Merge branch 'main' into dependabot/go_modules/github.com/jackc/pgx/v…

…5-5.5.4

.github/CONTRIBUTING.md

@@ -0,0 +1,15 @@
+# Contribution expectations
+
+The following expectations apply to each PR:
+
+1. The PR and branch are named for [automatic linking](https://support.atlassian.com/jira-cloud-administration/docs/use-the-github-for-jira-app/) to the most relevant JIRA issue (for example, `JRA-123 Adds foo` for PR title and `jra-123-adds-foo` for branch name).
+2. Reviewers are selected to include people from all teams impacted by the changes in the PR.
+3. The PR has been assigned to the people who will respond to reviews and merge when ready (usually the person filing the review, but can change when a PR is handed off to someone else).
+4. The PR is reasonably limited in scope to ensure:
+   - It doesn't bunch together disparate features, fixes, refactorings, etc.
+   - There isn't too much of a burden on reviewers.
+   - Any problems it causes have a small blast radius.
+   - Changes will be easier to roll back if necessary.
+5. The PR includes any required documentation changes, including `README` updates and changelog or release notes entries.
+6. All new and modified code is appropriately commented to make the what and why of its design reasonably clear, even to those unfamiliar with the project.
+7. Any incomplete work introduced by the PR is detailed in `TODO` comments which include a JIRA ticket ID for any items that require urgent attention.

.github/pull_request_template.md

@@ -1,24 +1,21 @@
 ## 🎫 Ticket
 
-https://jira.cms.gov/browse/BCDA-xxx
+https://jira.cms.gov/browse/...
 
 ## 🛠 Changes
 
-(What was added, updated, or removed in this PR.)
+<!-- What was added, updated, or removed in this PR? -->
 
-## ℹ️ Context for reviewers
+## ℹ️ Context
 
-(Background context, more in-depth details of the implementation, and anything else you'd like to call out or ask reviewers.)
+<!-- Why were these changes made? Add background context suitable for a non-technical audience. -->
 
-## ✅ Acceptance Validation
+<!-- If any of the following security implications apply, this PR must not be merged without Stephen Walter's approval. Explain in this section and add @SJWalter11 as a reviewer.
+  - Adds a new software dependency or dependencies.
+  - Modifies or invalidates one or more of our security controls.
+  - Stores or transmits data that was not stored or transmitted before.
+  - Requires additional review of security implications for other reasons. -->
 
-(How were the changes verified? Did you fully test the acceptance criteria in the ticket? Provide reproducible testing instructions and screenshots if applicable.)
+## 🧪 Validation
 
-## 🔒 Security Implications
-
-- [ ] This PR adds a new software dependency or dependencies.
-- [ ] This PR modifies or invalidates one or more of our security controls.
-- [ ] This PR stores or transmits data that was not stored or transmitted before.
-- [ ] This PR requires additional review of its security implications for other reasons.
-
-If any security implications apply, add Jason Ashbaugh (GitHub username: StewGoin) as a reviewer and do not merge this PR without his approval.
+<!-- How were the changes verified? Did you fully test the acceptance criteria in the ticket? Provide reproducible testing instructions and screenshots if applicable. -->

.github/workflows/ci-workflow.yml

@@ -32,7 +32,7 @@ jobs:
         run: |
           make test
       - name: Archive code coverage results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: code-coverage-report
           path: ./test_results/latest/testcoverage.out
@@ -41,9 +41,12 @@ jobs:
     name: Sonarqube Quality Gate
     needs: build
     runs-on: self-hosted
+    env:
+      # Workaround until https://jira.cms.gov/browse/PLT-338 is implemented.
+      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: "true"
     steps:
       - name: Download code coverage
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
         with:
           name: code-coverage-report
       - name: Set env vars from AWS params

.github/workflows/dbdocs.yml

@@ -0,0 +1,27 @@
+# This workflow generates database documentation and ERD files.
+#
+name: Generate dbdocs
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/dbdocs.yml
+      - db/migrations
+
+jobs:
+  generate-docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Generate DB docs
+        run: make dbdocs
+
+      - uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
+        with:
+          add: dbdocs
+          message: "Generate dbdocs"
+          default_author: github_actions

