Merge pull request #83 from ropable/master

Update Django to 4.2, update project dependencies, update base Docker image

.github/workflows/run-tests.yml

@@ -0,0 +1,79 @@
+name: "Run unit tests"
+
+on:
+  # Triggers the workflow on push or pull request events but only for the master branch
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  workflow_dispatch:
+
+jobs:
+  run_tests:
+    name: Run Django Tests
+    runs-on: ubuntu-latest
+    env:
+      DATABASE_URL: postgis://postgres:postgres@localhost:5432/postgres
+    services:
+      postgres:
+        image: postgis/postgis:15-3.4-alpine
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+        ports:
+          - 5432:5432
+        options: --mount type=tmpfs,destination=/var/lib/postgresql/data --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
+    steps:
+      #----------------------------------------------
+      # Install GDAL into the environment
+      #----------------------------------------------
+      - name: Install GDAL
+        id: install-gdal
+        run: |
+          sudo apt-add-repository ppa:ubuntugis/ubuntugis-unstable
+          sudo apt-get update
+          sudo apt-get install gdal-bin libgdal-dev
+      #----------------------------------------------
+      # Checkout repo and set up Python
+      #----------------------------------------------
+      - name: Check out repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        id: setup-python
+        with:
+          python-version: '3.11'
+      #----------------------------------------------
+      # Install & configure Poetry
+      #----------------------------------------------
+      - name: Install Poetry
+        uses: snok/install-poetry@v1
+        with:
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+          installer-parallel: true
+      #----------------------------------------------
+      # Load cached venv if cache exists
+      #----------------------------------------------
+      - name: Load cached venv
+        id: cached-poetry-dependencies
+        uses: actions/cache@v4
+        with:
+          path: .venv
+          key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }}
+      #----------------------------------------------
+      # Install project dependencies if cache does not exist
+      #----------------------------------------------
+      - name: Install project dependencies
+        if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
+        run: poetry install --no-interaction --no-root
+      #----------------------------------------------
+      # Run unit tests
+      #----------------------------------------------
+      - name: Run tests
+        run: |
+          source .venv/bin/activate
+          python manage.py collectstatic
+          python manage.py test --noinput --failfast --verbosity 0

Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 # Prepare the base environment.
-FROM python:3.10.13-slim AS builder_base_csw
+FROM python:3.11.9-slim AS builder_base_csw
 LABEL [email protected]
 LABEL org.opencontainers.image.source=https://github.com/dbca-wa/csw
 
@@ -27,7 +27,6 @@ RUN groupadd -g "${GID}" appuser \
 
 # Install the project.
 FROM python_libs_csw
-WORKDIR /app
 COPY catalogue ./catalogue
 COPY csw ./csw
 COPY gunicorn.py manage.py ./

README.md

@@ -11,9 +11,13 @@ environment. With Poetry installed, change into the project directory and run:
 
     poetry install
 
-To run Python commands in the virtualenv, thereafter run them like so:
+Activate the Poetry-managed virtualenv like so:
 
-    poetry run python manage.py
+    poetry shell
+
+To run Python commands in the virtualenv, thereafter run them as normal:
+
+    python manage.py
 
 Manage new or updating project dependencies with Poetry also, like so:
 
@@ -31,11 +35,11 @@ Required settings are as follows:
 
 Use `runserver` to run a local copy of the application:
 
-    poetry run python manage.py runserver 0:8080
+    python manage.py runserver 0:8080
 
 Run console commands manually:
 
