Clewellyn nava/bb2 4668/integration test gha (#1591)

* initial commit

* add more boiler code

* initial attempt at running api in codebuild runner

* renive okd byukd oridyctuib cide

* re-enable workflow dispatch

* typo in compose

* fix dockerfile

* final initial changset 400

* fix path

* 3rd time is the charm

* path change again

* fixed part 1003231

* fixing paths

* use make for codebuild instance

* I don't understand file paths

* using the power of root paths

* what if there were even more path changes

* fix path

* fix some more stuff

* more path fixes

* minor spelling mistake

* one day.....

* more path fixes

* more changes

* cooking with gas

* maybe last changes but probably not

* remove debugpy

* cleaning some stuff up

* remove return exit code

* check db path

* remove readonly from codebuild

* attempt number 5000

* added integration tests and teardown

* paths!!!

* paths part 2

* almost there

* still file paths

* I hate you file paths

* more path shenanigans

* tests run but they error out now

* unnecessary makefile changes

* makefile beautification (also fix relative paths for docker)

* make migrate simpler (scope creep)

* cleanup env, make some make changes, migrate and collectstatic work

* change mslsx for better teardown

* podman support (does the database need a persistence volume?)

* persist database locally

* this worked before and now it doesn't

* test certificate issue

* tabs

* not sure what changed here

* change podman tmpfs which doesnt work in docker

* cleaning up files

* change makefile targets

* lower tmp size in codebuild

* check memory in action

* not anything

* add explicit env file

* up memory limit on tmp

* add container env to codebuild instance, remove from integration test

* remove unused envvars

* MAYBE?

* ruff failure

* Fail unit tests

* change unit tests back

* ruff failure

* fail unit test

* Fix unit tests

* BB2-4183: Dynamic v3 Permissions Screen (#1531)

* BB2-4183: Dynamic permissions screen for v3

* Add unit testing

* Raise a no scopes provided error if there are no scopes in the DB for an app, or if the scopes passed in the scope param has no overlap with an app's scopes in DB

* Ensure v3 only shows scopes that are both requested/in the DB

* Add another unit test

* Added bene name, some styling

* Add svg icon, modify some styling, add unit tests

* Finish up styling and make sure Rubik font shows correctly

* New tab for privacy policy/ToS links and add icon for those as well

* Modify format_patient_name, add profile to list of scopes that shows patient info on v3 permissions screen

* BB2-4676: SAMHSA filtering v3 EOB calls (#1595)

* Add param support for EOB call

* BB2-4676: Add SAMHSA filtering for v3 EOB calls based on include_samhsa value

* Add back ioncorrectly removed tag and override_switch on integration test

* Use httpstatus.ok instead of 200 and remove commented out line

* Address PR feedback

* anna/bb2 4818 display app contact in permissions screen (#1606)

Displays an application's contact email in the v3 permissions screen.

* add application support email to v3 permissions screen

* add changes to authorize_v3_coverage_only.html

* match wording in figma files

* fix template formatting

* update contributors information (#1608)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Make apt get install Debian:13 lcms2 to version 2.16-2+deb13u2 (#1610)

* Bump the pip group across 1 directory with 2 updates (#1601)

* Bump the pip group across 1 directory with 2 updates

Bumps the pip group with 2 updates in the /requirements directory: [idna](https://github.com/kjd/idna) and [urllib3](https://github.com/urllib3/urllib3).


Updates `idna` from 3.7 to 3.15
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.7...v3.15)

Updates `urllib3` from 2.6.3 to 2.7.0
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

---
updated-dependencies:
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: direct:production
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* Add back our via value

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: James Demery <jamesdemery@navapbc.com>

* (NFC) Update synthetic beneficiary test password (#1609)

* Fix integration test (#1600)

* ryan-morosa/bb2-4860-respect-app-settings-follow-up (#1603)

* Fix the search vs.read functionality

* Work on more testing

* Get unit tests to work for FHIRResourcesReadSearchTest

* BB2-4183: Dynamic v3 Permissions Screen (#1531)

* BB2-4183: Dynamic permissions screen for v3

* Add unit testing

* Raise a no scopes provided error if there are no scopes in the DB for an app, or if the scopes passed in the scope param has no overlap with an app's scopes in DB

* Ensure v3 only shows scopes that are both requested/in the DB

* Add another unit test

* Added bene name, some styling

* Add svg icon, modify some styling, add unit tests

* Finish up styling and make sure Rubik font shows correctly

* New tab for privacy policy/ToS links and add icon for those as well

* Modify format_patient_name, add profile to list of scopes that shows patient info on v3 permissions screen

