Merge branch 'master' into network-mode

Ouranosinc · Sep 17, 2024 · 3e903fd · 3e903fd
2 parents 64894e3 + 2e57bef
commit 3e903fd
Show file tree

Hide file tree

Showing 13 changed files with 71 additions and 43 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -9,6 +9,29 @@ Changes
 `Unreleased <https://github.com/Ouranosinc/Magpie/tree/master>`_ (latest)
 ------------------------------------------------------------------------------------
 
+* Nothing new for the moment.
+
+.. _changes_4.1.1:
+
+`4.1.1 <https://github.com/Ouranosinc/Magpie/tree/4.1.1>`_ (2024-07-23)
+------------------------------------------------------------------------------------
+
+Features / Changes
+~~~~~~~~~~~~~~~~~~~~~
+
+* Update docker with latest ``python:3.11-alpine3.20`` base.
+* Pin ``setuptools>=71.0.3`` for CVE-2024-6345.
+* Pin ``requests>=2.32.3`` for CVE-2024-35195.
+* Pin ``urllib3>=2.2.2`` for CVE-2024-37891.
+* Pin ``zipp>=3.19.1`` for CVE-2024-5569.
+* Pin ``pyramid-twitcher>=0.10.0`` and ``birdhouse/twitcher:v0.10.0`` for same security updates as above
+  (relates to `bird-house/twitcher#136 <https://github.com/bird-house/twitcher/pull/136>`_).
+
+.. _changes_4.1.0:
+
+`4.1.0 <https://github.com/Ouranosinc/Magpie/tree/4.1.0>`_ (2024-06-11)
+------------------------------------------------------------------------------------
+
 Features / Changes
 ~~~~~~~~~~~~~~~~~~
 
@@ -18,6 +41,10 @@ Features / Changes
 * Add CLI helper ``batch_update_permissions`` that allows registering one or more `Permission` configuration files
   against a running `Magpie` instance.
 * Security fix: bump Docker base ``python:3.11-alpine3.19``.
+* Update ``authomatic[OpenID]==1.3.0`` to resolve temporary workarounds
+  (relates to `authomatic/authomatic#195 <https://github.com/authomatic/authomatic/issues/195>`_
+  and `authomatic/authomatic#233 <https://github.com/authomatic/authomatic/issues/233>`_,
+  fixes `#583 <https://github.com/Ouranosinc/Magpie/issues/583>`_).
 
 Bug Fixes
 ~~~~~~~~~

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.11-alpine3.19
+FROM python:3.11-alpine3.20
 LABEL Description="Runs Magpie AuthN/AuthZ service for REST-API and UI interfaces."
 LABEL Maintainer="Francis Charette-Migneault <[email protected]>"
 LABEL Vendor="CRIM"

diff --git a/Dockerfile.adapter b/Dockerfile.adapter
@@ -3,7 +3,7 @@
 #   docker run will need to override ini file with mounted volume
 #   using config 'twitcher.adapter = magpie.adapter.MagpieAdapter'
 #
-FROM birdhouse/twitcher:v0.9.0
+FROM birdhouse/twitcher:v0.10.0
 LABEL Description="Configures MagpieAdapter on top of Twitcher application."
 LABEL Maintainer="Francis Charette-Migneault <[email protected]>"
 LABEL Vendor="CRIM"

diff --git a/Makefile b/Makefile
@@ -19,7 +19,7 @@ MAKEFILE_NAME := $(word $(words $(MAKEFILE_LIST)),$(MAKEFILE_LIST))
 # Application
 APP_ROOT    := $(abspath $(lastword $(MAKEFILE_NAME))/..)
 APP_NAME    := magpie
-APP_VERSION ?= 4.0.0
+APP_VERSION ?= 4.1.1
 APP_INI     ?= $(APP_ROOT)/config/$(APP_NAME).ini
 
 # guess OS (Linux, Darwin,...)

diff --git a/README.rst b/README.rst
@@ -19,29 +19,46 @@ Behind the scene, it uses `Ziggurat-Foundations`_ and `Authomatic`_.
     :widths: 10,90
 
     * - dependencies
-      - | |py_ver_support| |py_ver_recommend| |dependencies|
+      - | |py_ver_recommend| |py_ver_support| |py_ver_legacy| |dependencies|
     * - tests status
       - | |github_latest| |github_tagged| |coverage| |codacy|
     * - docker status
       - | |docker_build_mode| |docker_build_status| |docker_latest_tag| |docker_semver_tag|
     * - releases
       - | |version| |commits-since|
 
