Releases: ministryofjustice/analytics-platform-control-panel
Fixes for OWASP ZAP report items
- Disable client-side caching
- Secure CSRF and session cookies
- Enable XSS protection
- Disable content-type sniffing
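The four items above map to response headers and cookie flags that an OWASP ZAP passive scan checks for. The block below is an added example, not code from the control panel repository: it assumes the application is a Django project (the setting names are real Django settings, but the project using them is my assumption), applies the header-level fixes in a Django-style middleware, and provides two audit helpers a practitioner can run against a settings mapping or a captured response. `ResponseStub` is a constructed stand-in for `HttpResponse`.

```python
from typing import Any, Callable, Dict, List, Mapping

# Django settings behind the cookie and header items. The names are real Django
# settings; that the control panel is a Django app is an assumption of this example.
HARDENED_SETTINGS: Dict[str, Any] = {
    "SESSION_COOKIE_SECURE": True,        # session cookie only sent over HTTPS
    "SESSION_COOKIE_HTTPONLY": True,      # not readable from JavaScript
    "CSRF_COOKIE_SECURE": True,           # CSRF cookie only sent over HTTPS
    "CSRF_COOKIE_HTTPONLY": True,
    "SECURE_BROWSER_XSS_FILTER": True,    # emits X-XSS-Protection: 1; mode=block
    "SECURE_CONTENT_TYPE_NOSNIFF": True,  # emits X-Content-Type-Options: nosniff
}

# Response headers that satisfy the "client-side caching", "XSS protection" and
# "content-type sniffing" findings. The Cache-Control value matches what Django's
# add_never_cache_headers() produces.
EXPECTED_HEADERS: Dict[str, str] = {
    "Cache-Control": "max-age=0, no-cache, no-store, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}


def audit_settings(settings: Mapping[str, Any]) -> List[str]:
    """Return hardened settings that are missing or not set to the expected value."""
    return sorted(name for name, want in HARDENED_SETTINGS.items()
                  if settings.get(name) != want)


def audit_headers(headers: Mapping[str, str]) -> List[str]:
    """Return expected response headers that are absent or carry a different value."""
    return sorted(name for name, want in EXPECTED_HEADERS.items()
                  if headers.get(name) != want)


def security_headers_middleware(get_response: Callable) -> Callable:
    """Django-style middleware factory that stamps the headers on every response.

    Works with any response object supporting item assignment by header name,
    which Django's HttpResponse does.
    """
    def middleware(request):
        response = get_response(request)
        for name, value in EXPECTED_HEADERS.items():
            response[name] = value
        return response
    return middleware


class ResponseStub(dict):
    """Constructed stand-in for HttpResponse: header name -> header value."""


def demo() -> List[str]:
    """Send one request through the middleware; return the header findings left over."""
    handler = security_headers_middleware(lambda request: ResponseStub())
    response = handler(request=None)
    return audit_headers(response)


if __name__ == "__main__":
    print("remaining header findings:", demo())
    print("settings findings for an empty settings module:", audit_settings({}))
```

Wire the middleware near the top of `MIDDLEWARE` so it runs after the view has produced its response; in a real Django project the `SECURE_*` settings let `SecurityMiddleware` emit the nosniff and XSS headers itself, and the cookie flags take effect with no middleware at all. `audit_settings(vars(settings))` against the live settings module is a cheap regression check for the cookie items.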
App error handling and AWS client refactor
- Add logging and error handling for GitHub repo listing
- Prevent creating App with already registered GitHub repo
- Improve create app form validation and errors
- Validate app customer email addresses
- Handle Auth0 errors adding and removing customers
- Set default choice on create app form
- Refactor AWS client code to use boto3 Resource API
- Remove redundant `AWSClient` class
- Remove redundant `IAMRole` class (replaced by boto3 `Role` resource class)
- Refactor `S3AccessPolicy` class to operate on boto3 `RolePolicy` objects - also fixes bug which removes all resources from policy
- Refactor `AppS3Bucket`, `PolicyS3Bucket` and `UserS3Bucket` to loosen coupling with `S3AccessPolicy` and `ManagedS3AccessPolicy`
- Refactor `cluster` module to follow @xoen's `cluster.App` example
- Test with moto
- Remove the unused `write_to_cluster` feature flag
Moved `cluster` functions into `ToolDeployment` class
PR #762 (More refactoring)
- moved functions in `controlpanel.api.cluster` module related to a deployed tool into the `ToolDeployment` class
- fixed import of `HelmError` in that module
- added `__repr__()` to `models.User` class
KubernetesClient related refactorings
PR #761
- Simplified `KubernetesClient` to not read the user `id_token` from HTTP request (this can't always be done, e.g. if in the context of a background worker)
- Above allowed me to write some tests [1] [2] for this class
- Removing the implicit read of the `id_token` required me to be sure that all places where a `KubernetesClient` is instantiated (and their client code) always pass the `id_token` when performing an operation against the kubernetes API. This is done in these two commits:
  - change to `cluster.restart_tool_deployment()`
  - change to the rest of `cluster` functions (functions using `cluster.list_tool_deployments()` directly or indirectly)
- change to
- also fixed use of unimported `helm.HelmError` in `cluster` module
App logs scroll fix and other minor fixes/refactorings
Add back App URL/Fix for k8s race condition
This should fix the race condition in the kubernetes configuration.
PR: #756
Don't get App URL until we fix the `KubernetesClient` bug
Sometimes users get a 401 from the Kubernetes API. This seems
to be caused by a bug/race condition in the way the kubernetes module
loads the configuration (this is our best theory so far)
It's annoying for users so avoiding this until we fix the problem.
PR: #754
Part of ticket: https://trello.com/c/D4bpabeD
Fix grant admin access form
Missing "admin" option when requesting user is a superadmin
Fix for error when `id_token` not provided
Fix for error raised when `id_token` not provided (currently some code relies on `KubernetesClient` to automagically read the `id_token` from the request. We're planning to refactor the code to always pass the `id_token` explicitly and this check was part of that. Unfortunately having this check in master is bad and it'll have to wait)
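The two `KubernetesClient` notes above (PR #761 and this fix) describe the same design change: stop reading the user's `id_token` implicitly from the current HTTP request, because code running outside a request, such as a background worker, has no request to read from. The block below is an added example and not the project's code; `KubernetesClient`, `list_tool_deployments` and the in-memory "API" are hypothetical stand-ins, and the request-scoped token is simulated with a `contextvars.ContextVar`. It contrasts the implicit style that fails in a worker with the explicit style that always works.

```python
import contextvars
from typing import Dict, List, Optional

# Simulates the per-request id_token the old code read implicitly. In a
# background worker no request is in flight, so this stays unset. Constructed.
_request_id_token: contextvars.ContextVar = contextvars.ContextVar(
    "request_id_token", default=None)


class MissingIdToken(Exception):
    """Raised when a Kubernetes call is attempted with no id_token to authenticate with."""


class KubernetesClient:
    """Hypothetical client: the caller must hand over the user's id_token explicitly.

    The token is turned into the bearer header once, so every call made through
    this instance is authenticated as that user and nothing is fetched from
    request state behind the caller's back.
    """

    def __init__(self, id_token: Optional[str], api: Optional[Dict[str, List[str]]] = None):
        if not id_token:
            raise MissingIdToken("KubernetesClient needs an explicit id_token")
        self._headers = {"Authorization": f"Bearer {id_token}"}
        # Constructed stand-in for the Kubernetes API: namespace -> deployment names
        self._api = api if api is not None else {}

    def headers(self) -> Dict[str, str]:
        return dict(self._headers)

    def list_deployments(self, namespace: str) -> List[str]:
        return list(self._api.get(namespace, []))


def implicit_client(api: Optional[Dict[str, List[str]]] = None) -> KubernetesClient:
    """Old style: the token comes from whatever request is current. Breaks in a worker."""
    return KubernetesClient(_request_id_token.get(), api)


def list_tool_deployments(id_token: str, namespace: str,
                          api: Optional[Dict[str, List[str]]] = None) -> List[str]:
    """cluster-style helper with the token passed explicitly, usable from a worker too."""
    return KubernetesClient(id_token, api).list_deployments(namespace)


def run_from_background_worker() -> Dict[str, object]:
    """Exercise both styles with no request in flight (constructed data)."""
    api = {"user-alice": ["rstudio", "jupyter-lab"]}
    result: Dict[str, object] = {
        "explicit": list_tool_deployments("id-token-constructed", "user-alice", api),
    }
    try:
        implicit_client(api)
        result["implicit"] = "ok"
    except MissingIdToken:
        result["implicit"] = "MissingIdToken"
    return result


if __name__ == "__main__":
    print(run_from_background_worker())
```

Failing loudly at construction, rather than deep inside a request to the Kubernetes API, is what makes the remaining call sites easy to find: every place that builds a client without a token surfaces as a `MissingIdToken` in tests instead of as a 401 seen by a user.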
Group and path specific s3 permissions
- Adds Groups for s3 permissions
- Adds paths to the access so user can specify paths that access is given to