API-7018: Improve Content Security Policy using latest play-bootstrap (…

…hmrc#471)

* API-7018: Tidy up of CSP to remove config done by play-bootstrap 7.15.0 and above

* API-7018: Build cleanup

* API-7018: Style and formatting

* API-7018: PR recommendations

* API-7018: Switch off CSP report-uri for local testing

app/uk/gov/hmrc/apidocumentation/config/ApplicationConfig.scala

@@ -106,7 +106,7 @@ class ApplicationConfigImpl @Inject() (config: Configuration)
 
   val cookieSettingsUrl: String = s"/${getString("tracking-consent-frontend.cookie-settings-path")}"
 
-  val oasFetchResolvedMaxDuration: Long = config.getMillis("oasFetchResolvedMaxDurationMilliseconds")
+  val oasFetchResolvedMaxDuration: Long   = config.getMillis("oasFetchResolvedMaxDurationMilliseconds")
   val oasFetchResolvedUsingHttps: Boolean = getBoolean("oasFetchResolvedUsingHttps")
 
   private def platformBaseUrl(key: String) = {

app/uk/gov/hmrc/apidocumentation/controllers/AuthorisationController.scala

@@ -23,7 +23,7 @@ import play.api.mvc._
 import uk.gov.hmrc.play.bootstrap.frontend.controller.FrontendController
 
 import uk.gov.hmrc.apidocumentation.config.ApplicationConfig
-import uk.gov.hmrc.apidocumentation.models.{Breadcrumbs, Crumb}
+import uk.gov.hmrc.apidocumentation.models.Crumb
 import uk.gov.hmrc.apidocumentation.services._
 import uk.gov.hmrc.apidocumentation.util.ApplicationLogger
 import uk.gov.hmrc.apidocumentation.views.html._

app/uk/gov/hmrc/apidocumentation/controllers/DocumentationController.scala

@@ -56,19 +56,19 @@ class DocumentationController @Inject() (
     with TermsCrumb
     with ApplicationLogger {
 
-
   def indexPage(): Action[AnyContent] = headerNavigation {
     def extractDeveloperIdentifier(f: Future[Option[Developer]]): Future[Option[DeveloperIdentifier]] = {
       f.map(o =>
         o.map(d => UuidIdentifier(d.userId))
       )
     }
 
-    implicit request => navLinks =>
-      for {
-        userId <- extractDeveloperIdentifier(loggedInUserService.fetchLoggedInUser())
-        isLoggedIn = userId.isDefined
-      } yield Ok(indexView("Home", navLinks, isLoggedIn))
+    implicit request =>
+      navLinks =>
+        for {
+          userId    <- extractDeveloperIdentifier(loggedInUserService.fetchLoggedInUser())
+          isLoggedIn = userId.isDefined
+        } yield Ok(indexView("Home", navLinks, isLoggedIn))
   }
 
   def tutorialsPage(): Action[AnyContent] = headerNavigation {

app/uk/gov/hmrc/apidocumentation/controllers/OpenApiDocumentationController.scala

@@ -22,6 +22,7 @@ import javax.inject.{Inject, Singleton}
 import scala.concurrent.Future.successful
 import scala.concurrent.duration.FiniteDuration
 import scala.concurrent.{ExecutionContext, Future, blocking}
+import scala.jdk.CollectionConverters._
 
 import akka.actor.ActorSystem
 import io.swagger.v3.core.util.Yaml
@@ -43,8 +44,6 @@ import uk.gov.hmrc.apidocumentation.services.{ApiDefinitionService, LoggedInUser
 import uk.gov.hmrc.apidocumentation.util.ApplicationLogger
 import uk.gov.hmrc.apidocumentation.views.html._
 
-import scala.jdk.CollectionConverters._
-
 @Singleton
 class OpenApiDocumentationController @Inject() (
     openApiViewRedoc: OpenApiViewRedoc,
@@ -138,7 +137,7 @@ class OpenApiDocumentationController @Inject() (
     parseOptions.setResolve(true)
     parseOptions.setResolveFully(true)
 
