38 Commits

Author SHA1 Message Date
Tim Orling
314d29deda requirements.txt: bump to Django 3.2 LTS
Upgrade to the latest Django 3.2.x LTS for
extended support up until April 2024.

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
2022-01-13 20:59:31 -08:00
Tim Orling
08d7f96e10 requirements.txt: update all to latest
Since we are on a "modern" version of Python in
Debian buster container (3.7) and a modern version
of Django (3.1.x) we should be able to run with
the latest of all dependencies.

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
2022-01-13 20:59:22 -08:00
Tim Orling
49b41802e4 requirements.txt: bump to Django 3.1
Another incremental upgrade towards 3.2 LTS

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
2022-01-13 20:59:02 -08:00
Tim Orling
a027959343 Updates for Django 3.0
* Update requirements.txt versions
  - Mostly update to latest pre-Django 3.1 versions
* Fix deprecated axes.backends.AxesModelBackend
  - settings.py
  - docker/settings.py
* Fix template syntax 'staticfiles' -> 'static'
  - base.html
* Add migrations for layerbranch classicrecipe

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
2022-01-13 20:58:52 -08:00
Tim Orling
094c89bc70 requirements.txt: bump to Django 3.0
Incremental upgrade towards 3.2 LTS version.

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
2022-01-13 20:58:40 -08:00
Paul Eggleton
848ca10920 requirements.txt: set proper version restriction for Django
Without a comma, pip3 will currently install Django 4.0 which does not
work.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.microsoft.com>
2021-10-20 10:02:46 +13:00
Amber Elliot
6c2f153784 requirements.txt: Updating Django requirement to the 2.2 LTS release.
Signed-off-by: Amber Elliot <amber.n.elliot@intel.com>
Signed-off-by: Paul Eggleton <bluelightning@bluelightning.org>
2020-06-30 05:37:09 +12:00
Paul Eggleton
8e3cbb7038 requirements.txt: bump Django version to fix CVE-2019-19844
Fixes a vulnerability in the password reset process due to
insufficiently stringent validation of Unicode email addresses.

https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
https://nvd.nist.gov/vuln/detail/CVE-2019-19844

(The existing version specification would have selected the fixed
version of Django already for new installs, but bumping the minimum
ensures that it will be installed for upgrades with
./dockersetup.py -u as well.)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2019-12-20 10:29:11 +13:00
Paul Eggleton
50fc6780e0 requirements.txt: bump a couple more versions
Update pytz and beautifulsoup4.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2019-10-29 10:22:59 +13:00
Paul Eggleton
69578c31e4 requirements.txt: update to fix CVE-2019-16865
Update Pillow version to incorporate a fix for a denial-of-service
vulnerability (which should not affect this application however, as it
does not use Pillow to process external images):

  https://nvd.nist.gov/vuln/detail/CVE-2019-16865

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2019-10-29 10:22:50 +13:00
Paul Eggleton
003c816417 requirements.txt: update
* Bump a few versions where we can
* Drop anyjson - this used to be a dependency of kombu but not anymore,
  and nothing else needs it.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2019-10-02 14:27:58 +13:00
Paul Eggleton
8a4dd12ae3 requirements.txt: update pillow
This is the only dependency we can update right now; the rest will cause
problems given that the layer index needs python 2 support still.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2019-07-17 11:31:04 +12:00
Paul Eggleton
190a97fda4 requirements.txt: update
Update to latest versions; as per last update we skip django-reversion
and django-axes. (Now however I've realised that django-axes > 4.5.4
probably isn't found within the container because in my development
setup, pip == pip3 whereas in the container pip is the Python 2 version.
For now let's stick with something that we can still use with the layer
index that still requires Python 2).

