Merge pull request #1131 from GSA-TTS/main

2023-05-17 main -> prod

.github/ISSUE_TEMPLATE/bug-template.yaml

@@ -0,0 +1,70 @@
+name: Bug Report 🐞
+description: Report a bug and help USWDS improve.
+title: "FAC - Bug: [YOUR TITLE]"
+labels: ['Type: Bug','Status: Triage','Needs: Confirmation']
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Describe the bug
+      description: Add a clear and concise description of the bug. Let us know if it impacts major or minor functionality and if you have workaround.
+    validations:
+      required: true
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to reproduce the bug
+      description: Describe how to reproduce this issue.
+      placeholder: |
+        1. Go to '...'
+        2. Click on '....'
+        3. Scroll down to '....'
+        4. See error...
+    validations:
+      required: true
+  - type: textarea
+    id: expectation
+    attributes:
+      label: Expected Behavior
+      description: Add a clear and concise description of what you expected to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: screenshots
+    attributes:
+      label: Screenshots
+      description: Add screenshots to help provide context, if applicable.
+    validations:
+      required: false
+  - type: textarea
+    id: system
+    attributes:
+      label: System setup
+      description: Provide your system details. Be sure to include your device, operating system, and browser (with version).
+      placeholder: |
+        - Device:
+        - Operating system:
+        - Browser and version:
+    validations:
+      required: false
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: Add any other context about the problem.
+    validations:
+      required: false
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Code of Conduct
+      description: Please confirm the following
+      options:
+        - label:
+            I agree to abide by the [Digital.gov Community Guidelines](https://digital.gov/communities/community-guidelines/) and the [TTS Code of Conduct](https://handbook.tts.gsa.gov/code-of-conduct/). Respect your peers, use plain language, and be patient. 
+          required: true
+        - label:
+            I checked the [current
+              issues](https://github.com/GSA-TTS/FAC/issues?q=is%3Aissue+is%3Aopen+label%3A%22Type%3A+Bug%22) for
+              duplicate bug reports.
+          required: true

.github/ISSUE_TEMPLATE/feature-request.yaml

@@ -0,0 +1,51 @@
+name: Feature Request 💡
+description:
+  Suggest a new idea for the design system.
+title: 'FAC - Feature: [YOUR TITLE]'
+labels: ['Type: Feature Request','Status: Triage']
+body:
+  - type: markdown
+    attributes:
+      value: '## Feature Request 💡'
+  - type: textarea
+    id: problem
+    attributes:
+      label: Is your feature request related to a problem? Please describe.
+      description: "Provide a clear and concise description of what the problem is. Ex. I'm always frustrated when [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: "Describe the solution you'd like"
+      description: "Provide a clear and concise description of what you want to happen."
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: "Describe alternatives you've considered"
+      description: "Provide a clear and concise description of any alternative solutions or features you've considered."
+    validations:
+      required: false
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: "Add any other context or screenshots about the feature request."
+    validations:
+      required: false
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Code of Conduct
+      description: Please confirm the following
+      options:
+        - label:
+            I agree to abide by the [Digital.gov Community Guidelines](https://digital.gov/communities/community-guidelines/) and the [TTS Code of Conduct](https://handbook.tts.gsa.gov/code-of-conduct/). Respect your peers, use plain language, and be patient.
+          required: true
+        - label:
+            I checked the [current
+            issues](https://github.com/GSA-TTS/FAC/issues?q=is%3Aissue+is%3Aopen+label%3A%22Type%3A+Feature+Request%22) for
+            duplicate feature requests.
+          required: true

.github/ISSUE_TEMPLATE/story-issue-template.md

@@ -15,7 +15,7 @@ assignees: ''
 [comment]: # "I want: some new feature"
 
 **In order to** 
-**as a **
+**as a**
 **I want**
 
 # Acceptance Criteria
@@ -62,6 +62,14 @@ Required per [CM-4](https://nvd.nist.gov/800-53/Rev4/control/CM-4).
 [comment]: # "Please do not remove this section without care."
 [comment]: # "Note any security concerns that might be implicated in the change. 'None' is OK, but we must be explicit here."
 
+# Sketch
+
+We're thinking we'll try implementing A and then changing B.
+
+```[tasklist]
+# Tasks
+- [ ] 
+```
 
 ---
 

backend/.profile

@@ -1,7 +1,10 @@
 #!/bin/bash
 
+export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
 export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 
+export https_proxy="$(echo "$VCAP_SERVICES" | jq --raw-output --arg service_name "egress-creds" ".[][] | select(.name == \$service_name) | .credentials.uri")"
+
 # Grab the New Relic license key from the newrelic-creds user-provided service instance
 export NEW_RELIC_LICENSE_KEY="$(echo "$VCAP_SERVICES" | jq --raw-output --arg service_name "newrelic-creds" ".[][] | select(.name == \$service_name) | .credentials.NEW_RELIC_LICENSE_KEY")"
 
@@ -11,7 +14,11 @@ export NEW_RELIC_APP_NAME="$(echo "$VCAP_APPLICATION" | jq -r .application_name)
 # Set the environment name for New Relic telemetry.
 export NEW_RELIC_ENVIRONMENT="$(echo "$VCAP_APPLICATION" | jq -r .space_name)"
 
