pay-publicapi initial commit

Author: arcuri82

jdk_11_maven/cs/rest/pay-publicapi/.secrets.baseline

@@ -0,0 +1,196 @@
+{
+  "version": "1.4.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {
+    "openapi/publicapi_spec.json": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "openapi/publicapi_spec.json",
+        "hashed_secret": "0ca33fee4444c18265ffce030b9e327b54f05ae0",
+        "is_verified": false,
+        "line_number": 602
+      }
+    ],
+    "src/main/java/uk/gov/pay/api/model/CreateCardPaymentRequest.java": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "src/main/java/uk/gov/pay/api/model/CreateCardPaymentRequest.java",
+        "hashed_secret": "0ca33fee4444c18265ffce030b9e327b54f05ae0",
+        "is_verified": false,
+        "line_number": 202
+      }
+    ],
+    "src/main/java/uk/gov/pay/api/resources/PaymentsResource.java": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "src/main/java/uk/gov/pay/api/resources/PaymentsResource.java",
+        "hashed_secret": "0ca33fee4444c18265ffce030b9e327b54f05ae0",
+        "is_verified": false,
+        "line_number": 241
+      }
+    ],
+    "src/test/java/uk/gov/pay/api/filter/AuthorizationValidationFilterTest.java": [
+      {
+        "type": "Secret Keyword",
+        "filename": "src/test/java/uk/gov/pay/api/filter/AuthorizationValidationFilterTest.java",
+        "hashed_secret": "70abceeb20d82fc2d55e8934d1ad05ad17609752",
+        "is_verified": false,
+        "line_number": 36
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "src/test/java/uk/gov/pay/api/filter/AuthorizationValidationFilterTest.java",
+        "hashed_secret": "a0936a38d2c31ad225d670f529a82319fc5bb915",
+        "is_verified": false,
+        "line_number": 87
+      }
+    ],
+    "src/test/resources/config/empty-elevated-accounts-test-config.yaml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "src/test/resources/config/empty-elevated-accounts-test-config.yaml",
+        "hashed_secret": "3d4478f77d368235803ceb52bbd45b7240e6af62",
+        "is_verified": false,
+        "line_number": 48
+      }
+    ],
+    "src/test/resources/config/test-config.yaml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "src/test/resources/config/test-config.yaml",
+        "hashed_secret": "3d4478f77d368235803ceb52bbd45b7240e6af62",
+        "is_verified": false,
+        "line_number": 50
+      }
+    ],
+    "src/test/resources/pacts/publicapi-connector-get-payment-refund.json": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "src/test/resources/pacts/publicapi-connector-get-payment-refund.json",
+        "hashed_secret": "4c39a6a28507c3d7ea6de26da0bd1d27cff4a4af",
+        "is_verified": false,
+        "line_number": 25
+      }
+    ],
+    "src/test/resources/pacts/publicapi-ledger-get-one-agreement.json": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "src/test/resources/pacts/publicapi-ledger-get-one-agreement.json",
+        "hashed_secret": "2d893b1b122fa0a884e02bb0a5b20764a80ef6e4",
+        "is_verified": false,
+        "line_number": 22
+      }
+    ]
+  },
+  "generated_at": "2023-09-06T14:26:21Z"
+}

jdk_11_maven/cs/rest/pay-publicapi/CONTRIBUTING.md

@@ -0,0 +1,11 @@
+# GOV.UK Pay contributing guide
+
+This guide covers the basics of how to contribute to the GOV.UK Pay project.
+
+## Pull requests
+The team's pull request checklist can be found [here](https://github.com/alphagov/pay-team-manual/blob/master/docs/development-processes/pull-request-checklist.md)
+
+## Contributions from beyond the team
+If you have an idea to share or a feature to request to raise please contact the GOV.UK Pay team govuk-pay-support@digital.cabinet-office.gov.uk. 
+
+If this is a security issue please do not submit a pull request or raise a GitHub issue, instead, please read the disclosure process [here](/README.md#responsible-disclosure).

