From da2d8c5df5242309dbb1c485a77b5d5862a454c6 Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Fri, 18 Nov 2022 12:10:59 -0500
Subject: [PATCH 01/38] create latest/vX.X whever we tag.

---
 .github/workflows/release_builds.yml | 78 ++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 .github/workflows/release_builds.yml

diff --git a/.github/workflows/release_builds.yml b/.github/workflows/release_builds.yml
new file mode 100644
index 000000000..783442490
--- /dev/null
+++ b/.github/workflows/release_builds.yml
@@ -0,0 +1,78 @@
+name: Build docker containers on version release
+
+on:
+  push:
+    tags: [ v* ]
+
+jobs:
+  create_frontend_docker_container:
+    runs-on: ubuntu-latest
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: sartography/spiffworkflow-frontend
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v3.0.2
+        with:
+          # Disabling shallow clone is recommended for improving relevancy of reporting in sonarcloud
+          fetch-depth: 0
+      - name: Log in to the Container registry
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Frontend Docker image
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          # this action doesn't seem to respect working-directory so set context
+          context: spiffworkflow-backend
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  create_backend_docker_container:
+    runs-on: ubuntu-latest
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: sartography/spiffworkflow-backend
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v3.0.2
+        with:
+          # Disabling shallow clone is recommended for improving relevancy of reporting in sonarcloud
+          fetch-depth: 0
+      - name: Log in to the Container registry
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Backend Docker image
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          # this action doesn't seem to respect working-directory so set context
+          context: spiffworkflow-backend
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

From 2ec75256e21a390d52aff13962060a5ebc713b97 Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Tue, 22 Nov 2022 13:01:10 -0500
Subject: [PATCH 02/38] Adding connector proxy demo.

---
 .github/workflows/release_builds.yml | 43 ++++++++++++++++++++++++++--
 1 file changed, 41 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release_builds.yml b/.github/workflows/release_builds.yml
index 783442490..c93c96402 100644
--- a/.github/workflows/release_builds.yml
+++ b/.github/workflows/release_builds.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     env:
       REGISTRY: ghcr.io
-      IMAGE_NAME: sartography/spiffworkflow-frontend
+      IMAGE_NAME: sartography/
     permissions:
       contents: read
       packages: write
@@ -30,13 +30,14 @@ jobs:
         id: meta
         uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
         with:
+          context: spiffworkflow-frontend
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       - name: Build and push Frontend Docker image
         uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
         with:
           # this action doesn't seem to respect working-directory so set context
-          context: spiffworkflow-backend
+          context: spiffworkflow-frontend
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
@@ -76,3 +77,41 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+
+ create_demo-proxy:
+    runs-on: ubuntu-latest
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: sartography/connector-proxy-demo
+
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v3.0.2
+        with:
+          # Disabling shallow clone is recommended for improving relevancy of reporting in sonarcloud
+          fetch-depth: 0
+      - name: Log in to the Container registry
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          context: connector-proxy-demo
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push the connector proxy
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          # this action doesn't seem to respect working-directory so set context
+          context: connector-proxy-demo
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

From a5584ec2357f518d90ea97472d7447f53b3b1ea4 Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Tue, 22 Nov 2022 13:12:39 -0500
Subject: [PATCH 03/38] tweeking.

---
 .github/workflows/release_builds.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/release_builds.yml b/.github/workflows/release_builds.yml
index c93c96402..5c6807bd3 100644
--- a/.github/workflows/release_builds.yml
+++ b/.github/workflows/release_builds.yml
@@ -1,6 +1,7 @@
 name: Build docker containers on version release
 
 on:
+  workflow_dispatch
   push:
     tags: [ v* ]
 

From eaa64f3ba87e995ab7b04499baf8c112e5b4a933 Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Tue, 22 Nov 2022 13:13:48 -0500
Subject: [PATCH 04/38] tweeking.

---
 .github/workflows/release_builds.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release_builds.yml b/.github/workflows/release_builds.yml
index 5c6807bd3..eb2457536 100644
--- a/.github/workflows/release_builds.yml
+++ b/.github/workflows/release_builds.yml
@@ -1,7 +1,7 @@
 name: Build docker containers on version release
 
 on:
-  workflow_dispatch
+  workflow_dispatch:
   push:
     tags: [ v* ]
 

From 8cf2aff2961c9500b8d998a16ada1146baa8affb Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Tue, 22 Nov 2022 13:16:01 -0500
Subject: [PATCH 05/38]  avoid running tests while doing builds.

---
 .github/workflows/backend_tests.yml  | 5 +++--
 .github/workflows/frontend_tests.yml | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/backend_tests.yml b/.github/workflows/backend_tests.yml
index deed14483..370af4afb 100644
--- a/.github/workflows/backend_tests.yml
+++ b/.github/workflows/backend_tests.yml
@@ -1,8 +1,9 @@
 name: Backend Tests
 
 on:
-  - push
-  - pull_request
+  - workflow_dispatch
+#  - push
+#  - pull_request
 
 defaults:
   run:
diff --git a/.github/workflows/frontend_tests.yml b/.github/workflows/frontend_tests.yml
index 1bbfdbedc..0cd1d5e74 100644
--- a/.github/workflows/frontend_tests.yml
+++ b/.github/workflows/frontend_tests.yml
@@ -1,8 +1,9 @@
 name: Frontend Tests
 
 on:
-  - push
-  - pull_request
+  - workflow_dispatch
+#  - push
+#  - pull_request
 
 defaults:
   run:

From ef582919bdb20ad4b996ef8f1a62319cc738cc6f Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Tue, 22 Nov 2022 13:17:43 -0500
Subject: [PATCH 06/38] twiddling.

---
 .github/workflows/release_builds.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release_builds.yml b/.github/workflows/release_builds.yml
index eb2457536..d4b9b319a 100644
--- a/.github/workflows/release_builds.yml
+++ b/.github/workflows/release_builds.yml
@@ -79,7 +79,7 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
- create_demo-proxy:
+  create_demo-proxy:
     runs-on: ubuntu-latest
     env:
       REGISTRY: ghcr.io

From fd711cb1b2d5e4b23294e93f4a209d4aca04e00a Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Tue, 22 Nov 2022 13:24:25 -0500
Subject: [PATCH 07/38] updating the action.

---
 .github/workflows/release_builds.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release_builds.yml b/.github/workflows/release_builds.yml
index d4b9b319a..203f9ad72 100644
--- a/.github/workflows/release_builds.yml
+++ b/.github/workflows/release_builds.yml
@@ -1,4 +1,4 @@
-name: Build docker containers on version release
+name: Release Builds
 
 on:
   workflow_dispatch:

From cc4b1a2edd421039425c3fdc89aeec1b5213779f Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Tue, 22 Nov 2022 13:26:28 -0500
Subject: [PATCH 08/38] can I even do this on a branch?

---
 .github/workflows/release_builds.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release_builds.yml b/.github/workflows/release_builds.yml
index 203f9ad72..6767895cf 100644
--- a/.github/workflows/release_builds.yml
+++ b/.github/workflows/release_builds.yml
@@ -78,7 +78,7 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-
+# Is this getting updated, I wonder?
   create_demo-proxy:
     runs-on: ubuntu-latest
     env:

From e8a6d1cf21b64161c428941bbbae9ab4167b582b Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Tue, 22 Nov 2022 13:28:01 -0500
Subject: [PATCH 09/38] Getting the darn thing to trigger.

---
 .github/workflows/release_builds.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release_builds.yml b/.github/workflows/release_builds.yml
index 6767895cf..0e0ec655c 100644
--- a/.github/workflows/release_builds.yml
+++ b/.github/workflows/release_builds.yml
@@ -1,9 +1,10 @@
 name: Release Builds
 
 on:
-  workflow_dispatch:
-  push:
-    tags: [ v* ]
+  - workflow_dispatch
+  - push
+#  push:
+#    tags: [ v* ]
 
 jobs:
   create_frontend_docker_container:

From 5c3fe94375674bb0ad45a996ea1468e3bddc7317 Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Tue, 22 Nov 2022 13:29:12 -0500
Subject: [PATCH 10/38] Just do it on tags.

---
 .github/workflows/release_builds.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release_builds.yml b/.github/workflows/release_builds.yml
index 0e0ec655c..adc890ef4 100644
--- a/.github/workflows/release_builds.yml
+++ b/.github/workflows/release_builds.yml
@@ -1,10 +1,8 @@
 name: Release Builds
 
 on:
-  - workflow_dispatch
-  - push
-#  push:
-#    tags: [ v* ]
+  push:
+    tags: [ v* ]
 
 jobs:
   create_frontend_docker_container:

From 8c3be88e57bd6739cbb073e7d690fe74922c0931 Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Tue, 22 Nov 2022 13:32:57 -0500
Subject: [PATCH 11/38] more tweaking

---
 .github/workflows/release_builds.yml          |  2 +-
 connector-proxy-demo/Dockerfile               | 28 +++++++++++++++++++
 .../bin/boot_server_in_docker                 | 19 +++++++++++++
 3 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 connector-proxy-demo/Dockerfile
 create mode 100755 connector-proxy-demo/bin/boot_server_in_docker

diff --git a/.github/workflows/release_builds.yml b/.github/workflows/release_builds.yml
index adc890ef4..ef1c3b992 100644
--- a/.github/workflows/release_builds.yml
+++ b/.github/workflows/release_builds.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     env:
       REGISTRY: ghcr.io
-      IMAGE_NAME: sartography/
+      IMAGE_NAME: sartography/spiffworkflow-frontend
     permissions:
       contents: read
       packages: write
diff --git a/connector-proxy-demo/Dockerfile b/connector-proxy-demo/Dockerfile
new file mode 100644
index 000000000..e2d89bebd
--- /dev/null
+++ b/connector-proxy-demo/Dockerfile
@@ -0,0 +1,28 @@
+FROM ghcr.io/sartography/python:3.11
+
+RUN pip install poetry
+RUN useradd _gunicorn --no-create-home --user-group
+
+RUN apt-get update && \
+    apt-get install -y -q \
+        gcc libssl-dev \
+        curl git-core libpq-dev \
+        gunicorn3 default-mysql-client
+
+WORKDIR /app
+COPY pyproject.toml poetry.lock /app/
+RUN poetry install --without dev
+
+RUN set -xe \
+  && apt-get remove -y gcc python3-dev libssl-dev \
+  && apt-get autoremove -y \
+  && apt-get clean -y \
+  && rm -rf /var/lib/apt/lists/*
+
+COPY . /app/
+
+# run poetry install again AFTER copying the app into the image
+# otherwise it does not know what the main app module is
+RUN poetry install --without dev
+
+CMD ./bin/boot_server_in_docker
diff --git a/connector-proxy-demo/bin/boot_server_in_docker b/connector-proxy-demo/bin/boot_server_in_docker
new file mode 100755
index 000000000..d64f417bc
--- /dev/null
+++ b/connector-proxy-demo/bin/boot_server_in_docker
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+function error_handler() {
+  >&2 echo "Exited with BAD EXIT CODE '${2}' in ${0} script at line: ${1}."
+  exit "$2"
+}
+trap 'error_handler ${LINENO} $?' ERR
+set -o errtrace -o errexit -o nounset -o pipefail
+
+port="${CONNECTOR_PROXY_STATUS_IM_PORT:-}"
+if [[ -z "$port" ]]; then
+  port=7004
+fi
+
+workers=3
+
+# THIS MUST BE THE LAST COMMAND!
+# default --limit-request-line is 4094. see https://stackoverflow.com/a/66688382/6090676
+exec poetry run gunicorn --bind "0.0.0.0:$port" --workers="$workers" --limit-request-line 8192 --timeout 90 --capture-output --access-logfile '-' --log-level debug app:app

From e6146423bbdaa50405f7d3aae87a66d5152fd0de Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Tue, 22 Nov 2022 13:43:15 -0500
Subject: [PATCH 12/38] Don't look for sources where there aren't any

---
 connector-proxy-demo/pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/connector-proxy-demo/pyproject.toml b/connector-proxy-demo/pyproject.toml
index 9a6f51f88..c3630780e 100644
--- a/connector-proxy-demo/pyproject.toml
+++ b/connector-proxy-demo/pyproject.toml
@@ -20,5 +20,5 @@ build-backend = "poetry.core.masonry.api"
 
 [tool.pytest.ini_options]
 pythonpath = [
-  ".", "src",
+  "."
 ]
\ No newline at end of file

From 7a6282dc22ddda352e3bfa0669ac1285f273737f Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Tue, 22 Nov 2022 14:27:43 -0500
Subject: [PATCH 13/38] fixing a few borked up things about the
 connector-proxy-demo's docker contaier.

---
 connector-proxy-demo/poetry.lock    | 44 +++++++++++++++++++++++++++--
 connector-proxy-demo/pyproject.toml |  4 +--
 2 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/connector-proxy-demo/poetry.lock b/connector-proxy-demo/poetry.lock
index 9147d0315..d7798e2dc 100644
--- a/connector-proxy-demo/poetry.lock
+++ b/connector-proxy-demo/poetry.lock
@@ -55,7 +55,7 @@ optional = false
 python-versions = ">=3.6.0"
 
 [package.extras]
-unicode_backport = ["unicodedata2"]
+unicode-backport = ["unicodedata2"]
 
 [[package]]
 name = "click"
@@ -127,6 +127,23 @@ Flask = "*"
 oauthlib = ">=1.1.2,<2.0.3 || >2.0.3,<2.0.4 || >2.0.4,<2.0.5 || >2.0.5,<3.0.0"
 requests-oauthlib = ">=0.6.2,<1.2.0"
 
+[[package]]
+name = "gunicorn"
+version = "20.1.0"
+description = "WSGI HTTP Server for UNIX"
+category = "main"
+optional = false
+python-versions = ">=3.5"
+
+[package.dependencies]
+setuptools = ">=3.0"
+
+[package.extras]
+eventlet = ["eventlet (>=0.24.1)"]
+gevent = ["gevent (>=1.4.0)"]
+setproctitle = ["setproctitle"]
+tornado = ["tornado (>=0.2)"]
+
 [[package]]
 name = "idna"
 version = "3.4"
@@ -214,7 +231,7 @@ urllib3 = ">=1.21.1,<1.27"
 
 [package.extras]
 socks = ["PySocks (>=1.5.6,!=1.5.7)"]
-use_chardet_on_py3 = ["chardet (>=3.0.2,<6)"]
+use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"]
 
 [[package]]
 name = "requests-oauthlib"
@@ -245,6 +262,19 @@ botocore = ">=1.12.36,<2.0a.0"
 [package.extras]
 crt = ["botocore[crt] (>=1.20.29,<2.0a.0)"]
 
+[[package]]
+name = "setuptools"
+version = "65.6.0"
+description = "Easily download, build, install, upgrade, and uninstall Python packages"
+category = "main"
+optional = false
+python-versions = ">=3.7"
+
+[package.extras]
+docs = ["furo", "jaraco.packaging (>=9)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-hoverxref (<2)", "sphinx-inline-tabs", "sphinx-notfound-page (==0.8.3)", "sphinx-reredirects", "sphinxcontrib-towncrier"]
+testing = ["build[virtualenv]", "filelock (>=3.4.0)", "flake8 (<5)", "flake8-2020", "ini2toml[lite] (>=0.9)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "pip (>=19.1)", "pip-run (>=8.8)", "pytest (>=6)", "pytest-black (>=0.3.7)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=1.3)", "pytest-flake8", "pytest-mypy (>=0.9.1)", "pytest-perf", "pytest-timeout", "pytest-xdist", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"]
+testing-integration = ["build[virtualenv]", "filelock (>=3.4.0)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "pytest", "pytest-enabler", "pytest-xdist", "tomli", "virtualenv (>=13.0.0)", "wheel"]
+
 [[package]]
 name = "simplejson"
 version = "3.17.6"
@@ -310,7 +340,7 @@ watchdog = ["watchdog"]
 [metadata]
 lock-version = "1.1"
 python-versions = "^3.10"
-content-hash = "86cf682d49dc495c8cf6dc60a8aedc31ad32a293e6ceaf7b1428e0c232f8319e"
+content-hash = "cc395c0c1ce2b0b7ca063a17617981b2d55db39802265b36f0bc3c4383c89919"
 
 [metadata.files]
 boto3 = [
@@ -350,6 +380,10 @@ Flask-OAuthlib = [
     {file = "Flask-OAuthlib-0.9.6.tar.gz", hash = "sha256:5bb79c8a8e670c2eb4cb553dfc3283b6c8d1202f674934676dc173cee94fe39c"},
     {file = "Flask_OAuthlib-0.9.6-py3-none-any.whl", hash = "sha256:a5c3b62959aa1922470a62b6ebf4273b75f1c29561a7eb4a69cde85d45a1d669"},
 ]
+gunicorn = [
+    {file = "gunicorn-20.1.0-py3-none-any.whl", hash = "sha256:9dcc4547dbb1cb284accfb15ab5667a0e5d1881cc443e0677b4882a4067a807e"},
+    {file = "gunicorn-20.1.0.tar.gz", hash = "sha256:e0a968b5ba15f8a328fdfd7ab1fcb5af4470c28aaf7e55df02a99bc13138e6e8"},
+]
 idna = [
     {file = "idna-3.4-py3-none-any.whl", hash = "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2"},
     {file = "idna-3.4.tar.gz", hash = "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4"},
@@ -428,6 +462,10 @@ s3transfer = [
     {file = "s3transfer-0.6.0-py3-none-any.whl", hash = "sha256:06176b74f3a15f61f1b4f25a1fc29a4429040b7647133a463da8fa5bd28d5ecd"},
     {file = "s3transfer-0.6.0.tar.gz", hash = "sha256:2ed07d3866f523cc561bf4a00fc5535827981b117dd7876f036b0c1aca42c947"},
 ]
+setuptools = [
+    {file = "setuptools-65.6.0-py3-none-any.whl", hash = "sha256:6211d2f5eddad8757bd0484923ca7c0a6302ebc4ab32ea5e94357176e0ca0840"},
+    {file = "setuptools-65.6.0.tar.gz", hash = "sha256:d1eebf881c6114e51df1664bc2c9133d022f78d12d5f4f665b9191f084e2862d"},
+]
 simplejson = [
     {file = "simplejson-3.17.6-cp27-cp27m-macosx_10_9_x86_64.whl", hash = "sha256:a89acae02b2975b1f8e4974cb8cdf9bf9f6c91162fb8dec50c259ce700f2770a"},
     {file = "simplejson-3.17.6-cp27-cp27m-manylinux1_i686.whl", hash = "sha256:82ff356ff91be0ab2293fc6d8d262451eb6ac4fd999244c4b5f863e049ba219c"},
diff --git a/connector-proxy-demo/pyproject.toml b/connector-proxy-demo/pyproject.toml
index c3630780e..8acd820e6 100644
--- a/connector-proxy-demo/pyproject.toml
+++ b/connector-proxy-demo/pyproject.toml
@@ -5,14 +5,14 @@ description = "An example showing how to use the Spiffworkflow-proxy's Flask Blu
 authors = ["Dan <dan@sartography.com>"]
 license = "LGPL"
 readme = "README.md"
-packages = [{include = "connector_proxy_demo", from = "src"}]
+#packages = [{include = "connector_proxy_demo", from = "."}]
 
 [tool.poetry.dependencies]
 python = "^3.10"
 Flask = "^2.2.2"
 spiffworkflow-proxy = {git = "https://github.com/sartography/spiffworkflow-proxy"}
 connector-aws = { git = "https://github.com/sartography/connector-aws.git"}
-
+gunicorn = "^20.1.0"
 
 [build-system]
 requires = ["poetry-core"]

From ce82b799dfa91f8bd550f6d957ec5c696ddc04de Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Tue, 22 Nov 2022 15:20:30 -0500
Subject: [PATCH 14/38] adding a docker compose that will spin up all services.

---
 docker-compose.yml | 97 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 97 insertions(+)
 create mode 100644 docker-compose.yml

diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 000000000..0625d1044
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,97 @@
+# Why we are running with network_mode: host
+#
+# In order for the backend server to talk to the mysql server, they need to be on the same network.
+# I tried splitting it out where the mysql runs on a custom network and the backend runs on both
+# the custom network AND with localhost. Nothing I tried worked and googling didn't help. They
+# only ever mentioned one thing or using host.docker.internal which would cause the domains to
+# be different.
+#
+# So instead we are running with both the mysql server and the backend server in host network mode.
+# There may be a better way to do this but if it works, then it works.
+
+version: "3.8"
+services:
+  db:
+    container_name: db
+    image: mysql:8.0.29
+    platform: linux/amd64
+    cap_add:
+      - SYS_NICE
+    restart: "${SPIFFWORKFLOW_BACKEND_DATABASE_DOCKER_RESTART_POLICY:-no}"
+    environment:
+      - MYSQL_DATABASE=${SPIFFWORKFLOW_BACKEND_DATABASE_NAME:-spiffworkflow_backend_development}
+      - MYSQL_ROOT_PASSWORD=${SPIFFWORKFLOW_BACKEND_MYSQL_ROOT_DATABASE:-my-secret-pw}
+      - MYSQL_TCP_PORT=7003
+    network_mode: host
+    ports:
+      - "7003"
+    volumes:
+      - spiffworkflow_backend:/var/lib/mysql
+    healthcheck:
+      test: mysql --user=root --password=${SPIFFWORKFLOW_BACKEND_MYSQL_ROOT_DATABASE:-my-secret-pw} -e 'select 1' ${SPIFFWORKFLOW_BACKEND_DATABASE_NAME:-spiffworkflow_backend_development}
+      interval: 10s
+      timeout: 5s
+      retries: 10
+
+  spiffworkflow-backend:
+    container_name: spiffworkflow-backend
+    image: ghcr.io/sartography/spiffworkflow-backend
+    depends_on:
+      db:
+        condition: service_healthy
+    environment:
+      - APPLICATION_ROOT=/
+      - SPIFFWORKFLOW_BACKEND_ENV=${SPIFFWORKFLOW_BACKEND_ENV:-development}
+      - FLASK_DEBUG=0
+      - FLASK_SESSION_SECRET_KEY=${FLASK_SESSION_SECRET_KEY:-super_secret_key}
+      - OPEN_ID_SERVER_URL=${OPEN_ID_SERVER_URL:-http://localhost:7002}
+      - SPIFFWORKFLOW_FRONTEND_URL=${SPIFFWORKFLOW_FRONTEND_URL:-http://localhost:7001}
+      - SPIFFWORKFLOW_BACKEND_URL=${SPIFFWORKFLOW_BACKEND_URL:-http://localhost:7000}
+      - SPIFFWORKFLOW_BACKEND_PORT=7000
+      - SPIFFWORKFLOW_BACKEND_UPGRADE_DB=true
+      - SPIFFWORKFLOW_BACKEND_DATABASE_URI=mysql+mysqlconnector://root:${SPIFFWORKFLOW_BACKEND_MYSQL_ROOT_DATABASE:-my-secret-pw}@localhost:7003/${SPIFFWORKFLOW_BACKEND_DATABASE_NAME:-spiffworkflow_backend_development}
+      - BPMN_SPEC_ABSOLUTE_DIR=/app/process_models
+      - SPIFFWORKFLOW_BACKEND_LOAD_FIXTURE_DATA=${SPIFFWORKFLOW_BACKEND_LOAD_FIXTURE_DATA:-false}
+      - SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME=${SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME:-acceptance_tests.yml}
+      - RUN_BACKGROUND_SCHEDULER=true
+    ports:
+      - "7000:7000"
+    network_mode: host
+    volumes:
+      - ${BPMN_SPEC_ABSOLUTE_DIR:-./../sample-process-models}:/app/process_models
+      - ./log:/app/log
+    healthcheck:
+      test: curl localhost:7000/v1.0/status --fail
+      interval: 10s
+      timeout: 5s
+      retries: 20
+
+  spiffworkflow-frontend:
+    container_name: spiffworkflow-frontend
+    image: ghcr.io/sartography/spiffworkflow-frontend
+    environment:
+      - APPLICATION_ROOT=/
+      - PORT0=7001
+    ports:
+      - "7001:7001"
+
+  connector-proxy-demo: &connector-proxy-demo
+    container_name: connector-proxy-demo
+    image: ghcr.io/sartography/connector-proxy-demo
+    environment:
+      - FLASK_ENV=${FLASK_ENV:-development}
+      - FLASK_DEBUG=0
+      - FLASK_SESSION_SECRET_KEY=${FLASK_SESSION_SECRET_KEY:-super_secret_key}
+    ports:
+      - "7004:7004"
+    network_mode: host
+    healthcheck:
+      test: curl localhost:7004/liveness --fail
+      interval: 10s
+      timeout: 5s
+      retries: 20
+
+
+volumes:
+  spiffworkflow_backend:
+    driver: local

From 05fe43c8cbe3bdd3b3404a3a7edcc5bbef30c226 Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Tue, 22 Nov 2022 15:23:32 -0500
Subject: [PATCH 15/38] Reenable the tests.

---
 .github/workflows/backend_tests.yml  | 5 ++---
 .github/workflows/frontend_tests.yml | 5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/backend_tests.yml b/.github/workflows/backend_tests.yml
index 370af4afb..deed14483 100644
--- a/.github/workflows/backend_tests.yml
+++ b/.github/workflows/backend_tests.yml
@@ -1,9 +1,8 @@
 name: Backend Tests
 
 on:
-  - workflow_dispatch
-#  - push
-#  - pull_request
+  - push
+  - pull_request
 
 defaults:
   run:
diff --git a/.github/workflows/frontend_tests.yml b/.github/workflows/frontend_tests.yml
index 0cd1d5e74..1bbfdbedc 100644
--- a/.github/workflows/frontend_tests.yml
+++ b/.github/workflows/frontend_tests.yml
@@ -1,9 +1,8 @@
 name: Frontend Tests
 
 on:
-  - workflow_dispatch
-#  - push
-#  - pull_request
+  - push
+  - pull_request
 
 defaults:
   run:

From 934681f03c19fabeb4d942a5e1fcb274cc35758c Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Thu, 24 Nov 2022 14:58:16 -0500
Subject: [PATCH 16/38] just a bit of cleanup in the docker compose file.

---
 docker-compose.yml | 32 +++++++++-----------------------
 1 file changed, 9 insertions(+), 23 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 0625d1044..d6a86149c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,18 +1,7 @@
-# Why we are running with network_mode: host
-#
-# In order for the backend server to talk to the mysql server, they need to be on the same network.
-# I tried splitting it out where the mysql runs on a custom network and the backend runs on both
-# the custom network AND with localhost. Nothing I tried worked and googling didn't help. They
-# only ever mentioned one thing or using host.docker.internal which would cause the domains to
-# be different.
-#
-# So instead we are running with both the mysql server and the backend server in host network mode.
-# There may be a better way to do this but if it works, then it works.
-
 version: "3.8"
 services:
-  db:
-    container_name: db
+  spiffworkflow-db:
+    container_name: spiffworkflow-db
     image: mysql:8.0.29
     platform: linux/amd64
     cap_add:
@@ -22,7 +11,6 @@ services:
       - MYSQL_DATABASE=${SPIFFWORKFLOW_BACKEND_DATABASE_NAME:-spiffworkflow_backend_development}
       - MYSQL_ROOT_PASSWORD=${SPIFFWORKFLOW_BACKEND_MYSQL_ROOT_DATABASE:-my-secret-pw}
       - MYSQL_TCP_PORT=7003
-    network_mode: host
     ports:
       - "7003"
     volumes:
@@ -37,26 +25,25 @@ services:
     container_name: spiffworkflow-backend
     image: ghcr.io/sartography/spiffworkflow-backend
     depends_on:
-      db:
+      spiffworkflow-db:
         condition: service_healthy
     environment:
       - APPLICATION_ROOT=/
       - SPIFFWORKFLOW_BACKEND_ENV=${SPIFFWORKFLOW_BACKEND_ENV:-development}
       - FLASK_DEBUG=0
       - FLASK_SESSION_SECRET_KEY=${FLASK_SESSION_SECRET_KEY:-super_secret_key}
-      - OPEN_ID_SERVER_URL=${OPEN_ID_SERVER_URL:-http://localhost:7002}
-      - SPIFFWORKFLOW_FRONTEND_URL=${SPIFFWORKFLOW_FRONTEND_URL:-http://localhost:7001}
-      - SPIFFWORKFLOW_BACKEND_URL=${SPIFFWORKFLOW_BACKEND_URL:-http://localhost:7000}
+      - OPEN_ID_SERVER_URL=${OPEN_ID_SERVER_URL:-http://spiffworkflow-openid:7002}
+      - SPIFFWORKFLOW_FRONTEND_URL=${SPIFFWORKFLOW_FRONTEND_URL:-http://spiffworkflow-frontend:7001}
+      - SPIFFWORKFLOW_BACKEND_URL=${SPIFFWORKFLOW_BACKEND_URL:-http://spiffworkflow-backend:7000}
       - SPIFFWORKFLOW_BACKEND_PORT=7000
       - SPIFFWORKFLOW_BACKEND_UPGRADE_DB=true
-      - SPIFFWORKFLOW_BACKEND_DATABASE_URI=mysql+mysqlconnector://root:${SPIFFWORKFLOW_BACKEND_MYSQL_ROOT_DATABASE:-my-secret-pw}@localhost:7003/${SPIFFWORKFLOW_BACKEND_DATABASE_NAME:-spiffworkflow_backend_development}
+      - SPIFFWORKFLOW_BACKEND_DATABASE_URI=mysql+mysqlconnector://root:${SPIFFWORKFLOW_BACKEND_MYSQL_ROOT_DATABASE:-my-secret-pw}@spiffworkflow-db:7003/${SPIFFWORKFLOW_BACKEND_DATABASE_NAME:-spiffworkflow_backend_development}
       - BPMN_SPEC_ABSOLUTE_DIR=/app/process_models
       - SPIFFWORKFLOW_BACKEND_LOAD_FIXTURE_DATA=${SPIFFWORKFLOW_BACKEND_LOAD_FIXTURE_DATA:-false}
       - SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME=${SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME:-acceptance_tests.yml}
       - RUN_BACKGROUND_SCHEDULER=true
     ports:
       - "7000:7000"
-    network_mode: host
     volumes:
       - ${BPMN_SPEC_ABSOLUTE_DIR:-./../sample-process-models}:/app/process_models
       - ./log:/app/log
@@ -75,8 +62,8 @@ services:
     ports:
       - "7001:7001"
 
-  connector-proxy-demo: &connector-proxy-demo
-    container_name: connector-proxy-demo
+  spiffworkflow-connector:
+    container_name: spiffworkflow-connector
     image: ghcr.io/sartography/connector-proxy-demo
     environment:
       - FLASK_ENV=${FLASK_ENV:-development}
@@ -84,7 +71,6 @@ services:
       - FLASK_SESSION_SECRET_KEY=${FLASK_SESSION_SECRET_KEY:-super_secret_key}
     ports:
       - "7004:7004"
-    network_mode: host
     healthcheck:
       test: curl localhost:7004/liveness --fail
       interval: 10s

From 3ade3e5b999f9383eb8098effdadca498c2e6285 Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Wed, 30 Nov 2022 11:32:55 -0500
Subject: [PATCH 17/38] Adding a blueprint for openid - a very lightweight
 embedded authentication system to make it eaiser to try out SpiffWorkflow
 when you don't have openID set up with Google etal. Removing all calls to
 open id's user_info endpoint - as these are unncessiary. Adding a users
 section to the permission files -- so we can handle all
 user/group/permissions in one file when needed. There was a very confusing
 is_admin function on the user model that needed killin.

---
 .../src/spiffworkflow_backend/__init__.py     |   2 +
 .../config/permissions/development.yml        |  10 ++
 .../src/spiffworkflow_backend/models/user.py  |   4 -
 .../routes/openid_blueprint/__init__.py       |   1 +
 .../openid_blueprint/openid_blueprint.py      | 116 ++++++++++++++++++
 .../openid_blueprint/templates/login.html     | 103 ++++++++++++++++
 .../src/spiffworkflow_backend/routes/user.py  |  42 ++++---
 .../services/authentication_service.py        |  37 ------
 .../services/authorization_service.py         |   6 +
 .../integration/test_openid_blueprint.py      |  79 ++++++++++++
 10 files changed, 339 insertions(+), 61 deletions(-)
 create mode 100644 spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/__init__.py
 create mode 100644 spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
 create mode 100644 spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html
 create mode 100644 spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
index 5d591d847..389c93704 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
@@ -19,6 +19,7 @@ from werkzeug.exceptions import NotFound
 import spiffworkflow_backend.load_database_models  # noqa: F401
 from spiffworkflow_backend.config import setup_config
 from spiffworkflow_backend.routes.admin_blueprint.admin_blueprint import admin_blueprint
+from spiffworkflow_backend.routes.openid_blueprint.openid_blueprint import openid_blueprint
 from spiffworkflow_backend.routes.process_api_blueprint import process_api_blueprint
 from spiffworkflow_backend.routes.user import verify_token
 from spiffworkflow_backend.routes.user_blueprint import user_blueprint
@@ -103,6 +104,7 @@ def create_app() -> flask.app.Flask:
     app.register_blueprint(process_api_blueprint)
     app.register_blueprint(api_error_blueprint)
     app.register_blueprint(admin_blueprint, url_prefix="/admin")
+    app.register_blueprint(openid_blueprint, url_prefix="/openid")
 
     origins_re = [
         r"^https?:\/\/%s(.*)" % o.replace(".", r"\.")
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml
index e17e3f110..1acace141 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml
@@ -1,5 +1,15 @@
 default_group: everybody
 
+users:
+  admin:
+    email: admin@spiffworkflow.org
+    password: admin
+  dan:
+    email: dan@spiffworkflow.org
+    password: password
+
+
+
 groups:
   admin:
     users:
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
index c33a72e7a..eb88e5de9 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
@@ -83,10 +83,6 @@ class UserModel(SpiffworkflowBaseDBModel):
             algorithm="HS256",
         )
 
