Release/27.0

application/common/constants.py

@@ -3,7 +3,7 @@
 CLOSED_AND_HIDDEN_STATUSES = ["HIDDEN", "CLOSED"]
 
 PHARMACY_SERVICE_TYPE_IDS = [13, 131, 132, 134, 137, 148, 149]
-PHARMACY_ORGANISATION_SUB_TYPES = ["Community"]
+PHARMACY_ORGANISATION_SUB_TYPES = ["Community", "DistanceSelling"]
 PHARMACY_ODSCODE_LENGTH = 5
 PHARMACY_SERVICE_TYPE_ID = 13
 

infrastructure/stacks/application/data.tf

@@ -51,6 +51,22 @@ data "aws_iam_policy_document" "sns_topic_app_alerts_for_slack_access_default_re
     }
     resources = [aws_sns_topic.sns_topic_app_alerts_for_slack_default_region.arn]
   }
+
+  statement {
+    sid     = "DenyNonSecureTransport"
+    effect  = "Deny"
+    actions = ["sns:Publish"]
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    resources = [aws_sns_topic.sns_topic_app_alerts_for_slack_default_region.arn]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
 }
 
 data "aws_iam_policy_document" "sns_topic_app_alerts_for_slack_access_alarm_region" {
@@ -63,6 +79,22 @@ data "aws_iam_policy_document" "sns_topic_app_alerts_for_slack_access_alarm_regi
     }
     resources = [aws_sns_topic.sns_topic_app_alerts_for_slack_route53_health_check_alarm_region.arn]
   }
+
+  statement {
+    sid     = "DenyNonSecureTransport"
+    effect  = "Deny"
+    actions = ["sns:Publish"]
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    resources = [aws_sns_topic.sns_topic_app_alerts_for_slack_route53_health_check_alarm_region.arn]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
 }
 
 # ##############

infrastructure/stacks/application/security_groups.tf

@@ -22,13 +22,13 @@ resource "aws_security_group_rule" "allow_https_out" {
 
 #tfsec:ignore:aws-vpc-no-public-egress-sgr
 resource "aws_security_group_rule" "allow_postgres_out" {
-  type              = "egress"
-  from_port         = 5432
-  to_port           = 5432
-  protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = aws_security_group.lambda_sg.id
-  description       = "Allow all Postgres outbound traffic"
+  type                     = "egress"
+  from_port                = 5432
+  to_port                  = 5432
+  protocol                 = "tcp"
+  source_security_group_id = data.aws_security_group.db_sg.id
+  security_group_id        = aws_security_group.lambda_sg.id
+  description              = "Allow all Postgres outbound traffic"
 }
 
 resource "aws_security_group_rule" "database_allow_in_from_lambda" {

infrastructure/stacks/shared-resources/api-gateway-responses.tf

@@ -7,6 +7,9 @@ resource "aws_api_gateway_method_response" "response_200" {
     "method.response.header.Cache-control"             = true
     "method.response.header.Pragma"                    = true
     "method.response.header.Strict-Transport-Security" = true
+    "method.response.header.X-Frame-Options"           = true
+    "method.response.header.X-Content-Type-Options"    = true
+    "method.response.header.Content-Security-Policy"   = true
   }
   response_models = {
     "application/json" = aws_api_gateway_model.default_model.name
@@ -22,6 +25,9 @@ resource "aws_api_gateway_method_response" "response_400" {
     "method.response.header.Cache-control"             = true
     "method.response.header.Pragma"                    = true
     "method.response.header.Strict-Transport-Security" = true
+    "method.response.header.X-Frame-Options"           = true
+    "method.response.header.X-Content-Type-Options"    = true
+    "method.response.header.Content-Security-Policy"   = true
   }
   response_models = {
     "application/json" = aws_api_gateway_model.default_model.name
@@ -37,6 +43,9 @@ resource "aws_api_gateway_method_response" "response_500" {
     "method.response.header.Cache-control"             = true
     "method.response.header.Pragma"                    = true
     "method.response.header.Strict-Transport-Security" = true
+    "method.response.header.X-Frame-Options"           = true
+    "method.response.header.X-Content-Type-Options"    = true
+    "method.response.header.Content-Security-Policy"   = true
   }
   response_models = {
     "application/json" = aws_api_gateway_model.default_model.name
@@ -54,6 +63,9 @@ resource "aws_api_gateway_integration_response" "di_endpoint_integration_success
     "method.response.header.Cache-control"             = "'no-cache'"
     "method.response.header.Pragma"                    = "'no-store'"
     "method.response.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"
+    "method.response.header.X-Frame-Options"           = "'DENY'"
+    "method.response.header.X-Content-Type-Options"    = "'nosniff'"
+    "method.response.header.Content-Security-Policy"   = "'default-src 'self''"
   }
 
