cmsgov / bluebutton-web-server Goto Github PK

Blue Button API

Home Page: https://sandbox.bluebutton.cms.gov

License: Other

Python 65.42% HTML 7.18% CSS 12.32% JavaScript 7.28% Shell 1.26% Makefile 0.02% Dockerfile 0.03% SCSS 5.30% PLpgSQL 0.06% TypeScript 1.14%

fhir-server oauth-server oauth2-server oauth-provider django

bluebutton-web-server's Introduction

Blue Button Web Server

This server serves as a data provider for sharing Medicare claims data with third parties. The server connects to Medicare.gov for authentication, and uses OAuth2 to confirm permission grants to external app developers. The data itself comes from a back end FHIR server (https://github.com/CMSgov/bluebutton-data-server), which in turn pulls data from the CMS Chronic Conditions Warehouse (https://www.ccwdata.org)

For more information on how to connect to the API implemented here, check out our developer documentation at https://cmsgov.github.io/bluebutton-developer-help/. Our most recent deployment is at https://sandbox.bluebutton.cms.gov, and you can also check out our Google Group at https://groups.google.com/forum/#!forum/developer-group-for-cms-blue-button-api for more details.

The information below outlines setting up the server for development or your own environment. For general information on deploying Django see https://docs.djangoproject.com/en/1.11/howto/deployment/.

NOTE: Internal software engineers or other interested parties should follow the documentation for running a Dockerized local development enviornment. For more information see https://github.com/CMSgov/bluebutton-web-server/blob/master/docker-compose/readme.md.

Setup

These instructions provide a quick start for developers new to the project. Follow these steps on the command line.

# prepare your repository folder
git clone https://github.com/CMSGov/bluebutton-web-server.git
cd bluebutton-web-server

# create the virtualenv
python3 -m venv venv

# Install any prerequisites  (C headers, etc. This is OS specific)
# Ubuntu example
sudo apt-get install python3-dev libxml2-dev libxslt1-dev


# install the requirements
pip install --upgrade pip==9.0.1
pip install pip-tools
pip install -r requirements/requirements.txt

# prepare Django settings
cp hhs_oauth_server/settings/local_sample.txt hhs_oauth_server/settings/local.py

Note that most settings can be overridden by environment variables. See custom environment variables section below. Please ensure to create and use your own keys and secrets. See https://docs.djangoproject.com/en/1.11/topics/settings/ for more information. Continue the installation by issuing the following commands:

python manage.py migrate
python manage.py loaddata apps/accounts/fixtures/scopes_and_groups.json
python manage.py createsuperuser
python manage.py create_admin_groups
python manage.py create_blue_button_scopes
python manage.py create_test_user_and_application

The next step is optional: If your backend HAPI FHIR server is configured to require x509 certificates to access it then you need to obtain that keypair and place those files in certificate folder called cerstore.

mkdir ../certstore
(copy both x509 files, in PEM format, inside certstore)

If your backend FHIR server does not require certificate-based authorization then the previous step can be omitted.

Making calls to a back-end FHIR server requires that you set a series of variables before running tests or the server itself.

#Run the development server
python manage.py runserver

Note you can find the path to your Python3 binary by typing which python3.

docker-compose setup

Instructions for running the development environment via docker-compose can be found here

How to View the CSS/Styles Locally

To keep our CSS organized and consolidated across our applications, we use a dedicated Blue Button CSS Repo.

In order to be able to see the styles locally for this project, you'll just need to clone the Blue Button CSS Repo at the root of this project.

From within bluebutton-web-server, run the following commands (Bash):

git clone [email protected]:CMSgov/bluebutton-css.git

That sould be all you need to get the styles working. The instructions below will tell you how to work with or update the SCSS.

To get started making changes to the styles:

cd bluebutton-css

You'll need to make sure you have NodeJS installed. Click here to find out more about NodeJS. Once you have NodeJs installed, run:

npm i

Finally, make sure you have Gulp 4.0 installed:

npm i gulp@4

To export the CSS once, run:

gulp

To watch the SCSS files for changes, run:

gulp watch

Running Tests

Run the following:

    python runtests.py

You can run individual applications tests or tests with in a specific area as well.

The following are a few examples (drilling down to a single test):

python runtests.py apps.dot_ext.tests

python runtests.py apps.dot_ext.tests.test_templates

python runtests.py apps.dot_ext.tests.test_templates.TestDOTTemplates.test_application_list_template_override

Multiple arguments can be provided too:

python runtests.py apps.dot_ext.tests apps.accounts.tests.test_login

Using this Project

This project is free and open source software under the Apache2 license. You may add additional applications, authentication backends, and styles/themes are not subject to the Apache2 license.

In other words, you or your organization are not in any way prevented from build closed source applications on top of this tool. Applications that you create can be licensed in any way that suits you business or organizational needs. Any 3rd party applications are subject to the license in which they are distributed by their respective authors.