-    def is_admin(self) -> bool:
-        """Is_admin."""
-        return True
-
     # @classmethod
     # def from_open_id_user_info(cls, user_info: dict) -> Any:
     #     """From_open_id_user_info."""
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/__init__.py
new file mode 100644
index 000000000..f520b09de
--- /dev/null
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/__init__.py
@@ -0,0 +1 @@
+"""__init__."""
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
new file mode 100644
index 000000000..dd8928c63
--- /dev/null
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
@@ -0,0 +1,116 @@
+"""
+Provides the bare minimum endpoints required by SpiffWorkflow to
+handle openid authentication -- definitely not a production system.
+This is just here to make local development, testing, and
+demonstration easier.
+"""
+import base64
+import time
+import urllib
+from urllib.parse import urlencode
+
+import jwt
+import yaml
+from flask import Blueprint, render_template, request, current_app, redirect, url_for, g
+
+openid_blueprint = Blueprint(
+    "openid", __name__, template_folder="templates", static_folder="static"
+)
+
+MY_SECRET_CODE = ":this_should_be_some_crazy_code_different_all_the_time"
+
+@openid_blueprint.route("/well-known/openid-configuration", methods=["GET"])
+def well_known():
+    """OpenID Discovery endpoint -- as these urls can be very different from system to system,
+       this is just a small subset."""
+    host_url = request.host_url.strip('/')
+    return {
+        "issuer": f"{host_url}/openid",
+        "authorization_endpoint":  f"{host_url}{url_for('openid.auth')}",
+        "token_endpoint": f"{host_url}{url_for('openid.token')}",
+    }
+
+
+@openid_blueprint.route("/auth", methods=["GET"])
+def auth():
+    """Accepts a series of parameters"""
+    return render_template('login.html',
+                           state=request.args.get('state'),
+                           response_type=request.args.get('response_type'),
+                           client_id=request.args.get('client_id'),
+                           scope=request.args.get('scope'),
+                           redirect_uri=request.args.get('redirect_uri'),
+                           error_message=request.args.get('error_message'))
+
+
+@openid_blueprint.route("/form_submit", methods=["POST"])
+def form_submit():
+
+    users = get_users()
+    if request.values['Uname'] in users and request.values['Pass'] == users[request.values['Uname']]["password"]:
+        # Redirect back to the end user with some detailed information
+        state = request.values.get('state')
+        data = {
+            "state": base64.b64encode(bytes(state, 'UTF-8')),
+            "code": request.values['Uname'] + MY_SECRET_CODE
+        }
+        url = request.values.get('redirect_uri') + urlencode(data)
+        return redirect(url, code=200)
+    else:
+        return render_template('login.html',
+                               state=request.values.get('state'),
+                               response_type=request.values.get('response_type'),
+                               client_id=request.values.get('client_id'),
+                               scope=request.values.get('scope'),
+                               redirect_uri=request.values.get('redirect_uri'),
+                               error_message="Login failed.  Please try agian.")
+
+
+@openid_blueprint.route("/token", methods=["POST"])
+def token():
+    """Url that will return a valid token, given the super secret sauce"""
+    grant_type=request.values.get('grant_type')
+    code=request.values.get('code')
+    redirect_uri=request.values.get('redirect_uri')
+
+    """We just stuffed the user name on the front of the code, so grab it."""
+    user_name, secret_hash = code.split(":")
+
+    """Get authentication from headers."""
+    authorization = request.headers.get('Authorization')
+    authorization = authorization[6:]  # Remove "Basic"
+    authorization = base64.b64decode(authorization).decode('utf-8')
+    client_id, client_secret = authorization.split(":")
+
+    base_url = url_for(openid_blueprint)
+    access_token = "..."
+    refresh_token = "..."
+    id_token = jwt.encode({
+        "iss": base_url,
+        "aud": [client_id, "account"],
+        "iat": time.time(),
+        "exp": time.time() + 86400 # Exprire after a day.
+    })
+
+    {'exp': 1669757386, 'iat': 1669755586, 'auth_time': 1669753049, 'jti': '0ec2cc09-3498-4921-a021-c3b98427df70',
+     'iss': 'http://localhost:7002/realms/spiffworkflow', 'aud': 'spiffworkflow-backend',
+     'sub': '99e7e4ea-d4ae-4944-bd31-873dac7b004c', 'typ': 'ID', 'azp': 'spiffworkflow-backend',
+     'session_state': '8751d5f6-2c60-4205-9be0-2b1005f5891e', 'at_hash': 'O5i-VLus6sryR0grMS2Y4w', 'acr': '0',
+     'sid': '8751d5f6-2c60-4205-9be0-2b1005f5891e', 'email_verified': False, 'preferred_username': 'dan'}
+
+    response = {
+        "access_token": id_token,
+        "id_token": id_token,
+    }
+
+@openid_blueprint.route("/refresh", methods=["POST"])
+def refresh():
+    pass
+
+def get_users():
+    with open(current_app.config["PERMISSIONS_FILE_FULLPATH"]) as file:
+        permission_configs = yaml.safe_load(file)
+    if "users" in permission_configs:
+        return permission_configs["users"]
+    else:
+        return {}
\ No newline at end of file
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html
new file mode 100644
index 000000000..1da64914d
--- /dev/null
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html
@@ -0,0 +1,103 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Login Form</title>
+    <link rel="stylesheet" type="text/css" href="css/style.css">
+    <style>
+        body{
+            margin: 0;
+            padding: 0;
+            background-color:white;
+            font-family: 'Arial';
+        }
+        .error {
+            margin: 20px auto;
+            color: red;
+            font-weight: bold;
+            text-align: center;
+        }
+        .login{
+                width: 382px;
+                overflow: hidden;
+                margin: 20px auto;
+                padding: 80px;
+                background: #000;
+                border-radius: 15px ;
+
+        }
+        h2{
+            text-align: center;
+            color: #277582;
+            padding: 20px;
+        }
+        label{
+            color: #fff;
+            font-size: 17px;
+        }
+        #Uname{
+            width: 300px;
+            height: 30px;
+            border: none;
+            border-radius: 3px;
+            padding-left: 8px;
+        }
+        #Pass{
+            width: 300px;
+            height: 30px;
+            border: none;
+            border-radius: 3px;
+            padding-left: 8px;
+
+        }
+        #log{
+            width: 300px;
+            height: 30px;
+            border: none;
+            border-radius: 17px;
+            padding-left: 7px;
+            color: blue;
+
+
+        }
+        span{
+            color: white;
+            font-size: 17px;
+        }
+        a{
+            float: right;
+            background-color: grey;
+        }
+    </style>
+</head>
+<body>
+    <h2>Login to SpiffWorkflow</h2><br>
+    <div class="error">{{error_message}}</div>
+    <div class="login">
+    <form id="login" method="post" action="{{ url_for('openid.form_submit') }}">
+        <label><b>User Name
+        </b>
+        </label>
+        <input type="text" name="Uname" id="Uname" placeholder="Username">
+        <br><br>
+        <label><b>Password
+        </b>
+        </label>
+        <input type="Password" name="Pass" id="Pass" placeholder="Password">
+        <br><br>
+        <input type="hidden" name="state" value="{{state}}"/>
+        <input type="hidden" name="response_type" value="{{response_type}}"/>
+        <input type="hidden" name="client_id" value="{{client_id}}"/>
+        <input type="hidden" name="scope" value="{{scope}}"/>
+        <input type="hidden" name="redirect_uri" value="{{redirect_uri}}"/>
+        <input type="submit" name="log" id="log" value="Log In">
+        <br><br>
+        <!-- should maybe add this stuff in eventually, but this is just for testing.
+        <input type="checkbox" id="check">
+        <span>Remember me</span>
+        <br><br>
+        Forgot <a href="#">Password</a>
+         -->
+    </form>
+</div>
+</body>
+</html>
\ No newline at end of file
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
index 5fe10e0af..c9059427c 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
@@ -1,6 +1,7 @@
 """User."""
 import ast
 import base64
+import json
 from typing import Any
 from typing import Dict
 from typing import Optional
@@ -14,9 +15,12 @@ from flask import request
 from flask_bpmn.api.api_error import ApiError
 from werkzeug.wrappers import Response
 
+from spiffworkflow_backend.models.group import GroupModel
+from spiffworkflow_backend.models.permission_assignment import PermissionAssignmentModel
+from spiffworkflow_backend.models.principal import PrincipalModel
 from spiffworkflow_backend.models.user import UserModel
 from spiffworkflow_backend.services.authentication_service import (
-    AuthenticationService,
+    AuthenticationService, AuthenticationProviderTypes,
 )
 from spiffworkflow_backend.services.authorization_service import AuthorizationService
 from spiffworkflow_backend.services.user_service import UserService
@@ -58,7 +62,6 @@ def verify_token(
         decoded_token = get_decoded_token(token)
 
         if decoded_token is not None:
-
             if "token_type" in decoded_token:
                 token_type = decoded_token["token_type"]
                 if token_type == "internal":  # noqa: S105
@@ -68,11 +71,11 @@ def verify_token(
                         current_app.logger.error(
                             f"Exception in verify_token getting user from decoded internal token. {e}"
                         )
-
             elif "iss" in decoded_token.keys():
                 try:
-                    user_info = AuthenticationService.get_user_info_from_open_id(token)
-                except ApiError as ae:
+                    if AuthenticationService.validate_id_token(token):
+                        user_info = decoded_token
+                except ApiError as ae:  # API Error is only thrown in the token is outdated.
                     # Try to refresh the token
                     user = UserService.get_user_by_service_and_service_id(
                         "open_id", decoded_token["sub"]
@@ -86,14 +89,9 @@ def verify_token(
                                 )
                             )
                             if auth_token and "error" not in auth_token:
-                                # redirect to original url, with auth_token?
-                                user_info = (
-                                    AuthenticationService.get_user_info_from_open_id(
-                                        auth_token["access_token"]
-                                    )
-                                )
-                                if not user_info:
-                                    raise ae
+                                # We have the user, but this code is a bit convoluted, and will later demand
+                                # a user_info object so it can look up the user.  Sorry to leave this crap here.
+                                user_info = {"sub": user.service_id }
                             else:
                                 raise ae
                         else:
@@ -202,6 +200,15 @@ def login(redirect_url: str = "/") -> Response:
     )
     return redirect(login_redirect_url)
 
+def parse_id_token(token: str) -> dict:
+    parts = token.split(".")
+    if len(parts) != 3:
+        raise Exception("Incorrect id token format")
+
+    payload = parts[1]
+    padded = payload + '=' * (4 - len(payload) % 4)
+    decoded = base64.b64decode(padded)
+    return json.loads(decoded)
 
 def login_return(code: str, state: str, session_state: str) -> Optional[Response]:
     """Login_return."""
@@ -211,10 +218,9 @@ def login_return(code: str, state: str, session_state: str) -> Optional[Response
     if "id_token" in auth_token_object:
         id_token = auth_token_object["id_token"]
 
+        user_info = parse_id_token(id_token)
+
         if AuthenticationService.validate_id_token(id_token):
-            user_info = AuthenticationService.get_user_info_from_open_id(
-                auth_token_object["access_token"]
-            )
             if user_info and "error" not in user_info:
                 user_model = AuthorizationService.create_user_from_sign_in(user_info)
                 g.user = user_model.id
@@ -332,15 +338,11 @@ def get_user_from_decoded_internal_token(decoded_token: dict) -> Optional[UserMo
         .filter(UserModel.service_id == service_id)
         .first()
     )
-    # user: UserModel = UserModel.query.filter()
     if user:
         return user
     user = UserModel(
         username=service_id,
-        uid=service_id,
         service=service,
         service_id=service_id,
-        name="API User",
     )
-
     return user
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index 18f08d0f3..a12e57fae 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -42,43 +42,6 @@ class AuthenticationService:
             open_id_client_secret_key,
         )
 
-    @classmethod
-    def get_user_info_from_open_id(cls, token: str) -> dict:
-        """The token is an auth_token."""
-        (
-            open_id_server_url,
-            open_id_client_id,
-            open_id_realm_name,
-            open_id_client_secret_key,
-        ) = cls.get_open_id_args()
-
-        headers = {"Authorization": f"Bearer {token}"}
-
-        request_url = f"{open_id_server_url}/realms/{open_id_realm_name}/protocol/openid-connect/userinfo"
-        try:
-            request_response = requests.get(request_url, headers=headers)
-        except Exception as e:
-            current_app.logger.error(f"Exception in get_user_info_from_id_token: {e}")
-            raise ApiError(
-                error_code="token_error",
-                message=f"Exception in get_user_info_from_id_token: {e}",
-                status_code=401,
-            ) from e
-
-        if request_response.status_code == 401:
-            raise ApiError(
-                error_code="invalid_token", message="Please login", status_code=401
-            )
-        elif request_response.status_code == 200:
-            user_info: dict = json.loads(request_response.text)
-            return user_info
-
-        raise ApiError(
-            error_code="user_info_error",
-            message="Cannot get user info in get_user_info_from_id_token",
-            status_code=401,
-        )
-
     @staticmethod
     def get_backend_url() -> str:
         """Get_backend_url."""
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
index ea488f7a9..f29c09851 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
@@ -1,4 +1,5 @@
 """Authorization_service."""
+import inspect
 import re
 from typing import Optional
 from typing import Union
@@ -23,6 +24,7 @@ from spiffworkflow_backend.models.principal import PrincipalModel
 from spiffworkflow_backend.models.user import UserModel
 from spiffworkflow_backend.models.user import UserNotFoundError
 from spiffworkflow_backend.models.user_group_assignment import UserGroupAssignmentModel
+from spiffworkflow_backend.routes.openid_blueprint import openid_blueprint
 from spiffworkflow_backend.services.group_service import GroupService
 from spiffworkflow_backend.services.user_service import UserService
 
@@ -125,6 +127,7 @@ class AuthorizationService:
             db.session.add(user_group_assignemnt)
             db.session.commit()
 
+
     @classmethod
     def import_permissions_from_yaml_file(
         cls, raise_if_missing_user: bool = False
@@ -241,6 +244,7 @@ class AuthorizationService:
             return True
 
         api_view_function = current_app.view_functions[request.endpoint]
+        module = inspect.getmodule(api_view_function)
         if (
             api_view_function
             and api_view_function.__name__.startswith("login")
@@ -248,6 +252,7 @@ class AuthorizationService:
             or api_view_function.__name__.startswith("console_ui_")
             or api_view_function.__name__ in authentication_exclusion_list
             or api_view_function.__name__ in swagger_functions
+            or module == openid_blueprint
         ):
             return True
 
@@ -442,6 +447,7 @@ class AuthorizationService:
                 email=email,
             )
 
+
         # this may eventually get too slow.
         # when it does, be careful about backgrounding, because
         # the user will immediately need permissions to use the site.
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
new file mode 100644
index 000000000..b234d914e
--- /dev/null
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
@@ -0,0 +1,79 @@
+"""Test_authentication."""
+import ast
+import base64
+
+from flask import Flask
+from flask.testing import FlaskClient
+
+from tests.spiffworkflow_backend.helpers.base_test import BaseTest
+
+from spiffworkflow_backend.services.authentication_service import (
+    AuthenticationService,
+)
+
+
+class TestFaskOpenId(BaseTest):
+    """An integrated Open ID that responds to openID requests
+       by referencing a build in YAML file.  Useful for
+       local development, testing, demos etc..."""
+
+    def test_discovery_of_endpoints(self,
+                                    app: Flask,
+                                    client: FlaskClient,
+                                    with_db_and_bpmn_file_cleanup: None,) -> None:
+        response = client.get("/openid/well-known/openid-configuration")
+        discovered_urls = response.json
+        assert "http://localhost/openid" == discovered_urls["issuer"]
+        assert "http://localhost/openid/auth" == discovered_urls["authorization_endpoint"]
+        assert "http://localhost/openid/token" == discovered_urls["token_endpoint"]
+
+    def test_get_login_page(self,
+                            app: Flask,
+                            client: FlaskClient,
+                            with_db_and_bpmn_file_cleanup: None,) -> None:
+        # It should be possible to get to a login page
+        data = {
+            "state": {"bubblegum":1, "daydream":2}
+        }
+        response = client.get("/openid/auth", query_string=data)
+        assert b"<h2>Login to SpiffWorkflow</h2>" in response.data
+        assert b"bubblegum" in response.data
+
+    def test_get_token(self,
+        app: Flask,
+        client: FlaskClient,
+        with_db_and_bpmn_file_cleanup: None,) -> None:
+
+        code = "c3BpZmZ3b3JrZmxvdy1iYWNrZW5kOkpYZVFFeG0wSmhRUEx1bWdIdElJcWY1MmJEYWxIejBx"
+        headers = {
+            "Content-Type": "application/x-www-form-urlencoded",
+            "Authorization": f"Basic {code}",
+        }
+        data =  {
+            "grant_type": 'authorization_code',
+            "code": code,
+            "redirect_url": 'http://localhost:7000/v1.0/login_return'
+        }
+        response = client.post("/openid/token", data=data, headers=headers)
+        assert response
+
+    def test_refresh_token_endpoint(self,
+        app: Flask,
+        client: FlaskClient,
+        with_db_and_bpmn_file_cleanup: None,) -> None:
+        pass
+        # Handle a refresh with the following
+        # data provided
+        #             "grant_type": "refresh_token",
+        #             "refresh_token": refresh_token,
+        #             "client_id": open_id_client_id,
+        #             "client_secret": open_id_client_secret_key,
+        # Return an json response with:
+        #   id  - (this users' id)
+
+    def test_logout(self,
+        app: Flask,
+        client: FlaskClient,
+        with_db_and_bpmn_file_cleanup: None,) -> None:
+        pass
+        # It should be possible to logout and be redirected back.

From 2082c113b2493638cffe4e53a7f1ba59af4d1b33 Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Wed, 30 Nov 2022 11:51:20 -0500
Subject: [PATCH 18/38] Not all open id systems have realms like KeyCloak does
 -- so removing this in favor of setting just one value - which is the base
 url of the openid system -- which will work across all openid systems.

---
 .../spiffworkflow_backend/config/default.py    |  3 +--
 .../services/authentication_service.py         | 18 +++++-------------
 2 files changed, 6 insertions(+), 15 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
index 53d670c77..c32c48828 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@@ -30,9 +30,8 @@ CONNECTOR_PROXY_URL = environ.get(
 GIT_COMMIT_ON_SAVE = environ.get("GIT_COMMIT_ON_SAVE", default="false") == "true"
 
 # Open ID server
-OPEN_ID_SERVER_URL = environ.get("OPEN_ID_SERVER_URL", default="http://localhost:7002")
+OPEN_ID_SERVER_URL = environ.get("OPEN_ID_SERVER_URL", default="http://localhost:7002/realms/spiffworkflow")
 OPEN_ID_CLIENT_ID = environ.get("OPEN_ID_CLIENT_ID", default="spiffworkflow-backend")
-OPEN_ID_REALM_NAME = environ.get("OPEN_ID_REALM_NAME", default="spiffworkflow")
 OPEN_ID_CLIENT_SECRET_KEY = environ.get(
     "OPEN_ID_CLIENT_SECRET_KEY", default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
 )  # noqa: S105
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index a12e57fae..f8171d88d 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -15,7 +15,6 @@ from werkzeug.wrappers import Response
 
 from spiffworkflow_backend.models.refresh_token import RefreshTokenModel
 
-
 class AuthenticationProviderTypes(enum.Enum):
     """AuthenticationServiceProviders."""
 
@@ -31,14 +30,12 @@ class AuthenticationService:
         """Get_open_id_args."""
         open_id_server_url = current_app.config["OPEN_ID_SERVER_URL"]
         open_id_client_id = current_app.config["OPEN_ID_CLIENT_ID"]
-        open_id_realm_name = current_app.config["OPEN_ID_REALM_NAME"]
         open_id_client_secret_key = current_app.config[
             "OPEN_ID_CLIENT_SECRET_KEY"
         ]  # noqa: S105
         return (
             open_id_server_url,
             open_id_client_id,
-            open_id_realm_name,
             open_id_client_secret_key,
         )
 
@@ -55,11 +52,10 @@ class AuthenticationService:
         (
             open_id_server_url,
             open_id_client_id,
-            open_id_realm_name,
             open_id_client_secret_key,
         ) = AuthenticationService.get_open_id_args()
         request_url = (
-            f"{open_id_server_url}/realms/{open_id_realm_name}/protocol/openid-connect/logout?"
+            f"{open_id_server_url}/protocol/openid-connect/logout?"
             + f"post_logout_redirect_uri={return_redirect_url}&"
             + f"id_token_hint={id_token}"
         )
@@ -79,12 +75,11 @@ class AuthenticationService:
         (
             open_id_server_url,
             open_id_client_id,
-            open_id_realm_name,
             open_id_client_secret_key,
         ) = AuthenticationService.get_open_id_args()
         return_redirect_url = f"{self.get_backend_url()}{redirect_url}"
         login_redirect_url = (
-            f"{open_id_server_url}/realms/{open_id_realm_name}/protocol/openid-connect/auth?"
+            f"{open_id_server_url}/protocol/openid-connect/auth?"
             + f"state={state}&"
             + "response_type=code&"
             + f"client_id={open_id_client_id}&"
@@ -100,7 +95,6 @@ class AuthenticationService:
         (
             open_id_server_url,
             open_id_client_id,
-            open_id_realm_name,
             open_id_client_secret_key,
         ) = AuthenticationService.get_open_id_args()
 
@@ -117,7 +111,7 @@ class AuthenticationService:
             "redirect_uri": f"{self.get_backend_url()}{redirect_url}",
         }
 
-        request_url = f"{open_id_server_url}/realms/{open_id_realm_name}/protocol/openid-connect/token"
+        request_url = f"{open_id_server_url}/protocol/openid-connect/token"
 
         response = requests.post(request_url, data=data, headers=headers)
         auth_token_object: dict = json.loads(response.text)
@@ -131,7 +125,6 @@ class AuthenticationService:
         (
             open_id_server_url,
             open_id_client_id,
-            open_id_realm_name,
             open_id_client_secret_key,
         ) = cls.get_open_id_args()
         try:
@@ -142,7 +135,7 @@ class AuthenticationService:
                 message="Cannot decode id_token",
                 status_code=401,
             ) from e
-        if decoded_token["iss"] != f"{open_id_server_url}/realms/{open_id_realm_name}":
+        if decoded_token["iss"] != open_id_server_url:
             valid = False
         elif (
             open_id_client_id not in decoded_token["aud"]
@@ -207,7 +200,6 @@ class AuthenticationService:
         (
             open_id_server_url,
             open_id_client_id,
-            open_id_realm_name,
             open_id_client_secret_key,
         ) = cls.get_open_id_args()
 
@@ -226,7 +218,7 @@ class AuthenticationService:
             "client_secret": open_id_client_secret_key,
         }
 
-        request_url = f"{open_id_server_url}/realms/{open_id_realm_name}/protocol/openid-connect/token"
+        request_url = f"{open_id_server_url}/protocol/openid-connect/token"
 
         response = requests.post(request_url, data=data, headers=headers)
         auth_token_object: dict = json.loads(response.text)

From ca339ee9334f16fc65f696db0a0eeba066450549 Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Wed, 30 Nov 2022 16:33:44 -0500
Subject: [PATCH 19/38] Use the "well-known" configuration dictionary from
 openid to get the url endpoints, rather than trying to configure or guess the
 correct endpoint urls.

---
 .../openid_blueprint/openid_blueprint.py      |  7 +-
 .../services/authentication_service.py        | 92 ++++++++-----------
 2 files changed, 43 insertions(+), 56 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
index dd8928c63..b16ba46af 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
@@ -19,7 +19,7 @@ openid_blueprint = Blueprint(
 
 MY_SECRET_CODE = ":this_should_be_some_crazy_code_different_all_the_time"
 
-@openid_blueprint.route("/well-known/openid-configuration", methods=["GET"])
+@openid_blueprint.route("/.well-known/openid-configuration", methods=["GET"])
 def well_known():
     """OpenID Discovery endpoint -- as these urls can be very different from system to system,
        this is just a small subset."""
@@ -52,9 +52,10 @@ def form_submit():
         state = request.values.get('state')
         data = {
             "state": base64.b64encode(bytes(state, 'UTF-8')),
-            "code": request.values['Uname'] + MY_SECRET_CODE
+            "code": request.values['Uname'] + MY_SECRET_CODE,
+            "session_state": ""
         }
-        url = request.values.get('redirect_uri') + urlencode(data)
+        url = request.values.get('redirect_uri') + "?" + urlencode(data)
         return redirect(url, code=200)
     else:
         return render_template('login.html',
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index f8171d88d..5fdedf767 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -3,6 +3,7 @@ import base64
 import enum
 import json
 import time
+import typing
 from typing import Optional
 
 import jwt
@@ -15,6 +16,7 @@ from werkzeug.wrappers import Response
 
 from spiffworkflow_backend.models.refresh_token import RefreshTokenModel
 
+
 class AuthenticationProviderTypes(enum.Enum):
     """AuthenticationServiceProviders."""
 
@@ -24,20 +26,31 @@ class AuthenticationProviderTypes(enum.Enum):
 
 class AuthenticationService:
     """AuthenticationService."""
+    ENDPOINT_CACHE = {}  # We only need to find the openid endpoints once, then we can cache them.
 
     @staticmethod
-    def get_open_id_args() -> tuple:
-        """Get_open_id_args."""
-        open_id_server_url = current_app.config["OPEN_ID_SERVER_URL"]
-        open_id_client_id = current_app.config["OPEN_ID_CLIENT_ID"]
-        open_id_client_secret_key = current_app.config[
-            "OPEN_ID_CLIENT_SECRET_KEY"
-        ]  # noqa: S105
-        return (
-            open_id_server_url,
-            open_id_client_id,
-            open_id_client_secret_key,
-        )
+    def client_id():
+        return current_app.config["OPEN_ID_CLIENT_ID"]
+
+    @staticmethod
+    def server_url():
+        return current_app.config["OPEN_ID_SERVER_URL"]
+
+    @staticmethod
+    def secret_key():
+        return current_app.config["OPEN_ID_CLIENT_SECRET_KEY"]
+
+
+    @classmethod
+    def open_id_endpoint_for_name(cls, name: str) -> None:
+        """All openid systems provide a mapping of static names to the full path of that endpoint."""
+        if name not in AuthenticationService.ENDPOINT_CACHE:
+            request_url = f"{cls.server_url()}/.well-known/openid-configuration"
+            response = requests.get(request_url)
+            AuthenticationService.ENDPOINT_CACHE = response.json()
+        if name not in AuthenticationService.ENDPOINT_CACHE:
+            raise Exception(f"Unknown OpenID Endpoint: {name}")
+        return AuthenticationService.ENDPOINT_CACHE[name]
 
     @staticmethod
     def get_backend_url() -> str:
@@ -49,14 +62,9 @@ class AuthenticationService:
         if redirect_url is None:
             redirect_url = "/"
         return_redirect_url = f"{self.get_backend_url()}/v1.0/logout_return"
-        (
-            open_id_server_url,
-            open_id_client_id,
-            open_id_client_secret_key,
-        ) = AuthenticationService.get_open_id_args()
         request_url = (
-            f"{open_id_server_url}/protocol/openid-connect/logout?"
-            + f"post_logout_redirect_uri={return_redirect_url}&"
+            self.open_id_endpoint_for_name("end_session_endpoint")
+            + f"?post_logout_redirect_uri={return_redirect_url}&"
             + f"id_token_hint={id_token}"
         )
 
@@ -72,17 +80,12 @@ class AuthenticationService:
         self, state: str, redirect_url: str = "/v1.0/login_return"
     ) -> str:
         """Get_login_redirect_url."""
-        (
-            open_id_server_url,
-            open_id_client_id,
-            open_id_client_secret_key,
-        ) = AuthenticationService.get_open_id_args()
         return_redirect_url = f"{self.get_backend_url()}{redirect_url}"
         login_redirect_url = (
-            f"{open_id_server_url}/protocol/openid-connect/auth?"
-            + f"state={state}&"
+            self.open_id_endpoint_for_name("authorization_endpoint")
+            + f"?state={state}&"
             + "response_type=code&"
-            + f"client_id={open_id_client_id}&"
+            + f"client_id={self.client_id()}&"
             + "scope=openid&"
             + f"redirect_uri={return_redirect_url}"
         )
@@ -92,13 +95,7 @@ class AuthenticationService:
         self, code: str, redirect_url: str = "/v1.0/login_return"
     ) -> dict:
         """Get_auth_token_object."""
-        (
-            open_id_server_url,
-            open_id_client_id,
-            open_id_client_secret_key,
-        ) = AuthenticationService.get_open_id_args()
-
-        backend_basic_auth_string = f"{open_id_client_id}:{open_id_client_secret_key}"
+        backend_basic_auth_string = f"{self.client_id()}:{self.secret_key()}"
         backend_basic_auth_bytes = bytes(backend_basic_auth_string, encoding="ascii")
         backend_basic_auth = base64.b64encode(backend_basic_auth_bytes)
         headers = {
@@ -111,7 +108,7 @@ class AuthenticationService:
             "redirect_uri": f"{self.get_backend_url()}{redirect_url}",
         }
 
-        request_url = f"{open_id_server_url}/protocol/openid-connect/token"
+        request_url = self.open_id_endpoint_for_name("token_endpoint")
 
         response = requests.post(request_url, data=data, headers=headers)
         auth_token_object: dict = json.loads(response.text)
@@ -122,11 +119,6 @@ class AuthenticationService:
         """Https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation."""
         valid = True
         now = time.time()
-        (
-            open_id_server_url,
-            open_id_client_id,
-            open_id_client_secret_key,
-        ) = cls.get_open_id_args()
         try:
             decoded_token = jwt.decode(id_token, options={"verify_signature": False})
         except Exception as e:
@@ -135,15 +127,15 @@ class AuthenticationService:
                 message="Cannot decode id_token",
                 status_code=401,
             ) from e
-        if decoded_token["iss"] != open_id_server_url:
+        if decoded_token["iss"] != cls.server_url():
             valid = False
         elif (
-            open_id_client_id not in decoded_token["aud"]
+            cls.client_id() not in decoded_token["aud"]
             and "account" not in decoded_token["aud"]
         ):
             valid = False
         elif "azp" in decoded_token and decoded_token["azp"] not in (
-            open_id_client_id,
+            cls.client_id(),
             "account",
         ):
             valid = False
@@ -196,14 +188,8 @@ class AuthenticationService:
 
     @classmethod
     def get_auth_token_from_refresh_token(cls, refresh_token: str) -> dict:
-        """Get a new auth_token from a refresh_token."""
-        (
-            open_id_server_url,
-            open_id_client_id,
-            open_id_client_secret_key,
-        ) = cls.get_open_id_args()
 
-        backend_basic_auth_string = f"{open_id_client_id}:{open_id_client_secret_key}"
+        backend_basic_auth_string = f"{cls.client_id()}:{cls.secret_key()}"
         backend_basic_auth_bytes = bytes(backend_basic_auth_string, encoding="ascii")
         backend_basic_auth = base64.b64encode(backend_basic_auth_bytes)
         headers = {
@@ -214,11 +200,11 @@ class AuthenticationService:
         data = {
             "grant_type": "refresh_token",
             "refresh_token": refresh_token,
-            "client_id": open_id_client_id,
-            "client_secret": open_id_client_secret_key,
+            "client_id": cls.client_id(),
+            "client_secret": cls.secret_key(),
         }
 
-        request_url = f"{open_id_server_url}/protocol/openid-connect/token"
+        request_url = cls.open_id_endpoint_for_name("token_endpoint")
 
         response = requests.post(request_url, data=data, headers=headers)
         auth_token_object: dict = json.loads(response.text)

From e8cbe1df84b061e223a48370be83b663a72e7ab2 Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Thu, 1 Dec 2022 11:42:36 -0500
Subject: [PATCH 20/38] A little cleanup of the ui Don't check authorization on
 static assets Do not require unique username on user table (uniqueness check
 is on the service and service id composite.)

---
 .../{ff1c1628337c_.py => 3f049fa4d8ac_.py}    |   9 +-
 .../config/permissions/development.yml        |   6 +-
 .../src/spiffworkflow_backend/models/user.py  |   2 +-
 .../openid_blueprint/openid_blueprint.py      |  79 +++++++-----
 .../routes/openid_blueprint/static/login.css  | 112 ++++++++++++++++++
 .../routes/openid_blueprint/static/logo.png   | Bin 0 -> 10138 bytes
 .../openid_blueprint/static/logo_small.png    | Bin 0 -> 5000 bytes
 .../openid_blueprint/templates/login.html     |  85 ++-----------
 .../services/authorization_service.py         |   3 +-
 .../integration/test_openid_blueprint.py      |  22 +---
 10 files changed, 177 insertions(+), 141 deletions(-)
 rename spiffworkflow-backend/migrations/versions/{ff1c1628337c_.py => 3f049fa4d8ac_.py} (99%)
 create mode 100644 spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/static/login.css
 create mode 100644 spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/static/logo.png
 create mode 100644 spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/static/logo_small.png

diff --git a/spiffworkflow-backend/migrations/versions/ff1c1628337c_.py b/spiffworkflow-backend/migrations/versions/3f049fa4d8ac_.py
similarity index 99%
rename from spiffworkflow-backend/migrations/versions/ff1c1628337c_.py
rename to spiffworkflow-backend/migrations/versions/3f049fa4d8ac_.py
index d8da6d3c4..dc8675a67 100644
--- a/spiffworkflow-backend/migrations/versions/ff1c1628337c_.py
+++ b/spiffworkflow-backend/migrations/versions/3f049fa4d8ac_.py
@@ -1,8 +1,8 @@
 """empty message
 
-Revision ID: ff1c1628337c
+Revision ID: 3f049fa4d8ac
 Revises: 
-Create Date: 2022-11-28 15:08:52.014254
+Create Date: 2022-11-30 16:49:54.805372
 
 """
 from alembic import op
@@ -10,7 +10,7 @@ import sqlalchemy as sa
 
 
 # revision identifiers, used by Alembic.
-revision = 'ff1c1628337c'
+revision = '3f049fa4d8ac'
 down_revision = None
 branch_labels = None
 depends_on = None
@@ -79,8 +79,7 @@ def upgrade():
     sa.Column('email', sa.String(length=255), nullable=True),
     sa.PrimaryKeyConstraint('id'),
     sa.UniqueConstraint('service', 'service_id', name='service_key'),
-    sa.UniqueConstraint('uid'),
-    sa.UniqueConstraint('username')
+    sa.UniqueConstraint('uid')
     )
     op.create_table('message_correlation_property',
     sa.Column('id', sa.Integer(), nullable=False),
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml
index 1acace141..d92daeaf3 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml
@@ -4,11 +4,7 @@ users:
   admin:
     email: admin@spiffworkflow.org
     password: admin
-  dan:
-    email: dan@spiffworkflow.org
-    password: password
-
-
+    preferred_username: Admin
 
 groups:
   admin:
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
index eb88e5de9..ed6d10e6d 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
@@ -30,7 +30,7 @@ class UserModel(SpiffworkflowBaseDBModel):
     __table_args__ = (db.UniqueConstraint("service", "service_id", name="service_key"),)
 
     id = db.Column(db.Integer, primary_key=True)
-    username = db.Column(db.String(255), nullable=False, unique=True)
+    username = db.Column(db.String(255), nullable=False, unique=False)  # server and service id must be unique, not username.
     uid = db.Column(db.String(50), unique=True)
     service = db.Column(db.String(50), nullable=False, unique=False)
     service_id = db.Column(db.String(255), nullable=False, unique=False)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
index b16ba46af..5c96d62b8 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
@@ -1,23 +1,22 @@
 """
 Provides the bare minimum endpoints required by SpiffWorkflow to
-handle openid authentication -- definitely not a production system.
-This is just here to make local development, testing, and
-demonstration easier.
+handle openid authentication -- definitely not a production ready system.
+This is just here to make local development, testing, and demonstration easier.
 """
 import base64
 import time
-import urllib
 from urllib.parse import urlencode
 
 import jwt
 import yaml
-from flask import Blueprint, render_template, request, current_app, redirect, url_for, g
+from flask import Blueprint, render_template, request, current_app, redirect, url_for
 
 openid_blueprint = Blueprint(
     "openid", __name__, template_folder="templates", static_folder="static"
 )
 
-MY_SECRET_CODE = ":this_should_be_some_crazy_code_different_all_the_time"
+MY_SECRET_CODE = ":this_is_not_secure_do_not_use_in_production"
+
 
 @openid_blueprint.route("/.well-known/openid-configuration", methods=["GET"])
 def well_known():
@@ -26,8 +25,9 @@ def well_known():
     host_url = request.host_url.strip('/')
     return {
         "issuer": f"{host_url}/openid",
-        "authorization_endpoint":  f"{host_url}{url_for('openid.auth')}",
+        "authorization_endpoint": f"{host_url}{url_for('openid.auth')}",
         "token_endpoint": f"{host_url}{url_for('openid.token')}",
+        "end_session_endpoint": f"{host_url}{url_for('openid.end_session')}",
     }
 
 
@@ -40,23 +40,22 @@ def auth():
                            client_id=request.args.get('client_id'),
                            scope=request.args.get('scope'),
                            redirect_uri=request.args.get('redirect_uri'),
-                           error_message=request.args.get('error_message'))
+                           error_message=request.args.get('error_message', ''))
 
 
 @openid_blueprint.route("/form_submit", methods=["POST"])
 def form_submit():
-
     users = get_users()
     if request.values['Uname'] in users and request.values['Pass'] == users[request.values['Uname']]["password"]:
         # Redirect back to the end user with some detailed information
         state = request.values.get('state')
         data = {
-            "state": base64.b64encode(bytes(state, 'UTF-8')),
+            "state": state,
             "code": request.values['Uname'] + MY_SECRET_CODE,
             "session_state": ""
         }
         url = request.values.get('redirect_uri') + "?" + urlencode(data)
-        return redirect(url, code=200)
+        return redirect(url)
     else:
         return render_template('login.html',
                                state=request.values.get('state'),
@@ -64,18 +63,19 @@ def form_submit():
                                client_id=request.values.get('client_id'),
                                scope=request.values.get('scope'),
                                redirect_uri=request.values.get('redirect_uri'),
-                               error_message="Login failed.  Please try agian.")
+                               error_message="Login failed.  Please try again.")
 
