Merge pull request #241 from apel/release-3.3.0

Release 3.3.0 to master
apel · Jun 29, 2023 · 6fc105c · 6fc105c
2 parents 8227034 + 7e8afc3
commit 6fc105c
Show file tree

Hide file tree

Showing 28 changed files with 438 additions and 196 deletions.
diff --git a/CODEOWNERS → .github/CODEOWNERS b/CODEOWNERS → .github/CODEOWNERS
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,9 @@
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+      # For GitHub Actions, "/" checks for workflow files in .github/workflows.
+    directory: "/"
+    schedule:
+      # By default, this is on Monday.
+      interval: "weekly"
diff --git a/.github/workflows/build-pkgs.yml b/.github/workflows/build-pkgs.yml
@@ -0,0 +1,59 @@
+name: Build Packages
+on:
+  push:
+    tags: '[0-9]+.[0-9]+.[0-9]+-*'
+  schedule:
+    # If this workflow changes in the future to uploading RPMs directly to a
+    # release on tag push, then a conditional check should be added for the
+    # cron to continue uploading as an artifact on the workflow build.
+    - cron: '41 22 * * SUN'
+
+jobs:
+  build-rpm:
+    runs-on: ubuntu-latest
+    if: '!github.event.repository.fork'
+
+    env:
+      # _github_home is the dir used as a volume by the container
+      RPMDIR: /home/runner/work/_temp/_github_home/rpmbuild
+    steps:
+    - name: Install rpmlint
+      run: |
+        sudo apt-get update
+        sudo apt-get install rpmlint
+    - uses: actions/checkout@v3
+      with:
+        # Get all branches and tags so the latest tag can be found for VERSION
+        fetch-depth: 0
+    - name: Set VERSION
+      run: echo "VERSION=`echo $(git describe --tags $(git rev-list --tags --max-count=1))`" >> $GITHUB_ENV
+    - name: Set SSMDIR
+      run: echo "SSMDIR=apel-ssm-$VERSION" >> $GITHUB_ENV
+
+    # Based on the ssm-build-rpm.sh script
+    - name: Download and rename archive
+      run: |
+        wget --no-check-certificate https://github.com/apel/ssm/archive/$VERSION.tar.gz -O $VERSION
+        tar xzvf $VERSION
+        mv ssm-$VERSION $SSMDIR
+        tar czvf $SSMDIR.tar.gz $SSMDIR
+        sudo mkdir -p $RPMDIR/SOURCES
+        sudo cp $SSMDIR.tar.gz $RPMDIR/SOURCES
+
+    - name: Build RPM package
+      id: rpm
+      uses: naveenrajm7/rpmbuild@v1.0.0
+      with:
+        spec_file: "apel-ssm.spec"
+
+    - name: Lint RPMs
+      continue-on-error: true
+      run: rpmlint ${{ steps.rpm.outputs.rpm_dir_path }}
+
+    - name: Upload artifact
+      uses: actions/upload-artifact@v3.1.2
+      with:
+        name: Binary and Source RPMs
+        path: |
+          ${{ steps.rpm.outputs.rpm_dir_path }}
+          ${{ steps.rpm.outputs.source_rpm_dir_path }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,52 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "dev" ]
+    # Can't use the paths-ignore with 'push' as this would cause missing analyses.
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "dev" ]
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+      - '**/*.ya?ml'
+      - '**/*.sh'
+  schedule:
+    - cron: '39 11 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    if: '!github.event.repository.fork'
+
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        queries: security-extended,security-and-quality
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -0,0 +1,59 @@
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+  push:
+    # Build all branches
+    branches: '*'
+    # Build tags which look like ###.###.###-###, i.e. actual releases only
+    # as any build from a GitHub tag also get's published as latest.
+    # Note: This is a GitHub actions filter pattern, not a regex
+    # (see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet).
+    tags: [ '[0-9]+.[0-9]+.[0-9]+-[0-9]+' ]
+  pull_request:
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        # Login against a Docker registry
+        # https://github.com/docker/login-action
+        name: Login to ${{ env.REGISTRY }}
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      -
+        # Extract metadata (tags, labels) for Docker
+        # https://github.com/docker/metadata-action
+        name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      -
+        # Build and push Docker image
+        # https://github.com/docker/build-push-action
+        name: Build and push Docker image
+        uses: docker/build-push-action@v4.1.1
+        with:
+          # Only push containers to the registry on GitHub pushes,
+          # not pull requests. GitHub won't let a rogue PR create a container
+          # in the registry without secrets being set up before hand anyway,
+          # if GitHub were to try without secrets - the action would fail.
+          push: ${{ github.event_name == 'push' }}
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta.outputs.tags }}
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
@@ -0,0 +1,34 @@
+name: Run Unit Tests
+
+on: [push, pull_request]
+
+jobs:
+  unit-test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ['2.x', '3.x']
+    name: Python ${{ matrix.python-version }} test
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Set up dependencies for python-ldap
+      run: sudo apt-get install libsasl2-dev libldap2-dev libssl-dev
+    - name: Base requirements for SSM
+      run: pip install -r requirements.txt
+    - name: Additional requirements for the unit and coverage tests
+      run: pip install -r requirements-test.txt
+    - name: Pre-test set up
+      run: |
+        export TMPDIR=$PWD/tmp
+        mkdir $TMPDIR
+        export PYTHONPATH=$PYTHONPATH:`pwd -P`
+        cd test
+    - name: Run unit tests
+      run: coverage run --branch --source=ssm,bin -m unittest discover --buffer
+    - name: Upload coverage to Codecov
+      uses: codecov/codecov-action@v3.1.4
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,29 @@
+# See https://pre-commit.com for more information
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v2.5.0
+  hooks:
+  # Python related checks
+  - id: check-ast
+  - id: check-builtin-literals
+  - id: check-docstring-first
+  - id: name-tests-test
+    name: Check unit tests start with 'test_'
+    args: ['--django']
+    files: 'test/.*'
+  # Other checks
+  - id: check-added-large-files
+  - id: check-merge-conflict
+  - id: check-yaml
+  - id: end-of-file-fixer
+  - id: mixed-line-ending
+    name: Force line endings to LF
+    args: ['--fix=lf']
+  - id: trailing-whitespace
+
+- repo: https://github.com/pre-commit/pygrep-hooks
+  rev: v1.9.0
+  hooks:
+  - id: python-check-mock-methods
+  - id: python-no-eval
+  - id: python-no-log-warn
diff --git a/.travis.yml b/.travis.yml
@@ -2,7 +2,7 @@ os: linux
 language: python
 python:
   - "2.7"
-  - "3.7"
+  - "3.8"
 
