diff --git a/.github/workflows/deploy-sandbox.yaml b/.github/workflows/deploy-sandbox.yaml
index 8439254fd..e7e38856b 100644
--- a/.github/workflows/deploy-sandbox.yaml
+++ b/.github/workflows/deploy-sandbox.yaml
@@ -1,15 +1,22 @@
# This workflow runs on pushes when a pull request is opened under certain branch conventions.
name: Build and deploy developer sandbox
-run-name: Build and deploy developer sandbox for branch ${{ github.ref_name }}
+run-name: Build and deploy developer sandbox for branch ${{ github.head_ref }}
on:
pull_request:
- paths-ignore:
- - 'docs/**'
jobs:
variables:
+ if: |
+ startsWith(github.head_ref, 'ik/')
+ || startsWith(github.head_ref, 'jon')
+ || startsWith(github.head_ref, 'sspj/')
+ || startsWith(github.head_ref, 'mr/')
+ || startsWith(github.head_ref, 'nmb/')
+ || startsWith(github.head_ref, 'ab/')
+ || startsWith(github.head_ref, 'bl/')
+ || startsWith(github.head_ref, 'rjm/')
outputs:
environment: ${{ steps.var.outputs.environment}}
runs-on: "ubuntu-latest"
@@ -21,14 +28,6 @@ jobs:
script: |
core.setOutput('environment', '${{ github.head_ref }}'.split("/")[0]);
deploy:
- if: |
- ${{startsWith(github.head_ref, 'ik/')
- || startsWith(github.head_ref, 'jon')
- || startsWith(github.head_ref, 'sspj/')
- || startsWith(github.head_ref, 'mr/')
- || startsWith(github.head_ref, 'nmb/')
- || startsWith(github.head_ref, 'lmm/')
- }}
runs-on: ubuntu-latest
needs: [variables]
steps:
diff --git a/.github/workflows/migrate.yaml b/.github/workflows/migrate.yaml
index 31e889ddf..820c219fd 100644
--- a/.github/workflows/migrate.yaml
+++ b/.github/workflows/migrate.yaml
@@ -14,8 +14,10 @@ on:
description: Which environment should we run migrations for?
options:
- stable
+ - ab
+ - bl
+ - rjm
- jon
- - lmm
- ik
- sspj
- nmb
diff --git a/.github/workflows/reset-db.yaml b/.github/workflows/reset-db.yaml
index bdb1cd95d..69fda8bff 100644
--- a/.github/workflows/reset-db.yaml
+++ b/.github/workflows/reset-db.yaml
@@ -15,8 +15,10 @@ on:
description: Which environment should we flush and re-load data for?
options:
- stable
+ - ab
+ - bl
+ - rjm
- jon
- - lmm
- ik
- sspj
- nmb
diff --git a/.github/workflows/security-check.yaml b/.github/workflows/security-check.yaml
index bd41e7966..01cd9c71d 100644
--- a/.github/workflows/security-check.yaml
+++ b/.github/workflows/security-check.yaml
@@ -24,6 +24,12 @@ jobs:
DJANGO_SECRET_KEY: not-a-secret-jw7kQcb35fcDRIKp7K4fqZBmVvb+Sy4nkAGf44DxHi6EJl
DATABASE_URL: "postgres://not_a_user:not_a_password@not_a_host"
DJANGO_BASE_URL: "https://not_a_host"
+ REGISTRY_CL_ID: nothing
+ REGISTRY_PASSWORD: nothing
+ REGISTRY_CERT: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNMekNDQWRXZ0F3SUJBZ0lVWThXWEljcFVlVUk0TVUrU3NWbkIrOGErOUlnd0NnWUlLb1pJemowRUF3SXcKYlRFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ01Ba1JETVJNd0VRWURWUVFIREFwWFlYTm9hVzVuZEc5dQpNUXd3Q2dZRFZRUUtEQU5IVTBFeEREQUtCZ05WQkFzTUF6RTRSakVnTUI0R0ExVUVBd3dYUjA5V0lGQnliM1J2CmRIbHdaU0JTWldkcGMzUnlZWEl3SGhjTk1qTXdOREl4TVRVMU5ETTFXaGNOTWpRd05ESXdNVFUxTkRNMVdqQnQKTVFzd0NRWURWUVFHRXdKVlV6RUxNQWtHQTFVRUNBd0NSRU14RXpBUkJnTlZCQWNNQ2xkaGMyaHBibWQwYjI0eApEREFLQmdOVkJBb01BMGRUUVRFTU1Bb0dBMVVFQ3d3RE1UaEdNU0F3SGdZRFZRUUREQmRIVDFZZ1VISnZkRzkwCmVYQmxJRkpsWjJsemRISmhjakJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCRkN4bGVsN1ZoWHkKb1ZIRWY2N3FKamo5UDk0ZWdqdXNtSWVaNFRLYkxkM3RRRVgzZnFKdVk4WmZzWWN4N0s1K0NEdnJLMnZRdjlMYgpmamhMTjZad3FqK2pVekJSTUIwR0ExVWREZ1FXQkJRUEZCRHdnSlhOUXE4a1V0K1hyYzFFWm9wbW9UQWZCZ05WCkhTTUVHREFXZ0JRUEZCRHdnSlhOUXE4a1V0K1hyYzFFWm9wbW9UQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01Bb0cKQ0NxR1NNNDlCQU1DQTBnQU1FVUNJRVJEaml0VGR0UTB3eVNXb1hEbCtYbUpVUmdENUo0VHVudkFGeDlDSitCUwpBaUVBME42eTJoeGdFWkYxRXJGYW1VQW5EUHlQSFlJeFNJQkwwNW5ibE9IZFVLRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+ REGISTRY_KEY: LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLQpNSUhzTUZjR0NTcUdTSWIzRFFFRkRUQktNQ2tHQ1NxR1NJYjNEUUVGRERBY0JBakJYK1UvdUFkQ3hBSUNDQUF3CkRBWUlLb1pJaHZjTkFna0ZBREFkQmdsZ2hrZ0JaUU1FQVNvRUVHWTNnblRGZ3F0UE5sVU93a2hvSHFrRWdaQlAKMG5FMWpSRXliTHBDNHFtaGczRXdaR2lXZDFWV2RLVEtyNXF3d3hsdjhCbHB1UHhtRGN4dTA1U3VReWhMcU5hWgpVNjRoZlFyYy94cnRnT3Mwc0ZXenlhY0hEaFhiQUdTQjdTTjc2WG55NU9wWDVZVGtRTFMvRTk4YmxFY3NQUWVuCkNqNTJnQzVPZ0JtYzl1cjZlbWY2bjd6TE5vUWovSzk4MEdIWjg5OVZHQ1J3OHhGZGIyb3IyU3dMcDd0V1Ixcz0KLS0tLS1FTkQgRU5DUllQVEVEIFBSSVZBVEUgS0VZLS0tLS0K
+ REGISTRY_KEY_PASSPHRASE: fake
+ REGISTRY_HOSTNAME: localhost
steps:
- name: Check out
diff --git a/docs/operations/runbooks/rotate_application_secrets.md b/docs/operations/runbooks/rotate_application_secrets.md
index dd0d367fc..456baf61d 100644
--- a/docs/operations/runbooks/rotate_application_secrets.md
+++ b/docs/operations/runbooks/rotate_application_secrets.md
@@ -65,3 +65,40 @@ You also need to upload the `public.crt` key if recently created to the login.go
To access the AWS Simple Email Service, we need credentials from the CISA AWS
account for an IAM user who has limited access to only SES. Those credentials
need to be specified in the environment.
+
+## REGISTRY_CL_ID and REGISTRY_PASSWORD
+
+These are the login credentials for accessing the registry.
+
+## REGISTRY_CERT and REGISTRY_KEY and REGISTRY_KEY_PASSPHRASE
+
+These are the client certificate and its private key used to identify the registrar to the registry during the establishment of a TCP connection.
+
+The private key is protected by a passphrase for safer transport and storage.
+
+These were generated with:
+
+```bash
+openssl genpkey -out client.key \
+ -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
+ -aes-256-cbc
+openssl req -new -x509 -days 365 \
+ -key client.key -out client.crt \
+ -subj "/C=US/ST=DC/L=Washington/O=GSA/OU=18F/CN=GOV Prototype Registrar"
+
+```
+
+(If you can't use openssl on your computer directly, you can access it using Docker as `docker run --platform=linux/amd64 -it --rm -v $(pwd):/apps -w /apps alpine/openssl`.)
+
+Encode them using:
+
+```bash
+base64 client.key
+base64 client.crt
+```
+
+You'll need to give the new certificate to the registry vendor _before_ rotating it in production.
+
+## REGISTRY_HOSTNAME
+
+This is the hostname at which the registry can be found.
diff --git a/docs/product/phase_one.md b/docs/product/phase_one.md
deleted file mode 100644
index cf42887bf..000000000
--- a/docs/product/phase_one.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# A new .gov system: Phase 1
-Purpose: Summarize the priorities for 18F and CISA in pursuing an initial build of a new .gov registrar.
-**The below was agreed upon on 08/04/2022**
-
-## Goals for Phase 1
-**Primary Goal:** Recreate the necessary core functionality in a new system
-
-**Secondary Goal:** Reduce the CISA admin burden while maintaining high security standards
-
-Deprioritized for later:
-* Make getting a .gov domain as easy as getting a .com or .us
-* Help more government entities set up and maintain their .gov site and infrastructure
-* Build awareness and credibility of .gov domains
-
-## Milestones
-April 2023 - projected month 18F agreement ends
-
-## Considerations and Tradeoffs
-### Success for Phase 1 is...
