def test_hsts_subdomains():
app = sslify(testapp.test_app, subdomains=True)
env = create_environ()
env['wsgi.url_scheme'] = 'https'
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '200 OK'
assert headers['Strict-Transport-Security'] == 'max-age=31536000; includeSubDomains'
def run(port, db_uri, hsts):
cert_db = CertificateDatabase(db_uri)
crtsh_checker = CrtshChecker()
app = raw_app = WSGIApplication(cert_db, crtsh_checker)
if hsts:
app = wsgi_sslify.sslify(app, subdomains=True)
def build_service(reactor):
multi = MultiService()
StreamServerEndpointService(
TCP4ServerEndpoint(reactor, port),
server.Site(
wsgi.WSGIResource(reactor, reactor.getThreadPool(),
app), )).setServiceParent(multi)
logger = Logger()
TimerService(
# Run every 10 minutes
10 * 60,
lambda: deferToThread(check_for_revocation, cert_db, crtsh_checker)
.addErrback(lambda f: logger.failure(
"Error checking for revocation", f))).setServiceParent(multi)
TimerService(
60 * 60,
lambda: deferToThread(raw_app._update_lint_summaries).addErrback(
lambda f: logger.failure("Error updating cablint summaries", f
))).setServiceParent(multi)
return multi
run_service(build_service)
def test_https_proxy_custom_header_ignores_default_header():
app = sslify(testapp.test_app, proxy_header='X-PROTO')
env = create_environ()
env['HTTP_X_FORWARDED_PROTO'] = 'https'
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '301 Moved Permanently'
assert headers['Location'].startswith('https://')
def test_https_proxy_doesnt_redirect():
app = sslify(testapp.test_app)
env = create_environ()
env['HTTP_X_FORWARDED_PROTO'] = 'https'
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '200 OK'
assert headers['Strict-Transport-Security'] == 'max-age=31536000'
def test_hsts_defaults():
app = sslify(testapp.test_app)
env = create_environ()
env['wsgi.url_scheme'] = 'https'
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '200 OK'
assert headers['Strict-Transport-Security'] == 'max-age=31536000'
def test_hsts_off():
app = sslify(testapp.test_app, hsts=False)
env = create_environ()
env['wsgi.url_scheme'] = 'https'
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '200 OK'
assert 'Strict-Transport-Security' not in headers
def test_hsts_defaults():
app = sslify(testapp.test_app)
env = create_environ()
env['wsgi.url_scheme'] = 'https'
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '200 OK'
assert headers['Strict-Transport-Security'] == 'max-age=31536000'
def test_hsts_off():
app = sslify(testapp.test_app, hsts=False)
env = create_environ()
env['wsgi.url_scheme'] = 'https'
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '200 OK'
assert 'Strict-Transport-Security' not in headers
def test_hsts_subdomains():
app = sslify(testapp.test_app, subdomains=True)
env = create_environ()
env['wsgi.url_scheme'] = 'https'
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '200 OK'
assert headers[
'Strict-Transport-Security'] == 'max-age=31536000; includeSubDomains'
def test_redirect_to_http():
app = sslify(testapp.test_app)
env = create_environ()
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '301 Moved Permanently'
assert headers['Location'].startswith('https://')
def test_permanent():
app = sslify(testapp.test_app, permanent=False)
env = create_environ()
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '302 Found'
assert headers['Location'].startswith('https://')
def test_https_proxy_custom_header():
app = sslify(testapp.test_app, proxy_header='X-PROTO')
env = create_environ()
env['HTTP_X_PROTO'] = 'https'
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '200 OK'
def test_https_proxy_doesnt_redirect():
app = sslify(testapp.test_app)
env = create_environ()
env['HTTP_X_FORWARDED_PROTO'] = 'https'
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '200 OK'
"""
WSGI config for Pontoon.
It exposes the WSGI callable as a module-level variable named ``application``.
For more information on this file, see
https://docs.djangoproject.com/en/1.8/howto/deployment/wsgi/
"""
from __future__ import absolute_import
import os
from django.core.wsgi import get_wsgi_application
from wsgi_sslify import sslify
# Set settings env var before importing whitenoise as it depends on
# some settings.
os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'pontoon.settings')
from whitenoise.django import DjangoWhiteNoise # noqa
# sslify sets a Strict-Transport-Security header,
# which instructs browsers to always use HTTPS.
application = sslify(DjangoWhiteNoise(get_wsgi_application()))
"""
WSGI config for gettingstarted project.
It exposes the WSGI callable as a module-level variable named ``application``.
