Merge branch 'main' into dependabot/go_modules/google.golang.org/prot…

…obuf-1.33.0

.github/workflows/ci-workflow.yml

@@ -32,7 +32,7 @@ jobs:
         run: |
           make test
       - name: Archive code coverage results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: code-coverage-report
           path: ./test_results/latest/testcoverage.out
@@ -41,9 +41,12 @@ jobs:
     name: Sonarqube Quality Gate
     needs: build
     runs-on: self-hosted
+    env:
+      # Workaround until https://jira.cms.gov/browse/PLT-338 is implemented.
+      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: "true"
     steps:
       - name: Download code coverage
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
         with:
           name: code-coverage-report
       - name: Set env vars from AWS params

.github/workflows/dbdocs.yml

@@ -0,0 +1,27 @@
+# This workflow generates database documentation and ERD files.
+#
+name: Generate dbdocs
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/dbdocs.yml
+      - db/migrations
+
+jobs:
+  generate-docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Generate DB docs
+        run: make dbdocs
+
+      - uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
+        with:
+          add: dbdocs
+          message: "Generate dbdocs"
+          default_author: github_actions

.gitleaks.toml

@@ -0,0 +1,9 @@
+title = "DASG Standard"
+
+[extend]
+  useDefault = true
+
+[[rules]]
+  id = "mbi-detection"
+  description = "Detects a potential MBI pattern based on https://www.cms.gov/medicare/new-medicare-card/understanding-the-mbi.pdf"
+  regex = '''\b((?i)[1-9][ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]-?\d[ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]\d-?[ACDEFGHJKMNPQRTUVWXY]{2}\d{2})\b'''

.pre-commit-config.yaml

@@ -1,10 +1,10 @@
 repos:
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.16.1
+    rev: v8.19.2
     hooks:
       - id: gitleaks
   - repo: https://github.com/tekwizely/pre-commit-golang
-    rev: master
+    rev: v1.0.0-rc.1
     hooks:
       - id: go-imports
         args: ['-w']

Dockerfiles/Dockerfile.package

@@ -1,4 +1,4 @@
-FROM golang:1.19-alpine3.18
+FROM golang:1.21.12-alpine3.20
 
 ENV CGO_ENABLED=0
 

Dockerfiles/Dockerfile.ssas

@@ -1,18 +1,19 @@
-FROM golang:1.19-alpine3.18 AS documentation
+FROM golang:1.21.12-alpine3.20 AS documentation
 RUN apk update upgrade
-RUN apk add git build-base gcc
+RUN apk add git build-base gcc binutils-gold
 WORKDIR /go/src/github.com/CMSgov/bcda-ssas-app
 COPY . .
+ARG GO111MODULE=auto
 
 RUN dir=$(mktemp -d) && \
-    git clone -b v0.28.0 https://github.com/go-swagger/go-swagger "$dir" && \
+    git clone -b v0.31.0 https://github.com/go-swagger/go-swagger "$dir" && \
     cd "$dir" && \
     go install ./cmd/swagger
 
 WORKDIR /go/src/github.com/CMSgov/bcda-ssas-app/ssas/service/main
 RUN swagger generate spec -i ../../swaggerui/tags.yml -o ../../swaggerui/swagger.json -m
 
-FROM golang:1.19-alpine3.18 AS builder
+FROM golang:1.21.12-alpine3.20 AS builder
 ARG VERSION
 RUN apk update upgrade
 RUN apk add git
@@ -22,7 +23,7 @@ WORKDIR /go/src/github.com/CMSgov/bcda-ssas-app/ssas
 COPY --from=documentation /go/src/github.com/CMSgov/bcda-ssas-app/ssas/swaggerui ./swaggerui
 RUN go build -ldflags "-X github.com/CMSgov/bcda-ssas-app/ssas/constants.Version=$VERSION" -o ssas ./service/main
 
-FROM golang:1.19-alpine3.18
+FROM golang:1.21.12-alpine3.20
 RUN apk update upgrade
 RUN apk --no-cache add ca-certificates aws-cli curl
 WORKDIR /go/src/github.com/CMSgov/bcda-ssas-app

