428 Commits

Author SHA1 Message Date
tomdds
dfee80680d Skip legacy azure csp tests 2020-01-14 16:36:16 -05:00
tomdds
7b2c77298d Fix app name collision errors in portfolio tests 2020-01-14 16:36:16 -05:00
tomdds
d81d953c31 Fix formatting and some typos 2020-01-14 16:36:16 -05:00
Philip Kalinsky
69bd2f43a5 provision portfolio state machine 2020-01-14 16:36:16 -05:00
leigh-mil
17864cc060 Add migration to change environment_roles role column from string to
enum type.
Fix tests and functions affected by the column type change.
2020-01-14 13:12:29 -05:00
leigh-mil
79b2773852 Portfolio manager invite updates:
- Update the form to use BooleanFields for the permissions and make the
form more similar to the Application Members form
- Use MemberFormTemplate macro in the portfolio settings template
- fix tests affected by the form changes
2020-01-10 10:25:55 -05:00
graham-dds
490d778743 Better incorporate fixture data into reporting
Before this commit, if a portfolio wasn't present in the spending fixture
data, the reporting screen would be empty -- even if the portfolio had
applications and environments associated with it on the database. Now,
0s appear if an application and / or environment isn't present in the
fixture data.
2020-01-06 12:01:13 -05:00
dandds
3bfb6c9621 Basic implementation for a policy wrapper.
The implementation here is meant to wrap a library of JSON policy
documents. Policies should be added to directories corresponding to
where they will be defined (portfolio, application, environment).
Functionality for parsing portfolio policy definitions is included. When
the policies need to be defined on a management group, the
AzureCloudProvider can iterate the appropriate tier of the policy
manager and add those definitions.
2019-12-20 10:34:12 -05:00
dandds
b61956080e Initial policies and method for creating policy definition.
This adds some initial example policies:

- One for region restrictions
- One for service restrictions

Note that the MS ARM team has said that region restrictions may be
controlled by ARM, so that policy might prove unnecessary. The
parameters list for the service restrictions is stubbed for now, pending
the full list.

I also added an internal method for adding policy definitions to a
management group. This method is agnostic about what tier of management
group the policy is being defined at. It requires that a dictionary
representing the properties section of a valid Azure JSON policy
definition be passed as an argument.
2019-12-20 10:34:12 -05:00
leigh-mil
812caf5d7d Update schema and create/update Environments domain methods to enforce environment name uniqueness within an application context. 2019-12-18 10:54:17 -05:00
leigh-mil
22dd5d7b85 Add migration for enforcing uniqueness of an application name within a portfolio and update create/update Applicaiton domain methods. 2019-12-16 14:39:32 -05:00
leigh-mil
6446b4fbd0 Raise AlreadyExistsError if a task order is created or updated with a number of an existing task order 2019-12-13 14:53:58 -05:00
leigh-mil
1550f32b4c
Merge branch 'staging' into to-index-page-redesign_part-3 2019-12-13 13:01:11 -05:00
leigh-mil
2552d4c700 Styling for empty status accordion and update Not signed to Unsigned 2019-12-13 11:49:50 -05:00
tomdds
8a1ed5b193 Sketch in Management Group integration for Azure
Add mocks and real implementations for creating nested management groups that reflect the Portfolio->Application->Environment->Subscription hierarchy.
2019-12-13 10:53:24 -05:00
leigh-mil
ac8dd662d1 Fake task order's expended funds, default task order start and end date to None, fix how task orders are sorted by status 2019-12-12 09:40:18 -05:00
leigh-mil
e32bad0d30 Display TOs grouped by status 2019-12-12 09:40:18 -05:00
leigh-mil
d3f757c649 Update test_for_user to make variables clearer and add in a test case that should not be included in the list returned.
Use list comprehension in portfolio_applications route to get list of all environments for a user
2019-12-11 10:35:42 -05:00
leigh-mil
02efa33e49 Display users env role if they have environment access 2019-12-11 10:07:09 -05:00
graham-dds
29644a495b Add tests (& placeholder tests) for new reporting 2019-12-10 11:23:53 -05:00
leigh-mil
8330b4de24 Check to see if the env_role has been provisioned before disabling env_role in the csp 2019-12-06 09:59:56 -05:00
leigh-mil
c501431719 Check to see if the environment has been provisioned before disabling the env role in the csp 2019-12-06 09:53:36 -05:00
leigh-mil
614514d6a2 Update tables to match business logic 2019-12-02 14:46:11 -05:00
graham-dds
0303434561 First pass at new reporting designs
This commit lays out the genral structure and provides necessary
data for the new reporting page designs.

