Migrate to Azure (#678)

* Bump up Ruby to v2.5.7 * Remove Danger * Add rspec junit formatter * Read secrets and ENV variables on Azure * Add option to disable Sentry SSL verification * initial commit for ADO * switching ruby to 2.5.5 * Update .ruby-version * Update Gemfile * Update test-application.yaml * moving back to 2.5.7 * Update azure-pipelines.yml * switching to new base image * updating base image * adding EXTERNA_URL var * Update Dockerfile * adding app vars * Update azure-pipelines.yml * pass DB_URL during build * pass DB_URL during build fix * pass DB_URL during build fix ii * trigger deployment * db params * unset env params * adding missing dependecy RST-2377 * adding more dependencies * Update Dockerfile * RST-2316 adding daily export cron job * Updating permissions on export script * Updating path for the export job script * RST-2316 refactoring * adding missing switch * redirecting cron to STDOUT * refactor * adding LF * Lock users after 10 failed attempts * Get the app version from the APP_GIT_COMMIT var * Send default logger to STDOUT * Increase the password complexity * Throttle password reset emails * Invalidate all user sessions on sign out (#652) * Enable HTTP Strict Transport Security (#654) * Enable secure cookies (#653) * Send metrics to Azure Application Insights (#656) * Allow http requests for the /status.json * Bump up Rails to v6.0.3.2 * Bump up govuk_template to v0.26.0 Co-authored-by: tomaszcwikcs <tomasz@cwiksolutions.co.uk> Co-authored-by: mohammed abubakar <mohammed.abubakar@altostack.io>
ministryofjustice · Jul 20, 2020 · 735ff2f · 735ff2f
1 parent 63144fa
commit 735ff2f
Show file tree

Hide file tree

Showing 42 changed files with 770 additions and 101 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,9 @@
+.git*
+log/*
+tmp/*
+.travis.yml
+Dockerfile
+Dockerfile.development
+docker-compose.yml
+azure-pipelines.yaml
+pipeline-steps/*
diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-2.5.3
+2.5.7
diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,19 @@
-FROM ministryofjustice/ruby:2.5.3-webapp-onbuild
+FROM employmenttribunal.azurecr.io/ruby25-onbuild:0.4
 
-ENV PUMA_PORT 3000
+# Adding argument support for ping.json
+ARG APP_VERSION=unknown
+ARG APP_BUILD_DATE=unknown
+ARG APP_GIT_COMMIT=unknown
+ARG APP_BUILD_TAG=unknown
+
+# Setting up ping.json variables
+ENV APP_VERSION ${APP_VERSION}
+ENV APP_BUILD_DATE ${APP_BUILD_DATE}
+ENV APP_GIT_COMMIT ${APP_GIT_COMMIT}
+ENV APP_BUILD_TAG ${APP_BUILD_TAG}
+
+# Application specific variables 
 
-ENV DATABASE_URL                 replace_this_at_build_time
 ENV GLIMR_API_URL                replace_this_at_build_time
 ENV EXTERNAL_URL                 replace_this_at_build_time
 ENV PAYMENT_ENDPOINT             replace_this_at_build_time
@@ -14,10 +25,8 @@ ENV GTM_TRACKING_ID              replace_this_at_build_time
 ENV TAX_TRIBUNAL_EMAIL           replace_this_at_build_time
 ENV ZENDESK_USERNAME             replace_this_at_build_time
 ENV ZENDESK_TOKEN                replace_this_at_build_time
-
 ENV UPLOAD_PROBLEMS_REPORT_AUTH_USER            replace_this_at_build_time
 ENV UPLOAD_PROBLEMS_REPORT_AUTH_DIGEST          replace_this_at_build_time
-
 ENV NOTIFY_CASE_CONFIRMATION_TEMPLATE_ID        replace_this_at_build_time
 ENV NOTIFY_FTT_CASE_NOTIFICATION_TEMPLATE_ID    replace_this_at_build_time
 ENV NOTIFY_CASE_FIRST_REMINDER_TEMPLATE_ID      replace_this_at_build_time
@@ -26,12 +35,25 @@ ENV NOTIFY_NEW_CASE_SAVED_TEMPLATE_ID           replace_this_at_build_time
 ENV NOTIFY_RESET_PASSWORD_TEMPLATE_ID           replace_this_at_build_time
 ENV NOTIFY_CHANGE_PASSWORD_TEMPLATE_ID          replace_this_at_build_time
 
