ALLOWEDFLARE_EMAIL_DOMAIN (#5)

Account for the possibility of different top level domains between
private stuff and public-facing stuff like email addresses.

Put a 3-second timeout on the certificates request, just in case.

Bump the Ruff version to pick up
astral-sh/ruff#9734 and update some other
tooling. Also prepare for running more linters with Ruff and replacing
`black` with [The Ruff
Formatter](https://docs.astral.sh/ruff/formatter/).

Author: covracer

.pre-commit-config.yaml

@@ -4,18 +4,18 @@ default_language_version:
 repos:
     # Autoformatters
     - repo: https://github.com/astral-sh/ruff-pre-commit
-      rev: v0.0.270
+      rev: v0.3.0
       hooks:
           - id: ruff
             args:
                 - --fix
     - repo: https://github.com/pre-commit/pre-commit-hooks
-      rev: v4.4.0
+      rev: v4.5.0
       hooks:
           - id: double-quote-string-fixer
           - id: end-of-file-fixer
     - repo: https://github.com/psf/black
-      rev: 23.10.1
+      rev: 23.12.1
       hooks:
           - id: black
     - repo: https://github.com/jazzband/pip-tools
@@ -46,7 +46,7 @@ repos:
           - id: validate-pyproject
 
     - repo: https://github.com/adrienverge/yamllint.git
-      rev: v1.32.0
+      rev: v1.33.0
       hooks:
           - id: yamllint
 

demodj/settings.py

@@ -1,5 +1,4 @@
-"""
-Django settings for the Demo DJ project.
+"""Django settings for the Demo DJ project.
 
 Generated by 'django-admin startproject' using Django 4.2.1.
 
@@ -11,8 +10,8 @@
 """
 
 from ast import literal_eval
-from pathlib import Path
 from os import getenv
+from pathlib import Path
 
 BASE_DIR = Path(__file__).resolve().parent.parent
 
@@ -41,6 +40,7 @@
     'django.contrib.sessions',
     'django.contrib.messages',
     'django.contrib.staticfiles',
+    'django_extensions',
 ]
 
 MIDDLEWARE = [

django_allowedflare/__init__.py

@@ -1,33 +1,36 @@
 import logging
-from datetime import datetime, timedelta, timezone as datetime_timezone
+from datetime import datetime, timedelta
+from datetime import timezone as datetime_timezone
 from typing import Any
 
+import requests
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
+from django.conf import settings
 from django.contrib.auth.backends import ModelBackend
 from django.contrib.auth.models import User
 from django.http import HttpRequest
 from django.utils import timezone as django_utils_timezone
-from django.conf import settings
+from jwt import InvalidSignatureError, decode
 from jwt.algorithms import RSAAlgorithm
-from jwt import decode, InvalidSignatureError
-import requests
-
 
 cache_updated = datetime.fromtimestamp(0, tz=datetime_timezone.utc)
 cached_keys: list[RSAPublicKey] = []
 logger = logging.getLogger(__name__)
 
 
 def clean_username(username: str) -> str:
-    return username.removesuffix(f'@{settings.ALLOWEDFLARE_PRIVATE_DOMAIN}')
+    suffix = getattr(settings, 'ALLOWEDFLARE_EMAIL_DOMAIN', settings.ALLOWEDFLARE_PRIVATE_DOMAIN)
+    return username.removesuffix(f'@{suffix}')
 
 
 def fetch_or_reuse_keys() -> list[RSAPublicKey]:
-    global cache_updated, cached_keys
+    global cache_updated, cached_keys  # noqa: PLW0603
     now = django_utils_timezone.now()
     # As of June 2023, signing keys are documented as rotated every 6 weeks
     if cache_updated + timedelta(days=1) < now:
-        response = requests.get(f'{settings.ALLOWEDFLARE_ACCESS_URL}/cdn-cgi/access/certs').json()
+        response = requests.get(
+            f'{settings.ALLOWEDFLARE_ACCESS_URL}/cdn-cgi/access/certs', timeout=3
+        ).json()
         if response.get('keys'):
             decoded_keys = [RSAAlgorithm.from_jwk(key) for key in response['keys']]
             cached_keys = [key for key in decoded_keys if isinstance(key, RSAPublicKey)]
@@ -50,7 +53,7 @@ def decode_token(cf_authorization: str) -> dict:
 
 
 def defaults_for_user(token: dict) -> dict:
-    return getattr(settings, 'ALLOWEDFLARE_DEFAULTS_FOR_USER', lambda token: {'is_staff': True})(
+    return getattr(settings, 'ALLOWEDFLARE_DEFAULTS_FOR_USER', lambda _token: {'is_staff': True})(
         token
     )
 

includes.sh

@@ -1,13 +1,17 @@
 # shellcheck shell=bash
 
-case $(uname -s) in
+OS=$(uname -s)
+
+case $OS in
     Darwin)
         export BASH_SILENCE_DEPRECATION_WARNING=1
 
-    if ! [[ -x $(command -v brew) ]]; then
-        [[ -d /opt/homebrew/bin ]] && export PATH="/opt/homebrew/bin:$PATH"
-        [[ -x $(command -v brew) ]] || echo ERROR: homebrew missing
-    fi
+        if ! [[ -x $(command -v brew) ]]; then
+            [[ -d /opt/homebrew/bin ]] && export PATH="/opt/homebrew/bin:$PATH"
+            [[ -x $(command -v brew) ]] || echo ERROR: homebrew missing
+        fi
+
+        ;;
 esac
 
 if ! [[ -x $(command -v nvm) ]]; then
@@ -17,21 +21,21 @@ if ! [[ -x $(command -v nvm) ]]; then
 fi
 
 # F: no-op for single page, R: color, X: keep text when exiting, i: case insensitive searching
-LESS="-FRXi"
+LESS='-FRXi'
 export LESS
 
 # Aliases only work in interactive shells
 alias jq='jq --color-output'
 alias ls='ls --color=auto'
 
 pathver() {
-    : Print path and version
+    : 'Print path and version'
     (type "$1" && "$1" --version) |
-        sed -Ee N -e 's,^[^/(]*,,' -e 's,\((.+)\),\1,' -e 's/\n/ /'
+        sed -Ee N -e 's,^[^/(]*,,' -e 's,\((.+)\),\1,' -e "s/\n($1 )?/ /i"
 }
 
 a() {
-    : Activate virtual environment after changing directory
+    : 'Activate virtual environment after changing directory'
 
     if [[ $1 ]]; then
         directory=~/code/$1
@@ -46,9 +50,9 @@ a() {
 
     cd "$directory" || return 1
 
-    # TODO pyenv-virtualenv wants `. deactivate`
-    # TODO conda wants `conda deactivate`
+    [[ $(command -v conda) ]] && conda deactivate
     [[ $(command -v deactivate) ]] && deactivate
+    # TODO pyenv-virtualenv wants `. deactivate`
 
     if [[ -f .venv/bin/activate ]]; then
         # shellcheck disable=SC1091
@@ -57,47 +61,80 @@ a() {
     elif [[ -d conda ]]; then
         # shellcheck disable=SC1091
         source "$HOME/miniconda3/etc/profile.d/conda.sh"
-        conda activate "$(basename "$directory")"
+        conda activate "$(basename "$PWD")"
         pathver python
     fi
 
     if [[ -f .nvmrc ]]; then
-        nvm install && nvm use
+        nvm install &>/dev/null && nvm use &>/dev/null
         pathver node
     fi
+
+    export PS1='\w$ '
 }
 
