plain 0.4.1__py3-none-any.whl → 0.11.0__py3-none-any.whl

plain/cli/cli.py

@@ -5,6 +5,7 @@ import shutil
 import subprocess
 import sys
 import traceback
+from importlib.metadata import entry_points
 from importlib.util import find_spec
 from pathlib import Path
 
@@ -14,7 +15,9 @@ from click.core import Command, Context
 import plain.runtime
 from plain import preflight
 from plain.assets.compile import compile_assets, get_compiled_path
+from plain.exceptions import ImproperlyConfigured
 from plain.packages import packages
+from plain.utils.crypto import get_random_string
 
 from .formatting import PlainContext
 from .packages import EntryPointGroup, InstalledPackagesGroup
@@ -248,7 +251,7 @@ def preflight_checks(package_label, deploy, fail_level, databases):
             msg = header + body + footer
             click.echo(msg, err=True)
         else:
-            click.echo("Preflight check identified no issues.", err=True)
+            click.secho("✔ Preflight check identified no issues.", err=True, fg="green")
 
 
 @plain_cli.command()
@@ -284,17 +287,10 @@ def compile(keep_original, fingerprint, compress):
         )
         sys.exit(1)
 
-    # TODO make this an entrypoint instead
-    # Compile our Tailwind CSS (including templates in plain itself)
-    if find_spec("plain.tailwind") is not None:
-        click.secho("Compiling Tailwind CSS", bold=True)
-        result = subprocess.run(["plain", "tailwind", "compile", "--minify"])
+    for entry_point in entry_points(group="plain.assets.compile"):
+        click.secho(f"Running {entry_point.name}", bold=True)
+        result = entry_point.load()()
         print()
-        if result.returncode:
-            click.secho(
-                f"Error compiling Tailwind CSS (exit {result.returncode})", fg="red"
-            )
-            sys.exit(result.returncode)
 
     # TODO also look in [tool.plain.compile.run]
 
@@ -406,6 +402,18 @@ def setting(setting_name):
         click.secho(f'Setting "{setting_name}" not found', fg="red")
 
 
+@plain_cli.group()
+def utils():
+    pass
+
+
+@utils.command()
+def generate_secret_key():
+    """Generate a new secret key"""
+    new_secret_key = get_random_string(50)
+    click.echo(new_secret_key)
+
+
 class AppCLIGroup(click.Group):
     """
     Loads app.cli if it exists as `plain app`
@@ -459,16 +467,31 @@ class PlainCommandCollection(click.CommandCollection):
                 EntryPointGroup(),
                 plain_cli,
             ]
-        except Exception as e:
+        except ImproperlyConfigured as e:
             click.secho(
-                f"Error setting up Plain CLI\n{e}",
+                str(e),
                 fg="red",
                 err=True,
             )
+
+            # None of these require the app to be setup
+            sources = [
+                EntryPointGroup(),
+                AppCLIGroup(),
+                plain_cli,
+            ]
+        except Exception as e:
             print("---")
             print(traceback.format_exc())
             print("---")
 
+            click.secho(
+                f"Error: {e}",
+                fg="red",
+                err=True,
+            )
+
+            # None of these require the app to be setup
             sources = [
                 EntryPointGroup(),
                 AppCLIGroup(),

plain/csrf/middleware.py

@@ -9,7 +9,7 @@ import string
 from collections import defaultdict
 from urllib.parse import urlparse
 
