Merge branch 'main' into 211-xtoolmap

.github/workflows/.deploy.yml

@@ -36,6 +36,7 @@ jobs:
           parameters:
             -p NAME_SUFFIX=${{ inputs.target }}
             -p POSTGRESQL_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}
+            -p POSTGRESQL_USER=${{ secrets.POSTGRES_USER }}
             -p FDW_DATABASE_PASSWORD=${{ secrets.FDW_DATABASE_PASSWORD }}
             -p DJANGO_ADMIN_PASSWORD=${{ secrets.DJANGO_ADMIN_PASSWORD }}
             -p DJANGO_ADMIN_URL=${{ secrets.DJANGO_ADMIN_URL }}

.github/workflows/analysis.yml

@@ -62,7 +62,7 @@ jobs:
     name: Trivy Security Scan
     if: ${{ ! github.event.pull_request.draft }}
     runs-on: ubuntu-latest
-    timeout-minutes: 1
+    timeout-minutes: 5
     steps:
       - uses: actions/checkout@v4
       - name: Run Trivy vulnerability scanner in repo mode
@@ -87,7 +87,7 @@ jobs:
     if: always()
     runs-on: ubuntu-latest
     steps:
-      - if: contains(needs.*.result, 'failure')
+      - if: contains(needs.*.result, 'failure')||contains(needs.*.result, 'canceled')
         run: echo "At least one job has failed." && exit 1
       - run: echo "Success!"
 

.github/workflows/merge.yml

@@ -43,35 +43,27 @@ jobs:
       tag: ${{ needs.init.outputs.pr }}
       target: test
 
-  # deploy-prod:
-  #   name: Deploy (prod)
-  #   needs: [deploy-test, vars]
-  #   uses: bcgov/quickstart-openshift-helpers/.github/workflows/[email protected]
-  #   secrets:
-  #     oc_namespace: ${{ secrets.OC_NAMESPACE }}
-  #     oc_token: ${{ secrets.OC_TOKEN }}
-  #   with:
-  #     environment: prod
-  #     params:
-  #       --set backend.deploymentStrategy=RollingUpdate
-  #       --set frontend.deploymentStrategy=RollingUpdate
-  #       --set global.autoscaling=true
-  #       --set frontend.pdb.enabled=true
-  #       --set backend.pdb.enabled=true
-  # promote:
-  #   name: Promote Images
-  #   needs: [deploy-prod, vars]
-  #   runs-on: ubuntu-latest
-  #   permissions:
-  #     packages: write
-  #   strategy:
-  #     matrix:
-  #       package: [migrations, backend, frontend]
-  #   timeout-minutes: 1
-  #   steps:
-  #     - uses: shrink/actions-docker-registry-tag@v4
-  #       with:
-  #         registry: ghcr.io
-  #         repository: ${{ github.repository }}/${{ matrix.package }}
-  #         target: ${{ needs.vars.outputs.pr }}
-  #         tags: prod
+  deploys-prod:
+    name: Deploy (prod)
+    needs: [init, deploys-test]
+    secrets: inherit
+    uses: ./.github/workflows/.deploy.yml
+    with:
+      environment: prod
+      tag: ${{ needs.init.outputs.pr }}
+      target: prod
+
+  promote:
+    name: Promote Images
+    needs: [init, deploys-prod]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        package: [minio, database, backend, frontend]
+    steps:
+      - uses: shrink/actions-docker-registry-tag@v4
+        with:
+          registry: ghcr.io
+          repository: ${{ github.repository }}/${{ matrix.package }}
+          target: ${{ needs.vars.outputs.pr }}
+          tags: prod

backend/aquifers/views_v2.py

@@ -40,7 +40,10 @@
     AQUIFER_CHUNK_SIZE,
     GeoJSONIterator
 )
-from gwells.roles import AQUIFERS_EDIT_ROLE
+from gwells.roles import (
+  AQUIFERS_EDIT_ROLE,
+  AQUIFERS_VIEWER_ROLE
+)
 from aquifers import serializers, serializers_v2
 from aquifers.models import Aquifer
 from wells.models import Well, AquiferParameters
@@ -89,6 +92,13 @@ def get_queryset(self):
             qs = qs.filter(effective_date__lte=now, expiry_date__gt=now)
         return qs
 
