Tag: Python

  • Django: Deferred constrain enforcement

    Another Friday, another Django related post. I guess this blog is becoming a bit monothematic. I promise the next ones will bring the much-needed diversity of contents, but today let’s explore a very useful feature of the Django’s ORM.

    Ok… Ok… it’s more of a feature of PostgreSQL that Django supports, and it isn’t available on the other database backends. But let’s dive in any way.

    Let’s imagine this incredibly simplistic scenario where you have the following model:

    class Player(models.Model):
      team = models.ForeignKey(Team, on_delete=models.CASCADE)
      squad_number = models.PositiveSmallIntegerField()
    
      class Meta:
        constrains = [
          models.UniqueConstraint(
            name="unique_squad_number",
            fields=["team", "squad_number"],
          )
        ]

    So a team has many players and each player has a different squad/shirt number. Only one player can use that number for a given team.

    Users, can select their teams and then re-arrange their player’s numbers however they like. To keep it simple, let’s assume it is done through the Django Admin, using a Player Inline on the Team‘s model admin.

    We add proper form validation, to ensure that no players in the submitted squad are assigned the same squad_number. Things work great until you start noticing that despite your validation and despite the user’s input not having any players assigned the same number, integrity errors are flying around. What’s happening?

    Well, when the system tries to update some player records after being correctly validated, each update/insertion is checked against the constraint (even atomically within a transaction). This means that the order of the updates, or in certain situations all updates with correct data, will “raise” integrity errors, due to conflicts with the data currently stored in the database.

    The solution? Deferring the integrity checks to the end of the transaction. Here’s how:

    class Player(models.Model):
      team = models.ForeignKey(Team, on_delete=models.CASCADE)
      squad_number = models.PositiveSmallIntegerField()
    
      class Meta:
        constrains = [
          models.UniqueConstraint(
            name="unique_squad_number",
            fields=["team", "squad_number"],
            deferrable=models.Deferrable.DEFERRED,
          )
        ]

    Now, when you save multiple objects within a single transaction, you will no longer see those errors if the input data is valid.

    Fediverse Reactions
  • Status of old PyPI projects: archived

    Since late January, the python package index (PyPI) supports archiving projects/packages. This is, in fact, a very welcome feature, since it clearly tells without any doubt when a package is no longer maintained and will not receive any further updates.

    It makes it easier for the person looking for packages, to know which ones deserve a closer inspection and which ones are there abandoned, polluting the results.

    Previously, the only viable way to retire a package was by adding a disclaimer to the README, and let it sit there indefinitely, being treated just like the other active packages.

    “You had the option of deleting the package”, you might say. Yes, but as I explained in a previous post, this is dangerous and should be avoided. So, archiving is in my view the best course of action when a person no longer wants to maintain their published packages and projects.

    With this in mind, this week I decided to do my part and archive old packages that I had published for different reasons and were there abandoned for years. These were:

    • mdvis: a small package I wrote many years ago, mostly to learn how to publish things on PyPI.
    • auto-tune: something I was about to start working on for a previous employer and that was cancelled at the last minute.
    • django-cryptolock: an experiment done for a previous client. It tried to implement an existing proposal for an authentication scheme, using Monero wallets.
    • monero-python: a few years ago, during my day-to-day work, this package was removed (then renamed by the original author). At the time, it was a direct dependency for many projects and tools, which meant a malicious actor could have taken it and compromise those systems. As a precaution, I grabbed the open name. It has been there empty ever since.

    Now it is your turn.

    After a sufficient number of packages get marked as archived, we can hope for some enhancements to the search functionality of PyPI. Namely, a way of filtering out archived packages from the results and a visual marker for them in the list view. One step at a time.

    Fediverse Reactions
  • Ways to have an atomic counter in Django

    This week, I’m back at my tremendously irregular Django tips series, where I share small pieces of code and approaches to common themes that developers face when working on their web applications.

    The topic of today’s post is how to implement a counter that isn’t vulnerable to race conditions. Counting is everywhere, when handling money, when controlling access limits, when scoring, etc.