 
 @openid_blueprint.route("/token", methods=["POST"])
 def token():
     """Url that will return a valid token, given the super secret sauce"""
-    grant_type=request.values.get('grant_type')
-    code=request.values.get('code')
-    redirect_uri=request.values.get('redirect_uri')
+    grant_type = request.values.get('grant_type')
+    code = request.values.get('code')
+    redirect_uri = request.values.get('redirect_uri')
 
     """We just stuffed the user name on the front of the code, so grab it."""
     user_name, secret_hash = code.split(":")
+    user_details = get_users()[user_name]
 
     """Get authentication from headers."""
     authorization = request.headers.get('Authorization')
@@ -83,35 +83,50 @@ def token():
     authorization = base64.b64decode(authorization).decode('utf-8')
     client_id, client_secret = authorization.split(":")
 
-    base_url = url_for(openid_blueprint)
-    access_token = "..."
-    refresh_token = "..."
+    base_url = request.host_url + "openid"
+    access_token = user_name + ":" + "always_good_demo_access_token"
+    refresh_token = user_name + ":" + "always_good_demo_refresh_token"
+
     id_token = jwt.encode({
         "iss": base_url,
         "aud": [client_id, "account"],
         "iat": time.time(),
-        "exp": time.time() + 86400 # Exprire after a day.
-    })
-
-    {'exp': 1669757386, 'iat': 1669755586, 'auth_time': 1669753049, 'jti': '0ec2cc09-3498-4921-a021-c3b98427df70',
-     'iss': 'http://localhost:7002/realms/spiffworkflow', 'aud': 'spiffworkflow-backend',
-     'sub': '99e7e4ea-d4ae-4944-bd31-873dac7b004c', 'typ': 'ID', 'azp': 'spiffworkflow-backend',
-     'session_state': '8751d5f6-2c60-4205-9be0-2b1005f5891e', 'at_hash': 'O5i-VLus6sryR0grMS2Y4w', 'acr': '0',
-     'sid': '8751d5f6-2c60-4205-9be0-2b1005f5891e', 'email_verified': False, 'preferred_username': 'dan'}
-
+        "exp": time.time() + 86400,  # Expire after a day.
+        "sub": user_name,
+        "preferred_username": user_details.get('preferred_username', user_name)
+    },
+        client_secret,
+        algorithm="HS256",
+    )
     response = {
         "access_token": id_token,
         "id_token": id_token,
+        "refresh_token": id_token
     }
+    return response
+
+
+@openid_blueprint.route("/end_session", methods=["GET"])
+def end_session():
+    redirect_url = request.args.get('post_logout_redirect_uri')
+    id_token_hint = request.args.get('id_token_hint')
+    return redirect(redirect_url)
+
 
 @openid_blueprint.route("/refresh", methods=["POST"])
 def refresh():
     pass
 
+
+permission_cache = None
+
+
 def get_users():
-    with open(current_app.config["PERMISSIONS_FILE_FULLPATH"]) as file:
-        permission_configs = yaml.safe_load(file)
-    if "users" in permission_configs:
-        return permission_configs["users"]
+    global permission_cache
+    if not permission_cache:
+        with open(current_app.config["PERMISSIONS_FILE_FULLPATH"]) as file:
+            permission_cache = yaml.safe_load(file)
+    if "users" in permission_cache:
+        return permission_cache["users"]
     else:
-        return {}
\ No newline at end of file
+        return {}
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/static/login.css b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/static/login.css
new file mode 100644
index 000000000..15b093f67
--- /dev/null
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/static/login.css
@@ -0,0 +1,112 @@
+        body{
+            margin: 0;
+            padding: 0;
+            background-color:white;
+            font-family: 'Arial';
+        }
+        header {
+            width: 100%;
+            background-color: black;
+        }
+        .logo_small {
+            padding: 5px 20px;
+        }
+        .error {
+            margin: 20px auto;
+            color: red;
+            font-weight: bold;
+            text-align: center;
+        }
+        .login{
+                width: 400px;
+                overflow: hidden;
+                margin: 20px auto;
+                padding: 50px;
+                background: #fff;
+                border-radius: 15px ;
+        }
+        h2{
+            text-align: center;
+            color: #277582;
+            padding: 20px;
+        }
+        label{
+            color: #fff;
+            width: 200px;
+            display: inline-block;
+        }
+        #log {
+            width: 100px;
+            height: 50px;
+            border: none;
+            padding-left: 7px;
+            background-color:#202020;
+            color: #DDD;
+            text-align: left;
+        }
+        .cds--btn--primary {
+            background-color: #0f62fe;
+            border: 1px solid #0000;
+            color: #fff;
+        }
+        .cds--btn {
+            align-items: center;
+            border: 0;
+            border-radius: 0;
+            box-sizing: border-box;
+            cursor: pointer;
+            display: inline-flex;
+            flex-shrink: 0;
+            font-family: inherit;
+            font-size: 100%;
+            font-size: .875rem;
+            font-weight: 400;
+            justify-content: space-between;
+            letter-spacing: .16px;
+            line-height: 1.28572;
+            margin: 0;
+            max-width: 20rem;
+            min-height: 3rem;
+            outline: none;
+            padding: calc(0.875rem - 3px) 63px calc(0.875rem - 3px) 15px;
+            position: relative;
+            text-align: left;
+            text-decoration: none;
+            transition: background 70ms cubic-bezier(0, 0, .38, .9), box-shadow 70ms cubic-bezier(0, 0, .38, .9), border-color 70ms cubic-bezier(0, 0, .38, .9), outline 70ms cubic-bezier(0, 0, .38, .9);
+            vertical-align: initial;
+            vertical-align: top;
+            width: max-content;
+        }
+        .cds--btn:hover {
+            background-color: #0145c5;
+        }
+        .cds--btn:focus {
+            background-color: #01369a;
+        }
+
+        .cds--text-input {
+            background-color: #eee;
+            border: none;
+            border-bottom: 1px solid #8d8d8d;
+            color: #161616;
+            font-family: inherit;
+            font-size: .875rem;
+            font-weight: 400;
+            height: 2.5rem;
+            letter-spacing: .16px;
+            line-height: 1.28572;
+            outline: 2px solid #0000;
+            outline-offset: -2px;
+            padding: 0 1rem;
+            transition: background-color 70ms cubic-bezier(.2,0,.38,.9),outline 70ms cubic-bezier(.2,0,.38,.9);
+            width: 100%;
+        }
+
+        span{
+            color: white;
+            font-size: 17px;
+        }
+        a{
+            float: right;
+            background-color: grey;
+        }
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/static/logo.png b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/static/logo.png
new file mode 100644
index 0000000000000000000000000000000000000000..4cffb07fdf112e035c669c06bd5cbdc9355f43a5
GIT binary patch
literal 10138
zcmW++byyT%7hbwVSh_*F^G7Qo-MMtS(%l`qg0u)oHz**;g22)xNJw`rEJ$~Ee)!!#
zX3jJB&O9?`&OPrv?|WmkHI?vjsc-=R0KST{ye<HM^8VRY!^V6*Dy2R6J)dygm5sds
z0PN>M*tjV12VLpU7b(3JjJ);SY`y)gJ#7Gfetx_Tu1;QHYj+!7H&46l!`D;*00Tfp
zURK{f=OEX?pJqC>dfBUG1D{%rhZ5X{o?IP8NW}0e!)lGN|CA+@n_r#b?gjdfG?&Ys
znn9jgEN3-A!WtAxUt3m628c|x95w`?GKY`zIda%&=@hg6D=es;9#k{6<YQXdqg=BW
zk{9~5-E`@&T*_y6(Q6c_$npKQM4Zvr#88*dyyN#E{#Ee1=Y|<ad5H6Z1h^!dRGSiT
zrdw{UV|&U$KK<e<=l|Vu?;6?owR`DA);M%Np$72vzX0#=<Iv}dH#y!8N&CKT^_+Ac
z<zr=KE$QfY*RtYQmsqN(*!?dNrR9RtBFesYS=jbZbH#`YJ*=tc_wV25={h{0QFLpC
z=(~>rpSjCT61QuN`1^kUjwe&B{8N;zkqGm*=_*t@M5Qs)7Zwq*kw2wd5wk-3OuN~1
z-ow0--6^(`-z}M%kx@BXHv1W+Bxm<vpKWLmUD}L%4``mIwLS6bc)%X@CH~V9Iue}@
z%@t(<Q~YvfbFlLO9eUXOH&-=(|7GioI@FzKQ+;U0ZYt3D+;%t>Ngcg7u2f5_<DkAd
zyzDd?$BXpHOQ-t%N*bF+;rJneg>a;@^Q_YjQ{Yfrh`!Ofkqt;ptVh}7JFEMe&v?>S
z3b$2BzQj?7o{3^g6KO&m|2B#9OH5>BvsdI28|I;>rz&Tz!wB0!vaJ13K88rtQyBWS
z<%+?I%t{ry7Q+z=5+DM^K0WC?>XrhBw?V#lR&;t<2N3y-LX537s_I)luC>yov0#(^
zH>+2knTV!|-50`FfWBZWN;W5uqel+;n9oPm4Zs3syv)OwR<hhj-IqIVdyV6~4-!SW
zb{9KhgRmnWN35UHyTlcfUTg`Y_-ExEv9sFhul;8{H4}7KmQf2CMf)($swA-odBoj(
zLX%QrFcZDvlunajutdqBo9V#+50L-TG7%*TK#v-VF?F%q!RVaAMkuI-rWE00$uj2q
zq<PFv;LhwGCKjqz<xvhP#YXoR4Je4EOHts0bRJ$VhoWT2CXOu;T+>6TF~bSW(EpQY
zPZ8)O2q)eNI1OaV`9MGNq*`#d*+warztXb1$-VLx72?u8`d`%Blpfi?_bnYCM%*>i
zB{oTkg&f%hjQ2g0MGHmRwpB^bNFcc$rewW@_AzJAVeI+rY^tvuYrLo$=fw&e<N!E&
zm!qc9<$n;KKmt^aQ6|D_OBO<_tH`x|!uqEdkeNnm2qq3>9)0DoXw3z?5A|C3SjwuZ
zNW>D)@(6_&Z?9#`HXMQd-x?aukf0$jL*|oj@TC`|3T>H<a5D;}G$McFp%ec1o&bL@
z48!bYFz3EBZDWKCv2?^r%-ZK7a6HDNB#oCPlo~nQ+4CiIOF*Fb6Dq_^((R;0Br$cF
z-4i!8L#UqT<6Hg?4J+L;9?oU-;AENZ5O(f8)GP>j_bsC9)HUJU6}9pV8#UpCV#N{F
zI!JwPv#k2bGWOFJF}8GgL)VifucH_3FZ^}4&eiH4ruKe#!xiCd*mYwi)rWXV`L7!T
z8i4jSqreQCP_mg^<$~P&m#>Lt@~LJ**zOSznIo_KWBqBwTDB=_v0atbARu&;%Xd(=
zwo%FdyL*oDbH!HRbXLO^grp_W#Z6s)zPLOt7jvv3O$NbJ?;xdWMYS`G?9{@Euwgq^
zH$sLmwMNMx@)Qalrhyr3p=u1Rj@Wd|aqu<OfWq0Qy>2il@@Sd-(FJ#q)QC1sA%qVH
zHT#Mank_4Eg#RQpS+Ng-W)J55z4MC-%io{g6vv%sx<^bnSuEv)8Me4sZRLTF*P!@i
zZ=pAdT?i(!4TIkz8zyabSYnC|ZCB$(rwwt)#8-qcP-oc3gFWoJaaRi#ekU5uYW^9_
z`^--CBotdB?5-e8vDpNh-R7>2!EnjAU1Yqy8xHyjdY}JNTx3eng%)83!_3E{7MBxn
z;04!Z%2D1dM(03L^DIr@rx;3MW)xj~jlLpNI?4voAJ`qo2`*+WQ+H<!z4M7HI)OsJ
zRt>~28IKhkajyf6$ZXKsurf4O5{|i03uj$|9x%sb8Rm+$QDw#JSGC5v*ZwX$px5uW
zYoj8L+R;VR-X$g~VLPuyje{-3Gi0u%Xxoo?rJ;0QYA1dZZ>l&*N1k1vpY;1I-nOX#
zO3Rpy6Ur_JN4S(V2>D5O84i#oh#_8EB{Zg5SvzQ<`oV_Lp`IZ62MZ>`l6-uGA=<^4
z=G-Ox99gUS?RvNr@#PcAF#{w)441{dEnC(q9fX?DK=k<5>PYHU&g4U<JSt>C)k=iJ
zmgAThb@-wKyYBA?Y%-K83{AYmCkrUs$N9g@u1BBuaL7c`ff;<<zx*b%m2mcvPb$aW
zCszJBOkM3-gv3IzDl>JNi80PUhf^8G3j1$B;6C%V+aSB<(EDypjgU?5q*(M*?F?1}
z;>Da#%!JWZ#2G*sle^lUVz+Nk;*B^|q51|Lbw>pnStZof>`KQ>cnCVrVExhwKRiRH
z!`is!g%spyRbMn_<|(w}E4Ww|^=ZC1=7A>gvY}cs^Yh#%b$%i0fulPSd0{V(%}f+O
zRIxP*n9+PP)hH0or=~+gZMkC$XF-n(8wL79%;f))9f7+?&)hms&_yqmqD8(v;}j=z
zs)aX4f942gk>!90-~F<mr!Lwn(DFH(JOTIQS0%!R7e<87fcD#2IGF*fk(1P5Q}F}8
ztNks>E=jLkA@KiQKFR2DYDpB0SF|~UoyV=r#^y9SU|Cm`Fc0o%@Vj@4XewX6IHAEo
ziovjEea%h1#*A5}Xz--Gy800NJN={H3Kyeu3{WP0JDj0G8CtSG(YuO|A@JOo@^rX9
z@9k#WmhbX}hcA-gt!89ojE|I&_HzbObhY^&Q%n4Vbw%`I0|q<E5{q78HouD{!Dsxo
z_2v&0`uMv`?AfFSpX07S-<aVNuj5oR2RmsMn0A_HanPtNp9=rMR!Chl{TSzOVHftX
zTyig2r4{awCH&`0bjJq<r?Xz$S%Wiz*Q2R#Icz0uCid~1`t)xk=UYpNlt~put%$1N
zJa3*Z`d{YRxpRaf-_pxBta>Zasz4b;lPEZ_BPoPrSaT1jK|Wc}=@oE<iqv0k|2kGz
z()3fTF_<|;tEr4tXZnH`B*kPbg&B|c)rNv>E=qsq`fGL`O514J;`q!$qoCst4t$NE
zTLUdr@d4LeF#!05kv;}SyqmJkJonBJQ}iNN*MZ9*RemBBm+hVo;&YR1YL((NN8r1l
z!7e{$h|59F&@1+30~@mSD_wedC{H!}%H7wA%nNkc(nFz`-#kmG5~;)lsoQmy7jbQ7
zTye;lQGOF;##T)&z{%T)kmdOu=WKnS49O&@cJd_pLsk`yp4UWA5Zuyhq}lVqX)oLM
zyZ2H=jUK(u4N(CW0Ly6HQ5B4t;@F?FSz!^cO?sb|6R(#6*?m!QD;fv|^f>d;1UVJ?
zE|lBCbKYj&XTOpplIOeUHa902ONkaOp=XwTM3Hz?uA3T`{oh^J4Ru<6dO~^PPWJA6
zoS)neu4RO#tyv#8)OmXRVJi@;yvh&wJ_$x4>&nSn@qIKW)-xci7X_(#dwZr*%lD%)
z`JTRrpv0vqE%IT&Azjt(F+A;SGwLt;S!;se1F9;qvW}o1w?pP)$y^lhd{@)MHbM}&
zUS3wNArELN*|9=5&&~Ak!J|UmUa}MWwnFei7&LJq{XzY{DFp01f25hDTR7Fy!e=<H
zW&NTxDFl2(+J?tk!k5D+STHo?2Wy%@G+N&T7)S6%T&1;sPE?1v1!{dmn;CIgAQxi}
z<i1=qV@bk&OY*(0fvHO%35+xCqIbOqkUI0#GJjb8z!Gh|BweQujQ*bUev2Z=4ph2R
z#FlUJicyLA?DQ>XZj+{bzP@Slr)^p#Yo>lK6(>szuWyFDq~p~>^@HsTARCfdru^x!
z=G&Q}lb4+Xg=k{?m5aV+vaT%x>skeDAAEY0tLQVZx%3;Dt$7$6_Wyoi)lKM~)%x<L
z<S(&4)tu@ESXrgK)YYIDF9oeTHcx)pHkL>on%&UlT~D1%&3m=rI2jj8VVmWvgO^jn
zi6*8Xr*%c*+~xgsSE$2aoEqVDQId4MW*P#&vMrbL!s|Nu20wid8-cO&5b)0oaXW2*
z=ya0uqZdSgnI+qY(4j7Ou!Ej$nz&DFe<J7rS6@FOmvEkb`a`YYO?q3eku2ePyEni_
zLUv+CO2@{aX-_%HI5i$E+`4&?g!fl47&BtTdm7ujYy$N*gQAyRkaSQMd-`PcXhj*7
zS>00ydCNvfvH4sOfq_y?{dT&>;)p3x;l|f^A5+Y>rm9MNVeRDCMAcl?im5?6KW?Qg
ziYGOOi-KZIJ>R5M)GF!kZn6$ozzXHBL+hJ<F5**$mut36R2~feO&$6GcGF;}ust8&
z?fy5dZI?h>m${p2OPl!cpE7iWdFjk*;>1(NO*0t7M{~jTOvwN@Udb?@^1_{E?Y5K&
z^^W350;BOe#|e$ChKBzv1Q$~{R<crBJdeRp!yXECxWtq+2zHb{`jfv&-CW_!<ex`5
z-765%MS&gv;{3n~rO|a4kG^JXHcOr{vwsv2YETbi5R+Oh3lVB)Jux;K>nnU0``uzt
zeldt->bl-?)<b>6*<)@*SQN>_c!r&<_Q`+<YGH;L^FDOfde1)Q8M?As|3=c?Hed7e
zwNj6lZfT4{a>-tG`|aIa>=3XX>I*;EltcexSZqY;CP6^~t}8byIbBq?Y@i$_S;VLv
zPT+xGXgukU=dZSpDZMUlZiKb(WY*90K2gV>>~31{Yn)vc8)R@6wU@W&X+P+hR$MJ;
z$4e8+|2}E~**L5Ef?lTy{Lp5hHO88RNDf?(7w$tXv?O<Gb8kHx)i%owY++^p^7X>_
z&wO}uRP;WBGHE$=@O8^(Mc$8oXF-|Wk>>Zw9ZhFz(8F?0#?J>eF{Dh3!`}U{mPg$;
zvlV0-hly@}O7F4siF>y(oi<p2clxj%Q)x3VYED%;wVKKV>5AM2fBJ(OJi>O`X<HJj
zAKTM<qmBEsI+-<2yF!x+jObC@@TSekQlAcuX+8<eB*neE$sLPPeL{4ucTSU;%dxSu
z=}Qu+Bdvfbg=wGU#USutfKy=l^l+P17W_s?=i!H!_D0`#@6FxhL<R{yMC)-g4|w=e
z%DHE#G(NMSeDa<pb>xe(h~-9sPh|o|9`OxKfQ$GKui9^4qsT<bExeTga6ggFnK`~X
z4=19*^$=q+$J7%=K9?$h@s%rNKLG4lyIDcjZY}CV^O70k)to<BFg_;3yp7(@&=C+e
z>~Nvw;NX7fh@m{qcT2{I5sE~;Ir$UQ(pIxxr?F%s?A7WA)<{{J^2mwcO(3EZ&8(wm
z>lcx-ccf~4P#ETOXE#J8u$3$cZSpIC={N6ew_a>1!3i>xRqcudaeOvS$o60NbEH@A
zwQ}`#Ov6u18FQjXm40PeNXzSE00Ajl--HOtPKz%kg1GY16RD~sa&HPe_%5ZAos5rn
zJkL~wxtmc_-6W{X@{*m*{o^VEuiOIHX0!zPh#!96>aNqB?I+(<ZJLnhytsT*K19}t
zw(fwV3vVDebE-TWWPfkc4xY>@!zE3Y(fFgbF}TE|iysG*Sx+bAkO9PZz2FKA(~y`X
zI-K_t5I^<T7W%cF7W$lqoiqY<DlQ(<wKK8Q*@ZS=>a1}Hk`;)wT{AuZCrzgzFt+8_
z)-ZLSDI@R?%bL9E!*VYKX-vE{Prq!-NXxs{GX|&RD58x(Hcz`L_xAjwLFd0F%E80%
zg?v>}+T4LG5Uw;ZLnR=x8!)L8`uW|#neav2z@t(3QTui<zYREajZD%{BXHcVCyNcE
zT{9vqfH6O;c2R(n#b<Xl3@7rWgJhJ$|4+qD@U&=iq{qLJdKZ~dvPXsY3813BVq5l2
z^JB^h4a)$@juQo78XA3ZFn=90zgh&fuJM`va86IsZ0~}}9m$x&`MsUSo3)x#SRrS=
z$N9md#h^tkweOdm&Jmpu(ojo-yJ5J06~ORgRnmv81eMAp%IN<{T~v5wQjY-Sm*923
z*=I~4M4a>JZyL-gq3`M$3%!bZ?6cZWEB7pqK3}Gk_T)yG9kx)ufSRM6{!IpV%{81-
z6R<`*XhT)5YsV(;phm9xe<fKq-hD!6ToYCopGI^O@a{+7C^+@~V|NM+`K#HZT4MUm
zzkgK7G&_4+B~6<!0PJ*g+{=ChjUzZ}-H|qZFpp`_!0+=&J%%to2>+*5n-qSfEt9|@
z0q9}`ze9B&9hJT=er9ADFU<<zE*j3|M4h$yKASq7e9AvB)qAonHji-JO?`H=fdK0;
zhN=#RMD!3HM0H>kwqhlns`y#nY;3>i*a^sO+Q2&+o}On4zsos@xcY~u+p}{bC&UH1
z){EJ0r4yM?6fzw;QE4Yf!n(Z=8cYX$d$m4~1IIfRWo>jDR0FK>XJR^diT^$<n%Bnt
zl^sTEr0`Bj?cMa?cAwMpgaWo@o?58i_~=Ov^a}69=`SFD;y$_3K;^6w1WtEqN(!t?
zN~9(u24o^VL~%ea8p7{2IbqdvmWn=rf+4D?toB*q@V33@ygF>oqa?{GlCZpAMU#u#
zL_NB9o^+(!D<mH*{#9BI*QDs?qWFph;#=dwwCx5_rp`4<Ao=pExZq23+4o1v(OO)c
z69V7t9M?e0bq~VQhdJ`vnyb6!k3+K2p`+979oT`^J`$7Zd_DvNf8Py{!sAQTlzsWL
zvwd^@di?bd*}d?q$epBxlSSRWPG~5_^#{m_6in#q<=@C072Q*`VMPsT$D1;MKmAz$
zERvsikN=Nj)4MJxMhwitPLOm<sFX&t6W5H#@wJft7ECekbVg~?@i5`8Uyeh43h$*L
zv<L+a(#HlY|JTU|Vch*}EtX|c+9fxuNSB6IqD@|a%4c2*yhX0Da?2R13Qn!B<SNfu
zJ@M3k-Kfj^QyW|!Z-4Rr5=i*Bm+jQ(dYMV5n<eMaZMVkjQK*%*-U^h>;lwr5C;t^0
zJwlYK#c<DN-xMhfUU7U~HGy$-Vx99z>N6yp>ownvLFn3WG|gZ8pYvtGzeun9qC*R3
zef-QanJN=n5A_EYX1P}9Oo<DIznC6rhXDS*#}oP)SjSk(smq%&P634Nnpgkztis<I
zFYATUi8)+Gj-S}*7sGmzJ*KSdm3=dd-Cq}~R9gshzF{x&r@fZZkL;59Z>F`3Cf&(}
z8<}yuvL1lc_|qCNCk!jF#KNo-uz9BaEDPBvG@sWL%u`K#*WaDJiYLud%<BtQ-l}{P
z8u?;q4!#hj=5=%48#N<sv;53XeX*Wpo);1(`P!J@{FQFYn09qVKNHb~F~}B0dfS}j
z-s*I`{&nhIP)FtWQFW|=8zs>#M;|&1uv@}T=t|W0k3*E~>EgEsDFc~&8!Iz{U?n2g
zH;<O2ZF)(i!VaSPKFL#GJ=~BSbaFdz4rP{9(_rE4E!yFb&sC{sn2t^sjXguPlR0=L
zo0XF-l|qQs_Crj$gSsuLDo$7G$^odE)7om0PgW45LU%_Y9h$SVE#3xecd-4nB^oG7
z74VS7xs!!+?|0O-qN3r)<(N%s4{C(@6%vN%k*wPr_M4_$h2bDHaZ3dg1ArCEA!nBJ
zy4Ei`n^}-*oyIn|hqL+pcEzL|f_Nk==?i}5iO}**KY%mrmR3g!*7al6ON@2gN9-k!
zs{9dOFyFHK2ytHj^g;lykSr|V*A>aYO$~w7unax16G1<m_xkEGEmHJ{i}CUAf6sRr
zY$K0#E3#2a%44v6#tlJzH8O>kY{p>G*$Mxkr>)zOckunDTOSzw=O4Izo|Cb=$Z?RN
zU22!tbY+qvaDywKFhQ4{ZiJ~Lj(u5LchI*grj?KrjEI+^GvS{7QZX{KKn=l%-F`hT
ze3d_m4K|B<VjyhtL1er&{6)JJz#&TzZ+|-qAKZGPEqKWCno&tIpsmr<2+<oiaA|m$
zqiU(CmN$=M2MmYIJCnlPr(-;Sf6;3TbuLIQm6aACImsk;M530t*k|E;HlIZ^Zf#|e
z-@8}$A$I*ObfZIKQMJ8|Z&2iQ%ymni1llwl=Be)N*WU_$S}`y&VP)*V8wU5_eHB!^
zM@=!I@SNGWIE_0Ddj~O#kWm`ZPba882*|asb0QBf;_ZGAkt39`U_zUz&^_)?+fQbS
zX`YE4!c#5uMI?|s$mkb8yvML`w%l}?$E0)Q=t<0MtKN7AL94C@@5*(Slu1PX3>7r~
zNuCHq@awnyIW0Q)?manP-aIw0?5$GYbW&6(hMXz!b$O??_-pudP4av;Bw_p;=xR;#
zgPy3(K<yhXSe_lJN2bN4=C?NUAY{4B_m9p#gA#HvX+L_&vUq}hT3W`7D-D_dv4t&$
zqZYyP&xnij9QYnS7aBtUD8$rrT9>j@M@z{X0ROJV_Zj=AITwN$l7ddycRg~qam?TH
zl7n#^-dbKwlQHMNwU7_lNHK^qA9VE*w0`9|L||pUZD*P1q<M%MGGJUKBB-bGd)>mt
z$)dWZsGhWVcFhQjX#Jy^>L|s+nv22@9zU1`jQN9l<Hr3F?6#E|cO*3$@u0zP3Y(wW
zFL_`;4ItmnX#M4zouN8RX7XN%tn}%`RMPdhfg34Feo+!Si}+qUFa*3NlDe~U=Euk2
ziaklt_$HLdbnm`sduREe(j-&_<cwu1FhG(t_yp=l3ed7E+C-8jyev%{OGJG_*B(sL
zA+uc8`oX;|7`lk&tEZ$=6Je!Rj~fkJ7PzsVQfy8n?W@xMYG8(&q8Rj9z9Cg)wz-3m
zl!vO~_*xrNQm}kDn#4_X8A|F(6La#*ysTMh3;RLL(4M;gFljBCN6he#W?N~6YEd^J
zdI%kcMcAFx!=^bd{cvF7CKRr7R*;%pb=#Sh!kf1kIxM~?b~zK_=-qD&xohcr<;eJt
zSg0@DxrcF{8A8t7*E#X-=%A+$!{Fia=3CZT+#`Fi*Rn<@1xHNMc-+BT2Cc<y>G(Ad
zi)t*nMkjUEs#lR6zKFyYhnDkw{7!I>3uL!hJPr+ipxo=q8v6F`XS9#oht$yb?LZH=
z8Ew<?LlGe5Lb$B!RegcU1)I+Wl2<Nps4_ZQY&3NupIhP3i-i$m%kg3wnZ4q^tp9T7
zMsy;<CC*^cApJ?`o0BRI<?Mw(_^#iZJCtZ7h69J088>0SkDa;T_h)h>|NHK{S-{K3
zp4i9NsUzHbOeNjyGIyRxtWFc3US~p~a=8oxb$`1=vw4GchH%akf>&KkZ@(yeMLE{d
z&R+>%L$F~9QWdeqM==~hUOrJGJc?8EGZe%Da-6@)ClB1Yex}4W2@J3WGZ#5VZJMPz
zRM_t{5w#)41DDM;Pn*GizL<GI1MCN>M+cc+n=O3&0AO~@ahRJL;0x?nW_;}@{wLc?
z)aQrx##57op^Th{!AGVP8E+{W8RkHxOyX2rH~HNuDCzforDl9>R*ebS0>*MIB~W?H
zp&kD?UJxsd5>uNnp|y=iW~#h+W!-5hg%8$MgR1^|EfCTbKQ*;AsNhO1fNg6(Lb`gn
z@kzq4ee!{4TmTu&V8+E|Od-<#q%8|cQ{0|BHX&^wI&nVHTP1_E2AHjyyp55fK+iN!
zaorW79U~-eY9o`GK6e{!KZdCWrzd1AE%i-JKS*q{_cpJ+oYfy~Us=M|vB1t6B5x_h
zP+!=VmXDZM21zvzsvyxL`g`c%-?HF9pT~X--`+FM=~lBt)#!!4Wc^hR_IvU2bw6R&
zItr$tQN;9DO{hrod3Mf%mS)EU4$}T6(W@IYG1v06HWoLer5X3}Y8F?UC@#WrDrGhF
zR~<Vg6ZeyXM-oceGxw>WpO~=!9{|1W>zK>?Jzy`%+|p9lWm~dE|EH8a@^nf*8J(?R
zwcl+MEtTU)@e2Z(_n0^Wk0^7;Mch9EO4gw-ZxC>#Z36!X?EPf{ktXT!UjcQTRUI6>
zLk4$Yzy9*U`0GWo<EQF_h#i%Kns+fmimC+a>25!(Fu!!If-j?l^pCS!gIu#b%SCJ6
zgb`ihEdDwwH5k3{J#vcXz>mA?q`fkgEN5)Bag`iVit!Gst8OS@*`p`pcz6!6w>$S&
zD_@TcU+q&1w`-T@QorW=&YAkLEEuoPHk^?)CgY5Y#;bE`=mhCf=PV^A{HH7RUR7CU
z9%Eqa52C3@&w0M>0zoGGdZ}zl75ns6#GBZ`!LJb1PC^GuSgoU-;?-xnE{v?VP=*a&
zS&VlbX0CJqoaK8i*Q>GV`I*RWk}@UNf$7~O7q!ta+R?!~N6p`~RqxC5`DYW>FLL2(
zZSYSCvH%L{@vWu-(}$uKgS>h7CUQzTnF!_D$W9C8^`qAHK!S(Cd>&3ZJ<-F2?ii6K
z=l+=+7TZtnT{LaW5GklKq-_)L(tbEO1OrEfgb)67SJ!jAI6l}thfnPfU9jpT0glKW
zZE9laVr)codHL(5vdjgarXN4?742}821<KwysVYl@?|58DVQ{p_U!&$AIr#v{)V+^
zS5JQK%G`I=^+yfkz&CB?TgCaP@DA$eEb8*$1{l(GQ?&>F|I&F0e!^{6@4DVz=xwt{
z5ZhMamyCGk1Ndf3gmzXNaofb2MbgD2@tAyzqd{$^@<o14<s%h&dk^*px_pANJ?nbB
z<-na-b!C+Bxgc{8PD&%2+e4Z2Zjj>RP*0-1j0_znPxN<i@tgl-n)o<Xe*R43Yh=YO
zPz`zJk8gQ^b+1S3`Lds^?x^o*B1te;*xzBjATZweSs40#y9#o19u1ye006M4|Lp}x
z`X=+ME$(}8$JGsv7edpEm;L<g_2rDbM)QudY{%v<S65Yi1M}xz`5;A^_u;|PM{H_C
zcx^bt3_2wr`==e(j2K>2OZU<ix+!tR1hI~usWSf5$O^GOK$ugz`Mq()d@+bxpW-|S
z-II0ooUU-}O;rIif0i-DC=#{7ITCDN1WCGisGRpU2fC%p*X+IQ+}PZ@b4-)m_4k^;
zsfc;`bStGFn}583&|}GRk52P95ks5E*1Z#u(fv(J4!Cv++JkO8ziOb}^2<F8X(*qh
z>5f*9E>DCva5qw7(rn%81?+X`r;IFe9SaVi8(ny?U!h@Cn25aWtyjK;hdgF11WcPi
z^|jk#{N-n)FEYi>pBX%5J391OISIx2M3+*_jTd@ZPA4;^RAj;}XnA{&F|7gZBDpu;
ziYf?2ifsw{!#)Yl!n<P42JeAa%wK6irTudw-O)(FJQ63jEbr#4SF>w(?h`Y+Z3fvE
z=U~Dpy>J>uWP65V|02gRd4&;hezH9DQ?$2H+wGDCO){JUzwT_+r!Ypj&@d6Z!^^Gl
zCqcT!Y0@c(#hP)L8S}~<1K2bS!jd)9NvOZV7u}P;aFRO~6PI1V>oki<8E{eyKUEGI
zgqGdABSfCP5~rV&QCs9Zrff5t+DRN@<1pedtWcmst=X)?8T@ixU7t$!Dfd*h_hW<y
zPQu@B{}!I#1=v<C7!dICNi*qA_GnXDO6fyqtJDe$Ywm$`khs!H>lkHWJijem=c!Kc
z0wpG*o4$$Asd!cm;K_rRUmV<e?waSFsf)j|SW`B0*<>?b@K8VQY9qqr8C*Z@l{Y0t
zVSk)H?6_axxtm}+@Xd$Qe#<w7tMj^^5n?v(VM-+tEZm18mn1VqzMjn_zNdIsb3@>G
zld+hu`HlRF=j%sEz1k?!>aRcMqvRq~CQ3&f30EA;zMQ?heZzaz&?TFTDt>=(Mfny4
zVj3nT#9kLn<SlWV6$X|jZt@>XWH5ORCy*{3FzVdUjV-%JnllCl2i0DkhbKx7{48Na
z$<k7%Fic`y5{Z=7yIgpoO`SVdm+^1ret3gDYcM}BSFlZ9%aiaV6fJ-RE;t>${Z9f<
zE!-l<(a3DXOx*cjIT7*ml5oI&fOKrr)XTf6;2vYqHz!efKH5_OC6XqA@gXU0p%E-V
zt$np5w|}zHyW}u}p$FRG0^Lc<rWXxXH19*2(r&(eym&lmH&a_vfm%TCepZP-RnO3*
zx>#JF$<q1h*VbpT?U;s35%pGVXLo8E@<x(|SAo94<aj-KkX+BI<|sh$Tnp_Cqv@B{
z0vf`U3^|?{+8wpE5t2mg-glr`bZKkXTx9*Mv0Op(t0Z2Wd(xcf(s&n{fu};<4^D4F
z%%vme1pjEED9|6#VzbvI@c0p<TbT#->6gZ<LSJLcySibB|Cj12@#eWW3Q$SiN;vU)
zB!J+2dw6z=Y`)IWlS5aB%Yp8Zo18!yMJ2|#Gv3xSp16`YZ2}uLE=HIU7`KfKqVZaq
z_v2h@ntOZDfba<nK7fQo0)l7k^vhu7DCffx{xvm?sdfr=FTT_Wbjw)74hCe`cu!TN
z{8VF5hKyIvbg4b98N?sx**(g=A**(O*7~yhnD5srcgIncv;#wt2G<{eO<EBME<v5L
zR;ayqy!qdz$04Ep^Z(=%?KtNk&9HALJz3{PdgwPL6~h!M(kSf5WINmc<;HwHiX~mF
zIx<b&VtJ=T6&}k&T_$aI|EBnvuT4j^zM&g0hU|Rlou3EXTO{3KGU2HU1~gpc=2HWS
zGZo52LsO-aha}gyi^~%u+V95u$~5h4DOA@0Bp#JiEnh?CyGoDAK;LR&GRtf~D>sz5
z&Zxb8IUKj_=lnO6AvTv?5(bmOmf*O`BsHjS;AWq9l(_j4=SVTD1LnT*%{DRD8CuWK
z>4u%bD4x>Hr4`OpC?!LkP1zg4iVV+Ww{z4d4O*Y%p}lL3Iv1hBFqB_s>YPrG@k}cA
zKy!3~FL!2zpy{;BnMnK(xhpdT`x?p@5VO6m0ln6L%J2&y=4dUar)K0qMVSl*+8*(r
z_2?xa2{AFT5Rm}jU^t;erU$-Jvm9+NhnP6KBe&uCC*4Zg4b~^;s7p~Qea?7f==wIl
z87arQ_$(y9t0xb<yn+Act)D;}_JUuVUQNMUr#|4<yqsX|KYjNg9-1&)(c!mg+LYE?
zRUk;tsdh<uN)CK@4+|(1{aPCr6B9H4DH{8cG0Vxt%$C@f05pOR27GbGBHPwB`o3-G
zMXR@*?_y!(o35t*uLUH-V#oeIzFS$1*}*G~7rt5QNq1;}r=e?@C`z197tiPZ|6#8*
zA&c1wJX@9X*iQAA@Bc~C^>&KRs_FlKse~s2E+GiFbSEY9d0!nsML|;@_SOpeKeuZ5
AE&u=k