License

This project is free and open source software under the Apache 2 license. See LICENSE for more information.

bluebutton-web-server's People

Contributors

Stargazers

Watchers

bluebutton-web-server's Issues

Add margin/style to logo in application detail page

At a minimum: just add a little space about the image. But we could also potentially add some styles there as well.

hhs_oauth_client mentions load_test_data on server

`python manage.py load_test_data'

Where is this file in the server installation?

Proper URL configuration for oAuth Token Exchange

I was working on a sample application using the go oauth2 client on the backend. Configuration is below:

var (
	config = oauth2.Config{
		ClientID:     "---   CLIENT ID OMMITTED   ---",
		ClientSecret: "--- CLIENT SECRET OMMITTED ---",
		RedirectURL:  "http://localhost:9094/oauth2",
		Scopes:       []string{"profile"},
		Endpoint: oauth2.Endpoint{
			TokenURL: "https://sandbox.bluebutton.cms.gov/v1/o/token",
			AuthURL:  "https://sandbox.bluebutton.cms.gov/v1/o/authorize",
		},
	}
)

I found a minor issue with the way TokenURL is processed by the servers router. When configured like above, a HTTP/405 Method Not Allowed is returned. When adjusted with a trailing "/" (TokenURL: "https://sandbox.bluebutton.cms.gov/v1/o/token/") the token exchange works as expected.

Its my understanding that having a trailing "/" on a URL is only considered different with static content - a file vs a directroy but not for a dynamic endpoint.

This is not an issue with the AuthURL - it works fine with and without the trailing slash.

Select Box Issue in Firefox

The select boxes in forms have some custom styling. They look great in chrome, but poor in Firefox. May also want to see if we can make the background color different from the input to increase contrast/usability.

add contribution guidelines

Add URL pattern mating support to Protected Capability

Add URL pattern mating support to Protected Capability model. For example, something like this could work:

[
["POST", "/fhir/v3/Practitioner"],
["PUT", "/fhir/v3/Practitioner/[id]"],
["POST", "/fhir/v3/Organization"],
["PUT", "/fhir/v3/Organization/[id]"],
["POST", "/npi/v1/update-all/[npi]"],
["POST", "/npi/v1/update-partial/[npi]"],
["GET", "/fhir/v3/metadata"]
]

Perhaps how the pattern format is expressed in the form should simply match how django URLs work. I leave that to you how best to address.

Secondary Footer Bar Question

@ekivemark / @dtisza1 / @whytheplatypus

Quick question. I noticed that there is this secondary gray bar in the footer:

Here is the code for that section:

<div class="row container-fluid">
    <div class="row footer-wrapper panel-footer">
         
         {% if user.is_authenticated %}
         <div class="row-container-fluid" >
            <p class="row-container-fluid footer-small well">
            {{ settings.APPLICATION_TITLE }} is operated by {{settings.ORGANIZATION_TITLE }}. {{settings.DISCLOSURE_TEXT}}
            </p>
         </div>
         {% endif %}
             {% if user.is_superuser %}
                    {% if settings.ALLOWED_HOSTS %}<div class="ds ds-l-row ds-u-fill--gray-lightest ds-u-font-size--small">{{ settings.ALLOWED_HOSTS|last }}</div>
                    {% endif %}
             {% else %}
                    {% if settings.DEBUG %}
                       <div class="ds ds-l-row ds-u-fill--gray-lightest ds-u-font-style--italic ds-u-font-size--small">{{ settings.ALLOWED_HOSTS|last }}</div>
                    {% endif %}
             {% endif %}       

</div><!-- /.container-fluid -->

Basically, I want to know if I can tweak the styling of this bar to make it blend better with the rest of the page. What is the use of this bar? Does this just display info based on app registration information and user permissions?

Any context here would be awesome! If I can clean this up, it will make the Sandbox login page look a lot cleaner.

add documentation for used environment variables

Provide a proper example for a production deployment

Lockdown od Application Creation Screen

Client ID and client secret should not be editable.
Authorization grant type should only be Authorization Code and Explicit.

hhs_oauth_server/settings/local_sample.txt

Does not exist

code is unreachable in the apps/fhir/server/views/history.py

    return FHIR_BACKEND.vread(request, resource_type, id, vid)

    od = OrderedDict()
    od['request_method'] = request.method
    od['interaction_type'] = 'vread'
    od['resource_type'] = resource_type
    od['id'] = id
    od['vid'] = vid
    od['note'] = 'This is only a stub for future implementation'

    return HttpResponse(json.dumps(od, indent=4),
                        content_type='application/json')

The first return makes the code unreachable; please alter the code flow.

fix tests for the fhir package

this is the current stacktrace:

======================================================================
FAIL: test_create_fhir (apps.fhir.server.tests.test_create_view.FHIR_Create_TestCase)
test_fhir_create
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/palazzem/workspaces/videntity/hhs_oauth_server/apps/fhir/server/tests/test_create_view.py", line 83, in test_create_fhir
    self.assertEqual(response.status_code, 201)
AssertionError: 400 != 201

======================================================================
FAIL: test_unauth_interaction_fhir (apps.fhir.server.tests.test_resource_and_interaction_support.FHIR_CheckUnAuthInteraction_TestCase)
test_fhir_create
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/palazzem/workspaces/videntity/hhs_oauth_server/apps/fhir/server/tests/test_resource_and_interaction_support.py", line 53, in test_unauth_interaction_fhir
    self.assertEqual(response.status_code, 403)
AssertionError: 200 != 403

They should be fixed after the settings refactoring; in the meantime I'll flag them as a "failing tests" so that the CI accepts their failures.

