gwc-pybundle 2.1.2__py3-none-any.whl

pybundle/steps/django_checks.py

@@ -0,0 +1,214 @@
+"""
+Step: Django System Checks
+Run Django's built-in system checks for security and deployment best practices.
+"""
+
+import subprocess
+import re
+from pathlib import Path
+from typing import Dict, List, Tuple
+
+from .base import Step, StepResult
+
+
+class DjangoSystemChecksStep(Step):
+    """Run Django system checks and parse results."""
+
+    name = "django checks"
+
+    def run(self, ctx: "BundleContext") -> StepResult:  # type: ignore[name-defined]
+        """Run Django system checks."""
+        import time
+
+        start = time.time()
+
+        root = ctx.root
+
+        # Check if Django is installed and project has manage.py
+        manage_py = self._find_manage_py(root)
+        if not manage_py:
+            elapsed = int(time.time() - start)
+            return StepResult(
+                self.name, "SKIP", elapsed, "No Django project found (manage.py not detected)"
+            )
+
+        # Run Django system checks
+        checks_output = self._run_django_checks(manage_py)
+
+        # Also run deploy checks
+        deploy_output = self._run_django_deploy_checks(manage_py)
+
+        # Parse results
+        checks_issues = self._parse_check_output(checks_output)
+        deploy_issues = self._parse_check_output(deploy_output)
+
+        # Generate report
+        lines = [
+            "=" * 80,
+            "DJANGO SYSTEM CHECKS REPORT",
+            "=" * 80,
+            "",
+        ]
+
+        lines.extend(
+            [
+                "SUMMARY",
+                "=" * 80,
+                f"Django project: {manage_py}",
+                "",
+            ]
+        )
+
+        # General checks
+        lines.extend(
+            [
+                "GENERAL SYSTEM CHECKS",
+                "-" * 80,
+                "",
+            ]
+        )
+
+        if checks_issues:
+            lines.append(f"Found {len(checks_issues)} issue(s):")
+            lines.append("")
+            for level, msg, hint in checks_issues:
+                icon = "⚠" if level.upper() == "WARNING" else "✗" if level.upper() == "ERROR" else "ℹ"
+                lines.append(f"  {icon} [{level.upper()}] {msg}")
+                if hint:
+                    lines.append(f"      Hint: {hint}")
+            lines.append("")
+        else:
+            lines.append("✓ All general checks passed")
+            lines.append("")
+
+        # Deployment checks
+        lines.extend(
+            [
+                "DEPLOYMENT BEST PRACTICES (--deploy mode)",
+                "-" * 80,
+                "",
+            ]
+        )
+
+        if deploy_issues:
+            lines.append(f"Found {len(deploy_issues)} issue(s):")
+            lines.append("")
+            for level, msg, hint in deploy_issues:
+                icon = "⚠" if level.upper() == "WARNING" else "✗" if level.upper() == "ERROR" else "ℹ"
+                lines.append(f"  {icon} [{level.upper()}] {msg}")
+                if hint:
+                    lines.append(f"      Hint: {hint}")
+            lines.append("")
+        else:
+            lines.append("✓ All deployment checks passed")
+            lines.append("")
+
+        # Recommendations
+        lines.extend(
+            [
+                "=" * 80,
+                "DEPLOYMENT READINESS CHECKLIST",
+                "=" * 80,
+                "",
+                "Security Settings:",
+                "  ☐ DEBUG = False in production",
+                "  ☐ SECRET_KEY set to secure random value",
+                "  ☐ ALLOWED_HOSTS configured",
+                "  ☐ SECURE_HSTS_SECONDS >= 31536000 (1 year)",
+                "  ☐ SESSION_COOKIE_SECURE = True",
+                "  ☐ SESSION_COOKIE_HTTPONLY = True",
+                "  ☐ CSRF_COOKIE_SECURE = True",
+                "  ☐ CSRF_COOKIE_HTTPONLY = True",
+                "",
+                "Database:",
+                "  ☐ Using production-grade database (not SQLite)",
+                "  ☐ Database connections configured with SSL",
+                "  ☐ Database backups automated",
+                "",
+                "Static & Media:",
+                "  ☐ STATIC_ROOT configured",
+                "  ☐ Static files collected (./manage.py collectstatic)",
+                "  ☐ MEDIA_ROOT and MEDIA_URL configured",
+                "",
+                "Logging:",
+                "  ☐ LOGGING configured for production",
+                "  ☐ Error emails configured (ADMINS)",
+                "  ☐ Log files retention policy set",
+                "",
+                "Performance:",
+                "  ☐ Database connection pooling enabled",
+                "  ☐ Caching configured (Redis/Memcached)",
+                "  ☐ Compression enabled (gzip, brotli)",
+                "",
+            ]
+        )
+
+        # Write report
+        output = "\n".join(lines)
+        dest = ctx.workdir / "logs" / "150_django_checks.txt"
+        dest.parent.mkdir(parents=True, exist_ok=True)
+        dest.write_text(output, encoding="utf-8")
+
+        elapsed = int(time.time() - start)
+        return StepResult(self.name, "OK", elapsed, "")
+
+    def _find_manage_py(self, root: Path) -> Path | None:
+        """Find Django's manage.py file."""