literal 0
HcmV?d00001

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/static/logo_small.png b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/static/logo_small.png
new file mode 100644
index 0000000000000000000000000000000000000000..d0ad4499a9f187c829438db52f20575863e526c1
GIT binary patch
literal 5000
zcmV;36L;*1P)<h;3K|Lk000e1NJLTq00651001Ni1^@s6_72Jv00009a7bBm000Br
z000Br0g<}oCjbBd8FWQhbW?9;ba!ELWdL_~cP?peYja~^aAhuUa%Y?FJQ@H16BS8B
zK~#90?VNjjRMoY|ziZEg1mux969kbe_Ti)2Du@MzYJIeoPh0QR7PP4MT6>E{GC{1Z
z){<~C!B<tlOhAjb>a7n%t9|$>)M^n$@zG+n+SV4|$~&0}ghw7Td)+_InVB;o2>}x9
zz0L3Q$tP#;z4qE`?^$O*)>``ry#%K`ezOSgHBfpdiHerqYNrqXItcX^<Kl6r*9+X=
zpXTzCac6|eCVcJXZ7)2Y?ydIv@c$puo6Mb9{8Hej04VFk$W4Q`W$t|U9=EwS+wBah
zIsh0gBG2_8&%=Qd5&3&h@$5s#Fuln<*)r^2;C%puLshkQ+aU8^Bvy0v$XWCHcUDhT
z*Q)B{s``woUa-G%sOrW3V-&c0fBCh;slYis%(D+2AUCs)nC1>>?iacYvFCw&9OzV;
z_7VpH{W{2BFCsT~G}Ef;>mqWTstyGH2uuWK`toiB)&ds-MZjgiO(HT~RqKEUfiQ5e
zh&-gK#{$0xeg(`2?)U4r0p9@*2WA5;z%?RL@5^w4pWg~x1pEm2EU;2U7OLt+z+@l;
zJP+If%ma#n1tRkDevVro+Q9$}z1;m|bFp~^(Rm;ffe}EYhyFTJRDcowO#4<e7Qdt;
z0uk8`yb630m;kI2kvd={umC6lP6iHB)uVt>z<I#ef%kkKe*rd%$YsC|zs^)Zfib|1
zz^{S7<0*a?^MF}+FU5G^7!jEaoZ~P3bAj`LH9q}xycg*KAl^xz`>-D{Loas+rbA{q
z@TrfW{cXTqZDITCjtW&Z3>*u*?PvYL|NlGSB%m2@cKsbN2UvnPQ+@_-M(zl2i--lb
z;H@4JyxIR<;5PxfQecyaC{RXrI|G}5;eZv9W;_MO=Mw@3;mzQE=wXD@#*~XUb7iqn
zktalT*PbeiA&qKNS2T*8$L=q}HlQ{gw)3~mcat4d>!+%B0Y?F~BC=Uk3!280dAOf`
z9Jm3f06quo6p>7T{w-Bq1l*1{qXuz1-c0*9JO$3;KHyPRT?c#*xJp$Q0*Bzurq8SD
zoxTju;LWJF`TXDNVo3V1j}RwT{Rfb-etLadKYM)Bt!{l!Fn40^U@#xz%{H)SB?UlL
zhv02d8vU6KRUHIu7ZFv}e!x&*Gk}P+scNZ+G^%PbU_@kBfL{@wl6?pa5RvVw+8<~W
zk+iBF1VlvS!*+5+Job|GXZc~k1`)BUYJ8rXfslwa`!t6FAGUj0`p^RigB+1h%5Qo~
zQ2|6kF<;5LrKI_KvbBS}roeM6u&!NsqyK+52ZV^UkzdBQ`+2(p<vZ~9v+e7p0?+AS
zoBmcJn{Erxytk+R^<m!-CU^i6yS=9vI~6r&tLiL7YtkWI&>bc1Lm#?AxYsyatLY*=
zvQJ6-&{OC&Wlh%2dAzrH_u*d?VZde+s#5e3%Cbi|74a#eItJnShT1v5YF{3W&HWr=
z&sEDPF{IV95s?>@8;|-04^PPy(5M_PqL~~`H1kVb_y1JvLL^pmwZTRJ5T0nLo%8#>
zsXw%$=2IEfZwhjxf<f$NQF%rB7e7Kv>j-Q0@;tSzOeWlIJ=%f2L>Slr3;__8iA;Vd
zl>K4<nGl&dcOup<RRk1DuW&~<E^uGTmPadUeyD1%LlFd2@%?kUmWQYO93WC2zecgw
z<1@+9DEj7*hR~nFvFh(+`6+sR`yXf6RW~1$ZrNFxO^Y#i*WXsTTTDPS7M~3|5Wph8
zNhPXQ_4IfE2>M+`M)?Bo#Pig33(<<|b2F+-fg;UX^Hfl1wvGA=DYA!Qq#{diLPa;?
z9h5&ZgjMwk5jh$F(G#5EZ#*Uy)l1c~b6=T?n2aLplPyEnu=ujJo)A>54k$>c%|Y4c
zVc&HRZc}yXI51}kz`)q`Lxps8M>Hb3L_;>EY4d%u@e;~Yc=p>ITAO#CDkAyV0;}8c
zJXtv$JoCC?X`89ZHWO0$ZTEY5fZ)1D8)N~VL!~{Ir50ba)tOO!przU)!m6QLMeL<`
zUL1f)sxoPR;<3CpRdI?pC5hEspNwYa<GOZ_6}vz(nt9Tx54kEj2IcuwUFB-10-&{D
zXsmd)*KGS!Q&C-7x+VOvOi6kNK#{hMMI=w7T$n1e4@OdqOo!RobgP?;#^SFkj0V6k
zfp*F&$Qi-3g)?ZUtm#a8B9a@t=8~d=UfiF4_XZ*<MgoWBGDK^V8;+?yc*NSWbeneO
z9{<P@Zd^F~y|VI}saA9;p5MGD;eg%}Z3vBSKraSq?>*{1T-PQc@VZy!AFVopmrGL{
zk9mm16x$fIc?wRDU8>AJgzMT=-u{ZhQ~1iNDxYsJf(T~@J7D0Hk+bIY|8V}5y8@XL
z0zR_U1!eyvP{9e#MONhz9-flf?75QvX%PmfudDoZX)He8z;(cv=y-Y9XDE816N^8c
zOmHVaX)J!4@gkZK(fb;jhd<zyY>KJMg@PUdY!;Dw8+6Dm*;@u>Gi#2rR_k(1Gv?Cd
zqS+smUg4e~8NL;0PMqOy{FYc8L{iDx$|)X=1Zi*@%yMFJfW~B^YO*iq3PG*}5cnLf
z+Yi@m1sF8r`lymV-mjhlA_~R3(mN&qPX;<WA^$8ZvyY=LaZ8#8hrX?<=L4Sr`h%<k
zyWHB)!p4QOb1zmjR&$o3R|6Q~n)=$RHPMRdb5&&ya0GBqGEp_Nt1&-#=5@o`Y-X{*
z0Ixr~rXf-F!_q6N50^~n%AnWT!0k>fz5_s8`h6p{_?q3EGVKv9uQ@}7X^NgGo;NWG
ztP$iV4T;L!ctm3Hguu}NsyvdatGXjw=FF)6B1V1?V7nxlsJbg(xB4rBT;Y#vea>{%
zn5cRc`09vh?ttcEMj0{t93rS{LaI6e(d)_0)^Zhi%4&pRC};T{80hrdbT-Nbk{`f`
zs?K$2oRD<guj0B^(ZS%=0T7cusBDHi#%9bP*?k{+mM_Sr(pY@7$*`tV8sB9LAm}QP
zG~P=*z-b7NNx};NMbh>K5N|&#@=H`b<rh5@Us*>?a|bjdqjTdBlBWQim^*Tth91KU
zI}DCg1mrkl>~|vN)l*Y-bC!EN?IEam<Aa<Xjm0OaQj@PnYX`%ggA;QHw^_SPyr?o1
z-VB@YMI)wF_ixUae}J~1j84uzv=!SuYy(uBiuin0o#~BP4nu$=6#Ygd7OzVsDl0%#
z&|Tp5MMMYUg;IJje4W5=>a)8mpET!#dUXx=?Ph0Pzu4Ug{IzR=yM>pc74d^rxyDZ)
zIrMUO_?AWP#zHa~k1!ti0M&O88BIQxV3LzGmnPxAJ8B>!rcK~wyrAk)fg&$#Pe=;3
z4K-cTWHXWpcbiilUxP5tE3*^vl~s(Kk&UHM)w=~Q#yg<q_OY!cG7inHN;^`K^h>y|
zp<eDs3KaDnV57ho_2OSkMP%uaSk36IiOPZ?7*)NTe87&E=f~W3gpsr6_21dn^q7c_
z@w3)z$bND2f~rj;rnv)vKcfslI3`f-ufQ&VP+Gb)-$lx6E<+_at2g2W0UeQ*Q=r_5
z)x4EVu)qk*t@3@3RK_|ncW~ayBB%TGE&e#1oL|jUgqoZpTg&p^^I!oAe+s74#tbDN
zQWwO}lN*n|fQP4KqO;~6s%iTIFw$o-jZTy`Raf;IFg6;C|A)f=WSdPUs>Ze>9UHBv
zzF1X$md)sZ1^_WUrRpiGdQ18({&Q9-n^RHyVzj}$<{if5#L_F=(#8dDqqSyYU|aqi
zuG<=|s6JCgPR);r{2-O6ycxVWVjD86)mugfg}hq~)7ptN0#J}8D%=-BH(@gyc9UDA
z4c86tXxRRs<l9TB*e^FOaNmX8L^QT+hC9ZJS(B@5nUY*s^_PyuqX4dJq=Cvn&MMQt
z_$&24zPbt5?dQ~+2NBNo%c_Xg-d^t{pK}_d32y=lD{>m}m=kkH0!MmdqW6GY1`KeL
z;ju|r9VxFl4lhs$Ad}Yc<Gp&V1(iYzK*)AzV^FBg+IAb}&t8X0P&r4By2S12gI}jm
z^_Fe`0~0_cI&1Es`1>w_7jfNI6@A7h3x%wl27u^<JRhC{uqywaXU@9R#-rwClUo+K
zZzBF3HIHC2=<Z`AIyaf9oSLewTvlIOwWhw#UEhJ|+oMU7ko*;!orw8rs@8pdFNdI0
zI9tp(yqCulOSHQF$5(p+My}hc#s*HkL?Wcl!gX5}R^;mV78MaWGn*F@b1RSrP-{>1
z%fA%h^-|NqYa0q?*0LGy7;DVAB8)<{NkvvBHyr&)Z#xOX8N0SH$G#re4TVz!Lx+TS
z3q$Q46cv{|*VeMD73ilhv}{K8r!*tuvhrk=*;uo}inni5I33r0j0VPM`IwNWtVS4>
z3&j;)Z$Fl5_2q!6t8~ze8w#uz0HL%l+LPR>ItiGR%MfNIYiF<ScE`H`H9ATHyVTYq
zeKlB~s-5$fXsjl?q+^gz0En;*<==e4&HzwrPDd1!x3?rJ*G6JBe-?C%2&VxzX7{RI
z!?N7thv%7zR>beO#;gHmt8$Sd(@~Z>!`^tUG!`FC@1ii;%b0?2y>Ph4O=_KD(=FfM
z0s2xloiTEfTA7$ltLO@VbU5=2-u)}EGTzx@j=}c?0^1rQb`5|kkvw-Vj4=pp*VmFz
zW;bQsvS?0sOiGgqQc8JOmooParZkvpdjHd@!g5h1?@Urr$NO&sjuAa}=;iJ}(9Z*i
zVKsoD&-w%><GNwslw7MumjM_iKNM<f+4ZO@Q#+JTIL5#e&W!l6d*3-538unr9ec%8
z@=J@CVLuj3hSVJ3$SnyjTVoJT^piVMQTrl5;{vx4?{Ejg@nSeBz+hD%&LE(mTJU27
zo{cyF)0*kPY}9T0^gH+mCEzo=(oMH^vtIY0S|Hn?!~R<E`!ek(MdT01px(=wy3Ktb
z$nJ?lnNa8ygd+f~#k&?SWUt2$aq8tvV6dOwSYKQDGJuH=f8%02+iE~4)<J=JB#L3L
zIzD9j4H47?0wLJ3CFFe25v_)#;6+g6vw`IH&5^c-y=i-YVFLSB-~`B>oS)6wT>%8m
zDs>6oMa67MuD+_ilF#R)_WN&R0(M#0u;~tWGy4R6HXXKORk<pcgG_hIt0(Upzuh5X
zgMFc2OK4&+9qGSi9DztaBf)Kg=4MyLo<q(bZN05Z+B_d<DKM7&Hv6)M75#Q#f4IxS
zq{h0cr-w|xA!5R9j|zOjFZ*&N7GELRrLU__L6OpSJl>_dEFSLcGeW8+KBT<nm92G^
z??h(Koha7k4EPEwaNRUB58Q>(f!i}LY#U^D;aw;^+5eAHpu{L<1-|iK1NK5=GkIkd
zd060Dyg_!F2Fbh;)7-1pFLrlE%Bv@-@}GHrJhJan%M;t?&q;#b9*Na_Id{+!`Dxh<
z_tpA^?mzaOw})h6&flEa+&_bU7C=RB7!s>_ZEK?PE#HbWFF?MbUL(0Zvk1#o`5u5l
z&i0pz##DsY0g{Vmf8dnI*C8BA(Do`U&psNE<H=)5W1{M5fUURxFl9{6M(Wq&be~a|
ze+s8jsHmGHY-V>p40>Eh^lc{=-yznnA|I!q_@<)+iFfaDo7K0k68L_CF}ax(fRdKX
zv*LYkAV}9(zxmU-8O3+D+?`D;GQGLjG&-?(lZY$})T<Avy<z{Q7i}Z_UwF}U0E4VC
z4-l&@?g`%FU7pNZd5#XDZ#uDfO4IfO2yBH^e-xaY8XR4Pe>PFig9pm$f|wEEdH?^%
z{hUlXWOLpyL(mDK6c~ghWA@t$pzx*|`=y5Yv)6S((tzY<l!C}AROa+nc-@{Lg<AoD
ztqtpsF8FZ8`o-=}g_nYP3M<>6_y;%H86rFo$SMK`1}d!+%vU-wN$oYZC$8NBatV2#
z>WPk|Zt4l%4T;JpMf4K#dt>k>rmP;NMdaFK-JH7%D!Oi~c(E5bNPeH{XHXdQqxxL%
zrb!s|b&&Bs@zk=4_~QE7sx`x|y7{2CmR*HwugWWkc0+-+1<VJieIg~1`?#&kuLwFx
z$6gRk$~P7BHPjv=BJT=%SAC)?*SU<?Ek@1aY}(lT!9_9uK&@9M+TmeDHMBNI(;cWj
zO4cy}VEB87COp*y$lvmGvRhEN|HYXLBeD1$pyz`eD`-EE^@=>%zcq93`o&fGQ*<|F
zRn;YeL;+NEO|UGPsQg{DqGqOAJ<iW6DJyqJ)YrM|Ghyl_Lw+p9wma2>37hvb)-KGZ
zZKf?}wP>iFb8lI>`+GH^Z>iN&5G?~q0)GsN{A^2Y<=XcAe0djw<Qy6n9xEiU%TSZM
zwl9W)@Jewi;?q!m63ENoeVyb`@}?LRR;ChFr*|a8-omMfPeEClO(!WW>H92ZANB;3
zbnIPd&Km>XS4BQeKv98h3RfOj(fZJbLKs{(t*yo9Nc$-{kM|HWsWDOYr%uZI(1!zp
zFn}Mwc#a=udY%X$M`f#uu1q@iXSh{ehNShO4+jDTu>ro>>gkV2mOk{MOZ+cn4Di%D
S|CE~m0000<MNUMnLSTaG#Dc2;

literal 0
HcmV?d00001

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html
index 1da64914d..6ef264577 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html
@@ -2,94 +2,27 @@
 <html>
 <head>
     <title>Login Form</title>
-    <link rel="stylesheet" type="text/css" href="css/style.css">
-    <style>
-        body{
-            margin: 0;
-            padding: 0;
-            background-color:white;
-            font-family: 'Arial';
-        }
-        .error {
-            margin: 20px auto;
-            color: red;
-            font-weight: bold;
-            text-align: center;
-        }
-        .login{
-                width: 382px;
-                overflow: hidden;
-                margin: 20px auto;
-                padding: 80px;
-                background: #000;
-                border-radius: 15px ;
-
-        }
-        h2{
-            text-align: center;
-            color: #277582;
-            padding: 20px;
-        }
-        label{
-            color: #fff;
-            font-size: 17px;
-        }
-        #Uname{
-            width: 300px;
-            height: 30px;
-            border: none;
-            border-radius: 3px;
-            padding-left: 8px;
-        }
-        #Pass{
-            width: 300px;
-            height: 30px;
-            border: none;
-            border-radius: 3px;
-            padding-left: 8px;
-
-        }
-        #log{
-            width: 300px;
-            height: 30px;
-            border: none;
-            border-radius: 17px;
-            padding-left: 7px;
-            color: blue;
-
-
-        }
-        span{
-            color: white;
-            font-size: 17px;
-        }
-        a{
-            float: right;
-            background-color: grey;
-        }
-    </style>
+    <link rel="stylesheet" type="text/css" href="{{ url_for('openid.static', filename='login.css') }}">
 </head>
 <body>
-    <h2>Login to SpiffWorkflow</h2><br>
+    <header>
+        <img class="logo_small" src="{{ url_for('openid.static', filename='logo_small.png') }}"/>
+    </header>
+
+    <h2>Login</h2>
     <div class="error">{{error_message}}</div>
     <div class="login">
     <form id="login" method="post" action="{{ url_for('openid.form_submit') }}">
-        <label><b>User Name
-        </b>
-        </label>
-        <input type="text" name="Uname" id="Uname" placeholder="Username">
+        <input type="text" class="cds--text-input" name="Uname" id="Uname" placeholder="Username">
         <br><br>
-        <label><b>Password
-        </b>
-        </label>
-        <input type="Password" name="Pass" id="Pass" placeholder="Password">
+        <input type="Password" class="cds--text-input" name="Pass" id="Pass" placeholder="Password">
         <br><br>
         <input type="hidden" name="state" value="{{state}}"/>
         <input type="hidden" name="response_type" value="{{response_type}}"/>
         <input type="hidden" name="client_id" value="{{client_id}}"/>
         <input type="hidden" name="scope" value="{{scope}}"/>
         <input type="hidden" name="redirect_uri" value="{{redirect_uri}}"/>
-        <input type="submit" name="log" id="log" value="Log In">
+        <input type="submit" name="log" class="cds--btn cds--btn--primary" value="Log In">
         <br><br>
         <!-- should maybe add this stuff in eventually, but this is just for testing.
         <input type="checkbox" id="check">
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
index f29c09851..d7bd40a1a 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
@@ -6,7 +6,7 @@ from typing import Union
 
 import jwt
 import yaml
-from flask import current_app
+from flask import current_app, scaffold
 from flask import g
 from flask import request
 from flask_bpmn.api.api_error import ApiError
@@ -253,6 +253,7 @@ class AuthorizationService:
             or api_view_function.__name__ in authentication_exclusion_list
             or api_view_function.__name__ in swagger_functions
             or module == openid_blueprint
+            or module == scaffold  # don't check permissions for static assets
         ):
             return True
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
index b234d914e..963b5585f 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
@@ -21,7 +21,7 @@ class TestFaskOpenId(BaseTest):
                                     app: Flask,
                                     client: FlaskClient,
                                     with_db_and_bpmn_file_cleanup: None,) -> None:
-        response = client.get("/openid/well-known/openid-configuration")
+        response = client.get("/openid/.well-known/openid-configuration")
         discovered_urls = response.json
         assert "http://localhost/openid" == discovered_urls["issuer"]
         assert "http://localhost/openid/auth" == discovered_urls["authorization_endpoint"]
@@ -57,23 +57,3 @@ class TestFaskOpenId(BaseTest):
         response = client.post("/openid/token", data=data, headers=headers)
         assert response
 
-    def test_refresh_token_endpoint(self,
-        app: Flask,
-        client: FlaskClient,
-        with_db_and_bpmn_file_cleanup: None,) -> None:
-        pass
-        # Handle a refresh with the following
-        # data provided
-        #             "grant_type": "refresh_token",
-        #             "refresh_token": refresh_token,
-        #             "client_id": open_id_client_id,
-        #             "client_secret": open_id_client_secret_key,
-        # Return an json response with:
-        #   id  - (this users' id)
-
-    def test_logout(self,
-        app: Flask,
-        client: FlaskClient,
-        with_db_and_bpmn_file_cleanup: None,) -> None:
-        pass
-        # It should be possible to logout and be redirected back.

From b9fbedc63c708282a6ccb157b1e635060f162842 Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Thu, 1 Dec 2022 13:29:57 -0500
Subject: [PATCH 21/38] Adding a demo permissions file.

---
 .../config/permissions/demo.yml               | 88 +++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/demo.yml

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/demo.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/demo.yml
new file mode 100644
index 000000000..79bfed81d
--- /dev/null
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/demo.yml
@@ -0,0 +1,88 @@
+default_group: everybody
+
+users:
+  admin:
+    email: admin@spiffworkflow.org
+    password: admin
+    preferred_username: Admin
+  nelson:
+    email: nelson@spiffworkflow.org
+    password: nelson
+    preferred_username: Nelson
+  malala:
+    email: malala@spiffworkflow.org
+    password: malala
+    preferred_username: Malala
+
+groups:
+  admin:
+    users:
+      [
+        admin,
+      ]
+  Education:
+    users:
+      [
+        malala
+      ]
+  President:
+    users:
+      [
+        nelson
+      ]
+
+permissions:
+  # Admins have access to everything.
+  admin:
+    groups: [admin]
+    users: []
+    allowed_permissions: [create, read, update, delete]
+    uri: /*
+
+  # Everybody can participate in tasks assigned to them.
+  tasks-crud:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [create, read, update, delete]
+    uri: /v1.0/tasks/*
+
+  # Everyone can see everything (all groups, and processes are visible)
+  read-all-process-groups:
+    groups: [ everybody ]
+    users: [ ]
+    allowed_permissions: [ read ]
+    uri: /v1.0/process-groups/*
+  read-all-process-models:
+    groups: [ everybody ]
+    users: [ ]
+    allowed_permissions: [ read ]
+    uri: /v1.0/process-models/*
+  read-all-process-instance:
+    groups: [ everybody ]
+    users: [ ]
+    allowed_permissions: [ read ]
+    uri: /v1.0/process-instances/*
+  read-process-instance-reports:
+    groups: [ everybody ]
+    users: [ ]
+    allowed_permissions: [ read ]
+    uri: /v1.0/process-instances/reports/*
+  processes-read:
+    groups: [ everybody ]
+    users: [ ]
+    allowed_permissions: [ read ]
+    uri: /v1.0/processes
+
+  # Members of the Education group can change they processes work.
+  education-admin:
+    groups: ["Education", "President"]
+    users: []
+    allowed_permissions: [create, read, update, delete]
+    uri: /v1.0/process-groups/education:*
+
+  # Anyone can start an education process.
+  education-everybody:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [create, read]
+    uri: /v1.0/process-instances/misc:category_number_one:process-model-with-form/*

From f01cd57d247dba131d525c8d33342615b37bf8f5 Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Thu, 1 Dec 2022 14:12:25 -0500
Subject: [PATCH 22/38] Reorder config imports so that instance config is dead
 last - and can override everything else. Updated docker-compose for running a
 demo. run_pyl fixes

---
 docker-compose.yml                            | 32 +++----
 .../src/spiffworkflow_backend/__init__.py     |  4 +-
 .../spiffworkflow_backend/config/__init__.py  | 12 +--
 .../spiffworkflow_backend/config/default.py   |  6 +-
 .../src/spiffworkflow_backend/models/user.py  |  3 +-
 .../openid_blueprint/openid_blueprint.py      | 89 +++++++++++--------
 .../openid_blueprint/templates/login.html     |  2 +-
 .../src/spiffworkflow_backend/routes/user.py  | 11 ++-
 .../services/authentication_service.py        |  7 +-
 .../services/authorization_service.py         |  5 +-
 .../integration/test_openid_blueprint.py      | 57 ++++++------
 11 files changed, 123 insertions(+), 105 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index d6a86149c..7e05ba2a1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,46 +6,46 @@ services:
     platform: linux/amd64
     cap_add:
       - SYS_NICE
-    restart: "${SPIFFWORKFLOW_BACKEND_DATABASE_DOCKER_RESTART_POLICY:-no}"
+    restart: "no"
     environment:
-      - MYSQL_DATABASE=${SPIFFWORKFLOW_BACKEND_DATABASE_NAME:-spiffworkflow_backend_development}
-      - MYSQL_ROOT_PASSWORD=${SPIFFWORKFLOW_BACKEND_MYSQL_ROOT_DATABASE:-my-secret-pw}
+      - MYSQL_DATABASE=spiffworkflow_backend_development
+      - MYSQL_ROOT_PASSWORD=my-secret-pw
       - MYSQL_TCP_PORT=7003
     ports:
       - "7003"
-    volumes:
-      - spiffworkflow_backend:/var/lib/mysql
     healthcheck:
-      test: mysql --user=root --password=${SPIFFWORKFLOW_BACKEND_MYSQL_ROOT_DATABASE:-my-secret-pw} -e 'select 1' ${SPIFFWORKFLOW_BACKEND_DATABASE_NAME:-spiffworkflow_backend_development}
+      test: mysql --user=root --password=my-secret-pw -e 'select 1' spiffworkflow_backend_development
       interval: 10s
       timeout: 5s
       retries: 10
 
   spiffworkflow-backend:
     container_name: spiffworkflow-backend
-    image: ghcr.io/sartography/spiffworkflow-backend
+    image: ghcr.io/sartography/spiffworkflow-backend:latest
     depends_on:
       spiffworkflow-db:
         condition: service_healthy
     environment:
       - APPLICATION_ROOT=/
-      - SPIFFWORKFLOW_BACKEND_ENV=${SPIFFWORKFLOW_BACKEND_ENV:-development}
+      - SPIFFWORKFLOW_BACKEND_ENV=development
       - FLASK_DEBUG=0
-      - FLASK_SESSION_SECRET_KEY=${FLASK_SESSION_SECRET_KEY:-super_secret_key}
-      - OPEN_ID_SERVER_URL=${OPEN_ID_SERVER_URL:-http://spiffworkflow-openid:7002}
-      - SPIFFWORKFLOW_FRONTEND_URL=${SPIFFWORKFLOW_FRONTEND_URL:-http://spiffworkflow-frontend:7001}
-      - SPIFFWORKFLOW_BACKEND_URL=${SPIFFWORKFLOW_BACKEND_URL:-http://spiffworkflow-backend:7000}
+      - FLASK_SESSION_SECRET_KEY=super_secret_key
+      - OPEN_ID_SERVER_URL=http://localhost:7000/openid
+      - SPIFFWORKFLOW_FRONTEND_URL=http://localhost:7001
+      - SPIFFWORKFLOW_BACKEND_URL=http://localhost:7000
       - SPIFFWORKFLOW_BACKEND_PORT=7000
       - SPIFFWORKFLOW_BACKEND_UPGRADE_DB=true
-      - SPIFFWORKFLOW_BACKEND_DATABASE_URI=mysql+mysqlconnector://root:${SPIFFWORKFLOW_BACKEND_MYSQL_ROOT_DATABASE:-my-secret-pw}@spiffworkflow-db:7003/${SPIFFWORKFLOW_BACKEND_DATABASE_NAME:-spiffworkflow_backend_development}
+      - SPIFFWORKFLOW_BACKEND_DATABASE_URI=mysql+mysqlconnector://root:my-secret-pw@spiffworkflow-db:7003/spiffworkflow_backend_development
       - BPMN_SPEC_ABSOLUTE_DIR=/app/process_models
-      - SPIFFWORKFLOW_BACKEND_LOAD_FIXTURE_DATA=${SPIFFWORKFLOW_BACKEND_LOAD_FIXTURE_DATA:-false}
-      - SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME=${SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME:-acceptance_tests.yml}
+      - SPIFFWORKFLOW_BACKEND_LOAD_FIXTURE_DATA=false
+      - SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME=demo.yml
       - RUN_BACKGROUND_SCHEDULER=true
+      - OPEN_ID_CLIENT_ID=spiffworkflow-backend
+      - OPEN_ID_CLIENT_SECRET_KEY=my_open_id_secret_key
     ports:
       - "7000:7000"
     volumes:
-      - ${BPMN_SPEC_ABSOLUTE_DIR:-./../sample-process-models}:/app/process_models
+      - ./process_models:/app/process_models
       - ./log:/app/log
     healthcheck:
       test: curl localhost:7000/v1.0/status --fail
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
index 389c93704..c2baf9b69 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
@@ -19,7 +19,9 @@ from werkzeug.exceptions import NotFound
 import spiffworkflow_backend.load_database_models  # noqa: F401
 from spiffworkflow_backend.config import setup_config
 from spiffworkflow_backend.routes.admin_blueprint.admin_blueprint import admin_blueprint
-from spiffworkflow_backend.routes.openid_blueprint.openid_blueprint import openid_blueprint
+from spiffworkflow_backend.routes.openid_blueprint.openid_blueprint import (
+    openid_blueprint,
+)
 from spiffworkflow_backend.routes.process_api_blueprint import process_api_blueprint
 from spiffworkflow_backend.routes.user import verify_token
 from spiffworkflow_backend.routes.user_blueprint import user_blueprint
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
index b56683ca3..e51d16978 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
@@ -52,12 +52,6 @@ def setup_config(app: Flask) -> None:
     app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
     app.config.from_object("spiffworkflow_backend.config.default")
 
-    # This allows config/testing.py or instance/config.py to override the default config
-    if "ENV_IDENTIFIER" in app.config and app.config["ENV_IDENTIFIER"] == "testing":
-        app.config.from_pyfile("config/testing.py", silent=True)
-    else:
-        app.config.from_pyfile(f"{app.instance_path}/config.py", silent=True)
-
     env_config_prefix = "spiffworkflow_backend.config."
     env_config_module = env_config_prefix + app.config["ENV_IDENTIFIER"]
     try:
@@ -73,6 +67,12 @@ def setup_config(app: Flask) -> None:
                 f"Cannot find config module: {env_config_module}"
             ) from exception
 
+    # This allows config/testing.py or instance/config.py to override the default config
+    if "ENV_IDENTIFIER" in app.config and app.config["ENV_IDENTIFIER"] == "testing":
+        app.config.from_pyfile("config/testing.py", silent=True)
+    else:
+        app.config.from_pyfile(f"{app.instance_path}/config.py", silent=True)
+
     setup_database_uri(app)
     setup_logger(app)
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
index c32c48828..bb2cab582 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@@ -30,7 +30,11 @@ CONNECTOR_PROXY_URL = environ.get(
 GIT_COMMIT_ON_SAVE = environ.get("GIT_COMMIT_ON_SAVE", default="false") == "true"
 
 # Open ID server
-OPEN_ID_SERVER_URL = environ.get("OPEN_ID_SERVER_URL", default="http://localhost:7002/realms/spiffworkflow")
+OPEN_ID_SERVER_URL = environ.get(
+    "OPEN_ID_SERVER_URL", default="http://localhost:7002/realms/spiffworkflow"
+)
+# Replace above line with this to use the built-in Open ID Server.
+# OPEN_ID_SERVER_URL = environ.get("OPEN_ID_SERVER_URL", default="http://localhost:7000/openid")
 OPEN_ID_CLIENT_ID = environ.get("OPEN_ID_CLIENT_ID", default="spiffworkflow-backend")
 OPEN_ID_CLIENT_SECRET_KEY = environ.get(
     "OPEN_ID_CLIENT_SECRET_KEY", default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
index ed6d10e6d..b8c83d0f7 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
@@ -30,7 +30,8 @@ class UserModel(SpiffworkflowBaseDBModel):
     __table_args__ = (db.UniqueConstraint("service", "service_id", name="service_key"),)
 
     id = db.Column(db.Integer, primary_key=True)
-    username = db.Column(db.String(255), nullable=False, unique=False)  # server and service id must be unique, not username.
+    # server and service id must be unique, not username.
+    username = db.Column(db.String(255), nullable=False, unique=False)
     uid = db.Column(db.String(50), unique=True)
     service = db.Column(db.String(50), nullable=False, unique=False)
     service_id = db.Column(db.String(255), nullable=False, unique=False)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
index 5c96d62b8..c0c55aecf 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
@@ -9,7 +9,12 @@ from urllib.parse import urlencode
 
 import jwt
 import yaml
-from flask import Blueprint, render_template, request, current_app, redirect, url_for
+from flask import Blueprint
+from flask import current_app
+from flask import redirect
+from flask import render_template
+from flask import request
+from flask import url_for
 
 openid_blueprint = Blueprint(
     "openid", __name__, template_folder="templates", static_folder="static"
@@ -21,8 +26,8 @@ MY_SECRET_CODE = ":this_is_not_secure_do_not_use_in_production"
 @openid_blueprint.route("/.well-known/openid-configuration", methods=["GET"])
 def well_known():
     """OpenID Discovery endpoint -- as these urls can be very different from system to system,
-       this is just a small subset."""
-    host_url = request.host_url.strip('/')
+    this is just a small subset."""
+    host_url = request.host_url.strip("/")
     return {
         "issuer": f"{host_url}/openid",
         "authorization_endpoint": f"{host_url}{url_for('openid.auth')}",
@@ -34,82 +39,90 @@ def well_known():
 @openid_blueprint.route("/auth", methods=["GET"])
 def auth():
     """Accepts a series of parameters"""
-    return render_template('login.html',
-                           state=request.args.get('state'),
-                           response_type=request.args.get('response_type'),
-                           client_id=request.args.get('client_id'),
-                           scope=request.args.get('scope'),
-                           redirect_uri=request.args.get('redirect_uri'),
-                           error_message=request.args.get('error_message', ''))
+    return render_template(
+        "login.html",
+        state=request.args.get("state"),
+        response_type=request.args.get("response_type"),
+        client_id=request.args.get("client_id"),
+        scope=request.args.get("scope"),
+        redirect_uri=request.args.get("redirect_uri"),
+        error_message=request.args.get("error_message", ""),
+    )
 
 
 @openid_blueprint.route("/form_submit", methods=["POST"])
 def form_submit():
     users = get_users()
-    if request.values['Uname'] in users and request.values['Pass'] == users[request.values['Uname']]["password"]:
+    if (
+        request.values["Uname"] in users
+        and request.values["Pass"] == users[request.values["Uname"]]["password"]
+    ):
         # Redirect back to the end user with some detailed information
-        state = request.values.get('state')
+        state = request.values.get("state")
         data = {
             "state": state,
-            "code": request.values['Uname'] + MY_SECRET_CODE,
-            "session_state": ""
+            "code": request.values["Uname"] + MY_SECRET_CODE,
+            "session_state": "",
         }
-        url = request.values.get('redirect_uri') + "?" + urlencode(data)
+        url = request.values.get("redirect_uri") + "?" + urlencode(data)
         return redirect(url)
     else:
-        return render_template('login.html',
-                               state=request.values.get('state'),
-                               response_type=request.values.get('response_type'),
-                               client_id=request.values.get('client_id'),
-                               scope=request.values.get('scope'),
-                               redirect_uri=request.values.get('redirect_uri'),
-                               error_message="Login failed.  Please try again.")
+        return render_template(
+            "login.html",
+            state=request.values.get("state"),
+            response_type=request.values.get("response_type"),
+            client_id=request.values.get("client_id"),
+            scope=request.values.get("scope"),
+            redirect_uri=request.values.get("redirect_uri"),
+            error_message="Login failed.  Please try again.",
+        )
 
 
 @openid_blueprint.route("/token", methods=["POST"])
 def token():
     """Url that will return a valid token, given the super secret sauce"""
-    grant_type = request.values.get('grant_type')
-    code = request.values.get('code')
-    redirect_uri = request.values.get('redirect_uri')
+    request.values.get("grant_type")
+    code = request.values.get("code")
+    request.values.get("redirect_uri")
 
     """We just stuffed the user name on the front of the code, so grab it."""
     user_name, secret_hash = code.split(":")
     user_details = get_users()[user_name]
 
     """Get authentication from headers."""
-    authorization = request.headers.get('Authorization')
+    authorization = request.headers.get("Authorization")
     authorization = authorization[6:]  # Remove "Basic"
-    authorization = base64.b64decode(authorization).decode('utf-8')
+    authorization = base64.b64decode(authorization).decode("utf-8")
     client_id, client_secret = authorization.split(":")
 
     base_url = request.host_url + "openid"
     access_token = user_name + ":" + "always_good_demo_access_token"
     refresh_token = user_name + ":" + "always_good_demo_refresh_token"
 
-    id_token = jwt.encode({
-        "iss": base_url,
-        "aud": [client_id, "account"],
-        "iat": time.time(),
-        "exp": time.time() + 86400,  # Expire after a day.
-        "sub": user_name,
-        "preferred_username": user_details.get('preferred_username', user_name)
-    },
+    id_token = jwt.encode(
+        {
+            "iss": base_url,
+            "aud": [client_id, "account"],
+            "iat": time.time(),
+            "exp": time.time() + 86400,  # Expire after a day.
+            "sub": user_name,
+            "preferred_username": user_details.get("preferred_username", user_name),
+        },
         client_secret,
         algorithm="HS256",
     )
     response = {
         "access_token": id_token,
         "id_token": id_token,
-        "refresh_token": id_token
+        "refresh_token": id_token,
     }
     return response
 
 
 @openid_blueprint.route("/end_session", methods=["GET"])
 def end_session():
-    redirect_url = request.args.get('post_logout_redirect_uri')
-    id_token_hint = request.args.get('id_token_hint')
+    redirect_url = request.args.get("post_logout_redirect_uri")
+    request.args.get("id_token_hint")
     return redirect(redirect_url)
 
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html
index 6ef264577..d9b8b901a 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html
@@ -33,4 +33,4 @@
     </form>
 </div>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
index c9059427c..24346771b 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
@@ -15,12 +15,9 @@ from flask import request
 from flask_bpmn.api.api_error import ApiError
 from werkzeug.wrappers import Response
 
-from spiffworkflow_backend.models.group import GroupModel
-from spiffworkflow_backend.models.permission_assignment import PermissionAssignmentModel
-from spiffworkflow_backend.models.principal import PrincipalModel
 from spiffworkflow_backend.models.user import UserModel
 from spiffworkflow_backend.services.authentication_service import (
-    AuthenticationService, AuthenticationProviderTypes,
+    AuthenticationService,
 )
 from spiffworkflow_backend.services.authorization_service import AuthorizationService
 from spiffworkflow_backend.services.user_service import UserService
@@ -91,7 +88,7 @@ def verify_token(
                             if auth_token and "error" not in auth_token:
                                 # We have the user, but this code is a bit convoluted, and will later demand
                                 # a user_info object so it can look up the user.  Sorry to leave this crap here.
-                                user_info = {"sub": user.service_id }
+                                user_info = {"sub": user.service_id}
                             else:
                                 raise ae
                         else:
@@ -200,16 +197,18 @@ def login(redirect_url: str = "/") -> Response:
     )
     return redirect(login_redirect_url)
 
+
 def parse_id_token(token: str) -> dict:
     parts = token.split(".")
     if len(parts) != 3:
         raise Exception("Incorrect id token format")
 
     payload = parts[1]
-    padded = payload + '=' * (4 - len(payload) % 4)
+    padded = payload + "=" * (4 - len(payload) % 4)
     decoded = base64.b64decode(padded)
     return json.loads(decoded)
 
+
 def login_return(code: str, state: str, session_state: str) -> Optional[Response]:
     """Login_return."""
     state_dict = ast.literal_eval(base64.b64decode(state).decode("utf-8"))
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index 5fdedf767..b17c1fa94 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -3,7 +3,6 @@ import base64
 import enum
 import json
 import time
-import typing
 from typing import Optional
 
 import jwt
@@ -26,7 +25,10 @@ class AuthenticationProviderTypes(enum.Enum):
 
 class AuthenticationService:
     """AuthenticationService."""
-    ENDPOINT_CACHE = {}  # We only need to find the openid endpoints once, then we can cache them.
+
+    ENDPOINT_CACHE = (
+        {}
+    )  # We only need to find the openid endpoints once, then we can cache them.
 
