Handle GovUK PaaS secrets (#161)

* Extract GA API secret from PasS env vars * Update GA options in manifest * Allow setting of GA secret when running locally
UKGovernmentBEIS · Jun 20, 2023 · ef9885b · ef9885b
1 parent 3240720
commit ef9885b
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 10 deletions.
diff --git a/build.gradle b/build.gradle
@@ -28,6 +28,7 @@ dependencies {
   implementation 'org.jsoup:jsoup:1.11.3'
   implementation 'com.google.guava:guava:27.1-jre'
   implementation 'io.nayuki:qrcodegen:1.6.0'
+  implementation 'io.pivotal.cfenv:java-cfenv:2.4.2'
 
   //Bucket4j dependencies
   implementation 'com.giffing.bucket4j.spring.boot.starter:bucket4j-spring-boot-starter:0.5.2'

diff --git a/manifest-dev.yml b/manifest-dev.yml
@@ -13,7 +13,8 @@ applications:
     env:
       SHOW_START_PAGE: true
       HOME_PAGE_URL: /
-      ENABLE_GOOGLE_ANALYTICS: false
+      ENABLE_GOOGLE_ANALYTICS: true
+      GOOGLE_ANALYTICS_MEASUREMENT_ID: G-MXY8G0TL9D
       VALID_REFERER_DOMAIN: https://energy-label-service-dev.london.cloudapps.digital/
       # https://github.com/cloudfoundry/loggregator-release/blob/develop/docs/java-multi-line-work-around.md
       LOG_PATTERN: "%d{dd-MM-yyyy HH:mm:ss.SSS} %magenta([%thread]) %highlight(%-5level) %logger.%M - %msg %replace(%ex){'[\r\n]+', 'CF_NEWLINE_PLACEHOLDER'}%nopex %n"
diff --git a/manifest-prod.yml b/manifest-prod.yml
@@ -9,13 +9,15 @@ applications:
     health-check-http-endpoint: /health
     services:
       - syslog-drain
+      - ga-credentials
     routes:
       - route: energy-label-service-prod.london.cloudapps.digital
       - route: create-energy-label.service.gov.uk
     env:
       SHOW_START_PAGE: false
       HOME_PAGE_URL: https://www.gov.uk/guidance/create-an-energy-label
       ENABLE_GOOGLE_ANALYTICS: true
+      GOOGLE_ANALYTICS_MEASUREMENT_ID: G-MXY8G0TL9D
       VALID_REFERER_DOMAIN: https://create-energy-label.service.gov.uk/
       # https://github.com/cloudfoundry/loggregator-release/blob/develop/docs/java-multi-line-work-around.md
       LOG_PATTERN: "%d{dd-MM-yyyy HH:mm:ss.SSS} %magenta([%thread]) %highlight(%-5level) %logger.%M - %msg %replace(%ex){'[\r\n]+', 'CF_NEWLINE_PLACEHOLDER'}%nopex %n"

diff --git a/manifest-qa.yml b/manifest-qa.yml
@@ -9,10 +9,12 @@ applications:
     health-check-http-endpoint: /health
     services:
       - syslog-drain
+      - ga-credentials
     env:
       SHOW_START_PAGE: true
       HOME_PAGE_URL: /
-      ENABLE_GOOGLE_ANALYTICS: false
+      ENABLE_GOOGLE_ANALYTICS: true
+      GOOGLE_ANALYTICS_MEASUREMENT_ID: G-MXY8G0TL9D
       VALID_REFERER_DOMAIN: https://energy-label-service-qa.london.cloudapps.digital/
       # https://github.com/cloudfoundry/loggregator-release/blob/develop/docs/java-multi-line-work-around.md
       LOG_PATTERN: "%d{dd-MM-yyyy HH:mm:ss.SSS} %magenta([%thread]) %highlight(%-5level) %logger.%M - %msg %replace(%ex){'[\r\n]+', 'CF_NEWLINE_PLACEHOLDER'}%nopex %n"
diff --git a/src/main/java/uk/gov/beis/els/service/AnalyticsService.java b/src/main/java/uk/gov/beis/els/service/AnalyticsService.java
@@ -1,6 +1,11 @@
 package uk.gov.beis.els.service;
 
 import com.google.common.base.Strings;
+import io.pivotal.cfenv.core.CfEnv;
+import java.time.Duration;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -14,11 +19,6 @@
 import uk.gov.beis.els.model.GoogleAnalyticsEventCategory;
 import uk.gov.beis.els.model.GoogleAnalyticsEventParams;
 
-import java.time.Duration;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.UUID;
-
 @Service
 public class AnalyticsService {
 
@@ -33,11 +33,10 @@ public class AnalyticsService {
 
   public AnalyticsService(@Value("${app.enable_google_analytics}") boolean analyticsEnabled,
                           @Value("${app.analytics_connection_timeout_ms}") int connectionTimeoutMs,
-                          @Value("${app.analytics_api_secret}") String apiSecret,
                           @Value("${app.analytics_measurement_id}") String measurementId) {
     this.analyticsEnabled = analyticsEnabled;
     this.connectionTimeoutMs = connectionTimeoutMs;
-    this.apiSecret = apiSecret;
+    this.apiSecret = parseGaApiSecret();
     this.measurementId = measurementId;
   }
 
@@ -85,4 +84,25 @@ public void sendGoogleAnalyticsEvent(String jsClientId, GoogleAnalyticsEventCate
 
   }
 
+  // Handle secrets set via GovUk PaaS. Can be removed once migrated to BEIS AWS platform
+  // See https://docs.cloudfoundry.org/devguide/deploy-apps/environment-variable.html#VCAP-SERVICES and
+  // https://docs.cloudfoundry.org/devguide/services/user-provided.html
+  private String parseGaApiSecret() {
+    if (System.getenv("VCAP_SERVICES") == null) {
+      // Allow running locally when PaaS vars don't exist
+      LOGGER.warn("No Gov PaaS VCAP_SERVICES env var found, unable to extract GA api secret. Falling back to LOCAL_DEV_ANALYTICS_API_SECRET");
+      String localSecretValue = System.getenv("LOCAL_DEV_ANALYTICS_API_SECRET");
+      return (localSecretValue == null)? "not-set" : localSecretValue;
+    }
+    try {
+      CfEnv cfEnv = new CfEnv();
+      return cfEnv
+          .findServiceByName("ga-credentials")
+          .getCredentials()
+          .getString("api_key");
+    } catch (Exception e) {
+      throw new RuntimeException("Failed to parse Gov PaaS VCAP_SERVICES env var");
+    }
+  }
+
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -8,7 +8,6 @@ app.home_page_url=${HOME_PAGE_URL:/}
 app.enable_google_analytics=${ENABLE_GOOGLE_ANALYTICS:false}
 # Ensure measurement ID matches in cookieControl.js
 app.analytics_measurement_id=${GOOGLE_ANALYTICS_MEASUREMENT_ID:not-set}
-app.analytics_api_secret=${ANALYTICS_API_SECRET:not-set}
 app.analytics_connection_timeout_ms=${ANALYTICS_CONN_TIMEOUT_MS:1000}
 app.valid_referer_domain=${VALID_REFERER_DOMAIN:http://localhost}