cal-itp · thekaveman · Sep 27, 2023 · Aug 22, 2023 · Aug 30, 2023 · Aug 30, 2023
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -1,12 +1,12 @@
 FROM eligibility_server:latest
 
-# install devcontainer requirements
-RUN pip install -e .[dev,test]
-
 # docs requirements are in a separate file for the GitHub Action
 COPY docs/requirements.txt docs/requirements.txt
 RUN pip install --no-cache-dir -r docs/requirements.txt
 
+# install devcontainer requirements
+RUN pip install -e .[dev,test]
+
 # install pre-commit environments in throwaway Git repository
 # https://stackoverflow.com/a/68758943
 COPY .pre-commit-config.yaml .

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -6,8 +6,6 @@
   "runServices": ["dev", "docs"],
   "workspaceFolder": "/home/calitp/app",
   "postStartCommand": ["/bin/bash", "bin/init.sh"],
-  "postAttachCommand": ["/bin/bash", ".devcontainer/postAttach.sh"],
-
   "customizations": {
     // Set *default* container specific settings.json values on container create.
     "vscode": {
@@ -27,7 +25,9 @@
         "hashicorp.terraform",
         "mhutchie.git-graph",
         "ms-python.python",
-        "ms-python.vscode-pylance"
+        "ms-python.black-formatter",
+        "ms-python.flake8",
+        "tamasfe.even-better-toml"
       ]
     }
   }

diff --git a/.devcontainer/postAttach.sh b/.devcontainer/postAttach.sh
diff --git a/.github/workflows/.python-version b/.github/workflows/.python-version
@@ -1 +1 @@
-3.10
+3.11
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -20,21 +20,21 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Docker Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Build, tag, and push image to GitHub Container Registry
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           builder: ${{ steps.buildx.outputs.name }}
           build-args: GIT-SHA=${{ github.sha }}

diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Deploy docs
         uses: mhausenblas/mkdocs-deploy-gh-pages@master

diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -8,7 +8,7 @@ jobs:
   tests:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: actions/setup-python@v4
         with:

diff --git a/.markdownlint.yaml b/.markdownlint.yaml
@@ -13,3 +13,6 @@ MD024: false
 
 # Allow inline HTML
 MD033: false
+
+# Allow fenced code blocks
+MD046: false
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -15,7 +15,7 @@ default_stages:
 
 repos:
   - repo: https://github.com/compilerla/conventional-pre-commit
-    rev: v2.1.1
+    rev: v2.4.0
     hooks:
       - id: conventional-pre-commit
         stages: [commit-msg]
@@ -33,27 +33,27 @@ repos:
       - id: check-added-large-files
 
   - repo: https://github.com/psf/black
-    rev: 23.1.0
+    rev: 23.9.1
     hooks:
       - id: black
         types:
           - python
 
   - repo: https://github.com/PyCQA/flake8
-    rev: 6.0.0
+    rev: 6.1.0
     hooks:
       - id: flake8
         types:
           - python
 
   - repo: https://github.com/pycqa/bandit
-    rev: 1.7.4
+    rev: 1.7.5
     hooks:
       - id: bandit
         args: ["-ll"]
         files: .py$
 
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.33.0
+    rev: v0.37.0
     hooks:
       - id: markdownlint
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -7,9 +7,9 @@
   "files.trimFinalNewlines": true,
   "files.trimTrailingWhitespace": true,
   "[python]": {
-    "editor.defaultFormatter": "ms-python.python"
+    "editor.defaultFormatter": "ms-python.black-formatter"
   },
-  "python.formatting.provider": "black",
+  "python.formatting.provider": "none",
   "python.languageServer": "Pylance",
   "python.linting.enabled": true,
   "python.linting.flake8Enabled": true,

diff --git a/docs/configuration/README.md b/docs/configuration/README.md
@@ -9,7 +9,35 @@ If you want to run with different settings, you should:
 1. Set the `ELIGIBILITY_SERVER_SETTINGS` environment variable to the path of your new file
 
 !!! note
-The Eligibility server loads in settings using Flask's methods for [Configuration Handling](https://flask.palletsprojects.com/en/2.2.x/config/).
 
-!!! important
-The default settings that will always be loaded are in [eligibility_server/settings.py](https://github.com/cal-itp/eligibility-server/blob/dev/eligibility_server/settings.py)
+    The Eligibility server loads in settings using Flask's methods for [Configuration Handling](https://flask.palletsprojects.com/en/2.3.x/config/).
+
+!!! note
+
+    The default settings that will always be loaded are in [eligibility_server/settings.py](https://github.com/cal-itp/eligibility-server/blob/dev/eligibility_server/settings.py)
+
+## Creating a new keypair
+
+!!! warning
+
+    The sample keys cannot be used for production. You must create and use a new keypair.
+
+To create a new keypair, start by creating the private key e.g. using [OpenSSL](https://www.openssl.org/docs/man3.1/man1/openssl-genrsa.html):
+
+```console
+openssl genrsa -out private.pem -traditional 4096
+```
+
+Next, extract the public key e.g. using [OpenSSL](https://www.openssl.org/docs/man3.1/man1/openssl-rsa.html):
+
+```console
+openssl rsa -in private.pem -pubout -out public.pem
+```
+
+Now there are two files:
+
+- The private key, kept secret for this server instance only: `private.pem`
+- The public key, shared with all clients of this server: `public.pem`
+
+The server instance also needs a public key reference from its client, so the above process should be repeated on the client-
+side and the client's _public key_ should be shared with the server.
diff --git a/docs/requirements.txt b/docs/requirements.txt
@@ -1,4 +1,3 @@
-fontawesome_markdown
 mkdocs
 mkdocs-awesome-pages-plugin
 mkdocs-macros-plugin

diff --git a/eligibility_server/__init__.py b/eligibility_server/__init__.py
@@ -1,3 +1,7 @@
-__version__ = "2023.08.2"
+from importlib.metadata import version, PackageNotFoundError
 
