sync w main

Author: JFU-NAVA-PBC

.github/pull_request_template.md

@@ -5,7 +5,7 @@ This PR template is here to help ensure you're setup for success:
 -->
 
 **JIRA Ticket:**
-[SOMEPROJECT-42](https://jira.cms.gov/browse/SOMEPROJECT-42)
+[BB2-XXXX](https://jira.cms.gov/browse/BB2-XXXX)
 
 **User Story or Bug Summary:**
 <!-- Please copy-paste the brief user story or bug description that this PR is intended to address. -->

Dockerfile.selenium

@@ -14,4 +14,3 @@ RUN . /tmp/venv/bin/activate
 ENV PATH="/tmp/venv/bin:${PATH}"
 RUN pip3 install --upgrade pip
 RUN pip3 install selenium pytest jsonschema
-

apps/accounts/admin.py

@@ -1,3 +1,4 @@
+from datetime import datetime
 from django.contrib import admin
 from django.contrib.auth.models import User
 from django.contrib.auth.admin import UserAdmin as DjangoUserAdmin
@@ -9,7 +10,6 @@
     UserIdentificationLabel,
 )
 
-
 admin.site.register(ActivationKey)
 admin.site.register(ValidPasswordResetKey)
 
@@ -30,8 +30,36 @@ def queryset(self, request, queryset):
         return queryset
 
 
-class UserAdmin(DjangoUserAdmin):
+class ActiveAccountFilter(admin.SimpleListFilter):
+    title = "User activation status"
+    parameter_name = "status"
+
+    def lookups(self, request, model_admin):
+        return [
+            ("active", "Active"),
+            ("inactive_all", "Inactive"),
+            ("inactive_expired", "Inactive (expired activation key)")
+        ]
+
+    def queryset(self, request, queryset):
+        if self.value() == "inactive_expired":
+            return queryset.filter(
+                is_active=False,
+                activationkey__key_status="expired",
+            ) | queryset.filter(
+                # Since the activation keys only reach "expired" status when they are
+                # used post-expiration, we need to check the "created" status as well
+                is_active=False,
+                activationkey__key_status="created",
+                activationkey__expires__lt=(datetime.today()),
+            )
+        elif self.value() == "inactive_all":
+            return queryset.filter(is_active=False)
+        elif self.value() == "active":
+            return queryset.filter(is_active=True)
 
+
+class UserAdmin(DjangoUserAdmin):
     list_display = (
         "username",
         "get_type",
@@ -43,7 +71,7 @@ class UserAdmin(DjangoUserAdmin):
         "date_joined",
     )
 
-    list_filter = (UserTypeFilter,)
+    list_filter = (UserTypeFilter, ActiveAccountFilter,)
 
     @admin.display(
         description="Type",

apps/accounts/tests/test_password_reset_while_authenticated.py

@@ -193,26 +193,15 @@ def test_password_change_reuse_validation(self):
         self.user = User.objects.get(username="fred")  # get user again so that you can see password changed
         self.assertEquals(self.user.check_password("IchangedTHEpassword#123"), True)
 
-        # add 12 minutes to time to expire current password
-        StubDate.now = classmethod(
-            lambda cls, timezone: datetime.now().replace(tzinfo=pytz.UTC) + relativedelta(minutes=+12)
-        )
-        self.client.logout()
-        form_data = {'username': 'fred',
-                     'password': 'IchangedTHEpassword#123'}
-        response = self.client.post(reverse('login'), form_data, follow=True)
-        self.assertContains(response,
-                            ("Your password has expired, change password strongly recommended."))
-
     @override_switch('login', active=True)
     @mock.patch("apps.accounts.validators.datetime", StubDate)
-    def test_password_expire_not_affect_staff(self):
+    def test_no_password_expire(self):
         self.client.logout()
-        # add 20 minutes to time to show staff is not effected
+        # add 90 days to time to show expiration is removed
         StubDate.now = classmethod(
-            lambda cls, timezone: datetime.now().replace(tzinfo=pytz.UTC) + relativedelta(minutes=+20)
+            lambda cls, timezone: datetime.now().replace(tzinfo=pytz.UTC) + relativedelta(days=+90)
         )
-        form_data = {'username': 'staff',
+        form_data = {'username': 'fred',
                      'password': 'foobarfoobarfoobar'}
         response = self.client.post(reverse('login'), form_data, follow=True)
         # assert account dashboard page
@@ -222,8 +211,5 @@ def test_password_expire_not_affect_staff(self):
                             ("The Developer Sandbox lets you register applications to get credentials"))
 
     def test_password_reuse_min_age_validator_args_check(self):
-        with self.assertRaisesRegex(ValueError,
-                                    (".*password_min_age < password_reuse_interval expected.*"
-                                     "password_expire < password_reuse_interval expected.*"
-                                     "password_min_age < password_expire expected.*")):
-            PasswordReuseAndMinAgeValidator(60 * 60 * 24 * 30, 60 * 60 * 24 * 10, 60 * 60 * 24 * 20)
+        with self.assertRaisesRegex(ValueError, ".*password_min_age < password_reuse_interval expected.*"):
+            PasswordReuseAndMinAgeValidator(60 * 60 * 24 * 30, 60 * 60 * 24 * 10)

apps/accounts/validators.py

@@ -86,7 +86,7 @@ class PasswordReuseAndMinAgeValidator(object):
     def __init__(self,
                  password_min_age=60 * 60 * 24,
                  password_reuse_interval=60 * 60 * 24 * 120,
-                 password_expire=60 * 60 * 24 * 30):
+                 password_expire=0):
 
         msg1 = "Invalid OPTIONS, password_min_age < password_reuse_interval expected, " \
                "but having password_min_age({}) >= password_reuse_interval({})"
@@ -96,14 +96,11 @@ def __init__(self,
                "but having password_expire({}) >= password_reuse_interval({})"
 
         check_opt_err = []
-        if password_min_age > 0 and password_reuse_interval > 0 \
-                and password_min_age > password_reuse_interval:
+        if 0 < password_reuse_interval < password_min_age:
             check_opt_err.append(msg1.format(password_min_age, password_reuse_interval))
-        if password_expire > 0 and password_reuse_interval > 0 \
-                and password_expire > password_reuse_interval:
+        if 0 < password_reuse_interval < password_expire:
             check_opt_err.append(msg2.format(password_expire, password_reuse_interval))
-        if password_min_age > 0 and password_expire > 0 \
-                and password_min_age > password_expire:
+        if 0 < password_expire < password_min_age:
             check_opt_err.append(msg3.format(password_min_age, password_expire))
         if len(check_opt_err) > 0:
             raise ValueError(check_opt_err)
@@ -234,8 +231,7 @@ def password_expired(self, user=None):
             except PastPassword.DoesNotExist:
                 pass
             if passwds is not None and passwds.first() is not None:
-                if (datetime.now(timezone.utc)
-                        - passwds.first().date_created).total_seconds() >= self.password_expire:
+                if (datetime.now(timezone.utc) - passwds.first().date_created).total_seconds() >= self.password_expire:
                     # the elapsed time since last password change / create is more than password_expire
                     passwd_expired = True
         return passwd_expired

apps/accounts/views/login.py

@@ -21,11 +21,6 @@ def dispatch(self, request, *args, **kwargs):
         return super().dispatch(request, *args, **kwargs)
 
     def form_valid(self, form):
-        """
-        Extend django login view to do password expire check
-        and redirect to password-change instead of user account home
-        """
-        # auth_login(self.request, form.get_user())
         response = super().form_valid(form)
         if response.status_code == 302:
             passwd_validators = get_default_password_validators()

apps/authorization/management/commands/update_access_grants.py

@@ -1,33 +1,38 @@
 from django.core.management.base import BaseCommand
 from apps.authorization.models import DataAccessGrant
 from apps.dot_ext.models import Application
+
+
 class Command(BaseCommand):
     help = (
         'Update Access Grants Per Application.'
         'Pass in a list of application ids.'
     )
 
