The new library is already supported in django 3.2 and gives us better
support for IPv6 addresses and encrypted connections.
Also, the same library is being used by all other OpenStack projects.
Depends-on: https://review.opendev.org/c/openstack/devstack/+/898302
Closes-Bug: #2039225
Change-Id: I964ac4d0d62dff4c1f7c1f1373763fbf23024269
The COMPRESS_CSS_FILTERS option was deprecated in django-compressor
v2.4[1] and causes the following warning message.
```
DeprecationWarning: COMPRESS_CSS_FILTERS setting is deprecated and will
be removed in django-compressor 3.0. Use COMPRESS_FILTERS instead.
```
[1] https://django-compressor.readthedocs.io/en/2.4/changelog/#v2-4-2019-12-02
Change-Id: Ib87906faab507540ba57ee3a1a30c6fc4a92f835
The Multiple Simultaneous Logins Control is a feature designed
for securing Horizon dashboard sessions. The default Horizon
configuration allows the same user to login several times
(e.g. different browsers) simultaneously, that is, the same user
can have more than one active session for Horizon dashboard. When
there is the need to control the active sessions that one user can
have simultaneously, it will be possible to configure the Horizon dashboard
to disallow more than one active session per user. When multiple simultaneously
sessions are disabled, the most recent authenticated session will be considered
the valid one and the previous session will be invalidated.
The following manual tests encompass both simulteaneous session control
configuration: 'allow' and 'disconnect' and were verified with this code
change before submitting it:
Test Plan:
PASS: Verify that a user is able to login to Horizon dashboard (when
configuration is 'disconnect')
PASS: Verify that a user is able to start a second Horizon dashboard
session and the first session is finished (when configuration is
'disconnect')
Failure Path:
PASS: Verify that when a user fails to authenticate a second Horizon
dashboard session the first session stills active (when configuration is
'disconnect')
Regression:
PASS: Verify that a user is able to login to Horizon dashboard (when
configuration is default: 'allow')
PASS: Verify that a user is able to start multiple simultaneous Horizon
dashboard sessions (when configuration is default: 'allow')
Implements: blueprint handle-multiple-login-sessions-from-same-user-in-horizon
Signed-off-by: Hugo Brito <hugo.brito@windriver.com>
Co-authored-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Change-Id: I8462aa98398dd8f27fe24d911c9bfaa7f303eb93
django.utils.translation.ugettext(), ugettext_lazy(), ugettext_noop(),
ungettext(), and ungettext_lazy() are deprecated in favor of the
functions that they’re aliases for: django.utils.translation.gettext(),
gettext_lazy(), gettext_noop(), ngettext(), and ngettext_lazy().
https://docs.djangoproject.com/en/4.0/releases/3.0/#id3
Change-Id: I77878f84e9d10cf6a136dada81eabf4e18676250
django-pyscss is not compatible with Django 3.0.
django_pyscss_fix is a temporary workaround for django.utils.six
used in django-pyscss. It also add six in requirements.txt
as we use six module for this workaround.
This is just to run horizon for testing with Django 3.0+.
six is re-added to requirements.txt as it is used in the workaround.
Note that other codes in the horizon repo should not depend on six.
Change-Id: If79289b7518dd8eaf292a90d6fb790beb154cb7c
Fix tempest jobs to properly use tempest-horizon as tempest-plugin in
job configuration.
Flake8 3.8.0 fixed a few bugs so that additional issues are marked, fix
these.
Co-Authored-By: Andreas Jaeger <aj@suse.com>
Change-Id: I2aca3286ea2cc1ade567087786781952489d6efa
neutron 'quota_details' extension was added in Pike to provide
a convenient way to retrieve resource usage in neutron without listing
individual resources. It was added in Pike release and we will have
six releases since then once Ussuri release is shipped. Enough time has
passed to migrate it to the new mechanism, so it is time to deprecate
the legacy way for future cleanup.
Change-Id: Ie0b4613bf9fdcd96481b3bb1139b4fb153bfef83
openstack_dashboard/settings.py defines a custom formatwarning function,
but it looks unnecessary. When using the custom function, there are
downsides: locations which cause warnings are not shown, and
no newline is added at the end of warning messages.
