CCM-17440: Fix dependabot issues#321
Conversation
simonlabarere
force-pushed
the
feature/CCM-17440_dependabot_updates
branch
5 times, most recently
from
0dfc38a to
2e522f2
Compare
simonlabarere
force-pushed
the
feature/CCM-17440_dependabot_updates
branch
2 times, most recently
from
7d404da to
63ce4d2
Compare
simonlabarere
force-pushed
the
feature/CCM-17440_dependabot_updates
branch
from
63ce4d2 to
72c1f93
Compare
simonlabarere
dismissed stale reviews from Ian-Hodges and lapenna-bjss
via
cb90136
| @@ -1,4 +1,4 @@ | |||
| import { KeyStore } from '../../key-generation-utils/jwk'; | |||
| import { KeyStore } from '../../key-generation-utils/jwk-key-store'; | |||
There was a problem hiding this comment.
Sorry, it's super minor, but this can be shortened.
import { KeyStore } from '../../key-generation-utils';
There was a problem hiding this comment.
Actually, it can be added to the one below.
import { KeyStore, generateNewKey } from '../../key-generation-utils';
| @@ -0,0 +1,73 @@ | |||
| import { Key } from '../../key-generation-utils/jwk-key'; | |||
There was a problem hiding this comment.
| import { Key } from '../../key-generation-utils/jwk-key'; | |
| import { Key } from '../../key-generation-utils'; |
| import { asKeyStore } from '../../key-generation-utils/jwk'; | ||
| import { logger } from '../../logger'; | ||
| import { uploadPublicKeystoreToS3 } from '../../key-generation-utils'; |
There was a problem hiding this comment.
| import { asKeyStore } from '../../key-generation-utils/jwk'; | |
| import { logger } from '../../logger'; | |
| import { uploadPublicKeystoreToS3 } from '../../key-generation-utils'; | |
| import { logger } from '../../logger'; | |
| import { asKeyStore, uploadPublicKeystoreToS3 } from '../../key-generation-utils'; |
| import { asKey } from '../../key-generation-utils/jwk'; | ||
| import { | ||
| ValidateKeyResult, | ||
| validatePrivateKey, | ||
| } from '../../key-generation-utils'; | ||
|
|
There was a problem hiding this comment.
| import { | |
| asKey, | |
| ValidateKeyResult, | |
| validatePrivateKey, | |
| } from '../../key-generation-utils'; | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | ||
| - name: "Build docs" | ||
| uses: NHSDigital/nhs-notify-shared-modules/.github/actions/build-docs@3.0.0 | ||
| uses: NHSDigital/nhs-notify-shared-modules/.github/actions/build-docs@53e42b5046ec10ce54d732c0051c96968aaebeb2 |
There was a problem hiding this comment.
This is a change that needs reverting before merge, right? Or updating to point at a new tag.
|
|
||
| const key = await JWK.asKey(keyPem, 'pem'); | ||
| const { kid } = key.toJSON() as KeyJson; | ||
| await asKey(keyPem, 'pem'); |
There was a problem hiding this comment.
The result of this asKey call isn't being used. Is it redundant? You seem to be getting the Key ID from the SSM parameter name instead?
| const key = await JWK.asKey(keyPem, 'pem'); | ||
| const { kid } = key.toJSON() as KeyJson; | ||
| await asKey(keyPem, 'pem'); | ||
| const privateKeyRegex = /privatekey_(\d{8})_(.+)\.pem/; |
There was a problem hiding this comment.
This regex also appears to be defined in validateParamName above. It could perhaps be extracted to a constant, or perhaps wrapped with a utility to use it to extract the components of a key name that can be reused?
There was a problem hiding this comment.
We should probably have tests for this class, shouldn't we?
| const pem = nodePrivateKey.export({ | ||
| type: 'pkcs8', | ||
| format: 'pem', | ||
| }) as string; | ||
|
|
||
| const reImportedKey = createPrivateKey(pem); |
There was a problem hiding this comment.
Why export nodePrivateKey and then re-import it? I assume there's a reason for it, but it would be worth a comment to explain what it is.
4 participants
Description
Updated the following dependencies:
node-joseuses a vulnerable version ofuuidand it couldn't be overridden (I hacked it to force it use a new version and node-jose wouldn't work because it detected something was wrong).I used copilot to replace
node-josewith a combination ofjose(which is maintained) andnode:crypto. The problem is thatjoseversion 6 (latest) is not compatible out of the box with the way we usejestfor testing. I spent some time trying to make it work but it involved using an experimental version ofjestand it made all the unit tests flaky in general. Version 5 ofjosedidn't have that problem so this is what I ended up using but it's a year old. On the other hand it doesn't have any vulnerabilities so it's still better than the 3 year old version ofnode-jose.Testing involved generating a new public/private key pair and making sure it's working with the APIM authentication mechanism.
Testing
Running the key-generation lambda manually
Generated private key
Generated public key
APIM Updated to point at pr321
Token generation
Other changes
Since we last ran the build docs step:
There is a corresponding PR in the shared-modules repository to address these changes. Until a new version of shared-modules is released, this PR references the commit SHA directly. Once a new release is available, we can update this to use the release tag instead.
Type of changes
Checklist
Sensitive Information Declaration
To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.