From 3c847905d25739c091c03eff8617d48c79a4cb77 Mon Sep 17 00:00:00 2001
From: William Fish
Date: Fri, 5 Jan 2024 09:54:16 +0000
Subject: [PATCH 1/2] HOTT-4446: Pentest remediation work

---
 .env.development | 2 +-
 Dockerfile | 37 ++++++++++++++++++-------------
 Makefile | 31 ++++++++++++++++++++++++++
 config/environments/production.rb | 2 +-
 4 files changed, 55 insertions(+), 17 deletions(-)
 create mode 100644 Makefile

diff --git a/.env.development b/.env.development
index d7437a0e..9ff77fa6 100644
--- a/.env.development
+++ b/.env.development
@@ -3,4 +3,4 @@ DUTY_CALCULATOR_HOST=http://localhost:3002
 PORT=3002
 ROUTE_THROUGH_FRONTEND=false
 TRADE_TARIFF_FRONTEND_URL="http://localhost:3001/"
-WEB_CONCURRENCY=0
\ No newline at end of file
+WEB_CONCURRENCY=0
diff --git a/Dockerfile b/Dockerfile
index 7e22d9db..3be6b893 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,10 +11,9 @@ RUN apk add --update --no-cache build-base git yarn tzdata && \
 cp /usr/share/zoneinfo/Europe/London /etc/localtime && \
 echo "Europe/London" > /etc/timezone
 
-RUN bundle config set without 'development test'
-
 # Install gems defined in Gemfile
 COPY .ruby-version Gemfile Gemfile.lock /app/
+RUN bundle config set without 'development test'
 RUN bundle install --jobs=4 --no-binstubs
 
 # Install node packages defined in package.json, including webpack
@@ -25,20 +24,20 @@ RUN yarn install --frozen-lockfile COPY . /app/ ENV GOVUK_APP_DOMAIN=localhost \ - GOVUK_WEBSITE_ROOT=http://localhost/ \ - RAILS_ENV=production \ - NODE_OPTIONS="--openssl-legacy-provider" + GOVUK_WEBSITE_ROOT=http://localhost/ \ + RAILS_ENV=production \ + NODE_OPTIONS="--openssl-legacy-provider" RUN bundle exec rails assets:precompile # Cleanup to save space in the production image RUN rm -rf node_modules log tmp && \ - rm -rf /usr/local/bundle/cache && \ - rm -rf .env && \ - find /usr/local/bundle/gems -name "*.c" -delete && \ - find /usr/local/bundle/gems -name "*.h" -delete && \ - find /usr/local/bundle/gems -name "*.o" -delete && \ - find /usr/local/bundle/gems -name "*.html" -delete + rm -rf /usr/local/bundle/cache && \ + rm -rf .env && \ + find /usr/local/bundle/gems -name "*.c" -delete && \ + find /usr/local/bundle/gems -name "*.h" -delete && \ + find /usr/local/bundle/gems -name "*.o" -delete && \ + find /usr/local/bundle/gems -name "*.html" -delete # Build runtime image FROM ruby:3.2.2-alpine3.18 as production @@ -50,10 +49,9 @@ RUN apk add --update --no-cache tzdata && \ # The application runs from /app WORKDIR /app -ENV GOVUK_APP_DOMAIN=localhost \ - GOVUK_WEBSITE_ROOT=http://localhost/ \ - RAILS_SERVE_STATIC_FILES=true \ - RAILS_ENV=production +ENV RAILS_SERVE_STATIC_FILES=true \ + RAILS_ENV=production \ + PORT=8080 RUN bundle config set without 'development test' @@ -61,4 +59,13 @@ RUN bundle config set without 'development test' COPY --from=builder /app /app COPY --from=builder /usr/local/bundle/ /usr/local/bundle/ +RUN addgroup -S tariff && \ + adduser -S tariff -G tariff && \ + chown -R tariff:tariff /app && \ + chown -R tariff:tariff /usr/local/bundle + +HEALTHCHECK CMD nc -z 0.0.0.0 $PORT + +USER tariff + CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0"] diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..12c296a1 --- /dev/null +++ b/Makefile 
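Review bot: `chown -R tariff:tariff /app` and `chown -R tariff:tariff /usr/local/bundle` in the last hunk of this file hand the runtime user write access to the entire application source and gem tree, so a compromised Rails process can modify the code it executes; least privilege is to leave both root-owned and world-readable and chown only what Rails writes at runtime (`tmp` and `log`, which the builder cleanup removed and which therefore have to be recreated here), and dropping the recursive chown on the copied trees also stops those layers being duplicated in the final image. `HEALTHCHECK CMD nc -z 0.0.0.0 $PORT` only proves something is listening, and with no options Docker applies a 30s interval, 30s timeout and no start period, so failures while Rails boots count toward the three retries; an explicit `--start-period` and a short `--timeout` make the check meaningful. Confirm nothing else under `/app` or the bundle path is written at runtime (a cache directory, for example) before tightening ownership. The `CMD` does not pass `-p`, so the new `PORT=8080` only has effect if `config/puma.rb`, which is outside this diff, reads `ENV["PORT"]`.

```dockerfile
RUN addgroup -S tariff && \
    adduser -S tariff -G tariff && \
    mkdir -p /app/tmp /app/log && \
    chown -R tariff:tariff /app/tmp /app/log

HEALTHCHECK --interval=30s --timeout=5s --start-period=60s --retries=3 \
    CMD nc -z 127.0.0.1 "$PORT" || exit 1

# … unchanged: USER tariff, CMD …
```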
@@ -0,0 +1,31 @@
+.PHONY: default build run clean
+
+IMAGE_NAME := trade-tariff-duty-calculator
+COMMON_ENV := --env-file ".env.development" \
+ -e 'SECRET_KEY_BASE="0620b2907b1cee61dbcf5cbbf4125c04bf5db3554c66589d40a9349b5abd5463a40f4a1a8c2db9b07c13715340ee3c94bbc24b1adb3140a20f702e9dc3d4fc0c"' \
+ -e 'GOVUK_APP_DOMAIN="localhost"' \
+ -e 'GOVUK_WEBSITE_ROOT="http://localhost/"' \
+ -e 'RAILS_ASSUME_SSL="false"'
+
+default: build run
+
+build:
+ docker build -t $(IMAGE_NAME) .
+
+run:
+ docker run \
+ --network=host \
+ --rm \
+ --name $(IMAGE_NAME) \
+ $(COMMON_ENV) \
+ $(IMAGE_NAME)
+
+clean:
+ docker rmi $(IMAGE_NAME)
+
+shell:
+ docker run \
+ --rm \
+ --name $(IMAGE_NAME)-shell \
+ $(COMMON_ENV) \
+ -it $(IMAGE_NAME) /bin/sh
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 076f5330..8773bb05 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -32,7 +32,7 @@
 
 # Assume all access to the app is happening through a SSL-terminating reverse proxy.
 # Can be used together with config.force_ssl for Strict-Transport-Security and secure cookies.
- config.assume_ssl = true
+ config.assume_ssl = ENV.fetch('RAILS_ASSUME_SSL', "true") == "true"
 
 # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
 # config.force_ssl = true

From 8d16d444c967a88dfe814a915306bab4d2d67003 Mon Sep 17 00:00:00 2001
From: William Fish
Date: Fri, 5 Jan 2024 10:13:22 +0000
Subject: [PATCH 2/2] HOTT-4446: No healthcheck in shell task

---
 Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Makefile b/Makefile
index 12c296a1..b51b6be3 100644
--- a/Makefile
+++ b/Makefile
@@ -28,4 +28,5 @@ shell:
 --rm \
 --name $(IMAGE_NAME)-shell \
 $(COMMON_ENV) \
+ --no-healthcheck \
 -it $(IMAGE_NAME) /bin/sh
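Review bot: The `SECRET_KEY_BASE` in `COMMON_ENV` is a fixed 128-hex-character key committed to the repository, and because the image runs with `RAILS_ENV=production` it is the key that signs and encrypts session cookies for every container started from this Makefile; a committed value is indistinguishable from a leaked production secret to secret scanners and to anyone who reuses these targets outside local development. Generate it per invocation instead, e.g. `SECRET_KEY_BASE ?= $(shell openssl rand -hex 64)` and `-e "SECRET_KEY_BASE=$(SECRET_KEY_BASE)"`, so no key lives in git. `.PHONY: default build run clean` also omits `shell`, so a file named `shell` in the checkout would silently satisfy that target. `--network=host` on the `run` target shares the host network namespace with the container; acceptable for a local harness, but worth a comment stating it exists only so the app can reach the localhost services presumably named in `.env.development`.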
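Review bot: `config.assume_ssl = ENV.fetch('RAILS_ASSUME_SSL', "true") == "true"` fails open: any value other than the exact string `true` (`TRUE`, `1`, a trailing space) silently disables the proxy-SSL assumption and the behaviour the comment above ties to it. Compare against the disabling value instead so unexpected input keeps the protection, `config.assume_ssl = ENV.fetch('RAILS_ASSUME_SSL', 'true') != 'false'`, which also removes the mixed quote styles on one line. A short comment naming the only intended setter, `# RAILS_ASSUME_SSL=false is meant only for the local Makefile run, where no TLS-terminating proxy exists`, would make it harder to set in a deployed environment by accident.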