-from plain.exceptions import DisallowedHost, ImproperlyConfigured
+from plain.exceptions import DisallowedHost
 from plain.http import HttpHeaders, UnreadablePostError
 from plain.logs import log_response
 from plain.runtime import settings
@@ -242,44 +242,31 @@ class CsrfViewMiddleware:
         If the CSRF_USE_SESSIONS setting is false, raises InvalidTokenFormat if
         the request's secret has invalid characters or an invalid length.
         """
-        if settings.CSRF_USE_SESSIONS:
-            try:
-                csrf_secret = request.session.get(CSRF_SESSION_KEY)
-            except AttributeError:
-                raise ImproperlyConfigured(
-                    "CSRF_USE_SESSIONS is enabled, but request.session is not "
-                    "set. SessionMiddleware must appear before CsrfViewMiddleware "
-                    "in MIDDLEWARE."
-                )
+        try:
+            csrf_secret = request.COOKIES[settings.CSRF_COOKIE_NAME]
+        except KeyError:
+            csrf_secret = None
         else:
-            try:
-                csrf_secret = request.COOKIES[settings.CSRF_COOKIE_NAME]
-            except KeyError:
-                csrf_secret = None
-            else:
-                # This can raise InvalidTokenFormat.
-                _check_token_format(csrf_secret)
+            # This can raise InvalidTokenFormat.
+            _check_token_format(csrf_secret)
+
         if csrf_secret is None:
             return None
         return csrf_secret
 
     def _set_csrf_cookie(self, request, response):
-        if settings.CSRF_USE_SESSIONS:
-            if request.session.get(CSRF_SESSION_KEY) != request.META["CSRF_COOKIE"]:
-                request.session[CSRF_SESSION_KEY] = request.META["CSRF_COOKIE"]
-        else:
-            response.set_cookie(
-                settings.CSRF_COOKIE_NAME,
-                request.META["CSRF_COOKIE"],
-                max_age=settings.CSRF_COOKIE_AGE,
-                domain=settings.CSRF_COOKIE_DOMAIN,
-                path=settings.CSRF_COOKIE_PATH,
-                secure=settings.CSRF_COOKIE_SECURE,
-                httponly=settings.CSRF_COOKIE_HTTPONLY,
-                samesite=settings.CSRF_COOKIE_SAMESITE,
-            )
-            # Set the Vary header since content varies with the CSRF cookie.
-            patch_vary_headers(response, ("Cookie",))
+        response.set_cookie(
+            settings.CSRF_COOKIE_NAME,
+            request.META["CSRF_COOKIE"],
+            max_age=settings.CSRF_COOKIE_AGE,
+            domain=settings.CSRF_COOKIE_DOMAIN,
+            path=settings.CSRF_COOKIE_PATH,
+            secure=settings.CSRF_COOKIE_SECURE,
+            httponly=settings.CSRF_COOKIE_HTTPONLY,
+            samesite=settings.CSRF_COOKIE_SAMESITE,
+        )
+        # Set the Vary header since content varies with the CSRF cookie.
+        patch_vary_headers(response, ("Cookie",))
 
     def _origin_verified(self, request):
         request_origin = request.META["HTTP_ORIGIN"]
@@ -289,7 +276,7 @@ class CsrfViewMiddleware:
             pass
         else:
             good_origin = "{}://{}".format(
-                "https" if request.is_secure() else "http",
+                "https" if request.is_https() else "http",
                 good_host,
             )
             if request_origin == good_origin:
@@ -331,11 +318,7 @@ class CsrfViewMiddleware:
         ):
             return
         # Allow matching the configured cookie domain.
-        good_referer = (
-            settings.SESSION_COOKIE_DOMAIN
-            if settings.CSRF_USE_SESSIONS
-            else settings.CSRF_COOKIE_DOMAIN
-        )
+        good_referer = settings.CSRF_COOKIE_DOMAIN
         if good_referer is None:
             # If no cookie domain is configured, allow matching the current
             # host:port exactly if it's permitted by ALLOWED_HOSTS.
@@ -435,7 +418,7 @@ class CsrfViewMiddleware:
                 return self._reject(
                     request, REASON_BAD_ORIGIN % request.META["HTTP_ORIGIN"]
                 )
-        elif request.is_secure():
+        elif request.is_https():
             # If the Origin header wasn't provided, reject HTTPS requests if
             # the Referer header doesn't match an allowed value.
             #

