plain 0.4.1__tar.gz → 0.6.0__tar.gz

{plain-0.4.1 → plain-0.6.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: plain
-Version: 0.4.1
+Version: 0.6.0
 Summary: A web framework for building products with Python.
 Author: Dave Gaeddert
 Author-email: dave.gaeddert@dropseed.dev

{plain-0.4.1 → plain-0.6.0}/plain/cli/cli.py

@@ -14,7 +14,9 @@ from click.core import Command, Context
 import plain.runtime
 from plain import preflight
 from plain.assets.compile import compile_assets, get_compiled_path
+from plain.exceptions import ImproperlyConfigured
 from plain.packages import packages
+from plain.utils.crypto import get_random_string
 
 from .formatting import PlainContext
 from .packages import EntryPointGroup, InstalledPackagesGroup
@@ -406,6 +408,18 @@ def setting(setting_name):
         click.secho(f'Setting "{setting_name}" not found', fg="red")
 
 
+@plain_cli.group()
+def utils():
+    pass
+
+
+@utils.command()
+def generate_secret_key():
+    """Generate a new secret key"""
+    new_secret_key = get_random_string(50)
+    click.echo(new_secret_key)
+
+
 class AppCLIGroup(click.Group):
     """
     Loads app.cli if it exists as `plain app`
@@ -459,16 +473,31 @@ class PlainCommandCollection(click.CommandCollection):
                 EntryPointGroup(),
                 plain_cli,
             ]
-        except Exception as e:
+        except ImproperlyConfigured as e:
             click.secho(
-                f"Error setting up Plain CLI\n{e}",
+                str(e),
                 fg="red",
                 err=True,
             )
+
+            # None of these require the app to be setup
+            sources = [
+                EntryPointGroup(),
+                AppCLIGroup(),
+                plain_cli,
+            ]
+        except Exception as e:
             print("---")
             print(traceback.format_exc())
             print("---")
 
+            click.secho(
+                f"Error: {e}",
+                fg="red",
+                err=True,
+            )
+
+            # None of these require the app to be setup
             sources = [
                 EntryPointGroup(),
                 AppCLIGroup(),

{plain-0.4.1 → plain-0.6.0}/plain/forms/fields.py

@@ -14,7 +14,6 @@ from urllib.parse import urlsplit, urlunsplit
 
 from plain import validators
 from plain.exceptions import ValidationError
-from plain.runtime import settings
 from plain.utils import timezone
 from plain.utils.dateparse import parse_datetime, parse_duration
 from plain.utils.duration import duration_string
@@ -1001,7 +1000,7 @@ def from_current_timezone(value):
     When time zone support is enabled, convert naive datetimes
     entered in the current time zone to aware datetimes.
     """
-    if settings.USE_TZ and value is not None and timezone.is_naive(value):
+    if value is not None and timezone.is_naive(value):
         current_timezone = timezone.get_current_timezone()
         try:
             if timezone._datetime_ambiguous_or_imaginary(value, current_timezone):
@@ -1025,6 +1024,6 @@ def to_current_timezone(value):
     When time zone support is enabled, convert aware datetimes
     to naive datetimes in the current time zone for display.
     """
-    if settings.USE_TZ and value is not None and timezone.is_aware(value):
+    if value is not None and timezone.is_aware(value):
         return timezone.make_naive(value)
     return value

{plain-0.4.1 → plain-0.6.0}/plain/forms/forms.py

@@ -203,7 +203,8 @@ class BaseForm:
             self._errors[field].extend(error_list)
 