     def add_arguments(self, parser):
-        parser.add_argument('--applications', help="list of applications to update "
+        parser.add_argument('--applications', help="List of applications to update "
                                                     "id, comma separated: "
-                                                    "eg. 1,2,3 ")
-
+                                                    "eg. 1,2,3. Supersedes --all")
+        parser.add_argument('--all', action='store_true', help="Update access grants for all applications")
+        parser.set_defaults(all=False)
 
     def handle(self, *args, **options):
         if options['applications']:
             application_ids = options['applications'].split(',')
+        elif options['all']:
+            application_ids = Application.objects.values_list('id', flat=True)
         else:
-            print("You must pass at least one application to update.")
+            print("You must pass at least one application to update or use the --all option.")
             return False
         for app_id in application_ids:
             application = Application.objects.get(id=app_id)
             grants = DataAccessGrant.objects.filter(application=app_id)
+            if not grants:
+                continue
             if "ONE_TIME" in application.data_access_type:
                 grants.delete()
             elif "THIRTEEN_MONTH" in application.data_access_type:
                 for grant in grants:
                     grant.update_expiration_date()
             else:
                 continue
-
-

apps/authorization/views.py

@@ -1,3 +1,6 @@
+from datetime import datetime
+
+from django.db.models import Q
 from django.http import HttpResponse
 from django.utils.decorators import method_decorator
 from django.views.decorators.csrf import csrf_exempt
@@ -46,7 +49,10 @@ class AuthorizedGrants(viewsets.GenericViewSet,
     serializer_class = DataAccessGrantSerializer
 
     def get_queryset(self):
-        return DataAccessGrant.objects.select_related("application").filter(beneficiary=self.request.user)
+        return DataAccessGrant.objects.select_related("application").filter(
+            Q(expiration_date__gt=datetime.now()) | Q(expiration_date=None),
+            beneficiary=self.request.user
+        )
 
 
 @method_decorator(csrf_exempt, name="dispatch")

apps/dot_ext/forms.py

@@ -59,7 +59,9 @@ def __init__(self, user, *args, **kwargs):
         self.fields["name"].label = "Name*"
         self.fields["name"].required = True
         self.fields["client_type"].label = "Client Type*"
+        self.fields["client_type"].required = False
         self.fields["authorization_grant_type"].label = "Authorization Grant Type*"
+        self.fields["authorization_grant_type"].required = False
         self.fields["redirect_uris"].label = "Redirect URIs*"
         self.fields["logo_uri"].disabled = True
 
@@ -86,29 +88,6 @@ class Meta:
     required_css_class = "required"
 
     def clean(self):
-        client_type = self.cleaned_data.get("client_type")
-        authorization_grant_type = self.cleaned_data.get("authorization_grant_type")
-
-        msg = ""
-        validate_error = False
-
-        # Validate choices
-        if not (
-            client_type == "confidential"
-            and authorization_grant_type == "authorization-code"
-        ):
-            validate_error = True
-            msg += (
-                "Only a confidential client and "
-                "authorization-code grant type are allowed at this time."
-            )
-
-        if validate_error:
-            msg_output = _(msg)
-            raise forms.ValidationError(msg_output)
-        else:
-            pass
-
         return self.cleaned_data
 
     def clean_name(self):
@@ -176,6 +155,8 @@ def clean_require_demographic_scopes(self):
         return require_demographic_scopes
 
     def save(self, *args, **kwargs):
+        self.instance.client_type = "confidential"
+        self.instance.authorization_grant_type = "authorization-code"
         app = self.instance
         # Only log agreement from a Register form
         if app.agree and type(self) == CustomRegisterApplicationForm:

apps/dot_ext/models.py

@@ -33,6 +33,7 @@
 from apps.capabilities.models import ProtectedCapability
 
 TEN_HOURS = _("for 10 hours")
+THIRTEEN_MONTHS = _("for 13 months, until ")
 
 
 class Application(AbstractApplication):
@@ -165,7 +166,7 @@ def access_end_date_text(self):
             return TEN_HOURS
         # no message displayed for RESEARCH_STUDY
         else:
-            return _("until ")
+            return THIRTEEN_MONTHS
 
     def access_end_date(self):
         if self.data_access_type == "THIRTEEN_MONTH":