Merge pull request #130 from bcgov/feature/DIV-1136

Feature/div 1136
5 years ago · e61768aa2b
--- a/.env.example
+++ b/.env.example
@ -26,4 +26,8 @@ EFILING_HUB_CLIENT_SECRET=''
 EFILING_HUB_API_BASE_URL=''
 # BCE ID test accounts for localdev
 EFILING_BCEID=
 EFILING_BCEID=
 # Keycloak settings
 KEYCLOAK_CLIENT_ID=
 KEYCLOAK_CLIENT_SECRET=
--- a/conf/keycloak/realm-export.json
+++ b/conf/keycloak/realm-export.json
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -43,5 +43,20 @@ services:
      - "5005:5001"
    restart: always
  # Keycloak
  keycloak:
    container_name: edivorce-keycloak
    image: jboss/keycloak:9.0.3
    environment:
      DB_VENDOR: H2
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
      KEYCLOAK_IMPORT: /tmp/realm-export.json
    volumes:
      - ./conf/keycloak/realm-export.json:/tmp/realm-export.json
    ports:
      - 8081:8080
    command: ["-Dkeycloak.profile.feature.upload_scripts=enabled"]
 volumes:
  data-redis:
--- a/eDivorce.pyproj
+++ b/eDivorce.pyproj
@ -71,9 +71,7 @@
    <Content Include="edivorce\apps\core\templates\incomplete.html" />
    <Content Include="edivorce\apps\core\templates\intro.html" />
    <Content Include="edivorce\apps\core\templates\legal.html" />
    <Content Include="edivorce\apps\core\templates\localdev\bceid.html" />
    <Content Include="edivorce\apps\core\templates\localdev\debug.html" />
    <Content Include="edivorce\apps\core\templates\localdev\register.html" />
    <Content Include="edivorce\apps\core\templates\login.html" />
    <Content Include="edivorce\apps\core\templates\logout.html" />
    <Content Include="edivorce\apps\core\templates\overview.html" />
@ -139,7 +137,6 @@
    <Compile Include="edivorce\apps\core\context_processors.py" />
    <Compile Include="edivorce\apps\core\decorators.py" />
    <Compile Include="edivorce\apps\core\middleware\basicauth_middleware.py" />
    <Compile Include="edivorce\apps\core\middleware\bceid_middleware.py" />
    <Compile Include="edivorce\apps\core\middleware\__init__.py" />
    <Compile Include="edivorce\apps\core\migrations\0001_initial.py" />
    <Compile Include="edivorce\apps\core\migrations\0002_legalform_order.py" />
@ -179,7 +176,6 @@
    <Compile Include="edivorce\apps\core\utils\user_response.py" />
    <Compile Include="edivorce\apps\core\utils\__init__.py" />
    <Compile Include="edivorce\apps\core\views\api.py" />
    <Compile Include="edivorce\apps\core\views\localdev.py" />
    <Compile Include="edivorce\apps\core\views\main.py" />
    <Compile Include="edivorce\apps\core\views\pdf.py" />
    <Compile Include="edivorce\apps\core\views\styleguide.py" />
--- a/edivorce/apps/core/authenticators.py
+++ b/edivorce/apps/core/authenticators.py
@ -1,22 +0,0 @@
 from rest_framework import authentication
 from edivorce.apps.core.models import BceidUser
 class BCeIDAuthentication(authentication.BaseAuthentication):
    """
    Make the DRF user the BCeID user populated in our middleware, to avoid DRF
    overwriting our user for API calls.
    This relies on our middleware entirely for authentication.
    """
    def authenticate(self, request):
        try:
            request.user = request._user  # pylint: disable=protected-access
        except:
            request.user = request._request.user  # pylint: disable=protected-access
        return (request.user, None)
    def get_user(self, pk):
        return BceidUser.objects.get(pk=pk)
--- a/edivorce/apps/core/decorators.py
+++ b/edivorce/apps/core/decorators.py
@ -9,28 +9,6 @@ from edivorce.apps.core.utils.user_response import get_data_for_user, get_step_r
 base_url = settings.PROXY_BASE_URL + settings.FORCE_SCRIPT_NAME[:-1]
 def bceid_required(function=None):
    """
    View decorator to check if the user is logged in to BCEID
    This decorator has a dependency on bceid_middleware.py
    """
    def _dec(view_func):
        def _view(request, *args, **kwargs):
            if not request.user.is_authenticated:
                return redirect(base_url + '/login')
            return view_func(request, *args, **kwargs)
        _view.__name__ = view_func.__name__
        _view.__dict__ = view_func.__dict__
        _view.__doc__ = view_func.__doc__
        return _view
    return _dec if function is None else _dec(function)
 def intercept(function=None):
    """
    Decorator to redirect to intercept page
@ -75,7 +53,7 @@ def prequal_completed(function=None):
                            return redirect(reverse('prequalification', kwargs={'step': step}))
                    return redirect(reverse('prequalification', kwargs={'step': '01'}))
            else:
                return redirect(base_url + '/login')
                return redirect('oidc_authentication_init')
        _view.__name__ = view_func.__name__
        _view.__dict__ = view_func.__dict__
--- a/edivorce/apps/core/middleware/bceid_middleware.py
+++ b/edivorce/apps/core/middleware/bceid_middleware.py
@ -1,156 +0,0 @@
 import datetime
 from ipaddress import ip_address, ip_network
 from django.conf import settings
 from django.shortcuts import redirect
 from django.utils import timezone
 from django.utils.deprecation import MiddlewareMixin
 from ..models import BceidUser
 login_delta = datetime.timedelta(hours=2)
 class AnonymousUser:
    """
    Anonymous user, present mainly to provide authentication checks in templates
    """
    guid = None
    display_name = ''
    has_accepted_terms = False
    @property
    def is_authenticated(self):
        return False
    @property
    def is_anonymous(self):
        return True
 anonymous_user = AnonymousUser()
 class BceidMiddleware(MiddlewareMixin):  # pylint: disable=too-few-public-methods
    """
    Simple authentication middleware for operating in the BC Government
    OpenShift environment, with SiteMinder integration.
    For our purposes, SiteMinder is configured to add the following headers:
        BCeID:
        - SMGOV_USERGUID
        - SMGOV_USERDISPLAYNAME
        - SM_USER
        BC Services Card:
        - SMGOV_USERGUID
        - SMGOV_GIVENNAMES
        - SMGOV_SURNAME
        - SM_USER
    The first two are provided on pages configured to be protected by
    SiteMinder, which is currently just /login.  When a user goes to the login
    page, if the user is logged in, SiteMinder adds those headers with their
    BCeID values; if they're not logged in, it routes them through its
    login/signup page and then back to the login page, with those headers in
    place.  For unprotected pages, those headers are stripped if present,
    preventing spoofing.
    The third header is populated on every request that's proxied through
    SiteMinder.  For logged in users, it contains their ???; for anonymous
    users, it's empty.
    When we detect authentication by the presence of the first two headers, we
    store those values in the user's session. On all requests, we use them to
    access a local proxy object for the user (available as request.user).  For
    users that are not logged in, an Anonymous User substitute is present.
    In a local development environment, we generate a guid based on the login
    name and treat that guid/login name as guid/display name.
    """
    def process_request(self, request):  # pylint: disable=too-many-branches
        """
        Return None after populating request.user, or necessary redirects.
        If the request is not coming from inside the BC Government data centre,
        redirect the request through the proxy server.
        If the SiteMinder headers are present, indicating the user has just
        authenticated, save those headers to the session.
        Get the user's GUID and display name.  If they're present, and the user
        has authenticated (or we're in a local development environment), add
        the local proxy user to the request; if not, store the anonymous user
        instance.
        """
        # HTTP_SM_USER is available on both secure and unsecure pages.  If it
        # has a value then we know that the user is still logged into BCeID.
        # This is an additional check to make sure we aren't letting users
        # access the site via their session variables after logging out of bceid
        #
        # Note: It's still possible that a user has logged out of one BCeID and
        # logged into another BCeID via www.bceid.ca without clicking the logout
        # link on our app or closing the browser.  This is an extreme edge case,
        # and it's not pragmatic to code against it at this time.
        siteminder_user = request.META.get('HTTP_SM_USER', '')
        is_localdev = settings.DEPLOYMENT_TYPE in ['localdev', 'minishift']
        update_user = False
        using_bc_services_card = False
        guid = request.META.get('HTTP_SMGOV_USERGUID', '')
        given_names = request.META.get('HTTP_SMGOV_GIVENNAMES', '')
        surname = request.META.get('HTTP_SMGOV_SURNAME', '')
        displayname = request.META.get('HTTP_SMGOV_USERDISPLAYNAME', '')
        # HTTP_SMGOV_USERDISPLAYNAME is not included when BC Services Card authentication is used.
        if not displayname and (surname or given_names):
            displayname = "{0} {1}".format(given_names, surname)
            using_bc_services_card = True
        # HTTP_SM_USER is typically '.' when BC Services Card authentication is used.
        if (not siteminder_user or siteminder_user == '.') and given_names and surname:
            siteminder_user = "{0}{1}".format(given_names.split(None, 1)[0], surname)
        if guid:
            request.session['smgov_userguid'] = guid
        else:
            guid = request.session.get('smgov_userguid')
        if displayname:
            request.session['smgov_userdisplayname'] = displayname
        else:
            displayname = request.session.get('smgov_userdisplayname')
        if is_localdev:
            guid = request.session.get('fake_bceid_guid')
            displayname = request.session.get('login_name')
        if guid and (siteminder_user or is_localdev):
            request.user, created = BceidUser.objects.get_or_create(user_guid=guid)
            if created:
                request.session['first_login'] = True
            if siteminder_user:
                if created or not request.user.sm_user:
                    request.user.sm_user = siteminder_user
                    update_user = True
            if request.user.is_bcsc != using_bc_services_card:
                request.user.is_bcsc = using_bc_services_card
                update_user = True
            if request.user.display_name != displayname:
                request.user.display_name = displayname
                update_user = True
            if (request.user.last_login is None or
                    timezone.now() - request.user.last_login > login_delta):
                request.user.last_login = timezone.now()
                update_user = True
            if update_user:
                request.user.save()
        else:
            request.user = anonymous_user
        return None
--- a/edivorce/apps/core/middleware/keycloak.py
+++ b/edivorce/apps/core/middleware/keycloak.py
@ -0,0 +1,39 @@
 from mozilla_django_oidc.auth import OIDCAuthenticationBackend
 from ..models import BceidUser
 class EDivorceKeycloakBackend(OIDCAuthenticationBackend):
    def verify_claims(self, claims):
        verified = super(EDivorceKeycloakBackend, self).verify_claims(claims)
        print(claims)
        return verified
    def create_user(self, claims):
        user = super(EDivorceKeycloakBackend, self).create_user(claims)
        user.first_name = claims.get('given_name', '')
        user.last_name = claims.get('family_name', '')
        user.display_name = "{} {}".format(user.first_name, user.last_name).strip()
        user.sm_user = claims.get('preferred_username', '')
        user.user_guid = claims.get('universal-id', '')
        user.save()
        return user
    def update_user(self, user, claims):
        user.first_name = claims.get('given_name', '')
        user.last_name = claims.get('family_name', '')
        user.display_name = "{} {}".format(user.first_name, user.last_name).strip()
        user.sm_user = claims.get('preferred_username', '')
        user.user_guid = claims.get('universal-id', '')
        user.save()
        return user
    def filter_users_by_claims(self, claims):
        user_guid = claims.get('universal-id')
        if not user_guid:
            return self.UserModel.objects.none()
        return self.UserModel.objects.filter(user_guid=user_guid)
--- a/edivorce/apps/core/migrations/0001_initial.py
+++ b/edivorce/apps/core/migrations/0001_initial.py
@ -3,6 +3,7 @@ from __future__ import unicode_literals
 from django.db import migrations, models
 from django.conf import settings
 import django.utils.timezone
 class Migration(migrations.Migration):
@ -12,6 +13,15 @@ class Migration(migrations.Migration):
    ]
    operations = [
        migrations.CreateModel(
            name='BceidUser',
            fields=[
                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
                ('user_guid', models.CharField(unique=True, max_length=36, db_index=True)),
                ('date_joined', models.DateTimeField(default=django.utils.timezone.now)),
                ('last_login', models.DateTimeField(default=django.utils.timezone.now)),
            ],
        ),        
        migrations.CreateModel(
            name='FormQuestions',
            fields=[
--- a/edivorce/apps/core/migrations/0007_auto_20170210_1702.py
+++ b/edivorce/apps/core/migrations/0007_auto_20170210_1702.py
@ -12,15 +12,6 @@ class Migration(migrations.Migration):
    ]
    operations = [
        migrations.CreateModel(
            name='BceidUser',
            fields=[
                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
                ('user_guid', models.CharField(unique=True, max_length=36, db_index=True)),
                ('date_joined', models.DateTimeField(default=django.utils.timezone.now)),
                ('last_login', models.DateTimeField(default=django.utils.timezone.now)),
            ],
        ),
        migrations.RemoveField(
            model_name='profile',
            name='user',
--- a/edivorce/apps/core/migrations/0020_bceiduser_is_bcsc.py
+++ b/edivorce/apps/core/migrations/0020_bceiduser_is_bcsc.py
@ -0,0 +1,20 @@
 # -*- coding: utf-8 -*-
 # Generated by Django 1.11.29 on 2020-10-15 17:38
 from __future__ import unicode_literals
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ('core', '0019_auto_20191008_2141'),
    ]
    operations = [
        migrations.AddField(
            model_name='bceiduser',
            name='is_bcsc',
            field=models.BooleanField(default=False),
        ),
    ]
--- a/edivorce/apps/core/migrations/0024_auto_20201009_1235.py
+++ b/edivorce/apps/core/migrations/0024_auto_20201009_1235.py
@ -0,0 +1,102 @@
 # Generated by Django 2.2.15 on 2020-10-09 21:12
 import django.contrib.auth.models
 import django.contrib.auth.validators
 from django.db import migrations, models
 import django.utils.timezone
 def set_username(apps, schema_editor):
    Series = apps.get_model('core', 'bceiduser')
    for series in Series.objects.all().iterator():
        series.username = 'user' + str(series.id)
        series.save()
 def reverse_func(apps, schema_editor):
    pass  # code for reverting migration, if any
 class Migration(migrations.Migration):
    dependencies = [
        ('core', '0023_auto_20201006_1314'),
        ('auth', '0011_update_proxy_permissions'),
    ]
    operations = [
        migrations.AlterModelOptions(
            name='bceiduser',
            options={'verbose_name': 'user', 'verbose_name_plural': 'users'},
