Add validator to restrict sender ids like NHSNoReply

NCSC are trying to reduce the number of sender IDs in use to help people know they are coming from a legitimate place. One of the sender ids with lots of variation is NHSNoReply This PR stops new people registering new sender ids with nhs and no and reply in any order, apart from NHSNoReply
alphagov · Sep 23, 2024 · 0b70d0d · 0b70d0d
1 parent b6b1930
commit 0b70d0d
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 0 deletions.
diff --git a/app/main/forms.py b/app/main/forms.py
@@ -70,6 +70,7 @@
     IsAUKMobileNumberOrShortCode,
     IsNotAGenericSenderID,
     IsNotAPotentiallyMaliciousSenderID,
+    IsNotLikeNHSNoReply,
     Length,
     MustContainAlphanumericCharacters,
     NoCommasInPlaceHolders,
@@ -1832,6 +1833,7 @@ class ServiceSmsSenderForm(StripWhitespaceForm):
             IsNotAGenericSenderID(),
             IsNotAPotentiallyMaliciousSenderID(),
             IsAUKMobileNumberOrShortCode(),
+            IsNotLikeNHSNoReply(),
         ],
     )
     is_default = GovukCheckboxField("Make this text message sender ID the default")

diff --git a/app/main/validators.py b/app/main/validators.py
@@ -193,6 +193,23 @@ def __call__(self, form, field):
             raise ValidationError(self.message)
 
 
+class IsNotLikeNHSNoReply:
+    def __init__(
+        self,
+        message="Text message sender ID has to be NHSNoReply if being used for that purpose.",
+    ):
+        self.message = message
+
+    def __call__(self, form, field):
+        lower_cased_data = field.data.lower()
+        if (
+            field.data
+            and ("nhs" in lower_cased_data and "no" in lower_cased_data and "reply" in lower_cased_data)
+            and not field.data == "NHSNoReply"
+        ):
+            raise ValidationError(self.message)
+
+
 def create_phishing_senderid_zendesk_ticket(senderID=None):
     ticket_message = render_template(
         "support-tickets/phishing-senderid.txt",

diff --git a/tests/app/main/forms/test_service_sms_senders_form.py b/tests/app/main/forms/test_service_sms_senders_form.py
@@ -45,6 +45,14 @@
             True,
             True,
         ),  # Evri is a user id that will be set in the
+        ("NHSNoReply", False, None, False, False),  # NHSNoReply is allowed
+        (
+            "NHSno Reply",
+            True,
+            "Text message sender ID has to be NHSNoReply if being used for that purpose.",
+            False,
+            False,
+        ),  # NHS-No Reply and variants are not allowed
         pytest.param(
             "'UC'", False, None, False, False, marks=pytest.mark.xfail
         ),  # Apostrophes can cause SMS delivery issues