    One common rookie mistake is to do it like this:

    model = MyModel.objects.get(id=id)
    model.count += 1
    model.save(update_fields=["count"])

    An approach that is subject to race conditions, as described below:

    • Process 1 gets count value (let’s say it is currently 5)
    • Process 2 gets counts value
    • Process 1 increments and saves
    • Process 2 increments and saves

    Instead of 7, you end up with 6 in your records.

    On a low stakes project or in a situation where precision is not that important, this might do the trick and not become a problem. However, if you need accuracy, you will need to do it differently.

    Approach 1

    with transaction.atomic():
        model = (
            MyModel.objects.select_for_update()
            .get(id=id)
        )
        model.count += 1
        model.save(update_fields=["count"])

    In this approach, when you first fetch the record, you ask for the database to lock it. While you are handling it, no one else can access it.

    Since it locks the records, it can create a bottleneck. You will have to evaluate if fits your application’s access patterns. As a rule of thumb, it should be used when you require access to the final value.

    Approach 2

    from django.db.models import F
    
    model = MyModel.objects.filter(id=id).update(
        count=F("count") + 1
    )

    In this approach, you don’t lock any values or need to explicitly work inside a transaction. Here, you just tell the database, that it should add 1 to the value that is currently there. The database will take care of atomically incrementing the value.

    It should be faster, since multiple processes can access and modify the record “at the same time”. Ideally, you would use it when you don’t need to access the final value.

    Approach 3

    from django.core.cache import cache
    
    cache.incr(f"mymodel_{id}_count", 1)

    If your counter has a limited life-time, and you would rather not pay the cost of a database insertion, using your cache backend could provide you with an even faster method.

    The downside, is the level of persistence and the fact that your cache backend needs to support atomic increments. As far as I can tell, you are well served with Redis and Memcached.

    For today, this is it. Please let me know if I forgot anything.

  • So you need to upgrade Django

    No matter how much you try to delay and how many reasons you find to postpone, eventually the time comes. You need to update and upgrade your software, your system components, your apps, your dependencies, etc.

    This happens to all computer users. On some systems, this is an enjoyable experience, on other systems as painful as it can get.

    Most of the time, upgrading Django on our projects falls in the first category, due to its amazing documentation and huge community. Nevertheless, the upgrade path takes work and “now” rarely seems the right time to move forward with it, specially if you are jumping between LTS versions.

    So, today’s tip is a mention of 2 packages that can help you reduce the burden of going through your codebase looking for the lines that need to be changed. They are:

    Both of them do more or less the same thing, they will automatically detect the code that needs to be changed and then fix it according to the release notes. Attention, this is no excuse to avoid reading the release notes.

    django-upgrade is faster and probably the best choice, but django-codemod supports older versions of Python. Overall, it will depend on the situation at hand.

    And this is it… I hope these libraries are as helpful to you as they have been to me.

  • Secure PostgreSQL connections on your Django project

    Last week, an article was published with some interesting numbers about the security of PostgreSQL servers publicly exposed to the internet (You can find it here).

    But more than the numbers, what really caught my attention was the fact that most clients and libraries used to access and interact with the databases have insecure defaults:

    most popular SQL clients are more than happy to accept unencrypted connections without a warning. We conducted an informal survey of 22 popular SQL clients and found that only two require encrypted connections by default.

    Jonathan Mortensen

    The article goes on to explain how clients connect to the database server and what options there are to establish and verify the connections.

    So, this week, let’s see how we can set up things in Django to ensure our apps are communicating with the database securely over the network.

    Usually, we set up the database connection like this:

    DATABASES = {
        "default": {
            "ENGINE": "django.db.backends.postgresql",
            "NAME": "db_name",
            "USER": "db_user",
            "PASSWORD": "db_password",
            "HOST": "127.0.0.1",
            "PORT": "5432",
        }
    }

    The above information can also be provided using a single “URL” such as postgres://USER:PASSWORD@HOST:PORT/NAME, but in this case, you might need some extra parsing logic or to rely on an external dependency.