-.. |py_ver_support| image:: https://img.shields.io/badge/python%20%28legacy%20support%29-3.5%2B-orange.svg
+.. list-table::
+    :header-rows: 1
+    :widths: 15,85
+
+    * - Python Versions
+      - Description
+    * - *Legacy*
+      - Older versions could still work, but maintenance is dropped.
+    * - *Supported*
+      - Tested by the CI and maintained for backward compatibility.
+    * - *Recommended*
+      - Prefered minimal version to use for latest security updates and performance enhancements.
+
+.. |py_ver_legacy| image:: https://img.shields.io/badge/python%20%28legacy%29-3.5%20%2D%2D%203.7-orange.svg
     :alt: Python 3.5+ supported (legacy)
     :target: https://www.python.org/getit
 
-.. |py_ver_recommend| image:: https://img.shields.io/badge/python%20%28recommended%29-3.7%2B-blue.svg
-    :alt: Python 3.7+ recommended
+.. |py_ver_support| image:: https://img.shields.io/badge/python%20%28supported%29-3.8%2B-yellow.svg
+    :alt: Python 3.8+ supported
+    :target: https://www.python.org/getit
+
+.. |py_ver_recommend| image:: https://img.shields.io/badge/python%20%28recommended%29-3.11%2B-blue.svg
+    :alt: Python 3.11+ recommended
     :target: https://www.python.org/getit
 
-.. |commits-since| image:: https://img.shields.io/github/commits-since/Ouranosinc/Magpie/4.0.0.svg
+.. |commits-since| image:: https://img.shields.io/github/commits-since/Ouranosinc/Magpie/4.1.1.svg
     :alt: Commits since latest release
-    :target: https://github.com/Ouranosinc/Magpie/compare/4.0.0...master
+    :target: https://github.com/Ouranosinc/Magpie/compare/4.1.1...master
 
-.. |version| image:: https://img.shields.io/badge/tag-4.0.0-blue.svg?style=flat
+.. |version| image:: https://img.shields.io/badge/tag-4.1.1-blue.svg?style=flat
     :alt: Latest Tag
-    :target: https://github.com/Ouranosinc/Magpie/tree/4.0.0
+    :target: https://github.com/Ouranosinc/Magpie/tree/4.1.1
 
 .. |dependencies| image:: https://pyup.io/repos/github/Ouranosinc/Magpie/shield.svg
     :alt: Dependencies Status
@@ -51,9 +68,9 @@ Behind the scene, it uses `Ziggurat-Foundations`_ and `Authomatic`_.
     :alt: Github Actions CI Build Status (master branch)
     :target: https://github.com/Ouranosinc/Magpie/actions?query=workflow%3ATests+branch%3Amaster
 
-.. |github_tagged| image:: https://img.shields.io/github/actions/workflow/status/Ouranosinc/Magpie/tests.yml?label=4.0.0&branch=4.0.0
+.. |github_tagged| image:: https://img.shields.io/github/actions/workflow/status/Ouranosinc/Magpie/tests.yml?label=4.1.1&branch=4.1.1
     :alt: Github Actions CI Build Status (latest tag)
-    :target: https://github.com/Ouranosinc/Magpie/actions?query=workflow%3ATests+branch%3A4.0.0
+    :target: https://github.com/Ouranosinc/Magpie/actions?query=workflow%3ATests+branch%3A4.1.1
 
 .. |readthedocs| image:: https://img.shields.io/readthedocs/pavics-magpie
     :alt: Readthedocs Build Status (master branch)
@@ -81,7 +98,7 @@ Behind the scene, it uses `Ziggurat-Foundations`_ and `Authomatic`_.
 
 .. |docker_semver_tag| image:: https://img.shields.io/docker/v/pavics/magpie?label=version&sort=semver
     :alt: Docker Version Tag
-    :target: https://hub.docker.com/r/pavics/magpie/tags?page=1&ordering=last_updated&name=4.0.0
+    :target: https://hub.docker.com/r/pavics/magpie/tags?page=1&ordering=last_updated&name=4.1.1
 
 .. end-badges
 
@@ -125,8 +142,8 @@ Following most recent variants are available:
     * - Magpie
       - Twitcher |br|
         (with integrated ``MagpieAdapter``)
-    * - ``pavics/magpie:4.0.0``
-      - ``pavics/twitcher:magpie-4.0.0``
+    * - ``pavics/magpie:4.1.1``
+      - ``pavics/twitcher:magpie-4.1.1``
     * - ``pavics/magpie:latest``
       - ``pavics/twitcher:magpie-latest``
 

