plain 0.5.0__tar.gz → 0.7.0__tar.gz

{plain-0.5.0 → plain-0.7.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: plain
-Version: 0.5.0
+Version: 0.7.0
 Summary: A web framework for building products with Python.
 Author: Dave Gaeddert
 Author-email: dave.gaeddert@dropseed.dev

{plain-0.5.0 → plain-0.7.0}/plain/cli/cli.py

@@ -5,6 +5,7 @@ import shutil
 import subprocess
 import sys
 import traceback
+from importlib.metadata import entry_points
 from importlib.util import find_spec
 from pathlib import Path
 
@@ -14,7 +15,9 @@ from click.core import Command, Context
 import plain.runtime
 from plain import preflight
 from plain.assets.compile import compile_assets, get_compiled_path
+from plain.exceptions import ImproperlyConfigured
 from plain.packages import packages
+from plain.utils.crypto import get_random_string
 
 from .formatting import PlainContext
 from .packages import EntryPointGroup, InstalledPackagesGroup
@@ -284,17 +287,10 @@ def compile(keep_original, fingerprint, compress):
         )
         sys.exit(1)
 
-    # TODO make this an entrypoint instead
-    # Compile our Tailwind CSS (including templates in plain itself)
-    if find_spec("plain.tailwind") is not None:
-        click.secho("Compiling Tailwind CSS", bold=True)
-        result = subprocess.run(["plain", "tailwind", "compile", "--minify"])
+    for entry_point in entry_points(group="plain.assets.compile"):
+        click.secho(f"Running {entry_point.name}", bold=True)
+        result = entry_point.load()()
         print()
-        if result.returncode:
-            click.secho(
-                f"Error compiling Tailwind CSS (exit {result.returncode})", fg="red"
-            )
-            sys.exit(result.returncode)
 
     # TODO also look in [tool.plain.compile.run]
 
@@ -406,6 +402,18 @@ def setting(setting_name):
         click.secho(f'Setting "{setting_name}" not found', fg="red")
 
 
+@plain_cli.group()
+def utils():
+    pass
+
+
+@utils.command()
+def generate_secret_key():
+    """Generate a new secret key"""
+    new_secret_key = get_random_string(50)
+    click.echo(new_secret_key)
+
+
 class AppCLIGroup(click.Group):
     """
     Loads app.cli if it exists as `plain app`
@@ -459,16 +467,31 @@ class PlainCommandCollection(click.CommandCollection):
                 EntryPointGroup(),
                 plain_cli,
             ]
-        except Exception as e:
+        except ImproperlyConfigured as e:
             click.secho(
-                f"Error setting up Plain CLI\n{e}",
+                str(e),
                 fg="red",
                 err=True,
             )
+
+            # None of these require the app to be setup
+            sources = [
+                EntryPointGroup(),
+                AppCLIGroup(),
+                plain_cli,
+            ]
+        except Exception as e:
             print("---")
             print(traceback.format_exc())
             print("---")
 
+            click.secho(
+                f"Error: {e}",
+                fg="red",
+                err=True,
+            )
+
+            # None of these require the app to be setup
             sources = [
                 EntryPointGroup(),
                 AppCLIGroup(),

{plain-0.5.0 → plain-0.7.0}/plain/forms/fields.py

@@ -14,7 +14,6 @@ from urllib.parse import urlsplit, urlunsplit
 
 from plain import validators
 from plain.exceptions import ValidationError
-from plain.runtime import settings
 from plain.utils import timezone
 from plain.utils.dateparse import parse_datetime, parse_duration
 from plain.utils.duration import duration_string
@@ -1001,7 +1000,7 @@ def from_current_timezone(value):
     When time zone support is enabled, convert naive datetimes
     entered in the current time zone to aware datetimes.
     """
-    if settings.USE_TZ and value is not None and timezone.is_naive(value):
+    if value is not None and timezone.is_naive(value):
         current_timezone = timezone.get_current_timezone()
         try:
             if timezone._datetime_ambiguous_or_imaginary(value, current_timezone):
@@ -1025,6 +1024,6 @@ def to_current_timezone(value):
     When time zone support is enabled, convert aware datetimes
     to naive datetimes in the current time zone for display.
     """
-    if settings.USE_TZ and value is not None and timezone.is_aware(value):
+    if value is not None and timezone.is_aware(value):
         return timezone.make_naive(value)
     return value