jdk_11_maven/cs/rest/pay-publicapi/Dockerfile

@@ -0,0 +1,28 @@
+FROM eclipse-temurin:11-jre-alpine@sha256:77f7c2509dba2f346bf042e424d395b16b0c432ee1eabf0cbcc17922dc900c73
+
+RUN ["apk", "--no-cache", "upgrade"]
+
+ARG DNS_TTL=15
+
+# Default to UTF-8 file.encoding
+ENV LANG C.UTF-8
+
+RUN echo networkaddress.cache.ttl=$DNS_TTL >> "$JAVA_HOME/conf/security/java.security"
+
+RUN ["apk", "add", "--no-cache", "bash", "tini"]
+
+ENV PORT 8080
+ENV ADMIN_PORT 8081
+
+EXPOSE 8080
+EXPOSE 8081
+
+WORKDIR /app
+
+ADD docker-startup.sh /app/docker-startup.sh
+ADD target/*.yaml /app/
+ADD target/pay-*-allinone.jar /app/
+
+ENTRYPOINT ["tini", "-e", "143", "--"]
+
+CMD ["bash", "./docker-startup.sh"]

jdk_11_maven/cs/rest/pay-publicapi/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Crown Copyright (Government Digital Service)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

jdk_11_maven/cs/rest/pay-publicapi/README.md

@@ -0,0 +1,59 @@
+# pay-publicapi
+
+GOV.UK Pay Public API service in Java (Dropwizard)
+
+## General configuration
+
+Configuration of the application is performed via environment variables, some of which are mandatory.
+
+| Variable                    | Required? | Default        | Description                                                                                                |
+| --------------------------- | --------- | -------------- | ---------------------------------------------------------------------------------------------------------- |
+| `ADMIN_PORT`                | No        | 8081           | The port number to listen for Dropwizard admin requests on.                                                |
+| `ALLOW_HTTP_FOR_RETURN_URL` | No        | false          | Whether to allow service return URLs to be non-HTTPS                                                       |
+| `CONNECTOR_URL`             | Yes       | N/A            | The URL to the [connector](https://github.com/alphagov/pay-connector) service                              |
+| `DISABLE_INTERNAL_HTTPS`    | No        | false          | Disable secure connection for calls to internal APIs                                                       |
+| `PORT`                      | No        | 8080           | The port number to listen for requests on.                                                                 |
+| `PUBLICAPI_BASE`            | Yes       | N/A            | The base URL clients can use to reach the API. e.g. http://api.example.org:1234/                           |
+| `PUBLIC_AUTH_URL`           | Yes       | N/A            | The URL to the [publicauth](https://github.com/alphagov/pay-publicauth) service                            |
+| `REDIS_URL`                 | No        | localhost:6379 | The location of the redis endpoint to store rate-limiter information in                                    |
+| `TOKEN_API_HMAC_SECRET`     | Yes       | N/A            | Hmac secret to be used to validate that the given token is genuine (Api Key = Token + Hmac (Token, Secret) |
+
+## Rate limiting
+
+The application will rate-limit incoming API requests, recording the current
+rate limit state in Redis (see `REDIS_URL` above). The rate-limiting behaviour
+can be tuned via the following environment variables which all have default
+values:
+
+| Variable                             | Default      |  Description                               |
+| ----------------------------------   | ------------ | ------------------------------------------ |
+| `RATE_LIMITER_VALUE`                 | Default 75   | Number of non-`POST` requests allowed per `RATE_LIMITER_PER_MILLIS` milliseconds |
+| `RATE_LIMITER_VALUE_POST`            | Default 15   | Number of `POST` requests allowed per `RATE_LIMITER_PER_MILLIS` milliseconds |
+| `RATE_LIMITER_ELEVATED_ACCOUNTS`     | N/A          | Comma-separated list of accounts to which `..._ELEVATED_...` limits apply (example: `1,2,3`) |
+| `RATE_LIMITER_ELEVATED_VALUE_GET`    | Default 100  | Number of non-`POST` requests allowed per `RATE_LIMITER_PER_MILLIS` milliseconds (for `RATE_LIMITER_ELEVATED_ACCOUNTS`) |
+| `RATE_LIMITER_ELEVATED_VALUE_POST`   | Default 40   | Number of `POST` requests allowed per `RATE_LIMITER_PER_MILLIS` milliseconds (for `RATE_LIMITER_ELEVATED_ACCOUNTS`) |
+| `RATE_LIMITER_VALUE_PER_NODE`        | Default 25   | Number of non-`POST` requests allowed per `RATE_LIMITER_PER_MILLIS` milliseconds for a given client |
+| `RATE_LIMITER_VALUE_PER_NODE_POST`   | Default 5    | Number of `POST` requests allowed per `RATE_LIMITER_PER_MILLIS` milliseconds for a given client |
+| `RATE_LIMITER_PER_MILLIS`            | Default 1000 | Rate limiter time window |
+| `RATE_LIMITER_LOW_TRAFFIC_ACCOUNTS`  | N/A          | Comma-separated list of accounts to which `..._LOW_TRAFFIC_...` limits apply (example: `5,6,7`) |
+| `RATE_LIMITER_LOW_TRAFFIC_VALUE_GET` | Default 4500 | Number of non-`POST` requests allowed per `RATE_LIMITER_LOW_TRAFFIC_PER_MILLIS` in milliseconds for a given account (for `RATE_LIMITER_LOW_TRAFFIC_ACCOUNTS`) |
+| `RATE_LIMITER_LOW_TRAFFIC_VALUE_POST`| Default 1    | Number of `POST` requests allowed per `RATE_LIMITER_LOW_TRAFFIC_PER_MILLIS` in milliseconds (for `RATE_LIMITER_LOW_TRAFFIC_ACCOUNTS`) |
+| `RATE_LIMITER_LOW_TRAFFIC_PER_MILLIS`| Default 60000| rate limit internal per `RATE_LIMITER_LOW_TRAFFIC_PER_MILLIS` (in milliseconds) for `RATE_LIMITER_LOW_TRAFFIC_ACCOUNTS`  |
+
+## API specification
+
+Read our  [developer documentation](https://docs.payments.service.gov.uk/#gov-uk-pay-documentation) for guidance on using the API.
+
+For more detailed information you can use our [OpenAPI specifiation](https://github.com/alphagov/pay-publicapi/blob/master/openapi/publicapi_spec.json)
+
+## Dependencies
+
+- https://www.mock-server.com/ is used for mocking dependent services
+
+## Licence
+
+[MIT License](LICENSE)
+
+## Vulnerability Disclosure
+
+GOV.UK Pay aims to stay secure for everyone. If you are a security researcher and have discovered a security vulnerability in this code, we appreciate your help in disclosing it to us in a responsible manner. Please refer to our [vulnerability disclosure policy](https://www.gov.uk/help/report-vulnerability) and our [security.txt](https://vdp.cabinetoffice.gov.uk/.well-known/security.txt) file for details.

