Multi-Issue PR

docs/Architecture Decision Record/011-buildpacks.md

@@ -1,6 +1,6 @@
 # 11. Implement Cloud.gov Buildpacks
 
-Date: 2021-02-26
+Date: 2021-02-26 (updated 2021-07-26)
 
 ## Status
 
@@ -33,3 +33,56 @@ Our recommendation is to move to Cloud.gov buildpacks at this time. They are alr
 **Notes**
 - Docker containers will still need to be maintained for local development and CI/CD
 - Docker containers will still need to be hardened for CI/CD
+
+## Restaging for updated buildpacks
+
+As described in [#1045](https://github.com/raft-tech/TANF-app/issues/1045), cloud.gov will inform us that buildpack(s) we use have been updated to a newer version via e-mail to all users with 'developer' role. The e-mail provides specific CloudFoundry CLI steps needed but we have already captured our deployment strategy process/commands in scripts/deploy-backend.sh. Running that script is the preferred methodology. Presently, the e-mail does not provide any specifics about the update, just that there was an update.
+
+Below is the restaging process in full:
+    1. Upon receipt of email from cloud.gov, restage against dev:
+```bash
+user@host$ cf login -a api.fr.cloud.gov --sso
+API endpoint: api.fr.cloud.gov
+
+Temporary Authentication Code ( Get one at https://login.fr.cloud.gov/passcode ): 
+Authenticating...
+OK
+
+
+Targeted org hhs-acf-prototyping.
+
+Select a space:
+1. tanf-dev
+2. tanf-staging
+
+Space (enter to skip): 1
+Targeted space tanf-dev.
+
+API endpoint:   https://api.fr.cloud.gov
+API version:    3.101.0
+user:           abottoms@goraft.tech
+org:            hhs-acf-prototyping
+space:          tanf-dev 
+$ cf restage tdp-backend-a11y
+$ cf restage tdp-backend-raft
+$ cf restage tdp-backend-qasp
+$ cf restage tdp-backend-sandbox
+OR
+$ cf restage tdp-frontend-a11y
+$ cf restage tdp-frontend-raft
+$ cf restage tdp-frontend-qasp
+$ cf restage tdp-frontend-sandbox
+
+```
+    1. Inspect dev environment in cloud.gov for new buildpack versions after restage
+    1. Inspect relevant official changelog(s):
+        * https://github.com/cloudfoundry/nginx-buildpack/blob/master/CHANGELOG
+        * https://github.com/cloudfoundry/python-buildpack/blob/master/CHANGELOG
+    1. On a new branch, update docs/Technical-Documentation/buildpack-changelog.md with information of the following format:
+```
+## Buildpacks Changelog
+- MM/DD/YYYY [name v#.#.##](link)
+- 07/13/2021 [python-buildpack v1.7.43](https://github.com/cloudfoundry/python-buildpack/releases/tag/v1.7.43)
+```
+    1. Open a pull request to 'raft-tdp-main' and assign to Technical Lead
+    1. Merging pull request shall trigger rolling deploy of the updated buildpack(s) to staging & (eventually) prod without downtime

