[Attempt 2] Remove pycon hostname middleware (#3780)

pythonitalia · Mar 24, 2024 · 168be4c · 168be4c
1 parent 35226cb
commit 168be4c
Show file tree

Hide file tree

Showing 19 changed files with 174 additions and 106 deletions.
diff --git a/.codecov.yml b/.codecov.yml
@@ -7,7 +7,9 @@ comment:
   require_changes: false
 coverage:
   precision: 2
-  range: "80%"
+  range:
+    - 70.0
+    - 100.0
   round: down
   status:
     changes: false

diff --git a/backend/pycon/middleware.py b/backend/pycon/middleware.py
diff --git a/backend/pycon/settings/prod.py b/backend/pycon/settings/prod.py
@@ -1,5 +1,5 @@
 from .base import *  # noqa
-from .base import DATABASES, MIDDLEWARE, env
+from .base import DATABASES, env
 
 SECRET_KEY = env("SECRET_KEY")
 
@@ -19,11 +19,8 @@
     "EMAIL_BACKEND", default="django.core.mail.backends.locmem.EmailBackend"
 )
 
-FORCE_PYCON_HOST = env("FORCE_PYCON_HOST", bool, default=True)
-
-if FORCE_PYCON_HOST:  # pragma: no cover
-    SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
-    MIDDLEWARE += ["pycon.middleware.force_pycon_host"]
+USE_X_FORWARDED_HOST = True
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
 
 DEFAULT_FROM_EMAIL = "noreply@pycon.it"
 

diff --git a/backend/pycon/tests/test_middleware.py b/backend/pycon/tests/test_middleware.py
diff --git a/backend/pycon/tests/test_settings.py b/backend/pycon/tests/test_settings.py
@@ -0,0 +1,8 @@
+def test_importing_settings(mocker):
+    # test that importing settings does not raise any exception
+    mocker.patch("pycon.settings.base.env")
+
+    from pycon.settings import prod  # noqa
+    from pycon.settings import dev  # noqa
+    from pycon.settings import test  # noqa
+    from pycon.settings import base  # noqa
diff --git a/infrastructure/applications/applications.tf b/infrastructure/applications/applications.tf
@@ -1,7 +1,7 @@
 locals {
-  is_prod         = terraform.workspace == "production"
-  deploy_pretix   = local.is_prod
-  enable_proxy    = local.is_prod ? false : false
+  is_prod       = terraform.workspace == "production"
+  deploy_pretix = local.is_prod
+  enable_proxy  = local.is_prod ? false : false
 }
 
 # Applications
@@ -13,8 +13,8 @@ module "pretix" {
 }
 
 module "pycon_backend" {
-  source          = "./pycon_backend"
-  enable_proxy    = local.enable_proxy
+  source       = "./pycon_backend"
+  enable_proxy = local.enable_proxy
 
   providers = {
     aws    = aws

diff --git a/infrastructure/applications/pycon_backend/main.tf b/infrastructure/applications/pycon_backend/main.tf
@@ -51,6 +51,11 @@ data "aws_acm_certificate" "cert" {
   provider = aws.us
 }
 
+data "aws_lambda_function" "forward_host_header" {
+  function_name = "forward_host_header"
+  provider      = aws.us
+}
+
 data "aws_elasticache_cluster" "redis" {
   cluster_id = "production-pretix"
 }
@@ -71,7 +76,7 @@ module "lambda" {
     SENTRY_DSN                                = module.secrets.value.sentry_dsn
     VOLUNTEERS_PUSH_NOTIFICATIONS_IOS_ARN     = module.secrets.value.volunteers_push_notifications_ios_arn
     VOLUNTEERS_PUSH_NOTIFICATIONS_ANDROID_ARN = module.secrets.value.volunteers_push_notifications_android_arn
-    ALLOWED_HOSTS                             = "*"
+    ALLOWED_HOSTS                             = "admin.pycon.it"
     DJANGO_SETTINGS_MODULE                    = "pycon.settings.prod"
     ASSOCIATION_FRONTEND_URL                  = "https://associazione.python.it"
     AWS_MEDIA_BUCKET                          = aws_s3_bucket.backend_media.id
@@ -84,7 +89,6 @@ module "lambda" {
     AWS_S3_CUSTOM_DOMAIN                      = local.cdn_url
     PRETIX_API_TOKEN                          = module.common_secrets.value.pretix_api_token
     PINPOINT_APPLICATION_ID                   = module.secrets.value.pinpoint_application_id
-    FORCE_PYCON_HOST                          = local.is_prod
     SQS_QUEUE_URL                             = aws_sqs_queue.queue.id
     MAILCHIMP_SECRET_KEY                      = module.common_secrets.value.mailchimp_secret_key
     MAILCHIMP_DC                              = module.common_secrets.value.mailchimp_dc
@@ -123,9 +127,10 @@ module "api" {
 module "admin_distribution" {
   source = "../../components/cloudfront"
 
