Merge pull request dbca-wa#481 from ropable/master

Prevent bad generated email addresses, bump project dependencies, update Kustomize definitions

.github/workflows/image-build-scan.yml

@@ -80,6 +80,7 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           scan-type: 'image'
+          scanners: 'vuln'
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           vuln-type: 'os,library'
           severity: 'HIGH,CRITICAL'

.github/workflows/secret-scan.yml

@@ -0,0 +1,25 @@
+name: "Scan project for secrets & sensitive information"
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  secret-scan:
+    name: Scan project for secrets
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Secret scanning
+      uses: trufflesecurity/trufflehog@main
+      with:
+        base: ""
+        head: ${{ github.ref_name }}
+        extra_args: --only-verified

.pre-commit-config.yaml

@@ -8,4 +8,4 @@ repos:
       # For running trufflehog in docker, use the following entry instead:
       # entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --only-verified --fail'
       language: system
-      stages: ["commit", "push"]
+      stages: ["pre-commit", "pre-push"]

itassets/settings.py

@@ -1,13 +1,15 @@
-from dbca_utils.utils import env
-from django.core.exceptions import DisallowedHost
-from django.db.utils import OperationalError
-import dj_database_url
 import os
-from pathlib import Path
 import sys
 import tomllib
+from pathlib import Path
 from zoneinfo import ZoneInfo
 
+import dj_database_url
+from dbca_utils.utils import env
+from django.core.exceptions import DisallowedHost
+from django.db.utils import OperationalError
+from redis.exceptions import ConnectionError
+
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = str(Path(__file__).resolve().parents[1])
 PROJECT_DIR = str(Path(__file__).resolve().parents[0])
@@ -264,6 +266,9 @@ def sentry_excluded_exceptions(event, hint):
         # Exclude exceptions related to host requests not in ALLOWED_HOSTS.
         elif hint["exc_info"][0] is DisallowedHost:
             return None
+        # Exclude Redis service connection errors.
+        elif hint["exc_info"][0] is ConnectionError:
+            return None
 
     return event
 

kustomize/overlays/prod/kustomization.yaml

@@ -22,6 +22,8 @@ secretGenerator:
     type: Opaque
     envs:
       - .env
+generatorOptions:
+  disableNameSuffixHash: true
 labels:
   - includeSelectors: true
     pairs:
@@ -35,4 +37,4 @@ patches:
   - path: postgres_fdw_service_patch.yaml
 images:
   - name: ghcr.io/dbca-wa/it-assets
-    newTag: 2.4.31
+    newTag: 2.4.32

kustomize/overlays/uat/kustomization.yaml

@@ -11,6 +11,8 @@ secretGenerator:
     type: Opaque
     envs:
       - .env
+generatorOptions:
+  disableNameSuffixHash: true
 labels:
   - includeSelectors: true
     pairs:

organisation/ascender.py

@@ -549,19 +549,19 @@ def create_ad_user_account(job, cc, job_start_date, licence_type, manager, locat
     if job["first_name"]:
         first_name = "".join([i.lower() for i in job["first_name"] if i.isalnum()])
     else:
-        first_name = None
+        first_name = ""
     if job["preferred_name"]:
         preferred_name = "".join([i.lower() for i in job["preferred_name"] if i.isalnum()])
     else:
-        preferred_name = None
+        preferred_name = ""
     if job["surname"]:
         surname = "".join([i.lower() for i in job["surname"] if i.isalnum()])
     else:
-        surname = None
+        surname = ""
     if job["second_name"]:
         second_name = "".join([i.lower() for i in job["second_name"] if i.isalnum()])
     else:
-        second_name = None
+        second_name = ""
 
     # New email address generation.
     # Make no assumption about names (presence or absence). Remove any spaces/special characters within name text.

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "itassets"
-version = "2.4.31"
+version = "2.4.32"
 description = "DBCA IT assets (both physical and knowledge-based) management system"
 authors = ["DBCA OIM <[email protected]>"]
 license = "Apache-2.0"
@@ -13,25 +13,25 @@ psycopg = { version = "3.2.3", extras = ["binary", "pool"] }
 dbca-utils = "2.0.2"
 django-extensions = "3.2.3"
 python-dotenv = "1.0.1"
-dj-database-url = "2.2.0"
+dj-database-url = "2.3.0"
 gunicorn = "23.0.0"
 unicodecsv = "0.14.1"
 python-dateutil = "2.8.2"
 webtemplate-dbca = "1.7.1"
 mixer = "7.2.2"
 msal = "1.31.0"
-whitenoise = { version = "6.7.0", extras = ["brotli"] }
+whitenoise = { version = "6.8.2", extras = ["brotli"] }
 pysftp = "0.2.9"
 azure-storage-blob = "12.23.1"
 django-storages = { version = "1.14.4", extras = ["azure"] }
 xlsxwriter = "3.2.0"
-sentry-sdk = { version = "2.14.0", extras = ["django"] }
-redis = "5.1.0"
+sentry-sdk = { version = "2.18.0", extras = ["django"] }
+redis = "5.2.0"
 
 [tool.poetry.group.dev.dependencies]
-ipython = "^8.27.0"
+ipython = "^8.29.0"
 ipdb = "^0.13.13"
-pre-commit = "^3.8.0"
+pre-commit = "^4.0.1"
 
 # Reference: https://docs.astral.sh/ruff/configuration/
 [tool.ruff]