initial gpo service (#1)

* initial gpo service

* PR fixes
refactor upload function
fix requirements versions
fix log level var
fix file timestamp

* add tzdata for dev on windows

* create gpo schema if absent

.bandit

@@ -0,0 +1,2 @@
+[bandit]
+exclude: gpo/tests, .venv/

.cfignore

@@ -0,0 +1,10 @@
+*.md
+.venv/
+gpo/__pycache__/
+.bandit
+.codeclimate.yml 
+.github
+.pre-commit-config.yaml
+requirements-dev.txt
+tests/
+vars.yaml

.codeclimate.yml

@@ -0,0 +1,5 @@
+---
+version: "2"
+plugins:
+  bandit:
+    enabled: true

.github/dependabot.yaml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: pip
+    directory: "/"
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10
+    labels:
+      - dependencies
+      - python
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10
+    labels:
+      - dependencies
+      - github-actions

.github/workflows/README.md

@@ -0,0 +1,38 @@
+# GitHub Actions CI/CD workflows
+
+## Python Checks
+The Python-Checks workflow will run a series of checks on the python code
+in this repository.
+
+### Bandit
+The Bandit workflow will run the Bandit security linter tool against this 
+project. A failed run indicates that Bandit found at least one vulnerability.
+
+### Black
+The workflow outlined in `black.yml` checks to ensure that the Python style
+for this project is consistent and fully implemented in all Python files.
+For more information about this workflow, see
+https://black.readthedocs.io/en/stable/github_actions.html
+
+## CodeQL-Analysis
+The codeql-analysis workflow the CodeQL semantic code analysis engine to help
+find security issues very early on in the development process. See
+[CodeQL](https://securitylab.github.com/tools/codeql) for more details.
+
+## Deploy
+Deploys the project to the correct GIVE environment within Cloud.gov. The
+deploy workflow will run unit-tests and only deploy if those test are
+successful. Deployment will also only be triggered in the 18F repository. This
+will prevent forks from needlessly running workflows that will always fail
+(forks won't be able to authenticate into the dev environment).
+
+## Stale Items
+The stale-items workflow will run once per day and mark issues and PR's as
+stale if they have not seen any activity over the last 30 days. After being
+marked stale for 5 days, the workflow will close the item.
+
+## Unit Tests
+The unit-tests workflow will install the project runtime dependencies and run
+the unit test suite against the code. This workflow is used to run unit tests
+for the application against pull requests before merging takes place. Additional
+unit testing will take place on merging.

.github/workflows/codeql-analysis.yaml

@@ -0,0 +1,52 @@
+---
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main]
+    paths-ignore:
+      - '**.md'  # All markdown files in the repository
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [main]
+    paths-ignore:
+      - '**.md'
+  schedule:
+    # weekly run at arbitrary time
+    - cron: '43 22 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['python']
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: ${{ matrix.language }}
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java)
+      # If this step fails, then remove it and run the build manually. See below
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v1
+
+      # If the Autobuild fails above, remove it and uncomment the following
+      # three lines and modify them (or add more) to build your code if your
+      # project uses a compiled language
+
+      # - run: |
+      #     make bootstrap
+      #     make release
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1

.github/workflows/deploy.yaml

@@ -0,0 +1,41 @@
+---
+# This workflow will run unit tests and deploy the application to a
+# target environment
+
+name: Deploy
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "*"
+    paths-ignore:
+      - "**.md" # All markdown files in the repository
+
+jobs:
+  unit-test:
+    uses: 18F/identity-idva-gpo/.github/workflows/unit-tests.yaml@main
+
+  deploy:
+    if: github.repository_owner == '18F'
+    needs: unit-test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: 18F/identity-idva-cf-setup@v2
+        id: cf-setup
+        with:
+          cf-username: ${{ secrets.CF_USERNAME }}
+          cf-password: ${{ secrets.CF_PASSWORD }}
+          cf-org: ${{ secrets.CF_ORG }}
+
+      - name: Deploy application
+        run: cf push --vars-file vars.yaml
+          --var ENVIRONMENT=${{ steps.cf-setup.outputs.target-environment }}
+          --var GPO_USERNAME=${{ secrets.GPO_USERNAME }}
+          --var GPO_PASSWORD=${{ secrets.GPO_PASSWORD }}
+          --var GPO_HOST=${{ secrets.GPO_HOST }}
+          --var GPO_HOSTKEY=${{ secrets.GPO_HOSTKEY }}
+          --strategy rolling

.github/workflows/python-checks.yaml

@@ -0,0 +1,46 @@
+---
+# This workflow will run the Black Python formatter as well as the
+# Bandit security linter. See the following pages for details:
+# See https://black.readthedocs.io/en/stable/github_actions.html
+# https://github.com/PyCQA/bandit
+name: Python-Checks
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '**.py'  # All python files in the repository
+  pull_request:
+    paths:
+      - '**.py'
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+
+      - uses: psf/black@stable
+
+  bandit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+
+      - uses: actions/cache@v2
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements-dev.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Scan
+        run: |
+          pip install -r requirements-dev.txt
+          bandit --exclude ./.venv/,./tests -r .

