Merge pull request #1695 from GSA/main

05/07/2025 Production Deploy

Author: ccostino

.ds.baseline

@@ -127,262 +127,16 @@
     }
   ],
   "results": {
-    ".github/workflows/checks.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": ".github/workflows/checks.yml",
-        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
-        "is_verified": false,
-        "line_number": 28,
-        "is_secret": false
-      },
-      {
-        "type": "Basic Auth Credentials",
-        "filename": ".github/workflows/checks.yml",
-        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
-        "is_verified": false,
-        "line_number": 45,
-        "is_secret": false
-      }
-    ],
-    ".github/workflows/daily_checks.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": ".github/workflows/daily_checks.yml",
-        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
-        "is_verified": false,
-        "line_number": 61,
-        "is_secret": false
-      },
-      {
-        "type": "Basic Auth Credentials",
-        "filename": ".github/workflows/daily_checks.yml",
-        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
-        "is_verified": false,
-        "line_number": 77,
-        "is_secret": false
-      }
-    ],
-    "app/enums.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "app/enums.py",
-        "hashed_secret": "12322e07b94ee3c7cd65a2952ece441538b53eb3",
-        "is_verified": false,
-        "line_number": 123,
-        "is_secret": false
-      }
-    ],
-    "app/notifications/receive_notifications.py": [
-      {
-        "type": "Base64 High Entropy String",
-        "filename": "app/notifications/receive_notifications.py",
-        "hashed_secret": "d70eab08607a4d05faa2d0d6647206599e9abc65",
-        "is_verified": false,
-        "line_number": 29,
-        "is_secret": false
-      }
-    ],
-    "deploy-config/sandbox.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "deploy-config/sandbox.yml",
-        "hashed_secret": "113151dd10316fcb0d5507b6215d78e2f3fe9e54",
-        "is_verified": false,
-        "line_number": 11,
-        "is_secret": false
-      }
-    ],
-    "sample.env": [
-      {
-        "type": "Basic Auth Credentials",
-        "filename": "sample.env",
-        "hashed_secret": "5b98cf4c3d794c8af1fcd7991e89cd4e52fb42a4",
-        "is_verified": false,
-        "line_number": 16,
-        "is_secret": false
-      }
-    ],
-    "tests/app/aws/test_s3.py": [
+    ".github/actions/deploy-proxy/action.yml": [
       {
         "type": "Hex High Entropy String",
-        "filename": "tests/app/aws/test_s3.py",
-        "hashed_secret": "67a74306b06d0c01624fe0d0249a570f4d093747",
-        "is_verified": false,
-        "line_number": 42,
-        "is_secret": false
-      }
-    ],
-    "tests/app/clients/test_document_download.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/app/clients/test_document_download.py",
-        "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f",
-        "is_verified": false,
-        "line_number": 14,
-        "is_secret": false
-      }
-    ],
-    "tests/app/clients/test_performance_platform.py": [
-      {
-        "type": "Base64 High Entropy String",
-        "filename": "tests/app/clients/test_performance_platform.py",
-        "hashed_secret": "76bb66c38ac4046bf73cd4a2c35a2b0af94aeb61",
-        "is_verified": false,
-        "line_number": 84,
-        "is_secret": false
-      }
-    ],
-    "tests/app/dao/test_services_dao.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/app/dao/test_services_dao.py",
-        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
-        "is_verified": false,
-        "line_number": 289,
-        "is_secret": false
-      }
-    ],
-    "tests/app/dao/test_users_dao.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/app/dao/test_users_dao.py",
-        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
-        "is_verified": false,
-        "line_number": 69,
-        "is_secret": false
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/app/dao/test_users_dao.py",
-        "hashed_secret": "f2c57870308dc87f432e5912d4de6f8e322721ba",
-        "is_verified": false,
-        "line_number": 199,
-        "is_secret": false
-      }
-    ],
-    "tests/app/db.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/app/db.py",
-        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
-        "is_verified": false,
-        "line_number": 90,
-        "is_secret": false
-      }
-    ],
-    "tests/app/notifications/test_receive_notification.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/app/notifications/test_receive_notification.py",
-        "hashed_secret": "913a73b565c8e2c8ed94497580f619397709b8b6",
-        "is_verified": false,
-        "line_number": 27,
-        "is_secret": false
-      },
-      {
-        "type": "Base64 High Entropy String",
-        "filename": "tests/app/notifications/test_receive_notification.py",
-        "hashed_secret": "d70eab08607a4d05faa2d0d6647206599e9abc65",
-        "is_verified": false,
-        "line_number": 57,
-        "is_secret": false
-      }
-    ],
-    "tests/app/notifications/test_validators.py": [
-      {
-        "type": "Base64 High Entropy String",
-        "filename": "tests/app/notifications/test_validators.py",
-        "hashed_secret": "6c1a8443963d02d13ffe575a71abe19ea731fb66",
-        "is_verified": false,
-        "line_number": 672,
-        "is_secret": false
-      }
-    ],
-    "tests/app/service/test_rest.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/app/service/test_rest.py",
-        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
-        "is_verified": false,
-        "line_number": 1285,
-        "is_secret": false
-      }
-    ],
-    "tests/app/test_cloudfoundry_config.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/app/test_cloudfoundry_config.py",
-        "hashed_secret": "e5e178db7317356946d13e5d2da037d39ac61c71",
-        "is_verified": false,
-        "line_number": 12,
-        "is_secret": false
-      },
-      {
-        "type": "Basic Auth Credentials",
-        "filename": "tests/app/test_cloudfoundry_config.py",
-        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
-        "is_verified": false,
-        "line_number": 14,
-        "is_secret": false
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/app/test_cloudfoundry_config.py",
-        "hashed_secret": "cfd48edeb81ba7d48cbddcf1eeede25ba67057e8",
-        "is_verified": false,
-        "line_number": 33,
-        "is_secret": false
-      }
-    ],
-    "tests/app/user/test_rest.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/app/user/test_rest.py",
-        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
-        "is_verified": false,
-        "line_number": 110,
-        "is_secret": false
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/app/user/test_rest.py",
-        "hashed_secret": "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33",
-        "is_verified": false,
-        "line_number": 864,
-        "is_secret": false
-      }
-    ],
-    "tests/notifications_utils/clients/antivirus/test_antivirus_client.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/notifications_utils/clients/antivirus/test_antivirus_client.py",
-        "hashed_secret": "932b25270abe1301c22c709a19082dff07d469ff",
-        "is_verified": false,
-        "line_number": 16,
-        "is_secret": false
-      }
-    ],
-    "tests/notifications_utils/clients/encryption/test_encryption_client.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/notifications_utils/clients/encryption/test_encryption_client.py",
-        "hashed_secret": "f1e923a9667de11be6a210849a8651c1bfd81605",
-        "is_verified": false,
-        "line_number": 13,
-        "is_secret": false
-      }
-    ],
-    "tests/notifications_utils/clients/zendesk/test_zendesk_client.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/notifications_utils/clients/zendesk/test_zendesk_client.py",
-        "hashed_secret": "913a73b565c8e2c8ed94497580f619397709b8b6",
+        "filename": ".github/actions/deploy-proxy/action.yml",
+        "hashed_secret": "a6c13f5da3788e8d654cd24001dc79a238723248",
         "is_verified": false,
-        "line_number": 16,
+        "line_number": 18,
         "is_secret": false
       }
     ]
   },
-  "generated_at": "2025-02-27T21:09:45Z"
+  "generated_at": "2025-05-12T16:45:34Z"
 }