+        # Check root
+        if (root / "manage.py").exists():
+            return root / "manage.py"
+
+        # Check common locations
+        for subdir in [".", "src", "app", "django_app"]:
+            candidate = root / subdir / "manage.py"
+            if candidate.exists():
+                return candidate
+
+        return None
+
+    def _run_django_checks(self, manage_py: Path) -> str:
+        """Run basic Django checks."""
+        try:
+            result = subprocess.run(
+                ["python", str(manage_py), "check"],
+                capture_output=True,
+                text=True,
+                timeout=10,
+                cwd=manage_py.parent,
+            )
+            return result.stdout + result.stderr
+        except Exception:
+            return ""
+
+    def _run_django_deploy_checks(self, manage_py: Path) -> str:
+        """Run Django deployment checks."""
+        try:
+            result = subprocess.run(
+                ["python", str(manage_py), "check", "--deploy"],
+                capture_output=True,
+                text=True,
+                timeout=10,
+                cwd=manage_py.parent,
+            )
+            return result.stdout + result.stderr
+        except Exception:
+            return ""
+
+    def _parse_check_output(self, output: str) -> List[Tuple[str, str, str]]:
+        """Parse Django check output."""
+        issues = []
+
+        lines = output.split("\n")
+        for line in lines:
+            # Pattern: "WARNING (security.W001): ..."
+            match = re.search(r"(ERROR|WARNING|INFO)\s+\((\w+)\):\s+(.*?)(?:\nHint|$)", line)
+            if match:
+                level, code, msg = match.groups()
+                hint = ""
+                # Try to extract hint from next line
+                idx = lines.index(line) if line in lines else -1
+                if idx >= 0 and idx + 1 < len(lines) and "Hint:" in lines[idx + 1]:
+                    hint = lines[idx + 1].replace("Hint:", "").strip()
+                issues.append((level, f"{msg} ({code})", hint))
+
+        return issues

pybundle/steps/dockerfile_lint.py

@@ -0,0 +1,282 @@
+"""
+Step: Dockerfile Linting
+Validate Dockerfile best practices using hadolint.
+"""
+
+import subprocess
+import re
+from pathlib import Path
+from typing import List, Dict
+
+from .base import Step, StepResult
+
+
+class DockerfileLintStep(Step):
+    """Lint Dockerfiles for best practices using hadolint."""
+
+    name = "dockerfile lint"
+
+    def run(self, ctx: "BundleContext") -> StepResult:  # type: ignore[name-defined]
+        """Run hadolint on all Dockerfiles found."""