* BB2-4676: SAMHSA filtering v3 EOB calls (#1595)

* Add param support for EOB call

* BB2-4676: Add SAMHSA filtering for v3 EOB calls based on include_samhsa value

* Add back ioncorrectly removed tag and override_switch on integration test

* Use httpstatus.ok instead of 200 and remove commented out line

* Address PR feedback

* Fix some more integration tests

* Get more integration tests to pass

* Get all tests passing

* Do some cleanup

* Cleanup database setup commands

* Remove from audit logger

* Final cleanup

* Cleanup some of the app scope permission code

* Add app scope permission class to insurance card view

* Add bundle for dic endpoint

* Get insurance card endpoint to work with app scope permissions too

* Update logic in read/search section of app scope permissions

* Get rid of is_not_empty and rename dictionary lookup

---------

Co-authored-by: James Demery <jamesdemery@navapbc.com>

* BB2-4817 run scheduled django commands on GitHub Actions (#1604)

Run scheduled Django management commands on GitHub actions.

* add workflow_call to run-manage-command.yml and add scheduled commands workflow

* add name for workflow

* fix syntax

* fix syntax (2)

* fix syntax (3)

* fix syntax (4)

* update input description

* add fail-fast: false and inherit secrets

---------

Co-authored-by: James Demery <jamesdemery@navapbc.com>

* update contributors information (#1612)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Noor1027/bb2 4604 prod fargate release clean (#1611)

* BB2-4604: add prod SOPS config and fix ACM cert lookup for prod environment

Set ACM domain to api.bluebutton.cms.gov in 20-microservices platform
module since the default domain pattern does not match the prod cert.
Add encrypted SOPS config for the prod environment.

* updated SOPS and softlink

* skip environment protection for workflow_call

* fix environment protection bypass using skip_protection input

* Rename test job to unit-test in workflow (#1613)

Co-authored-by: ryan-morosa <Ryan.Morosa@icf.com>

* BB2-4781: Revoke prior tokens on new auth flow (#1605)

* BB2-4781: Revoke prior tokens on new auth flow

* Ensure token revocation only happens on v3 auth flows

* Move the revocation of prior tokens to form_valid of AuthorizationView from post of TokenView. Revoke all previous tokens as the newest one will not have been created yet at that point

* Address PR feedback, remove no longer needed test

* Address feedback - use previously existing utils function

* Fix typo

* Add unit test coverage

* Delete unit test yaml file

* Try to run sequentially

* Add some debugging steps

* change some of the commands

* Get rid of inspection

* Get back to normal

* added validation around code_challenge_method to reject non S256 values (#1599)

* added validation around code_challenge_method to reject non S256 values

* intermediate commit

* Fix authorize POST param handling in code_challenge_method validation

Agent-Logs-Url: https://github.com/CMSgov/bluebutton-web-server/sessions/ec2649c7-d427-4f59-ad18-098613b75e4e

Co-authored-by: bwang-icf <178809349+bwang-icf@users.noreply.github.com>

* Remove stale commented lines in authorization GET handler

Agent-Logs-Url: https://github.com/CMSgov/bluebutton-web-server/sessions/ec2649c7-d427-4f59-ad18-098613b75e4e

Co-authored-by: bwang-icf <178809349+bwang-icf@users.noreply.github.com>

* cleanup of previous pkce setup

* removing unnecessary error handling

* adding updated tests with pkce params as part of enforcing pkce params on auth

* adding extra tests for pkce param verification before login

* removing unnecessary change for this pr

* reverting code_challenge_method back to post_auth

* removing invalid code challenge method printing

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: bwang-icf <178809349+bwang-icf@users.noreply.github.com>
Co-authored-by: annamontare-nava <267455234+annamontare-nava@users.noreply.github.com>

* Noor1027/bb2 4816 release notes missing last commit (#1616)

* Bug fix

publish-release.yml always drops the oldest commit from release notes

* temp change to run GHA

* Revert "temp change to run GHA"

This reverts commit dae8864.

* BB2-4675: Add SAMHSA checkbox to v3 permissions screen (#1607)

* BB2-4675: Add SAMHSA checkbox to v3 permissions screen

* Use cache.add instead of cache.set, modify default for code

* Address PR feedback - add docstrings

* Add a new table to track user SAMHSA preferences rather than use caching

* Address PR feedback

* Remove commented out line

* Address copilot feedback

* Convert share_samhsa_data to a BooleanField to make the code less confusing

* Revert "BB2-4675: Add SAMHSA checkbox to v3 permissions screen (#1607)" (#1619)

This reverts commit e1b0b7b.

