Convert http references to https #3998
Conversation
anselmbradford
requested review from
rosskarchner,
chosak,
sebworks and
willbarton
![accesslint[bot]](https://avatars.githubusercontent.com/in/1502?s=60&v=4){kind=small}
anselmbradford
force-pushed
the
convert_http_to_https
branch
from
babc696
to
6e49488
Compare
| @@ -0,0 +1,6 @@ | |||
| <?xml version="1.0" encoding="UTF-8"?> | |||
There was a problem hiding this comment.
This shouldn't be in the commit. I'll add it the folder to the git ignore.
There was a problem hiding this comment.
Whoops! Removed it. Can we send those into the /test/ directory too?
| @@ -114,7 +114,7 @@ | |||
| "note": "", | |||
| "updated": "2017-10-10", | |||
| "name": "download_files", | |||
| "json_value": "{\"2017-03\":{\"percent_30_60\":{\"County\":{\"url\":\"http://files.consumerfinance.gov.s3.amazonaws.com/data/mortgage-performance/downloads/CountyMortgagesPercent-30-89DaysLate-thru-2017-03.csv\",\"slug\":\"CountyMortgagesPercent-30-89DaysLate-thru-2017-03\",\"size\":\"40 KB\"},\"MetroArea\":{\"url\":\"http://files.consumerfinance.gov.s3.amazonaws.com/data/mortgage-performance/downloads/MetroAreaMortgagesPercent-30-89DaysLate-thru-2017-03.csv\",\"slug\":\"MetroAreaMortgagesPercent-30-89DaysLate-thru-2017-03\",\"size\":\"148 KB\"},\"State\":{\"url\":\"http://files.consumerfinance.gov.s3.amazonaws.com/data/mortgage-performance/downloads/StateMortgagesPercent-30-89DaysLate-thru-2017-03.csv\",\"slug\":\"StateMortgagesPercent-30-89DaysLate-thru-2017-03\",\"size\":\"25 KB\"}},\"thru_month\":\"March 2017\",\"percent_90\":{\"County\":{\"url\":\"http://files.consumerfinance.gov.s3.amazonaws.com/data/mortgage-performance/downloads/CountyMortgagesPercent-90-plusDaysLate-thru-2017-03.csv\",\"slug\":\"CountyMortgagesPercent-90-plusDaysLate-thru-2017-03\",\"size\":\"40 KB\"},\"MetroArea\":{\"url\":\"http://files.consumerfinance.gov.s3.amazonaws.com/data/mortgage-performance/downloads/MetroAreaMortgagesPercent-90-plusDaysLate-thru-2017-03.csv\",\"slug\":\"MetroAreaMortgagesPercent-90-plusDaysLate-thru-2017-03\",\"size\":\"148 KB\"},\"State\":{\"url\":\"http://files.consumerfinance.gov.s3.amazonaws.com/data/mortgage-performance/downloads/StateMortgagesPercent-90-plusDaysLate-thru-2017-03.csv\",\"slug\":\"StateMortgagesPercent-90-plusDaysLate-thru-2017-03\",\"size\":\"25 KB\"}},\"pub_date\":\"October 2017\"}}" | |||
| "json_value": "{\"2017-03\":{\"percent_30_60\":{\"County\":{\"url\":\"https://files.consumerfinance.gov.s3.amazonaws.com/data/mortgage-performance/downloads/CountyMortgagesPercent-30-89DaysLate-thru-2017-03.csv\",\"slug\":\"CountyMortgagesPercent-30-89DaysLate-thru-2017-03\",\"size\":\"40 KB\"},\"MetroArea\":{\"url\":\"https://files.consumerfinance.gov.s3.amazonaws.com/data/mortgage-performance/downloads/MetroAreaMortgagesPercent-30-89DaysLate-thru-2017-03.csv\",\"slug\":\"MetroAreaMortgagesPercent-30-89DaysLate-thru-2017-03\",\"size\":\"148 KB\"},\"State\":{\"url\":\"https://files.consumerfinance.gov.s3.amazonaws.com/data/mortgage-performance/downloads/StateMortgagesPercent-30-89DaysLate-thru-2017-03.csv\",\"slug\":\"StateMortgagesPercent-30-89DaysLate-thru-2017-03\",\"size\":\"25 KB\"}},\"thru_month\":\"March 2017\",\"percent_90\":{\"County\":{\"url\":\"https://files.consumerfinance.gov.s3.amazonaws.com/data/mortgage-performance/downloads/CountyMortgagesPercent-90-plusDaysLate-thru-2017-03.csv\",\"slug\":\"CountyMortgagesPercent-90-plusDaysLate-thru-2017-03\",\"size\":\"40 KB\"},\"MetroArea\":{\"url\":\"https://files.consumerfinance.gov.s3.amazonaws.com/data/mortgage-performance/downloads/MetroAreaMortgagesPercent-90-plusDaysLate-thru-2017-03.csv\",\"slug\":\"MetroAreaMortgagesPercent-90-plusDaysLate-thru-2017-03\",\"size\":\"148 KB\"},\"State\":{\"url\":\"https://files.consumerfinance.gov.s3.amazonaws.com/data/mortgage-performance/downloads/StateMortgagesPercent-90-plusDaysLate-thru-2017-03.csv\",\"slug\":\"StateMortgagesPercent-90-plusDaysLate-thru-2017-03\",\"size\":\"25 KB\"}},\"pub_date\":\"October 2017\"}}" | |||
There was a problem hiding this comment.
