diff --git a/.github/workflows/quick-start.yml b/.github/workflows/quick-start.yml
index 40aa0baa..00d21a38 100644
--- a/.github/workflows/quick-start.yml
+++ b/.github/workflows/quick-start.yml
@@ -8,7 +8,7 @@ jobs:
steps:
- name: Download docker-compose file
# todo replace branch name with master after the change is merge
- run: wget https://raw.githubusercontent.com/maykinmedia/objects-api/feature/merge-docker-composes/docker-compose.yml
+ run: wget https://raw.githubusercontent.com/maykinmedia/objects-api/deps/oaf-0.8.0/docker-compose.yml
- name: Start docker containers
run: docker compose up -d --no-build
- name: Load fixtures
diff --git a/docker-compose.yml b/docker-compose.yml
index cf49c46c..997c1395 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -30,7 +30,8 @@ services:
# setup_configuration env vars
- OBJECTS_DOMAIN=web:8000
- OBJECTS_ORGANIZATION=Objects
- - OBJECTTYPES_API_ROOT=https://objecttypes.example.com/api/v2/
+ - OBJECTS_OBJECTTYPES_CONFIG_ENABLE=false
+ # - OBJECTTYPES_API_ROOT=https://objecttypes.example.com/api/v2/
- OBJECTS_OBJECTTYPES_TOKEN=some-random-string
- DEMO_CONFIG_ENABLE=yes
- DEMO_TOKEN=demo-random-string
diff --git a/docs/installation/config.rst b/docs/installation/config.rst
index bd0009da..22f6fa0b 100644
--- a/docs/installation/config.rst
+++ b/docs/installation/config.rst
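Review bot: The new `run:` line still fetches the compose file from a hard-coded branch (`deps/oaf-0.8.0`), so the job breaks as soon as that branch is deleted, and it tests whatever that branch holds rather than the compose file of the commit being checked; the `# todo` comment right above says to switch to master, yet the commit only swaps one feature branch for another. Prefer checking the repository out and using the local file, `- uses: actions/checkout@v4` in place of the wget step, or at least fetch by the commit under test, `run: wget https://raw.githubusercontent.com/${{ github.repository }}/${{ github.sha }}/docker-compose.yml`. Either way the `# todo` comment can then be removed instead of being carried forward again. The `steps:` list continues outside the hunk.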
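Review bot: With `OBJECTS_OBJECTTYPES_CONFIG_ENABLE=false` the objecttypes configuration step is switched off and `OBJECTTYPES_API_ROOT` is commented out, but `OBJECTS_OBJECTTYPES_TOKEN=some-random-string` directly below stays active, so the file now ships a placeholder credential for a step that no longer runs. Comment it out together with the API root, `# - OBJECTS_OBJECTTYPES_TOKEN=some-random-string`, or add a line such as `# only read when OBJECTS_OBJECTTYPES_CONFIG_ENABLE is true` above it, so nobody copies the placeholder into a deployment as a "configured" value. Whether the token is still consumed while the step is disabled cannot be seen from this hunk. The `environment:` list continues outside the hunk.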
@@ -18,6 +18,9 @@ Required
* ``SECRET_KEY``: Secret key that's used for certain cryptographic utilities. You should generate one via `miniwebtool `_.
* ``ALLOWED_HOSTS``: a comma separated (without spaces!) list of domains that serve the installation. Used to protect against Host header attacks. Defaults to: ``(empty string)``.
+* ``CACHE_DEFAULT``: redis cache address for the default cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``.
+* ``CACHE_AXES``: redis cache address for the brute force login protection cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``.
+* ``EMAIL_HOST``: hostname for the outgoing e-mail server (this **MUST** be set when using Docker). Defaults to: ``localhost``.
Database
@@ -55,6 +58,18 @@ Elastic APM
* ``ELASTIC_APM_TRANSACTION_SAMPLE_RATE``: By default, the agent will sample every transaction (e.g. request to your service). To reduce overhead and storage requirements, set the sample rate to a value between 0.0 and 1.0. Defaults to: ``0.1``.
+Content Security Policy
+-----------------------
+
+* ``CSP_EXTRA_DEFAULT_SRC``: Extra default source URLs for CSP other than ``self``. Used for ``img-src``, ``style-src`` and ``script-src``. Defaults to: ``[]``.
+* ``CSP_REPORT_URI``: URI of the``report-uri`` directive. Defaults to: ``None``.
+* ``CSP_REPORT_PERCENTAGE``: Percentage of requests that get the ``report-uri`` directive. Defaults to: ``0``.
+* ``CSP_EXTRA_FORM_ACTION``: Add additional ``form-action`` source to the default . Defaults to: ``[]``.
+* ``CSP_FORM_ACTION``: Override the default ``form-action`` source. Defaults to: ``['"\'self\'"']``.
+* ``CSP_EXTRA_IMG_SRC``: Extra ``img-src`` sources for CSP other than ``CSP_DEFAULT_SRC``. Defaults to: ``[]``.
+* ``CSP_OBJECT_SRC``: ``object-src`` urls. Defaults to: ``['"\'none\'"']``.
+
+
Optional
--------
@@ -62,9 +77,6 @@ Optional
* ``DEBUG``: Only set this to ``True`` on a local development environment. Various other security settings are derived from this setting!. Defaults to: ``False``.
* ``USE_X_FORWARDED_HOST``: whether to grab the domain/host from the X-Forwarded-Host header or not. This header is typically set by reverse proxies (such as nginx, traefik, Apache...). Note: this is a header that can be spoofed and you need to ensure you control it before enabling this. Defaults to: ``False``.
* ``IS_HTTPS``: Used to construct absolute URLs and controls a variety of security settings. Defaults to the inverse of ``DEBUG``.
-* ``CACHE_DEFAULT``: redis cache address for the default cache. Defaults to: ``localhost:6379/0``.
-* ``CACHE_AXES``: redis cache address for the brute force login protection cache. Defaults to: ``localhost:6379/0``.
-* ``EMAIL_HOST``: hostname for the outgoing e-mail server. Defaults to: ``localhost``.
* ``EMAIL_PORT``: port number of the outgoing e-mail server. Note that if you're on Google Cloud, sending e-mail via port 25 is completely blocked and you should use 487 for TLS. Defaults to: ``25``.
* ``EMAIL_HOST_USER``: username to connect to the mail server. Defaults to: ``(empty string)``.
* ``EMAIL_HOST_PASSWORD``: password to connect to the mail server. Defaults to: ``(empty string)``.
diff --git a/requirements/base.txt b/requirements/base.txt
index 52d101d1..1b36d072 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -76,6 +76,7 @@ django==4.2.15
# django-appconf
# django-axes
# django-cors-headers
+ # django-csp
# django-filter
# django-formtools
# django-jsonform
@@ -111,6 +112,8 @@ django-axes==6.5.1
# via open-api-framework
django-cors-headers==4.4.0
# via open-api-framework
+django-csp==3.8
+ # via open-api-framework
django-filter==24.2
# via
# commonground-api-common
@@ -235,7 +238,7 @@ notifications-api-common==0.2.2
# via
# -r requirements/base.in
# commonground-api-common
-open-api-framework==0.7.1
+open-api-framework==0.8.0
# via -r requirements/base.in
orderedmultidict==1.0.1
# via furl
diff --git a/requirements/ci.txt b/requirements/ci.txt
index 28914eed..461167ee 100644
--- a/requirements/ci.txt
+++ b/requirements/ci.txt
@@ -118,6 +118,7 @@ django==4.2.15
# django-appconf
# django-axes
# django-cors-headers
+ # django-csp
# django-filter
# django-formtools
# django-jsonform
@@ -161,6 +162,10 @@ django-cors-headers==4.4.0
# via
# -r requirements/base.txt
# open-api-framework
+django-csp==3.8
+ # via
+ # -r requirements/base.txt
+ # open-api-framework
django-filter==24.2
# via
# -r requirements/base.txt
@@ -376,7 +381,7 @@ notifications-api-common==0.2.2
# via
# -r requirements/base.txt
# commonground-api-common
-open-api-framework==0.7.1
+open-api-framework==0.8.0
# via -r requirements/base.txt
orderedmultidict==1.0.1
# via
diff --git a/requirements/dev.txt b/requirements/dev.txt
index ace85af1..9e0a12f1 100644
--- a/requirements/dev.txt
+++ b/requirements/dev.txt
@@ -138,6 +138,7 @@ django==4.2.15
# django-appconf
# django-axes
# django-cors-headers
+ # django-csp
# django-debug-toolbar
# django-extensions
# django-filter
@@ -183,6 +184,10 @@ django-cors-headers==4.4.0
# via
# -r requirements/ci.txt
# open-api-framework
+django-csp==3.8
+ # via
+ # -r requirements/ci.txt
+ # open-api-framework
django-debug-toolbar==4.2.0
# via -r requirements/dev.in
django-extensions==3.2.3
@@ -425,7 +430,7 @@ notifications-api-common==0.2.2
# via
# -r requirements/ci.txt
# commonground-api-common
-open-api-framework==0.7.1
+open-api-framework==0.8.0
# via -r requirements/ci.txt
orderedmultidict==1.0.1
# via
diff --git a/src/objects/conf/base.py b/src/objects/conf/base.py
index c3cb36eb..df972957 100644
--- a/src/objects/conf/base.py
+++ b/src/objects/conf/base.py
@@ -108,7 +108,7 @@
"OBJECTS_OBJECTTYPES_CONFIG_ENABLE", default=True, add_to_docs=False
)
OBJECTTYPES_API_ROOT = config("OBJECTTYPES_API_ROOT", "", add_to_docs=False)
-if OBJECTTYPES_API_ROOT and not OBJECTTYPES_API_ROOT.endswith("/", add_to_docs=False):
+if OBJECTTYPES_API_ROOT and not OBJECTTYPES_API_ROOT.endswith("/"):
OBJECTTYPES_API_ROOT = f"{OBJECTTYPES_API_ROOT.strip()}/"
OBJECTTYPES_API_OAS = config(
"OBJECTTYPES_API_OAS",
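Review bot: The normalisation behind the new `if` line still strips whitespace only in the branch that appends the slash, so a value such as `" https://ot.example/api/v2/"` keeps its leading space, and `"https://ot.example/api/v2/ "` is stripped to a slash-terminated string and then gets a second slash, yielding `.../api/v2//`. Strip once when the value is read and only append afterwards: `OBJECTTYPES_API_ROOT = config("OBJECTTYPES_API_ROOT", "", add_to_docs=False).strip()`, then `if OBJECTTYPES_API_ROOT and not OBJECTTYPES_API_ROOT.endswith("/"):` / `OBJECTTYPES_API_ROOT += "/"`. Since this root is used to build the URLs the service calls, a stray space or double slash is worth ruling out at settings load rather than at request time. This is module-level settings code; the `config(` call before the hunk and the `OBJECTTYPES_API_OAS = config(` call after it both extend outside the hunk.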