Gonçalo Valério

Category: Technology and Internet

Everything related to technology and the Internet. Tutorials, projects, news…

  • Django Friday Tips: Secret Key

    One thing that is always generated for you when you start a new django project is the SECRET_KEY string. This value is described in the documentation as:

    A secret key for a particular Django installation. This is used to provide cryptographic signing, and should be set to a unique, unpredictable value.

    The rule book mandates that this value should not be shared or made public, since this will defeat its purpose and many securing features used by the framework. Given that on any modern web development process we have multiple environments such as production and staging, or in the cases where we might deploy the same codebase different times for different purposes, we will need to generate and have distinct versions of this variable so we can’t rely solely on the one that was generated when the project was started.

    There is no official way to generate new values for the secret key, but with a basic search on the Internet, you can find several sources and code snippets for this task. So which one to use? The django implementation has a length of 50 characters, chosen randomly from an alphabet with size 50 as well, so we might start with this as a requirement. Better yet, why not call the same function that django-admin.py uses itself?

    So for a new project, the first thing to do is to replace this:

    SECRET_KEY = "uN-pR3d_IcT4~ble!_Str1Ng..."

    With this:

    SECRET_KEY = os.environ.get("SECRET_KEY", None)

    Then for each deployment we can generate a distinct value for it using a simple script like this one:

    from django.utils.crypto import get_random_string

chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
print("SECRET_KEY={}".format(get_random_string(50, chars)))

    Usage:

    $ python script_name.py >> .env

    Some people think the default function is not random enough and proposed a different alternative (that also works), if you feel the same way check this script.

  • Managing secrets

    A few hours ago, I published a small article on Whitesmith’s blog about sharing and managing secrets, inside a software development environment. At first I dig a little into this problem that is very common and later I explain how we are addressing these issues. You can check it through the following link:

    Managing Secrets (www.whitesmith.co/blog/managing-secrets/)

    I mention some tools on the article that are very interesting in this area, but a more detailed analysis or walk-through was left for a future post as we get more familiarized with them.

  • Browsing folders of markdown files

    If you are like me, you have a bunch of notes and documents written in markdown spread across many folders. Even the documentation of some projects involving many people is done this way and stored, for example, in a git repository. While it is easy to open the text editor to read these files, it is not the most pleasant experience, since the markup language was made to later generate readable documents in other formats (eg. HTML).

    For many purposes setting up the required configuration of tools to generate documentation (like mkdocs) is not practical, neither it was the initial intent when it was written. So last weekend I took a couple of hours and built a rough (and dirty) tool to help me navigate and read the markdown documents with a more pleasant experience, using the browser (applying style as github).

    I called it mdvis and it is available for download through “pip”. Here’s how working with it looks like:

    It does not provide many features and is somewhat “green”, but it serves my current purposes. The program is open-source so you can check it here, in case you want to help improving it.

  • Django Friday Tips: Security Checklist

    Security is one of those areas where it is very hard to know if everything is taken care of. So you have been working on this project for a while and you want to deploy it into a production server, there are several settings on this new environment that should differ from your development one.

    Since this is very common situation and there are many examples of misconfigurations that later turned to security issues, django has a security checklist (since version 1.8) to remind you of some basic aspects (mostly on/off switches) that you should make sure that are set correctly.

    To run it on your project you simply have to execute the following command:

    $python manage.py check --deploy

    After the verification you will be presented with warnings like this one:

    (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.

    More information can be found in the documentation, since it uses the check framework, that has several interesting use cases.

    Interested in more information about security in django? Check this video from the last edition of “Django Under the Hood“.

  • Django Friday Tips: Managing Dependencies

    This one is not specific of django but it is very common during the development of any python project. Managing the contents of the requirements.txt file, that sometimes grows uncontrollably can be a mess. One of the root causes is the common work-flow of using virtualenv, install with pip all the required libraries and then do something like:

    $pip freeze > requirements.txt

    At the beginning this might work great, however soon you will need to change things and remove libraries. At this point, things start to get a little trickier, since you do not know which lines are a direct dependency of your project or if they were installed because a library you already removed needed them. This leads to some tedious work in order to maintain the dependency list clean.

    To solve this problem we might use pip-tools, which will help you declare the dependencies in a simple way and automatically generate the final requirements.txt. As it is shown in the project readme, we can declare the following requirements.in file:

    django
requests
pillow
celery

    Then we generate our “official” requirements.txt with the pip-compile command, that will product the following output:

    #
# This file is autogenerated by pip-compile
# Make changes in requirements.in, then run this to update:
#
#    pip-compile requirements.in
#
amqp==1.4.8               # via kombu
anyjson==0.3.3            # via kombu
billiard==3.3.0.22        # via celery
celery==3.1.19
django==1.9
kombu==3.0.30             # via celery
pillow==3.0.0
pytz==2015.7              # via celery
requests==2.8.1

    Now you can keep track of where all those libraries came from. Need to add or remove packages? Just run pip-compile again.