Dockerfiles/Dockerfile.tests

@@ -1,14 +1,14 @@
-FROM golang:1.19-alpine3.18
+FROM golang:1.21.12-alpine3.20
 
 RUN apk update upgrade
 
 RUN apk add bash build-base curl
 
 RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin
 
-RUN GO111MODULE=on go install github.com/xo/usql@v0.11.0
-RUN go install github.com/securego/gosec/v2/cmd/gosec@v2.12.0
-RUN go install gotest.tools/gotestsum@v1.8.1
+RUN GO111MODULE=on go install github.com/xo/usql@v0.17.5
+RUN go install github.com/securego/gosec/v2/cmd/gosec@v2.20.0
+RUN go install gotest.tools/gotestsum@v1.12.0
 RUN go install -tags 'postgres' github.com/golang-migrate/migrate/v4/cmd/[email protected]
 
 WORKDIR /go/src/github.com/CMSgov/bcda-ssas-app

Makefile

@@ -1,7 +1,7 @@
 package:
 	# This target should be executed by passing in an argument representing the version of the artifacts we are packaging
 	# For example: make package version=r1
-	docker-compose run --rm documentation swagger generate spec -i ../../swaggerui/tags.yml -o ../../swaggerui/swagger.json -m
+	docker compose run --rm documentation swagger generate spec -i ../../swaggerui/tags.yml -o ../../swaggerui/swagger.json -m
 	docker build -t packaging -f Dockerfiles/Dockerfile.package .
 	docker run --rm \
 	-e BCDA_GPG_RPM_PASSPHRASE='${BCDA_GPG_RPM_PASSPHRASE}' \
@@ -12,26 +12,28 @@ package:
 	-v ${PWD}:/go/src/github.com/CMSgov/bcda-ssas-app packaging $(version)
 
 lint:
-	docker-compose -f docker-compose.test.yml run --rm tests golangci-lint -e SA1029 --timeout 10m0s -v run ./...
-	docker-compose -f docker-compose.test.yml run --rm tests gosec ./...
+	docker compose -f docker-compose.test.yml run --rm tests golangci-lint -e SA1029 --timeout 10m0s -v run ./...
+	docker compose -f docker-compose.test.yml run --rm tests gosec ./...
 
 # The following vars are available to tests needing SSAS admin credentials; currently they are used in smoke-test-ssas, postman-ssas, and unit-test-ssas
 # Note that these variables should only be used for smoke tests, must be set before the api starts, and cannot be changed after the api starts
 SSAS_ADMIN_CLIENT_ID ?= 31e029ef-0e97-47f8-873c-0e8b7e7f99bf
-SSAS_ADMIN_CLIENT_SECRET := $(shell docker-compose run --rm ssas sh -c 'ssas --reset-secret --client-id=$(SSAS_ADMIN_CLIENT_ID)'|tail -n1)
+SSAS_ADMIN_CLIENT_SECRET := $(shell docker compose run --rm ssas sh -c 'ssas --reset-secret --client-id=$(SSAS_ADMIN_CLIENT_ID)'|tail -n1)
 
 smoke-test:
-	docker-compose -f docker-compose.test.yml run --rm postman_test test/postman_test/SSAS_Smoke_Test.postman_collection.json -e test/postman_test/local.postman_environment.json --global-var "token=$(token)" --global-var adminClientId=$(SSAS_ADMIN_CLIENT_ID) --global-var adminClientSecret=$(SSAS_ADMIN_CLIENT_SECRET) --global-var ssas_client_assertion_aud=$(SASS_CLIENT_ASSERTION_AUD)
+	docker compose -f docker-compose.test.yml run --rm postman_test test/postman_test/SSAS_Smoke_Test.postman_collection.json -e test/postman_test/local.postman_environment.json --global-var "token=$(token)" --global-var adminClientId=$(SSAS_ADMIN_CLIENT_ID) --global-var adminClientSecret=$(SSAS_ADMIN_CLIENT_SECRET) --global-var ssas_client_assertion_aud=$(SASS_CLIENT_ASSERTION_AUD)
 
