From d9d668ec5730d9d4aa94e8ce100847a890128f04 Mon Sep 17 00:00:00 2001 From: ChrisBAshton Date: Wed, 26 Jul 2023 12:18:59 +0100 Subject: [PATCH] Don't fall back to fixture data in production The `EmergencyContactDetails` class relies on a `EMERGENCY_CONTACT_DETAILS` ENV variable to define sensitive information such as phone numbers and email addresses, which we then display in the Support app. If the ENV variable is missing, then it falls back to the nonsense data in `config/emergency_contact_details.json`, potentially displaying incorrect information to publishers. It would be better for the application to crash. The fallback behaviour has instead been moved to `config/environments`, in `development.rb` and `test.rb` only. This is so that the app can be started up without having to define the ENV var (`development.rb`) and so that all of the unrelated tests continue to pass (`test.rb`).
---
 app/lib/emergency_contact_details.rb | 6 +++- config/environments/development.rb | 2 ++ config/environments/test.rb | 2 ++ spec/lib/emergency_contact_details_spec.rb | 40 ++++++++++++++++++++++ 4 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 spec/lib/emergency_contact_details_spec.rb
diff --git a/app/lib/emergency_contact_details.rb b/app/lib/emergency_contact_details.rb
index aa637c474..a90feb0d2 100644
--- a/app/lib/emergency_contact_details.rb
+++ b/app/lib/emergency_contact_details.rb
@@ -1,7 +1,11 @@
 class EmergencyContactDetails
 def self.fetch
- config_str = ENV["EMERGENCY_CONTACT_DETAILS"] || File.read(Rails.root.join("config/emergency_contact_details.json"))
+ config_str = ENV["EMERGENCY_CONTACT_DETAILS"]
+ raise MissingEnvVar if config_str.nil?
+
 config = JSON.parse(config_str)
 ActiveSupport::HashWithIndifferentAccess.new(config)
 end
+
+ class MissingEnvVar < StandardError; end
 end
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 7415aecb4..e6c2c3e05 100644
--- a/config/environments/development.rb
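Review bot: In `EmergencyContactDetails.fetch`, the new guard `raise MissingEnvVar if config_str.nil?` only catches an unset variable; a variable that is present but empty (for example a blank secret in the deployment config) passes the check and would most likely surface as a `JSON::ParserError` from `JSON.parse` instead. The exception is also raised without a message, so whoever reads the error report has to open the class to learn which variable is missing. I would change the guard to `raise MissingEnvVar, "EMERGENCY_CONTACT_DETAILS is not set" if config_str.blank?`. The check also only runs when `fetch` is called, so unless something calls it at boot, a misconfigured deploy starts cleanly and fails on the first page that shows the contacts; calling `EmergencyContactDetails.fetch` from an initializer would surface the failure at release time.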
+++ b/config/environments/development.rb
@@ -64,4 +64,6 @@
 config.hosts += [
 "support.dev.gov.uk",
 ]
+
+ ENV["EMERGENCY_CONTACT_DETAILS"] = ENV["EMERGENCY_CONTACT_DETAILS"] || File.read(Rails.root.join("config/emergency_contact_details.json"))
 end
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 3dd2ea767..dd41b715c 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -54,4 +54,6 @@
 
 # Annotate rendered view with file names.
 # config.action_view.annotate_rendered_view_with_filenames = true
+
+ ENV["EMERGENCY_CONTACT_DETAILS"] = ENV["EMERGENCY_CONTACT_DETAILS"] || File.read(Rails.root.join("config/emergency_contact_details.json"))
 end
diff --git a/spec/lib/emergency_contact_details_spec.rb b/spec/lib/emergency_contact_details_spec.rb
new file mode 100644
index 000000000..182388948
--- /dev/null
+++ b/spec/lib/emergency_contact_details_spec.rb
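Review bot: The fallback line added to `config/environments/development.rb` names the variable on both sides of the assignment and is copied verbatim into `config/environments/test.rb`; `ENV["EMERGENCY_CONTACT_DETAILS"] ||= File.read(Rails.root.join("config/emergency_contact_details.json"))` says the same thing once. A short comment above it in both files, such as `# Fixture contact details for local use only; production must set EMERGENCY_CONTACT_DETAILS.`, would stop the line from being copied into `production.rb` by someone tidying the environment files. Both configure blocks start outside their hunks.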
@@ -0,0 +1,40 @@
+require "rails_helper"
+
+describe EmergencyContactDetails do
+ describe ".fetch" do
+ it "returns a HashWithIndifferentAccess derived from `ENV['EMERGENCY_CONTACT_DETAILS']`" do
+ contact_details = {
+ "current_at": "2014-07-01",
+ "primary_contacts": {
+ "national_emergencies": {
+ "phone": "0555 555 555",
+ },
+ },
+ "secondary_contacts": [
+ {
+ "name": "Billy Director",
+ "role": "Director",
+ "phone": "05555 555 555",
+ "email": "billy.director@email.uk",
+ },
+ ],
+ "verify_contacts": {
+ "ida_support_email": "idasupport@email.uk",
+ "out_of_hours_email": "outofhours@email.uk",
+ },
+ }
+
+ allow(ENV).to receive(:[]).with(anything)
+ allow(ENV).to receive(:[]).with("EMERGENCY_CONTACT_DETAILS").and_return(contact_details.to_json)
+ expect(described_class.fetch).to eq(contact_details.to_h.with_indifferent_access)
+ expect(described_class.fetch[:verify_contacts][:ida_support_email]).to eq("idasupport@email.uk")
+ end
+
+ it "raises an exception if `ENV['EMERGENCY_CONTACT_DETAILS']` is not defined" do
+ allow(ENV).to receive(:[]).with(anything)
+ allow(ENV).to receive(:[]).with("EMERGENCY_CONTACT_DETAILS").and_return(nil)
+
+ expect { described_class.fetch }.to raise_exception(EmergencyContactDetails::MissingEnvVar)
+ end
+ end
+end
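Review bot: Both examples stub every other ENV lookup to `nil` with `allow(ENV).to receive(:[]).with(anything)`, so any code on the path of `fetch` that reads a different variable sees it as unset during these examples. `allow(ENV).to receive(:[]).and_call_original` keeps the real values and still lets the following line override `EMERGENCY_CONTACT_DETAILS`. The spec also has no example for a variable that is set but empty or not valid JSON, which is the remaining way for a production deploy to end up without usable contact details; an example asserting the error raised for `""` would pin that behaviour down.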