For more information on this file, see
https://docs.djangoproject.com/en/1.6/howto/deployment/wsgi/
"""
import os
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "config.settings")
from django.core.wsgi import get_wsgi_application
from whitenoise.django import DjangoWhiteNoise
from wsgi_sslify import sslify
secure_scheme_headers = {'X-FORWARDED-PROTO': 'https'}
application = get_wsgi_application()
application = DjangoWhiteNoise(application)
application = sslify(application)
def test_redirect_to_http():
app = sslify(testapp.test_app)
env = create_environ()
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '301 Moved Permanently'
assert headers['Location'].startswith('https://')
def test_permanent():
app = sslify(testapp.test_app, permanent=False)
env = create_environ()
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '302 Found'
assert headers['Location'].startswith('https://')
def test_https_proxy_custom_header():
app = sslify(testapp.test_app, proxy_header='X-PROTO')
env = create_environ()
env['HTTP_X_PROTO'] = 'https'
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '200 OK'
# if running multiple sites in the same mod_wsgi process. To fix this, use
# mod_wsgi daemon mode with each site in its own daemon process, or use
# os.environ["DJANGO_SETTINGS_MODULE"] = "treeherder.config.settings"
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "treeherder.config.settings")
import environ
from django.core.cache.backends.memcached import BaseMemcachedCache
from django.core.wsgi import get_wsgi_application as django_app
from wsgi_sslify import sslify
from treeherder.config.whitenoise_custom import CustomWhiteNoise
env = environ.Env()
# Wrap the Django WSGI app with WhiteNoise so the UI can be served by gunicorn
# in production, avoiding the need for Apache/nginx on Heroku. WhiteNoise will
# serve the Django static files at /static/ and also those in the directory
# referenced by WHITENOISE_ROOT at the site root.
application = CustomWhiteNoise(django_app())
if env.bool('IS_HEROKU', default=False):
# Redirect HTTP requests to HTTPS and set an HSTS header.
# Required since the equivalent Django features will not be
# able to alter requests that were served by WhiteNoise.
application = sslify(application)
# Fix django closing connection to MemCachier after every request:
# https://code.djangoproject.com/ticket/11331
# Remove when https://github.com/django/django/pull/4866 fixed.
BaseMemcachedCache.close = lambda self, **kwargs: None
for name in ['static', 'templates']:
directory = os.path.join(app.config['PATH'], name)
for entry in os.scandir(directory):
if entry.is_file():
yield entry.path
config = dwellingplace.settings.get_config(os.getenv('FLASK_ENV'))
os.environ['WSGI_AUTH_CREDENTIALS'] = config.WSGI_AUTH_CREDENTIALS
dpapp = dwellingplace.app.create_app(config)
redapp = red.create_app(config)
wsgi_app = BasicAuth(
DispatcherMiddleware(dpapp.wsgi_app, {'/red': redapp.wsgi_app}))
if dpapp.config['USE_HTTPS']:
wsgi_app = sslify(wsgi_app) # pylint: disable=redefined-variable-type
dpapp.wsgi_app = wsgi_app
server = Server(host='0.0.0.0',
extra_files=itertools.chain(find_assets(dpapp),
find_assets(redapp)))
manager = Manager(dpapp)
manager.add_command('run', server)
if __name__ == '__main__':
manager.run()
def test_https_proxy_doesnt_redirect():
app = sslify(testapp.test_app)
env = create_environ()
env['HTTP_X_FORWARDED_PROTO'] = 'https'
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '200 OK'
"""
WSGI config for Pontoon.
It exposes the WSGI callable as a module-level variable named ``application``.
For more information on this file, see
https://docs.djangoproject.com/en/1.8/howto/deployment/wsgi/
"""
import os
from django.core.wsgi import get_wsgi_application
from wsgi_sslify import sslify
# Set settings env var before importing whitenoise as it depends on
# some settings.
os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'pontoon.settings')
from whitenoise.django import DjangoWhiteNoise # noqa
# sslify sets a Strict-Transport-Security header,
# which instructs browsers to always use HTTPS.
application = sslify(DjangoWhiteNoise(get_wsgi_application()))
def test_https_doesnt_redirect():
app = sslify(testapp.test_app)
env = create_environ()
env['wsgi.url_scheme'] = 'https'
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '200 OK'
"""
WSGI config for Pontoon.
It exposes the WSGI callable as a module-level variable named ``application``.
For more information on this file, see
https://docs.djangoproject.com/en/1.8/howto/deployment/wsgi/
"""
import os
import dotenv
from django.core.wsgi import get_wsgi_application
from wsgi_sslify import sslify
# Read dotenv file and inject it's values into the environment
dotenv.load_dotenv(dotenv_path=os.environ.get("DOTENV_PATH"))
# Set settings env var before importing whitenoise as it depends on
# some settings.
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "pontoon.settings")
# sslify sets a Strict-Transport-Security header,
# which instructs browsers to always use HTTPS.
application = sslify(get_wsgi_application())
def test_https_doesnt_redirect():
app = sslify(testapp.test_app)
env = create_environ()
env['wsgi.url_scheme'] = 'https'
app_iter, status, headers = run_wsgi_app(app, env)
assert status == '200 OK'