+    def get(self, request, *args, **kwargs):
+        """ Removes notes field for users without the aquifer view role """
+        response = super().get(self, request, *args, **kwargs)
+        if not request.user.groups.filter(name=AQUIFERS_VIEWER_ROLE).exists():
+            response.data.pop('notes', None)
+        return response
+
 
 def _aquifer_qs(request):
     """

backend/gwells/roles.py

@@ -43,8 +43,11 @@
 # Surveys
 SURVEYS_EDIT_ROLE = 'surveys_edit'
 
+# IDIR
+IDIR_ROLE = 'idir'
+
 # These roles are excluded, as they cannot be mapped to any particular useful groups.
-EXCLUDE = ('idir', 'offline_access', 'admin', 'uma_authorization', 'gwells_admin')
+EXCLUDE = ('offline_access', 'admin', 'uma_authorization', 'gwells_admin')
 
 
 def roles_to_groups(user, roles: Tuple[str] = None):

backend/gwells/tests/test_roles.py

@@ -1,6 +1,5 @@
 from django.core.management import call_command
 from django.test import TestCase
-from django.utils.six import StringIO
 from gwells.roles import (
     roles_to_groups,
     REGISTRIES_EDIT_ROLE,

backend/openshift.deploy.yml

@@ -474,7 +474,7 @@ objects:
 - kind: Service
   apiVersion: v1
   metadata:
-    name: gwells-${NAME_SUFFIX}-backend
+    name: nr-gwells-${NAME_SUFFIX}-backend
     creationTimestamp: 
     labels:
       app: nr-gwells-${NAME_SUFFIX}
@@ -488,29 +488,29 @@ objects:
       port: 8000
       targetPort: 8000
     selector:
-      name: gwells-${NAME_SUFFIX}-backend
+      name: nr-gwells-${NAME_SUFFIX}-backend
     type: ClusterIP
     sessionAffinity: None
-- kind: Route
-  apiVersion: v1
-  metadata:
-    name: gwells-${NAME_SUFFIX}-backend
-    creationTimestamp: 
-    labels:
-      frontend: 'true'
-      app: nr-gwells-${NAME_SUFFIX}
-      appver: gwells-${NAME_SUFFIX}-backend
-    annotations: {}
-  spec:
-    host: "${HOST}"
-    path: "/gwells"
-    to:
-      kind: Service
-      name: gwells-${NAME_SUFFIX}-backend
-      weight: 100
-    port:
-      targetPort: web
-    tls:
-      insecureEdgeTerminationPolicy: Redirect
-      termination: edge
-    wildcardPolicy: None
+# - kind: Route
+#   apiVersion: v1
+#   metadata:
+#     name: nr-gwells-${NAME_SUFFIX}-backend
+#     creationTimestamp: 
+#     labels:
+#       frontend: 'true'
+#       app: nr-gwells-${NAME_SUFFIX}
+#       appver: gwells-${NAME_SUFFIX}-backend
+#     annotations: {}
+#   spec:
+#     host: nr-gwells-${NAME_SUFFIX}-backend.apps.silver.devops.gov.bc.ca
+#     path: "/gwells"
+#     to:
+#       kind: Service
+#       name: nr-gwells-${NAME_SUFFIX}-backend
+#       weight: 100
+#     port:
+#       targetPort: web
+#     tls:
+#       insecureEdgeTerminationPolicy: Redirect
+#       termination: edge
+#     wildcardPolicy: None

backend/registries/tests.py

@@ -19,7 +19,6 @@
 
 from django.test import TestCase
 from django.core.management import call_command
-from django.utils.six import StringIO
 from django.contrib.auth.models import User, Group
 from django.contrib.gis.geos import GEOSGeometry
 

backend/wells/fixtures/well_detail_fixture.json

@@ -9,13 +9,24 @@
    "pk": "BC"},
 
   {"model": "wells.wellclasscode",
-   "fields": {"create_user": "",
+   "fields": {
+    "create_user": "",
               "description": "",
               "create_date": "2018-02-08T17:22:21.892Z",
               "display_order": 1,
               "update_date": "2018-02-08T17:22:21.893Z",
-              "update_user":""},
-   "pk": "WCC"},
+              "update_user":""
+  },
+   "pk": "WCC"
+  },
+  {
+    "model": "wells.wellorientationcode",
+    "pk": 1,
+    "fields": {
+      "display_order": 1,
+      "well_orientation_code": "HORIZONTAL"
+    }
+  },
 
   {"model": "wells.well",
    "pk": 123,
@@ -47,7 +58,7 @@
               "alternative_specs_submitted": false,
               "screen_type": null,
               "well_subclass": null,
-              "well_orientation_status": "horizontal",
+              "well_orientation_status": "HORIZONTAL",
               "owner_postal_code": "",
               "other_screen_material": "",
               "legal_township": "",

backend/wells/permissions.py

@@ -12,7 +12,7 @@
     limitations under the License.
 """
 from rest_framework.permissions import BasePermission, SAFE_METHODS
-from gwells.roles import WELLS_VIEWER_ROLE, WELLS_EDIT_ROLE, WELLS_SUBMISSION_ROLE, WELLS_SUBMISSION_VIEWER_ROLE
+from gwells.roles import WELLS_VIEWER_ROLE, WELLS_EDIT_ROLE, WELLS_SUBMISSION_ROLE, WELLS_SUBMISSION_VIEWER_ROLE, IDIR_ROLE
 
 
 class WellsEditOrReadOnly(BasePermission):
@@ -26,6 +26,17 @@ def has_permission(self, request, view):
         result = has_edit or request.method in SAFE_METHODS
         return result
 
+class WellsIDIREditOrReadOnly(BasePermission):
+    """
+    Allows read access to all IDIR users and write access to those with edit rights.
+    """
+    def has_permission(self, request, view):
+        has_edit = request.user and request.user.is_authenticated and request.user.groups.filter(
+            name=WELLS_EDIT_ROLE).exists()
+        result = (has_edit or request.method in SAFE_METHODS) and request.user.groups.filter(
+            name=IDIR_ROLE).exists()
+        return result
+
 
 class WellsDocumentViewPermissions(BasePermission):
     """

backend/wells/tests/test_signals.py

@@ -1,7 +1,8 @@
 from django.test import TestCase
 from django.contrib.gis.geos import Point
 from wells.models import Well
-from wells.signals import update_utm
+from wells.signals import update_utm, _get_utm_zone, _generate_utm_point
+from osgeo import ogr
 
 class TestSignals(TestCase):
     def test_get_utm_zone(self):

backend/wells/tests/test_wells.py

@@ -125,7 +125,7 @@ def test_well_history_after_geom_update(self):
 
 class TestWellDetailAuthenticated(APITestCase):
     # Tbh, I don't know if all of these fixtures are necessary but I don't feel like tracing through the code to find out
-    fixtures = ['gwells-codetables', 'wellsearch-codetables', 'wellsearch', 'registries', 'registries-codetables', 'well_detail_fixture']
+    fixtures = ['gwells-codetables', 'wellsearch-codetables', 'wellsearch', 'registries', 'registries-codetables', 'well_detail_fixture', 'aquifers']
 
     def setUp(self):
         roles = [WELLS_VIEWER_ROLE]
@@ -138,15 +138,15 @@ def setUp(self):
         self.client.force_authenticate(user)
 
     def test_well_detail_authenticated(self):
-        url = reverse('well-detail', kwargs={'well_id': 123, 'version': 'v1'})
+        url = reverse('well-detail', kwargs={'well_tag_number': 123, 'version': 'v1'})
         response = self.client.get(url)
         self.assertTrue('internal_comments' in response.data)
 
 class TestWellDetailUnauthenticated(APITestCase):
     # Same comment as above
-    fixtures = ['gwells-codetables', 'wellsearch-codetables', 'wellsearch', 'registries', 'registries-codetables', 'well_detail_fixture']
+    fixtures = ['gwells-codetables', 'wellsearch-codetables', 'wellsearch', 'registries', 'registries-codetables', 'well_detail_fixture', 'aquifers']
 
     def test_well_detail_unauthenticated(self):
-        url = reverse('well-detail', kwargs={'well_id': 123, 'version': 'v1'})
+        url = reverse('well-detail', kwargs={'well_tag_number': 123, 'version': 'v1'})
         response = self.client.get(url)
         self.assertFalse('internal_comments' in response.data)

backend/wells/urls.py

@@ -37,9 +37,9 @@
         never_cache(views_v2.WellAquiferListV2APIView.as_view()), name='well-aquifers'),
 
     # Well
-    url(r'api/v1/wells/(?P<well_tag_number>[0-9]+)$',
+    url(api_path_prefix() + r'/wells/(?P<well_tag_number>[0-9]+)$',
         never_cache(views.WellDetail.as_view()), name='well-detail'),
-    url(r'api/v2/wells/(?P<well_tag_number>[0-9]+)$',
+    url(api_path_prefix() + r'/wells/(?P<well_tag_number>[0-9]+)$',
         never_cache(views_v2.WellDetail.as_view()), name='well-detail'),
 
     # Well tag search

backend/wells/views_v2.py

@@ -54,7 +54,7 @@
     CrossReferencingSerializer,
     RecordComplianceSerializer
 )
-from wells.permissions import WellsEditOrReadOnly
+from wells.permissions import WellsEditOrReadOnly, WellsIDIREditOrReadOnly
 from wells.renderers import WellListCSVRenderer, WellListExcelRenderer
 
 from aquifers.models import (
@@ -593,7 +593,7 @@ class MislocatedWellsListView(ListAPIView):
     serializer_class = MislocatedWellsSerializer
 
     swagger_schema = None
-    permission_classes = (WellsEditOrReadOnly,)
+    permission_classes = (WellsIDIREditOrReadOnly,)
     model = Well
     pagination_class = APILimitOffsetPagination
 
@@ -617,7 +617,7 @@ class RecordComplianceListView(ListAPIView):
     serializer_class = RecordComplianceSerializer
 
     swagger_schema = None
-    permission_classes = (WellsEditOrReadOnly,)
+    permission_classes = (WellsIDIREditOrReadOnly,)
     model = Well
     pagination_class = APILimitOffsetPagination
 
@@ -636,7 +636,7 @@ class CrossReferencingListView(ListAPIView):
     serializer_class = CrossReferencingSerializer
 
     swagger_schema = None
-    permission_classes = (WellsEditOrReadOnly,)
+    permission_classes = (WellsIDIREditOrReadOnly,)
     model = Well
     pagination_class = APILimitOffsetPagination
 
@@ -657,6 +657,7 @@ def get_queryset(self):
 # Download Views for QaQc
 
 class MislocatedWellsDownloadView(WellExportListAPIViewV2):
+    permission_classes = (WellsIDIREditOrReadOnly,)
     filter_backends = (WellListOrderingFilter, WellQaQcFilterBackend, filters.SearchFilter)
 
     def get_queryset(self):
@@ -667,6 +668,7 @@ def get_serializer_class(self):
 
 
 class RecordComplianceDownloadView(WellExportListAPIViewV2):
+    permission_classes = (WellsIDIREditOrReadOnly,)
     filter_backends = (WellListOrderingFilter, WellQaQcFilterBackend, filters.SearchFilter)
 
     def get_queryset(self):
@@ -677,6 +679,7 @@ def get_serializer_class(self):
 
 
 class CrossReferencingDownloadView(WellExportListAPIViewV2):
+    permission_classes = (WellsIDIREditOrReadOnly,)
     filter_backends = (WellListOrderingFilter, WellQaQcFilterBackend, filters.SearchFilter)
 
     def get_queryset(self):

common/openshift.init.yml

@@ -111,7 +111,7 @@ objects:
     kind: Secret
     metadata:
       creationTimestamp:
-      name: crunchy-db-credentials
+      name: crunchy-db-credentials-${NAME_SUFFIX}
       labels:
         app: nr-gwells-${NAME_SUFFIX}
     stringData: