ministryofjustice / prison-api Goto Github PK

Hi there

The user emileswarts had Direct Member access to this repository and access via a team.

Access is now only via a team.

You may have less access it is dependant upon the teams access to the repo.

If you have any questions, please post in #ask-operations-engineering on Slack.

This issue can be closed.

I'm on a non-ministryofjustice team. Our project will be consuming resources from the prison-api.

My job is to report to my team, answers to these questions:

1. Is contributing to the prison-api project closed to non-ministryofjustice developers?
2. If contributing to the prison-api project is not closed, what are the prerequisites for being allowed to contribute?
3. Under what license are ministryofjustice projects in general (prison-api specifically) open sourced?
4. In what sense of „open source" should ministryofjustice projects be thought of from a third-party project's perspective?

The Open Source Initiative mentions the word „license“ in nine of the ten numbered parts of its Open Source Definition:

1. Free Redistribution
   The license shall not restrict any party...

2. Source Code
   [not mentioned]

3. Derived Works
   The license must allow modifications and derived works...

4. Integrity of The Author's Source Code
   The license may restrict source-code from being distributed in modified form only if...

5. No Discrimination Against Persons or Groups
   The license must not discriminate against any person or group of persons...

6. No Discrimination Against Fields of Endeavor
   The license must not restrict anyone from making use of the program in a specific field...

7. Distribution of License
   ...redistributed without the need for execution of an additional license...

8. License Must Not Be Specific to a Product
   ...within the terms of the program's license...

9. License Must Not Restrict Other Software
   The license must not place restrictions on other software...

10. License Must Be Technology-Neutral
    No provision of the license may be predicated on any individual technology or style of interface...

However, the prison-api project doesn't have a license included or mentioned anywhere in it. My team and I are curious to understand what that means from a practical standpoint.

How does the prison-api specify hmpps-auth as its OAuth 2.0 authorization server? Where exactly in the code or configuration files I mean?

Or if you're doing it by Spring Security's auto-configuration, can you share a link to the Spring Security documentation that describes that auto-configuration? Please? I've Googled. But I couldn't find anything.

I'm aware of a few different ways provided by Spring Security for a resource server to configure what authorization server it will delegate OAuth 2.0 authorization to.

• Specify it in application.yaml (or application.properties):

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://idp.example.com/issuer

• Specify it using the DSL:

@EnableWebSecurity
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
    protected void configure(HttpSecurity http) {
        http
            .authorizeRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt
                    .jwkSetUri("https://idp.example.com/.well-known/jwks.json")
                )
            );
    }
}

I can't see anywhere in any prison-api file where the authorization server is set. Apart from this dev profile configurations I found in the project:

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          public-key-location: classpath:local-public-key.pub

And this test resource:

spring.security.oauth2.resourceserver.jwt.jwk-set-uri: http://localhost:9090/auth/.well-known/jwks.json

Thank you in advance.

Hi there

The user bjpirt had Direct Member access to this repository and access via a team.

Access is now only via a team.

You may have less access it is dependant upon the teams access to the repo.

If you have any questions, please post in #ask-operations-engineering on Slack.

This issue can be closed.

Hi there
The default branch protection setting called codeowners require review is not enabled for this repository
This option affects a pull request, i.e a PR will need to be reviewed and approved by a CODEOWNER before it can be merged.
See repository settings/Branches/Branch protection rules
Either add a new Branch protection rule or edit the existing branch protection rule and select the Require review from Code Owners option
Create a .github/CODEOWNERS file
Add a or multiple entries of @ministryofjustice/team_name to the CODEOWNERS file
The team_name shall be a team from within the MoJ teams: https://github.com/orgs/ministryofjustice/teams
See GH Codeowners documentation: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
See the repository standards: https://github.com/ministryofjustice/github-repository-standards
See the report: https://operations-engineering-reports.cloud-platform.service.justice.gov.uk/github_repositories
Please contact Operations Engineering on Slack #ask-operations-engineering, if you need any assistance

Expected Behavior

When the /api/offenders/{offenderNo} endpoint is called, an OFFENDER_BOOKINGS record should be created in persistent storage.

Current Behavior

The system fails to create the OFFENDER_BOOKINGS record (full stack trace)...

...

org.springframework.dao.InvalidDataAccessApiUsageException: The given id must not be null!; nested exception is java.lang.IllegalArgumentException: The given id must not be null!

...