plain/forms/fields.py

@@ -14,7 +14,6 @@ from urllib.parse import urlsplit, urlunsplit
 
 from plain import validators
 from plain.exceptions import ValidationError
-from plain.runtime import settings
 from plain.utils import timezone
 from plain.utils.dateparse import parse_datetime, parse_duration
 from plain.utils.duration import duration_string
@@ -1001,7 +1000,7 @@ def from_current_timezone(value):
     When time zone support is enabled, convert naive datetimes
     entered in the current time zone to aware datetimes.
     """
-    if settings.USE_TZ and value is not None and timezone.is_naive(value):
+    if value is not None and timezone.is_naive(value):
         current_timezone = timezone.get_current_timezone()
         try:
             if timezone._datetime_ambiguous_or_imaginary(value, current_timezone):
@@ -1025,6 +1024,6 @@ def to_current_timezone(value):
     When time zone support is enabled, convert aware datetimes
     to naive datetimes in the current time zone for display.
     """
-    if settings.USE_TZ and value is not None and timezone.is_aware(value):
+    if value is not None and timezone.is_aware(value):
         return timezone.make_naive(value)
     return value

plain/forms/forms.py

@@ -203,7 +203,8 @@ class BaseForm:
             self._errors[field].extend(error_list)
 
             # The field had an error, so removed it from the final data
-            if field in self.cleaned_data:
+            # (we use getattr here so errors can be added to uncleaned forms)
+            if field in getattr(self, "cleaned_data", {}):
                 del self.cleaned_data[field]
 
     def full_clean(self):

plain/http/request.py

@@ -140,7 +140,7 @@ class HttpRequest:
             # Reconstruct the host using the algorithm from PEP 333.
             host = self.META["SERVER_NAME"]
             server_port = self.get_port()
-            if server_port != ("443" if self.is_secure() else "80"):
+            if server_port != ("443" if self.is_https() else "80"):
                 host = f"{host}:{server_port}"
         return host
 
@@ -267,12 +267,12 @@ class HttpRequest:
 
     @property
     def scheme(self):
-        if settings.SECURE_PROXY_SSL_HEADER:
+        if settings.HTTPS_PROXY_HEADER:
             try:
-                header, secure_value = settings.SECURE_PROXY_SSL_HEADER
+                header, secure_value = settings.HTTPS_PROXY_HEADER
             except ValueError:
                 raise ImproperlyConfigured(
-                    "The SECURE_PROXY_SSL_HEADER setting must be a tuple containing "
+                    "The HTTPS_PROXY_HEADER setting must be a tuple containing "
                     "two values."
                 )
             header_value = self.META.get(header)
@@ -281,7 +281,7 @@ class HttpRequest:
                 return "https" if header_value.strip() == secure_value else "http"
         return self._get_scheme()
 
-    def is_secure(self):
+    def is_https(self):
         return self.scheme == "https"
 
     @property

plain/internal/handlers/base.py

@@ -13,6 +13,15 @@ from .exception import convert_exception_to_response
 logger = logging.getLogger("plain.request")
 
 
+# These middleware classes are always used by Plain.
+BUILTIN_MIDDLEWARE = [
+    "plain.internal.middleware.headers.DefaultHeadersMiddleware",
+    "plain.internal.middleware.https.HttpsRedirectMiddleware",
+    "plain.internal.middleware.slash.RedirectSlashMiddleware",
+    "plain.csrf.middleware.CsrfViewMiddleware",
+]
+
+
 class BaseHandler:
     _view_middleware = None
     _middleware_chain = None
@@ -27,7 +36,10 @@ class BaseHandler:
 
         get_response = self._get_response
         handler = convert_exception_to_response(get_response)
-        for middleware_path in reversed(settings.MIDDLEWARE):
+
+        middlewares = reversed(BUILTIN_MIDDLEWARE + settings.MIDDLEWARE)
+
+        for middleware_path in middlewares:
             middleware = import_string(middleware_path)
             mw_instance = middleware(handler)
 

plain/internal/middleware/headers.py

@@ -0,0 +1,19 @@
+from plain.runtime import settings
+
+
+class DefaultHeadersMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        response = self.get_response(request)
+
+        for header, value in settings.DEFAULT_RESPONSE_HEADERS.items():
+            response.headers.setdefault(header, value)
+
+        # Add the Content-Length header to non-streaming responses if not
+        # already set.
+        if not response.streaming and not response.has_header("Content-Length"):
+            response.headers["Content-Length"] = str(len(response.content))
+
+        return response