.gitleaks.toml

@@ -0,0 +1,9 @@
+title = "DASG Standard"
+
+[extend]
+  useDefault = true
+
+[[rules]]
+  id = "mbi-detection"
+  description = "Detects a potential MBI pattern based on https://www.cms.gov/medicare/new-medicare-card/understanding-the-mbi.pdf"
+  regex = '''\b((?i)[1-9][ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]-?\d[ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]\d-?[ACDEFGHJKMNPQRTUVWXY]{2}\d{2})\b'''

.pre-commit-config.yaml

@@ -1,10 +1,10 @@
 repos:
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.16.1
+    rev: v8.19.2
     hooks:
       - id: gitleaks
   - repo: https://github.com/tekwizely/pre-commit-golang
-    rev: master
+    rev: v1.0.0-rc.1
     hooks:
       - id: go-imports
         args: ['-w']

Dockerfiles/Dockerfile.package

@@ -1,4 +1,4 @@
-FROM golang:1.19-alpine3.15
+FROM golang:1.21.12-alpine3.20
 
 ENV CGO_ENABLED=0
 

Dockerfiles/Dockerfile.ssas

@@ -1,18 +1,19 @@
-FROM golang:1.19-alpine3.15 AS documentation
+FROM golang:1.21.12-alpine3.20 AS documentation
 RUN apk update upgrade
-RUN apk add git build-base gcc
+RUN apk add git build-base gcc binutils-gold
 WORKDIR /go/src/github.com/CMSgov/bcda-ssas-app
 COPY . .
+ARG GO111MODULE=auto
 
 RUN dir=$(mktemp -d) && \
-    git clone -b v0.28.0 https://github.com/go-swagger/go-swagger "$dir" && \
+    git clone -b v0.31.0 https://github.com/go-swagger/go-swagger "$dir" && \
     cd "$dir" && \
     go install ./cmd/swagger
 
 WORKDIR /go/src/github.com/CMSgov/bcda-ssas-app/ssas/service/main
 RUN swagger generate spec -i ../../swaggerui/tags.yml -o ../../swaggerui/swagger.json -m
 
-FROM golang:1.19-alpine3.15 AS builder
+FROM golang:1.21.12-alpine3.20 AS builder
 ARG VERSION
 RUN apk update upgrade
 RUN apk add git
@@ -22,7 +23,7 @@ WORKDIR /go/src/github.com/CMSgov/bcda-ssas-app/ssas
 COPY --from=documentation /go/src/github.com/CMSgov/bcda-ssas-app/ssas/swaggerui ./swaggerui
 RUN go build -ldflags "-X github.com/CMSgov/bcda-ssas-app/ssas/constants.Version=$VERSION" -o ssas ./service/main
 
-FROM golang:1.19-alpine3.15
+FROM golang:1.21.12-alpine3.20
 RUN apk update upgrade
 RUN apk --no-cache add ca-certificates aws-cli curl
 WORKDIR /go/src/github.com/CMSgov/bcda-ssas-app

Dockerfiles/Dockerfile.tests

@@ -1,14 +1,14 @@
-FROM golang:1.19-alpine3.15
+FROM golang:1.21.12-alpine3.20
 
 RUN apk update upgrade
 
 RUN apk add bash build-base curl
 
 RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin
 
-RUN GO111MODULE=on go install github.com/xo/usql@v0.11.0
-RUN go install github.com/securego/gosec/v2/cmd/gosec@v2.12.0
-RUN go install gotest.tools/gotestsum@v1.8.1
+RUN GO111MODULE=on go install github.com/xo/usql@v0.17.5
+RUN go install github.com/securego/gosec/v2/cmd/gosec@v2.20.0
+RUN go install gotest.tools/gotestsum@v1.12.0
 RUN go install -tags 'postgres' github.com/golang-migrate/migrate/v4/cmd/[email protected]
 