-* A new system that
- * Can respond to user needs for all long term goals
- * Can reduce the number of actors or decisions in a successful flow
- * Upholds a security review process for getting a .gov domain
- * Meets code and accessibility standards + open source policy
- * Lays the foundation for a “a simple and secure registration process that works to ensure that domains are registered and maintained only by authorized individuals (DOTGOV ACT)”
-* Supporting 1-2 registrant and admin flows with limited improvement and automation, based on value and complexity
-* Has or is ready for an ATO
-* Coordinating and navigating with procurement processes (RFPs and current vendor agreement)
-
-### Risks
-* App may be supported by a combination of manual work and automation, not fully automated
-* Scope creep – we build a system that can’t be ATO’d prior to Summer or Fall 2023
-* We build out a narrow slice of the system, which may be insufficient for all registrant and administrative use cases
-* We wouldn’t be intentionally and directly focused on or prioritizing improving the registrant / admin experience
-
-### Example User Stories (to be prioritized)
-* As a potential registrant, I want to learn what I should know about .gov so I can build support inside my organization to get a .gov domain.
-* As a registrant, I need the registrar to have strong user authentication so that sensitive domain- or account-impacting actions take place post-authentication.
-* As a program lead, I need to ensure that issued domains are from authentic, eligible organizations and requested by someone with authority so that domains are only given to bona fide US-based government organizations.
-* As a program lead, I need to run queries on .gov data to ensure alignment with program, agency, and Congressional reporting requirements.
-* As a program lead, I want to be able to send messages to individuals, groups, or all registrants so they are aware of important information: status emails (system downtime, etc.) to updates to status of an application. (PENDING, APPROVED, etc.).
diff --git a/ops/manifests/manifest-lmm.yaml b/ops/manifests/manifest-ab.yaml
similarity index 81%
rename from ops/manifests/manifest-lmm.yaml
rename to ops/manifests/manifest-ab.yaml
index 96c503f44..a08a7ef24 100644
--- a/ops/manifests/manifest-lmm.yaml
+++ b/ops/manifests/manifest-ab.yaml
@@ -1,6 +1,6 @@
---
applications:
-- name: getgov-lmm
+- name: getgov-ab
buildpacks:
- python_buildpack
path: ../../src
@@ -17,11 +17,11 @@ applications:
# Tell Django where to find its configuration
DJANGO_SETTINGS_MODULE: registrar.config.settings
# Tell Django where it is being hosted
- DJANGO_BASE_URL: https://getgov-lmm.app.cloud.gov
+ DJANGO_BASE_URL: https://getgov-ab.app.cloud.gov
# Tell Django how much stuff to log
DJANGO_LOG_LEVEL: INFO
routes:
- - route: getgov-lmm.app.cloud.gov
+ - route: getgov-ab.app.cloud.gov
services:
- getgov-credentials
- - getgov-lmm-database
+ - getgov-ab-database
diff --git a/ops/manifests/manifest-bl.yaml b/ops/manifests/manifest-bl.yaml
new file mode 100644
index 000000000..f9d635c32
--- /dev/null
+++ b/ops/manifests/manifest-bl.yaml
@@ -0,0 +1,27 @@
+---
+applications:
+- name: getgov-bl
+ buildpacks:
+ - python_buildpack
+ path: ../../src
+ instances: 1
+ memory: 512M
+ stack: cflinuxfs3
+ timeout: 180
+ command: ./run.sh
+ health-check-type: http
+ health-check-http-endpoint: /health
+ env:
+ # Send stdout and stderr straight to the terminal without buffering
+ PYTHONUNBUFFERED: yup
+ # Tell Django where to find its configuration
+ DJANGO_SETTINGS_MODULE: registrar.config.settings
+ # Tell Django where it is being hosted
+ DJANGO_BASE_URL: https://getgov-bl.app.cloud.gov
+ # Tell Django how much stuff to log
+ DJANGO_LOG_LEVEL: INFO
+ routes:
+ - route: getgov-bl.app.cloud.gov
+ services:
+ - getgov-credentials
+ - getgov-bl-database
