Mc issue 310 refactor security

.github/CODEOWNERS

@@ -1,2 +1,2 @@
 /client/ @joshuagraber
-* @mbodeantor
+* @josh-chamberlain

.github/workflows/bandit.yaml

@@ -0,0 +1,32 @@
+name: Bandit Security Linting
+
+on: [pull_request]
+
+jobs:
+  bandit:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.11'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install bandit
+
+    - name: Run Bandit
+      run: |
+        bandit -r middleware resources app.py
+
+    - name: Upload Bandit results
+      uses: actions/upload-artifact@v2
+      with:
+        name: bandit-report
+        path: bandit_output.txt
+

.github/workflows/pull.yaml

@@ -48,7 +48,7 @@ jobs:
     - name: Test with pytest
       run: |
         pip install pytest pytest-cov
-        pytest app_test.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html
+        pytest tests/resources/app_test.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html
 
   setup_client:
     defaults:

.github/workflows/python_checks.yml

@@ -18,4 +18,5 @@ jobs:
         uses: reviewdog/action-flake8@v3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
+          flake8_args: --ignore E501,W291  # Does not check for max line exceed or trailing whitespace
           level: warning

.github/workflows/test_api.yml

@@ -0,0 +1,25 @@
+#name: Test API using Pytest
+#
+#on:
+#  pull_request:
+#
+#jobs:
+#  test_api:
+#    env:
+#      SECRET_KEY: ${{ secrets.SECRET_KEY }}
+#      DEV_DB_CONN_STRING: ${{secrets.DEV_DB_CONN_STRING}}
+#    name: Test API
+#    runs-on: ubuntu-latest
+#    steps:
+#    - uses: actions/checkout@v4
+#    - uses: actions/setup-python@v4
+#      with:
+#        python-version: '3.11'
+#    - name: Install dependencies
+#      run: |
+#        python -m pip install --upgrade pip
+#        pip install -r requirements.txt
+#        python -m spacy download en_core_web_sm
+#        pip install pytest pytest-cov
+#    - name: Run tests
+#      run: pytest tests --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html

README.md

@@ -1,4 +1,6 @@
-# data-sources-app
+# data-sources-app-v2
+
+Development of the next big iteration of the data sources app according to https://github.com/Police-Data-Accessibility-Project/data-sources-app/issues/248
 
 An API and UI for searching, using, and maintaining Data Sources. 
 
@@ -102,9 +104,18 @@ npm run dev
 
 ## Testing
 
-All unit tests for the API live in the app_test.py file. It is best practice to add tests for any new feature to ensure it is working as expected and that any future code changes do not affect its functionality. All tests will be automatically run when a PR into dev is opened in order to ensure any changes do not break current app functionality. If a test fails, it is a sign that the new code should be checked or possibly that the test needs to be updated. Tests are currently run with pytest and can be run locally with the `pytest` command.
+### Location
+All unit and integration tests for the API live in the `tests` folder
+
+It is best practice to add tests for any new feature to ensure it is working as expected and that any future code changes do not affect its functionality. All tests will be automatically run when a PR into dev is opened in order to ensure any changes do not break current app functionality. If a test fails, it is a sign that the new code should be checked or possibly that the test needs to be updated. 
+
+
+### How to run tests
+Some tests involve interfacing with the development database, which copies the production database's data and schema daily.
+
+To ensure such tests properly connect to the database, create or amend an `.env` file in the root direct of the project with the environment variable `DEV_DB_CONN_STRING`. Provide as a value a connection string giving you access to the `data_sources_app` user. If you do not have this connection string, DM a database administrator.
 
-Endpoints are structured for simplified testing and debugging. Code for interacting with the database is contained in a function suffixed with "_results" and tested against a local sqlite database instance. Limited rows (stored in the DATA_SOURCES_ROWS and AGENCIES_ROWS variables in app_test_data.py) are inserted into this local instance on setup, you may need to add additional rows to test other functionality fully. 
+Tests are currently run with pytest and can be run locally with the `pytest` command.
 
 Remaining API code is stored in functions suffixed with "_query" tested against static query results stored in app_test_data.py. Tests for hitting the endpoint directly should be included in regular_api_checks.py, makes sure to add the test function name in the list at the bottom so it is included in the Github actions run every 15 minutes.
 

app.py

@@ -25,9 +25,7 @@
     api.add_resource(resource, endpoint, resource_class_kwargs=kwargs)
 
 
-def create_app() -> Flask:
-    psycopg2_connection = initialize_psycopg2_connection()
-
+def create_app(psycopg2_connection) -> Flask:
     app = Flask(__name__)
     api = Api(app)
     CORS(app)
@@ -57,5 +55,5 @@
 
 
 if __name__ == "__main__":
-    app = create_app()
+    app = create_app(initialize_psycopg2_connection())
     app.run(debug=True, host="0.0.0.0")