From fea559623431fafdce1f440a570b41037e4e7483 Mon Sep 17 00:00:00 2001
From: David McDonald
Date: Mon, 6 Dec 2021 15:59:13 +0000
Subject: [PATCH] Add security policy page

This follows the guidance in https://gds-way.cloudapps.digital/standards/vulnerability-disclosure.html#vulnerability-disclosure-and-security-txt
---
 app/main/__init__.py | 1 +
 app/main/views/security_policy.py | 11 +++++++++++
 tests/app/main/views/test_security_policy.py | 13 +++++++++++++
 tests/app/test_navigation.py | 1 +
 4 files changed, 26 insertions(+)
 create mode 100644 app/main/views/security_policy.py
 create mode 100644 tests/app/main/views/test_security_policy.py

diff --git a/app/main/__init__.py b/app/main/__init__.py
index eb9366e53..860b8b01e 100644
--- a/app/main/__init__.py
+++ b/app/main/__init__.py
@@ -33,6 +33,7 @@ from app.main.views import ( # noqa isort:skip
     providers,
     register,
     returned_letters,
+    security_policy,
     send,
     service_settings,
     sign_in,
diff --git a/app/main/views/security_policy.py b/app/main/views/security_policy.py
new file mode 100644
index 000000000..b4d284c0f
--- /dev/null
+++ b/app/main/views/security_policy.py
@@ -0,0 +1,11 @@
+from flask import redirect
+
+from app.main import main
+
+
+@main.route('/.well-known/security.txt', methods=['GET'])
+@main.route('/security.txt', methods=['GET'])
+def security_policy():
+    # See GDS Way security policy which this implements
+    # https://gds-way.cloudapps.digital/standards/vulnerability-disclosure.html#vulnerability-disclosure-and-security-txt
+    return redirect("https://vdp.cabinetoffice.gov.uk/.well-known/security.txt")
diff --git a/tests/app/main/views/test_security_policy.py b/tests/app/main/views/test_security_policy.py
new file mode 100644
index 000000000..71785e775
--- /dev/null
+++ b/tests/app/main/views/test_security_policy.py
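Review bot: `redirect(...)` in security_policy() answers with Flask's default 302, so scanners and caches treat the /.well-known/security.txt hand-off as temporary even though delegating to the central VDP file is the standing policy; if that is the intent, make it explicit with `return redirect("https://vdp.cabinetoffice.gov.uk/.well-known/security.txt", code=301)` and bump the test's `_expected_status` to match. The target is a fixed literal and is HTTPS, so there is no open-redirect surface and the RFC 9116 transport requirement is met. What the hunk cannot show is whether the `main` blueprint runs a login check in a before_request hook — if it does, an anonymous researcher would be bounced to sign-in instead of the policy, so confirm this route is exempt. The comment would also help a maintainer more if it said what the redirect target is rather than only citing the guidance: `# Notify has no security.txt of its own; hand off to the Cabinet Office VDP policy (per GDS Way guidance)`.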
@@ -0,0 +1,13 @@
+import pytest
+
+
+@pytest.mark.parametrize('url', [
+    '/security.txt',
+    '/.well-known/security.txt',
+])
+def test_security_policy_redirects_to_policy(client_request, url):
+    client_request.get_url(
+        url,
+        _expected_status=302,
+        _expected_redirect="https://vdp.cabinetoffice.gov.uk/.well-known/security.txt",
+    )
diff --git a/tests/app/test_navigation.py b/tests/app/test_navigation.py
index fad19a5db..4e783080b 100644
--- a/tests/app/test_navigation.py
+++ b/tests/app/test_navigation.py
@@ -212,6 +212,7 @@ EXCLUDED_ENDPOINTS = tuple(map(Navigation.get_endpoint_with_blueprint, {
     'roadmap',
     'save_contact_list',
     'security',
+    'security_policy',
     'send_files_by_email',
     'send_files_by_email_contact_details',
     'send_from_contact_list',
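Review bot: test_security_policy_redirects_to_policy only exercises the route through `client_request`, which in this suite appears to be a logged-in fixture, so it does not demonstrate that an anonymous scanner can reach /.well-known/security.txt — the only caller that matters for a disclosure policy. Consider adding a case that uses an unauthenticated test client and asserts the same status and Location, e.g. `assert client.get(url).headers['Location'] == "https://vdp.cabinetoffice.gov.uk/.well-known/security.txt"`. The status is also hard-pinned to 302, so the assertion will need to move with the view if the redirect is later made permanent.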