Opened 13 years ago

Closed 10 years ago

#17101 closed New feature (fixed)

Add --deploy option to check management command

Reported by: Carl Meyer Owned by: Tim Graham
Component: Core (Management commands) Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

There has been discussion of integrating something similar to django-secure into Django core, to help users check some common deployment mis-configurations. We probably want to use a name like "checkdeploy" rather than "checksecure", both to allow for a broader range of checks to be included, and to avoid giving users a false sense that a successful runs means their code is secure.

This would include checking SESSION_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY, X_FRAME_OPTIONS (and the middleware); these are all things which django-secure currently checks.

It could also include checking for common python path issues, existence of 500/404 templates (if you're using the default 404/500 handlers)...

And of course it should be pluggable so third-party apps can provide additional checks that users can include (and users should be able to disable built-in checks if they determine it doesn't apply to them for whatever reason).

Change History (4)

comment:1 by Preston Holmes, 13 years ago

Triage Stage: UnreviewedAccepted

A couple quick thoughts to attach to this idea:

The solution should work well with automated deployment workflows, I can't see why a management command would be limiting for this in any way - and django-secure is already well factored to allow the checks to be used outside of the management command context. Just mentioning.

It would be nice to support multiple outputs. In addition to the standard human readable console output, a machine parseable format, and a shiny HTML grid format.

comment:2 by Tim Graham, 10 years ago

Has patch: set
Owner: changed from nobody to Tim Graham
Patch needs improvement: set
Status: newassigned
Version: 1.3master

I'm working on this as part of integrating django-secure.

I've implemented the ability to register "deployment checks" by adding deploy=True to register(), e.g. @register("tag_name", deploy=True). These checks are only run if you pass the --deploy flag to check. So in development you can run manage.py check --deploy --settings=settings_prod to check your production settings file. Running these checks automatically if DEBUG is False would likely give them better visibility, but I don't see an easy way of disabling them when testing if we did that.

django-developers thread.

comment:3 by Tim Graham, 10 years ago

Patch needs improvement: unset
Summary: Add "checkdeploy" management commandAdd --deploy option to check management command

comment:4 by Tim Graham <timograham@…>, 10 years ago

Resolution: fixed
Status: assignedclosed

In 52ef6a47269a455113d95992f868939131f9c10c:

Fixed #17101 -- Integrated django-secure and added check --deploy option

Thanks Carl Meyer for django-secure and for reviewing.

Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and
Jorge Carleitao for reviews.

Note: See TracTickets for help on using tickets.
Back to Top