Django Admin -> Changes to replace Admin API

[rnovak338]

All changes from #4427 in relation to the Django Admin updates. This PR enhances Django Admin to provide the team more accessibility to enabling tribal access and API keys for users.

1. There is a new staffusers.json file, which dictates access to Django Admin. The only way we can bring in new users is through a PR that manipulates this file. This means we can keep track historically of who gets added/removed from the Django Admin staff list. onboarding.md and offboarding.md have been updated to reflect this change.
2. The roles for Django admin have been reworked to the following three permission types: read-only, helpdesk, and superuser.
3. Two new tables are present in Django Admin (User permissions and Tribal api access key ids) to allow support for helpdesk and superuser privileges to add/remove content. Previously, this was only accessible through the Admin API.
4. Django Admin also has a new Log entries table, which will keep track of any changes made directly through Django Admin. Shown below:

NOTE - this PR does NOT remove any Admin API logic (yet).

How to test

Getting into Django Admin

1. Run docker-clean / docker-first-run make commands.
2. Boot up the application.
3. Authenticate and login using Login.gov.
4. Restart the application (it is scanning the staffusers.json list for users that exist in the auth_users table. However, your account will only populate here if you log into Login.gov at least once. Hence, step 3).
5. Visit localhost:8000/admin and log in. You should be able to get into Django Admin at this point.

Feedback as of 11/26

1. Attempt to create a userpermission using an email that does not exist in the system.
   • Use another email that you can access (but haven't yet logged into).
   • Once it is created, you should NOT see a UUID.
2. Clear the userpermission table, then create a userpermission for your email using caps.
   • This should automatically lowercase your email by the time you save it.
3. Attempt to create a TribalApiAccessKeyId with an uppercase letter email (and use whatever text you'd like for the key_id).
   • This should populate a LOWERCASE email record.
4. Now update either or both of the fields for this new TribalApiAccessKeyId record.
5. Check the new Log entries table and validate that the entire changelog was stored.

PR Checklist: Submitter

• Link to an issue if possible. If there’s no issue, describe what your branch does. Even if there is an issue, a brief description in the PR is still useful.
• List any special steps reviewers have to follow to test the PR. For example, adding a local environment variable, creating a local test file, etc.
• For extra credit, submit a screen recording like this one.
• Make sure you’ve merged main into your branch shortly before creating the PR. (You should also be merging main into your branch regularly during development.)
• Make sure you’ve accounted for any migrations. When you’re about to create the PR, bring up the application locally and then run git status | grep migrations. If there are any results, you probably need to add them to the branch for the PR. Your PR should have only one new migration file for each of the component apps, except in rare circumstances; you may need to delete some and re-run python manage.py makemigrations to reduce the number to one. (Also, unless in exceptional circumstances, your PR should not delete any migration files.)
• Make sure that whatever feature you’re adding has tests that cover the feature. This includes test coverage to make sure that the previous workflow still works, if applicable.
• Make sure the full-submission.cy.js Cypress test passes, if applicable.
• Do manual testing locally. Our tests are not good enough yet to allow us to skip this step. If that’s not applicable for some reason, check this box.
• Verify that no Git surgery was necessary, or, if it was necessary at any point, repeat the testing after it’s finished.
• Once a PR is merged, keep an eye on it until it’s deployed to dev, and do enough testing on dev to verify that it deployed successfully, the feature works as expected, and the happy path for the broad feature area (such as submission) still works.
• Ensure that prior to merging, the working branch is up to date with main and the terraform plan is what you expect.

PR Checklist: Reviewer

• Pull the branch to your local environment and run make docker-clean; make docker-first-run && docker compose up; then run docker compose exec web /bin/bash -c "python manage.py test"
• Manually test out the changes locally, or check this box to verify that it wasn’t applicable in this case.
• Check that the PR has appropriate tests. Look out for changes in HTML/JS/JSON Schema logic that may need to be captured in Python tests even though the logic isn’t in Python.
• Verify that no Git surgery is necessary at any point (such as during a merge party), or, if it was, repeat the testing after it’s finished.

