Commit

Merge pull request #438 from maykinmedia/deps/oaf-0.8.0
⬆️ bump open-api-framework to 0.8.0
annashamray authored Aug 23, 2024
2 parents c86ad0e + daa3ad4 commit 79591dc
Showing 7 changed files with 35 additions and 9 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/quick-start.yml
Expand Up @@ -8,7 +8,7 @@ jobs:
steps:
- name: Download docker-compose file
# todo replace branch name with master after the change is merge
run: wget https://raw.githubusercontent.com/maykinmedia/objects-api/feature/merge-docker-composes/docker-compose.yml
run: wget https://raw.githubusercontent.com/maykinmedia/objects-api/deps/oaf-0.8.0/docker-compose.yml
- name: Start docker containers
run: docker compose up -d --no-build
- name: Load fixtures
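Review bot: the `wget` URL in the "Download docker-compose file" step now points at `deps/oaf-0.8.0`, the branch this commit merges, so the quick-start job depends on a branch that is normally deleted after merge, and the `# todo replace branch name with master` comment above it is still unresolved. Point the URL at `master`, or at a tag or commit SHA so the job does not start containers from whatever the branch head happens to contain at that moment, as part of this change.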
3 changes: 2 additions & 1 deletion docker-compose.yml
Expand Up @@ -30,7 +30,8 @@ services:
# setup_configuration env vars
- OBJECTS_DOMAIN=web:8000
- OBJECTS_ORGANIZATION=Objects
- OBJECTTYPES_API_ROOT=https://objecttypes.example.com/api/v2/
- OBJECTS_OBJECTTYPES_CONFIG_ENABLE=false
# - OBJECTTYPES_API_ROOT=https://objecttypes.example.com/api/v2/
- OBJECTS_OBJECTTYPES_TOKEN=some-random-string
- DEMO_CONFIG_ENABLE=yes
- DEMO_TOKEN=demo-random-string
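Review bot: with `OBJECTS_OBJECTTYPES_CONFIG_ENABLE=false` and `OBJECTTYPES_API_ROOT` commented out, `OBJECTS_OBJECTTYPES_TOKEN=some-random-string` stays active with nothing visible here that consumes it; comment it out alongside the API root or add a comment saying why it stays. The same block keeps `DEMO_CONFIG_ENABLE=yes` with `DEMO_TOKEN=demo-random-string`, so anyone who reuses this compose file outside a local quick start runs with a token that is published in the repository; a comment telling users to replace both values would help.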
18 changes: 15 additions & 3 deletions docs/installation/config.rst
Expand Up @@ -18,6 +18,9 @@ Required

* ``SECRET_KEY``: Secret key that's used for certain cryptographic utilities. You should generate one via `miniwebtool <https://www.miniwebtool.com/django-secret-key-generator>`_.
* ``ALLOWED_HOSTS``: a comma separated (without spaces!) list of domains that serve the installation. Used to protect against Host header attacks. Defaults to: ``(empty string)``.
* ``CACHE_DEFAULT``: redis cache address for the default cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``.
* ``CACHE_AXES``: redis cache address for the brute force login protection cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``.
* ``EMAIL_HOST``: hostname for the outgoing e-mail server (this **MUST** be set when using Docker). Defaults to: ``localhost``.


Database
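Review bot: `CACHE_DEFAULT`, `CACHE_AXES` and `EMAIL_HOST` are now listed under Required but each still ends with "Defaults to: ...", so the section mixes variables that are always required with ones that are only required under Docker. Consider a separate "Required when using Docker" list, or a sentence explaining that the `localhost` defaults point at the container itself. Since `CACHE_AXES` backs the brute force login protection and shares the default `localhost:6379/0` with `CACHE_DEFAULT`, it is also worth saying whether a separate Redis database is recommended for it.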
Expand Down Expand Up @@ -55,16 +58,25 @@ Elastic APM
* ``ELASTIC_APM_TRANSACTION_SAMPLE_RATE``: By default, the agent will sample every transaction (e.g. request to your service). To reduce overhead and storage requirements, set the sample rate to a value between 0.0 and 1.0. Defaults to: ``0.1``.


Content Security Policy
-----------------------

* ``CSP_EXTRA_DEFAULT_SRC``: Extra default source URLs for CSP other than ``self``. Used for ``img-src``, ``style-src`` and ``script-src``. Defaults to: ``[]``.
* ``CSP_REPORT_URI``: URI of the``report-uri`` directive. Defaults to: ``None``.
* ``CSP_REPORT_PERCENTAGE``: Percentage of requests that get the ``report-uri`` directive. Defaults to: ``0``.
* ``CSP_EXTRA_FORM_ACTION``: Add additional ``form-action`` source to the default . Defaults to: ``[]``.
* ``CSP_FORM_ACTION``: Override the default ``form-action`` source. Defaults to: ``['"\'self\'"']``.
* ``CSP_EXTRA_IMG_SRC``: Extra ``img-src`` sources for CSP other than ``CSP_DEFAULT_SRC``. Defaults to: ``[]``.
* ``CSP_OBJECT_SRC``: ``object-src`` urls. Defaults to: ``['"\'none\'"']``.


Optional
--------

* ``SITE_ID``: The database ID of the site object. You usually won't have to touch this. Defaults to: ``1``.
* ``DEBUG``: Only set this to ``True`` on a local development environment. Various other security settings are derived from this setting!. Defaults to: ``False``.
* ``USE_X_FORWARDED_HOST``: whether to grab the domain/host from the X-Forwarded-Host header or not. This header is typically set by reverse proxies (such as nginx, traefik, Apache...). Note: this is a header that can be spoofed and you need to ensure you control it before enabling this. Defaults to: ``False``.
* ``IS_HTTPS``: Used to construct absolute URLs and controls a variety of security settings. Defaults to the inverse of ``DEBUG``.
* ``CACHE_DEFAULT``: redis cache address for the default cache. Defaults to: ``localhost:6379/0``.
* ``CACHE_AXES``: redis cache address for the brute force login protection cache. Defaults to: ``localhost:6379/0``.
* ``EMAIL_HOST``: hostname for the outgoing e-mail server. Defaults to: ``localhost``.
* ``EMAIL_PORT``: port number of the outgoing e-mail server. Note that if you're on Google Cloud, sending e-mail via port 25 is completely blocked and you should use 487 for TLS. Defaults to: ``25``.
* ``EMAIL_HOST_USER``: username to connect to the mail server. Defaults to: ``(empty string)``.
* ``EMAIL_HOST_PASSWORD``: password to connect to the mail server. Defaults to: ``(empty string)``.
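Review bot: in the added Content Security Policy section, the `CSP_REPORT_URI` entry reads "URI of the``report-uri`` directive" with no space before the literal, which reStructuredText will not render as inline code, and the `CSP_EXTRA_FORM_ACTION` entry ends "to the default ." with the noun missing. The defaults shown as `['"\'self\'"']` and `['"\'none\'"']` are escaped reprs; documenting them as `'self'` and `'none'` would tell operators what to type. If, as the two entries read together, `CSP_REPORT_URI` has no effect while `CSP_REPORT_PERCENTAGE` stays at its default of `0`, say so explicitly.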
5 changes: 4 additions & 1 deletion requirements/base.txt
Expand Up @@ -76,6 +76,7 @@ django==4.2.15
# django-appconf
# django-axes
# django-cors-headers
# django-csp
# django-filter
# django-formtools
# django-jsonform
Expand Down Expand Up @@ -111,6 +112,8 @@ django-axes==6.5.1
# via open-api-framework
django-cors-headers==4.4.0
# via open-api-framework
django-csp==3.8
# via open-api-framework
django-filter==24.2
# via
# commonground-api-common
Expand Down Expand Up @@ -235,7 +238,7 @@ notifications-api-common==0.2.2
# via
# -r requirements/base.in
# commonground-api-common
open-api-framework==0.7.1
open-api-framework==0.8.0
# via -r requirements/base.in
orderedmultidict==1.0.1
# via furl
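Review bot: the bump from `open-api-framework==0.7.1` to `0.8.0` brings in `django-csp==3.8` as a new dependency (`# via open-api-framework`), but the commit message only says "bump open-api-framework to 0.8.0". Mention the new CSP dependency and the `CSP_*` settings in the changelog or commit body, because a deployment that loads assets from other origins may need `CSP_EXTRA_DEFAULT_SRC` set after upgrading. The pins in this file carry no `--hash` entries; if the project wants pip to verify downloaded artifacts, compile the requirements with `--generate-hashes`.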
7 changes: 6 additions & 1 deletion requirements/ci.txt
Expand Up @@ -118,6 +118,7 @@ django==4.2.15
# django-appconf
# django-axes
# django-cors-headers
# django-csp
# django-filter
# django-formtools
# django-jsonform
Expand Down Expand Up @@ -161,6 +162,10 @@ django-cors-headers==4.4.0
# via
# -r requirements/base.txt
# open-api-framework
django-csp==3.8
# via
# -r requirements/base.txt
# open-api-framework
django-filter==24.2
# via
# -r requirements/base.txt
Expand Down Expand Up @@ -376,7 +381,7 @@ notifications-api-common==0.2.2
# via
# -r requirements/base.txt
# commonground-api-common
open-api-framework==0.7.1
open-api-framework==0.8.0
# via -r requirements/base.txt
orderedmultidict==1.0.1
# via
7 changes: 6 additions & 1 deletion requirements/dev.txt
Expand Up @@ -138,6 +138,7 @@ django==4.2.15
# django-appconf
# django-axes
# django-cors-headers
# django-csp
# django-debug-toolbar
# django-extensions
# django-filter
Expand Down Expand Up @@ -183,6 +184,10 @@ django-cors-headers==4.4.0
# via
# -r requirements/ci.txt
# open-api-framework
django-csp==3.8
# via
# -r requirements/ci.txt
# open-api-framework
django-debug-toolbar==4.2.0
# via -r requirements/dev.in
django-extensions==3.2.3
Expand Down Expand Up @@ -425,7 +430,7 @@ notifications-api-common==0.2.2
# via
# -r requirements/ci.txt
# commonground-api-common
open-api-framework==0.7.1
open-api-framework==0.8.0
# via -r requirements/ci.txt
orderedmultidict==1.0.1
# via
2 changes: 1 addition & 1 deletion src/objects/conf/base.py
Expand Up @@ -108,7 +108,7 @@
"OBJECTS_OBJECTTYPES_CONFIG_ENABLE", default=True, add_to_docs=False
)
OBJECTTYPES_API_ROOT = config("OBJECTTYPES_API_ROOT", "", add_to_docs=False)
if OBJECTTYPES_API_ROOT and not OBJECTTYPES_API_ROOT.endswith("/", add_to_docs=False):
if OBJECTTYPES_API_ROOT and not OBJECTTYPES_API_ROOT.endswith("/"):
OBJECTTYPES_API_ROOT = f"{OBJECTTYPES_API_ROOT.strip()}/"
OBJECTTYPES_API_OAS = config(
"OBJECTTYPES_API_OAS",
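Review bot: in the `if OBJECTTYPES_API_ROOT and not OBJECTTYPES_API_ROOT.endswith("/")` branch, `.strip()` is applied only after the `endswith` test, so a value that ends in `/` followed by whitespace fails the test and comes out with a double slash. Strip the value once before the check. The replaced condition passed `add_to_docs=False` to `str.endswith`, which raises `TypeError` for any non-empty root, so a settings test that sets `OBJECTTYPES_API_ROOT` would have caught it and is worth adding.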