     @staticmethod
     def client_id():
@@ -40,7 +42,6 @@ class AuthenticationService:
     def secret_key():
         return current_app.config["OPEN_ID_CLIENT_SECRET_KEY"]
 
-
     @classmethod
     def open_id_endpoint_for_name(cls, name: str) -> None:
         """All openid systems provide a mapping of static names to the full path of that endpoint."""
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
index d7bd40a1a..bde408308 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
@@ -6,9 +6,10 @@ from typing import Union
 
 import jwt
 import yaml
-from flask import current_app, scaffold
+from flask import current_app
 from flask import g
 from flask import request
+from flask import scaffold
 from flask_bpmn.api.api_error import ApiError
 from flask_bpmn.models.db import db
 from SpiffWorkflow.task import Task as SpiffTask  # type: ignore
@@ -127,7 +128,6 @@ class AuthorizationService:
             db.session.add(user_group_assignemnt)
             db.session.commit()
 
-
     @classmethod
     def import_permissions_from_yaml_file(
         cls, raise_if_missing_user: bool = False
@@ -448,7 +448,6 @@ class AuthorizationService:
                 email=email,
             )
 
-
         # this may eventually get too slow.
         # when it does, be careful about backgrounding, because
         # the user will immediately need permissions to use the site.
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
index 963b5585f..af158cefc 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
@@ -1,59 +1,58 @@
 """Test_authentication."""
-import ast
-import base64
-
 from flask import Flask
 from flask.testing import FlaskClient
-
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 
-from spiffworkflow_backend.services.authentication_service import (
-    AuthenticationService,
-)
-
 
 class TestFaskOpenId(BaseTest):
     """An integrated Open ID that responds to openID requests
-       by referencing a build in YAML file.  Useful for
-       local development, testing, demos etc..."""
+    by referencing a build in YAML file.  Useful for
+    local development, testing, demos etc..."""
 
-    def test_discovery_of_endpoints(self,
-                                    app: Flask,
-                                    client: FlaskClient,
-                                    with_db_and_bpmn_file_cleanup: None,) -> None:
+    def test_discovery_of_endpoints(
+        self,
+        app: Flask,
+        client: FlaskClient,
+        with_db_and_bpmn_file_cleanup: None,
+    ) -> None:
         response = client.get("/openid/.well-known/openid-configuration")
         discovered_urls = response.json
         assert "http://localhost/openid" == discovered_urls["issuer"]
-        assert "http://localhost/openid/auth" == discovered_urls["authorization_endpoint"]
+        assert (
+            "http://localhost/openid/auth" == discovered_urls["authorization_endpoint"]
+        )
         assert "http://localhost/openid/token" == discovered_urls["token_endpoint"]
 
-    def test_get_login_page(self,
-                            app: Flask,
-                            client: FlaskClient,
-                            with_db_and_bpmn_file_cleanup: None,) -> None:
+    def test_get_login_page(
+        self,
+        app: Flask,
+        client: FlaskClient,
+        with_db_and_bpmn_file_cleanup: None,
+    ) -> None:
         # It should be possible to get to a login page
-        data = {
-            "state": {"bubblegum":1, "daydream":2}
-        }
+        data = {"state": {"bubblegum": 1, "daydream": 2}}
         response = client.get("/openid/auth", query_string=data)
         assert b"<h2>Login to SpiffWorkflow</h2>" in response.data
         assert b"bubblegum" in response.data
 
-    def test_get_token(self,
+    def test_get_token(
+        self,
         app: Flask,
         client: FlaskClient,
-        with_db_and_bpmn_file_cleanup: None,) -> None:
+        with_db_and_bpmn_file_cleanup: None,
+    ) -> None:
 
-        code = "c3BpZmZ3b3JrZmxvdy1iYWNrZW5kOkpYZVFFeG0wSmhRUEx1bWdIdElJcWY1MmJEYWxIejBx"
+        code = (
+            "c3BpZmZ3b3JrZmxvdy1iYWNrZW5kOkpYZVFFeG0wSmhRUEx1bWdIdElJcWY1MmJEYWxIejBx"
+        )
         headers = {
             "Content-Type": "application/x-www-form-urlencoded",
             "Authorization": f"Basic {code}",
         }
-        data =  {
-            "grant_type": 'authorization_code',
+        data = {
+            "grant_type": "authorization_code",
             "code": code,
-            "redirect_url": 'http://localhost:7000/v1.0/login_return'
+            "redirect_url": "http://localhost:7000/v1.0/login_return",
         }
         response = client.post("/openid/token", data=data, headers=headers)
         assert response
-

From a7c896c0b1e11007073b32a923968709daa6b00e Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Thu, 1 Dec 2022 14:40:59 -0500
Subject: [PATCH 23/38] fixing some typing issues.

---
 .../openid_blueprint/openid_blueprint.py      | 22 ++++++++++---------
 .../src/spiffworkflow_backend/routes/user.py  |  2 +-
 .../services/authentication_service.py        | 18 +++++++--------
 3 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
index c0c55aecf..e2be4cb0e 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
@@ -5,6 +5,7 @@ This is just here to make local development, testing, and demonstration easier.
 """
 import base64
 import time
+from typing import Any
 from urllib.parse import urlencode
 
 import jwt
@@ -15,6 +16,7 @@ from flask import redirect
 from flask import render_template
 from flask import request
 from flask import url_for
+from werkzeug.wrappers import Response
 
 openid_blueprint = Blueprint(
     "openid", __name__, template_folder="templates", static_folder="static"
@@ -24,7 +26,7 @@ MY_SECRET_CODE = ":this_is_not_secure_do_not_use_in_production"
 
 
 @openid_blueprint.route("/.well-known/openid-configuration", methods=["GET"])
-def well_known():
+def well_known() -> dict:
     """OpenID Discovery endpoint -- as these urls can be very different from system to system,
     this is just a small subset."""
     host_url = request.host_url.strip("/")
@@ -37,7 +39,7 @@ def well_known():
 
 
 @openid_blueprint.route("/auth", methods=["GET"])
-def auth():
+def auth() -> str:
     """Accepts a series of parameters"""
     return render_template(
         "login.html",
@@ -51,7 +53,7 @@ def auth():
 
 
 @openid_blueprint.route("/form_submit", methods=["POST"])
-def form_submit():
+def form_submit() -> Response | str:
     users = get_users()
     if (
         request.values["Uname"] in users
@@ -79,7 +81,7 @@ def form_submit():
 
 
 @openid_blueprint.route("/token", methods=["POST"])
-def token():
+def token() -> dict:
     """Url that will return a valid token, given the super secret sauce"""
     request.values.get("grant_type")
     code = request.values.get("code")
@@ -90,7 +92,7 @@ def token():
     user_details = get_users()[user_name]
 
     """Get authentication from headers."""
-    authorization = request.headers.get("Authorization")
+    authorization = request.headers.get("Authorization", "Basic ")
     authorization = authorization[6:]  # Remove "Basic"
     authorization = base64.b64decode(authorization).decode("utf-8")
     client_id, client_secret = authorization.split(":")
@@ -120,21 +122,21 @@ def token():
 
 
 @openid_blueprint.route("/end_session", methods=["GET"])
-def end_session():
-    redirect_url = request.args.get("post_logout_redirect_uri")
+def end_session() -> Response:
+    redirect_url = request.args.get("post_logout_redirect_uri", "http://localhost")
     request.args.get("id_token_hint")
     return redirect(redirect_url)
 
 
 @openid_blueprint.route("/refresh", methods=["POST"])
-def refresh():
-    pass
+def refresh() -> str:
+    return ""
 
 
 permission_cache = None
 
 
-def get_users():
+def get_users() -> Any:
     global permission_cache
     if not permission_cache:
         with open(current_app.config["PERMISSIONS_FILE_FULLPATH"]) as file:
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
index 24346771b..92f032b74 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
@@ -198,7 +198,7 @@ def login(redirect_url: str = "/") -> Response:
     return redirect(login_redirect_url)
 
 
-def parse_id_token(token: str) -> dict:
+def parse_id_token(token: str) -> Any:
     parts = token.split(".")
     if len(parts) != 3:
         raise Exception("Incorrect id token format")
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index b17c1fa94..8087cc693 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -26,24 +26,24 @@ class AuthenticationProviderTypes(enum.Enum):
 class AuthenticationService:
     """AuthenticationService."""
 
-    ENDPOINT_CACHE = (
+    ENDPOINT_CACHE: dict = (
         {}
     )  # We only need to find the openid endpoints once, then we can cache them.
 
     @staticmethod
-    def client_id():
-        return current_app.config["OPEN_ID_CLIENT_ID"]
+    def client_id() -> str:
+        return current_app.config.get("OPEN_ID_CLIENT_ID", "")
 
     @staticmethod
-    def server_url():
-        return current_app.config["OPEN_ID_SERVER_URL"]
+    def server_url() -> str:
+        return current_app.config.get("OPEN_ID_SERVER_URL","")
 
     @staticmethod
-    def secret_key():
-        return current_app.config["OPEN_ID_CLIENT_SECRET_KEY"]
+    def secret_key() -> str:
+        return current_app.config.get("OPEN_ID_CLIENT_SECRET_KEY", "")
 
     @classmethod
-    def open_id_endpoint_for_name(cls, name: str) -> None:
+    def open_id_endpoint_for_name(cls, name: str) -> str:
         """All openid systems provide a mapping of static names to the full path of that endpoint."""
         if name not in AuthenticationService.ENDPOINT_CACHE:
             request_url = f"{cls.server_url()}/.well-known/openid-configuration"
@@ -51,7 +51,7 @@ class AuthenticationService:
             AuthenticationService.ENDPOINT_CACHE = response.json()
         if name not in AuthenticationService.ENDPOINT_CACHE:
             raise Exception(f"Unknown OpenID Endpoint: {name}")
-        return AuthenticationService.ENDPOINT_CACHE[name]
+        return AuthenticationService.ENDPOINT_CACHE.get(name, "")
 
     @staticmethod
     def get_backend_url() -> str:

From 48be27d367942ea6f4c7c20e12a4470fcaa24a78 Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Thu, 1 Dec 2022 15:01:25 -0500
Subject: [PATCH 24/38] fixing some typing issues, white space, etal...

---
 .../routes/openid_blueprint/openid_blueprint.py            | 2 +-
 .../services/authentication_service.py                     | 7 +++----
 .../integration/test_openid_blueprint.py                   | 2 +-
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
index e2be4cb0e..136da75ad 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
@@ -53,7 +53,7 @@ def auth() -> str:
 
 
 @openid_blueprint.route("/form_submit", methods=["POST"])
-def form_submit() -> Response | str:
+def form_submit() -> Any:
     users = get_users()
     if (
         request.values["Uname"] in users
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index 8087cc693..6f59f7663 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -36,7 +36,7 @@ class AuthenticationService:
 
     @staticmethod
     def server_url() -> str:
-        return current_app.config.get("OPEN_ID_SERVER_URL","")
+        return current_app.config.get("OPEN_ID_SERVER_URL", "")
 
     @staticmethod
     def secret_key() -> str:
@@ -61,11 +61,10 @@ class AuthenticationService:
     def logout(self, id_token: str, redirect_url: Optional[str] = None) -> Response:
         """Logout."""
         if redirect_url is None:
-            redirect_url = "/"
-        return_redirect_url = f"{self.get_backend_url()}/v1.0/logout_return"
+            redirect_url = f"{self.get_backend_url()}/v1.0/logout_return"
         request_url = (
             self.open_id_endpoint_for_name("end_session_endpoint")
-            + f"?post_logout_redirect_uri={return_redirect_url}&"
+            + f"?post_logout_redirect_uri={redirect_url}&"
             + f"id_token_hint={id_token}"
         )
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
index af158cefc..11beb3826 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
@@ -32,7 +32,7 @@ class TestFaskOpenId(BaseTest):
         # It should be possible to get to a login page
         data = {"state": {"bubblegum": 1, "daydream": 2}}
         response = client.get("/openid/auth", query_string=data)
-        assert b"<h2>Login to SpiffWorkflow</h2>" in response.data
+        assert b"<h2>Login</h2>" in response.data
         assert b"bubblegum" in response.data
 
     def test_get_token(

From 8a61a0e17e47ad4835a0800ce59ca562c1f8d23d Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Thu, 1 Dec 2022 16:22:50 -0500
Subject: [PATCH 25/38] I can't say I love flake8. Removing dependency on rust
 (monkeytype)

---
 poetry.lock                                   | 83 ++-----------------
 pyproject.toml                                |  1 -
 .../openid_blueprint/openid_blueprint.py      | 24 ++++--
 .../src/spiffworkflow_backend/routes/user.py  |  1 +
 .../services/authentication_service.py        |  5 +-
 .../integration/test_openid_blueprint.py      | 13 +--
 6 files changed, 34 insertions(+), 93 deletions(-)

diff --git a/poetry.lock b/poetry.lock
index 2a8d7b0d5..e5c9c4c04 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -614,7 +614,7 @@ werkzeug = "*"
 type = "git"
 url = "https://github.com/sartography/flask-bpmn"
 reference = "main"
-resolved_reference = "5e40777f4013f71f2c1237f13f7dba1bdd5c0de3"
+resolved_reference = "860f2387bebdaa9220e9fbf6f8fa7f74e805d0d4"
 
 [[package]]
 name = "flask-cors"
@@ -884,22 +884,6 @@ category = "main"
 optional = false
 python-versions = ">=3.7"
 
-[[package]]
-name = "libcst"
-version = "0.4.7"
-description = "A concrete syntax tree with AST-like properties for Python 3.5, 3.6, 3.7, 3.8, 3.9, and 3.10 programs."
-category = "dev"
-optional = false
-python-versions = ">=3.7"
-
-[package.dependencies]
-pyyaml = ">=5.2"
-typing-extensions = ">=3.7.4.2"
-typing-inspect = ">=0.4.0"
-
-[package.extras]
-dev = ["black (==22.3.0)", "coverage (>=4.5.4)", "fixit (==0.1.1)", "flake8 (>=3.7.8)", "hypothesis (>=4.36.0)", "hypothesmith (>=0.0.4)", "jinja2 (==3.0.3)", "jupyter (>=1.0.0)", "maturin (>=0.8.3,<0.9)", "nbsphinx (>=0.4.2)", "prompt-toolkit (>=2.0.9)", "pyre-check (==0.9.9)", "setuptools-rust (>=0.12.1)", "setuptools-scm (>=6.0.1)", "slotscheck (>=0.7.1)", "sphinx-rtd-theme (>=0.4.3)", "ufmt (==1.3)", "usort (==1.0.0rc1)"]
-
 [[package]]
 name = "livereload"
 version = "2.6.3"
@@ -1005,18 +989,6 @@ category = "dev"
 optional = false
 python-versions = "*"
 
-[[package]]
-name = "monkeytype"
-version = "22.2.0"
-description = "Generating type annotations from sampled production types"
-category = "dev"
-optional = false
-python-versions = ">=3.6"
-
-[package.dependencies]
-libcst = ">=0.3.7"
-mypy-extensions = "*"
-
 [[package]]
 name = "mypy"
 version = "0.982"
@@ -1788,7 +1760,7 @@ lxml = "*"
 type = "git"
 url = "https://github.com/sartography/SpiffWorkflow"
 reference = "main"
-resolved_reference = "580939cc8cb0b7ade1571483bd1e28f554434ac4"
+resolved_reference = "bba7ddf5478af579b891ca63c50babbfccf6b7a4"
 
 [[package]]
 name = "sqlalchemy"
@@ -1998,18 +1970,6 @@ category = "main"
 optional = false
 python-versions = ">=3.7"
 
-[[package]]
-name = "typing-inspect"
-version = "0.8.0"
-description = "Runtime inspection utilities for typing module."
-category = "dev"
-optional = false
-python-versions = "*"
-
-[package.dependencies]
-mypy-extensions = ">=0.3.0"
-typing-extensions = ">=3.7.4"
-
 [[package]]
 name = "tzdata"
 version = "2022.5"
@@ -2151,7 +2111,7 @@ tests-strict = ["cmake (==3.21.2)", "codecov (==2.0.15)", "ninja (==1.10.2)", "p
 [metadata]
 lock-version = "1.1"
 python-versions = ">=3.11,<3.12"
-content-hash = "8c37333988fdd68bc6868faf474e628a690582acd17ee3b31b18e005a864fecf"
+content-hash = "17e037a3784758eb23a5ed9889fd774913ebde97225692dcd9df159f03da8a22"
 
 [metadata.files]
 alabaster = [
@@ -2484,6 +2444,7 @@ greenlet = [
     {file = "greenlet-2.0.1-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d5b0ff9878333823226d270417f24f4d06f235cb3e54d1103b71ea537a6a86ce"},
     {file = "greenlet-2.0.1-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:be9e0fb2ada7e5124f5282d6381903183ecc73ea019568d6d63d33f25b2a9000"},
     {file = "greenlet-2.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0b493db84d124805865adc587532ebad30efa68f79ad68f11b336e0a51ec86c2"},
+    {file = "greenlet-2.0.1-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:0459d94f73265744fee4c2d5ec44c6f34aa8a31017e6e9de770f7bcf29710be9"},
     {file = "greenlet-2.0.1-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:a20d33124935d27b80e6fdacbd34205732660e0a1d35d8b10b3328179a2b51a1"},
     {file = "greenlet-2.0.1-cp37-cp37m-win32.whl", hash = "sha256:ea688d11707d30e212e0110a1aac7f7f3f542a259235d396f88be68b649e47d1"},
     {file = "greenlet-2.0.1-cp37-cp37m-win_amd64.whl", hash = "sha256:afe07421c969e259e9403c3bb658968702bc3b78ec0b6fde3ae1e73440529c23"},
@@ -2492,6 +2453,7 @@ greenlet = [
     {file = "greenlet-2.0.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:659f167f419a4609bc0516fb18ea69ed39dbb25594934bd2dd4d0401660e8a1e"},
     {file = "greenlet-2.0.1-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:356e4519d4dfa766d50ecc498544b44c0249b6de66426041d7f8b751de4d6b48"},
     {file = "greenlet-2.0.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:811e1d37d60b47cb8126e0a929b58c046251f28117cb16fcd371eed61f66b764"},
+    {file = "greenlet-2.0.1-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:d38ffd0e81ba8ef347d2be0772e899c289b59ff150ebbbbe05dc61b1246eb4e0"},
     {file = "greenlet-2.0.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:0109af1138afbfb8ae647e31a2b1ab030f58b21dd8528c27beaeb0093b7938a9"},
     {file = "greenlet-2.0.1-cp38-cp38-win32.whl", hash = "sha256:88c8d517e78acdf7df8a2134a3c4b964415b575d2840a2746ddb1cc6175f8608"},
     {file = "greenlet-2.0.1-cp38-cp38-win_amd64.whl", hash = "sha256:d6ee1aa7ab36475035eb48c01efae87d37936a8173fc4d7b10bb02c2d75dd8f6"},
@@ -2500,6 +2462,7 @@ greenlet = [
     {file = "greenlet-2.0.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:505138d4fa69462447a562a7c2ef723c6025ba12ac04478bc1ce2fcc279a2db5"},
     {file = "greenlet-2.0.1-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:cce1e90dd302f45716a7715517c6aa0468af0bf38e814ad4eab58e88fc09f7f7"},
     {file = "greenlet-2.0.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9e9744c657d896c7b580455e739899e492a4a452e2dd4d2b3e459f6b244a638d"},
+    {file = "greenlet-2.0.1-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:662e8f7cad915ba75d8017b3e601afc01ef20deeeabf281bd00369de196d7726"},
     {file = "greenlet-2.0.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:41b825d65f31e394b523c84db84f9383a2f7eefc13d987f308f4663794d2687e"},
     {file = "greenlet-2.0.1-cp39-cp39-win32.whl", hash = "sha256:db38f80540083ea33bdab614a9d28bcec4b54daa5aff1668d7827a9fc769ae0a"},
     {file = "greenlet-2.0.1-cp39-cp39-win_amd64.whl", hash = "sha256:b23d2a46d53210b498e5b701a1913697671988f4bf8e10f935433f6e7c332fb6"},
@@ -2566,32 +2529,6 @@ lazy-object-proxy = [
     {file = "lazy_object_proxy-1.8.0-pp38-pypy38_pp73-any.whl", hash = "sha256:7e1561626c49cb394268edd00501b289053a652ed762c58e1081224c8d881cec"},
     {file = "lazy_object_proxy-1.8.0-pp39-pypy39_pp73-any.whl", hash = "sha256:ce58b2b3734c73e68f0e30e4e725264d4d6be95818ec0a0be4bb6bf9a7e79aa8"},
 ]
-libcst = [
-    {file = "libcst-0.4.7-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:dc6f8965b6ca68d47e11321772887d81fa6fd8ea86e6ef87434ca2147de10747"},
-    {file = "libcst-0.4.7-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:a8f47d809df59fcd83058b777b86a300154ee3a1f1b0523a398a67b5f8affd4c"},
-    {file = "libcst-0.4.7-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c0d19de56aa733b4ef024527e3ce4896d4b0e9806889797f409ec24caa651a44"},
-    {file = "libcst-0.4.7-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:31da97bc986dc3f7a97f7d431fa911932aaf716d2f8bcda947fc964afd3b57cd"},
-    {file = "libcst-0.4.7-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:71b2e2c5e33e53669c20de0853cecfac1ffb8657ee727ab8527140f39049b820"},
-    {file = "libcst-0.4.7-cp310-cp310-win_amd64.whl", hash = "sha256:76fae68bd6b7ce069e267b3322c806b4305341cea78d161ae40e0ed641c8c660"},
-    {file = "libcst-0.4.7-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:bac76d69980bb3254f503f52128c256ef4d1bcbaabe4a17c3a9ebcd1fc0472c0"},
-    {file = "libcst-0.4.7-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:26f86535271eaefe84a99736875566a038449f92e1a2a61ea0b588d8359fbefd"},
-    {file = "libcst-0.4.7-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:617f7fa2610a8c86cf22d8d03416f25391383d05bd0ad1ca8ef68023ddd6b4f6"},
-    {file = "libcst-0.4.7-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c3637fffe476c5b4ee2225c6474b83382518f2c1b2fe4771039e06bdd7835a4a"},
-    {file = "libcst-0.4.7-cp37-cp37m-win_amd64.whl", hash = "sha256:f56565124c2541adee0634e411b2126b3f335306d19e91ed2bfe52efa698b219"},
-    {file = "libcst-0.4.7-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:0ca2771ff3cfdf1f148349f89fcae64afa365213ed5c2703a69a89319325d0c8"},
-    {file = "libcst-0.4.7-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:aa438131b7befc7e5a3cbadb5a7b1506305de5d62262ea0556add0152f40925e"},
-    {file = "libcst-0.4.7-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8c6bd66a8be2ffad7b968d90dae86c62fd4739c0e011d71f3e76544a891ae743"},
-    {file = "libcst-0.4.7-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:214a9c4f4f90cd5b4bfa18e17877da4dd9a896821d9af9be86fa3effdc289b9b"},
-    {file = "libcst-0.4.7-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:27a37f2b459a8b51a41e260bd89c24ae41ab1d658f610c91650c79b1bbf27138"},
-    {file = "libcst-0.4.7-cp38-cp38-win_amd64.whl", hash = "sha256:2f6766391d90472f036b88a95251c87d498ab068c377724f212ab0cc20509a68"},
-    {file = "libcst-0.4.7-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:234293aa8681a3d47fef1716c5622797a81cbe85a9381fe023815468cfe20eed"},
-    {file = "libcst-0.4.7-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:fa618dc359663a0a097c633452b104c1ca93365da7a811e655c6944f6b323239"},
-    {file = "libcst-0.4.7-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3569d9901c18940632414fb7a0943bffd326db9f726a9c041664926820857815"},
-    {file = "libcst-0.4.7-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:beb5347e46b419f782589da060e9300957e71d561aa5574309883b71f93c1dfe"},
-    {file = "libcst-0.4.7-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1e541ccfeebda1ae5f005fc120a5bf3e8ac9ccfda405ec3efd3df54fc4688ac3"},
-    {file = "libcst-0.4.7-cp39-cp39-win_amd64.whl", hash = "sha256:3a2b7253cd2e3f0f8a3e23b5c2acb492811d865ef36e0816091c925f32b713d2"},
-    {file = "libcst-0.4.7.tar.gz", hash = "sha256:95c52c2130531f6e726a3b077442cfd486975435fecf3db8224d43fba7b85099"},
-]
 livereload = [
     {file = "livereload-2.6.3.tar.gz", hash = "sha256:776f2f865e59fde56490a56bcc6773b6917366bce0c267c60ee8aaf1a0959869"},
 ]
@@ -2729,10 +2666,6 @@ mccabe = [
     {file = "mccabe-0.6.1-py2.py3-none-any.whl", hash = "sha256:ab8a6258860da4b6677da4bd2fe5dc2c659cff31b3ee4f7f5d64e79735b80d42"},
     {file = "mccabe-0.6.1.tar.gz", hash = "sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f"},
 ]
-monkeytype = [
-    {file = "MonkeyType-22.2.0-py3-none-any.whl", hash = "sha256:3d0815c7e98a18e9267990a452548247f6775fd636e65df5a7d77100ea7ad282"},
-    {file = "MonkeyType-22.2.0.tar.gz", hash = "sha256:6b0c00b49dcc5095a2c08d28246cf005e05673fc51f64d203f9a6bca2036dfab"},
-]
 mypy = [
     {file = "mypy-0.982-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:5085e6f442003fa915aeb0a46d4da58128da69325d8213b4b35cc7054090aed5"},
     {file = "mypy-0.982-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:41fd1cf9bc0e1c19b9af13a6580ccb66c381a5ee2cf63ee5ebab747a4badeba3"},
@@ -3336,10 +3269,6 @@ typing-extensions = [
     {file = "typing_extensions-4.4.0-py3-none-any.whl", hash = "sha256:16fa4864408f655d35ec496218b85f79b3437c829e93320c7c9215ccfd92489e"},
     {file = "typing_extensions-4.4.0.tar.gz", hash = "sha256:1511434bb92bf8dd198c12b1cc812e800d4181cfcb867674e0f8279cc93087aa"},
 ]
-typing-inspect = [
-    {file = "typing_inspect-0.8.0-py3-none-any.whl", hash = "sha256:5fbf9c1e65d4fa01e701fe12a5bca6c6e08a4ffd5bc60bfac028253a447c5188"},
-    {file = "typing_inspect-0.8.0.tar.gz", hash = "sha256:8b1ff0c400943b6145df8119c41c244ca8207f1f10c9c057aeed1560e4806e3d"},
-]
 tzdata = [
     {file = "tzdata-2022.5-py2.py3-none-any.whl", hash = "sha256:323161b22b7802fdc78f20ca5f6073639c64f1a7227c40cd3e19fd1d0ce6650a"},
     {file = "tzdata-2022.5.tar.gz", hash = "sha256:e15b2b3005e2546108af42a0eb4ccab4d9e225e2dfbf4f77aad50c70a4b1f3ab"},
diff --git a/pyproject.toml b/pyproject.toml
index 3f74a8a60..371f30f0e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -99,7 +99,6 @@ sphinx-click = "^4.3.0"
 Pygments = "^2.10.0"
 pyupgrade = "^3.1.0"
 furo = ">=2021.11.12"
-MonkeyType = "^22.2.0"
 
 [tool.poetry.scripts]
 spiffworkflow-backend = "spiffworkflow_backend.__main__:main"
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
index 136da75ad..f812ab034 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
@@ -1,4 +1,6 @@
-"""
+"""OpenID Implementation for demos and local development.
+
+A very insecure and partial OpenID implementation for use in demos and testing.
 Provides the bare minimum endpoints required by SpiffWorkflow to
 handle openid authentication -- definitely not a production ready system.
 This is just here to make local development, testing, and demonstration easier.
@@ -22,13 +24,15 @@ openid_blueprint = Blueprint(
     "openid", __name__, template_folder="templates", static_folder="static"
 )
 
-MY_SECRET_CODE = ":this_is_not_secure_do_not_use_in_production"
+OPEN_ID_CODE = ":this_is_not_secure_do_not_use_in_production"
 
 
 @openid_blueprint.route("/.well-known/openid-configuration", methods=["GET"])
 def well_known() -> dict:
-    """OpenID Discovery endpoint -- as these urls can be very different from system to system,
-    this is just a small subset."""
+    """Open ID Discovery endpoint.
+
+    These urls can be very different from one openid impl to the next, this is just a small subset.
+    """
     host_url = request.host_url.strip("/")
     return {
         "issuer": f"{host_url}/openid",
@@ -40,7 +44,7 @@ def well_known() -> dict:
 
 @openid_blueprint.route("/auth", methods=["GET"])
 def auth() -> str:
-    """Accepts a series of parameters"""
+    """Accepts a series of parameters."""
     return render_template(
         "login.html",
         state=request.args.get("state"),
@@ -54,6 +58,7 @@ def auth() -> str:
 
 @openid_blueprint.route("/form_submit", methods=["POST"])
 def form_submit() -> Any:
+    """Handles the login form submission."""
     users = get_users()
     if (
         request.values["Uname"] in users
@@ -63,7 +68,7 @@ def form_submit() -> Any:
         state = request.values.get("state")
         data = {
             "state": state,
-            "code": request.values["Uname"] + MY_SECRET_CODE,
+            "code": request.values["Uname"] + OPEN_ID_CODE,
             "session_state": "",
         }
         url = request.values.get("redirect_uri") + "?" + urlencode(data)
@@ -82,7 +87,7 @@ def form_submit() -> Any:
 
 @openid_blueprint.route("/token", methods=["POST"])
 def token() -> dict:
-    """Url that will return a valid token, given the super secret sauce"""
+    """Url that will return a valid token, given the super secret sauce."""
     request.values.get("grant_type")
     code = request.values.get("code")
     request.values.get("redirect_uri")
@@ -98,8 +103,6 @@ def token() -> dict:
     client_id, client_secret = authorization.split(":")
 
     base_url = request.host_url + "openid"
-    access_token = user_name + ":" + "always_good_demo_access_token"
-    refresh_token = user_name + ":" + "always_good_demo_refresh_token"
 
     id_token = jwt.encode(
         {
@@ -123,6 +126,7 @@ def token() -> dict:
 
 @openid_blueprint.route("/end_session", methods=["GET"])
 def end_session() -> Response:
+    """Logout."""
     redirect_url = request.args.get("post_logout_redirect_uri", "http://localhost")
     request.args.get("id_token_hint")
     return redirect(redirect_url)
@@ -130,6 +134,7 @@ def end_session() -> Response:
 
 @openid_blueprint.route("/refresh", methods=["POST"])
 def refresh() -> str:
+    """Refresh."""
     return ""
 
 
@@ -137,6 +142,7 @@ permission_cache = None
 
 
 def get_users() -> Any:
+    """Load users from a local configuration file."""
     global permission_cache
     if not permission_cache:
         with open(current_app.config["PERMISSIONS_FILE_FULLPATH"]) as file:
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
index 92f032b74..2bbbc1374 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
@@ -199,6 +199,7 @@ def login(redirect_url: str = "/") -> Response:
 
 
 def parse_id_token(token: str) -> Any:
+    """Parse the id token."""
     parts = token.split(".")
     if len(parts) != 3:
         raise Exception("Incorrect id token format")
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index 6f59f7663..ad252d116 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -32,14 +32,17 @@ class AuthenticationService:
 
     @staticmethod
     def client_id() -> str:
+        """Returns the client id from the config."""
         return current_app.config.get("OPEN_ID_CLIENT_ID", "")
 
     @staticmethod
     def server_url() -> str:
+        """Returns the server url from the config."""
         return current_app.config.get("OPEN_ID_SERVER_URL", "")
 
     @staticmethod
     def secret_key() -> str:
+        """Returns the secret key from the config."""
         return current_app.config.get("OPEN_ID_CLIENT_SECRET_KEY", "")
 
     @classmethod
@@ -188,7 +191,7 @@ class AuthenticationService:
 
     @classmethod
     def get_auth_token_from_refresh_token(cls, refresh_token: str) -> dict:
-
+        """Converts a refresh token to an Auth Token by calling the openid's auth endpoint."""
         backend_basic_auth_string = f"{cls.client_id()}:{cls.secret_key()}"
         backend_basic_auth_bytes = bytes(backend_basic_auth_string, encoding="ascii")
         backend_basic_auth = base64.b64encode(backend_basic_auth_bytes)
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
index 11beb3826..90db8c2f3 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
@@ -5,9 +5,11 @@ from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 
 
 class TestFaskOpenId(BaseTest):
-    """An integrated Open ID that responds to openID requests
-    by referencing a build in YAML file.  Useful for
-    local development, testing, demos etc..."""
+    """An integrated Open ID that responds to openID requests.
+
+    By referencing a build in YAML file.  Useful for
+    local development, testing, demos etc...
+    """
 
     def test_discovery_of_endpoints(
         self,
@@ -15,6 +17,7 @@ class TestFaskOpenId(BaseTest):
         client: FlaskClient,
         with_db_and_bpmn_file_cleanup: None,
     ) -> None:
+        """Test discovery endpoints."""
         response = client.get("/openid/.well-known/openid-configuration")
         discovered_urls = response.json
         assert "http://localhost/openid" == discovered_urls["issuer"]
@@ -29,7 +32,7 @@ class TestFaskOpenId(BaseTest):
         client: FlaskClient,
         with_db_and_bpmn_file_cleanup: None,
     ) -> None:
-        # It should be possible to get to a login page
+        """It should be possible to get to a login page."""
         data = {"state": {"bubblegum": 1, "daydream": 2}}
         response = client.get("/openid/auth", query_string=data)
         assert b"<h2>Login</h2>" in response.data
@@ -41,7 +44,7 @@ class TestFaskOpenId(BaseTest):
         client: FlaskClient,
         with_db_and_bpmn_file_cleanup: None,
     ) -> None:
-
+        """It should be possible to get a token."""
         code = (
             "c3BpZmZ3b3JrZmxvdy1iYWNrZW5kOkpYZVFFeG0wSmhRUEx1bWdIdElJcWY1MmJEYWxIejBx"
         )

From 1e86345a338ad75c9b4c4f3c5bb0f9050a18ed8a Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Mon, 5 Dec 2022 10:46:26 -0500
Subject: [PATCH 26/38] Fixes based off KB's super kind review. ------- *
 Remove unnecessary packages from dockerfile for the demo-connect proxy. *
 Rename an environment variable that mentioned Status.im in what is now a
 generic connector. * Fixed a spelling mistake.

---
 connector-proxy-demo/Dockerfile                                | 3 +--
 connector-proxy-demo/bin/boot_server_in_docker                 | 2 +-
 docker-compose.yml                                             | 2 +-
 .../config/permissions/{demo.yml => example.yml}               | 0
 .../spiffworkflow_backend/integration/test_openid_blueprint.py | 2 +-
 5 files changed, 4 insertions(+), 5 deletions(-)
 rename spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/{demo.yml => example.yml} (100%)

diff --git a/connector-proxy-demo/Dockerfile b/connector-proxy-demo/Dockerfile
index e2d89bebd..2e1a76b7f 100644
--- a/connector-proxy-demo/Dockerfile
+++ b/connector-proxy-demo/Dockerfile
@@ -6,8 +6,7 @@ RUN useradd _gunicorn --no-create-home --user-group
 RUN apt-get update && \
     apt-get install -y -q \
         gcc libssl-dev \
-        curl git-core libpq-dev \
-        gunicorn3 default-mysql-client
+        curl gunicorn3
 
 WORKDIR /app
 COPY pyproject.toml poetry.lock /app/
diff --git a/connector-proxy-demo/bin/boot_server_in_docker b/connector-proxy-demo/bin/boot_server_in_docker
index d64f417bc..1179bf5bb 100755
--- a/connector-proxy-demo/bin/boot_server_in_docker
+++ b/connector-proxy-demo/bin/boot_server_in_docker
@@ -7,7 +7,7 @@ function error_handler() {
 trap 'error_handler ${LINENO} $?' ERR
 set -o errtrace -o errexit -o nounset -o pipefail
 
-port="${CONNECTOR_PROXY_STATUS_IM_PORT:-}"
+port="${CONNECTOR_PROXY_PORT:-}"
 if [[ -z "$port" ]]; then
   port=7004
 fi
diff --git a/docker-compose.yml b/docker-compose.yml
index 7e05ba2a1..1cf550248 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -38,7 +38,7 @@ services:
       - SPIFFWORKFLOW_BACKEND_DATABASE_URI=mysql+mysqlconnector://root:my-secret-pw@spiffworkflow-db:7003/spiffworkflow_backend_development
       - BPMN_SPEC_ABSOLUTE_DIR=/app/process_models
       - SPIFFWORKFLOW_BACKEND_LOAD_FIXTURE_DATA=false
-      - SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME=demo.yml
+      - SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME=example.yml
       - RUN_BACKGROUND_SCHEDULER=true
       - OPEN_ID_CLIENT_ID=spiffworkflow-backend
       - OPEN_ID_CLIENT_SECRET_KEY=my_open_id_secret_key
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/demo.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example.yml
similarity index 100%
rename from spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/demo.yml
rename to spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example.yml
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
index 90db8c2f3..20a0bb67b 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
@@ -4,7 +4,7 @@ from flask.testing import FlaskClient
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 
 
-class TestFaskOpenId(BaseTest):
+class TestFlaskOpenId(BaseTest):
     """An integrated Open ID that responds to openID requests.
 
