diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..919d99d2
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,106 @@
+name: Semantic Release
+
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Semantic Release
+ uses: buildlyio/semantic-release-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - uses: actions/setup-python@v2
+ with:
+ python-version: 3.7
+
+ - name: Start OpenLDAP Server
+ id: ldap_server
+ run: |
+ docker run -p 389:389 -p 636:636 --name openldap_server -d osixia/openldap:1.3.0
+
+ - name: Install dependencies
+ run: |
+ sudo apt-get install libsasl2-dev libldap2-dev libssl-dev
+ sudo touch /var/log/buildly.log
+ sudo chown runner:docker /var/log/buildly.log
+ cat requirements/base.txt | grep "^Django==\|^psycopg2" | xargs pip install
+ pip install -r requirements/ci.txt
+
+ - name: Lint & Vulnerability check
+ run: |
+ flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
+ flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+ bandit -r . -ll
+
+ - name: Test with pytest
+ run: |
+ pytest
+ env:
+ ALLOWED_HOSTS: "*"
+ CORS_ORIGIN_WHITELIST: "*"
+ DATABASE_ENGINE: "postgresql"
+ DATABASE_NAME: "buildly_api"
+ DATABASE_USER: "root"
+ DATABASE_PASSWORD: "root"
+ DATABASE_HOST: "localhost"
+ DATABASE_PORT: "5432"
+ DEFAULT_ORG: "Default Organization"
+ DJANGO_SETTINGS_MODULE: "buildly.settings.production"
+ SOCIAL_AUTH_GITHUB_REDIRECT_URL: "/complete/github"
+ SOCIAL_AUTH_GOOGLE_OAUTH2_REDIRECT_URL: "/complete/google-oauth2"
+ SOCIAL_AUTH_MICROSOFT_GRAPH_REDIRECT_URL: "/complete/microsoft-graph"
+ JWT_ISSUER: "buildly"
+ JWT_PRIVATE_KEY_RSA_BUILDLY: |-
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIBOwIBAAJBALFc9NFZaOaSwUMPNektbtJqEjYZ6IRBqhqvJu1hKPYn9HYd75c0
+ gIDYHJ9lb7QwQvg44aO27104rDK0xSstzL0CAwEAAQJAe5z5096oyeqGX6J+RGGx
+ 11yuDJ7J+0N4tthUHSWWUtgkd19NvmTM/mVLmPCzZHgNUT+aWUKsQ84+jhru/NQD
+ 0QIhAOHOzFmjxjTAR1jspn6YtJBKQB40tvT6WEvm2mKm0aD7AiEAyRPwXyZf3JT+
+ M6Ui0Mubs7Qb/E4g1d/kVL+o/XoZC6cCIQC+nKzPtnooKW+Q1yOslgdGDgeV9/XB
+ Ulqap+MNh7hJZQIgZNaM+wqhlFtbx8aO2SrioJI4XqVHrjojpaSgOM3cdY0CIQDB
+ Q6ckOaDV937acmWuiZhxuG2euNLwNbMldtCV5ADo/g==
+ -----END RSA PRIVATE KEY-----
+ JWT_PUBLIC_KEY_RSA_BUILDLY: |-
+ -----BEGIN PUBLIC KEY-----
+ MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALFc9NFZaOaSwUMPNektbtJqEjYZ6IRB
+ qhqvJu1hKPYn9HYd75c0gIDYHJ9lb7QwQvg44aO27104rDK0xSstzL0CAwEAAQ==
+ -----END PUBLIC KEY-----
+ SECRET_KEY: "nothing"
+ OAUTH_CLIENT_ID: "vBn4KsOCthm7TWzMH0kVV0dXkUPJEtOQwaLu0eoC"
+ OAUTH_CLIENT_SECRET: "0aYDOHUNAxK4MjbnYOHhfrKx8EzjKqN6GbB6IGyCgpT6pmQ5pEVJmH7mIEUJ"
+ DOCKER_REPO: "buildly/buildly"
+ LDAP_ENABLE: "True"
+ LDAP_HOST: "ldap://localhost:389"
+ LDAP_USERNAME: "cn=admin,dc=example,dc=org"
+ LDAP_PASSWORD: "admin"
+ LDAP_BASE_DN: "dc=example,dc=org"
+
+ - name: Docker Build & Release
+ if: steps.semantic.outputs.new_release_published == 'true'
+ run: |
+ echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
+ docker build --tag ${BUILDLY_IMAGE} .
+ docker push ${BUILDLY_IMAGE}
+ env:
+ BUILDLY_IMAGE: buildly/buildly:v${{ steps.semantic.outputs.new_release_version }}
+
+ # postgres
+ services:
+ postgres:
+ image: postgres:9.6
+ env:
+ POSTGRES_USER: root
+ POSTGRES_PASSWORD: root
+ POSTGRES_DB: buildly_api
+ ports:
+ - 5432:5432
+ # needed because the postgres container does not provide a healthcheck
+ options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
diff --git a/.releaserc.js b/.releaserc.js
new file mode 100644
index 00000000..41bac462
--- /dev/null
+++ b/.releaserc.js
@@ -0,0 +1,8 @@
+module.exports = {
+ branches: ['master'],
+ plugins: [
+ '@semantic-release/commit-analyzer',
+ '@semantic-release/release-notes-generator',
+ "@semantic-release/github",
+ ],
+};
diff --git a/README.md b/README.md
index 070a5ac1..d4f3b579 100644
--- a/README.md
+++ b/README.md
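Review bot: The `Docker Build & Release` step is gated on `steps.semantic.outputs.new_release_published == 'true'` and tags the image with `steps.semantic.outputs.new_release_version`, but no step in the job declares `id: semantic` — the Semantic Release step has only a `name` — so the condition can never be true and, if it were, `BUILDLY_IMAGE` would expand to `buildly/buildly:v`; add `id: semantic` directly under `- name: Semantic Release`. In that same step the two Docker Hub secrets are interpolated straight into the `run:` script text; passing them through the step's `env:` (e.g. `DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}`) and referencing `$DOCKER_PASSWORD` in the shell keeps the expanded values out of the script body. The RSA private key, `OAUTH_CLIENT_SECRET` and the DB/LDAP passwords under the pytest step's `env:` are committed in clear; if they are throwaway test fixtures, a comment such as `# test-only key pair; never use outside CI` above `JWT_PRIVATE_KEY_RSA_BUILDLY` makes that intent explicit, and they should not appear in any other environment. `actions/checkout@v2`, `actions/setup-python@v2` and the third-party `buildlyio/semantic-release-action@v2` are referenced by mutable tag rather than commit SHA, which is worth tightening for a workflow that holds `GITHUB_TOKEN` and registry credentials.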
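Review bot: The `plugins` array mixes quote styles — `"@semantic-release/github"` is double-quoted while the two entries above it and `branches: ['master']` use single quotes; change it to `'@semantic-release/github',` so the file reads consistently. A one-line header comment noting that releases are cut only from `master` would also help readers who have not seen the companion workflow.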
@@ -74,51 +74,77 @@ $ openssl rsa -in private.pem -outform PEM -pubout -out public.pem
 ### Configuration
-The following table lists the configurable parameters of buildly and their default values.
+Specify each parameter using `-e`, `--env`, and `--env-file` flags to set simple (non-array) environment variables to `docker run`. For example,
+
+```bash
+$ docker run -e MYVAR1 --env MYVAR2=foo \
+ --env-file ./env.list \
+ buildly/buildly:
+```
+The following tables list the configurable parameters of buildly and their default values.
+
+#### Security System
 | Parameter | Description | Default |
 |-------------------------------------|------------------------------------|-------------------------------------------|
-| `ACCESS_TOKEN_EXPIRE_SECONDS` | The number of seconds an access token remains valid | 3600 |
 | `ALLOWED_HOSTS` | A list of strings representing the domain names the app can serve | `[]` |
 | `CORS_ORIGIN_ALLOW_ALL` | If True, CORS_ORIGIN_WHITELIST is not used and all origins are accepted | False |
 | `CORS_ORIGIN_WHITELIST` | A list of origins that are authorized to make cross-site HTTP requests | `[]` |
+| `DEFAULT_ORG` | The first organization created in the database | `` |
+| `SECRET_KEY` | Used to provide cryptographic signing, and should be set to a unique, unpredictable value | None |
+| `SUPER_USER_PASSWORD` | Used to define the super user password when it's created for the first time | `admin` in Debug mode or None |
+
+#### Database Connection
+| Parameter | Description | Default |
+|-------------------------------------|------------------------------------|-------------------------------------------|
 | `DATABASE_ENGINE` | The database backend to use. (`postgresql`, `mysql`, `sqlite3` or `oracle`) | `` |
 | `DATABASE_NAME` | The name of the database to use | `` |
 | `DATABASE_USER` | The username to use when connecting to the database | `` |
 | `DATABASE_PASSWORD` | The password to use when connecting to the database | `` |
 | `DATABASE_HOST` | The host to use when connecting to the database | `` |
 | `DATABASE_PORT` | The port to use when connecting to the database | `` |
-| `DEFAULT_ORG` | The first organization created in the database | `` |
+
+#### Authentication System
+| Parameter | Description | Default |
+|-------------------------------------|------------------------------------|-------------------------------------------|
+| `ACCESS_TOKEN_EXPIRE_SECONDS` | The number of seconds an access token remains valid | 3600 |
 | `JWT_ISSUER` | The name of the JWT issuer | `` |
 | `JWT_PRIVATE_KEY_RSA_BUILDLY` | The private RSA KEY | `` |
 | `JWT_PUBLIC_KEY_RSA_BUILDLY` | The public RSA KEY | `` |
-| `LDAP_ENABLE` | If true, enable LDAP authentication | False |
-| `LDAP_HOST` | The host to use when connecting to the LDAP server | `` |
-| `LDAP_USERNAME` | The username to use when connecting to the LDAP server | `` |
-| `LDAP_PASSWORD` | The password to use when connecting to the LDAP server | `` |
-| `LDAP_BASE_DN` | The base domain name for search | `` |
-| `LDAP_USERNAME_FIELD_SEARCH` | The username field used by the LDAP server for search | `` |
 | `OAUTH_CLIENT_ID` | Used in combination with OAUTH_CLIENT_SECRET to create OAuth2 password grant | None |
 | `OAUTH_CLIENT_SECRET` | Used in combination with OAUTH_CLIENT_ID to create OAuth2 password grant | None |
 | `PASSWORD_MINIMUM_LENGTH` | The minimum length of passwords | `6` |
-| `SECRET_KEY` | Used to provide cryptographic signing, and should be set to a unique, unpredictable value | None |
-| `SOCIAL_AUTH_GITHUB_REDIRECT_URL` | The redirect URL for GitHub Social auth | None |
-| `SOCIAL_AUTH_GOOGLE_OAUTH2_REDIRECT_URL` | The redirect URL for Google Social auth | None |
-| `SOCIAL_AUTH_LOGIN_REDIRECT_URL` | Redirect the user once the auth process ended successfully | None |
-| `SOCIAL_AUTH_MICROSOFT_GRAPH_REDIRECT_URL` | The redirect URL for Microsoft graph Social auth | None |
-| `SUPER_USER_PASSWORD` | Used to define the super user password when it's created for the first time | `admin` in Debug mode or None |
 | `USE_PASSWORD_MINIMUM_LENGTH_VALIDATOR` | Checks whether the password meets a minimum length | True |
 | `USE_PASSWORD_USER_ATTRIBUTE_SIMILARITY_VALIDATOR` | Checks the similarity between the password and a set of attributes of the user | True |
 | `USE_PASSWORD_COMMON_VALIDATOR` | Checks whether the password occurs in a list of common passwords | True |
 | `USE_PASSWORD_NUMERIC_VALIDATOR` | Checks whether the password isn’t entirely numeric | True |
+| `SOCIAL_AUTH_GITHUB_REDIRECT_URL` | The redirect URL for GitHub Social auth | None |
+| `SOCIAL_AUTH_GOOGLE_OAUTH2_REDIRECT_URL` | The redirect URL for Google Social auth | None |
+| `SOCIAL_AUTH_LOGIN_REDIRECT_URL` | Redirect the user once the auth process ended successfully | None |
+| `SOCIAL_AUTH_MICROSOFT_GRAPH_REDIRECT_URL` | The redirect URL for Microsoft graph Social auth | None |
-Specify each parameter using `-e`, `--env`, and `--env-file` flags to set simple (non-array) environment variables to `docker run`. For example,
+#### LDAP & Active Directory Server
+| Parameter | Description | Default |
+|-------------------------------------|------------------------------------|-------------------------------------------|
+| `LDAP_ENABLE` | If true, enable LDAP authentication | False |
+| `LDAP_HOST` | The host to use when connecting to the LDAP server | `` |
+| `LDAP_USERNAME` | The username to use when connecting to the LDAP server | `` |
+| `LDAP_PASSWORD` | The password to use when connecting to the LDAP server | `` |
+| `LDAP_BASE_DN` | The base domain name for search | `` |
+| `LDAP_USERNAME_FIELD_SEARCH` | The username field used by the LDAP server for search | `` |
-```bash
-$ docker run -e MYVAR1 --env MYVAR2=foo \
- --env-file ./env.list \
- buildly/buildly:
-```
+#### Email Server
+| Parameter | Description | Default |
+|-------------------------------------|------------------------------------|-------------------------------------------|
+| `EMAIL_BACKEND` | If `SMTP`, enable connection to an SMTP Server | `` |
+| `EMAIL_HOST` | The host to use for sending email server | `` |
+| `EMAIL_HOST_USER` | The username to use when connecting to the SMTP server | `` |
+| `EMAIL_HOST_PASSWORD` | The password to use when connecting to the SMTP server | `` |
+| `EMAIL_PORT` | The port to use when connecting to the SMTP Server | `587` |
+| `EMAIL_USE_TLS` | Whether to use a TLS connection when talking to the SMTP server | `True` |
+| `EMAIL_SUBJECT_PREFIX` | Subject-line prefix for email messages sent | `` |
+| `DEFAULT_FROM_EMAIL` | The email address to be set in messages' FROM | `` |
+| `DEFAULT_REPLYTO_EMAIL` | The email address to be set in messages' REPLY TO | `` |
 ## Built With
diff --git a/requirements/base.txt b/requirements/base.txt
index d65233dc..2ffdb885 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -3,7 +3,7 @@ django-filter==2.2.0
 django-health-check==3.6.1
 git+https://github.com/buildlyio/django-oauth-toolkit-jwt@v0.5.2#egg=django-oauth-toolkit-jwt
 djangorestframework==3.9.4
-psycopg2-binary==2.8.3
+psycopg2-binary==2.8.6
 social-auth-app-django==3.1.0
 django-oauth-toolkit==1.3.2
 futures==3.1.1