-    val emptyAuthList = java.util.Collections.emptyList[io.swagger.v3.parser.core.models.AuthorizationValue]()
+    val emptyAuthList   = java.util.Collections.emptyList[io.swagger.v3.parser.core.models.AuthorizationValue]()
     val fetchUsingHttps = appConfig.oasFetchResolvedUsingHttps
     val oasFileLocation = routes.OpenApiDocumentationController.fetchOas(service, version).absoluteURL(fetchUsingHttps)
 

app/uk/gov/hmrc/apidocumentation/views/OpenApiPreviewView.scala.html

@@ -46,7 +46,7 @@ <h2 class="govuk-label-wrapper">
             <button class="govuk-button" type="submit" value="Submit" data-module="govuk-button">
                 Submit
             </button>
-            <a class="govuk-link govuk-link--no-visited-state" href="@routes.OpenApiDocumentationController.previewApiDocumentationPage.url">
+            <a class="govuk-link govuk-link--no-visited-state" href="@routes.OpenApiDocumentationController.previewApiDocumentationPage().url">
                 Reset
             </a>
         </div>

app/uk/gov/hmrc/apidocumentation/views/TermsOfUseNotMeetingView.scala.html

@@ -44,8 +44,8 @@ <h1 class="govuk-heading-l">If your software doesn’t meet our terms of use</h1
   <hr class="govuk-section-break govuk-section-break--xl govuk-section-break--visible">
 
   <ul class="govuk-list">
-    <li><a class="govuk-link govuk-link--no-visited-state" href="@controllers.routes.DocumentationController.termsOfUseWhatYouCanExpectPage">What you can expect from us</a></li>
-    <li><a class="govuk-link govuk-link--no-visited-state" href="@controllers.routes.DocumentationController.termsOfUsePage">Terms of use main page</a></li>
+    <li><a class="govuk-link govuk-link--no-visited-state" href="@controllers.routes.DocumentationController.termsOfUseWhatYouCanExpectPage()">What you can expect from us</a></li>
+    <li><a class="govuk-link govuk-link--no-visited-state" href="@controllers.routes.DocumentationController.termsOfUsePage()">Terms of use main page</a></li>
   </ul>
 
 </div>

app/uk/gov/hmrc/apidocumentation/views/TermsOfUseView.scala.html

@@ -29,7 +29,7 @@
 <div class="panel panel-border-wide">
     <p class="govuk-body">
         The current Terms of Use could not be loaded.
-        Please <a class="govuk-link" href="@controllers.routes.DocumentationController.termsOfUsePage">try again</a> later.
+        Please <a class="govuk-link" href="@controllers.routes.DocumentationController.termsOfUsePage()">try again</a> later.
     </p>
 </div>
 }

app/uk/gov/hmrc/apidocumentation/views/TermsOfUseWhatYouCanExpectView.scala.html

@@ -41,8 +41,8 @@ <h1 class="govuk-heading-l">What you can expect from us</h1>
     <hr class="govuk-section-break govuk-section-break--xl govuk-section-break--visible">
 
     <ul class="govuk-list">
-      <li><a class="govuk-link govuk-link--no-visited-state" href="@controllers.routes.DocumentationController.termsOfUseNotMeetingPage">Not meeting our terms of use</a></li>
-      <li><a class="govuk-link govuk-link--no-visited-state" href="@controllers.routes.DocumentationController.termsOfUsePage">Terms of use main page</a></li>
+      <li><a class="govuk-link govuk-link--no-visited-state" href="@controllers.routes.DocumentationController.termsOfUseNotMeetingPage()">Not meeting our terms of use</a></li>
+      <li><a class="govuk-link govuk-link--no-visited-state" href="@controllers.routes.DocumentationController.termsOfUsePage()">Terms of use main page</a></li>
     </ul>
   </div>
 }

build.sbt

@@ -11,18 +11,14 @@ import bloop.integrations.sbt.BloopDefaults
 
 Global / bloopAggregateSourceDependencies := true
 
+scalaVersion := "2.13.8"
+
 ThisBuild / scalafixDependencies += "com.github.liancheng" %% "organize-imports" % "0.6.0"
+ThisBuild / semanticdbEnabled := true
+ThisBuild / semanticdbVersion := scalafixSemanticdb.revision
 
 ThisBuild / evictionWarningOptions := EvictionWarningOptions.default.withWarnScalaVersionEviction(false)
 
-inThisBuild(
-  List(
-    scalaVersion := "2.13.8",
-    semanticdbEnabled := true,
-    semanticdbVersion := scalafixSemanticdb.revision
-  )
-)
-
 lazy val plugins: Seq[Plugins] = Seq(PlayScala, SbtDistributablesPlugin)
 lazy val playSettings: Seq[Setting[_]] = Seq.empty
 lazy val microservice = Project(appName, file("."))
@@ -86,10 +82,16 @@ lazy val microservice = Project(appName, file("."))
 
   .settings(DefaultBuildSettings.integrationTestSettings())
 
-  .settings(scalaVersion := "2.13.8")
   .settings(headerSettings(AcceptanceTest) ++ automateHeaderSettings(AcceptanceTest))
-  .settings(SilencerSettings())
 
+  .settings(
+    scalacOptions ++= Seq(
+      "-Wconf:cat=unused&src=views/.*\\.scala:s",
+      "-Wconf:cat=unused&src=.*RoutesPrefix\\.scala:s",
+      "-Wconf:cat=unused&src=.*Routes\\.scala:s",
+      "-Wconf:cat=unused&src=.*ReverseRoutes\\.scala:s"
+    )
+  )
 lazy val AcceptanceTest = config("acceptance") extend Test
 
 lazy val appName = "api-documentation-frontend"

conf/application.conf

@@ -28,12 +28,6 @@ appName = "api-documentation-frontend"
 # !!!WARNING!!! DO NOT CHANGE THIS ROUTER
 play.http.router = prod.Routes
 
-# An ApplicationLoader that uses Guice to bootstrap the application.
-play.application.loader = "uk.gov.hmrc.play.bootstrap.ApplicationLoader"
-
-# Primary entry point for all HTTP requests on Play applications
-play.http.requestHandler = "uk.gov.hmrc.play.bootstrap.http.RequestHandler"
-
 # Provides an implementation of AuditConnector. Use `uk.gov.hmrc.play.bootstrap.AuditModule` or create your own.
 # An audit connector must be provided.
 play.modules.enabled += "uk.gov.hmrc.play.audit.AuditModule"
@@ -59,15 +53,6 @@ feedbackBanner {
   }
 }
 
-metrics {
-  name = ${appName}
-  rateUnit = SECONDS
-  durationUnit = SECONDS
-  showSamples = true
-  jvm = false
-  enabled = false
-}
-
 platform {
   production {
     api {
@@ -87,7 +72,7 @@ platform {
   }
 }
 
-play.filters.csp.directives.script-src = ${play.filters.csp.nonce.pattern} "'strict-dynamic' 'unsafe-inline' https: http:"
+play.filters.csp.directives.report-uri = 'none'
 
 retryCount = 3
 retryDelayMilliseconds = 500
@@ -127,17 +112,6 @@ features {
   subordinateBaseUrl = "https://api.development.tax.service.gov.uk"
 }
 
-auditing {
-  enabled = false
-
-  consumer {
-    baseUri {
-      host = "localhost"
-      port = 8100
-    }
-  }
-}
-
 xml-api {
   base-url = "https://www.gov.uk"
 }

project/AppDependencies.scala

@@ -6,7 +6,7 @@ object AppDependencies {
   def apply(): Seq[ModuleID] = compile ++ test
 
