Merge pull request #2559 from GSA/main

05/07/2025 Production Deploy

Author: ccostino

.ds.baseline

@@ -127,6 +127,26 @@
     }
   ],
   "results": {
+    ".github/actions/deploy-proxy/action.yml": [
+      {
+        "type": "Hex High Entropy String",
+        "filename": ".github/actions/deploy-proxy/action.yml",
+        "hashed_secret": "a6c13f5da3788e8d654cd24001dc79a238723248",
+        "is_verified": false,
+        "line_number": 18,
+        "is_secret": false
+      }
+    ],
+    ".github/workflows/checks.yml": [
+      {
+        "type": "Secret Keyword",
+        "filename": ".github/workflows/checks.yml",
+        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "is_verified": false,
+        "line_number": 68,
+        "is_secret": false
+      }
+    ],
     "app/assets/js/uswds.min.js": [
       {
         "type": "Secret Keyword",
@@ -389,26 +409,6 @@
         "is_secret": false
       }
     ],
-    "app/templates/new/components/head.html": [
-      {
-        "type": "Base64 High Entropy String",
-        "filename": "app/templates/new/components/head.html",
-        "hashed_secret": "ee5048791fc7ff45a1545e24f85bec3317371327",
-        "is_verified": false,
-        "line_number": 33,
-        "is_secret": false
-      }
-    ],
-    "app/templates/old/admin_template.html": [
-      {
-        "type": "Base64 High Entropy String",
-        "filename": "app/templates/old/admin_template.html",
-        "hashed_secret": "ee5048791fc7ff45a1545e24f85bec3317371327",
-        "is_verified": false,
-        "line_number": 18,
-        "is_secret": false
-      }
-    ],
     "deploy-config/sandbox.yml": [
       {
         "type": "Secret Keyword",
@@ -642,37 +642,7 @@
         "line_number": 3266,
         "is_secret": false
       }
-    ],
-    "tests/notifications_utils/clients/antivirus/test_antivirus_client.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/notifications_utils/clients/antivirus/test_antivirus_client.py",
-        "hashed_secret": "932b25270abe1301c22c709a19082dff07d469ff",
-        "is_verified": false,
-        "line_number": 16,
-        "is_secret": false
-      }
-    ],
-    "tests/notifications_utils/clients/encryption/test_encryption_client.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/notifications_utils/clients/encryption/test_encryption_client.py",
-        "hashed_secret": "f1e923a9667de11be6a210849a8651c1bfd81605",
-        "is_verified": false,
-        "line_number": 13,
-        "is_secret": false
-      }
-    ],
-    "tests/notifications_utils/clients/zendesk/test_zendesk_client.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/notifications_utils/clients/zendesk/test_zendesk_client.py",
-        "hashed_secret": "913a73b565c8e2c8ed94497580f619397709b8b6",
-        "is_verified": false,
-        "line_number": 16,
-        "is_secret": false
-      }
     ]
   },
-  "generated_at": "2025-04-10T19:38:31Z"
+  "generated_at": "2025-05-12T16:50:20Z"
 }

.github/actions/deploy-proxy/action.yml

@@ -15,7 +15,7 @@ inputs:
     default: https://github.com/GSA-TTS/cg-egress-proxy.git
   proxy_version:
     description: git ref to be deployed
-    default: main
+    default: 1500c67157c1a7a6fbbda7a2de172b3d0a67e703
 runs:
   using: composite
   steps:

.github/actions/setup-project/action.yml

@@ -16,6 +16,9 @@ runs:
     - name: Install poetry
       shell: bash
       run: pip install poetry==1.8.5
+    - name: Downgrade virtualenv to compatible version
+      shell: bash
+      run: pip install "virtualenv<20.30"
     - name: Install application dependencies
       shell: bash
       run: make bootstrap

.github/workflows/checks.yml

@@ -51,74 +51,73 @@ jobs:
       - name: Check coverage threshold
         run: poetry run coverage report --fail-under=90
 