URLs like http://files.consumerfinance.gov.s3.amazonaws.com/foo need to become just https://files.consumerfinance.gov/foo
There was a problem hiding this comment.
Fixed in 6f01018
| @@ -18,7 +18,7 @@ | |||
| S3_SECRET = os.getenv('AWS_S3_SECRET_ACCESS_KEY') | |||
| BASE_BUCKET = settings.AWS_STORAGE_BUCKET_NAME | |||
| MORTGAGE_SUB_BUCKET = "data/mortgage-performance" | |||
| PUBLIC_ACCESS_BASE = 'http://{}.s3.amazonaws.com/{}'.format( | |||
| PUBLIC_ACCESS_BASE = 'https://{}.s3.amazonaws.com/{}'.format( | |||
There was a problem hiding this comment.
See above; the HTTPS format for S3 would be something like
'https://{}/{}'.format(BASE_BUCKET, MORTGAGE_SUB_BUCKET)There was a problem hiding this comment.
Is as you have written okay, or does it need testing to verify? Fixed in 6f01018
There was a problem hiding this comment.
We could add a new test but it'd just be testing that strings are appended correctly. I tested this manually on your branch:
$ convert_http_to_https* $ ALLOWED_HOSTS='["*"]' DJANGO_SETTINGS_MODULE=cfgov.settings.production cfgov/manage.py shell
>>> from data_research.mortgage_utilities.s3_utils import *
>>> PUBLIC_ACCESS_BASE, S3_SOURCE_BUCKET
(u'https://files.consumerfinance.gov/data/mortgage-performance', u'https://files.consumerfinance.gov/data/mortgage-performance/source')This looks correct to me.
| @@ -117,7 +117,7 @@ def export_downloadable_csv(geo_type, late_value): | |||
| Each CSV is to start with a National row for comparison. | |||
|
|
|||
| CSVs are posted at | |||
| http://files.consumerfinance.gov.s3.amazonaws.com/data/mortgage-performance/downloads/ # noqa: E501 | |||
| https://files.consumerfinance.gov.s3.amazonaws.com/data/mortgage-performance/downloads/ # noqa: E501 | |||
There was a problem hiding this comment.
See above; remove s3.amazonaws.com.
| @@ -1,32 +1,31 @@ | |||
|
|
|||
| $(function() { | |||
| /* this allows us to pass in HTML tags to autocomplete. Without this they get escaped | |||
| /* this allows us to pass in HTML tags to autocomplete. Without this they get escaped | |||
There was a problem hiding this comment.
Maybe remove extraneous whitespace changes to reduce the size of this PR?
There was a problem hiding this comment.
You can view it without whitespace changes by adding ?w=1 to the PR URL, see https://blog.github.com/2011-10-21-github-secrets/#whitespace
Does this work for you?
| @@ -201,7 +201,7 @@ const sourceCookies = { | |||
| */ | |||
| parseOrganicSearch: function( host, query, referrer ) { | |||
| // Referrer must not be the same host | |||
| if ( hostsAreEqual( 'http://' + host, referrer ) === false ) { | |||
| if ( hostsAreEqual( 'https://' + host, referrer ) === false ) { | |||
There was a problem hiding this comment.
Is this a file we should be modifying?
There was a problem hiding this comment.
