Merge pull request #1729 from GSA/main

07/16/2024 Production Deploy

.ds.baseline

@@ -527,15 +527,15 @@
         "filename": "tests/app/main/views/organizations/test_organization_invites.py",
         "hashed_secret": "bdbb156d25d02fd7792865824201dda1c60f4473",
         "is_verified": false,
-        "line_number": 265,
+        "line_number": 274,
         "is_secret": false
       },
       {
         "type": "Secret Keyword",
         "filename": "tests/app/main/views/organizations/test_organization_invites.py",
         "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
         "is_verified": false,
-        "line_number": 273,
+        "line_number": 282,
         "is_secret": false
       }
     ],
@@ -545,7 +545,7 @@
         "filename": "tests/app/main/views/test_accept_invite.py",
         "hashed_secret": "07f0a6c13923fc3b5f0c57ffa2d29b715eb80d71",
         "is_verified": false,
-        "line_number": 607,
+        "line_number": 626,
         "is_secret": false
       }
     ],
@@ -565,23 +565,23 @@
         "filename": "tests/app/main/views/test_register.py",
         "hashed_secret": "bdbb156d25d02fd7792865824201dda1c60f4473",
         "is_verified": false,
-        "line_number": 116,
+        "line_number": 122,
         "is_secret": false
       },
       {
         "type": "Secret Keyword",
         "filename": "tests/app/main/views/test_register.py",
         "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
         "is_verified": false,
-        "line_number": 192,
+        "line_number": 201,
         "is_secret": false
       },
       {
         "type": "Secret Keyword",
         "filename": "tests/app/main/views/test_register.py",
         "hashed_secret": "bb5b7caa27d005d38039e3797c3ddb9bcd22c3c8",
         "is_verified": false,
-        "line_number": 260,
+        "line_number": 274,
         "is_secret": false
       }
     ],
@@ -591,7 +591,7 @@
         "filename": "tests/app/main/views/test_sign_in.py",
         "hashed_secret": "8b8b69116ee882b5e987e330f55db81aba0636f9",
         "is_verified": false,
-        "line_number": 90,
+        "line_number": 97,
         "is_secret": false
       }
     ],
@@ -601,7 +601,7 @@
         "filename": "tests/app/main/views/test_two_factor.py",
         "hashed_secret": "dc66ad927c29e31c6c374231f57a4684b0687bfe",
         "is_verified": false,
-        "line_number": 267,
+        "line_number": 290,
         "is_secret": false
       }
     ],
@@ -702,5 +702,5 @@
       }
     ]
   },
-  "generated_at": "2024-06-11T22:26:18Z"
+  "generated_at": "2024-07-11T16:37:23Z"
 }

.github/workflows/checks.yml

@@ -160,6 +160,8 @@ jobs:
       - uses: pypa/[email protected]
         with:
           inputs: requirements.txt
+          ignore-vulns: |
+            PYSEC-2024-60
       - name: Run npm audit
         run: make npm-audit
 

app/main/views/dashboard.py

@@ -36,7 +36,7 @@
 
 @socketio.on("fetch_daily_stats")
 def handle_fetch_daily_stats():
-    service_id = session.get('service_id')
+    service_id = session.get("service_id")
     if service_id:
         date_range = get_stats_date_range()
         daily_stats = service_api_client.get_service_notification_statistics_by_day(

app/main/views/jobs.py

@@ -312,7 +312,7 @@ def get_status_filters(service, message_type, statistics):
     filters = [
         # key, label, option
         ("requested", "total", "sending,delivered,failed"),
-        ("pending", "pending", "pending"),
+        ("pending", "pending", "sending,pending"),
         ("delivered", "delivered", "delivered"),
         ("failed", "failed", "failed"),
     ]

app/main/views/sign_out.py

@@ -1,7 +1,7 @@
 import os
 
 import requests
-from flask import current_app, redirect, url_for
+from flask import current_app, redirect, session, url_for
 from flask_login import current_user
 
 from app.main import main
@@ -25,12 +25,16 @@ def _sign_out_at_login_dot_gov():
 
 @main.route("/sign-out", methods=(["GET", "POST"]))
 def sign_out():
-    # An AnonymousUser does not have an id
-    current_app.logger.info("HIT THE REGULAR SIGN OUT")
+
     if current_user.is_authenticated:
-        # TODO This doesn't work yet, due to problems above.
+        current_user.deactivate()
+        session.clear()
         current_user.sign_out()
+
+        session.permanent = False
+
         login_dot_gov_logout_url = os.getenv("LOGIN_DOT_GOV_LOGOUT_URL")
         if login_dot_gov_logout_url:
+            current_app.config["SESSION_PERMANENT"] = False
             return redirect(login_dot_gov_logout_url)
     return redirect(url_for("main.index"))

app/main/views/verify.py

@@ -79,5 +79,4 @@ def activate_user(user_id):
     else:
         activated_user = user.activate()
         activated_user.login()
-
         return redirect(url_for("main.add_service", first="first"))

app/models/user.py

@@ -147,6 +147,13 @@ def activate(self):
         else:
             return self
 
+    def deactivate(self):
+        if self.is_active:
+            user_data = user_api_client.deactivate_user(self.id)
+            return self.__class__(user_data["data"])
+        else:
+            return self
+
     def login(self):
         login_user(self)
         session["user_id"] = self.id

app/notify_client/__init__.py

@@ -1,4 +1,6 @@
-from flask import abort, has_request_context, request
+import os
+
+from flask import abort, current_app, has_request_context, request
 from flask_login import current_user
 from notifications_python_client import __version__
 from notifications_python_client.base import BaseAPIClient
@@ -54,16 +56,46 @@ def check_inactive_service(self):
         ):
             abort(403)
 
+    def check_inactive_user(self, *args):
+        still_signing_in = False
+        for arg in args:
+            arg = str(arg)
+            if (
+                "get-login-gov-user" in arg
+                or "user/email" in arg
+                or "/activate" in arg
+                or "/email-code" in arg
+                or "/verify/code" in arg
+            ):
+                still_signing_in = True
+
+            # This seems to be a weird edge case that happens intermittently with invites
+            if str(arg) == "()":
+                still_signing_in = True
+        # TODO:  Update this once E2E tests are managed by a feature flag or some other main config option.
+        if os.getenv("NOTIFY_E2E_TEST_EMAIL"):
+            # allow end-to-end tests to skip check
+            pass
+        elif still_signing_in is True:
+            # we are not full signed in yet
+            pass
+        elif not current_user or not current_user.is_active:
+            current_app.logger.error(f"Unauthorized URL #notify-compliance-46 {args}")
+            abort(403)
+
     def post(self, *args, **kwargs):
         self.check_inactive_service()
+        self.check_inactive_user(args)
         return super().post(*args, **kwargs)
 
     def put(self, *args, **kwargs):
         self.check_inactive_service()
+        self.check_inactive_user()
         return super().put(*args, **kwargs)
 
     def delete(self, *args, **kwargs):
         self.check_inactive_service()
+        self.check_inactive_user()
         return super().delete(*args, **kwargs)
 
 

app/notify_client/user_api_client.py

@@ -217,6 +217,10 @@ def find_users_by_full_or_partial_email(self, email_address):
     def activate_user(self, user_id):
         return self.post("/user/{}/activate".format(user_id), data=None)
 
+    @cache.delete("user-{user_id}")
+    def deactivate_user(self, user_id):
+        return self.post("/user/{}/deactivate".format(user_id), data=None)
+
     def send_change_email_verification(self, user_id, new_email):
         endpoint = "/user/{}/change-email-verification".format(user_id)
         data = {"email": new_email}