Merge pull request #52 from hmrc/PLATOPS-1850

PLATOPS-1850: Library security upgrades

app/uk/gov/hmrc/cataloguefrontend/AuthController.scala

@@ -28,15 +28,14 @@ import uk.gov.hmrc.cataloguefrontend.service.AuthService
 import uk.gov.hmrc.cataloguefrontend.service.AuthService.TokenAndDisplayName
 import uk.gov.hmrc.play.bootstrap.controller.FrontendController
 import views.html.sign_in
-
-import scala.concurrent.Future
+import scala.concurrent.{ExecutionContext, Future}
 
 @Singleton
 class AuthController @Inject()(
   authService: AuthService,
   configuration: Configuration,
-  mcc: MessagesControllerComponents
-) extends FrontendController(mcc) {
+  mcc: MessagesControllerComponents)(implicit ec: ExecutionContext)
+    extends FrontendController(mcc) {
 
   import AuthController.signinForm
 
@@ -52,16 +51,18 @@ class AuthController @Inject()(
       .fold(
         formWithErrors => Future.successful(BadRequest(sign_in(formWithErrors, selfServiceUrl))),
         signInData =>
-          authService.authenticate(signInData.username, signInData.password).map {
-            case Right(TokenAndDisplayName(UmpToken(token), DisplayName(displayName))) =>
-              Redirect(routes.CatalogueController.index())
-                .withSession(
-                  UmpToken.SESSION_KEY_NAME    -> token,
-                  DisplayName.SESSION_KEY_NAME -> displayName
-                )
-            case Left(_) =>
-              BadRequest(sign_in(signinForm.withGlobalError(Messages("sign-in.wrong-credentials")), selfServiceUrl))
-        }
+          authService
+            .authenticate(signInData.username, signInData.password)
+            .map {
+              case Right(TokenAndDisplayName(UmpToken(token), DisplayName(displayName))) =>
+                Redirect(routes.CatalogueController.index())
+                  .withSession(
+                    UmpToken.SESSION_KEY_NAME    -> token,
+                    DisplayName.SESSION_KEY_NAME -> displayName
+                  )
+              case Left(_) =>
+                BadRequest(sign_in(signinForm.withGlobalError(Messages("sign-in.wrong-credentials")), selfServiceUrl))
+          }
       )
   }
 

build.sbt

@@ -7,42 +7,45 @@ import uk.gov.hmrc.versioning.SbtGitVersioning
 val appName: String = "catalogue-frontend"
 
 lazy val microservice = Project(appName, file("."))
-  .enablePlugins(Seq(play.sbt.PlayScala, SbtAutoBuildPlugin, SbtGitVersioning, SbtDistributablesPlugin, SbtArtifactory): _*)
+  .enablePlugins(
+    Seq(play.sbt.PlayScala, SbtAutoBuildPlugin, SbtGitVersioning, SbtDistributablesPlugin, SbtArtifactory): _*)
   .settings(publishingSettings: _*)
   .settings(
-    majorVersion                     := 4,
-    playDefaultPort                  := 9017,
-    libraryDependencies              ++= compile ++ test,
+    majorVersion := 4,
+    playDefaultPort := 9017,
+    libraryDependencies ++= compile ++ test,
     evictionWarningOptions in update := EvictionWarningOptions.default.withWarnScalaVersionEviction(false),
-    resolvers                        += Resolver.jcenterRepo
+    resolvers += Resolver.jcenterRepo
   )
 
-val bootstrapPlayVersion = "0.22.0"
+val bootstrapPlayVersion = "0.36.0"
 
 val compile = Seq(
-  "uk.gov.hmrc"               %% "simple-reactivemongo"    % "7.9.0-play-26",
-  "uk.gov.hmrc"               %% "bootstrap-play-26"       % bootstrapPlayVersion,
-  "uk.gov.hmrc"               %% "url-builder"             % "1.1.0",
-  "org.typelevel"             %% "cats-core"               % "1.1.0",
-  "org.apache.httpcomponents" %  "httpcore"                % "4.3.2",
-  "org.yaml"                  %  "snakeyaml"               % "1.17",
-  "org.apache.httpcomponents" %  "httpclient"              % "4.3.5",
-  "com.github.tototoshi"      %% "scala-csv"               % "1.3.4",
-  "com.github.melrief"        %% "purecsv"                 % "0.1.0",
-  "com.opencsv"               %  "opencsv"                 % "4.0"
+  "uk.gov.hmrc"               %% "simple-reactivemongo" % "7.12.0-play-26",
+  "uk.gov.hmrc"               %% "bootstrap-play-26"    % bootstrapPlayVersion,
+  "uk.gov.hmrc"               %% "url-builder"          % "1.1.0",
+  "org.typelevel"             %% "cats-core"            % "1.1.0",
+  "org.apache.httpcomponents" % "httpcore"              % "4.3.2",
+  "org.yaml"                  % "snakeyaml"             % "1.17",
+  "org.apache.httpcomponents" % "httpclient"            % "4.3.5",
+  "com.github.tototoshi"      %% "scala-csv"            % "1.3.4",
+  "com.github.melrief"        %% "purecsv"              % "0.1.0",
+  "com.opencsv"               % "opencsv"               % "4.0"
 )
 