-RUN touch /etc/inittab
 
-RUN apt-get update && apt-get install -y && apt-get install libcurl4-gnutls-dev -y
+# fix to address http://tzinfo.github.io/datasourcenotfound - PET ONLY
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update -q && \
+    apt-get install -qy tzdata libcurl4-gnutls-dev libxrender-dev libfontconfig libxext6 --no-install-recommends && apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && rm -fr *Release* *Sources* *Packages* && \
+    truncate -s 0 /var/log/*log
 
+ENV PUMA_PORT 8000
 EXPOSE $PUMA_PORT
 
-RUN bundle exec rake assets:precompile RAILS_ENV=production       SECRET_KEY_BASE=required_but_does_not_matter_for_assets
+RUN bash -c "bundle exec rake assets:precompile RAILS_ENV=production SECRET_KEY_BASE=required_but_does_not_matter_for_assets"
+
+# adding daily export cron job
+ADD daily-export /etc/cron.d/
+
+# running app as a servive
+ENV PHUSION true
+RUN mkdir /etc/service/app
+COPY run.sh /etc/service/app/run
+RUN chmod +x /etc/service/app/run
 
-ENTRYPOINT ["./run.sh"]
diff --git a/Gemfile b/Gemfile
@@ -1,8 +1,9 @@
 source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
-ruby '2.5.3'
+ruby '2.5.7'
 
+gem 'azure_env_secrets', github: 'ministryofjustice/azure_env_secrets', tag: 'v0.1.3'
 gem 'bootsnap', require: false
 gem 'devise', '~> 4.7.1'
 gem 'email_validator'
@@ -24,9 +25,11 @@ gem 'responders'
 gem 'sanitize'
 gem 'sass-rails', '~> 5.0'
 gem 'sentry-raven'
+gem 'strong_password', '~> 0.0.8'
 gem 'uglifier'
 gem 'virtus'
 gem 'zendesk_api', '~> 1.14.4'
+gem 'application_insights', '~> 0.5.6'
 
