organisationalRoleName": "Role1",
 "groupRoleName": "Role1",
 "caseGroupIdTemplate": "BEFTA_MASTER:$ORGID$",
@@ -67,12 +67,12 @@
 "accessMandatory": true,
 "accessDefault": true,
 "display": true,
- "description": "BEFTA bulk Solicitor Respondant for Org description",
- "hint": "BEFTA bulk Solicitor Respondant for Org hint",
+ "description": "BEFTA bulk Solicitor Respondent for Org description",
+ "hint": "BEFTA bulk Solicitor Respondent for Org hint",
 "displayOrder": 1,
 "roles": [
 {
- "caseTypeId": "FT_CaseAccessGroup",
+ "caseTypeId": "FT_MasterCaseType",
 "organisationalRoleName": "Role1",
 "groupRoleName": "Role1",
 "caseGroupIdTemplate": "BEFTA_MASTER:$ORGID$",
diff --git a/build.gradle b/build.gradle
index 32b11bddb1..a0555b1d54 100644
--- a/build.gradle
+++ b/build.gradle
@@ -319,7 +319,7 @@ subprojects { subproject ->
 testImplementation group: 'org.powermock', name: 'powermock-api-mockito2', version: powermockVersion
 testImplementation group: 'org.powermock', name: 'powermock-module-junit4', version: powermockVersion
- testImplementation group: 'com.github.hmcts', name: 'ccd-test-definitions', version: '7.21.13'
+ testImplementation group: 'com.github.hmcts', name: 'ccd-test-definitions', version: '7.21.21'
 implementation group: 'com.github.hmcts', name: 'befta-fw', version: beftaFwVersion