CCD-7110 Harden callback SSRF controls, redact URL secrets, and align tests/co…

AGENTS.md

@@ -0,0 +1,70 @@
+# Agents
+
+This file is the index for repo-local workflow skills in this repository. Skill files live under `docs/skills/`.
+
+## CCD Callback SSRF Hardening
+
+Use the `ccd-callback-ssrf-hardening` agent for any callback security change in this repository, especially around event callbacks, webhook URL ingestion, or auth header handling.
+
+### Trigger Phrases
+
+- "Use ccd-callback-ssrf-hardening"
+- "Run callback SSRF hardening"
+- "Audit callback token leakage"
+
+### Recommended Prompt Template
+
+```text
+Use ccd-callback-ssrf-hardening on hmcts/ccd-data-store-api.
+Scope:
+- src/main/java/uk/gov/hmcts/ccd/domain/service/callbacks/CallbackService.java
+- src/main/java/uk/gov/hmcts/ccd/data/SecurityUtils.java
+- callback URL ingestion/parsing paths
+Tasks:
+1. Detect SSRF and credential leakage patterns.
+2. Enforce callback URL validation (allowlist, HTTPS, private/internal target blocking).
+3. Remove sensitive header forwarding (Authorization, ServiceAuthorization, user-id, user-roles).
+4. Add/update regression tests.
+5. Summarize risk reduction and residual risk.
+```
+
+### Quick Scanner
+
+```bash
+bash docs/skills/ccd-callback-ssrf-hardening/scripts/scan_callback_risks.sh
+```
+
+## CCD SonarQube Remediation
+
+Use the `ccd-sonarqube-remediation` agent for SonarQube-driven cleanup and quality fixes in this repository, especially maintainability/code smell issues that require safe refactors and test wiring updates.
+
+### Trigger Phrases
+
+- "Use ccd-sonarqube-remediation"
+- "Fix Sonar issues"
+- "Address code smells from SonarQube"
+
+### Recommended Prompt Template
+
+```text
+Use ccd-sonarqube-remediation on hmcts/ccd-data-store-api.
+Scope:
+- files flagged by current SonarQube findings
+Tasks:
+1. Reproduce and identify root cause for each finding.
+2. Patch with minimal behavior change and clear naming/structure.
+3. Update affected tests and fixtures if constructor/bean wiring changes.
+4. Add/update tests so coverage for new/changed code is at least 80%.
+5. Run targeted Gradle compile/tests plus `checkstyleMain` and `checkstyleTest` for touched areas.
+6. Verify SonarQube quality gate status and that blocker/critical issues introduced by the change are zero.
+7. Summarize risks, behavior impact, and follow-up actions.
+```
+
+### Testing Workflow Note
+
+- WireMock-backed integration tests now use class-level Spring context teardown via `@DirtiesContext(AFTER_CLASS)` in `WireMockBaseTest` to reduce intermittent `WireMockServer` port-bind failures.
+- This improves stability but can increase test runtime because affected test classes do not reuse the same Spring context across classes.
+- Build verification is split into `testUnit` (parallel unit tests) and `testIt` (serialized `*IT`/`*ITest` tests for stability).
+- The default `test` task is disabled to avoid duplicate execution; `check`/`build` run `testUnit` and `testIt`.
+- Smoke test execution now includes `preSmokeDiagnostics`, which logs `TEST_URL`, key auth/callback env values, and probes `${TEST_URL}/actuator/health` before BEFTA starts.
+- Jenkins archives stage-specific BEFTA outputs as `target/cucumber-smoke.json` and `target/cucumber-functional.json` (plus corresponding JUnit XML), so smoke/functional failures can be triaged independently.

Dockerfile

@@ -3,7 +3,7 @@ ARG JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom"
 ARG APP_INSIGHTS_AGENT_VERSION=3.7.7
 ARG PLATFORM=""
 
-FROM hmctspublic.azurecr.io/base/java${PLATFORM}:21-distroless
+FROM hmctsprod.azurecr.io/base/java${PLATFORM}:21-distroless
 USER hmcts
 LABEL maintainer="https://github.com/hmcts/ccd-data-store-api"
 

Jenkinsfile_CNP

@@ -105,15 +105,20 @@ env.MAX_NUM_PARALLEL_THREADS=6
 env.BEFTA_S2S_CLIENT_ID = "ccd_gw"
 env.ROLE_ASSIGNMENT_API_GATEWAY_S2S_CLIENT_ID = "ccd_data"
 env.BEFTA_TEST_STUB_SERVICE_BASE_URL = "http://ccd-test-stubs-service-aat.service.core-compute-aat.internal"
+env.BEFTA_TEST_STUB_SERVICE_HOST = "ccd-test-stubs-service-aat.service.core-compute-aat.internal"
+env.AAC_MANAGE_CASE_ASSIGNMENT_HOST = "aac-manage-case-assignment-aat.service.core-compute-aat.internal"
+env.CCD_CALLBACK_ALLOWED_HOSTS = "localhost,127.0.0.1,${env.BEFTA_TEST_STUB_SERVICE_HOST},${env.AAC_MANAGE_CASE_ASSIGNMENT_HOST}"
+env.CCD_CALLBACK_ALLOWED_HTTP_HOSTS = "localhost,127.0.0.1,${env.BEFTA_TEST_STUB_SERVICE_HOST},${env.AAC_MANAGE_CASE_ASSIGNMENT_HOST}"
+env.CCD_CALLBACK_ALLOW_PRIVATE_HOSTS = "localhost,127.0.0.1,${env.BEFTA_TEST_STUB_SERVICE_HOST},${env.AAC_MANAGE_CASE_ASSIGNMENT_HOST}"
 env.BEFTA_S2S_CLIENT_ID_OF_CCD_DATA = "ccd_data"
 env.BEFTA_S2S_CLIENT_ID_OF_XUI_WEBAPP = "xui_webapp"
 // BEFTA retry env variables
 env.BEFTA_RETRY_MAX_ATTEMPTS = "3"
 env.BEFTA_RETRY_STATUS_CODES = "500,502,503,504"
 env.BEFTA_RETRY_MAX_DELAY = "1000"
 env.BEFTA_RETRY_NON_RETRYABLE_HTTP_METHODS = "POST,PUT"
-// Prevent Docker hub rate limit errors by ensuring that testcontainers uses images from hmctspublic ACR
-env.TESTCONTAINERS_HUB_IMAGE_NAME_PREFIX = "hmctspublic.azurecr.io/imported/"
+// Prevent Docker hub rate limit errors by ensuring that testcontainers uses images from hmctsprod ACR
+env.TESTCONTAINERS_HUB_IMAGE_NAME_PREFIX = "hmctsprod.azurecr.io/imported/"
 
 withPipeline(type, product, component) {
     onMaster {
@@ -139,6 +144,7 @@ withPipeline(type, product, component) {
         env.DEFINITION_STORE_URL_BASE = "https://ccd-definition-store-ccd-data-store-api-${env.BRANCH_NAME}.preview.platform.hmcts.net".toLowerCase()
         env.DEFINITION_STORE_HOST = env.DEFINITION_STORE_URL_BASE
     }
+    echo "Effective TEST_URL=${env.TEST_URL}"
 
     echo "ES FTA Enabled = ${env.ELASTIC_SEARCH_FTA_ENABLED} on branch ${env.BRANCH_NAME}"
 
@@ -184,6 +190,9 @@ withPipeline(type, product, component) {
     }
 
     afterAlways('smoketest:preview') {
+        steps.sh("if [ -f target/cucumber.json ]; then cp target/cucumber.json target/cucumber-smoke.json; fi")
+        steps.archiveArtifacts allowEmptyArchive: true, artifacts: 'target/cucumber-smoke.json'
+        steps.archiveArtifacts allowEmptyArchive: true, artifacts: 'build/test-results/smoke/cucumber.xml'
         steps.archiveArtifacts allowEmptyArchive: true, artifacts: '**/BEFTA Report for Smoke Tests/**/*'
         publishHTML target: [
             allowMissing         : true,
@@ -196,6 +205,9 @@ withPipeline(type, product, component) {
     }
 
     afterAlways('smoketest:aat') {
+        steps.sh("if [ -f target/cucumber.json ]; then cp target/cucumber.json target/cucumber-smoke.json; fi")
+        steps.archiveArtifacts allowEmptyArchive: true, artifacts: 'target/cucumber-smoke.json'
+        steps.archiveArtifacts allowEmptyArchive: true, artifacts: 'build/test-results/smoke/cucumber.xml'
         steps.archiveArtifacts allowEmptyArchive: true, artifacts: '**/BEFTA Report for Smoke Tests/**/*'
         publishHTML target: [
             allowMissing         : true,
@@ -208,6 +220,9 @@ withPipeline(type, product, component) {
     }
 
     afterAlways('functionalTest:preview') {
+        steps.sh("if [ -f target/cucumber.json ]; then cp target/cucumber.json target/cucumber-functional.json; fi")
+        steps.archiveArtifacts allowEmptyArchive: true, artifacts: 'target/cucumber-functional.json'
+        steps.archiveArtifacts allowEmptyArchive: true, artifacts: 'build/test-results/functional/cucumber.xml'
         steps.archiveArtifacts allowEmptyArchive: true, artifacts: '**/BEFTA Report for Functional Tests/**/*'
         publishHTML target: [
             allowMissing         : true,
@@ -220,6 +235,9 @@ withPipeline(type, product, component) {
     }
 
     afterAlways('functionalTest:aat') {
+        steps.sh("if [ -f target/cucumber.json ]; then cp target/cucumber.json target/cucumber-functional.json; fi")
+        steps.archiveArtifacts allowEmptyArchive: true, artifacts: 'target/cucumber-functional.json'
+        steps.archiveArtifacts allowEmptyArchive: true, artifacts: 'build/test-results/functional/cucumber.xml'
         steps.archiveArtifacts allowEmptyArchive: true, artifacts: '**/BEFTA Report for Functional Tests/**/*'
         publishHTML target: [
             allowMissing         : true,

Jenkinsfile_nightly

@@ -81,8 +81,8 @@ def vaultOverrides = [
 // vars needed for functional tests
 // Assume a feature build branched off 'develop', with dependencies develop-to-develop.
 env.TEST_URL = "http://ccd-data-store-api-aat.service.core-compute-aat.internal"
-// Prevent Docker hub rate limit errors by ensuring that testcontainers uses images from hmctspublic ACR
-env.TESTCONTAINERS_HUB_IMAGE_NAME_PREFIX = "hmctspublic.azurecr.io/imported/"
+// Prevent Docker hub rate limit errors by ensuring that testcontainers uses images from hmctsprod ACR
+env.TESTCONTAINERS_HUB_IMAGE_NAME_PREFIX = "hmctsprod.azurecr.io/imported/"
 
 // Other env variables needed for BEFTA.
 env.BEFTA_S2S_CLIENT_ID = "ccd_gw"
@@ -96,6 +96,11 @@ env.BEFTA_RESPONSE_HEADER_CHECK_POLICY="JUST_WARN" // Temporary workaround for p
 env.ELASTIC_SEARCH_FTA_ENABLED = "true"
 env.DEFAULT_COLLECTION_ASSERTION_MODE="UNORDERED"
 env.BEFTA_TEST_STUB_SERVICE_BASE_URL = "http://ccd-test-stubs-service-aat.service.core-compute-aat.internal"
+env.BEFTA_TEST_STUB_SERVICE_HOST = "ccd-test-stubs-service-aat.service.core-compute-aat.internal"
+env.AAC_MANAGE_CASE_ASSIGNMENT_HOST = "aac-manage-case-assignment-aat.service.core-compute-aat.internal"
+env.CCD_CALLBACK_ALLOWED_HOSTS = "localhost,127.0.0.1,${env.BEFTA_TEST_STUB_SERVICE_HOST},${env.AAC_MANAGE_CASE_ASSIGNMENT_HOST}"
+env.CCD_CALLBACK_ALLOWED_HTTP_HOSTS = "localhost,127.0.0.1,${env.BEFTA_TEST_STUB_SERVICE_HOST},${env.AAC_MANAGE_CASE_ASSIGNMENT_HOST}"
+env.CCD_CALLBACK_ALLOW_PRIVATE_HOSTS = "localhost,127.0.0.1,${env.BEFTA_TEST_STUB_SERVICE_HOST},${env.AAC_MANAGE_CASE_ASSIGNMENT_HOST}"
 env.DEFINITION_STORE_HOST = "http://ccd-definition-store-api-aat.service.core-compute-aat.internal"
 // BEFTA retry env variables
 env.BEFTA_RETRY_MAX_ATTEMPTS = "3"