             # The field had an error, so removed it from the final data
-            if field in self.cleaned_data:
+            # (we use getattr here so errors can be added to uncleaned forms)
+            if field in getattr(self, "cleaned_data", {}):
                 del self.cleaned_data[field]
 
     def full_clean(self):

plain-0.6.0/plain/middleware/security.py

@@ -0,0 +1,31 @@
+import re
+
+from plain.http import ResponsePermanentRedirect
+from plain.runtime import settings
+
+
+class SecurityMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+        self.redirect = settings.SECURE_SSL_REDIRECT
+        self.redirect_host = settings.SECURE_SSL_HOST
+        self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT]
+
+        self.default_headers = settings.SECURE_DEFAULT_HEADERS
+
+    def __call__(self, request):
+        path = request.path.lstrip("/")
+        if (
+            self.redirect
+            and not request.is_secure()
+            and not any(pattern.search(path) for pattern in self.redirect_exempt)
+        ):
+            host = self.redirect_host or request.get_host()
+            return ResponsePermanentRedirect(f"https://{host}{request.get_full_path()}")
+
+        response = self.get_response(request)
+
+        for header, value in self.default_headers.items():
+            response.headers.setdefault(header, value)
+
+        return response

plain-0.6.0/plain/preflight/security/base.py

@@ -0,0 +1,114 @@
+from plain.exceptions import ImproperlyConfigured
+from plain.runtime import settings
+
+from .. import Warning, register
+
+SECRET_KEY_INSECURE_PREFIX = "plain-insecure-"
+SECRET_KEY_MIN_LENGTH = 50
+SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5
+
+SECRET_KEY_WARNING_MSG = (
+    f"Your %s has less than {SECRET_KEY_MIN_LENGTH} characters, less than "
+    f"{SECRET_KEY_MIN_UNIQUE_CHARACTERS} unique characters, or it's prefixed "
+    f"with '{SECRET_KEY_INSECURE_PREFIX}' indicating that it was generated "
+    f"automatically by Plain. Please generate a long and random value, "
+    f"otherwise many of Plain's security-critical features will be "
+    f"vulnerable to attack."
+)
+
+W001 = Warning(
+    "You do not have 'plain.middleware.security.SecurityMiddleware' "
+    "in your MIDDLEWARE so the SECURE_HSTS_SECONDS, "
+    "SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, "
+    "SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will "
+    "have no effect.",
+    id="security.W001",
+)
+
+W008 = Warning(
+    "Your SECURE_SSL_REDIRECT setting is not set to True. "
+    "Unless your site should be available over both SSL and non-SSL "
+    "connections, you may want to either set this setting True "
+    "or configure a load balancer or reverse-proxy server "
+    "to redirect all connections to HTTPS.",
+    id="security.W008",
+)
+
+W009 = Warning(
+    SECRET_KEY_WARNING_MSG % "SECRET_KEY",
+    id="security.W009",
+)
+
+W018 = Warning(
+    "You should not have DEBUG set to True in deployment.",
+    id="security.W018",
+)
+
+W020 = Warning(
+    "ALLOWED_HOSTS must not be empty in deployment.",
+    id="security.W020",
+)
+
+W025 = Warning(SECRET_KEY_WARNING_MSG, id="security.W025")
+
+
+def _security_middleware():
+    return "plain.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE
+
+
+@register(deploy=True)
+def check_security_middleware(package_configs, **kwargs):
+    passed_check = _security_middleware()
+    return [] if passed_check else [W001]
+
+
+@register(deploy=True)
+def check_ssl_redirect(package_configs, **kwargs):
+    passed_check = not _security_middleware() or settings.SECURE_SSL_REDIRECT is True
+    return [] if passed_check else [W008]
+
+
+def _check_secret_key(secret_key):
+    return (
+        len(set(secret_key)) >= SECRET_KEY_MIN_UNIQUE_CHARACTERS
+        and len(secret_key) >= SECRET_KEY_MIN_LENGTH
+        and not secret_key.startswith(SECRET_KEY_INSECURE_PREFIX)
+    )
+
+
+@register(deploy=True)
+def check_secret_key(package_configs, **kwargs):
+    try:
+        secret_key = settings.SECRET_KEY
+    except (ImproperlyConfigured, AttributeError):
+        passed_check = False
+    else:
+        passed_check = _check_secret_key(secret_key)
+    return [] if passed_check else [W009]
+
+
+@register(deploy=True)
+def check_secret_key_fallbacks(package_configs, **kwargs):
+    warnings = []
+    try:
+        fallbacks = settings.SECRET_KEY_FALLBACKS
+    except (ImproperlyConfigured, AttributeError):
+        warnings.append(Warning(W025.msg % "SECRET_KEY_FALLBACKS", id=W025.id))
+    else:
+        for index, key in enumerate(fallbacks):
+            if not _check_secret_key(key):
+                warnings.append(
+                    Warning(W025.msg % f"SECRET_KEY_FALLBACKS[{index}]", id=W025.id)
+                )
+    return warnings
+
+
+@register(deploy=True)
+def check_debug(package_configs, **kwargs):
+    passed_check = not settings.DEBUG
+    return [] if passed_check else [W018]
+
+
+@register(deploy=True)
+def check_allowed_hosts(package_configs, **kwargs):
+    return [] if settings.ALLOWED_HOSTS else [W020]

{plain-0.4.1 → plain-0.6.0}/plain/runtime/README.md

@@ -59,7 +59,6 @@ MIDDLEWARE = [
     "plain.middleware.common.CommonMiddleware",
     "plain.csrf.middleware.CsrfViewMiddleware",
     "plain.auth.middleware.AuthenticationMiddleware",
-    "plain.middleware.clickjacking.XFrameOptionsMiddleware",
 ]
 
 if DEBUG:

{plain-0.4.1 → plain-0.6.0}/plain/runtime/__init__.py

@@ -5,7 +5,7 @@ from pathlib import Path
 
 from dotenv import load_dotenv
 
-from .user_settings import LazySettings
+from .user_settings import Settings
 
 try:
     __version__ = importlib.metadata.version("plain")
@@ -18,7 +18,7 @@ APP_PATH = Path.cwd() / "app"
 
 
 # from plain.runtime import settings
-settings = LazySettings()
+settings = Settings()
 
 
 class AppPathNotFound(RuntimeError):

{plain-0.4.1 → plain-0.6.0}/plain/runtime/global_settings.py

@@ -20,12 +20,9 @@ ALLOWED_HOSTS: list[str] = []
 
 # Local time zone for this installation. All choices can be found here:
 # https://en.wikipedia.org/wiki/List_of_tz_zones_by_name (although not all
-# systems may support all possibilities). When USE_TZ is True, this is
-# interpreted as the default user time zone.
-TIME_ZONE = "America/Chicago"
-
-# If you set this to True, Plain will use timezone-aware datetimes.
-USE_TZ = True
+# systems may support all possibilities). This is interpreted as the default
+# user time zone.
+TIME_ZONE: str = "UTC"
 
 # Default charset to use for all Response objects, if a MIME type isn't
 # manually specified. It's used to construct the Content-Type header.
@@ -75,19 +72,6 @@ DATA_UPLOAD_MAX_NUMBER_FILES = 100
 # (i.e. "/tmp" on *nix systems).
 FILE_UPLOAD_TEMP_DIR = None
 
-# The numeric mode to set newly-uploaded files to. The value should be a mode
-# you'd pass directly to os.chmod; see
-# https://docs.python.org/library/os.html#files-and-directories.
-FILE_UPLOAD_PERMISSIONS = 0o644
-
-# The numeric mode to assign to newly-created directories, when uploading files.
-# The value should be a mode as you'd pass to os.chmod;
-# see https://docs.python.org/library/os.html#files-and-directories.
-FILE_UPLOAD_DIRECTORY_PERMISSIONS = None
-
-# Default X-Frame-Options header value
-X_FRAME_OPTIONS = "DENY"
-
 USE_X_FORWARDED_HOST = False
 USE_X_FORWARDED_PORT = False
 
@@ -114,14 +98,13 @@ MIDDLEWARE = [
     "plain.middleware.security.SecurityMiddleware",
     "plain.middleware.common.CommonMiddleware",
     "plain.csrf.middleware.CsrfViewMiddleware",
-    "plain.middleware.clickjacking.XFrameOptionsMiddleware",
 ]
 
