diff --git a/.github/actions/deploy-proxy/action.yml b/.github/actions/deploy-proxy/action.yml
index c07a1c03f..13bdc494f 100644
--- a/.github/actions/deploy-proxy/action.yml
+++ b/.github/actions/deploy-proxy/action.yml
@@ -12,7 +12,7 @@ inputs:
default: https://github.com/GSA-TTS/cg-egress-proxy.git
proxy_version:
description: git ref to be deployed
- default: cflinuxfs4-deploy
+ default: main
runs:
using: composite
steps:
diff --git a/Pipfile b/Pipfile
index 0da1950cf..a4c395a85 100644
--- a/Pipfile
+++ b/Pipfile
@@ -15,7 +15,7 @@ bcrypt = "==3.2.2"
beautifulsoup4 = "==4.11.1"
billiard = "==3.6.4.0"
bleach = "==4.1.0"
-blinker = "==1.4"
+blinker = "~=1.4"
boto3 = "==1.23.8"
botocore = "==1.26.8"
cachetools = "==5.1.0"
@@ -35,7 +35,7 @@ dnspython = "==2.2.1"
docopt = "==0.6.2"
docutils = "==0.16"
eventlet = "==0.33.1"
-flask = "~=2.2"
+flask = "~=2.3"
flask-bcrypt = "==1.0.1"
flask-marshmallow = "==0.14.0"
flask-migrate = "==3.1.0"
@@ -54,7 +54,7 @@ psycopg2-binary = "==2.9.3"
pyjwt = "==2.4.0"
python-dotenv = "==0.20.0"
sqlalchemy = "==1.4.40"
-werkzeug = "~=2.2"
+werkzeug = "~=2.3"
# gds metrics packages
prometheus-client = "==0.14.1"
gds-metrics = {version = "==0.2.4", ref = "6f1840a57b6fb1ee40b7e84f2f18ec229de8aa72", git = "https://github.com/alphagov/gds_metrics_python.git"}
diff --git a/Pipfile.lock b/Pipfile.lock
index 9c4f53d39..12d87b09e 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,7 +1,7 @@
{
"_meta": {
"hash": {
- "sha256": "b58a7407ba322daf10ca83357dc35a7af28bac028fa04475d56f8c53d93b3028"
+ "sha256": "cec76bad3c666e613f7b6ef7da68232b923ae8855fa9d302446ac5f9843b634f"
},
"pipfile-spec": 6,
"requires": {
@@ -115,10 +115,11 @@
},
"blinker": {
"hashes": [
- "sha256:471aee25f3992bd325afa3772f1063dbdbbca947a041b8b89466dc00d606f8b6"
+ "sha256:4afd3de66ef3a9f8067559fb7a1cbe555c17dcbe15971b05d1b625c3e7abe213",
+ "sha256:c3d739772abb7bc2860abf5f2ec284223d9ad5c76da018234f6f50d6f31ab1f0"
],
"index": "pypi",
- "version": "==1.4"
+ "version": "==1.6.2"
},
"boto3": {
"hashes": [
@@ -349,11 +350,11 @@
},
"flask": {
"hashes": [
- "sha256:13f6329ddbfff11340939cd11919daf150a01358ded4b7e81c03c055dfecb559",
- "sha256:77504c4c097f56ac5f29b00f9009213010cf9d2923a288c0e0564a5db2bb53d6"
+ "sha256:77fd4e1249d8c9923de34907236b747ced06e5467ecac1a7bb7115ae0e9670b0",
+ "sha256:8c2f9abd47a9e8df7f0c3f091ce9497d011dc3b31effcf4c85a6e2b50f4114ef"
],
"index": "pypi",
- "version": "==2.2.4"
+ "version": "==2.3.2"
},
"flask-bcrypt": {
"hashes": [
@@ -1061,11 +1062,11 @@
},
"requests": {
"hashes": [
- "sha256:e8f3c9be120d3333921d213eef078af392fba3933ab7ed2d1cba3b56f2568c3b",
- "sha256:f2e34a75f4749019bb0e3effb66683630e4ffeaf75819fb51bebef1bf5aef059"
+ "sha256:10e94cc4f3121ee6da529d358cdaeaff2f1c409cd377dbc72b825852f2f7e294",
+ "sha256:239d7d4458afcb28a692cdd298d87542235f4ca8d36d03a15bfc128a6559a2f4"
],
"markers": "python_version >= '3.7'",
- "version": "==2.29.0"
+ "version": "==2.30.0"
},
"rfc3339-validator": {
"hashes": [
@@ -1267,11 +1268,11 @@