     By referencing a build in YAML file.  Useful for

From 43bc82163ed73dade0dc42e98e6acd20f4359403 Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Mon, 5 Dec 2022 12:05:52 -0500
Subject: [PATCH 27/38] Setting things up so it's easy to switch databases
 using a local configuration file (still works with environment variables)
 Swtiched from a "joinedload" to a "selectinload" which removes a problem with
 groupby columns in Postgres and sqlite.
 (https://docs.sqlalchemy.org/en/14/orm/loading_relationships.html#selectin-eager-loading)

---
 .../spiffworkflow_backend/config/__init__.py  | 14 +++++++-------
 .../spiffworkflow_backend/config/default.py   |  4 ++++
 .../routes/process_api_blueprint.py           | 19 +++++++++++--------
 3 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
index e51d16978..00f540566 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
@@ -14,13 +14,13 @@ class ConfigurationError(Exception):
 
 def setup_database_uri(app: Flask) -> None:
     """Setup_database_uri."""
-    if os.environ.get("SPIFFWORKFLOW_BACKEND_DATABASE_URI") is None:
+    if app.config.get("SPIFFWORKFLOW_BACKEND_DATABASE_URI") is None:
         database_name = f"spiffworkflow_backend_{app.config['ENV_IDENTIFIER']}"
-        if os.environ.get("SPIFF_DATABASE_TYPE") == "sqlite":
+        if app.config.get("SPIFF_DATABASE_TYPE") == "sqlite":
             app.config[
                 "SQLALCHEMY_DATABASE_URI"
             ] = f"sqlite:///{app.instance_path}/db_{app.config['ENV_IDENTIFIER']}.sqlite3"
-        elif os.environ.get("SPIFF_DATABASE_TYPE") == "postgres":
+        elif app.config.get("SPIFF_DATABASE_TYPE") == "postgres":
             app.config[
                 "SQLALCHEMY_DATABASE_URI"
             ] = f"postgresql://spiffworkflow_backend:spiffworkflow_backend@localhost:5432/{database_name}"
@@ -33,7 +33,7 @@ def setup_database_uri(app: Flask) -> None:
                 "SQLALCHEMY_DATABASE_URI"
             ] = f"mysql+mysqlconnector://root:{db_pswd}@localhost/{database_name}"
     else:
-        app.config["SQLALCHEMY_DATABASE_URI"] = os.environ.get(
+        app.config["SQLALCHEMY_DATABASE_URI"] = app.config.get(
             "SPIFFWORKFLOW_BACKEND_DATABASE_URI"
         )
 
@@ -73,9 +73,6 @@ def setup_config(app: Flask) -> None:
     else:
         app.config.from_pyfile(f"{app.instance_path}/config.py", silent=True)
 
-    setup_database_uri(app)
-    setup_logger(app)
-
     app.config["PERMISSIONS_FILE_FULLPATH"] = None
     if app.config["SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME"]:
         app.config["PERMISSIONS_FILE_FULLPATH"] = os.path.join(
@@ -92,5 +89,8 @@ def setup_config(app: Flask) -> None:
     if app.config["BPMN_SPEC_ABSOLUTE_DIR"] is None:
         raise ConfigurationError("BPMN_SPEC_ABSOLUTE_DIR config must be set")
 
+    setup_database_uri(app)
+    setup_logger(app)
+
     thread_local_data = threading.local()
     app.config["THREAD_LOCAL_DATA"] = thread_local_data
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
index bb2cab582..79211c123 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@@ -60,3 +60,7 @@ SENTRY_TRACES_SAMPLE_RATE = environ.get(
 SPIFFWORKFLOW_BACKEND_LOG_LEVEL = environ.get(
     "SPIFFWORKFLOW_BACKEND_LOG_LEVEL", default="info"
 )
+
+# Datbase Configuration
+SPIFF_DATABASE_TYPE =environ.get("SPIFF_DATABASE_TYPE", default="mysql")  # can also be sqlite, postgres
+SPIFFWORKFLOW_BACKEND_DATABASE_URI=environ.get("SPIFFWORKFLOW_BACKEND_DATABASE_URI", default=None) # Overide above with specific sqlalchymy connection string.
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_api_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_api_blueprint.py
index 739e689d2..78c12a90f 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_api_blueprint.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_api_blueprint.py
@@ -30,7 +30,7 @@ from SpiffWorkflow.task import TaskState
 from sqlalchemy import and_
 from sqlalchemy import asc
 from sqlalchemy import desc
-from sqlalchemy.orm import joinedload
+from sqlalchemy.orm import selectinload
 
 from spiffworkflow_backend.exceptions.process_entity_not_found_error import (
     ProcessEntityNotFoundError,
@@ -814,7 +814,7 @@ def process_instance_list(
     process_instance_query = ProcessInstanceModel.query
     # Always join that hot user table for good performance at serialization time.
     process_instance_query = process_instance_query.options(
-        joinedload(ProcessInstanceModel.process_initiator)
+        selectinload(ProcessInstanceModel.process_initiator)
     )
 
     if report_filter.process_model_identifier is not None:
@@ -928,13 +928,16 @@ def process_instance_list(
             UserGroupAssignmentModel.user_id == g.user.id
         )
 
-    process_instances = (
-        process_instance_query.group_by(ProcessInstanceModel.id)
-        .order_by(
-            ProcessInstanceModel.start_in_seconds.desc(), ProcessInstanceModel.id.desc()  # type: ignore
+    try:
+        process_instances = (
+            process_instance_query.group_by(ProcessInstanceModel.id)
+            .order_by(
+                ProcessInstanceModel.start_in_seconds.desc(), ProcessInstanceModel.id.desc()  # type: ignore
+            )
+            .paginate(page=page, per_page=per_page, error_out=False)
         )
-        .paginate(page=page, per_page=per_page, error_out=False)
-    )
+    except Exception as e:
+        print(e)
 
     results = list(
         map(

From 3a09b457657289b6964690ed2560cbba827facdb Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Mon, 5 Dec 2022 12:29:19 -0500
Subject: [PATCH 28/38] running py_pl -- mainly reordering imports.

---
 flask-bpmn/pyproject.toml                                | 1 -
 flask-bpmn/src/flask_bpmn/models/db.py                   | 4 ++--
 .../bin/import_tickets_for_command_line.py               | 1 -
 spiffworkflow-backend/conftest.py                        | 4 ++--
 .../src/spiffworkflow_backend/__init__.py                | 6 +++---
 .../src/spiffworkflow_backend/config/default.py          | 9 +++++++--
 .../src/spiffworkflow_backend/helpers/db_helper.py       | 2 +-
 .../src/spiffworkflow_backend/models/active_task.py      | 4 ++--
 .../src/spiffworkflow_backend/models/active_task_user.py | 2 +-
 .../src/spiffworkflow_backend/models/group.py            | 4 ++--
 .../spiffworkflow_backend/models/message_correlation.py  | 4 ++--
 .../models/message_correlation_message_instance.py       | 2 +-
 .../models/message_correlation_property.py               | 1 +
 .../src/spiffworkflow_backend/models/message_instance.py | 4 ++--
 .../models/message_triggerable_process_model.py          | 1 +
 .../models/permission_assignment.py                      | 4 ++--
 .../spiffworkflow_backend/models/permission_target.py    | 4 ++--
 .../src/spiffworkflow_backend/models/principal.py        | 2 +-
 .../src/spiffworkflow_backend/models/process_instance.py | 4 ++--
 .../models/process_instance_metadata.py                  | 2 +-
 .../models/process_instance_report.py                    | 4 ++--
 .../src/spiffworkflow_backend/models/refresh_token.py    | 2 +-
 .../src/spiffworkflow_backend/models/secret_model.py     | 2 +-
 .../src/spiffworkflow_backend/models/spec_reference.py   | 2 +-
 .../src/spiffworkflow_backend/models/spiff_logging.py    | 3 +--
 .../spiffworkflow_backend/models/spiff_step_details.py   | 4 ++--
 .../src/spiffworkflow_backend/models/user.py             | 6 +++---
 .../models/user_group_assignment.py                      | 1 +
 .../routes/process_api_blueprint.py                      | 4 ++--
 .../src/spiffworkflow_backend/routes/user.py             | 2 +-
 .../src/spiffworkflow_backend/routes/user_blueprint.py   | 4 ++--
 .../src/spiffworkflow_backend/scripts/get_localtime.py   | 2 +-
 .../scripts/save_process_instance_metadata.py            | 3 +--
 .../src/spiffworkflow_backend/scripts/script.py          | 3 +--
 .../services/acceptance_test_fixtures.py                 | 2 +-
 .../services/authentication_service.py                   | 4 ++--
 .../services/authorization_service.py                    | 4 ++--
 .../spiffworkflow_backend/services/data_setup_service.py | 3 ++-
 .../services/error_handling_service.py                   | 5 ++---
 .../services/file_system_service.py                      | 2 +-
 .../src/spiffworkflow_backend/services/group_service.py  | 3 +--
 .../spiffworkflow_backend/services/logging_service.py    | 2 +-
 .../spiffworkflow_backend/services/message_service.py    | 2 +-
 .../services/process_instance_processor.py               | 4 ++--
 .../services/process_instance_service.py                 | 4 ++--
 .../services/process_model_service.py                    | 3 +--
 .../src/spiffworkflow_backend/services/secret_service.py | 3 +--
 .../spiffworkflow_backend/services/spec_file_service.py  | 2 +-
 .../src/spiffworkflow_backend/services/user_service.py   | 4 ++--
 .../tests/spiffworkflow_backend/helpers/base_test.py     | 4 ++--
 .../integration/test_process_api.py                      | 2 +-
 .../integration/test_secret_service.py                   | 2 +-
 .../scripts/test_get_group_members.py                    | 3 ++-
 .../spiffworkflow_backend/unit/test_message_instance.py  | 3 ++-
 .../spiffworkflow_backend/unit/test_permission_target.py | 3 ++-
 .../tests/spiffworkflow_backend/unit/test_permissions.py | 3 ++-
 .../spiffworkflow_backend/unit/test_process_model.py     | 3 ++-
 .../unit/test_restricted_script_engine.py                | 3 ++-
 .../spiffworkflow_backend/unit/test_spec_file_service.py | 2 +-
 .../spiffworkflow_backend/unit/test_spiff_logging.py     | 2 +-
 60 files changed, 95 insertions(+), 89 deletions(-)

diff --git a/flask-bpmn/pyproject.toml b/flask-bpmn/pyproject.toml
index 3cb3217a5..105fa15d6 100644
--- a/flask-bpmn/pyproject.toml
+++ b/flask-bpmn/pyproject.toml
@@ -64,7 +64,6 @@ sphinx-click = "^4.3.0"
 Pygments = "^2.13.0"
 pyupgrade = "^3.2.2"
 furo = ">=2021.11.12"
-MonkeyType = "^22.2.0"
 
 [tool.poetry.scripts]
 flask-bpmn = "flask_bpmn.__main__:main"
diff --git a/flask-bpmn/src/flask_bpmn/models/db.py b/flask-bpmn/src/flask_bpmn/models/db.py
index 643e1a85d..a288e6fda 100644
--- a/flask-bpmn/src/flask_bpmn/models/db.py
+++ b/flask-bpmn/src/flask_bpmn/models/db.py
@@ -8,8 +8,8 @@ from typing import Any
 from flask_migrate import Migrate  # type: ignore
 from flask_sqlalchemy import SQLAlchemy  # type: ignore
 from sqlalchemy import event  # type: ignore
-from sqlalchemy.engine.base import Connection  # type: ignore
-from sqlalchemy.orm.mapper import Mapper  # type: ignore
+from sqlalchemy.engine.base import Connection
+from sqlalchemy.orm.mapper import Mapper
 
 db = SQLAlchemy()
 migrate = Migrate()
diff --git a/spiffworkflow-backend/bin/import_tickets_for_command_line.py b/spiffworkflow-backend/bin/import_tickets_for_command_line.py
index e193b5990..a993a3d30 100644
--- a/spiffworkflow-backend/bin/import_tickets_for_command_line.py
+++ b/spiffworkflow-backend/bin/import_tickets_for_command_line.py
@@ -1,6 +1,5 @@
 """Grabs tickets from csv and makes process instances."""
 import csv
-
 from flask_bpmn.models.db import db
 
 from spiffworkflow_backend import get_hacked_up_app_for_script
diff --git a/spiffworkflow-backend/conftest.py b/spiffworkflow-backend/conftest.py
index c3af94332..2ded9053b 100644
--- a/spiffworkflow-backend/conftest.py
+++ b/spiffworkflow-backend/conftest.py
@@ -1,12 +1,12 @@
 """Conftest."""
 import os
 import shutil
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 
 import pytest
 from flask.app import Flask
 from flask.testing import FlaskClient
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 
 from spiffworkflow_backend.models.active_task_user import ActiveTaskUserModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
index c2baf9b69..565047059 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
@@ -1,5 +1,8 @@
 """__init__."""
 import os
+from flask_bpmn.api.api_error import api_error_blueprint
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import migrate
 from typing import Any
 
 import connexion  # type: ignore
@@ -9,9 +12,6 @@ import sqlalchemy
 from apscheduler.schedulers.background import BackgroundScheduler  # type: ignore
 from apscheduler.schedulers.base import BaseScheduler  # type: ignore
 from flask.json.provider import DefaultJSONProvider
-from flask_bpmn.api.api_error import api_error_blueprint
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import migrate
 from flask_cors import CORS  # type: ignore
 from flask_mail import Mail  # type: ignore
 from werkzeug.exceptions import NotFound
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
index 79211c123..8643df768 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@@ -62,5 +62,10 @@ SPIFFWORKFLOW_BACKEND_LOG_LEVEL = environ.get(
 )
 
 # Datbase Configuration
-SPIFF_DATABASE_TYPE =environ.get("SPIFF_DATABASE_TYPE", default="mysql")  # can also be sqlite, postgres
-SPIFFWORKFLOW_BACKEND_DATABASE_URI=environ.get("SPIFFWORKFLOW_BACKEND_DATABASE_URI", default=None) # Overide above with specific sqlalchymy connection string.
+SPIFF_DATABASE_TYPE = environ.get(
+    "SPIFF_DATABASE_TYPE", default="mysql"
+)  # can also be sqlite, postgres
+# Overide above with specific sqlalchymy connection string.
+SPIFFWORKFLOW_BACKEND_DATABASE_URI = environ.get(
+    "SPIFFWORKFLOW_BACKEND_DATABASE_URI", default=None
+)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/helpers/db_helper.py b/spiffworkflow-backend/src/spiffworkflow_backend/helpers/db_helper.py
index 45cd38f7a..2ceea1f44 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/helpers/db_helper.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/helpers/db_helper.py
@@ -1,8 +1,8 @@
 """Db_helper."""
 import time
+from flask_bpmn.models.db import db
 
 import sqlalchemy
-from flask_bpmn.models.db import db
 
 
 def try_to_connect(start_time: float) -> None:
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task.py
index ea9e10552..cf08394f4 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task.py
@@ -2,10 +2,10 @@
 from __future__ import annotations
 
 from dataclasses import dataclass
-from typing import TYPE_CHECKING
-
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+from typing import TYPE_CHECKING
+
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import relationship
 from sqlalchemy.orm import RelationshipProperty
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task_user.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task_user.py
index f194c38e4..a14c08ce4 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task_user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task_user.py
@@ -2,9 +2,9 @@
 from __future__ import annotations
 
 from dataclasses import dataclass
-
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+
 from sqlalchemy import ForeignKey
 
 from spiffworkflow_backend.models.active_task import ActiveTaskModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/group.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/group.py
index 3b7edd6ce..b6db3cf34 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/group.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/group.py
@@ -1,10 +1,10 @@
 """Group."""
 from __future__ import annotations
 
-from typing import TYPE_CHECKING
-
 from flask_bpmn.models.db import db
 from flask_bpmn.models.group import FlaskBpmnGroupModel
+from typing import TYPE_CHECKING
+
 from sqlalchemy.orm import relationship
 
 if TYPE_CHECKING:
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation.py
index 08bc1cb12..65937a4fc 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation.py
@@ -1,9 +1,9 @@
 """Message_correlation."""
 from dataclasses import dataclass
-from typing import TYPE_CHECKING
-
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+from typing import TYPE_CHECKING
+
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import relationship
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_message_instance.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_message_instance.py
index 320dfba3e..dbbddb44f 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_message_instance.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_message_instance.py
@@ -1,8 +1,8 @@
 """Message_correlation_message_instance."""
 from dataclasses import dataclass
-
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+
 from sqlalchemy import ForeignKey
 
 from spiffworkflow_backend.models.message_correlation import MessageCorrelationModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_property.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_property.py
index b84b7140c..c0c06925f 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_property.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_property.py
@@ -1,6 +1,7 @@
 """Message_correlation_property."""
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+
 from sqlalchemy import ForeignKey
 
 from spiffworkflow_backend.models.message_model import MessageModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_instance.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_instance.py
index 2559a6352..745d2c2d6 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_instance.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_instance.py
@@ -1,12 +1,12 @@
 """Message_instance."""
 import enum
 from dataclasses import dataclass
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from typing import Any
 from typing import Optional
 from typing import TYPE_CHECKING
 
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from sqlalchemy import ForeignKey
 from sqlalchemy.event import listens_for
 from sqlalchemy.orm import relationship
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_triggerable_process_model.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_triggerable_process_model.py
index cc8834654..29b742f7d 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_triggerable_process_model.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_triggerable_process_model.py
@@ -1,6 +1,7 @@
 """Message_correlation_property."""
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+
 from sqlalchemy import ForeignKey
 
 from spiffworkflow_backend.models.message_model import MessageModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_assignment.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_assignment.py
index 63295f74e..8aa2b5ade 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_assignment.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_assignment.py
@@ -1,9 +1,9 @@
 """PermissionAssignment."""
 import enum
-from typing import Any
-
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+from typing import Any
+
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import validates
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_target.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_target.py
index 53334baf0..3b4a10553 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_target.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_target.py
@@ -1,10 +1,10 @@
 """PermissionTarget."""
 import re
 from dataclasses import dataclass
-from typing import Optional
-
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+from typing import Optional
+
 from sqlalchemy.orm import validates
 
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/principal.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/principal.py
index c7efa8609..1c267052d 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/principal.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/principal.py
@@ -1,8 +1,8 @@
 """Principal."""
 from dataclasses import dataclass
-
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import relationship
 from sqlalchemy.schema import CheckConstraint
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance.py
index e6a5f6849..c2b003104 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance.py
@@ -1,12 +1,12 @@
 """Process_instance."""
 from __future__ import annotations
 
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from typing import Any
 from typing import cast
 
 import marshmallow
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from marshmallow import INCLUDE
 from marshmallow import Schema
 from marshmallow_enum import EnumField  # type: ignore
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_metadata.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_metadata.py
index 5a4d4ca5b..66db3fb04 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_metadata.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_metadata.py
@@ -1,8 +1,8 @@
 """Spiff_step_details."""
 from dataclasses import dataclass
-
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+
 from sqlalchemy import ForeignKey
 
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_report.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_report.py
index 5cccf4a59..8e4c3e583 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_report.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_report.py
@@ -2,13 +2,13 @@
 from __future__ import annotations
 
 from dataclasses import dataclass
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from typing import Any
 from typing import cast
 from typing import Optional
 from typing import TypedDict
 
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import deferred
 from sqlalchemy.orm import relationship
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/refresh_token.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/refresh_token.py
index 2e96b7f05..c5684f25a 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/refresh_token.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/refresh_token.py
@@ -1,8 +1,8 @@
 """Refresh_token."""
 from dataclasses import dataclass
-
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+
 from sqlalchemy import ForeignKey
 
 # from sqlalchemy.orm import relationship
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/secret_model.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/secret_model.py
index 92fd470a3..1bb634cec 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/secret_model.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/secret_model.py
@@ -1,8 +1,8 @@
 """Secret_model."""
 from dataclasses import dataclass
-
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+
 from marshmallow import Schema
 from sqlalchemy import ForeignKey
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/spec_reference.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/spec_reference.py
index 1e85f7229..ce083a483 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/spec_reference.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/spec_reference.py
@@ -1,8 +1,8 @@
 """Message_model."""
 from dataclasses import dataclass
-
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+
 from flask_marshmallow import Schema  # type: ignore
 from marshmallow import INCLUDE
 from sqlalchemy import UniqueConstraint
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_logging.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_logging.py
index b0b908877..e27daeb64 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_logging.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_logging.py
@@ -1,9 +1,8 @@
 """Spiff_logging."""
 from dataclasses import dataclass
-from typing import Optional
-
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+from typing import Optional
 
 
 @dataclass
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_step_details.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_step_details.py
index 91d70116a..62dcd5957 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_step_details.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_step_details.py
@@ -1,9 +1,9 @@
 """Spiff_step_details."""
 from dataclasses import dataclass
-from typing import Optional
-
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+from typing import Optional
+
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import deferred
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
index b8c83d0f7..cdd2379b7 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
@@ -1,14 +1,14 @@
 """User."""
 from __future__ import annotations
 
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from typing import Any
 
 import jwt
 import marshmallow
 from flask import current_app
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from marshmallow import Schema
 from sqlalchemy.orm import relationship
 from sqlalchemy.orm import validates
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/user_group_assignment.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/user_group_assignment.py
index fa5b620c8..548a280b9 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/user_group_assignment.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/user_group_assignment.py
@@ -1,6 +1,7 @@
 """UserGroupAssignment."""
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import relationship
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_api_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_api_blueprint.py
index 78c12a90f..212d853dc 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_api_blueprint.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_api_blueprint.py
@@ -3,6 +3,8 @@ import json
 import random
 import string
 import uuid
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from typing import Any
 from typing import Dict
 from typing import Optional
@@ -21,8 +23,6 @@ from flask import make_response
 from flask import redirect
 from flask import request
 from flask.wrappers import Response
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from lxml import etree  # type: ignore
 from lxml.builder import ElementMaker  # type: ignore
 from SpiffWorkflow.task import Task as SpiffTask  # type: ignore
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
index 2bbbc1374..f18dff3b3 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
@@ -2,6 +2,7 @@
 import ast
 import base64
 import json
+from flask_bpmn.api.api_error import ApiError
 from typing import Any
 from typing import Dict
 from typing import Optional
@@ -12,7 +13,6 @@ from flask import current_app
 from flask import g
 from flask import redirect
 from flask import request
-from flask_bpmn.api.api_error import ApiError
 from werkzeug.wrappers import Response
 
 from spiffworkflow_backend.models.user import UserModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user_blueprint.py
index 29bbddcd1..d1dea8c8e 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user_blueprint.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user_blueprint.py
@@ -1,5 +1,7 @@
 """Main."""
 import json
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from typing import Any
 from typing import Final
 
@@ -7,8 +9,6 @@ import flask.wrappers
 from flask import Blueprint
 from flask import request
 from flask import Response
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from sqlalchemy.exc import IntegrityError
 
 from spiffworkflow_backend.models.group import GroupModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_localtime.py b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_localtime.py
index 689b86d8c..c6680c9dd 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_localtime.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_localtime.py
@@ -1,9 +1,9 @@
 """Get_localtime."""
 from datetime import datetime
+from flask_bpmn.api.api_error import ApiError
 from typing import Any
 
 import pytz
-from flask_bpmn.api.api_error import ApiError
 
 from spiffworkflow_backend.models.script_attributes_context import (
     ScriptAttributesContext,
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/save_process_instance_metadata.py b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/save_process_instance_metadata.py
index ae5fe00ef..588402fdf 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/save_process_instance_metadata.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/save_process_instance_metadata.py
@@ -1,7 +1,6 @@
 """Get_env."""
-from typing import Any
-
 from flask_bpmn.models.db import db
+from typing import Any
 
 from spiffworkflow_backend.models.process_instance_metadata import (
     ProcessInstanceMetadataModel,
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/script.py b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/script.py
index b744694a2..00f8de792 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/script.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/script.py
@@ -5,11 +5,10 @@ import importlib
 import os
 import pkgutil
 from abc import abstractmethod
+from flask_bpmn.api.api_error import ApiError
 from typing import Any
 from typing import Callable
 
-from flask_bpmn.api.api_error import ApiError
-
 from spiffworkflow_backend.models.script_attributes_context import (
     ScriptAttributesContext,
 )
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/acceptance_test_fixtures.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/acceptance_test_fixtures.py
index 81488910e..81cb2b3fa 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/acceptance_test_fixtures.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/acceptance_test_fixtures.py
@@ -1,8 +1,8 @@
 """Acceptance_test_fixtures."""
 import time
+from flask_bpmn.models.db import db
 
 from flask import current_app
-from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index ad252d116..497af7ed0 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -3,14 +3,14 @@ import base64
 import enum
 import json
 import time
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from typing import Optional
 
 import jwt
 import requests
 from flask import current_app
 from flask import redirect
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from werkzeug.wrappers import Response
 
 from spiffworkflow_backend.models.refresh_token import RefreshTokenModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
index bde408308..5b0d0573b 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
@@ -1,6 +1,8 @@
 """Authorization_service."""
 import inspect
 import re
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from typing import Optional
 from typing import Union
 
@@ -10,8 +12,6 @@ from flask import current_app
 from flask import g
 from flask import request
 from flask import scaffold
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from SpiffWorkflow.task import Task as SpiffTask  # type: ignore
 from sqlalchemy import or_
 from sqlalchemy import text
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/data_setup_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/data_setup_service.py
index c9c0647ed..b0179079e 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/data_setup_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/data_setup_service.py
@@ -1,7 +1,8 @@
 """Data_setup_service."""
-from flask import current_app
 from flask_bpmn.models.db import db
 
+from flask import current_app
+
 from spiffworkflow_backend.services.process_model_service import ProcessModelService
 from spiffworkflow_backend.services.spec_file_service import SpecFileService
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/error_handling_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/error_handling_service.py
index 1e8b38f2d..a5be1b8e3 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/error_handling_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/error_handling_service.py
@@ -1,11 +1,10 @@
 """Error_handling_service."""
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from typing import Any
 from typing import List
 from typing import Union
 
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
-
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
 from spiffworkflow_backend.models.process_instance import ProcessInstanceStatus
 from spiffworkflow_backend.services.email_service import EmailService
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/file_system_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/file_system_service.py
index 5812748c7..29f118b63 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/file_system_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/file_system_service.py
@@ -1,12 +1,12 @@
 """File_system_service."""
 import os
 from datetime import datetime
+from flask_bpmn.api.api_error import ApiError
 from typing import List
 from typing import Optional
 
 import pytz
 from flask import current_app
-from flask_bpmn.api.api_error import ApiError
 
 from spiffworkflow_backend.models.file import CONTENT_TYPES
 from spiffworkflow_backend.models.file import File
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/group_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/group_service.py
index aa560009e..edc0e69a4 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/group_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/group_service.py
@@ -1,7 +1,6 @@
 """Group_service."""
-from typing import Optional
-
 from flask_bpmn.models.db import db
+from typing import Optional
 
 from spiffworkflow_backend.models.group import GroupModel
 from spiffworkflow_backend.services.user_service import UserService
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/logging_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/logging_service.py
index dd34cb3fd..fe56e104f 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/logging_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/logging_service.py
@@ -2,12 +2,12 @@
 import json
 import logging
 import re
+from flask_bpmn.models.db import db
 from typing import Any
 from typing import Optional
 
 from flask import g
 from flask.app import Flask
-from flask_bpmn.models.db import db
 
 from spiffworkflow_backend.models.spiff_logging import SpiffLoggingModel
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/message_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/message_service.py
index cfb42c836..8e8f7a728 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/message_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/message_service.py
@@ -1,8 +1,8 @@
 """Message_service."""
+from flask_bpmn.models.db import db
 from typing import Any
 from typing import Optional
 
-from flask_bpmn.models.db import db
 from sqlalchemy import and_
 from sqlalchemy import or_
 from sqlalchemy import select
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
index d1df67428..1a38259df 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
@@ -8,6 +8,8 @@ import re
 import time
 from datetime import datetime
 from datetime import timedelta
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from typing import Any
 from typing import Callable
 from typing import Dict
@@ -21,8 +23,6 @@ from typing import Union
 import dateparser
 import pytz
 from flask import current_app
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from lxml import etree  # type: ignore
 from RestrictedPython import safe_globals  # type: ignore
 from SpiffWorkflow.bpmn.exceptions import WorkflowTaskExecException  # type: ignore
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_service.py
index f98eaae18..f8df009de 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_service.py
@@ -1,11 +1,11 @@
 """Process_instance_service."""
 import time
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from typing import Any
 from typing import List
 
 from flask import current_app
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from SpiffWorkflow.task import Task as SpiffTask  # type: ignore
 
 from spiffworkflow_backend.models.active_task import ActiveTaskModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py
index f009af688..9a88cb56a 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py
@@ -2,14 +2,13 @@
 import json
 import os
 import shutil
+from flask_bpmn.api.api_error import ApiError
 from glob import glob
 from typing import Any
 from typing import List
 from typing import Optional
 from typing import TypeVar
 
-from flask_bpmn.api.api_error import ApiError
-
 from spiffworkflow_backend.exceptions.process_entity_not_found_error import (
     ProcessEntityNotFoundError,
 )
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/secret_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/secret_service.py
index e4dee4913..2362a1a5d 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/secret_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/secret_service.py
@@ -1,8 +1,7 @@
 """Secret_service."""
-from typing import Optional
-
 from flask_bpmn.api.api_error import ApiError
 from flask_bpmn.models.db import db
+from typing import Optional
 
 from spiffworkflow_backend.models.secret_model import SecretModel
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/spec_file_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/spec_file_service.py
index c69f41c30..8057a7e14 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/spec_file_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/spec_file_service.py
@@ -2,10 +2,10 @@
 import os
 import shutil
 from datetime import datetime
+from flask_bpmn.models.db import db
 from typing import List
 from typing import Optional
 
-from flask_bpmn.models.db import db
 from SpiffWorkflow.bpmn.parser.ValidationException import ValidationException  # type: ignore
 
 from spiffworkflow_backend.models.file import File
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/user_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/user_service.py
index 0e8e65c2c..009d0531b 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/user_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/user_service.py
@@ -1,11 +1,11 @@
 """User_service."""
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from typing import Any
 from typing import Optional
 
 from flask import current_app
 from flask import g
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 
 from spiffworkflow_backend.models.active_task import ActiveTaskModel
 from spiffworkflow_backend.models.active_task_user import ActiveTaskUserModel
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/helpers/base_test.py b/spiffworkflow-backend/tests/spiffworkflow_backend/helpers/base_test.py
index 8d56853b4..16b96830d 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/helpers/base_test.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/helpers/base_test.py
@@ -3,14 +3,14 @@ import io
 import json
 import os
 import time
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from typing import Any
 from typing import Dict
 from typing import Optional
 
 from flask import current_app
 from flask.testing import FlaskClient
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
 from werkzeug.test import TestResponse  # type: ignore
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py
index 5ee5ae9f2..0d996bcb8 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py
@@ -3,12 +3,12 @@ import io
 import json
 import os
 import time
+from flask_bpmn.models.db import db
 from typing import Any
 
 import pytest
 from flask.app import Flask
 from flask.testing import FlaskClient
-from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_secret_service.py b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_secret_service.py
index c71f67f23..9d064173f 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_secret_service.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_secret_service.py
@@ -1,11 +1,11 @@
 """Test_secret_service."""
 import json
+from flask_bpmn.api.api_error import ApiError
 from typing import Optional
 
 import pytest
 from flask.app import Flask
 from flask.testing import FlaskClient
-from flask_bpmn.api.api_error import ApiError
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from werkzeug.test import TestResponse  # type: ignore
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_group_members.py b/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_group_members.py
index 8a6046b5b..a2e9f5ef8 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_group_members.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_group_members.py
@@ -1,7 +1,8 @@
 """Test_get_localtime."""
+from flask_bpmn.models.db import db
+
 from flask.app import Flask
 from flask.testing import FlaskClient
-from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_message_instance.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_message_instance.py
index 2c091eeb1..a28034144 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_message_instance.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_message_instance.py
@@ -1,8 +1,9 @@
 """Test_message_instance."""
+from flask_bpmn.models.db import db
+
 import pytest
 from flask import Flask
 from flask.testing import FlaskClient
-from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 
 from spiffworkflow_backend.models.message_instance import MessageInstanceModel
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permission_target.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permission_target.py
index 567681428..f0f693f09 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permission_target.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permission_target.py
@@ -1,7 +1,8 @@
 """Process Model."""
+from flask_bpmn.models.db import db
+
 import pytest
 from flask.app import Flask
-from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 
 from spiffworkflow_backend.models.permission_target import (
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permissions.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permissions.py
index b66f32370..92f5c5002 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permissions.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permissions.py
@@ -1,7 +1,8 @@
 """Test Permissions."""
+from flask_bpmn.models.db import db
+
 from flask.app import Flask
 from flask.testing import FlaskClient
-from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_process_model.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_process_model.py
index 09421bc71..f8470743b 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_process_model.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_process_model.py
@@ -1,7 +1,8 @@
 """Process Model."""
+from flask_bpmn.models.db import db
+
 from flask.app import Flask
 from flask.testing import FlaskClient
-from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_restricted_script_engine.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_restricted_script_engine.py
index d31ea424f..ae77a1fc6 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_restricted_script_engine.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_restricted_script_engine.py
@@ -1,8 +1,9 @@
 """Test_various_bpmn_constructs."""
+from flask_bpmn.api.api_error import ApiError
+
 import pytest
 from flask.app import Flask
 from flask.testing import FlaskClient
-from flask_bpmn.api.api_error import ApiError
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spec_file_service.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spec_file_service.py
index 3cc353b52..5d67d2b22 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spec_file_service.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spec_file_service.py
@@ -1,10 +1,10 @@
 """Test_message_service."""
 import os
+from flask_bpmn.models.db import db
 
 import pytest
 from flask import Flask
 from flask.testing import FlaskClient
-from flask_bpmn.models.db import db
 from SpiffWorkflow.bpmn.parser.ValidationException import ValidationException  # type: ignore
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spiff_logging.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spiff_logging.py
index d8680b719..15a892c06 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spiff_logging.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spiff_logging.py
@@ -1,8 +1,8 @@
 """Process Model."""
 from decimal import Decimal
+from flask_bpmn.models.db import db
 
 from flask.app import Flask
-from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
 

From e06500821e12e669ec1e0c18b7750c4f8dc90edb Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Mon, 5 Dec 2022 12:55:44 -0500
Subject: [PATCH 29/38] fixing an untyped method.

---
 .../services/process_instance_processor.py    | 119 +++++++++---------
 1 file changed, 60 insertions(+), 59 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
index 1a38259df..4e460b403 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
@@ -97,6 +97,7 @@ from spiffworkflow_backend.services.service_task_service import ServiceTaskDeleg
 from spiffworkflow_backend.services.spec_file_service import SpecFileService
 from spiffworkflow_backend.services.user_service import UserService
 
+
 # Sorry about all this crap.  I wanted to move this thing to another file, but
 # importing a bunch of types causes circular imports.
 
@@ -178,16 +179,16 @@ class CustomBpmnScriptEngine(PythonScriptEngine):  # type: ignore
         )
         return Script.generate_augmented_list(script_attributes_context)
 
-    def evaluate(self, task: SpiffTask, expression: str, external_methods=None) -> Any:
+    def evaluate(self, task: SpiffTask, expression: str, external_methods: Any = None) -> Any:
         """Evaluate."""
         return self._evaluate(expression, task.data, task, external_methods)
 
     def _evaluate(
-        self,
-        expression: str,
-        context: Dict[str, Union[Box, str]],
-        task: Optional[SpiffTask] = None,
-        external_methods: Optional[Dict[str, Any]] = None,
+            self,
+            expression: str,
+            context: Dict[str, Union[Box, str]],
+            task: Optional[SpiffTask] = None,
+            external_methods: Optional[Dict[str, Any]] = None,
     ) -> Any:
         """_evaluate."""
         methods = self.__get_augment_methods(task)
@@ -211,7 +212,7 @@ class CustomBpmnScriptEngine(PythonScriptEngine):  # type: ignore
                 ) from exception
 
     def execute(
-        self, task: SpiffTask, script: str, external_methods: Any = None
+            self, task: SpiffTask, script: str, external_methods: Any = None
     ) -> None:
         """Execute."""
         try:
@@ -225,10 +226,10 @@ class CustomBpmnScriptEngine(PythonScriptEngine):  # type: ignore
             raise WorkflowTaskExecException(task, f" {script}, {e}", e) from e
 
     def call_service(
-        self,
-        operation_name: str,
-        operation_params: Dict[str, Any],
-        task_data: Dict[str, Any],
+            self,
+            operation_name: str,
+            operation_params: Dict[str, Any],
+            task_data: Dict[str, Any],
     ) -> Any:
         """CallService."""
         return ServiceTaskDelegate.call_connector(
@@ -275,7 +276,7 @@ class ProcessInstanceProcessor:
     #   * get_spec, which returns a spec and any subprocesses (as IdToBpmnProcessSpecMapping dict)
     #   * __get_bpmn_process_instance, which takes spec and subprocesses and instantiates and returns a BpmnWorkflow
     def __init__(
-        self, process_instance_model: ProcessInstanceModel, validate_only: bool = False
+            self, process_instance_model: ProcessInstanceModel, validate_only: bool = False
     ) -> None:
         """Create a Workflow Processor based on the serialized information available in the process_instance model."""
         tld = current_app.config["THREAD_LOCAL_DATA"]
@@ -302,7 +303,7 @@ class ProcessInstanceProcessor:
             )
         else:
             bpmn_json_length = len(process_instance_model.bpmn_json.encode("utf-8"))
-            megabyte = float(1024**2)
+            megabyte = float(1024 ** 2)
             json_size = bpmn_json_length / megabyte
             if json_size > 1:
                 wf_json = json.loads(process_instance_model.bpmn_json)
@@ -316,22 +317,22 @@ class ProcessInstanceProcessor:
                         len(json.dumps(test_spec).encode("utf-8")) / megabyte
                     )
                     message = (
-                        "Workflow "
-                        + process_instance_model.process_model_identifier
-                        + f" JSON Size is over 1MB:{json_size:.2f} MB"
+                            "Workflow "
+                            + process_instance_model.process_model_identifier
+                            + f" JSON Size is over 1MB:{json_size:.2f} MB"
                     )
                     message += f"\n  Task Size: {task_size}"
                     message += f"\n  Spec Size: {spec_size}"
                     current_app.logger.warning(message)
 
                     def check_sub_specs(
-                        test_spec: dict, indent: int = 0, show_all: bool = False
+                            test_spec: dict, indent: int = 0, show_all: bool = False
                     ) -> None:
                         """Check_sub_specs."""
                         for my_spec_name in test_spec["task_specs"]:
                             my_spec = test_spec["task_specs"][my_spec_name]
                             my_spec_size = (
-                                len(json.dumps(my_spec).encode("utf-8")) / megabyte
+                                    len(json.dumps(my_spec).encode("utf-8")) / megabyte
                             )
                             if my_spec_size > 0.1 or show_all:
                                 current_app.logger.warning(
@@ -367,13 +368,13 @@ class ProcessInstanceProcessor:
             raise ApiError(
                 error_code="unexpected_process_instance_structure",
                 message="Failed to deserialize process_instance"
-                " '%s'  due to a mis-placed or missing task '%s'"
-                % (self.process_model_identifier, str(ke)),
+                        " '%s'  due to a mis-placed or missing task '%s'"
+                        % (self.process_model_identifier, str(ke)),
             ) from ke
 
     @classmethod
     def get_process_model_and_subprocesses(
-        cls, process_model_identifier: str
+            cls, process_model_identifier: str
     ) -> Tuple[BpmnProcessSpec, IdToBpmnProcessSpecMapping]:
         """Get_process_model_and_subprocesses."""
         process_model_info = ProcessModelService.get_process_model(
@@ -391,7 +392,7 @@ class ProcessInstanceProcessor:
 
     @classmethod
     def get_bpmn_process_instance_from_process_model(
-        cls, process_model_identifier: str
+            cls, process_model_identifier: str
     ) -> BpmnWorkflow:
         """Get_all_bpmn_process_identifiers_for_process_model."""
         (bpmn_process_spec, subprocesses) = cls.get_process_model_and_subprocesses(
@@ -416,7 +417,7 @@ class ProcessInstanceProcessor:
         return current_user
 
     def add_user_info_to_process_instance(
-        self, bpmn_process_instance: BpmnWorkflow
+            self, bpmn_process_instance: BpmnWorkflow
     ) -> None:
         """Add_user_info_to_process_instance."""
         current_user = self.current_user()
@@ -429,8 +430,8 @@ class ProcessInstanceProcessor:
 
     @staticmethod
     def get_bpmn_process_instance_from_workflow_spec(
-        spec: BpmnProcessSpec,
-        subprocesses: Optional[IdToBpmnProcessSpecMapping] = None,
+            spec: BpmnProcessSpec,
+            subprocesses: Optional[IdToBpmnProcessSpecMapping] = None,
     ) -> BpmnWorkflow:
         """Get_bpmn_process_instance_from_workflow_spec."""
         return BpmnWorkflow(
@@ -441,10 +442,10 @@ class ProcessInstanceProcessor:
 
     @staticmethod
     def __get_bpmn_process_instance(
-        process_instance_model: ProcessInstanceModel,
-        spec: Optional[BpmnProcessSpec] = None,
-        validate_only: bool = False,
-        subprocesses: Optional[IdToBpmnProcessSpecMapping] = None,
+            process_instance_model: ProcessInstanceModel,
+            spec: Optional[BpmnProcessSpec] = None,
+            validate_only: bool = False,
+            subprocesses: Optional[IdToBpmnProcessSpecMapping] = None,
     ) -> BpmnWorkflow:
         """__get_bpmn_process_instance."""
         if process_instance_model.bpmn_json:
@@ -487,14 +488,14 @@ class ProcessInstanceProcessor:
         self.save()
 
     def raise_if_no_potential_owners(
-        self, potential_owner_ids: list[int], message: str
+            self, potential_owner_ids: list[int], message: str
     ) -> None:
         """Raise_if_no_potential_owners."""
         if not potential_owner_ids:
             raise (NoPotentialOwnersForTaskError(message))
 
     def get_potential_owner_ids_from_task(
-        self, task: SpiffTask
+            self, task: SpiffTask
     ) -> PotentialOwnerIdList:
         """Get_potential_owner_ids_from_task."""
         task_spec = task.task_spec
@@ -666,7 +667,7 @@ class ProcessInstanceProcessor:
 
     @staticmethod
     def backfill_missing_spec_reference_records(
-        bpmn_process_identifier: str,
+            bpmn_process_identifier: str,
     ) -> Optional[str]:
         """Backfill_missing_spec_reference_records."""
         process_models = ProcessModelService.get_process_models(recursive=True)
@@ -687,7 +688,7 @@ class ProcessInstanceProcessor:
 
     @staticmethod
     def bpmn_file_full_path_from_bpmn_process_identifier(
-        bpmn_process_identifier: str,
+            bpmn_process_identifier: str,
     ) -> str:
         """Bpmn_file_full_path_from_bpmn_process_identifier."""
         if bpmn_process_identifier is None:
@@ -697,8 +698,8 @@ class ProcessInstanceProcessor:
 
         spec_reference = (
             SpecReferenceCache.query.filter_by(identifier=bpmn_process_identifier)
-            .filter_by(type="process")
-            .first()
+                .filter_by(type="process")
+                .first()
         )
         bpmn_file_full_path = None
         if spec_reference is None:
@@ -717,15 +718,15 @@ class ProcessInstanceProcessor:
                 ApiError(
                     error_code="could_not_find_bpmn_process_identifier",
                     message="Could not find the the given bpmn process identifier from any sources: %s"
-                    % bpmn_process_identifier,
+                            % bpmn_process_identifier,
                 )
             )
         return os.path.abspath(bpmn_file_full_path)
 
     @staticmethod
     def update_spiff_parser_with_all_process_dependency_files(
-        parser: BpmnDmnParser,
-        processed_identifiers: Optional[set[str]] = None,
+            parser: BpmnDmnParser,
+            processed_identifiers: Optional[set[str]] = None,
     ) -> None:
         """Update_spiff_parser_with_all_process_dependency_files."""
         if processed_identifiers is None:
@@ -763,7 +764,7 @@ class ProcessInstanceProcessor:
 
     @staticmethod
     def get_spec(
-        files: List[File], process_model_info: ProcessModelInfo
+            files: List[File], process_model_info: ProcessModelInfo
     ) -> Tuple[BpmnProcessSpec, IdToBpmnProcessSpecMapping]:
         """Returns a SpiffWorkflow specification for the given process_instance spec, using the files provided."""
         parser = ProcessInstanceProcessor.get_parser()
@@ -777,14 +778,14 @@ class ProcessInstanceProcessor:
                 dmn: etree.Element = etree.fromstring(data)
                 parser.add_dmn_xml(dmn, filename=file.name)
         if (
-            process_model_info.primary_process_id is None
-            or process_model_info.primary_process_id == ""
+                process_model_info.primary_process_id is None
+                or process_model_info.primary_process_id == ""
         ):
             raise (
                 ApiError(
                     error_code="no_primary_bpmn_error",
                     message="There is no primary BPMN process id defined for process_model %s"
-                    % process_model_info.id,
+                            % process_model_info.id,
                 )
             )
         ProcessInstanceProcessor.update_spiff_parser_with_all_process_dependency_files(
@@ -802,7 +803,7 @@ class ProcessInstanceProcessor:
             raise ApiError(
                 error_code="process_instance_validation_error",
                 message="Failed to parse the Workflow Specification. "
-                + "Error is '%s.'" % str(ve),
+                        + "Error is '%s.'" % str(ve),
                 file_name=ve.filename,
                 task_id=ve.id,
                 tag=ve.tag,
@@ -849,12 +850,12 @@ class ProcessInstanceProcessor:
 
             message_correlations = []
             for (
-                message_correlation_key,
-                message_correlation_properties,
+                    message_correlation_key,
+                    message_correlation_properties,
             ) in bpmn_message.correlations.items():
                 for (
-                    message_correlation_property_identifier,
-                    message_correlation_property_value,
+                        message_correlation_property_identifier,
+                        message_correlation_property_value,
                 ) in message_correlation_properties.items():
                     message_correlation_property = (
                         MessageCorrelationPropertyModel.query.filter_by(
@@ -946,7 +947,7 @@ class ProcessInstanceProcessor:
             db.session.add(message_instance)
 
             for (
-                spiff_correlation_property
+                    spiff_correlation_property
             ) in waiting_task.task_spec.event_definition.correlation_properties:
                 # NOTE: we may have to cycle through keys here
                 # not sure yet if it's valid for a property to be associated with multiple keys
@@ -956,9 +957,9 @@ class ProcessInstanceProcessor:
                         process_instance_id=self.process_instance_model.id,
                         name=correlation_key_name,
                     )
-                    .join(MessageCorrelationPropertyModel)
-                    .filter_by(identifier=spiff_correlation_property.name)
-                    .first()
+                        .join(MessageCorrelationPropertyModel)
+                        .filter_by(identifier=spiff_correlation_property.name)
+                        .first()
                 )
                 message_correlation_message_instance = (
                     MessageCorrelationMessageInstanceModel(
@@ -1062,12 +1063,12 @@ class ProcessInstanceProcessor:
         endtasks = []
         if self.bpmn_process_instance.is_completed():
             for task in SpiffTask.Iterator(
-                self.bpmn_process_instance.task_tree, TaskState.ANY_MASK
+                    self.bpmn_process_instance.task_tree, TaskState.ANY_MASK
             ):
                 # Assure that we find the end event for this process_instance, and not for any sub-process_instances.
                 if (
-                    isinstance(task.task_spec, EndEvent)
-                    and task.workflow == self.bpmn_process_instance
+                        isinstance(task.task_spec, EndEvent)
+                        and task.workflow == self.bpmn_process_instance
                 ):
                     endtasks.append(task)
             if len(endtasks) > 0:
@@ -1103,8 +1104,8 @@ class ProcessInstanceProcessor:
                     return task
             for task in ready_tasks:
                 if (
-                    self.bpmn_process_instance.last_task
-                    and task.parent == last_user_task.parent
+                        self.bpmn_process_instance.last_task
+                        and task.parent == last_user_task.parent
                 ):
                     return task
 
@@ -1114,7 +1115,7 @@ class ProcessInstanceProcessor:
         # and return that
         next_task = None
         for task in SpiffTask.Iterator(
-            self.bpmn_process_instance.task_tree, TaskState.NOT_FINISHED_MASK
+                self.bpmn_process_instance.task_tree, TaskState.NOT_FINISHED_MASK
         ):
             next_task = task
         return next_task
@@ -1198,7 +1199,7 @@ class ProcessInstanceProcessor:
             t
             for t in all_tasks
             if not self.bpmn_process_instance._is_engine_task(t.task_spec)
-            and t.state in [TaskState.COMPLETED, TaskState.CANCELLED]
+               and t.state in [TaskState.COMPLETED, TaskState.CANCELLED]
         ]
 
     def get_all_waiting_tasks(self) -> list[SpiffTask]:
@@ -1213,7 +1214,7 @@ class ProcessInstanceProcessor:
 
     @classmethod
     def get_task_by_bpmn_identifier(
-        cls, bpmn_task_identifier: str, bpmn_process_instance: BpmnWorkflow
+            cls, bpmn_task_identifier: str, bpmn_process_instance: BpmnWorkflow
     ) -> Optional[SpiffTask]:
         """Get_task_by_id."""
         all_tasks = bpmn_process_instance.get_tasks(TaskState.ANY_MASK)

From 2a03b3315639aefccdac20c0f4ef62f7aac7c20c Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Tue, 6 Dec 2022 16:20:00 -0500
Subject: [PATCH 30/38] updated terraform permissions to match development
 better w/ burnettk

---
 .../config/permissions/terraform_deployed_environment.yml  | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/terraform_deployed_environment.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/terraform_deployed_environment.yml
index ce2e2dba1..2e41e3b00 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/terraform_deployed_environment.yml
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/terraform_deployed_environment.yml
@@ -70,6 +70,13 @@ permissions:
     allowed_permissions: [create, read, update, delete]
     uri: /v1.0/tasks/*
 
+  service-tasks:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [read]
+    uri: /v1.0/service-tasks
+
+
   # read all for everybody
   read-all-process-groups:
     groups: [everybody]

From 7595758548382090b89e0ebc8d9cf9096d00674e Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Wed, 7 Dec 2022 14:09:33 -0500
Subject: [PATCH 31/38] rename terraform configs from rb to py w/ burnettk

---
 ..._deployed_environment.rb => terraform_deployed_environment.py} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename spiffworkflow-backend/src/spiffworkflow_backend/config/{terraform_deployed_environment.rb => terraform_deployed_environment.py} (100%)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.rb b/spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.py
similarity index 100%
rename from spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.rb
rename to spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.py

From 7c660f874f995e3cdd09318d9b0d7542b28e926e Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Wed, 7 Dec 2022 14:18:49 -0500
Subject: [PATCH 32/38] moved some configs from deploy scripts to terraform env
 config w/ burnettk

---
 .../config/terraform_deployed_environment.py                 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.py
index f1be3410c..7b6769ccf 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.py
@@ -14,3 +14,8 @@ SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME = environ.get(
 RUN_BACKGROUND_SCHEDULER = (
     environ.get("RUN_BACKGROUND_SCHEDULER", default="false") == "true"
 )
+
+OPEN_ID_SERVER_URL = f"https://keycloak.{environment_identifier_for_this_config_file_only}.spiffworkflow.org/realms/spiffworkflow"
+SPIFFWORKFLOW_FRONTEND_URL = f"https://{environment_identifier_for_this_config_file_only}.spiffworkflow.org"
+SPIFFWORKFLOW_BACKEND_URL = f"https://api.{environment_identifier_for_this_config_file_only}.spiffworkflow.org"
+CONNECTOR_PROXY_URL = f"https://connector-proxy.{environment_identifier_for_this_config_file_only}.spiffworkflow.org"

From 9ff80f6affae02cc3f981a8a98b6241419813d4b Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Wed, 7 Dec 2022 14:40:04 -0500
Subject: [PATCH 33/38] remove staging py config file in favor of terraform
 configs w/ burnettk

---
 .../src/spiffworkflow_backend/config/staging.py          | 9 ---------
 1 file changed, 9 deletions(-)
 delete mode 100644 spiffworkflow-backend/src/spiffworkflow_backend/config/staging.py

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/staging.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/staging.py
deleted file mode 100644
index 53c8af61c..000000000
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/staging.py
+++ /dev/null
@@ -1,9 +0,0 @@
-"""Staging."""
-from os import environ
-
-GIT_COMMIT_ON_SAVE = True
-GIT_COMMIT_USERNAME = "staging"
-GIT_COMMIT_EMAIL = "staging@example.com"
-SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME = environ.get(
-    "SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME", default="staging.yml"
-)

From d4ae1d6d37f506ff24853a0ff09af77c8fb1356a Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Wed, 7 Dec 2022 14:42:13 -0500
Subject: [PATCH 34/38] syntax fix w/ burnettk

---
 .../src/spiffworkflow_backend/config/__init__.py                | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
index 00f540566..4bd175a7c 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
@@ -61,7 +61,7 @@ def setup_config(app: Flask) -> None:
             os.environ.get("TERRAFORM_DEPLOYED_ENVIRONMENT") == "true"
             and os.environ.get("SPIFFWORKFLOW_BACKEND_ENV") is not None
         ):
-            app.config.from_object("{env_config_prefix}terraform_deployed_environment")
+            app.config.from_object(f"{env_config_prefix}terraform_deployed_environment")
         else:
             raise ModuleNotFoundError(
                 f"Cannot find config module: {env_config_module}"

From 0fc136a6dd3411e18f8aac4babc78fef9d0bd453 Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Wed, 7 Dec 2022 15:11:58 -0500
Subject: [PATCH 35/38] added frontend url as post redirect url in keycloak w/
 burnettk

---
 .../bin/spiffworkflow-realm.json              | 59 ++++++++++---------
 1 file changed, 32 insertions(+), 27 deletions(-)

diff --git a/spiffworkflow-backend/bin/spiffworkflow-realm.json b/spiffworkflow-backend/bin/spiffworkflow-realm.json
index e0b7ee3f7..8abb6cbc3 100644
--- a/spiffworkflow-backend/bin/spiffworkflow-realm.json
+++ b/spiffworkflow-backend/bin/spiffworkflow-realm.json
@@ -1251,12 +1251,17 @@
   }, {
     "id" : "f44558af-3601-4e54-b854-08396a247544",
     "clientId" : "spiffworkflow-backend",
+    "name" : "",
+    "description" : "",
+    "rootUrl" : "",
+    "adminUrl" : "",
+    "baseUrl" : "",
     "surrogateAuthRequired" : false,
     "enabled" : true,
     "alwaysDisplayInConsole" : false,
     "clientAuthenticatorType" : "client-secret",
     "secret" : "JXeQExm0JhQPLumgHtIIqf52bDalHz0q",
-    "redirectUris" : [ "http://localhost:7000/*", "https://api.unused-for-local-dev.spiffworkflow.org/*", "http://67.205.133.116:7000/*", "http://167.172.242.138:7000/*", "https://api.demo.spiffworkflow.org/*" ],
+    "redirectUris" : [ "http://localhost:7000/*", "https://api.unused-for-local-dev.spiffworkflow.org/*", "https://api.replace-me-with-spiff-subdomain.spiffworkflow.org/*", "http://67.205.133.116:7000/*", "http://167.172.242.138:7000/*" ],
     "webOrigins" : [ ],
     "notBefore" : 0,
     "bearerOnly" : false,
@@ -1273,7 +1278,7 @@
       "saml.force.post.binding" : "false",
       "saml.multivalued.roles" : "false",
       "frontchannel.logout.session.required" : "false",
-      "post.logout.redirect.uris" : "+",
+      "post.logout.redirect.uris" : "https://replace-me-with-spiff-subdomain.spiffworkflow.org/*##http://localhost:7001/*",
       "oauth2.device.authorization.grant.enabled" : "false",
       "backchannel.logout.revoke.offline.tokens" : "false",
       "saml.server.signature.keyinfo.ext" : "false",
@@ -2161,7 +2166,7 @@
       "subType" : "authenticated",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper", "saml-role-list-mapper", "saml-user-property-mapper", "oidc-address-mapper", "saml-user-attribute-mapper" ]
+        "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-property-mapper", "oidc-usermodel-property-mapper", "saml-role-list-mapper", "saml-user-attribute-mapper", "oidc-full-name-mapper", "oidc-address-mapper" ]
       }
     }, {
       "id" : "d68e938d-dde6-47d9-bdc8-8e8523eb08cd",
@@ -2179,7 +2184,7 @@
       "subType" : "anonymous",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper", "saml-role-list-mapper", "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-address-mapper", "oidc-full-name-mapper", "oidc-usermodel-attribute-mapper" ]
+        "allowed-protocol-mapper-types" : [ "oidc-address-mapper", "oidc-full-name-mapper", "oidc-usermodel-attribute-mapper", "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper", "saml-role-list-mapper" ]
       }
     }, {
       "id" : "3854361d-3fe5-47fb-9417-a99592e3dc5c",
@@ -2269,7 +2274,7 @@
   "internationalizationEnabled" : false,
   "supportedLocales" : [ ],
   "authenticationFlows" : [ {
-    "id" : "b30ab201-b13a-405f-bc57-cb5cd934bdc3",
+    "id" : "b896c673-57ab-4f24-bbb1-334bdadbecd3",
     "alias" : "Account verification options",
     "description" : "Method with which to verity the existing account",
     "providerId" : "basic-flow",
@@ -2291,7 +2296,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "7d22faa2-1da8-49ae-a2cc-74e9c9f6ed51",
+    "id" : "4da99e29-371e-4f4b-a863-e5079f30a714",
     "alias" : "Authentication Options",
     "description" : "Authentication options.",
     "providerId" : "basic-flow",
@@ -2320,7 +2325,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "ae089cf3-3179-4e12-a683-7969a31be566",
+    "id" : "d398c928-e201-4e8b-ab09-289bb351cd2e",
     "alias" : "Browser - Conditional OTP",
     "description" : "Flow to determine if the OTP is required for the authentication",
     "providerId" : "basic-flow",
@@ -2342,7 +2347,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "27a21643-2167-4847-a6b4-b07007671d9a",
+    "id" : "663b7aa3-84f6-4347-8ed4-588c2464b75d",
     "alias" : "Direct Grant - Conditional OTP",
     "description" : "Flow to determine if the OTP is required for the authentication",
     "providerId" : "basic-flow",
@@ -2364,7 +2369,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "0ee33ef7-da6b-4248-81c6-9f4f11b58195",
+    "id" : "98013bc1-e4dd-41f7-9849-1f898143b944",
     "alias" : "First broker login - Conditional OTP",
     "description" : "Flow to determine if the OTP is required for the authentication",
     "providerId" : "basic-flow",
@@ -2386,7 +2391,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "e1d02af3-2886-42bb-95f4-bfa6f1299edc",
+    "id" : "b77e7545-9e39-4d72-93f8-1b38c954c2e2",
     "alias" : "Handle Existing Account",
     "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider",
     "providerId" : "basic-flow",
@@ -2408,7 +2413,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "35cfc75f-70e3-487c-acd7-0627ab1dbdf1",
+    "id" : "2470e6f4-9a01-476a-9057-75d78e577182",
     "alias" : "Reset - Conditional OTP",
     "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
     "providerId" : "basic-flow",
@@ -2430,7 +2435,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "cc2f7206-8d15-46db-b974-71e67d4d1077",
+    "id" : "8e7dad0b-f4e1-4534-b618-b635b0a0e4f9",
     "alias" : "User creation or linking",
     "description" : "Flow for the existing/non-existing user alternatives",
     "providerId" : "basic-flow",
@@ -2453,7 +2458,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "d8314533-eacb-40ef-8f44-7c06321e9793",
+    "id" : "97c83e43-cba8-4d92-b108-9181bca07a1e",
     "alias" : "Verify Existing Account by Re-authentication",
     "description" : "Reauthentication of existing account",
     "providerId" : "basic-flow",
@@ -2475,7 +2480,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "d58a5ff1-9a9c-45a9-9f97-1324565e9679",
+    "id" : "fbabd64c-20de-4b8c-bfd2-be6822572278",
     "alias" : "browser",
     "description" : "browser based authentication",
     "providerId" : "basic-flow",
@@ -2511,7 +2516,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "3ea2aed9-12d9-4999-a104-67f5c5f7841a",
+    "id" : "0628a99f-b194-495d-8e54-cc4ca8684956",
     "alias" : "clients",
     "description" : "Base authentication for clients",
     "providerId" : "client-flow",
@@ -2547,7 +2552,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "c605af3c-bede-4f8f-a5c5-94176171c82c",
+    "id" : "ce6bf7af-3bff-48ce-b214-7fed08503a2a",
     "alias" : "direct grant",
     "description" : "OpenID Connect Resource Owner Grant",
     "providerId" : "basic-flow",
@@ -2576,7 +2581,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "901b4d6c-9c27-4d3d-981a-1b5281c1ea2b",
+    "id" : "60ce729b-d055-4ae7-83cb-85dbcf8cfdaa",
     "alias" : "docker auth",
     "description" : "Used by Docker clients to authenticate against the IDP",
     "providerId" : "basic-flow",
@@ -2591,7 +2596,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "9d1de1bf-b170-4235-92f1-5dfd3ec31c45",
+    "id" : "0bd3cf93-7f33-46b2-ad1f-85cdfb0a87f9",
     "alias" : "first broker login",
     "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
     "providerId" : "basic-flow",
@@ -2614,7 +2619,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "8ee6b54f-4d31-4847-9ddc-36cb4c01b92b",
+    "id" : "3e52f178-9b9d-4a62-97d5-f9f3f872bcd9",
     "alias" : "forms",
     "description" : "Username, password, otp and other auth forms.",
     "providerId" : "basic-flow",
@@ -2636,7 +2641,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "76d3380b-218b-443d-a3ea-bea712f4a1f4",
+    "id" : "3f5fd6cc-2935-45d8-9bef-6857bba3657a",
     "alias" : "http challenge",
     "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes",
     "providerId" : "basic-flow",
@@ -2658,7 +2663,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "cd756473-4606-4150-9ba5-5b96e6f39c3a",
+    "id" : "2c2b32dd-57dc-45d7-9a24-b4a253cb6a03",
     "alias" : "registration",
     "description" : "registration flow",
     "providerId" : "basic-flow",
@@ -2674,7 +2679,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "574fcee6-e152-4069-b328-a7fe33aded3a",
+    "id" : "dbc28b13-dba7-42a0-a8ab-faa8762979c3",
     "alias" : "registration form",
     "description" : "registration form",
     "providerId" : "form-flow",
@@ -2710,7 +2715,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "e5a890ee-140a-4ab3-8d79-87e3499385b0",
+    "id" : "b4a901d5-e7b9-4eb6-9f8e-1d3305846828",
     "alias" : "reset credentials",
     "description" : "Reset credentials for a user if they forgot their password or something",
     "providerId" : "basic-flow",
@@ -2746,7 +2751,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "6243167c-7e2e-4cc7-b35d-bad7862dc9ef",
+    "id" : "824fe757-cc5c-4e13-ab98-9a2132e10f5c",
     "alias" : "saml ecp",
     "description" : "SAML ECP Profile Authentication Flow",
     "providerId" : "basic-flow",
@@ -2762,13 +2767,13 @@
     } ]
   } ],
   "authenticatorConfig" : [ {
-    "id" : "ae605746-d169-4a81-8348-b5f52e07ae14",
+    "id" : "817a93da-29df-447f-ab05-cd9557e66745",
     "alias" : "create unique user config",
     "config" : {
       "require.password.update.after.registration" : "false"
     }
   }, {
-    "id" : "c5feb20c-eea5-4556-b9f8-797be4d67e26",
+    "id" : "4a8a9659-fa0d-4da8-907b-3b6daec1c878",
     "alias" : "review profile config",
     "config" : {
       "update.profile.on.first.login" : "missing"
@@ -2863,4 +2868,4 @@
   "clientPolicies" : {
     "policies" : [ ]
   }
-}
+}
\ No newline at end of file

From 829eacc40ddcfe403a1f9ee214d7a830d1364fb9 Mon Sep 17 00:00:00 2001
From: burnettk <burnettk@users.noreply.github.com>
Date: Thu, 8 Dec 2022 08:44:31 -0500
Subject: [PATCH 36/38] make process metadata saving more resilient

---
 .../services/process_instance_processor.py    | 27 +++++++++++--------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
index 1be46f1b8..e833d8af1 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
@@ -595,20 +595,25 @@ class ProcessInstanceProcessor:
             path_segments = path.split(".")
             data_for_key = current_data
             for path_segment in path_segments:
-                data_for_key = data_for_key[path_segment]
+                if path_segment in data_for_key:
+                    data_for_key = data_for_key[path_segment]
+                else:
+                    data_for_key = None
+                    break
 
-            pim = ProcessInstanceMetadataModel.query.filter_by(
-                process_instance_id=self.process_instance_model.id,
-                key=key,
-            ).first()
-            if pim is None:
-                pim = ProcessInstanceMetadataModel(
+            if data_for_key is not None:
+                pim = ProcessInstanceMetadataModel.query.filter_by(
                     process_instance_id=self.process_instance_model.id,
                     key=key,
-                )
-            pim.value = data_for_key
-            db.session.add(pim)
-            db.session.commit()
+                ).first()
+                if pim is None:
+                    pim = ProcessInstanceMetadataModel(
+                        process_instance_id=self.process_instance_model.id,
+                        key=key,
+                    )
+                pim.value = data_for_key
+                db.session.add(pim)
+                db.session.commit()
 
     def save(self) -> None:
         """Saves the current state of this processor to the database."""

From cee726e8b0f2e14f201d2fb05b815f0e10ddcc59 Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Thu, 8 Dec 2022 13:47:30 -0500
Subject: [PATCH 37/38] pyl passes

---
 flask-bpmn/src/flask_bpmn/models/db.py        |   4 +-
 .../bin/import_tickets_for_command_line.py    |   1 +
 .../bin/spiffworkflow-realm.json              |   2 +-
 spiffworkflow-backend/conftest.py             |   4 +-
 .../src/spiffworkflow_backend/__init__.py     |   6 +-
 .../config/terraform_deployed_environment.py  |  11 +-
 .../helpers/db_helper.py                      |   2 +-
 .../models/active_task.py                     |   4 +-
 .../models/active_task_user.py                |   2 +-
 .../src/spiffworkflow_backend/models/group.py |   4 +-
 .../models/message_correlation.py             |   4 +-
 .../message_correlation_message_instance.py   |   2 +-
 .../models/message_correlation_property.py    |   1 -
 .../models/message_instance.py                |   4 +-
 .../message_triggerable_process_model.py      |   1 -
 .../models/permission_assignment.py           |   4 +-
 .../models/permission_target.py               |   4 +-
 .../spiffworkflow_backend/models/principal.py |   2 +-
 .../models/process_instance.py                |   4 +-
 .../models/process_instance_metadata.py       |   2 +-
 .../models/process_instance_report.py         |   4 +-
 .../models/refresh_token.py                   |   2 +-
 .../models/secret_model.py                    |   2 +-
 .../models/spec_reference.py                  |   2 +-
 .../models/spiff_logging.py                   |   3 +-
 .../models/spiff_step_details.py              |   4 +-
 .../src/spiffworkflow_backend/models/user.py  |   6 +-
 .../models/user_group_assignment.py           |   1 -
 .../routes/process_api_blueprint.py           |   5 +-
 .../src/spiffworkflow_backend/routes/user.py  |   2 +-
 .../routes/user_blueprint.py                  |   4 +-
 .../scripts/get_localtime.py                  |   2 +-
 .../scripts/save_process_instance_metadata.py |   1 -
 .../spiffworkflow_backend/scripts/script.py   |   3 +-
 .../services/acceptance_test_fixtures.py      |   2 +-
 .../services/authentication_service.py        |   4 +-
 .../services/authorization_service.py         |   4 +-
 .../services/data_setup_service.py            |   3 +-
 .../services/error_handling_service.py        |   5 +-
 .../services/file_system_service.py           |   2 +-
 .../services/group_service.py                 |   3 +-
 .../services/logging_service.py               |   2 +-
 .../services/message_service.py               |   2 +-
 .../services/process_instance_processor.py    | 122 +++++++++---------
 .../services/process_instance_service.py      |   4 +-
 .../services/process_model_service.py         |   3 +-
 .../services/secret_service.py                |   3 +-
 .../services/spec_file_service.py             |   2 +-
 .../services/user_service.py                  |   4 +-
 .../helpers/base_test.py                      |   4 +-
 .../integration/test_process_api.py           |   2 +-
 .../integration/test_secret_service.py        |   2 +-
 .../scripts/test_get_group_members.py         |   3 +-
 .../unit/test_message_instance.py             |   3 +-
 .../unit/test_permission_target.py            |   3 +-
 .../unit/test_permissions.py                  |   3 +-
 .../unit/test_process_model.py                |   3 +-
 .../unit/test_restricted_script_engine.py     |   3 +-
 .../unit/test_spec_file_service.py            |   2 +-
 .../unit/test_spiff_logging.py                |   2 +-
 60 files changed, 152 insertions(+), 152 deletions(-)

diff --git a/flask-bpmn/src/flask_bpmn/models/db.py b/flask-bpmn/src/flask_bpmn/models/db.py
index a288e6fda..643e1a85d 100644
--- a/flask-bpmn/src/flask_bpmn/models/db.py
+++ b/flask-bpmn/src/flask_bpmn/models/db.py
@@ -8,8 +8,8 @@ from typing import Any
 from flask_migrate import Migrate  # type: ignore
 from flask_sqlalchemy import SQLAlchemy  # type: ignore
 from sqlalchemy import event  # type: ignore
-from sqlalchemy.engine.base import Connection
-from sqlalchemy.orm.mapper import Mapper
+from sqlalchemy.engine.base import Connection  # type: ignore
+from sqlalchemy.orm.mapper import Mapper  # type: ignore
 
 db = SQLAlchemy()
 migrate = Migrate()
diff --git a/spiffworkflow-backend/bin/import_tickets_for_command_line.py b/spiffworkflow-backend/bin/import_tickets_for_command_line.py
index a993a3d30..e193b5990 100644
--- a/spiffworkflow-backend/bin/import_tickets_for_command_line.py
+++ b/spiffworkflow-backend/bin/import_tickets_for_command_line.py
@@ -1,5 +1,6 @@
 """Grabs tickets from csv and makes process instances."""
 import csv
+
 from flask_bpmn.models.db import db
 
 from spiffworkflow_backend import get_hacked_up_app_for_script
diff --git a/spiffworkflow-backend/bin/spiffworkflow-realm.json b/spiffworkflow-backend/bin/spiffworkflow-realm.json
index 8abb6cbc3..a30f53c14 100644
--- a/spiffworkflow-backend/bin/spiffworkflow-realm.json
+++ b/spiffworkflow-backend/bin/spiffworkflow-realm.json
@@ -2868,4 +2868,4 @@
   "clientPolicies" : {
     "policies" : [ ]
   }
-}
\ No newline at end of file
+}
diff --git a/spiffworkflow-backend/conftest.py b/spiffworkflow-backend/conftest.py
index 2ded9053b..c3af94332 100644
--- a/spiffworkflow-backend/conftest.py
+++ b/spiffworkflow-backend/conftest.py
@@ -1,12 +1,12 @@
 """Conftest."""
 import os
 import shutil
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 
 import pytest
 from flask.app import Flask
 from flask.testing import FlaskClient
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 
 from spiffworkflow_backend.models.active_task_user import ActiveTaskUserModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
index e894f2f98..9599116a2 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
@@ -1,8 +1,5 @@
 """__init__."""
 import os
-from flask_bpmn.api.api_error import api_error_blueprint
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import migrate
 from typing import Any
 
 import connexion  # type: ignore
@@ -12,6 +9,9 @@ import sqlalchemy
 from apscheduler.schedulers.background import BackgroundScheduler  # type: ignore
 from apscheduler.schedulers.base import BaseScheduler  # type: ignore
 from flask.json.provider import DefaultJSONProvider
+from flask_bpmn.api.api_error import api_error_blueprint
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import migrate
 from flask_cors import CORS  # type: ignore
 from flask_mail import Mail  # type: ignore
 from werkzeug.exceptions import NotFound
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.py
index 7b6769ccf..458e541cb 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.py
@@ -8,7 +8,8 @@ GIT_COMMIT_ON_SAVE = True
 GIT_COMMIT_USERNAME = environment_identifier_for_this_config_file_only
 GIT_COMMIT_EMAIL = f"{environment_identifier_for_this_config_file_only}@example.com"
 SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME = environ.get(
-    "SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME", default="terraform_deployed_environment.yml"
+    "SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME",
+    default="terraform_deployed_environment.yml",
 )
 
 RUN_BACKGROUND_SCHEDULER = (
@@ -16,6 +17,10 @@ RUN_BACKGROUND_SCHEDULER = (
 )
 
 OPEN_ID_SERVER_URL = f"https://keycloak.{environment_identifier_for_this_config_file_only}.spiffworkflow.org/realms/spiffworkflow"
-SPIFFWORKFLOW_FRONTEND_URL = f"https://{environment_identifier_for_this_config_file_only}.spiffworkflow.org"
-SPIFFWORKFLOW_BACKEND_URL = f"https://api.{environment_identifier_for_this_config_file_only}.spiffworkflow.org"
+SPIFFWORKFLOW_FRONTEND_URL = (
+    f"https://{environment_identifier_for_this_config_file_only}.spiffworkflow.org"
+)
+SPIFFWORKFLOW_BACKEND_URL = (
+    f"https://api.{environment_identifier_for_this_config_file_only}.spiffworkflow.org"
+)
 CONNECTOR_PROXY_URL = f"https://connector-proxy.{environment_identifier_for_this_config_file_only}.spiffworkflow.org"
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/helpers/db_helper.py b/spiffworkflow-backend/src/spiffworkflow_backend/helpers/db_helper.py
index 2ceea1f44..45cd38f7a 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/helpers/db_helper.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/helpers/db_helper.py
@@ -1,8 +1,8 @@
 """Db_helper."""
 import time
-from flask_bpmn.models.db import db
 
 import sqlalchemy
+from flask_bpmn.models.db import db
 
 
 def try_to_connect(start_time: float) -> None:
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task.py
index cf08394f4..ea9e10552 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task.py
@@ -2,10 +2,10 @@
 from __future__ import annotations
 
 from dataclasses import dataclass
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from typing import TYPE_CHECKING
 