We may discuss about these tests later after the next PR.

When editing an application user can select capabilities not allowed by his groups

Oauth flow completes, but not authorized to access resource

I'm trying to set up the environment locally with a small test client, but I can't seem to authenticate. The same code authenticates against the sandbox environment, so I suspect I missed some steps.

I'm working off current master: * 7d711ac (origin/master, master) Merge pull request #497 from CMSgov/develop.

I looked at https://github.com/CMSgov/bluebutton-web-server#setup, but it references a file that doesn't seem to exist (hhs_oauth_server/settings/local_sample.txt), so I'm guessing things have changed since that was written.

Steps I took to set the local instance up:

docker-compose up
From another tab: docker-compose exec web docker-compose/migrate.sh
From another tab: docker-compose exec web python manage.py create_test_user_and_application
Then I logged in locally
Then I made sure the callback URL matched
Then I ran my test client and went through the oauth flow

Test client code:

from requests_oauthlib import OAuth2Session
from flask import Flask, request, redirect, session, url_for
from flask.json import jsonify
import os

app = Flask(__name__)

# https://stackoverflow.com/questions/27785375/testing-flask-oauthlib-locally-without-https
os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'

# This information is obtained upon registration of a new GitHub OAuth
# application here: https://github.com/settings/applications/new
client_id = "R7wsHFuiUzLBvVBkCrViLfQL2vRcyc0LmSuuBpX4"
client_secret = "XXXXX"
authorization_base_url = 'http://localhost:8000/v1/o/authorize/'
token_url = 'http://localhost:8000/v1/o/token/'
redirect_uri = "http://localhost:5000/callback"

#client_id = "Vx5H94QUhKhTd7j2ZeTIgv2WJdZhoshwiod5kiKd"
#client_secret = "XXXXX"
#authorization_base_url = 'https://sandbox.bluebutton.cms.gov/v1/o/authorize/'
#token_url = 'https://sandbox.bluebutton.cms.gov/v1/o/token/'
#redirect_uri = "http://localhost:5000/callback"



@app.route("/")
def demo():
    """Step 1: User Authorization.

    Redirect the user/resource owner to the OAuth provider (i.e. Github)
    using an URL with a few key OAuth parameters.
    """
    app.logger.debug("Step 1: User Authorization.")
    github = OAuth2Session(client_id, redirect_uri=redirect_uri)
    authorization_url, state = github.authorization_url(authorization_base_url)
    app.logger.debug("Authorization URL: %s", authorization_url)

    # State is used to prevent CSRF, keep this for later.
    session['oauth_state'] = state
    app.logger.debug("OAuth State: %s", session['oauth_state'])
    return redirect(authorization_url)


# Step 2: User authorization, this happens on the provider.

@app.route("/callback", methods=["GET"])
def callback():
    """ Step 3: Retrieving an access token.

    The user has been redirected back from the provider to your registered
    callback URL. With this redirection comes an authorization code included
    in the redirect URL. We will use that to obtain an access token.
    """
    app.logger.debug("Step 1: Retrieving Access Token.")
    github = OAuth2Session(client_id, state=session['oauth_state'], redirect_uri=redirect_uri)
    app.logger.debug("Authorization Response: %s", request.url)
    app.logger.debug("Token URL: %s", token_url)
    token = github.fetch_token(token_url, client_secret=client_secret,
                               authorization_response=request.url)

    # At this point you can fetch protected resources but lets save
    # the token and show how this is done from a persisted token
    # in /profile.
    session['oauth_token'] = token
    app.logger.debug("Token: %s", session['oauth_token'])
    print session['oauth_token']

    return redirect(url_for('.profile'))


@app.route("/profile", methods=["GET"])
def profile():
    """Fetching a protected resource using an OAuth 2 token.
    """
    resource_url = 'https://sandbox.bluebutton.cms.gov/v1/connect/userinfo'
    app.logger.debug("Fetching URL: %s with token %s", resource_url, session['oauth_token'])
    github = OAuth2Session(client_id, token=session['oauth_token'], redirect_uri=redirect_uri)
    res = github.get(resource_url)
    app.logger.debug("Resource response code: %s", res.status_code)
    return jsonify(res.json())


if __name__ == "__main__":
    # This allows us to use a plain HTTP callback
    os.environ['DEBUG'] = "1"

    app.secret_key = os.urandom(24)
    app.run(debug=True)

Running invocation and log output:

