Merge pull request #1506 from ministryofjustice/MLPAB-2212-jwt-key

MLPAB-2212 Use environment variable specified lpa store secret key
ministryofjustice · Sep 24, 2024 · a18ea18 · a18ea18
2 parents 086b7e7 + 10dd6e1
commit a18ea18
Show file tree

Hide file tree

Showing 11 changed files with 62 additions and 54 deletions.
diff --git a/cmd/event-received/factory.go b/cmd/event-received/factory.go
@@ -60,6 +60,7 @@ type Factory struct {
 	dynamoClient          dynamodbClient
 	appPublicURL          string
 	lpaStoreBaseURL       string
+	lpaStoreSecretARN     string
 	uidBaseURL            string
 	notifyBaseURL         string
 	notifyIsProduction    bool
@@ -175,7 +176,7 @@ func (f *Factory) LpaStoreClient() (LpaStoreClient, error) {
 			return nil, err
 		}
 
-		f.lpaStoreClient = lpastore.New(f.lpaStoreBaseURL, secretsClient, f.LambdaClient())
+		f.lpaStoreClient = lpastore.New(f.lpaStoreBaseURL, secretsClient, f.lpaStoreSecretARN, f.LambdaClient())
 	}
 
 	return f.lpaStoreClient, nil

diff --git a/cmd/event-received/main.go b/cmd/event-received/main.go
@@ -91,6 +91,7 @@ func handler(ctx context.Context, event Event) error {
 		evidenceBucketName    = os.Getenv("UPLOADS_S3_BUCKET_NAME")
 		uidBaseURL            = os.Getenv("UID_BASE_URL")
 		lpaStoreBaseURL       = os.Getenv("LPA_STORE_BASE_URL")
+		lpaStoreSecretARN     = os.Getenv("LPA_STORE_SECRET_ARN")
 		eventBusName          = cmp.Or(os.Getenv("EVENT_BUS_NAME"), "default")
 		searchEndpoint        = os.Getenv("SEARCH_ENDPOINT")
 		searchIndexName       = cmp.Or(os.Getenv("SEARCH_INDEX_NAME"), "lpas")
@@ -135,6 +136,7 @@ func handler(ctx context.Context, event Event) error {
 		dynamoClient:          dynamoClient,
 		appPublicURL:          appPublicURL,
 		lpaStoreBaseURL:       lpaStoreBaseURL,
+		lpaStoreSecretARN:     lpaStoreSecretARN,
 		uidBaseURL:            uidBaseURL,
 		notifyBaseURL:         notifyBaseURL,
 		notifyIsProduction:    notifyIsProduction,

diff --git a/cmd/mlpa/main.go b/cmd/mlpa/main.go
@@ -108,6 +108,7 @@ func run(ctx context.Context, logger *slog.Logger) error {
 		}
 		uidBaseURL            = cmp.Or(os.Getenv("UID_BASE_URL"), "http://mock-uid:8080")
 		lpaStoreBaseURL       = cmp.Or(os.Getenv("LPA_STORE_BASE_URL"), "http://mock-lpa-store:8080")
+		lpaStoreSecretARN     = os.Getenv("LPA_STORE_SECRET_ARN")
 		metadataURL           = os.Getenv("ECS_CONTAINER_METADATA_URI_V4")
 		oneloginURL           = cmp.Or(os.Getenv("ONELOGIN_URL"), "https://home.integration.account.gov.uk")
 		evidenceBucketName    = cmp.Or(os.Getenv("UPLOADS_S3_BUCKET_NAME"), "evidence")
@@ -273,7 +274,7 @@ func run(ctx context.Context, logger *slog.Logger) error {
 
 	lambdaClient := lambda.New(cfg, v4.NewSigner(), httpClient, time.Now)
 	uidClient := uid.New(uidBaseURL, lambdaClient)
-	lpaStoreClient := lpastore.New(lpaStoreBaseURL, secretsClient, lambdaClient)
+	lpaStoreClient := lpastore.New(lpaStoreBaseURL, secretsClient, lpaStoreSecretARN, lambdaClient)
 
 	mux := http.NewServeMux()
 	mux.HandleFunc(page.PathHealthCheckService.String(), func(w http.ResponseWriter, r *http.Request) {})

diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -28,6 +28,7 @@ services:
       - SEARCH_INDEXING_ENABLED=1
       - DEV_MODE=1
       - SCHEDULED_RUNNER_PERIOD=1m
+      - LPA_STORE_SECRET_ARN=lpa-store-jwt-secret-key
 
   event-logger:
     build:

diff --git a/internal/lpastore/client.go b/internal/lpastore/client.go
@@ -10,7 +10,6 @@ import (
 