   depends_on = [
@@ -75,6 +87,9 @@ resource "aws_api_gateway_integration_response" "response_400" {
     "method.response.header.Cache-control"             = "'no-cache'"
     "method.response.header.Pragma"                    = "'no-store'"
     "method.response.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"
+    "method.response.header.X-Frame-Options"           = "'DENY'"
+    "method.response.header.X-Content-Type-Options"    = "'nosniff'"
+    "method.response.header.Content-Security-Policy"   = "'default-src 'self''"
   }
 
   depends_on = [
@@ -96,6 +111,9 @@ resource "aws_api_gateway_integration_response" "response_500" {
     "method.response.header.Cache-control"             = "'no-cache'"
     "method.response.header.Pragma"                    = "'no-store'"
     "method.response.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"
+    "method.response.header.X-Frame-Options"           = "'DENY'"
+    "method.response.header.X-Content-Type-Options"    = "'nosniff'"
+    "method.response.header.Content-Security-Policy"   = "'default-src 'self''"
   }
 
   depends_on = [
@@ -112,9 +130,41 @@ resource "aws_api_gateway_gateway_response" "access_denied_403_gateway_response"
   response_type      = "ACCESS_DENIED"
   response_templates = ({ "application/json" : jsonencode({ "Message" : "Access Denied, please contact the development team for assistance" }) })
 
+  response_parameters = {
+    "gatewayresponse.header.Cache-control"             = "'no-cache'"
+    "gatewayresponse.header.Pragma"                    = "'no-store'"
+    "gatewayresponse.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"
+    "gatewayresponse.header.X-Frame-Options"           = "'DENY'"
+    "gatewayresponse.header.X-Content-Type-Options"    = "'nosniff'"
+    "gatewayresponse.header.Content-Security-Policy"   = "'default-src 'self''"
+  }
+
   depends_on = [
     aws_api_gateway_integration.di_endpoint_integration,
     aws_api_gateway_resource.di_endpoint_change_event_path,
     aws_api_gateway_method.di_endpoint_method,
   ]
 }
+
+resource "aws_api_gateway_gateway_response" "invalid_api_key_403_response" {
+  rest_api_id        = aws_api_gateway_rest_api.di_endpoint.id
+  status_code        = "403"
+  response_type      = "INVALID_API_KEY"
+  response_templates = ({ "application/json" : jsonencode({ "message" : "Forbidden" }) })
+
+  response_parameters = {
+    "gatewayresponse.header.Cache-Control"             = "'no-cache'"
+    "gatewayresponse.header.Pragma"                    = "'no-store'"
+    "gatewayresponse.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"
+    "gatewayresponse.header.X-Frame-Options"           = "'DENY'"
+    "gatewayresponse.header.X-Content-Type-Options"    = "'nosniff'"
+    "gatewayresponse.header.Content-Security-Policy"   = "'default-src 'self''"
+  }
+
+  depends_on = [
+    aws_api_gateway_integration.di_endpoint_integration,
+    aws_api_gateway_resource.di_endpoint_change_event_path,
+    aws_api_gateway_method.di_endpoint_method,
+  ]
+}
+

infrastructure/stacks/shared-resources/api-gateway.tf

@@ -95,7 +95,8 @@ EOF
 resource "aws_api_gateway_deployment" "di_endpoint_deployment" {
   rest_api_id = aws_api_gateway_rest_api.di_endpoint.id
   depends_on = [
-    aws_api_gateway_rest_api_policy.di_endpoint_policy
+    aws_api_gateway_rest_api_policy.di_endpoint_policy,
+    aws_api_gateway_gateway_response.invalid_api_key_403_response
   ]
   triggers = {
     redeployment = join("", [md5(jsonencode([

infrastructure/stacks/shared-resources/data.tf

@@ -68,6 +68,22 @@ data "aws_iam_policy_document" "shared_resources_sns_topic_app_alerts_for_slack_
     }
     resources = [aws_sns_topic.shared_resources_sns_topic_app_alerts_for_slack_default_region.arn]
   }
+
+  statement {
+    sid     = "DenyNonSecureTransport"
+    effect  = "Deny"
+    actions = ["sns:Publish"]
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    resources = [aws_sns_topic.shared_resources_sns_topic_app_alerts_for_slack_default_region.arn]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
 }
 
 data "aws_iam_policy_document" "shared_resources_sns_topic_app_alerts_for_slack_access_alarm_region" {
@@ -80,6 +96,22 @@ data "aws_iam_policy_document" "shared_resources_sns_topic_app_alerts_for_slack_
     }
     resources = [aws_sns_topic.shared_resources_sns_topic_app_alerts_for_slack_route53_health_check_alarm_region.arn]
   }
+
+  statement {
+    sid     = "DenyNonSecureTransport"
+    effect  = "Deny"
+    actions = ["sns:Publish"]
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    resources = [aws_sns_topic.shared_resources_sns_topic_app_alerts_for_slack_route53_health_check_alarm_region.arn]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
 }
 
 data "aws_iam_role" "di_firehose_role" {

test/integration/features/F001_Valid_Change_Events.feature

@@ -59,7 +59,9 @@ Feature: F001. Ensure valid change events are converted and sent to DoS
   Scenario: F001SXX3. A Changed event with aligned data does not save an update to DoS
     Given a basic service is created
     When the Changed Event is sent for processing with "valid" api key
-    Then the "service-sync" lambda shows field "message" with value "No changes to save"
+    Then the change event response has status code "200"
+    And the response has security headers
+    And the "service-sync" lambda shows field "message" with value "No changes to save"
     And the service history is not updated
 
   @complete @general
@@ -511,3 +513,51 @@ Feature: F001. Ensure valid change events are converted and sent to DoS
       | " 0123456789"  | 0123456789     |
       | "0123456789 "  | 0123456789     |
       | "012 34567 89" | 0123456789     |
+
+
+  @complete @general
+  Scenario Outline: F001SX40. Changes are processed successfully for service_type = "134" with OrganisationSubType = "DistanceSelling"
+    Given an entry is created in the services table
+    And the service "service_type" is set to "134"
+    And the service "service_status" is set to "1"
+    And the entry is committed to the services table
+    And the change event "OrganisationSubType" is set to "DistanceSelling"
+    When the Changed Event is sent for processing with "valid" api key
+    Then the "service-sync" lambda shows field "message" with value "Update Request Success"
+    Then the Changed Event is stored in dynamo db
+    And the service history is not updated
+    When the change event "<field>" is set to "<value>"
+    When the Changed Event is sent for processing with "valid" api key
+    Then the Changed Event is stored in dynamo db
+    Then the "<DOS_field>" is updated within the DoS DB
+    And the service history shows "<service_hist_field>" change type is "modify"
+
+    Examples:
+      | field      | value                    | DOS_field     |service_hist_field |
+      | website    | www.testonetwo.com       | website       | cmsurl            |
+      | phone      | 22459436909              | phone         | cmstelephoneno    |
+      | Address1   | 5 Tester Way             | address       | postaladdress     |
+
+  @complete @general
+  Scenario: F001SX41. Changed Event with updated postcode to verify location changes with service_type = "134" and OrganisationSubType = "DistanceSelling"
+    Given an entry is created in the services table
+    And the service "service_type" is set to "134"
+    And the service "service_status" is set to "1"
+    And the entry is committed to the services table
+    And the change event "OrganisationSubType" is set to "DistanceSelling"
+    When the Changed Event is sent for processing with "valid" api key
+    Then the "service-sync" lambda shows field "message" with value "Update Request Success"
+    Then the Changed Event is stored in dynamo db
+    And the service history is not updated
+    When the change event "Postcode" is set to "PR4 2BE"
+    When the Changed Event is sent for processing with "valid" api key
+    Then the Changed Event is stored in dynamo db
+    Then DoS has "PR4 2BE" in the "Postcode" field
+    Then DoS has "KIRKHAM" in the "town" field
+    And DoS has "341832" in the "easting" field
+    And DoS has "432011" in the "northing" field
+    And DoS has "53.781108" in the "latitude" field
+    And DoS has "-2.886537" in the "longitude" field
+    And the service history is updated with the "Postcode"
+    And the service history shows "postalcode" change type is "modify"
+

test/integration/features/F002_Invalid_Change_Events.feature

@@ -62,3 +62,11 @@ Feature: F002. Invalid change event Exception handling
     And the change event has an additional date with no specified date
     When the Changed Event is sent for processing with "valid" api key
     Then the "service-sync" lambda shows field "message" with value "Opening times are not valid"
+
+  @complete @validation
+  Scenario: F002SXX9. A Changed Event where OrganisationSubType is NOT DistanceSelling is reported and ignored
+    Given a basic service is created with type "134"
+    And the change event "OrganisationSubType" is set to "Distance Selling"
+    When the Changed Event is sent for processing with "valid" api key
+    Then the "ingest-change-event" lambda shows field "message" with value "Validation Error - Unexpected Org Sub Type ID: 'Distance Selling'"
+    And the service history is not updated

