Release 2.17.4 (#3878)

SEED-platform · Feb 21, 2023 · 666c8f3 · 666c8f3
1 parent bc442fb
commit 666c8f3
Show file tree

Hide file tree

Showing 14 changed files with 121 additions and 104 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,14 @@
+# SEED Version 2.17.4
+<!-- Release notes generated using configuration in .github/release.yml at develop -->
+
+## What's Changed
+### Improvements 📈
+* Open New Tab on Insight Property Click by @haneslinger in https://github.com/SEED-platform/seed/pull/3853
+### Maintenance 🧹
+* Improve NGINX security by @nllong and @axelstudios in https://github.com/SEED-platform/seed/pull/3873
+
+**Full Changelog**: https://github.com/SEED-platform/seed/compare/v2.17.3...v2.17.4
+
 # SEED Version 2.17.3
 <!-- Release notes generated using configuration in .github/release.yml at prep-release-2.17.3 -->
 

diff --git a/docker/nginx-seed.conf b/docker/nginx-seed.conf
@@ -102,73 +102,6 @@ http {
     # Includes virtual hosts configs.
     # include /etc/nginx/http.d/*.conf;
 
-    add_header Referrer-Policy 'same-origin';
-
-    # https://gist.github.com/plentz/6737338
-    # config to disallow the browser to render the page inside a frame or iframe
-    # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
-    # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
-    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
-    add_header X-Frame-Options SAMEORIGIN;
-
-    # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
-    # to disable content-type sniffing on some browsers.
-    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-    # currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
-    # https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
-    # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
-    add_header X-Content-Type-Options nosniff;
-
-    # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
-    # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
-    # this particular website if it was disabled by the user.
-    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-    add_header X-XSS-Protection "1; mode=block";
-
-    # HSTS
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-
-    # Content Security Policy (CSP)
-    # https://www.html5rocks.com/en/tutorials/security/content-security-policy/
-    # https://www.owasp.org/index.php/Content_Security_Policy
-    # https://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
-    set $DEFAULT "default-src 'self'";
-
-    set $SCRIPT "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
-    set $SCRIPT "${SCRIPT} https://better-lbnl-development.herokuapp.com";
-    set $SCRIPT "${SCRIPT} https://better.lbl.gov";
-    set $SCRIPT "${SCRIPT} https://cdn.jsdelivr.net";
-    set $SCRIPT "${SCRIPT} https://cdn.plot.ly";
-    set $SCRIPT "${SCRIPT} https://cdnjs.cloudflare.com";
-    set $SCRIPT "${SCRIPT} https://code.jquery.com";
-    set $SCRIPT "${SCRIPT} https://stackpath.bootstrapcdn.com";
-    set $SCRIPT "${SCRIPT} https://www.google.com/recaptcha/";
-    set $SCRIPT "${SCRIPT} https://www.gstatic.com/recaptcha/";
-
-    set $STYLE "style-src 'self' 'unsafe-inline'";
-    set $STYLE "${STYLE} https://cdn.jsdelivr.net";
-    set $STYLE "${STYLE} https://cdnjs.cloudflare.com";
-    set $STYLE "${STYLE} https://maxcdn.bootstrapcdn.com";
-    set $STYLE "${STYLE} https://stackpath.bootstrapcdn.com";
-
-    set $FONT "font-src 'self' 'unsafe-inline'";
-    set $FONT "${FONT} https://cdnjs.cloudflare.com";
-    set $FONT "${FONT} https://maxcdn.bootstrapcdn.com";
-
-    set $FRAME "frame-src 'self'";
-    set $FRAME "${FRAME} https://recaptcha.google.com/recaptcha/";
-    set $FRAME "${FRAME} https://www.google.com/recaptcha/";
-
-    set $IMG "img-src 'self' data:";
-    set $IMG "${IMG} https://*.a.ssl.fastly.net";
-    set $IMG "${IMG} https://better-lbnl-development.herokuapp.com";
-    set $IMG "${IMG} https://better.lbl.gov";
-    set $IMG "${IMG} https://validator.swagger.io";
-
-    set $OBJECT "object-src 'none'";
-
-    add_header Content-Security-Policy "${DEFAULT}; ${SCRIPT}; ${STYLE}; ${FONT}; ${FRAME}; ${IMG}; ${OBJECT}";
-
     # the upstream component nginx needs to connect to
     upstream seed_upstream {
         server unix:///tmp/uwsgi-seed.sock;
@@ -194,6 +127,73 @@ http {
         # max upload size
         client_max_body_size 75M;   # adjust to taste
 