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/ministryofjustice/opg-modernising-lpa/internal/actor/actoruid"
-	"github.com/ministryofjustice/opg-modernising-lpa/internal/secrets"
 )
 
 const (
@@ -41,12 +40,19 @@ type SecretsClient interface {
 type Client struct {
 	baseURL       string
 	secretsClient SecretsClient
+	secretARN     string
 	doer          Doer
 	now           func() time.Time
 }
 
-func New(baseURL string, secretsClient SecretsClient, lambdaClient Doer) *Client {
-	return &Client{baseURL: baseURL, secretsClient: secretsClient, doer: lambdaClient, now: time.Now}
+func New(baseURL string, secretsClient SecretsClient, secretARN string, lambdaClient Doer) *Client {
+	return &Client{
+		baseURL:       baseURL,
+		secretsClient: secretsClient,
+		secretARN:     secretARN,
+		doer:          lambdaClient,
+		now:           time.Now,
+	}
 }
 
 func (c *Client) do(ctx context.Context, actorUID actoruid.UID, req *http.Request) (*http.Response, error) {
@@ -60,7 +66,7 @@ func (c *Client) do(ctx context.Context, actorUID actoruid.UID, req *http.Reques
 		Subject:  actorUID.PrefixedString(),
 	})
 
-	secretKey, err := c.secretsClient.Secret(ctx, secrets.LpaStoreJwtSecretKey)
+	secretKey, err := c.secretsClient.Secret(ctx, c.secretARN)
 	if err != nil {
 		return nil, err
 	}

diff --git a/internal/lpastore/client_test.go b/internal/lpastore/client_test.go
@@ -1058,7 +1058,7 @@ func TestClientDo(t *testing.T) {
 		Do(mock.Anything).
 		Return(expectedResponse, expectedError)
 
-	client := New("http://base", secretsClient, doer)
+	client := New("http://base", secretsClient, "secret", doer)
 	resp, err := client.do(ctx, actoruid.New(), req)
 
 	assert.Equal(t, expectedError, err)
@@ -1081,7 +1081,7 @@ func TestCheckHealth(t *testing.T) {
 		w.Write([]byte(`{"status":"OK"}`))
 	}))
 
-	client := New(server.URL, nil, server.Client())
+	client := New(server.URL, nil, "secret", server.Client())
 
 	err := client.CheckHealth(context.Background())
 
@@ -1093,7 +1093,7 @@ func TestCheckHealth(t *testing.T) {
 func TestCheckHealthOnNewRequestError(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
 
-	client := New(server.URL+"`invalid-url-format", nil, server.Client())
+	client := New(server.URL+"`invalid-url-format", nil, "secret", server.Client())
 	err := client.CheckHealth(context.Background())
 	assert.NotNil(t, err)
 }
@@ -1104,7 +1104,7 @@ func TestCheckHealthOnDoRequestError(t *testing.T) {
 		Do(mock.Anything).
 		Return(nil, expectedError)
 
-	client := New("/", nil, httpClient)
+	client := New("/", nil, "secret", httpClient)
 	err := client.CheckHealth(context.Background())
 	assert.Equal(t, expectedError, err)
 }
@@ -1114,7 +1114,7 @@ func TestCheckHealthWhenNotOK(t *testing.T) {
 		w.WriteHeader(http.StatusTeapot)
 	}))
 
-	client := New(server.URL, nil, server.Client())
+	client := New(server.URL, nil, "secret", server.Client())
 	err := client.CheckHealth(context.Background())
 	assert.NotNil(t, err)
 }
diff --git a/internal/lpastore/lpa_test.go b/internal/lpastore/lpa_test.go
@@ -16,7 +16,6 @@ import (
 	"github.com/ministryofjustice/opg-modernising-lpa/internal/localize"
 	"github.com/ministryofjustice/opg-modernising-lpa/internal/lpastore/lpadata"
 	"github.com/ministryofjustice/opg-modernising-lpa/internal/place"
-	"github.com/ministryofjustice/opg-modernising-lpa/internal/secrets"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 )
@@ -286,7 +285,7 @@ func TestClientSendLpa(t *testing.T) {
 
 			secretsClient := newMockSecretsClient(t)
 			secretsClient.EXPECT().
-				Secret(ctx, secrets.LpaStoreJwtSecretKey).
+				Secret(ctx, "secret").
 				Return("secret", nil)
 
 			var body []byte
@@ -306,7 +305,7 @@ func TestClientSendLpa(t *testing.T) {
 				})).
 				Return(&http.Response{StatusCode: http.StatusCreated, Body: io.NopCloser(strings.NewReader(""))}, nil)
 