plain/internal/middleware/https.py

@@ -0,0 +1,36 @@
+import re
+
+from plain.http import ResponsePermanentRedirect
+from plain.runtime import settings
+
+
+class HttpsRedirectMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+        # Settings for https (compile regexes once)
+        self.https_redirect_enabled = settings.HTTPS_REDIRECT_ENABLED
+        self.https_redirect_host = settings.HTTPS_REDIRECT_HOST
+        self.https_redirect_exempt = [
+            re.compile(r) for r in settings.HTTPS_REDIRECT_EXEMPT
+        ]
+
+    def __call__(self, request):
+        """
+        Rewrite the URL based on settings.APPEND_SLASH
+        """
+
+        if redirect_response := self.maybe_https_redirect(request):
+            return redirect_response
+
+        return self.get_response(request)
+
+    def maybe_https_redirect(self, request):
+        path = request.path.lstrip("/")
+        if (
+            self.https_redirect_enabled
+            and not request.is_https()
+            and not any(pattern.search(path) for pattern in self.https_redirect_exempt)
+        ):
+            host = self.https_redirect_host or request.get_host()
+            return ResponsePermanentRedirect(f"https://{host}{request.get_full_path()}")

plain/{middleware/common.py → internal/middleware/slash.py}

@@ -4,25 +4,7 @@ from plain.urls import is_valid_path
 from plain.utils.http import escape_leading_slashes
 
 
-class CommonMiddleware:
-    """
-    "Common" middleware for taking care of some basic operations:
-
-        - URL rewriting: Based on the APPEND_SLASH setting,
-          append missing slashes.
-
-            - If APPEND_SLASH is set and the initial URL doesn't end with a
-              slash, and it is not found in urlpatterns, form a new URL by
-              appending a slash at the end. If this new URL is found in
-              urlpatterns, return an HTTP redirect to this new URL; otherwise
-              process the initial URL as usual.
-
-          This behavior can be customized by subclassing CommonMiddleware and
-          overriding the response_redirect_class attribute.
-    """
-
-    response_redirect_class = ResponsePermanentRedirect
-
+class RedirectSlashMiddleware:
     def __init__(self, get_response):
         self.get_response = get_response
 
@@ -40,12 +22,7 @@ class CommonMiddleware:
         # If the given URL is "Not Found", then check if we should redirect to
         # a path with a slash appended.
         if response.status_code == 404 and self.should_redirect_with_slash(request):
-            return self.response_redirect_class(self.get_full_path_with_slash(request))
-
-        # Add the Content-Length header to non-streaming responses if not
-        # already set.
-        if not response.streaming and not response.has_header("Content-Length"):
-            response.headers["Content-Length"] = str(len(response.content))
+            return ResponsePermanentRedirect(self.get_full_path_with_slash(request))
 
         return response
 

plain/preflight/security/base.py

@@ -1,23 +1,7 @@
 from plain.exceptions import ImproperlyConfigured
 from plain.runtime import settings
 
-from .. import Error, Warning, register
-
-CROSS_ORIGIN_OPENER_POLICY_VALUES = {
-    "same-origin",
-    "same-origin-allow-popups",
-    "unsafe-none",
-}
-REFERRER_POLICY_VALUES = {
-    "no-referrer",
-    "no-referrer-when-downgrade",
-    "origin",
-    "origin-when-cross-origin",
-    "same-origin",
-    "strict-origin",
-    "strict-origin-when-cross-origin",
-    "unsafe-url",
-}
+from .. import Warning, register
 
 SECRET_KEY_INSECURE_PREFIX = "plain-insecure-"
 SECRET_KEY_MIN_LENGTH = 50
@@ -32,54 +16,18 @@ SECRET_KEY_WARNING_MSG = (
     f"vulnerable to attack."
 )
 