+        add_header Referrer-Policy 'same-origin';
+
+        # https://gist.github.com/plentz/6737338
+        # config to disallow the browser to render the page inside a frame or iframe
+        # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
+        # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
+        # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
+        add_header X-Frame-Options SAMEORIGIN;
+
+        # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
+        # to disable content-type sniffing on some browsers.
+        # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+        # currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
+        # https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
+        # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
+        add_header X-Content-Type-Options nosniff;
+
+        # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
+        # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
+        # this particular website if it was disabled by the user.
+        # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+        add_header X-XSS-Protection "1; mode=block";
+
+        # HSTS
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+        # Content Security Policy (CSP)
+        # https://www.html5rocks.com/en/tutorials/security/content-security-policy/
+        # https://www.owasp.org/index.php/Content_Security_Policy
+        # https://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
+        set $DEFAULT "default-src 'self'";
+
+        set $SCRIPT "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
+        set $SCRIPT "${SCRIPT} https://better-lbnl-development.herokuapp.com";
+        set $SCRIPT "${SCRIPT} https://better.lbl.gov";
+        set $SCRIPT "${SCRIPT} https://cdn.jsdelivr.net";
+        set $SCRIPT "${SCRIPT} https://cdn.plot.ly";
+        set $SCRIPT "${SCRIPT} https://cdnjs.cloudflare.com";
+        set $SCRIPT "${SCRIPT} https://code.jquery.com";
+        set $SCRIPT "${SCRIPT} https://stackpath.bootstrapcdn.com";
+        set $SCRIPT "${SCRIPT} https://www.google.com/recaptcha/";
+        set $SCRIPT "${SCRIPT} https://www.gstatic.com/recaptcha/";
+
+        set $STYLE "style-src 'self' 'unsafe-inline'";
+        set $STYLE "${STYLE} https://cdn.jsdelivr.net";
+        set $STYLE "${STYLE} https://cdnjs.cloudflare.com";
+        set $STYLE "${STYLE} https://maxcdn.bootstrapcdn.com";
+        set $STYLE "${STYLE} https://stackpath.bootstrapcdn.com";
+
+        set $FONT "font-src 'self' 'unsafe-inline'";
+        set $FONT "${FONT} https://cdnjs.cloudflare.com";
+        set $FONT "${FONT} https://maxcdn.bootstrapcdn.com";
+
+        set $FRAME "frame-src 'self'";
+        set $FRAME "${FRAME} https://recaptcha.google.com/recaptcha/";
+        set $FRAME "${FRAME} https://www.google.com/recaptcha/";
+
+        set $IMG "img-src 'self' data:";
+        set $IMG "${IMG} https://*.a.ssl.fastly.net";
+        set $IMG "${IMG} https://better-lbnl-development.herokuapp.com";
+        set $IMG "${IMG} https://better.lbl.gov";
+        set $IMG "${IMG} https://validator.swagger.io";
+
+        set $OBJECT "object-src 'none'";
+
+        add_header Content-Security-Policy "${DEFAULT}; ${SCRIPT}; ${STYLE}; ${FONT}; ${FRAME}; ${IMG}; ${OBJECT}";
+
         # configure maintenance page redirect
         if (-f /seed/collected_static/maintenance.html) {
             return 503;

diff --git a/docs/source/developer_resources.rst b/docs/source/developer_resources.rst
@@ -1,6 +1,12 @@
 Developer Resources
 ===================
 
+.. toctree::
+
+    migrations
+    translation
+
+
 General Notes
 -------------
 
@@ -34,7 +40,7 @@ to emulate the same checks as the CI machine.
 
 To run flake locally call:
 
-.. code-block:: console
+.. code-block:: bash
 
     tox -e flake8
 
@@ -71,7 +77,7 @@ your own IDE, we recommend the following extensions:
 
 To run the same typechecking applied in CI (i.e., using mypy) you can run the following
 
-.. code-block:: console
+.. code-block:: bash
 
     tox -e mypy
 
@@ -171,7 +177,7 @@ NginX Notes
 
 Toggle *maintenance mode* to display a maintenance page and prevent access to all site resources including API endpoints:
 
-.. code-block:: Bash
+.. code-block:: bash
 
     docker exec seed_web ./docker/maintenance.sh on
     docker exec seed_web ./docker/maintenance.sh off
@@ -251,7 +257,7 @@ Below is a standard set of error messages from Django.
 A logger is configured to have a log level. This log level describes the severity of
 the messages that the logger will handle. Python defines the following log levels:
 
-.. code-block:: console
+.. code-block:: bash
 
     DEBUG: Low level system information for debugging purposes
     INFO: General system information
@@ -294,7 +300,7 @@ that you require.
 Below are the commands for resetting the database and creating a new
 user:
 
-.. code-block:: console
+.. code-block:: bash
 
     createuser -U seed seeduser
 
@@ -316,7 +322,7 @@ user:
 Restoring a Database Dump
 -------------------------
 
-.. code-block:: console
+.. code-block:: bash
 
     psql -c 'DROP DATABASE "seed";'
     psql -c 'CREATE DATABASE "seed" WITH OWNER = "seeduser";'
@@ -365,7 +371,7 @@ JS tests can be run with Jasmine at the url `/angular_js_tests/`.
 