 WORKDIR /go/src/github.com/CMSgov/bcda-ssas-app

Makefile

@@ -1,7 +1,7 @@
 package:
 	# This target should be executed by passing in an argument representing the version of the artifacts we are packaging
 	# For example: make package version=r1
-	docker-compose run --rm documentation swagger generate spec -i ../../swaggerui/tags.yml -o ../../swaggerui/swagger.json -m
+	docker compose run --rm documentation swagger generate spec -i ../../swaggerui/tags.yml -o ../../swaggerui/swagger.json -m
 	docker build -t packaging -f Dockerfiles/Dockerfile.package .
 	docker run --rm \
 	-e BCDA_GPG_RPM_PASSPHRASE='${BCDA_GPG_RPM_PASSPHRASE}' \
@@ -12,26 +12,28 @@ package:
 	-v ${PWD}:/go/src/github.com/CMSgov/bcda-ssas-app packaging $(version)
 
 lint:
-	docker-compose -f docker-compose.test.yml run --rm tests golangci-lint -e SA1029 -v run ./...
-	docker-compose -f docker-compose.test.yml run --rm tests gosec ./...
+	docker compose -f docker-compose.test.yml run --rm tests golangci-lint -e SA1029 --timeout 10m0s -v run ./...
+	docker compose -f docker-compose.test.yml run --rm tests gosec ./...
 
 # The following vars are available to tests needing SSAS admin credentials; currently they are used in smoke-test-ssas, postman-ssas, and unit-test-ssas
 # Note that these variables should only be used for smoke tests, must be set before the api starts, and cannot be changed after the api starts
 SSAS_ADMIN_CLIENT_ID ?= 31e029ef-0e97-47f8-873c-0e8b7e7f99bf
-SSAS_ADMIN_CLIENT_SECRET := $(shell docker-compose run --rm ssas sh -c 'ssas --reset-secret --client-id=$(SSAS_ADMIN_CLIENT_ID)'|tail -n1)
+SSAS_ADMIN_CLIENT_SECRET := $(shell docker compose run --rm ssas sh -c 'ssas --reset-secret --client-id=$(SSAS_ADMIN_CLIENT_ID)'|tail -n1)
 
 smoke-test:
-	docker-compose -f docker-compose.test.yml run --rm postman_test test/postman_test/SSAS_Smoke_Test.postman_collection.json -e test/postman_test/local.postman_environment.json --global-var "token=$(token)" --global-var adminClientId=$(SSAS_ADMIN_CLIENT_ID) --global-var adminClientSecret=$(SSAS_ADMIN_CLIENT_SECRET) --global-var ssas_client_assertion_aud=$(SASS_CLIENT_ASSERTION_AUD)
+	docker compose -f docker-compose.test.yml run --rm postman_test test/postman_test/SSAS_Smoke_Test.postman_collection.json -e test/postman_test/local.postman_environment.json --global-var "token=$(token)" --global-var adminClientId=$(SSAS_ADMIN_CLIENT_ID) --global-var adminClientSecret=$(SSAS_ADMIN_CLIENT_SECRET) --global-var ssas_client_assertion_aud=$(SASS_CLIENT_ASSERTION_AUD)
 
 postman:
-	docker-compose -f docker-compose.test.yml run --rm postman_test test/postman_test/SSAS.postman_collection.json -e test/postman_test/local.postman_environment.json --global-var adminClientId=$(SSAS_ADMIN_CLIENT_ID) --global-var adminClientSecret=$(SSAS_ADMIN_CLIENT_SECRET) --global-var ssas_client_assertion_aud=$(SASS_CLIENT_ASSERTION_AUD)
+	docker compose -f docker-compose.test.yml run --rm postman_test test/postman_test/SSAS.postman_collection.json -e test/postman_test/local.postman_environment.json --global-var adminClientId=$(SSAS_ADMIN_CLIENT_ID) --global-var adminClientSecret=$(SSAS_ADMIN_CLIENT_SECRET) --global-var ssas_client_assertion_aud=$(SASS_CLIENT_ASSERTION_AUD)
 
 migrations-test:
-	docker-compose -f docker-compose.test.yml run --rm tests bash ops/migrations_test.sh
+	docker compose -f docker-compose.test.yml run --rm tests bash ops/migrations_test.sh
 
