rails_template_18f 0.1.0

data/templates/README.md.tt

@@ -0,0 +1,213 @@
+<%= app_name.titleize %>
+========================
+
+<<TKTK: quick summary of project>>
+
+## Development
+
+If you're new to Rails, see the [Getting Started with Rails](https://guides.rubyonrails.org/getting_started.html)
+guide for an introduction to the framework.
+
+### Local Setup
+
+* Install Ruby <%= @ruby_version %>
+* Install NodeJS <%= @node_version %>
+* Install PostgreSQL: `brew install postgresql`
+  * Add postgres to your PATH if it wasn't done automatically
+  `echo 'export PATH="/usr/local/opt/postgresql/bin:$PATH"' >> ~/.zshrc`
+  * Start the server
+  `brew services start postgresql`
+* Install Ruby dependencies: `bundle install`
+* Install chromedriver for integration tests: `brew install --cask chromedriver`
+  * Chromedriver must be allowed to run. You can either do that by:
+    * The command line: `xattr -d com.apple.quarantine $(which chromedriver)` (this is the only option if you are on Big Sur)
+    * Manually: clicking "allow" when you run the integration tests for the first time and a dialogue opens up
+* Install JS dependencies: `yarn install`
+* Create database: `bundle exec rake db:create`
+* Run migrations: `bundle exec rake db:migrate`
+* Run the server: `bundle exec rails s`
+* Visit the site: http://localhost:3000
+
+### Local Configuration
+
+Environment variables can be set in development using the [dotenv](https://github.com/bkeepers/dotenv) gem.
+
+Consistent but sensitive credentials should be added to `config/credentials.yml.env` by using `$ rails credentials:edit`
+
+Production credentials should be added to `config/credentials/production.yml.env` by using `$ rails credentials:edit --environment production`
+
+Any changes to variables in `.env` that should not be checked into git should be set
+in `.env.local`.
+
+If you wish to override a config globally for the `test` Rails environment you can set it in `.env.test.local`.
+However, any config that should be set on other machines should either go into `.env` or be explicitly set as part
+of the test.
+
+## Security
+
+### Authentication
+
+TBD
+
+### Inline `<script>` and `<style>` security
+
+The system's Content-Security-Policy header prevents `<script>` and `<style>` tags from working without further
+configuration. Use `<%%= javascript_tag nonce: true %>` for inline javascript.
+<% if @adrs %>
+See the [CSP compliant script tag helpers](./doc/adr/0004-rails-csp-compliant-script-tag-helpers.md) ADR for
+more information on setting these up successfully.
+<% end %>
+
+## Internationalization
+
+### Managing locale files
+
+We use the gem `i18n-tasks` to manage locale files. Here are a few common tasks:
+
+Add missing keys across locales:
+```
+$ i18n-tasks missing # shows missing keys
+$ i18n-tasks add-missing # adds missing keys across locale files
+```
+
+Key sorting:
+```
+$ i18n-tasks normalize
+```
+
+Removing unused keys:
+```
+$ i18n-tasks unused # shows unused keys
+$ i18n-tasks remove-unused # removes unused keys across locale files
+```
+
+For more information on usage and helpful rake tasks to manage locale files, see [the documentation](https://github.com/glebm/i18n-tasks#usage).
+
+## Testing
+
+### Running tests
+
+* Tests: `bundle exec rake spec`
+* Ruby linter: `bundle exec rake standard`
+* Accessibility scan: `./bin/pa11y-scan`
+* Dynamic security scan: `./bin/owasp-scan`
+* Ruby static security scan: `bundle exec rake brakeman`
+* Ruby dependency checks: `bundle exec rake bundler:audit`
+* JS dependency checks: `bundle exec rake yarn:audit`
+
+Run everything: `bundle exec rake`
+
+#### Pa11y Scan
+
+When new pages are added to the application, ensure they are added to `./.pa11yci` so that they can be scanned.
+
+### Automatic linting <% if @terraform %>and terraform formatting<% end %>
+
+To enable automatic ruby linting<% if @terraform %> and terraform formatting<% end %> on every `git commit`
+follow the instructions at the top of `.githooks/pre-commit`
+
+## CI/CD
+
+### Deployment
+
+Each environment has dependencies on a PostgreSQL RDS instance managed by cloud.gov.
+See [cloud.gov docs](https://cloud.gov/docs/services/relational-database/) for information on RDS.