    Now, based on that article psycopg2 by default prefers to use an encrypted connection but doesn’t require it, or even enforces a valid certificate. How can we change that?

    By using the field OPTIONS and then set the sslmode:

    DATABASES = {
        "default": {
            "ENGINE": "django.db.backends.postgresql",
            "NAME": "db_name",
            "USER": "db_user",
            "PASSWORD": "db_password",
            "HOST": "127.0.0.1",
            "PORT": "5432",
            "OPTIONS": {
                "sslmode": "<mode here>"
            }
        }
    }

    The available modes are:

    • disable
    • allow
    • prefer
    • require
    • verify-ca
    • verify-full

    The obvious choice for a completely secure connection is verify-full, specially when the traffic goes through a public network.

    If you are using a URL, something like this should do the trick: postgres://USER:PASSWORD@HOST:PORT/NAME?sslmode=verify-full.

    And that’s it, at least on the client’s side.

    If the above is not an option for you, I recommend taking a look at pgproxy. You can find more details here.

  • Shutting Down Webhook-logger

    A few years ago I built a small application to test Django’s websocket support through django-channels. It basically displayed on a web page in real time all the requests made to a given endpoint (you could generate multiple of them) without storing anything. It was fun and it was very useful to quickly debug stuff , so I kept it running since that time.

    If you are interested in more details about the project itself, you can find a complete overview here.

    However today, Heroku, the platform where it was running, announced the end of the free tier. This tier has been a godsend for personal projects and experiments over the last decade and heroku as a platform initially set the bar really high regarding the developer experience of deploying those projects.

    “Webhook-logger” was the only live project I had running on Heroku’s free tier and after some consideration I reached the conclusion it was time to turn it off. Its functionality is not unique and there are better options for this use case, so it is not worth the work required to move it to a new hosting provider.

    The code is still available in case anyone still want to take a look or deploy by their own.

  • Controlling the access to the clipboard contents

    In a previous blog post published earlier this year I explored some security considerations of the well known “clipboard” functionality that most operating systems provide.

    Long story short, in my opinion there is a lot more that could be done to protect the users (and their sensitive data) from many attacks that use of clipboard as a vector to trick the user or extract sensitive material.

    The proof-of-concept I ended up building to demonstrate some of the ideas worked in X11 but didn’t achieve one of the desired goals:

    It seems possible to detect all attempts of accessing the clipboard, but after struggling a bit, it seems that due to the nature of X11 it is not possible to know which running process owns the window that is accessing the clipboard. A shame.

    Myself, last blog post on this topic

    The good news about the above quote, is that it no longer is true. A kind soul contributed a patch that allows “clipboard-watcher” to fetch the required information about the process accessing the clipboard. Now we have all ingredients to make the tool fulfill its initial intended purpose (and it does).

    With this lengthily introduction we are ready to address the real subject of this post, giving the user more control over how the clipboard is used. Notifying the users about an access is just a first step, but restricting the access is what we want.

    On this topic, several comments to the previous post mentioned the strategy used by Qubes OS. It relies on having one clipboard specific to each app and a second clipboard that is shared between apps. The later requires user intervention to be used. While I think this is a good approach, it is not easy to replicate in a regular Linux distribution.

    However as I mentioned in my initial post, I think we can achieve a similar result by asking the user for permission when an app requests the data currently stored on the clipboard. This was the approach Apple implemented on the recent iOS release.

    So in order to check/test how this could work, I tried to adapt my proof-of-concept to ask for permission before sharing any data. Here’s an example:

    Working example of clipboard-watcher requesting permission before letting other apps access the clipboard contents.

    As we can see, it asks of permission before the requesting app is given the data and it kinda works (ignore the clunky interface and UX). Of course that there are many possible improvements to make its usage bearable, such as whitelisting certain apps, “de-duplicate” the content requests (apps can generate a new one for each available content type, which ends up being spammy), etc.

    Overall I’m pleased with the result and in my humble opinion this should be a “must have” security feature for any good clipboard manager on Linux. I say it even taking into account that this approach is not bulletproof, given that a malicious application could continuously fight/race the clipboard manager for the control of the “X selections”.

    Anyhow, the new changes for the proof-of-concept are available here, please give it a try and let me know what you think and if you find any other problems.

  • Django Friday Tips: Less known builtin commands

    Django management commands can be very helpful while developing your application or website, we are very used to runserver, makemigrations, migrate, shell and others. Third party packages often provide extra commands and you can easily add new commands to your own apps.

    Today lets take a look at some less known and yet very useful commands that Django provides out of the box.


    diffsettings

    $ python manage.py diffsettings --default path.to.module --output unified

    Dealing with multiple environments and debugging their differences is not as rare as we would like. In that particular scenario diffsettings can become quite handy.

    Basically, it displays the differences between the current configuration and another settings file. The default settings are used if a module is not provided.

    - DEBUG = False
    + DEBUG = True
    - EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
    + EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
    - TIME_ZONE = 'America/Chicago'
    + TIME_ZONE = 'UTC'
    + USE_SRI = True
    - USE_TZ = False
    + USE_TZ = True
    ...

    sendtestemail

    $ python manage.py sendtestemail my@address.com

    This one does not require an extensive explanation. It lets you test and debug your email configuration by using it to send the following message:

    Content-Type: text/plain; charset="utf-8"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Subject: Test email from host on 2022-04-28 19:08:56.968492+00:00
    From: webmaster@localhost
    To: my@address.com
    Date: Thu, 28 Apr 2022 19:08:56 -0000
    Message-ID: <165117293696.405310.3477251481753991809@host>
    
    If you're reading this, it was successful.
    -----------------------------------------------------------

    inspectdb

    $ python manage.py inspectdb

    If you are building your project on top of an existing database (managed by other system), inspectdb can look into the schema and generate the respective models for Django’s ORM, making it very easy to start using the data right away. Here’s an example:

    # This is an auto-generated Django model module.
    # You'll have to do the following manually to clean this up:
    #   * Rearrange models' order
    #   * Make sure each model has one field with primary_key=True
    #   * Make sure each ForeignKey and OneToOneField has `on_delete` set to the desired behavior
    #   * Remove `managed = False` lines if you wish to allow Django to create, modify, and delete the table
    # Feel free to rename the models, but don't rename db_table values or field names.
    
    ...
    
    class AuthPermission(models.Model):
        content_type = models.ForeignKey('DjangoContentType', models.DO_NOTHING)
        codename = models.CharField(max_length=100)
        name = models.CharField(max_length=255)
    
        class Meta:
            managed = False
            db_table = 'auth_permission'
            unique_together = (('content_type', 'codename'),)
    ...

    showmigrations

    $ python manage.py showmigrations --verbosity 2

    When you need to inspect the current state of the project’s migrations in a given environment the above command is the easiest way to get that information. It will tell you what migrations exist, which ones were applied and when.

    admin
     [X] 0001_initial (applied at 2021-01-13 19:49:24)
     [X] 0002_logentry_remove_auto_add (applied at 2021-01-13 19:49:24)
     [X] 0003_logentry_add_action_flag_choices (applied at 2021-01-13 19:49:24)
    auth
     [X] 0001_initial (applied at 2021-01-13 19:49:24)
     [X] 0002_alter_permission_name_max_length (applied at 2021-01-13 19:49:24)
     [X] 0003_alter_user_email_max_length (applied at 2021-01-13 19:49:24)
    ...

    There are many other useful management commands that are missing in the base Django package, to fill that gap there are some external packages available such as django-extensions. But I will leave those to a future post.

  • Inlineshashes: a new tool to help you build your CSP

    Content-Security-Policy (CSP) is an important mechanism in today’s web security arsenal. Is a way of defending against Cross-Site Scripting and other attacks.

