✨♻️ Differentiate between TLS and STARTTLS in web-mailserver (⚠️ devops)

[mrnicegyu11]

What do these changes do?

This enables the mail-sending functionality of the webserver to handle STARTTLS and TLS. Before, only STARTTLS was possible. Furthermore, there were naming ambigouitites , as the env-vars referred to TLS, which is different from STARTTLS

Bonus:

• Adds settings-test ensuring that not both STARTTLS and TLS are simultaneously requested
• Updates black-linter in precommit-hook, which would crash on my dev-PC in the old version

⚠️ devops:
Deprecates the Env-Var:
SMTP_TLS_ENABLED
Introduces the Env-Var:
SMTP_PROTOCOL
which can have the values

• UNENCRYPTED
• TLS
• STARTTLS

Related issue/s

• Feature: Enable possibilty to use STARTTLS for sending mails from oSparc #2944
• Can't send email #2882

How to test

I did a dry-run test, but since we do not fully emulate an external mail-server in our tests this will have to be properly checked in master. The dry-run test involved running the send_mail(app: web.Application, msg: MIMEText) function vanilla in python, outside oSparc.

Checklist

• Unit tests for the changes exist
• Runs in the swarm
• Documentation reflects the changes

[codecov]

Codecov Report

Merging #2965 (4fc0951) into master (075b043) will increase coverage by 0.8%.
The diff coverage is 50.0%.

@@           Coverage Diff            @@
##           master   #2965     +/-   ##
========================================
+ Coverage    83.5%   84.4%   +0.8%     
========================================
  Files         848     647    -201     
  Lines       35763   28529   -7234     
  Branches      748     178    -570     
========================================
- Hits        29876   24079   -5797     
+ Misses       5697    4392   -1305     
+ Partials      190      58    -132     

Flag	Coverage Δ
integrationtests	67.5% <21.4%> (-0.1%)	⬇️
unittests	80.6% <50.0%> (+0.1%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...re_service_webserver/application_settings_utils.py	97.7% <ø> (-0.1%)	⬇️
...erver/src/simcore_service_webserver/login/utils.py	73.6% <8.3%> (-3.9%)	⬇️
...ges/settings-library/src/settings_library/email.py	94.5% <90.0%> (-5.5%)	⬇️
...er/src/simcore_service_webserver/login/settings.py	100.0% <100.0%> (ø)
...tor_v2/modules/dynamic_sidecar/scheduler/_utils.py	92.0% <0.0%> (-5.0%)	⬇️
...rc/simcore_service_catalog/db/repositories/dags.py	44.4% <0.0%> (-2.8%)	⬇️
...simcore_service_director_v2/modules/node_rights.py	98.1% <0.0%> (-1.0%)	⬇️
...ector_v2/modules/dynamic_sidecar/scheduler/task.py	80.4% <0.0%> (-0.7%)	⬇️
...imcore_service_webserver/garbage_collector_core.py	69.8% <0.0%> (-0.7%)	⬇️
... and 204 more

[GitHK]

Not sure about bumping this here. @sanderegg @pcrespov ?

[pcrespov]

The pre-commit scripts run on their own virtualenv (with is different from our .venv) so bumping the version there is ok. Nonetheless there should be some level of compatibility with the tools used in vscode (which are installed in our .venv).

This number should be at least compatible (if possible identical) with the version we have in the requirements/_tool.txt (see screenshot below)... otherwise it is very confusing to format in one way with vscode tooling and then again with the pre-commit. Same applies for isort.

That said, as you can see we use 22.1.0 so that hsould be the version you put there.

[GitHK]

not sure I understand the reason for this warning here

[mrnicegyu11]

It is not really perfect to use encrypted communication but trust all certificates, the gain in security is marginal. I just thought the least I can do at this point (didnt wanna open up a whole big pandoras box and follow up on why it is coded like this now), was to add a warning.

But of course this log can be nerfed or removed

[GitHK]

I would suggest something like the following. Please use the actual port from the configuration.

log.warning(
    f"Certificates are not validated for STARTTLS (as it happens for TLS) on port {cfg.SMTP_PORT}!"
)

[sanderegg]

I am not sure I understand the whole thing here. Is this a warning that no one will check even though we should tackle it? in which case please create an issue.
Is this workaround here because of the library? Is that the way it works? then I would not show any warning.
And if this is a security issue, should we really use starttls?

[GitHK]

It's slightly better than unencrypted. In theory we should get a better mail server, since we run it, which supports TLS and be done with it.

[pcrespov]

As discussed, check the possibility with Enums. IMO it iwll be simpler to maintain

[pcrespov]

The pre-commit scripts run on their own virtualenv (with is different from our .venv) so bumping the version there is ok. Nonetheless there should be some level of compatibility with the tools used in vscode (which are installed in our .venv).

This number should be at least compatible (if possible identical) with the version we have in the requirements/_tool.txt (see screenshot below)... otherwise it is very confusing to format in one way with vscode tooling and then again with the pre-commit. Same applies for isort.

That said, as you can see we use 22.1.0 so that hsould be the version you put there.

[pcrespov]

when you have multiple exclusive choices it is better if you can a single field (i.e. env variable) associated with an enum that has all the choice. Can you afford that?

[sanderegg]

all good. thanks for integrating the changes. Maybe just check the warning message if it makes sense like this.

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[pcrespov]

As agreed fix the smtp.connect and set the logs in info mode. thx 🎉

[GitHK]

👍

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication