@govuk-pay/cli 0.0.3 → 0.0.5

package/resources/legacy-ruby-cli/spec/naming_spec.rb

@@ -0,0 +1,83 @@
+# rubocop:disable Metrics/BlockLength
+RSpec.describe 'pay naming' do
+  # rubocop:enable Metrics/BlockLength
+  context 'asg names' do
+    it 'frontend www weirdness' do
+      expect(PayCLI::Naming.asg_name(
+        'env-name',
+        'frontend'
+      )).to eq('env-name-www-ecs-appserver')
+    end
+
+    it 'cardid normalness' do
+      expect(PayCLI::Naming.asg_name(
+        'env-name',
+        'cardid'
+      )).to eq('env-name-cardid-ecs-appserver')
+    end
+  end
+
+  context 'elb names' do
+    it 'elb names to be correct' do
+      names = PayCLI::Naming.elb_names(
+        'env-name',
+        %w(adminusers connector products publicauth notifications ledger)
+      )
+      expected_names = {
+        'env-name-adminusers-ecs-elb' =>  'adminusers',
+        'env-name-connector-ecs-elb'  =>  'connector',
+        'env-name-products-ecs-elb'   =>  'products',
+        'env-name-publicauth-ecs-elb' =>  'publicauth',
+        'env-name-notices-ecs-elb'    =>  'notifications',
+        'env-name-ledger-ecs-elb'     =>  'ledger',
+      }
+
+      expect(names).to eq(expected_names)
+    end
+  end
+
+  context 'domain names' do
+    it 'domain names to be correct' do
+      expected_domain_names = %w(
+        pymnt.uk pymnt.uk pymnt.uk
+        payments.service.gov.uk payments.service.gov.uk payments.service.gov.uk
+        pymnt.uk
+      )
+
+      actual_domain_names = %w(
+        ci dev test deploy staging production blah
+      ).map { |env| PayCLI::Naming.domain_name(env) }
+
+      expect(actual_domain_names).to eq(expected_domain_names)
+    end
+  end
+
+  context 'bucket names' do
+    it 'ci bucket is correct' do
+      expected_name = 'pay-govuk-terraform-state-ci'
+      expect(%w( ci dev test ).all? do |e|
+        PayCLI::Naming.bucket_name(e) == expected_name
+      end).to eq(true)
+    end
+
+    it 'deploy bucket is correct' do
+      expected_name = 'pay-govuk-terraform-state-deploy'
+      expect(%w( staging production deploy ).all? do |e|
+        PayCLI::Naming.bucket_name(e) == expected_name
+      end).to eq(true)
+    end
+
+    it 'arbtrary-env bucket is correct' do
+      expect(PayCLI::Naming.bucket_name('arbitrary')).to eq('pay-govuk-terraform-state-arbitrary')
+    end
+  end
+
+  context 'db names' do
+    it 'resolves instance name with no version specified' do
+      service = { 'service_name' => 'connector' }
+      expect(
+        PayCLI::Naming.db_name('env-1', service)
+      ).to eq('env-1-connector-rds-0')
+    end
+  end
+end

package/resources/legacy-ruby-cli/spec/spec_helper.rb

@@ -0,0 +1,106 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause
+# this file to always be loaded, without a need to explicitly require it in any
+# files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need
+# it.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+  # This option will default to `:apply_to_host_groups` in RSpec 4 (and will
+  # have no way to turn it off -- the option exists only for backwards
+  # compatibility in RSpec 3). It causes shared context metadata to be
+  # inherited by the metadata hash of host groups and examples, rather than
+  # triggering implicit auto-inclusion in groups with matching metadata.
+  config.shared_context_metadata_behavior = :apply_to_host_groups
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+# rubocop:disable Style/BlockComments
+=begin
+  # rubocop:enable Style/BlockComments
+  # This allows you to limit a spec run to individual examples or groups
+  # you care about by tagging them with `:focus` metadata. When nothing
+  # is tagged with `:focus`, all examples get run. RSpec also provides
+  # aliases for `it`, `describe`, and `context` that include `:focus`
+  # metadata: `fit`, `fdescribe` and `fcontext`, respectively.
+  config.filter_run_when_matching :focus
+
+  # Allows RSpec to persist some state between runs in order to support
+  # the `--only-failures` and `--next-failure` CLI options. We recommend
+  # you configure your source control system to ignore this file.
+  config.example_status_persistence_file_path = "spec/examples.txt"
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://rspec.info/blog/2012/06/rspecs-new-expectation-syntax/
+  #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://rspec.info/blog/2014/05/notable-changes-in-rspec-3/#zero-monkey-patching-mode
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = "doc"
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+=end
+end
+
+require 'zeitwerk_setup'
+require_relative '../lib/pay_cli/entry_point'

package/resources/legacy-ruby-cli/vulnerability_scan/.nvmrc

@@ -0,0 +1 @@
+18.12.1

package/resources/legacy-ruby-cli/vulnerability_scan/generate_vulnerability_report.js

@@ -0,0 +1,91 @@
+const fs = require('fs')
+const path = require('path')
+
+const INPUT_PATH = `${path.dirname(__filename)}/reports`
+const OUTPUT_PATH = `${path.dirname(__filename)}/reports`
+const HEADERS = ["App name", "Release", "Vulnerability", "Severity", "Package", "Fixed version"]
+const NODE_MAJOR_VERSION = process.versions.node.split('.')[0];
+
+if (NODE_MAJOR_VERSION < 16) {
+  console.warn('⛔️ requires >= Node 16')
+} else {
+  generate()
+}
+
+function generate() {
+  const jsonData = []
+  const date = new Date().toJSON().slice(0, 10);
+  const jsonFiles = fs.readdirSync(INPUT_PATH).filter(file => path.extname(file) === '.json')
+  const reportFilePath = `${OUTPUT_PATH}/vulnerability_scan_report-${date}.csv`
+  let parseCount = 0
+  let rowCount = 0
+  try {
+    jsonFiles.forEach(file => {
+      const appAndRelease = extractAppAndRelease(file)
+      const filePath = path.join(INPUT_PATH, file)
+      const data = fs.readFileSync(filePath, 'utf8')
+      const parsedData = JSON.parse(data)
+      const cveObjects = extractCVEObjects(parsedData["runs"][0]["results"], appAndRelease)
+      jsonData.push({
+        "CVEs": cveObjects
+      })
+    })
+
+    fs.writeFileSync(reportFilePath, HEADERS.join(',') + '\n')
+
+    jsonData.forEach(data => {
+      data["CVEs"].forEach(cve => {
+        const row = HEADERS.map(key => cve[key]).join(',')
+        fs.appendFileSync(reportFilePath, row + '\n')
+        rowCount++
+      })
+      parseCount++
+    })
+  } catch (err) {
+    console.error("ERROR:", err.message)
+  } finally {
+    console.log(`Parsed ${parseCount} of ${jsonFiles.length} JSON files, wrote ${rowCount} row(s) to ${reportFilePath}`)
+  }
+}
+
+
+function extractAppAndRelease(inputString) {
+  const regex = /^.*?(?=-\d+)/ // matches any characters at the beginning of the string that are followed by a dash and one or more digits
+  const match = inputString.match(regex)
+  if (match && match[0]) {
+    const release = inputString.replace(`${match[0]}-`, "").replace(".json", "")
+    return [match[0], release]
+  } else {
+    const fallback = inputString.replace(".json", "")
+    return [fallback, fallback] // fallback option
+  }
+}
+
+function extractCVEObjects(results, appAndRelease) {
+  let cveObjects = []
+  results.forEach(result => {
+    const stringArr = result["message"]["text"].split("\n").reduce((stringArr, string) => {
+      if (string !== "") {
+        stringArr.push(string
+          .split(", ")
+          .join(" ")
+          .trim()
+        )
+      }
+      return stringArr
+    }, [])
+    stringArr.push(`App name: ${appAndRelease[0]}`)
+    stringArr.push(`Release: ${appAndRelease[1]}`)
+    cveObjects.push(convertStringArrayToCVEObj(stringArr))
+  })
+  return cveObjects
+}
+
+function convertStringArrayToCVEObj(stringArr) {
+  const cveObj = {}
+  stringArr.forEach(s => {
+    const parts = s.split(':');
+    cveObj[parts[0].trim()] = parts[1].trim()
+  })
+  return cveObj
+}

package/resources/legacy-ruby-cli/vulnerability_scan/scan.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Script for scanning ECR docker vulnerabilities with "docker scout cves"
+# https://docs.docker.com/engine/reference/commandline/scout_cves/
+
+# **** Run this from the root of pay-infra to store reports in this folder. ****
+
+# This will take about 5 minutes unless you already have the images cached locally.
+# You will be prompted for your aws-vault auth/MFA code.
+# The report will be stored in reports/vulnerability_scan_report-YYYY-MM-DD.csv
+
+set -euo pipefail
+
+
+ACCOUNT="staging"
+ACCOUNT_ID="888564216586"
+REPORTS_FOLDER="cli/vulnerability_scan/reports"
+
+echo "🔍 checking for dependencies..."
+
+declare -a commands=("aws" "jq" "aws-vault" "docker" "docker scout")
+
+for i in "${!commands[@]}"; do
+  if ! command -v ${commands[i]} &> /dev/null
+  then
+    echo "❌ ${commands[i]}"
+    exit 1
+  else
+    echo "✅ ${commands[i]}"
+  fi
+done
+
+# Login to ECR
+echo "Logging into staging ECR"
+aws-vault exec $ACCOUNT -- aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin "${ACCOUNT_ID}.dkr.ecr.eu-west-1.amazonaws.com"
+
+# Get list of govukpay repository URIs (ignore postgres, selenium etc)
+REPOSITORIES="$(aws-vault exec $ACCOUNT -- aws ecr describe-repositories --no-paginate | jq -r '.repositories[].repositoryUri' | grep 'govukpay')"
+if [[ -z $REPOSITORIES ]]; then
+  echo "Unable to find ECR repositories"
+  exit 1
+fi
+
+# For each repository, run scan on the latest image and save to JSON file
+for REPO_URI in $REPOSITORIES
+do
+  SHORT_REPO_NAME=$(echo "$REPO_URI"| cut -d'/' -f 3)
+  LATEST_TAG="$(aws-vault exec $ACCOUNT -- aws ecr describe-images --repository-name "govukpay/$SHORT_REPO_NAME" --query 'sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]' | tr -d '"')"
+  echo "Scanning latest image in $SHORT_REPO_NAME with tag $LATEST_TAG."
+  docker scout cves --format sarif --output "${REPORTS_FOLDER}/${SHORT_REPO_NAME}-${LATEST_TAG}.json" "${REPO_URI}:${LATEST_TAG}"
+done
+
+node ./cli/vulnerability_scan/generate_vulnerability_report.js
+
+# Clean up report JSON files once done
+echo "Removing JSON report files..."
+rm $REPORTS_FOLDER/*.json

package/src/commands/browse.js

@@ -26,8 +26,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.logBrowseCommands = void 0;
 const path = __importStar(require("path"));
 const standardContent_js_1 = require("../core/standardContent.js");
-const constants_js_1 = require("../core/constants.js");
 const moduleFunctionWrapper_js_1 = require("../util/moduleFunctionWrapper.js");
+const constants_1 = require("../core/constants");
 const requestableItems = new Map();
 requestableItems.set('concourse', {
     name: 'concourse page',
@@ -73,7 +73,7 @@ async function browseHandler(options) {
         const requestedItem = requestableItems.get(argumentName);
         if (requestedItem != null) {
             console.log('Usage:');
-            console.log(`  npx --package=${path.resolve(constants_js_1.rootDir)} browse ${argumentName}`);
+            console.log(`  npx --package=${path.resolve(constants_1.rootDir)} browse ${argumentName}`);
             console.log(`browses the ${requestedItem.name}`);
             return;
         }

