With ES6, the `'use strict'` directives are unnecessary:
https://eslint.org/docs/rules/strict
The directives have been left in the Neutrino configs, since they
are used by node directly, which doesn't yet support ES6 modules.
To pick up the newer kernel/security updates. Only takes effect when
people destroy/recreate their VM, so also adds a `dist-upgrade` to
upgrade existing boxes. (The older Bento box had a broken kernel
config so `dist-upgrade` can't upgrade the kernel, but it's better
than nothing.)
Also switches the Hyper-V provider to the Bento images for parity,
since Bento now create Hyper-V variants too.
The `box` name cannot be factored out of the provider blocks due to:
https://github.com/hashicorp/vagrant/issues/9452
* Allow Google login
Presently, when you log in with Google you are prompted with a screen
that tells you to log in using another provider. However, if you try to
log in with Google using an LDAP email "@mozilla.com", then there is a
blank page saying Unrecognized identity.
* Add test cases
## Rough summary of the changes
### Front end
The auth callback is written in React and lives under the /login.html endpoint. It communicates with Treeherder using the localStorage.
### Credential expiration
The Django user session expiration is set to expire when the client access token or the id token expires (whichever one expires first). These values are controlled by the IAM team. Presently, the access token expires after 1 day and the id token expires after a week. That being said, the session will therefore expire after 1 day. If you want this value changed, we simply need to send a request to the IAM team.
### Credential renewal
Renewals are set to happen every 15 minutes or so. The renewal is skewed slightly so that different open tabs don't renew at the same time. Once renewal happens, both tokens are renewed and the Django session is updated.
### Migration
If the userSession localStorage key is not set, then the user will be logged out including logging out from the Django session. In other words, all users will be automatically logged out when the merge to production happens.
Since the only things we used it for were:
* editing users - but that doesn't work any more (bug 1346740) so
requires a manual DB edit as it is, and we won't need to edit users
at all once LDAP groups are used for permissions (bug 1273092)
* marking pending Hawk credentials as approved - however we're not
accepting any new requests for Hawk credentials (bug 1433011)
* resetting the secret key for Hawk credentials - however we've not
used this feature once in the entire time we've used Hawk - and it's
trivial via MySQLWorkbench.
As an added bonus, removing Django admin:
* reduces the work required to add a CSP header
* speeds up `collectstatic` (which is run during deploy) by 30%
* reduces the risk of giving `is_staff` permissions (which have to be
given to sheriffs, but also allowed admin access)
* reduces attack surface in general
In addition to the Django admin app, `django.contrib.messages` app
and the auth/messages context processors have been removed, since
after bug 1433011, admin was the only remaining consumer of them:
https://docs.djangoproject.com/en/1.11/ref/contrib/admin/
Now that we're using MySQL 5.7, we can specify `REQUIRE SSL` on the
`CREATE USER` statement, rather than having to do so on the individual
GRANTs. Compare:
https://dev.mysql.com/doc/refman/5.6/en/create-user.html
https://dev.mysql.com/doc/refman/5.7/en/create-user.html
Prevents:
```
1 warning(s): 1287 Using GRANT statement to modify existing user's
properties other than privileges is deprecated and will be removed
in future release. Use ALTER USER statement for this operation.
```
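An added example, not part of the commit above: the deprecated and current forms side by side, plus a check of which accounts carry a TLS requirement. The account name, host, password and schema are constructed placeholders.

```sql
-- Constructed placeholders: 'example_user'@'%', 'placeholder-password', example_db.

-- MySQL 5.6 style (shown commented out): the TLS requirement rides on the
-- GRANT. On 5.7, running this against an existing account raises warning 1287.
-- GRANT SELECT ON example_db.* TO 'example_user'@'%' REQUIRE SSL;

-- MySQL 5.7 style: the requirement is an account property set at creation,
-- and the GRANT carries privileges only.
CREATE USER 'example_user'@'%'
    IDENTIFIED BY 'placeholder-password'
    REQUIRE SSL;
GRANT SELECT ON example_db.* TO 'example_user'@'%';

-- For an account that already exists, ALTER USER is the statement the
-- deprecation warning points to.
ALTER USER 'example_user'@'%' REQUIRE SSL;

-- Audit: ssl_type is '' for accounts with no TLS requirement and 'ANY' for
-- REQUIRE SSL ('X509' and 'SPECIFIED' are the stricter REQUIRE variants).
-- Any row returned here is an account that can still connect in cleartext.
SELECT user, host, ssl_type
FROM mysql.user
WHERE ssl_type = '';

-- From a client session: a non-empty Value confirms this connection is
-- actually encrypted.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```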
Generated using the approach documented at the end of the page:
https://treeherder.readthedocs.io/admin.html#direct-database-access
The changes are required since bug 1373008 added the `group` and
`group_failure_lines` tables and #2532 removed `text_log_summary`
and `text_log_summary_line`.
In `configureStore.js` the same object was being exported twice, once
as the default export and once as a named export. Since default exports
are preferred if there is only one export in a file, I've removed the
named import and left the default one.
In `Groups.jsx` the `Groups` class was exported but unused, so has
been adjusted to no longer be exported, so the `App.jsx` import
doesn't trigger the warning:
`import Groups from './Groups';`
See:
https://github.com/benmosher/eslint-plugin-import/blob/master/docs/rules/no-named-as-default.md