plain-0.7.0/plain/middleware/security.py

@@ -0,0 +1,31 @@
+import re
+
+from plain.http import ResponsePermanentRedirect
+from plain.runtime import settings
+
+
+class SecurityMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+        self.redirect = settings.SECURE_SSL_REDIRECT
+        self.redirect_host = settings.SECURE_SSL_HOST
+        self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT]
+
+        self.default_headers = settings.SECURE_DEFAULT_HEADERS
+
+    def __call__(self, request):
+        path = request.path.lstrip("/")
+        if (
+            self.redirect
+            and not request.is_secure()
+            and not any(pattern.search(path) for pattern in self.redirect_exempt)
+        ):
+            host = self.redirect_host or request.get_host()
+            return ResponsePermanentRedirect(f"https://{host}{request.get_full_path()}")
+
+        response = self.get_response(request)
+
+        for header, value in self.default_headers.items():
+            response.headers.setdefault(header, value)
+
+        return response

plain-0.7.0/plain/preflight/security/base.py

@@ -0,0 +1,114 @@
+from plain.exceptions import ImproperlyConfigured
+from plain.runtime import settings
+
+from .. import Warning, register
+
+SECRET_KEY_INSECURE_PREFIX = "plain-insecure-"
+SECRET_KEY_MIN_LENGTH = 50
+SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5
+
+SECRET_KEY_WARNING_MSG = (
+    f"Your %s has less than {SECRET_KEY_MIN_LENGTH} characters, less than "
+    f"{SECRET_KEY_MIN_UNIQUE_CHARACTERS} unique characters, or it's prefixed "
+    f"with '{SECRET_KEY_INSECURE_PREFIX}' indicating that it was generated "
+    f"automatically by Plain. Please generate a long and random value, "
+    f"otherwise many of Plain's security-critical features will be "
+    f"vulnerable to attack."
+)
+
+W001 = Warning(
+    "You do not have 'plain.middleware.security.SecurityMiddleware' "
+    "in your MIDDLEWARE so the SECURE_HSTS_SECONDS, "
+    "SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, "
+    "SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will "
+    "have no effect.",
+    id="security.W001",
+)
+
+W008 = Warning(
+    "Your SECURE_SSL_REDIRECT setting is not set to True. "
+    "Unless your site should be available over both SSL and non-SSL "
+    "connections, you may want to either set this setting True "
+    "or configure a load balancer or reverse-proxy server "
+    "to redirect all connections to HTTPS.",
+    id="security.W008",
+)
+
+W009 = Warning(
+    SECRET_KEY_WARNING_MSG % "SECRET_KEY",
+    id="security.W009",
+)
+
+W018 = Warning(
+    "You should not have DEBUG set to True in deployment.",
+    id="security.W018",
+)
+
+W020 = Warning(
+    "ALLOWED_HOSTS must not be empty in deployment.",
+    id="security.W020",
+)
+
+W025 = Warning(SECRET_KEY_WARNING_MSG, id="security.W025")
+
+
+def _security_middleware():
+    return "plain.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE
+
+
+@register(deploy=True)
+def check_security_middleware(package_configs, **kwargs):
+    passed_check = _security_middleware()
+    return [] if passed_check else [W001]
+
+
+@register(deploy=True)
+def check_ssl_redirect(package_configs, **kwargs):
+    passed_check = not _security_middleware() or settings.SECURE_SSL_REDIRECT is True
+    return [] if passed_check else [W008]
+
+
+def _check_secret_key(secret_key):
+    return (
+        len(set(secret_key)) >= SECRET_KEY_MIN_UNIQUE_CHARACTERS
+        and len(secret_key) >= SECRET_KEY_MIN_LENGTH
+        and not secret_key.startswith(SECRET_KEY_INSECURE_PREFIX)
+    )
+
+
+@register(deploy=True)
+def check_secret_key(package_configs, **kwargs):
+    try:
+        secret_key = settings.SECRET_KEY
+    except (ImproperlyConfigured, AttributeError):
+        passed_check = False
+    else:
+        passed_check = _check_secret_key(secret_key)
+    return [] if passed_check else [W009]
+
+
+@register(deploy=True)
+def check_secret_key_fallbacks(package_configs, **kwargs):
+    warnings = []
+    try:
+        fallbacks = settings.SECRET_KEY_FALLBACKS
+    except (ImproperlyConfigured, AttributeError):
+        warnings.append(Warning(W025.msg % "SECRET_KEY_FALLBACKS", id=W025.id))
+    else:
+        for index, key in enumerate(fallbacks):
+            if not _check_secret_key(key):
+                warnings.append(
+                    Warning(W025.msg % f"SECRET_KEY_FALLBACKS[{index}]", id=W025.id)
+                )
+    return warnings
+
+
+@register(deploy=True)
+def check_debug(package_configs, **kwargs):
+    passed_check = not settings.DEBUG
+    return [] if passed_check else [W018]
+
+
+@register(deploy=True)
+def check_allowed_hosts(package_configs, **kwargs):
+    return [] if settings.ALLOWED_HOSTS else [W020]

