[Django] #17101: Add "checkdeploy" management command

Django

Oct 24, 2011, 6:28:29 PM
to django-...@googlegroups.com
#17101: Add "checkdeploy" management command
-------------------------------------+-------------------------------------
Reporter: carljm | Owner: nobody
Type: New feature | Status: new
Component: Core (Management commands) | Version: 1.3
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
There has been discussion of integrating something similar to
[http://pypi.python.org/pypi/django-secure django-secure] into Django
core, to help users check some common deployment mis-configurations. We
probably want to use a name like "checkdeploy" rather than "checksecure",
both to allow for a broader range of checks to be included, and to avoid
giving users a false sense that a successful run means their code is
secure.

This would include checking SESSION_COOKIE_SECURE,
SESSION_COOKIE_HTTPONLY, X_FRAME_OPTIONS (and the middleware); these are
all things which django-secure currently checks.

It could also include checking for common python path issues, existence of
500/404 templates (if you're using the default 404/500 handlers)...

And of course it should be pluggable so third-party apps can provide
additional checks that users can include (and users should be able to
disable built-in checks if they determine it doesn't apply to them for
whatever reason).

--
Ticket URL: <https://code.djangoproject.com/ticket/17101>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Oct 25, 2011, 12:53:17 AM
to django-...@googlegroups.com
#17101: Add "checkdeploy" management command
-------------------------------------+-------------------------------------
Reporter: carljm | Owner: nobody
Type: New feature | Status: new
Component: Core (Management commands) | Version: 1.3
| Resolution:
Severity: Normal | Triage Stage: Accepted
Keywords: | Needs documentation: 0
Has patch: 0 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by ptone):

* stage: Unreviewed => Accepted


Comment:

A couple quick thoughts to attach to this idea:

The solution should work well with automated deployment workflows; I can't
see why a management command would be limiting for this in any way - and
django-secure is already well factored to allow the checks to be used
outside of the management command context. Just mentioning.

It would be nice to support multiple outputs: in addition to the standard
human-readable console output, a machine-parseable format and a shiny
HTML grid format.

--
Ticket URL: <https://code.djangoproject.com/ticket/17101#comment:1>

Django

Aug 28, 2014, 10:35:48 AM
to django-...@googlegroups.com
#17101: Add "checkdeploy" management command
-------------------------------------+-------------------------------------
Reporter: carljm | Owner: timgraham
Type: New feature | Status: assigned
Component: Core (Management commands) | Version: master
| Resolution:
Severity: Normal | Triage Stage: Accepted
Keywords: | Needs documentation: 0
Has patch: 1 | Patch needs improvement: 1
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by timgraham):

* status: new => assigned
* needs_better_patch: 0 => 1
* has_patch: 0 => 1
* version: 1.3 => master
* owner: nobody => timgraham


Comment:

I'm working on this as part of [https://github.com/django/django/pull/3128
integrating django-secure].

I've implemented the ability to register "deployment checks" by adding
`deploy=True` to `register()`, e.g. `@register("tag_name", deploy=True)`.
These checks are only run if you pass the `--deploy` flag to `check`. So
in development you can run `manage.py check --deploy
--settings=settings_prod` to check your production settings file. Running
these checks automatically if `DEBUG` is `False` would likely give them
better visibility, but I don't see an easy way of disabling them when
testing if we did that.

[https://groups.google.com/d/topic/django-developers/t8ybImtdnpM/discussion
django-developers thread].

--
Ticket URL: <https://code.djangoproject.com/ticket/17101#comment:2>

Django

Sep 3, 2014, 12:58:07 PM
to django-...@googlegroups.com
#17101: Add --deploy option to check management command
-------------------------------------+-------------------------------------
Reporter: carljm | Owner: timgraham
Type: New feature | Status: assigned
Component: Core (Management commands) | Version: master
| Resolution:
Severity: Normal | Triage Stage: Accepted
Keywords: | Needs documentation: 0
Has patch: 1 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by timgraham):

* needs_better_patch: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/17101#comment:3>

Django

Sep 12, 2014, 3:05:52 PM
to django-...@googlegroups.com
#17101: Add --deploy option to check management command
-------------------------------------+-------------------------------------
Reporter: carljm | Owner: timgraham
Type: New feature | Status: closed
Component: Core (Management commands) | Version: master
| Resolution: fixed
Severity: Normal | Triage Stage: Accepted
Keywords: | Needs documentation: 0
Has patch: 1 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"52ef6a47269a455113d95992f868939131f9c10c"]:
{{{
#!CommitTicketReference repository=""
revision="52ef6a47269a455113d95992f868939131f9c10c"
Fixed #17101 -- Integrated django-secure and added check --deploy option

Thanks Carl Meyer for django-secure and for reviewing.

Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and
Jorge Carleitao for reviews.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/17101#comment:4>