},
"werkzeug": {
"hashes": [
- "sha256:2f3278e9ef61511cdf82cc28fc5da0f5b501dd8f01ecf5ef6a5d810048f68702",
- "sha256:b7b8bc1609f35ae8e45d48a9b58d7a4eb1e41eec148d37e977e5df6ebf3398b2"
+ "sha256:4866679a0722de00796a74086238bb3b98d90f423f05de039abb09315487254a",
+ "sha256:a987caf1092edc7523edb139edb20c70571c4a8d5eed02e0b547b4739174d091"
],
"index": "pypi",
- "version": "==2.3.2"
+ "version": "==2.3.3"
},
"wrapt": {
"hashes": [
@@ -2074,11 +2075,11 @@
},
"requests": {
"hashes": [
- "sha256:e8f3c9be120d3333921d213eef078af392fba3933ab7ed2d1cba3b56f2568c3b",
- "sha256:f2e34a75f4749019bb0e3effb66683630e4ffeaf75819fb51bebef1bf5aef059"
+ "sha256:10e94cc4f3121ee6da529d358cdaeaff2f1c409cd377dbc72b825852f2f7e294",
+ "sha256:239d7d4458afcb28a692cdd298d87542235f4ca8d36d03a15bfc128a6559a2f4"
],
"markers": "python_version >= '3.7'",
- "version": "==2.29.0"
+ "version": "==2.30.0"
},
"requests-mock": {
"hashes": [
@@ -2190,11 +2191,11 @@
},
"werkzeug": {
"hashes": [
- "sha256:2f3278e9ef61511cdf82cc28fc5da0f5b501dd8f01ecf5ef6a5d810048f68702",
- "sha256:b7b8bc1609f35ae8e45d48a9b58d7a4eb1e41eec148d37e977e5df6ebf3398b2"
+ "sha256:4866679a0722de00796a74086238bb3b98d90f423f05de039abb09315487254a",
+ "sha256:a987caf1092edc7523edb139edb20c70571c4a8d5eed02e0b547b4739174d091"
],
"index": "pypi",
- "version": "==2.3.2"
+ "version": "==2.3.3"
},
"xmltodict": {
"hashes": [
diff --git a/README.md b/README.md
index 34e367374..9ccbf6f8f 100644
--- a/README.md
+++ b/README.md
@@ -44,10 +44,15 @@ Our other repositories are:
### Common steps
+On MacOS, using [Homebrew](https://brew.sh/) for package management is highly recommended. This helps avoid some known installation issues.
+
1. Install pre-requisites for setup:
* [jq](https://stedolan.github.io/jq/): `brew install jq`
* [terraform](https://www.terraform.io/): `brew install terraform` or `brew install tfenv` and use `tfenv` to install `terraform ~> 1.4.0`
* [cf-cli@8](https://docs.cloudfoundry.org/cf-cli/install-go-cli.html): `brew install cloudfoundry/tap/cf-cli@8`
+ * [postgresql](https://www.postgresql.org/): `brew install postgresql@15` (Homebrew requires a version pin, but any recent version will work)
+ * [redis](https://redis.io/): `brew install redis`
+ * [pyenv](https://github.com/pyenv/pyenv): `brew install pyenv`
1. [Log into cloud.gov](https://cloud.gov/docs/getting-started/setup/#set-up-the-command-line): `cf login -a api.fr.cloud.gov --sso`
1. Ensure you have access to the `notify-local-dev` and `notify-staging` spaces in cloud.gov
1. Run the development terraform with:
@@ -111,6 +116,12 @@ If you're working in VS Code, you can also leverage Docker for a containerized d
NOTE: when you change .env in the future, you'll need to rebuild the devcontainer for the change to take effect. VS Code _should_ detect the change and prompt you with a toast notification during a cached build. If not, you can find a manual rebuild in command pallette or just `docker rm` the notifications-api container.
