Merge branch 'main' into dependabot/npm_and_yarn/backend/esbuild-0.19.3

.github/ISSUE_TEMPLATE/epic-template.md

@@ -0,0 +1,13 @@
+## Description
+
+[//]: # ( A plain language description of the epic. Who, what, why. )
+
+**Who**: 
+**What**: 
+**Why**: 
+
+
+```[tasklist]
+### Stories
+- [ ] 
+```

.github/ISSUE_TEMPLATE/helpdesk-issue.yml

@@ -0,0 +1,71 @@
+name: Helpdesk Issue
+description: Used as output from helpdesk issue triage.
+title: "[HD]: "
+labels: ["helpdesk"]
+assignees:
+  - jadudm
+  - carley-sullivan
+body:
+  - type: markdown
+    attributes:
+      value: |
+        **Remember to keep all PII out of tickets.**
+        
+        Do not use names, and do not attach files to this ticket. 
+  - type: input
+    id: zendesk-link
+    attributes:
+      label: Zendesk link
+      description: Link to the issue in Zendesk
+      placeholder: ex. https://fac-something.zendesk.com/something/...
+    validations:
+      required: true
+  - type: checkboxes
+    id: fac-components
+    attributes:
+      label: FAC components involved
+      description: Select all that apply
+      options:
+        - label: submission system (app.fac.gov)
+        - label: workbooks
+        - label: static site (fac.gov)
+        - label: The helpdesk (zendesk)
+        - label: API (api.fac.gov)
+        - label: other
+    validations:
+      required: true
+  - type: dropdown
+    id: browser
+    attributes:
+      label: What browser did the user report as using?
+      multiple: false
+      options:
+        - Firefox
+        - Chrome
+        - Safari
+        - Microsoft Edge
+        - Other (Opera, Brave, etc.)  
+  - type: markdown
+    attributes:
+      value: |
+        Audits are not yet public at this point. 
+        
+        Place all files and screenshots in the [Google Drive Helpdesk folder](https://drive.google.com/drive/folders/1jgb2YRxaFOjKS6CwZsBTqUsbzUCzktic) and link to that folder here.
+
+        Delete the files from Zendesk when you are done.
+  - type: input
+    id: gdrive-link
+    attributes:
+      label: Gdrive link
+      description: Link to supporting files in GDrive
+      placeholder: ex. https://google.com/drive/something/...
+    validations:
+      required: false  
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: Summarize the issue the user is experiencing. 
+      placeholder: 
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/snip-at-a-glance.md

@@ -0,0 +1,11 @@
+# At a glance
+
+[comment]: # "Begin with a short summary so intent can be understood at a glance."
+[comment]: # "In order to: some objective or value to be achieved"
+[comment]: # "as a: stakeholder"
+[comment]: # "I want: some new feature"
+
+**In order to** 
+**as a**
+**I want**
+

.github/ISSUE_TEMPLATE/snip-background.md

@@ -0,0 +1,4 @@
+
+# Background
+
+[comment]: # "Any helpful contextual notes or links to artifacts/evidence, if needed"

.github/ISSUE_TEMPLATE/snip-content-signoff.md

@@ -0,0 +1,12 @@
+### Content signoff
+
+[comment]: # "As each step is completed, assign the next team member to this ticket. At-mention (@-mention) them in a comment for visibility."
+
+```[tasklist]
+### Signed off by...
+- [ ] Author
+- [ ] Content review
+- [ ] Content lead
+- [ ] Optional: Product
+```
+

.github/ISSUE_TEMPLATE/snip-security-considerations.md

@@ -0,0 +1,8 @@
+
+# Security Considerations
+
+Required per [CM-4](https://nvd.nist.gov/800-53/Rev4/control/CM-4).
+
+[comment]: # "Our SSP says 'The team ensures security implications are considered as part of the agile requirements refinement process by including a section in the issue template used as a basis for new work.'"
+[comment]: # "Please do not remove this section without care."
+[comment]: # "Note any security concerns that might be implicated in the change. 'None' is OK, but we must be explicit here."

.github/ISSUE_TEMPLATE/snip-shepherd.md

@@ -0,0 +1,9 @@
+### Shepherds
+
+[comment]: # "@ mention shepherds as we move across the board."
+[comment]: # "Add/remove as needed"
+
+* Content shepherd: 
+* Design shepherd: 
+* Engineering shepherd: 
+

.github/ISSUE_TEMPLATE/snip-story-process.md

@@ -0,0 +1,55 @@
+<h3>Process Checklist</h3>
+<p>How it moves across the board...</p>
+
+<details>
+  <summary>Process checklist</summary>
+
+# Sketch
+
+[comment]: # "Notes or a checklist reflecting our understanding of the selected approach"
+
+Team members who will likely need to be involved in doing all the things:
+
+- [ ] Content
+- [ ] Data
+- [ ] Design
+- [ ] Engineering
+- [ ] Infrastructure
+- [ ] Product
+
+# Definition of Done
+
+## Triage
+
+### If not likely to be important in the next quarter...
+- [ ] Archived from the board
+
+### Otherwise...
+
+- [ ] Has a clear story statement
+- [ ] Product team moves it to the appropriate backlog
+
+## Backlog
+
+- [ ] Has clearly stated/testable acceptance criteria
+- [ ] One or more shepherds have been identified
+
+## In Progress
+
+- [ ] Meets the acceptance criteria
+- [ ] (As appropriate) Is relabeled and triaged for movement from design to engineering, etc. 
+
+## Review Needed
+
+- [ ] Necessary outside review/sign-off was provided
+
+## Done
+
+- [ ] Includes screenshots or references to artifacts
+
+### If there's UI...
+- [ ] Screen reader - Listen to the experience with a screen reader extension, ensure the information presented in order
+- [ ] Keyboard navigation - Run through acceptance criteria with keyboard tabs, ensure it works. 
+- [ ] Text scaling - Adjust viewport to 1280 pixels wide and zoom to 200%, ensure everything renders as expected. Document 400% zoom issues with USWDS if appropriate.
+
+</details> 

.github/workflows/deploy-application.yml

@@ -69,6 +69,26 @@ jobs:
           cf_space: ${{ env.space }}
           cf_command: update-user-provided-service fac-key-service -p '"{\"SAM_API_KEY\":\"${{ secrets.SAM_API_KEY }}\", \"DJANGO_SECRET_LOGIN_KEY\":\"${{ secrets.DJANGO_SECRET_LOGIN_KEY }}\", \"LOGIN_CLIENT_ID\":\"${{ secrets.LOGIN_CLIENT_ID }}\", \"SECRET_KEY\":\"${{ secrets.SECRET_KEY}}\"}"'
 
+      - name: Bind backup s3 bucket to prod app
+        if: startsWith(github.ref, 'refs/tags/v1.')
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          cf_username: ${{ secrets.CF_USERNAME }}
+          cf_password: ${{ secrets.CF_PASSWORD }}
+          cf_org: gsa-tts-oros-fac
+          cf_space: ${{ env.space }}
+          command: cf bind-service gsa-fac backups -w
+
+      - name: Backup the database (Prod Only)
+        if: startsWith(github.ref, 'refs/tags/v1.')
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          cf_username: ${{ secrets.CF_USERNAME }}
+          cf_password: ${{ secrets.CF_PASSWORD }}
+          cf_org: gsa-tts-oros-fac
+          cf_space: ${{ env.space }}
+          command: cf run-task gsa-fac -k 2G -m 2G --name pg_backup --command "./backup_database.sh ${{ env.space }}"
+
       - name: Deploy fac to cloud.gov
         uses: cloud-gov/cg-cli-tools@main
         with:
@@ -80,6 +100,16 @@ jobs:
           cf_vars_file: backend/manifests/vars/vars-${{ env.space }}.yml
           command: bin/ops/deploy.sh
 
+      - name: Unbind backup s3 bucket from prod app
+        if: startsWith(github.ref, 'refs/tags/v1.')
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          cf_username: ${{ secrets.CF_USERNAME }}
+          cf_password: ${{ secrets.CF_PASSWORD }}
+          cf_org: gsa-tts-oros-fac
+          cf_space: ${{ env.space }}
+          command: cf unbind-service gsa-fac backups
+
       - name: Load historical data
         uses: cloud-gov/cg-cli-tools@main
         with:

.github/workflows/linting.yml

@@ -47,6 +47,11 @@ jobs:
           python -m pip install --upgrade pip
           pip install -r dev-requirements.txt
 
+      - name: Install type stubs
+        working-directory: ./backend
+        run: |
+          pip install types-pytz
+
       - name: Lint with flake8
         working-directory: ./backend
         run: flake8 . --count --show-source --statistics

.github/workflows/regression-tests.yml

@@ -27,6 +27,8 @@ jobs:
     runs-on: ubuntu-latest
     environment: ${{ inputs.environment }}
     env:
+      CYPRESS_API_GOV_KEY: ${{ secrets.CYPRESS_API_GOV_KEY }}
+      CYPRESS_API_GOV_URL: ${{ secrets.CYPRESS_API_GOV_URL }}
       CYPRESS_BASE_URL: ${{ inputs.url }}
       CYPRESS_LOGIN_TEST_EMAIL: ${{ secrets.CYPRESS_LOGIN_TEST_EMAIL }}
       CYPRESS_LOGIN_TEST_PASSWORD: ${{ secrets.CYPRESS_LOGIN_TEST_PASSWORD }}

.github/workflows/terraform-apply-env.yml

@@ -51,3 +51,24 @@ jobs:
             bucket=${{ secrets.terraform_BUCKET }},
             region=${{ secrets.terraform_REGION }},
             key=${{ env.KEY }},
+
+
+      - name: Unshare backups s3 bucket to staging space
+        if: ${{ inputs.environment == 'meta' }}
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          cf_username: ${{ secrets.CF_USERNAME }}
+          cf_password: ${{ secrets.CF_PASSWORD }}
+          cf_org: gsa-tts-oros-fac
+          cf_space: production
+          command: cf unshare-service backups -s staging -f
+
+      - name: Share backups s3 bucket to staging space
+        if: ${{ inputs.environment == 'meta' }}
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          cf_username: ${{ secrets.CF_USERNAME }}
+          cf_password: ${{ secrets.CF_PASSWORD }}
+          cf_org: gsa-tts-oros-fac
+          cf_space: production
+          command: cf share-service backups -s staging

.github/workflows/testing-from-build.yml

@@ -23,7 +23,7 @@ jobs:
 
       - uses: actions/setup-node@v3
         with:
-          node-version: 16
+          node-version: 18
 
       - name: Create .env
         working-directory: ./backend
@@ -73,7 +73,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v3
         with:
-          node-version: 16
+          node-version: 18
       - name: Start services
         working-directory: ./backend
         run: |

.github/workflows/testing-from-ghcr.yml

@@ -24,7 +24,7 @@ jobs:
 
       - uses: actions/setup-node@v3
         with:
-          node-version: 16
+          node-version: 18
 
       - name: Create .env file
         working-directory: ./backend

backend/Dockerfile

@@ -19,14 +19,17 @@ RUN \
     apt-get update && \
     apt-get install -yqq apt-transport-https wget gnupg2
 
+# Updated nodesource install via: https://github.com/nodesource/distributions#ubuntu-versions
 RUN \
     apt-get update -yq && \
-    apt install curl -y && \
-    apt-get install -y gcc && \
-    curl -fsSL https://deb.nodesource.com/setup_14.x | bash - && \
-    apt-get install -y nodejs && \
-    apt-get install -y npm && \
-    npm i -g npm@^8
+    apt install build-essential curl -y && \
+    apt-get install -y gcc ca-certificates gnupg && \
+    mkdir -p /etc/apt/keyrings && \
+    curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
+    NODE_MAJOR=18 && \
+    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list && \
+    apt-get update && \
+    apt-get install nodejs -y
 
 COPY requirements.txt /tmp/requirements.txt
 COPY dev-requirements.txt /tmp/dev-requirements.txt

backend/Makefile

@@ -34,6 +34,8 @@ lint:
 	@black --check .
 	@echo "bandit:"
 	@bandit -c pyproject.toml -r .
+	@echo "Installing type stubs:"
+	@python -m pip install types-pytz
 	@echo "mypy:"
 	@mypy .
 	@echo "djlint:"
@@ -81,7 +83,7 @@ docker-nctest:
 
 docker-lint:
 	docker compose build
-	docker compose run web bash -c 'flake8 && black --check . && bandit -c pyproject.toml -r . && mypy . && djlint .'
+	docker compose run web bash -c 'flake8 && black --check . && bandit -c pyproject.toml -r . && python -m pip install types-pytz && mypy . && djlint .'
 
 ghcr-first-run:
 	docker compose -f docker-compose-web.yml run web python manage.py makemigrations
@@ -103,7 +105,7 @@ ghcr-nctest:
 	docker compose -f docker-compose-web.yml run web python manage.py test --parallel ${fac.test.scope}
 
 ghcr-lint:
-	docker compose -f docker-compose-web.yml run web bash -c 'flake8 && black --check . && bandit -c pyproject.toml -r . && mypy . && djlint .'
+	docker compose -f docker-compose-web.yml run web bash -c 'flake8 && black --check . && bandit -c pyproject.toml -r . && python -m pip install types-pytz && mypy . && djlint .'
 
 docker-clean:
 	docker compose down

backend/api/serializers.py

@@ -38,6 +38,10 @@
     "Auditor Contacts needs to be a list of full names and emails"
 )
 
+CERTIFIERS_HAVE_DIFFERENT_EMAILS = _(
+    "The certifying auditee and certifying auditor must have different email addresses."
+)
+
 
 class EligibilitySerializer(serializers.Serializer):
     user_provided_organization_type = serializers.CharField()
@@ -166,6 +170,18 @@ class AccessAndSubmissionSerializer(serializers.Serializer):
         min_length=0,
     )
 
+    def validate(self, data):
+        certifying_auditee_contact_email = data["certifying_auditee_contact_email"]
+        certifying_auditor_contact_email = data["certifying_auditor_contact_email"]
+
+        if (
+            certifying_auditee_contact_email.lower()
+            == certifying_auditor_contact_email.lower()
+        ):
+            raise ValidationError(CERTIFIERS_HAVE_DIFFERENT_EMAILS)
+
+        return data
+
 
 class SingleAuditChecklistSerializer(serializers.ModelSerializer):
     class Meta: