fixes bug 1469898 - don't check security.W001 (mozilla-services#917)

Peter Bengtsson · web-flow · commit 36df3eed2dcb · 2018-06-20T12:29:06.000-04:00
diff --git a/.env-dist b/.env-dist
@@ -2,7 +2,7 @@ PYTHONUNBUFFERED=1
 PYTHONDONTWRITEBYTECODE=1
 
 # You must set this
-DJANGO_SECRET_KEY=dontusethisinprod
+DJANGO_SECRET_KEY=DontusethisinproductionbutitneedsbelongforCI1234567890
 
 # Only override this if you need something different from the default
 DJANGO_ALLOWED_HOSTS=web,localhost
diff --git a/tecken/cache_extra.py b/tecken/cache_extra.py
@@ -7,6 +7,26 @@
 from django.core.cache.backends.locmem import LocMemCache
 
 
+class MockClient:
+    """This exists to satisfy the ability to use get_redis_connection()
+    in dockerflow checks even though the backend is actually a glorified
+    LocMemCache instance.
+    """
+
+    def __init__(self):
+        pass
+
+    def get_client(self, write=True):
+        self.write = write
+        return self
+
+    def ping(self):
+        return "pong"
+
+    def info(self):
+        raise NotImplementedError
+
+
 class RedisLocMemCache(LocMemCache):
     """Expanding Django's LocMemCache with the methods that are expected
     beyond the default cache but as if it was backed by Redis"""
@@ -17,3 +37,7 @@ def iter_keys(self, search_term):
             if regex.findall(key):
                 # the "raw key" will always be "<PREFIX>:<VERSION>:<KEY>"
                 yield key.split(':', 2)[2]
+
+    @property
+    def client(self):
+        return MockClient()
diff --git a/tecken/settings.py b/tecken/settings.py
@@ -155,6 +155,7 @@ class Core(AWS, Configuration, Celery, S3):
     # with confidence we do these good deeds in Nginx.
     # https://docs.djangoproject.com/en/1.11/ref/checks/#security
     SILENCED_SYSTEM_CHECKS = [
+        'security.W001',  # Dealt with using Nginx headers
         'security.W002',  # Dealt with using Nginx headers
         'security.W003',  # CSRF is explicit only on the views that need it
         # We can't set SECURE_HSTS_INCLUDE_SUBDOMAINS since this runs under a
@@ -685,6 +686,7 @@ class Test(Localdev):
     ENABLE_AUTH0_BLOCKED_CHECK = False
 
     SECRET_KEY = values.Value('not-so-secret-after-all')
+    SESSION_COOKIE_SECURE = True
 
     OIDC_RP_CLIENT_ID = values.Value('not-so-secret-after-all')
     OIDC_RP_CLIENT_SECRET = values.Value('not-so-secret-after-all')
diff --git a/tests/test_views.py b/tests/test_views.py
@@ -162,3 +162,16 @@ def test_auth_debug(client):
     text = response.content.decode('utf-8')
     assert 'Cache works!' in text
     assert 'Session cookies work!' in text
+
+
+@pytest.mark.django_db
+def test_heartbeat_no_warnings(client, botomock, settings):
+
+    def mock_api_call(self, operation_name, api_params):
+        assert operation_name == 'HeadBucket'
+        return {}
+
+    with botomock(mock_api_call):
+        response = client.get('/__heartbeat__')
+        assert response.status_code == 200
+        assert response.json()['status'] == 'ok'