+# TODO
 W001 = Warning(
-    "You do not have 'plain.middleware.security.SecurityMiddleware' "
+    "You do not have 'plain.middleware.https.HttpsRedirectMiddleware' "
     "in your MIDDLEWARE so the SECURE_HSTS_SECONDS, "
     "SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, "
-    "SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will "
+    "SECURE_CROSS_ORIGIN_OPENER_POLICY, and HTTPS_REDIRECT_ENABLED settings will "
     "have no effect.",
     id="security.W001",
 )
 
-W002 = Warning(
-    "You do not have "
-    "'plain.middleware.clickjacking.XFrameOptionsMiddleware' in your "
-    "MIDDLEWARE, so your pages will not be served with an "
-    "'x-frame-options' header. Unless there is a good reason for your "
-    "site to be served in a frame, you should consider enabling this "
-    "header to help prevent clickjacking attacks.",
-    id="security.W002",
-)
-
-W004 = Warning(
-    "You have not set a value for the SECURE_HSTS_SECONDS setting. "
-    "If your entire site is served only over SSL, you may want to consider "
-    "setting a value and enabling HTTP Strict Transport Security. "
-    "Be sure to read the documentation first; enabling HSTS carelessly "
-    "can cause serious, irreversible problems.",
-    id="security.W004",
-)
-
-W005 = Warning(
-    "You have not set the SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. "
-    "Without this, your site is potentially vulnerable to attack "
-    "via an insecure connection to a subdomain. Only set this to True if "
-    "you are certain that all subdomains of your domain should be served "
-    "exclusively via SSL.",
-    id="security.W005",
-)
-
-W006 = Warning(
-    "Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, "
-    "so your pages will not be served with an "
-    "'X-Content-Type-Options: nosniff' header. "
-    "You should consider enabling this header to prevent the "
-    "browser from identifying content types incorrectly.",
-    id="security.W006",
-)
-
 W008 = Warning(
-    "Your SECURE_SSL_REDIRECT setting is not set to True. "
+    "Your HTTPS_REDIRECT_ENABLED setting is not set to True. "
     "Unless your site should be available over both SSL and non-SSL "
     "connections, you may want to either set this setting True "
     "or configure a load balancer or reverse-proxy server "
@@ -102,99 +50,9 @@ W020 = Warning(
     id="security.W020",
 )
 
-W021 = Warning(
-    "You have not set the SECURE_HSTS_PRELOAD setting to True. Without this, "
-    "your site cannot be submitted to the browser preload list.",
-    id="security.W021",
-)
-
-W022 = Warning(
-    "You have not set the SECURE_REFERRER_POLICY setting. Without this, your "
-    "site will not send a Referrer-Policy header. You should consider "
-    "enabling this header to protect user privacy.",
-    id="security.W022",
-)
-
-E023 = Error(
-    "You have set the SECURE_REFERRER_POLICY setting to an invalid value.",
-    hint="Valid values are: {}.".format(", ".join(sorted(REFERRER_POLICY_VALUES))),
-    id="security.E023",
-)
-
-E024 = Error(
-    "You have set the SECURE_CROSS_ORIGIN_OPENER_POLICY setting to an invalid "
-    "value.",
-    hint="Valid values are: {}.".format(
-        ", ".join(sorted(CROSS_ORIGIN_OPENER_POLICY_VALUES)),
-    ),
-    id="security.E024",
-)
-
 W025 = Warning(SECRET_KEY_WARNING_MSG, id="security.W025")
 
 
-def _security_middleware():
-    return "plain.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE
-
-
-def _xframe_middleware():
-    return (
-        "plain.middleware.clickjacking.XFrameOptionsMiddleware" in settings.MIDDLEWARE
-    )
-
-
-@register(deploy=True)
-def check_security_middleware(package_configs, **kwargs):
-    passed_check = _security_middleware()
-    return [] if passed_check else [W001]
-
-
-@register(deploy=True)
-def check_xframe_options_middleware(package_configs, **kwargs):
-    passed_check = _xframe_middleware()
-    return [] if passed_check else [W002]
-
-
-@register(deploy=True)
-def check_sts(package_configs, **kwargs):
-    passed_check = not _security_middleware() or settings.SECURE_HSTS_SECONDS
-    return [] if passed_check else [W004]
-
-
-@register(deploy=True)
-def check_sts_include_subdomains(package_configs, **kwargs):
-    passed_check = (
-        not _security_middleware()
-        or not settings.SECURE_HSTS_SECONDS
-        or settings.SECURE_HSTS_INCLUDE_SUBDOMAINS is True
-    )
-    return [] if passed_check else [W005]
-
-
-@register(deploy=True)
-def check_sts_preload(package_configs, **kwargs):
-    passed_check = (
-        not _security_middleware()
-        or not settings.SECURE_HSTS_SECONDS
-        or settings.SECURE_HSTS_PRELOAD is True
-    )
-    return [] if passed_check else [W021]
-
-
-@register(deploy=True)
-def check_content_type_nosniff(package_configs, **kwargs):
-    passed_check = (
-        not _security_middleware() or settings.SECURE_CONTENT_TYPE_NOSNIFF is True
-    )
-    return [] if passed_check else [W006]
-
-
-@register(deploy=True)
-def check_ssl_redirect(package_configs, **kwargs):
-    passed_check = not _security_middleware() or settings.SECURE_SSL_REDIRECT is True
-    return [] if passed_check else [W008]
-
-
 def _check_secret_key(secret_key):
     return (
         len(set(secret_key)) >= SECRET_KEY_MIN_UNIQUE_CHARACTERS
@@ -239,30 +97,3 @@ def check_debug(package_configs, **kwargs):
 @register(deploy=True)
 def check_allowed_hosts(package_configs, **kwargs):
     return [] if settings.ALLOWED_HOSTS else [W020]
-
-
-@register(deploy=True)
-def check_referrer_policy(package_configs, **kwargs):
-    if _security_middleware():
-        if settings.SECURE_REFERRER_POLICY is None:
-            return [W022]
-        # Support a comma-separated string or iterable of values to allow fallback.
-        if isinstance(settings.SECURE_REFERRER_POLICY, str):
-            values = {v.strip() for v in settings.SECURE_REFERRER_POLICY.split(",")}
-        else:
-            values = set(settings.SECURE_REFERRER_POLICY)
-        if not values <= REFERRER_POLICY_VALUES:
-            return [E023]
-    return []
-
-
-@register(deploy=True)
-def check_cross_origin_opener_policy(package_configs, **kwargs):
-    if (
-        _security_middleware()
-        and settings.SECURE_CROSS_ORIGIN_OPENER_POLICY is not None
-        and settings.SECURE_CROSS_ORIGIN_OPENER_POLICY
-        not in CROSS_ORIGIN_OPENER_POLICY_VALUES
-    ):
-        return [E024]
-    return []

plain/preflight/security/csrf.py

@@ -32,9 +32,5 @@ def check_csrf_middleware(package_configs, **kwargs):
 
 @register(deploy=True)
 def check_csrf_cookie_secure(package_configs, **kwargs):
-    passed_check = (
-        settings.CSRF_USE_SESSIONS
-        or not _csrf_middleware()
-        or settings.CSRF_COOKIE_SECURE is True
-    )
+    passed_check = not _csrf_middleware() or settings.CSRF_COOKIE_SECURE is True
     return [] if passed_check else [W016]

plain/runtime/README.md

@@ -54,12 +54,8 @@ SECRET_KEY = environ["SECRET_KEY"]
 DEBUG = environ.get("DEBUG", "false").lower() in ("true", "1", "yes")
 
 MIDDLEWARE = [
-    "plain.middleware.security.SecurityMiddleware",
     "plain.sessions.middleware.SessionMiddleware",
-    "plain.middleware.common.CommonMiddleware",
-    "plain.csrf.middleware.CsrfViewMiddleware",
     "plain.auth.middleware.AuthenticationMiddleware",
-    "plain.middleware.clickjacking.XFrameOptionsMiddleware",
 ]
 
 if DEBUG: