Since after bug 1400069 it is no longer used by the UI.
This removes everything but the Job model field (since the table is
large enough that migrations need to be carefully coordinated, and we
can batch up that change with others).
The last of the usages were removed a while ago, so we're safe to
drop the column. The auto-generated migration caused an exception
until it was manually re-ordered, due to a Django bug:
https://code.djangoproject.com/ticket/29124
The `push` table on production is only 300K rows and 100MB, so the
migration should be fairly fast.
The output from `sqlmigrate` is:
```
BEGIN;
--
-- Alter field revision on push
--
ALTER TABLE `push` MODIFY `revision` varchar(40) NOT NULL;
--
-- Alter unique_together for push (1 constraint(s))
--
CREATE INDEX `push_repository_id_e7501345` ON `push` (`repository_id`);
ALTER TABLE `push` DROP INDEX `push_repository_id_revision_hash_3cd3c5e3_uniq`;
--
-- Remove field revision_hash from push
--
ALTER TABLE `push` DROP COLUMN `revision_hash`;
COMMIT;
```
The old API (`MIDDLEWARE_CLASSES`) has been deprecated in favour of
the `MIDDLEWARE` pref. The new API is faster (since it short-circuits)
and has more sensible error handling characteristics.
See:
https://github.com/django/deps/blob/master/final/0005-improved-middleware.rst
https://docs.djangoproject.com/en/1.11/topics/http/middleware/#upgrading-middleware
Since the new API short-circuits (that is, doesn't run later middleware
if an earlier one returns a response), `XFrameOptionsMiddleware` and
`CorsMiddleware` must be moved to before the WhiteNoise middleware,
to ensure the headers are still set like before - even when WhiteNoise
returns early for static content. (Whilst most static content doesn't
need CORS headers, `revision.txt` and `contribute.json` do.)
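The ordering effect described in the commit message above, as an added example (a minimal model of a new-style middleware chain, not Django, WhiteNoise or Treeherder code). The `*_like` factories, the header values and the static file contents are constructed stand-ins.

```python
# Minimal model of a new-style (MIDDLEWARE) chain: each factory takes
# get_response and returns a callable(request) -> response dict.
# All names and values here are illustrative assumptions.

def whitenoise_like(get_response):
    # Stand-in for WhiteNoise: serves static paths itself and short-circuits.
    static = {"/revision.txt": "abc123", "/contribute.json": "{}"}  # constructed
    def middleware(request):
        if request["path"] in static:
            return {"status": 200, "headers": {}, "body": static[request["path"]]}
        return get_response(request)
    return middleware

def x_frame_options_like(get_response):
    def middleware(request):
        response = get_response(request)
        response["headers"].setdefault("X-Frame-Options", "SAMEORIGIN")
        return response
    return middleware

def cors_like(get_response):
    def middleware(request):
        response = get_response(request)
        response["headers"]["Access-Control-Allow-Origin"] = "*"
        return response
    return middleware

def view(request):
    return {"status": 200, "headers": {}, "body": "dynamic page"}

def build_chain(middleware, inner_view):
    # The first list entry ends up outermost, so it sees every response,
    # including ones returned early by a later entry.
    handler = inner_view
    for factory in reversed(middleware):
        handler = factory(handler)
    return handler

def headers_for(middleware, path):
    return sorted(build_chain(middleware, view)({"path": path})["headers"])

AFTER_STATIC = [whitenoise_like, x_frame_options_like, cors_like]   # headers lost
BEFORE_STATIC = [x_frame_options_like, cors_like, whitenoise_like]  # headers kept

if __name__ == "__main__":
    for name, order in (("after", AFTER_STATIC), ("before", BEFORE_STATIC)):
        for path in ("/revision.txt", "/api/"):
            print(name, path, headers_for(order, path))
```

A deployment check built on the same idea is to request a static file such as `revision.txt` and confirm that the expected security and CORS headers are present on the response.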
With ES6, the `'use strict'` directives are unnecessary:
https://eslint.org/docs/rules/strict
The directives have been left in the Neutrino configs, since they
are used by node directly, which doesn't yet support ES6 modules.
To pick up the newer kernel/security updates. Only takes effect when
people destroy/recreate their VM, so also adds a `dist-upgrade` to
upgrade existing boxes. (The older Bento box had a broken kernel
config so `dist-upgrade` can't upgrade the kernel, but it's better
than nothing.)
Also switches the Hyper-V provider to the Bento images for parity,
since Bento now create Hyper-V variants too.
The `box` name cannot be factored out of the provider blocks due to:
https://github.com/hashicorp/vagrant/issues/9452
* Allow Google login
Presently, when you log in with Google you are prompted with a screen
that tells you to log in using another provider. However, if you try to
log in with Google using an LDAP email "@mozilla.com", then there is a
blank page saying Unrecognized identity.
* Add test cases
## Rough summary of the changes
### Front end
The auth callback is written in React and lives under the /login.html endpoint. It communicates with Treeherder using the localStorage.
### Credential expiration
The Django user session expiration is set to expire when the client access token or the id token expires (whichever one expires first). These values are controlled by the IAM team. Presently, the access token expires after 1 day and the id token expires after a week. That being said, the session will therefore expire after 1 day. If you want this value changed, we simply need to send a request to the IAM team.
### Credential renewal
Renewals are set to happen every 15 minutes or so. The renewal is skewed slightly so that different open tabs don't renew at the same time. Once renewal happens, both tokens are renewed and the Django session is updated.
### Migration
If the userSession localStorage key is not set, then the user will be logged out including logging out from the Django session. In other words, all users will be automatically logged out when the merge to production happens.
Since the only things we used it for were:
* editing users - but that doesn't work any more (bug 1346740) so
requires a manual DB edit as it is, and we won't need to edit users
at all once LDAP groups are used for permissions (bug 1273092)
* marking pending Hawk credentials as approved - however we're not
accepting any new requests for Hawk credentials (bug 1433011)
* resetting the secret key for Hawk credentials - however we've not
used this feature once in the entire time we've used Hawk - and it's
trivial via MySQLWorkbench.
As an added bonus removing Django admin:
* reduces the work required to add a CSP header
* speeds up `collectstatic` (which is run during deploy) by 30%
* reduces the risk of giving `is_staff` permissions (which have to be
given to sheriffs, but also allowed admin access)
* reduces attack surface in general
In addition to the Django admin app, `django.contrib.messages` app
and the auth/messages context processors have been removed, since
after bug 1433011, admin was the only remaining consumer of them:
https://docs.djangoproject.com/en/1.11/ref/contrib/admin/
Now that we're using MySQL 5.7, we can specify `REQUIRE SSL` on the
`CREATE USER` statement, rather than having to do so on the individual
GRANTs. Compare:
https://dev.mysql.com/doc/refman/5.6/en/create-user.html
https://dev.mysql.com/doc/refman/5.7/en/create-user.html
Prevents:
```
1 warning(s): 1287 Using GRANT statement to modify existing user's
properties other than privileges is deprecated and will be removed
in future release. Use ALTER USER statement for this operation.
```
Generated using the approach documented at the end of the page:
https://treeherder.readthedocs.io/admin.html#direct-database-access
The changes are required since bug 1373008 added the `group` and
`group_failure_lines` tables and #2532 removed `text_log_summary`
and `text_log_summary_line`.