+
+#### Staging
+
+<% if !@github_actions && !@circleci_pipeline %>
+<% if @terraform %>
+Follow the instructions in `terraform/README.md` to create the supporting services.
+<% else %>
+Before the first deploy only, create DB service with `cf create-service aws-rds micro-psql <%= app_name %>-rds-staging`
+<% end %>
+`cf push --strategy rolling --vars-file config/deployment/staging.yml --var rails_master_key=$(cat config/master.key)`
+<% end %>
+
+#### Production
+
+<% if !@github_actions && !@circleci_pipeline %>
+<% if @terraform %>
+Follow the instructions in `terraform/README.md` to create the supporting services.
+<% else %>
+Before the first deploy only, create DB service with `cf create-service aws-rds <<SERVICE_PLAN_NAME>> <%= app_name %>-rds-production`
+<% end %>
+`cf push --strategy rolling --vars-file config/deployment/production.yml --var rails_master_key=$(cat config/credentials/production.key)`
+<% end %>
+
+### Configuring ENV variables in cloud.gov
+
+All configuration that needs to be added to the deployed application's ENV should be added to
+the `env:` block in `manifest.yml`
+
+Items that are both **public** and **consistent** across staging and production can be set directly there.
+
+Otherwise, they are set as a `((variable))` within `manifest.yml` and the variable is defined depending on sensitivity:
+
+#### Credentials and other Secrets
+
+#### Non-secrets
+
+Configuration that changes from staging to production, but is public, should be added to `config/deployment/staging.yml` and `config/deployment/production.yml`
+
+<% if @newrelic %>
+## Monitoring with New Relic
+
+The [New Relic Ruby agent](https://docs.newrelic.com/docs/apm/agents/ruby-agent/getting-started/introduction-new-relic-ruby) has been installed for monitoring this application.
+
+The config lives at `config/newrelic.yml`, and points to a [FEDRAMP version of the New Relic service as its host](https://docs.newrelic.com/docs/security/security-privacy/compliance/fedramp-compliant-endpoints/). To access the metrics dashboard, you will need to be connected to VPN.
+
+### Getting started
+
+To get started sending metrics via New Relic APM:
+1. Replace `<APPNAME>` in `config/newrelic.yml` with what is registered for your application in New Relic
+1. Add your New Relic license key to the Rails credentials with key `new_relic_key`.
+1. Comment out the `agent_enabled: false` line in `config/newrelic.yml`
+1. Add the [Javascript snippet provided by New Relic](https://docs.newrelic.com/docs/browser/browser-monitoring/installation/install-browser-monitoring-agent) into `application.html.erb`. It is recommended to vary this based on environment (i.e. include one snippet for staging and another for production).
+<% end %>
+
+<% if @dap %>
+## Analytics
+
+Digital Analytics Program (DAP) code has been included for the Production environment, associated with GSA.
+
+If <%= app_name.titleize %> is for another agency, update the agency line in `app/views/layouts/application.html.erb`
+<% end %>
+
+## Documentation
+
+<% if @adrs %>
+
+Architectural Decision Records (ADR) are stored in `doc/adr`
+To create a new ADR, first install [ADR-tools](https://github.com/npryce/adr-tools) if you don't
+already have it installed.
+* `brew install adr-tools`
+
+Then create the ADR:
+*  `adr new Title Of Architectural Decision`
+
+This will create a new, numbered ADR in the `doc/adr` directory.
+<% end %>
+
+Compliance diagrams are stored in `doc/compliance`. See the README there for more information on
+generating diagram updates.
+
+## Contributing
+
+*This will continue to evolve as the project moves forward.*
+
+* Pull down the most recent main before checking out a branch
+* Write your code<% if @adrs %>
+* If a big architectural decision was made, add an ADR<% end %>
+* Submit a PR
+  * If you added functionality, please add tests.
+  * All tests must pass!
+* Ping the other engineers for a review.
+* At least one approving review is required for merge.
+* Rebase against main before merge to ensure your code is up-to-date!
+* Merge after review.
+  * Squash commits into meaningful chunks of work and ensure that your commit messages convey meaning.
+
+## Story Acceptance
+
+TBD