+### Known installation issues
+
+On M1 Macs, if you get a `fatal error: 'Python.h' file not found` message, try a different method of installing Python. Installation via `pyenv` is known to work.
+
+A direct installation of PostgreSQL will not put the `createdb` command on your `$PATH`. It can be added there in your shell startup script, or a Homebrew-managed installation of PostgreSQL will take care of it.
+
## License && public domain
Work through [commit `e604385`](https://github.com/GSA/notifications-api/commit/e604385e0cf4c2ab8c6451b7120ceb196cce21b5) is licensed by the UK government under the MIT license. Work after that commit is in the worldwide public domain. See [LICENSE.md](./LICENSE.md) for more information.
diff --git a/docs/message-sending-path.md b/docs/message-sending-path.md
new file mode 100644
index 000000000..4d3774756
--- /dev/null
+++ b/docs/message-sending-path.md
@@ -0,0 +1,15 @@
+# How messages are queued and sent
+
+There are several ways for notifications to come into the API.
+
+- Messages sent through the API enter through `app/notifications/post_notifications.py`
+- One-off messages sent from the UI enter through `create_one_off_notification` in `app/service/rest.py`
+- CSV uploads enter through `app/job/rest.py`
+
+API messages and one-off UI messages come in one at a time, and take slightly-separate routes
+that both end up at `persist_notification`, which writes to the database, and `provider_tasks.deliver_sms`,
+which enqueues the sending.
+
+For CSV uploads, the CSV is first stored in S3 and queued as a `Job`. When the job runs, it iterates
+through the rows, running `process_job.save_sms` to send notifications through `persist_notification` and
+`provider_tasks.deliver_sms`.
diff --git a/docs/run-book.md b/docs/run-book.md
index 822067977..f93114a99 100644
--- a/docs/run-book.md
+++ b/docs/run-book.md
@@ -1,12 +1,16 @@
Run Book
========
-Policies and Procedures needed before and during US Notify Operations
+Policies and Procedures needed before and during US Notify Operations. Many of these policies are taken from the U.S. Notify System Security & Privacy Plan (SSPP).
+
+Any changes to policies and procedures defined both here and in the SSPP must be kept in sync, and should be done collaboratively with the System ISSO and ISSM to ensure
+that the security of the system is maintained.
1. [Alerts, Notifications, Monitoring](#alerts)
1. [Restaging Apps](#restaging-apps)
1. [Smoke-testing the App](#smoke-testing)
1. [Configuration Management](#cm)
+1. [DNS Changes](#dns)
1. [Known Gotchas](#gotcha)
1. [User Account Management](#ac)
1. [SMS Phone Number Management](#phone-numbers)
@@ -19,6 +23,12 @@ Operational alerts are posted to the [#pb-notify-alerts](https://gsa-tts.slack.c
[Cloud.gov Logging](https://logs.fr.cloud.gov/) is used to view and search application and platform logs.
+In addition to the application logs, there are several tables in the application that store useful information for audit logging purposes:
+
+* `events`
+* the various `*_history` tables
+
+
## Restaging Apps
Our apps must be restaged whenever cloud.gov releases updates to buildpacks. Cloud.gov will send email notifications whenever buildpack updates affect a deployed app.
@@ -103,6 +113,17 @@ US_Notify Administrators are responsible for ensuring that remediations for vuln
* Low - 180 days
* Informational - 365 days (depending on the analysis of the issue)
+## DNS Changes
+
+U.S. Notify DNS records are maintained within [the 18f/dns repository](https://github.com/18F/dns/blob/main/terraform/notify.gov.tf). To create new DNS records for notify.gov or any subdomains:
+
+1. Update the `notify.gov.tf` terraform to update or create the new records within Route53 and push the branch to the 18f/dns repository.
+1. Open a PR.
+1. Verify that the plan output within circleci creates the records that you expect.
+1. Request a PR review from the 18F/tts-tech-portfolio team
+1. Once the PR is approved and merged, verify that the apply step happened correctly within [CircleCI](https://app.circleci.com/pipelines/github/18F/dns)
+
+
## Known Gotchas
### SSB Service Bindings are failing