        ),
        migrations.AlterModelManagers(
            name='bceiduser',
            managers=[
                ('objects', django.contrib.auth.models.UserManager()),
            ],
        ),
        migrations.AddField(
            model_name='bceiduser',
            name='email',
            field=models.EmailField(blank=True, max_length=254, verbose_name='email address'),
        ),
        migrations.AddField(
            model_name='bceiduser',
            name='first_name',
            field=models.CharField(blank=True, max_length=30, verbose_name='first name'),
        ),
        migrations.AddField(
            model_name='bceiduser',
            name='groups',
            field=models.ManyToManyField(blank=True, help_text='The groups this user belongs to. A user will get all permissions granted to each of their groups.', related_name='user_set', related_query_name='user', to='auth.Group', verbose_name='groups'),
        ),
        migrations.AddField(
            model_name='bceiduser',
            name='is_superuser',
            field=models.BooleanField(default=False, help_text='Designates that this user has all permissions without explicitly assigning them.', verbose_name='superuser status'),
        ),
        migrations.AddField(
            model_name='bceiduser',
            name='last_name',
            field=models.CharField(blank=True, max_length=150, verbose_name='last name'),
        ),
        migrations.AddField(
            model_name='bceiduser',
            name='password',
            field=models.CharField(default='', max_length=128, verbose_name='password'),
            preserve_default=False,
        ),
        migrations.AddField(
            model_name='bceiduser',
            name='user_permissions',
            field=models.ManyToManyField(blank=True, help_text='Specific permissions for this user.', related_name='user_set', related_query_name='user', to='auth.Permission', verbose_name='user permissions'),
        ),
        migrations.AddField(
            model_name='bceiduser',
            name='username',
            field=models.CharField(blank=True, default='', max_length=150),
            preserve_default=False,
        ),
        migrations.RunPython(set_username, reverse_func),
        migrations.AlterField(
            model_name='bceiduser',
            name='username',
            field=models.CharField(default='', error_messages={'unique': 'A user with that username already exists.'}, help_text='Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.', max_length=150, unique=True, validators=[django.contrib.auth.validators.UnicodeUsernameValidator()], verbose_name='username'),
            preserve_default=False,
        ),
        migrations.AlterField(
            model_name='bceiduser',
            name='date_joined',
            field=models.DateTimeField(default=django.utils.timezone.now, verbose_name='date joined'),
        ),
        migrations.AlterField(
            model_name='bceiduser',
            name='last_login',
            field=models.DateTimeField(blank=True, null=True, verbose_name='last login'),
        ),
        migrations.AddField(
            model_name='bceiduser',
            name='is_staff',
            field=models.BooleanField(default=False, help_text='Designates whether the user can log into this admin site.', verbose_name='staff status'),
        ),
    ]
--- a/edivorce/apps/core/migrations/0025_remove_bceiduser_is_bcsc.py
+++ b/edivorce/apps/core/migrations/0025_remove_bceiduser_is_bcsc.py
@ -0,0 +1,19 @@
 # Generated by Django 2.2.15 on 2020-10-19 16:42
 from django.db import migrations
 class Migration(migrations.Migration):
    dependencies = [
        ('core', '0024_auto_20201009_1235'),
        ('core', '0024_bceiduser_is_bcsc'),
        ('core', '0020_bceiduser_is_bcsc'),
    ]
    operations = [
        migrations.RemoveField(
            model_name='bceiduser',
            name='is_bcsc',
        ),
    ]
--- a/edivorce/apps/core/models.py
+++ b/edivorce/apps/core/models.py
@ -6,12 +6,13 @@ from django.db.models import F
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.encoding import python_2_unicode_compatible
 from django.contrib.auth.models import AbstractUser
 from edivorce.apps.core import redis
@python_2_unicode_compatible
 class BceidUser(models.Model):
 class BceidUser(AbstractUser):
    """
    BCeID user table
    """
@ -25,21 +26,12 @@ class BceidUser(models.Model):
    sm_user = models.TextField(blank=True)
    """ SiteMinder user value """
    date_joined = models.DateTimeField(default=timezone.now)
    """ First login timestamp """
    last_login = models.DateTimeField(default=timezone.now)
    """ Most recent login timestamp """
    has_seen_orders_page = models.BooleanField(default=False)
    """ Flag for intercept page """
    has_accepted_terms = models.BooleanField(default=False)
    """ Flag for accepting terms of service """
    is_bcsc = models.BooleanField(default=False)
    """ Flag to identify BC Services Card users """
    @property
    def is_authenticated(self):
        return True
@ -48,9 +40,9 @@ class BceidUser(models.Model):
    def is_anonymous(self):
        return False
    is_staff = True
    is_active = True
    @property
    def is_active(self):
        return True
    def has_module_perms(self, *args):
        return True
--- a/edivorce/apps/core/static/css/main.scss
+++ b/edivorce/apps/core/static/css/main.scss
@ -983,12 +983,18 @@ textarea {
 		float: right;
 		margin-top: 16px;
 		a {
 		input[type=submit] {
 			color: #ffffff;
 			background-color: transparent;
 			display: inline;
 			padding: 0;
 			line-height: 1.5;
 			border: none;
 			&:active,
 			&:hover {
 				color: #fcfcfc;
 				text-decoration: underline;
 			}
 		}
 	}
--- a/edivorce/apps/core/templates/base.html
+++ b/edivorce/apps/core/templates/base.html
@ -13,10 +13,10 @@
        <meta name="viewport" content="width=device-width, initial-scale=1">
        {% compress css %}
        <link rel="stylesheet" type="text/css" href="{% static "css/bootstrap.min.css" %}">
        <link rel="stylesheet" type="text/css" href="{% static "css/bootstrap-datepicker3.min.css" %}">
        <link rel="stylesheet" type="text/css" href="{% static "css/font-awesome.min.css" %}">
        <link rel="stylesheet" type="text/css" href="{% sass_src "css/main.scss" %}" />
        <link rel="stylesheet" type="text/css" href="{% static 'css/bootstrap.min.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'css/bootstrap-datepicker3.min.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'css/font-awesome.min.css' %}">
        <link rel="stylesheet" type="text/css" href="{% sass_src 'css/main.scss' %}" />
        {% endcompress %}
        {% block extra_css %}
        {% endblock %}
@ -54,8 +54,12 @@
                        <div class="top_banner-user">
                            {% if request.user.is_authenticated %}
                            <span>
                                {{ request.user.display_name}}
                                &nbsp;&nbsp;|&nbsp;&nbsp; <a href="{% url 'logout' %}">Log out</a>
                                <form action="{% url 'oidc_logout' %}" method="post">
                                    {{ request.user.display_name}}
                                    &nbsp;&nbsp;|&nbsp;&nbsp; 
                                    {% csrf_token %}
                                    <input type="submit" value="Log out">
                                </form>
                            </span>
                            {% endif %}
                        </div>
--- a/edivorce/apps/core/templates/intro.html
+++ b/edivorce/apps/core/templates/intro.html
@ -51,7 +51,7 @@
        <h3>
            Already started completing forms online and want to pick up where you left off?