-			client := New("http://base", secretsClient, doer)
+			client := New("http://base", secretsClient, "secret", doer)
 			client.now = func() time.Time { return time.Date(2000, time.January, 2, 3, 4, 5, 6, time.UTC) }
 			err := client.SendLpa(ctx, tc.donor)
 
@@ -316,7 +315,7 @@ func TestClientSendLpa(t *testing.T) {
 }
 
 func TestClientSendLpaWhenNewRequestError(t *testing.T) {
-	client := New("http://base", nil, nil)
+	client := New("http://base", nil, "secret", nil)
 	err := client.SendLpa(nil, &donordata.Provided{})
 
 	assert.NotNil(t, err)
@@ -330,7 +329,7 @@ func TestClientSendLpaWhenSecretsClientError(t *testing.T) {
 		Secret(mock.Anything, mock.Anything).
 		Return("", expectedError)
 
-	client := New("http://base", secretsClient, nil)
+	client := New("http://base", secretsClient, "secret", nil)
 	err := client.SendLpa(ctx, &donordata.Provided{})
 
 	assert.Equal(t, expectedError, err)
@@ -349,7 +348,7 @@ func TestClientSendLpaWhenDoerError(t *testing.T) {
 		Do(mock.Anything).
 		Return(nil, expectedError)
 
-	client := New("http://base", secretsClient, doer)
+	client := New("http://base", secretsClient, "secret", doer)
 	err := client.SendLpa(ctx, &donordata.Provided{})
 
 	assert.Equal(t, expectedError, err)
@@ -375,7 +374,7 @@ func TestClientSendLpaWhenStatusCodeIsNotOK(t *testing.T) {
 				Do(mock.Anything).
 				Return(&http.Response{StatusCode: code, Body: io.NopCloser(strings.NewReader("hey"))}, nil)
 
-			client := New("http://base", secretsClient, doer)
+			client := New("http://base", secretsClient, "secret", doer)
 			err := client.SendLpa(ctx, &donordata.Provided{})
 
 			assert.Equal(t, responseError{name: errorName, body: "hey"}, err)
@@ -655,7 +654,7 @@ func TestClientLpa(t *testing.T) {
 
 			secretsClient := newMockSecretsClient(t)
 			secretsClient.EXPECT().
-				Secret(ctx, secrets.LpaStoreJwtSecretKey).
+				Secret(ctx, "secret").
 				Return("secret", nil)
 
 			doer := newMockDoer(t)
@@ -668,7 +667,7 @@ func TestClientLpa(t *testing.T) {
 				})).
 				Return(&http.Response{StatusCode: http.StatusOK, Body: io.NopCloser(strings.NewReader(tc.json))}, nil)
 
-			client := New("http://base", secretsClient, doer)
+			client := New("http://base", secretsClient, "secret", doer)
 			client.now = func() time.Time { return time.Date(2000, time.January, 2, 3, 4, 5, 6, time.UTC) }
 			donor, err := client.Lpa(ctx, "M-0000-1111-2222")
 
@@ -679,7 +678,7 @@ func TestClientLpa(t *testing.T) {
 }
 
 func TestClientLpaWhenNewRequestError(t *testing.T) {
-	client := New("http://base", nil, nil)
+	client := New("http://base", nil, "secret", nil)
 	_, err := client.Lpa(nil, "M-0000-1111-2222")
 
 	assert.NotNil(t, err)
@@ -693,7 +692,7 @@ func TestClientLpaWhenSecretsClientError(t *testing.T) {
 		Secret(mock.Anything, mock.Anything).
 		Return("", expectedError)
 
-	client := New("http://base", secretsClient, nil)
+	client := New("http://base", secretsClient, "secret", nil)
 	_, err := client.Lpa(ctx, "M-0000-1111-2222")
 
 	assert.Equal(t, expectedError, err)
@@ -712,7 +711,7 @@ func TestClientLpaWhenDoerError(t *testing.T) {
 		Do(mock.Anything).
 		Return(nil, expectedError)
 