Yes, host is set by document.location.host on https://github.com/cfpb/cfgov-refresh/blob/master/cfgov/unprocessed/apps/analytics-gtm/js/enterprise-attribution-cookies.js#L414 and https://github.com/cfpb/cfgov-refresh/blob/master/cfgov/unprocessed/apps/analytics-gtm/js/enterprise-attribution-cookies.js#L53, which would be our pages where this script runs, which will be https.
| @@ -1,5 +1,12 @@ | |||
| import $ from 'jquery'; | |||
| import 'rangeslider.js'; | |||
| import { | |||
There was a problem hiding this comment.
Same comment as above; would you consider removing extraneous whitespace changes to reduce the scope of this PR?
There was a problem hiding this comment.
Whoops! #3991 appears to have snuck in here. I'll see if I can get that one reviewed and rebase here.
There was a problem hiding this comment.
This is the non-whitespace diff URL https://github.com/cfpb/cfgov-refresh/pull/3998/files?w=1
| @@ -2,15 +2,15 @@ | |||
|
|
|||
| ### Akamai | |||
|
|
|||
| We use [Akamai](https://www.akamai.com/), a content delivery network, to cache the entirety of [www.consumerfinance.gov](https://www.consumerfinance.gov/) (but not our development servers). We invalidate any given page in Wagtail when it is published or unpublished (by hooking up the custom class [`AkamaiBackend`](https://github.com/cfpb/cfgov-refresh/blob/master/cfgov/v1/models/akamai_backend.py) to [Wagtail's frontend cache invalidator](http://docs.wagtail.io/en/v1.9/reference/contrib/frontendcache.html). By default, we clear the Akamai cache any time we deploy. | |||
| We use [Akamai](https://www.akamai.com/), a content delivery network, to cache the entirety of [www.consumerfinance.gov](https://www.consumerfinance.gov/) (but not our development servers). We invalidate any given page in Wagtail when it is published or unpublished (by hooking up the custom class [`AkamaiBackend`](https://github.com/cfpb/cfgov-refresh/blob/master/cfgov/v1/models/akamai_backend.py) to [Wagtail's frontend cache invalidator](http://docs.wagtail.io/en/v2.0.1/reference/contrib/frontendcache.html). By default, we clear the Akamai cache any time we deploy. | |||
There was a problem hiding this comment.
It makes me sad that docs.wagtail.io can't be HTTPS; this looks to be a ReadTheDocs thing.
| @@ -0,0 +1,6 @@ | |||
| <?xml version="1.0" encoding="UTF-8"?> | |||
There was a problem hiding this comment.
Did you mean to commit these files?
refresh-data.sh
Outdated
| @@ -42,7 +42,7 @@ if [[ -z "$refresh_dump_name" ]]; then | |||
|
|
|||
| Or you can define the location of a dump and this script will download it for you: | |||
|
|
|||
| export CFGOV_PROD_DB_LOCATION=http://some-bucket.s3.amazonaws.com/wherever/production_django.sql.gz | |||
| export CFGOV_PROD_DB_LOCATION=https://some-bucket.s3.amazonaws.com/wherever/production_django.sql.gz | |||
There was a problem hiding this comment.
This won't work with HTTPS if you include the s3.amazonaws.com (see above).
There was a problem hiding this comment.
Removed in 225af8f
TERMS.md
Outdated
| co-created with Jonathan Neal, is licensed under the MIT License. | ||
| - [Slick](http://kenwheeler.github.io/slick/) by Ken Wheeler is licensed under |
There was a problem hiding this comment.
If you're cleaning up this reference to Slick (which I guess is no longer used), can we also remove this one?
refresh-data.sh
Outdated
| @@ -42,7 +42,7 @@ if [[ -z "$refresh_dump_name" ]]; then | |||
|
|
|||
| Or you can define the location of a dump and this script will download it for you: | |||
|
|
|||
| export CFGOV_PROD_DB_LOCATION=http://some-bucket.s3.amazonaws.com/wherever/production_django.sql.gz | |||
| export CFGOV_PROD_DB_LOCATION=https://some-bucket.com/wherever/production_django.sql.gz | |||
There was a problem hiding this comment.
Now that we're removing references to our explicit use of S3, how would you feel about removing the word "bucket" here? Since in theory the production dumps could live anywhere.
There was a problem hiding this comment.
Updated to example.com
There was a problem hiding this comment.
Thanks for responding to my feedback @anselmbradford. This generally looks good to me, as there isn't much that would impact backend code besides the one change to the mortgage utilities code.
I found a number of URLs in the codebase that are listed as http URLs but are accessible at https URLs, so updated those.
Changes
Testing
gulp test:acceptanceshould pass.gulp test:unitshould pass.gulp audit:perfshouldn't show a redundant protocolhttp://https://URL.