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import relationship
 from sqlalchemy.orm import RelationshipProperty
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task_user.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task_user.py
index a14c08ce4..f194c38e4 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task_user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/active_task_user.py
@@ -2,9 +2,9 @@
 from __future__ import annotations
 
 from dataclasses import dataclass
+
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
-
 from sqlalchemy import ForeignKey
 
 from spiffworkflow_backend.models.active_task import ActiveTaskModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/group.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/group.py
index b6db3cf34..3b7edd6ce 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/group.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/group.py
@@ -1,10 +1,10 @@
 """Group."""
 from __future__ import annotations
 
-from flask_bpmn.models.db import db
-from flask_bpmn.models.group import FlaskBpmnGroupModel
 from typing import TYPE_CHECKING
 
+from flask_bpmn.models.db import db
+from flask_bpmn.models.group import FlaskBpmnGroupModel
 from sqlalchemy.orm import relationship
 
 if TYPE_CHECKING:
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation.py
index 65937a4fc..08bc1cb12 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation.py
@@ -1,9 +1,9 @@
 """Message_correlation."""
 from dataclasses import dataclass
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from typing import TYPE_CHECKING
 
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import relationship
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_message_instance.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_message_instance.py
index dbbddb44f..320dfba3e 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_message_instance.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_message_instance.py
@@ -1,8 +1,8 @@
 """Message_correlation_message_instance."""
 from dataclasses import dataclass
+
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
-
 from sqlalchemy import ForeignKey
 
 from spiffworkflow_backend.models.message_correlation import MessageCorrelationModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_property.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_property.py
index c0c06925f..b84b7140c 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_property.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_correlation_property.py
@@ -1,7 +1,6 @@
 """Message_correlation_property."""
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
-
 from sqlalchemy import ForeignKey
 
 from spiffworkflow_backend.models.message_model import MessageModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_instance.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_instance.py
index 745d2c2d6..2559a6352 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_instance.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_instance.py
@@ -1,12 +1,12 @@
 """Message_instance."""
 import enum
 from dataclasses import dataclass
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from typing import Any
 from typing import Optional
 from typing import TYPE_CHECKING
 
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from sqlalchemy import ForeignKey
 from sqlalchemy.event import listens_for
 from sqlalchemy.orm import relationship
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_triggerable_process_model.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_triggerable_process_model.py
index 29b742f7d..cc8834654 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/message_triggerable_process_model.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/message_triggerable_process_model.py
@@ -1,7 +1,6 @@
 """Message_correlation_property."""
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
-
 from sqlalchemy import ForeignKey
 
 from spiffworkflow_backend.models.message_model import MessageModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_assignment.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_assignment.py
index 8aa2b5ade..63295f74e 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_assignment.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_assignment.py
@@ -1,9 +1,9 @@
 """PermissionAssignment."""
 import enum
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from typing import Any
 
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import validates
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_target.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_target.py
index 3b4a10553..53334baf0 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_target.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_target.py
@@ -1,10 +1,10 @@
 """PermissionTarget."""
 import re
 from dataclasses import dataclass
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from typing import Optional
 
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from sqlalchemy.orm import validates
 
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/principal.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/principal.py
index 1c267052d..c7efa8609 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/principal.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/principal.py
@@ -1,8 +1,8 @@
 """Principal."""
 from dataclasses import dataclass
+
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
-
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import relationship
 from sqlalchemy.schema import CheckConstraint
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance.py
index c2b003104..e6a5f6849 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance.py
@@ -1,12 +1,12 @@
 """Process_instance."""
 from __future__ import annotations
 
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from typing import Any
 from typing import cast
 
 import marshmallow
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from marshmallow import INCLUDE
 from marshmallow import Schema
 from marshmallow_enum import EnumField  # type: ignore
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_metadata.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_metadata.py
index e34a56491..c9003594b 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_metadata.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_metadata.py
@@ -1,8 +1,8 @@
 """Spiff_step_details."""
 from dataclasses import dataclass
+
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
-
 from sqlalchemy import ForeignKey
 
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_report.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_report.py
index c6da687e0..1f22a3830 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_report.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance_report.py
@@ -2,13 +2,13 @@
 from __future__ import annotations
 
 from dataclasses import dataclass
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from typing import Any
 from typing import cast
 from typing import Optional
 from typing import TypedDict
 
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import deferred
 from sqlalchemy.orm import relationship
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/refresh_token.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/refresh_token.py
index c5684f25a..2e96b7f05 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/refresh_token.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/refresh_token.py
@@ -1,8 +1,8 @@
 """Refresh_token."""
 from dataclasses import dataclass
+
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
-
 from sqlalchemy import ForeignKey
 
 # from sqlalchemy.orm import relationship
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/secret_model.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/secret_model.py
index 1bb634cec..92fd470a3 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/secret_model.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/secret_model.py
@@ -1,8 +1,8 @@
 """Secret_model."""
 from dataclasses import dataclass
+
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
-
 from marshmallow import Schema
 from sqlalchemy import ForeignKey
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/spec_reference.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/spec_reference.py
index ce083a483..1e85f7229 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/spec_reference.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/spec_reference.py
@@ -1,8 +1,8 @@
 """Message_model."""
 from dataclasses import dataclass
+
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
-
 from flask_marshmallow import Schema  # type: ignore
 from marshmallow import INCLUDE
 from sqlalchemy import UniqueConstraint
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_logging.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_logging.py
index e27daeb64..b0b908877 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_logging.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_logging.py
@@ -1,8 +1,9 @@
 """Spiff_logging."""
 from dataclasses import dataclass
+from typing import Optional
+
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
-from typing import Optional
 
 
 @dataclass
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_step_details.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_step_details.py
index 62dcd5957..91d70116a 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_step_details.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_step_details.py
@@ -1,9 +1,9 @@
 """Spiff_step_details."""
 from dataclasses import dataclass
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from typing import Optional
 
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import deferred
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
index cdd2379b7..b8c83d0f7 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
@@ -1,14 +1,14 @@
 """User."""
 from __future__ import annotations
 
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
-from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from typing import Any
 
 import jwt
 import marshmallow
 from flask import current_app
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from marshmallow import Schema
 from sqlalchemy.orm import relationship
 from sqlalchemy.orm import validates
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/user_group_assignment.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/user_group_assignment.py
index 548a280b9..fa5b620c8 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/user_group_assignment.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/user_group_assignment.py
@@ -1,7 +1,6 @@
 """UserGroupAssignment."""
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
-
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import relationship
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_api_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_api_blueprint.py
index a241661ab..ef194b81a 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_api_blueprint.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_api_blueprint.py
@@ -4,8 +4,6 @@ import random
 import re
 import string
 import uuid
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from typing import Any
 from typing import Dict
 from typing import Optional
@@ -24,6 +22,8 @@ from flask import make_response
 from flask import redirect
 from flask import request
 from flask.wrappers import Response
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from lxml import etree  # type: ignore
 from lxml.builder import ElementMaker  # type: ignore
 from SpiffWorkflow.task import Task as SpiffTask  # type: ignore
@@ -33,7 +33,6 @@ from sqlalchemy import asc
 from sqlalchemy import desc
 from sqlalchemy import func
 from sqlalchemy.orm import aliased
-from sqlalchemy.orm import joinedload
 from sqlalchemy.orm import selectinload
 
 from spiffworkflow_backend.exceptions.process_entity_not_found_error import (
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
index f18dff3b3..2bbbc1374 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
@@ -2,7 +2,6 @@
 import ast
 import base64
 import json
-from flask_bpmn.api.api_error import ApiError
 from typing import Any
 from typing import Dict
 from typing import Optional
@@ -13,6 +12,7 @@ from flask import current_app
 from flask import g
 from flask import redirect
 from flask import request
+from flask_bpmn.api.api_error import ApiError
 from werkzeug.wrappers import Response
 
 from spiffworkflow_backend.models.user import UserModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user_blueprint.py
index d1dea8c8e..29bbddcd1 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user_blueprint.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user_blueprint.py
@@ -1,7 +1,5 @@
 """Main."""
 import json
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from typing import Any
 from typing import Final
 
@@ -9,6 +7,8 @@ import flask.wrappers
 from flask import Blueprint
 from flask import request
 from flask import Response
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from sqlalchemy.exc import IntegrityError
 
 from spiffworkflow_backend.models.group import GroupModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_localtime.py b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_localtime.py
index c6680c9dd..689b86d8c 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_localtime.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_localtime.py
@@ -1,9 +1,9 @@
 """Get_localtime."""
 from datetime import datetime
-from flask_bpmn.api.api_error import ApiError
 from typing import Any
 
 import pytz
+from flask_bpmn.api.api_error import ApiError
 
 from spiffworkflow_backend.models.script_attributes_context import (
     ScriptAttributesContext,
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/save_process_instance_metadata.py b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/save_process_instance_metadata.py
index 2f3f5eac7..d9c1959aa 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/save_process_instance_metadata.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/save_process_instance_metadata.py
@@ -2,7 +2,6 @@
 from typing import Any
 
 from flask_bpmn.models.db import db
-from typing import Any
 
 from spiffworkflow_backend.models.process_instance_metadata import (
     ProcessInstanceMetadataModel,
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/script.py b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/script.py
index 00f8de792..b744694a2 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/script.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/script.py
@@ -5,10 +5,11 @@ import importlib
 import os
 import pkgutil
 from abc import abstractmethod
-from flask_bpmn.api.api_error import ApiError
 from typing import Any
 from typing import Callable
 
+from flask_bpmn.api.api_error import ApiError
+
 from spiffworkflow_backend.models.script_attributes_context import (
     ScriptAttributesContext,
 )
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/acceptance_test_fixtures.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/acceptance_test_fixtures.py
index 81cb2b3fa..81488910e 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/acceptance_test_fixtures.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/acceptance_test_fixtures.py
@@ -1,8 +1,8 @@
 """Acceptance_test_fixtures."""
 import time
-from flask_bpmn.models.db import db
 
 from flask import current_app
+from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index 4981c3156..f4bd357b1 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -3,14 +3,14 @@ import base64
 import enum
 import json
 import time
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from typing import Optional
 
 import jwt
 import requests
 from flask import current_app
 from flask import redirect
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from werkzeug.wrappers import Response
 
 from spiffworkflow_backend.models.refresh_token import RefreshTokenModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
index 5b0d0573b..bde408308 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
@@ -1,8 +1,6 @@
 """Authorization_service."""
 import inspect
 import re
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from typing import Optional
 from typing import Union
 
@@ -12,6 +10,8 @@ from flask import current_app
 from flask import g
 from flask import request
 from flask import scaffold
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from SpiffWorkflow.task import Task as SpiffTask  # type: ignore
 from sqlalchemy import or_
 from sqlalchemy import text
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/data_setup_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/data_setup_service.py
index b0179079e..c9c0647ed 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/data_setup_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/data_setup_service.py
@@ -1,7 +1,6 @@
 """Data_setup_service."""
-from flask_bpmn.models.db import db
-
 from flask import current_app
+from flask_bpmn.models.db import db
 
 from spiffworkflow_backend.services.process_model_service import ProcessModelService
 from spiffworkflow_backend.services.spec_file_service import SpecFileService
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/error_handling_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/error_handling_service.py
index a5be1b8e3..1e8b38f2d 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/error_handling_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/error_handling_service.py
@@ -1,10 +1,11 @@
 """Error_handling_service."""
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from typing import Any
 from typing import List
 from typing import Union
 
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
+
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
 from spiffworkflow_backend.models.process_instance import ProcessInstanceStatus
 from spiffworkflow_backend.services.email_service import EmailService
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/file_system_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/file_system_service.py
index 29f118b63..5812748c7 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/file_system_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/file_system_service.py
@@ -1,12 +1,12 @@
 """File_system_service."""
 import os
 from datetime import datetime
-from flask_bpmn.api.api_error import ApiError
 from typing import List
 from typing import Optional
 
 import pytz
 from flask import current_app
+from flask_bpmn.api.api_error import ApiError
 
 from spiffworkflow_backend.models.file import CONTENT_TYPES
 from spiffworkflow_backend.models.file import File
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/group_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/group_service.py
index edc0e69a4..aa560009e 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/group_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/group_service.py
@@ -1,7 +1,8 @@
 """Group_service."""
-from flask_bpmn.models.db import db
 from typing import Optional
 
+from flask_bpmn.models.db import db
+
 from spiffworkflow_backend.models.group import GroupModel
 from spiffworkflow_backend.services.user_service import UserService
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/logging_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/logging_service.py
index fe56e104f..dd34cb3fd 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/logging_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/logging_service.py
@@ -2,12 +2,12 @@
 import json
 import logging
 import re
-from flask_bpmn.models.db import db
 from typing import Any
 from typing import Optional
 
 from flask import g
 from flask.app import Flask
+from flask_bpmn.models.db import db
 
 from spiffworkflow_backend.models.spiff_logging import SpiffLoggingModel
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/message_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/message_service.py
index 8e8f7a728..cfb42c836 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/message_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/message_service.py
@@ -1,8 +1,8 @@
 """Message_service."""
-from flask_bpmn.models.db import db
 from typing import Any
 from typing import Optional
 
+from flask_bpmn.models.db import db
 from sqlalchemy import and_
 from sqlalchemy import or_
 from sqlalchemy import select
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
index e833d8af1..ffe69fd72 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
@@ -8,8 +8,6 @@ import re
 import time
 from datetime import datetime
 from datetime import timedelta
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from typing import Any
 from typing import Callable
 from typing import Dict
@@ -23,6 +21,8 @@ from typing import Union
 import dateparser
 import pytz
 from flask import current_app
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from lxml import etree  # type: ignore
 from RestrictedPython import safe_globals  # type: ignore
 from SpiffWorkflow.bpmn.exceptions import WorkflowTaskExecException  # type: ignore
@@ -192,11 +192,11 @@ class CustomBpmnScriptEngine(PythonScriptEngine):  # type: ignore
         return self._evaluate(expression, task.data, task, external_methods)
 
     def _evaluate(
-            self,
-            expression: str,
-            context: Dict[str, Union[Box, str]],
-            task: Optional[SpiffTask] = None,
-            external_methods: Optional[Dict[str, Any]] = None,
+        self,
+        expression: str,
+        context: Dict[str, Union[Box, str]],
+        task: Optional[SpiffTask] = None,
+        external_methods: Optional[Dict[str, Any]] = None,
     ) -> Any:
         """_evaluate."""
         methods = self.__get_augment_methods(task)
@@ -220,7 +220,7 @@ class CustomBpmnScriptEngine(PythonScriptEngine):  # type: ignore
                 ) from exception
 
     def execute(
-            self, task: SpiffTask, script: str, external_methods: Any = None
+        self, task: SpiffTask, script: str, external_methods: Any = None
     ) -> None:
         """Execute."""
         try:
@@ -234,10 +234,10 @@ class CustomBpmnScriptEngine(PythonScriptEngine):  # type: ignore
             raise WorkflowTaskExecException(task, f" {script}, {e}", e) from e
 
     def call_service(
-            self,
-            operation_name: str,
-            operation_params: Dict[str, Any],
-            task_data: Dict[str, Any],
+        self,
+        operation_name: str,
+        operation_params: Dict[str, Any],
+        task_data: Dict[str, Any],
     ) -> Any:
         """CallService."""
         return ServiceTaskDelegate.call_connector(
@@ -284,7 +284,7 @@ class ProcessInstanceProcessor:
     #   * get_spec, which returns a spec and any subprocesses (as IdToBpmnProcessSpecMapping dict)
     #   * __get_bpmn_process_instance, which takes spec and subprocesses and instantiates and returns a BpmnWorkflow
     def __init__(
-            self, process_instance_model: ProcessInstanceModel, validate_only: bool = False
+        self, process_instance_model: ProcessInstanceModel, validate_only: bool = False
     ) -> None:
         """Create a Workflow Processor based on the serialized information available in the process_instance model."""
         tld = current_app.config["THREAD_LOCAL_DATA"]
@@ -311,7 +311,7 @@ class ProcessInstanceProcessor:
             )
         else:
             bpmn_json_length = len(process_instance_model.bpmn_json.encode("utf-8"))
-            megabyte = float(1024 ** 2)
+            megabyte = float(1024**2)
             json_size = bpmn_json_length / megabyte
             if json_size > 1:
                 wf_json = json.loads(process_instance_model.bpmn_json)
@@ -325,22 +325,22 @@ class ProcessInstanceProcessor:
                         len(json.dumps(test_spec).encode("utf-8")) / megabyte
                     )
                     message = (
-                            "Workflow "
-                            + process_instance_model.process_model_identifier
-                            + f" JSON Size is over 1MB:{json_size:.2f} MB"
+                        "Workflow "
+                        + process_instance_model.process_model_identifier
+                        + f" JSON Size is over 1MB:{json_size:.2f} MB"
                     )
                     message += f"\n  Task Size: {task_size}"
                     message += f"\n  Spec Size: {spec_size}"
                     current_app.logger.warning(message)
 
                     def check_sub_specs(
-                            test_spec: dict, indent: int = 0, show_all: bool = False
+                        test_spec: dict, indent: int = 0, show_all: bool = False
                     ) -> None:
                         """Check_sub_specs."""
                         for my_spec_name in test_spec["task_specs"]:
                             my_spec = test_spec["task_specs"][my_spec_name]
                             my_spec_size = (
-                                    len(json.dumps(my_spec).encode("utf-8")) / megabyte
+                                len(json.dumps(my_spec).encode("utf-8")) / megabyte
                             )
                             if my_spec_size > 0.1 or show_all:
                                 current_app.logger.warning(
@@ -376,13 +376,13 @@ class ProcessInstanceProcessor:
             raise ApiError(
                 error_code="unexpected_process_instance_structure",
                 message="Failed to deserialize process_instance"
-                        " '%s'  due to a mis-placed or missing task '%s'"
-                        % (self.process_model_identifier, str(ke)),
+                " '%s'  due to a mis-placed or missing task '%s'"
+                % (self.process_model_identifier, str(ke)),
             ) from ke
 
     @classmethod
     def get_process_model_and_subprocesses(
-            cls, process_model_identifier: str
+        cls, process_model_identifier: str
     ) -> Tuple[BpmnProcessSpec, IdToBpmnProcessSpecMapping]:
         """Get_process_model_and_subprocesses."""
         process_model_info = ProcessModelService.get_process_model(
@@ -400,7 +400,7 @@ class ProcessInstanceProcessor:
 
     @classmethod
     def get_bpmn_process_instance_from_process_model(
-            cls, process_model_identifier: str
+        cls, process_model_identifier: str
     ) -> BpmnWorkflow:
         """Get_all_bpmn_process_identifiers_for_process_model."""
         (bpmn_process_spec, subprocesses) = cls.get_process_model_and_subprocesses(
@@ -425,7 +425,7 @@ class ProcessInstanceProcessor:
         return current_user
 
     def add_user_info_to_process_instance(
-            self, bpmn_process_instance: BpmnWorkflow
+        self, bpmn_process_instance: BpmnWorkflow
     ) -> None:
         """Add_user_info_to_process_instance."""
         current_user = self.current_user()
@@ -438,8 +438,8 @@ class ProcessInstanceProcessor:
 
     @staticmethod
     def get_bpmn_process_instance_from_workflow_spec(
-            spec: BpmnProcessSpec,
-            subprocesses: Optional[IdToBpmnProcessSpecMapping] = None,
+        spec: BpmnProcessSpec,
+        subprocesses: Optional[IdToBpmnProcessSpecMapping] = None,
     ) -> BpmnWorkflow:
         """Get_bpmn_process_instance_from_workflow_spec."""
         return BpmnWorkflow(
@@ -450,10 +450,10 @@ class ProcessInstanceProcessor:
 
     @staticmethod
     def __get_bpmn_process_instance(
-            process_instance_model: ProcessInstanceModel,
-            spec: Optional[BpmnProcessSpec] = None,
-            validate_only: bool = False,
-            subprocesses: Optional[IdToBpmnProcessSpecMapping] = None,
+        process_instance_model: ProcessInstanceModel,
+        spec: Optional[BpmnProcessSpec] = None,
+        validate_only: bool = False,
+        subprocesses: Optional[IdToBpmnProcessSpecMapping] = None,
     ) -> BpmnWorkflow:
         """__get_bpmn_process_instance."""
         if process_instance_model.bpmn_json:
@@ -496,14 +496,14 @@ class ProcessInstanceProcessor:
         self.save()
 
     def raise_if_no_potential_owners(
-            self, potential_owner_ids: list[int], message: str
+        self, potential_owner_ids: list[int], message: str
     ) -> None:
         """Raise_if_no_potential_owners."""
         if not potential_owner_ids:
             raise (NoPotentialOwnersForTaskError(message))
 
     def get_potential_owner_ids_from_task(
-            self, task: SpiffTask
+        self, task: SpiffTask
     ) -> PotentialOwnerIdList:
         """Get_potential_owner_ids_from_task."""
         task_spec = task.task_spec
@@ -598,7 +598,7 @@ class ProcessInstanceProcessor:
                 if path_segment in data_for_key:
                     data_for_key = data_for_key[path_segment]
                 else:
-                    data_for_key = None
+                    data_for_key = None  # type: ignore
                     break
 
             if data_for_key is not None:
@@ -712,7 +712,7 @@ class ProcessInstanceProcessor:
 
     @staticmethod
     def backfill_missing_spec_reference_records(
-            bpmn_process_identifier: str,
+        bpmn_process_identifier: str,
     ) -> Optional[str]:
         """Backfill_missing_spec_reference_records."""
         process_models = ProcessModelService.get_process_models(recursive=True)
@@ -733,7 +733,7 @@ class ProcessInstanceProcessor:
 
     @staticmethod
     def bpmn_file_full_path_from_bpmn_process_identifier(
-            bpmn_process_identifier: str,
+        bpmn_process_identifier: str,
     ) -> str:
         """Bpmn_file_full_path_from_bpmn_process_identifier."""
         if bpmn_process_identifier is None:
@@ -743,8 +743,8 @@ class ProcessInstanceProcessor:
 
         spec_reference = (
             SpecReferenceCache.query.filter_by(identifier=bpmn_process_identifier)
-                .filter_by(type="process")
-                .first()
+            .filter_by(type="process")
+            .first()
         )
         bpmn_file_full_path = None
         if spec_reference is None:
@@ -763,15 +763,15 @@ class ProcessInstanceProcessor:
                 ApiError(
                     error_code="could_not_find_bpmn_process_identifier",
                     message="Could not find the the given bpmn process identifier from any sources: %s"
-                            % bpmn_process_identifier,
+                    % bpmn_process_identifier,
                 )
             )
         return os.path.abspath(bpmn_file_full_path)
 
     @staticmethod
     def update_spiff_parser_with_all_process_dependency_files(
-            parser: BpmnDmnParser,
-            processed_identifiers: Optional[set[str]] = None,
+        parser: BpmnDmnParser,
+        processed_identifiers: Optional[set[str]] = None,
     ) -> None:
         """Update_spiff_parser_with_all_process_dependency_files."""
         if processed_identifiers is None:
@@ -809,7 +809,7 @@ class ProcessInstanceProcessor:
 
     @staticmethod
     def get_spec(
-            files: List[File], process_model_info: ProcessModelInfo
+        files: List[File], process_model_info: ProcessModelInfo
     ) -> Tuple[BpmnProcessSpec, IdToBpmnProcessSpecMapping]:
         """Returns a SpiffWorkflow specification for the given process_instance spec, using the files provided."""
         parser = ProcessInstanceProcessor.get_parser()
@@ -823,14 +823,14 @@ class ProcessInstanceProcessor:
                 dmn: etree.Element = etree.fromstring(data)
                 parser.add_dmn_xml(dmn, filename=file.name)
         if (
-                process_model_info.primary_process_id is None
-                or process_model_info.primary_process_id == ""
+            process_model_info.primary_process_id is None
+            or process_model_info.primary_process_id == ""
         ):
             raise (
                 ApiError(
                     error_code="no_primary_bpmn_error",
                     message="There is no primary BPMN process id defined for process_model %s"
-                            % process_model_info.id,
+                    % process_model_info.id,
                 )
             )
         ProcessInstanceProcessor.update_spiff_parser_with_all_process_dependency_files(
@@ -848,7 +848,7 @@ class ProcessInstanceProcessor:
             raise ApiError(
                 error_code="process_instance_validation_error",
                 message="Failed to parse the Workflow Specification. "
-                        + "Error is '%s.'" % str(ve),
+                + "Error is '%s.'" % str(ve),
                 file_name=ve.filename,
                 task_id=ve.id,
                 tag=ve.tag,
@@ -895,12 +895,12 @@ class ProcessInstanceProcessor:
 
             message_correlations = []
             for (
-                    message_correlation_key,
-                    message_correlation_properties,
+                message_correlation_key,
+                message_correlation_properties,
             ) in bpmn_message.correlations.items():
                 for (
-                        message_correlation_property_identifier,
-                        message_correlation_property_value,
+                    message_correlation_property_identifier,
+                    message_correlation_property_value,
                 ) in message_correlation_properties.items():
                     message_correlation_property = (
                         MessageCorrelationPropertyModel.query.filter_by(
@@ -992,7 +992,7 @@ class ProcessInstanceProcessor:
             db.session.add(message_instance)
 
             for (
-                    spiff_correlation_property
+                spiff_correlation_property
             ) in waiting_task.task_spec.event_definition.correlation_properties:
                 # NOTE: we may have to cycle through keys here
                 # not sure yet if it's valid for a property to be associated with multiple keys
@@ -1002,9 +1002,9 @@ class ProcessInstanceProcessor:
                         process_instance_id=self.process_instance_model.id,
                         name=correlation_key_name,
                     )
-                        .join(MessageCorrelationPropertyModel)
-                        .filter_by(identifier=spiff_correlation_property.name)
-                        .first()
+                    .join(MessageCorrelationPropertyModel)
+                    .filter_by(identifier=spiff_correlation_property.name)
+                    .first()
                 )
                 message_correlation_message_instance = (
                     MessageCorrelationMessageInstanceModel(
@@ -1108,12 +1108,12 @@ class ProcessInstanceProcessor:
         endtasks = []
         if self.bpmn_process_instance.is_completed():
             for task in SpiffTask.Iterator(
-                    self.bpmn_process_instance.task_tree, TaskState.ANY_MASK
+                self.bpmn_process_instance.task_tree, TaskState.ANY_MASK
             ):
                 # Assure that we find the end event for this process_instance, and not for any sub-process_instances.
                 if (
-                        isinstance(task.task_spec, EndEvent)
-                        and task.workflow == self.bpmn_process_instance
+                    isinstance(task.task_spec, EndEvent)
+                    and task.workflow == self.bpmn_process_instance
                 ):
                     endtasks.append(task)
             if len(endtasks) > 0:
@@ -1149,8 +1149,8 @@ class ProcessInstanceProcessor:
                     return task
             for task in ready_tasks:
                 if (
-                        self.bpmn_process_instance.last_task
-                        and task.parent == last_user_task.parent
+                    self.bpmn_process_instance.last_task
+                    and task.parent == last_user_task.parent
                 ):
                     return task
 
@@ -1160,7 +1160,7 @@ class ProcessInstanceProcessor:
         # and return that
         next_task = None
         for task in SpiffTask.Iterator(
-                self.bpmn_process_instance.task_tree, TaskState.NOT_FINISHED_MASK
+            self.bpmn_process_instance.task_tree, TaskState.NOT_FINISHED_MASK
         ):
             next_task = task
         return next_task
@@ -1244,7 +1244,7 @@ class ProcessInstanceProcessor:
             t
             for t in all_tasks
             if not self.bpmn_process_instance._is_engine_task(t.task_spec)
-               and t.state in [TaskState.COMPLETED, TaskState.CANCELLED]
+            and t.state in [TaskState.COMPLETED, TaskState.CANCELLED]
         ]
 
     def get_all_waiting_tasks(self) -> list[SpiffTask]:
@@ -1259,7 +1259,7 @@ class ProcessInstanceProcessor:
 
     @classmethod
     def get_task_by_bpmn_identifier(
-            cls, bpmn_task_identifier: str, bpmn_process_instance: BpmnWorkflow
+        cls, bpmn_task_identifier: str, bpmn_process_instance: BpmnWorkflow
     ) -> Optional[SpiffTask]:
         """Get_task_by_id."""
         all_tasks = bpmn_process_instance.get_tasks(TaskState.ANY_MASK)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_service.py
index 826019a97..46bd252b9 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_service.py
@@ -1,11 +1,11 @@
 """Process_instance_service."""
 import time
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from typing import Any
 from typing import List
 
 from flask import current_app
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from SpiffWorkflow.task import Task as SpiffTask  # type: ignore
 
 from spiffworkflow_backend.models.active_task import ActiveTaskModel
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py
index 9a88cb56a..f009af688 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py
@@ -2,13 +2,14 @@
 import json
 import os
 import shutil
-from flask_bpmn.api.api_error import ApiError
 from glob import glob
 from typing import Any
 from typing import List
 from typing import Optional
 from typing import TypeVar
 
+from flask_bpmn.api.api_error import ApiError
+
 from spiffworkflow_backend.exceptions.process_entity_not_found_error import (
     ProcessEntityNotFoundError,
 )
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/secret_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/secret_service.py
index 2362a1a5d..e4dee4913 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/secret_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/secret_service.py
@@ -1,7 +1,8 @@
 """Secret_service."""
+from typing import Optional
+
 from flask_bpmn.api.api_error import ApiError
 from flask_bpmn.models.db import db
-from typing import Optional
 
 from spiffworkflow_backend.models.secret_model import SecretModel
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/spec_file_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/spec_file_service.py
index 8057a7e14..c69f41c30 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/spec_file_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/spec_file_service.py
@@ -2,10 +2,10 @@
 import os
 import shutil
 from datetime import datetime
-from flask_bpmn.models.db import db
 from typing import List
 from typing import Optional
 
+from flask_bpmn.models.db import db
 from SpiffWorkflow.bpmn.parser.ValidationException import ValidationException  # type: ignore
 
 from spiffworkflow_backend.models.file import File
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/user_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/user_service.py
index 009d0531b..0e8e65c2c 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/user_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/user_service.py
@@ -1,11 +1,11 @@
 """User_service."""
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from typing import Any
 from typing import Optional
 
 from flask import current_app
 from flask import g
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 
 from spiffworkflow_backend.models.active_task import ActiveTaskModel
 from spiffworkflow_backend.models.active_task_user import ActiveTaskUserModel
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/helpers/base_test.py b/spiffworkflow-backend/tests/spiffworkflow_backend/helpers/base_test.py
index f3746e1fc..48982fc60 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/helpers/base_test.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/helpers/base_test.py
@@ -3,14 +3,14 @@ import io
 import json
 import os
 import time
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from typing import Any
 from typing import Dict
 from typing import Optional
 
 from flask import current_app
 from flask.testing import FlaskClient
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
 from werkzeug.test import TestResponse  # type: ignore
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py
index 9a87dea88..9d719a233 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py
@@ -3,12 +3,12 @@ import io
 import json
 import os
 import time
-from flask_bpmn.models.db import db
 from typing import Any
 
 import pytest
 from flask.app import Flask
 from flask.testing import FlaskClient
+from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_secret_service.py b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_secret_service.py
index 9d064173f..c71f67f23 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_secret_service.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_secret_service.py
@@ -1,11 +1,11 @@
 """Test_secret_service."""
 import json
-from flask_bpmn.api.api_error import ApiError
 from typing import Optional
 
 import pytest
 from flask.app import Flask
 from flask.testing import FlaskClient
+from flask_bpmn.api.api_error import ApiError
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from werkzeug.test import TestResponse  # type: ignore
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_group_members.py b/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_group_members.py
index a2e9f5ef8..8a6046b5b 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_group_members.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_group_members.py
@@ -1,8 +1,7 @@
 """Test_get_localtime."""
-from flask_bpmn.models.db import db
-
 from flask.app import Flask
 from flask.testing import FlaskClient
+from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_message_instance.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_message_instance.py
index a28034144..2c091eeb1 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_message_instance.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_message_instance.py
@@ -1,9 +1,8 @@
 """Test_message_instance."""
-from flask_bpmn.models.db import db
-
 import pytest
 from flask import Flask
 from flask.testing import FlaskClient
+from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 
 from spiffworkflow_backend.models.message_instance import MessageInstanceModel
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permission_target.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permission_target.py
index f0f693f09..567681428 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permission_target.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permission_target.py
@@ -1,8 +1,7 @@
 """Process Model."""
-from flask_bpmn.models.db import db
-
 import pytest
 from flask.app import Flask
+from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 
 from spiffworkflow_backend.models.permission_target import (
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permissions.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permissions.py
index 92f5c5002..b66f32370 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permissions.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permissions.py
@@ -1,8 +1,7 @@
 """Test Permissions."""
-from flask_bpmn.models.db import db
-
 from flask.app import Flask
 from flask.testing import FlaskClient
+from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_process_model.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_process_model.py
index 087eee63f..9eb6901b9 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_process_model.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_process_model.py
@@ -1,8 +1,7 @@
 """Process Model."""
-from flask_bpmn.models.db import db
-
 from flask.app import Flask
 from flask.testing import FlaskClient
+from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_restricted_script_engine.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_restricted_script_engine.py
index ae77a1fc6..d31ea424f 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_restricted_script_engine.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_restricted_script_engine.py
@@ -1,9 +1,8 @@
 """Test_various_bpmn_constructs."""
-from flask_bpmn.api.api_error import ApiError
-
 import pytest
 from flask.app import Flask
 from flask.testing import FlaskClient
+from flask_bpmn.api.api_error import ApiError
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spec_file_service.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spec_file_service.py
index 5d67d2b22..3cc353b52 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spec_file_service.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spec_file_service.py
@@ -1,10 +1,10 @@
 """Test_message_service."""
 import os
-from flask_bpmn.models.db import db
 
 import pytest
 from flask import Flask
 from flask.testing import FlaskClient
+from flask_bpmn.models.db import db
 from SpiffWorkflow.bpmn.parser.ValidationException import ValidationException  # type: ignore
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spiff_logging.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spiff_logging.py
index 15a892c06..d8680b719 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spiff_logging.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spiff_logging.py
@@ -1,8 +1,8 @@
 """Process Model."""
 from decimal import Decimal
-from flask_bpmn.models.db import db
 
 from flask.app import Flask
+from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
 

From 609abe8f16d9d19272c3729ab1ffa05cf29b062a Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Thu, 8 Dec 2022 14:08:32 -0500
Subject: [PATCH 38/38] favor os.path.join over hardcoding slash w/ burnettk

---
 .../services/process_model_service.py          | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py
index f009af688..d4fa5647b 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py
@@ -148,20 +148,18 @@ class ProcessModelService(FileSystemService):
                 error_code="existing_instances",
                 message=f"We cannot delete the model `{process_model_id}`, there are existing instances that depend on it.",
             )
-        self.get_process_model(process_model_id)
-        # path = self.workflow_path(process_model)
-        path = f"{FileSystemService.root_path()}/{process_model_id}"
+        process_model = self.get_process_model(process_model_id)
+        path = self.workflow_path(process_model)
         shutil.rmtree(path)
 
     def process_model_move(
         self, original_process_model_id: str, new_location: str
     ) -> ProcessModelInfo:
         """Process_model_move."""
-        original_model_path = os.path.abspath(
-            os.path.join(FileSystemService.root_path(), original_process_model_id)
-        )
+        process_model = self.get_process_model(original_process_model_id)
+        original_model_path = self.workflow_path(process_model)
         _, model_id = os.path.split(original_model_path)
-        new_relative_path = f"{new_location}/{model_id}"
+        new_relative_path = os.path.join(new_location, model_id)
         new_model_path = os.path.abspath(
             os.path.join(FileSystemService.root_path(), new_relative_path)
         )
@@ -245,7 +243,7 @@ class ProcessModelService(FileSystemService):
             if full_group_id_path is None:
                 full_group_id_path = process_group_id_segment
             else:
-                full_group_id_path = f"{full_group_id_path}/{process_group_id_segment}"  # type: ignore
+                full_group_id_path = os.path.join(full_group_id_path, process_group_id_segment)  # type: ignore
             parent_group = ProcessModelService.get_process_group(full_group_id_path)
             if parent_group:
                 parent_group_array.append(
@@ -307,8 +305,8 @@ class ProcessModelService(FileSystemService):
     ) -> ProcessGroup:
         """Process_group_move."""
         original_group_path = self.process_group_path(original_process_group_id)
-        original_root, original_group_id = os.path.split(original_group_path)
-        new_root = f"{FileSystemService.root_path()}/{new_location}"
+        _, original_group_id = os.path.split(original_group_path)
+        new_root = os.path.join(FileSystemService.root_path(), new_location)
         new_group_path = os.path.abspath(
             os.path.join(FileSystemService.root_path(), new_root, original_group_id)
         )