    It isn’t hard to get started with or to put in place in order to secure your website or web application (I did that exercise in a previous post). However when the systems are complex or when you don’t fully control an underlying “codebase” that frequently changes (like it happens with of-the-shelf software) things can get a bit messier.

    In those cases it is harder to build a strict and simple policy, since there are many moving pieces and/or you don’t control the code development, so you will end up opening exceptions and whitelisting certain pieces of content making the policy more complex. This is specially true for inline elements, making the unsafe-inline source very appealing (its name tells you why you should avoid it).

    Taking WordPress as an example, recommended theme and plugin updates can introduce changes in the included inline elements, which you will have to review in order to update your CSP. The task gets boring very quickly.

    To help with the task of building and maintaining the CSP in the cases described above, I recently started to work on a small tool (and library) to detect, inspect and whitelist new inline changes. You can check it here or download it directly from PyPI.

  • Django Friday Tips: Admin Docs

    While the admin is a well known and very useful app for your projects, Django also includes another admin package that isn’t as popular (at least I never seen it being heavily used) but that can also be quite handy.

    I’m talking about the admindocs app. What it does is to provide documentation for the main components of your project in the Django administration itself.

    It takes the existing documentation provided in the code to developers and exposes it to users that have the is_staff flag enabled.

    This is what they see:

    Django admindocs main page.
    A view of the main page of the generated docs.
    Checking documentation for existing views.
    Checking a model reference in the admin documentation.
    Checking a model reference.

    I can see this being very helpful for small websites that are operated by teams of “non-developers” or even for people providing support to customers. At least when a dedicated and more mature solution for documentation is not available.

    To install you just have to:

    • Install the docutils package.
    • Add django.contrib.admindocs to the installed apps.
    • Add path('admin/doc/', include('django.contrib.admindocs.urls')) to the URLs.
    • Document your code with “docstrings” and “help_text” attributes.

    More details documentation can be found here. And for today, this is it.

  • Who keeps an eye on clipboard access?

    If there is any feature that “universally” describes the usage of computers, it is the copy/paste pattern. We are used to it, practically all the common graphical user interfaces have support for it, and it magically works.

    We copy some information from one application and paste into another, and another…

    How does these applications have access to this information? The clipboard must be something that is shared across all of them, right? Right.

    While very useful, this raises a lot of security questions. As far as I can tell, all apps could be grabbing what is available on the clipboard.

    It isn’t uncommon for people to copy sensitive information from one app to another and even if the information is not sensitive, the user generally has a clear target app for the information (the others don’t have anything to do with it).

    These questions started bugging me a long time ago, and the sentiment even got worse when Apple released an iOS feature that notifies users when an app reads the contents of the clipboard. That was brilliant, why didn’t anyone thought of that before?

    The result? Tons of apps caught snooping into the clipboard contents without the user asking for it. The following articles can give you a glimpse of what followed:

    That’s not good, and saying you won’t do it again is not enough. On iOS, apps were caught and users notified, but what about Android? What about other desktop operating systems?

    Accessing the clipboard to check what’s there, then steal passwords, or replace cryptocurrency addresses or just to get a glimpse of what the user is doing is a common pattern of malware.

    I wonder why hasn’t a similar feature been implemented in most operating systems we use nowadays (it doesn’t need to be identical, but at least let us verify how the clipboard is being used). Perhaps there exists tools can help us with this, however I wasn’t able to find any for Linux.

    A couple of weeks ago, I started to look at how this works (on Linux, which is what I’m currently using). What I found is that most libraries just provide a simple interface to put things on the clipboard and to get the current clipboard content. Nothing else.

    After further digging, I finally found some useful and interesting articles on how this feature works on X11 (under the hood of those high level APIs). For example:

    Then, with this bit of knowledge about how the clipboard works in X11, I decided to do a quick experiment in order to check if I can recreate the clipboard access notifications seen in iOS.

    During the small periods I had available in the last few weekends, I tried to build a quick proof of concept, nothing fancy, just a few pieces of code from existing examples stitched together.

    Here’s the current result:

    Demonstration of clipboard-watcher detecting when other apps access the contents

    It seems possible to detect all attempts of accessing the clipboard, but after struggling a bit, it seems that due to the nature of X11 it is not possible to know which running process owns the window that is accessing the clipboard. A shame.

    The information that X11 has about the requesting client must be provided by the client itself, which makes it very hard to know for sure which process it is (most of the time it is not provided at all).

    Nevertheless, I think this could still be a very useful capability for existing clipboard managers (such as Klipper), given the core of this app works just like one.

    Even without knowing the process trying to access the clipboard contents, I can see a few useful features that are possible to implement, such as:

    • Create some stats about the clipboard access patterns.
    • Ask the user for permission, before providing the clipboard contents.

    Anyhow, you can check the proof of concept here and give it a try (improvements are welcome). Let me know what you think and what I’ve missed.

  • Django Friday Tips: Deal with login brute-force attacks

    In the final tips post of the year, lets address a solution to a problem that most websites face once they have been online for a while.

    If you have a back-office or the concept of user accounts, soon you will face the security problem of attackers trying to hack into these private zones of the website.

    These attackers can either be people trying to login as somebody else, or even bots trying to find accounts with common/leaked passwords.

    Unfortunately we cannot rely on users to pick strong and unique passwords. We can help them, as I explained in a previous post, but it isn’t guaranteed that the user will make a good choice.

    Using a slow key derivation function, to slowdown the process and increase the time required to test an high number of possibilities, helps but isn’t enough.

    However we can go even further with this strategy, by controlling the number of attempts and only allowing a “given number of tries per time window”.

    This is very easy to achieve on Django projects by relying on the django-axes package. Here’s an explanation of what it does:

    Axes records login attempts to your Django powered site and prevents attackers from attempting further logins to your site when they exceed the configured attempt limit.

    django-axes documentation

    Basically you end up with record of attempts (that you can see in the admin) and allows you to define how the system will behave after multiple failed tries, by setting the maximum number of failures and cool-off periods.

    You can check the package here, it is very easy to setup and it shouldn’t require many changes to your code. The documentation can be found here and it covers everything you will need so I won’t provide any examples this time.

    I hope this tip ends up being useful and wish you a Merry Christmas. The tips will continue in 2022.

  • Django Friday Tips: Password validation

    This time I’m gonna address Django’s builtin authentication system, more specifically the ways we can build custom improvements over the already very solid foundations it provides.

    The idea for this post came from reading an article summing up some considerations we should have when dealing with passwords. Most of those considerations are about what controls to implement (what “types” of passwords to accept) and how to securely store those passwords. By default Django does the following:

    • Passwords are stored using PBKDF2. There are also other alternatives such as Argon2 and bcrypt, that can be defined in the setting PASSWORD_HASHERS.
    • Every Django release the “strength”/cost of this algorithm is increased. For example, version 3.1 applied 216000 iterations and the last version (3.2 at the time of writing) applies 260000. The migration from one to another is done automatically once the user logs in.
    • There are a set of validators that control the kinds of passwords allowed to be used in the system, such as enforcing a minimum length. These validators are defined on the setting AUTH_PASSWORD_VALIDATORS.

    By default when we start a new project these are the included validators :

    • UserAttributeSimilarityValidator
    • MinimumLengthValidator
    • CommonPasswordValidator
    • NumericPasswordValidator

    The names are very descriptive and I would say a good starting point. But as the article mentions the next step is to make sure users aren’t reusing previously breached passwords or using passwords that are known to be easily guessed (even when complying with the other rules). CommonPasswordValidator already does part of this job but with a very limited list (20000 entries).

    Improving password validation

    So for the rest of this post I will show you some ideas on how we can make this even better. More precisely, prevent users from using a known weak password.

    1. Use your own list

    The easiest approach, but also the more limited one, is providing your own list to `CommonPasswordValidator`, containing more entries than the ones provided by default. The list must be provided as a file with one entry in lower case per line. It can be set like this:

    {
      "NAME": "django.contrib.auth.password_validation.CommonPasswordValidator",
      "OPTIONS": {"password_list_path": "<path_to_your_file>"}
    }

    2. Use zxcvbn-python

    Another approach is to use an existing and well-known library that evaluates the password, compares it with a list of known passwords (30000) but also takes into account slight variations and common patterns.