data/templates/app/assets/images/uswds.js

@@ -0,0 +1,5 @@
+// Glue to find USWDS images with the `image_tag` helper
+
+//= link uswds/dist/img/us_flag_small.png
+//= link uswds/dist/img/icon-dot-gov.svg
+//= link uswds/dist/img/icon-https.svg

data/templates/app/assets/stylesheets/uswds-settings.scss

@@ -0,0 +1,7 @@
+// Point the asset pipline to the correct locations
+$theme-font-path: "uswds/dist/fonts";
+$theme-image-path: "uswds/dist/img";
+
+$theme-show-notifications: false;
+
+// Put your USWDS Theme settings here

data/templates/app/views/application/_banner_lock_icon.html.erb

@@ -0,0 +1,19 @@
+<span class="icon-lock">
+  <svg
+    xmlns="http://www.w3.org/2000/svg"
+    width="52"
+    height="64"
+    viewBox="0 0 52 64"
+    class="usa-banner__lock-image"
+    role="img"
+    aria-labelledby="banner-lock-title banner-lock-description"
+  >
+    <title id="banner-lock-title"><%= t('shared.banner.lock') %></title>
+    <desc id="banner-lock-description"><%= t('shared.banner.locked_padlock') %></desc>
+    <path
+      fill="#000000"
+      fill-rule="evenodd"
+      d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"
+    />
+  </svg>
+</span>

data/templates/app/views/application/_demo_site_banner.html.erb

@@ -0,0 +1,3 @@
+<div class="font-sans-lg padding-y-4 bg-secondary-darker text-white line-height-1 text-center">
+  <%= t('shared.header.demo_banner') %>
+</div>

data/templates/app/views/application/_header.html.erb

@@ -0,0 +1,26 @@
+<div class="usa-overlay"></div>
+<header class="usa-header usa-header--basic">
+  <%= render "application/demo_site_banner" if Rails.configuration.x.show_demo_banner %>
+  <div class="usa-nav-container">
+    <div class="usa-navbar">
+      <div class="usa-logo">
+        <em class="usa-logo__text">
+          <%= link_to t('shared.header.title'), root_path %>
+        </em>
+      </div>
+      <button class="usa-menu-btn"><%= t('shared.header.menu') %></button>
+    </div>
+    <nav aria-label="<%= t('shared.header.primary') %>" class="usa-nav">
+      <button class="usa-nav__close">
+        <%= image_tag "uswds/dist/img/usa-icons/close.svg", role: "img", alt: t('shared.header.close') %>
+      </button>
+      <ul class="usa-nav__primary usa-accordion">
+        <% I18n.available_locales.each do |l| %>
+          <li class="usa-nav__primary-item">
+            <%= format_active_locale(l) %>
+          </li>
+        <% end %>
+      </ul>
+    </nav>
+  </div>
+</header>

data/templates/app/views/application/_usa_banner.html.erb

@@ -0,0 +1,51 @@
+<a class="usa-skipnav" href="#main-content"><%= t('shared.skip_link') %></a>
+
+<section class="usa-banner site-banner" aria-label="<%= t('shared.banner.official_site') %>">
+  <div class="usa-accordion">
+    <header class="usa-banner__header">
+      <div class="usa-banner__inner">
+        <div class="grid-col-auto">
+          <%= image_tag "uswds/dist/img/us_flag_small.png", alt: t('shared.banner.us_flag'), class: "usa-banner__header-flag" %>
+        </div>
+        <div class="grid-col-fill tablet:grid-col-auto">
+          <p class="usa-banner__header-text">
+            <%= t('shared.banner.official_site') %>
+          </p>
+          <p class="usa-banner__header-action" aria-hidden="true">
+            <%= t('shared.banner.how') %>
+          </p>
+        </div>
+        <button
+          class="usa-accordion__button usa-banner__button"
+          aria-expanded="false"
+          aria-controls="gov-banner"
+        >
+          <span class="usa-banner__button-text"><%= t('shared.banner.how') %></span>
+        </button>
+      </div>
+    </header>
+    <div class="usa-banner__content usa-accordion__content" id="gov-banner">
+      <%= javascript_tag nonce: true do %>
+        document.getElementById('gov-banner').setAttribute('hidden', '');
+      <% end %>
+      <div class="grid-row grid-gap-lg">
+        <div class="usa-banner__guidance tablet:grid-col-6">
+          <%= image_tag "uswds/dist/img/icon-dot-gov.svg", role: "img", "aria-hidden": true, class: "usa-banner__icon usa-media-block__img" %>
+          <div class="usa-media-block__body">
+            <strong><%= t('shared.banner.gov_heading') %></strong>
+            <br> <%= t('shared.banner.gov_description_html') %>
+          </div>
+        </div>
+        <div class="usa-banner__guidance tablet:grid-col-6">
+          <%= image_tag "uswds/dist/img/icon-https.svg", role: "img", "aria-hidden": true, class: "usa-banner__icon usa-media-block__img" %>
+          <div class="usa-media-block__body">
+            <p>
+              <strong><%= t('shared.banner.secure_heading') %></strong>
+              <br> <%= t('shared.banner.secure_description_html', lock_icon: render('application/banner_lock_icon')) %>
+            </p>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>

data/templates/bin/owasp-scan

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+usage="
+$0: Run OWASP Zap scan against local server
+
+Usage:
+  $0 -h
+  $0 [-f] [-s]
+
+Options:
+-h: show help and exit
+-f: run full scan
+-s: run with zap2docker-stable docker image
+
+Notes:
+* defaults to running a baseline scan in zap2docker-weekly
+* prerequisites:
+  * db must be running
+  * docker must be running
+  * nothing listening on port 3000
+* script currently only works on macOS
+"
+
+set -e
+
+scan="zap-baseline.py"
+docker_name="owasp/zap2docker-weekly"
+
+while getopts "hfs" opt; do
+  case "$opt" in
+    f)
+      scan="zap-full-scan.py"
+      ;;
+    s)
+      docker_name="owasp/zap2docker-stable"
+      ;;
+    *)
+      echo "$usage"
+      exit 1
+      ;;
+  esac
+done
+
+
+hostname="http://host.docker.internal:3000"
+args="-c zap.conf -I -r zap_report.html"
+cmd="docker run --rm --user root -v $(pwd):/zap/wrk/:rw -t $docker_name $scan -t $hostname $args"
+
+`dirname "$0"`/with-server "$cmd"

data/templates/bin/pa11y-scan

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+# Run a pa11y scan locally in a near-production configuration
+#
+# prerequisits:
+#  * db is running
+#  * no other server is listening on port 3000
+
+
+`dirname "$0"`/with-server "yarn run pa11y-ci"

data/templates/bin/with-server

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+#
+# Run the passed arguments in a near-production configuration
+#
+# prerequisits:
+#  * db is running
+#  * no other server is listening on port 3000
+
+if [[ $# -eq 0 ]]; then
+  echo "You must pass the test to run against the CI environment server"
+  exit 1
+fi
+
+export RAILS_ENV=ci
+
+# ensure assets are properly compiled for CI environment
+bundle exec rake assets:clobber
+bundle exec rake assets:precompile
+
+# run the server
+bundle exec rails server &
+server_pid=$!
+# pause to ensure the server has started
+sleep 5
+
+
+$@
+exit_status=$?
+
+
+# shut down the server and cleanup after ourselves
+bundle exec rake assets:clobber
+kill $server_pid
+
+exit $exit_status

data/templates/browserslistrc

@@ -0,0 +1,5 @@
+# Supported browsers
+> 2%
+last 2 versions
+IE 11
+not dead

data/templates/config/deployment/production.yml

@@ -0,0 +1,3 @@
+env: production
+web_instances: 2
+web_memory: 512M

data/templates/config/deployment/staging.yml

@@ -0,0 +1,3 @@
+env: staging
+web_instances: 1
+web_memory: 512M

data/templates/config/environments/ci.rb

@@ -0,0 +1,10 @@
+require_relative "./production"
+
+Rails.application.configure do
+  config.assets.compile = true
+  config.public_file_server.enabled = true
+
+  logger = ActiveSupport::Logger.new($stdout)
+  logger.formatter = config.log_formatter
+  config.logger = ActiveSupport::TaggedLogging.new(logger)
+end

data/templates/config/environments/staging.rb

@@ -0,0 +1,6 @@
+require_relative "./production"
+
+Rails.application.configure do
+  # insert any staging overrides here
+  config.x.show_demo_banner = true
+end

data/templates/config/locales/en.yml.tt

@@ -0,0 +1,25 @@
+---
+en:
+  shared:
+    banner:
+      gov_description_html: A <strong>.gov</strong> website belongs to an official government organization in the United States.
+      gov_heading: Official websites use .gov
+      how: Here’s how you know
+      lock: Lock
+      locked_padlock: A locked padlock
+      official_site: An official website of the United States government
+      secure_description_html: A <strong>lock</strong> (%{lock_icon}) or <strong>https://</strong> means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
+      secure_heading: Secure .gov websites use HTTPS
+      us_flag: U.S. Flag
+    header:
+      title: <%= app_name.titleize %>
+      menu: Menu
+      close: Close
+      primary: Primary navigation
+      demo_banner: TEST SITE - Do not use real personal information (demo purposes only) - TEST SITE
+    languages:
+      en: English
+      es: Español
+      fr: Français
+      zh: 中文
+    skip_link: Skip to main content

data/templates/config/locales/es.yml

@@ -0,0 +1,19 @@
+---
+es:
+  shared:
+    banner:
+      gov_description_html: Un sitio web <strong>.gov</strong> pertenece a una organización oficial del Gobierno de Estados Unidos.
+      gov_heading: Los sitios web oficiales usan .gov
+      how: Así es como usted puede verificarlo
+      lock: Candado
+      locked_padlock: Candado cerrado
+      official_site: Un sitio oficial del Gobierno de Estados Unidos
+      secure_description_html: Un <strong>candado</strong> (%{lock_icon}) o <strong>https://</strong> significa que usted se conectó de forma segura a un sitio web .gov. Comparta información sensible sólo en sitios web oficiales y seguros.
+      secure_heading: Los sitios web seguros .gov usan HTTPS
+      us_flag: Bandera de Estados Unidos
+    header:
+      menu: Menú
+      close: Cerrar
+      primary: Navegacion primaria
+      demo_banner: SITIO DE PRUEBA - No utilice información personal real (sólo para propósitos de demostración) - SITIO DE PRUEBA
+    skip_link: Salte al contenido principal

data/templates/config/locales/fr.yml

@@ -0,0 +1,22 @@
+---
+fr:
+  shared:
+    banner:
+      gov_description_html: Un site Web <strong>.gov</strong> appartient à une organisation gouvernementale officielle des États-Unis.
+      gov_heading: Les sites Web officiels utilisent .gov
+      how: Voici comment vous savez
+      lock: Verrou
+      locked_padlock: Verrou fermé
+      official_site: Un site web officiel du gouvernement des États-Unis
+      secure_description_html: Un <strong>verrou</strong> (%{lock_icon}) ou
+        <strong>https://</strong> signifie que vous êtes connecté en toute
+        sécurité au site Web .gov. Partagez des informations sensibles
+        uniquement sur des sites Web officiels et sécurisés.
+      secure_heading: Les sites Web sécurisés .gov utilisent HTTPS
+      us_flag: Drapeau américain
+    header:
+      menu: Menu
+      close: Fermer
+      primary: Navigation primaire
+      demo_banner: SITE DE TEST - N’utilisez pas de véritables données personnelles (il s’agit d’une démonstration seulement) - SITE DE TEST
+    skip_link: Passer au contenu principal

data/templates/config/locales/zh.yml

@@ -0,0 +1,16 @@
+---
+zh:
+  shared:
+    banner:
+      gov_description_html: "<strong>“.gov”</strong>网站为美国官方政府组织机构网站。"
+      gov_heading: 官方网站使用“.gov”
+      how: 这里是了解途径
+      lock: 锁
+      locked_padlock: 上锁的挂锁
+      official_site: 美国政府的官方网站
+      secure_description_html: "<strong>锁形图标</strong> (%{lock_icon}) 或 <strong>“https://”</strong>表示您已安全连接到.gov网站。仅在安全的官方网站上分享敏感信息。"
+      secure_heading: 安全的.gov网站使用HTTPS
+      us_flag: 美国国旗
+    header:
+      primary: 主导航
+    skip_link: 跳转到主要内容

data/templates/config/newrelic.yml

@@ -0,0 +1,65 @@
+#
+# This file configures the New Relic Agent.  New Relic monitors Ruby, Java,
+# .NET, PHP, Python, Node, and Go applications with deep visibility and low
+# overhead.  For more information, visit www.newrelic.com.
+#
+# Generated January 12, 2022
+#
+# This configuration file is custom generated for NewRelic Administration
+#
+
+common: &default_settings
+  # Required license key associated with your New Relic account.
+  license_key: <%= Rails.application.credentials.new_relic_key %>
+  # FEDRAMP-specific New Relic host
+  # https://docs.newrelic.com/docs/security/security-privacy/compliance/fedramp-compliant-endpoints/
+  host: 'gov-collector.newrelic.com'
+
+  # Your application name. Renaming here affects where data displays in New
+  # Relic.  For more details, see https://docs.newrelic.com/docs/apm/new-relic-apm/maintenance/renaming-applications
+  app_name: <APPNAME>
+
+  monitor_mode: true
+
+  distributed_tracing:
+    enabled: true
+
+  browser_monitoring:
+    # include js code via partial to comply with CSP settings
+    auto_instrument: false
+
+  # This line disables agent regardless of other settings.
+  # To enable the New Relic agent:
+  # 1) Replace <APPNAME> in this file with the application name you want to show in New Relic
+  # 2) add the New Relic license keys to the appropriate encrypted credentials file(s)
+  # 3) Comment out the line below
+  agent_enabled: false
+
+  # Logging level for log/newrelic_agent.log
+  log_level: info
+
+
+# Environment-specific settings are in this section.
+# RAILS_ENV or RACK_ENV (as appropriate) is used to determine the environment.
+# If your application has other named environments, configure them here.
+development:
+  <<: *default_settings
+  app_name: <APPNAME> (Development)
+
+test:
+  <<: *default_settings
+  # It doesn't make sense to report to New Relic from automated test runs.
+  monitor_mode: false
+
+ci:
+  <<: *default_settings
+  # It doesn't make sense to report to New Relic from automated test runs.
+  monitor_mode: false
+
+staging:
+  <<: *default_settings
+  app_name: <APPNAME> (Staging)
+
+production:
+  <<: *default_settings
+  app_name: <APPNAME> (Production)

data/templates/doc/adr/0001-record-architecture-decisions.md.tt

@@ -0,0 +1,21 @@
+# 1. Record architecture decisions
+
+Date: <%= Date.today.iso8601 %>
+
+## Status
+
+Accepted
+
+## Context
+
+We need to record decisions made on this project.
+
+## Decision
+
+We will use Architecture Decision Records (ADR), as [described by Michael Nygard](http://thinkrelevance.com/blog/2011/11/15/documenting-architecture-decisions).
+
+We will use Nat Pryce's [adr-tools](https://github.com/npryce/adr-tools) to simplify the management of ADRs.
+
+## Consequences
+
+Architectural decisions are available in a consistent format to simplify review for technical and security considerations.

data/templates/doc/adr/0002-initial-architecture-decisions.md.tt

@@ -0,0 +1,24 @@
+# 2. Initial architecture decisions
+
+Date: <%= Date.today.iso8601 %>
+
+## Status
+
+Accepted
+
+## Context
+
+We need to choose the initial language and framework for the <%= app_name %> application.
+
+## Decision
+
+We will use:
+
+* Language: Ruby
+* Framework: Rails with unused frameworks disabled.
+* Unit tests: RSpec
+* Javascript bundler: webpack
+
+## Consequences
+
+Ruby on Rails is a common development environment for the developers on this team, leading to faster development timelines.