Merge pull request #282 from silinternational/release/6.7.0

Release 6.7.0 -- AppConfig

.github/pull_request_template.md

@@ -22,6 +22,3 @@
 - [ ] Documentation (README, etc.)
 - [ ] Unit tests created or updated
 - [ ] Run `make composershow`
-
-### Release PR Checklist
-- [ ] Update version number in main.php Sentry configuration

.github/workflows/test-and-publish.yml

@@ -33,11 +33,13 @@ jobs:
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: ${{ vars.IMAGE_NAME }}
+          images: ${{ vars.DOCKER_ORG }}/${{ github.event.repository.name }}
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         with:
           context: .
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            GITHUB_REF_NAME=${{ github.ref_name }}

Dockerfile

@@ -1,5 +1,8 @@
 FROM silintl/php8:8.1
 
+ARG GITHUB_REF_NAME
+ENV GITHUB_REF_NAME=$GITHUB_REF_NAME
+
 RUN apt-get update -y && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
@@ -27,5 +30,8 @@ RUN sed -i -E 's@ErrorLog .*@ErrorLog /proc/self/fd/2@i' /etc/apache2/apache2.co
 
 RUN touch /etc/default/locale
 
+ADD https://github.com/silinternational/config-shim/releases/latest/download/config-shim.gz config-shim.gz
+RUN gzip -d config-shim.gz && chmod 755 config-shim && mv config-shim /usr/local/bin
+
 EXPOSE 80
 CMD ["/data/run.sh"]

README.md

@@ -36,6 +36,26 @@ Backend API for Identity Provider Password Management
 8. You'll probably also want the web interface for this application which you can
    clone at <https://github.com/silinternational/idp-profile-ui>
 
+## Configuration
+By default, configuration is read from environment variables. These are documented
+in the `local.env.dist` file. Optionally, you can define configuration in AWS AppConfig.
+To do this, set the following environment variables to point to the configuration in
+AWS:
+
+* `AWS_REGION` - the AWS region in use
+* `APP_ID` - the application ID or name
+* `CONFIG_ID` - the configuration profile ID or name
+* `ENV_ID` - the environment ID or name
+
+In addition, the AWS API requires authentication. It is best to use an access role
+such as an [ECS Task Role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html).
+If that is not an option, you can specify an access token using the `AWS_ACCESS_KEY_ID` and
+`AWS_SECRET_ACCESS_KEY` variables.
+
+The content of the configuration profile takes the form of a typical .env file, using
+`#` for comments and `=` for variable assignment. Any variables read from AppConfig
+will overwrite variables set in the execution environment.
+
 ### Additional setup for Linux & Mac
 1. Add entry to ```/etc/hosts``` for ```127.0.0.1 idp-pw-api.local```
 2. Run ```docker build -t idp-pw-api .```
@@ -206,3 +226,13 @@ The chart below summarizes the test configuration.
 |       |             | config    | tests/api.suite.yml  | (same)                  |
 |       |             | coverage  | controllers          | (same)                  |
 |-------|-------------|-----------|----------------------| ----------------------- |
+
+### Running tests
+
+To run all tests, use `make test`.
+
+To run a single unit test:
+
+```
+docker compose run --rm unittest vendor/bin/codecept run tests/unit/common/models/PasswordTest.php:testBadBytes
+```

application/common/config/main.php

@@ -181,7 +181,7 @@
                     'clientOptions' => [
                         'attach_stacktrace' => false, // stack trace identifies the logger call stack, not helpful
                         'environment' => YII_ENV,
-                        'release' => 'idp-pw-api@6.6.4',
+                        'release' => 'idp-pw-api@' . Env::get('GITHUB_REF_NAME', 'unknown'),
                         'max_request_body_size' => 'never', // never send request bodies
                         'before_send' => function (Event $event) use ($idpName): ?Event {
                             $event->setExtra(['idp' => $idpName]);

application/common/models/Password.php

@@ -83,6 +83,10 @@ public function rules()
             [
                 'password', 'passwordStoreInterfaceAssess',
                 'skipOnError' => true,
+            ],
+            [
+                'password', 'validateNoBadBytes',
+                'skipOnError' => false,
             ]
         ];
     }
@@ -277,4 +281,11 @@ public function passwordStoreInterfaceAssess($attribute)
             }
         }
     }
+
+    public function validateNoBadBytes($attribute)
+    {
+        if (str_contains($this->$attribute, "\0")) {
+            $this->addError($attribute, \Yii::t('app', 'Password.ContainsBadByte'));
+        }
+    }
 }

application/frontend/messages/en/app.php

@@ -42,6 +42,7 @@
     'Multiple.SetPartialSuccess' => 'Successfully set the password in {successes}, but failed to set the password in {errors}. Contact {supportName} at {supportEmail} for assistance.',
     'Multiple.SetFailed' => 'Failed to set the password in {errors}. Contact {supportName} at {supportEmail} for assistance.',
     'Password.Breached' => 'The password you entered was previously discovered in a data breach of a different website. It may or may not have been your own account that was compromised. Please use a different password here and then visit <a href="https://sites.google.com/sil.org/identityaccounts/logging-in/password-recommendations" target="_blank">this help page</a> to learn more.',
+    'Password.ContainsBadByte' => 'Password contains a disallowed character',
     'Password.DisallowedContent' => 'Your password may not contain any of these: {labelList} (code 180)',
     'Password.MissingPassword' => 'Password is required',
     'Password.PasswordReuse' => 'Unable to update password. If this password has been used before please use something different.',