* BB2-4890 - Add Fargate pre-deploy migrations safety gate

* Revert "BB2-4890 - Add Fargate pre-deploy migrations safety gate"

This reverts commit ffc450b.

* update sops values (#1617)

Co-authored-by: James Demery <jamesdemery@navapbc.com>

* BB2-4851: Update lodash (#1621)

* BB2-4851: Update lodash

* Fix new vulnerability that popped up

* BB2-4845: Update libgnutls (#1618)

* BB2-4845: Update libgnutls

* Update bb-css Dockerfile

* Update gnutls in mslsx Dockerfile

* Revert file mode change

* docs(contributor): contributors readme action update (#1624)

* update contributors information

* Trigger unit tests

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: James Demery <jamesdemery@navapbc.com>

* BB2-4574: Run unit and integration tests with pytest (#1614)

* BB2-4574: Install pytest-django and add .ini file

* Add conftest.py file, skip one test file, add a fixture

* Add pytest.mark.integration, update ini file

* Ensure all unit and integration tests pass with pytest, update some docs

* removed unneeded code from conftest.py

* Update unit test command for GHA

* Remove commented out code

* Address most PR feedback - still have documentation updates to make

* Update documentation to reflect latest

* Add strict-markers to toml file

* B2-4890 Add pre/post-deploy migration support to Fargate deploy workflow (#1623)

* masking hostname and removed gates

* Update run-manage-command.yml

* updated task def

* removed multiple env for confirm apporvals

* Updated Gate Approval for Post deploy

* Fix New Relic reporting 401, 403, and 405 errors in Fargate

* Fix New Relic ignoring status codes by dynamically creating config file on startup

---------

Co-authored-by: jimmyfagan <90421499+jimmyfagan@users.noreply.github.com>

* upgrading with npm --legacy-peer-deps (#1626)

* Change workflow to run on push to any branch

* Try just one test

* Update docker compose codebuild to have no volumes

* Roll back to run all integration tests

* change it to run integration tests with pytest

* Add aws credentials setup

* testing certs

* catch OOM traceback

* Update Makefile

* masking for test

* test with  codebuild VPC updates

* Target impl for integration tests

* adding health to chek certs are exisit

* See if integration tag is working properly

* Change the github action to use pytest instead of the old way

* Separate out ruff and unit test jobs

* Change back to regular integration testing bfd test

* Only collect the ones that are deselected to compare

* Put the collected tests into a file

* Upload collected tests as an artifact to compare locally

* Show integration and deslected that weren't integration

* try to get deselected test summary in gha

* BB2-4675: v3 Permissions Screen SAMHSA Checkbox (#1620)

* BB2-4675: Add SAMHSA checkbox to v3 permissions screen

* Use cache.add instead of cache.set, modify default for code

* Address PR feedback - add docstrings

* Add a new table to track user SAMHSA preferences rather than use caching

* Address PR feedback

* Remove commented out line

* Address copilot feedback

* Convert share_samhsa_data to a BooleanField to make the code less confusing

* Small changes to get it back to the way it was

* Delete unit tests yml since it is absorbed by pr checks now

* Ensure runnign with bfd sbx locally still works

* Help consolidate some of the make file selenium building and running locally

* Comment changes

* Make test names plural

* Ensure we use make integration-test in make file

* Change it back to pytest command

* Update pull request checks to ignore certain paths

Added paths-ignore to pull request checks for docs and markdown files.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Ryan Morosa <Ryan.Morosa@icf.com>
Co-authored-by: James Demery <jamesdemery@navapbc.com>
Co-authored-by: annamontare-nava <267455234+annamontare-nava@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: jimmyfagan <90421499+jimmyfagan@users.noreply.github.com>
Co-authored-by: noor1027 <noorulla@gmail.com>
Co-authored-by: bwang-icf <Brandon.Wang@icf.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: bwang-icf <178809349+bwang-icf@users.noreply.github.com>

Author: 10 people

.env.example

@@ -7,8 +7,6 @@ BB20_REMOTE_DEBUG_WAIT_ATTACH=false
 SUPER_USER_NAME=root
 SUPER_USER_PASSWORD=blue123
 SUPER_USER_EMAIL=bluebutton@example.com
-## DB image migrations
-DB_MIGRATIONS=true
 ## put a place holder Django secret
 DJANGO_SECRET_KEY=replace-me-with-real-secret
 # This value controls if some unit tests run that require being online. 

