Merge branch 'master' into EM-pe-vuln-pull

cisagov · Feb 26, 2024 · e489f5b · e489f5b
2 parents 02828a8 + be9a174
commit e489f5b
Show file tree

Hide file tree

Showing 22 changed files with 423 additions and 517 deletions.
diff --git a/backend/env.yml b/backend/env.yml
@@ -39,6 +39,7 @@ staging:
   WORKER_SIGNATURE_PUBLIC_KEY: ${ssm:/crossfeed/staging/WORKER_SIGNATURE_PUBLIC_KEY}
   ELASTICSEARCH_ENDPOINT: ${ssm:/crossfeed/staging/ELASTICSEARCH_ENDPOINT}
   REACT_APP_TERMS_VERSION: ${ssm:/crossfeed/staging/REACT_APP_TERMS_VERSION}
+  REACT_APP_RANDOM_PASSWORD: ${ssm:/crossfeed/staging/REACT_APP_RANDOM_PASSWORD}
   MATOMO_URL: http://matomo.crossfeed.local
   EXPORT_BUCKET_NAME: cisa-crossfeed-staging-exports
   PE_API_URL: ${ssm:/crossfeed/staging/PE_API_URL}
@@ -88,6 +89,7 @@ prod:
   WORKER_SIGNATURE_PUBLIC_KEY: ${ssm:/crossfeed/prod/WORKER_SIGNATURE_PUBLIC_KEY}
   ELASTICSEARCH_ENDPOINT: ${ssm:/crossfeed/prod/ELASTICSEARCH_ENDPOINT}
   REACT_APP_TERMS_VERSION: ${ssm:/crossfeed/prod/REACT_APP_TERMS_VERSION}
+  REACT_APP_RANDOM_PASSWORD: ${ssm:/crossfeed/prod/REACT_APP_RANDOM_PASSWORD}
   MATOMO_URL: http://matomo.crossfeed.local
   EXPORT_BUCKET_NAME: cisa-crossfeed-prod-exports
   PE_API_URL: ${ssm:/crossfeed/staging/PE_API_URL}

diff --git a/backend/package-lock.json b/backend/package-lock.json
diff --git a/backend/package.json b/backend/package.json
@@ -11,8 +11,9 @@
     "@aws-sdk/client-ssm": "^3.414.0",
     "@elastic/elasticsearch": "~7.10.0",
     "@thefaultvault/tfv-cpe-parser": "^1.3.0",
+    "@types/dockerode": "^3.3.19",
     "amqplib": "^0.10.3",
-    "aws-sdk": "^2.1352.0",
+    "aws-sdk": "^2.1551.0",
     "axios": "^1.6",
     "body-parser": "^1.19.0",
     "bufferutil": "^4.0.7",
@@ -21,15 +22,16 @@
     "cookie": "^0.4.1",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
-    "@types/dockerode": "^3.3.19",
+    "date-fns": "^3.3.1",
     "express": "^4.18.1",
     "global-agent": "^2.2.0",
     "got": "^11.8.5",
     "handlebars": "^4.7.8",
     "helmet": "^4.1.1",
     "http-proxy-middleware": "^2.0.6",
+    "ip": "^1.1.9",
     "jsdom": "^22.1",
-    "jsonwebtoken": "^9.0",
+    "jsonwebtoken": "^9.0.2",
     "jwks-rsa": "^3.0",
     "lodash": "^4.17.21",
     "nodemailer": "^6.7.2",
@@ -77,6 +79,7 @@
     "sentencer": "^0.2.1",
     "serverless": "^3.30",
     "serverless-domain-manager": "^7.0",
+    "serverless-dotenv-plugin": "^6.0.0",
     "serverless-webpack": "^5.11.0",
     "supertest": "^6.3",
     "ts-jest": "^27",
@@ -112,4 +115,4 @@
   },
   "author": "",
   "license": "ISC"
-}
+}
diff --git a/backend/serverless.yml b/backend/serverless.yml
@@ -39,12 +39,15 @@ provider:
   iam:
     role:
       statements:
-        # TODO: make the resources more specific.
+        # TODO: make the resources more specific. See Resource: '*' was
         - Effect: Allow
           Action:
             - lambda:InvokeAsync
             - lambda:InvokeFunction
-          Resource: '*'
+            - cognito-idp:AdminDisableUser
+            - cognito-idp:ListUsers
+            - cognito-idp:AdminSetUserPassword
+          Resource: "*"
         - Effect: Allow
           Action:
             - ecs:RunTask
@@ -154,3 +157,4 @@ functions:
 plugins:
   - serverless-domain-manager
   - serverless-webpack
+  - serverless-dotenv-plugin
diff --git a/backend/src/api/helpers.ts b/backend/src/api/helpers.ts
@@ -7,9 +7,9 @@ import {
 import { ValidationOptions, validateOrReject } from 'class-validator';
 import { ClassType } from 'class-transformer/ClassTransformer';
 import { plainToClass } from 'class-transformer';
+import S3Client from '../tasks/s3-client';
 import { SES } from 'aws-sdk';
 import * as nodemailer from 'nodemailer';
-import fs from 'fs';
 import * as handlebars from 'handlebars';
 
