Commit Graph

3166 Commits

Author SHA1 Message Date
Leo Hemsted
80cfbacd84 Merge pull request #3974 from alphagov/deleted-template
dont let people get into one-off flow for deleted templates
2021-07-22 13:14:08 +01:00
Leo Hemsted
5da69dd495 dont let people get into one-off flow for deleted templates
previously we'd skip the template page entirely if someone didnt have
manage templates/api keys permission. however, if the template is
deleted you'd then go through the flow entering placeholders and stuff
before it would then crash when trying to send.

instead, just bounce the user to the template page. It has the content
and says when the template was deleted.
2021-07-22 11:47:07 +01:00
Ben Thorner
171f911237 Audit when user permissions are changed
I've used the term "admin_roles" in the event data to try and show
that these are not the permissions we store in the DB. This is the
name we use for the abstracted form of permissions in the Admin app.
While we could store the DB permissions, that would be a bit more
effort and arguably it's clearer to keep the event data consistent
with the options the user actually saw / chose.
2021-07-21 15:32:03 +01:00
Katie Smith
0249f1602d Change hint text for the broadcast form 2021-07-19 14:40:14 +01:00
Katie Smith
a66a31c944 Allow users with new broadcast permissions access to routes
Added two new permissions - `create_broadcasts` and
`approve_broadcasts`. These new permissions get added to the
`has_permissions` decorator of the broadcast routes to allow the routes
to be accessed with either the old permissions on the new ones while we
switch over.

We were using the `send_messages` permission for the broadcast routes.
By having two new permissions we can allow a more granular control of
these routes.
2021-07-19 14:40:13 +01:00
Chris Hill-Scott
f8d4617672 Refactor organisation invite form for reuse
It’s exactly the same code as `BaseInviteUserForm` so there’s really no
need to duplicate it (and means that changes we make to
`BaseInviteUserForm` in the future will get inherited).
2021-07-16 09:20:06 +01:00
Chris Hill-Scott
f84f05191e Merge pull request #3968 from alphagov/forgotten-password-govuk-link
Style link in wrong password error
2021-07-16 09:16:53 +01:00
Chris Hill-Scott
93fbd1319c Merge pull request #3966 from alphagov/block-plus-addressing
Be strict about similar email addresses when inviting a user to an emergency alerts service
2021-07-16 09:16:47 +01:00
Chris Hill-Scott
d749ee5cea Rename confusing variable
The reason the email address is considered invalid is because it is the
address of the person doing the inviting.

This commit renames the variable to be more specific and avoid confusion
with the email address of the person being invited.
2021-07-15 14:21:58 +01:00
Chris Hill-Scott
c3091223a9 Be strict about similar email addresses for alerts
We don’t want a single person to have two accounts on an emergency
alerts service because it would let them circumvent the two eyes
approval process.

We can go some way to mitigating against this by stopping people using
common methods that email providers use to alias email addresses. These
are:
- being case insensitive
- being insensitive to the position or number of dots in the local part
  of an email address
- using ‘plus addressing’

We already prevent the first one, this commit adds normalisation which
strip out the second two before doing the comparision with the current
user’s email address.
2021-07-15 13:55:50 +01:00
Ben Thorner
9170c0b175 Merge pull request #3969 from alphagov/fix-suspend-archive-perm-178770416
Fix backend permissions for stopping services
2021-07-15 09:29:20 +01:00
Katie Smith
9d4095074d Merge pull request #3967 from alphagov/broadcast-form-cache-clear
Clear user cache when broadcast service settings form is submitted
2021-07-14 16:02:14 +01:00
Ben Thorner
96a87e7cf2 Fix and test archive service permissions
Previously the backend would never validate permissions because the
"not service.active" part would (usually) fail. I've updated it to
match the (inverse of the) conditional we have in the HTML [1].

[1]: 6ac593aa5f/app/templates/views/service-settings.html (L455)
2021-07-14 14:51:33 +01:00
Ben Thorner
cd95a891a7 Enforce only Platform Admin can suspend / resume
This was previously out-of-sync with the superficial restriction in
the HTML [1][2].