docs/Sprint-Review/sprint-25-summary.md

@@ -0,0 +1,68 @@
+# Sprint 25 Summary
+**07/06/2021- 07/20/2021**
+
+### Summary Updates
+- The Engineering team continued to work on Secret Key Epic tickets and various devops related tickets to finishing out ATO functionality as well as accessibility work for Django admin and other areas.
+- The UX Research team focused on Parsing Error blockers and understanding Regional Staff user journeys, and began investigations into the user access request journey
+- NextGen XMS and ACF AMS teams have given us technical information in order to assess and estimate our technical implimentation and recommendation to TDP Product Owner and tech lead. Our next task is to write integration tickets and estimate this work and provide a recommendation to OFA.
+
+
+## Sprint 25 Goals
+- Finish closing ATO functionality tickets
+- Focus on Secret Key Leakage Mitigation Epic
+- UX Ideation for Parsing Blocker Communications
+
+**[Next Sprint (26) Goals](https://github.com/raft-tech/TANF-app/milestone/29)** 
+- 
+
+## Merged/Completed (Done/Demo, Closed)
+- Django Admin a11y Fixes (Sprint 1) [#973](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/973)
+- (UX Sprint 24) Current State Analysis of Error Communication and Regional Staff Workflow Validation [#1018](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/1018)
+- Documentation of current staging environments for TDP [#1051](https://app.zenhub.com/workspaces/tdrs-product-backlog-5f2c6cdc7c0bb1001bdc43a5/issues/raft-tech/tanf-app/1051)
+SPIKE: File transfer options for Tribal MVP [#1011](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/1011)
+## Submitted (QASP Review, OCIO Review)
+- Dependabot Mass Merge / Improvements [#1023](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/1023)
+- Verify Admin Permissions Hierarchy and Roles [#1058](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/1058)
+
+## Moving to Next Sprint (Raft Review, In Progress, Current Sprint Backlog)
+**Raft Review**
+- [EPIC] As an OFA admin, I can download raw file [#89](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/89)
+- Groups: Rename `Data Prepper` to `Data Analyst` [#1071](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/1071)
+- Perform scheduled OWASP scans against deployed site(s) [#1032](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/1032)
+- [Devops] Allow pa11y to scan views that require authorization [#1044](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/1044)
+- [Frontend] Hook upload and download to real API endpoints [#834](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/834)
+
+
+**Blocked**
+- Update ATO docs and corresponding code docs [#962](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/962)
+- 
+
+**In Progress**
+- Django Admin a11y Fixes (Sprint 2)[#1053](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/1053)
+- As a tadpole, I want to know the platform I use to login to TDP (new TDRS)[#379](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/379)
+- As tech lead, I want to know the steps that will be followed to use updated buildpacks for TDP apps [#1045](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/1045)
+- As an OFA Admin, I want an accessible, 508-compliant user interface for managing permissions [#892](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/892)
+- Deployed environments should pull AWS credentials from Cloud.gov provided environment variables [#971](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/971)
+- SPIKE: Authentication Feasibility Research [#1046](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/1046)
+
+**Current Sprint Backlog**
+- As a dev, I need to know which authentication service we're using (login.gov vs. NextGen XMS) [#638](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/638)
+- [DevOps] Generate a new, random DJANGO_SECRET_KEY on initial Cloud.gov deployments or rebuilds [#967](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/967)
+- As a dev, I want an automated tool to prevent me from committing secret keys to the repo [#965](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/965)
+- [EPIC] Secret Key Leakage Mitigation [#972](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/972)
+- As TDP SO/TL, I need a basic security awareness training developed for IS users (AT-02)[#953](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/953)
+- I want a client-side Content Security Policy to protect me from XSS and other client side attacks [#907](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/907)
+- Audit Config & Inspection for Production Environment [#897](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/897)
+- As a dev, I want Terraform changes to be reflected in label driven deployments (GitHub Action) [#1059](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/1059)
+- [DevOps] Perform validation on Codecov Bash Uploader script during CI steps [#968](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/968)
+
+
+## Agenda for Sprint 25 Demo 
+- (UX Sprint 24) Current State Analysis of Error Communication and Regional Staff Workflow Validation [#1018](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/1018) - Miles/ Dmitri
+- TDP Staging Site [#1051](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/1051) - Jorge
+- Django Admin a11y Fixes (Sprint 1) [#973](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/973) - Jorge, locally 
+- (Pre QASP)[Frontend] Hook upload and download to real API endpoints [#834](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/834) - John
+- (Pre QASP)[Devops] Allow pa11y to scan views that require authorization [#1044](https://app.zenhub.com/workspaces/tdrs-sprint-board-5f18ab06dfd91c000f7e682e/issues/raft-tech/tanf-app/1044) - Aaron
+
+
+[Link to Sprint 25 Milestone Details](https://github.com/raft-tech/TANF-app/milestone/28)

docs/Technical-Documentation/buildpack-changelog.md

@@ -0,0 +1,3 @@
+## Buildpacks Changelog
+
+- 7/13/2021 [python-buildpack v1.7.43](https://github.com/cloudfoundry/python-buildpack/releases/tag/v1.7.43)

tdrs-backend/tdpservice/reports/views.py

@@ -2,6 +2,7 @@
 import logging
 
 from django.http import StreamingHttpResponse
+from django_filters import rest_framework as filters
 from rest_framework.parsers import MultiPartParser
 from rest_framework.response import Response
 from rest_framework.status import HTTP_400_BAD_REQUEST
@@ -17,15 +18,43 @@
 logger = logging.getLogger()
 