$ python test_oauth_client.py 
 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 780-654-211
--------------------------------------------------------------------------------
DEBUG in test_oauth_client [test_oauth_client.py:34]:
Step 1: User Authorization.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
DEBUG in test_oauth_client [test_oauth_client.py:37]:
Authorization URL: http://localhost:8000/v1/o/authorize/?response_type=code&client_id=R7wsHFuiUzLBvVBkCrViLfQL2vRcyc0LmSuuBpX4&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fcallback&state=MPvElFptoZKWRajVcNJ4pivLYK3Trw
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
DEBUG in test_oauth_client [test_oauth_client.py:41]:
OAuth State: MPvElFptoZKWRajVcNJ4pivLYK3Trw
--------------------------------------------------------------------------------
127.0.0.1 - - [15/Feb/2018 11:14:28] "GET / HTTP/1.1" 302 -
--------------------------------------------------------------------------------
DEBUG in test_oauth_client [test_oauth_client.py:55]:
Step 1: Retrieving Access Token.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
DEBUG in test_oauth_client [test_oauth_client.py:57]:
Authorization Response: http://localhost:5000/callback?code=aHZ1qCYcHzNjTWf9yJys4GjfL4v5ss&state=MPvElFptoZKWRajVcNJ4pivLYK3Trw
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
DEBUG in test_oauth_client [test_oauth_client.py:58]:
Token URL: http://localhost:8000/v1/o/token/
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
DEBUG in test_oauth_client [test_oauth_client.py:66]:
Token: {u'token_type': u'Bearer', u'patient': u'20140000008325', u'refresh_token': u'lWijMeqxMaxtXPal49oKOiDUp1abV6', u'access_token': u'sample-token-string', u'scope': [u'profile', u'patient/Patient.read', u'patient/ExplanationOfBenefit.read', u'patient/Coverage.read'], u'expires_in': 86219.14765, u'expires_at': 1518797488.542184}
--------------------------------------------------------------------------------
{u'token_type': u'Bearer', u'patient': u'20140000008325', u'refresh_token': u'lWijMeqxMaxtXPal49oKOiDUp1abV6', u'access_token': u'sample-token-string', u'scope': [u'profile', u'patient/Patient.read', u'patient/ExplanationOfBenefit.read', u'patient/Coverage.read'], u'expires_in': 86219.14765, u'expires_at': 1518797488.542184}
127.0.0.1 - - [15/Feb/2018 11:14:29] "GET /callback?code=aHZ1qCYcHzNjTWf9yJys4GjfL4v5ss&state=MPvElFptoZKWRajVcNJ4pivLYK3Trw HTTP/1.1" 302 -
--------------------------------------------------------------------------------
DEBUG in test_oauth_client [test_oauth_client.py:77]:
Fetching URL: https://sandbox.bluebutton.cms.gov/v1/connect/userinfo with token {u'patient': u'20140000008325', u'access_token': u'sample-token-string', u'expires_in': 86219.14765, u'expires_at': 1518797488.542184, u'token_type': u'Bearer', u'scope': [u'profile', u'patient/Patient.read', u'patient/ExplanationOfBenefit.read', u'patient/Coverage.read'], u'refresh_token': u'lWijMeqxMaxtXPal49oKOiDUp1abV6'}
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
DEBUG in test_oauth_client [test_oauth_client.py:80]:
Resource response code: 403
--------------------------------------------------------------------------------
127.0.0.1 - - [15/Feb/2018 11:14:29] "GET /profile HTTP/1.1" 500 -
Traceback (most recent call last):
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1997, in __call__
    return self.wsgi_app(environ, start_response)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1985, in wsgi_app
    response = self.handle_exception(e)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1540, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1614, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1517, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/test_oauth_client.py", line 81, in profile
    return jsonify(res.json())
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/requests/models.py", line 892, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/lib64/python2.7/json/__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python2.7/json/decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib64/python2.7/json/decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
127.0.0.1 - - [15/Feb/2018 11:14:29] "GET /profile?__debugger__=yes&cmd=resource&f=style.css HTTP/1.1" 200 -
127.0.0.1 - - [15/Feb/2018 11:14:29] "GET /profile?__debugger__=yes&cmd=resource&f=jquery.js HTTP/1.1" 200 -
127.0.0.1 - - [15/Feb/2018 11:14:29] "GET /profile?__debugger__=yes&cmd=resource&f=debugger.js HTTP/1.1" 200 -
127.0.0.1 - - [15/Feb/2018 11:14:29] "GET /profile?__debugger__=yes&cmd=resource&f=console.png HTTP/1.1" 200 -
127.0.0.1 - - [15/Feb/2018 11:14:29] "GET /profile?__debugger__=yes&cmd=resource&f=console.png HTTP/1.1" 200 -

Log output from local server:

web_1  | 2018-02-15 16:13:34,751 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:13:34.750845 request    2c38a8e0-126b-11e8-9a1f-0242ac120003  1 /v1/o/applications/1/update/ +0:00:00 
web_1  | 2018-02-15 16:13:34,752 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:13:34.752321 response   2c38a8e0-126b-11e8-9a1f-0242ac120003  2 /v1/o/applications/1/update/ +0:00:00.001476 302 => /v1/accounts/mfa/login?next=/v1/o/applications/1/update/
web_1  | [15/Feb/2018 16:13:34] "GET /v1/o/applications/1/update/ HTTP/1.1" 302 0
web_1  | 2018-02-15 16:13:34,763 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:13:34.763667 request    2c3a96f0-126b-11e8-b547-0242ac120003  1 /v1/accounts/mfa/login +0:00:00 
web_1  | 2018-02-15 16:13:34,786 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:13:34.786530 response   2c3a96f0-126b-11e8-b547-0242ac120003  2 /v1/accounts/mfa/login +0:00:00.022863 200 (7630b)
web_1  | [15/Feb/2018 16:13:34] "GET /v1/accounts/mfa/login?next=/v1/o/applications/1/update/ HTTP/1.1" 200 7630
web_1  | 2018-02-15 16:13:45,374 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:13:45.374379 request    328dabc8-126b-11e8-9d99-0242ac120003  1 /v1/accounts/mfa/login +0:00:00 
web_1  | 2018-02-15 16:13:45,429 INFO [10] hhs_oauth_server.accounts line:129 Successful login from 172.18.0.1
web_1  | 2018-02-15 16:13:45,429 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:13:45.429487 response   328dabc8-126b-11e8-9d99-0242ac120003  2 /v1/accounts/mfa/login +0:00:00.055108 302 => /v1/o/applications/1/update/
web_1  | [15/Feb/2018 16:13:45] "POST /v1/accounts/mfa/login?next=/v1/o/applications/1/update/ HTTP/1.1" 302 0
web_1  | 2018-02-15 16:13:45,434 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:13:45.434474 request    3296d1e4-126b-11e8-b0a7-0242ac120003  1 /v1/o/applications/1/update/ +0:00:00 
web_1  | 2018-02-15 16:13:45,473 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:13:45.473164 response   3296d1e4-126b-11e8-b0a7-0242ac120003  2 /v1/o/applications/1/update/ +0:00:00.038690 200 (13375b)
web_1  | [15/Feb/2018 16:13:45] "GET /v1/o/applications/1/update/ HTTP/1.1" 200 13375
web_1  | 2018-02-15 16:13:54,055 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:13:54.054953 request    37ba3814-126b-11e8-b9f4-0242ac120003  1 /v1/o/applications/1/update/ +0:00:00 
web_1  | 2018-02-15 16:13:54,071 INFO [10] hhs_server.apps.dot_ext.models line:57 fred agreed to https://cmsgov.github.io/bluebutton-developer-help/api-terms-of-use.html for the application TestApp on 2018-02-15 16:13:54.068875+00:00
web_1  | 2018-02-15 16:13:54,073 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:13:54.073842 response   37ba3814-126b-11e8-b9f4-0242ac120003  2 /v1/o/applications/1/update/ +0:00:00.018889 302 => /v1/o/applications/1/
web_1  | [15/Feb/2018 16:13:54] "POST /v1/o/applications/1/update/ HTTP/1.1" 302 0
web_1  | 2018-02-15 16:13:54,076 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:13:54.076671 request    37bd82d0-126b-11e8-a86b-0242ac120003  1 /v1/o/applications/1/ +0:00:00 
web_1  | 2018-02-15 16:13:54,097 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:13:54.097223 response   37bd82d0-126b-11e8-a86b-0242ac120003  2 /v1/o/applications/1/ +0:00:00.020552 200 (10032b)
web_1  | [15/Feb/2018 16:13:54] "GET /v1/o/applications/1/ HTTP/1.1" 200 10032
web_1  | 2018-02-15 16:14:03,619 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:14:03.619136 request    3d6d9936-126b-11e8-9096-0242ac120003  1 /v1/o/authorize/ +0:00:00 
web_1  | 2018-02-15 16:14:03,648 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:14:03.648802 response   3d6d9936-126b-11e8-9096-0242ac120003  2 /v1/o/authorize/ +0:00:00.029666 200 (4431b)
web_1  | [15/Feb/2018 16:14:03] "GET /v1/o/authorize/?response_type=code&client_id=R7wsHFuiUzLBvVBkCrViLfQL2vRcyc0LmSuuBpX4&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fcallback&state=8OAUsepwyvKskuNvbyZdVQCq17bMC8 HTTP/1.1" 200 4431
web_1  | 2018-02-15 16:14:05,182 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:14:05.182018 request    3e5c1354-126b-11e8-8a94-0242ac120003  1 /v1/o/authorize/ +0:00:00 
web_1  | 2018-02-15 16:14:05,197 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:14:05.196985 response   3e5c1354-126b-11e8-8a94-0242ac120003  2 /v1/o/authorize/ +0:00:00.014967 302 => http://localhost:5000/callback?code=ejBtExTJjiCq9LXAsN8of3FEKVefAH&state=8OAUsepwyvKskuNvbyZdVQCq17bMC8
web_1  | [15/Feb/2018 16:14:05] "POST /v1/o/authorize/?response_type=code&client_id=R7wsHFuiUzLBvVBkCrViLfQL2vRcyc0LmSuuBpX4&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fcallback&state=8OAUsepwyvKskuNvbyZdVQCq17bMC8 HTTP/1.1" 302 0
web_1  | 2018-02-15 16:14:05,204 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:14:05.204006 request    3e5f69c8-126b-11e8-a450-0242ac120003  1 /v1/o/token/ +0:00:00 
web_1  | 2018-02-15 16:14:05,226 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:14:05.226129 response   3e5f69c8-126b-11e8-a450-0242ac120003  2 /v1/o/token/ +0:00:00.022123 200 (268b)
web_1  | [15/Feb/2018 16:14:05] "POST /v1/o/token/ HTTP/1.1" 200 268
web_1  | 2018-02-15 16:14:28,202 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:14:28.202332 request    4c14b6b8-126b-11e8-aba2-0242ac120003  1 /v1/o/authorize/ +0:00:00 
web_1  | 2018-02-15 16:14:28,229 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:14:28.229411 response   4c14b6b8-126b-11e8-aba2-0242ac120003  2 /v1/o/authorize/ +0:00:00.027079 200 (4431b)
web_1  | [15/Feb/2018 16:14:28] "GET /v1/o/authorize/?response_type=code&client_id=R7wsHFuiUzLBvVBkCrViLfQL2vRcyc0LmSuuBpX4&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fcallback&state=MPvElFptoZKWRajVcNJ4pivLYK3Trw HTTP/1.1" 200 4431
web_1  | 2018-02-15 16:14:29,462 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:14:29.462081 request    4cd4f874-126b-11e8-b971-0242ac120003  1 /v1/o/authorize/ +0:00:00 
web_1  | 2018-02-15 16:14:29,498 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:14:29.498174 response   4cd4f874-126b-11e8-b971-0242ac120003  2 /v1/o/authorize/ +0:00:00.036093 302 => http://localhost:5000/callback?code=aHZ1qCYcHzNjTWf9yJys4GjfL4v5ss&state=MPvElFptoZKWRajVcNJ4pivLYK3Trw
web_1  | [15/Feb/2018 16:14:29] "POST /v1/o/authorize/?response_type=code&client_id=R7wsHFuiUzLBvVBkCrViLfQL2vRcyc0LmSuuBpX4&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fcallback&state=MPvElFptoZKWRajVcNJ4pivLYK3Trw HTTP/1.1" 302 0
web_1  | 2018-02-15 16:14:29,508 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:14:29.507863 request    4cdbe45e-126b-11e8-b3a2-0242ac120003  1 /v1/o/token/ +0:00:00 
web_1  | 2018-02-15 16:14:29,540 INFO [10] performance.hhs_oauth_server.request_logging line:64 2018-02-15T16:14:29.540167 response   4cdbe45e-126b-11e8-b3a2-0242ac120003  2 /v1/o/token/ +0:00:00.032304 200 (267b)
web_1  | [15/Feb/2018 16:14:29] "POST /v1/o/token/ HTTP/1.1" 200 267

Is there some step I missed to actually get the data from the backing provider? It's strange though, because I'm just trying to get the profile information.

Updating Authorization Page

Display check boxes, defaulted to checked, for each scope being requested by the application. These scopes map to the "slug" in the protected capability. This will allow the end user to decrease the actual scope from requested scope.

Lock down the application creation screen

Issues using developer portal to authorize against sandbox with python oauth client

This may be a problem with my configuration/client, but I've tried to rule that out as best I can.

This is all using the developer portal to authorize.

I'm using the example here: http://requests-oauthlib.readthedocs.io/en/latest/examples/real_world_example.html#real-example. I copied that directly and it worked with github, but when I try to use that same code with the blue button developer sandbox I get this error:

$ python test_oauth_client.py 
 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 780-654-211
127.0.0.1 - - [13/Feb/2018 14:50:37] "GET / HTTP/1.1" 302 -
127.0.0.1 - - [13/Feb/2018 14:50:39] "GET /callback?state=CMFhTJE3spyFfJh9F1dyqVjkuTzmaz&code=XXXXXXXXXXXXXXXX HTTP/1.1" 500 -
Traceback (most recent call last):
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1997, in __call__
    return self.wsgi_app(environ, start_response)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1985, in wsgi_app
    response = self.handle_exception(e)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1540, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1614, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1517, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/test_oauth_client.py", line 56, in callback
    authorization_response=request.url)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/requests_oauthlib/oauth2_session.py", line 244, in fetch_token
    self._client.parse_request_body_response(r.text, scope=self.scope)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 408, in parse_request_body_response
    self.token = parse_token_response(body, scope=scope)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 379, in parse_token_response
    validate_token_parameters(params)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 386, in validate_token_parameters
    raise_from_error(params.get('error'), params)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/errors.py", line 415, in raise_from_error
    raise cls(**kwargs)
InvalidGrantError: (invalid_grant)

I also intermittently get this:

