Merge remote-tracking branch 'hmpps-integration-api-docs/main' into merge-tech-docs

Author: mxco86

.github/dependabot.yml

@@ -11,6 +11,17 @@ updates:
           - "patch"
         patterns:
           - "*"
+  - package-ecosystem: "bundler"
+    directory: "/tech-docs"
+    schedule:
+      interval: "weekly"
+    groups:
+      minor:
+        update-types:
+          - "minor"
+          - "patch"
+        patterns:
+          - "*"
 
   - package-ecosystem: "github-actions"
     directory: "/"

.github/workflows/format-code.yml

@@ -0,0 +1,17 @@
+name: Format code
+
+on:
+  pull_request:
+    types: [opened, edited, reopened, synchronize]
+
+jobs:
+  format-code:
+    name: 🧹 Format code
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Format code
+        uses: ministryofjustice/github-actions/code-formatter@v14
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/publish.yml

@@ -0,0 +1,53 @@
+name: Publish gh-pages
+
+on:
+  workflow_dispatch:
+  push:
+    paths-ignore:
+      - "docs/**"
+
+# GITHUB_TOKEN permissions to allow deployment to GitHub Pages
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+  group: "pages"
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: 🏗 Build application
+    runs-on: ubuntu-latest
+    container:
+      image: ministryofjustice/tech-docs-github-pages-publisher:v3.0.1
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Compile Markdown to HTML and create artifact
+        run: |
+          /scripts/deploy.sh
+        working-directory: tech-docs/
+      - name: Upload artifact to be published
+        uses: actions/upload-artifact@v4
+        with:
+          name: github-pages
+          path: artifact.tar
+          retention-days: 1
+
+  deploy:
+    name: 🚀 Deploy application
+    needs: build
+    if: github.ref_name == 'main'
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup Pages
+        uses: actions/configure-pages@v5
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

.github/workflows/review-dependency-changes.yml

@@ -0,0 +1,22 @@
+# Need a GitHub Advanced Security license to run this action on private repos.
+
+name: Review dependency changes
+on:
+  pull_request:
+    types: [opened, edited, reopened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  review-dependency-changes:
+    name: 🕵️ Review dependency changes
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+      - name: Review dependency changes
+        uses: actions/dependency-review-action@v4
+        with:
+          # Possible values: critical, high, moderate, low
+          fail-on-severity: critical

.gitignore

@@ -89,3 +89,6 @@ __pycache__/
 
 # Localstack
 localstack/cache
+
+.env
+.idea

Makefile

@@ -1,3 +1,5 @@
+IMAGE := ministryofjustice/tech-docs-github-pages-publisher:v3
+
 authenticate-docker:
 	./scripts/authenticate_docker.sh
 
@@ -49,4 +51,23 @@ check:
 generate-client-certificate:
 	cd ./scripts/client_certificates && ./generate.sh
 
-.PHONY: authenticate-docker build-dev test serve publish unit-test smoke-test build lint
+preview-docs:
+	docker run --rm \
+		-v $$(pwd)/config:/app/config \
+		-v $$(pwd)/source:/app/source \
+		-p 4567:4567 \
+		-it $(IMAGE) /scripts/preview.sh
+
+deploy-docs:
+	docker run --rm \
+		-v $$(pwd)/config:/app/config \
+		-v $$(pwd)/source:/app/source \
+		-it $(IMAGE) /scripts/deploy.sh
+
+check-docs:
+	docker run --rm \
+		-v $$(pwd)/config:/app/config \
+		-v $$(pwd)/source:/app/source \
+		-it $(IMAGE) /scripts/check-url-links.sh
+
+.PHONY: authenticate-docker build-dev test serve publish unit-test smoke-test build lint preview-docs check-docs

docs/.gitkeep

@@ -0,0 +1,2 @@
+source "https://rubygems.org"
+ruby "3.1.0"

tech-docs/Gemfile

@@ -0,0 +1,17 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+
+PLATFORMS
+  arm64-darwin-21
+  x64-mingw32
+  x86_64-darwin-20
+  x86_64-linux
+
+DEPENDENCIES
+
+RUBY VERSION
+   ruby 3.1.0
+
+BUNDLED WITH
+   2.4.5

tech-docs/Gemfile.lock

@@ -0,0 +1,70 @@
+# HMPPS Integration API Documentation Site
+
+[![repo standards badge](https://img.shields.io/badge/dynamic/json?color=blue&style=flat&logo=github&label=MoJ%20Compliant&query=%24.result&url=https%3A%2F%2Foperations-engineering-reports.cloud-platform.service.justice.gov.uk%2Fapi%2Fv1%2Fcompliant_public_repositories%2Ftemplate-documentation-site)](https://operations-engineering-reports.cloud-platform.service.justice.gov.uk/public-github-repositories.html#template-documentation-site "Link to report")
+
+## Contents
+
+- [About this project](#about-this-project)
+- [Getting started](#getting-started)
+  - [Prerequisites](#prerequisites)
+  - [Installation](#installation)
+- [Usage](#usage)
+  - [Running the application](#running-the-application)
+  - [Running checks](#running-checks)
+  - [Updating configuration](#updating-configuration)
+- [Publishing](#publishing)
+
+## About this project
+
+This repository is used to generate the [technical documentation website](https://ministryofjustice.github.io/hmpps-integration-api-docs) for the [HMPPS Integration API](https://github.com/ministryofjustice/hmpps-integration-api).
+
+## Getting started
+
+### Prerequisites
+
+- [Docker](https://www.docker.com/get-started/)
+- [Ruby](https://github.com/rbenv/rbenv)
+
+### Installation
+
+1. Clone the repository.
+
+```bash
+git clone git@github.com:ministryofjustice/hmpps-integration-api-docs.git
+```
+
+## Usage
+
+### Running the application
+
+To run the application for local development:
+
+```bash
+make preview
+```
+
+Then visit http://localhost:4567.
+
+### Running checks
+
+To check the application compiles and URLs are valid:
+
+```bash
+make check
+```
+
+For more details see the [Tech Docs GitHub Pages Publisher GitHub repository](https://github.com/ministryofjustice/tech-docs-github-pages-publisher).
+
+### Updating configuration
+
+Aspects of the documentation site such as the header and sidebar can be configured using [config/tech-docs.yml](config/tech-docs.yml). Further configuration options are described on the [Tech Docs Template website: Global Configuration](https://tdt-documentation.london.cloudapps.digital/configure_project/global_configuration/).
+
+## Publishing
+
+Changes pushed or merged into to `main` are automatically published to GitHub Pages and viewable at https://ministryofjustice.github.io/hmpps-integration-api-docs.
+
+## Reviewing
+
+Should you need to review the content of our documentation, ensure that the `review_in` field is updated as part of the front matter of the markdown page. This should be formatted `yyyy-mm-dd`.
+
+A Ministry of Justice tool named [Tech Docs Monitor _also known as_ Daniel the Manual Spaniel](https://github.com/ministryofjustice/tech-docs-monitor) will send a notification to the Slack channel specified in the `owner_slack` property when a document is due for review.

tech-docs/README.md

@@ -0,0 +1,40 @@
+# See the available options: https://tdt-documentation.london.cloudapps.digital/configure_project/global_configuration/#configure-your-documentation-site
+
+# Host to use for canonical URL generation (without trailing slash)
+host: https://ministryofjustice.github.io/hmpps-integration-api-docs
+
+# Header-related options
+show_govuk_logo: false
+service_name: HMPPS Integration API And Events Documentation
+service_link: /
+
+# Links to show on right-hand-side of header
+header_links:
+  Docs GitHub: https://github.com/ministryofjustice/hmpps-integration-api-docs
+  Integration API GitHub: https://github.com/ministryofjustice/hmpps-integration-api
+  Integration Events Github: https://github.com/ministryofjustice/hmpps-integration-events
+
+# Enables search functionality. This indexes pages only and is not recommended for single-page sites.
+enable_search: true
+
+# Tracking ID from Google Analytics (e.g. UA-XXXX-Y)
+ga_tracking_id:
+
+# Enable collapsible navigation in the sidebar
+collapsible_nav: true
+
+multipage_nav: true
+
+# Table of contents depth – how many levels to include in the table of contents.
+# If your ToC is too long, reduce this number and we'll only show higher-level
+# headings.
+max_toc_heading_level: 2
+
+# Prevent robots from indexing (e.g. whilst in development)
+prevent_indexing: true
+
+show_contribution_banner: true
+github_repo: ministryofjustice/hmpps-integration-api-docs
+github_branch: main
+
+api_path: https://ministryofjustice.github.io/hmpps-integration-api/openapi/api-docs.json

