Merge branch 'master' into RDM-4374

* master:
  RDM-4542: Use lowercase email for User Profile retrieval (#452)
  FR-901
  Revert "RDM-3325: White space validation rules applied on text fields (#284)" (#459)
  RDM-4610: CVE-2019-0232 fix (#458)
  increased default callback timeout from 15sec to 60 sec
  Rdm 3897- Retrieve all the case data (#376)
  RDM-3325: White space validation rules applied on text fields (#284)
  RDM-4369: Support reserved characters in userId email address (#420)
  Add externalId index for CMC (#418)
  Fix OWASP issue (#456)
  SIDAM Switch

Author: mohammedanas

build.gradle

@@ -1,6 +1,6 @@
 buildscript {
     ext {
-        springBootVersion = '2.1.3.RELEASE'
+        springBootVersion = '2.1.4.RELEASE'
     }
     dependencies {
         classpath 'org.jsonschema2pojo:jsonschema2pojo-gradle-plugin:0.5.1'
@@ -256,6 +256,15 @@ dependencyManagement {
     imports {
         mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
     }
+
+    dependencies {
+        // CVE-2019-0232 - Java and Command Line injections in Windows
+        dependencySet(group: 'org.apache.tomcat.embed', version: '9.0.19') {
+            entry 'tomcat-embed-core'
+            entry 'tomcat-embed-el'
+            entry 'tomcat-embed-websocket'
+        }
+    }
 }
 
 task projectVersion {

charts/ccd-data-store-api/values.yaml

@@ -22,7 +22,7 @@ java:
 
     CCD_DRAFT_TTL_DAYS: 180
 
-    DATA_STORE_S2S_AUTHORISED_SERVICES: ccd_data,ccd_gw,ccd_ps,probate_backend,divorce_ccd_submission,sscs,sscs_bulkscan,cmc,cmc_claim_store,jui_webapp,pui_webapp,bulk_scan_orchestrator,fpl_case_service,iac,finrem_ccd_data_migrator
+    DATA_STORE_S2S_AUTHORISED_SERVICES: ccd_data,ccd_gw,ccd_ps,probate_backend,divorce_ccd_submission,sscs,sscs_bulkscan,cmc,cmc_claim_store,jui_webapp,pui_webapp,bulk_scan_orchestrator,fpl_case_service,iac,finrem_ccd_data_migrator,finrem_case_orchestration
 
     DEFINITION_CACHE_MAX_IDLE_SEC: 259200
     DEFINITION_CACHE_LATEST_VERSION_TTL_SEC: 1
@@ -46,4 +46,3 @@ java:
     CCD_DEFAULTPRINTURL: https://return-case-doc-ccd.nonprod.platform.hmcts.net/jurisdictions/:jid/case-types/:ctid/cases/:cid
   postgresql:
     postgresqlDatabase: ccd_data_store
-     

dependency-check-suppressions.xml

@@ -137,6 +137,12 @@
         <gav regex="true">^org\.springframework:spring-.+:.*$</gav>
         <cve>CVE-2018-15756</cve>
     </suppress>
+    <suppress>
+        <notes>We are using SecureRandom without a custom seed so not affected. This will however be
+            fixed with spring boot 2.1.4 upgrade which is using spring-security.* of 5.1.5 or higher</notes>
+        <gav regex="true">^org\.springframework:spring-security.+:.*$</gav>
+        <cve>CVE-2019-3795</cve>
+    </suppress>
 
     <suppress>
         <notes><![CDATA[

infrastructure/main.tf

@@ -99,6 +99,7 @@ module "ccd-data-store-api" {
   asp_rg = "${(var.asp_rg == "use_shared") ? local.sharedASPResourceGroup : var.asp_rg}"
   website_local_cache_sizeinmb = 2000
   capacity = "${var.capacity}"
+  java_container_version = "9.0"
 
   app_settings = {
     DATA_STORE_DB_HOST = "${module.data-store-db.host_name}"

infrastructure/prod.tfvars

@@ -12,7 +12,6 @@ database_sku_name = "GP_Gen5_8"
 database_sku_capacity = "8"
 
 http_client_connection_timeout = 10000
-#http_client_read_timeout = 15000
 http_client_max_total = 200
 #http_client_seconds_idle_connection = 120
 http_client_max_client_per_route = 40

infrastructure/saat.tfvars

@@ -1,4 +1,4 @@
-idam_api_url = "https://idam-api-idam-saat.service.core-compute-idam-saat.internal"
+idam_api_url = "http://idam-api-idam-saat.service.core-compute-idam-saat.internal"
 asp_name = "ccd-data-store-api-saat"
 asp_rg = "ccd-data-store-api-saat"
 elastic_search_enabled = "false"

infrastructure/sprod.tfvars

@@ -9,7 +9,6 @@ database_sku_capacity = "8"
 database_storage_mb = "52224"
 