Change-Id: Ibd331dc77026ed8ca812822b08253650bcb140bc
This reverts commit 4e911e2889.
We don't need this change on the latest master. I'm unable to reproduce
an original bug without this patch.
Closes-Bug: #1834167
Change-Id: Iaffdb64fb0bc58525554ac9d40d2aeadb0876ffd
This patch allows administrators to set disk_formats only for glance,
while horizon will retrieve list of supported formats from glance API.
IMAGE_BACKEND_SETTINGS still may be used to redefine display name
of the format or additionally limit list of availble ones.
Change-Id: Ia4ea513023895f4ad2a87f91e3d2837c7668d9ae
Closes-Bug: 1853822
It seems hacking 2.0.0 was shipped with incompatible changes
(which is not surprising as this is a new major version).
Let's fix these errors and use a newer hacking.
Change-Id: I8da9dca5d8d74f6dfc2340dabc8d50e6253358e2
Some remaining default values of openstack_dashboard are still defined
in settings.py. This commit moves them to openstack_dashboard/defaults.py.
If the default values are same as those defined in horizon,
they are just dropped.
Part of blueprint ini-based-configuration
Change-Id: I723a8f9064450972d4510ac9e8b423f3041d1cac
test_parse_isotime_filter in test_filters is updated to match
TIME_ZONE=UTC. Previously TIME_ZONE was not set in horizon.test.settings
and the default value America/Chicago was used. Horizon uses UTC as the
default value of TIME_ZONE, so it is better to use UTC for testing too.
horizon settings in openstack_dashboard.settings are moved to
under horizon.
Part of blueprint ini-based-configuration
Change-Id: I9abdbbe0dcefc08ffea61143e3c0a87ed87b2e2a
This commit also moves descriptions of settings defined in openstack_auth
from openstack_dashboard/settings.py and local_settings.py(.example)
to openstack_auth/settings.py.
Note that if openstack_dashboard has different default settings
from openstack_auth defaults, they are now moved to
openstack_dashboard/defaults.py.
Part of blueprint ini-based-configuration
Change-Id: I59eebc388de0bcbd4d1fe35c6138efbd3e04c5b8
This commit mainly covers settings in the remaining files
under openstack_dashboard.
Note that HORIZON_CONFIG, horizon and openstack_auth are not covered.
They will be covered by follow-up patches.
Part of blueprint ini-based-configuration
Change-Id: Ibd70e030445a073d9a62da9867850f4893135a89
This commit mainly covers settings
in openstack_dashboard/dashboards/project/.
Part of blueprint ini-based-configuration
Change-Id: I22413d2fe20576a507634dc4e2d0354c7db8800a
Set absolute paths in the LOCALE_PATHS configuration param to allow
Django work with current supported locales.
Change-Id: I62fffe04860b7b4b63f227ad99729ab4e8384d8f
Related-Bug: #1818639
Closes-Bug: #1830886
SHOW_KEYSTONE_V2_RC is deprecated since Stein release and it's safe
to remove it now.
Keystone v2 support removal will be implemented in a follow up patch.
Change-Id: Ib3098789a3aef47f4f4b84fd56f03376ce2ea96f
Cinder consistency group has been replaced by the generic group feature.
Horizon support of the generic group (in the project dashboard) is
available since Rocky release and it covers all existing support
for consistency group in horizon.
The consistency group support is horizon was marked as deprecated
in Stein release [1].
This commit drops the consistency group support.
[1] https://review.openstack.org/#/c/626846/
Change-Id: I11187d2b03b7e0033a6c6ba3f8be25b8b5e4dd74
Currently horizon defines default values of settings in the logic
using getattr(settings, <setting name>, <default value>) and
it is not easy to handle the default values of available settings.
This commit starts the effort to define default settings explicitly.
This is a preparation for ini-based-configurations.
It covers settings in openstack_dashboard/api.