application/frontend/messages/es/app.php

@@ -42,6 +42,7 @@
     'Multiple.SetPartialSuccess' => 'Estableció correctamente la contraseña en {successes}, pero no pudo establecer la contraseña en {errors}. Póngase en contacto con {supportName} en {supportEmail} para obtener ayuda.',
     'Multiple.SetFailed' => 'Error al establecer la contraseña en {errors}. Póngase en contacto con {supportName} en {supportEmail} para obtener ayuda.',
     'Password.Breached' => 'La contraseña que ingresó fue descubierta previamente en una violación de datos de un sitio web diferente. Puede o no haber sido su propia cuenta la que se vio comprometida. Utilice una contraseña diferente aquí y luego visite <a href="https://sites.google.com/sil.org/identityaccounts/logging-in/password-recommendations" target="_blank">esta página de ayuda</a> para obtener más información.',
+    'Password.ContainsBadByte' => 'La contraseña contiene un carácter no permitido',
     'Password.DisallowedContent' => 'Su contraseña no puede contener ninguno de estos: {labelList} (código 180)',
     'Password.MissingPassword' => 'Se requiere contraseña',
     'Password.PasswordReuse' => 'No se puede actualizar la contraseña. Si esta contraseña ha sido usada antes, use algo diferente.',

application/frontend/messages/fr/app.php

@@ -42,6 +42,7 @@
     'Multiple.SetPartialSuccess' => 'Le mot de passe a été bien défini sur {successes}, mais pas sur {errors}. Contactez {supportName} à {supportEmail} pour obtenir de l\'aide.',
     'Multiple.SetFailed' => 'Impossible de définir le mot de passe sur {errors}. Contactez {supportName} à {supportEmail} pour obtenir de l\'aide.',
     'Password.Breached' => 'Le mot de passe que vous avez entré a déjà été découvert dans une violation de données d\'un site Web différent. Votre compte a peut-être été compromis ou non. Veuillez utiliser un mot de passe différent ici, puis visitez <a href="https://sites.google.com/sil.org/identityaccounts/logging-in/password-recommendations" target="_blank">cette page d’aide</a> pour en savoir plus.',
+    'Password.ContainsBadByte' => 'Le mot de passe contient un caractère non autorisé',
     'Password.DisallowedContent' => 'Votre mot de passe ne peut contenir aucun de ceux-ci: {labelList} (code 180)',
     'Password.MissingPassword' => 'Mot de passe requis',
     'Password.PasswordReuse' => 'Impossible de mettre à jour le mot de passe. Si ce mot de passe a déjà été utilisé, veuillez utiliser quelque chose de différent.',

application/frontend/messages/ko/app.php

@@ -42,6 +42,7 @@
     'Multiple.SetPartialSuccess' => '{successes} 에서 비밀번호를 설정했지만 {errors} 에서 비밀번호를 설정하지 못했습니다. 도움이 필요하면 {supportName} 시 {supportEmail} 에 문의하십시오.',
     'Multiple.SetFailed' => '비밀번호를 {errors} 으로 설정하지 못했습니다. 도움을 청하기 위해 {supportName} 의 {supportEmail} 로 문의하십시오.',
     'Password.Breached' => '입력 한 비밀번호는 이전에 다른 웹 사이트의 데이터 유출로 발견되었습니다. 귀하의 계좌가 손상되었을 수도 있고 아닐 수도 있습니다. 여기에 다른 암호를 사용하고 방문하시기 바랍니다 <a href="https://sites.google.com/sil.org/identityaccounts/logging-in/password-recommendations" target="_blank">이 도움말 페이지</a> 자세한 내용은.',
+    'Password.ContainsBadByte' => '비밀번호에 허용되지 않는 문자가 포함되어 있습니다.',
     'Password.DisallowedContent' => '귀하의 비밀번호는 다음을 포함하지 않을 수 있습니다 : {labelList} (코드 180)',
     'Password.MissingPassword' => '비밀번호가 필요합니다.',
     'Password.PasswordReuse' => '비밀번호를 업데이트 할 수 없습니다. 이 암호를 사용하기 전에 다른 것을 사용하십시오.',

application/run.sh

@@ -16,7 +16,11 @@ if [[ $APP_ENV == "dev" ]]; then
     apt-get update && apt-get install php-xdebug
 fi
 
-apache2ctl -k start -D FOREGROUND
+if [[ -z "${APP_ID}" ]]; then
+  apache2ctl -k start -D FOREGROUND
+else
+  config-shim --app $APP_ID --config $CONFIG_ID --env $ENV_ID apache2ctl -k start -D FOREGROUND
+fi
 
 # endless loop with a wait is needed for the trap to work
 while true

application/tests/unit/common/models/PasswordTest.php

@@ -113,6 +113,19 @@ public function testVsUserAttributes()
         }
     }
 
+    public function testBadBytes()
+    {
+        $employeeId = '111111';
+        $user = User::findOne(['employee_id' => $employeeId]);
+
+        $badPassword = "1" . "\0" . "23456";
+        $password = Password::create($user, $badPassword);
+        $password->validate();
+        $errors = join('|', array_values($password->getErrors('password')));
+        $msg = sprintf('Failed validating test for bad bytes in password. (Errors: "%s")', $errors);
+        $this->assertTrue(str_contains($errors, 'Password.ContainsBadByte'), $msg);
+    }
+
     private function getTestData()
     {
         return [

local.env.dist

@@ -17,6 +17,21 @@ IDP_NAME=
 #IDP_DISPLAY_NAME=
 
 
+# === AWS AppConfig ===
+
+# The AWS region in use
+AWS_REGION=
+
+# The AppConfig Application ID (or name)
+APP_ID=
+
+# The AppConfig Configuration Profile ID (or name)
+CONFIG_ID=
+
+# The AppConfig Environment ID (or name)
+ENV_ID=
+
+
 # === email template data ===
 
 # Email signature line, e.g. "Your friendly Help Desk team"