 ###########
 # SIGNING #
 ###########
 
-SIGNING_BACKEND = "plain.signing.TimestampSigner"
+COOKIE_SIGNING_BACKEND = "plain.signing.TimestampSigner"
 
 ########
 # CSRF #
@@ -132,7 +115,7 @@ CSRF_COOKIE_NAME = "csrftoken"
 CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52
 CSRF_COOKIE_DOMAIN = None
 CSRF_COOKIE_PATH = "/"
-CSRF_COOKIE_SECURE = False
+CSRF_COOKIE_SECURE = True
 CSRF_COOKIE_HTTPONLY = False
 CSRF_COOKIE_SAMESITE = "Lax"
 CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"
@@ -170,15 +153,19 @@ SILENCED_PREFLIGHT_CHECKS = []
 #######################
 # SECURITY MIDDLEWARE #
 #######################
-SECURE_CONTENT_TYPE_NOSNIFF = True
-SECURE_CROSS_ORIGIN_OPENER_POLICY = "same-origin"
-SECURE_HSTS_INCLUDE_SUBDOMAINS = False
-SECURE_HSTS_PRELOAD = False
-SECURE_HSTS_SECONDS = 0
 SECURE_REDIRECT_EXEMPT = []
-SECURE_REFERRER_POLICY = "same-origin"
 SECURE_SSL_HOST = None
-SECURE_SSL_REDIRECT = False
+SECURE_SSL_REDIRECT = True
+
+SECURE_DEFAULT_HEADERS = {
+    # "Content-Security-Policy": "default-src 'self'",
+    # https://hstspreload.org/
+    # "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
+    "Cross-Origin-Opener-Policy": "same-origin",
+    "Referrer-Policy": "same-origin",
+    "X-Content-Type-Options": "nosniff",
+    "X-Frame-Options": "DENY",
+}
 