Some of the data generated by the report domain classes (including
the mock CSP reporting class) was modified to fit new designs. This also
included removing data that was no longer necessary. Part of the newly
mocked data includes the idea of "expended" data per CLIN or task order.
This was was mocked simply by using a 75% of the obligated funds fo a
given object. Tests were also written for these new/ modifed reporting
functions.

As for the front end, this commit only focuses on the high-level markup
layout. This includes splitting the large reporting index page into
smaller component templates for each of the major sections of the report.
2019-11-25 13:12:35 -05:00
leigh-mil
dd148f0837 exclude audit log related functions from coverage 2019-11-20 13:46:44 -05:00
leigh-mil
a4f21dc7e6 Prevent error from being raised when user is not trying to update a
disabled env role

We were only checking to see if a role was disabled or deleted before
raising an error, so I added in a check to see if the user was trying to
update the env role before raising an error. The error should only be
raised if the role is disabled or deleted AND the user is trying to
assign a new role to the env role.

I also added in a disabled property to the EnvironmentRole model to make
things more readable.
2019-11-15 09:51:02 -05:00
dandds
3ddfc5c179 Fix bug in static CRL test.
A CRL test that relies on fixtures files was not getting a working copy
of the relevant CRL list it needed. This also adds a setup function to
the relevant test module so that we can clear and rebuild the CRL
location cache for the fixtures.
2019-11-14 14:12:07 -05:00
dandds
9c086e2f85
Merge pull request #1177 from dod-ccpo/crls-again
Maintain static list of CRL URIs and issuers.
2019-11-14 05:45:51 -05:00
leigh-mil
06a36f23bc Raise error when a user attempts to update a disabled env role 2019-11-12 17:02:57 -05:00
leigh-mil
e8f21acf5b PR fixes 2019-11-12 16:59:22 -05:00
leigh-mil
f928b776a6 Properly set deleted data for UpdateMemberForm and display suspended env access text
Styling for env name and role in update app member perms form
2019-11-12 16:54:46 -05:00
leigh-mil
d40c11a8f6 Change how env_roles are updated
This change makes it so that when an env_role is updated to be None, the
role property on the env_role is changed to be None in addition to being
marked as deleted. This also adds in a check so that previously deleted
env_roles cannot be reassigned a role.
2019-11-12 16:54:46 -05:00
leigh-mil
54f3c2f8ba Update text and icon in modal
Update env_role status when it is deleted
2019-11-12 16:54:46 -05:00
dandds
1b6239893b Maintain static list of CRL URIs and issuers.
The previous solution (ad-hoc stream-parsing the CRLs to obtain their
issuers and nextUpdate) was too cute. It began breaking on CRLs that had
an addition hex 0x30 byte somewhere in their header. I thought that 0x30
was a reserved character only to be used for tags in ASN1 encoded with
DER; turns out that's not true. Rather than write a full-fledged ASN1
stream-parser, the simplest solution is to just maintain the list of
issuers as a constant in the codebase. This is fine because the issuer
for a specific CRL URI should not change. If it does, we've probably got
bigger problems.

This also removes the Flask app's functionality for updating the local
CRL cache. This is being handled out-of-band by a Kubernetes CronJob
and is not a concern of the app's. This means that instances of the
CRLCache do not have to explicitly track expirations for CRLs.
Previously, the in-memory dictionary or CRL issuers and locations
included expirations; now it is flattened to not include that
information.