.github/actions/deploy-proxy/action.yml

@@ -15,7 +15,7 @@ inputs:
     default: https://github.com/GSA-TTS/cg-egress-proxy.git
   proxy_version:
     description: git ref to be deployed
-    default: main
+    default: 1500c67157c1a7a6fbbda7a2de172b3d0a67e703
 runs:
   using: composite
   steps:

.github/actions/setup-project/action.yml

@@ -16,3 +16,6 @@ runs:
     - name: Install poetry
       shell: bash
       run: pip install poetry==1.8.5
+    - name: Downgrade virtualenv to compatible version
+      shell: bash
+      run: pip install "virtualenv<20.30"

.profile

@@ -6,4 +6,4 @@
 export http_proxy=$egress_proxy
 export https_proxy=$egress_proxy
 export NEW_RELIC_PROXY_HOST=$egress_proxy
-export no_proxy="apps.internal"
+export no_proxy="apps.internal,s3-fips.us-gov-west-1.amazonaws.com"

Makefile

@@ -16,7 +16,6 @@ GIT_HOOKS_PATH ?= $(shell git config --global core.hooksPath || echo "")
 .PHONY: bootstrap
 bootstrap: ## Set up everything to run the app
 	make generate-version-file
-	poetry self add poetry-dotenv-plugin
 	poetry lock --no-update
 	poetry install --sync --no-root
 	poetry run pre-commit install
@@ -27,7 +26,6 @@ bootstrap: ## Set up everything to run the app
 .PHONY: bootstrap-with-git-hooks
 bootstrap-with-git-hooks:  ## Sets everything up and accounts for pre-existing git hooks
 	make generate-version-file
-	poetry self add poetry-dotenv-plugin
 	poetry lock --no-update
 	poetry install --sync --no-root
 	git config --global --unset-all core.hooksPath

README.md

@@ -508,7 +508,9 @@ instructions above for more details.
   - [Smoke-testing the App](./docs/all.md#-smoke-testing-the-app)
   - [Configuration Management](./docs/all.md#-configuration-management)
   - [DNS and Domain Changes](./docs/all.md#-dns-and-domain-changes)
-  - [Exporting test results for compliance monitoring](./docs/all.md#exporting-test-results-for-compliance-monitoring)
+  - [Exporting daily scan results for compliance monitoring](./docs/all.md#exporting-daily-scan-results-for-compliance-monitoring)
+  - [Reviewing daily scan results for compliance](./docs/all.md#reviewing-daily-scan-results-for-compliance)
+  - [Rotating environment variable secrets](./docs/all.md#rotating-environment-variable-secrets)
   - [Known Gotchas](./docs/all.md#-known-gotchas)
   - [User Account Management](./docs/all.md#-user-account-management)
   - [SMS Phone Number Management](./docs/all.md#-sms-phone-number-management)

app/aws/s3.py

@@ -6,6 +6,7 @@
 from io import StringIO
 
 import botocore
+import eventlet
 from boto3 import Session
 from flask import current_app
 
@@ -116,9 +117,9 @@ def list_s3_objects():
                 )
             else:
                 break
-    except Exception:
+    except Exception as e:
         current_app.logger.exception(
-            "An error occurred while regenerating cache #notify-debug-admin-1200",
+            f"An error occurred while regenerating cache #notify-debug-admin-1200: {str(e)}",
         )
 
 
@@ -375,7 +376,7 @@ def get_job_from_s3(service_id, job_id):
                 )
                 retries += 1
                 sleep_time = backoff_factor * (2**retries)  # Exponential backoff
-                time.sleep(sleep_time)
+                eventlet.sleep(sleep_time)
                 continue
             else:
                 # Typically this is "NoSuchKey"

app/celery/tasks.py

@@ -1,6 +1,6 @@
 import json
-from time import sleep
 
+import eventlet
 from celery.signals import task_postrun
 from flask import current_app
 from requests import HTTPError, RequestException, request
@@ -83,7 +83,7 @@ def process_job(job_id, sender_id=None):
         process_row(row, template, job, service, sender_id=sender_id)
         count = count + 1
         if count % 3 == 0:
-            sleep(1)
+            eventlet.sleep(1)
 
     # End point/Exit point for message send flow.
     job_complete(job, start=start)

app/clients/cloudwatch/aws_cloudwatch.py

@@ -151,7 +151,7 @@ def event_to_db_format(self, event):
     #         result = temp_client.get_query_results(queryId=query_id)
     #         if result['status'] == 'Complete':
     #             break
-    #         time.sleep(1)
+    #         eventlet.sleep(1)
 
     #     delivery_receipts = []
     #     for log in result['results']: