Bump pillow from 10.1.0 to 10.2.0 #397

Merged: 326 commits, Jan 26, 2024

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jan 22, 2024

Bumps pillow from 10.1.0 to 10.2.0.

Release notes

Sourced from pillow's releases.

10.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html

Changes

... (truncated)

Changelog

Sourced from pillow's changelog.

10.2.0 (2024-01-02)

  • Add keep_rgb option when saving JPEG to prevent conversion of RGB colorspace #7553 [bgilbert, radarhere]
  • Trim glyph size in ImageFont.getmask() #7669, #7672 [radarhere, nulano]
  • Deprecate IptcImagePlugin helpers #7664 [nulano, hugovk, radarhere]
  • Allow uncompressed TIFF images to be saved in chunks #7650 [radarhere]
  • Concatenate multiple JPEG EXIF markers #7496 [radarhere]
  • Changed IPTC tile tuple to match other plugins #7661 [radarhere]
  • Do not assign new fp attribute when exiting context manager #7566 [radarhere]
  • Support arbitrary masks for uncompressed RGB DDS images #7589 [radarhere, akx]
  • Support setting ROWSPERSTRIP tag #7654 [radarhere]
  • Apply ImageFont.MAX_STRING_LENGTH to ImageFont.getmask() #7662 [radarhere]
  • Optimise ImageColor using functools.lru_cache #7657 [hugovk]
  • Restricted environment keys for ImageMath.eval() #7655 [wiredfool, radarhere]
  • Optimise ImageMode.getmode using functools.lru_cache #7641 [hugovk, radarhere]
  • Fix incorrect color blending for overlapping glyphs #7497 [ZachNagengast, nulano, radarhere]
  • Attempt memory mapping when tile args is a string #7565 [radarhere]
  • Fill identical pixels with transparency in subsequent frames when saving GIF #7568 [radarhere]

... (truncated)

Commits
  • 6956d0b 10.2.0 version bump
  • 31c8dac Merge pull request #7675 from python-pillow/pre-commit-ci-update-config
  • 40a3f91 Merge pull request #7674 from nulano/url-example
  • cb41b0c [pre-commit.ci] pre-commit autoupdate
  • de62b25 fix image url in "Reading from URL" example
  • 7c526a6 Update CHANGES.rst [ci skip]
  • d93a5ad Merge pull request #7553 from bgilbert/jpeg-rgb
  • aed764f Update CHANGES.rst [ci skip]
  • f8df530 Merge pull request #7672 from nulano/imagefont-negative-crop
  • 24e9485 Merge pull request #7671 from radarhere/imagetransform
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • You can disable automated security fix PRs for this repo from the Security Alerts page.

chris-pettinga and others added 30 commits March 30, 2022 14:44
* Refactoring the forgotten password code to split it up into more modular, smaller views.

* black refactoring

* black refactoring

* Splitting up long line

* black reformatting

* Preliminary work on inviting existing third parties to cases

* [ci skip] AUTOMATED - update fitness functions

* Updated requirements.txt to use new client branch

* [ci skip] AUTOMATED - update fitness functions

* Updated requirements.txt to use new client branch

* made trade_remedies_public a module, getting module not found errors on Jenkins

* [ci skip] AUTOMATED - update fitness functions

* Monkey patching the BaseRegisterView as build still failing

* [ci skip] AUTOMATED - update fitness functions

* Checking if user is logged in

* New modified invite flow for third parties

* [ci skip] AUTOMATED - update fitness functions

* Changed the wording to better reflect when the emails get sent

* [ci skip] AUTOMATED - update fitness functions

* black and flake8

* [ci skip] AUTOMATED - update fitness functions

* Moved BaseRegisterView

* Black

* [ci skip] AUTOMATED - update fitness functions

* Removed the special client branch from requirements

* [ci skip] AUTOMATED - update fitness functions

* Re-removed the redirect invite code

* [ci skip] AUTOMATED - update fitness functions

* remove redundant noqa occurrences

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
Co-authored-by: nboyse <[email protected]>
* Changed Procfile to stop compiling CSS

* [ci skip] AUTOMATED - update fitness functions

* Changed Procfile to compile CSS before collectstatic

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
* feature: add codecov to repo

* [ci skip] AUTOMATED - update fitness functions

* Remove redundant variable and extra arguments

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
* Refactored circleci config.yml

* Added python flake8 to requirements

* Updated circleci ssh key fingerprint

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
* Updated pflake8 exception ignore to match original

* [ci skip] AUTOMATED - update fitness functions

* Added pre-commit hooks to circleci

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
* Fix - update python runtime

Updating python version in runtime.txt as 3.9.10 is no longer supported in Python Buildpack 1.7.53

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
* Hopefully resolved some of the issues regarding the incorrect name being displayed to public users; 'you are x representing y'

* [ci skip] AUTOMATED - update fitness functions

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
Co-authored-by: nboyse <[email protected]>
…ew type radio button branch. (#127)

* Renamed summary to is_notice

* [ci skip] AUTOMATED - update fitness functions

* Black reformatting

* [ci skip] AUTOMATED - update fitness functions

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
* Updated Django to 3.2.13

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
* Updated async to >=2.6.4

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5 sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Release 1 5 15 (#104)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and add 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and looks like 
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 was raised to replace this with a case-specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API, this change extracts the right attr name
for organisation_address as well as tidy up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope, seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portal's 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for way chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 😐

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>

* Release 1 5 16 (#107)

* TRLST-550 - Merge release back into develop (#105)

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>

* Public client-side changes to allow for TRLST-536 - review type radio… (#106)

* Public client-side changes to allow for TRLST-536 - review type radio buttons appear when applying for a new investigation and selecting a Notice from the dropdown.

* black code reformat

* HTML reformatting

* Updated version

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>
Co-authored-by: Mark Higham <[email protected]>

* Release 1.5.17 (#113)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and added 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and it looks like
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 raised to replace this with a case specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API; this change extracts the right attr name
for organisation_address as well as tidying up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope; it seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portals' 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded, make sure we navigate them
  to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for way chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 😐

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* TRLST-550 - Merge release back into develop (#105)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5 sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>

* Public client-side changes to allow for TRLST-536 - review type radio… (#106)

* Public client-side changes to allow for TRLST-536 - review type radio buttons appear when applying for a new investigation and selecting a Notice from the dropdown.

* black code reformat

* HTML reformatting

* Release 1 5 16 (#108)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5 sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Release 1 5 15 (#104)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and added 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and it looks like
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 raised to replace this with a case specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API; this change extracts the right attr name
for organisation_address as well as tidying up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope; it seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portals' 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded, make sure we navigate them
  to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for way chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 😐

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>

* Updated version

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>

* Upgrading django to 2.2.27 to resolve CVE-2022-23833 and CVE-2022-23833 (#109)

* Upgrading django to 2.2.27 to resolve CVE-2022-23833 and CVE-2022-23833

* Generated .txt requirement files
Updated pip-tools to >6.5.0

* prod.txt generated

* Update to 3.9.10

* Bump version

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>
Co-authored-by: Mark Higham <[email protected]>

* Bumped version to 1.5.18

* [ci skip] AUTOMATED - update fitness functions

* [ci skip] AUTOMATED - update fitness functions

* Deleted pytest.ini and updated config.yml

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>
Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5 sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Release 1 5 15 (#104)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and added 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and it looks like
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 raised to replace this with a case specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API; this change extracts the right attr name
for organisation_address as well as tidying up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope; it seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped jQuery to 3.5.1
- Updated gov template to use jQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portal's 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for way chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>

* Release 1 5 16 (#107)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and add 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and it looks like
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 was raised to replace this with a case-specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API, this change extracts the right attr name
for organisation_address as well as tidy up the rendering.

* TRLST-550 - Merge release back into develop (#105)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5  sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>

* Public client-side changes to allow for TRLST-536 - review type radio… (#106)

* Public client-side changes to allow for TRLST-536 - review type radio buttons appear when applying for a new investigation and selecting a Notice from the dropdown.

* black code reformat

* HTML reformatting

* Updated version

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>
Co-authored-by: Mark Higham <[email protected]>

* Release 1.5.17 (#113)

* Release 1 5 16 (#108)

* Release 1 5 15 (#104)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and add 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest grnerates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file is stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and ask the user to remove it. The interface allows to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and looks like 
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 raised to replace this with a case specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API; this change extracts the right attr name
for organisation_address as well as tidying up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope; it seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portal's 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for way chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>

* Updated version

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>

* Upgrading django to 2.2.27 to resolve CVE-2022-23833 and CVE-2022-23833 (#109)

* Upgrading django to 2.2.27 to resolve CVE-2022-23833 and CVE-2022-23833

* Generated .txt. requirement files
Updated pip-tools to >6.5.0

* prod.txt generated

* Update to 3.9.10

* Bump version

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>
Co-authored-by: Mark Higham <[email protected]>

* Release 1.5.18 (#131)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and added 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that the iPython bump alone didn't bump pygments, but
  it was updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and it looks like
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 raised to replace this with a case specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API; this change extracts the right attr name
for organisation_address as well as tidying up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope; it seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portal's 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for way chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* TRLST-550 - Merge release back into develop (#105)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5 sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>

* Public client-side changes to allow for TRLST-536 - review type radio… (#106)

* Public client-side changes to allow for TRLST-536 - review type radio buttons appear when applying for a new investigation and selecting a Notice from the dropdown.

* black code reformat

* HTML reformatting

* Release 1 5 16 (#108)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5 sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Release 1 5 15 (#104)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and added 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that the iPython bump alone didn't bump pygments, but
  it was updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and it looks like
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in…
…used (#135)

* Deleted references to node and npm as no longer being used

* [ci skip] AUTOMATED - update fitness functions

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5 sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Release 1 5 15 (#104)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and added 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that the iPython bump alone didn't bump pygments, but
  it was updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and it looks like
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 raised to replace this with a case specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API; this change extracts the right attr name
for organisation_address as well as tidying up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope; it seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portals' 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for the way the chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>

* Release 1 5 16 (#107)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and add 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non-critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and it looks like
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 raised to replace this with a case specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API, this change extracts the right attr name
for organisation_address as well as tidy up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope, which seems to be required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portals' 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for the way the chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* TRLST-550 - Merge release back into develop (#105)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5 sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>

* Public client-side changes to allow for TRLST-536 - review type radio… (#106)

* Public client-side changes to allow for TRLST-536 - review type radio buttons appear when applying for a new investigation and selecting a Notice from the dropdown.

* black code reformat

* HTML reformatting

* Updated version

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>
Co-authored-by: Mark Higham <[email protected]>

* Release 1.5.17 (#113)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and add 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non-critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and it looks like
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 raised to replace this with a case specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API, this change extracts the right attr name
for organisation_address as well as tidy up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope, which seems to be required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portals' 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for the way the chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* TRLST-550 - Merge release back into develop (#105)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5 sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>

* Public client-side changes to allow for TRLST-536 - review type radio… (#106)

* Public client-side changes to allow for TRLST-536 - review type radio buttons appear when applying for a new investigation and selecting a Notice from the dropdown.

* black code reformat

* HTML reformatting

* Release 1 5 16 (#108)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5 sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Release 1 5 15 (#104)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and add 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non-critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and it looks like
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 raised to replace this with a case specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API, this change extracts the right attr name
for organisation_address as well as tidy up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope, seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portal's 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for way chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>

* Updated version

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>

* Upgrading django to 2.2.27 to resolve CVE-2022-23833 and CVE-2022-23833 (#109)

* Upgrading django to 2.2.27 to resolve CVE-2022-23833 and CVE-2022-23833

* Generated .txt requirement files
Updated pip-tools to >6.5.0

* prod.txt generated

* Update to 3.9.10

* Bump version

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>
Co-authored-by: Mark Higham <[email protected]>

* Release 1.5.18 (#131)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and added 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

* TRLST-550 - Merge release back into develop (#105)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5 sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>

* Public client-side changes to allow for TRLST-536 - review type radio… (#106)

* Public client-side changes to allow for TRLST-536 - review type radio buttons appear when applying for a new investigation and selecting a Notice from the dropdown.

* black code reformat

* HTML reformatting

* Release 1 5 16 (#108)

* Release 1 5 15 (#104)

* get selenium tests running

* black

* attempt to get chrome onto circle ci

* use browsers image

* do not specify chromedriver path

* install browsers via orb

* try without orb

* try again without orb

* Revert "try again without orb"

This reverts commit f9c1628.

* Revert "try without orb"

This reverts commit 5d0d66a.

* remove unused commands

* ps ignore

* added first functional test

* lands on right page

* added styling

* added back button and redesigned password request

* fixed back button, defined sign in flow in middleware

* sends reset email

* use base with form

* update password reset email sent template

* added redesigned reset password template

* back button middleware handles url kwargs

* clean up finding non back urls

* added password show/hide

* added password criteria checks

* use jquery and better special character criteria

* added password reset success

* updated non back urls

* added page title

* black

* remove unused import

* use deployed regex for special characters

* Revert "added first functional test"

This reverts commit c29ffaf

* Revert "get selenium tests running"

This reverts commit 0cf3745

* Revert "install browsers via orb"

This reverts commit 61e606e.

# Conflicts:
#	.circleci/config.yml

* skip false positives

* make pre-commit hooks happy

* pre-commit ignores font files

* stop using browsers image

* [ci skip] AUTOMATED - update fitness functions

* Update trade_remedies_public/password/views.py

Co-authored-by: Christopher Pettinga <[email protected]>

* [ci skip] AUTOMATED - update fitness functions

* use try-except for reverse match

* [ci skip] AUTOMATED - update fitness functions

* remove background image

* use base.html instead

* use base.html instead

* remove unused static

* [ci skip] AUTOMATED - update fitness functions

* import js files

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
Co-authored-by: Christopher Pettinga <[email protected]>
* Making headway on the V2 login journey, abstracting HTML templates

* Implementing the V2 login journey

* Clearing up CSS
Refactoring two-factor view

* [ci skip] AUTOMATED - update fitness functions

* [ci skip] AUTOMATED - update fitness functions

* MVP for the V2 login journey.

* Made the V1 navbar more aesthetically similar to the new V2 one, not perfect yet.

Fixed password show-hide button not centering when errors appear

No longer show password show-hide button when JS is disabled

Modified V2 decorator to reraise non validation-exceptions

* Selenium tests should run headless

* Ran black and added browsertools to circleci config.yml to run selenium front-end tests

* flake8 fixes

* Temporarily removing frontend testing from circleci

* black formatting

* [ci skip] AUTOMATED - update fitness functions

* added first functional test

* lands on right page

* Moved the v2_error_handling decorator around as it causes issues with importing from trade_remedies_public module?

* [ci skip] AUTOMATED - update fitness functions

* Added static files to the right source folder in the templates directory, so that collectstatic moves them to public/static.

* [ci skip] AUTOMATED - update fitness functions

* Changed client github link to point to correct branch

* [ci skip] AUTOMATED - update fitness functions

* Updated requirements.txt to pull correct client branch

* [ci skip] AUTOMATED - update fitness functions

* Implementing copy changes

* [ci skip] AUTOMATED - update fitness functions

* added email validation

* added password validation

* [ci skip] AUTOMATED - update fitness functions

* fix error message styling

* [ci skip] AUTOMATED - update fitness functions

* flake8 and black

* Mary requested changes from the 7th May:

1. <fieldset> shouldn’t be used to encapsulate entire form - they’ve been removed from the proto. All headers should therefore be a standard <h1>
2. Form error summary should have links to each error. See GDS: Error summary or see bottom example on proto: Sign in - GOV.UK Prototype Kit
3. All "functional" links, e.g. "Create account" or "Back", should not show visited state; use class: "govuk-link--no-visited-state". Let's keep visited state for links to outside articles etc
4. Start page. Missing a link for the Active Cases. Use this: Trade remedies
5. Start page. I've also changed the H1 of the start page and made it blue since you started it. Sign in - GOV.UK Prototype Kit

* [ci skip] AUTOMATED - update fitness functions

* Black formatting

* [ci skip] AUTOMATED - update fitness functions

* Flake8 formatting

* [ci skip] AUTOMATED - update fitness functions

* PII exclusion

* [ci skip] AUTOMATED - update fitness functions

* Mary's comments - https://uktrade.atlassian.net/browse/TRSV2-174?focusedCommentId=94102

* [ci skip] AUTOMATED - update fitness functions

* PII exclusions.

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
Co-authored-by: Johnny <[email protected]>
Co-authored-by: Jonathan Li <[email protected]>

* added expired reset link page

* use try-except

* enable password reset request via user primary key

* black

* flake8

* ps ignore

* handle expected TypeError

* updated to current prototype

* simplify

* use show_password.js

* use url reverse

* use request id uuid instead of user pk uuid

* remove unused imports

* stop using fieldset

* functional links do not show visited state

* summary error messages link to input

* no visited state for forgot your password

* ps ignore

* unfocus from input when submitting

* put it back on the same line

* remove commented out lines

* update to use new base templates and error handling from api

* remove unused imports

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
Co-authored-by: Christopher Pettinga <[email protected]>
* Making headway on the V2 login journey, abstracting HTML templates

* Implementing the V2 login journey

* Clearing up CSS
Refactoring two-factor view

* [ci skip] AUTOMATED - update fitness functions

* get selenium tests running

* black

* attempt to get chrome onto circle ci

* use browsers image

* do not specify chromedriver path

* install browsers via orb

* try without orb

* try again without orb

* Revert "try again without orb"

This reverts commit f9c1628.

* Revert "try without orb"

This reverts commit 5d0d66a.

* remove unused commands

* ps ignore

* [ci skip] AUTOMATED - update fitness functions

* MVP for the V2 login journey.

* Made the V1 navbar more aesthetically similar to the new V2 one, not perfect yet.

Fixed password show-hide button not centering when errors appear

No longer show password show-hide button when JS is disabled

Modified V2 decorator to reraise non validation-exceptions

* Selenium tests should run headless

* Ran black and added browsertools to circleci config.yml to run selenium front-end tests

* flake8 fixes

* Temporarily removing frontend testing from circleci

* black formatting

* [ci skip] AUTOMATED - update fitness functions

* added first functional test

* lands on right page

* Moved the v2_error_handling decorator around as it causes issues with importing from trade_remedies_public module?

* [ci skip] AUTOMATED - update fitness functions

* Added static files to the right source folder in the templates directory, so that collectstatic moves them to public/static.

* [ci skip] AUTOMATED - update fitness functions

* added styling

* added back button and redesigned password request

* fixed back button, defined sign in flow in middleware

* sends reset email

* use base with form

* update password reset email sent template

* Changed client github link to point to correct branch

* [ci skip] AUTOMATED - update fitness functions

* added redesigned reset password template

* back button middleware handles url kwargs

* clean up finding non back urls

* Updated requirements.txt to pull correct client branch

* [ci skip] AUTOMATED - update fitness functions

* added password show/hide

* added password criteria checks

* use jquery and better special character criteria

* added password reset success

* updated non back urls

* added page title

* black

* remove unused import

* use deployed regex for special characters

* Revert "added first functional test"

This reverts commit c29ffaf

* Revert "get selenium tests running"

This reverts commit 0cf3745

* Revert "install browsers via orb"

This reverts commit 61e606e.

# Conflicts:
#	.circleci/config.yml

* skip false positives

* make pre-commit hooks happy

* pre-commit ignores font files

* stop using browsers image

* [ci skip] AUTOMATED - update fitness functions

* Update trade_remedies_public/password/views.py

Co-authored-by: Christopher Pettinga <[email protected]>

* [ci skip] AUTOMATED - update fitness functions

* use try-except for reverse match

* [ci skip] AUTOMATED - update fitness functions

* remove background image

* use base.html instead

* use base.html instead

* remove unused static

* [ci skip] AUTOMATED - update fitness functions

* import js files

* Implementing copy changes

* [ci skip] AUTOMATED - update fitness functions

* added email validation

* added password validation

* [ci skip] AUTOMATED - update fitness functions

* fix error message styling

* [ci skip] AUTOMATED - update fitness functions

* flake8 and black

* Mary requested changes from the 7th May:

1. <fieldset> shouldn’t be used to encapsulate entire form - they’ve been removed from the proto. All headers should therefore be a standard <h1>
2. Form error summary should have links to each error. See GDS: Error summary or see bottom example on proto: Sign in - GOV.UK Prototype Kit
3. All "functional" links, e.g. "Create account" or "Back", should not show visited state; use class: "govuk-link--no-visited-state". Let's keep visited state for links to outside articles etc.
4. Start page. Missing a link for the Active Cases. Use this: Trade remedies
5. Start page. I've also changed the H1 of the start page and made it blue since you started it. Sign in - GOV.UK Prototype Kit

* [ci skip] AUTOMATED - update fitness functions

* Changed the V1 navbar so it looks identical to the V2 version. As we slowly phase out the V1 journeys and all new code inherits from the new HTML templates, we will remove the duplicate code.

Also changed the logic in the landing page so if a user is authenticated, they are redirected to their dashboard, rather than seeing a sign to login.

* black, flake8, and PII checks

* [ci skip] AUTOMATED - update fitness functions

* Nawaz comments

* [ci skip] AUTOMATED - update fitness functions

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
Co-authored-by: Johnny <[email protected]>
Co-authored-by: Jonathan Li <[email protected]>
* Fix - update python runtime

Updating python version in runtime.txt as 3.9.10 is no longer supported in Python Buildpack 1.7.53

* [ci skip] AUTOMATED - update fitness functions

* Updating python runtime.txt

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
* remove extra block tag

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
* Making headway on the V2 login journey, abstracting HTML templates

* Implementing the V2 login journey

* Clearing up CSS
Refactoring two-factor view

* [ci skip] AUTOMATED - update fitness functions

* get selenium tests running

* black

* attempt to get chrome onto circle ci

* use browsers image

* do not specify chromedriver path

* install browsers via orb

* try without orb

* try again without orb

* Revert "try again without orb"

This reverts commit f9c1628.

* Revert "try without orb"

This reverts commit 5d0d66a.

* remove unused commands

* ps ignore

* [ci skip] AUTOMATED - update fitness functions

* MVP for the V2 login journey.

* Made the V1 navbar more aesthetically similar to the new V2 one, not perfect yet.

Fixed password show-hide button not centering when errors appear

No longer show password show-hide button when JS is disabled

Modified V2 decorator to reraise non validation-exceptions

* Selenium tests should run headless

* Ran black and added browsertools to circleci config.yml to run selenium front-end tests

* flake8 fixes

* Temporarily removing frontend testing from circleci

* black formatting

* [ci skip] AUTOMATED - update fitness functions

* added first functional test

* lands on right page

* Preliminary work on the V2 registration journey

* Moved the v2_error_handling decorator around as it causes issues with importing from trade_remedies_public module?

* [ci skip] AUTOMATED - update fitness functions

* Carrying on work on v2 registration story

* Added static files to the right source folder in the templates directory, so that collectstatic moves them to public/static.

* [ci skip] AUTOMATED - update fitness functions

* added styling

* added back button and redesigned password request

* fixed back button, defined sign in flow in middleware

* sends reset email

* use base with form

* update password reset email sent template

* Finished majority of the aesthetic side of the v2 login journey, next steps are validation and API refactoring

* Changed client github link to point to correct branch

* [ci skip] AUTOMATED - update fitness functions

* updating session

* added redesigned reset password template

* back button middleware handles url kwargs

* Updating client to deal with authentication

* clean up finding non back urls

* Updated requirements.txt to pull correct client branch

* [ci skip] AUTOMATED - update fitness functions

* added password show/hide

* [ci skip] AUTOMATED - update fitness functions

* added password criteria checks

* use jquery and better special character criteria

* added password reset success

* updated non back urls

* added page title

* black

* remove unused import

* use deployed regex for special characters

* Revert "added first functional test"

This reverts commit c29ffaf

* Revert "get selenium tests running"

This reverts commit 0cf3745

* Revert "install browsers via orb"

This reverts commit 61e606e.

# Conflicts:
#	.circleci/config.yml

* skip false positives

* make pre-commit hooks happy

* pre-commit ignores font files

* stop using browsers image

* [ci skip] AUTOMATED - update fitness functions

* v2 registration journey

* [ci skip] AUTOMATED - update fitness functions

* Update trade_remedies_public/password/views.py

Co-authored-by: Christopher Pettinga <[email protected]>

* [ci skip] AUTOMATED - update fitness functions

* use try-except for reverse match

* [ci skip] AUTOMATED - update fitness functions

* remove background image

* use base.html instead

* use base.html instead

* remove unused static

* [ci skip] AUTOMATED - update fitness functions

* import js files

* Implementing copy changes

* [ci skip] AUTOMATED - update fitness functions

* added email validation

* added password validation

* Implementing copy changes

* [ci skip] AUTOMATED - update fitness functions

* [ci skip] AUTOMATED - update fitness functions

* fix error message styling

* [ci skip] AUTOMATED - update fitness functions

* Happy path now complete

* PII removal, black formatting, and flake8

* [ci skip] AUTOMATED - update fitness functions

* Using develop middleware.py

* [ci skip] AUTOMATED - update fitness functions

* Migrated over to using Django Forms to deal with the validation for the registration journey unhappy path and validation errors.

* Unhappy path complete, writing tests and weedling out remaining bugs now

* Finalised beautiful tests!

* Final step of registration can now handle any final errors thrown by serializer

* black and flake8

* flake8 and black

* Updated requirements.txt to point to the right client branch

* fixed imports

* fixed imports

* Fixed registration flow and added sign-out link, organisation_name was fixed as it was messing up the signup validation flow

* Mary requested changes from the 7th May:

1. <fieldset> shouldn’t be used to encapsulate entire form - they’ve been removed from the proto. All headers should therefore be a standard <h1>
2. Form error summary should have links to each error. See GDS: Error summary or see bottom example on proto: Sign in - GOV.UK Prototype Kit
3. All "functional" links, e.g. "Create account" or "Back", should not show visited state; use class: "govuk-link--no-visited-state". Let's keep visited state for links to outside articles etc.
4. Start page. Missing a link for the Active Cases. Use this: Trade remedies
5. Start page. I've also changed the H1 of the start page and made it blue since you started it. Sign in - GOV.UK Prototype Kit

* [ci skip] AUTOMATED - update fitness functions

* Black formatting

* [ci skip] AUTOMATED - update fitness functions

* Flake8 formatting

* [ci skip] AUTOMATED - update fitness functions

* PII exclusion

* [ci skip] AUTOMATED - update fitness functions

* Mary's comments - https://uktrade.atlassian.net/browse/TRSV2-174?focusedCommentId=94102

* [ci skip] AUTOMATED - update fitness functions

* PII exclusions.

* [ci skip] AUTOMATED - update fitness functions

* Merged login journey into this branch, and adjusted for tuple being returned by validation_errors.py

* Black, flake8, PII, and test import error

* Fixed tests that were failing on CircleCI

* Updated copy to reflect the prototype.

Also removed back button from account created confirmation screen

* Added redis to circleCI configuration as some tests use self.client.session, and django request session uses a redis backend so tests are failing.

* Implemented Mary's comments on https://uktrade.atlassian.net/browse/TRSV2-205?focusedCommentId=94216

* Changed name of CustomValidationForm
Used defaultdicts to add form errors to the session
Adjusted the get_item templatetag to deal with defaultdicts along with dicts

* Updating python runtime.txt

* Correct error shows when submitting 2fa choice without selecting anything

Country dropdown & text area has red outline if there is an error

* Changed the back buttons to history.go(-1) whilst we work on a better back button solution

* Adjusted copy

* Removed no-cache.
Country code dropdown is now dynamically generated from django-countries
Resolved Mary's comments - https://uktrade.atlassian.net/browse/TRSV2-205?focusedCommentId=94418

* Updated dev.txt requirements

* URL anchor hash is now removed on form submission

* Mary's copy and functionality changes from https://uktrade.atlassian.net/browse/TRSV2-205?focusedCommentId=94629

Form inputs now blur and lose focus on page load.

* Removed back button from the email verified page, and moved the logic that determines whether to display the back button into the template itself, rather than in middleware.

Changed copy in email verified page to change depending on the user's status in an organisation.

* Fixed some small bugs that prevented invitation flow from API changes

* flake8 and black

* Added redis to circleci config.yml

* Updated REDIS base URL in config.yml

* Formatting error config.yml

* Updated config.yml

* Testing now uses a localcache to avoid having to setup a redis instance in circleci

* [ci skip] AUTOMATED - update fitness functions

Co-authored-by: FITNESS-FUNCTIONS MACHINE USER <[email protected]>
Co-authored-by: Johnny <[email protected]>
Co-authored-by: Jonathan Li <[email protected]>
dependabot bot and others added 13 commits November 30, 2023 09:08
* Bump werkzeug from 2.3.8 to 3.0.1

Bumps [werkzeug](https://github.com/pallets/werkzeug) from 2.3.8 to 3.0.1.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](pallets/werkzeug@2.3.8...3.0.1)

---
updated-dependencies:
- dependency-name: werkzeug
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Regenerating requirements.txt file

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <dependabot[bot]@users.noreply.github.com>
Co-authored-by: Christopher Pettinga <[email protected]>
* Bump whitenoise from 5.3.0 to 6.6.0

Bumps [whitenoise](https://github.com/evansd/whitenoise) from 5.3.0 to 6.6.0.
- [Changelog](https://github.com/evansd/whitenoise/blob/main/docs/changelog.rst)
- [Commits](evansd/whitenoise@v5.3.0...6.6.0)

---
updated-dependencies:
- dependency-name: whitenoise
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Regenerating requirements.txt file

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <dependabot[bot]@users.noreply.github.com>
Co-authored-by: Christopher Pettinga <[email protected]>
Also fully removed feedback references and changed never_cache to classmthoddecorator for Django 4.x
* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5  sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Release 1 5 15 (#104)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and add 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and looks like 
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 was raised to replace this with a case-specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API, this change extracts the right attr name
for organisation_address as well as tidy up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope, seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portal's 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for way chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There we some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>

* Release 1 5 16 (#107)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and add 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and looks like 
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 was raised to replace this with a case-specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API, this change extracts the right attr name
for organisation_address as well as tidy up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope, seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portal's 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for the way the chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* TRLST-550 - Merge release back into develop (#105)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5  sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>

* Public client-side changes to allow for TRLST-536 - review type radio… (#106)

* Public client-side changes to allow for TRLST-536 - review type radio buttons appear when applying for a new investigation and selecting a Notice from the dropdown.

* black code reformat

* HTML reformatting

* Updated version

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>
Co-authored-by: Mark Higham <[email protected]>

* Release 1.5.17 (#113)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and add 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and it looks like
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 raised to replace this with a case-specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API; this change extracts the right attr name
for organisation_address as well as tidying up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope, seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portal's 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for the way the chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* TRLST-550 - Merge release back into develop (#105)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5  sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>

* Public client-side changes to allow for TRLST-536 - review type radio… (#106)

* Public client-side changes to allow for TRLST-536 - review type radio buttons appear when applying for a new investigation and selecting a Notice from the dropdown.

* black code reformat

* HTML reformatting

* Release 1 5 16 (#108)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5  sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Release 1 5 15 (#104)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and add 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and it looks like
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 raised to replace this with a case-specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API; this change extracts the right attr name
for organisation_address as well as tidying up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope, seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portal's 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for the way the chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>

* Updated version

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>

* Upgrading django to 2.2.27 to resolve CVE-2022-23833 and CVE-2022-23833 (#109)

* Upgrading django to 2.2.27 to resolve CVE-2022-23833 and CVE-2022-23833

* Generated .txt requirement files
Updated pip-tools to >6.5.0

* prod.txt generated

* Update to 3.9.10

* Bump version

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>
Co-authored-by: Mark Higham <[email protected]>

* Release 1.5.18 (#131)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and add 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non-critical issues in caseworker. This PR is a tidy-up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that the iPython bump alone didn't bump pygments, but it was
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get the npm ci build to succeed.
  I bumped my local npm to latest and it looks like
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 was raised to replace this with a case specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API; this change extracts the right attr name
for organisation_address as well as tidying up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope; it seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portal's 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for way chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* TRLST-550 - Merge release back into develop (#105)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5 sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>

* Public client-side changes to allow for TRLST-536 - review type radio… (#106)

* Public client-side changes to allow for TRLST-536 - review type radio buttons appear when applying for a new investigation and selecting a Notice from the dropdown.

* black code reformat

* HTML reformatting

* Release 1 5 16 (#108)

* Release 1 5 15 (#104)

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>

* Release 1 5 16 (#107)

  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* TRLST-550 - Merge release back into develop (#105)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5  sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>

* Public client-side changes to allow for TRLST-536 - review type radio… (#106)

* Public client-side changes to allow for TRLST-536 - review type radio buttons appear when applying for a new investigation and selecting a Notice from the dropdown.

* black code reformat

* HTML reformatting

* Updated version

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>
Co-authored-by: Mark Higham <[email protected]>

* Release 1.5.17 (#113)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and added 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and looks like 
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 raised to replace this with a case specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API, this change extracts the right attr name
for organisation_address as well as tidy up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope, seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portal's 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for way chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* TRLST-550 - Merge release back into develop (#105)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5  sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>

* Public client-side changes to allow for TRLST-536 - review type radio… (#106)

* Public client-side changes to allow for TRLST-536 - review type radio buttons appear when applying for a new investigation and selecting a Notice from the dropdown.

* black code reformat

* HTML reformatting

* Release 1 5 16 (#108)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5  sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Release 1 5 15 (#104)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and added 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and looks like 
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 raised to replace this with a case specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API, this change extracts the right attr name
for organisation_address as well as tidy up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope, seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then Public and Caseworker portal's 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for way chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>

* Updated version

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>

* Upgrading django to 2.2.27 to resolve CVE-2022-23833 and CVE-2022-23833 (#109)

* Upgrading django to 2.2.27 to resolve CVE-2022-23833 and CVE-2022-23833

* Generated .txt requirement files
Updated pip-tools to >6.5.0

* prod.txt generated

* Update to 3.9.10

* Bump version

Co-authored-by: Dave Charles <[email protected]>
Co-authored-by: Luisella Strona <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: nboyse <[email protected]>
Co-authored-by: Tash Boyse <[email protected]>
Co-authored-by: Mark Higham <[email protected]>

* Release 1.5.18 (#131)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and added 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow to remove non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version, and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and looks like 
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn was sinking them. Added --capture-output config to gunicorn.

* feat: remove help mailto.

The [email protected] email is being retired and as such needs to be removed from the public portal. TRLST-295 has been raised to replace this with a case-specific email.

* fix: trlst-299 django vulnerability

- Bump django version to 2.2.20

* fix: TRLST-281 save and continue.

This change fixes an issue where a third party invitee's organisation
details were not displayed if the user edited the contact in the submission.
This was mainly solved in the API, this change extracts the right attr name
for organisation_address as well as tidy up the rendering.

* feat: trlst 296 merge release into develop

Merge release branch back into develop. Updated
mismatched deps after conflict resolution required
when merging release branch with develop. Also
includes updated version.

* feat: TRLST-306 add pip-tools to dev deps 

TRLST 304 introduced an improved mechanism in TR public service
to use pip-compile on the container rather than in the developer's
local env.

However, pip-tools (required for pip-compile) is not in the
API/Public/Caseworker deps and therefore does not get included
in the container build.

This change adds pip-tools as a dev dep, and also performs
on-container build of requirements.

* merge: trlst 305 merge hotfix into develop

This change merges branch 'master' into develop, incorporating the hotfix made under TRLST 304.
It also reintroduces appnope; it seems this is required as it is a dep of iPython.

* feat: TRLST-301 add audit log middleware.

Added audit log middleware to service in production.
See https://github.com/uktrade/django-audit-log-middleware.

* feat: TRLST-315 bump runtime. (#54)

PaaS buildpack python support requires bump of python runtime.

* fix: bump hosted-git-info to resolve vulnerability. (#55)

* feat: add IHTC compliance settings

Added IHTC compliance settings. This included some wrangling of npm packages, mainly solved by dropping CI node docker image version to `lts`.

* feat: trlst 327 hardening 2

- Restructured so we can apply settings in lower envs if required.
- included in staging.
- Also tidies logging def inconsistencies.

* fix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503

* LSGH-5 sec: bump django to resolve vulnerability

* fix: TRLST-339 malicious file upload.

- Updated deps to use new chunk uploader
- Bumped boto and django-storages to match
- Removed and ignored sqlite3 db that is built on deployment
- Update view to use new handler and detect malware response
- Added necessary settings to django config
- Clean-up, removed cruft routes

* hotfix: TRLST-343 Prevent external redirection in login flow

* hotfix: TRLST-342 escape text_element template tag value to prevent s-xss.

* hotfix: TRLST-344 cycle session key just like django.contrib.auth.login.

* hotfix: TRLST 345 vulnerable third-party libraries

- Bumped JQuery to 3.5.1
- Updated gov template to use JQuery 3.5.1
- Used same JQUI version as caseworker for consistency

* hotfix: TRLST 349 information leakage

Remediation for pen test observations:
- redacted gunicorn server signature.

* fix: trlst-308 third party invited org

* render third party organisation and role correctly
* tidy formatting and use correct extends ref
* fix up invites.
  - Improved validations
  - Handle country properly
  - Fix issues with edits
* set ci node img to lts
* make invite email verify message clearer.
* repair user creation and editing.
* don't show edit link when a third party invite.
* don't shadow built in name.
* add validators for 3p contact form.
* sanitise add 3p user route.
* only one 3p can be added.
* 3P contact processing and validation.
* validate address.
* intercept 3rd party draft submission navigation.
* manage draft form data.
* display inviting org banner.
* show draft and completed correctly.

* feat: trlst 295 case specific email

When on a case related page this change updates the help box to include a case specific email address.

* feat: Fix countdown and improve page layout.

Fix bug that caused 2FA lock countdown to not be displayed, and improve 2FA challenge layout. This is a quick and dirty fix as the API 2FA views are a mess. If/when the API layer is cleaned up then the Public and Caseworker portals' 2FA usage can be refactored to be less abysmal.
- ensure 2fa locked countdown is displayed.
- improve page layout.

* merge: release 1.5.10 back into develop

* fix: reset errors and redirect correctly.

- Reset the session correctly when validations pass
- After a user has been onboarded make sure we navigate them
to the email verify page.

* fix: Update config folder name

Updated config folder name to be consistent with LST practice.

* merge: master hotfix into develop

Merge 1.5.10.1 hotfix into develop.

* fix: updated example config.

- Updated example config for use with new chunk uploader
- Added SQLite DB updates containing chunk uploader migration.
  These aren't actually used, just catering for way chunk
  uploader app is installed.
- Fixed some hitherto undetected CI fails (probs not detected because of creds refresh requirement)

* merge: release 1.5.11 into develop

* fix: upgrade pip packages with pip-compile

* fix: change received to submitted

* fix: amending breadcrumb wording for archive and active cases

* Amend archive field

* fix: remove change details link on public account details page

* Removing all references to ACCOUNT_INFO_READ_ONLY

* Flake8 :neutral_face:

* fix: LSGH-41 - package-lock.json update

* merge: release 1.5.12 into develop

- Version bump
- Runtime bump

* feature: pre-commit hooks

* fix: amend pii-ignore comment to prevent public site breaking

* fix: Allow notices to be registered in public site under 'Apply for a new investigation' (#93)

* Fix: TRLST-475 refactor and remove av scan logic

As part of the effort to remove all the API related anti-virus scan logic this is a set of related tidy up changes:

- There is no concept of an "unsafe" document anymore as malware is rejected at point of upload, updated download links and tests accordingly.
- `django_chunk_upload_handlers` package expects an `AWS_REGION` setting (although this was not a functional issue), added to stop package logging complaint.
- There were some tests that were not being executed properly due to invalid `pytest` config. The tests needed fixing up too.

* merge: TRLST-499 release into develop

- version bump

* fix: amend regex check to accept integers

* merge: TRLST-528 release into develop

* TRLST-551 - upgrading iPython version due to CVE-2022-21699 (#102)

* Upgrade Django to 2.2.26 (#103)

* TRLST-550 - Merge release back into develop (#105)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5  sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Updated version to 1.5.15

* Forced package.json to use "node-fetch": ">=2.6.7" to avoid CVE-2022-0235

Co-authored-by: Mark Higham <[email protected]>
Co-authored-by: Ross Miller <[email protected]>
Co-authored-by: davecharles <[email protected]>

* Public client-side changes to allow for TRLST-536 - review type radio… (#106)

* Public client-side changes to allow for TRLST-536 - review type radio buttons appear when applying for a new investigation and selecting a Notice from the dropdown.

* black code reformat

* HTML reformatting

* Release 1 5 16 (#108)

* Release 1.5.6

* Update traitlets
* Black and flake8 checks
* Feature/trlst 171 func tests (#17)
* Display date when document was submitted to TRA (TRLST 160)
* Branding changes

* Bump version

* Bump version

* bump version to 1.5.7

* merge: release 1.5.8 branch into master

Release TR Public 1.5.8

* Hotfix/trlst 282 high sev vulnerabilities

hotfix: release for Django vulnerability
- Bumped django to 2.2.18

* merge: release 1.5.9 branch into master

Release TR Public 1.5.9

* TRLST-304 Dependabot alert

* Switch requirement generation to container

* Update requirements and add relevant folders to compose config

* hotfix: bump python runtime

Required to enable deployment of TRS rebranding:
- bump python runtime
- set circle CI node img to lts

* hotfix: bump deps to resolve vulnerabilities.

- Bumped django - CVE-2021-31542
- Bumped boto3, requests, urllib3 - CVE-2021-33503
- Bump service version

* LSGH-5  sec: bump django version to resolve vulnerability

* merge: release 1.5.10 branch into master

* hotfix: replace gulp SASS processing with django-sass-processor

* Restructured to allow SASS compilation to be comprehended more easily
* Removed gulp sass
* Bumped version for hotfix.
* Added compile SASS cmd to Procfile

* merge: release 1.5.11 branch into master

* Release 1.5.12

* fix: bump python runtime to 3.9.7.

* Release 1.5.13

* Release 1.5.14

* Release 1 5 15 (#104)

* Merge release 1.5.7 into develop (#30)

This merge into develop from the 1.5.7 release branch incorporates release branch fixes and master branch hot fixes:
* Update traitlets
* Rationalise Procfile triggered processes
* Branding changes
* Dependabot alert fixes
* Patch front end vulnerability
* bump version to 1.5.7

* fix: http error page templates (trlst-252)

Fixed 404/500 pages and add 400/403

* fix: TRLST_246 dependabot issues.

* feat: trlst-131 add ecs logging

Added logging per environment utilising ecs logger for json formatted log messages.

* feat: trlst-262 bump python to 3.9.2 

- Bumped python to 3.9.2
- Bumped Dockerfile python layer to 3.9.2
- Bumped PaaS runtime directive accordingly
- Due to 3.9 api changes bumped gevent to latest
- Bumped gunicorn accordingly
- pip-compile latest generates more readable txt output
  hence significant txt diffs.
- Bumped circleci python to 3.9.2
- Appease flake8 (method redefinition)

* feat: trlst-216 Allow removal of non-confidential files without a confidential version. (#36)

Normally a public user can only upload a confidential file, followed by the corresponding non-confidential version.
A user managed to upload an extra non-confidential file (possibly by uploading from two different windows).
The extra file stops him from completing the submission, but there is no provision to remove it.
Added an extra category when showing the uploaded file. The category lists the single non-confidential version and asks the user to remove it. The interface allows the user to download the file before deleting it.

* fix: trlst 259 issue post tasks

Investigating an issue under TRLST 259 found some non-critical issues in caseworker. This PR is a tidy up of the base settings file and the local.env.example file:
- Employed consistent use of django-environ.
- Removed environ.Env.read_env(). We use docker-compose for local development
and feed the container settings from a local.env file. In PaaS we pick up the
app's environment and do not deploy a '.env' file.
- Simplified REDIS URL definition and removed hard coding of database number.
- Removed 'TRUSTED_USER_TOKEN' setting, this is not used in the code base.
- Removed cruft comments.
- Pepified.

* feat: bump develop to 1.5.9~a0.

* fix: Django vulnerability

- Bumped django to 2.2.18

* fix: vulnerabilities

- Bumped ipython and pygments to resolve vulnerabilities.
  Note that iPython bump alone didn't bump pygments but
  updated anyway
- Ran npm audit fix to resolve yargs-parser vulnerability.
  Note that large diff is due to v2 of lockfile format.
- Had to perform some gulp wrangling to get build npm ci to succeed.
  I bumped my local npm to latest and looks like 
  longer hashes are now generated in the package lock file.

* fix: logging config.

Django logs were not being emitted in PaaS because gunicorn …
Bumps [pillow](https://github.com/python-pillow/Pillow) from 10.1.0 to 10.2.0.
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@10.1.0...10.2.0)

---
updated-dependencies:
- dependency-name: pillow
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
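Two of the hotfixes in the commit log above, TRLST-343 (prevent external redirection in the login flow) and TRLST-344 (cycle the session key on login, as `django.contrib.auth.login` does), are worth seeing side by side. The block below is an added illustration, not code from the TR public portal or from Django: it uses only the Python standard library so it runs anywhere, and the names `is_safe_redirect`, `SessionStore`, `login` and the host `portal.example` are assumptions for this example. The redirect check applies the same rules as Django's `django.utils.http.url_has_allowed_host_and_scheme` (called `is_safe_url` in the Django 2.2 series this project was on), and `cycle_key` does what `SessionBase.cycle_key()` does: the session data survives, the identifier does not.

```python
"""Login-flow hardening, as an added example (not the project's code).

Demonstrates the two checks behind the TRLST-343 / TRLST-344 hotfixes:
  * only follow a post-login `next` URL that stays on an allowed host, and
  * issue a fresh session key at login so a pre-authentication session id
    (planted or sniffed) cannot be ridden into the authenticated session.
Function, class and host names are hypothetical.
"""
import secrets
import unicodedata
from urllib.parse import urlsplit


def _allowed_host_and_scheme(url, allowed_hosts, require_https):
    # Three leading slashes are absolute to Chrome but not to urlsplit.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # 'http:///evil.example' has a scheme but no netloc; browsers still
    # treat evil.example as the host, so reject it.
    if parts.scheme and not parts.netloc:
        return False
    # Leading control characters are ignored by some browsers, which can
    # turn a "relative" path into a scheme-relative URL.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme = parts.scheme
    if not scheme and parts.netloc:  # '//other.example/x' means http(s)
        scheme = "http"
    valid = ("https",) if require_https else ("http", "https")
    return (not parts.netloc or parts.netloc in allowed_hosts) and (
        not scheme or scheme in valid
    )


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """True only if `url` is relative or points at one of `allowed_hosts`.

    Rejects scheme-relative URLs (//evil), non-http(s) schemes such as
    javascript:, and backslash tricks ('/\\evil.example'), which browsers
    read as '//evil.example'.
    """
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    if isinstance(allowed_hosts, str):
        allowed_hosts = {allowed_hosts}
    # A backslash may be part of a path, so check both spellings.
    return _allowed_host_and_scheme(url, allowed_hosts, require_https) and \
        _allowed_host_and_scheme(url.replace("\\", "/"), allowed_hosts, require_https)


class SessionStore:
    """Minimal server-side session store keyed by an opaque random id."""

    def __init__(self):
        self._data = {}

    def create(self):
        key = secrets.token_urlsafe(32)
        self._data[key] = {}
        return key

    def get(self, key):
        return self._data.get(key)

    def cycle_key(self, key):
        """Move the session's data under a new id and invalidate the old one.

        This is the session-fixation defence: whoever knew the pre-login id
        no longer holds a key to the authenticated session.
        """
        data = self._data.pop(key, {})
        new_key = secrets.token_urlsafe(32)
        self._data[new_key] = data
        return new_key


def login(store, session_key, user_id, next_url, allowed_hosts, default="/"):
    """Log the user in: cycle the session id, record the user, pick a safe redirect.

    Returns (new_session_key, redirect_target). An unsafe `next_url` falls
    back to `default` instead of sending the user off-site.
    """
    new_key = store.cycle_key(session_key)
    store.get(new_key)["user_id"] = user_id
    target = next_url if is_safe_redirect(next_url, allowed_hosts) else default
    return new_key, target


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()            # id handed out before authentication
    store.get(anon)["csrf"] = "tok"  # constructed pre-login session data
    print(login(store, anon, 7, "//evil.example/phish", {"portal.example"}))
```

In a Django view the equivalent is `request.session.cycle_key()` (done for you by `django.contrib.auth.login`) and `url_has_allowed_host_and_scheme(next_url, allowed_hosts={request.get_host()}, require_https=request.is_secure())` before issuing the redirect; the fallback on failure should be a fixed in-site URL, never the untrusted value.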
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jan 22, 2024
@dependabot dependabot bot changed the base branch from develop to master January 24, 2024 17:39
@dependabot dependabot bot force-pushed the dependabot/pip/pillow-10.2.0 branch from 3aca95a to aaf04f9 January 24, 2024 17:39

codecov-commenter commented Jan 25, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (00ab1bd) 43.54% compared to head (5fc58de) 43.54%.

@@           Coverage Diff           @@
##           master     #397   +/-   ##
=======================================
  Coverage   43.54%   43.54%           
=======================================
  Files          98       98           
  Lines        4960     4960           
  Branches      651      651           
=======================================
  Hits         2160     2160           
  Misses       2800     2800           


@osimuka osimuka merged commit ba572e5 into master Jan 26, 2024
3 checks passed
@osimuka osimuka deleted the dependabot/pip/pillow-10.2.0 branch January 26, 2024 15:26
Labels
dependencies Pull requests that update a dependency file
8 participants