The larger the PR, the stricter we should be about these points.

Pre Merge Checklist: Merger

• Ensure that prior to approving, the terraform plan is what we expect it to be. -/+ resource "null_resource" "cors_header" should be destroying and recreating its self and ~ resource "cloudfoundry_app" "clamav_api" might be updating its sha256 for the fac-file-scanner and fac-av-${ENV} by default.
• Ensure that the branch is up to date with main.
• Ensure that a terraform plan has been recently generated for the pull request.

[github-actions]

Terraform plan for meta

No changes. Your infrastructure matches the configuration.

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

📝 Plan generated in Pull Request Checks #3987

[github-actions]

Terraform plan for dev

Plan: 1 to add, 0 to change, 1 to destroy.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.dev.module.cors.null_resource.cors_header must be replaced
-/+ resource "null_resource" "cors_header" {
!~      id       = "*******************" -> (known after apply)
!~      triggers = { # forces replacement
!~          "always_run" = "2024-11-27T17:55:48Z" -> (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

📝 Plan generated in Pull Request Checks #3987

[James-Paul-Mason]

@rnovak338 I think you meant to request a review from @jperson1

[rnovak338]

@rnovak338 I think you meant to request a review from @jperson1

I requested the whole FAC team so you may have gotten pinged. But yes this is pretty technical, so I just need devs on this

[sambodeme]

Tested successfully, and it worked perfectly!

[danswick]

Couple of notes from discussion with Bobby:

1. You can't add an email address for a user who doesn't hasn't logged in. We probably need to add this functionality.
2. We need to "normalize" email addresses to be all lower-case.
3. Make sure we're adequately logging admin events see:

   FAC/backend/support/api/admin_api_v1_1_1/create_functions.sql

   Line 40 in 12b87aa

   create or replace function admin_api_v1_1_1_functions.log_admin_api_event(event TEXT, meta JSON)

[github-actions]

Package	Line Rate	Branch Rate	Health
.	100%	100%	✔
api	98%	90%	✔
audit	97%	87%	✔
audit.cross_validation	98%	88%	✔
audit.fixtures	84%	50%	❌
audit.intakelib	90%	81%	➖
audit.intakelib.checks	92%	85%	➖
audit.intakelib.common	98%	82%	✔
audit.intakelib.transforms	100%	94%	✔
audit.management.commands	78%	17%	❌
audit.migrations	100%	100%	✔
audit.models	93%	75%	➖
audit.templatetags	100%	100%	✔
audit.views	60%	39%	❌
census_historical_migration	96%	65%	✔
census_historical_migration.migrations	100%	100%	✔
census_historical_migration.sac_general_lib	92%	84%	➖
census_historical_migration.transforms	95%	90%	✔
census_historical_migration.workbooklib	68%	69%	❌
config	76%	31%	❌
curation	100%	100%	✔
curation.curationlib	57%	100%	❌
curation.migrations	100%	100%	✔
dissemination	91%	72%	➖
dissemination.migrations	97%	25%	✔
dissemination.searchlib	74%	64%	❌
dissemination.templatetags	100%	100%	✔
djangooidc	53%	38%	❌
djangooidc.tests	100%	94%	✔
report_submission	93%	88%	➖
report_submission.migrations	100%	100%	✔
report_submission.templatetags	74%	100%	❌
support	91%	63%	➖
support.management.commands	96%	100%	✔
support.migrations	100%	100%	✔
support.models	97%	83%	✔
tools	98%	50%	✔
users	95%	92%	➖
users.fixtures	100%	83%	✔
users.management	100%	100%	✔
users.management.commands	100%	100%	✔
users.migrations	100%	100%	✔
Summary	90% (17335 / 19162)	76% (2161 / 2842)	➖