        </h3>
        <a href="{% url 'login' %}" class="btn btn-primary btn-lg">Returning users</a>
        <a href="{% url 'oidc_authentication_init' %}" class="btn btn-primary btn-lg">Returning users</a>
    </div>
 </div>
 {% endblock %}
--- a/edivorce/apps/core/templates/localdev/bceid.html
+++ b/edivorce/apps/core/templates/localdev/bceid.html
@ -1,155 +0,0 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
    <title>Government of British Columbia</title>
    <meta charset="utf-8"/>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge"/>
    <meta name="keywords" content=""/>
    <meta name="description" content=""/>
    <meta name="Author" content=""/>
    <link rel="icon" href="https://logon7.gov.bc.ca/clp/images/favicon.ico">
    <title>CLP</title>
    <!-- mobile settings -->
    <meta name="viewport"
          content="width=device-width, maximum-scale=1, initial-scale=1, user-scalable=0"/>
    <!-- JAVASCRIPT FILES -->
    <script type="text/javascript" src="https://logon7.gov.bc.ca/clp/plugins/jquery-2.1.4.min.js"></script>
    <script type="text/javascript" src="https://logon7.gov.bc.ca/clp/plugins/bootstrap/js/bootstrap.min.js"></script>
    <script type="text/javascript" src="https://logon7.gov.bc.ca/clp/plugins/datepicker/js/bootstrap-datepicker.min.js"></script>
    <script type="text/javascript" src="https://logon7.gov.bc.ca/clp/js/common.js"></script>
    <script type="text/javascript" src="https://logon7.gov.bc.ca/clp/js/brandexample.js"></script>
    <script type="text/javascript" src="https://logon7.gov.bc.ca/clp/js/form-validation.js"></script>
    <script type="text/javascript" src="https://logon7.gov.bc.ca/clp/js/footer.js"></script>
    <!-- CORE CSS -->
    <link href="https://logon7.gov.bc.ca/clp/plugins/bootstrap/css/bootstrap.min.css" rel="stylesheet" type="text/css"/>
    <link href="https://logon7.gov.bc.ca/clp/css/font-awesome.css" rel="stylesheet" type="text/css"/>
    <link href="https://logon7.gov.bc.ca/clp/css/main.css" rel="stylesheet" type="text/css"/>
    <link href="https://logon7.gov.bc.ca/clp/plugins/datepicker/css/bootstrap-datepicker3.min.css" rel="stylesheet" type="text/css"/>
 </head>
 <body>
 <div id="wrapper" class="main">
    <header id="bcGov" class="no-gov-brand">
        <div class="container">
            <div class="seperator"></div>
            <div id="login-to" class="site-title">FAKE BCeID LOGIN &ndash; FOR SOFTWARE DEVELOPMENT PURPOSES ONLY</div>
        </div>
    </header>
    <header id="client">
        <div class="container">
            <div>
                <img src="https://logon7.gov.bc.ca/clp/branding/bceid_default_logo.jpg" class="logo" alt=""/>
            </div>
        </div>
    </header>
    <form method="POST" name="login" id="login-form" class="login-bceid-form" novalidate>
        <section class="container">
            <div class="row">
                <div class="col-sm-7 col-md-8">
                    <div class="panel">
                        <div class="panel-heading">
                            Log in with
                            <span id="bceidLogo" class="environment-logo bceid-environment-devv2"></span>
                        </div>
                        <div class="panel-body">
                            <div class="form-element form-group">
                                <label class="control-label label-with-instruction"
                                       for="username">User ID</label>
                                <div class="instruction">Use a Basic BCeID</div>
                                <input name="user" id="username" type="text" size="20" autofocus
                                       class="form-control input-200" autocomplete="off"/>
                            </div>
                            <div class="form-element form-group">
                                <label class="control-label" for="password">Password</label>
                                <input name="password" type="password" class="form-control input-200"
                                       id="password" size="20" autocomplete="off"/>
                            </div>
                            <div class="bg-error hidden">
                                <div class="help-block field-help-block">
                                    <i class="fa fa-fw fa-exclamation-circle"></i><span
                                        class="field-help-text"></span>
                                </div>
                            </div>
                            <div class="login-form-action">
                                <input type="submit" name="btnSubmit" class="btn btn-primary"
                                       value="Continue"/>
                            </div>
                            <div class="forgot">
                                <a href="{% url 'register' %}" class="link-forgot">Forgot your user ID or password?</a>
                            </div>
                        </div>
                    </div>
                    <div class="panel">
                        <div class="panel-body" style="padding-bottom: 15px;">
                            <div>
                                <strong>No account?</strong>
                            </div>
                            <a href="{% url 'register' %}"
                               style="text-decoration: underline; font-size: 16px; font-weight: 600;">Register for a
                                BCeID</a>
                        </div>
                    </div>
                    <div>
                        &#x25C0; <a href="./" class="link-cancel">Cancel
                            and return to localdev</a>
                    </div>
                    <hr class="visible-xs">
                </div>
                <div class="col-sm-5 col-md-4">
                </div>
            </div>
        </section>
    </form>
 </div>
 <footer class="footer-stick-to-bottom">
    <div class="container" id="AccessMessage">
        <div class="row">
            <div class="col-sm-12">
                <p>Access to or unauthorized use of data on this computer system by any person other than the authorized
                    employee(s) or owner(s) of an account is strictly prohibited and may result in legal action against
                    such person.</p>
            </div>
        </div>
    </div>
    <div id="footerWrapper">
        <div class="container">
            <div class="row">
                <div class="col-sm-12">
                    <ul class="inline">
                        <li data-order="1"><a href="http://www.gov.bc.ca/com/disclaimer.html">Disclaimer</a></li>
                        <li data-order="2"><a href="http://www.gov.bc.ca/com/privacy.html">Privacy</a></li>
                        <li data-order="3"><a href="http://www.gov.bc.ca/com/accessibility.html">Accessibility</a></li>
                        <li data-order="4"><a href="http://www.gov.bc.ca/com/copyright.html">Copyright</a></li>
                    </ul>
                </div>
            </div>
        </div>
    </div>
 </footer>
 </body>
 </html>
--- a/edivorce/apps/core/templates/localdev/debug.html
+++ b/edivorce/apps/core/templates/localdev/debug.html
@ -1,16 +0,0 @@
 <html>
 <head>
    <title>Debug</title>
 </head>
 <body>
 {% for k, v in request.META.items %}
    {% if k.isupper %}
        {{ k }} = {{ v }}<br/>
    {% endif %}
 {% endfor %}
 </body>
 </html>
--- a/edivorce/apps/core/templates/localdev/register.html
+++ b/edivorce/apps/core/templates/localdev/register.html
@ -1,17 +0,0 @@
 <html>
 <head>
    <title>Register</title>
 </head>
 <body>
 <h1>localdev registration is not implemented</h1>
 <p>Enter <strong>any user id</strong> with the password <em><strong>divorce</strong></em> to
    simulate a login in your localdev envirommnent.</p>
 <a href="{% url 'login' %}">Goto Login</a>
 </body>
 </html>
--- a/edivorce/apps/core/tests/test_api.py
+++ b/edivorce/apps/core/tests/test_api.py
@ -44,8 +44,8 @@ class MockRedis:
@override_settings(CLAMAV_ENABLED=False)
 class APITest(APITestCase):
    def setUp(self):
        self.user = BceidUser.objects.create(user_guid='1234')
        self.another_user = BceidUser.objects.create(user_guid='5678')
        self.user = _get_or_create_user(user_guid='1234')
        self.another_user = _get_or_create_user(user_guid='5678')
        self.client = APIClient()
        self.default_doc_type = 'MC'
        self.default_party_code = 0
@ -53,10 +53,10 @@ class APITest(APITestCase):
    def test_get_documents(self):
        url = reverse('documents')
        response = self.client.get(url)