-  application     = local.application
-  zone_name       = "pycon.it"
-  domain          = local.full_admin_domain
-  certificate_arn = data.aws_acm_certificate.cert.arn
-  origin_url      = module.api.cloudfront_friendly_endpoint
+  application                    = local.application
+  zone_name                      = "pycon.it"
+  domain                         = local.full_admin_domain
+  certificate_arn                = data.aws_acm_certificate.cert.arn
+  origin_url                     = module.api.cloudfront_friendly_endpoint
+  forward_host_header_lambda_arn = data.aws_lambda_function.forward_host_header.qualified_arn
 }
diff --git a/infrastructure/applications/pycon_backend/worker.tf b/infrastructure/applications/pycon_backend/worker.tf
@@ -30,7 +30,7 @@ locals {
     },
     {
       name  = "ALLOWED_HOSTS",
-      value = "*"
+      value = "admin.pycon.it"
     },
     {
       name  = "DJANGO_SETTINGS_MODULE",
@@ -49,7 +49,7 @@ locals {
       value = aws_s3_bucket.backend_media.region
     },
     {
-      name = "AWS_DEFAULT_REGION",
+      name  = "AWS_DEFAULT_REGION",
       value = "eu-central-1"
     },
     {
@@ -84,10 +84,6 @@ locals {
       name  = "PINPOINT_APPLICATION_ID",
       value = module.secrets.value.pinpoint_application_id
     },
-    {
-      name  = "FORCE_PYCON_HOST",
-      value = local.is_prod ? "true" : "false"
-    },
     {
       name  = "SQS_QUEUE_URL",
       value = aws_sqs_queue.queue.id
@@ -173,7 +169,7 @@ locals {
       value = data.external.githash.result.githash
     },
     {
-      name = "PLAIN_INTEGRATION_TOKEN"
+      name  = "PLAIN_INTEGRATION_TOKEN"
       value = module.secrets.value.plain_integration_token
     },
     {

diff --git a/infrastructure/azure-applications/components/container_app/variables.tf b/infrastructure/azure-applications/components/container_app/variables.tf
@@ -7,7 +7,7 @@ variable "service_name" {
 }
 
 variable "service_resource_name" {
-  type = string
+  type    = string
   default = null
 }
 

diff --git a/infrastructure/azure-applications/users_backend/app.tf b/infrastructure/azure-applications/users_backend/app.tf
@@ -16,17 +16,17 @@ data "azurerm_postgresql_flexible_server" "db" {
 }
 
 module "app" {
-  source              = "../components/container_app"
-  service_name        = "users-backend"
+  source                = "../components/container_app"
+  service_name          = "users-backend"
   service_resource_name = "users"
-  resource_group_name = var.resource_group_name
-  workspace           = var.workspace
-  githash             = var.githash
-  environment_name    = "pythonit-${var.workspace}-env"
-  healthcheck_path    = "/graphql"
-  port                = 8000
-  domain              = local.domain
-  command             = ["/home/app/.venv/bin/python", "-m", "gunicorn", "main:wrapped_app"]
+  resource_group_name   = var.resource_group_name
+  workspace             = var.workspace
+  githash               = var.githash
+  environment_name      = "pythonit-${var.workspace}-env"
+  healthcheck_path      = "/graphql"
+  port                  = 8000
+  domain                = local.domain
+  command               = ["/home/app/.venv/bin/python", "-m", "gunicorn", "main:wrapped_app"]
   env_vars = [
     { name = "DEBUG", value = "false", secret = false },
     { name = "SECRET_KEY", value = random_password.secret_key.result, secret = true },

diff --git a/infrastructure/components/application_lambda/main.tf b/infrastructure/components/application_lambda/main.tf
@@ -1,7 +1,7 @@
 locals {
   lambda_name = "${terraform.workspace}-${var.application}"
   base_env_vars = {
-    ENV = terraform.workspace,
+    ENV     = terraform.workspace,
     GITHASH = data.external.githash.result.githash,
   }
   env_vars = merge(var.env_vars, local.base_env_vars)

diff --git a/infrastructure/components/cloudfront/main.tf b/infrastructure/components/cloudfront/main.tf
@@ -1,3 +1,11 @@
+data "aws_cloudfront_cache_policy" "caching_disabled" {
+  name = "Managed-CachingDisabled"
+}
+
+data "aws_cloudfront_origin_request_policy" "all_viewer_except_host_header" {
+  name = "Managed-AllViewerExceptHostHeader"
+}
+
 resource "aws_cloudfront_distribution" "application" {
   enabled             = true
   is_ipv6_enabled     = true
@@ -29,28 +37,20 @@ resource "aws_cloudfront_distribution" "application" {
     cached_methods   = ["GET", "HEAD"]
     target_origin_id = "default"
 
-    forwarded_values {
-      query_string = true
-      headers = [
-        "Access-Control-Request-Headers",
-        "Access-Control-Request-Method",
-        "Origin",
-        "Authorization",
-        "Referer",
-        "Accept",
-        "Accept-Language"
-      ]
-
-      cookies {
-        forward = "all"
-      }
-    }
+    cache_policy_id          = data.aws_cloudfront_cache_policy.caching_disabled.id
+    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer_except_host_header.id
 
     viewer_protocol_policy = "redirect-to-https"
     compress               = true
     min_ttl                = 0
     default_ttl            = 604800
     max_ttl                = 31536000
+
+    lambda_function_association {
+      event_type   = "viewer-request"
+      lambda_arn   = var.forward_host_header_lambda_arn
+      include_body = false
+    }
   }
 
   restrictions {

diff --git a/infrastructure/components/cloudfront/variables.tf b/infrastructure/components/cloudfront/variables.tf
@@ -3,3 +3,4 @@ variable "origin_url" {}
 variable "domain" {}
 variable "certificate_arn" {}
 variable "zone_name" {}
+variable "forward_host_header_lambda_arn" {}
diff --git a/infrastructure/global/.terraform.lock.hcl b/infrastructure/global/.terraform.lock.hcl
diff --git a/infrastructure/global/archives/pycon-2022.tf b/infrastructure/global/archives/pycon-2022.tf
@@ -0,0 +1,8 @@
+resource "aws_s3_bucket" "archive_2022" {
+  bucket = "2022.pycon.it"
+  acl    = "private"
+
+  website {
+    index_document = "index.html"
+  }
+}