 postman:
-	docker-compose -f docker-compose.test.yml run --rm postman_test test/postman_test/SSAS.postman_collection.json -e test/postman_test/local.postman_environment.json --global-var adminClientId=$(SSAS_ADMIN_CLIENT_ID) --global-var adminClientSecret=$(SSAS_ADMIN_CLIENT_SECRET) --global-var ssas_client_assertion_aud=$(SASS_CLIENT_ASSERTION_AUD)
+	docker compose -f docker-compose.test.yml run --rm postman_test test/postman_test/SSAS.postman_collection.json -e test/postman_test/local.postman_environment.json --global-var adminClientId=$(SSAS_ADMIN_CLIENT_ID) --global-var adminClientSecret=$(SSAS_ADMIN_CLIENT_SECRET) --global-var ssas_client_assertion_aud=$(SASS_CLIENT_ASSERTION_AUD)
 
 migrations-test:
-	docker-compose -f docker-compose.test.yml run --rm tests bash ops/migrations_test.sh
+	docker compose -f docker-compose.test.yml run --rm tests bash ops/migrations_test.sh
 
-unit-test:
-	docker-compose up -d db
-	docker-compose -f docker-compose.test.yml run --rm tests bash unit_test.sh
+start-db:
+	docker compose up -d db
+
+unit-test: start-db
+	docker compose -f docker-compose.test.yml run --rm tests bash unit_test.sh
 
 test:
 	$(MAKE) lint
@@ -41,17 +43,20 @@ test:
 	$(MAKE) migrations-test
 
 load-fixtures:
-	docker-compose -f docker-compose.migrate.yml run --rm migrate  -database "postgres://postgres:toor@db:5432/bcda?sslmode=disable" -path /go/src/github.com/CMSgov/bcda-ssas-app/db/migrations up
-	docker-compose -f docker-compose.yml run ssas sh -c 'ssas --add-fixture-data'
+	docker compose -f docker-compose.migrate.yml run --rm migrate  -database "postgres://postgres:toor@db:5432/bcda?sslmode=disable" -path /go/src/github.com/CMSgov/bcda-ssas-app/db/migrations up
+	docker compose -f docker-compose.yml run ssas sh -c 'ssas --add-fixture-data'
 
 docker-build:
-	docker-compose build --force-rm
-	docker-compose -f docker-compose.test.yml build --force-rm
+	docker compose build --force-rm
+	docker compose -f docker-compose.test.yml build --force-rm
 
 docker-bootstrap:
 	$(MAKE) docker-build
-	docker-compose up -d
+	docker compose up -d
 	sleep 40
 	$(MAKE) load-fixtures
 
-.PHONY: docker-build docker-bootstrap load-fixtures test package release smoke-test postman unit-test lint migrations-test
+dbdocs: start-db load-fixtures
+	docker run --rm -v $PWD:/work -w /work --network bcda-ssas-app_default ghcr.io/k1low/tbls doc --rm-dist "postgres://postgres:toor@db:5432/bcda?sslmode=disable" dbdocs/bcda
+
+.PHONY: docker-build docker-bootstrap load-fixtures test package release smoke-test postman unit-test lint migrations-test start-db dbdocs

README.md

@@ -104,7 +104,7 @@ The project uses [Go Modules](https://golang.org/ref/mod) allowing you to clone
 
 # Build
 
-Build all the code and containers with `make docker-bootstrap`. Alternatively, `docker-compose up ssas` will build and run the SSAS by itself. Note that SSAS needs the db container to be running as well.
+Build all the code and containers with `make docker-bootstrap`. Alternatively, `docker compose up ssas` will build and run the SSAS by itself. Note that SSAS needs the db container to be running as well.
 
 ## Bootstrapping CLI
 
@@ -129,7 +129,7 @@ one of these test suites, follow the instructions at the top of the test file.
 
 ### **Running Single / Single-file Unit Tests**
 
-This step assumes that the user has installed VSCode, the Go language extension available [here](https://marketplace.visualstudio.com/items?itemName=golang.Go), and has successfully imported test data to their local database. 
+This step assumes that the user has installed VSCode, the Go language extension available [here](https://marketplace.visualstudio.com/items?itemName=golang.Go), and has successfully imported test data to their local database.
 
