Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update django 4.2 #343

Merged
merged 1 commit into from
May 6, 2024
Merged

Update django 4.2 #343

merged 1 commit into from
May 6, 2024

Conversation

hina-shah
Copy link
Contributor

@hina-shah hina-shah commented Apr 3, 2024
edited
Loading

The PR makes necessary changes to upgrade Django to 4.2, and it's related libraries.

4.2 is the next LTS according to this, and will be supported till beginning of 2026.

mbacon-renci
mbacon-renci reviewed Apr 22, 2024
View reviewed changes
requirements.txt Outdated Show resolved Hide resolved
@waTeim
Copy link
Contributor

waTeim commented Apr 23, 2024

Ok I have some questions:

What's the purpose of this?

CSRF_TRUSTED_ORIGINS = [
        "https://localhost",
        "https://127.0.0.1",
        "https://*.renci.org",
    ]

And we resolved that this matches what we have set up with UNC ITS:

 "USE_JWT": False,
    'WANT_ASSERTIONS_SIGNED': True,
    'AUTHN_REQUESTS_SIGNED': False,
    'WANT_RESPONSE_SIGNED': False,
    'TOKEN_REQUIRED': False,

I wonder if this is even necessary (or for that matter anything in migrations) since we never bother to maintain the user database from one version of appstore to the other.
True, I am making an assumption on what the purpose of this is: appstore/core/migrations/0002_auto_20200430_1711.py

@hina-shah
Copy link
Contributor Author

Ok I have some questions:

What's the purpose of this?

CSRF_TRUSTED_ORIGINS = [
        "https://localhost",
        "https://127.0.0.1",
        "https://*.renci.org",
    ]

CSRF_TRUSTED_ORIGINS is a list os trusted domains for POST requests for eg. We had this setting before enabled only for DEBUG mode, and only localhost was in the list. But we were getting CSRF_TOKEN errors, and hence not able to access the appstore page at all. Pulling out CSRF_TOKEN out of the DEBUG mode and adding renci.org as a trusted domain resolved that issue.


And we resolved that this matches what we have set up with UNC ITS:

"USE_JWT": False,
'WANT_ASSERTIONS_SIGNED': True,
'AUTHN_REQUESTS_SIGNED': False,
'WANT_RESPONSE_SIGNED': False,
'TOKEN_REQUIRED': False,

Yes, we have checked that. Any changes in this messes up with SAML.

I wonder if this is even necessary (or for that matter anything in migrations) since we never bother to maintain the user database from one version of appstore to the other. True, I am making an assumption on what the purpose of this is: appstore/core/migrations/0002_auto_20200430_1711.py

I'm not sure on this. Some migrations run by default even when the databases are generated when the appstore is deployed. But this one in particular was just renaming the model, and I did not see a reason for it. I think I can keep on investigating when working on whitelisting.

@waTeim
Copy link
Contributor

waTeim commented Apr 23, 2024

Ok if there is a problem with CSRF on renci.org sites if it's not in the list, will there be a problem for eduhelx on ashe (when it's unc.edu)?

Should these things be in the values file rather than hard-coded?

@hina-shah
Copy link
Contributor Author

Ok if there is a problem with CSRF on renci.org sites if it's not in the list, will there be a problem for eduhelx on ashe (when it's unc.edu)?

Should these things be in the values file rather than hard-coded?

That's a good point, renci.unc.edu should be added to that list.

I'm not sure if it should be in values file.. If we want to "strictly" keep the deployments within the renci domain, then hardcoded values make sense. If we want to have it truly open-source, and let folks do their own deployments, then yes - definitely should be a list value in values file.

@frostyfan109
Copy link
Contributor

frostyfan109 commented Apr 23, 2024
edited
Loading

@waTeim pretty sure CSRF_TRUSTED_ORIGIN means that cross-site requests from that origin do not require a CSRF token on the post request. @hina-shah I think hardcoded domains (renci.org, renci.unc.edu) should be moved to values and make the current list the default value if unspecified.

@waTeim
Copy link
Contributor

waTeim commented Apr 24, 2024
edited
Loading

Still not a fan:

if CSRF_TRUSTED_ORIGINS == 0:
    CSRF_TRUSTED_ORIGINS = [
            "https://*.renci.org",
            "https://*.renci.unc.edu"
        ]

I get it, the intention is to make the default behavior backward compatible, otherwise, when you use the previous values file it would not work. Ok, I'm not sure that's a good idea, but even if we want that. I say these things should go into the chart's default values.

And/Or simply in the release notes point out that this value must be set.

Also, this is kind of a problem if the env variable is not set, you'll get an array containing a 0-length string instead of a 0-length array:

>>> "".split(',')
['']

@joshua-seals
Copy link
Collaborator

I think it is probably fine this way honestly since the deployment customization from the chart necessarily allows for changing this setting (assuming that is a settable value in appstore-chart).

I wonder though, in settings/base.py if there is some other value that could be coupled to this one to introspect the context of the deployment. 🤔
if CSRF_TRUSTED_ORIGINS == 0: CSRF_TRUSTED_ORIGINS := append(CSRF_TRUSTED_ORIGINS, EMAIL_HOST)
or some other value that infers our deployment context as a default value setting`. This way, we keep it general to the email host (or better domain context) if that is changed for any domain deployment like it is set to nih.gov but offer additional addons.

joshua-seals
joshua-seals reviewed Apr 29, 2024
View reviewed changes
.env.sample Outdated
stdnfsPvc="stdnfs"
CSRF_DOMAINS="https://*.remci.org"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for catching that!

frostyfan109
frostyfan109 requested changes Apr 30, 2024
View reviewed changes
appstore/appstore/settings/base.py Outdated Show resolved Hide resolved
appstore/appstore/settings/base.py Show resolved Hide resolved
appstore/appstore/settings/base.py Show resolved Hide resolved
appstore/appstore/settings/base.py Show resolved Hide resolved
appstore/appstore/settings/heal_settings.py Outdated Show resolved Hide resolved
appstore/core/migrations/0002_auto_20200430_1711.py Outdated Show resolved Hide resolved
@hina-shah hina-shah merged commit b168241 into develop May 6, 2024
8 of 9 checks passed
@hina-shah hina-shah deleted the update-django-4.2 branch May 6, 2024 14:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshua-seals joshua-seals joshua-seals approved these changes

@frostyfan109 frostyfan109 frostyfan109 approved these changes

@waTeim waTeim waTeim approved these changes

@pj-linebaugh pj-linebaugh Awaiting requested review from pj-linebaugh

@cnbennett3 cnbennett3 Awaiting requested review from cnbennett3

@mbacon-renci mbacon-renci Awaiting requested review from mbacon-renci

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@hina-shah @waTeim @frostyfan109 @joshua-seals @mbacon-renci