Opened 3 years ago

Closed 7 months ago

#17101 closed New feature (fixed)

Add --deploy option to check management command

Reported by: carljm
Owned by: timgraham
Component: Core (Management commands)
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

There has been discussion of integrating something similar to django-secure into Django core, to help users check some common deployment misconfigurations. We probably want to use a name like "checkdeploy" rather than "checksecure", both to allow for a broader range of checks to be included, and to avoid giving users a false sense that a successful run means their code is secure.

This would include checking SESSION_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY, X_FRAME_OPTIONS (and the middleware); these are all things which django-secure currently checks.

It could also include checking for common python path issues, existence of 500/404 templates (if you're using the default 404/500 handlers)...

And of course it should be pluggable so third-party apps can provide additional checks that users can include (and users should be able to disable built-in checks if they determine it doesn't apply to them for whatever reason).

Change History (4)

comment:1 Changed 3 years ago by ptone

  • Triage Stage changed from Unreviewed to Accepted

A couple quick thoughts to attach to this idea:

The solution should work well with automated deployment workflows; I can't see why a management command would be limiting for this in any way, and django-secure is already well factored to allow the checks to be used outside of the management command context. Just mentioning.

It would be nice to support multiple outputs: in addition to the standard human-readable console output, a machine-parseable format and a shiny HTML grid format.

comment:2 Changed 7 months ago by timgraham

  • Has patch set
  • Owner changed from nobody to timgraham
  • Patch needs improvement set
  • Status changed from new to assigned
  • Version changed from 1.3 to master

I'm working on this as part of integrating django-secure.

I've implemented the ability to register "deployment checks" by adding deploy=True to register(), e.g. @register("tag_name", deploy=True). These checks are only run if you pass the --deploy flag to check. So in development you can run manage.py check --deploy --settings=settings_prod to check your production settings file. Running these checks automatically if DEBUG is False would likely give them better visibility, but I don't see an easy way of disabling them when testing if we did that.

django-developers thread.
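To illustrate the mechanism described in the comment above, here is an added example (not Django's own django.core.checks code and not part of the ticket): a minimal stand-in registry where checks decorated with deploy=True are skipped unless the caller passes the equivalent of --deploy, applied to the settings the ticket names. The names register, run_checks and CheckWarning, the MIDDLEWARE settings key, the sample settings dict and the deploy.W00x ids are all constructed for this illustration.

```python
from dataclasses import dataclass

# Constructed stand-in for the check registry; mirrors the shape of
# register(tag, deploy=True) but is not Django's implementation.
_REGISTRY = []  # entries of (tags, deploy_only, check_function)


@dataclass(frozen=True)
class CheckWarning:
    msg: str
    id: str  # constructed ids, not Django's real check ids


def register(*tags, deploy=False):
    """Decorator: deploy=True marks a check that runs only with --deploy."""
    def decorator(func):
        _REGISTRY.append((frozenset(tags), deploy, func))
        return func
    return decorator


def run_checks(settings, deploy=False):
    """Run ordinary checks always; run deployment checks only when deploy=True."""
    messages = []
    for _tags, deploy_only, func in _REGISTRY:
        if deploy_only and not deploy:
            continue  # development run: deployment-only checks stay silent
        messages.extend(func(settings))
    return messages


@register("security", deploy=True)
def check_session_cookies(settings):
    """Session cookie should be Secure and HttpOnly in production."""
    found = []
    if not settings.get("SESSION_COOKIE_SECURE", False):
        found.append(CheckWarning("SESSION_COOKIE_SECURE is not True.", "deploy.W001"))
    if not settings.get("SESSION_COOKIE_HTTPONLY", True):
        found.append(CheckWarning("SESSION_COOKIE_HTTPONLY is not True.", "deploy.W002"))
    return found


@register("security", deploy=True)
def check_xframe_options(settings):
    """X_FRAME_OPTIONS only takes effect if the middleware is installed."""
    mw = "django.middleware.clickjacking.XFrameOptionsMiddleware"
    if mw not in settings.get("MIDDLEWARE", ()):
        return [CheckWarning("XFrameOptionsMiddleware is not in MIDDLEWARE.", "deploy.W003")]
    if settings.get("X_FRAME_OPTIONS", "DENY") not in ("DENY", "SAMEORIGIN"):
        return [CheckWarning("X_FRAME_OPTIONS is not DENY or SAMEORIGIN.", "deploy.W004")]
    return []
```

Running `run_checks(prod_settings, deploy=True)` against a production settings dict plays the role of `manage.py check --deploy --settings=settings_prod`; without `deploy=True` the same call returns nothing for these checks.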

comment:3 Changed 7 months ago by timgraham

  • Patch needs improvement unset
  • Summary changed from Add "checkdeploy" management command to Add --deploy option to check management command

comment:4 Changed 7 months ago by Tim Graham <timograham@…>

  • Resolution set to fixed
  • Status changed from assigned to closed

In 52ef6a47269a455113d95992f868939131f9c10c:

Fixed #17101 -- Integrated django-secure and added check --deploy option

Thanks Carl Meyer for django-secure and for reviewing.

Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and
Jorge Carleitao for reviews.
