Allow access to the intranet-archive via JWT.

.github/README.md

@@ -363,6 +363,7 @@ To view the intranet content, visitors must meet one of the following criteria.
 
 - Be in an Allow List of IP ranges. 
 - Or, have a Microsoft Azure account, within the organisation.
+- Or, in the case of the intranet-archive scraper, have a valid JWT token.
 
 The visitor's IP is checked first, then if that check fails, they are redirected to the project's Entra application.
 
@@ -546,6 +547,16 @@ This is for 2 reasons:
 - It will keep the OAuth session fresh, the endpoint handler will refresh OAuth tokens, and update JWTs before they expire.
 - If a visitor's state has changed, e.g. they have moved from an office with an allowed IP, then their browser content is blurred and they are prompted to refresh the page.
 
+### Access for the Intranet Archive service.
+
+The intranet-archive service is a scraper that collects content from the intranet for archiving purposes.
+
+It is granted access via a JWT token, which is generated manually by running the `wp gen-jwt intranet-archive` command from an fpm container.
+
+The cookie has a role of `intranet-archive`. For this roll to be granted access to the intranet, the request IP must be one of Cloud Platform's egress IPs.
+
+When the JWT_SECRET is rotated, a new JWT token will need to be generated, and the Intranet Archive service will need to be updated with the new JWT.
+
 <!-- License -->
 
 [License Link]: https://github.com/ministryofjustice/intranet/blob/main/LICENSE 'License.'

.github/workflows/ip-ranges-configure.yml

@@ -34,13 +34,16 @@ jobs:
           # @see https://nginx.org/en/docs/http/ngx_http_geo_module.html
           ALLOW_VALUE=1
           DEPRI_VALUE=2
+          CLOUD_EGRES=5
 
           ALLOW_FORMATTED=$(yq 'explode(.) | .allow_access_to_moj_intranet       | flatten | map(. + " '$ALLOW_VALUE';") | join("\n")' moj-cidr-addresses.yml)
           DEPRI_FORMATTED=$(yq 'explode(.) | .deprecating_access_to_moj_intranet | flatten | map(. + " '$DEPRI_VALUE';") | join("\n")' moj-cidr-addresses.yml)
+          CLOUD_FORMATTED=$(yq 'explode(.) | .cloud_platform                     | flatten | map(. + " '$CLOUD_EGRES';") | join("\n")' moj-cidr-addresses.yml)
 
           CONFIG=$(
               echo "$ALLOW_FORMATTED"
               echo "$DEPRI_FORMATTED"
+              echo "$CLOUD_FORMATTED"
           )
 
           CONFIG_ENCRYPTED=$(

composer.json

@@ -89,7 +89,8 @@
         "php-http/guzzle7-adapter": "^1.0"
     },
     "require-dev": {
-        "squizlabs/php_codesniffer": "^3.0.2"
+        "squizlabs/php_codesniffer": "^3.0.2",
+        "php-stubs/wp-cli-stubs": "^2.11"
     },
     "extra": {
         "installer-paths": {

deploy/config/local/nginx/server.conf

@@ -38,6 +38,7 @@ map $ip_group $ip_skip_oauth {
     2       1; # Allowed IPs (depricating)
     3       0; # Cloud Platform IPs
     4       1; # Local IP
+    5       0; # Cloud Platform Egress IPs
     default 0; # Default value
 }
 
@@ -202,6 +203,7 @@ server {
 
         # The subrequest handler, WordPress is not loaded in this file.
         set $script_name /app/mu-plugins/moj-auth/verify.php;
+        fastcgi_param HTTP_X_MOJ_IP_GROUP $ip_group;
         include /etc/nginx/php-fpm-auth.conf;
     }
 

deploy/config/server.conf

@@ -40,6 +40,7 @@ map $ip_group $ip_skip_oauth {
     2       1; # Allowed IPs (depricating)
     3       0; # Cloud Platform IPs
     4       1; # Local IP (127.0.0.1)
+    5       0; # Cloud Platform Egress IPs
     default 0; # Default value
 }
 
@@ -217,6 +218,7 @@ server {
 
         # The subrequest handler, WordPress is not loaded in this file.
         set $script_name /app/mu-plugins/moj-auth/verify.php;
+        fastcgi_param HTTP_X_MOJ_IP_GROUP $ip_group;
         include /etc/nginx/php-fpm-auth.conf;
     }
 

public/app/mu-plugins/moj-auth/401.php

@@ -96,7 +96,7 @@ public function handle401Request(): void
         $jwt->failed_callbacks = $jwt->failed_callbacks ?? 0;
 