 # PDF generation
 gem 'wicked_pdf', '~> 1.1.0'
@@ -40,7 +43,6 @@ end
 group :development do
   gem 'better_errors'
   gem 'binding_of_caller'
-  gem 'faker'
   gem 'i18n-debug'
   gem 'listen', '~> 3.0.5'
   gem 'web-console'
@@ -49,6 +51,7 @@ end
 group :development, :test do
   gem 'byebug', platform: :mri
   gem 'dotenv-rails'
+  gem 'faker', '~> 1.6', '>= 1.6.3'
   gem 'launchy'
   gem 'mutant-rspec', '< 0.9'
   gem 'pry-byebug'
@@ -65,6 +68,7 @@ group :test do
   gem 'phantomjs'
   gem 'poltergeist', '~> 1.18', '>= 1.18.1'
   gem 'rails-controller-testing'
+  gem 'rspec_junit_formatter', '~> 0.4.1'
   gem 'rubocop', require: false
   gem 'rubocop-rspec', require: false
   gem 'selenium-webdriver', '~> 3.142'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,57 +1,64 @@
+GIT
+  remote: https://github.com/ministryofjustice/azure_env_secrets.git
+  revision: b72195789c350839d8a7f492eb2938c5101d5400
+  tag: v0.1.3
+  specs:
+    azure_env_secrets (0.1.3)
+
 GEM
   remote: https://rubygems.org/
   specs:
     abstract_type (0.0.7)
-    actioncable (6.0.3.1)
-      actionpack (= 6.0.3.1)
+    actioncable (6.0.3.2)
+      actionpack (= 6.0.3.2)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      activejob (= 6.0.3.1)
-      activerecord (= 6.0.3.1)
-      activestorage (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
+    actionmailbox (6.0.3.2)
+      actionpack (= 6.0.3.2)
+      activejob (= 6.0.3.2)
+      activerecord (= 6.0.3.2)
+      activestorage (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
       mail (>= 2.7.1)
-    actionmailer (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      actionview (= 6.0.3.1)
-      activejob (= 6.0.3.1)
+    actionmailer (6.0.3.2)
+      actionpack (= 6.0.3.2)
+      actionview (= 6.0.3.2)
+      activejob (= 6.0.3.2)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.3.1)
-      actionview (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
+    actionpack (6.0.3.2)
+      actionview (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
       rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      activerecord (= 6.0.3.1)
-      activestorage (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
+    actiontext (6.0.3.2)
+      actionpack (= 6.0.3.2)
+      activerecord (= 6.0.3.2)
+      activestorage (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
       nokogiri (>= 1.8.5)
-    actionview (6.0.3.1)
-      activesupport (= 6.0.3.1)
+    actionview (6.0.3.2)
+      activesupport (= 6.0.3.2)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.3.1)
-      activesupport (= 6.0.3.1)
+    activejob (6.0.3.2)
+      activesupport (= 6.0.3.2)
       globalid (>= 0.3.6)
-    activemodel (6.0.3.1)
-      activesupport (= 6.0.3.1)
-    activerecord (6.0.3.1)
-      activemodel (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
-    activestorage (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      activejob (= 6.0.3.1)
-      activerecord (= 6.0.3.1)
+    activemodel (6.0.3.2)
+      activesupport (= 6.0.3.2)
+    activerecord (6.0.3.2)
+      activemodel (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
+    activestorage (6.0.3.2)
+      actionpack (= 6.0.3.2)
+      activejob (= 6.0.3.2)
+      activerecord (= 6.0.3.2)
       marcel (~> 0.3.1)
-    activesupport (6.0.3.1)
+    activesupport (6.0.3.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
@@ -66,6 +73,7 @@ GEM
       abstract_type (~> 0.0.7)
       adamantium (~> 0.2)
       equalizer (~> 0.0.11)
+    application_insights (0.5.6)
     archive-zip (0.12.0)
       io-like (~> 0.3.0)
     ast (2.4.0)
@@ -185,7 +193,7 @@ GEM
     govuk_notify_rails (2.0.0)
       notifications-ruby-client (>= 2.0.0)
       rails (>= 4.1.0)
-    govuk_template (0.21.0)
+    govuk_template (0.26.0)
       rails (>= 3.1)
     hashdiff (0.3.4)
     hashie (3.5.5)
@@ -216,7 +224,7 @@ GEM
       railties (>= 4)
       request_store (~> 1.0)
     logstash-event (1.2.02)
-    loofah (2.5.0)
+    loofah (2.6.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -304,20 +312,20 @@ GEM
       rack (>= 1.0, < 3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (6.0.3.1)
-      actioncable (= 6.0.3.1)
-      actionmailbox (= 6.0.3.1)
-      actionmailer (= 6.0.3.1)
-      actionpack (= 6.0.3.1)
-      actiontext (= 6.0.3.1)
-      actionview (= 6.0.3.1)
-      activejob (= 6.0.3.1)
-      activemodel (= 6.0.3.1)
-      activerecord (= 6.0.3.1)
-      activestorage (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
+    rails (6.0.3.2)
+      actioncable (= 6.0.3.2)
+      actionmailbox (= 6.0.3.2)
+      actionmailer (= 6.0.3.2)
+      actionpack (= 6.0.3.2)
+      actiontext (= 6.0.3.2)
+      actionview (= 6.0.3.2)
+      activejob (= 6.0.3.2)
+      activemodel (= 6.0.3.2)
+      activerecord (= 6.0.3.2)
+      activestorage (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
       bundler (>= 1.3.0)
-      railties (= 6.0.3.1)
+      railties (= 6.0.3.2)
       sprockets-rails (>= 2.0.0)
     rails-controller-testing (1.0.4)
       actionpack (>= 5.0.1.x)
@@ -328,9 +336,9 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
+    railties (6.0.3.2)
+      actionpack (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
@@ -366,6 +374,8 @@ GEM
       rspec-mocks (~> 3.9)
       rspec-support (~> 3.9)
     rspec-support (3.9.3)
+    rspec_junit_formatter (0.4.1)
+      rspec-core (>= 2, < 4, != 2.12.0)
     rubocop (0.65.0)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
@@ -414,6 +424,7 @@ GEM
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
+    strong_password (0.0.8)
     thor (1.0.1)
     thread_safe (0.3.6)
     tilt (2.0.10)
@@ -462,7 +473,7 @@ GEM
     wkhtmltopdf-binary (0.12.3.1)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.3.0)
+    zeitwerk (2.3.1)
     zendesk_api (1.14.4)
       faraday (~> 0.9)
       hashie (>= 3.5.2, < 4.0.0)
@@ -474,6 +485,8 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  application_insights (~> 0.5.6)
+  azure_env_secrets!
   better_errors
   binding_of_caller
   bootsnap
@@ -486,7 +499,7 @@ DEPENDENCIES
   devise (~> 4.7.1)
   dotenv-rails
   email_validator
-  faker
+  faker (~> 1.6, >= 1.6.3)
   geckodriver-helper (~> 0.23.0)
   glimr-api-client (~> 0.3.2)
   govuk_elements_form_builder (~> 1.3.0)
@@ -514,6 +527,7 @@ DEPENDENCIES
   rails-controller-testing
   responders
   rspec-rails
+  rspec_junit_formatter (~> 0.4.1)
   rubocop
   rubocop-rspec
   sanitize
@@ -523,6 +537,7 @@ DEPENDENCIES
   simplecov
   simplecov-rcov
   site_prism (~> 2.9)
+  strong_password (~> 0.0.8)
   uglifier
   virtus
   web-console
@@ -533,7 +548,7 @@ DEPENDENCIES
   zendesk_api (~> 1.14.4)
 
