From 0b70d0d107527462d014f5802caae05f3b67418a Mon Sep 17 00:00:00 2001
From: Will Pearson
Date: Mon, 23 Sep 2024 11:50:34 +0100
Subject: [PATCH] Add validator to restrict sender ids like NHSNoReply
NCSC are trying to reduce the number of sender IDs in use to help people know they are coming from a legitimate place. One of the sender ids with lots of variation is NHSNoReply This PR stops new people registering new sender ids with nhs and no and reply in any order, apart from NHSNoReply
---
 app/main/forms.py | 2 ++
 app/main/validators.py | 17 +++++++++++++++++
 .../main/forms/test_service_sms_senders_form.py | 8 ++++++++
 3 files changed, 27 insertions(+)
diff --git a/app/main/forms.py b/app/main/forms.py
index f483e042a7..96e5f87ad5 100644
--- a/app/main/forms.py
+++ b/app/main/forms.py
@@ -70,6 +70,7 @@
 IsAUKMobileNumberOrShortCode,
 IsNotAGenericSenderID,
 IsNotAPotentiallyMaliciousSenderID,
+ IsNotLikeNHSNoReply,
 Length,
 MustContainAlphanumericCharacters,
 NoCommasInPlaceHolders,
@@ -1832,6 +1833,7 @@ class ServiceSmsSenderForm(StripWhitespaceForm):
 IsNotAGenericSenderID(),
 IsNotAPotentiallyMaliciousSenderID(),
 IsAUKMobileNumberOrShortCode(),
+ IsNotLikeNHSNoReply(),
 ],
 )
 is_default = GovukCheckboxField("Make this text message sender ID the default")
diff --git a/app/main/validators.py b/app/main/validators.py
index 6d2c7f6b72..ecf7927fe5 100644
--- a/app/main/validators.py
+++ b/app/main/validators.py
@@ -193,6 +193,23 @@ def __call__(self, form, field):
 raise ValidationError(self.message)
+class IsNotLikeNHSNoReply:
+ def __init__(
+ self,
+ message="Text message sender ID has to be NHSNoReply if being used for that purpose.",
+ ):
+ self.message = message
+
+ def __call__(self, form, field):
+ lower_cased_data = field.data.lower()
+ if (
+ field.data
+ and ("nhs" in lower_cased_data and "no" in lower_cased_data and "reply" in lower_cased_data)
+ and not field.data == "NHSNoReply"
+ ):
+ raise ValidationError(self.message)
+
+
 def create_phishing_senderid_zendesk_ticket(senderID=None):
 ticket_message = render_template(
 "support-tickets/phishing-senderid.txt",
diff --git a/tests/app/main/forms/test_service_sms_senders_form.py b/tests/app/main/forms/test_service_sms_senders_form.py
index 4cc0c530af..3df4987422 100644
--- a/tests/app/main/forms/test_service_sms_senders_form.py
+++ b/tests/app/main/forms/test_service_sms_senders_form.py
@@ -45,6 +45,14 @@
 True,
 True,
 ), # Evri is a user id that will be set in the
+ ("NHSNoReply", False, None, False, False), # NHSNoReply is allowed
+ (
+ "NHSno Reply",
+ True,
+ "Text message sender ID has to be NHSNoReply if being used for that purpose.",
+ False,
+ False,
+ ), # NHS-No Reply and variants are not allowed
 pytest.param(
 "'UC'", False, None, False, False, marks=pytest.mark.xfail
 ), # Apostrophes can cause SMS delivery issues
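Review bot: In `IsNotLikeNHSNoReply.__call__`, `field.data.lower()` is evaluated before the `field.data` truthiness test, so a field whose data is `None` raises `AttributeError` instead of being skipped, and the guard inside the `if` protects nothing. Computing it as `lower_cased_data = (field.data or "").lower()` keeps the intent; whether an earlier validator in the chain already rules out `None` is not visible in this hunk. Separately, the check only recognises the literal fragments `nhs`, `no` and `reply`, so spellings that merely look like NHSNoReply still pass. A one-line class docstring stating that the validator rejects IDs containing all three fragments in any order and any case unless the value is exactly `NHSNoReply`, and that it does not catch lookalike spellings, would make that limit explicit. `not field.data == "NHSNoReply"` reads more plainly as `field.data != "NHSNoReply"`.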
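Review bot: The new parametrize rows cover only the exact allowed value and one spaced variant, although the commit message promises rejection "in any order" and the validator lower-cases its input; neither a reordered ID nor an all-lower-case `nhsnoreply` is exercised. Adding rows in the same shape, e.g. `("nhsnoreply", True, "Text message sender ID has to be NHSNoReply if being used for that purpose.", False, False),` plus one with the fragments reordered, would pin both behaviours, assuming the form's other validators accept those values. The trailing comment says `NHS-No Reply` while the value under test is `"NHSno Reply"`; the two should be aligned. The parametrize list starts and ends outside the hunk.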