add encryption on secret used to do request on user-service (#90)

* add encryption on secret used to do request on user-service * fix vulnerability
cabinetoffice · Mar 22, 2024 · 3b7504a · 3b7504a
1 parent 26f97e3
commit 3b7504a
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 10 deletions.
diff --git a/.env.example b/.env.example
@@ -31,6 +31,7 @@ IS_SERVICE_DOWN=false
 FIND_ACCOUNTS_MIGRATION_ENABLED=true
 FRONT_END_HOST=http://localhost:3001/
 SUBSCRIPTIONS_PER_BATCH=50
-LAMBDA_SECRET=lambdaSecretKey
+USER_SERVICE_SECRET=userServiceSecret
+USER_SERVICE_PUBLIC_KEY=userServicePublicKey
 USER_SERVICE_URL=http://localhost:8082
 PORT=3001
diff --git a/package.json b/package.json
@@ -57,6 +57,7 @@
         "@types/luxon": "3.3.0",
         "@types/node": "20.2.5",
         "@types/node-cron": "3.0.1",
+        "@types/node-rsa": "^1.1.4",
         "@types/supertest": "2.0.11",
         "@typescript-eslint/eslint-plugin": "6.9.0",
         "@typescript-eslint/parser": "6.9.0",
@@ -66,6 +67,7 @@
         "eslint-plugin-prettier": "4.0.0",
         "jest": "29.5.0",
         "jest-matcher-specific-error": "1.0.0",
+        "node-rsa": "^1.1.1",
         "prettier": "2.3.2",
         "source-map-support": "0.5.20",
         "supertest": "6.1.3",
@@ -97,7 +99,8 @@
         "testEnvironment": "node"
     },
     "resolutions": {
-        "xml2js": "0.5.0"
+        "xml2js": "0.5.0",
+        "follow-redirects": "1.15.6"
     },
     "packageManager": "yarn@3.6.0"
 }
diff --git a/src/encryption/encryptionV2.service.ts b/src/encryption/encryptionV2.service.ts
@@ -5,6 +5,7 @@ import {
     CommitmentPolicy,
     KmsKeyringNode,
 } from '@aws-crypto/client-node';
+import NodeRSA from 'node-rsa';
 
 @Injectable()
 export class EncryptionServiceV2 {
@@ -78,4 +79,12 @@ export class EncryptionServiceV2 {
         if (typeof str === 'string') return Buffer.from(str, 'base64');
         return Buffer.from(str);
     }
+
+    encryptSecretWithPublicKey = (data: string, publicKey: string): string => {
+        const key = new NodeRSA();
+        const publicKeyWithBeginAndEnd = `-----BEGIN PUBLIC KEY-----${publicKey}-----END PUBLIC KEY-----`;
+        key.importKey(publicKeyWithBeginAndEnd, 'pkcs8-public-pem');
+
+        return key.encrypt(data, 'base64');
+    };
 }
diff --git a/src/notifications/v2/notifications.helper.ts b/src/notifications/v2/notifications.helper.ts
@@ -21,7 +21,8 @@ export class NotificationsHelper {
     private FRONT_END_HOST: string;
     private USER_SERVICE_URL: string;
     private SUBSCRIPTIONS_PER_BATCH: number;
-    private LAMBDA_SECRET: string;
+    private USER_SERVICE_SECRET: string;
+    private USER_SERVICE_PUBLIC_KEY: string;
 
     constructor(
         private configService: ConfigService,
@@ -34,7 +35,12 @@ export class NotificationsHelper {
         this.SUBSCRIPTIONS_PER_BATCH = parseInt(
             this.configService.get<string>('SUBSCRIPTIONS_PER_BATCH') ?? '50',
         );
-        this.LAMBDA_SECRET = this.configService.get<string>('LAMBDA_SECRET');
+        this.USER_SERVICE_SECRET = this.configService.get<string>(
+            'USER_SERVICE_SECRET',
+        );
+        this.USER_SERVICE_PUBLIC_KEY = this.configService.get<string>(
+            'USER_SERVICE_PUBLIC_KEY',
+        );
     }
 
     async getUserServiceEmailsBySubBatch(batchOfSubs: string[]) {
@@ -44,7 +50,11 @@ export class NotificationsHelper {
             {
                 headers: {
                     'Content-Type': 'application/json',
-                    Authorization: this.LAMBDA_SECRET,
+                    Authorization:
+                        this.encryptionServiceV2.encryptSecretWithPublicKey(
+                            this.USER_SERVICE_SECRET,
+                            this.USER_SERVICE_PUBLIC_KEY,
+                        ),
                 },
             },
         );

diff --git a/yarn.lock b/yarn.lock
@@ -2575,6 +2575,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/node-rsa@npm:^1.1.4":
+  version: 1.1.4
+  resolution: "@types/node-rsa@npm:1.1.4"
+  dependencies:
+    "@types/node": "*"
+  checksum: cd607463b7954dd0eda390e0710fa5fdc1a26e716baefd77134f54893ed57bfbf1906f3a354f43f89174aa37ac6f05fa450b708e516a4a8fa643e0d2f8e26106
+  languageName: node
+  linkType: hard
+
 "@types/node@npm:*":
   version: 20.10.7
   resolution: "@types/node@npm:20.10.7"
@@ -3229,6 +3238,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"asn1@npm:^0.2.4":
+  version: 0.2.6
+  resolution: "asn1@npm:0.2.6"
+  dependencies:
+    safer-buffer: ~2.1.0
+  checksum: 39f2ae343b03c15ad4f238ba561e626602a3de8d94ae536c46a4a93e69578826305366dc09fbb9b56aec39b4982a463682f259c38e59f6fa380cd72cd61e493d
+  languageName: node
+  linkType: hard
+
 "asynckit@npm:^0.4.0":
   version: 0.4.0
   resolution: "asynckit@npm:0.4.0"
@@ -4847,13 +4865,13 @@ __metadata:
   languageName: node
   linkType: hard
 
-"follow-redirects@npm:^1.15.4":
-  version: 1.15.4
-  resolution: "follow-redirects@npm:1.15.4"
+"follow-redirects@npm:1.15.6":
+  version: 1.15.6
+  resolution: "follow-redirects@npm:1.15.6"
   peerDependenciesMeta:
     debug:
       optional: true
-  checksum: e178d1deff8b23d5d24ec3f7a94cde6e47d74d0dc649c35fc9857041267c12ec5d44650a0c5597ef83056ada9ea6ca0c30e7c4f97dbf07d035086be9e6a5b7b6
+  checksum: a62c378dfc8c00f60b9c80cab158ba54e99ba0239a5dd7c81245e5a5b39d10f0c35e249c3379eae719ff0285fff88c365dd446fab19dee771f1d76252df1bbf5
   languageName: node
   linkType: hard
 
@@ -5033,6 +5051,7 @@ __metadata:
     "@types/luxon": 3.3.0
     "@types/node": 20.2.5
     "@types/node-cron": 3.0.1
+    "@types/node-rsa": ^1.1.4
     "@types/supertest": 2.0.11
     "@typescript-eslint/eslint-plugin": 6.9.0
     "@typescript-eslint/parser": 6.9.0
@@ -5047,6 +5066,7 @@ __metadata:
     jest-matcher-specific-error: 1.0.0
     jsonwebtoken: 9.0.0
     luxon: 3.3.0
+    node-rsa: ^1.1.1
     notifications-node-client: ^8.0.0
     pg: 8.7.3
     prettier: 2.3.2
@@ -6954,6 +6974,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"node-rsa@npm:^1.1.1":
+  version: 1.1.1
+  resolution: "node-rsa@npm:1.1.1"
+  dependencies:
+    asn1: ^0.2.4
+  checksum: c03a6c8f69557326d2110086ce9610b4b17ef0fd594f76202225b7eb93fc0b342fb31714f6b3cf8d38320cf63c4790a3034e5d47a12f2c27d1900599ec9bd545
+  languageName: node
+  linkType: hard
+
 "nopt@npm:^7.0.0":
   version: 7.2.0
   resolution: "nopt@npm:7.2.0"
@@ -7816,7 +7845,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"safer-buffer@npm:>= 2.1.2 < 3, safer-buffer@npm:>= 2.1.2 < 3.0.0, safer-buffer@npm:^2.1.0":
+"safer-buffer@npm:>= 2.1.2 < 3, safer-buffer@npm:>= 2.1.2 < 3.0.0, safer-buffer@npm:^2.1.0, safer-buffer@npm:~2.1.0":
   version: 2.1.2
   resolution: "safer-buffer@npm:2.1.2"
   checksum: cab8f25ae6f1434abee8d80023d7e72b598cf1327164ddab31003c51215526801e40b66c5e65d658a0af1e9d6478cadcb4c745f4bd6751f97d8644786c0978b0