 #############
 # Templates #

plain-0.6.0/plain/runtime/user_settings.py

@@ -0,0 +1,313 @@
+import importlib
+import json
+import os
+import time
+import types
+import typing
+from pathlib import Path
+
+from plain.exceptions import ImproperlyConfigured
+from plain.packages import PackageConfig
+
+ENVIRONMENT_VARIABLE = "PLAIN_SETTINGS_MODULE"
+ENV_SETTINGS_PREFIX = "PLAIN_"
+CUSTOM_SETTINGS_PREFIX = "APP_"
+
+
+class Settings:
+    """
+    Settings and configuration for Plain.
+
+    This class handles loading settings from the module specified by the
+    PLAIN_SETTINGS_MODULE environment variable, as well as from default settings,
+    environment variables, and explicit settings in the settings module.
+
+    Lazy initialization is implemented to defer loading until settings are first accessed.
+    """
+
+    def __init__(self, settings_module=None):
+        self._settings_module = settings_module
+        self._settings = {}
+        self._errors = []  # Collect configuration errors
+        self.configured = False
+
+    def _setup(self):
+        if self.configured:
+            return
+        else:
+            self.configured = True
+
+        self._settings = {}  # Maps setting names to SettingDefinition instances
+
+        # Determine the settings module
+        if self._settings_module is None:
+            self._settings_module = os.environ.get(ENVIRONMENT_VARIABLE, "settings")
+
+        # First load the global settings from plain
+        self._load_module_settings(
+            importlib.import_module("plain.runtime.global_settings")
+        )
+
+        # Import the user's settings module
+        try:
+            mod = importlib.import_module(self._settings_module)
+        except ImportError as e:
+            raise ImproperlyConfigured(
+                f"Could not import settings '{self._settings_module}': {e}"
+            )
+
+        # Keep a reference to the settings.py module path
+        self.path = Path(mod.__file__).resolve()
+
+        # Load default settings from installed packages
+        self._load_default_settings(mod)
+        # Load environment settings
+        self._load_env_settings()
+        # Load explicit settings from the settings module
+        self._load_explicit_settings(mod)
+        # Check for any required settings that are missing
+        self._check_required_settings()
+        # Check for any collected errors
+        self._raise_errors_if_any()
+
+    def _load_module_settings(self, module):
+        annotations = getattr(module, "__annotations__", {})
+        settings = dir(module)
+
+        for setting in settings:
+            if setting.isupper():
+                if setting in self._settings:
+                    self._errors.append(f"Duplicate setting '{setting}'.")
+                    continue
+
+                setting_value = getattr(module, setting)
+                self._settings[setting] = SettingDefinition(
+                    name=setting,
+                    default_value=setting_value,
+                    annotation=annotations.get(setting, None),
+                    module=module,
+                )
+
+        # Store any annotations that didn't have a value (these are required settings)
+        for setting, annotation in annotations.items():
+            if setting not in self._settings:
+                self._settings[setting] = SettingDefinition(
+                    name=setting,
+                    default_value=None,
+                    annotation=annotation,
+                    module=module,
+                    required=True,
+                )
+
+    def _load_default_settings(self, settings_module):
+        for entry in getattr(settings_module, "INSTALLED_PACKAGES", []):
+            try:
+                if isinstance(entry, PackageConfig):
+                    app_settings = entry.module.default_settings
+                else:
+                    app_settings = importlib.import_module(f"{entry}.default_settings")
+            except ModuleNotFoundError:
+                continue
+
+            self._load_module_settings(app_settings)
+
+    def _load_env_settings(self):
+        env_settings = {
+            k[len(ENV_SETTINGS_PREFIX) :]: v
+            for k, v in os.environ.items()
+            if k.startswith(ENV_SETTINGS_PREFIX) and k.isupper()
+        }
+        for setting, value in env_settings.items():
+            if setting in self._settings:
+                setting_def = self._settings[setting]
+                try:
+                    parsed_value = _parse_env_value(value, setting_def.annotation)
+                    setting_def.set_value(parsed_value, "env")
+                except ImproperlyConfigured as e:
+                    self._errors.append(str(e))
+
+    def _load_explicit_settings(self, settings_module):
+        for setting in dir(settings_module):
+            if setting.isupper():
+                setting_value = getattr(settings_module, setting)
+
+                if setting in self._settings:
+                    setting_def = self._settings[setting]
+                    try:
+                        setting_def.set_value(setting_value, "explicit")
+                    except ImproperlyConfigured as e:
+                        self._errors.append(str(e))
+                        continue
+
+                elif setting.startswith(CUSTOM_SETTINGS_PREFIX):
+                    # Accept custom settings prefixed with '{CUSTOM_SETTINGS_PREFIX}'
+                    setting_def = SettingDefinition(
+                        name=setting,
+                        default_value=None,
+                        annotation=None,
+                        required=False,
+                    )
+                    try:
+                        setting_def.set_value(setting_value, "explicit")