README.md

@@ -13,6 +13,8 @@
 
 Store/search cases and provide workbaskets.
 
+Repo-local workflow docs are indexed in `AGENTS.md`.
+
 ### Prerequisites
 
 - [Open JDK 21](https://openjdk.java.net/)
@@ -47,6 +49,12 @@ The following environment variables are required:
 | DRAFT_STORE_URL | - | Base URL for Draft Store API service. `http://localhost:8800` for the dockerised local instance. |
 | DRAFT_ENCRYPTION_KEY | - | Draft encryption key. The encryption key used by draft store to encrypt documents with. |
 | DRAFT_TTL_DAYS | - | Number of days after which the saved draft will be deleted if unmodified. |
+| CCD_CALLBACK_ALLOWED_HOSTS | localhost,127.0.0.1 | Comma-separated callback destination match patterns. Exact hosts, legacy `*.domain.tld`, `*`, and regex patterns are supported. Invalid regex-like entries fail validation explicitly. Use environment-specific callback hosts or patterns (for example local Docker: `host.docker.internal`; preview/demo PR domains: `.*\\.demo\\.platform\\.hmcts\\.net,.*\\.preview\\.platform\\.hmcts\\.net`; AAT/pipeline: internal service DNS). |
+| CCD_CALLBACK_ALLOWED_HTTP_HOSTS | localhost,127.0.0.1 | Comma-separated host match patterns allowed to use `http` for callbacks. Exact hosts, legacy `*.domain.tld`, `*`, and regex patterns are supported; invalid regex-like entries fail validation explicitly; all other callback hosts must use `https`. |
+| CCD_CALLBACK_ALLOW_PRIVATE_HOSTS | localhost,127.0.0.1 | Comma-separated host match patterns allowed to resolve to private/local addresses for callbacks. Exact hosts, legacy `*.domain.tld`, `*`, and regex patterns are supported; invalid regex-like entries fail validation explicitly. |
+
+For callback hardening rollout guidance, allowlist pattern syntax, and environment examples (including preview/AAT allowlist hosts),
+see [`docs/api/security.md`](docs/api/security.md).
 
 ### Building
 

acb.tpl.yaml

@@ -1,7 +1,7 @@
 version: 1.0-preview-1
 steps:
   - id: pull-base-image-amd64
-    cmd: docker pull --platform linux/amd64 hmctspublic.azurecr.io/base/java:21-distroless && docker tag hmctspublic.azurecr.io/base/java:21-distroless hmctspublic.azurecr.io/base/java/linux/amd64:21-distroless
+    cmd: docker pull --platform linux/amd64 hmctsprod.azurecr.io/base/java:21-distroless && docker tag hmctsprod.azurecr.io/base/java:21-distroless hmctsprod.azurecr.io/base/java/linux/amd64:21-distroless
     when: ["-"]
     retries: 3
     retryDelay: 5
@@ -18,7 +18,7 @@ steps:
     retryDelay: 5
 
   - id: pull-base-image-arm64
-    cmd: docker pull --platform linux/arm64 hmctspublic.azurecr.io/base/java:21-distroless && docker tag hmctspublic.azurecr.io/base/java:21-distroless hmctspublic.azurecr.io/base/java/linux/arm64:21-distroless
+    cmd: docker pull --platform linux/arm64 hmctsprod.azurecr.io/base/java:21-distroless && docker tag hmctsprod.azurecr.io/base/java:21-distroless hmctsprod.azurecr.io/base/java/linux/arm64:21-distroless
     when:
       - pull-base-image-amd64
     retries: 3