From aeedb9ecd43d86ff9ff36a9d81e2091acf934f6f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Sep 2023 21:40:14 +0000 Subject: [PATCH 1/6] Bump exceptiongroup from 1.1.2 to 1.1.3 Bumps [exceptiongroup](https://github.com/agronholm/exceptiongroup) from 1.1.2 to 1.1.3. - [Changelog](https://github.com/agronholm/exceptiongroup/blob/main/CHANGES.rst) - [Commits](https://github.com/agronholm/exceptiongroup/compare/1.1.2...1.1.3) --- updated-dependencies: - dependency-name: exceptiongroup dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- poetry.lock | 18 ++++++++++++++---- pyproject.toml | 2 +- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/poetry.lock b/poetry.lock index 0b289a1c4..b8ed18722 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1077,13 +1077,13 @@ six = ">=1.10.0" [[package]] name = "exceptiongroup" -version = "1.1.2" +version = "1.1.3" description = "Backport of PEP 654 (exception groups)" optional = false python-versions = ">=3.7" files = [ - {file = "exceptiongroup-1.1.2-py3-none-any.whl", hash = "sha256:e346e69d186172ca7cf029c8c1d16235aa0e04035e5750b4b95039e65204328f"}, - {file = "exceptiongroup-1.1.2.tar.gz", hash = "sha256:12c3e887d6485d16943a309616de20ae5582633e0a2eda17f4e10fd61c1e8af5"}, + {file = "exceptiongroup-1.1.3-py3-none-any.whl", hash = "sha256:343280667a4585d195ca1cf9cef84a4e178c4b6cf2274caef9859782b567d5e3"}, + {file = "exceptiongroup-1.1.3.tar.gz", hash = "sha256:097acd85d473d75af5bb98e41b61ff7fe35efe6675e4f9370ec6ec5126d160e9"}, ] [package.extras] @@ -2044,6 +2044,16 @@ files = [ {file = "MarkupSafe-2.1.3-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:5bbe06f8eeafd38e5d0a4894ffec89378b6c6a625ff57e3028921f8ff59318ac"}, {file = "MarkupSafe-2.1.3-cp311-cp311-win32.whl", hash = "sha256:dd15ff04ffd7e05ffcb7fe79f1b98041b8ea30ae9234aed2a9168b5797c3effb"}, {file = "MarkupSafe-2.1.3-cp311-cp311-win_amd64.whl", hash = "sha256:134da1eca9ec0ae528110ccc9e48041e0828d79f24121a1a146161103c76e686"}, + {file = "MarkupSafe-2.1.3-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:f698de3fd0c4e6972b92290a45bd9b1536bffe8c6759c62471efaa8acb4c37bc"}, + {file = "MarkupSafe-2.1.3-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:aa57bd9cf8ae831a362185ee444e15a93ecb2e344c8e52e4d721ea3ab6ef1823"}, + {file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ffcc3f7c66b5f5b7931a5aa68fc9cecc51e685ef90282f4a82f0f5e9b704ad11"}, + {file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:47d4f1c5f80fc62fdd7777d0d40a2e9dda0a05883ab11374334f6c4de38adffd"}, + {file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1f67c7038d560d92149c060157d623c542173016c4babc0c1913cca0564b9939"}, + {file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:9aad3c1755095ce347e26488214ef77e0485a3c34a50c5a5e2471dff60b9dd9c"}, + {file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:14ff806850827afd6b07a5f32bd917fb7f45b046ba40c57abdb636674a8b559c"}, + {file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8f9293864fe09b8149f0cc42ce56e3f0e54de883a9de90cd427f191c346eb2e1"}, + {file = "MarkupSafe-2.1.3-cp312-cp312-win32.whl", hash = "sha256:715d3562f79d540f251b99ebd6d8baa547118974341db04f5ad06d5ea3eb8007"}, + {file = "MarkupSafe-2.1.3-cp312-cp312-win_amd64.whl", hash = "sha256:1b8dd8c3fd14349433c79fa8abeb573a55fc0fdd769133baac1f5e07abf54aeb"}, {file = "MarkupSafe-2.1.3-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:8e254ae696c88d98da6555f5ace2279cf7cd5b3f52be2b5cf97feafe883b58d2"}, {file = "MarkupSafe-2.1.3-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cb0932dc158471523c9637e807d9bfb93e06a95cbf010f1a38b98623b929ef2b"}, {file = "MarkupSafe-2.1.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9402b03f1a1b4dc4c19845e5c749e3ab82d5078d16a2a4c2cd2df62d57bb0707"}, @@ -4281,4 +4291,4 @@ testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "p [metadata] lock-version = "2.0" python-versions = "^3.9" -content-hash = "15aafd504a605f6621f3017ddfba898373885f90926eb16eef363ba5b33b53a6" +content-hash = "9567d12431fe9070c72a3a344f91b5e537382b7075cf55321feac92dcca47044" diff --git a/pyproject.toml b/pyproject.toml index 1e91acf7e..c9750c43e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -69,7 +69,7 @@ newrelic = "*" [tool.poetry.group.dev.dependencies] -exceptiongroup = "==1.1.2" +exceptiongroup = "==1.1.3" flake8 = "==4.0.1" flake8-bugbear = "==23.3.12" isort = "==5.12.0" From b4bf0f8084c67834b1b57f66994f905cb4418c10 Mon Sep 17 00:00:00 2001 From: stvnrlly Date: Tue, 26 Sep 2023 09:37:10 -0400 Subject: [PATCH 2/6] only need one with --- .github/workflows/adr-accepted.