 devready() {
-    : DEVelopment READYness check
+    : 'DEVelopment READYness check'
     [[ $(git config --global user.name) ]] || echo ERROR: git user.name missing
     [[ $(git config --global user.email) ]] || echo ERROR: git user.email missing
     [[ $(git config --global pull.rebase) == true ]] || echo WARNING: git pull.rebase != true
-    [[ $(git config --global rebase.autosquash) == true ]] || echo WARNING: git rebase.autosquash != true
-    [[ $(git config --global push.default) == current ]] || echo WARNING: git push.default != current
+    [[ $(git config --global rebase.autosquash) == true ]] ||
+        echo WARNING: git rebase.autosquash != true
+    [[ $(git config --global push.default) == current ]] ||
+        echo WARNING: git push.default != current
+    [[ -f ~/.config/git/ignore ]] || echo WARNING: global git ignore file absent
+    if [[ $OS == Darwin ]]; then
+        grep --fixed-strings --no-messages --quiet '.DS_Store' ~/.config/git/ignore ||
+            echo WARNING: .DS_Store files not globally git ignored
+        [[ $(defaults read NSGlobalDomain ApplePressAndHoldEnabled) == '0' ]] ||
+            echo WARNING: MacOS press and hold enabled
+        [[ $(defaults read NSGlobalDomain NSAutomaticPeriodSubstitutionEnabled) == '0' ]] ||
+            echo WARNING: MacOS period substitution enabled
+        [[ $(defaults read NSGlobalDomain NSAutomaticQuoteSubstitutionEnabled) == '0' ]] ||
+            echo WARNING: MacOS quote substitution enabled
+    fi
+}
+
+forceready() {
+    : 'FORCE system to be READY for development, clobbering current settings'
+    [[ -n $INSH_NAME ]] || git config --global user.name "$INSH_NAME"
+    [[ -n $INSH_EMAIL ]] || git config --global user.email "$INSH_EMAIL"
+    git config --global pull.rebase true
+    git config --global rebase.autosquash true
+    git config --global push.default current
+    [[ -d ~/.config/git ]] || mkdir -p ~/.config/git
+
+    if [[ $OS == Darwin ]]; then
+        [[ -f ~/.config/git/ignore ]] || curl -so ~/.config/git/ignore \
+            https://raw.githubusercontent.com/github/gitignore/master/Global/macOS.gitignore
+        defaults write NSGlobalDomain ApplePressAndHoldEnabled -bool false
+        defaults write NSGlobalDomain NSAutomaticPeriodSubstitutionEnabled -bool false
+        defaults write NSGlobalDomain NSAutomaticQuoteSubstitutionEnabled -bool false
+    fi
 }
 
 pc() {
-    : run Pre-Commit on modified files
+    : 'run Pre-Commit on modified files'
     pre-commit run "$@"
 }
 
 pca() {
-    : run Pre-Commit on All files
+    : 'run Pre-Commit on All files'
     pre-commit run --all-files "$@"
 }
 
 pcam() {
-    : run Pre-Commit on All files including Manual stage hooks
+    : 'run Pre-Commit on All files including Manual stage hooks'
     pre-commit run --all-files --hook-stage manual "$@"
 }
 
 pcm() {
-    : run Pre-Commit on modified files including Manual stage hooks
+    : 'run Pre-Commit on modified files including Manual stage hooks'
     pre-commit run --hook-stage manual "$@"
 }
 
 resourcerun() {
-    : RE-SOURCE this file and RUN the specified function with tracing enabled
+    : 'RE-SOURCE this file and RUN the specified function with tracing enabled'
     # shellcheck source=includes.sh
     source "${BASH_SOURCE[0]}"
     set -x

manage.py

@@ -5,14 +5,14 @@
 import default
 
 
-def main():
+def main() -> None:
     """Run administrative tasks."""
     try:
         from django.core.management import execute_from_command_line
-        from django.core.management.commands.runserver import Command as runserver
+        from django.core.management.commands.runserver import Command
 
-        runserver.default_addr = '0.0.0.0'
-        runserver.default_port = '8001'  # Should match docker-compose.yml
+        Command.default_addr = '0.0.0.0'  # noqa: S104
+        Command.default_port = '8001'  # Should match docker-compose.yml
     except ImportError as exc:
         raise ImportError(
             "Couldn't import Django. Are you sure it's installed and "

pyproject.toml

@@ -27,12 +27,24 @@ line-length = 100
 skip-magic-trailing-comma = true
 skip-string-normalization = true
 
+[tool.ruff.format]
+quote-style = 'single'
+skip-magic-trailing-comma = true
+
+[tool.ruff.lint.flake8-quotes]
+inline-quotes = 'single'
+
 [tool.django-stubs]
 django_settings_module = 'demodj.settings'
 
 [tool.ruff]
 line-length = 100
 
+[tool.ruff.lint]
+ignore = [
+    'EM101', # Allow exceptions to use string literals because keeping code as simple as possible is more important than keeping tracebacks as simple as possible.
+]
+
 [tool.mypy]
 plugins = ['mypy_django_plugin.main']