 RUBY VERSION
-   ruby 2.5.3p105
+   ruby 2.5.7p206
 
 BUNDLED WITH
    1.17.3
diff --git a/app/controllers/users/logins_controller.rb b/app/controllers/users/logins_controller.rb
@@ -7,6 +7,11 @@ def save_confirmation
     def logged_out
     end
 
+    def destroy
+      current_user.invalidate_all_sessions!
+      super
+    end
+
     protected
 
     def sign_in(_resource_name, user)

diff --git a/app/controllers/users/passwords_controller.rb b/app/controllers/users/passwords_controller.rb
@@ -4,7 +4,17 @@ class PasswordsController < Devise::PasswordsController
     # value as otherwise Devise will not error if the email address is left blank.
     # This will not error on malformed email addresses as we are in Paranoid mode and Devise
     # will consider any input as valid, but at least we cover the blank scenario.
+    # Throttle the emails sent to one per three per seconds per account to avoid
+    # email flooding.
     def create
+      email = params[:user][:email]
+      unless email.empty?
+        user = User.find_by(email: email)
+        if (Time.zone.now.to_f - user&.reset_password_sent_at.to_f) < 3
+          redirect_to users_password_reset_sent_path and return
+        end
+      end
+
       super do |user|
         if user.errors.added?(:email, :blank)
           respond_with(user) and return