 # Cache the dependencies installed by pip
 cache: pip

diff --git a/CHANGELOG b/CHANGELOG
@@ -1,5 +1,16 @@
 Changelog for ssm
 =================
+* Thu Jun 29 2023 Adrian Coveney <adrian.coveney@stfc.ac.uk> - 3.3.0-1
+ - Added destination queue to the log during startup to aid troubleshooting.
+ - Added check that the config file exists to allow for better error messages.
+ - Changed dependencies to limit python-ldap below 3.4.0 and python-daemon below 2.3.0.
+ - Changed rpmbuild config to use less OS-specific dependencies.
+ - Fixed read timeouts leading to a crash.
+ - Fixed command line arguments to allow a relative file path for the DNs file.
+ - Removed the separate logging config file.
+ - Removed python-daemon as a hard requirement as only needed for receivers.
+ - Refactored a large amount of code for maintainability and security.
+
 * Wed Apr 28 2021 Adrian Coveney <adrian.coveney@stfc.ac.uk> - 3.2.1-1
  - Changed certificate and key comparison to allow both RSA and EC keys.
  - Corrected dependencies to include OpenSSL.

diff --git a/LICENSE b/LICENSE
@@ -138,4 +138,4 @@ if You agree to indemnify, defend, and hold each Contributor harmless for any li
 incurred by, or claims asserted against, such Contributor by reason of your accepting
 any such warranty or additional liability.
 
-END OF TERMS AND CONDITIONS
+END OF TERMS AND CONDITIONS
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 [![Build Status](https://travis-ci.org/apel/ssm.svg?branch=dev)](https://travis-ci.org/apel/ssm)
 [![Coverage Status](https://coveralls.io/repos/github/apel/ssm/badge.svg?branch=dev)](https://coveralls.io/github/apel/ssm?branch=dev)
-[![Codacy Badge](https://api.codacy.com/project/badge/Grade/cc3e808664ee41638938aa5c660a88ae)](https://www.codacy.com/app/apel/ssm)
+[![Codacy Badge](https://app.codacy.com/project/badge/Grade/9d2b1c88ab844f0081e5fafab49b269d)](https://www.codacy.com/gh/apel/ssm/dashboard)
 [![Maintainability](https://api.codeclimate.com/v1/badges/34aa04f3583afce2ceb2/maintainability)](https://codeclimate.com/github/apel/ssm/maintainability)
 
 Secure STOMP Messenger (SSM) is designed to simply send messages
@@ -18,9 +18,9 @@ For more information about SSM, see the [EGI wiki](https://wiki.egi.eu/wiki/APEL
 ## Acknowledgements
 
 <span>
-  <img alt="STFC logo" src="https://github.com/GOCDB/gocdb/raw/dev/htdocs/web_portal/img/UKRI_STF_Council-Logo_Horiz-RGB_crop.png" height="57" />
-  <img alt="EU flag" src="https://github.com/GOCDB/gocdb/raw/dev/htdocs/web_portal/img/eu_flag_yellow_low_150.png" height="51" />
-  <img alt="EOSC-hub logo" src="https://github.com/GOCDB/gocdb/raw/dev/htdocs/web_portal/img/eosc-hub-v-web_150.png" height="57" />
+  <img alt="STFC logo" src="https://github.com/GOCDB/gocdb/raw/dev/htdocs/images/UKRI_STF_Council-Logo_Horiz-RGB_crop.png" height="57" />
+  <img alt="EU flag" src="https://github.com/GOCDB/gocdb/raw/dev/htdocs/images/eu_flag_yellow_low_150.png" height="51" />
+  <img alt="EOSC-hub logo" src="https://github.com/GOCDB/gocdb/raw/dev/htdocs/images/eosc-hub-v-web_150.png" height="57" />
 </span>
 
