From c86fa4a714887433581da8c4405bcbf666249c48 Mon Sep 17 00:00:00 2001 From: Tim van Oostrom Date: Thu, 2 Nov 2023 08:56:46 +0100 Subject: [PATCH] Mijn 7102 kv certs (#1023) --- .github/dependabot.yml | 12 ++--- .github/workflows/codeql-analysis.yml | 71 ------------------------- docker-compose.yml | 24 --------- src/server/config.ts | 51 ++++++++++-------- src/server/services/buurt/buurt.test.ts | 1 + 5 files changed, 37 insertions(+), 122 deletions(-) delete mode 100644 .github/workflows/codeql-analysis.yml delete mode 100644 docker-compose.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7dba5ba683..bc40215ade 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,11 +5,11 @@ version: 2 updates: - - package-ecosystem: "Docker" - directory: "/" + - package-ecosystem: 'docker' + directory: '/' schedule: - interval: "weekly" - - package-ecosystem: "npm" - directory: "/" + interval: 'weekly' + - package-ecosystem: 'npm' + directory: '/' schedule: - interval: "weekly" + interval: 'weekly' diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml deleted file mode 100644 index 9c4f641a7b..0000000000 --- a/.github/workflows/codeql-analysis.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" - -on: - push: - branches: [ main ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ main ] - schedule: - - cron: '36 3 * * 0' - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'javascript' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] - # Learn more: - # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed - - steps: - - name: Checkout repository - uses: actions/checkout@v2 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v1 - - # ℹī¸ Command-line programs to run using the OS shell. 
- # 📚 https://git.io/JvXDl - - # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language - - #- run: | - # make bootstrap - # make release - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 diff --git a/docker-compose.yml b/docker-compose.yml deleted file mode 100644 index 803a50a4b1..0000000000 --- a/docker-compose.yml +++ /dev/null @@ -1,24 +0,0 @@ -version: '3.5' -services: - # Unit testing - test-unit-bff: - build: - context: . - dockerfile: Dockerfile - target: build-deps - environment: - - BFF_DISABLE_MOCK_ADAPTER=true - - BFF_REQUEST_CACHE_ENABLED=false - - TZ=Europe/Amsterdam - entrypoint: npm run bff-api:test - - test-unit-client: - build: - context: . - dockerfile: Dockerfile - target: build-deps - environment: - - BFF_DISABLE_MOCK_ADAPTER=true - - BFF_REQUEST_CACHE_ENABLED=false - - TZ=Europe/Amsterdam - entrypoint: npm test diff --git a/src/server/config.ts b/src/server/config.ts index 46aa62178f..9858dd81cd 100644 --- a/src/server/config.ts +++ b/src/server/config.ts @@ -1,8 +1,3 @@ -import { - ApiSuccessResponse, - ApiErrorResponse, - ApiPostponeResponse, -} from './../universal/helpers/api'; import { AxiosRequestConfig } from 'axios'; import { CorsOptions } from 'cors'; import { ConfigParams } from 'express-openid-connect'; 
@@ -10,22 +5,38 @@ import fs from 'fs'; import https from 'https'; import jose from 'jose'; import { FeatureToggle } from '../universal/config'; -import { IS_OT, IS_TAP } from '../universal/config/env'; +import { IS_OT, IS_TEST } from '../universal/config/env'; +import { + ApiErrorResponse, + ApiPostponeResponse, + ApiSuccessResponse, +} from './../universal/helpers/api'; import { TokenData } from './helpers/app'; -export function getCertificateSync(path?: string, name?: string) { - if (!path) { - if (name) { - console.log(`${name}: Certificate path empty ${path}`); - } - return ''; +export function getCertificateSync(envVarName: string | undefined) { + const path = envVarName && process.env[envVarName]; + if (path) { + try { + return fs.readFileSync(path).toString(); + } catch (error) {} + } + + return undefined; +} + +function decodeBase64EncodedCertificateFromEnv(name: string | undefined) { + const data = name && process.env[name]; + if (data) { + return Buffer.from(data, 'base64').toString('utf-8'); } - let fileContents: string = ''; - try { - fileContents = fs.readFileSync(path).toString(); - } catch (error) {} + return undefined; +} - return fileContents; +function getCert(envVarName: string | undefined) { + // TODO: Should be only decodeBase64EncodedCertificateFromEnv when we've migrated to AZ + return IS_TEST + ? decodeBase64EncodedCertificateFromEnv(envVarName) + : getCertificateSync(envVarName); } export const BFF_REQUEST_CACHE_ENABLED = @@ -168,10 +179,8 @@ export const ApiConfig: ApiDataRequestConfig = { postponeFetch: !FeatureToggle.milieuzoneApiActive, method: 'POST', httpsAgent: new https.Agent({ - cert: IS_TAP - ? getCertificateSync(process.env.BFF_SERVER_CLIENT_CERT) - : [], - key: IS_TAP ? getCertificateSync(process.env.BFF_SERVER_CLIENT_KEY) : [], + cert: getCert('BFF_SERVER_CLIENT_CERT'), + key: getCert('BFF_SERVER_CLIENT_KEY'), }), }, SIA: { 
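Review bot: `getCertificateSync` keeps the empty `catch (error) {}` and now returns `undefined` both when the variable is unset and when the file cannot be read, and the old "Certificate path empty" log is gone, so a missing or unreadable certificate leaves no trace. The parameter also changed meaning from a file path to the name of an environment variable while remaining a string, so any caller outside this patch that still passes `process.env.X` would compile and silently resolve to `undefined`. I would log the variable name only, never the file contents or key material, e.g. `console.error('Certificate unreadable for env var', envVarName);` inside the catch. `decodeBase64EncodedCertificateFromEnv` has a similar gap, because `Buffer.from(data, 'base64')` does not throw on malformed input; a check such as `decoded.includes('-----BEGIN')` before returning would catch a truncated or mis-pasted value.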
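Review bot: In the `@@ -168,10 +179,8 @@` hunk the `IS_TAP` guard is gone, so `cert` and `key` are whatever `getCert` returns, and when either variable is unset the `https.Agent` is built without a usable client certificate; the failure would presumably surface only as a rejected handshake at request time. Resolving both values once and checking them together would fail early, e.g. `if (!cert !== !key) throw new Error('BFF_SERVER_CLIENT_CERT and BFF_SERVER_CLIENT_KEY must be set together');`. In the `IS_TEST` branch the private key is now held base64-encoded in the process environment, so it is worth confirming that nothing writes `process.env` to logs or error reports. The enclosing `ApiConfig` entry starts and ends outside the hunk.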
diff --git a/src/server/services/buurt/buurt.test.ts b/src/server/services/buurt/buurt.test.ts
index 9f26b6d6ee..2e3e791715 100644
--- a/src/server/services/buurt/buurt.test.ts
+++ b/src/server/services/buurt/buurt.test.ts
@@ -132,6 +132,7 @@ vi.mock('../../../universal/config/env', () => {
 IS_PRODUCTION: false,
 IS_ACCEPTANCE: true,
 IS_TAP: true,
+ IS_TEST: true,
 };
 });
 vi.mock('../../../universal/config/myarea-datasets');