tech-docs/config/tech-docs.yml

@@ -0,0 +1,46 @@
+---
+title: API Changes and Versioning
+weight: 4
+owner_slack: "#hmpps-integration-api-alerts"
+last_reviewed_on: 2024-09-03
+review_in: 3 months
+---
+
+# API Changes and Versioning
+
+As HMPPS Integration API evolves, more features will be added, and features that already exist will change. Both consumers and MOJ must be prepared to handle these changes, and to manage them carefully.
+
+There will broadly speaking be two kinds of changes - "non-breaking" changes, where consumers should be able to use the new version without modifying their usage, and "breaking" changes where we would expect that consumers would not be able to seamlessly use the new version.
+
+## Non-Breaking Change
+
+We would like to minimise the number of breaking changes, and where this is not possible, we will increment the API version and manage the migration.
+
+- MOJ - must not change or remove an existing data element unless we are certain it is not in use
+- MOJ - must update documentation to reflect any changes
+- MOJ - may add new elements and change/remove elements that we know are not in use
+- Consumers - implementation must accept new elements and changes to elements that are not in use (i.e. it must be resilient to non-breaking API changes)
+
+## Breaking Change
+
+Where a non-breaking change is not possible, there is then a breaking change. In this case, we will increment the version of the API
+
+- MOJ - must update documentation, and explicitly call out the change between versions
+- MOJ - must distribute the new documentation as soon as practical
+- MOJ - must run both versions of the API, as long as this is practical, for at least 1 month
+- Consumers - must commit to moving to the new version of the API within a reasonable timescale, usually 1 month
+- Depending on the size of the change, MOJ may require the Consumer to go through additional re-assurance steps
+
+## Ongoing Assurance
+
+As part of including new functionality into the system, new processes will be available to be undertaken via the API. As these are introduced, we will ask consumers to go through further rounds of assurance, broadly similar to the initial round described above.
+
+## URI Path
+
+Where versioning must be implemented, it will be in the form of a path parameter:
+
+```
+https://integration-api.hmpps.service.justice.gov.uk/v1/images/123456
+```
+
+Versions will increment by major version only and no minor version updates will be supported.

tech-docs/source/api-changes-and-versioning.html.md.erb

@@ -0,0 +1,42 @@
+---
+title: Authentication
+weight: 3
+owner_slack: "#hmpps-integration-api-alerts"
+last_reviewed_on: 2024-09-03
+review_in: 3 months
+---
+
+# Authentication
+
+## Reading from the API
+
+API consumers are authenticated on a service to service level using:
+
+- [Mutual TLS](https://www.cloudflare.com/en-gb/learning/access-management/what-is-mutual-tls/) to ensure trust on both the server and client side
+- API keys to track and manage usage of the client
+
+Using mutual TLS authentication allows HMPPS to additionally verify the identity of a consumer before securely providing any data and therefore a client must present it's own TLS certificate, issued by HMPPS, as part of making a request. Providing an API key enables per-client management of API interactions such as rate limiting and therefore a valid API key must also be presented as part of making a request.
+
+Providing a client certificate and key for mTLS is dependent on the tools used to make the request. As an example when using `curl` the certificate and key are provided as request parameters. If a valid TLS certificate and private key is not supplied the TLS handshake will not complete.
+
+Providing an API key can be done using an HTTP header called `x-api-key` with the value of the API key as the header value, ensuring it's not encoded in Base64. If a valid API key is not supplied a `403 Forbidden` HTTP response is returned.
+
+### Example: Read from an API Endpoint
+
+To make an authenticated data request to the API using the client-specific TLS certificate, private key and API key:
+
+```sh
+curl --cert <client-cert-file> --key <client-key-file> -X GET https://<environment>.integration-api.hmpps.service.justice.gov.uk/v1/persons/X802678/risks/scores -H 'x-api-key: <api-key>'
+```
+
+## Interacting with an HMPPS SQS Queue
+
+For consumers that have an SQS queue configured, temporary AWS access credentials that can be used with standard AWS tooling to interact with SQS can be obtained by calling the `/token` endpoint. Both a valid TLS certificate and an API key must be supplied with the token request. Note that the token endpoint is not versioned.
+
+### Example: Create and Read a Temporary SQS Token
+
+To make an authenticated token request to the API using the client-specific TLS certificate, private key and API key:
+
+```sh
+curl --cert <client-cert-file> --key <client-key-file> -X POST https://<environment>.integration-api.hmpps.service.justice.gov.uk/token -H 'x-api-key: <api-key>'
+```

tech-docs/source/authentication.html.md.erb

@@ -0,0 +1,15 @@
+---
+title: Architecture Decision Records
+weight: 9
+owner_slack: "#hmpps-integration-api-alerts"
+last_reviewed_on: 2024-09-03
+review_in: 3 months
+---
+
+# Relevant Architecture Decision Records
+
+| Status                                             | Adr No. | Title                                     |
+|----------------------------------------------------|---------|-------------------------------------------|
+| <strong class="govuk-tag--green">ACCEPTED</strong> | 0004    | [Always return a JSON object for JSON responses](https://github.com/ministryofjustice/hmpps-integration-api/blob/main/docs/adr/0004-always-return-a-json-object-for-json-responses.md) |
+| <strong class="govuk-tag--green">ACCEPTED</strong> | 0006    | [URL-encode path parameters that contain a forward slash](https://github.com/ministryofjustice/hmpps-integration-api/blob/main/docs/adr/0006-url-encode-path-parameters.md) |
+| <strong class="govuk-tag--green">ACCEPTED</strong> | 0007    | [Version through URL path](https://github.com/ministryofjustice/hmpps-integration-api/blob/main/docs/adr/0007-version-through-url-path.md) |