-# export https_proxy="$(echo "$VCAP_SERVICES" | jq --raw-output --arg service_name "egress-creds" ".[][] | select(.name == \$service_name) | .credentials.uri")"
+# Set Agent logging to stdout to be captured by CF Logs
+export NEW_RELIC_LOG=stdout
+
+# Logging level, (critical, error, warning, info and debug). Default to info
+#export NEW_RELIC_LOG_LEVEL=
 
 # We only want to run migrate and collecstatic for the first app instance, not
 # for additional app instances, so we gate all of this behind CF_INSTANCE_INDEX

backend/audit/migrations/0023_alter_access_role.py

@@ -0,0 +1,25 @@
+# Generated by Django 4.1.7 on 2023-05-11 16:42
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("audit", "0022_remove_access_audit_single_creator_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="access",
+            name="role",
+            field=models.CharField(
+                choices=[
+                    ("certifying_auditee_contact", "Auditee Certifying Official"),
+                    ("certifying_auditor_contact", "Auditor Certifying Official"),
+                    ("editor", "Audit Editor"),
+                ],
+                help_text="Access type granted to this user",
+                max_length=50,
+            ),
+        ),
+    ]

backend/audit/mixins.py

@@ -0,0 +1,101 @@
+from typing import Any
+from django.contrib.auth import get_user_model
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.http.request import HttpRequest
+from django.http.response import HttpResponse
+from django.core.exceptions import PermissionDenied
+
+from .models import Access, SingleAuditChecklist
+
+User = get_user_model()
+
+
+class CertificationPermissionDenied(PermissionDenied):
+    def __init__(self, message, eligible_users):
+        super().__init__(message)
+
+        self.eligible_users = eligible_users
+
+
+def has_access(sac, user):
+    """Does a user have permission to access a submission?"""
+    return bool(Access.objects.filter(sac=sac, user=user))
+
+
+def has_role(sac, user, role):
+    """Does a user have a specific role on a submission?"""
+    return bool(Access.objects.filter(sac=sac, user=user, role=role))
+
+
+class SingleAuditChecklistAccessRequiredMixin(LoginRequiredMixin):
+    """
+    View mixin to require that a user is logged in and has access to the submission.
+    """
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        try:
+            sac = SingleAuditChecklist.objects.get(report_id=kwargs["report_id"])
+
+            if not has_access(sac, request.user):
+                raise PermissionDenied("You do not have access to this audit.")
+        except SingleAuditChecklist.DoesNotExist:
+            raise PermissionDenied("You do not have access to this audit.")
+
+        return super().dispatch(request, *args, **kwargs)
+
+
+class CertifyingAuditeeRequiredMixin(LoginRequiredMixin):
+    """
+    View mixin to require that a user is logged in, has access to the submission, and has
+    the ``certifying_auditee_contact`` role.
+    """
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        role = "certifying_auditee_contact"
+        try:
+            sac = SingleAuditChecklist.objects.get(report_id=kwargs["report_id"])
+
+            if not has_access(sac, request.user):
+                raise PermissionDenied("You do not have access to this audit")
+
+            if not has_role(sac, request.user, role):
+                eligible_accesses = Access.objects.select_related("user").filter(
+                    sac=sac, role=role
+                )
+                eligible_users = [acc.user for acc in eligible_accesses]
+
+                raise CertificationPermissionDenied(
+                    "bad role", eligible_users=eligible_users
+                )
+        except SingleAuditChecklist.DoesNotExist:
+            raise PermissionDenied("You do not have access to this audit.")
+
+        return super().dispatch(request, *args, **kwargs)
+
+
+class CertifyingAuditorRequiredMixin(LoginRequiredMixin):
+    """
+    View mixin to require that a user is logged in, has access to the submission, and has
+    the ``certifying_auditor_contact`` role.
+    """
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        role = "certifying_auditor_contact"
+        try:
+            sac = SingleAuditChecklist.objects.get(report_id=kwargs["report_id"])
+
+            if not has_access(sac, request.user):
+                raise PermissionDenied("You do not have access to this audit")
+
+            if not has_role(sac, request.user, role):
+                eligible_accesses = Access.objects.select_related("user").filter(
+                    sac=sac, role=role
+                )
+                eligible_users = [acc.user for acc in eligible_accesses]
+                raise CertificationPermissionDenied(
+                    "bad role", eligible_users=eligible_users
+                )
+        except SingleAuditChecklist.DoesNotExist:
+            raise PermissionDenied("You do not have access to this audit.")
+
+        return super().dispatch(request, *args, **kwargs)

backend/audit/models.py

@@ -403,8 +403,8 @@ class Access(models.Model):
     """
 
     ROLES = (
-        ("certifying_auditee_contact ", _("Auditee Certifying Official")),
-        ("certifying_auditor_contact ", _("Auditor Certifying Official")),
+        ("certifying_auditee_contact", _("Auditee Certifying Official")),
+        ("certifying_auditor_contact", _("Auditor Certifying Official")),
         ("editor", _("Audit Editor")),
     )
     sac = models.ForeignKey(SingleAuditChecklist, on_delete=models.CASCADE)