{plain-0.5.0 → plain-0.7.0}/plain/runtime/README.md

@@ -59,7 +59,6 @@ MIDDLEWARE = [
     "plain.middleware.common.CommonMiddleware",
     "plain.csrf.middleware.CsrfViewMiddleware",
     "plain.auth.middleware.AuthenticationMiddleware",
-    "plain.middleware.clickjacking.XFrameOptionsMiddleware",
 ]
 
 if DEBUG:

{plain-0.5.0 → plain-0.7.0}/plain/runtime/__init__.py

@@ -5,7 +5,7 @@ from pathlib import Path
 
 from dotenv import load_dotenv
 
-from .user_settings import LazySettings
+from .user_settings import Settings
 
 try:
     __version__ = importlib.metadata.version("plain")
@@ -18,7 +18,7 @@ APP_PATH = Path.cwd() / "app"
 
 
 # from plain.runtime import settings
-settings = LazySettings()
+settings = Settings()
 
 
 class AppPathNotFound(RuntimeError):

{plain-0.5.0 → plain-0.7.0}/plain/runtime/global_settings.py

@@ -20,12 +20,9 @@ ALLOWED_HOSTS: list[str] = []
 
 # Local time zone for this installation. All choices can be found here:
 # https://en.wikipedia.org/wiki/List_of_tz_zones_by_name (although not all
-# systems may support all possibilities). When USE_TZ is True, this is
-# interpreted as the default user time zone.
-TIME_ZONE = "America/Chicago"
-
-# If you set this to True, Plain will use timezone-aware datetimes.
-USE_TZ = True
+# systems may support all possibilities). This is interpreted as the default
+# user time zone.
+TIME_ZONE: str = "UTC"
 
 # Default charset to use for all Response objects, if a MIME type isn't
 # manually specified. It's used to construct the Content-Type header.
@@ -75,19 +72,6 @@ DATA_UPLOAD_MAX_NUMBER_FILES = 100
 # (i.e. "/tmp" on *nix systems).
 FILE_UPLOAD_TEMP_DIR = None
 
-# The numeric mode to set newly-uploaded files to. The value should be a mode
-# you'd pass directly to os.chmod; see
-# https://docs.python.org/library/os.html#files-and-directories.
-FILE_UPLOAD_PERMISSIONS = 0o644
-
-# The numeric mode to assign to newly-created directories, when uploading files.
-# The value should be a mode as you'd pass to os.chmod;
-# see https://docs.python.org/library/os.html#files-and-directories.
-FILE_UPLOAD_DIRECTORY_PERMISSIONS = None
-
-# Default X-Frame-Options header value
-X_FRAME_OPTIONS = "DENY"
-
 USE_X_FORWARDED_HOST = False
 USE_X_FORWARDED_PORT = False
 
@@ -114,14 +98,13 @@ MIDDLEWARE = [
     "plain.middleware.security.SecurityMiddleware",
     "plain.middleware.common.CommonMiddleware",
     "plain.csrf.middleware.CsrfViewMiddleware",
-    "plain.middleware.clickjacking.XFrameOptionsMiddleware",
 ]
 
 ###########
 # SIGNING #
 ###########
 
-SIGNING_BACKEND = "plain.signing.TimestampSigner"
+COOKIE_SIGNING_BACKEND = "plain.signing.TimestampSigner"
 
 ########
 # CSRF #
@@ -132,7 +115,7 @@ CSRF_COOKIE_NAME = "csrftoken"
 CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52
 CSRF_COOKIE_DOMAIN = None
 CSRF_COOKIE_PATH = "/"
-CSRF_COOKIE_SECURE = False
+CSRF_COOKIE_SECURE = True
 CSRF_COOKIE_HTTPONLY = False
 CSRF_COOKIE_SAMESITE = "Lax"
 CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"
@@ -170,15 +153,19 @@ SILENCED_PREFLIGHT_CHECKS = []
 #######################
 # SECURITY MIDDLEWARE #
 #######################
-SECURE_CONTENT_TYPE_NOSNIFF = True
-SECURE_CROSS_ORIGIN_OPENER_POLICY = "same-origin"
-SECURE_HSTS_INCLUDE_SUBDOMAINS = False
-SECURE_HSTS_PRELOAD = False
-SECURE_HSTS_SECONDS = 0
 SECURE_REDIRECT_EXEMPT = []
-SECURE_REFERRER_POLICY = "same-origin"
 SECURE_SSL_HOST = None
-SECURE_SSL_REDIRECT = False
+SECURE_SSL_REDIRECT = True
+
+SECURE_DEFAULT_HEADERS = {
+    # "Content-Security-Policy": "default-src 'self'",
+    # https://hstspreload.org/
+    # "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
+    "Cross-Origin-Opener-Policy": "same-origin",
+    "Referrer-Policy": "same-origin",
+    "X-Content-Type-Options": "nosniff",
+    "X-Frame-Options": "DENY",
+}
 
 #############
 # Templates #