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/adr-accepted.yml b/.github/workflows/adr-accepted.yml index 4f933e5e6..e57699be7 100644 --- a/.github/workflows/adr-accepted.yml +++ b/.github/workflows/adr-accepted.yml @@ -22,8 +22,7 @@ jobs: uses: actions/checkout@v3 with: ref: main - with: - ssh-key: ${{ secrets.SSH_PRIVATE_KEY }} + ssh-key: ${{ secrets.SSH_PRIVATE_KEY }} - name: get ADR number id: next From 309c49dc8447ad5042eb5a3ebab6d542529aca89 Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Tue, 26 Sep 2023 08:11:47 -0700 Subject: [PATCH 3/6] notify-api-360 messages are hanging in pending forever --- app/clients/cloudwatch/aws_cloudwatch.py | 43 +++++++++++------------- tests/app/clients/test_aws_cloudwatch.py | 18 ++++++++++ 2 files changed, 38 insertions(+), 23 deletions(-) diff --git a/app/clients/cloudwatch/aws_cloudwatch.py b/app/clients/cloudwatch/aws_cloudwatch.py index 3447cbc20..8876f61ba 100644 --- a/app/clients/cloudwatch/aws_cloudwatch.py +++ b/app/clients/cloudwatch/aws_cloudwatch.py @@ -51,7 +51,6 @@ class AwsCloudwatchClient(Client): # Check all cloudwatch logs from the time the notification was sent (currently 5 minutes previously) until now now = round(time.time() * 1000) beginning = sent_at - current_app.logger.info(f"TIME RANGE TO CHECK {beginning} to {now}") next_token = None all_log_events = [] while True: @@ -74,40 +73,42 @@ class AwsCloudwatchClient(Client): all_log_events.extend(log_events) if len(log_events) > 0: # We found it - current_app.logger.info( - f"WE FOUND THE EVENT WE WERE LOOKING FOR? {log_events}" - ) + break next_token = response.get("nextToken") if not next_token: break - if len(all_log_events) == 0: - print(f"WE FOUND NO LOG EVENTS OVER TIME RANGE {beginning} to {now}") return all_log_events + def _extract_account_number(self, ses_domain_arn, region): + account_number = ses_domain_arn + # handle cloud.gov case + if "aws-us-gov" in account_number: + account_number = account_number.replace(f"arn:aws-us-gov:ses:{region}:", "") + account_number = account_number.split(":") + account_number = account_number[0] + # handle staging case + else: + account_number = account_number.replace(f"arn:aws:ses:{region}:", "") + account_number = account_number.split(":") + account_number = account_number[0] + return account_number + def check_sms(self, message_id, notification_id, created_at): - if os.getenv("LOCALSTACK_ENDPOINT_URL"): - current_app.logger.info("GADZOOKS WE ARE RUNNING WITH LOCALSTACK") region = cloud_config.sns_region # TODO this clumsy approach to getting the account number will be fixed as part of notify-api #258 - account_number = cloud_config.ses_domain_arn - account_number = account_number.replace(f"arn:aws:ses:{region}:", "") - account_number = account_number.split(":") - account_number = account_number[0] + account_number = self._extract_account_number( + cloud_config.ses_domain_arn, region + ) log_group_name = f"sns/{region}/{account_number}/DirectPublishToPhoneNumber" current_app.logger.info( - f"LOG GROUP NAME: {log_group_name} MESSAGE ID: {message_id}" + f"Log group name: {log_group_name} message id: {message_id}" ) filter_pattern = '{$.notification.messageId="XXXXX"}' filter_pattern = filter_pattern.replace("XXXXX", message_id) all_log_events = self._get_log(filter_pattern, log_group_name, created_at) - current_app.logger.info(f"NUMBER OF ALL LOG EVENTS {len(all_log_events)}") - if all_log_events and len(all_log_events) > 0: - current_app.logger.info( - "SHOULD RETURN SUCCESS BECAUSE WE FOUND A SUCCESS MESSAGE FOR MESSAGE ID" - ) event = all_log_events[0] message = json.loads(event["message"]) current_app.logger.info(f"MESSAGE {message}") @@ -116,11 +117,8 @@ class AwsCloudwatchClient(Client): log_group_name = ( f"sns/{region}/{account_number}/DirectPublishToPhoneNumber/Failure" ) - current_app.logger.info(f"FAILURE LOG GROUP NAME {log_group_name}") + # current_app.logger.info(f"Failure log group name: {log_group_name}") all_failed_events = self._get_log(filter_pattern, log_group_name, created_at) - current_app.logger.info( - f"NUMBER OF ALL FAILED LOG EVENTS {len(all_failed_events)}" - ) if all_failed_events and len(all_failed_events) > 0: current_app.logger.info("SHOULD RETURN FAILED BECAUSE WE FOUND A FAILURE") event = all_failed_events[0] @@ -128,7 +126,6 @@ class AwsCloudwatchClient(Client): current_app.logger.info(f"MESSAGE {message}") return "failure", message["delivery"]["providerResponse"] - print(f"RAISING EXCEPTION FOR MESSAGE_ID {message_id}") raise Exception( f"No event found for message_id {message_id} notification_id {notification_id}" ) diff --git a/tests/app/clients/test_aws_cloudwatch.py b/tests/app/clients/test_aws_cloudwatch.py index 5805d7cd5..dbb83dbdc 100644 --- a/tests/app/clients/test_aws_cloudwatch.py +++ b/tests/app/clients/test_aws_cloudwatch.py @@ -86,3 +86,21 @@ def test_check_sms_failure(notify_api, mocker): assert "Failure" in mock_call assert "fail" in mock_call assert "notification.messageId" in mock_call + + +def test_extract_account_number_gov_cloud(): + domain_arn = "arn:aws-us-gov:ses:us-gov-west-1:12345:identity/ses-abc.xxx.xxx.xxx" + actual_account_number = aws_cloudwatch_client._extract_account_number( + domain_arn, "us-gov-west-1" + ) + expected_account_number = "12345" + assert actual_account_number == expected_account_number + + +def test_extract_account_number_gov_staging(): + domain_arn = "arn:aws:ses:us-south-14:12345:identity/ses-abc.xxx.xxx.xxx" + actual_account_number = aws_cloudwatch_client._extract_account_number( + domain_arn, "us-south-14" + ) + expected_account_number = "12345" + assert actual_account_number == expected_account_number From 7887eed89112ff4bd1465cc56719acef8a683bb4 Mon Sep 17 00:00:00 2001 From: Carlo Costino Date: Tue, 26 Sep 2023 11:35:19 -0400 Subject: [PATCH 4/6] Fix the dynamic-scan job This PR fixes the dynamic-scan job, which is now failing in our PR checks due to missing environment variables. Signed-off-by: Carlo Costino --- .github/workflows/checks.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index dfa48c934..05db0ed10 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -123,6 +123,10 @@ jobs: run: make bootstrap env: SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api + NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} + NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }} + NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }} + NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} - name: Run server run: make run-flask & env: From 455b6071ba41f2317c306a1e74e969e3d1e0b7f1 Mon Sep 17 00:00:00 2001 From: Carlo Costino Date: Tue, 26 Sep 2023 12:09:03 -0400 Subject: [PATCH 5/6] Updated ZAP Action config to match recent changes Signed-off-by: Carlo Costino --- .github/workflows/checks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 05db0ed10..109991619 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -132,9 +132,9 @@ jobs: env: SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api - name: Run OWASP Baseline Scan - uses: zaproxy/action-api-scan@v0.4.0 + uses: zaproxy/action-api-scan@v0.5.0 with: - docker_name: 'owasp/zap2docker-stable' + docker_name: 'ghcr.io/zaproxy/zaproxy:stable' target: 'http://localhost:6011/docs/openapi.yml' fail_action: true allow_issue_writing: false From 5e0ba6a672334581d0ec41b28d44c72888a9e58a Mon Sep 17 00:00:00 2001 From: Carlo Costino Date: Tue, 26 Sep 2023 15:47:37 -0400 Subject: [PATCH 6/6] Trying ZAP weekly release instead of stable I noticed that a previous scan yesterday had referenced the weekly releases under the hood despite being configured for stable. Signed-off-by: Carlo Costino --- .github/workflows/checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 109991619..08634f6e3 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -134,7 +134,7 @@ jobs: - name: Run OWASP Baseline Scan uses: zaproxy/action-api-scan@v0.5.0 with: - docker_name: 'ghcr.io/zaproxy/zaproxy:stable' + docker_name: 'ghcr.io/zaproxy/zaproxy:weekly' target: 'http://localhost:6011/docs/openapi.yml' fail_action: true allow_issue_writing: false