 export const validateBody = async <T>(
@@ -146,47 +146,45 @@ export const sendUserRegistrationEmail = async (
   subject: string,
   firstName: string,
   lastName: string,
-  templateFilePath: string
+  templateFileName: string
 ) => {
-  console.log('TemplateFilePath: ', templateFilePath);
-  const fs = require('fs');
-  const htmlTemplate = await fs.promises.readFile(
-    templateFilePath,
-    'utf8',
-    (err, data) => {
-      if (err) {
-        console.error('Error reading file data', err);
-        return;
-      }
-      console.log('Finished reading file');
-      return data;
-    }
-  );
-  const template = handlebars.compile(htmlTemplate);
-  const data = {
-    firstName: firstName,
-    lastName: lastName
-  };
+  try {
+    const client = new S3Client();
+    const htmlTemplate = await client.getEmailAsset(templateFileName);
+    const template = handlebars.compile(htmlTemplate);
+    const data = {
+      firstName: firstName,
+      lastName: lastName
+    };
 
-  const htmlToSend = template(data);
-  const mailOptions = {
-    from: process.env.CROSSFEED_SUPPORT_EMAIL_SENDER!,
-    to: recepient,
-    subject: subject,
-    html: htmlToSend,
-    replyTo: process.env.CROSSFEED_SUPPORT_EMAIL_REPLYTO!
-  };
+    const htmlToSend = template(data);
+    const mailOptions = {
+      from: process.env.CROSSFEED_SUPPORT_EMAIL_SENDER!,
+      to: recepient,
+      subject: subject,
+      html: htmlToSend,
+      replyTo: process.env.CROSSFEED_SUPPORT_EMAIL_REPLYTO!
+    };
+
+    const transporter = nodemailer.createTransport({
+      SES: new SES({ region: 'us-east-1' })
+    });
+    await transporter.sendMail(mailOptions);
+  } catch (errorMessage) {
+    console.log('Email error: ', errorMessage);
+  }
 };
 
 export const sendRegistrationDeniedEmail = async (
   recepient: string,
   subject: string,
   firstName: string,
   lastName: string,
-  templateFilePath: string
+  templateFileName: string
 ) => {
   try {
-    const htmlTemplate = fs.readFileSync(templateFilePath, 'utf-8');
+    const client = new S3Client();
+    const htmlTemplate = await client.getEmailAsset(templateFileName);
     const template = handlebars.compile(htmlTemplate);
     const data = {
       firstName: firstName,
@@ -201,6 +199,11 @@ export const sendRegistrationDeniedEmail = async (
       html: htmlToSend,
       replyTo: process.env.CROSSFEED_SUPPORT_EMAIL_REPLYTO!
     };
+
+    const transporter = nodemailer.createTransport({
+      SES: new SES({ region: 'us-east-1' })
+    });
+    await transporter.sendMail(mailOptions);
   } catch (errorMessage) {
     console.log('Email error: ', errorMessage);
   }
@@ -211,10 +214,11 @@ export const sendRegistrationApprovedEmail = async (
   subject: string,
   firstName: string,
   lastName: string,
-  templateFilePath: string
+  templateFileName: string
 ) => {
   try {
-    const htmlTemplate = fs.readFileSync(templateFilePath, 'utf-8');
+    const client = new S3Client();
+    const htmlTemplate = await client.getEmailAsset(templateFileName);
     const template = handlebars.compile(htmlTemplate);
     const data = {
       firstName: firstName,
@@ -229,6 +233,11 @@ export const sendRegistrationApprovedEmail = async (
       html: htmlToSend,
       replyTo: process.env.CROSSFEED_SUPPORT_EMAIL_REPLYTO!
     };
+
+    const transporter = nodemailer.createTransport({
+      SES: new SES({ region: 'us-east-1' })
+    });
+    await transporter.sendMail(mailOptions);
   } catch (errorMessage) {
     console.log('Email error: ', errorMessage);
   }