    To use zxcvbn-python we need to implement our own validator, something that isn’t hard and can be done this way:

    # <your_app>/validators.py
    
    from django.core.exceptions import ValidationError
    from zxcvbn import zxcvbn
    
    
    class ZxcvbnValidator:
        def __init__(self, min_score=3):
            self.min_score = min_score
    
        def validate(self, password, user=None):
            user_info = []
            if user:
                user_info = [
                    user.email, 
                    user.first_name, 
                    user.last_name, 
                    user.username
                ]
            result = zxcvbn(password, user_inputs=user_info)
    
            if result.get("score") < self.min_score:
                raise ValidationError(
                    "This passoword is too weak",
                    code="not_strong_enough",
                    params={"min_score": self.min_score},
                )
    
        def get_help_text(self):
            return "The password must be long and not obvious"
    

    Then we just need to add to the settings just like the other validators. It’s an improvement but we still can do better.

    3. Use “have i been pwned?”

    As suggested by the article, a good approach is to make use of the biggest source of leaked passwords we have available, haveibeenpwned.com.

    The full list is available for download, but I find it hard to justify a 12GiB dependency on most projects. The alternative is to use their API (documentation available here), but again we must build our own validator.

    # <your_app>/validators.py
    
    from hashlib import sha1
    from io import StringIO
    
    from django.core.exceptions import ValidationError
    
    import requests
    from requests.exceptions import RequestException
    
    class LeakedPasswordValidator:
        def validate(self, password, user=None):
            hasher = sha1(password.encode("utf-8"))
            hash = hasher.hexdigest().upper()
            url = "https://api.pwnedpasswords.com/range/"
    
            try:
                resp = requests.get(f"{url}{hash[:5]}")
                resp.raise_for_status()
            except RequestException:
                raise ValidationError(
                    "Unable to evaluate password.",
                    code="network_failure",
                )
    
            lines = StringIO(resp.text).readlines()
            for line in lines:
                suffix = line.split(":")[0]
    
                if hash == f"{hash[:5]}{suffix}":
                    raise ValidationError(
                        "This password has been leaked before",
                        code="leaked_password",
                    )
    
        def get_help_text(self):
            return "Use a different password"
    

    Then add it to the settings.

    Edit: As suggested by one reader, instead of this custom implementation we could use pwned-passwords-django (which does practically the same thing).

    And for today this is it. If you have any suggestions for other improvements related to this matter, please share them in the comments, I would like to hear about them.

  • Django Friday Tips: Subresource Integrity

    As you might have guessed from the title, today’s tip is about how to add “Subresource integrity” (SRI) checks to your website’s static assets.

    First lets see what SRI is. According to the Mozilla’s Developers Network:

    Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.

    Source: MDN

    So basically, if you don’t serve all your static assets and rely on any sort of external provider, you can force the browser to check that the delivered contents are exactly the ones you expect.

    To trigger that behavior you just need to add the hash of the content to the integrity attribute of the <script> and/or <link> elements in question.

    Something like this:

    <script src="https://cdn.jsdelivr.net/npm/vue@2.6.12/dist/vue.min.js" integrity="sha256-KSlsysqp7TXtFo/FHjb1T9b425x3hrvzjMWaJyKbpcI=" crossorigin="anonymous"></script>

    Using SRI in a Django project

    This is all very nice but adding this info manually isn’t that fun or even practical, when your resources might change frequently or are built dynamically on each deployment.

    To help with this task I recently found a little tool called django-sri that automates these steps for you (and is compatible with whitenoise if you happen to use it).

    After the install, you just need to replace the {% static ... %} tags in your templates with the new one provided by this package ({% sri_static .. %}) and the integrity attribute will be automatically added.

