Merge pull request #3750 from GSA-TTS/main

.github/workflows/zap-scan.yml

@@ -21,7 +21,7 @@ jobs:
         uses: zaproxy/[email protected]
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          docker_name: 'owasp/zap2docker-stable'
+          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
           target: '${{ env.url }}'
           rules_file_name: 'zap.conf'
           allow_issue_writing: false

backend/audit/cross_validation/naming.py

@@ -15,11 +15,13 @@ class SectionBabelFish(NamedTuple):
     camel_case: str  # Mostly used in JSON Schemas.
     friendly: str  # The name we show to users.
     friendly_title: str  # The title on the submission progress page/form page.
-    reverse_url: str | None  # Django value for finding the actual URL.
+    reverse_url_for_file_upload: str | None  # Django value for finding the actual URL for upload.
+    reverse_url_for_file_deletion: str | None  # Django value for finding the actual URL for deletion.
     snake_case: str  # Mostly used for the field names in SingleAuditChecklist.
     url_tail: str | None  # Hyphenated version of snake_case, mostly.
     workbook_number: int | None  # Our upload ordering of workbooks.
     submission_event: str  # The event type we log to the SubmissionEvents table when this section is updated
+    deletion_event: str | None  # The event type we log to the SubmissionEvents table when this section is deleted
 
 
 SECTION_NAMES = {
@@ -28,132 +30,156 @@ class SectionBabelFish(NamedTuple):
         camel_case="AdditionalEINs",
         friendly="Additional EINs",
         friendly_title="Additional EINs",
-        reverse_url="report_submission:additional-eins",
+        reverse_url_for_file_upload="report_submission:additional-eins",
+        reverse_url_for_file_deletion="report_submission:delete-additional-eins",
         snake_case="additional_eins",
         url_tail="additional-eins",
         workbook_number=8,
         submission_event=SubmissionEvent.EventType.ADDITIONAL_EINS_UPDATED,
+        deletion_event=SubmissionEvent.EventType.ADDITIONAL_EINS_DELETED,
     ),
     "additional_ueis": SectionBabelFish(
         all_caps="ADDITIONAL_UEIS",
         camel_case="AdditionalUEIs",
         friendly="Additional UEIs",
         friendly_title="Additional UEIs",
-        reverse_url="report_submission:additional-ueis",
+        reverse_url_for_file_upload="report_submission:additional-ueis",
+        reverse_url_for_file_deletion="report_submission:delete-additional-ueis",
         snake_case="additional_ueis",
         url_tail="additional-ueis",
         workbook_number=6,
         submission_event=SubmissionEvent.EventType.ADDITIONAL_UEIS_UPDATED,
+        deletion_event=SubmissionEvent.EventType.ADDITIONAL_UEIS_DELETED,
     ),
     "audit_information": SectionBabelFish(
         all_caps="AUDIT_INFORMATION",
         camel_case="AuditInformation",
         friendly="Audit Information",
         friendly_title="Audit Information form",
-        reverse_url="audit:AuditInfoForm",
+        reverse_url_for_file_upload="audit:AuditInfoForm",
+        reverse_url_for_file_deletion=None,
         snake_case="audit_information",
         url_tail="audit-information",
         workbook_number=None,
         submission_event=SubmissionEvent.EventType.AUDIT_INFORMATION_UPDATED,
+        deletion_event=None,
     ),
     "corrective_action_plan": SectionBabelFish(
         all_caps="CORRECTIVE_ACTION_PLAN",
         camel_case="CorrectiveActionPlan",
         friendly="Corrective Action Plan",
         friendly_title="Corrective Action Plan",
         snake_case="corrective_action_plan",
-        reverse_url="report_submission:CAP",
+        reverse_url_for_file_upload="report_submission:CAP",
+        reverse_url_for_file_deletion="report_submission:delete-CAP",
         url_tail="cap",
         workbook_number=5,
         submission_event=SubmissionEvent.EventType.CORRECTIVE_ACTION_PLAN_UPDATED,
+        deletion_event=SubmissionEvent.EventType.CORRECTIVE_ACTION_PLAN_DELETED,
     ),
     "federal_awards": SectionBabelFish(
         all_caps="FEDERAL_AWARDS",
         camel_case="FederalAwards",
         friendly="Federal Awards",
         friendly_title="Federal Awards",
-        reverse_url="report_submission:federal-awards",
+        reverse_url_for_file_upload="report_submission:federal-awards",
+        reverse_url_for_file_deletion=None,
         snake_case="federal_awards",
         url_tail="federal-awards",
         workbook_number=1,
         submission_event=SubmissionEvent.EventType.FEDERAL_AWARDS_UPDATED,
+        deletion_event=None,
     ),
     "findings_text": SectionBabelFish(
         all_caps="FINDINGS_TEXT",
         camel_case="FindingsText",
         friendly="Federal Awards Audit Findings Text",
         friendly_title="Federal Awards Audit Findings Text",
-        reverse_url="report_submission:audit-findings-text",
+        reverse_url_for_file_upload="report_submission:audit-findings-text",
+        reverse_url_for_file_deletion="report_submission:delete-audit-findings-text",
         snake_case="findings_text",
         url_tail="audit-findings-text",
         workbook_number=4,
         submission_event=SubmissionEvent.EventType.FEDERAL_AWARDS_AUDIT_FINDINGS_TEXT_UPDATED,
+        deletion_event=SubmissionEvent.EventType.FEDERAL_AWARDS_AUDIT_FINDINGS_TEXT_DELETED,
     ),
     "findings_uniform_guidance": SectionBabelFish(
         all_caps="FINDINGS_UNIFORM_GUIDANCE",
         camel_case="FindingsUniformGuidance",
         friendly="Findings Uniform Guidance",
         friendly_title="Federal Awards Audit Findings",
-        reverse_url="report_submission:audit-findings",
+        reverse_url_for_file_upload="report_submission:audit-findings",
+        reverse_url_for_file_deletion="report_submission:delete-audit-findings",
         snake_case="findings_uniform_guidance",
         url_tail="audit-findings",
         workbook_number=3,
         submission_event=SubmissionEvent.EventType.FINDINGS_UNIFORM_GUIDANCE_UPDATED,
+        deletion_event=SubmissionEvent.EventType.FINDINGS_UNIFORM_GUIDANCE_DELETED,
     ),
     "general_information": SectionBabelFish(
         all_caps="GENERAL_INFORMATION",
         camel_case="GeneralInformation",
         friendly="General Information",
         friendly_title="General Information form",
-        reverse_url="report_submission:general_information",
+        reverse_url_for_file_upload="report_submission:general_information",
+        reverse_url_for_file_deletion=None,
         snake_case="general_information",
         url_tail="general-information",
         workbook_number=None,
         submission_event=SubmissionEvent.EventType.GENERAL_INFORMATION_UPDATED,
+        deletion_event=None,
     ),
     "notes_to_sefa": SectionBabelFish(
         all_caps="NOTES_TO_SEFA",
         camel_case="NotesToSefa",
         friendly="Notes to SEFA",
         friendly_title="Notes to SEFA",
-        reverse_url="report_submission:notes-to-sefa",
+        reverse_url_for_file_upload="report_submission:notes-to-sefa",
+        reverse_url_for_file_deletion=None,
         snake_case="notes_to_sefa",
         url_tail="notes-to-sefa",
         workbook_number=2,
         submission_event=SubmissionEvent.EventType.NOTES_TO_SEFA_UPDATED,
+        deletion_event=None,
     ),
     "single_audit_report": SectionBabelFish(
         all_caps="SINGLE_AUDIT_REPORT",
         camel_case="SingleAuditReport",
         friendly="Single Audit Report",
         friendly_title="Audit report PDF",
-        reverse_url="audit:UploadReport",
+        reverse_url_for_file_upload="audit:UploadReport",
+        reverse_url_for_file_deletion=None,
         snake_case="single_audit_report",
         url_tail="upload-report",
         workbook_number=None,
         submission_event=SubmissionEvent.EventType.AUDIT_REPORT_PDF_UPDATED,
+        deletion_event=None,
     ),
     "secondary_auditors": SectionBabelFish(
         all_caps="SECONDARY_AUDITORS",
         camel_case="SecondaryAuditors",
         friendly="Secondary Auditors",
         friendly_title="Secondary Auditors",
-        reverse_url="report_submission:secondary-auditors",
+        reverse_url_for_file_upload="report_submission:secondary-auditors",
+        reverse_url_for_file_deletion="report_submission:delete-secondary-auditors",
         snake_case="secondary_auditors",
         url_tail="secondary-auditors",
         workbook_number=7,
         submission_event=SubmissionEvent.EventType.SECONDARY_AUDITORS_UPDATED,
+        deletion_event=SubmissionEvent.EventType.SECONDARY_AUDITORS_DELETED,
     ),
     "tribal_data_consent": SectionBabelFish(
         all_caps="TRIBAL_DATA_CONSENT",
         camel_case="TribalDataConsent",
         friendly="Tribal Data Sharing Consent",
         friendly_title="Tribal Data Sharing Consent form",
-        reverse_url=None,
+        reverse_url_for_file_upload=None,
+        reverse_url_for_file_deletion=None,
         snake_case="tribal_data_consent",
         url_tail=None,
         workbook_number=None,
         submission_event=SubmissionEvent.EventType.TRIBAL_CONSENT_UPDATED,
+        deletion_event=None,
     ),
 }
 

backend/audit/cross_validation/submission_progress_check.py

@@ -114,39 +114,69 @@ def get_num_findings(award):
     if key == "general_information":
         return general_information_progress_check(progress, general_info, sac)
 
-    # If it's not required, it's inactive:
+    # It's not required:
     if not conditions[key]:
+        # If it's not required but has been completed, it remains active so user can remove the worksheet:
+        if sections.get(key):
+            completed_by, completed_date = section_completed_metadata(sac, key)
+            if completed_by or completed_date:
+                return construct_progress_metadata(
+                    key, progress, completed_by, completed_date
+                )
+        # If it's not required and has not been completed, it's inactive.
         return {key: progress | {"display": "inactive"}}
 
     # If it is required, it should be present
     if sections.get(key):
         completed_by, completed_date = section_completed_metadata(sac, key)
-
-        return {
-            key: progress
-            | {
-                "display": "complete",
-                "completed": True,
-                "completed_by": completed_by,
-                "completed_date": completed_date,
-            }
-        }
+        return construct_progress_metadata(key, progress, completed_by, completed_date)
 
     return {key: progress | {"display": "incomplete", "completed": False}}
 
 
+def construct_progress_metadata(key, progress, completed_by, completed_date):
+    return {
+        key: progress
+        | {
+            "display": "complete",
+            "completed": True,
+            "completed_by": completed_by,
+            "completed_date": completed_date,
+        }
+    }
+
+
 def section_completed_metadata(sac, section_key):
     try:
         section = find_section_by_name(section_key)
         event_type = section.submission_event
-
         report_id = sac["sf_sac_meta"]["report_id"]
-        event = SubmissionEvent.objects.filter(
-            sac__report_id=report_id, event=event_type
-        ).latest("timestamp")
+        try:
+            submission_event = SubmissionEvent.objects.filter(
+                sac__report_id=report_id, event=event_type
+            ).latest("timestamp")
+        except SubmissionEvent.DoesNotExist:
+            submission_event = None
+        try:
+            deletion_event = SubmissionEvent.objects.filter(
+                sac__report_id=report_id, event=section.deletion_event
+            ).latest("timestamp")
+        except SubmissionEvent.DoesNotExist:
+            deletion_event = None
+        if deletion_event and (
+            not submission_event
+            or deletion_event.timestamp > submission_event.timestamp
+        ):
+            # If the deletion event is more recent than the submission event, the section is not complete.
+            return None, None
+
+        if submission_event:
+            return submission_event.user.email, submission_event.timestamp
+
+        # If there is no submission event, the section is not complete.
+        return None, None
 
-        return event.user.email, event.timestamp
-    except SubmissionEvent.DoesNotExist:
+    except Exception:
         return None, None
 
 

backend/audit/migrations/0008_alter_submissionevent_event.py

@@ -0,0 +1,78 @@
+# Generated by Django 5.0.2 on 2024-04-17 11:51
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("audit", "0007_alter_deletedaccess_options_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="submissionevent",
+            name="event",
+            field=models.CharField(
+                choices=[
+                    ("access-granted", "Access granted"),
+                    ("additional-eins-updated", "Additional EINs updated"),
+                    ("additional-eins-deleted", "Additional EINs deleted"),
+                    ("additional-ueis-updated", "Additional UEIs updated"),
+                    ("additional-ueis-deleted", "Additional UEIs deleted"),
+                    ("audit-information-updated", "Audit information updated"),
+                    ("audit-report-pdf-updated", "Audit report PDF updated"),
+                    (
+                        "auditee-certification-completed",
+                        "Auditee certification completed",
+                    ),
+                    (
+                        "auditor-certification-completed",
+                        "Auditor certification completed",
+                    ),
+                    (
+                        "corrective-action-plan-updated",
+                        "Corrective action plan updated",
+                    ),
+                    (
+                        "corrective-action-plan-deleted",
+                        "Corrective action plan deleted",
+                    ),
+                    ("created", "Created"),
+                    ("federal-awards-updated", "Federal awards updated"),
+                    (
+                        "federal-awards-audit-findings-updated",
+                        "Federal awards audit findings updated",
+                    ),
+                    (
+                        "federal-awards-audit-findings-deleted",
+                        "Federal awards audit findings deleted",
+                    ),
+                    (
+                        "federal-awards-audit-findings-text-updated",
+                        "Federal awards audit findings text updated",
+                    ),
+                    (
+                        "federal-awards-audit-findings-text-deleted",
+                        "Federal awards audit findings text deleted",
+                    ),
+                    (
+                        "findings-uniform-guidance-updated",
+                        "Findings uniform guidance updated",
+                    ),
+                    (
+                        "findings-uniform-guidance-deleted",
+                        "Findings uniform guidance deleted",
+                    ),
+                    ("general-information-updated", "General information updated"),
+                    ("locked-for-certification", "Locked for certification"),
+                    ("unlocked-after-certification", "Unlocked after certification"),
+                    ("notes-to-sefa-updated", "Notes to SEFA updated"),
+                    ("secondary-auditors-updated", "Secondary auditors updated"),
+                    ("secondary-auditors-deleted", "Secondary auditors deleted"),
+                    ("submitted", "Submitted to the FAC for processing"),
+                    ("disseminated", "Copied to dissemination tables"),
+                    ("tribal-consent-updated", "Tribal audit consent updated"),
+                ]
+            ),
+        ),
+    ]