 To run tests from within VSCode:
 In a FILENAME_test.go file, there will be a green arrow to the left of the method name, and clicking this arrow will run a single test locally. Tests should not be dependent upon other tests, but if a known-good test is failing, the user can run all tests in a given file by going to View -> Command Palette -> Go: Test Package, which will run all tests in a given file. Alternatively, in some instances, the init() method can be commented out to enable testing of single functions.
@@ -138,13 +138,13 @@ In a FILENAME_test.go file, there will be a green arrow to the left of the metho
 
 To run postman tests locally:
 
-Build and startup the required containers. Building with docker-compose up first will significantly improve the performance of the following steps.
+Build and startup the required containers. Building with docker compose up first will significantly improve the performance of the following steps.
 
 ```
-docker-compose up
-docker-compose stop
-docker-compose up -d db
-docker-compose up ssas
+docker compose up
+docker compose stop
+docker compose up -d db
+docker compose up ssas
 ```
 
 If this is the first time you've started the containers, set up your database tables and seed them with sample group and systems:
@@ -175,13 +175,13 @@ docker run --rm --network bcda-ssas-app_default -e PGPASSWORD=PASSHERE -it postg
 To reset a secret by client id (can be found in Makefile):
 
 ```
-docker-compose run --rm ssas sh -c 'ssas --reset-secret --client-id=[client_id]'
+docker compose run --rm ssas sh -c 'ssas --reset-secret --client-id=[client_id]'
 ```
 
 To list all active IPs from the connected database:
 
 ```
-docker-compose run --rm ssas sh -c 'ssas --list-ips'
+docker compose run --rm ssas sh -c 'ssas --list-ips'
 ```
 
 # Swagger Documentation
@@ -190,11 +190,11 @@ The admin server has Swagger documentation. To access:
 
 1. Make sure it's been built (the container will stop after a few seconds when the documentation is ready)
 
-   `docker-compose up documentation`
+   `docker compose up documentation`
 
 1. Make sure the `ssas` container is running
 
-   `docker-compose up ssas`
+   `docker compose up ssas`
 
 1. Access Swagger in your browser:
    http://localhost:3104/swagger

dbdocs/bcda/README.md

@@ -0,0 +1,23 @@
+# bcda
+
+## Tables
+
+| Name | Columns | Comment | Type |
+| ---- | ------- | ------- | ---- |
+| [public.schema_migrations](public.schema_migrations.md) | 2 |  | BASE TABLE |
+| [public.blacklist_entries](public.blacklist_entries.md) | 7 |  | BASE TABLE |
+| [public.encryption_keys](public.encryption_keys.md) | 7 |  | BASE TABLE |
+| [public.groups](public.groups.md) | 7 |  | BASE TABLE |
+| [public.secrets](public.secrets.md) | 6 |  | BASE TABLE |
+| [public.systems](public.systems.md) | 12 |  | BASE TABLE |
+| [public.ips](public.ips.md) | 6 |  | BASE TABLE |
+| [public.client_tokens](public.client_tokens.md) | 8 |  | BASE TABLE |
+| [public.root_keys](public.root_keys.md) | 8 |  | BASE TABLE |
+
+## Relations
+
+![er](schema.svg)
+
+---
+
+> Generated by [tbls](https://github.com/k1LoW/tbls)

dbdocs/bcda/public.blacklist_entries.md

@@ -0,0 +1,36 @@
+# public.blacklist_entries
+
+## Description
+
+## Columns
+
+| Name | Type | Default | Nullable | Children | Parents | Comment |
+| ---- | ---- | ------- | -------- | -------- | ------- | ------- |
+| id | integer | nextval('blacklist_entries_id_seq'::regclass) | false |  |  |  |
+| created_at | timestamp with time zone |  | true |  |  |  |
+| updated_at | timestamp with time zone |  | true |  |  |  |
+| deleted_at | timestamp with time zone |  | true |  |  |  |
+| key | text |  | false |  |  |  |
+| entry_date | bigint |  | false |  |  |  |
+| cache_expiration | bigint |  | false |  |  |  |
+
+## Constraints
+
+| Name | Type | Definition |
+| ---- | ---- | ---------- |
+| blacklist_entries_pkey | PRIMARY KEY | PRIMARY KEY (id) |
+
+## Indexes
+
+| Name | Definition |
+| ---- | ---------- |
+| blacklist_entries_pkey | CREATE UNIQUE INDEX blacklist_entries_pkey ON public.blacklist_entries USING btree (id) |
+| idx_blacklist_entries_deleted_at | CREATE INDEX idx_blacklist_entries_deleted_at ON public.blacklist_entries USING btree (deleted_at) |
+
+## Relations
+
+![er](public.blacklist_entries.svg)
+
+---
+
+> Generated by [tbls](https://github.com/k1LoW/tbls)