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
        response = self.client.post(url, {})
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
        self.client.force_authenticate(self.user)
        response = self.client.get(url)
@ -195,7 +195,7 @@ class APITest(APITestCase):
        url = document.get_file_url()
        response = self.client.get(url)
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
        self.client.force_authenticate(self.another_user)
        response = self.client.get(url)
@ -246,7 +246,7 @@ class APITest(APITestCase):
        url = document.get_file_url()
        response = self.client.delete(url)
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
        self.assertEqual(Document.objects.count(), 1)
        self.client.force_authenticate(self.another_user)
@ -267,7 +267,7 @@ class APITest(APITestCase):
            'rotation': 90
        }
        response = self.client.put(url, data)
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
        self.client.force_authenticate(self.another_user)
        response = self.client.put(url, data)
@ -307,14 +307,12 @@ class APITest(APITestCase):
@mock.patch.object(Redis, 'get', MockRedis.get)
@mock.patch.object(Redis, 'delete', MockRedis.delete)
@mock.patch.object(Redis, 'exists', MockRedis.exists)
@override_settings(AUTHENTICATION_BACKENDS=('edivorce.apps.core.authenticators.BCeIDAuthentication',))
@modify_settings(MIDDLEWARE={'remove': 'edivorce.apps.core.middleware.bceid_middleware.BceidMiddleware', })
 class GraphQLAPITest(GraphQLTestCase):
    GRAPHQL_URL = reverse('graphql')
    def setUp(self):
        self.user = BceidUser.objects.create(user_guid='1234')
        self.another_user = BceidUser.objects.create(user_guid='5678')
        self.user = _get_or_create_user(user_guid='1234')
        self.another_user = _get_or_create_user(user_guid='5678')
        self.default_doc_type = 'MC'
        self.default_party_code = 0
@ -512,3 +510,10 @@ def _create_file(extension='jpg'):
    num_documents = Document.objects.count()
    new_file = SimpleUploadedFile(f'test_file_{num_documents + 1}.{extension}', b'test content')
    return new_file
 def _get_or_create_user(user_guid):
    try:
        return BceidUser.objects.get(user_guid=user_guid)
    except BceidUser.DoesNotExist:
        return BceidUser.objects.create(user_guid=user_guid, username=user_guid)
--- a/edivorce/apps/core/urls.py
+++ b/edivorce/apps/core/urls.py
@ -1,7 +1,7 @@
 from django.conf.urls import url
 from django.urls import path
 from .views import main, system, pdf, api, localdev
 from .views import main, system, pdf, api
 urlpatterns = [
    # url(r'^guide$', styleguide.guide),
@ -13,10 +13,7 @@ urlpatterns = [
    # we add an extra 'x' to the file extension so the siteminder proxy doesn't treat it as an image
    path('api/documents/<doc_type>/<int:party_code>/<filename>x/<int:size>/', api.DocumentView.as_view(), name='document'),
    # url(r'^login/headers$', system.headers),
    url(r'^login$', main.login, name="login"),
    url(r'^bceid$', localdev.bceid, name="bceid"),
    url(r'^signin$', main.signin, name="signin"),
    url(r'^register$', main.register, name="register"),
    url(r'^register_sc$', main.register_sc, name="register_sc"),
    url(r'^logout$', main.logout, name="logout"),
--- a/edivorce/apps/core/views/localdev.py
+++ b/edivorce/apps/core/views/localdev.py
@ -1,32 +0,0 @@
 import uuid
 import binascii
 from encodings.utf_8 import decode
 from django.conf import settings
 from django.shortcuts import render, redirect
 from django.views.decorators.csrf import csrf_exempt
@csrf_exempt
 def bceid(request):
    """ fake bceid login for developer workstation environment """
    if request.method == "POST":
        login_name = request.POST.get('user', '')
        password = request.POST.get('password', '')
        # just in case anyone from the general public discovers the dev server
        # make sure they don't accidentally login and think this is production
        if password.lower() != 'divorce':
            return redirect(settings.PROXY_BASE_URL + settings.FORCE_SCRIPT_NAME[:-1] + '/bceid')
        # convert the login name to a guid
        hex_name = decode(binascii.hexlify(str.encode(login_name)))[0]
        fake_guid = hex_name.rjust(32, '0')
        # save the guid in a session variable
        request.session['login_name'] = login_name
        request.session['fake_bceid_guid'] = fake_guid
        return redirect(settings.PROXY_BASE_URL + settings.FORCE_SCRIPT_NAME[:-1] + '/login')
    else:
        return render(request, 'localdev/bceid.html')
--- a/edivorce/apps/core/views/main.py
+++ b/edivorce/apps/core/views/main.py
@ -4,9 +4,10 @@ from django.conf import settings
 from django.shortcuts import render, redirect
 from django.urls import reverse
 from django.utils import timezone
 from django.contrib.auth.decorators import login_required
 from edivorce.apps.core.utils.derived import get_derived_data
 from ..decorators import bceid_required, intercept, prequal_completed
 from ..decorators import intercept, prequal_completed
 from ..utils.cso_filing import file_documents
 from ..utils.question_step_mapping import list_of_registries
 from ..utils.step_completeness import get_error_dict, get_missed_question_keys, get_step_completeness, is_complete, get_formatted_incomplete_list
@ -24,14 +25,10 @@ def home(request):
    """
    This is the homepage
    """
    # HTTP_SM_USER is available on both unsecure and secure pages.
    # If it has a value then we know the user is logged into BCeID/siteminder
    siteminder_is_authenticated = request.META.get('HTTP_SM_USER', '') != ''
    # if the user is returning from BCeID registration, then log them in to the site
    if siteminder_is_authenticated and request.session.get('went_to_register', False):
    if request.user.is_authenticated and request.session.get('went_to_register', False):
        request.session['went_to_register'] = False
        return redirect(settings.PROXY_BASE_URL + settings.FORCE_SCRIPT_NAME[:-1] + '/login')
        return redirect('oidc_authentication_init')
    return render(request, 'intro.html', context={'hide_nav': True})
@ -71,7 +68,7 @@ def success(request):
        if request.user.is_authenticated:
            return redirect(reverse('overview'))
        else:
            return render(request, 'success.html', context={'register_url': settings.REGISTER_URL,'register_sc_url': settings.REGISTER_SC_URL})
            return render(request, 'success.html', context={'register_url': settings.REGISTER_BCEID_URL,'register_sc_url': settings.REGISTER_BCSC_URL})
    return redirect(reverse('incomplete'))
@ -102,7 +99,7 @@ def register(request):
        return render(request, 'localdev/register.html')
    request.session['went_to_register'] = True
    return redirect(settings.REGISTER_URL)
    return redirect(settings.REGISTER_BCEID_URL)
 def register_sc(request):
    """
@ -112,38 +109,16 @@ def register_sc(request):
        return render(request, 'localdev/register.html')
    request.session['went_to_register'] = True
    return redirect(settings.REGISTER_SC_URL)
 def login(request):
    """
    This page is proxy-protected by Siteminder.  Users who are not
    logged into BCeID will get a login page.  Users who are logged into
    BCeID will be redirected to the dashboard
    """
    if settings.DEPLOYMENT_TYPE in ['localdev', 'minishift'] and not request.session.get('fake_bceid_guid'):
        return redirect(settings.PROXY_BASE_URL + settings.FORCE_SCRIPT_NAME[:-1] + '/bceid')
    return redirect(settings.REGISTER_BCSC_URL)
 def signin(request):
    if not request.user.is_authenticated:
        # Fix for weird siteminder behaviour......
        # If a user is logged into an IDIR then they can see the login page but
        # the SMGOV headers are missing.  If this is the case, then log them out
        # of their IDIR, and redirect them back to here again....
        # FUTURE DEV NOTE: The DC elements of HTTP_SM_USERDN header will tell us
        # exactly how the user is logged in. But it doesn't seem like a very
        # good idea at this time to rely on this magic string.  e.g. CN=Smith\,
        # John,OU=Users,OU=Attorney General,OU=BCGOV,DC=idir,DC=BCGOV
        if request.GET.get('noretry', '') != 'true':
            return redirect(settings.LOGOUT_URL_TEMPLATE % (
                settings.PROXY_BASE_URL,
                settings.FORCE_SCRIPT_NAME[:-1] + '/login%3Fnoretry=true'))
        return render(request, '407.html')
    if timezone.now() - request.user.last_login > datetime.timedelta(minutes=1):
        request.user.last_login = timezone.now()
        request.user.save()