 SSM is provided by [STFC](https://stfc.ukri.org/), a part of [UK Research and Innovation](https://www.ukri.org/), and is co-funded by the [EOSC-hub](https://www.eosc-hub.eu/) project (Horizon 2020) under Grant number 777536. Licensed under the [Apache 2 License](http://www.apache.org/licenses/LICENSE-2.0).
@@ -40,16 +40,17 @@ The Python STOMP library (N.B. versions between 3.1.1 (inclusive) and 5.0.0
 
 The Python AMS library. This is only required if you want to use AMS. See here for details on obtaining an RPM: https://github.com/ARGOeu/argo-ams-library/
 
-The Python daemon library
-* `yum install python-daemon`
-
 The Python ldap library
 * `yum install python-ldap`
 
 Optionally, the Python dirq library (N.B. this is only required if your messages
 are stored in a dirq structure)
 * `yum install python-dirq`
 
+The Python daemon library (N.B. installing this library is only required when
+using the SSM as a receiver)
+* `yum install python-daemon`
+
 You need a certificate and key in PEM format accessible to the SSM.
 There are a number of ways to do this.  One is to make a copy of the
 hostcert and hostkey files, owned by the apel user (created later):
@@ -193,7 +194,7 @@ add your messages using the `add` method.
      -v /path/to/read/messages:/var/spool/apel/outgoing \
      -v /etc/grid-security:/etc/grid-security \
      -v /path/to/persistently/log:/var/log/apel \
-     stfc/ssm
+     ghcr.io/apel/ssm
  ```
  * The line `-v /path/to/persistently/log:/var/log/apel \` is only required if you want to access the sender log as a file. If `console: true` is set in your `sender.cfg`, the container will also log to stdout/stderr.
 
@@ -215,7 +216,7 @@ add your messages using the `add` method.
      -v /path/to/dns/file:/etc/apel/dns \
      -v /etc/grid-security:/etc/grid-security \
      -v /path/to/persistently/log:/var/log/apel \
-     stfc/ssm
+     ghcr.io/apel/ssm
  ```
   * The line `-v /path/to/persistently/log:/var/log/apel \` is only required if you want to access the receiver log as a file. If `console: true` is set in your `receiver.cfg`, the container will also log to stdout/stderr.
 

diff --git a/apel-ssm.spec b/apel-ssm.spec
@@ -4,7 +4,7 @@
 %endif
 
 Name:           apel-ssm
-Version:        3.2.1
+Version:        3.3.0
 %define releasenumber 1
 Release:        %{releasenumber}%{?dist}
 Summary:        Secure stomp messenger
@@ -21,7 +21,7 @@ BuildArch:      noarch
 BuildRequires:  python-devel
 %endif
 
-Requires:       stomppy < 5.0.0, python-daemon, python-ldap, openssl
+Requires:       stomppy < 5.0.0, python-ldap < 3.4.0, python-setuptools, openssl
 Requires(pre):  shadow-utils
 
 %define ssmconf %_sysconfdir/apel
@@ -100,6 +100,17 @@ rm -rf $RPM_BUILD_ROOT
 %doc %_defaultdocdir/%{name}
 
 %changelog
+* Thu Jun 29 2023 Adrian Coveney <adrian.coveney@stfc.ac.uk> - 3.3.0-1
+ - Added destination queue to the log during startup to aid troubleshooting.
+ - Added check that the config file exists to allow for better error messages.
+ - Changed dependencies to limit python-ldap below 3.4.0 and python-daemon below 2.3.0.
+ - Changed rpmbuild config to use less OS-specific dependencies.
+ - Fixed read timeouts leading to a crash.
+ - Fixed command line arguments to allow a relative file path for the DNs file.
+ - Removed the separate logging config file.
+ - Removed python-daemon as a hard requirement as only needed for receivers.
+ - Refactored a large amount of code for maintainability and security.
+
 * Wed Apr 28 2021 Adrian Coveney <adrian.coveney@stfc.ac.uk> - 3.2.1-1
  - Changed certificate and key comparison to allow both RSA and EC keys.
  - Corrected dependencies to include OpenSSL.

diff --git a/bin/apel-ssm b/bin/apel-ssm
@@ -74,4 +74,3 @@ case "$1" in
 esac
 
 exit $RETVAL
-
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,7 +2,7 @@ os: linux @@
     language: python
     python:
       - "2.7"
-      - "3.7"
+      - "3.8"
     # Cache the dependencies installed by pip
     cache: pip
@@ Expand Down @@