Part of blueprint ini-based-configuration
Change-Id: Id4c3287f0a572fd14ea93b54bcab8fabda39e583
openstack_dashboard/context_processors.py:94:15: C0122: Comparison should be link['url'] != 'horizon:project:api_access:openrcv2' (misplaced-comparison-constant)
openstack_dashboard/settings.py:467:4: C0412: Imports from package horizon are not grouped (ungrouped-imports)
openstack_dashboard/enabled/_1370_project_vg_snapshots.py:9:0: C0301: Line too long (86/80) (line-too-long)
openstack_dashboard/enabled/_1360_project_volume_groups.py:9:0: C0301: Line too long (85/80) (line-too-long)
openstack_dashboard/usage/base.py:62:8: W0106: Expression "[instance_list.extend(u.server_usages) for u in self.usage_list]" is assigned to nothing (expression-not-assigned)
openstack_dashboard/dashboards/project/images/utils.py:43:12: W0106: Expression "[public_images.append(image) for image in images]" is assigned to nothing (expression-not-assigned)
openstack_dashboard/dashboards/project/images/utils.py:75:12: W0106: Expression "[community_images.append(image) for image in images]" is assigned to nothing (expression-not-assigned)
openstack_dashboard/api/glance.py:47:4: C0412: Imports from package glanceclient are not grouped (ungrouped-imports)
openstack_dashboard/api/cinder.py:60:4: C0412: Imports from package cinderclient are not grouped (ungrouped-imports)
openstack_auth/user.py:358:4: E0211: Method has no argument (no-method-argument)
openstack_auth/user.py:362:4: E0211: Method has no argument (no-method-argument)
openstack_dashboard/api/keystone.py:75:4: C0412: Imports from package keystoneclient are not grouped (ungrouped-imports)
horizon/loaders.py:43:16: W0706: The except handler raises immediately (try-except-raise)
horizon/themes.py:174:8: W0706: The except handler raises immediately (try-except-raise)
Change-Id: I40cf3ffbc4519657e11180d2e2fe7401387c5556
This commit changes the default SESSION_ENGINE to the cached
sessions and the default cached backend to memcached.
The cached sessions with memcahced is our current recommendation, but
we do not use it in our default settings and do not test it in our CI
(horizon-dsvm-tempest-plugin). It is better to use the recommended
configurations in our CI.
The previous default SESSION_ENGINE, the signed cookies, has
a limitation on the length o cookies and using keystone3 can hit this
easily. It is not ready for production for most cases.
For a cache backend, considering multi-process web server deployments,
memcahced is recommended rather than a local memory backend.
Note for developers: If you use "tox -e runserver" for developments,
SESSION_ENGINE = 'django.contrib.sessions.backends.cache' might not
work expectedly. From my testing, I was forced to log-in frequently
when moving pages. If you hit this, my suggestion is to configure
SESSION_ENGINE to django.contrib.sessions.backends.signed_cookies.
Change-Id: I1c4578ec5a7f70a59c6348d76ad0c12956a18573
Closes-Bug: #1736021
Add a new config SESSION_REFRESH (default True) which
turns SESSION_TIMEOUT into an idle timeout rather than
a hard timeout.
The existing hard timeout is awful UX, and while
SESSION_TIMEOUT could be set to a higher value, it
still makes for a somewhat unpleasant experience.
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Change-Id: Icc6942e62c4e8d2fac57988b0a2233a8073b1944
Operators now can control whether the links of "Download OpenRC" and
"Download clouds.yaml" are displayed or not via new settings
SHOW_OPENRC_FILE and SHOW_OPENSTACK_CLOUDS_YAML.
openrc and clouds.yaml files provided by horizon now assume
the basic simple deployment and do not cover keystone authentication
like saml2, openid and so on. The default openrc and clouds.yaml
from horizon do not make sense for such environments.
Change-Id: I1407a24387c7d7bd2c20c995cebf1350f8090e72
Partial-Bug: #1795851
In favor of keystone v2 support, SHOW_KEYSTONE_V2_RC now defaults
to False. SHOW_KEYSTONE_V2_RC setting is also deprecated.
Along with this change, "v3" part of "OpenStack RC File (Identity API v3)"
is now unnecessary, so "v3" information is dropped.
Change-Id: If0359e2dc1f2c8fb5f3c87046fd23043f94abc21
Django looks for and uses if it exists a locale directory in each of
the installed apps listed in INSTALLED_APPS [1]. horizon and
openstack_dashboard are specified in INSTALLED_APPS, so there is no need
to specify horizon/locale and openstack_dashboard/locale explicitly.