   lazy val playJsonVersion = "2.9.2"
-  lazy val bootstrapVersion = "7.14.0"
+  lazy val bootstrapVersion = "7.19.0"
   lazy val seleniumVersion = "4.2.0"
   lazy val jacksonDatabindVersion = "2.10.5.1"
   lazy val jacksonVersion = "2.10.5"
@@ -17,7 +17,7 @@ object AppDependencies {
     "uk.gov.hmrc"                           %% "bootstrap-frontend-play-28"   % bootstrapVersion,
     "uk.gov.hmrc"                           %% "http-metrics"                 % "2.7.0",
     "uk.gov.hmrc"                           %% "play-partials"                % "8.4.0-play-28",
-    "uk.gov.hmrc"                           %% "play-frontend-hmrc"           % "7.3.0-play-28",
+    "uk.gov.hmrc"                           %% "play-frontend-hmrc"           % "7.14.0-play-28",
     "org.typelevel"                         %% "cats-core"                    % "2.6.1",
     "org.commonjava.googlecode.markdown4j"  %  "markdown4j"                   % "2.2-cj-1.1",
     "com.typesafe.play"                     %% "play-json"                    % playJsonVersion,

run_local_with_dependencies.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-sm --start API_DEFINITION THIRD_PARTY_APPLICATION API_EXAMPLE_MICROSERVICE API_PLATFORM_MICROSERVICE THIRD_PARTY_DEVELOPER_FRONTEND CONTACT_FRONTEND API_PLATFORM_XML_SERVICES
+sm2 --start API_DEFINITION THIRD_PARTY_APPLICATION API_EXAMPLE_MICROSERVICE API_PLATFORM_MICROSERVICE THIRD_PARTY_DEVELOPER_FRONTEND CONTACT_FRONTEND API_PLATFORM_XML_SERVICES
 
 
 ./run_local.sh

test/uk/gov/hmrc/apidocumentation/controllers/DocumentationControllerSpec.scala

@@ -32,10 +32,9 @@ import uk.gov.hmrc.apidocumentation.controllers.utils._
 import uk.gov.hmrc.apidocumentation.mocks.config._
 import uk.gov.hmrc.apidocumentation.mocks.services._
 import uk.gov.hmrc.apidocumentation.models._
-import uk.gov.hmrc.apidocumentation.services.PartialsService
+import uk.gov.hmrc.apidocumentation.services.{LoggedInUserService, PartialsService}
 import uk.gov.hmrc.apidocumentation.views.html.{TermsOfUseNotMeetingView, TermsOfUseWhatYouCanExpectView, _}
 import uk.gov.hmrc.apidocumentation.{ErrorHandler, controllers}
-import uk.gov.hmrc.apidocumentation.services.LoggedInUserService
 
 class DocumentationControllerSpec
     extends CommonControllerBaseSpec

test/uk/gov/hmrc/apidocumentation/models/DocumentationSpec.scala

@@ -393,17 +393,17 @@ class DocumentationSpec extends HmrcSpec {
 
   "nameAsId" should {
     "swap spaces for hyphens and lower case" in {
-      val api1        = anApiDefinition("Hello World")
+      val api1 = anApiDefinition("Hello World")
       api1.nameAsId shouldBe "hello-world"
     }
 
     "remove brackets" in {
-      val api1        = anApiDefinition("Income Tax (MTD) end-to-end service guide")
+      val api1 = anApiDefinition("Income Tax (MTD) end-to-end service guide")
       api1.nameAsId shouldBe "income-tax-mtd-end-to-end-service-guide"
     }
 
     "remove any other chars" in {
-      val api1        = anApiDefinition("Income Tax (MTD):+{}=#@£!& [end-to-end service guide]")
+      val api1 = anApiDefinition("Income Tax (MTD):+{}=#@£!& [end-to-end service guide]")
       api1.nameAsId shouldBe "income-tax-mtd-end-to-end-service-guide"
     }
   }

test/uk/gov/hmrc/apidocumentation/views/include/IndexViewSpec.scala

@@ -52,7 +52,7 @@ class IndexViewSpec extends CommonViewSpec {
       renderedHtml.body should include("Sign up to use our APIs and get email updates.")
       renderedHtml.body should include("sign in</a>")
     }
-    
+
     "render without sign in components if signed in" in new TestCase {
       val renderedHtml = new IndexView(main)(pageTitle, navLinks, true)
       renderedHtml.body shouldNot include("Get an account")