 Python unit tests are run with
 
-.. code-block:: console
+.. code-block:: bash
 
     python manage.py test --settings=config.settings.test
 
@@ -378,22 +384,22 @@ Note on geocode-related testing:
 
 Run coverage using
 
-.. code-block:: console
+.. code-block:: bash
 
     coverage run manage.py test --settings=config.settings.test
     coverage report --fail-under=83
 
 Python compliance uses PEP8 with flake8
 
-.. code-block:: console
+.. code-block:: bash
 
     flake8
     # or
     tox -e flake8
 
 JS Compliance uses jshint
 
-.. code-block:: console
+.. code-block:: bash
 
     jshint seed/static/seed/js
 
@@ -402,7 +408,7 @@ Building Documentation
 
 Older versions of the source code documentation are (still) on readthedocs; however, newer versions are built and pushed to the seed-website repository manually. To build the documentation follow the script below:
 
-.. code-block:: console
+.. code-block:: bash
 
         cd docs
         rm -rf htmlout

diff --git a/docs/source/index.rst b/docs/source/index.rst
@@ -36,22 +36,13 @@ with funding from the U.S. Department of Energy.
    data_model
    data_quality
    mapping
+   matching
    modules
    developer_resources
    license
    help
    faq
 
-Updating this documentation
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-This python code documentation was generated by running the following::
-
-    $ pip install -r requirements/local.txt
-    $ sphinx-apidoc -o docs/source/modules . seed/lib/mcm seed/lib/superperms
-    $ cd docs
-    $ make html
-
 Indices and tables
 ==================
 

diff --git a/docs/source/matching.rst b/docs/source/matching.rst
@@ -116,12 +116,8 @@ carried over to the final record once merges are complete.
 In the case of importing, considerations must be taken for the fact that, in most cases, multiple records
 are being imported together. Also, since this is the entry point for records, it's possible that a user might
 accidentally try to import the same record snapshot twice - where all the record values are the same as another
-existing record (as opposed to just having the same values for matching criteria fields). So on import, the
-process is as follows:
+existing record (as opposed to just having the same values for matching criteria fields). So on import, the process is as follows:
 
 1. Amongst only the incoming records, duplicates (of other incoming or existing) are flagged and ignored.
 2. Amongst only the incoming records, matching records are merged together.
-3. Amongst all records in the same Cycle, incoming records that match an existing record gets merged with priority to that existing record.
-    If the incoming record has multiple existing matches, the existing matches are merged together in
-    latest updated order first while also combining any other associations (labels, notes, etc.) just as in the manual merge or edit cases.
-    Since the incoming record is new, it doesn't have any of the other associations.
+3. Amongst all records in the same Cycle, incoming records that match an existing record gets merged with priority to that existing record. If the incoming record has multiple existing matches, the existing matches are merged together in latest updated order first while also combining any other associations (labels, notes, etc.) just as in the manual merge or edit cases. Since the incoming record is new, it doesn't have any of the other associations.
diff --git a/docs/source/migrations.rst b/docs/source/migrations.rst
@@ -47,6 +47,10 @@ local_untracked.py file
         ),
     )
 
+Version 2.17.4
+--------------
+- There are no special migrations needed for this version. Simply run `./manage.py migrate`.
+
 Version 2.17.3
 --------------
 - There are no special migrations needed for this version. Simply run `./manage.py migrate`.

diff --git a/docs/source/modules.rst b/docs/source/modules.rst
@@ -6,11 +6,14 @@ Modules
     :maxdepth: 3
 
     modules/config
+    modules/seed.cleansing
     modules/seed.data
     modules/seed.data_importer
     modules/seed.features
     modules/seed.landing
     modules/seed.lib
+    modules/seed.lib.mappings
+    modules/seed.lib.merging
     modules/seed.mappings
     modules/seed.managers
     modules/seed.models

diff --git a/docs/source/modules/seed.tests.rst b/docs/source/modules/seed.tests.rst
@@ -8,6 +8,7 @@ Submodules
     :maxdepth: 2
 
     seed.test_helpers
+    seed.tests.functional
 
 Admin Views
 -----------
@@ -65,6 +66,11 @@ Tests
     :undoc-members:
     :show-inheritance:
 
+.. automodule:: seed.tests.functional
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
 Utils
 -----
 

diff --git a/docs/source/setup_osx.rst b/docs/source/setup_osx.rst
@@ -71,7 +71,7 @@ should have the following dependencies already installed:
 
 
 PostgreSQL 11.1
---------------
+---------------
 
 MacPorts::
 

diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "seed",
-  "version": "2.17.3",
+  "version": "2.17.4",
   "description": "Standard Energy Efficiency Data (SEED) Platform™",
   "license": "SEE LICENSE IN LICENSE",
   "directories": {