+                    except ImproperlyConfigured as e:
+                        self._errors.append(str(e))
+                        continue
+                    self._settings[setting] = setting_def
+                else:
+                    # Collect unrecognized settings individually
+                    self._errors.append(
+                        f"Unknown setting '{setting}'. Custom settings must start with '{CUSTOM_SETTINGS_PREFIX}'."
+                    )
+
+        if hasattr(time, "tzset") and self.TIME_ZONE:
+            zoneinfo_root = Path("/usr/share/zoneinfo")
+            zone_info_file = zoneinfo_root.joinpath(*self.TIME_ZONE.split("/"))
+            if zoneinfo_root.exists() and not zone_info_file.exists():
+                self._errors.append(
+                    f"Invalid TIME_ZONE setting '{self.TIME_ZONE}'. Timezone file not found."
+                )
+            else:
+                os.environ["TZ"] = self.TIME_ZONE
+                time.tzset()
+
+    def _check_required_settings(self):
+        missing = [k for k, v in self._settings.items() if v.required and not v.is_set]
+        if missing:
+            self._errors.append(f"Missing required setting(s): {', '.join(missing)}.")
+
+    def _raise_errors_if_any(self):
+        if self._errors:
+            errors = ["- " + e for e in self._errors]
+            raise ImproperlyConfigured(
+                "Settings configuration errors:\n" + "\n".join(errors)
+            )
+
+    def __getattr__(self, name):
+        # Avoid recursion by directly returning internal attributes
+        if not name.isupper():
+            return object.__getattribute__(self, name)
+
+        self._setup()
+
+        if name in self._settings:
+            return self._settings[name].value
+        else:
+            raise AttributeError(f"'Settings' object has no attribute '{name}'")
+
+    def __setattr__(self, name, value):
+        # Handle internal attributes without recursion
+        if not name.isupper():
+            object.__setattr__(self, name, value)
+        else:
+            if name in self._settings:
+                self._settings[name].set_value(value, "runtime")
+                self._raise_errors_if_any()
+            else:
+                object.__setattr__(self, name, value)
+
+    def __repr__(self):
+        if not self.configured:
+            return "<Settings [Unevaluated]>"
+        return f'<Settings "{self._settings_module}">'
+
+
+def _parse_env_value(value, annotation):
+    if not annotation:
+        raise ImproperlyConfigured("Type hint required to set from environment.")
+
+    if annotation is bool:
+        # Special case for bools
+        return value.lower() in ("true", "1", "yes")
+    elif annotation is str:
+        return value
+    else:
+        # Parse other types using JSON
+        try:
+            return json.loads(value)
+        except json.JSONDecodeError as e:
+            raise ImproperlyConfigured(
+                f"Invalid JSON value for setting: {e.msg}"
+            ) from e
+
+
+class SettingDefinition:
+    """Store detailed information about settings."""
+
+    def __init__(
+        self, name, default_value=None, annotation=None, module=None, required=False
+    ):
+        self.name = name
+        self.default_value = default_value
+        self.annotation = annotation
+        self.module = module
+        self.required = required
+        self.value = default_value
+        self.source = "default"  # 'default', 'env', 'explicit', or 'runtime'
+        self.is_set = False  # Indicates if the value was set explicitly
+
+    def set_value(self, value, source):
+        self.check_type(value)
+        self.value = value
+        self.source = source
+        self.is_set = True
+
+    def check_type(self, obj):
+        if not self.annotation:
+            return
+
+        if not SettingDefinition._is_instance_of_type(obj, self.annotation):
+            raise ImproperlyConfigured(
+                f"'{self.name}': Expected type {self.annotation}, but got {type(obj)}."
+            )
+
+    @staticmethod
+    def _is_instance_of_type(value, type_hint) -> bool:
+        # Simple types
+        if isinstance(type_hint, type):
+            return isinstance(value, type_hint)
+
+        # Union types
+        if (
+            typing.get_origin(type_hint) is typing.Union
+            or typing.get_origin(type_hint) is types.UnionType
+        ):
+            return any(
+                SettingDefinition._is_instance_of_type(value, arg)
+                for arg in typing.get_args(type_hint)
+            )
+
+        # List types
+        if typing.get_origin(type_hint) is list:
+            return isinstance(value, list) and all(
+                SettingDefinition._is_instance_of_type(
+                    item, typing.get_args(type_hint)[0]
+                )
+                for item in value
+            )
+
+        # Tuple types
+        if typing.get_origin(type_hint) is tuple:
+            return isinstance(value, tuple) and all(
+                SettingDefinition._is_instance_of_type(
+                    item, typing.get_args(type_hint)[i]
+                )
+                for i, item in enumerate(value)
+            )
+
+        raise ValueError(f"Unsupported type hint: {type_hint}")
+
+    def __str__(self):
+        return f"SettingDefinition(name={self.name}, value={self.value}, source={self.source})"
+
+
+class SettingsReference(str):
+    """
+    String subclass which references a current settings value. It's treated as
+    the value in memory but serializes to a settings.NAME attribute reference.
+    """
+
+    def __new__(self, value, setting_name):
+        return str.__new__(self, value)
+
+    def __init__(self, value, setting_name):
+        self.setting_name = setting_name