.github/workflows/pull-request-checks.yml

@@ -0,0 +1,94 @@
+name: Pull Request Checks
+
+on:
+  pull_request:
+    branches: [master]
+    paths-ignore:
+      - 'docs/**'
+      - '*.md'
+  workflow_dispatch:
+
+jobs:
+  ruff:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install python dependencies
+        run: |
+          python3 -m venv venv
+          source venv/bin/activate
+          python3 -m pip install --upgrade pip setuptools wheel
+          pip install -r requirements/requirements.dev.txt --no-deps --prefer-binary --require-hashes
+
+      - name: Run Ruff Linter
+        run: |
+          source venv/bin/activate
+          ruff check
+
+  unit-tests:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install python dependencies
+        run: |
+          python3 -m venv venv
+          source venv/bin/activate
+          python3 -m pip install --upgrade pip setuptools wheel
+          pip install -r requirements/requirements.dev.txt --no-deps --prefer-binary --require-hashes
+
+      - name: Run Unit Tests
+        run: |
+          source venv/bin/activate
+          pytest -m 'not integration'
+
+  integration-tests:
+    needs: [ruff, unit-tests]
+    env:
+      AWS_REGION: us-east-1
+
+    permissions:
+      id-token: write
+      contents: read
+
+    # This will only run on test
+    runs-on: codebuild-bb-test-web-server-${{ github.run_id }}-${{ github.run_attempt }}
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Setup AWS credentials
+        uses: ./.github/actions/setup-tofu
+        with:
+          environment: test
+          non-prod-account: ${{ secrets.NON_PROD_ACCOUNT }}
+          prod-account: ${{ secrets.PROD_ACCOUNT }}
+          test-role-id: ${{ secrets.TEST_AWS_ROLE_ID_MASK }}
+          prod-role-id: ${{ secrets.PROD_AWS_ROLE_ID_MASK }}
+
+      - name: Build BBAPI
+        run: |
+          cd ./ops/containers/bb-api
+          make build-codebuild
+
+      - name: Start Stack
+        run: |
+          cd ./ops/containers/bb-api
+          make run-codebuild
+
+      - name: Execute Integration Tests
+        run: |
+          cd ./ops/containers/bb-api
+          make run-codebuild-integration
+
+      - name: Teardown Stack
+        if: always()
+        run: |
+          cd ./ops/containers/bb-api
+          make teardown-codebuild

.github/workflows/unit-tests.yml

@@ -1,20 +1,10 @@
-build-local:
-	cd ops/containers ; make build-local ; cd ../..
+.PHONY: build-local build-local-no-cache run-local build-selenium \
+        run-selenium-local reqs-install reqs-install-dev generate \
+        generate-requirements migrate collectstatic \
+        unit-test integration-test
 
-build-local-no-cache:
-	cd ops/containers ; make build-local-no-cache ; cd ../..
-
-run-local:
-	cd ops/containers ; make run-local ; cd ../..
-
-exec-web:
-	cd ops/containers ; make exec-web ; cd ../..
-
-build-selenium:
-	cd ops/containers ; make build-selenium ; cd ../..
-
-run-selenium:
-	$(MAKE) -C ops/containers run-selenium-target-local
+build-local build-local-no-cache run-local build-selenium migrate collectstatic run-selenium-local:
+	$(MAKE) -C ops/containers $@
 
 reqs-install:
 	pip install -r requirements/requirements.txt
@@ -23,16 +13,7 @@ reqs-install-dev:
 	pip install -r requirements/requirements.dev.txt
 
 generate generate-requirements:
-	cd ops/containers ; make requirements ; cd ../..
-
-retrieve-certs:
-	cd ops/containers ; make retrieve-certs ; cd ../..
-
-migrate:
-	cd ops/containers ;  make migrate ; cd ../..
-
-collectstatic:
-	cd ops/containers ; make collectstatic ; cd ../..
+	$(MAKE) -C ops/containers requirements
 
 unit-test:
 	pytest -m 'not integration'

Makefile

@@ -9,11 +9,9 @@
     TARGET_ENV=(str, ''),
 )
 
-environ.Env.read_env(os.path.join(BASE_DIR + '/ops/containers', '.env.local'))
-
 TARGET_ENV = env('TARGET_ENV')
 
-if TARGET_ENV == 'local':
-    from hhs_oauth_server.settings.base_local import *  # noqa
+if TARGET_ENV == 'local' or TARGET_ENV == 'codebuild':
+    from hhs_oauth_server.settings.base_local import *
 else:
-    from hhs_oauth_server.settings.base_ec2 import *  # noqa
+    from hhs_oauth_server.settings.base_ec2 import *

hhs_oauth_server/settings/base.py

@@ -16,7 +16,9 @@
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
 # Take environment variables from .env.local file
-environ.Env.read_env(os.path.join(BASE_DIR + '/ops/container', '.env.local'))
+TARGET_ENV = env('TARGET_ENV')
+
+environ.Env.read_env(os.path.join(BASE_DIR + '/ops/container', f'.env.{TARGET_ENV}'))
 