  • Securing IoT Devices

    During the first couple of months of the year 2015 I’ve worked a “little” on the subject of security in the Internet of things world. Even though there is a lot of information about this topic and its crucial role on this new era of the IoT. So today I will share a small document I’ve compiled, with information about simple issues, that we should take for granted in the functionality of these devices, that I’ve found out that they aren’t always done the right way.

    This document was written in the beginning of the summer but today I’ve decided to recompile the .tex files and share here. The PDF version can be found in this link and web version for quick consultation bellow in this post.

    The document is always open to updates and improvements, so if you have any suggestions just send me an email or leave some feedback in the comment’s section.

    (more…)

  • Django friday tips: Switch the user model

    In the most recent versions of django, you’re no longer attached to the default user model. So unlike what happened some time ago, when you had two models (User and Profile) “linked” together through an one-to-one relationship, nowadays you can extend or substitute the base user model.

    It is as simples as adding the following line to your settings.py:

    AUTH_USER_MODEL = 'djangoapp.UserModel'

    If you only want to extend it and avoid having to implement some boilerplate, you should sub class the AbstractUserModel like this:

    from django.contrib.auth.models import AbstractUser


class User(AbstractUser):
    ...

    This way you will be able to use all th predefined features, and even use the admin settings of the default user model by doing the following in your admin.py file:

    from django.contrib.auth.admin import UserAdmin as DefaultUserAdmin

@admin.register(User)
class UserAdmin(DefaultUserAdmin):
    ...

    If you are starting out I hope this information was useful.

  • An heavy chat application

    Following up the quote I pointed some time ago in an entry entitled “Bloat”, I will let here one good example. I know Slack it is a great application and it has some complex features, yet I don’t see any reason for any chat program to steal almost 900 Megabytes of my computer’s memory.

    slack memoryNote: I know the version I am using is still in beta but c’mon guys that’s too much.

  • Newsletters for Python web developers

    The amount of new information that is added each day to the web is overwhelming, trying to keep up daily with everything about a given topic can be a time consuming process. One good way I found to tackle this problem and to avoid wasting a good chunk of my day searching and filtering through lots of new content in order to know what’s going on, was to subscribe to good resources that curate this material and send to my email box at the end of each week/month.

    Over time I found that the following 4 sources have continuously provided me with selection of good and up to date content summing up what I might have missed in the previous week/month related to Python and web development in general.

    Pycoders weekly

    This weekly newsletter is not focused on the web but address what’s going on on the python community, suggests good articles so you can level up your python skills and showcases interesting projects or libraries.

    Url: http://pycoders.com/

    Django Round-Up

    This one is comes less frequently but I found the quality of the content to be high. As its name shows, Django round-up focus exclusively on contents related to the web framework.

    Url: https://lincolnloop.com/django-round-up/

    HTML5 Weekley

    The first two were about the server side, with this one we move to the browser. HTML5 Weekly focuses on what can be done in the browser and were these technologies are heading to.

    Url: http://html5weekly.com/

    Javascript Weekly

    Being a web development post we can’t leave JavaScript behind, at least for now. This newsletter gives you the latest news and tools related to this programming language.

    Url: http://javascriptweekly.com/

    I hope you like it. If you find them useful you might also want to follow my Django Collection bundle (which I described in this old post), where I collect useful material related with the Django web framework.

  • Getting started with GPG

    Getting started with GPG

    Last week I gave a small workshop during the lunch hour (the famous Whitesmith’s “Lunch’n Learn”) about openPGP. It only covered the most basic aspects so that non-technical people could be introduced to this tool, something that can be very useful when someone is sharing or working with sensitive information (either personal or work related).

    It covers aspects such as key pair generation, key revocation, exportation/importation of keys and obviously encryption and decryption of documents. Most of the examples use a command line interface but there are several frontends available which are straightforward to use once you are familiarized with the concepts. Perhaps it can also be useful to you (somehow) so here is the link to the presentation, if you have any question feel free to ask in the comments section.

  • Integrating security tests into web applications

    Today I published a blog post about how to easily run and automate security tests while developing your websites and web applications using Zed Attack Proxy. The example uses Ruby on Rails framework but it is independent of any stack. I’m planning to write a follow up article on the same theme, so any feedback on this first part is welcome. You can check the blog post here (whitesmith.co/blog) and the sample code here (Github).

  • “Bloat”

    Last week I’ve read a great post entitled “Web Design: The First 100 Years“, it is a long one but definitely worth reading. I will just leave here a quote (3 short paragraphs) because it puts into words something that already crossed my mind multiple times.

    “A further symptom of our exponential hangover is bloat. As soon as a system shows signs of performance, developers will add enough abstraction to make it borderline unusable. Software forever remains at the limits of what people will put up with. Developers and designers together create overweight systems in hopes that the hardware will catch up in time and cover their mistakes.

    We complained for years that browsers couldn’t do layout and javascript consistently. As soon as that got fixed, we got busy writing libraries that reimplemented the browser within itself, only slower.

    It’s 2014, and consider one hot blogging site, Medium. On a late-model computer it takes me ten seconds for a Medium page (which is literally a formatted text file) to load and render. This experience was faster in the sixties.” Maciej Cegłowski

  • Disable Firefox’s pocket integration

    Firefox has been my browser of choice for quite some time now. However recent decisions made by Mozilla are increasing my desire to change soon. They added “ads” on the “new tab page”, changed the UI to just look like chrome, decided to include DRM directly into the browser (more on that), etc. The last one was to include Pocket, a proprietary service, directly into the open-source browser.

    While this service might be useful for many users, other people do not like/use it. This kind of functionality should be relegated to pluggable extensions, one of the features that in its early days gave notoriety to Firefox. So a browser that was supposed to be light, open-source and extensible is slowly starting to drift apart from its initial strengths. This post describes in a short way what seems to be happening.

    Somebody yesterday wrote a rant about it with some valid points and concerns. So here’s how I disabled pockets in my browser:

    1. Write “about:config” in the address bar.
    2. Click “I will be careful, I promise“.
    3. Search for “pocket“.
    4. Modify it like is shown in the picture bellow.
    5. Restart the browser.

    disable-pocket

    Small extra: if you, like me, don’t like the tab style that just looks like chrome, you can switch to the development theme by changing the line “browser.devedition.theme.enabled” to true. Want the dark theme? Change the line “devtools.theme” to “dark“.

    Now lets hope that Mozilla puts an end to this series of bad decisions in a near future.

    Note: In Firefox v40 the development theme is no longer available (or at least accessible), so to use it you will need an extension.

  • Plasma 5

    Plasma 5

    Upon the release of the new version of Kubuntu, I decided to update my Ubuntu machine and move from the rock solid KDE4 to the new Plasma 5 desktop environment. In this post I do a small overview of my experience with it until now.

    I first started with the version 5.2 since it is the one that comes with the default repositories. I spent several days on this release and then moved to the newest 5.3 that was launched roughly around the same time as the new Kubuntu version.

    So why I decided to move to Plasma 5? Because it is gorgeous, the new default theme and the overall design is a breath of fresh air, it makes all other DE I’ve used with their default themes feel ugly. Second because it is the future and I like the change in strategy used by the KDE team to split the previous huge monolith into several small libraries that can be used independently. The releases are now also divided into Plasma 5 (de Desktop Environment), KDE Frameworks (those libraries) and KDE Applications.

    Plasma 5 is great because it maintains the KDE tradition of giving you a huge amount configuration capabilities, so you can make it work the way you want. It also does not try to enforce a tablet/phone user interface, I’m working on a laptop with keyboard and a track-pad not in a touch device.

    These were the things that I liked the most in this new version:

    • The overall new look, including the theme, new icons, splash screen, etc.
    • The new system tray widget. The new aggregation feature is awesome and now includes the clipboard contents.
    • Keyboard backlight controls work great (out of the box) on my machine.

    It is new but almost everything works as it should. For sure there are still some missing features and personalization capabilities that were present before and weren’t ported for the new version but nothing that time will not solve.

    Even though the experience has been pretty good, there are still some rough edges that need to be addressed and lots of widgets/plasmoids are still missing. For example in the last few days I’ve struggled with two issues and haven’t been able to solve them completely. The first one was described here in the official forum and it seems many people had the same problem, the second one is related to the dark version of the theme that suddenly stopped working, as you can see in the following screenshot:

    Breeze theme working as it should
    Something is wrong with this Breeze Dark theme

    Other thing is that the developer documentation is still in its early days, so, good luck if you want to develop something for this new version.

    Summing up, if you are using a UNIX based operating system and like to have bleeding edge software installed, I definitely recommend that you try Plasma 5. You will be surprised with it, but for the time being do not forget to also have other DE installed, in the case you run into some problems, like I did, in moments that you don’t have the time to search for the solution.

  • Please do not let your SSL certificate expire

    nonio-cert

    Please avoid what is happening right now with the student’s platform of my university, that is, letting your SSL certificate expire over the weekend. Initially it will raise suspicion and distrust based on the alert showed by the browser and if the issue lasts too long it will expose lots of users to phishing attacks, since users will not notice the difference between the real site and a rogue one.