127.0.0.1 - - [13/Feb/2018 14:54:13] "GET / HTTP/1.1" 302 -
127.0.0.1 - - [13/Feb/2018 14:54:15] "GET /callback?state=32e3bRXegRScJgUPDWT3bId4EUQTNK&code=XXXXXXXXXXXXX HTTP/1.1" 500 -
Traceback (most recent call last):
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1997, in __call__
    return self.wsgi_app(environ, start_response)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1985, in wsgi_app
    response = self.handle_exception(e)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1540, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1614, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1517, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/test_oauth_client.py", line 53, in callback
    authorization_response=request.url)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/requests_oauthlib/oauth2_session.py", line 244, in fetch_token
    self._client.parse_request_body_response(r.text, scope=self.scope)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 408, in parse_request_body_response
    self.token = parse_token_response(body, scope=scope)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 379, in parse_token_response
    validate_token_parameters(params)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 386, in validate_token_parameters
    raise_from_error(params.get('error'), params)
  File "/home/sverch/USDS/HHS/repos/bluebutton-web-server/env/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/errors.py", line 415, in raise_from_error
    raise cls(**kwargs)
AccessDeniedError: (access_denied)

I tried to change my client_id and client_secret to something obviously broken, and that caused a different error, so I think those are correct.

Here's the code:

from requests_oauthlib import OAuth2Session
from flask import Flask, request, redirect, session, url_for
from flask.json import jsonify
import os

app = Flask(__name__)

# https://stackoverflow.com/questions/27785375/testing-flask-oauthlib-locally-without-https
os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'

client_id = "XXXX"
client_secret = "XXXX"
authorization_base_url = 'https://sandbox.bluebutton.cms.gov/v1/o/authorize/'
token_url = 'https://sandbox.bluebutton.cms.gov/v1/o/token/'

@app.route("/")
def demo():
    """Step 1: User Authorization.

    Redirect the user/resource owner to the OAuth provider (i.e. Github)
    using an URL with a few key OAuth parameters.
    """
    github = OAuth2Session(client_id)
    authorization_url, state = github.authorization_url(authorization_base_url)

    # State is used to prevent CSRF, keep this for later.
    session['oauth_state'] = state
    return redirect(authorization_url)


# Step 2: User authorization, this happens on the provider.

@app.route("/callback", methods=["GET"])
def callback():
    """ Step 3: Retrieving an access token.

    The user has been redirected back from the provider to your registered
    callback URL. With this redirection comes an authorization code included
    in the redirect URL. We will use that to obtain an access token.
    """

    github = OAuth2Session(client_id, state=session['oauth_state'])
    token = github.fetch_token(token_url, client_secret=client_secret,
                               authorization_response=request.url)

    # At this point you can fetch protected resources but lets save
    # the token and show how this is done from a persisted token
    # in /profile.
    session['oauth_token'] = token

    return redirect(url_for('.profile'))


@app.route("/profile", methods=["GET"])
def profile():
    """Fetching a protected resource using an OAuth 2 token.
    """
    github = OAuth2Session(client_id, token=session['oauth_token'])
    return jsonify(github.get('http://localhost:8000/connect/userinfo').json())


if __name__ == "__main__":
    # This allows us to use a plain HTTP callback
    os.environ['DEBUG'] = "1"

    app.secret_key = os.urandom(24)
    app.run(debug=True)

automate testing through a Continuous Integration system

Probably we're going to use Travis CI

Sandbox Bootstrap Instances for Update/Removal

Instances of Bootstrap in the Django/Sandbox Repo

templates/design_system/include/head.html and templates/design_system/include/foot.html
- This, therefore also implicates /templates/design_system/base.html so I need to find out where that file is being consumed to understand the impact removal would have.
sitestatic/bootstrap
- There seems to be an entire folder here. Can't tell if it could be updated with npm, but it looks like it would have to be updated manually.
/vendor/django-bootstrap-form-3.4.tar.gz
/apps/dot_ext/templates/oauth2_provider/authorize.html - calls bootstrap form
apps/accounts/templates/registration/login.html

It kind of seems like there are a few things going on:

Bootstrap is somehow installed via package or manually in sitestatic - this would potentially involve manual update to those files and templates.
Bootstrap Form - this seems messier and not something I don't think we want to tackle right now, so I need to know if there is a way to just update this.
Other than the form, need to make sure that bootstrap isn't being called anywhere else in our system.

Add Endorsement JWT Badges to Authorization Page

Hey @synasius

Create pages to allow list/add/delete of 0..N Endorsements per Application.
Display Endorsement JWT Badges to Authorization Page

Notes:

See the following:

https://github.com/TransparentHealth/python-poetri
https://github.com/HHSIDEAlab/poet/blob/master/poet_payload_schema.json
https://github.com/HHSIDEAlab/poet

The endorsement model is already defined in the "dot_ext" application, but change if needed.

WARNING: Generate your secret key and set in environment variable: DJANGO_SECRET_KEY
/usr/local/lib/python3.6/site-packages/psycopg2/__init__.py:144: UserWarning: The psycopg2 wheel package will be renamed from release 2.8; in order to keep installing from binary please use "pip install psycopg2-binary" instead. For details see: <http://initd.org/psycopg/docs/install.html#binary-install-from-pypi>.
  """)
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py", line 62, in execute
    return self.cursor.execute(sql)
psycopg2.IntegrityError: insert or update on table "auth_group_permissions" violates foreign key constraint "auth_group_permissio_permission_id_84c5c92e_fk_auth_perm"
DETAIL:  Key (permission_id)=(91) is not present in table "auth_permission".


