This resolves logging issues with alembic on aurweb.initdb
in addition to adding more logging utilities for aurweb
and tests in general.
Developers should fetch a logger for their specific module
via `logging.getLogger(__name__)`.
Signed-off-by: Kevin Morris <kevr@0cost.org>
This commit introduces a middleware function which adds
the following security headers to each response:
- Content-Security-Policy
- This includes a new `nonce`, which is tied to a user
via authentication middleware. Both an anonymous user
and an authenticated user recieve their own random nonces.
- X-Content-Type-Options
- Referrer-Policy
- X-Frame-Options
They are then tested for existence in test/test_routes.py.
Note: The overcomplicated-looking asyncio behavior in the
middleware function is used to avoid a warning about the old
coroutine awaits being deprecated. See
https://docs.python.org/3/library/asyncio-task.html#asyncio.wait
for more detail.
Signed-off-by: Kevin Morris <kevr@0cost.org>
This function adds f"SameSite={value}" to each cookie's header
stored in response.
This is needed because starlette does not currently support
the `samesite` argument in Response.set_cookie. It is merged,
however, and waiting for next release.
Signed-off-by: Kevin Morris <kevr@0cost.org>
We'll piggyback off of the current existing configuration item,
`disable_http_login`, to decide how we should submit cookies to
an HTTP response.
Previously, in `sso.py`, the http schema was used to make this
decision. There is an issue with that, however: We cannot actually
test properly if we depend on the https schema.
This change allows us to toggle `disable_http_login` to modify
the behavior of cookies sent with an http response to be secure.
We test this behavior in test/test_auth_routes.py#L81:
`test_secure_login(mock)`.
Signed-off-by: Kevin Morris <kevr@0cost.org>
See docstring for updates.
template= has been modified.
status_code= has been added as an optional template status_code.
Signed-off-by: Kevin Morris <kevr@0cost.org>
The Document.execCommand API is deprecated and no longer recommended to
be used. It's replacement is the much simpler navigator.clipboard API
which is supported in all browsers except internet explorer.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
This will automate a lot of conversion that happens
around the codebase in terms of status_code.
As of this commit, we should improve usage and remove
int(status_code) casts wherever we can.
Signed-off-by: Kevin Morris <kevr@0cost.org>
With the addition of these two, some code has been swapped
to use these in some of the other db wrappers with an additional
autocommit kwarg in create and delete, to control batch
transactions.
Signed-off-by: Kevin Morris <kevr@0cost.org>
Two utility functions for all of our ORM models that will
allow us to easily convert them to Python structures and
JSON data.
Signed-off-by: Kevin Morris <kevr@0cost.org>
SQLite does not support native DECIMAL columns, and for that
reason, we had to switch to using Strings that can hold the data
in the case we are using sqlite.
This commit sets the TUVoteInfo model up in a generic way, that
it always converts to string when setting Quorum (OK for DECIMAL)
and always converts to float when getting Quorum.
This way, we can treat TUVoteInfo.Quorum as the same thing
everywhere.
Signed-off-by: Kevin Morris <kevr@0cost.org>
Django uses a reference graph to determine the order
in table deletions that occur. Do the same here.
This commit also adds in the `REGEXP` sqlite function,
exactly how Django uses it in its reference graphing.
Signed-off-by: Kevin Morris <kevr@0cost.org>
This rewrites the entire model base as declarative models.
This allows us to more easily customize overlay fields
in tables and is more common.
This effort also brought some DB violations to light which
this commit addresses.
Signed-off-by: Kevin Morris <kevr@0cost.org>
As per our regex and policies, usernames should consist of
ascii alphanumeric characters and possibly (-, _ or .).
gendummydata.py was creating unicode versions of some
usernames and adding them into the DB. With our newfound
collations, this becomes a problem as it treats them as
the same.
This should have never been the case here, and so,
gendummydata.py has been patched to normalize all of its
usernames and package names.
Signed-off-by: Kevin Morris <kevr@0cost.org>