-val test  = Seq(
-  "uk.gov.hmrc"            %% "bootstrap-play-26"          % bootstrapPlayVersion % Test classifier "tests",
-  "uk.gov.hmrc"            %% "hmrctest"                   % "3.2.0"              % Test,
-  "uk.gov.hmrc"            %% "reactivemongo-test"         % "4.6.0-play-26"      % Test,
-  "org.scalatest"          %% "scalatest"                  % "3.0.5"              % Test,
-  "org.scalatestplus.play" %% "scalatestplus-play"         % "3.1.2"              % Test,
-  "org.scalacheck"         %% "scalacheck"                 % "1.14.0"             % Test,
-  "org.pegdown"            %  "pegdown"                    % "1.6.0"              % Test,
-  "com.typesafe.play"      %% "play-test"                  % PlayVersion.current  % Test,
-  "com.github.tomakehurst" %  "wiremock"                   % "1.55"               % Test,
-  "org.jsoup"              %  "jsoup"                      % "1.9.2"              % Test,
-  "org.mockito"            %  "mockito-all"                % "1.10.19"            % Test,
+val test = Seq(
+  "uk.gov.hmrc"            %% "bootstrap-play-26"  % bootstrapPlayVersion % Test classifier "tests",
+  "uk.gov.hmrc"            %% "hmrctest"           % "3.2.0"              % Test,
+  "uk.gov.hmrc"            %% "reactivemongo-test" % "4.6.0-play-26"      % Test,
+  "org.scalatest"          %% "scalatest"          % "3.0.5"              % Test,
+  "org.scalatestplus.play" %% "scalatestplus-play" % "3.1.2"              % Test,
+  "org.scalacheck"         %% "scalacheck"         % "1.14.0"             % Test,
+  "org.pegdown"            % "pegdown"             % "1.6.0"              % Test,
+  "com.typesafe.play"      %% "play-test"          % PlayVersion.current  % Test,
+  "com.github.tomakehurst" % "wiremock"            % "1.55"               % Test,
+  "org.jsoup"              % "jsoup"               % "1.9.2"              % Test,
+  "org.mockito"            % "mockito-all"         % "1.10.19"            % Test,
+  // force dependencies due to security flaws found in xercesImpl 2.11.0
+  "xerces"                 % "xercesImpl"          % "2.12.0"             % Test,
   ws
 )

project/plugins.sbt

@@ -13,6 +13,6 @@ addSbtPlugin("uk.gov.hmrc" % "sbt-git-versioning" % "1.15.0")
 
 addSbtPlugin("uk.gov.hmrc" % "sbt-distributables" % "1.1.0")
 
-addSbtPlugin("uk.gov.hmrc" % "sbt-artifactory" % "0.13.0")
+addSbtPlugin("uk.gov.hmrc" % "sbt-artifactory" % "0.17.0")
 
 addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.6.15")

test/uk/gov/hmrc/cataloguefrontend/connector/HttpClientStub.scala

@@ -16,6 +16,7 @@
 
 package uk.gov.hmrc.cataloguefrontend.connector
 
+import akka.actor.ActorSystem
 import cats.data.OptionT
 import cats.implicits._
 import com.typesafe.config.Config
@@ -26,7 +27,6 @@ import uk.gov.hmrc.http.hooks.HttpHook
 import uk.gov.hmrc.http.{HeaderCarrier, HttpReads, HttpResponse}
 import uk.gov.hmrc.play.bootstrap.http.HttpClient
 import uk.gov.hmrc.play.http.ws.WSHttp
-
 import scala.collection.immutable.Queue
 import scala.concurrent.ExecutionContext.Implicits.global
 import scala.concurrent.{ExecutionContext, Future}
@@ -187,9 +187,10 @@ trait HttpClientStub {
     override def doDelete(url: String)(implicit hc: HeaderCarrier): Future[HttpResponse] =
       ???
 
-    override protected def configuration: Option[Config] = ???
+    override protected def configuration: Option[Config] = None
 
-    override def wsClient: WSClient = ???
+    override def wsClient: WSClient                 = ???
+    override protected def actorSystem: ActorSystem = ActorSystem("test-actor-system")
   }
 
   val httpClient: ClientStub = new ClientStub(expect)