Caused by: java.lang.IllegalArgumentException: The given id must not be null!
        at org.springframework.util.Assert.notNull(Assert.java:201)
        at org.springframework.data.jpa.repository.support.SimpleJpaRepository.findById(SimpleJpaRepository.java:297)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:78)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:567)
        at org.springframework.data.repository.core.support.RepositoryMethodInvoker$RepositoryFragmentMethodInvoker.lambda$new$0(RepositoryMethodInvoker.java:289)
        at org.springframework.data.repository.core.support.RepositoryMethodInvoker.doInvoke(RepositoryMethodInvoker.java:137)
        at org.springframework.data.repository.core.support.RepositoryMethodInvoker.invoke(RepositoryMethodInvoker.java:121)
        at org.springframework.data.repository.core.support.RepositoryComposition$RepositoryFragments.invoke(RepositoryComposition.java:529)
        at org.springframework.data.repository.core.support.RepositoryComposition.invoke(RepositoryComposition.java:285)
        at org.springframework.data.repository.core.support.RepositoryFactorySupport$ImplementationMethodExecutionInterceptor.invoke(RepositoryFactorySupport.java:599)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
        at org.springframework.data.repository.core.support.QueryExecutorMethodInterceptor.doInvoke(QueryExecutorMethodInterceptor.java<===========--> 87% EXECUTING [5h 31m 35s]
        at org.springframework.data.repository.core.support.QueryExecutorMethodInterceptor.invoke(QueryExecutorMethodInterceptor.java:13
...

Context

I am an external developer of a non-DPS system. My application is specified to consume API endpoints exposed by this project. My application will be authorized by HMPPS Auth using the OAuth 2.0 Client Credentials grant.

While stepping through the debugger during investigation of a separate, unrelated issue, I had observed that Spring Security refers to the security principle as "AnonymousUser" during the OAuth 2.0 Client Credentials grant flow.

Assuming that an "AnonymousUser" would not have a user name, then the following two lines are reasonable suspects for the root cause of the reported "The given id must not be null" error...

1. (username = ((UserDetails) userPrincipal).getUsername();)
2. staffUserAccountRepository.findById(currentUsername)

Steps to Reproduce

1. Call the /api/offenders/{offenderNo} endpoint with a JWT access token issued by HMPPS Auth for an OAuth 2.0 Client Credentials grant.

Your Environment

• Windows 10
• Docker Desktop Version 3.3.3 (64133)
• IntelliJ IDEA 2021.1.2 (Community Edition)
  • Build #IC-211.7442.40

Expected Behavior

When the /api/offenders/ endpoint is called, an OFFENDERS record should be created in persistent storage.

Current Behavior

The system fails to create the OFFENDERS record...

...

Hibernate: insert into offenders (create_datetime, create_user_id, modify_datetime, modify_user_id, audit_additional_info, audit_client_ip_address, audit_client_user_id, audit_client_workstation_name, audit_module_name, audit_timestamp, audit_user_id, birth_date, caseload_type, create_date, race_code, first_name, sex_code, id_source_code, last_name, last_name_alpha_key, last_name_key, last_name_soundex, middle_name, middle_name_2, name_sequence, offender_id_display, root_offender_id, suffix, title, offender_id) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)

...

org.springframework.dao.DataIntegrityViolationException: could not execute statement; SQL [n/a]; constraint [null]; nested exception is org.hibernate.exception.ConstraintViolationException: could not execute statement
        at org.springframework.orm.jpa.vendor.HibernateJpaDialect.convertHibernateAccessException(HibernateJpaDialect.java:276)
...

Caused by: org.hsqldb.HsqlException: integrity constraint violation: NOT NULL check constraint; SYS_CT_10479 table: OFFENDERS column: CREATE_USER_ID
        at org.hsqldb.error.Error.error(Unknown Source)
        at org.hsqldb.Table.enforceRowConstraints(Unknown Source)
        at org.hsqldb.Table.generateAndCheckData(Unknown Source)
        at org.hsqldb.Table.insertSingleRow(Unknown Source)
        at org.hsqldb.StatementDML.insertSingleRow(Unknown Source)
        at org.hsqldb.StatementInsert.getResult(Unknown Source)
        at org.hsqldb.StatementDMQL.execute(Unknown Source)
        at org.hsqldb.Session.executeCompiledStatement(Unknown Source)
        at org.hsqldb.Session.execute(Unknown Source)
        ... 175 common frames omitted

Context

The DDL for the CREATE_USER_ID column is...

...
CREATE_USER_ID                VARCHAR2(40) DEFAULT USER         NOT NULL
...

Steps to Reproduce

1. Call the /api/offenders/ endpoint (see also OffenderResource#createPrisoner).