From 946a29acdaa5299ef8c69d8db426acca0ebe587d Mon Sep 17 00:00:00 2001
From: richard-dds
Date: Mon, 25 Nov 2019 16:28:31 -0500
Subject: [PATCH 01/10] Document the significance of our configuration values

---
 .secrets.baseline | 4 ++--
 README.md | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/.secrets.baseline b/.secrets.baseline
index dd2428f1..abedb855 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "^.secrets.baseline$|^.*pgsslrootcert.yml$",
 "lines": null
 },
- "generated_at": "2019-11-19T18:28:27Z",
+ "generated_at": "2019-11-25T21:28:07Z",
 "plugins_used": [
 {
 "base64_limit": 4.5,
@@ -46,7 +46,7 @@
 "hashed_secret": "81b127e2222d9bfc4609053faec85300f7525463",
 "is_secret": false,
 "is_verified": false,
- "line_number": 244,
+ "line_number": 294,
 "type": "Secret Keyword"
 }
 ],
diff --git a/README.md b/README.md
index d12a5b74..fff444c9 100644
--- a/README.md
+++ b/README.md
@@ -220,6 +220,48 @@ To generate coverage reports for the Javascript tests:
 
 yarn test:coverage
 
+## Configuration
+
+- `ASSETS_URL`: URL to host which serves static assets (such as a CDN).
+- `BLOB_STORAGE_URL`: URL to Azure blob storage container.
+- `CAC_URL`: URL for the CAC authentication route.
+- `CA_CHAIN`: Path to the CA chain file.
+- `CDN_ORIGIN`: URL for the origin host for asset files.
+- `CELERY_DEFAULT_QUEUE`:
+- `CLASSIFIED`: Boolean specifying if we're running in a classified environment.
+- `CONTRACT_END_DATE`: String specifying the end date of the JEDI contract. Used for task order validation. Example: 2019-09-14
+- `CONTRACT_START_DATE`: String specifying the start date of the JEDI contract. Used for task order validation. Example: 2019-09-14.
+- `CRL_FAIL_OPEN`: Boolean specifying if expired CRLs should fail open, rather than closed.
+- `CRL_STORAGE_CONTAINER`: Path to a directory where the CRL cache will be stored.
+- `CSP`: String specifying the cloud service provider to use. Acceptable values: "azure", "mock", "mock-csp".
+- `DEBUG`: Boolean. A truthy value enables Flask's debug mode. https://flask.palletsprojects.com/en/1.1.x/config/#DEBUG
+- `DISABLE_CRL_CHECK`: Boolean specifying if CRL check should be bypassed.
+- `ENVIRONMENT`: String specifying the current environment. Acceptable values: "dev", "prod".
+- `LIMIT_CONCURRENT_SESSIONS`: Boolean specifying if users should be allowed only one active session at a time.
+- `LOG_JSON`: Boolean specifying whether app should log in a json format.
+- `PERMANENT_SESSION_LIFETIME`: Integer specifying how many seconds a user's session can stay valid for. https://flask.palletsprojects.com/en/1.1.x/config/#PERMANENT_SESSION_LIFETIME
+- `PE_NUMBER_CSV_URL`:
+- `PGAPPNAME`:
+- `PGDATABASE`: String specifying the name of the postgres database.
+- `PGHOST`: String specifying the hostname of the postgres database.
+- `PGPASSWORD`: String specifying the password of the postgres database.
+- `PGPORT`: Integer specifying the port number of the postgres database.
+- `PGSSLMODE`: String specifying the ssl mode to use when connecting to the postgres database. https://www.postgresql.org/docs/9.1/libpq-ssl.html
+- `PGSSLROOTCERT`: Path to the root SSL certificate for the postgres database.
+- `PGUSER`: String specifying the username to use when connecting to the postgres database.
+- `PORT`: Integer specifying the port to bind to when running the flask server.
+- `REDIS_URI`: URI for the redis server.
+- `RQ_QUEUES`:
+- `SECRET_KEY`: String key which will be used to sign the session cookie. Should be a long string of random bytes. https://flask.palletsprojects.com/en/1.1.x/config/#SECRET_KEY
+- `SERVER_NAME`: Hostname for ATAT.
+- `SESSION_COOKIE_NAME`: String value specifying the name to use for the session cookie. https://flask.palletsprojects.com/en/1.1.x/config/#SESSION_COOKIE_NAME
+- `SESSION_TYPE`: String value specifying the cookie storage backend. https://pythonhosted.org/Flask-Session/
+- `SESSION_USE_SIGNER`: Boolean value specifying if the cookie sid should be signed.
+- `SQLALCHEMY_ECHO`: Boolean value specifying if SQLAlchemy should log queries to stdout.
+- `STATIC_URL`: URL specifying where static assets are hosted.
+- `USE_AUDIT_LOG`: Boolean value describing if ATAT should write to the audit log. Set to "false" by default for performance reasons.
+- `WTF_CSRF_ENABLED`: Boolean value specifying if WTForms should protect against CSRF. Should be set to "true" unless running automated tests.
+
 ### UI Test Automation
 
 AT-AT uses [Ghost Inpsector](https://app.ghostinspector.com/), a testing PaaS

From a33468b6c7db3fe46bb535d76ad0e7c222539023 Mon Sep 17 00:00:00 2001
From: richard-dds
Date: Tue, 26 Nov 2019 16:28:55 -0500
Subject: [PATCH 02/10] Add definition for CELERY_DEFAULT_QUEUE

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index fff444c9..b66b5cb1 100644
--- a/README.md
+++ b/README.md
@@ -227,7 +227,7 @@ To generate coverage reports for the Javascript tests:
 - `CAC_URL`: URL for the CAC authentication route.
 - `CA_CHAIN`: Path to the CA chain file.
 - `CDN_ORIGIN`: URL for the origin host for asset files.
-- `CELERY_DEFAULT_QUEUE`:
+- `CELERY_DEFAULT_QUEUE`: String specifying the name of the queue that background tasks will be added to.
 - `CLASSIFIED`: Boolean specifying if we're running in a classified environment.
 - `CONTRACT_END_DATE`: String specifying the end date of the JEDI contract. Used for task order validation. Example: 2019-09-14
 - `CONTRACT_START_DATE`: String specifying the start date of the JEDI contract. Used for task order validation. Example: 2019-09-14.

From 2f8135ecd1762068f972f67370ff3841dc2faaa9 Mon Sep 17 00:00:00 2001
From: richard-dds
Date: Tue, 26 Nov 2019 16:29:55 -0500
Subject: [PATCH 03/10] Remove CLASSIFIED param

---
 .secrets.baseline | 6 +++---
 README.md | 1 -
 atst/app.py | 1 -
 config/base.ini | 1 -
 4 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/.secrets.baseline b/.secrets.baseline
index abedb855..ccfe1664 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "^.secrets.baseline$|^.*pgsslrootcert.yml$",
 "lines": null
 },
- "generated_at": "2019-11-25T21:28:07Z",
+ "generated_at": "2019-11-26T21:30:17Z",
 "plugins_used": [
 {
 "base64_limit": 4.5,
@@ -46,7 +46,7 @@
 "hashed_secret": "81b127e2222d9bfc4609053faec85300f7525463",
 "is_secret": false,
 "is_verified": false,
- "line_number": 294,
+ "line_number": 293,
 "type": "Secret Keyword"
 }
 ],
@@ -98,7 +98,7 @@
 "hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3",
 "is_secret": false,
 "is_verified": false,
- "line_number": 21,
+ "line_number": 23,
 "type": "Secret Keyword"
 }
 ],
diff --git a/README.md b/README.md
index b66b5cb1..8ecc6383 100644
--- a/README.md
+++ b/README.md
@@ -228,7 +228,6 @@ To generate coverage reports for the Javascript tests:
 - `CA_CHAIN`: Path to the CA chain file.
 - `CDN_ORIGIN`: URL for the origin host for asset files.
 - `CELERY_DEFAULT_QUEUE`: String specifying the name of the queue that background tasks will be added to.
-- `CLASSIFIED`: Boolean specifying if we're running in a classified environment.
 - `CONTRACT_END_DATE`: String specifying the end date of the JEDI contract. Used for task order validation. Example: 2019-09-14
 - `CONTRACT_START_DATE`: String specifying the start date of the JEDI contract. Used for task order validation. Example: 2019-09-14.
 - `CRL_FAIL_OPEN`: Boolean specifying if expired CRLs should fail open, rather than closed.
diff --git a/atst/app.py b/atst/app.py
index 3695f65e..eea814a5 100644
--- a/atst/app.py
+++ b/atst/app.py
@@ -160,7 +160,6 @@ def map_config(config):
 "BROKER_URL": config["default"]["REDIS_URI"],
 "DEBUG": config["default"].getboolean("DEBUG"),
 "SQLALCHEMY_ECHO": config["default"].getboolean("SQLALCHEMY_ECHO"),
- "CLASSIFIED": config["default"].getboolean("CLASSIFIED"),
 "PORT": int(config["default"]["PORT"]),
 "SQLALCHEMY_DATABASE_URI": config["default"]["DATABASE_URI"],
 "SQLALCHEMY_TRACK_MODIFICATIONS": False,
diff --git a/config/base.ini b/config/base.ini
index 146ebcb4..4e3a26cb 100644
--- a/config/base.ini
+++ b/config/base.ini
@@ -5,7 +5,6 @@ CAC_URL = http://localhost:8000/login-redirect
 CA_CHAIN = ssl/server-certs/ca-chain.pem
 CDN_ORIGIN=http://localhost:8000
 CELERY_DEFAULT_QUEUE=celery
-CLASSIFIED = false
 CONTRACT_END_DATE = 2022-09-14
 CONTRACT_START_DATE = 2019-09-14
 CRL_FAIL_OPEN = false

From f8a457bacdd515d96ac36af40984397ea4187a89 Mon Sep 17 00:00:00 2001
From: richard-dds
Date: Tue, 26 Nov 2019 16:31:23 -0500
Subject: [PATCH 04/10] Add more detail for DISABLE_CRL_CHECK

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8ecc6383..a69bdb8f 100644
--- a/README.md
+++ b/README.md
@@ -234,7 +234,7 @@ To generate coverage reports for the Javascript tests:
 - `CRL_STORAGE_CONTAINER`: Path to a directory where the CRL cache will be stored.
 - `CSP`: String specifying the cloud service provider to use. Acceptable values: "azure", "mock", "mock-csp".
 - `DEBUG`: Boolean. A truthy value enables Flask's debug mode. https://flask.palletsprojects.com/en/1.1.x/config/#DEBUG
-- `DISABLE_CRL_CHECK`: Boolean specifying if CRL check should be bypassed.
+- `DISABLE_CRL_CHECK`: Boolean specifying if CRL check should be bypassed. Useful for instances of the application container that are not serving HTTP requests, such as Celery workers.
 - `ENVIRONMENT`: String specifying the current environment. Acceptable values: "dev", "prod".
 - `LIMIT_CONCURRENT_SESSIONS`: Boolean specifying if users should be allowed only one active session at a time.
 - `LOG_JSON`: Boolean specifying whether app should log in a json format.

From 684b86c2d03578e19b1c6d5a1d9066d71c4b00e9 Mon Sep 17 00:00:00 2001
From: richard-dds
Date: Tue, 26 Nov 2019 16:32:17 -0500
Subject: [PATCH 05/10] Remove PE_NUMBER_CSV_URL and PGAPPNAME

---
 .secrets.baseline | 6 +++---
 README.md | 2 --
 config/base.ini | 2 --
 3 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/.secrets.baseline b/.secrets.baseline
index ccfe1664..06f94963 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "^.secrets.baseline$|^.*pgsslrootcert.yml$",
 "lines": null
 },
- "generated_at": "2019-11-26T21:30:17Z",
+ "generated_at": "2019-11-26T21:32:13Z",
 "plugins_used": [
 {
 "base64_limit": 4.5,
@@ -46,7 +46,7 @@
 "hashed_secret": "81b127e2222d9bfc4609053faec85300f7525463",
 "is_secret": false,
 "is_verified": false,
- "line_number": 293,
+ "line_number": 291,
 "type": "Secret Keyword"
 }
 ],
@@ -98,7 +98,7 @@
 "hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3",
 "is_secret": false,
 "is_verified": false,
- "line_number": 23,
+ "line_number": 21,
 "type": "Secret Keyword"
 }
 ],
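Review bot: The sentence added to `DISABLE_CRL_CHECK` says when it is convenient to set the flag but not what is given up, so an operator who copies a Celery worker's environment to a request-serving instance gets no warning that revocation checking is then off entirely; the `CRL_FAIL_OPEN` entry added in the first patch of this series has the same gap. I would extend the new line with `Must be "false" on any instance that serves login requests: while set, no revocation check is performed.` and give `CRL_FAIL_OPEN` a matching sentence, `A truthy value accepts a certificate whose CRL has expired; keep it "false" outside local development.` Which login route the CRL check protects is not visible in this series (presumably the CAC route behind `CAC_URL`), so confirm the wording against the code before committing it.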
diff --git a/README.md b/README.md
index a69bdb8f..eca405f8 100644
--- a/README.md
+++ b/README.md
@@ -239,8 +239,6 @@ To generate coverage reports for the Javascript tests:
 - `LIMIT_CONCURRENT_SESSIONS`: Boolean specifying if users should be allowed only one active session at a time.
 - `LOG_JSON`: Boolean specifying whether app should log in a json format.
 - `PERMANENT_SESSION_LIFETIME`: Integer specifying how many seconds a user's session can stay valid for. https://flask.palletsprojects.com/en/1.1.x/config/#PERMANENT_SESSION_LIFETIME
-- `PE_NUMBER_CSV_URL`:
-- `PGAPPNAME`:
 - `PGDATABASE`: String specifying the name of the postgres database.
 - `PGHOST`: String specifying the hostname of the postgres database.
 - `PGPASSWORD`: String specifying the password of the postgres database.
diff --git a/config/base.ini b/config/base.ini
index 4e3a26cb..8526c756 100644
--- a/config/base.ini
+++ b/config/base.ini
@@ -16,8 +16,6 @@ ENVIRONMENT = dev
 LIMIT_CONCURRENT_SESSIONS = false
 LOG_JSON = false
 PERMANENT_SESSION_LIFETIME = 1800
-PE_NUMBER_CSV_URL = http://c95e1ebb198426ee57b8-174bb05a294821bedbf46b6384fe9b1f.r31.cf5.rackcdn.com/penumbers.csv
-PGAPPNAME = atst
 PGDATABASE = atat
 PGHOST = localhost
 PGPASSWORD = postgres

From 97bc63df667d5153fdaa5afc9f205d1b5b055071 Mon Sep 17 00:00:00 2001
From: richard-dds
Date: Tue, 26 Nov 2019 16:33:08 -0500
Subject: [PATCH 06/10] Additional details for PORT

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index eca405f8..981fe024 100644
--- a/README.md
+++ b/README.md
@@ -246,7 +246,7 @@ To generate coverage reports for the Javascript tests:
 - `PGSSLMODE`: String specifying the ssl mode to use when connecting to the postgres database. https://www.postgresql.org/docs/9.1/libpq-ssl.html
 - `PGSSLROOTCERT`: Path to the root SSL certificate for the postgres database.
 - `PGUSER`: String specifying the username to use when connecting to the postgres database.
-- `PORT`: Integer specifying the port to bind to when running the flask server.
+- `PORT`: Integer specifying the port to bind to when running the flask server. Used only for local development.
 - `REDIS_URI`: URI for the redis server.
 - `RQ_QUEUES`:
 - `SECRET_KEY`: String key which will be used to sign the session cookie. Should be a long string of random bytes. https://flask.palletsprojects.com/en/1.1.x/config/#SECRET_KEY

From 6b2427a98d15c75a9583dcf40b8b6d4187f8ad7b Mon Sep 17 00:00:00 2001
From: richard-dds
Date: Tue, 26 Nov 2019 16:33:47 -0500
Subject: [PATCH 07/10] Remove unused RQ_QUEUES

---
 .secrets.baseline | 4 ++--
 README.md | 1 -
 config/base.ini | 1 -
 3 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/.secrets.baseline b/.secrets.baseline
index 06f94963..07353d5a 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "^.secrets.baseline$|^.*pgsslrootcert.yml$",
 "lines": null
 },
- "generated_at": "2019-11-26T21:32:13Z",
+ "generated_at": "2019-11-26T21:33:43Z",
 "plugins_used": [
 {
 "base64_limit": 4.5,
@@ -46,7 +46,7 @@
 "hashed_secret": "81b127e2222d9bfc4609053faec85300f7525463",
 "is_secret": false,
 "is_verified": false,
- "line_number": 291,
+ "line_number": 290,
 "type": "Secret Keyword"
 }
 ],
diff --git a/README.md b/README.md
index 981fe024..62745b71 100644
--- a/README.md
+++ b/README.md
@@ -248,7 +248,6 @@ To generate coverage reports for the Javascript tests:
 - `PGUSER`: String specifying the username to use when connecting to the postgres database.
 - `PORT`: Integer specifying the port to bind to when running the flask server. Used only for local development.
 - `REDIS_URI`: URI for the redis server.
-- `RQ_QUEUES`:
 - `SECRET_KEY`: String key which will be used to sign the session cookie. Should be a long string of random bytes. https://flask.palletsprojects.com/en/1.1.x/config/#SECRET_KEY
 - `SERVER_NAME`: Hostname for ATAT.
 - `SESSION_COOKIE_NAME`: String value specifying the name to use for the session cookie. https://flask.palletsprojects.com/en/1.1.x/config/#SESSION_COOKIE_NAME
diff --git a/config/base.ini b/config/base.ini
index 8526c756..257059e4 100644
--- a/config/base.ini
+++ b/config/base.ini
@@ -25,7 +25,6 @@ PGSSLROOTCERT
 PGUSER = postgres
 PORT=8000
 REDIS_URI = redis://localhost:6379
-RQ_QUEUES = atat_%(ENVIRONMENT)s
 SECRET_KEY = change_me_into_something_secret
 SERVER_NAME
 SESSION_COOKIE_NAME=atat

From 40d9d28b5e4e6899ccb2256b1f97b118e63502f4 Mon Sep 17 00:00:00 2001
From: richard-dds
Date: Tue, 26 Nov 2019 16:35:00 -0500
Subject: [PATCH 08/10] Additional details for SERVER_NAME

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 62745b71..156e6a29 100644
--- a/README.md
+++ b/README.md
@@ -249,7 +249,7 @@ To generate coverage reports for the Javascript tests:
 - `PORT`: Integer specifying the port to bind to when running the flask server. Used only for local development.
 - `REDIS_URI`: URI for the redis server.
 - `SECRET_KEY`: String key which will be used to sign the session cookie. Should be a long string of random bytes. https://flask.palletsprojects.com/en/1.1.x/config/#SECRET_KEY
-- `SERVER_NAME`: Hostname for ATAT.
+- `SERVER_NAME`: Hostname for ATAT. Only needs to be specified in contexts where the hostname cannot be inferred from the request, such as Celery workers. https://flask.palletsprojects.com/en/1.1.x/config/#SERVER_NAME
 - `SESSION_COOKIE_NAME`: String value specifying the name to use for the session cookie. https://flask.palletsprojects.com/en/1.1.x/config/#SESSION_COOKIE_NAME
 - `SESSION_TYPE`: String value specifying the cookie storage backend. https://pythonhosted.org/Flask-Session/
 - `SESSION_USE_SIGNER`: Boolean value specifying if the cookie sid should be signed.

From bd881fd1e09170331b7b039d2d6236b446a62315 Mon Sep 17 00:00:00 2001
From: richard-dds
Date: Tue, 26 Nov 2019 16:35:38 -0500
Subject: [PATCH 09/10] Additional details for USE_AUDIT_LOG

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 156e6a29..d18177d4 100644
--- a/README.md
+++ b/README.md
@@ -255,7 +255,7 @@ To generate coverage reports for the Javascript tests:
 - `SESSION_USE_SIGNER`: Boolean value specifying if the cookie sid should be signed.
 - `SQLALCHEMY_ECHO`: Boolean value specifying if SQLAlchemy should log queries to stdout.
 - `STATIC_URL`: URL specifying where static assets are hosted.
-- `USE_AUDIT_LOG`: Boolean value describing if ATAT should write to the audit log. Set to "false" by default for performance reasons.
+- `USE_AUDIT_LOG`: Boolean value describing if ATAT should write to the audit log table in the database. Set to "false" by default for performance reasons.
 - `WTF_CSRF_ENABLED`: Boolean value specifying if WTForms should protect against CSRF. Should be set to "true" unless running automated tests.
 
 ### UI Test Automation

From 9d7e54c1f5bfd76acea3dc84c91c990c1f49939e Mon Sep 17 00:00:00 2001
From: dandds
Date: Wed, 27 Nov 2019 10:34:56 -0500
Subject: [PATCH 10/10] Remove mappings for unused RQ values.

---
 atst/app.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/atst/app.py b/atst/app.py
index eea814a5..39eab6ec 100644
--- a/atst/app.py
+++ b/atst/app.py
@@ -174,8 +174,6 @@ def map_config(config):
 "PERMANENT_SESSION_LIFETIME": config.getint(
 "default", "PERMANENT_SESSION_LIFETIME"
 ),
- "RQ_REDIS_URL": config["default"]["REDIS_URI"],
- "RQ_QUEUES": [config["default"]["RQ_QUEUES"]],
 "DISABLE_CRL_CHECK": config.getboolean("default", "DISABLE_CRL_CHECK"),
 "CRL_FAIL_OPEN": config.getboolean("default", "CRL_FAIL_OPEN"),
 "LOG_JSON": config.getboolean("default", "LOG_JSON"),