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2019-07-17 11:31:04 +12:00
Paul Eggleton
f527692c7c Replace custom pagination with django-bootstrap-pagination
Simplify things a bit. We lose the digg-style pagination but the new
behaviour is good enough and improves maintainability.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2019-07-17 11:31:04 +12:00
Paul Eggleton
2ee1613363 requirements.txt: update versions
Update to the latest versions, with the exception of django-reversion
which I suspect will trigger some regressions; plus django-axes which
for some reason pip did not want to fetch 5.x versions of within the
container.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2019-07-17 11:31:04 +12:00
Amber Elliot
ecd584f609 requirements.txt: Require secure version of Django.
Change minimum required version of Django to 1.11.11.

Signed-off-by: Amber Elliot <amber.n.elliot@intel.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2019-07-17 11:31:01 +12:00
Amber Elliot
0f3b3e42a6 Upgrade django-registration to version 3.0.
This involves changing how registration templates are referenced
and how the activation email is sent on user's email address change.

Signed-off-by: Amber Elliot <amber.n.elliot@intel.com>
2019-07-17 11:30:56 +12:00
Paul Eggleton
61dd9527ba requirements.txt: bump versions
Upgrade everything with the exception of django-registration 3.0 and
django-reversion 3.0.x which both require some work to migrate to.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2018-11-19 16:44:42 +13:00
Paul Eggleton
476348a598 requirements.txt: update GitPython dependencies
Upgrade GitPython and trim out old dependencies: gitdb and smmap are no
longer needed by current GitPython, gitdb2 and smmap2 have replaced
them.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2018-11-06 13:58:07 +13:00
Paul Eggleton
dff454815f Use django-axes to lockout after multiple failed logins
Repeated failed login attempts should trigger lockout to prevent
brute-forcing and user enumeration - django-axes does this using account
and IP-based lockout.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2018-11-06 13:58:03 +13:00
Paul Eggleton
631116a1c4 Replace nvd3 with Chart.js
nvd3 and its python/django wrappers appear to be no longer actively
maintained, and at least the wrappers were a bit clunky to use. Looking
around for a suitable replacement, Chart.js seems capable, has no
additional dependencies and is fairly simple to use. As a bonus we get
to drop a few Python dependencies from our list.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2018-11-06 10:33:39 +13:00
Paul Eggleton
49981aebf6 Add site-wide notice support
Add the ability to show a notice at the top of every page; this provides
the ability for admins to display a message to visitors in the case of
infrastructure or index data issues. Notices can have an expiry date and
can be disabled and re-enabled if needed. A subset of HTML can be used
for formatting the text, URLs will be made into clickable links, and
four "levels" are supported (info, success, warning and error).

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2018-07-09 13:50:15 +02:00
Paul Eggleton
227b9c65af rrs_upstream_email: rework
* Use maintenance plans to get layerbranches
* Use from/to/subject and admin contact from maintenance plan
* Use an actual template to render the email (and drop tabulate
  dependency)
* Improve grammar in the email text
* Use a single line to represent the most recent commit

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2018-05-04 23:57:53 +12:00
Aníbal Limón
12d6909a70 requirements: Add tabular.
Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
2018-05-04 23:57:52 +12:00
Paul Eggleton
97bb82225a requirements.txt: fix some conflicting requirements
pip (strangely only in the python 2 version when I test it here) reports
that some of the versions in requirements.txt were incompatible:

django-nvd3 0.9.7 has requirement python-nvd3==0.14.2, but you'll have
python-nvd3 0.15.0 which is incompatible.
django-registration 2.4.1 has requirement confusable-homoglyphs~=3.0,
but you'll have confusable-homoglyphs 2.0.2 which is incompatible.
python-nvd3 0.14.2 has requirement python-slugify==1.1.4, but you'll
have python-slugify 1.2.5 which is incompatible.

I'm not particularly keen on downgrading these but it seems like we
don't have much choice. Luckily looking over the changelogs it doesn't
seem like that will cause us any problems though.

Thanks to Yi Zhao <yi.zhao@windriver.com> for pointing this out.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2018-05-04 23:52:51 +12:00
Paul Eggleton
b4cfb049d9 requirements.txt: bump Django and other dependency versions
Since Django 1.8 is now out of support, and we've cleaned up the issues,
bump the Django requirement to 1.11 and update other dependencies at the
same time.

