From 37c47a60567ae55058c1839345c03b8ee506e46f Mon Sep 17 00:00:00 2001
From: Tim Ballard <1425377+timoballard@users.noreply.github.com>
Date: Tue, 31 Oct 2023 14:45:25 -0500
Subject: [PATCH] Set private S3 bucket ACL to "private" (#2663)
* private bucket uses private default ACL
* set private ACL in non-cgov envs
* handle multiple report/workbook file records
* lint
* 404 if file does not exist
---
 backend/audit/file_downloads.py | 19 ++++++++++++++-----
 backend/config/settings.py | 1 +
 backend/report_submission/storages.py | 1 +
 3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/backend/audit/file_downloads.py b/backend/audit/file_downloads.py
index c64668155f..e003d77212 100644
--- a/backend/audit/file_downloads.py
+++ b/backend/audit/file_downloads.py
@@ -2,7 +2,6 @@
 from django.conf import settings
 from django.http import Http404
-from django.shortcuts import get_object_or_404
 from boto3 import client as boto3_client
 from botocore.client import ClientError, Config
@@ -14,11 +13,21 @@
 def get_filename(sac, file_type):
 if file_type == "report":
- file_obj = get_object_or_404(SingleAuditReportFile, sac=sac)
- return f"singleauditreport/{file_obj.filename}"
+ try:
+ file_obj = SingleAuditReportFile.objects.filter(sac=sac).latest(
+ "date_created"
+ )
+ return f"singleauditreport/{file_obj.filename}"
+ except SingleAuditReportFile.DoesNotExist:
+ raise Http404()
 else:
- file_obj = get_object_or_404(ExcelFile, sac=sac, form_section=file_type)
- return f"excel/{file_obj.filename}"
+ try:
+ file_obj = ExcelFile.objects.filter(sac=sac, form_section=file_type).latest(
+ "date_created"
+ )
+ return f"excel/{file_obj.filename}"
+ except ExcelFile.DoesNotExist:
+ raise Http404()
 def file_exists(filename):
diff --git a/backend/config/settings.py b/backend/config/settings.py
index f00d9c9f5e..9ef51f7f8b 100644
--- a/backend/config/settings.py
+++ b/backend/config/settings.py
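Review bot: Both branches of `get_filename` repeat the same filter / `latest("date_created")` / `except ... DoesNotExist` sequence and differ only in the model, the lookup arguments and the key prefix, so a later change to the not-found handling can easily land in one branch and miss the other. Choosing the model, lookup and prefix first and running a single `try` keeps the 404 path in one place. The newest-record-wins rule that replaces the old single-record lookup is not written down anywhere in the function, and a one-line docstring would cover it. The sketch also raises with `from None` so the ORM exception is not chained onto the 404. The whole function body is inside this hunk.

```python
def get_filename(sac, file_type):
    """Return the storage key of the newest matching file record, or raise Http404."""
    if file_type == "report":
        model, prefix = SingleAuditReportFile, "singleauditreport"
        lookup = {"sac": sac}
    else:
        model, prefix = ExcelFile, "excel"
        lookup = {"sac": sac, "form_section": file_type}
    try:
        file_obj = model.objects.filter(**lookup).latest("date_created")
    except model.DoesNotExist:
        raise Http404() from None
    return f"{prefix}/{file_obj.filename}"
```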
@@ -257,6 +257,7 @@
 AWS_S3_PRIVATE_ENDPOINT = os.environ.get(
 "AWS_S3_PRIVATE_ENDPOINT", "http://minio:9000"
 )
+ AWS_PRIVATE_DEFAULT_ACL = "private"
 AWS_S3_ENDPOINT_URL = AWS_S3_PRIVATE_ENDPOINT
diff --git a/backend/report_submission/storages.py b/backend/report_submission/storages.py
index 2acb85004d..e3022a8df1 100644
--- a/backend/report_submission/storages.py
+++ b/backend/report_submission/storages.py
@@ -13,4 +13,5 @@ class S3PrivateStorage(S3Boto3Storage):
 bucket_name = settings.AWS_PRIVATE_STORAGE_BUCKET_NAME
 access_key = settings.AWS_PRIVATE_ACCESS_KEY_ID
 secret_key = settings.AWS_PRIVATE_SECRET_ACCESS_KEY
+ default_acl = settings.AWS_PRIVATE_DEFAULT_ACL
 location = ""
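Review bot: `default_acl = settings.AWS_PRIVATE_DEFAULT_ACL` in `S3PrivateStorage` is evaluated when the class body runs, so every settings branch has to define the name or importing storages.py fails with `AttributeError`. The only settings.py hunk in this commit adds the value next to the `http://minio:9000` endpoint default, which looks like the local / non-cloud.gov branch; whether the other branch already defines it is not visible here. Reading it as `default_acl = getattr(settings, "AWS_PRIVATE_DEFAULT_ACL", "private")` would make the private bucket fall back to the restrictive ACL rather than fail at import when a branch omits the setting. The class body starts above the hunk.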