The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "manage.py", line 22, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python3.6/site-packages/django/core/management/__init__.py", line 364, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python3.6/site-packages/django/core/management/__init__.py", line 356, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/local/lib/python3.6/site-packages/django/core/management/base.py", line 283, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/local/lib/python3.6/site-packages/django/core/management/base.py", line 330, in execute
    output = self.handle(*args, **options)
  File "/usr/local/lib/python3.6/site-packages/django/core/management/commands/loaddata.py", line 69, in handle
    self.loaddata(fixture_labels)
  File "/usr/local/lib/python3.6/site-packages/django/core/management/commands/loaddata.py", line 115, in loaddata
    connection.check_constraints(table_names=table_names)
  File "/usr/local/lib/python3.6/site-packages/django/db/backends/postgresql/base.py", line 243, in check_constraints
    self.cursor().execute('SET CONSTRAINTS ALL IMMEDIATE')
  File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py", line 79, in execute
    return super(CursorDebugWrapper, self).execute(sql, params)
  File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py", line 64, in execute
    return self.cursor.execute(sql, params)
  File "/usr/local/lib/python3.6/site-packages/django/db/utils.py", line 94, in __exit__
    six.reraise(dj_exc_type, dj_exc_value, traceback)
  File "/usr/local/lib/python3.6/site-packages/django/utils/six.py", line 685, in reraise
    raise value.with_traceback(tb)
  File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py", line 62, in execute
    return self.cursor.execute(sql)
django.db.utils.IntegrityError: Problem installing fixtures: insert or update on table "auth_group_permissions" violates foreign key constraint "auth_group_permissio_permission_id_84c5c92e_fk_auth_perm"
DETAIL:  Key (permission_id)=(91) is not present in table "auth_permission".

/usr/local/lib/python3.6/site-packages/psycopg2/__init__.py:144: UserWarning: The psycopg2 wheel package will be renamed from release 2.8; in order to keep installing from binary please use "pip install psycopg2-binary" instead. For details see: <http://initd.org/psycopg/docs/install.html#binary-install-from-pypi>.
  """)
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py", line 62, in execute
    return self.cursor.execute(sql)
psycopg2.IntegrityError: insert or update on table "capabilities_protectedcapability" violates foreign key constraint "capabilities_protect_group_id_b47f3ae0_fk_auth_grou"
DETAIL:  Key (group_id)=(1) is not present in table "auth_group".


The above exception was the direct cause of the following exception:

WARNING: Generate your secret key and set in environment variable: DJANGO_SECRET_KEY
Traceback (most recent call last):
  File "manage.py", line 22, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python3.6/site-packages/django/core/management/__init__.py", line 364, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python3.6/site-packages/django/core/management/__init__.py", line 356, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/local/lib/python3.6/site-packages/django/core/management/base.py", line 283, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/local/lib/python3.6/site-packages/django/core/management/base.py", line 330, in execute
    output = self.handle(*args, **options)
  File "/usr/local/lib/python3.6/site-packages/django/core/management/commands/loaddata.py", line 69, in handle
    self.loaddata(fixture_labels)
  File "/usr/local/lib/python3.6/site-packages/django/core/management/commands/loaddata.py", line 115, in loaddata
    connection.check_constraints(table_names=table_names)
  File "/usr/local/lib/python3.6/site-packages/django/db/backends/postgresql/base.py", line 243, in check_constraints
    self.cursor().execute('SET CONSTRAINTS ALL IMMEDIATE')
  File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py", line 79, in execute
    return super(CursorDebugWrapper, self).execute(sql, params)
  File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py", line 64, in execute
    return self.cursor.execute(sql, params)
  File "/usr/local/lib/python3.6/site-packages/django/db/utils.py", line 94, in __exit__
    six.reraise(dj_exc_type, dj_exc_value, traceback)
  File "/usr/local/lib/python3.6/site-packages/django/utils/six.py", line 685, in reraise
    raise value.with_traceback(tb)
  File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py", line 62, in execute
    return self.cursor.execute(sql)
django.db.utils.IntegrityError: Problem installing fixtures: insert or update on table "capabilities_protectedcapability" violates foreign key constraint "capabilities_protect_group_id_b47f3ae0_fk_auth_grou"
DETAIL:  Key (group_id)=(1) is not present in table "auth_group".

WARNING: Generate your secret key and set in environment variable: DJANGO_SECRET_KEY
/usr/local/lib/python3.6/site-packages/psycopg2/__init__.py:144: UserWarning: The psycopg2 wheel package will be renamed from release 2.8; in order to keep installing from binary please use "pip install psycopg2-binary" instead. For details see: <http://initd.org/psycopg/docs/install.html#binary-install-from-pypi>.
  """)

It looks like some migrations are failing on constraint errors. I'm trying to set everything up locally and havent' tried to use the application yet so I don't yet know the impact of that error.