From acde519e0b52dc57fb60a4cc423d43f11eb174ba Mon Sep 17 00:00:00 2001 From: Abhishek Katiyar Date: Fri, 15 Nov 2024 13:28:42 +0530 Subject: [PATCH 1/7] INFRA-3897 | Abhishek | Add checkbox for strict matching of routes in commonApiGateway routes --- src/coreform/deployment/ApiGatewayForm.tsx | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/coreform/deployment/ApiGatewayForm.tsx b/src/coreform/deployment/ApiGatewayForm.tsx index 3aaa848..91b829c 100644 --- a/src/coreform/deployment/ApiGatewayForm.tsx +++ b/src/coreform/deployment/ApiGatewayForm.tsx @@ -99,6 +99,14 @@ const GatewayAttributes = (props: any = { sourceGatewayPath: string }) => { />{' '} + + + } + label="Ensure strict matching of routes" + /> + + Date: Fri, 15 Nov 2024 14:00:45 +0530 Subject: [PATCH 2/7] INFRA-3897 | Abhishek | Make external auth and internal gateways optional for clusters --- src/coreform/deployment/ApiGatewayForm.tsx | 61 ++++++++++++++++------ 1 file changed, 44 insertions(+), 17 deletions(-) diff --git a/src/coreform/deployment/ApiGatewayForm.tsx b/src/coreform/deployment/ApiGatewayForm.tsx index 91b829c..3479244 100644 --- a/src/coreform/deployment/ApiGatewayForm.tsx +++ b/src/coreform/deployment/ApiGatewayForm.tsx 
@@ -68,17 +68,34 @@ const InternalCommonApiGatewayUrlMap = { [Cluster.IAPL_PROD]: InternalCommonApiGatewayUrl.IAPL_PROD, }; +const ExternalAuthEnabledMap = { + [Cluster.LENDING_NP]: InternalCommonApiGatewayUrl.LENDING_NP, + [Cluster.LENDING_PROD]: InternalCommonApiGatewayUrl.LENDING_PROD, + [Cluster.PAY_NP]: InternalCommonApiGatewayUrl.PAY_NP, + [Cluster.PAY_PROD]: InternalCommonApiGatewayUrl.PAY_PROD, + [Cluster.GI_NP]: InternalCommonApiGatewayUrl.GI_NP, + [Cluster.GI_PROD]: InternalCommonApiGatewayUrl.GI_PROD, + [Cluster.SA_NP]: InternalCommonApiGatewayUrl.SA_NP, + [Cluster.SA_PROD]: InternalCommonApiGatewayUrl.SA_PROD, + [Cluster.PPL_NONPROD]: InternalCommonApiGatewayUrl.PPL_NP, + [Cluster.PPL_PROD]: InternalCommonApiGatewayUrl.PPL_PROD, + [Cluster.IAPL_PROD]: InternalCommonApiGatewayUrl.IAPL_PROD, +}; + const rateLimitOptions = ['header', 'path']; const GatewayAttributes = (props: any = { sourceGatewayPath: string }) => { const { sourceGatewayPath } = props; const classes = useStyles(); const { values }: { values: any } = useFormikContext(); + const cluster = values?.cluster; const attributeStateValue = typeof getIn(values, sourceGatewayPath) !== 'undefined' ? getIn(values, sourceGatewayPath) : []; const deployedState = attributeStateValue.map( (gatewayAttributes: any) => gatewayAttributes.isDeployed, ); + const externalAuthAllowed = + cluster in ExternalAuthEnabledMap ? ExternalAuthEnabledMap[cluster] : undefined; return ( { />{' '} - - - } - label="Use External Auth Service" - /> - - + {externalAuthAllowed ? ( + + + } + label="Use External Auth Service" + /> + + + ) : ( + <> + )} 
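Review bot: Hiding the "Use External Auth Service" checkbox when `externalAuthAllowed` is falsy only removes the control. Nothing visible in this patch clears or rejects a value that is already present in the manifest for a cluster outside `ExternalAuthEnabledMap`, so such a manifest would presumably keep the setting with no way to see or change it in the form. The same applies to the internal gateway select gated on `internalGatewayUrl` in the `@@ -226,6 +247,8 @@` hunk, and PATCH 5/7 then makes that field optional in the schema. Consider enforcing the per-cluster allow-list in the validation schema too, or resetting the field when the selected cluster is not allowed; the body of GatewayAttributes continues outside the hunk.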
@@ -226,6 +247,8 @@ const ApiGatewayForm = () => { const gatewayStateValue = typeof getIn(values, gatewayPath) !== 'undefined' ? getIn(values, gatewayPath) : []; const deployedState = gatewayStateValue.map((gateway: any) => gateway.isDeployed); + const internalGatewayUrl = + cluster in InternalCommonApiGatewayUrlMap ? InternalCommonApiGatewayUrlMap[cluster] : undefined; return ( { > {toMenuItems(ExternalCommonApiGatewayUrlMap[cluster])} - - {toMenuItems(InternalCommonApiGatewayUrlMap[cluster])} - + {internalGatewayUrl !== undefined ? ( + + {toMenuItems(InternalCommonApiGatewayUrlMap[cluster])} + + ) : ( + <> + )} From a5de1cf078c3a0714cb0414017132b31347511b7 Mon Sep 17 00:00:00 2001 From: Abhishek Katiyar Date: Fri, 15 Nov 2024 14:50:55 +0530 Subject: [PATCH 3/7] INFRA-3897 | Abhishek | Enable external auth only in gi-nonprod and pay-nonprod clusters --- src/coreform/deployment/ApiGatewayForm.tsx | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/src/coreform/deployment/ApiGatewayForm.tsx b/src/coreform/deployment/ApiGatewayForm.tsx index 3479244..b98ffb4 100644 --- a/src/coreform/deployment/ApiGatewayForm.tsx +++ b/src/coreform/deployment/ApiGatewayForm.tsx 
@@ -69,17 +69,8 @@ const InternalCommonApiGatewayUrlMap = {
 };
 const ExternalAuthEnabledMap = {
- [Cluster.LENDING_NP]: InternalCommonApiGatewayUrl.LENDING_NP,
- [Cluster.LENDING_PROD]: InternalCommonApiGatewayUrl.LENDING_PROD,
- [Cluster.PAY_NP]: InternalCommonApiGatewayUrl.PAY_NP,
- [Cluster.PAY_PROD]: InternalCommonApiGatewayUrl.PAY_PROD,
 [Cluster.GI_NP]: InternalCommonApiGatewayUrl.GI_NP,
- [Cluster.GI_PROD]: InternalCommonApiGatewayUrl.GI_PROD,
- [Cluster.SA_NP]: InternalCommonApiGatewayUrl.SA_NP,
- [Cluster.SA_PROD]: InternalCommonApiGatewayUrl.SA_PROD,
- [Cluster.PPL_NONPROD]: InternalCommonApiGatewayUrl.PPL_NP,
- [Cluster.PPL_PROD]: InternalCommonApiGatewayUrl.PPL_PROD,
- [Cluster.IAPL_PROD]: InternalCommonApiGatewayUrl.IAPL_PROD,
+ [Cluster.PAY_NP]: InternalCommonApiGatewayUrl.PAY_NP,
 };
 const rateLimitOptions = ['header', 'path'];
From 482c3bafa96d8f4b0a260b048c8be0a79d5f38ac Mon Sep 17 00:00:00 2001
From: Abhishek Katiyar
Date: Fri, 15 Nov 2024 14:51:57 +0530
Subject: [PATCH 4/7] INFRA-3897 | Abhishek | Disable interna api-gateway urls in all clusters
---
 src/coreform/deployment/ApiGatewayForm.tsx | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)
diff --git a/src/coreform/deployment/ApiGatewayForm.tsx b/src/coreform/deployment/ApiGatewayForm.tsx
index b98ffb4..5c3a1ec 100644
--- a/src/coreform/deployment/ApiGatewayForm.tsx
+++ b/src/coreform/deployment/ApiGatewayForm.tsx
@@ -54,19 +54,7 @@ const ExternalCommonApiGatewayUrlMap = {
 [Cluster.IAPL_PROD]: ExternalCommonApiGatewayUrl.IAPL_PROD,
 };
-const InternalCommonApiGatewayUrlMap = {
- [Cluster.LENDING_NP]: InternalCommonApiGatewayUrl.LENDING_NP,
- [Cluster.LENDING_PROD]: InternalCommonApiGatewayUrl.LENDING_PROD,
- [Cluster.PAY_NP]: InternalCommonApiGatewayUrl.PAY_NP,
- [Cluster.PAY_PROD]: InternalCommonApiGatewayUrl.PAY_PROD,
- [Cluster.GI_NP]: InternalCommonApiGatewayUrl.GI_NP,
- [Cluster.GI_PROD]: InternalCommonApiGatewayUrl.GI_PROD,
- [Cluster.SA_NP]: InternalCommonApiGatewayUrl.SA_NP,
- [Cluster.SA_PROD]: InternalCommonApiGatewayUrl.SA_PROD,
- [Cluster.PPL_NONPROD]: InternalCommonApiGatewayUrl.PPL_NP,
- [Cluster.PPL_PROD]: InternalCommonApiGatewayUrl.PPL_PROD,
- [Cluster.IAPL_PROD]: InternalCommonApiGatewayUrl.IAPL_PROD,
-};
+const InternalCommonApiGatewayUrlMap = {};
 const ExternalAuthEnabledMap = {
 [Cluster.GI_NP]: InternalCommonApiGatewayUrl.GI_NP,
From 6a7c00c43eb8964022f2fd5e01126045f5a777fe Mon Sep 17 00:00:00 2001
From: Abhishek Katiyar
Date: Fri, 15 Nov 2024 14:58:00 +0530
Subject: [PATCH 5/7] INFRA-3897 | Abhishek | internalGatewayUrl for commonApiGateways should not be mandatory
---
 src/models/ManifestValidationSchema.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/models/ManifestValidationSchema.ts b/src/models/ManifestValidationSchema.ts
index a94b5d9..6b002ff 100644
--- a/src/models/ManifestValidationSchema.ts
+++ b/src/models/ManifestValidationSchema.ts
@@ -163,7 +163,7 @@ const commonApiGatewayValidationSchema = yup
 .of(
 yup.object({
 commonApiGatewayUrl: yup.string().required('is Required'),
- internalCommonApiGatewayUrl: yup.string().required('is Required'),
+ internalCommonApiGatewayUrl: yup.string(),
 gatewayAttributes: yup.array().of(
 yup.object({
 pathName: yup
From 1262dda44f3ab19218e20af1fffef499d2abec0e Mon Sep 17 00:00:00 2001
From: Abhishek Katiyar
Date: Fri, 15 Nov 2024 15:47:15 +0530
Subject: [PATCH 6/7] INFRA-3897 | Abhishek | Extract map into separate constant file
---
 src/constants/CommonApiGatewayUrl.tsx | 5 +++++
 src/coreform/deployment/ApiGatewayForm.tsx | 12 +++++-------
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/constants/CommonApiGatewayUrl.tsx b/src/constants/CommonApiGatewayUrl.tsx
index 066d9a2..3fb1ea9 100644
--- a/src/constants/CommonApiGatewayUrl.tsx
+++ b/src/constants/CommonApiGatewayUrl.tsx
@@ -55,3 +55,8 @@ export class InternalCommonApiGatewayUrl {
 public static readonly PPL_PROD = ['internal-gateway.prod.navi-ppl.in'];
 public static readonly IAPL_PROD = ['internal-gateway.prod.navi-iapl.in'];
 }
+
+export class ExternalAuthEnabledMap {
+ public static readonly PAY_NP = true;
+ public static readonly GI_NP = true;
+}
diff --git a/src/coreform/deployment/ApiGatewayForm.tsx b/src/coreform/deployment/ApiGatewayForm.tsx
index 5c3a1ec..d57bcbc 100644
--- a/src/coreform/deployment/ApiGatewayForm.tsx
+++ b/src/coreform/deployment/ApiGatewayForm.tsx
@@ -8,7 +8,10 @@ import { getIn, useFormikContext } from 'formik';
 import NotConfigured from '../NotConfiguredPanel';
 import { Table, TableFooter, TableRow } from '@material-ui/core';
 import { Cluster } from '../../constants/Cluster';
-import { ExternalCommonApiGatewayUrl } from '../../constants/CommonApiGatewayUrl';
+import {
+ ExternalAuthEnabledMap,
+ ExternalCommonApiGatewayUrl,
+} from '../../constants/CommonApiGatewayUrl';
 import { InternalCommonApiGatewayUrl } from '../../constants/CommonApiGatewayUrl';
 import { string } from 'yup';
 import { FormikCheckbox } from '../../components/common/FormikCheckbox';
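Review bot: The new `ExternalAuthEnabledMap` class is keyed by the static names `PAY_NP` and `GI_NP`, but the lookup in the `@@ -74,7 +72,7 @@` hunk of ApiGatewayForm.tsx still indexes it with `values.cluster`, which the removed object keyed as `[Cluster.GI_NP]` and `[Cluster.PAY_NP]`. Unless every Cluster value is spelled exactly like its member name (Cluster is not visible here), `cluster in ExternalAuthEnabledMap` is false for those two clusters and the external-auth checkbox disappears everywhere. `in` on a class also matches built-in function properties such as `name`, which would yield a truthy string. A set of cluster values keeps the old keying: `export const ExternalAuthEnabledClusters = new Set([Cluster.PAY_NP, Cluster.GI_NP]);` with `const externalAuthAllowed = ExternalAuthEnabledClusters.has(cluster);` at the call site.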
@@ -56,11 +59,6 @@ const ExternalCommonApiGatewayUrlMap = {
 const InternalCommonApiGatewayUrlMap = {};
-const ExternalAuthEnabledMap = {
- [Cluster.GI_NP]: InternalCommonApiGatewayUrl.GI_NP,
- [Cluster.PAY_NP]: InternalCommonApiGatewayUrl.PAY_NP,
-};
-
 const rateLimitOptions = ['header', 'path'];
 const GatewayAttributes = (props: any = { sourceGatewayPath: string }) => {
@@ -74,7 +72,7 @@ const GatewayAttributes = (props: any = { sourceGatewayPath: string }) => {
 (gatewayAttributes: any) => gatewayAttributes.isDeployed,
 );
 const externalAuthAllowed =
- cluster in ExternalAuthEnabledMap ? ExternalAuthEnabledMap[cluster] : undefined;
+ cluster in ExternalAuthEnabledMap ? ExternalAuthEnabledMap[cluster] : false;
 return (
Date: Wed, 20 Nov 2024 15:39:46 +0530
Subject: [PATCH 7/7] INFRA-4009 | Ankit Bhardwaj | add validation for restrictive policy (#723)
---
 src/models/s3BucketsValidationSchema.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/models/s3BucketsValidationSchema.ts b/src/models/s3BucketsValidationSchema.ts
index 5cab72e..a1872bc 100644
--- a/src/models/s3BucketsValidationSchema.ts
+++ b/src/models/s3BucketsValidationSchema.ts
@@ -30,12 +30,15 @@ function isS3WildcardAction(action: string | string[]): boolean {
 function createContextError(context: any, message: string): boolean {
 return context.createError({ message });
 }
+function isPrincipalRestrictive(principal: any): boolean {
+ return principal === '*' || principal?.AWS === '*' || principal?.AWS?.includes('*');
+}
 function isStatementTooRestrictive(statements: any): boolean {
 return statements.some(
 (statement: any) =>
- statement.Principal === '*' &&
 statement.Effect === 'Deny' &&
+ isPrincipalRestrictive(statement.Principal) &&
 isS3WildcardAction(statement.Action),
 );
 }
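Review bot: `isPrincipalRestrictive` calls `principal?.AWS?.includes('*')` without knowing whether `AWS` is a string or an array, so a string principal is matched by substring (any principal text containing `*`) while an array is matched by exact element. A principal object without an `AWS` key also makes the function return `undefined` despite the `boolean` annotation. Narrowing first keeps the check exact: `const aws = principal?.AWS;` followed by `return principal === '*' || aws === '*' || (Array.isArray(aws) && aws.includes('*'));`. Separately, `isStatementTooRestrictive` does not look at `Condition`, so a wildcard Deny that is scoped by a condition is rejected the same way as an unconditional one; with the wider principal match that now covers more policies, so it is worth confirming this is intended.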