The CRLCache class has been updated to accept a crl_list kwargs so that
unit tests can provide their own alternative CRL lists, since we now
hard-code the expected CRLs and issuers. The nightly CRL check job has
been updated to check that the hard-coded list of issuers matches what
we get when we actually sync the CRLs.
2019-11-12 05:43:11 -05:00
dandds
0b5acde4c4 Stream-parse CRLs for caching file locations.
AT-AT needs to maintain a key-value CRL cache where each key is the DER
byte-string of the issuer and the value is a dictionary of the CRL file
path and expiration. This way when it checks a client certificate, it
can load the correct CRL by comparing the issuers. This is preferable to
loading all of the CRLs in-memory. However, it still requires that AT-AT
load and parse each CRL when the application boots. Because of the size
of the CRLs and their parsed, in-memory size, this leads to the
application spiking to use nearly 900MB of memory (resting usage is
around 50MB).

This change introduces a small function to ad-hoc parse the CRL and
obtain the information in the CRL we need: the issuer and the
expiration. It does this by reading the CRL byte-by-byte until it
reaches the ASN1 sequence that corresponds to the issuer, and then looks
ahead to find the nextUpdate field (i.e., the expiration date). The
CRLCache class uses this function to build its cache and JSON-serializes
the cache to disk. If another AT-AT application process finds the
serialized version, it will load that copy instead of rebuilding it. It
also entails a change to the function signature for the init method of
CRLCache: now it expects the CRL directory as its second argument,
instead of a list of locations.

The Python script invoked by `script/sync-crls` will rebuild the
location cache each time it's run. This means that when the Kubernetes
CronJob for CRLs runs, it will refresh the cache each time. When a new
application container boots, it will get the refreshed cache.

This also adds a nightly CircleCI job to sync the CRLs and test that the
ad-hoc parsing function returns the same result as a proper parsing
using the Python cryptography library. This provides extra insurance
that the function is returning correct results on real data.
2019-11-04 08:36:03 -05:00
tomdds
d0746a3bf6 Cleanup imports and formatting in azure testing code 2019-10-30 16:43:59 -04:00
tomdds
3e7a720ffb Post-rebase fixes 2019-10-30 16:43:59 -04:00
tomdds
63ea7db390 Rudimentary tests to validate mocking 2019-10-30 16:43:59 -04:00
tomdds
99e306e602 First pass at mocking and testing azure integration 2019-10-30 16:43:59 -04:00
richard-dds
d1e6533824 Implement EnvironmentRoles.disable 2019-10-29 15:57:57 -04:00
richard-dds
ec44d4a560
Merge pull request #1143 from dod-ccpo/consolidate-csp-interface
Simplify CloudProviderInterface and remove AWS impl.
2019-10-29 13:47:14 -04:00
richard-dds
184b58d5d2 Remove AWSCloudProvider 2019-10-28 13:55:34 -04:00
richard-dds
6ea17bb4f8 Merge create_environment and create_environment_baseline 2019-10-28 13:39:40 -04:00
graham-dds
ccaabcaab0 Add revoke invitation logic to port. admin route 2019-10-28 13:15:42 -04:00
graham-dds
a1c672d89f Conditionally skip tests related to audit log 2019-10-21 11:36:53 -04:00
richard-dds
1bce0a1f01 Revert user deletion job 2019-10-14 16:51:19 -04:00
richard-dds
0c480ccc41 Fix tests 2019-10-08 16:42:25 -04:00
leigh-mil
875b908908 Do not change app role status when invite status changes, add assertions to tests for this 2019-10-03 14:56:38 -04:00
richard-dds
e34333a990 Fix tests 2019-10-02 16:01:23 -04:00
richard-dds
cc3de11e54 Standardize all of the AWS credentials 2019-10-02 16:01:23 -04:00