-VERSION = __version__
+try:
+    __version__ = version("eligibility-server")
+except PackageNotFoundError:
+    # package is not installed
+    pass
diff --git a/eligibility_server/db/setup.py b/eligibility_server/db/setup.py
@@ -64,7 +64,7 @@ def import_json_users(json_path, remote):
     data = {}
     if remote:
         # download the file to a dict
-        data = requests.get(json_path).json()
+        data = requests.get(json_path, timeout=config.request_timeout).json()
     else:
         # open the file and load to a dict
         with open(json_path) as file:
@@ -82,7 +82,7 @@ def import_csv_users(csv_path, remote):
     temp_csv = None
     if remote:
         # download the content as text and write to a temp file
-        content = requests.get(csv_path).text
+        content = requests.get(csv_path, timeout=config.request_timeout).text
         # note we leave the temp file open so it exists later for reading
         temp_csv = NamedTemporaryFile(mode="w", encoding="utf-8")
         temp_csv.write(content)
@@ -98,7 +98,7 @@ def import_csv_users(csv_path, remote):
             file,
             delimiter=config.csv_delimiter,
             quoting=config.csv_quoting,
-            quotechar=config.csv_quotechar,
+            quotechar=config.csv_quotechar if config.csv_quotechar else None,
         )
 
         for row in data:

diff --git a/eligibility_server/keypair.py b/eligibility_server/keypair.py
@@ -17,7 +17,7 @@ def _read_key_file(key_path):
         return _CACHE[key_path]
 
     if key_path.startswith("http"):
-        data = requests.get(key_path).text
+        data = requests.get(key_path, timeout=config.request_timeout).text
         key = data.encode("utf8")
     else:
         with open(key_path, "rb") as pemfile:

diff --git a/eligibility_server/settings.py b/eligibility_server/settings.py
@@ -9,6 +9,7 @@
 DEBUG_MODE = True
 HOST = "0.0.0.0"  # nosec
 LOG_LEVEL = "INFO"
+REQUEST_TIMEOUT = (3, 20)
 
 # Database settings
 
@@ -62,6 +63,10 @@ def host(self):
     def log_level(self):
         return str(current_app.config["LOG_LEVEL"])
 
+    @property
+    def request_timeout(self):
+        return current_app.config["REQUEST_TIMEOUT"]
+
     # API settings
 
     @property

diff --git a/keys/README.md b/keys/README.md
@@ -1,3 +1,5 @@
 # keys
 
-*These keys are just samples*. They cannot be used for production systems.
+_These keys are just samples_. They cannot be used for production systems.
+
+See more at <https://docs.calitp.org/eligibility-server/configuration>
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -57,4 +57,3 @@ markdown_extensions:
       # insert a blank space before the character
       permalink: " ¶"
   - smarty
-  - fontawesome_markdown
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,23 +1,18 @@
-[build-system]
-requires = ["setuptools>=64", "wheel"]
-build-backend = "setuptools.build_meta"
-
 [project]
-classifiers = ["Programming Language :: Python :: 3 :: Only"]
+name = "eligibility-server"
+version = "2023.09.1"
 description = "Server implementation of the Eligibility Verification API"
+readme = "README.md"
+license = { file = "LICENSE" }
+classifiers = ["Programming Language :: Python :: 3 :: Only"]
+requires-python = ">=3.9"
 dependencies = [
-    "eligibility-api==2023.6.1",
-    "Flask==2.3.2",
+    "eligibility-api==2023.9.1",
+    "Flask==2.3.3",
     "Flask-RESTful==0.3.10",
-    "Flask-SQLAlchemy==3.0.5",
+    "Flask-SQLAlchemy==3.1.1",
     "requests==2.31.0"
 ]
-dynamic = ["version"]
-keywords = ["flask"]
-license = { file = "LICENSE" }
-name = "eligibility-server"
-readme = "README.md"
-requires-python = ">=3.9"
 
 [project.optional-dependencies]
 dev = [
@@ -36,11 +31,17 @@ Code = "https://github.com/cal-itp/eligibility-server"
 Documentation = "https://docs.calitp.org/eligibility-server"
 Issues = "https://github.com/cal-itp/eligibility-server/issues"
 
-# Configuration for black
+[build-system]
+requires = ["setuptools>=65", "wheel"]
+build-backend = "setuptools.build_meta"
+
 [tool.black]
 line-length = 127
-target-version = ['py310']
+target-version = ['py311']
 include = '\.pyi?$'
 
+[tool.pyright]
+include = ["eligibility_server", "tests"]
+
 [tool.setuptools]
 packages = ["eligibility_server"]
diff --git a/terraform/app_service.tf b/terraform/app_service.tf
@@ -19,6 +19,7 @@ resource "azurerm_linux_web_app" "main" {
   https_only          = true
 
   site_config {
+    always_on     = false
     ftps_state    = "Disabled"
     http2_enabled = true