From 0ddb1f54c019452cf237f920983a2b792eaa16f7 Mon Sep 17 00:00:00 2001 From: leigh-mil Date: Fri, 24 Jan 2020 15:36:30 -0500 Subject: [PATCH 1/5] Fix typo --- translations.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/translations.yaml b/translations.yaml index d9615c4d..15240d4c 100644 --- a/translations.yaml +++ b/translations.yaml @@ -509,7 +509,7 @@ task_orders: tooltip: obligated_funds: Funds committed to fund your portfolio. This may represent 100% of your total Task Order value, or a portion of it. total_value: All obligated and projected funds for the Task Order’s Base and Option CLINs. - expended_funds: All funds spend from the Task Order so far. + expended_funds: All funds spent from the Task Order so far. form: add_clin: Add Another CLIN add_to_header: Enter the Task Order number From 99edf3df907b36fc140ad6cfed831f71315ef5fc Mon Sep 17 00:00:00 2001 From: leigh-mil Date: Mon, 27 Jan 2020 11:20:52 -0500 Subject: [PATCH 2/5] Save valid TO form fields when clicking previous in TO builder --- atst/routes/task_orders/new.py | 38 +++++++++++++--- templates/task_orders/builder_base.html | 17 ++++++-- templates/task_orders/step_2.html | 2 +- templates/task_orders/step_3.html | 2 +- tests/routes/task_orders/test_new.py | 58 +++++++++++++++++++++++++ 5 files changed, 105 insertions(+), 12 deletions(-) diff --git a/atst/routes/task_orders/new.py b/atst/routes/task_orders/new.py index f6e53b75..eaf6f2b2 100644 --- a/atst/routes/task_orders/new.py +++ b/atst/routes/task_orders/new.py @@ -70,7 +70,12 @@ def update_task_order(form, portfolio_id=None, task_order_id=None, flash_invalid def update_and_render_next( - form_data, next_page, current_template, portfolio_id=None, task_order_id=None + form_data, + next_page, + current_template, + portfolio_id=None, + task_order_id=None, + previous=False, ): form = None if task_order_id: 
@@ -80,8 +85,9 @@ def update_and_render_next( form = TaskOrderForm(form_data) task_order = update_task_order(form, portfolio_id, task_order_id) - if task_order: - return redirect(url_for(next_page, task_order_id=task_order.id)) + if task_order or previous: + to_id = task_order.id if task_order else task_order_id + return redirect(url_for(next_page, task_order_id=to_id)) else: return ( render_task_orders_edit( @@ -210,12 +216,21 @@ def form_step_two_add_number(task_order_id): @task_orders_bp.route("/task_orders//form/step_2", methods=["POST"]) @user_can(Permissions.CREATE_TASK_ORDER, message="update task order form") def submit_form_step_two_add_number(task_order_id): + previous = http_request.args.get("previous", "False").lower() == "true" form_data = {**http_request.form} - next_page = "task_orders.form_step_three_add_clins" + next_page = ( + "task_orders.form_step_three_add_clins" + if not previous + else "task_orders.form_step_one_add_pdf" + ) current_template = "task_orders/step_2.html" return update_and_render_next( - form_data, next_page, current_template, task_order_id=task_order_id + form_data, + next_page, + current_template, + task_order_id=task_order_id, + previous=previous, ) @@ -230,12 +245,21 @@ def form_step_three_add_clins(task_order_id): @task_orders_bp.route("/task_orders//form/step_3", methods=["POST"]) @user_can(Permissions.CREATE_TASK_ORDER, message="update task order form") def submit_form_step_three_add_clins(task_order_id): + previous = http_request.args.get("previous", "False").lower() == "true" form_data = {**http_request.form} - next_page = "task_orders.form_step_four_review" + next_page = ( + "task_orders.form_step_four_review" + if not previous + else "task_orders.form_step_two_add_number" + ) current_template = "task_orders/step_3.html" return update_and_render_next( - form_data, next_page, current_template, task_order_id=task_order_id + form_data, + next_page, + current_template, + task_order_id=task_order_id, + previous=previous, ) 
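Review bot: The new `if task_order or previous:` branch redirects to the previous step even when `update_task_order` returned `None` for an invalid form, and since `update_task_order` takes a `flash_invalid` argument (visible in the preceding hunk's header) it has presumably already flashed a validation error that the user then sees on the step they navigated back to. Consider suppressing that flash on the back-navigation path, e.g. `task_order = update_task_order(form, portfolio_id, task_order_id, flash_invalid=not previous)` (confirm the parameter name against the definition, which is outside this hunk). The fallback `to_id = task_order.id if task_order else task_order_id` also yields `None` when a caller passes `previous=True` without a `task_order_id`, which `url_for` would reject; the step 2/3 callers in this patch always pass one, but a guard or a docstring line stating that precondition would make it explicit. `update_and_render_next`'s signature is in the preceding hunk and its body continues past this one.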
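Review bot: The `previous` flag is parsed identically in `submit_form_step_two_add_number` and `submit_form_step_three_add_clins` with `http_request.args.get("previous", "False").lower() == "true"`, and the `next_page` conditional is duplicated alongside it in both hunks. A small helper such as `def _previous_requested(): return http_request.args.get("previous", "False").lower() == "true"` keeps the two POST handlers in step and gives one place to document that `previous` is a query-string flag on a POST URL (set by `previous_button_link` in the step templates). Both handlers keep the `@user_can(Permissions.CREATE_TASK_ORDER, ...)` decorator, so the flag alters only the redirect target and whether an invalid form blocks the redirect, not authorisation; a one-line comment saying so would stop a reader assuming it skips more than that.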
diff --git a/templates/task_orders/builder_base.html b/templates/task_orders/builder_base.html index f5b88c3a..5b819b27 100644 --- a/templates/task_orders/builder_base.html +++ b/templates/task_orders/builder_base.html @@ -39,9 +39,20 @@ {% endblock %} {% if step != "1" %} - - Previous - + {% if step == "2" or step == "3" -%} + + {% else -%} + + Previous + + {%- endif %} {% endif %} Date: Mon, 27 Jan 2020 12:08:18 -0500 Subject: [PATCH 3/5] Move text from TO builder into translations file --- templates/task_orders/builder_base.html | 14 +++++++++----- templates/task_orders/form_header.html | 2 +- templates/task_orders/step_1.html | 2 +- templates/task_orders/step_2.html | 2 +- templates/task_orders/step_4.html | 2 +- translations.yaml | 9 +++++++++ 6 files changed, 22 insertions(+), 9 deletions(-) diff --git a/templates/task_orders/builder_base.html b/templates/task_orders/builder_base.html index 5b819b27..9ee8dd0c 100644 --- a/templates/task_orders/builder_base.html +++ b/templates/task_orders/builder_base.html @@ -14,10 +14,14 @@ {% call Modal(name='cancel', dismissable=True) %}
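Review bot: The new `{% if step == "2" or step == "3" -%}` branch hard-codes which steps get a submit-style Previous button, while what actually distinguishes those steps is that their templates define `previous_button_link`; `{% if previous_button_link is defined -%}` would express that directly and would not need editing when another step gains the save-on-previous behaviour. The button markup is not legible in this rendering of the hunk, but if it is a plain `type="submit"` button with `formaction="{{ previous_button_link }}"`, browser constraint validation on any `required` field in the step form will block the click, which defeats the purpose of letting a user go back with a partially completed form; adding `formnovalidate` to that button avoids it. The end of this hunk, and the step_2/step_3/test changes listed in the diffstat, are not visible here.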
-

Do you want to save this draft?

+

{{ 'task_orders.form.builder_base.cancel_modal' | translate }}

- - + +
{% endcall %} @@ -44,13 +48,13 @@ type="submit" class="usa-button usa-button-secondary" formaction="{{ previous_button_link }}"> - Previous + {{ "common.previous" | translate }} {% else -%}
- Previous + {{ "common.previous" | translate }} {%- endif %} {% endif %} diff --git a/templates/task_orders/form_header.html b/templates/task_orders/form_header.html index 3356a8c9..7db9a313 100644 --- a/templates/task_orders/form_header.html +++ b/templates/task_orders/form_header.html @@ -7,7 +7,7 @@ {%- endif %} {% if to_number %}

- Task Order Number: {{ to_number }} + {{ "task_orders.form.builder_base.to_number" | translate({ "number": to_number }) | safe }}

{% endif %} {% if description %} diff --git a/templates/task_orders/step_1.html b/templates/task_orders/step_1.html index 177a41a8..1e2911e5 100644 --- a/templates/task_orders/step_1.html +++ b/templates/task_orders/step_1.html @@ -10,7 +10,7 @@ {% set action = url_for("task_orders.submit_form_step_one_add_pdf", portfolio_id=portfolio.id) %} {% endif %} -{% set next_button_text = "Next: Add TO Number" %} +{% set next_button_text = "task_orders.form.step_1.next_button" | translate %} {% set step = "1" %} {% set sticky_cta_text = 'task_orders.form.sticky_header_text' | translate %} diff --git a/templates/task_orders/step_2.html b/templates/task_orders/step_2.html index e40f4bfc..6be0dec7 100644 --- a/templates/task_orders/step_2.html +++ b/templates/task_orders/step_2.html @@ -4,7 +4,7 @@ {% from "task_orders/form_header.html" import TOFormStepHeader %} {% set action = url_for("task_orders.submit_form_step_two_add_number", task_order_id=task_order_id) %} -{% set next_button_text = "Next: Add Base CLIN" %} +{% set next_button_text = "task_orders.form.step_2.next_button" | translate %} {% set previous_button_link = url_for("task_orders.submit_form_step_two_add_number", task_order_id=task_order_id, previous=True) %} {% set step = "2" %} {% set sticky_cta_text = 'task_orders.form.sticky_header_text' | translate %} diff --git a/templates/task_orders/step_4.html b/templates/task_orders/step_4.html index 770a40c4..bc17ac01 100644 --- a/templates/task_orders/step_4.html +++ b/templates/task_orders/step_4.html @@ -12,7 +12,7 @@ - Next: Confirm + {{ "task_orders.form.step_4.next_button" | translate }} {% endblock %} diff --git a/translations.yaml b/translations.yaml index 15240d4c..b3caebc7 100644 --- a/translations.yaml +++ b/translations.yaml 
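Review bot: The `| safe` filter on the new `to_number` line in form_header.html disables autoescaping for a string that interpolates `to_number`, presumably the value the user types in step 2 ("Please input your 13-digit Task Order number" in translations.yaml), whereas the replaced line `Task Order Number: {{ to_number }}` was autoescaped. The translation value added in this patch, `"Task Order Number: {number}"`, contains no markup, so `| safe` buys nothing and, unless `translate` escapes its arguments (not visible here), a task order number containing `<` or `&` would be rendered as HTML. Drop the filter: `{{ "task_orders.form.builder_base.to_number" | translate({ "number": to_number }) }}`.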
@@ -514,6 +514,11 @@ task_orders: add_clin: Add Another CLIN add_to_header: Enter the Task Order number add_to_description: Please input your 13-digit Task Order number. This number may be listed under "Order Number" if your Contracting Officer used form 1149, or "Delivery Order/Call No." if form 1155 was used. Moving forward, this portion of funding will be referenced by the recorded Task Order number. + builder_base: + cancel_modal: Do you want to save this draft? + delete_draft: No, delete it + save_draft: Yes, save for later + to_number: "Task Order Number: {number}" clin_title: Enter Contract Line Items clin_description: "Refer to your task order to locate your Contract Line Item Numbers (CLINs)." clin_details: CLIN Details @@ -536,12 +541,16 @@ task_orders: step_1: title: Upload your approved Task Order (TO) description: Upload your approved Task Order here. You are required to confirm you have the appropriate signature. You will have the ability to add additional approved Task Orders with more funding to this Portfolio in the future. + next_button: "Next: Add TO Number" + step_2: + next_button: "Next: Add Base CLIN" step_3: next_button: "Next: Review Task Order" percent_obligated: "% of Funds Obligated" step_4: documents: Documents clins: CLIN Summary + next_button: "Next: Confirm" step_5: cta_text: Verify Your Information description: Prior to submitting the Task Order, you must acknowledge, by marking the appropriate box below, that the uploaded Task Order is signed by an appropriate, duly warranted Contracting Officer who has the authority to execute the uploaded Task Order on your Agency’s behalf and has authorized you to upload the Task Order in accordance with Agency policy and procedures. You must further acknowledge, by marking the appropriate box below, that all information entered herein matches that of the submitted Task Order. From 6edc7b138b0745d0b3f9d99da76c445fe954c5a7 Mon Sep 17 00:00:00 2001 
From: dandds Date: Wed, 29 Jan 2020 14:39:56 -0500 Subject: [PATCH 4/5] Set SESSION_COOKIE_SECURE for deployed environments. This sets the "Secure" attribute on cookies sent to the client: https://flask.palletsprojects.com/en/1.1.x/config/#SESSION_COOKIE_SECURE --- README.md | 1 + config/base.ini | 1 + deploy/azure/atst-envvars-configmap.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/README.md b/README.md index 2681346e..d846d486 100644 --- a/README.md +++ b/README.md @@ -257,6 +257,7 @@ To generate coverage reports for the Javascript tests: - `SESSION_COOKIE_DOMAIN`: String value specifying the name to use for the session cookie. This should be set to the root domain so that it is valid for both the main site and the authentication subdomain. https://flask.palletsprojects.com/en/1.1.x/config/#SESSION_COOKIE_DOMAIN - `SESSION_KEY_PREFIX`: A prefix that is added before all session keys: https://pythonhosted.org/Flask-Session/#configuration - `SESSION_TYPE`: String value specifying the cookie storage backend. https://pythonhosted.org/Flask-Session/ +- `SESSION_COOKIE_SECURE`: https://flask.palletsprojects.com/en/1.1.x/config/#SESSION_COOKIE_SECURE - `SESSION_USE_SIGNER`: Boolean value specifying if the cookie sid should be signed. - `SQLALCHEMY_ECHO`: Boolean value specifying if SQLAlchemy should log queries to stdout. - `STATIC_URL`: URL specifying where static assets are hosted. diff --git a/config/base.ini b/config/base.ini index 6fbcce73..3504e3cd 100644 --- a/config/base.ini +++ b/config/base.ini @@ -43,6 +43,7 @@ SERVER_NAME SESSION_COOKIE_NAME=atat SESSION_COOKIE_DOMAIN SESSION_KEY_PREFIX=session: +SESSION_COOKIE_SECURE=false SESSION_TYPE = redis SESSION_USE_SIGNER = True SQLALCHEMY_ECHO = False diff --git a/deploy/azure/atst-envvars-configmap.yml b/deploy/azure/atst-envvars-configmap.yml index edd049a7..0d3e5312 100644 --- a/deploy/azure/atst-envvars-configmap.yml +++ b/deploy/azure/atst-envvars-configmap.yml 
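Review bot: `SESSION_COOKIE_SECURE=false` in config/base.ini makes the insecure setting the default and relies on every deployment overriding it, as the Azure configmap hunk in this patch does with `SESSION_COOKIE_SECURE: "true"`; an environment that copies base.ini without that override silently sends the session cookie without the Secure attribute. Defaulting to `true` here and setting `false` only in the local-development config would fail safe. Also confirm the config loader coerces the string `false` to a boolean as it evidently does for `SESSION_USE_SIGNER = True` and `SQLALCHEMY_ECHO = False` on the neighbouring lines, since Flask passes this value through to the cookie's `secure=` flag, where a non-empty string is truthy. The README entry added in this patch is a bare link; a sentence in the style of the surrounding entries, such as `Boolean value specifying whether the session cookie carries the Secure attribute so browsers only send it over HTTPS.`, would match them. Flask 1.1 also offers `SESSION_COOKIE_SAMESITE`, which this patch does not set and which is worth considering alongside.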
@@ -32,6 +32,7 @@ data: REDIS_HOST: atat.redis.cache.windows.net:6380 REDIS_TLS: "true" SESSION_COOKIE_DOMAIN: atat.code.mil + SESSION_COOKIE_SECURE: "true" STATIC_URL: https://atat-cdn.azureedge.net/static/ TZ: UTC UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini From 26cc4ce79a6093ccb6710fc0716e29ae2450d75a Mon Sep 17 00:00:00 2001 From: dandds Date: Wed, 29 Jan 2020 16:48:33 -0500 Subject: [PATCH 5/5] Disable cipher export for TLS negotiation. In order to meet compliance requirements, this adds the EXPORT option to NGINX's ssl_cipher config. Extended discussion here: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html --- deploy/azure/nginx-snippets.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/azure/nginx-snippets.yml b/deploy/azure/nginx-snippets.yml index 916d9524..dfd37a8a 100644 --- a/deploy/azure/nginx-snippets.yml +++ b/deploy/azure/nginx-snippets.yml @@ -10,7 +10,7 @@ data: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always"; # Set SSL protocols, ciphers, and related options ssl_protocols TLSv1.3 TLSv1.2; - ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!EXPORT; ssl_prefer_server_ciphers on; ssl_ecdh_curve X25519:prime256v1:secp384r1; ssl_dhparam /etc/ssl/dhparam.pem;
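Review bot: Appending `!EXPORT` to `ssl_ciphers` in nginx-snippets.yml has no effect on what is negotiated, because the list is an explicit enumeration of AEAD suites rather than an OpenSSL group keyword such as `HIGH` or `DEFAULT` that could expand to export-grade suites, and current OpenSSL releases no longer ship export suites at all. If a compliance scanner checks for the literal string, keep it but say so on the line above, e.g. `# !EXPORT is redundant with an explicit suite list; kept because the compliance check looks for it`, so a later maintainer does not read it as load-bearing. The commit message says the patch adds the `EXPORT` option; it actually adds the `!EXPORT` exclusion, and the message would be clearer saying so.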