-    poetry run python manage.py shell_plus
+    python manage.py shell_plus
 
 # Media uploads
 

SECURITY.md

@@ -0,0 +1,56 @@
+# Security Policy
+
+The Department of Biodiversity, Conservation and Attractions (DBCA) takes the
+security of our software products and services seriously, which includes all
+source code repositories managed through our GitHub organisation
+[dbca-wa](https://github.com/dbca-wa).
+
+This repository takes guidance relating to Secure Software Development from the
+[WA Government Cyber Security
+Policy](https://www.wa.gov.au/system/files/2022-01/WA%20Government%20Cyber%20Security%20Policy.pdf).
+
+If you believe that you have found a security vulnerability in any DBCA-managed
+repository, please report it to us as described below.
+
+## Reporting a vulnerability or security issue
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report any security vulnerabilities to
+[[email protected]](mailto:[email protected]).
+
+You should receive a response within 1-2 business days. If for some reason you
+do not, please follow up via email to ensure we received your original message.
+
+Please include the requested information listed below (as much as you can provide)
+to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly. Please note that
+we prefer all communications to be in English.
+
+## Updates related to security issues
+
+Updates and patches to this project which are related to identified security
+issues will be undertaken with reference to the "Patch applications" mitigation
+strategy as part of the [Essential Eight Maturity
+Model](https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model).
+In practice this means that patches, updates or mitigations for security
+vulnerabilites will be applied on an ongoing basis during the normal development
+cycle. In general we aim to apply mitigations within two weeks of release, or
+within 48 hours if an exploit exists.
+
+## Automated monitoring of security issues
+
+This repository makes use of automated scanning to check for known security
+issues within software dependencies and built outputs. Where security issues
+are identified within project dependencies and/or outputs, updates to mitigate
+those issues will be incorporated into our normal development cycle and
+mitigated as soon as practical.

csw/settings.py

@@ -1,9 +1,11 @@
-from dbca_utils.utils import env
-import dj_database_url
 import os
-from pathlib import Path
 import sys
+from pathlib import Path
 
+import dj_database_url
+from dbca_utils.utils import env
+
+# Project paths
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = str(Path(__file__).resolve().parents[1])
 PROJECT_DIR = str(Path(__file__).resolve().parents[0])
@@ -14,8 +16,11 @@
 DEBUG = env('DEBUG', False)
 SECRET_KEY = env('SECRET_KEY', 'PlaceholderSecretKey')
 CSRF_COOKIE_SECURE = env('CSRF_COOKIE_SECURE', False)
-CSRF_COOKIE_HTTPONLY = env('CSRF_COOKIE_HTTPONLY', False)
+CSRF_TRUSTED_ORIGINS = env('CSRF_TRUSTED_ORIGINS', 'http://127.0.0.1').split(',')
 SESSION_COOKIE_SECURE = env('SESSION_COOKIE_SECURE', False)
+SECURE_SSL_REDIRECT = env('SECURE_SSL_REDIRECT', False)
+SECURE_REFERRER_POLICY = env('SECURE_REFERRER_POLICY', None)
+SECURE_HSTS_SECONDS = env('SECURE_HSTS_SECONDS', 0)
 if not DEBUG:
     ALLOWED_HOSTS = env('ALLOWED_HOSTS', 'localhost').split(',')
 else:
@@ -24,9 +29,6 @@
 ROOT_URLCONF = 'csw.urls'
 WSGI_APPLICATION = 'csw.wsgi.application'
 DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'
-BASE_URL = env('BASE_URL', 'https://csw.dbca.wa.gov.au')
-BORG_URL = env('BORG_URL', 'https://borg.dbca.wa.gov.au')
-CORS_URL = env('CORS_URL', 'https://sss.dbca.wa.gov.au')
 
 # Assume Azure blob storage is used for media uploads, unless explicitly set as local storage.
 LOCAL_MEDIA_STORAGE = env('LOCAL_MEDIA_STORAGE', False)
@@ -40,6 +42,10 @@
     AZURE_CONTAINER = env('AZURE_CONTAINER', 'container')
     AZURE_URL_EXPIRATION_SECS = env('AZURE_URL_EXPIRATION_SECS', 3600)  # Default one hour.
 
+BASE_URL = env('BASE_URL', 'https://csw.dbca.wa.gov.au')
+BORG_URL = env('BORG_URL', 'https://borg.dbca.wa.gov.au')
+CORS_URL = env('CORS_URL', 'https://sss.dbca.wa.gov.au')
+
 INSTALLED_APPS = [
     'django.contrib.admin',
     'django.contrib.auth',
@@ -90,6 +96,9 @@
     },
 ]
 
+LOGIN_URL = '/login/'
+LOGIN_REDIRECT_URL = '/'
+
 
 # Database configuration
 DATABASES = {