Rc release 5.8.9 (#2731)

* remove ssn from exported census_employees csv (#2726) * Add strict transport security (#2725) * enables strict transport security * adds specs --------- Co-authored-by: Sri Harsha <sriharsha.poosa@gmail.com> --------- Co-authored-by: Ryan Eddy <44847768+RyanEddyIC@users.noreply.github.com> Co-authored-by: Utkarsh Shukla <utkarsh7989@gmail.com>
health-connector · Jul 30, 2024 · 3c9f406 · 3c9f406
1 parent 155a48c
commit 3c9f406
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 5 deletions.
diff --git a/app/controllers/welcome_controller.rb b/app/controllers/welcome_controller.rb
@@ -1,5 +1,6 @@
 class WelcomeController < ApplicationController
   skip_before_action :require_login
+  before_action :set_cookie_attributes, only: [:index]
 
   def show_hints
     current_user.hints = !current_user.hints
@@ -12,4 +13,11 @@ def index; end
   def form_template
     # created for generic form template access at '/templates/form-template'
   end
+
+  private
+
+  def set_cookie_attributes
+    response.headers['Set-Cookie'] = "_session_id=#{session.id}; SameSite=Strict; Secure=true; HttpOnly"
+    response.headers['Strict-Transport-Security'] = "max-age=31536000; includeSubDomains; preload"
+  end
 end
diff --git a/app/models/census_employee.rb b/app/models/census_employee.rb
@@ -985,7 +985,6 @@ def download_census_employees_roster(employer_profile_id)
         "Middle Name or Initial (optional)",
         "Suffix (optional)",
         "Email Address",
-        "SSN / TIN (Required for EE & enter without dashes)",
         "Date of Birth (MM/DD/YYYY)",
         "Gender",
         "Date of Hire",
@@ -1003,7 +1002,7 @@ def download_census_employees_roster(employer_profile_id)
 
       CSV.generate(headers: true) do |csv|
         csv << (["#{Settings.site.long_name} Employee Census Template"] + 6.times.collect{ "" } + [] + 5.times.collect{ "" } + [])
-        csv << %w[employer_assigned_family_id employee_relationship last_name first_name middle_name name_sfx email ssn dob gender hire_date termination_date is_business_owner benefit_group plan_year kind address_1 address_2 city state zip]
+        csv << %w[employer_assigned_family_id employee_relationship last_name first_name middle_name name_sfx email dob gender hire_date termination_date is_business_owner benefit_group plan_year kind address_1 address_2 city state zip]
         csv << columns
         census_employees_query_criteria(employer_profile_id).each do |rec|
           is_active = rec["benefit_group_assignments"].present? ? rec["benefit_group_assignments"].any?{|bga| (bga["start_on"]..bga["end_on"]).cover?(TimeKeeper.date_of_record)} : false

diff --git a/...nsors/app/controllers/benefit_sponsors/profiles/employers/employer_profiles_controller.rb b/...nsors/app/controllers/benefit_sponsors/profiles/employers/employer_profiles_controller.rb
@@ -104,7 +104,7 @@ def run_eligibility_check
         def export_census_employees
           authorize @employer_profile
           respond_to do |format|
-            format.csv { send_data @employer_profile.census_employees.sorted.to_csv, filename: "#{@employer_profile.legal_name.parameterize.underscore}_census_employees_#{TimeKeeper.date_of_record}.csv" }
+            format.csv { send_data CensusEmployee.download_census_employees_roster(@employer_profile.id), filename: "#{@employer_profile.legal_name.parameterize.underscore}_census_employees_#{TimeKeeper.date_of_record}.csv" }
           end
         end
 

diff --git a/...spec/controllers/benefit_sponsors/profiles/employers/employer_profiles_controller_spec.rb b/...spec/controllers/benefit_sponsors/profiles/employers/employer_profiles_controller_spec.rb
@@ -240,5 +240,20 @@ module BenefitSponsors
         expect(JSON.parse(response.body, symoblize_names: true)).to include("business_rule" => "validated successfully")
       end
     end
+
+    describe "GET export_census_employees", dbclean: :after_each do
+      include_context "setup benefit market with market catalogs and product packages"
+      include_context "setup initial benefit application"
+
+      let(:admin_user) { FactoryBot.create(:user, :with_hbx_staff_role, :person => person)}
+      let(:employer_profile) { abc_profile }
+
+      it "should export cvs" do
+        sign_in(admin_user)
+        get :export_census_employees, params: {employer_profile_id: employer_profile}, format: :csv
+        expect(response).to have_http_status(:success)
+        expect(response).not_to have_content("SSN")
+      end
+    end
   end
 end
diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -50,7 +50,7 @@
   # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  # config.force_ssl = true
+  config.force_ssl = true
 
   # Use the lowest log level to ensure availability of diagnostic information
   # when problems arise.

diff --git a/spec/controllers/welcome_controller_spec.rb b/spec/controllers/welcome_controller_spec.rb
@@ -12,6 +12,12 @@
       it "renders welcome index" do
         expect(response).to render_template("index")
       end
+
+      it "has Cookie attributes" do
+        expect(response.headers["Set-Cookie"]).to match(/SameSite=Strict/)
+        expect(response.headers["Set-Cookie"]).to match(/HttpOnly/)
+        expect(response.headers["Strict-Transport-Security"]).to match(/max-age=31536000; includeSubDomains; preload/)
+      end
     end
 
     context "when not signed in" do
@@ -59,4 +65,4 @@
     get :index
     expect(response).to have_http_status(:success)
   end
-end
+end