  • Django Friday Tips: Permissions in the Admin

    In this year’s first issue of my irregular Django quick tips series, lets look at the builtin tools available for managing access control.

    The framework offers a comprehensive authentication and authorization system that is able to handle the common requirements of most websites without even needing any external library.

    Most of the time, simple websites only make use of the “authentication” features, such as registration, login and logout. On more complex systems only authenticating the users is not enough, since different users or even groups of users will have access to distinct sets of features and data records.

    This is when the “authorization” / access control features become handy. As you will see they are very simple to use as soon as you understand the implementation and concepts behind them. Today I’m gonna focus on how to use these permissions on the Admin, perhaps in a future post I can address the usage of permissions on other situations. In any case Django has excellent documentation, so a quick visit to this page will tell you what you need to know.

    Under the hood

    Simplified Entity-Relationship diagram of Django's authentication and authorization features.
    ER diagram of Django’s “auth” package

    The above picture is a quick illustration of how this feature is laid out in the database. So a User can belong to multiple groups and have multiple permissions, each Group can also have multiple permissions. So a user has a given permission if it is directly associated with him or or if it is associated with a group the user belongs to.

    When a new model is added 4 permissions are created for that particular model, later if we need more we can manually add them. Those permissions are <app>.add_<model>, <app>.view_<model>, <app>.update_<model> and <app>.delete_<model>.

    For demonstration purposes I will start with these to show how the admin behaves and then show how to implement an action that’s only executed if the user has the right permission.

    The scenario

    Lets image we have a “store” with some items being sold and it also has a blog to announce new products and promotions. Here’s what the admin looks like for the “superuser”:

    Admin view, with all models being displayed.
    The admin showing all the available models

    We have several models for the described functionality and on the right you can see that I added a test user. At the start, this test user is just marked as regular “staff” (is_staff=True), without any permissions. For him the admin looks like this:

    A view of Django admin without any model listed.
    No permissions

    After logging in, he can’t do anything. The store manager needs the test user to be able to view and edit articles on their blog. Since we expect in the future that multiple users will be able to do this, instead of assigning these permissions directly, lets create a group called “editors” and assign those permissions to that group.

    Only two permissions for this group of users

    Afterwards we also add the test user to that group (in the user details page). Then when he checks the admin he can see and edit the articles as desired, but not add or delete them.

    Screenshot of the Django admin, from the perspective of a user with only "view" and "change" permissions.
    No “Add” button there

    The actions

    Down the line, the test user starts doing other kinds of tasks, one of them being “reviewing the orders and then, if everything is correct, mark them as ready for shipment”. In this case, we don’t want him to be able to edit the order details or change anything else, so the existing “update” permissions cannot be used.

    What we need now is to create a custom admin action and a new permission that would let specific users (or groups) execute that action. Lets start with the later:

    class Order(models.Model):
        ...
        class Meta:
            ...
            permissions = [("set_order_ready", "Can mark the order as ready for shipment")]

    What we are doing above, is telling Django there is one more permission that should be created for this model, a permission that we will use ourselves.

    Once this is done (you need to run manage.py migrate), we can now create the action and ensure we check that the user executing it has the newly created permission:

    class OrderAdmin(admin.ModelAdmin):
        ...
        actions = ["mark_as_ready"]
    
        def mark_as_ready(self, request, queryset):
            if request.user.has_perm("shop.set_order_ready"):
                queryset.update(ready=True)
                self.message_user(
                    request, "Selected orders marked as ready", messages.SUCCESS
                )
            else:
                self.message_user(
                    request, "You are not allowed to execute this action", messages.ERROR
                )
    
        mark_as_ready.short_description = "Mark selected orders as ready"

    As you can see, we first check the user as the right permission, using has_perm and the newly defined permission name before proceeding with the changes.

    And boom .. now we have this new feature that only lets certain users mark the orders as ready for shipment. If we try to execute this action with the test user (that does not have yet the required permission):

    No permission assigned, no action for you sir

    Finally we just add the permission to the user and it’s done. For today this is it, I hope you find it useful.