[1]: 6ac593aa5f/app/templates/views/service-settings.html (L462-L468)
[2]: 6ac593aa5f/app/templates/views/service-settings.html (L471)
2021-07-14 14:51:32 +01:00
Chris Hill-Scott
db15e3ebb0 Style link in wrong password error
It was missing the class which gives it the correct colour and underline styles.

Also adds a little bit of spacing to make it look better.
2021-07-14 09:42:56 +01:00
Katie Smith
5b52b6f9bf Clear user cache when broadcast service settings form is submitted
When the broadcast service settings form is submitted it now removes all
permissions for users in notifications-api. This means it should be
clearing the user cache.
2021-07-13 17:06:35 +01:00
Chris Hill-Scott
9dd5c89252 Move two calls to str.lower next to each other
This means that we can rewrite `validate_email_address` to do a
different comparison without having to also change `__init__`

I’ve moved the platform admin check into its own conditional to keep the
line length manageable.
2021-07-13 15:38:13 +01:00
Ben Thorner
6ac593aa5f Merge pull request #3963 from alphagov/audit-service-resume-178770416
Audit when a service is resumed
2021-07-13 12:09:54 +01:00
Ben Thorner
1cde6ac686 Audit when a service is resumed
This could also be an issue if the service can send broadcasts, so
it's worth auditing who performed this action.
2021-07-13 10:57:23 +01:00
Ben Thorner
22ac1bfcae DRY-up and enforce kwargs for most events
For most events this makes the purpose of each argument clearer at
the point the event is called. It's still worth having a function
for each event type, as this abstracts knowledge of the event label.
Using a schema approach will make adding new events easier.

In the next commit we'll DRY-up the duplication in the tests as well.
2021-07-13 10:57:19 +01:00
Chris Hill-Scott
aefbe7709b Merge pull request #3951 from alphagov/hide-go-live-ticket-content
Hide details of go live request ticket from the user
2021-07-13 08:49:43 +01:00
Ben Thorner
301908460a Audit when a service is archived ("deleted")
This is similar to the previous commit. I've used the term 'archive'
to match the rest of the code - services aren't ever truly deleted.
2021-07-08 17:17:22 +01:00
Ben Thorner
bb4c86008a Add audit event for suspending a service
This is particularly important for broadcast services, where a rogue
service or platform admin could launch a DoS attack by suspending a
service at a critical moment when it needs to send alerts.
2021-07-08 15:29:52 +01:00
Ben Thorner
e72a260e13 Merge pull request #3947 from alphagov/allow-ccs
Allow other users to use security keys
2021-07-08 11:53:03 +01:00
Chris Hill-Scott
ceca92c84e Merge pull request #3952 from alphagov/emergency-alerts-content-review
Emergency alerts content review
2021-07-08 09:33:54 +01:00
Ben Thorner
4c2915ce86 Use API flag to give users access to WebAuthn
This allows us to roll out the feature to other users. Note that
the flag is also "True" if the user has "webauthn_auth" as their
auth type, so this is compatible with the more fine-grained check
we have on the authentication parts of the feature. We could do a
more explicit "can_use_webauthn or webauthn_auth" check here, but
the idea is that we'll be able to get rid of this flag eventually,
so I've optimised for brevity instead.

I've modified a couple of the unhappy-path tests to make it more
explicit that the flag is false, since it can be true for Platform
Admins and "normal users" alike.
2021-07-07 15:04:48 +01:00
Ben Thorner
a1b4ccc246 Prevent auth type changing for any WebAuthn user
Previously we applied this restriction to Platform Admins, on the
assumption that all of them use a security key to log in. Rather
than making that assumption, we can explicitly check their login
method, which also supports rolling out the feature to more users.
2021-07-07 15:04:43 +01:00
Chris Hill-Scott
cc4cc78d8c Hide details of go live request ticket from the user
We put some content in the go live ticket which is for our benefit, for
example notes about the organisation.

It’s hard for us to be able to say what we want here if we know that the
person making a go live request is going to see those notes.

This commit changes go live requests so that the initial content of the
ticket is hidden from the person raising it (in Zendesk it will appear
as an ‘internal note’, rather than a ‘public reply’).