diff --git a/ops/manifests/manifest-rjm.yaml b/ops/manifests/manifest-rjm.yaml
new file mode 100644
index 000000000..e8da5a62e
--- /dev/null
+++ b/ops/manifests/manifest-rjm.yaml
@@ -0,0 +1,27 @@
+---
+applications:
+- name: getgov-rjm
+ buildpacks:
+ - python_buildpack
+ path: ../../src
+ instances: 1
+ memory: 512M
+ stack: cflinuxfs3
+ timeout: 180
+ command: ./run.sh
+ health-check-type: http
+ health-check-http-endpoint: /health
+ env:
+ # Send stdout and stderr straight to the terminal without buffering
+ PYTHONUNBUFFERED: yup
+ # Tell Django where to find its configuration
+ DJANGO_SETTINGS_MODULE: registrar.config.settings
+ # Tell Django where it is being hosted
+ DJANGO_BASE_URL: https://getgov-rjm.app.cloud.gov
+ # Tell Django how much stuff to log
+ DJANGO_LOG_LEVEL: INFO
+ routes:
+ - route: getgov-rjm.app.cloud.gov
+ services:
+ - getgov-credentials
+ - getgov-rjm-database
diff --git a/src/.flake8 b/src/.flake8
index e1ca2cc9a..db9f3094a 100644
--- a/src/.flake8
+++ b/src/.flake8
@@ -2,6 +2,6 @@
max-line-length = 88
max-complexity = 10
extend-ignore = E203
-per-file-ignores = __init__.py:F401,F403
+per-file-ignores = __init__.py:F401,F403,E402
# migrations are auto-generated and often break rules
exclude=registrar/migrations/*
diff --git a/src/docker-compose.yml b/src/docker-compose.yml
index 693cad6c0..4399c5b70 100644
--- a/src/docker-compose.yml
+++ b/src/docker-compose.yml
@@ -27,6 +27,18 @@ services:
- DJANGO_DEBUG=True
# Tell Django where it is being hosted
- DJANGO_BASE_URL=http://localhost:8080
+ # Set a username for accessing the registry
+ - REGISTRY_CL_ID=nothing
+ # Set a password for accessing the registry
+ - REGISTRY_PASSWORD=nothing
+ # Set a private certifcate for accessing the registry
+ - REGISTRY_CERT=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNMekNDQWRXZ0F3SUJBZ0lVWThXWEljcFVlVUk0TVUrU3NWbkIrOGErOUlnd0NnWUlLb1pJemowRUF3SXcKYlRFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ01Ba1JETVJNd0VRWURWUVFIREFwWFlYTm9hVzVuZEc5dQpNUXd3Q2dZRFZRUUtEQU5IVTBFeEREQUtCZ05WQkFzTUF6RTRSakVnTUI0R0ExVUVBd3dYUjA5V0lGQnliM1J2CmRIbHdaU0JTWldkcGMzUnlZWEl3SGhjTk1qTXdOREl4TVRVMU5ETTFXaGNOTWpRd05ESXdNVFUxTkRNMVdqQnQKTVFzd0NRWURWUVFHRXdKVlV6RUxNQWtHQTFVRUNBd0NSRU14RXpBUkJnTlZCQWNNQ2xkaGMyaHBibWQwYjI0eApEREFLQmdOVkJBb01BMGRUUVRFTU1Bb0dBMVVFQ3d3RE1UaEdNU0F3SGdZRFZRUUREQmRIVDFZZ1VISnZkRzkwCmVYQmxJRkpsWjJsemRISmhjakJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCRkN4bGVsN1ZoWHkKb1ZIRWY2N3FKamo5UDk0ZWdqdXNtSWVaNFRLYkxkM3RRRVgzZnFKdVk4WmZzWWN4N0s1K0NEdnJLMnZRdjlMYgpmamhMTjZad3FqK2pVekJSTUIwR0ExVWREZ1FXQkJRUEZCRHdnSlhOUXE4a1V0K1hyYzFFWm9wbW9UQWZCZ05WCkhTTUVHREFXZ0JRUEZCRHdnSlhOUXE4a1V0K1hyYzFFWm9wbW9UQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01Bb0cKQ0NxR1NNNDlCQU1DQTBnQU1FVUNJRVJEaml0VGR0UTB3eVNXb1hEbCtYbUpVUmdENUo0VHVudkFGeDlDSitCUwpBaUVBME42eTJoeGdFWkYxRXJGYW1VQW5EUHlQSFlJeFNJQkwwNW5ibE9IZFVLRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+ # Set a private certifcate's key for accessing the registry
+ - REGISTRY_KEY=LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLQpNSUhzTUZjR0NTcUdTSWIzRFFFRkRUQktNQ2tHQ1NxR1NJYjNEUUVGRERBY0JBakJYK1UvdUFkQ3hBSUNDQUF3CkRBWUlLb1pJaHZjTkFna0ZBREFkQmdsZ2hrZ0JaUU1FQVNvRUVHWTNnblRGZ3F0UE5sVU93a2hvSHFrRWdaQlAKMG5FMWpSRXliTHBDNHFtaGczRXdaR2lXZDFWV2RLVEtyNXF3d3hsdjhCbHB1UHhtRGN4dTA1U3VReWhMcU5hWgpVNjRoZlFyYy94cnRnT3Mwc0ZXenlhY0hEaFhiQUdTQjdTTjc2WG55NU9wWDVZVGtRTFMvRTk4YmxFY3NQUWVuCkNqNTJnQzVPZ0JtYzl1cjZlbWY2bjd6TE5vUWovSzk4MEdIWjg5OVZHQ1J3OHhGZGIyb3IyU3dMcDd0V1Ixcz0KLS0tLS1FTkQgRU5DUllQVEVEIFBSSVZBVEUgS0VZLS0tLS0K
+ # set a passphrase for decrypting the registry key
+ - REGISTRY_KEY_PASSPHRASE=fake
+ # Set a URI for accessing the registry
+ - REGISTRY_HOSTNAME=localhost
# --- These keys are obtained from `.env` file ---
# Set a private JWT signing key for Login.gov
- DJANGO_SECRET_LOGIN_KEY
@@ -50,6 +62,9 @@ services:
- POSTGRES_PASSWORD=feedabee
node:
+ build:
+ context: .