 http_client_connection_timeout = 10000
-#http_client_read_timeout = 15000
 http_client_max_total = 200
 #http_client_seconds_idle_connection = 120
 http_client_max_client_per_route = 40

infrastructure/variables.tf

@@ -108,7 +108,7 @@ variable "database_storage_mb" {
 
 variable "authorised-services" {
   type    = "string"
-  default = "ccd_data,ccd_gw,ccd_ps,probate_backend,divorce_ccd_submission,sscs,sscs_bulkscan,cmc,cmc_claim_store,jui_webapp,pui_webapp,bulk_scan_orchestrator,fpl_case_service,iac,finrem_ccd_data_migrator"
+  default = "ccd_data,ccd_gw,ccd_ps,probate_backend,divorce_ccd_submission,sscs,sscs_bulkscan,cmc,cmc_claim_store,jui_webapp,pui_webapp,bulk_scan_orchestrator,fpl_case_service,iac,finrem_ccd_data_migrator,finrem_case_orchestration"
 }
 
 variable "idam_api_url" {
@@ -183,7 +183,7 @@ variable "http_client_connection_timeout" {
 
 variable "http_client_read_timeout" {
   type = "string"
-  default = "15000"
+  default = "60000"
 }
 
 variable "http_client_max_total" {

src/main/java/uk/gov/hmcts/ccd/ApplicationParams.java

@@ -103,7 +103,7 @@ public class ApplicationParams {
     @Value("${search.elastic.nodes.discovery.filter}")
     private String elasticsearchNodeDiscoveryFilter;
 
-    private static String encode(final String stringToEncode) {
+    public static String encode(final String stringToEncode) {
         try {
             return URLEncoder.encode(stringToEncode, "UTF-8");
         } catch (UnsupportedEncodingException e) {

src/main/java/uk/gov/hmcts/ccd/data/user/DefaultUserRepository.java

@@ -1,9 +1,12 @@
 package uk.gov.hmcts.ccd.data.user;
 
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
 
@@ -21,9 +24,10 @@
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Repository;
-import org.springframework.web.client.HttpStatusCodeException;
 import org.springframework.web.client.RestClientException;
+import org.springframework.web.client.RestClientResponseException;
 import org.springframework.web.client.RestTemplate;
+import org.springframework.web.util.UriComponentsBuilder;
 import uk.gov.hmcts.ccd.ApplicationParams;
 import uk.gov.hmcts.ccd.AuthCheckerConfiguration;
 import uk.gov.hmcts.ccd.data.SecurityUtils;
@@ -111,17 +115,22 @@ public UserDefault getUserDefaultSettings(final String userId) {
             LOG.debug("retrieving default user settings for user {}", userId);
             final HttpEntity requestEntity = new HttpEntity(securityUtils.authorizationHeaders());
             final Map<String, String> queryParams = new HashMap<>();
-            queryParams.put("uid", userId);
-            return restTemplate.exchange(applicationParams.userDefaultSettingsURL(),
-                HttpMethod.GET, requestEntity, UserDefault.class, queryParams).getBody();
-        } catch (HttpStatusCodeException e) {
+            queryParams.put("uid", ApplicationParams.encode(userId.toLowerCase()));
+            final String encodedUrl = UriComponentsBuilder.fromHttpUrl(applicationParams.userDefaultSettingsURL())
+                .buildAndExpand(queryParams).toUriString();
+            return restTemplate.exchange(new URI(encodedUrl), HttpMethod.GET, requestEntity, UserDefault.class)
+                .getBody();
+        } catch (RestClientResponseException e) {
             LOG.error("Failed to retrieve user profile", e);
-            final List<String> headerMessages = e.getResponseHeaders().get("Message");
+            final List<String> headerMessages = Optional.ofNullable(e.getResponseHeaders())
+                .map(headers -> headers.get("Message")).orElse(null);
             final String message = headerMessages != null ? headerMessages.get(0) : e.getMessage();
             if (message != null) {
                 throw new BadRequestException(message);
             }
             throw new ServiceException("Problem getting user default settings for " + userId);
+        } catch (URISyntaxException e) {
+            throw new BadRequestException(e.getMessage());
         }
     }
 

src/main/java/uk/gov/hmcts/ccd/domain/model/std/CaseDataContent.java

@@ -31,6 +31,9 @@ public class CaseDataContent {
     @JsonProperty("draft_id")
     private String draftId;
 
+    @JsonProperty("case_reference")
+    private String caseReference;
+
     public Event getEvent() {
         return event;
     }
@@ -99,4 +102,12 @@ public String getDraftId() {
     public void setDraftId(String draftId) {
         this.draftId = draftId;
     }
+
+    public String getCaseReference() {
+        return caseReference;
+    }
+
+    public void setCaseReference(String caseReference) {
+        this.caseReference = caseReference;
+    }
 }

src/main/java/uk/gov/hmcts/ccd/domain/service/common/CaseService.java

@@ -13,6 +13,7 @@
 import uk.gov.hmcts.ccd.data.casedetails.CachedCaseDetailsRepository;
 import uk.gov.hmcts.ccd.data.casedetails.CaseDetailsRepository;
 import uk.gov.hmcts.ccd.domain.model.definition.CaseDetails;
+import uk.gov.hmcts.ccd.domain.model.std.CaseDataContent;
 import uk.gov.hmcts.ccd.endpoint.exceptions.BadRequestException;
 import uk.gov.hmcts.ccd.endpoint.exceptions.ResourceNotFoundException;
 
@@ -47,7 +48,7 @@ public String hashData(CaseDetails caseDetails) {
     }
 
     /**
-     * @param caseTypeId     caseTypeId of new case details
+     * @param caseTypeId caseTypeId of new case details
      * @param jurisdictionId jurisdictionId of new case details
      * @return <code>CaseDetails</code> - new case details object
      */
@@ -59,6 +60,17 @@ public CaseDetails createNewCaseDetails(String caseTypeId, String jurisdictionId
         return caseDetails;
     }
 
+    /**
+     * @param content Data received from the client.
+     * @param caseDetails of the case.
+     * @return <code>Optional&lt;CaseDetails&gt;<code/> - CaseDetails wrapped in Optional
+     */
+    public CaseDetails populateCurrentCaseDetailsWithEventFields(CaseDataContent content, CaseDetails caseDetails) {
+
+            content.getEventData().forEach((key, value) -> caseDetails.getData().put(key, value));
+            return caseDetails;
+    }
+
     public CaseDetails clone(CaseDetails source) {
         final CaseDetails clone;
 

src/main/java/uk/gov/hmcts/ccd/domain/service/createevent/MidEventCallback.java

@@ -8,6 +8,7 @@
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.node.ObjectNode;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Service;
@@ -62,16 +63,28 @@ public JsonNode invoke(String caseTypeId,
                 .findFirst();
 
             if (wizardPageOptional.isPresent() && !isBlank(wizardPageOptional.get().getCallBackURLMidEvent())) {
-                CaseDetails newCaseDetails = caseService.createNewCaseDetails(caseTypeId, caseType.getJurisdictionId(),
-                                                                              content.getEventData() == null ? content.getData() : content.getEventData());
-
-                CaseDetails caseDetails = callbackInvoker.invokeMidEventCallback(wizardPageOptional.get(),
-                                                                                 caseType,
-                                                                                 caseEvent,
-                                                                                 null,
-                                                                                 newCaseDetails,
-                                                                                 content.getIgnoreWarning());
-                return dataJsonNode(caseDetails.getData());
+
+                CaseDetails caseDetailsBefore = null;
+                CaseDetails currentOrNewCaseDetails;
+                if (StringUtils.isNotEmpty(content.getCaseReference())) {
+                    CaseDetails caseDetails = caseService.getCaseDetails(caseType.getJurisdictionId(), content.getCaseReference());
+                    caseDetailsBefore = caseService.clone(caseDetails);
+                    currentOrNewCaseDetails = caseService.populateCurrentCaseDetailsWithEventFields(content,
+                        caseDetails);
+
+                } else {
+                    currentOrNewCaseDetails = caseService.createNewCaseDetails(caseTypeId, caseType.getJurisdictionId(),
+                        content.getEventData() == null ? content.getData() : content.getEventData());
+                }
+
+                CaseDetails caseDetailsFromMidEventCallback = callbackInvoker.invokeMidEventCallback(wizardPageOptional.get(),
+                    caseType,
+                    caseEvent,
+                    caseDetailsBefore,
+                    currentOrNewCaseDetails,
+                    content.getIgnoreWarning());
+
+                return dataJsonNode(caseDetailsFromMidEventCallback.getData());
             }
         }
         return dataJsonNode(content.getData());

src/main/resources/db/changelog/db.changelog-RDM-4396.xml

@@ -0,0 +1,14 @@
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
+
+
+    <changeSet id="rdm-4396" author="[email protected]">
+        <sql dbms="postgresql"
+             endDelimiter="\nGO"
+             splitStatements="true"
+             stripComments="true">
+            CREATE INDEX idx_case_data_case_external_id ON public.case_data USING BTREE ((TRIM(UPPER(data#>>'{externalId}'))));
+        </sql>
+    </changeSet>
+</databaseChangeLog>

src/main/resources/db/changelog/db.changelog-master.xml

@@ -23,4 +23,5 @@
     <include file="db/changelog/db.changelog-RDM-3922.xml"/>
     <include file="db/changelog/db.changelog-RDM-3922-part-2.xml"/>
     <include file="db/changelog/db.changelog-RDM-4060-part-1.xml"/>
+    <include file="db/changelog/db.changelog-RDM-4396.xml"/>
 </databaseChangeLog>