 
+class ReportFileFilter(filters.FilterSet):
+    """Filters that can be applied to GET requests as query parameters."""
+
+    # Override the generated definition for the STT field so we can require it.
+    stt = filters.NumberFilter(field_name='stt_id', required=True)
+
+    class Meta:
+        """Class metadata linking to the ReportFile and fields accepted."""
+
+        model = ReportFile
+        fields = ['stt', 'quarter', 'year']
+
+
 class ReportFileViewSet(ModelViewSet):
     """Report file views."""
 
     http_method_names = ['get', 'post', 'head']
+    filterset_class = ReportFileFilter
     parser_classes = [MultiPartParser]
     permission_classes = [ReportFilePermissions]
     serializer_class = ReportFileSerializer
+
+    # TODO: Handle versioning in queryset
+    # Ref: https://github.com/raft-tech/TANF-app/issues/1007
     queryset = ReportFile.objects.all()
 
+    # NOTE: This is a temporary hack to make sure the latest version of the file
+    # is the one presented in the UI. Once we implement the above linked issue
+    # we will be able to appropriately refer to the latest versions only.
+    ordering = ['-version']
+
+    def filter_queryset(self, queryset):
+        """Only apply filters to the list action."""
+        if self.action != 'list':
+            self.filterset_class = None
+        return super().filter_queryset(queryset)
+
     @action(methods=["get"], detail=True)
     def download(self, request, pk=None):
         """Retrieve a file from s3 then stream it to the client."""

tdrs-backend/tdpservice/settings/common.py

@@ -121,6 +121,7 @@ class Common(Configuration):
     AWS_S3_SECRET_ACCESS_KEY = os.getenv("AWS_SECRET_ACCESS_KEY")
     AWS_STORAGE_BUCKET_NAME = os.getenv("AWS_BUCKET")
     AWS_REGION_NAME = os.getenv("AWS_REGION_NAME")
+    AWS_S3_REGION_NAME = os.getenv("AWS_REGION_NAME")
 
     # Those who will receive error notifications from django via email
     ADMINS = (("Admin1", "ADMIN_EMAIL_FIRST"), ("Admin2", "ADMIN_EMAIL_SECOND"))
@@ -154,7 +155,7 @@ class Common(Configuration):
         }
 
     # General
-    APPEND_SLASH = False
+    APPEND_SLASH = True
     TIME_ZONE = "UTC"
     LANGUAGE_CODE = "en-us"
     # If you set this to False, Django will make some optimizations so as not
@@ -302,6 +303,9 @@ class Common(Configuration):
             "rest_framework.authentication.SessionAuthentication",
             "rest_framework.authentication.TokenAuthentication",
         ),
+        "DEFAULT_FILTER_BACKENDS": [
+            "django_filters.rest_framework.DjangoFilterBackend",
+        ],
         "TEST_REQUEST_DEFAULT_FORMAT": "json",
         "TEST_REQUEST_RENDERER_CLASSES": [
             "rest_framework.renderers.MultiPartRenderer",

tdrs-backend/tdpservice/users/permissions.py

@@ -1,12 +1,21 @@
 """Set permissions for users."""
+from collections import ChainMap
 
 from rest_framework import permissions
 
 
 def is_own_stt(request, view):
     """Verify user belongs to requested STT."""
     is_data_analyst = is_in_group(request.user, 'Data Analyst')
-    requested_stt = view.kwargs.get('stt', request.data.get('stt'))
+
+    # Depending on the request, the STT could be found in three different places
+    # so we will merge all together and just do one check
+    request_parameters = ChainMap(
+        view.kwargs,
+        request.query_params,
+        request.data
+    )
+    requested_stt = request_parameters.get('stt')
     user_stt = request.user.stt_id if hasattr(request.user, 'stt_id') else None
 
     return bool(
@@ -76,7 +85,7 @@ def has_object_permission(self, request, view, obj):
         This is used in cases where we call .get_object() to retrieve a report
         and do not have the STT available in the request, ie. report was
         requested for download via the ID of the report. This is not called
-        on POST requests (creating new reports).
+        on POST requests (creating new reports) or for a list of reports.
         """
         is_ofa_admin = is_in_group(request.user, "OFA Admin")
         is_data_analyst = is_in_group(request.user, 'Data Analyst')