-  # TODO FIX THIS!
-  # end-to-end-tests:
-  #   if: ${{ github.actor != 'dependabot[bot]' }}
+  end-to-end-tests:
+    if: ${{ github.actor != 'dependabot[bot]' }}
 
-  #   permissions:
-  #     checks: write
-  #     pull-requests: write
-  #     contents: write
-  #   runs-on: ubuntu-latest
-  #   environment: staging
-  #   services:
-  #     postgres:
-  #       image: postgres
-  #       env:
-  #         POSTGRES_USER: user
-  #         POSTGRES_PASSWORD: password
-  #         POSTGRES_DB: test_notification_api
-  #       options: >-
-  #         --health-cmd pg_isready
-  #         --health-interval 10s
-  #         --health-timeout 5s
-  #         --health-retries 5
-  #       ports:
-  #         # Maps tcp port 5432 on service container to the host
-  #         - 5432:5432
-  #     redis:
-  #       image: redis
-  #       options: >-
-  #         --health-cmd "redis-cli ping"
-  #         --health-interval 10s
-  #         --health-timeout 5s
-  #         --health-retries 5
-  #       ports:
-  #         # Maps tcp port 6379 on service container to the host
-  #         - 6379:6379
+    permissions:
+      checks: write
+      pull-requests: write
+      contents: write
+    runs-on: ubuntu-latest
+    environment: staging
+    services:
+      postgres:
+        image: postgres
+        env:
+          POSTGRES_USER: user
+          POSTGRES_PASSWORD: password
+          POSTGRES_DB: test_notification_api
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          # Maps tcp port 5432 on service container to the host
+          - 5432:5432
+      redis:
+        image: redis
+        options: >-
+          --health-cmd "redis-cli ping"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          # Maps tcp port 6379 on service container to the host
+          - 6379:6379
 
-    # steps:
-    #   - uses: actions/checkout@v4
-    #   - uses: ./.github/actions/setup-project
-    #   - uses: jwalton/gh-find-current-pr@v1
-    #     id: findPr
-    #   - name: Check API Server availability
-    #     run: |
-    #       curl --fail -v https://notify-api-staging.app.cloud.gov || exit 1
-    #   - name: Run Admin server
-    #     # If we want to log stuff and see what's broken,
-    #     # insert this line:
-    #     # tail -f admin-server.log &
-    #     # above make e2e-test
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-project
+      - uses: jwalton/gh-find-current-pr@v1
+        id: findPr
+      - name: Check API Server availability
+        run: |
+          curl --fail -v https://notify-api-staging.app.cloud.gov || exit 1
+      - name: Run Admin server
+        # If we want to log stuff and see what's broken,
+        # insert this line:
+        # tail -f admin-server.log &
+        # above make e2e-test
 
 
-    #     run: |
-    #       make run-flask > admin-server.log 2>&1 &
-    #       tail -f admin-server.log &
-    #       make e2e-test
+        run: |
+          make run-flask > admin-server.log 2>&1 &
+          tail -f admin-server.log &
+          make e2e-test
 
-    #     env:
-    #       API_HOST_NAME: https://notify-api-staging.app.cloud.gov/
-    #       SECRET_KEY: ${{ secrets.SECRET_KEY }}
-    #       DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
-    #       ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
-    #       ADMIN_CLIENT_USERNAME: notify-admin
-    #       NOTIFY_ENVIRONMENT: e2etest
-    #       NOTIFY_E2E_AUTH_STATE_PATH: ${{ secrets.NOTIFY_E2E_AUTH_STATE_PATH }}
-    #       NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
-    #       NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
-    #       NOTIFY_E2E_TEST_URI: http://localhost:6012/
-    #       VCAP_SERVICES: ${{ secrets.VCAP_SERVICES }}
+        env:
+          API_HOST_NAME: https://notify-api-staging.app.cloud.gov/
+          SECRET_KEY: ${{ secrets.SECRET_KEY }}
+          DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
+          ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
+          ADMIN_CLIENT_USERNAME: notify-admin
+          NOTIFY_ENVIRONMENT: e2etest
+          NOTIFY_E2E_AUTH_STATE_PATH: ${{ secrets.NOTIFY_E2E_AUTH_STATE_PATH }}
+          NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
+          NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
+          NOTIFY_E2E_TEST_URI: http://localhost:6012/
+          VCAP_SERVICES: ${{ secrets.VCAP_SERVICES }}
 
   validate-new-relic-config:
     runs-on: ubuntu-latest

.profile

@@ -6,4 +6,4 @@
 export NEW_RELIC_PROXY_HOST=$egress_proxy
 export http_proxy=$egress_proxy
 export https_proxy=$egress_proxy
-export no_proxy="apps.internal"
+export no_proxy="apps.internal,s3-fips.us-gov-west-1.amazonaws.com"

Makefile

@@ -17,7 +17,6 @@ NVMSH := $(shell [ -f "$(HOME)/.nvm/nvm.sh" ] && echo "$(HOME)/.nvm/nvm.sh" || e
 .PHONY: bootstrap
 bootstrap: ## Set up everything to run the app
 	make generate-version-file
-	poetry self add poetry-dotenv-plugin
 	poetry lock --no-update
 	poetry install --sync --no-root
 	poetry run playwright install --with-deps
@@ -29,7 +28,6 @@ bootstrap: ## Set up everything to run the app
 .PHONY: bootstrap-with-git-hooks
 bootstrap-with-git-hooks:  ## Sets everything up and accounts for pre-existing git hooks
 	make generate-version-file
-	poetry self add poetry-dotenv-plugin
 	poetry lock --no-update
 	poetry install --sync --no-root
 	poetry run playwright install --with-deps
@@ -106,11 +104,11 @@ py-test: ## Run python unit tests
 dead-code: ## 60% is our aspirational goal, but currently breaks the build
 	poetry run vulture ./app ./notifications_utils --min-confidence=100
 
-
 .PHONY: e2e-test
 e2e-test: export NEW_RELIC_ENVIRONMENT=test
 e2e-test: ## Run end-to-end integration tests; note that --browser webkit isn't currently working
-	DEBUG=pw:api,pw:browser poetry run pytest -vv --browser chromium  --browser firefox tests/end_to_end
+	@echo "Running E2E tests in path: $${TESTPATH:-tests/end_to_end}"
+	@bash -c 'DEBUG=pw:api,pw:browser poetry run pytest -vv --browser chromium --browser firefox "$${TESTPATH:-tests/end_to_end}"'
 
 .PHONY: js-lint
 js-lint: ## Run javascript linting scanners

app/__init__.py

@@ -141,7 +141,9 @@
 def _csp(config):
     asset_domain = config["ASSET_DOMAIN"]
     logo_domain = config["LOGO_CDN_DOMAIN"]
-    return {
+    api_host_name = config["API_HOST_NAME"]
+
+    csp = {
         "default-src": ["'self'", asset_domain],
         "frame-src": [
             "https://www.youtube.com",
@@ -165,13 +167,22 @@ def _csp(config):
             "'self'",
             "https://gov-bam.nr-data.net",
             "https://www.google-analytics.com",
-            "http://localhost:6011",
-            "ws://localhost:6011",
         ],
         "style-src": ["'self'", asset_domain],
         "img-src": ["'self'", asset_domain, logo_domain],
     }
 
+    if api_host_name:
+        csp["connect-src"].append(api_host_name)
+        # this is for web socket
+        if api_host_name.startswith("http://"):
+            ws_url = api_host_name.replace("http://", "ws://")
+            csp["connect-src"].append(ws_url)
+        elif api_host_name.startswith("https://"):
+            ws_url = api_host_name.replace("https://", "wss://")
+            csp["connect-src"].append(ws_url)
+    return csp
+
 
 def create_app(application):
     @application.after_request