-	client := New("http://base", secretsClient, doer)
+	client := New("http://base", secretsClient, "secret", doer)
 	_, err := client.Lpa(ctx, "M-0000-1111-2222")
 
 	assert.Equal(t, expectedError, err)
@@ -731,7 +730,7 @@ func TestClientLpaWhenStatusCodeIsNotFound(t *testing.T) {
 		Do(mock.Anything).
 		Return(&http.Response{StatusCode: http.StatusNotFound, Body: io.NopCloser(strings.NewReader("hey"))}, nil)
 
-	client := New("http://base", secretsClient, doer)
+	client := New("http://base", secretsClient, "secret", doer)
 	_, err := client.Lpa(ctx, "M-0000-1111-2222")
 
 	assert.Equal(t, ErrNotFound, err)
@@ -750,7 +749,7 @@ func TestClientLpaWhenStatusCodeIsNotOK(t *testing.T) {
 		Do(mock.Anything).
 		Return(&http.Response{StatusCode: http.StatusBadRequest, Body: io.NopCloser(strings.NewReader("hey"))}, nil)
 
-	client := New("http://base", secretsClient, doer)
+	client := New("http://base", secretsClient, "secret", doer)
 	_, err := client.Lpa(ctx, "M-0000-1111-2222")
 
 	assert.Equal(t, responseError{name: "expected 200 response but got 400", body: "hey"}, err)
@@ -1023,7 +1022,7 @@ func TestClientLpas(t *testing.T) {
 
 			secretsClient := newMockSecretsClient(t)
 			secretsClient.EXPECT().
-				Secret(ctx, secrets.LpaStoreJwtSecretKey).
+				Secret(ctx, "secret").
 				Return("secret", nil)
 
 			doer := newMockDoer(t)
@@ -1037,7 +1036,7 @@ func TestClientLpas(t *testing.T) {
 				})).
 				Return(&http.Response{StatusCode: http.StatusOK, Body: io.NopCloser(strings.NewReader(tc.json))}, nil)
 
-			client := New("http://base", secretsClient, doer)
+			client := New("http://base", secretsClient, "secret", doer)
 			client.now = func() time.Time { return time.Date(2000, time.January, 2, 3, 4, 5, 6, time.UTC) }
 			lpas, err := client.Lpas(ctx, []string{"M-0000-1111-2222"})
 
@@ -1048,7 +1047,7 @@ func TestClientLpas(t *testing.T) {
 }
 
 func TestClientLpasWhenNewRequestError(t *testing.T) {
-	client := New("http://base", nil, nil)
+	client := New("http://base", nil, "secret", nil)
 	_, err := client.Lpas(nil, []string{"M-0000-1111-2222"})
 
 	assert.NotNil(t, err)
@@ -1062,7 +1061,7 @@ func TestClientLpasWhenSecretsClientError(t *testing.T) {
 		Secret(mock.Anything, mock.Anything).
 		Return("", expectedError)
 
-	client := New("http://base", secretsClient, nil)
+	client := New("http://base", secretsClient, "secret", nil)
 	_, err := client.Lpas(ctx, []string{"M-0000-1111-2222"})
 
 	assert.Equal(t, expectedError, err)
@@ -1081,7 +1080,7 @@ func TestClientLpasWhenDoerError(t *testing.T) {
 		Do(mock.Anything).
 		Return(nil, expectedError)
 
-	client := New("http://base", secretsClient, doer)
+	client := New("http://base", secretsClient, "secret", doer)
 	_, err := client.Lpas(ctx, []string{"M-0000-1111-2222"})
 
 	assert.Equal(t, expectedError, err)
@@ -1100,7 +1099,7 @@ func TestClientLpasWhenStatusCodeIsNotOK(t *testing.T) {
 		Do(mock.Anything).
 		Return(&http.Response{StatusCode: http.StatusBadRequest, Body: io.NopCloser(strings.NewReader("hey"))}, nil)
 
-	client := New("http://base", secretsClient, doer)
+	client := New("http://base", secretsClient, "secret", doer)
 	_, err := client.Lpas(ctx, []string{"M-0000-1111-2222"})
 
 	assert.Equal(t, responseError{name: "expected 200 response but got 400", body: "hey"}, err)