package/src/commands/legacy.js

@@ -28,6 +28,7 @@ const payCliExec_1 = __importStar(require("../util/payCliExec"));
 const path = __importStar(require("node:path"));
 const constants_1 = require("../core/constants");
 const standardContent_1 = require("../core/standardContent");
+const pathToLegacyRubyCli = path.join(constants_1.rootDir, 'resources', 'legacy-ruby-cli');
 async function legacyHandler(options) {
     const argsToPassOn = [];
     if (options.commandName !== 'legacy') {
@@ -45,7 +46,7 @@ async function proxyArrayOfArgumentsToLegacyCli(argsToPassOn) {
     const shellCommand = process.env.PAY_CLI_SHELL_COMMAND ?? 'zsh';
     const whichRbenvResult = await (0, payCliExec_1.execAndReturnIO)(`which ${rbenvCommand}`);
     const whichBundlerResult = await (0, payCliExec_1.execAndReturnIO)(`${rbenvCommand} exec bundle --version`, {
-        cwd: path.join(constants_1.rootDir, 'legacy-ruby-cli')
+        cwd: pathToLegacyRubyCli
     });
     if (whichRbenvResult.exitCode !== 0) {
         console.error('You need rbenv installed before you can continue.');
@@ -56,7 +57,7 @@ async function proxyArrayOfArgumentsToLegacyCli(argsToPassOn) {
         process.exit(12);
     }
     await (0, payCliExec_1.default)(shellCommand, {
-        cwd: path.join(constants_1.rootDir, 'legacy-ruby-cli'),
+        cwd: pathToLegacyRubyCli,
         matchExitCode: true,
         streamStdio: true,
         commandsToWrite: [

package/src/core/constants.js

@@ -23,16 +23,13 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.distDir = exports.rootDir = void 0;
+exports.distDirForBuildTasks = exports.rootDirForBuildTasks = exports.rootDir = void 0;
 const path = __importStar(require("path"));
-// import {dirname} from 'path'
-// import {fileURLToPath} from 'url'
-//
-// // @ts-ignore
-// const currentDir = dirname(fileURLToPath(import.meta.url))
-const potentialRootDir = path.resolve(__dirname, '..', '..');
-exports.rootDir = potentialRootDir.endsWith('dist') ? path.resolve(potentialRootDir, '..') : potentialRootDir;
-exports.distDir = path.join(exports.rootDir, 'dist');
+exports.rootDir = path.resolve(__dirname, '..', '..');
+exports.rootDirForBuildTasks = exports.rootDir.endsWith('dist') ? path.resolve(exports.rootDir, '..') : exports.rootDir;
+exports.distDirForBuildTasks = path.join(exports.rootDirForBuildTasks, 'dist');
 exports.default = {
-    rootDir: exports.rootDir
+    rootDir: exports.rootDir,
+    distDirForBuildTasks: exports.distDirForBuildTasks,
+    rootDirForBuildTasks: exports.rootDirForBuildTasks
 };

package/src/util/payCliExec.js

@@ -26,9 +26,11 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.execAndReturnIO = void 0;
 const cp = __importStar(require("child_process"));
 async function payCliExec(fullCommand, options) {
-    return await new Promise((resolve) => {
+    return await new Promise((resolve, reject) => {
         const commandParts = fullCommand.split(' ');
         const command = commandParts.shift();
+        const commandsWritten = [];
+        const stderrParts = [];
         if (command === undefined) {
             throw new Error('Command can\'t be undefined');
         }
@@ -42,6 +44,9 @@ async function payCliExec(fullCommand, options) {
         if ((options?.onStderr) !== undefined) {
             spawnedThread.stderr.on('data', options.onStderr);
         }
+        spawnedThread.stderr.on('data', (buffer) => {
+            stderrParts.push(buffer);
+        });
         if ((options?.onClose) !== undefined) {
             spawnedThread.on('close', options.onClose);
         }
@@ -55,12 +60,24 @@ async function payCliExec(fullCommand, options) {
                 process.exitCode = exitCode;
             });
         }
+        spawnedThread.on('error', (error) => {
+            console.error('An error occurred in payCliExec.');
+            if (commandsWritten.length > 0) {
+                console.error(`commandsWritten: [${commandsWritten.join(', ')}]`);
+            }
+            if (stderrParts.length > 0) {
+                console.error(`STDERR:\n${stderrParts.map(x => x.toString()).join('\n')}`);
+            }
+            console.error(error);
+            reject(error);
+        });
         spawnedThread.once('close', () => {
             resolve();
         });
         if (options?.commandsToWrite !== undefined) {
             spawnedThread.stdin.setDefaultEncoding('utf-8');
             options.commandsToWrite.forEach((value) => {
+                commandsWritten.push(value);
                 spawnedThread.stdin.write(`${value}\n`);
             });
         }