+        import time
+
+        start = time.time()
+
+        # Find all Dockerfiles (exact name or name with .suffix)
+        dockerfiles = []
+        for pattern in ["Dockerfile", "dockerfile", "Dockerfile.*", "dockerfile.*"]:
+            dockerfiles.extend(ctx.root.rglob(pattern))
+        
+        # Filter to files that are actually Dockerfiles (exclude .py, .pyc, etc)
+        seen = set()
+        unique_dockerfiles = []
+        for df in dockerfiles:
+            if df.is_file():
+                # Skip if it's clearly not a Dockerfile (has a code extension)
+                if df.suffix in [".py", ".pyc", ".pyo", ".pyw", ".pyd"]:
+                    continue
+                
+                key = str(df).lower()
+                if key not in seen:
+                    seen.add(key)
+                    unique_dockerfiles.append(df)
+
+        if not unique_dockerfiles:
+            elapsed = int(time.time() - start)
+            return StepResult(self.name, "SKIP", elapsed, "No Dockerfiles found")
+
+        # Check if hadolint is available
+        hadolint_path = None
+        try:
+            result = subprocess.run(
+                ["which", "hadolint"],
+                capture_output=True,
+                text=True,
+            )
+            if result.returncode == 0:
+                hadolint_path = result.stdout.strip()
+        except FileNotFoundError:
+            pass
+
+        # Generate report
+        lines = [
+            "=" * 80,
+            "DOCKERFILE LINTING REPORT",
+            "=" * 80,
+            "",
+            f"Dockerfiles found: {len(unique_dockerfiles)}",
+            "",
+        ]
+
+        # List dockerfiles
+        lines.extend(
+            [
+                "=" * 80,
+                "DOCKERFILES",
+                "=" * 80,
+                "",
+            ]
+        )
+
+        for df in sorted(unique_dockerfiles):
+            rel_path = df.relative_to(ctx.root)
+            lines.append(f"  - {rel_path}")
+            
+            # Show file size
+            try:
+                size = df.stat().st_size
+                lines.append(f"    Size: {size} bytes")
+            except OSError:
+                pass
+
+        lines.append("")
+
+        # Run hadolint if available
+        if hadolint_path:
+            lines.extend(
+                [
+                    "=" * 80,
+                    "HADOLINT RESULTS",
+                    "=" * 80,
+                    "",
+                ]
+            )
+
+            hadolint_issues: Dict[str, List[str]] = {}
+            total_warnings = 0
+            total_errors = 0
+
+            for df in sorted(unique_dockerfiles):
+                rel_path = df.relative_to(ctx.root)
+                
+                try:
+                    result = subprocess.run(
+                        [hadolint_path, str(df)],
+                        capture_output=True,
+                        text=True,
+                        timeout=30,
+                    )
+
+                    output = result.stdout + result.stderr
+                    if output.strip():
+                        issues = self._parse_hadolint_output(output)
+                        if issues:
+                            hadolint_issues[str(rel_path)] = issues
+                            
+                            # Count issue types
+                            for issue in issues:
+                                if "warning" in issue.lower() or "note" in issue.lower():
+                                    total_warnings += 1
+                                elif "error" in issue.lower():
+                                    total_errors += 1
+
+                except subprocess.TimeoutExpired:
+                    lines.append(f"⚠ Timeout analyzing {rel_path}")
+                except Exception as e:
+                    lines.append(f"⚠ Error analyzing {rel_path}: {e}")
+
+            if hadolint_issues:
+                lines.append(f"Total issues found: {total_errors} error(s), {total_warnings} warning(s)")
+                lines.append("")
+
+                for dockerfile, issues in sorted(hadolint_issues.items()):
+                    lines.append(f"\n{dockerfile}:")
+                    lines.append("-" * 80)
+                    for issue in issues:
+                        lines.append(f"  {issue}")
+            else:
+                lines.append("✓ No issues found")
+                lines.append("")
+
+        else:
+            lines.extend(
+                [
+                    "=" * 80,
+                    "HADOLINT RESULTS",
+                    "=" * 80,