jdk_11_maven/cs/rest/pay-publicapi/build-local.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+cd "$(dirname "$0")"
+
+mvn -DskipITs clean verify
+if [ "$(uname -m)" == "arm64" ]; then
+  docker build -t governmentdigitalservice/pay-publicapi:local -f m1/arm64.Dockerfile .
+else
+  docker build -t governmentdigitalservice/pay-publicapi:local .
+fi

jdk_11_maven/cs/rest/pay-publicapi/docker-startup.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -eu
+
+exec java ${JAVA_OPTS} -jar *-allinone.jar server *.yaml

jdk_11_maven/cs/rest/pay-publicapi/docs/arch/adr-001-use-lettuce-core-lib-instead-of-dropwizard-redis.md

@@ -0,0 +1,44 @@
+# ADR 001 - Use lettuce-core library instead of dropwizard redis
+
+## Context
+
+We were using an [unsupported dropwizard-redis](https://github.com/benjamin-bader/droptools/tree/master/dropwizard-redis) bundle. Dropwizard now offer a managed bundle which provides a managed redis. This bundle uses `lettuce-core` instead of `jedis`.
+
+[We wanted to upgrade to this new library](https://payments-platform.atlassian.net/browse/PP-6343).
+
+The advantages of using this library are:
+
+* Configuration
+* Client lifecycle management
+* Client health checks
+* Dropwizard Metrics integration
+
+However, the dropwizard-redis library's io.dropwizard.redis.RedisClientFactory class 
+[expects](https://github.com/dropwizard/dropwizard-redis/blob/master/src/main/java/io/dropwizard/redis/RedisClientFactory.java#L54) 
+to make a connection with Redis on application startup. If a connection cannot be made an exception will be thrown 
+which causes the application to fail to start up. 
+
+This has some unintended consequences:
+
+* Mandating a connection on startup causes many integration tests to fail. Making a redis connection available for every relevant test is a fairly big change.
+* Mandating a connection might affect running Publicapi in dev/local environments.
+
+In order to work around this issue we could either:
+
+1. adapt the dropwizard-redis library so that it doesn't crash if the redis connection is not available
+2. use lettuce-core directly
+
+| Option  | Pros | Cons |
+|---------|---------|---------|
+| adapt   | use common component; metrics instrumentation | more effort than justified |
+| use lettuce-core directly | simpler; not hard; we don't need the extra features of dropwizard-redis; we don't need healthchecks because redis is optional | |
+
+On balance we think there are no advantages to us in using dropwizard-redis so we'll just use the lettuce-core library directly.
+
+## Decision
+
+We will use the [lettuce-core](https://github.com/lettuce-io/lettuce-core) directly. 
+
+## Status
+
+Accepted 

jdk_11_maven/cs/rest/pay-publicapi/env.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+ENV_FILE="$WORKSPACE/pay-scripts/services/publicapi.env"
+if [ -f $ENV_FILE ]
+then
+  set -a
+  source $ENV_FILE
+  set +a  
+fi
+
+eval "$@"