+ dockerfile: node.Dockerfile
image: node
volumes:
- .:/app
diff --git a/src/epp/__init__.py b/src/epp/__init__.py
deleted file mode 100644
index e69de29bb..000000000
diff --git a/src/epp/mock_epp.py b/src/epp/mock_epp.py
deleted file mode 100644
index 7d1d1d84e..000000000
--- a/src/epp/mock_epp.py
+++ /dev/null
@@ -1,40 +0,0 @@
-"""
-This file defines a number of mock functions which can be used to simulate
-communication with the registry until that integration is implemented.
-"""
-from datetime import datetime
-
-
-def domain_check(_):
- """Is domain available for registration?"""
- return True
-
-
-def domain_info(domain):
- """What does the registry know about this domain?"""
- return {
- "name": domain,
- "roid": "EXAMPLE1-REP",
- "status": ["ok"],
- "registrant": "jd1234",
- "contact": {
- "admin": "sh8013",
- "tech": None,
- },
- "ns": {
- f"ns1.{domain}",
- f"ns2.{domain}",
- },
- "host": [
- f"ns1.{domain}",
- f"ns2.{domain}",
- ],
- "sponsor": "ClientX",
- "creator": "ClientY",
- # TODO: think about timezones
- "creation_date": datetime.today(),
- "updator": "ClientX",
- "last_update_date": datetime.today(),
- "expiration_date": datetime.today(),
- "last_transfer_date": datetime.today(),
- }
diff --git a/src/epplibwrapper/__init__.py b/src/epplibwrapper/__init__.py
new file mode 100644
index 000000000..ab3b63080
--- /dev/null
+++ b/src/epplibwrapper/__init__.py
@@ -0,0 +1,52 @@
+import logging
+from types import SimpleNamespace
+
+try:
+ from epplib import constants
+except ImportError:
+ # allow epplibwrapper to load without epplib, for testing and development
+ pass
+
+logger = logging.getLogger(__name__)
+
+NAMESPACE = SimpleNamespace(
+ EPP="urn:ietf:params:xml:ns:epp-1.0",
+ XSI="http://www.w3.org/2001/XMLSchema-instance",
+ FRED="noop",
+ NIC_CONTACT="urn:ietf:params:xml:ns:contact-1.0",
+ NIC_DOMAIN="urn:ietf:params:xml:ns:domain-1.0",
+ NIC_ENUMVAL="noop",
+ NIC_EXTRA_ADDR="noop",
+ NIC_HOST="urn:ietf:params:xml:ns:host-1.0",
+ NIC_KEYSET="noop",
+ NIC_NSSET="noop",
+)
+
+SCHEMA_LOCATION = SimpleNamespace(
+ XSI="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd",
+ FRED="noop fred-1.5.0.xsd",
+ NIC_CONTACT="urn:ietf:params:xml:ns:contact-1.0 contact-1.0.xsd",
+ NIC_DOMAIN="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd",
+ NIC_ENUMVAL="noop enumval-1.2.0.xsd",
+ NIC_EXTRA_ADDR="noop extra-addr-1.0.0.xsd",
+ NIC_HOST="urn:ietf:params:xml:ns:host-1.0 host-1.0.xsd",
+ NIC_KEYSET="noop keyset-1.3.2.xsd",
+ NIC_NSSET="noop nsset-1.2.2.xsd",
+)
+
+try:
+ constants.NAMESPACE = NAMESPACE
+ constants.SCHEMA_LOCATION = SCHEMA_LOCATION
+except NameError:
+ pass
+
+# Attn: these imports should NOT be at the top of the file
+try:
+ from .client import CLIENT, commands
+except ImportError:
+ pass
+
+__all__ = [
+ "CLIENT",
+ "commands",
+]
diff --git a/src/epplibwrapper/cert.py b/src/epplibwrapper/cert.py
new file mode 100644
index 000000000..15ff16c06
--- /dev/null
+++ b/src/epplibwrapper/cert.py
@@ -0,0 +1,34 @@
+import os
+import tempfile
+
+from django.conf import settings
+
+
+class Cert:
+ """
+ Location of client certificate as written to disk.
+
+ This is needed because the certificate is stored as an environment
+ variable but Python's ssl library requires a file.
+ """
+
+ def __init__(self, data=settings.SECRET_REGISTRY_CERT) -> None:
+ self.filename = self._write(data)
+
+ def __del__(self):
+ """Remove the files when this object is garbage collected."""
+ os.unlink(self.filename)
+
+ def _write(self, data) -> str:
+ """Write data to a secure tempfile. Returns the path."""
+ _, path = tempfile.mkstemp()
+ with open(path, "wb") as file:
+ file.write(data)
+ return path
+
+
+class Key(Cert):
+ """Location of private key as written to disk."""
+
+ def __init__(self) -> None:
+ super().__init__(data=settings.SECRET_REGISTRY_KEY)
diff --git a/src/epplibwrapper/client.py b/src/epplibwrapper/client.py
new file mode 100644
index 000000000..7ddf0a03e
--- /dev/null
+++ b/src/epplibwrapper/client.py
@@ -0,0 +1,128 @@
+"""Provide a wrapper around epplib to handle authentication and errors."""
+
+import logging
+from time import sleep
+
+try:
+ from epplib.client import Client
+ from epplib import commands
+ from epplib.exceptions import TransportError, ParsingError
+ from epplib.transport import SocketTransport
+except ImportError:
+ pass
+
+from django.conf import settings
+
+from .cert import Cert, Key
+from .errors import LoginError, RegistryError
+from .socket import Socket
+
+logger = logging.getLogger(__name__)
+
+try:
+ # Write cert and key to disk
+ CERT = Cert()
+ KEY = Key()
+except Exception:
+ CERT = None # type: ignore
+ KEY = None # type: ignore
+ logger.warning(
+ "Problem with client certificate. Registrar cannot contact registry.",
+ exc_info=True,
+ )
+
+
+class EPPLibWrapper:
+ """
+ A wrapper over epplib's client.
+
+ ATTN: This should not be used directly. Use `Domain` from domain.py.
+ """
+
+ def __init__(self) -> None:
+ """Initialize settings which will be used for all connections."""
+
+ # prepare (but do not send) a Login command
+ self._login = commands.Login(
+ cl_id=settings.SECRET_REGISTRY_CL_ID,
+ password=settings.SECRET_REGISTRY_PASSWORD,
+ obj_uris=[
+ "urn:ietf:params:xml:ns:domain-1.0",
+ "urn:ietf:params:xml:ns:contact-1.0",
+ ],
+ )
+ # establish a client object with a TCP socket transport
+ self._client = Client(
+ SocketTransport(
+ settings.SECRET_REGISTRY_HOSTNAME,
+ cert_file=CERT.filename,
+ key_file=KEY.filename,
+ password=settings.SECRET_REGISTRY_KEY_PASSPHRASE,
+ )
+ )
+ # prepare a context manager which will connect and login when invoked
+ # (it will also logout and disconnect when the context manager exits)
+ self._connect = Socket(self._client, self._login)
+
+ def _send(self, command):
+ """Helper function used by `send`."""
+ try:
+ with self._connect as wire:
+ response = wire.send(command)
+ except (ValueError, ParsingError) as err:
+ logger.warning(
+ "%s failed to execute due to some syntax error."
+ % command.__class__.__name__,
+ exc_info=True,
+ )
+ raise RegistryError() from err
+ except TransportError as err:
+ logger.warning(
+ "%s failed to execute due to a connection error."
+ % command.__class__.__name__,
+ exc_info=True,
+ )
+ raise RegistryError() from err
+ except LoginError as err:
+ logger.warning(
+ "%s failed to execute due to a registry login error."
+ % command.__class__.__name__,
+ exc_info=True,
+ )
+ raise RegistryError() from err
+ except Exception as err:
+ logger.warning(
+ "%s failed to execute due to an unknown error."
+ % command.__class__.__name__,
+ exc_info=True,
+ )
+ raise RegistryError() from err
+ else:
+ if response.code >= 2000:
+ raise RegistryError(response.msg)
+ else:
+ return response
+
+ def send(self, command):
+ """Login, send the command, then close the connection. Tries 3 times."""
+ counter = 0 # we'll try 3 times
+ while True:
+ try:
+ return self._send(command)
+ except RegistryError as err:
+ if counter == 3: # don't try again
+ raise err
+ else:
+ counter += 1
+ sleep((counter * 50) / 1000) # sleep 50 ms to 150 ms
+
+
+try:
+ # Initialize epplib
+ CLIENT = EPPLibWrapper()
+ logger.debug("registry client initialized")
+except Exception:
+ CLIENT = None # type: ignore
+ logger.warning(
+ "Unable to configure epplib. Registrar cannot contact registry.", exc_info=True
+ )
diff --git a/src/epplibwrapper/errors.py b/src/epplibwrapper/errors.py
new file mode 100644
index 000000000..c3028e0c4
--- /dev/null
+++ b/src/epplibwrapper/errors.py
@@ -0,0 +1,6 @@
+class RegistryError(Exception):
+ pass
+
+
+class LoginError(RegistryError):
+ pass
diff --git a/src/epplibwrapper/socket.py b/src/epplibwrapper/socket.py
new file mode 100644
index 000000000..5c9acce79
--- /dev/null
+++ b/src/epplibwrapper/socket.py
@@ -0,0 +1,37 @@
+import logging
+
+try:
+ from epplib import commands
+except ImportError:
+ pass
+
+from .errors import LoginError
+
+
+logger = logging.getLogger(__name__)
+
+
+class Socket:
+ """Context manager which establishes a TCP connection with registry."""
+
+ def __init__(self, client, login) -> None:
+ """Save the epplib client and login details."""
+ self.client = client
+ self.login = login
+
+ def __enter__(self):
+ """Use epplib to connect."""
+ self.client.connect()
+ response = self.client.send(self.login)
+ if response.code >= 2000:
+ self.client.close()
+ raise LoginError(response.msg)
+ return self.client
+
+ def __exit__(self, *args, **kwargs):
+ """Close the connection."""
+ try:
+ self.client.send(commands.Logout())
+ self.client.close()
+ except Exception:
+ logger.warning("Connection to registry was not cleanly closed.")
diff --git a/src/mypy.ini b/src/mypy.ini
index a151424a3..e8708cb67 100644
--- a/src/mypy.ini
+++ b/src/mypy.ini
@@ -7,6 +7,8 @@ strict_optional = True
# implicit_optional: treat arguments a None default value as implicitly Optional?
# `var: int = None` is equal to `var: Optional[int] = None`
implicit_optional = True
+# we'd still like mypy to succeed when 3rd party libraries are not installed
+ignore_missing_imports = True
[mypy.plugins.django-stubs]
django_settings_module = "registrar.config.settings"
diff --git a/src/registrar/assets/img/registrar/dotgov_logo.svg b/src/registrar/assets/img/registrar/dotgov_logo.svg
new file mode 100644
index 000000000..1b712b6c7
--- /dev/null
+++ b/src/registrar/assets/img/registrar/dotgov_logo.svg
@@ -0,0 +1,11 @@
+
diff --git a/src/registrar/assets/sass/_theme/_uswds-theme-custom-styles.scss b/src/registrar/assets/sass/_theme/_uswds-theme-custom-styles.scss
index f36817574..d43e82c9b 100644
--- a/src/registrar/assets/sass/_theme/_uswds-theme-custom-styles.scss
+++ b/src/registrar/assets/sass/_theme/_uswds-theme-custom-styles.scss
@@ -35,6 +35,16 @@ $letter-space--xs: .0125em;
-moz-osx-font-smoothing: grayscale;
}
+body {
+ display: flex;
+ flex-direction: column;
+ min-height: 100vh;
+}
+
+#wrapper {
+ flex-grow: 1;
+}
+
.usa-logo {
@include at-media(desktop) {
margin-top: units(2);
@@ -113,8 +123,10 @@ h2 {
}
/* Make "placeholder" links visually obvious */
+a[href^="https://federalist-"]::after,
a[href$="todo"]::after {
background-color: yellow;
+ color: color(blue-80v);
content: " [link TBD]";
font-style: italic;
}
@@ -401,6 +413,9 @@ footer {
background-color: color('primary-lightest');
}
+.usa-footer__secondary-section a {
+ color: color('primary');
+}
abbr[title] {
// workaround for underlining abbr element
diff --git a/src/registrar/config/settings.py b/src/registrar/config/settings.py
index 2947e2a70..9491b354a 100644
--- a/src/registrar/config/settings.py
+++ b/src/registrar/config/settings.py
@@ -55,11 +55,18 @@ secret_key = secret("DJANGO_SECRET_KEY")
secret_aws_ses_key_id = secret("AWS_ACCESS_KEY_ID", None)
secret_aws_ses_key = secret("AWS_SECRET_ACCESS_KEY", None)
+secret_registry_cl_id = secret("REGISTRY_CL_ID")
+secret_registry_password = secret("REGISTRY_PASSWORD")
+secret_registry_cert = b64decode(secret("REGISTRY_CERT", ""))
+secret_registry_key = b64decode(secret("REGISTRY_KEY", ""))
+secret_registry_key_passphrase = secret("REGISTRY_KEY_PASSPHRASE", "")
+secret_registry_hostname = secret("REGISTRY_HOSTNAME")
# region: Basic Django Config-----------------------------------------------###
# Build paths inside the project like this: BASE_DIR / "subdir".
-BASE_DIR = path.resolve().parent.parent
+# (settings.py is in `src/registrar/config/`: BASE_DIR is `src/`)
+BASE_DIR = path.resolve().parent.parent.parent
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = env_debug
@@ -156,16 +163,16 @@ WSGI_APPLICATION = "registrar.config.wsgi.application"
# will place static files for deployment.
# Do not use this directory for permanent storage -
# it is for Django!
-STATIC_ROOT = BASE_DIR / "public"
+STATIC_ROOT = BASE_DIR / "registrar" / "public"
STATICFILES_DIRS = [
- BASE_DIR / "assets",
+ BASE_DIR / "registrar" / "assets",
]
TEMPLATES = [
{
"BACKEND": "django.template.backends.django.DjangoTemplates",
- "DIRS": [BASE_DIR / "templates"],
+ "DIRS": [BASE_DIR / "registrar" / "templates"],
# look for templates inside installed apps
# required by django-debug-toolbar
"APP_DIRS": True,
@@ -496,6 +503,17 @@ ROOT_URLCONF = "registrar.config.urls"
# Must be relative and end with "/"
STATIC_URL = "public/"
+# endregion
+# region: Registry----------------------------------------------------------###
+
+# SECURITY WARNING: keep all registry variables in production secret!
+SECRET_REGISTRY_CL_ID = secret_registry_cl_id
+SECRET_REGISTRY_PASSWORD = secret_registry_password
+SECRET_REGISTRY_CERT = secret_registry_cert
+SECRET_REGISTRY_KEY = secret_registry_key
+SECRET_REGISTRY_KEY_PASSPHRASE = secret_registry_key_passphrase
+SECRET_REGISTRY_HOSTNAME = secret_registry_hostname
+
# endregion
# region: Security and Privacy----------------------------------------------###
@@ -531,12 +549,14 @@ SECURE_SSL_REDIRECT = True
# web server configurations.
ALLOWED_HOSTS = [
"getgov-stable.app.cloud.gov",
+ "getgov-ab.app.cloud.gov",
+ "getgov-bl.app.cloud.gov",
+ "getgov-rjm.app.cloud.gov",
"getgov-jon.app.cloud.gov",
"getgov-mr.app.cloud.gov",
"getgov-sspj.app.cloud.gov",
"getgov-nmb.app.cloud.gov",
"getgov-ik.app.cloud.gov",
- "getgov-lmm.app.cloud.gov",
"get.gov",
]
diff --git a/src/registrar/migrations/0007_domainapplication_more_organization_information_and_more.py b/src/registrar/migrations/0007_domainapplication_more_organization_information_and_more.py
index 508b13cca..909b301ab 100644
--- a/src/registrar/migrations/0007_domainapplication_more_organization_information_and_more.py
+++ b/src/registrar/migrations/0007_domainapplication_more_organization_information_and_more.py
@@ -14,7 +14,7 @@ class Migration(migrations.Migration):
name="more_organization_information",
field=models.TextField(
blank=True,
- help_text="Further information about the government organization",
+ help_text="More information about your organization",
null=True,
),
),
diff --git a/src/registrar/models/domain.py b/src/registrar/models/domain.py
index 8e1aa3ace..7d287595a 100644
--- a/src/registrar/models/domain.py
+++ b/src/registrar/models/domain.py
@@ -9,7 +9,6 @@ from django.db import models
from django_fsm import FSMField, transition # type: ignore
from api.views import in_domains
-from epp.mock_epp import domain_info, domain_check
from registrar.utility import errors
from .utility.time_stamped_model import TimeStampedModel
@@ -131,7 +130,7 @@ class Domain(TimeStampedModel):
"""Check if a domain is available.
Not implemented. Returns a dummy value for testing."""
- return domain_check(domain)
+ return False # domain_check(domain)
def transfer(self):
"""Going somewhere. Not implemented."""
@@ -148,7 +147,7 @@ class Domain(TimeStampedModel):
if not hasattr(self, "info"):
try:
# get info from registry
- self.info = domain_info(self.name)
+ self.info = {} # domain_info(self.name)
except Exception as e:
logger.error(e)
# TODO: back off error handling
diff --git a/src/registrar/models/domain_application.py b/src/registrar/models/domain_application.py
index 898615e27..ca7f4d76f 100644
--- a/src/registrar/models/domain_application.py
+++ b/src/registrar/models/domain_application.py
@@ -293,7 +293,7 @@ class DomainApplication(TimeStampedModel):
choices=OrganizationChoices.choices,
null=True,
blank=True,
- help_text="Type of Organization",
+ help_text="Type of organization",
)
federally_recognized_tribe = models.BooleanField(
@@ -382,7 +382,7 @@ class DomainApplication(TimeStampedModel):
more_organization_information = models.TextField(
null=True,
blank=True,
- help_text="Further information about the government organization",
+ help_text="More information about your organization",
)
authorizing_official = models.ForeignKey(
diff --git a/src/registrar/templates/application_status.html b/src/registrar/templates/application_status.html
index 99f4d215f..fadd8ec36 100644
--- a/src/registrar/templates/application_status.html
+++ b/src/registrar/templates/application_status.html
@@ -32,7 +32,7 @@
Request #: {{domainapplication.id}}
@@ -63,7 +63,7 @@
{% endif %}
{% if domainapplication.organization_name %}
- {% include "includes/summary_item.html" with title='Organization address' value=domainapplication address='true' %}
+ {% include "includes/summary_item.html" with title='Organization name and mailing address' value=domainapplication address='true' %}
{% endif %}
{% if domainapplication.type_of_work %}
@@ -71,7 +71,7 @@
{% endif %}
{% if domainapplication.more_organization_information %}
- {% include "includes/summary_item.html" with title='Further information about the government organization' value=domainapplication.more_organization_information %}
+ {% include "includes/summary_item.html" with title='More information about your organization' value=domainapplication.more_organization_information %}
{% endif %}
{% if domainapplication.authorizing_official %}
diff --git a/src/registrar/templates/includes/footer.html b/src/registrar/templates/includes/footer.html
index 5864a808c..929a49cce 100644
--- a/src/registrar/templates/includes/footer.html
+++ b/src/registrar/templates/includes/footer.html
@@ -14,20 +14,23 @@