test/integration/features/F003_DoS_Security.feature

@@ -5,4 +5,5 @@ Feature: F003. Endpoint security and reporting
     Given a basic service is created
     When the Changed Event is sent for processing with "invalid" api key
     Then the change event response has status code "403"
+    And the response has security headers
     And the Slack channel shows an alert saying "DI 4XX Endpoint Errors" from "SHARED_ENVIRONMENT"

test/integration/features/F004_Error_Handling.feature

@@ -5,6 +5,7 @@ Feature: F004. Error Handling
     Given a basic service is created
     When the Changed Event is sent for processing with no sequence id
     Then the change event response has status code "400"
+    And the response has security headers
 
   @complete @slack_and_infrastructure
   Scenario: F004SXX6. An Alphanumeric Sequence number raises a 400 Bad Request exception

test/integration/features/F005_Support_Functions.feature

@@ -7,6 +7,14 @@ Feature: F005. Support Functions
     Then the Changed Event is stored in dynamo db
     And the stored Changed Event is reprocessed in DI
 
+  @complete @general
+  Scenario: F005SXX1. An unprocessed Changed Event with service_type = "134" and OrganisationSubType = "DistanceSelling" is replayed in DI
+    Given a basic service is created with type "134"
+    And the change event "OrganisationSubType" is set to "DistanceSelling"
+    When the Changed Event is sent for processing with "valid" api key
+    Then the Changed Event is stored in dynamo db
+    And the stored Changed Event is reprocessed in DI
+
   @complete @slack_and_infrastructure
   Scenario: F005SXX2 SQS Message for Change Event DLQ Alert
     Given a basic service is created

test/integration/features/F006_Opening_Times.feature

@@ -79,3 +79,17 @@ Feature: F006. Opening times
     When the Changed Event is sent for processing with "valid" api key
     Then DoS is open from "10:00" until "16:00" on "Jan 01 2025"
     And the "service-sync" lambda does not show "report_key" with value "BLANK_STANDARD_OPENINGS"
+
+  @complete @opening_times
+  Scenario: F006SXX11. Confirm actual opening times change for specified date and time is captured by DoS with service_type = "134" and OrganisationSubType = "DistanceSelling"
+    Given a basic service is created with type "134"
+    And the change event "OrganisationSubType" is set to "DistanceSelling"
+    When the Changed Event is sent for processing with "valid" api key
+    Then the "service-sync" lambda shows field "message" with value "Update Request Success"
+    Then the Changed Event is stored in dynamo db
+    And the service history is not updated
+    When the change event is "open" on date "Dec 25 2028"
+    When the Changed Event is sent for processing with "valid" api key
+    Then the Changed Event is stored in dynamo db
+    Then the DoS service has been updated with the specified date is captured by DoS
+    And the service history is updated with the "added" specified opening times

test/integration/steps/functions/dos/get_data.py

@@ -60,17 +60,18 @@ def get_services_table_location_data(service_id: str) -> list:
     return loads(loads(response))
 
 
-def get_service_id(odscode: str) -> str:
+def get_service_id(odscode: str, typeid: int = 13) -> str:
     """Get service id.
 
     Args:
         odscode (str): ODSCode.
+        typeid (int, optional): Type ID. Defaults to 13. If not provided, the default value is 13.
 
     Returns:
         str: Service id.
     """
     data = []
-    query = f"SELECT id FROM services WHERE typeid = 13 AND statusid = 1 AND odscode like '{odscode}%' LIMIT 1"  # noqa: S608
+    query = f"SELECT id FROM services WHERE typeid = {typeid} AND statusid = 1 AND odscode like '{odscode}%' LIMIT 1"  # noqa: S608
     for _ in range(16):
         lambda_payload = {"type": "read", "query": query, "query_vars": None}
         response = invoke_dos_db_handler_lambda(lambda_payload)

test/integration/steps/functions/utils.py

@@ -80,10 +80,10 @@ def get_expected_data(context: Context, changed_data_name: str) -> Any:
     """Get the previous data from the context."""
     match changed_data_name.lower():
         case "phone_no" | "phone" | "public_phone" | "publicphone":
-            changed_data = context.phone
+            changed_data = context.generator_data["publicphone"]
         case "website" | "web":
-            changed_data = context.website
-        case "address":
+            changed_data = context.generator_data["web"]
+        case "address" | "address1":
             changed_data = get_address_string(context)
         case "postcode":
             changed_data = context.change_event["Postcode"]