Reference from
github.com/PostHog/posthog/pull/4631/commits/341c28da0f6d33d6fb12fe443766a2d822ff0097
This fixes a deprecation warning regarding distutil's strtobool.
Signed-off-by: Kevin Morris <kevr@0cost.org>
There was one blazing issue with the previous implementation regardless
of the multiple records: we were generating fingerprints by storing
the key into a file and reading it with ssh-keygen. This is absolutely
terrible and was not meant to be left around (it was forgotten, my bad).
Took this opportunity to clean up a few things:
- simplify pubkey validation
- centralize things a bit better
Signed-off-by: Kevin Morris <kevr@0cost.org>
For tests, we only care about emails having a valid syntax.
I don't think we should verify this at all, as aurweb.scripts.notify
will timeout if it can't deliver via sendmail/smtp.
Signed-off-by: Kevin Morris <kevr@0cost.org>
We were allowing erroneous URLs through, raising exceptions,
from e.g. `http://[localhost:8444/blah`. This patch catches
any ValueErrors raised during the parse process and returns
False, indicating that the validation failed.
This patch also adds testing specifically for `util.valid_homepage`.
We didn't have specific testing for this before; this will allow us
to catch regressions in this area.
Closes #250
Signed-off-by: Kevin Morris <kevr@0cost.org>
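As an added illustration of the validation change described in the commit above (this is not aurweb's own `util.valid_homepage`, and the http/https scheme allow-list and non-empty host check are assumptions), a validator that treats a `ValueError` from the parser as a failed check rather than letting it surface as a server error:

```python
from urllib.parse import urlparse

# Assumed policy: only web URLs are acceptable as a package homepage.
ALLOWED_SCHEMES = {"http", "https"}


def valid_homepage(url: str) -> bool:
    """Return True only for a well-formed http(s) URL that names a host.

    urlparse() raises ValueError on malformed input such as an
    unterminated IPv6 bracket ("http://[localhost:8444/blah").  Catching
    it here turns a 500 on the form handler into an ordinary validation
    failure, which is the behaviour the commit describes.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    # A scheme check also rejects non-web schemes (javascript:, file:, ...)
    # that would otherwise be rendered as a clickable link.
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)
```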
This gets raised when a client closes a connection before receiving
a valid response; this is not controllable from our side.
Signed-off-by: Kevin Morris <kevr@0cost.org>
Introduces:
- aurweb.testing.alpm.AlpmDatabase
- Used to mock up and manage a remote repository.
- templates/testing/alpm_package.j2
- Used to generate a single ALPM package desc.
- Removed aurblup sharness test
Signed-off-by: Kevin Morris <kevr@0cost.org>
Changes:
-------
- Add aurweb.db.get_session()
- Returns aurweb.db's global `session` instance
- Provides us a way to change the implementation of the session
instance without interrupting user code.
- Use aurweb.db.get_session() in session API methods
- Add docstrings to session API methods
- Refactor aurweb.db.delete
- Normalize aurweb.db.delete to an alias of session.delete
- Refresh instances in places we depend on their non-PK columns
being up to date.
Signed-off-by: Kevin Morris <kevr@0cost.org>
This definitely leaked through in more areas. We'll need to reuse
this new utility function in a few other routes in upcoming commits.
Signed-off-by: Kevin Morris <kevr@0cost.org>
This change removes cookie re-emission of AURLANG and AURTZ,
adds the AURREMEMBER cookie (the state of the "Remember Me"
checkbox on login), and re-emits AURSID based on the AURREMEMBER
cookie.
Previously, re-emission of AURSID was forcefully modifying
the expiration of the AURSID cookie. The introduction of
AURREMEMBER allows us to deduct the correct cookie expiration
timing based on configuration variables. With this addition,
we now re-emit the AURSID cookie with an updated expiration
based on the "Remember Me" checkbox on login.
Signed-off-by: Kevin Morris <kevr@0cost.org>
With this change, we provide a wrapper to `logging.getLogger`
in the `aurweb.logging` module. Modules wishing to log using
logging.conf should get their module-local loggers by calling
`aurweb.logging.getLogger(__name__)`, similar to `logging.getLogger`,
this way initialization with logging.conf is guaranteed.
Signed-off-by: Kevin Morris <kevr@0cost.org>
Currently, the config parser converts all keys to lowercase which is
inconsistent with the old PHP behavior. This has been fixed and relevant
fingerprint-getting functions have been simplified without changes in
behavior.
Signed-off-by: Steven Guikal <void@fluix.one>
The new `extend_query` and `urlencode` filters are way cleaner ways
to achieve what we did with `dedupe_qs`.
Signed-off-by: Kevin Morris <kevr@0cost.org>
The first addition, extend_query, can be used to take an existing
query parameter dictionary and inject an *additions as replacement
key/value pairs.
The second, to_qs, converts a query parameter dictionary to
a query string in the form "a=b&c=d".
These two functions simplify and make dedupe_qs and quote_plus more
efficient in terms of constructing custom query string overrides.
Signed-off-by: Kevin Morris <kevr@0cost.org>
urlencode does more than just a quote_plus. Using urlencode
was not sensible, so this commit addresses that.
Signed-off-by: Kevin Morris <kevr@0cost.org>
This filter gets a vote of a request's user toward a voteinfo.
Example: {% set vote = (voteinfo | get_vote(request)) %}
Signed-off-by: Kevin Morris <kevr@0cost.org>
This commit introduces a middleware function which adds
the following security headers to each response:
- Content-Security-Policy
- This includes a new `nonce`, which is tied to a user
via authentication middleware. Both an anonymous user
and an authenticated user receive their own random nonces.
- X-Content-Type-Options
- Referrer-Policy
- X-Frame-Options
They are then tested for existence in test/test_routes.py.
Note: The overcomplicated-looking asyncio behavior in the
middleware function is used to avoid a warning about the old
coroutine awaits being deprecated. See
https://docs.python.org/3/library/asyncio-task.html#asyncio.wait
for more detail.
Signed-off-by: Kevin Morris <kevr@0cost.org>
This function adds f"SameSite={value}" to each cookie's header
stored in response.
This is needed because starlette does not currently support
the `samesite` argument in Response.set_cookie. It is merged,
however, and waiting for next release.
Signed-off-by: Kevin Morris <kevr@0cost.org>
We'll piggyback off of the current existing configuration item,
`disable_http_login`, to decide how we should submit cookies to
an HTTP response.
Previously, in `sso.py`, the http schema was used to make this
decision. There is an issue with that, however: We cannot actually
test properly if we depend on the https schema.
This change allows us to toggle `disable_http_login` to modify
the behavior of cookies sent with an http response to be secure.
We test this behavior in test/test_auth_routes.py#L81:
`test_secure_login(mock)`.
Signed-off-by: Kevin Morris <kevr@0cost.org>
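The three commit messages above (security headers with a per-request CSP nonce, appending `SameSite=` to each cookie header, and marking cookies `Secure` based on `disable_http_login`) describe one response post-processing step. The following is an added, framework-free sketch of that step over a plain list of header pairs; it is not aurweb's middleware, and the concrete CSP directives, the `Referrer-Policy` value and the `SameSite` default are assumptions:

```python
import secrets
from typing import List, Tuple

# Header list in the (name, value) shape a raw HTTP response carries.
Headers = List[Tuple[str, str]]


def make_nonce() -> str:
    """Fresh random nonce; aurweb ties its own to the user in auth middleware."""
    return secrets.token_urlsafe(16)


def add_security_headers(headers: Headers, nonce: str) -> Headers:
    """Append the four headers named in the commit message (directive values assumed)."""
    return headers + [
        ("content-security-policy",
         f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
         "object-src 'none'; frame-ancestors 'none'"),
        ("x-content-type-options", "nosniff"),
        ("referrer-policy", "same-origin"),
        ("x-frame-options", "DENY"),
    ]


def harden_cookies(headers: Headers, disable_http_login: bool,
                   samesite: str = "Lax") -> Headers:
    """Rewrite every Set-Cookie header: add SameSite, and Secure when
    the config says logins must not travel over plain HTTP."""
    out: Headers = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            attrs = {a.strip().lower() for a in value.split(";")}
            if not any(a.startswith("samesite=") for a in attrs):
                value += f"; SameSite={samesite}"
            if disable_http_login and "secure" not in attrs:
                value += "; Secure"
        out.append((name, value))
    return out


def secure_response(headers: Headers, disable_http_login: bool) -> Headers:
    """Apply both steps, as a middleware would on each response."""
    return harden_cookies(add_security_headers(headers, make_nonce()),
                          disable_http_login)
```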
Two utility functions for all of our ORM models that will
allow us to easily convert them to Python structures and
JSON data.
Signed-off-by: Kevin Morris <kevr@0cost.org>
* Added account_url filter to jinja2 environment. This produces a path
to the user's account url (/account/{username}).
* Updated archdev-navbar to link to new edit route.
+ Added migrate_cookies(request, response) to aurweb.util, a function
that simply migrates the request cookies to response and returns it.
+ Added account_edit tests to test_accounts_routes.py.
Signed-off-by: Kevin Morris <kevr@0cost.org>
* Added /register get and post routes.
+ Added default attributes to AnonymousUser, including a new
AnonymousList which behaves like an sqlalchemy relationship
list.
+ aurweb.util: Added validation functions for various user fields
used throughout registration.
+ test_accounts_routes: Added get|post register route tests.
Signed-off-by: Kevin Morris <kevr@0cost.org>
+ Added aurweb.util module.
- Added make_random_string function.
+ Added aurweb.db.make_random_value function.
- Takes a model and a column and introspects them to figure out the
proper column length to create a random string for; then creates
a unique string for that column.
Signed-off-by: Kevin Morris <kevr@0cost.org>