 ###############################################################################
 # DJANGO BASE SETTINGS
@@ -262,12 +264,7 @@
     },
 }
 
-DATABASES = {
-    'default': env.db(
-        'DATABASES_CUSTOM',
-        default=f'sqlite:///{BASE_DIR}/db.sqlite3',
-    )
-}
+DATABASES = {'default': env.db('DATABASES_CUSTOM', default='sqlite:////tmp/db.sqlite3')}  # type: ignore
 
 # internationalization
 LANGUAGE_CODE = 'en'

hhs_oauth_server/settings/base_local.py

@@ -27,8 +27,6 @@ AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
 SUPER_USER_NAME=root
 SUPER_USER_PASSWORD=blue123
 SUPER_USER_EMAIL=bluebutton@example.com
-# We run migrations *always* when running locally
-DB_MIGRATIONS=true
 # This would be cryptographically secure in production.
 DJANGO_SECRET_KEY=replace-me-with-real-secret
 

hhs_oauth_server/settings/logging_it.py

@@ -1,64 +1,52 @@
-SHELL:=/bin/bash
-RELEASE_TAG?=TAG_NOT_SET
-bfd ?= "test"
-env ?= "local"
-auth ?= "live"
+SHELL       := /bin/bash
+RELEASE_TAG ?= TAG_NOT_SET
+bfd         ?= test
+env         ?= local
+auth        ?= live
+
+.PHONY: css requirements build-local build-local-no-cache build-production run-local \
+		migrate collectstatic run-selenium-local build-selenium
 
 css:
-	cd bb-css ; make build-local
-	cd bb-css ; make run-local
+	$(MAKE) -C bb-css build-local run-local
 
 requirements:
-	cd bb-requirements ; make clean
-	cd bb-requirements ; make build-local
-	cd bb-requirements ; make run-local
+	$(MAKE) -C bb-requirements clean build-local run-local
 
 build-local: css requirements
-	cd mslsx ; make build-local
-	cd bb-api ; make build-local
+	$(MAKE) -C mslsx build-local
+	$(MAKE) -C bb-api build-local
 
 build-local-no-cache:
-	cd bb-api ; make build-local-no-cache
+	$(MAKE) -C bb-api build-local-no-cache
 
 # This is speculative; not yet tested in production.
 build-production:
-	echo "build"
-	env="local" \
-	bfd=${bfd} \
-	docker build \
-	--platform "linux/amd64" \
-	--build-arg RELEASE_TAG="${RELEASE_TAG}" \
-	--build-arg BUILD_TARGET="production" \
-	--no-cache \
-	-t bb:latest \
-	-f bb-api/Dockerfile \
-	.
+	@echo "Building production..."
+	env="local" bfd="$(bfd)" docker build \
+		--platform "linux/amd64" \
+		--build-arg RELEASE_TAG="$(RELEASE_TAG)" \
+		--build-arg BUILD_TARGET="production" \
+		--no-cache \
+		-t bb:latest \
+		-f bb-api/Dockerfile .
 
 run-local:
-	bfd="${bfd}" \
-	env="${env}" \
-	auth="${auth}" \
-	TARGET_ENV="local" \
+	bfd="$(bfd)" env="$(env)" auth="$(auth)" TARGET_ENV="local" \
 	bash ./bb-api/scripts/external/prepare-environment.bash
 
 migrate:
-	MIGRATE=1 \
-	bfd="test" \
-	env="local" \
-	TARGET_ENV="local" \
+	MIGRATE=1 bfd="test" env="local" TARGET_ENV="local" \
 	bash ./bb-api/scripts/external/prepare-environment.bash
 
 collectstatic:
-	COLLECTSTATIC=1 \
-	bfd="test" \
-	env="local" \
-	TARGET_ENV="local" \
+	COLLECTSTATIC=1 bfd="test" env="local" TARGET_ENV="local" \
 	bash ./bb-api/scripts/external/prepare-environment.bash
 
-run-selenium-target-local:
+run-selenium-local:
 	@echo "Running Selenium: Local"
-	$(MAKE) -C selenium run-selenium-target-local AUTH=$(auth)
+	$(MAKE) -C selenium run-selenium-local AUTH="$(auth)" DEBUG="$(debug)"
 
 build-selenium:
-	@echo "Running Selenium: Local"
-	cd selenium && make build-selenium
+	@echo "Building Selenium..."
+	$(MAKE) -C selenium build-selenium