.github/workflows/stale-items.yaml

@@ -0,0 +1,23 @@
+---
+name: 'Stale-Items'
+on:
+  schedule:
+      # daily run at arbitrary time
+    - cron: '30 1 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v4
+        with:
+          stale-issue-message: >-
+            This issue has been automatically marked as stale because it has
+            not had any activity in the last 30 days. Remove stale label or
+            comment or this will be closed in 5 days.
+          stale-pr-message: >-
+            This issue has been automatically marked as stale because it has
+            not had any activity in the last 30 days. Remove stale label or
+            comment or this will be closed in 5 days.
+          days-before-stale: 30
+          days-before-close: 5

.github/workflows/unit-tests.yaml

@@ -0,0 +1,36 @@
+---
+# This workflow will install Python dependencies and run tests so that
+# unit tests can be run against pull requests.
+
+name: Unit-Tests
+
+on:
+  pull_request:
+    paths-ignore:
+      - '**.md'  # All markdown files in the repository
+  workflow_call:
+
+jobs:
+  unit-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Set up Python 3.9
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.9
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install pytest
+      - name: Test with Pytest unit tests
+        run: |
+          export DEBUG=True
+          python -m pytest

.gitignore

@@ -0,0 +1,3 @@
+.venv
+__pycache__
+.pytest_cache

.pre-commit-config.yaml

@@ -0,0 +1,12 @@
+---
+repos:
+  - repo: https://github.com/psf/black
+    rev: 22.3.0 # Update with 'pre-commit autoupdate'
+    hooks:
+      - id: black
+
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.7.4
+    hooks:
+      - id: bandit
+        exclude: tests

.pylintrc

@@ -0,0 +1,2 @@
+[MASTER]
+extension-pkg-whitelist=pydantic

CONTRIBUTING.md

@@ -0,0 +1,37 @@
+# Welcome!
+
+We're so glad you're thinking about contributing to a
+[open source project of the U.S. government](https://code.gov/)! If you're
+unsure about anything, just ask -- or submit the issue or pull request anyway.
+The worst that can happen is you'll be politely asked to change something. We
+love all friendly contributions.
+
+We encourage you to read this project's CONTRIBUTING policy (you are here), its
+[LICENSE](LICENSE.md), and its [README](README.md).
+
+## Policies
+
+We want to ensure a welcoming environment for all of our projects. Our staff
+follow the [TTS Code of Conduct](https://18f.gsa.gov/code-of-conduct/) and
+all contributors should do the same.
+
+We adhere to the
+[18F Open Source Policy](https://github.com/18f/open-source-policy). If you 
+have any questions, just [shoot us an email](mailto:[email protected]).
+
+As part of a U.S. government agency, the General Services Administration
+(GSA)’s Technology Transformation Services (TTS) takes seriously our
+responsibility to protect the public’s information, including financial and
+personal information, from unwarranted disclosure. For more information about
+security and vulnerability disclosure for our projects, please read our
+[18F Vulnerability Disclosure Policy](https://18f.gsa.gov/vulnerability-disclosure-policy/).
+
+## Public domain
+
+This project is in the public domain within the United States, and copyright
+and related rights in the work worldwide are waived through the
+[CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).
+
+All contributions to this project will be released under the CC0 dedication. By
+submitting a pull request or issue, you are agreeing to comply with this waiver
+of copyright interest.

LICENSE.md

@@ -0,0 +1,33 @@
+# License
+
+As a work of the [United States government](https://www.usa.gov/), this project
+is in the public domain within the United States of America.
+
+Additionally, we waive copyright and related rights in the work worldwide
+through the CC0 1.0 Universal public domain dedication.
+
+## CC0 1.0 Universal Summary
+
+This is a human-readable summary of the
+[Legal Code (read the full text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).
+
+### No Copyright
+
+The person who associated a work with this deed has dedicated the work to the
+public domain by waiving all of their rights to the work worldwide under
+copyright law, including all related and neighboring rights, to the extent
+allowed by law.
+
+You can copy, modify, distribute, and perform the work, even for commercial
+purposes, all without asking permission.
+
+### Other Information
+
+In no way are the patent or trademark rights of any person affected by CC0, nor
+are the rights that other persons may have in the work or in how the work is
+used, such as publicity or privacy rights.
+
+Unless expressly stated otherwise, the person who associated a work with this
+deed makes no warranties about the work, and disclaims liability for all uses
+of the work, to the fullest extent permitted by applicable law. When using or
+citing the work, you should not imply endorsement by the author or the affirmer.