Commit graph

486 commits

Author SHA1 Message Date
Kevin Morris
8abb096d7b use aurweb_test for default mysql dev database
This also updates `test/README.md` to be a bit more specific
and precise with our current state of testing.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-24 19:02:35 -07:00
Kevin Morris
55c0637b98 add logging.config.fileConfig
This resolves logging issues with alembic on aurweb.initdb
in addition to adding more logging utilities for aurweb
and tests in general.

Developers should fetch a logger for their specific module
via `logging.getLogger(__name__)`.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-24 18:56:38 -07:00
Kevin Morris
865c414504 aurweb.asgi: add security headers middleware
This commit introduces a middleware function which adds
the following security headers to each response:

- Content-Security-Policy
    - This includes a new `nonce`, which is tied to a user
      via authentication middleware. Both an anonymous user
      and an authenticated user receive their own random nonces.
- X-Content-Type-Options
- Referrer-Policy
- X-Frame-Options

They are then tested for existence in test/test_routes.py.

Note: The overcomplicated-looking asyncio behavior in the
middleware function is used to avoid a warning about the old
coroutine awaits being deprecated. See
https://docs.python.org/3/library/asyncio-task.html#asyncio.wait
for more detail.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-22 20:33:45 -07:00
Kevin Morris
91dc3efc75 add util.add_samesite_fields(response, value)
This function adds f"SameSite={value}" to each cookie's header
stored in response.

This is needed because starlette does not currently support
the `samesite` argument in Response.set_cookie. It is merged,
however, and waiting for the next release.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-22 20:33:20 -07:00
Kevin Morris
ec632a7091 use secure=True when options.disable_http_login is enabled
We'll piggyback off of the current existing configuration item,
`disable_http_login`, to decide how we should submit cookies to
an HTTP response.

Previously, in `sso.py`, the http schema was used to make this
decision. There is an issue with that, however: We cannot actually
test properly if we depend on the https schema.

This change allows us to toggle `disable_http_login` to modify
the behavior of cookies sent with an http response to be secure.

We test this behavior in test/test_auth_routes.py#L81:
`test_secure_login(mock)`.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-22 20:33:19 -07:00
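The three commits above (865c414504, 91dc3efc75 and ec632a7091) describe the same response-hardening path: a per-request CSP nonce plus static security headers, a helper that appends `SameSite=<value>` to every `Set-Cookie` header because the framework did not yet expose it, and a `Secure` flag that follows the `disable_http_login` option rather than the request scheme so that it can be tested over plain HTTP. The following is an added, framework-free illustration of that path written for this page; it is not aurweb's middleware or starlette code. It operates on a plain list of `(name, value)` header tuples, and the concrete CSP directives, the `Referrer-Policy`/`X-Frame-Options` values and the cookie name `AURSID` are assumptions, since the commit messages do not state them.

```python
import secrets

# Assumed values for the example; the commit message does not give aurweb's actual ones.
STATIC_SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
    "X-Frame-Options": "DENY",
}


def make_nonce(nbytes: int = 16) -> str:
    """Fresh CSP nonce from the CSPRNG; a new one per request or per user session."""
    return secrets.token_urlsafe(nbytes)


def content_security_policy(nonce: str) -> str:
    """Inline scripts execute only when their <script nonce="..."> matches this value.
    The directive set is an assumption made for this example."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ])


def add_security_headers(headers, nonce):
    """Append the security headers without overriding one a route already set."""
    present = {name.lower() for name, _ in headers}
    out = list(headers)
    wanted = {**STATIC_SECURITY_HEADERS,
              "Content-Security-Policy": content_security_policy(nonce)}
    for name, value in wanted.items():
        if name.lower() not in present:
            out.append((name, value))
    return out


def add_samesite_fields(headers, value="Lax"):
    """Add SameSite=<value> to every Set-Cookie header that does not already carry one."""
    out = []
    for name, val in headers:
        if name.lower() == "set-cookie" and "samesite=" not in val.lower():
            val = f"{val}; SameSite={value}"
        out.append((name, val))
    return out


def set_cookie_header(name, value, *, disable_http_login, max_age=None):
    """Build one Set-Cookie header. Secure follows the disable_http_login option,
    not the request scheme, so the behaviour is testable over plain HTTP."""
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    if disable_http_login:
        parts.append("Secure")
    return ("set-cookie", "; ".join(parts))


def cookie_attributes(header_value):
    """Parse a Set-Cookie value into {attribute_lowercase: value or True} for checks."""
    attrs = {}
    for part in header_value.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val if val else True
    return attrs


def build_response_headers(session_id, *, disable_http_login, nonce=None):
    """Headers a login response would carry: session cookie, SameSite, security headers.
    'AURSID' is an assumed cookie name for the example."""
    nonce = nonce or make_nonce()
    headers = [
        ("content-type", "text/html; charset=utf-8"),
        set_cookie_header("AURSID", session_id, disable_http_login=disable_http_login),
    ]
    headers = add_samesite_fields(headers, "Strict")
    return add_security_headers(headers, nonce), nonce


if __name__ == "__main__":
    hdrs, nonce = build_response_headers("s3ss10n", disable_http_login=True)
    for name, value in hdrs:
        print(f"{name}: {value}")
```

Two details worth keeping when adapting this: the SameSite helper must not append a second attribute to a cookie that already sets one (a duplicated attribute is browser-defined behaviour), and the header adder must not clobber a header a route set deliberately, otherwise a stricter per-route `X-Frame-Options` would be silently replaced.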
Kevin Morris
763b84d0b9 Merge branch 'master' into pu 2021-06-22 19:39:31 -07:00
Kristian Klausen
959e535126 Use the real ml email address instead of alias
All the arch-x@archlinux.org -> arch-x@lists.archlinux.org aliases will
be dropped soon[1].

[1] https://lists.archlinux.org/pipermail/arch-dev-public/2021-June/030462.html
2021-06-23 03:21:06 +02:00
Kevin Morris
af76e660d0 auth_required: allow formattable template tuples
See docstring for updates.

template= has been modified.
status_code= has been added as an optional template status_code.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-21 21:37:10 -07:00
Kevin Morris
d5e650a339 add util.dedupe_qs -> dedupe_qs Jinja2 filter
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-19 09:53:59 -07:00
Kevin Morris
b1baf76998 add util.as_timezone -> as_timezone Jinja2 filter
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-19 09:53:48 -07:00
Kevin Morris
ac67268a28 add util.timezone_to_datetime -> dt Jinja2 filter
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-19 09:53:30 -07:00
Kevin Morris
40448ccd34 aurweb.db: add commit(), add() and autocommit arg
With the addition of these two, some code has been swapped
to use these in some of the other db wrappers with an additional
autocommit kwarg in create and delete, to control batch
transactions.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-19 09:08:09 -07:00
Kevin Morris
bd8f528011 add Base.as_dict() and Base.json()
Two utility functions for all of our ORM models that will
allow us to easily convert them to Python structures and
JSON data.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-13 10:48:31 -07:00
Kevin Morris
0c1241f8bb add TUVote SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-11 22:14:38 -07:00
Kevin Morris
8c345a0448 TUVoteInfo: generalize Quorum
SQLite does not support native DECIMAL columns, and for that
reason, we had to switch to using Strings that can hold the data
in the case we are using sqlite.

This commit sets the TUVoteInfo model up in a generic way, that
it always converts to string when setting Quorum (OK for DECIMAL)
and always converts to float when getting Quorum.

This way, we can treat TUVoteInfo.Quorum as the same thing
everywhere.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-11 21:48:39 -07:00
Kevin Morris
541c978ac4 add PackageRequest SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-11 21:21:38 -07:00
Kevin Morris
809939ab03 add TUVoteInfo SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-11 21:00:26 -07:00
Kevin Morris
3bf4b3717a add RequestType SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-11 17:37:51 -07:00
Kevin Morris
511f174c8b add PackageBlacklist SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-11 17:28:08 -07:00
Kevin Morris
163e4d7389 test_package_comaintainer: sanitize newlines
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-11 17:15:18 -07:00
Kevin Morris
5b856c7af2 add PackageNotification SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-11 17:14:28 -07:00
Kevin Morris
229df1adef test_package_vote: remove useless stuff
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-11 16:56:15 -07:00
Kevin Morris
ebd216edfd add PackageComaintainer SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-11 16:52:45 -07:00
Kevin Morris
fc28c1e5fd add PackageComment SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-11 00:35:18 -07:00
Kevin Morris
11c4926502 add PackageSource SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-10 17:46:29 -07:00
Kevin Morris
d18cfad63e use djangos method of wiping sqlite3 tables
Django uses a reference graph to determine the order
in which table deletions occur. Do the same here.

This commit also adds in the `REGEXP` sqlite function,
exactly how Django uses it in its reference graphing.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-10 17:26:34 -07:00
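The commit above describes ordering table wipes by a foreign-key reference graph and registering a `REGEXP` function for sqlite3. As an added example for this page, written with only the Python standard library and not taken from aurweb or Django, the block below registers `REGEXP` on an in-memory sqlite3 connection, reads the foreign keys with `PRAGMA foreign_key_list`, sorts the tables so that every table is deleted before the tables it references, and shows why the order matters: with `PRAGMA foreign_keys = ON`, deleting a parent row that is still referenced raises `sqlite3.IntegrityError`. The four-table schema and its rows are constructed for the example and only loosely resemble aurweb's.

```python
import re
import sqlite3
from collections import defaultdict, deque

# Constructed schema for the example; the table names only echo aurweb's.
SCHEMA = """
CREATE TABLE Users (ID INTEGER PRIMARY KEY, Username TEXT NOT NULL);
CREATE TABLE PackageBases (ID INTEGER PRIMARY KEY, Name TEXT NOT NULL,
    MaintainerUID INTEGER REFERENCES Users(ID));
CREATE TABLE Packages (ID INTEGER PRIMARY KEY, Name TEXT NOT NULL,
    PackageBaseID INTEGER NOT NULL REFERENCES PackageBases(ID));
CREATE TABLE PackageVotes (UsersID INTEGER NOT NULL REFERENCES Users(ID),
    PackageBaseID INTEGER NOT NULL REFERENCES PackageBases(ID));
"""


def regexp(pattern, value):
    """SQLite evaluates `X REGEXP Y` as regexp(Y, X), hence (pattern, value)."""
    return value is not None and re.search(pattern, value) is not None


def connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # enforce FKs so a bad order fails loudly
    conn.create_function("REGEXP", 2, regexp)
    conn.executescript(SCHEMA)
    return conn


def seed(conn):
    """Constructed sample rows: one user, one base, one package, one vote."""
    with conn:
        conn.execute("INSERT INTO Users VALUES (1, 'alice')")
        conn.execute("INSERT INTO PackageBases VALUES (1, 'foo', 1)")
        conn.execute("INSERT INTO Packages VALUES (1, 'foo', 1)")
        conn.execute("INSERT INTO PackageVotes VALUES (1, 1)")


def user_tables(conn):
    """All user tables, skipping sqlite's internal ones via the REGEXP function."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT REGEXP ?",
        ("^sqlite_",),
    )
    return [name for (name,) in rows]


def reference_graph(conn, tables):
    """Map each table to the set of tables its foreign keys point at."""
    refs = {}
    for table in tables:
        # foreign_key_list columns: id, seq, table, from, to, on_update, on_delete, match
        parents = {row[2] for row in conn.execute(f'PRAGMA foreign_key_list("{table}")')}
        refs[table] = parents - {table}  # self-references do not constrain the order
    return refs


def deletion_order(refs):
    """Kahn's algorithm on the reversed graph: a table is wiped only after every
    table that references it has been wiped. Raises on cyclic references."""
    dependents = defaultdict(set)
    for child, parents in refs.items():
        for parent in parents:
            if parent in refs:
                dependents[parent].add(child)
    remaining = {table: len(dependents[table]) for table in refs}
    ready = deque(sorted(t for t, n in remaining.items() if n == 0))
    order = []
    while ready:
        table = ready.popleft()
        order.append(table)
        for parent in refs[table]:
            if parent in remaining:
                remaining[parent] -= 1
                if remaining[parent] == 0:
                    ready.append(parent)
    if len(order) != len(refs):
        raise RuntimeError("cyclic foreign keys among: " + ", ".join(sorted(set(refs) - set(order))))
    return order


def wipe_tables(conn):
    """Delete every row from every user table in reference-graph order."""
    order = deletion_order(reference_graph(conn, user_tables(conn)))
    with conn:
        for table in order:
            conn.execute(f'DELETE FROM "{table}"')
    return order


def naive_wipe_raises(conn):
    """Deleting Users first, while PackageBases/PackageVotes rows still reference
    them, violates the FK; `with conn` rolls the statement back."""
    try:
        with conn:
            conn.execute('DELETE FROM "Users"')
    except sqlite3.IntegrityError:
        return True
    return False


def row_counts(conn):
    return {t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0] for t in user_tables(conn)}


if __name__ == "__main__":
    db = connect()
    seed(db)
    print("naive wipe fails:", naive_wipe_raises(db))
    print("wipe order:", wipe_tables(db), row_counts(db))
```

Note that `PRAGMA foreign_keys` is off by default in SQLite, so a test database that is wiped in the wrong order only appears to work until the pragma is switched on or until the same fixtures are run against MySQL, where InnoDB enforces the constraints.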
Kevin Morris
5de7ff64df add PackageVote SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-10 13:55:07 -07:00
Kevin Morris
888cf5118a use declarative_base for all ORM models
This rewrites the entire model base as declarative models.
This allows us to more easily customize overlay fields
in tables and is more common.

This effort also brought some DB violations to light which
this commit addresses.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-10 13:54:27 -07:00
Kevin Morris
1874e821f5 add case [in]sensitivity tests + add OfficialProvider model
`ci` in this context means "Case Insensitive".
`cs` in this context means "Case Sensitive".

New models created:
    - OfficialProvider
      This was required to write a test for checking that
      OfficialProviders behaves as we expect, which was the starter
      for the original aurblup bug.

New tests created:
    - test_official_provider

Modified tests:
    - test_package_base: add ci test
    - test_package: add ci test
    - test_session: add cs test
    - test_ssh_pub_key: add cs test

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 23:20:18 -07:00
Kevin Morris
5ceeb88bee remove unused imports, rectify isort violations
Files got into the branch that violate both PEP-8 guidelines
and isort's. This fixes them.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 21:27:39 -07:00
Kevin Morris
62e58b122f fix test_accounts_routes test coverage
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:17:48 -07:00
Kevin Morris
228bc8fe7c fix aurweb.auth test coverage
With mysqlclient, we no longer need to account for a user not existing
when an ssh key is found.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:17:48 -07:00
Kevin Morris
aecb649473 use mysql backend in config.dev
First off: This commit changes the default development database
backend to mysql. sqlite, however, is still completely supported
with the caveat that a user must now modify config.dev to use
the sqlite backend.

While looking into this, it was discovered that our SQLAlchemy
backend for mysql (mysql-connector) completely broke model
attributes when we switched to utf8mb4_bin (binary) -- it does
not perform the correct conversion to and from binary utf8mb4.

The new, replacement dependency mysqlclient does. mysqlclient
is also recommended in SQLAlchemy documentation as the "best"
one available.

The mysqlclient backend uses a different exception flow than
sqlite, and so tests expecting IntegrityError had to be modified
to expect OperationalError from sqlalchemy.exc.

So, for each model that we define, check keys that can't be
NULL and raise sqlalchemy.exc.IntegrityError if we have to.
This way we keep our exceptions uniform.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:17:48 -07:00
Kevin Morris
d7481b9649 modify schema primary keys to be nullable+defaulted
This fixes SQLAlchemy warnings related to primary keys not
having an auto_increment or nullable.

We've done this by making all foreign primary keys nullable.

In ApiRateLimit's case, we can set a default str to act as
a null, which seems a bit more sensible.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
a65a60604a add ApiRateLimit SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
2b83d2fb6b add PackageRelation SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
a9cfbce11e add RelationType SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
e401b92acb add PackageDependency (PackageDepends) ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
068c8ba638 add DependencyType SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
4201348dea add PackageGroup SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
75cc0be189 add PackageLicense SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
943d97efac add License SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
38dc2bb99d Sanitize and modernize pytests
Some of these tests were written before some of our convenient
tooling existed. Additionally, some of the tests were not
cooperating with PEP-8 guidelines or isorted.

This commit does the following:
    - Replaces all calls to make_(user|session) with
      aurweb.db.create(Model, ...).
    - Replace calls to session.add(...) + session.commit() with
      aurweb.db.create.
    - Removes the majority of calls to (session|aurweb.db).delete(...).
    - Replaces session.query calls with aurweb.db.query.
    - Initializes all mutable globals in pytest fixture setup().
    - Makes mutable global declarations more concise:
      `var1, var2 = None, None` -> `var1 = var2 = None`
    - Defines a warning exclusion for test/test_ssh_pub_key.py.
    - Removes the aurweb.testing.models module.
    - Removes some useless pytest.fixture yielding.

As of this commit, developers should use the following guidelines
when writing tests:
    - Always use aurweb.db.(create|delete|query) for database
      operations, where possible.
    - Always define mutable globals in the style: `var1 = var2 = None`.
    - `yield` the most dependent model in pytest setup fixture **iff**
      you must delete records after test runs to maintain database
      integrity. Example: test/test_account_type.py.

This all makes the test code look and behave much cleaner.
Previously, aurweb.testing.setup_test_db was buggy and leaving
objects around in SQLAlchemy's IdentityMap.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
f2121fb833 simplify test_package_keyword.py
We no longer need to delete records like this; in fact, it causes
errors now. Fix this by removing the deletions and allow
setup_test_db to do its job.

We'll need to do this for other tests as well.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
15b1332656 add Package SQLAlchemy ORM model
Additionally, add an optional **kwargs passing via make_relationship.
This allows us to use things like `uselist=False`, which was needed
for test/test_package.py.

Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
b692b11f62 add Group SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
e1ab02c2bf Fix database initialization in test_term.py
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
718fa48a5c add AcceptedTerm SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
29db2ee513 add Term SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00
Kevin Morris
fb21015811 add PackageKeyword SQLAlchemy ORM model
Signed-off-by: Kevin Morris <kevr@0cost.org>
2021-06-05 20:11:17 -07:00