         // Set a JWT without a role, to persist the user's ID, login attempts and success_url.
-        $jwt = $this->setJwt($jwt);
+        [$jwt] = $this->setJwt($jwt);
 
         $this->log('handle401Request failed_callbacks: ' . $jwt->failed_callbacks);
 

public/app/mu-plugins/moj-auth/moj-auth.php

@@ -23,6 +23,7 @@
     return;
 }
 
+require_once 'traits/cli.php';
 require_once 'traits/jwt.php';
 require_once 'traits/oauth.php';
 require_once 'traits/utils.php';
@@ -39,6 +40,7 @@
 
 class Auth
 {
+    use AuthCli;
     use AuthJwt;
     use AuthOauth;
     use AuthUtils;
@@ -61,6 +63,7 @@ public function __construct(array $args = [])
         $this->debug = $args['debug'] ?? false;
         $this->https = isset($_SERVER['HTTPS']) || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO']);
 
+        $this->initCli();
         $this->initJwt();
         $this->initOauth();
     }
@@ -69,6 +72,10 @@ public function handleRequest(): void
     {
         $this->log('handleRequest()');
 
+        if (defined('WP_CLI') && WP_CLI) {
+            return;
+        }
+
         if (!$this->oauth_action) {
             return;
         }
@@ -78,7 +85,7 @@ public function handleRequest(): void
 
         // Set a JWT without a role, to persist the user's ID.
         if (!$jwt) {
-            $jwt = $this->setJwt();
+            $this->setJwt();
         }
 
         if ('login' === $this->oauth_action) {
@@ -187,7 +194,7 @@ public function handleHeartbeatRequest(): void
 
         // It's not time to refresh the JWT, and we need to update the JWT.
         if ($jwt_remaining_time > $this::JWT_REFRESH && $mutated_jwt) {
-            $jwt = $this->setJwt($jwt);
+            [$jwt] = $this->setJwt($jwt);
             $mutated_jwt = false;
         }
 
@@ -218,7 +225,7 @@ public function handleHeartbeatRequest(): void
 
         // Set the JWT, if it's been mutated. Either by clearing properties, or it's been refreshed.
         if ($mutated_jwt) {
-            $jwt = $this->setJwt($jwt);
+            $this->setJwt($jwt);
         }
 
         return;

public/app/mu-plugins/moj-auth/traits/cli.php

@@ -0,0 +1,66 @@
+<?php
+
+/**
+ * This command is used to generate a JWT token for the intranet-archive service.
+ * 
+ * To test this command locally you can run, first run `make bash` to enter the container.
+ * To run this command on a deployed container, first run `kubectl -n $NSP exec -it $POD -c fpm -- ash` to enter the container.
+ * 
+ * Usage:
+ *  run: wp gen-jwt intranet-archive
+ */
+
+namespace MOJ\Intranet;
+
+use WP_CLI;
+
+trait AuthCli
+{
+    const GENERATED_JWT_DURATION    = 60 * 60 * 24 * 365 * 3; // 3 years
+
+    /**
+     * Init the WP CLI command.
+     * 
+     * @return void
+     */
+    public function initCli() : void
+    {
+        // If the WP_CLI constant is defined and true, then we're running in the WP CLI environment.
+        if (defined('WP_CLI') && WP_CLI) {
+            // Register the command.
+            WP_CLI::add_command('gen-jwt', [$this, 'generateJwtCommand']);
+        }
+    }
+
+    /**
+     * Generate a JWT token for the intranet-archive service.
+     * 
+     * @param array $args The arguments passed to the command.
+     * @return void
+     */
+    public function generateJwtCommand(array $args): void
+    {
+        $this->log('in generateJwtCommand');
+
+        WP_CLI::log('GenerateJwt starting');
+
+        if (empty($args[0]) || $args[0] !== 'intranet-archive') {
+            WP_CLI::log('GenerateJwt the command was missing the role argument.');
+            return;
+        }
+
+        // Generate a JWT with the intranet-archive role and a long expiry.
+        [$jwt, $jwt_string] = $this->setJwt((object) [
+            'roles' => [$args[0]],
+            'expiry'   => time() + self::GENERATED_JWT_DURATION
+        ]);
+
+        // Log the JWT object, so the user can see the contents.
+        WP_CLI::log('JWT contents: ' . print_r($jwt, true));
+
+        // Log the JWT string, this should be copied by the user and can be set as a cookie with name `jwt`.
+        WP_CLI::log('JWT cookie: ' . $jwt_string);
+
+        WP_CLI::log('GenerateJwt complete');
+    }
+}