Given I am an authenticated and verified bidder
And I have entered a bid
And someone else has entered a lower bid
Then I should be allowed to enter another bid to stay in the competetion

Currently there are controller specs that test database changes and which view is rendered. There have been easy refactoring generated bugs getting through because the views are not being exercised in the tests yet. Also, the typical user story flows are not being captured in the unit tests.

This chore aims to capture user flows and make sure all the views get exercised in the test suite. More than likely controller specs will be eliminated in this process.

Please add the standard LICENSING and CONTRIBUTION files.

As an 18F developer
I "want" Rails
So that I can develop faster, better.

As a site visitor
I want to see a favicon
So that I can quickly understand what site I'm visiting by looking at the browser tab.

Given I am prompted to authenticate myself via github
When I return to the app
Then I should see a form demanding my duns and sam id
And I must enter those details in order for my profile to be saved and to be logged in
And my bidding status will not be approved

Given I am logged in as an admin
And I go to the admin/issues/new page
Then I should see a form for entering new auctions into the app
When I complete the form
Then I will have created a new auction with the details provided

Given I am a non-admin signed in user
When I try to go to the new issues page
Then I will be redirected to home

As an admin,
I want to sign in without being asked to provide a DUNS or SAM number,
So that I don't enter un-needed information.

Given I am an authenticated and approved bidder
And I have posted a bid
And I am the lowest bid
Then I want to see on the issue detail page a clear indication that I am the current winner

Currently you can create auctions, but no edit them.

As a bidder, I want to know what the minimum bid increment is, so that I can bid appropriately.

  1) Security (via Brakeman static code analysis) The site has zero Brakeman security warnings
     Failure/Error: expect(@brakeman_warnings.length).to eq(0), "Expected 0 security warnings, got: \n #{@brakeman_warnings.map(&:to_s)}."
       Expected 0 security warnings, got: 
        ["(High) Redirect - Possible unprotected redirect near line 3 in /Users/alandelevie/micropurchase/app/controllers/authentications_controller.rb: redirect_to(Authenticator.new(request.env[\"omniauth.auth\"], session).perform)"].
     # ./spec/features/security_spec.rb:14:in `block (2 levels) in <top (required)>'

More info: http://brakemanscanner.org/docs/warning_types/redirect/

Read more: https://docs.cloudfoundry.org/buildpacks/ruby/ruby-prod-server.html

Given I have not signed in
Then I should be able to see all the open issues

Given that I'm not registered / have an account,
I see a login link in the header,
which takes me to the registration / "Getting Started" page,
so that I can authorize with GitHub.

Header at home screen:

Registration / Getting Started page:

See https://pages.18f.gov/before-you-ship/ato/

Please re-open this issue if any relevant documentation falls out of date.

As an 18F developer
I want a reliable CI/CD pipeline
So that ...

Given I'm authenticated as an admin (could be anyone in consulting group),
I can manage any models in the database via CRUD operations.

As an admin
I want to be able to receive email from users
So that I can respond to their needs.

Rather than pushing directly to master, can we use pull-requests? I'd love to see (1) pull requests for each change and (2) code reviews

Ensure that the pull request is merged by someone other than the original author.

Given that I am authorized with GitHub,
I want to see my avatar in the Header,
and have a link to "Logout".

MPT3500 was a working title, but we want this whole shebang to be more accessible.

Not for the upcoming sprint, but these are proposed scenarios for the future...

Feature: Avoid split purchases
  The micro-purchase platform should automatically flag situations that pose a risk of split purchases
  The primary concerns are related to similarly scoped requirements or multiple requirements in a short time frame
  To help address, require a review and/or require a heightened "power user" level

Scenario: Multiple requirements within a month get flagged for review
  Given a requirement R for a project repository P
    And R was opened within the past 28 days
  When there is a request to open a new requirement N for P
  Then flag N for review by power user

Scenario: Multiple requirements by non-power-user within 48 hours get flagged for review
  Given a requester Q is not a power user
    And Q has submitted a requirement within the past 48 hours
  When Q requests to open a new requirement N
  Then flag N for review by power user

Obviously, this implies not just the new functionality, but will require some notion of "role" for a given administrative user.

Given I am a logged in admin
And I visit the adming/bidders page
I should see a list of bidders with information
And each bidder should have an indication of whether they have been approved
When I click to approve a bidder
Then I should see that they have been approved
When I click to remove approval from the bidder
Then I should see that they are no longer approved

[Placeholder for micro-purchase]

As a DevOpser
I want to know the architecture and data flows of the application
So that I can mitigate problems during the ATO process.

See https://pages.18f.gov/before-you-ship/ato/.

• What does it do?
• How does it move information around?
• What does it accomplish by doing it?

The documentation should be in the README.

See https://pages.18f.gov/before-you-ship/ato/.

Current mockups here – post a comment if you have feedback on them:

Given I am an authenticated
I should be allowed to enter a bid

Given I have not signed in
And I visit the detail page of an issue
Then I should see a button prompting me to sign in to bid
And when I click it, I should be redirected to github to authenticate
And when I return I should be prompted for my duns and sam id
And when I complete that information, I will finally be redirected to the detail page containing a bid form

Admin data flow

An admin is authenticated via GitHub-provided OAuth (using the omniauth-github gem) and authorized via a whitelist of GitHub user IDs (see GitHub documentation for instructions on obtaining a canonical ID for a GitHub user.) The whitelist is public, version-controlled, and located at config/admins.yml. Only persons who are permitted to have read and write access to all data are included on the whitelist.

Successful authentication results in the creation of a session which stores a unique identifier of the user.
Logging out occurs after a successful GET request to /logout. Logging out results in the destruction of the previously-mentioned session.

The registration data flow describes the process by which both admin and non-admin users register to use the Micropurchase website.

In screen 1, the user is logged out, and clicks on a button taking them to /login. /login is a public-facing page that includes information about registration as well as any terms that must be agreed to before proceeding.

On screen 2, when the user clicks "Authorize with GitHub", they proceed through the GitHub OAuth flow. After granting the Micropurchase OAuth application permission to access public information from their GitHub account (on screen 3), the user is redirected back to the Micropurchase website (screen 4).

If the GitHub ID does not exist at this time in the Micropurchase database, a new user record is created. Screen 4 contains a form where for non-admin users to enter their DUNS number. Upon submission of that form, the DUNS number is saved as part of that user record. A DUNS number is public information. At this stage, there may be validation of the DUNS number. Such validation may include a request to the SAM.gov API to ensure authenticity of the DUNS number and/or to retrieve public information associated with that DUNS number from SAM.gov. This public information may be presented back to the user for confirmation, and this information may be stored in the Micropurchase database as part of the user record.

Once a user has submitted their DUNS number, they may place bids, using the bid data flow described above.

Successful authentication results in the creation of a session which stores a unique identifier of the user.
Logging out occurs after a successful GET request to /logout. Logging out results in the destruction of the previously-mentioned session.

The bid data flow describes the creation of bid records in the database. This diagram assumes a user is already registered and logged in (e.g. authenticated). In screen 1, the user clicks on a an individual auction listing and is taken to screen 2. In screen 2, the user types a bid amount into a form, and clicks submit. The same either page re-renders or the user is redirected to another page. Meanwhile, if the bid amount passes validation checks on the server, a new bid is saved in the database.

The bid list screen displays a list of bids for a given auction. All bid data is considered public and not procurement sensitive. At the discretion of the Micropurchase team, some data (such as identity of the bidder) may be redacted while an auction is currently running. However, all users will be given notice and must consent to the publishing of all bid data (and potentially other usage data) before registering and before bidding. Terms will be consistent and made clear to users. Those terms may change from auction to auction, however, terms will be consistent within each auction. All bidding data will be released when an auction ends.

On /make-bid, each bid must be less than the previous bid.

Adding the commit hook needs to be done by the organization owner. Currently I have the badge setup via my own login. I would really like to get this in our commit process ... and even better I would like to see code coverage too.

http://docs.codeclimate.com/article/222-how-do-i-install-code-climates-github-service-hook
http://docs.codeclimate.com/article/219-setting-up-test-coverage

Flush out the README so that it's clear what's going on here.

What does this software do?
Why is it needed?
What's the micro-purchase experiment?

If one wants to run a local copy of this, how does one do it?

As a site admin
I want CRUD access to each model
So that I can moderate Auctions, Bids, and Users

[A little higher fidelity stories:]

As a site admin
I want to create/edit Auctions from the web UI
So that I can easily add/edit Auctions and not need SSH access to the server

As a site admin
I want to monitor bids from the web UI
So that I can better understand the auctions (e.g. who is bidding, what prices are the bids, etc)

As a site admin
I want to view a list of users
So that I can know who the users are, and
So that I can begin to verify their DUNS numbers

As a site admin
I want to be able to delete abusive users
So that I can maintain the integrity of the Auctions

As a site visitor
I want clear registration and bidding instructions
So that I know if bidding is right for me

• association between GitHub user/org I.D. and DUNS/SAME
• information about all auctions, past and present
• information about all bids, past and present

See https://pages.18f.gov/before-you-ship/ato/

Selected controls will be visible here: #62

See gem repo for details.

See https://pages.18f.gov/before-you-ship/ato/

See e-Manifest's: https://github.com/18F/e-manifest/blob/master/manifest.yml

Given I am not signed in
Then I should be able to click on the detail view for any issue
And I should see details about the current bid

Link to blog post?
Clear feedback or issue tracking system

Given I have signed in as a bidder with github
Then I should see my name and github image in the header

See https://pages.18f.gov/before-you-ship/ato/

If any security issues are identified, please reference this issue and re-open it if the issue is close.

See https://pages.18f.gov/before-you-ship/ato/

None of the views use real data at the moment. We'll use ERB for this.