+                    "",
+                    "⚠ hadolint not installed. Install with: pip install hadolint-py",
+                    "  or via system package manager for full features.",
+                    "",
+                ]
+            )
+
+        # Dockerfile content analysis
+        lines.extend(
+            [
+                "=" * 80,
+                "DOCKERFILE ANALYSIS",
+                "=" * 80,
+                "",
+            ]
+        )
+
+        analysis = self._analyze_dockerfiles(unique_dockerfiles, ctx.root)
+
+        if analysis["uses_multistage"]:
+            lines.append("✓ Multi-stage builds detected")
+        else:
+            lines.append("⚠ No multi-stage builds detected")
+
+        if analysis["uses_user"]:
+            lines.append("✓ Non-root user configured")
+        else:
+            lines.append("⚠ No non-root user found (security risk)")
+
+        if analysis["pinned_versions"]:
+            lines.append(f"✓ Pinned base images: {analysis['pinned_versions']}")
+        else:
+            lines.append("⚠ Unpinned base image versions detected")
+
+        if analysis["has_healthcheck"]:
+            lines.append("✓ HEALTHCHECK configured")
+        else:
+            lines.append("⚠ No HEALTHCHECK found")
+
+        if analysis["use_args"]:
+            lines.append(f"✓ ARG variables: {analysis['use_args']}")
+
+        lines.append("")
+
+        # Best practices recommendations
+        lines.extend(
+            [
+                "=" * 80,
+                "RECOMMENDATIONS",
+                "=" * 80,
+                "",
+            ]
+        )
+
+        if not analysis["uses_multistage"]:
+            lines.append("  - Consider using multi-stage builds to reduce final image size")
+        if not analysis["uses_user"]:
+            lines.append("  - Add RUN groupadd -r appuser && useradd -r -g appuser appuser")
+            lines.append("    and USER appuser for security")
+        if not analysis["pinned_versions"]:
+            lines.append("  - Pin base image versions (use specific tags, not 'latest')")
+        if not analysis["has_healthcheck"]:
+            lines.append("  - Add HEALTHCHECK instruction for production containers")
+
+        lines.append("")
+
+        # Write report
+        output = "\n".join(lines)
+        dest = ctx.workdir / "logs" / "105_dockerfile_lint.txt"
+        dest.parent.mkdir(parents=True, exist_ok=True)
+        dest.write_text(output, encoding="utf-8")
+
+        elapsed = int(time.time() - start)
+        return StepResult(self.name, "OK", elapsed, "")
+
+    def _parse_hadolint_output(self, output: str) -> List[str]:
+        """Parse hadolint output and extract issue lines."""
+        issues = []
+        for line in output.split("\n"):
+            line = line.strip()
+            if line and not line.startswith("=="):
+                issues.append(line)
+        return issues
+
+    def _analyze_dockerfiles(self, dockerfiles: List[Path], root: Path) -> Dict:
+        """Perform static analysis of Dockerfile content."""
+        analysis = {
+            "uses_multistage": False,
+            "uses_user": False,
+            "pinned_versions": 0,
+            "has_healthcheck": False,
+            "use_args": 0,
+        }
+
+        for dockerfile in dockerfiles:
+            try:
+                content = dockerfile.read_text(encoding="utf-8", errors="ignore")
+
+                # Check for multi-stage
+                if "FROM" in content and content.count("FROM") > 1:
+                    analysis["uses_multistage"] = True
+
+                # Check for USER instruction
+                if re.search(r"^\s*USER\s+\w+", content, re.MULTILINE):
+                    if not "USER root" in content or "USER appuser" in content or "USER app" in content:
+                        analysis["uses_user"] = True
+
+                # Check for pinned versions
+                from_pattern = re.findall(r"FROM\s+([^\s]+)", content)
+                for from_ref in from_pattern:
+                    # Check if has tag (not latest or missing)
+                    if ":" in from_ref and not from_ref.endswith(":latest"):
+                        analysis["pinned_versions"] += 1
+
+                # Check for HEALTHCHECK
+                if "HEALTHCHECK" in content:
+                    analysis["has_healthcheck"] = True
+
+                # Count ARG instructions
+                arg_count = len(re.findall(r"^\s*ARG\s+", content, re.MULTILINE))
+                analysis["use_args"] += arg_count
+
+            except (OSError, UnicodeDecodeError):
+                continue
+
+        return analysis