    ## I think Django might be doing this automatically now that we have switched to mozilla-django-oidc?
    #if timezone.now() - request.user.last_login > datetime.timedelta(minutes=1):
    #    request.user.last_login = timezone.now()
    #    request.user.save()
    copy_session_to_db(request, request.user)
@ -164,7 +139,7 @@ def logout(request):
    return response
@bceid_required
@login_required
@prequal_completed
@intercept
 def overview(request):
@ -192,7 +167,7 @@ def overview(request):
    return response
@bceid_required
@login_required
@prequal_completed
 def dashboard_nav(request, nav_step):
    """
@ -212,13 +187,13 @@ def dashboard_nav(request, nav_step):
    return render(request, template_name=template_name, context=responses_dict)
@bceid_required
@login_required
@prequal_completed
 def submit_initial_files(request):
    return _submit_files(request, initial=True)
@bceid_required
@login_required
@prequal_completed
 def submit_final_files(request):
    return _submit_files(request, initial=False)
@ -237,7 +212,7 @@ def _submit_files(request, initial=False):
    return redirect(reverse('dashboard_nav', kwargs={'nav_step': nav_step}), context=responses_dict)
@bceid_required
@login_required
@prequal_completed
 def question(request, step, sub_step=None):
    """
@ -309,7 +284,7 @@ def contact(request):
    return render(request, 'contact-us.html', context={'active_page': 'contact'})
@bceid_required
@login_required
 def intercept_page(request):
    """
    On intercept, show the Orders page to get the requested orders before the
--- a/edivorce/apps/core/views/pdf.py
+++ b/edivorce/apps/core/views/pdf.py
@ -5,10 +5,10 @@ import json
 from django.conf import settings
 from django.http import HttpResponse
 from django.template.loader import render_to_string
 from django.contrib.auth.decorators import login_required
 import requests
 from ..decorators import bceid_required
 from ..models import Document
 from ..utils.derived import get_derived_data
 from ..utils.user_response import get_data_for_user
@ -16,7 +16,7 @@ from ..utils.user_response import get_data_for_user
 EXHIBITS = list('ABCDEFGHIJKLMNOPQRSTUVWXYZ'[::-1])
@bceid_required
@login_required
 def form(request, form_number):
    """ View for rendering PDF's and previews """
@ -111,7 +111,7 @@ def __add_claimant_info(responses, claimant):
    return responses
@bceid_required
@login_required
 def images_to_pdf(request, doc_type, party_code):
    documents = Document.objects.filter(
        bceid_user=request.user, doc_type=doc_type, party_code=party_code)
--- a/edivorce/apps/core/views/system.py
+++ b/edivorce/apps/core/views/system.py
@ -13,10 +13,6 @@ def health(request):  # pylint: disable=unused-argument
    return HttpResponse(Question.objects.count())
 def headers(request):
    return render(request, 'localdev/debug.html')
 def current(request):
    """
    Debug tool usable in dev and test environments, available at /current
--- a/edivorce/apps/poc/urls.py
+++ b/edivorce/apps/poc/urls.py
@ -1,12 +1,12 @@
 from django.conf.urls import url
 from django.contrib.auth.decorators import login_required
 from edivorce.apps.poc import views
 from ..core.decorators import bceid_required
 urlpatterns = [
    url(r'scan', bceid_required(views.UploadScan.as_view()), name="poc-scan"),
    url(r'hub', bceid_required(views.EfilingHubUpload.as_view()), name="poc-hub"),
    url(r'storage/doc/(?P<document_id>\d+)', bceid_required(views.view_document_file), name="poc-storage-download"),
    url(r'storage/delete/(?P<pk>\d+)', bceid_required(views.UploadStorageDelete.as_view()), name="poc-storage-delete"),
    url(r'storage', bceid_required(views.UploadStorage.as_view()), name="poc-storage"),
    url(r'scan', login_required(views.UploadScan.as_view()), name="poc-scan"),
    url(r'hub', login_required(views.EfilingHubUpload.as_view()), name="poc-hub"),
    url(r'storage/doc/(?P<document_id>\d+)', login_required(views.view_document_file), name="poc-storage-download"),
    url(r'storage/delete/(?P<pk>\d+)', login_required(views.UploadStorageDelete.as_view()), name="poc-storage-delete"),
    url(r'storage', login_required(views.UploadStorage.as_view()), name="poc-storage"),
 ]
--- a/edivorce/settings/base.py
+++ b/edivorce/settings/base.py
@ -11,6 +11,8 @@ https://docs.djangoproject.com/en/1.8/ref/settings/
 """
 import os
 from django.urls import reverse_lazy
 from environs import Env
 from unipath import Path
@ -45,6 +47,7 @@ INSTALLED_APPS = (
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'django.contrib.humanize',
    'mozilla_django_oidc',  # Load after auth
    'rest_framework',
    'debug_toolbar',
    'corsheaders',
@ -71,11 +74,16 @@ MIDDLEWARE = (
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'edivorce.apps.core.middleware.bceid_middleware.BceidMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'whitenoise.middleware.WhiteNoiseMiddleware',
 )
 AUTH_USER_MODEL = 'core.BceidUser'
 AUTHENTICATION_BACKENDS = (
    'edivorce.apps.core.middleware.keycloak.EDivorceKeycloakBackend',
 )
 ROOT_URLCONF = 'edivorce.urls'
 TEMPLATES = [
@ -101,7 +109,8 @@ WSGI_APPLICATION = 'wsgi.application'
 # by presence of Basic Auth headers
 REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'edivorce.apps.core.authenticators.BCeIDAuthentication',
        'mozilla_django_oidc.contrib.drf.OIDCAuthentication',
        'rest_framework.authentication.SessionAuthentication'
    ]
 }
@ -117,7 +126,7 @@ LOGGING = {
    'loggers': {
        '': {
            'handlers': ['console'],
            'level': os.getenv('DJANGO_LOG_LEVEL', 'INFO'),
            'level': env('DJANGO_LOG_LEVEL', 'INFO'),
        },
    },
 }
@ -175,10 +184,6 @@ DEBUG_TOOLBAR_CONFIG = {
 SECURE_BROWSER_XSS_FILTER = True
 LOGOUT_URL = '/accounts/logout/'
 # CLAMAV settings
 # eFiling Hub settings
 EFILING_HUB_TOKEN_BASE_URL = env('EFILING_HUB_TOKEN_BASE_URL', 'https://efiling.gov.bc.ca')
 EFILING_HUB_REALM = env('EFILING_HUB_REALM', 'abc')
@ -187,3 +192,12 @@ EFILING_HUB_CLIENT_SECRET = env('EFILING_HUB_CLIENT_SECRET', 'abc')
 EFILING_HUB_API_BASE_URL = env('EFILING_HUB_API_BASE_URL', 'https://efiling.gov.bc.ca')
 EFILING_BCEID = env.dict('EFILING_BCEID', '', subcast=str)
 # Keycloak OpenID Connect settings
 # Provided by mozilla-django-oidc
 LOGIN_URL = reverse_lazy('oidc_authentication_init')
 OIDC_RP_SIGN_ALGO = 'RS256'
 OIDC_RP_SCOPES = 'openid email profile'
 # this is needed to bypass the Keycloak login screen
 OIDC_AUTH_REQUEST_EXTRA_PARAMS = {'kc_idp_hint': 'bceid'}
 OIDC_RP_CLIENT_SECRET = env('KEYCLOAK_CLIENT_SECRET', '')
--- a/edivorce/settings/local.py
+++ b/edivorce/settings/local.py
@ -21,16 +21,14 @@ WEASYPRINT_IMAGE_LOOPBACK = 'http://host.docker.internal:8000'
