When a portfolio state machine transitions to the COMPLETED state, an
email is sent to the PPOC letting them know it's ready, and provides
them with their username needed to create a password.
To comply with security guidelines, we need to destroy the session when
a user logs out. This means that the session's key in the Redis cache
needs to be deleted. Flask expects to _always_ have a session object. If
the current session object does not exist in the Redis cache, Flask will
reserialize and store it at the end of the request. In order for
session deletion to work, we need to delete the key for the existing
session and then replace the session object with a new, empty one.
This also updates the SessionLimiter class so that the session prefix is
configurable.
We do not have the bandwidth to keep the Minikube deployment up-to-date,
so rather than leave half-baked config in the repo we'll remove it for
now. Complications that would have to be resolved for running Minikube
locally include managing secrets out of Azure Key Vault and managing TLS
termination over localhost.
The Synack audit also identified the Minikube basic auth password as an
issue; it's only for demo purposes, but this will resolve that ticket.
This got lost somewhere along the way (almost certainly by me), so this
commit tries to make it explicit. The app needs to be able to configure
the session cookie domain name so that it is valid for both the main
site domain and the authentication subdomain. For instance, if the site
is runnning at uat.atat.code.mil and authentication happens at
auth-uat.atat.code.mil, SESSION_COOKIE_DOMAIN should be set to
atat.code.mil so that it's valid for both.
This adds the setting to the base INI file and a default for our K8s
clusters.
These settings are used in the deployed instance and mentioned elsewhere
in the README, but were missing from the base INI file and the
Configuration Guide section of the README.
Adds a CircleCI integration for Ghost Inspector
(https://ghostinspector.com), a headless browser testing SaaS. The
README is updated with details about how to run GI locally.
Removes the bootstrap setup for Selenium testing with BrowserStack.
The Minikube version of the cluster has some differences from the main
config (noted in the README) but will be useful for for future DevOps
development.
This adds the following:
- A detect-secrets dependency and a related script
(`script/detect_secrets`) to find and alert developers to secrets
added to the code. By default, the script will search staged and new,
unstaged files. It can optionally search only staged files.
- A whitelist, `.secrets.baseline`, that tracks instances of secrets or
false positives already in the repo.
- Modifies `script/test` to detect secrets as part of the test suite.
- Updates to the README regarding the use of detect-secrets.
Dockerfile is now a single multi-stage build that relies on a Python 3.7
base image.
Notes:
- This builds uWSGI with a `pip install` because the Alpine vendored
uWSGI is built against Python 3.6.
- Adds a docker-compose file that can be used for testing that the build
works. It is not usable for development purposes because it creates a
static copy of the application.