Fixes [YOCTO #12696] (requires preceding commits)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2018-05-01 10:10:21 +12:00
Paul Eggleton
611c96883c requirements.txt: use the most recent Django 1.8 version
Use <1.9 to always get the most recent 1.8 point release.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2018-03-26 08:29:27 +13:00
Paul Eggleton
1aeb5bbb57 requirements.txt: update some dependency versions
Use latest tested versions (though we pin djangorestframework at 3.6.4
since that is the last version that supports Django 1.8), and add new
resulting dependencies.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2018-02-20 16:45:54 +13:00
Paul Eggleton
64a34a98c0 requirements.txt: add missing dependencies
These are dependencies of items already listed in requirements.txt, so
nothing new.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2018-02-20 16:45:54 +13:00
Diana Thayer
2e671480c7 Asynchronous email notifications, task execution
This patch adds asynchronous task execution using a Celery backend
and RabbitMQ task queue, allowing the layer submission process to
proceed even in the event that sending the notification email fails,
and establishing an asynchronous execution mechanism that we can use
in the future e.g. for triggering parse operations from the web UI.
This pertains to bug 11197:

https://bugzilla.yoctoproject.org/show_bug.cgi?id=11197

It updates the README to reflect the installation and configuration
of a basic RabbitMQ setup, adds a 'tasks.py' file to contain task
definitions, updates the 'edit_layer_view' function to send
emails to administrators about new and updated layers asynchronously,
modifies the 'settings.py' to include a default configuration
for a RabbitMQ connection, and updates the Dockerfile to start a Celery
worker alongside the Gunicorn daemon.

Fixes [YOCTO #11197].

Signed-off-by: Diana Thayer <garbados@gmail.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2017-09-01 16:59:43 +12:00
Paul Eggleton
072c7d6656 requirements.txt: update to latest tested Django version
I neglected to update this at the time I updated the README recently.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2017-01-16 13:08:18 +13:00
Paul Eggleton
f268a3cfdb Update to Django 1.8
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2016-09-20 20:37:45 +12:00
Paul Eggleton
211e2fa3a5 Drop south migrations
These cannot be used with Django 1.8 and thus we need to remove them.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2016-09-20 20:37:45 +12:00
Paul Eggleton
82c632ca2d Upgrade to Django 1.6+
I'd like to be upgrading to 1.8 but that causes problems with South, and
we're not quite ready to dispense with our existing migrations yet.

Part of the implementation for [YOCTO #9620].

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2016-06-12 11:33:08 +12:00
Alex Franco
8da2194bb6 requirements.txt: added GitPython
As it is needed for layerindex anyway

[YOCTO #7575]

Signed-off-by: Alex Franco <alejandro.franco@linux.intel.com>
2015-10-07 11:34:34 +01:00
Alexandru DAMIAN
1d84f282de adding CORS policy for the API
We add the corsheaders application in order to
enable the CORS policy for the read-only REST API.

This is needed to allow AJAX queries to the layerindex
application from a browser environment.

Signed-off-by: Alexandru DAMIAN <alexandru.damian@intel.com>
2014-09-24 11:32:34 +01:00
Alexandru DAMIAN
1c9d6be527 expose REST API for layerindex
This patch enables a read-only REST API for the layerindex
application using Django REST Framework.

The objects of types Branch, LayerBranch and LayerItem are
exposed to queries so that the layerindex application can
function as a Layer Source in Toaster.

The library dependencies are documented in the requirements.txt
file.

Signed-off-by: Alexandru DAMIAN <alexandru.damian@intel.com>
2014-09-24 11:32:34 +01:00
Alexandru DAMIAN
99b9b014db adding environment description for virtualenv
General practice influenced by heroku.com is to create
a requirements.txt documenting the python library dependencies
for the project. This allows a user to easily set up a running
environment for the project using virtualenv and pip.

Extending .gitignore to ignore venv (reserved for virtualenv
use) and vim swap files.

Signed-off-by: Alexandru DAMIAN <alexandru.damian@intel.com>
2014-09-24 11:32:34 +01:00