 WEASYPRINT_CSS_LOOPBACK = WEASYPRINT_IMAGE_LOOPBACK
 DEPLOYMENT_TYPE = 'localdev'
 REGISTER_URL = '#'
 REGISTER_SC_URL ='#'
 REGISTER_BCEID_URL = '#'
 REGISTER_BCSC_URL = '#'
 PROXY_BASE_URL = ''
 SASS_PROCESSOR_ENABLED = True
 SASS_PROCESSOR_ROOT = PROJECT_ROOT + '/edivorce/apps/core/static'
 SASS_OUTPUT_STYLE = 'compressed'
 CORS_ORIGIN_ALLOW_ALL = True
 LOGOUT_URL = '/accounts/logout/'
 # CLAMAV settings
 CLAMAV_ENABLED = env.bool('CLAMAV_ENABLED', True)
 CLAMAV_TCP_PORT = env.int('CLAMAV_TCP_PORT', 3310)
@ -41,3 +39,13 @@ REDIS_HOST = env('REDIS_HOST', 'localhost')
 REDIS_PORT = env.int('REDIS_PORT', 6379)
 REDIS_DB = env('REDIS_DB', '')
 REDIS_PASSWORD = env('REDIS_PASSWORD', '')
 # Keycloak OpenID Connect settings
 # Provided by mozilla-django-oidc
 OIDC_OP_JWKS_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/certs'
 OIDC_OP_AUTHORIZATION_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/auth'
 OIDC_OP_TOKEN_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/token'
 OIDC_OP_USER_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/userinfo'
 OIDC_RP_CLIENT_ID = 'edivorce-app'
 LOGIN_REDIRECT_URL = '/signin'
 LOGOUT_REDIRECT_URL = '/'
--- a/edivorce/settings/openshift.py
+++ b/edivorce/settings/openshift.py
@ -1,5 +1,7 @@
 from mozilla_django_oidc import utils
 from .base import *
 def openshift_db_config():
    '''
    Database config based on the django-ex openshift sample application
@ -45,42 +47,61 @@ COMPRESS_OFFLINE = True
 #
 # See nginx-proxy/conf.d/server.conf for related settings
 #
 DEPLOYMENT_TYPE = os.getenv('ENVIRONMENT_TYPE')
 DEPLOYMENT_TYPE = env('ENVIRONMENT_TYPE', 'unittest')
 PROXY_URL_PREFIX = ''
 PROXY_BASE_URL = os.getenv('PROXY_BASE_URL', 'https://justice.gov.bc.ca')
 if DEPLOYMENT_TYPE in ['dev', 'unittest']:
    DEBUG = True
    # Keycloak OpenID Connect settings
    OIDC_OP_JWKS_ENDPOINT = 'https://sso-dev.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/certs'
    OIDC_OP_AUTHORIZATION_ENDPOINT = 'https://sso-dev.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/auth'
    OIDC_OP_TOKEN_ENDPOINT = 'https://sso-dev.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/token'
    OIDC_OP_USER_ENDPOINT = 'https://sso-dev.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/userinfo'
    OIDC_RP_CLIENT_ID = 'e-divorce-app'
 if DEPLOYMENT_TYPE == 'dev':
    PROXY_URL_PREFIX = os.getenv('PROXY_URL_PREFIX', '/divorce')
    DEBUG = True
    CSRF_COOKIE_AGE = None
    SESSION_COOKIE_AGE = 3600
    REGISTER_URL = 'https://www.test.bceid.ca/directories/bluepages/details.aspx?serviceID=5522'
    REGISTER_SC_URL = 'https://logontest7.gov.bc.ca/clp-cgi/fed/fedLaunch.cgi?partner=fed38&partnerList=fed38&flags=0001:0,7&TARGET=http://dev.justice.gov.bc.ca/divorce/login'
    LOGOUT_URL_TEMPLATE = 'https://logontest7.gov.bc.ca/clp-cgi/logoff.cgi?returl=%s%s&retnow=1'
    LOGOUT_URL = LOGOUT_URL_TEMPLATE % (PROXY_BASE_URL, PROXY_URL_PREFIX)
    REGISTER_BCEID_URL = 'https://www.test.bceid.ca/directories/bluepages/details.aspx?serviceID=5522'
    REGISTER_BCSC_URL = 'https://logontest7.gov.bc.ca/clp-cgi/fed/fedLaunch.cgi?partner=fed38&partnerList=fed38&flags=0001:0,7&TARGET=http://dev.justice.gov.bc.ca/divorce/oidc/authenticate'
 if DEPLOYMENT_TYPE == 'test':
    PROXY_URL_PREFIX = os.getenv('PROXY_URL_PREFIX', '/divorce')
    REGISTER_URL = 'https://www.test.bceid.ca/directories/bluepages/details.aspx?serviceID=5521'
    REGISTER_SC_URL = 'https://logontest7.gov.bc.ca/clp-cgi/fed/fedLaunch.cgi?partner=fed38&partnerList=fed38&flags=0001:0,7&TARGET=http://test.justice.gov.bc.ca/divorce/login'
    LOGOUT_URL_TEMPLATE = 'https://logontest7.gov.bc.ca/clp-cgi/logoff.cgi?returl=%s%s&retnow=1'
    LOGOUT_URL = LOGOUT_URL_TEMPLATE % (PROXY_BASE_URL, PROXY_URL_PREFIX)
    REGISTER_BCEID_URL = 'https://www.test.bceid.ca/directories/bluepages/details.aspx?serviceID=5521'
    REGISTER_BCSC_URL = 'https://logontest7.gov.bc.ca/clp-cgi/fed/fedLaunch.cgi?partner=fed38&partnerList=fed38&flags=0001:0,7&TARGET=http://test.justice.gov.bc.ca/divorce/oidc/authenticate'
    # Keycloak OpenID Connect settings
    OIDC_OP_JWKS_ENDPOINT = 'https://sso-test.pathfinder.gov.bc.ca/auth/realms/XXXXXXXX/protocol/openid-connect/certs'
    OIDC_OP_AUTHORIZATION_ENDPOINT = 'https://sso-test.pathfinder.gov.bc.ca/auth/realms/XXXXXXXX/protocol/openid-connect/auth'
    OIDC_OP_TOKEN_ENDPOINT = 'https://sso-test.pathfinder.gov.bc.ca/auth/realms/XXXXXXXX/protocol/openid-connect/token'
    OIDC_OP_USER_ENDPOINT = 'https://sso-test.pathfinder.gov.bc.ca/auth/realms/XXXXXXXX/protocol/openid-connect/userinfo'
    OIDC_RP_CLIENT_ID = 'XXXXXXXX'
 if DEPLOYMENT_TYPE == 'prod':
    PROXY_URL_PREFIX = os.getenv('PROXY_URL_PREFIX', '/divorce')
    REGISTER_URL = 'https://www.bceid.ca/directories/bluepages/details.aspx?serviceID=5203'
    REGISTER_SC_URL = 'https://logon7.gov.bc.ca/clp-cgi/fed/fedLaunch.cgi?partner=fed49&partnerList=fed49&flags=0001:0,8&TARGET=http://justice.gov.bc.ca/divorce/login'
    LOGOUT_URL_TEMPLATE = 'https://logon7.gov.bc.ca/clp-cgi/logoff.cgi?returl=%s%s&retnow=1'
    LOGOUT_URL = LOGOUT_URL_TEMPLATE % (PROXY_BASE_URL, PROXY_URL_PREFIX)
    REGISTER_BCEID_URL = 'https://www.bceid.ca/directories/bluepages/details.aspx?serviceID=5203'
    REGISTER_BCSC_URL = 'https://logon7.gov.bc.ca/clp-cgi/fed/fedLaunch.cgi?partner=fed49&partnerList=fed49&flags=0001:0,8&TARGET=http://justice.gov.bc.ca/divorce/oidc/authenticate'
    # Keycloak OpenID Connect settings
    OIDC_OP_JWKS_ENDPOINT = 'https://sso.pathfinder.gov.bc.ca/auth/realms/XXXXXXXX/protocol/openid-connect/certs'
    OIDC_OP_AUTHORIZATION_ENDPOINT = 'https://sso.pathfinder.gov.bc.ca/auth/realms/XXXXXXXX/protocol/openid-connect/auth'
    OIDC_OP_TOKEN_ENDPOINT = 'https://sso.pathfinder.gov.bc.ca/auth/realms/XXXXXXXX/protocol/openid-connect/token'
    OIDC_OP_USER_ENDPOINT = 'https://sso.pathfinder.gov.bc.ca/auth/realms/XXXXXXXX/protocol/openid-connect/userinfo'
    OIDC_RP_CLIENT_ID = 'XXXXXXXX'
    # Google Tag Manager (Production)
    GTM_ID = 'GTM-W4Z2SPS'
 if DEPLOYMENT_TYPE == 'minishift':
    DEBUG = True
    REGISTER_URL = '#'
    REGISTER_SC_URL ='#'
    REGISTER_BCEID_URL = '#'
    REGISTER_BCSC_URL = '#'
    PROXY_BASE_URL = ''
    # Keycloak OpenID Connect settings
    OIDC_OP_JWKS_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/certs'
    OIDC_OP_AUTHORIZATION_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/auth'
    OIDC_OP_TOKEN_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/token'
    OIDC_OP_USER_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/userinfo'
 # Internal Relative Urls
 FORCE_SCRIPT_NAME = PROXY_URL_PREFIX + '/'