diff --git a/magpie/__init__.py b/magpie/__init__.py
@@ -7,16 +7,6 @@
 
 import sys
 
-# FIXME: patch workaround for Python 3.12 issue with vendor-specific 'six.moves'
-#   Inspired from https://github.com/dpkp/kafka-python/issues/2401#issuecomment-1760208950
-#   Applied here such that anything importing 'magpie' does it first, to avoid patch everywhere importing 'authomatic'.
-#   Official fix required (see https://github.com/authomatic/authomatic/issues/233).
-if sys.version_info >= (3, 12, 0):
-    import six
-    sys.modules["authomatic.six.moves"] = six.moves
-    sys.modules["authomatic.six.moves.urllib"] = six.moves.urllib
-    sys.modules["authomatic.six.moves.urllib.parse"] = six.moves.urllib.parse
-
 
 def includeme(config):
     # import needs to be here, otherwise ImportError happens during setup.py install (modules not yet installed)

diff --git a/magpie/__meta__.py b/magpie/__meta__.py
@@ -2,7 +2,7 @@
 General meta information on the magpie package.
 """
 
-__version__ = "4.0.0"
+__version__ = "4.1.1"
 __title__ = "Magpie"
 __package__ = "magpie"  # pylint: disable=W0622
 __author__ = "Francois-Xavier Derue, Francis Charette-Migneault"

diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -14,7 +14,7 @@ mock>4
 pylint>=2.11,!=2.12,!=2.15
 pylint-quotes
 # bird-house/twticher, must match version in Dockerfile.adapater
-pyramid-twitcher>=0.9.0
+pyramid-twitcher>=0.10.0
 pytest
 pytest-httpserver==1.0.10
 safety

diff --git a/requirements-doc.txt b/requirements-doc.txt
@@ -2,6 +2,7 @@
 # these are doc-only requirements
 # we actually need to install all requirements during docs build because of OpenAPI generation
 # (see 'docs/conf.py')
+-r requirements.txt
 astroid<2.12    # pin to resolve sphinx-autoapi (see https://github.com/readthedocs/sphinx-autoapi/issues/349)
 pycodestyle>=2.6.0,<3
 # sphinx-autoapi dropped 3.5 support at 1.3.0

diff --git a/requirements-sys.txt b/requirements-sys.txt
@@ -1,2 +1,3 @@
 pip
-setuptools>=65.5.1
+packaging>=22.0
+setuptools>=71.0.3
diff --git a/requirements.txt b/requirements.txt
@@ -1,16 +1,6 @@
 -r requirements-sys.txt
 alembic>=1.10
-# TODO: remove when merged
-#   until fix merged and deployed (https://github.com/authomatic/authomatic/pull/195)
-#   old variants:
-#       -e git+https://github.com/fmigneault/authomatic.git@httplib-port#egg=Authomatic
-#       https://github.com/fmigneault/authomatic/archive/httplib-port.zip#egg=Authomatic-1.0.1
-#   - new authomatic handles openid install correctly
-#   - https://github.com/authomatic/authomatic/tree/master includes #195 (http-po#rt)
-#     via https://github.com/authomatic/authomatic/pull/227
-#     However, this is not the latest tag https://github.com/authomatic/authomatic/tree/1.2.1 (done before #227).
-#   - Requires https://github.com/authomatic/authomatic/issues/233 for Python 3.12 (temporary patch in magpie.__init__)
-authomatic[OpenID] @ https://github.com/fmigneault/authomatic/archive/httplib-port.zip
+authomatic[OpenID]==1.3.0
 bcrypt>=3.1.6
 # FIXME: integrate when implemnted by official package (see https://github.com/bbangert/beaker/issues/201)
 beaker @ https://github.com/crim-ca/beaker/archive/0ac88bcd8cca063a571fc385ffbe9bcc8acaa690.zip
@@ -40,7 +30,7 @@ pyramid_retry==2.1.1
 pyramid_tm>=2.2.1
 python-dotenv
 pyyaml>=5.1
-requests
+requests>=2.32.3
 requests_file
 simplejson
 six>=1.12.0
@@ -51,8 +41,10 @@ sqlalchemy-utils==0.39.0  # pyup: ignore
 threddsclient>=0.4.2
 transaction
 typing_extensions
+urllib3>=2.2.2
 wheel>=0.38
 webob
 ziggurat_foundations==0.9.1
 zope.interface>=4.7.2,<5
 zope.sqlalchemy==1.6
+zipp>=3.19.1
diff --git a/setup.cfg b/setup.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 4.0.0
+current_version = 4.1.1
 commit = True
 tag = True
 tag_name = {new_version}

diff --git a/setup.py b/setup.py
@@ -217,7 +217,7 @@ def _extra_requirements(base_requirements, other_requirements):
         "Programming Language :: Python :: 3.11",
         "Programming Language :: Python :: 3.12",
     ],
-    python_requires=">=3.5, <4",
+    python_requires=">=3.8, <4",
 
     # -- Package structure -------------------------------------------------
     packages=[__meta__.__package__],