We can drop them without any side-effect.
[1] https://docs.djangoproject.com/en/1.11/topics/i18n/translation/#javascript-catalog-view
Change-Id: Ibe364b2a16894a51fe17411f29a326aef621472c
Related-Bug: #1804289
The "request" attribute is not available in
openstack_auth.backend.KeystoneBackend.get_user when session data is restored
and it's the first request to happen after a server restart.
As stated by the function document, the "request" attribute needs to be
monkey-patched by openstack_auth.utils.patch_middleware_get_user
for this function to work properly.
This should happen in openstack_auth.urls at import time. But there is nowhere
in Horizon where this module is imported at startup. It's only introspected
by openstack_dashboard.urls due to AUTHENTICATION_URLS setting.
Without this monkey-patching, the whole authentication mechanism falls back
to "AnonymousUser" and you will get redirected to the login page due
to horizon.exceptions.NotAuthenticated being raised by
horizon.decorators.require_auth as request.user.is_authenticated will be False.
But if a user requests a page under auth/, it will have the side-effect of
monkey-patching django.contrib.auth.middleware as expected. This means that
once this request is completed, all following requests to pages other than
the ones under auth/ will have there sessions properly restored and
you will be properly authenticated.
Therefore this change introduces a dummy middleware which sole purpose is
to perform this monkey-patching as early as possible.
There is also some cleanup to get rid of the previous attempts at
monkeypatching.
Closes-bug: #1764622
Change-Id: Ib9912090a87b716e7f5710f6f360b0df168ec2e3
memoized now operates as a LRU cache that additionally uses
weakrefs to clear keys.
The max_size of the LRU cache can be set per decorated
function when defined, but a global default can be set too.
Change-Id: I431d61283cd613f09664f8f370dd3fd126fc724f
BREACH is a category of vulnerabilities and not a specific
instance affecting a specific piece of software. To be vulnerable,
a web application must:
* Be served from a server that uses HTTP-level compression
* Reflect user-input in HTTP response bodies
* Reflect a secret (such as a CSRF token) in HTTP response bodies
More details on breach attack - http://breachattack.com/
Since horizon falls under this category, we can include django-debreach
module within horizon as a requirement which provides mitigation against the breach attacks.
https://github.com/lpomfrey/django-debreach
CSRF token masking is a built-in feature within Django 1.10+,
therefore only content-length modification feature provided by django-debreach
can be enabled.
Depends-On: I32f11e089fc794444ef267b463c7fb2ad8cfa96a
Change-Id: I2b4999ca7b0e1762c5273c4fe96f5ee768f44339
Blueprint: mitigate-breach-attacks
In scenarios where the cloud operators have only a single Identity Provider,
we can have a default redirection to remove unnecessary user clicks and
improve user experience.
Closes-bug: #1784368
Change-Id: I251703dcaeac43174fbcba7e0658c6f92098b2e0
Nose has been in maintenance mode for the past several years. It has
issue with exit code [1] which leads to false positive results for our
seleniun-headless job.
This patch changes test runner for Horizon tests and does the following
things:
* Django test runner executes test in a different order than Nose does.
That's why we've got an issue with side-effect in
horizon.tests.unit.tables.test_tables.MyToggleAction class. This patch
adds workaround to it.
* Rename filename of test files to names starting with 'test_'
so that the django test runner can find tests expectedly.
* '--with-html-output' option is temporary dropped and will be added in
a following patch.
* Integraion tests is marked via django.test.tag mechanism which is
introduced in Django 1.10
* 'selenium-headless' is broken now because we don't have geckodriver on
gates, this patch makes it non-voting.
* 'tox -e cover' is fixed
* Remove @memorized decorator from
dashboards.project.images.images.tables.filter_tenant_ids function.
[1] https://github.com/nose-devs/nose/issues/984
Depends-On: https://review.openstack.org/572095
Depends-On: https://review.openstack.org/572124
Depends-On: https://review.openstack.org/572390
Depends-On: https://review.openstack.org/572391
Related blueprint: improve-horizon-testing
Change-Id: I7fb2fd7dd40f301ea822154b9809a9a07610c507
Radomir Dopieralski