@ -101,8 +122,8 @@ SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 if DEPLOYMENT_TYPE != 'minishift':
    SESSION_COOKIE_PATH = PROXY_URL_PREFIX
    SESSION_COOKIE_SECURE=True
    CSRF_COOKIE_SECURE=True
    SESSION_COOKIE_SECURE = True
    CSRF_COOKIE_SECURE = True
 # CLAMAV settings
 CLAMAV_ENABLED = True
@ -113,4 +134,17 @@ CLAMAV_TCP_ADDR = os.getenv('CLAMAV_TCP_ADDR', 'clamav')
 REDIS_HOST = os.getenv('REDIS_HOST', 'redis')
 REDIS_PORT = 6379
 REDIS_DB = ''
 REDIS_PASSWORD = os.getenv('REDIS_PASSWORD', '')
 REDIS_PASSWORD = os.getenv('REDIS_PASSWORD', '')
 # Keycloak OpenID Connect settings
 LOGIN_REDIRECT_URL = PROXY_URL_PREFIX + '/signin'
 LOGOUT_REDIRECT_URL = PROXY_URL_PREFIX
 def monkey_absolutify(request, path):
    return PROXY_BASE_URL + path
 # monkey-patching mozilla_django_oidc.utils.absolutify so it doesn't
 # return urls prefixed with 'http://edivorce-django:8080' on OpenShift
 utils.absolutify = monkey_absolutify
--- a/edivorce/urls.py
+++ b/edivorce/urls.py
@ -22,6 +22,8 @@ if settings.ENVIRONMENT in ['localdev', 'minishift']:
    urlpatterns.append(url(r'^404/$', main.page_not_found, {'exception': Exception()}))
    urlpatterns.append(url(r'^500/$', main.server_error))
 urlpatterns.append(url(r'^oidc/', include('mozilla_django_oidc.urls')))
 urlpatterns.append(url(r'^', include('edivorce.apps.core.urls')))
 handler404 = main.page_not_found
--- a/requirements.txt
+++ b/requirements.txt
@ -1,15 +1,18 @@
 -i https://pypi.org/simple
 aniso8601==7.0.0
 beautifulsoup4==4.9.3
 certifi==2020.6.20
 cffi==1.14.2
 chardet==3.0.4
 clamd==1.0.2
 Django==2.2.15
 cryptography==3.1; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'
 django-appconf==1.0.4
 django-compressor==2.4
 django-cors-headers==3.5.0
 django-crispy-forms==1.9.2
 django-debug-toolbar==2.2
 django-sass-processor==0.8
 django==2.2.15
 djangorestframework==3.11.1
 environs==8.0.0
 graphene==2.1.8
@ -18,23 +21,27 @@ graphql-core==2.3.2
 graphql-relay==2.0.1
 gunicorn==20.0.4
 idna==2.10
 josepy==1.4.0; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'
 libsass==0.20.0
 marshmallow==3.7.1
 Pillow==7.2.0
 mozilla-django-oidc==1.2.4
 pillow==7.2.0
 promise==2.3
 psycopg2==2.8.5
 pycparser==2.20; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
 pyopenssl==19.1.0
 python-dotenv==0.14.0
 pytz==2020.1
 rcssmin==1.0.6
 redis==3.5.3
 requests==2.24.0
 rjsmin==1.1.0
 Rx==1.6.1
 rx==1.6.1
 singledispatch==3.4.0.3
 six==1.15.0
 soupsieve==2.0.1
 sqlparse==0.3.1
 Unidecode==1.1.1
 Unipath==1.1
 unidecode==1.1.1
 unipath==1.1
 urllib3==1.25.10
 whitenoise==3.3.1
--- a/vue/src/components/Uploader/Uploader.vue
+++ b/vue/src/components/Uploader/Uploader.vue
@ -32,6 +32,7 @@
        :post-action="postAction"
        :input-id="inputId"
        name="file"
        :headers="{ 'X-CSRFToken': getCSRFToken() }"
        :class="['drop-zone', dragging ? 'dragging' : '']"
        :data="inputKeys"
        @input-file="inputFile"
@ -185,7 +186,7 @@
      },
      pdfURL() {
        return `${this.$parent.proxyRootPath}pdf-images/${this.docType}/${this.party}/`;
      },
      }
    },
    methods: {
      inputFile(newFile, oldFile) {
@ -220,7 +221,7 @@
        // Automatically activate upload after compression completes
        if (newFile && newFile.compressed && !newFile.active) {
          newFile.active = true;
        }        
        }
      },
      inputFilter(newFile, oldFile, prevent) {
        if (newFile && !oldFile) {
@ -249,14 +250,14 @@
              quality: 0.9,
              maxWidth: 3300,
              maxHeight: 3300,
              convertSize: Infinity,           
              convertSize: Infinity,
              success(result) {
                self.$refs.upload.update(newFile, {
                  error: false,
                  file: result,
                  size: result.size,
                  type: result.type,
                  compressed: true
                  compressed: true,
                });
              },
              error(err) {
@ -346,11 +347,12 @@
      remove(file) {
        const urlbase = `${this.$parent.proxyRootPath}api/documents`;
        const encFilename = encodeURIComponent(file.name);
        const token = this.getCSRFToken();
        if (!file.error) {
          // we add an extra 'x' to the file extension so the siteminder proxy doesn't treat it as an image
          const url = `${urlbase}/${this.docType}/${this.party}/${encFilename}x/${file.size}/`;
          axios
            .delete(url)
            .delete(url, { headers: { "X-CSRFToken": token } })
            .then((response) => {
              const pos = this.files.findIndex(
                (f) => f.docType === file.docType && f.size === file.size
@ -410,13 +412,15 @@
      saveMetaData() {
        let allFiles = [];
        this.files.forEach((file) => {
          allFiles.push({
            filename: file.name,
            size: file.size,
            width: file.width,
            height: file.height,
            rotation: rotateFix(file.rotation),
          });
          if (!file.error) {
            allFiles.push({
              filename: file.name,
              size: file.size,
              width: file.width,
              height: file.height,
              rotation: rotateFix(file.rotation),
            });
          }
        });
        const data = {
          docType: this.docType,
@ -440,20 +444,34 @@
          })
          .then((response) => {
            // check for errors in the graphQL response
            this.retries = 0;            
            this.retries = 0;
            if (response.data.errors && response.data.errors.length) {
              response.data.errors.forEach((error) => {
                console.log("error", error.message || error);
                // if there was an error it's probably because the upload isn't finished yet
                // mark the metadata as dirty so it will save metadata again
                this.retries++;
                this.isDirty = true;                
              });
            }
          })
          .catch((error) => {
            this.showError("Error saving metadata");
            console.log("error", error);
            this.retries++;
          });
      },
      getCSRFToken() {
        const name = "csrftoken";
        if (document.cookie && document.cookie !== "") {
          const cookies = document.cookie.split(";");
          for (let i = 0; i < cookies.length; i++) {
            const cookie = cookies[i].trim();
            if (cookie.substring(0, name.length + 1) === name + "=") {
              return decodeURIComponent(cookie.substring(name.length + 1));
            }
          }
        }
        return null;
      }
    },
    created() {