-unit-test:
-	docker-compose up -d db
-	docker-compose -f docker-compose.test.yml run --rm tests bash unit_test.sh
+start-db:
+	docker compose up -d db
+
+unit-test: start-db
+	docker compose -f docker-compose.test.yml run --rm tests bash unit_test.sh
 
 test:
 	$(MAKE) lint
@@ -41,17 +43,20 @@ test:
 	$(MAKE) migrations-test
 
 load-fixtures:
-	docker-compose -f docker-compose.migrate.yml run --rm migrate  -database "postgres://postgres:toor@db:5432/bcda?sslmode=disable" -path /go/src/github.com/CMSgov/bcda-ssas-app/db/migrations up
-	docker-compose -f docker-compose.yml run ssas sh -c 'ssas --add-fixture-data'
+	docker compose -f docker-compose.migrate.yml run --rm migrate  -database "postgres://postgres:toor@db:5432/bcda?sslmode=disable" -path /go/src/github.com/CMSgov/bcda-ssas-app/db/migrations up
+	docker compose -f docker-compose.yml run ssas sh -c 'ssas --add-fixture-data'
 
 docker-build:
-	docker-compose build --force-rm
-	docker-compose -f docker-compose.test.yml build --force-rm
+	docker compose build --force-rm
+	docker compose -f docker-compose.test.yml build --force-rm
 
 docker-bootstrap:
 	$(MAKE) docker-build
-	docker-compose up -d
+	docker compose up -d
 	sleep 40
 	$(MAKE) load-fixtures
 
-.PHONY: docker-build docker-bootstrap load-fixtures test package release smoke-test postman unit-test lint migrations-test
+dbdocs: start-db load-fixtures
+	docker run --rm -v $PWD:/work -w /work --network bcda-ssas-app_default ghcr.io/k1low/tbls doc --rm-dist "postgres://postgres:toor@db:5432/bcda?sslmode=disable" dbdocs/bcda
+
+.PHONY: docker-build docker-bootstrap load-fixtures test package release smoke-test postman unit-test lint migrations-test start-db dbdocs

README.md

@@ -104,7 +104,7 @@ The project uses [Go Modules](https://golang.org/ref/mod) allowing you to clone
 
 # Build
 
-Build all the code and containers with `make docker-bootstrap`. Alternatively, `docker-compose up ssas` will build and run the SSAS by itself. Note that SSAS needs the db container to be running as well.
+Build all the code and containers with `make docker-bootstrap`. Alternatively, `docker compose up ssas` will build and run the SSAS by itself. Note that SSAS needs the db container to be running as well.
 
 ## Bootstrapping CLI
 
@@ -129,7 +129,7 @@ one of these test suites, follow the instructions at the top of the test file.
 
 ### **Running Single / Single-file Unit Tests**
 
-This step assumes that the user has installed VSCode, the Go language extension available [here](https://marketplace.visualstudio.com/items?itemName=golang.Go), and has successfully imported test data to their local database. 
+This step assumes that the user has installed VSCode, the Go language extension available [here](https://marketplace.visualstudio.com/items?itemName=golang.Go), and has successfully imported test data to their local database.
 
 To run tests from within VSCode:
 In a FILENAME_test.go file, there will be a green arrow to the left of the method name, and clicking this arrow will run a single test locally. Tests should not be dependent upon other tests, but if a known-good test is failing, the user can run all tests in a given file by going to View -> Command Palette -> Go: Test Package, which will run all tests in a given file. Alternatively, in some instances, the init() method can be commented out to enable testing of single functions.
@@ -138,13 +138,13 @@ In a FILENAME_test.go file, there will be a green arrow to the left of the metho
 
 To run postman tests locally:
 
-Build and startup the required containers. Building with docker-compose up first will significantly improve the performance of the following steps.
+Build and startup the required containers. Building with docker compose up first will significantly improve the performance of the following steps.
 
 ```
-docker-compose up
-docker-compose stop
-docker-compose up -d db
-docker-compose up ssas
+docker compose up
+docker compose stop
+docker compose up -d db
+docker compose up ssas
 ```
 
 If this is the first time you've started the containers, set up your database tables and seed them with sample group and systems:
@@ -175,13 +175,13 @@ docker run --rm --network bcda-ssas-app_default -e PGPASSWORD=PASSHERE -it postg
 To reset a secret by client id (can be found in Makefile):
 
 ```
-docker-compose run --rm ssas sh -c 'ssas --reset-secret --client-id=[client_id]'
+docker compose run --rm ssas sh -c 'ssas --reset-secret --client-id=[client_id]'
 ```
 
 To list all active IPs from the connected database:
 
 ```
-docker-compose run --rm ssas sh -c 'ssas --list-ips'
+docker compose run --rm ssas sh -c 'ssas --list-ips'
 ```
 
 # Swagger Documentation
@@ -190,11 +190,11 @@ The admin server has Swagger documentation. To access:
 
 1. Make sure it's been built (the container will stop after a few seconds when the documentation is ready)
 
-   `docker-compose up documentation`
+   `docker compose up documentation`
 
 1. Make sure the `ssas` container is running
 
-   `docker-compose up ssas`
+   `docker compose up ssas`
 
 1. Access Swagger in your browser:
    http://localhost:3104/swagger

db/migrations/README.md

@@ -4,7 +4,7 @@
 * All database changes will be modeled in discrete schema migrations
     * Code to roll back a migration will be included unless highly impracticable
 * Migrations will receive unique sequential integer identifiers.
-    * Engineers should keep aware of identifier collisions (and in some instances required migration order), and adjust their migration ID’s before merging with master, if necessary.
+    * Engineers should keep aware of identifier collisions (and in some instances required migration order), and adjust their migration ID’s before merging with main, if necessary.
 * Migrations will be written with production environments in mind
     * If data changes are required (default values instead of nulls, compound fields broken apart, etc.), the migration will include commands for these transformations.
     * If the migration would break running instances, reasonable effort will be made to write multiple migrations.  In the first migration, a non-breaking transition schema will be used that can support both the old and new code versions.  After all instances have been upgraded, the final version of the schema can be introduced in a second migration.
@@ -19,4 +19,4 @@
     * Using the file format `######_schema_name.[up|down].sql` create separate scripts for each schema change, and for reversing the schema change.
     * Add tests for both scripts in `migrations_test.go`
 * Test migration scripts
-    * Run `make migrations-test`
+    * Run `make migrations-test`

dbdocs/bcda/README.md

@@ -0,0 +1,23 @@
+# bcda
+
+## Tables
+
+| Name | Columns | Comment | Type |
+| ---- | ------- | ------- | ---- |
+| [public.schema_migrations](public.schema_migrations.md) | 2 |  | BASE TABLE |
+| [public.blacklist_entries](public.blacklist_entries.md) | 7 |  | BASE TABLE |
+| [public.encryption_keys](public.encryption_keys.md) | 7 |  | BASE TABLE |
+| [public.groups](public.groups.md) | 7 |  | BASE TABLE |
+| [public.secrets](public.secrets.md) | 6 |  | BASE TABLE |
+| [public.systems](public.systems.md) | 12 |  | BASE TABLE |
+| [public.ips](public.ips.md) | 6 |  | BASE TABLE |
+| [public.client_tokens](public.client_tokens.md) | 8 |  | BASE TABLE |
+| [public.root_keys](public.root_keys.md) | 8 |  | BASE TABLE |
+
+## Relations
+
+![er](schema.svg)
+
+---
+
+> Generated by [tbls](https://github.com/k1LoW/tbls)