---

Depends on:
- [ ] https://github.com/alphagov/notifications-utils/pull/877/files
2021-07-06 17:30:17 +01:00
Leo Hemsted
416b5c3e26 Merge pull request #3926 from alphagov/sign-in-bug
ensure user details are always in the session after entering password
2021-07-06 11:56:24 +01:00
Chris Hill-Scott
2cfd22b20c Remove empty state step before choosing areas
We had some kind of idea that having this empty page would introduce the
idea of choosing areas and reinforce that you are building up a list of
areas.

But since the journey is now so simple with the button to create an
alert directly on the dashboard page, maybe people don’t need this extra
orientation.
2021-07-05 14:33:02 +01:00
karlchillmaid
dcc38b5619 Change previous to past 2021-07-05 13:46:04 +01:00
Ben Thorner
1f33924ceb Send upload_id to Template Preview for logging
This means we can include the anonymous ID for the file in the log
we have about Type3 fonts [1]. Currently, we have no way of tracing
manually uploaded files with this potential defect.

[1]: https://github.com/alphagov/notifications-template-preview/pull/557
2021-07-01 12:09:47 +01:00
Ben Thorner
43afcd1064 Remove redundant restrictions for WebAuthn feature
Since the register and authentication APIs work in pairs, we can
just put the restrictions on the "begin" API. We weren't testing
the restrictions on the "complete" API anyway.

For authentication, it's also enough to check if the user has
WebAuthn as their auth type, as it's not a big deal if a user
continues to login with a security key indefinitely.
2021-06-30 16:19:12 +01:00
Ben Thorner
7fafc18fb3 Remove unnecessary restriction for 2FA WebAuthn
It should be enough to check the user has it set as their auth type.
Even if a user is no longer eligible to register a security key, it
should still be OK for them to continue using the feature.
2021-06-30 14:54:20 +01:00
Leo Hemsted
7b3751240c ensure user details are always in the session after entering password
We signal that we're mid-way through the sign-in flow by adding a
`user_details` dict to the session.

previously, we'd only put a user's details in the session in `User.sign_in`,
just before sending any 2fa prompt and redirecting to the two factor
pages.

However, we found a bug where a user with no session (eg, using a fresh
browser) tried to log in, but they had never clicked the link to
validate their email address when registering. Their user's state was
still in "pending", so we redirected to `main.resend_email_verification`
as intended - however, they didn't have anything in the session and the
resend page expected to get the email address to resend to out of that.

To be safe, as soon as we've confirmed the user has entered their
password correctly, lets save the session data at that point. That way
any redirects will be fine.
2021-06-29 18:13:25 +01:00
Leo Hemsted
71613dd942 remove old /two-factor endpoint and update test names
we redirect people to `/two-factor-sms` since #26ad20719
2021-06-29 16:19:24 +01:00
Leo Hemsted
126f9cf6be fix bug stopping editing of permissions of webauthn platform admins
We hide the radio field in the HTML for platform admins, as we don't
want anyone to be able to change their auth type. However, when the form
is validated, the form has a field called login_authentication that it
expects a value for. It silently fails as it complains that when the
user POSTed they didn't select a value for that radio field, but the
error message is on the radio fields that don't get displayed to the
user so they'd never know.

Fixing this is actually pretty hard.

We use this form in two places, one where we have a user to edit, one
where we are creating an invite from scratch. So sometimes we don't know
about a user's auth type. In addition, radio buttons are mandatory by
design, but now sometimes we don't just want to make it optional but
explicitly ignore the value being passed in? To solve this, remove the
field entirely from the form if the user is a platform admin. This means
that if the code in manage_users.py tries to access the
login_authentication value from the form, it'll error, but I think
that's okay to leave for now given we concede that this isn't a perfect
final solution.

The tests didn't flag this previously as they tried to set from sms_auth
(the default for `platform_admin_user`) TO email_auth or sms_auth. Also,
the diagnosis of this bug was confounded further by the fact that
`mock_get_users_by_service` sets what is returned by the API - the
service model then takes the IDs out of that response and calls
`User.get_user_by_id` for the matching ID (as in, the code only uses
get_users_by_service to ensure the user belongs to that service). This
means that we accidentally set the form editing the current user, as
when we log in we set `get_user_by_id` to return the user of our choice
2021-06-29 15:53:48 +01:00
Leo Hemsted
92b6885224 ensure webauthn page aborts if user isn't allowed 2021-06-29 15:53:48 +01:00
Rebecca Law
5534ecb5a4 Merge pull request #3939 from alphagov/check-daily-limit-for-csv-uploads
Check the daily limit get the daily notification_count from redis.
2021-06-29 14:41:22 +01:00
Rebecca Law
77c2aa9fd6 Stop passing in today_only for the get_service_statistics method.
We now only ever call it with False.
To remove it from the api call will require a change in the API so will do that at another time.
2021-06-29 07:33:40 +01:00
Ben Thorner
e7c1ce1869 Merge pull request #3938 from alphagov/save-original-pdf-uploads
Backup original precompiled uploads to S3
2021-06-24 12:43:40 +01:00
Ben Thorner
b3f48c1a84 Backup original precompiled uploads to S3
This continues the work from Template Preview [1], so that we have
a complete store of original PDFs to use for testing changes to it.

Previously we did store some originals, but these were only invalid
PDFs that had failed sanitisation; for valid PDFs, the "transient"
bucket only contains the sanitised versions, which the API deletes
/ moves when the notification is sent [2].

Since the notification is only created at a later stage [3], there's
no easy way to get the final name of the PDF we send to DVLA. Instead,
we use the "upload_id", which eventually becomes the notification ID
[4]. This should be enough to trace the file for specific debugging.

Note that we only want to store original PDFs if they're valid (and
virus free!), since there's no point testing changes with bad data.

[1]: https://github.com/alphagov/notifications-template-preview/pull/545
[2]: c44ec57c17/app/service/send_notification.py (L212)
[3]: 7930a53a58/app/main/views/uploads.py (L362)
[4]: 7930a53a58/app/main/views/uploads.py (L373)
2021-06-24 12:21:05 +01:00
Katie Smith
1862cd0223 Update data format for platform admin report
The format of dates returned from API for the "Monthly notification
statuses for live services" report has changed, so we no longer need to
format the dates here.

https://github.com/alphagov/notifications-api/pull/3279
2021-06-23 16:14:58 +01:00
Rebecca Law
44f02f2e30 To check the daily limit get the daily notification_count from redis.
The daily limit cache is set by the api when a notification is created. There is one cache key per service per day and it expires after 24 hours.
2021-06-23 15:56:05 +01:00
Pea Tyczynska
7930a53a58 Merge pull request #3935 from alphagov/more-detailed-request-go-live-ticket
Make a label more descriptive in request-to-go-live ticket
2021-06-18 10:01:50 +01:00
Pea Tyczynska
d1dc1aec6c Make a label more descriptive in request-to-go-live ticket
We have a label saying "other live services". This label means
other live services for a user making the request, but it could
also be interpreted as other live services for an organisation.

Hence, we are changing the label to "other live services for
that user" to avoid confusion
2021-06-17 17:53:28 +01:00
Ben Thorner
c17d438de8 DRY-up email revalidation check
Previously this was duplicated between the "two_factor" and the
"webauthn" views, and required more test setup. This DRYs up the
check and tests it once, using mocks to simplify the view tests.

As part of DRYing up the check into a util module, I've also moved
the "is_less_than_days_ago" function it uses.
2021-06-14 12:52:54 +01:00
Ben Thorner
bf2e6802bf Extract login utils out of two_factor view
This better reflects how the code is reused in other views and is
not specific to two factor actions. We have a pattern of testing
utility functionality for each view (as opposed to testing the util
+ the view calls the util), so I'm leaving the tests as-is.
2021-06-14 11:19:06 +01:00
Ben Thorner
3250f2b3ed Move redirect_to_signin helper to new util module
We'll expand this module in later commits.
2021-06-14 11:09:42 +01:00
Ben Thorner
edb0b8214d Move pagination utils into own module
This continues the pattern established in [1], just to chip away a
bit more at the random collection of stuff in utils/__init__.py.

[1]: https://github.com/alphagov/notifications-admin/pull/3923
2021-06-14 11:00:05 +01:00