Make Python 3 the default for development #4544

rmol · 2019-06-20T00:54:36Z

Status

Ready for review

Description of Changes

Make the default .venv Python 3, moving existing Python 2 versions out
of the way if necessary. Compile and use separate requirements files
for each version, using .venv2 to update the Python 2 requirements.

Add Makefile targets to make it easier to create both virtualenvs;
devops/scripts/boot-strap-venv.sh can now be sourced as before or just
run to create and update the virtualenv.

Merge Makefile and securedrop/Makefile. I've left securedrop/Makefile
in place with targets echoing deprecation warnings, then invoking
their equivalents in the top-level Makefile.

Type linting no longer requires a dedicated virtualenv once we're on
Python 3, so mypy is now part of the normal development requirements.

Switch mypy checking from 2.7 to Python 3.5.

Our Python dependencies also required updates, starting with Molecule,
which didn't support Python 3.5 until 2.20.1, so would have required
us to run a more recent Python 3 for development than we deploy under.

The pip-tools package needed to be updated to work with pip 19.1.1,
which is installed in the new Python 3 virtualenv.

Fix many, many lint errors from lint packages updated for Python 3.

Fixes #4519.
Fixes #4415.

Testing

Try running various Makefile targets:

make lint
make test
PYTHON_VERSION=2 make test
make update-pip-requirements
make update-python2-requirements
make build-debs (you should only get the usual apt update test failure)
make staging
molecule verify -s libvirt-staging

Deployment

This should not include any changes to production deployment.

Debian packages are still built with Python 2, and securedrop-app-code is still using the Python 2 version of libapache2-mod-wsgi. The only changes to building debs were to copy the new requirement file paths and specify that the Python 2-specific ones should be used when building wheels.

The only changes to the admin were to satisfy linters, and tests are passing.

Checklist

If you made changes to the server application code:

Linting (make lint) and tests (make -C securedrop test) pass in the development container

If you made changes to `securedrop-admin`:

Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

Configuration tests pass

If you made non-trivial code changes:

I have written a test plan and validated it for this PR

If you made changes to documentation:

Doc linting (make docs-lint) passed locally

kushaldas

$ make lint
███ Preparing Python 3 virtual environment...
Default virtualenv in .venv is Python 2; renaming it to .venv-2-20190620-123047.
Already using interpreter /usr/bin/python3
Using base prefix '/usr'
New python executable in /home/kdas/code/securedrop/.venv/bin/python3
Also creating executable in /home/kdas/code/securedrop/.venv/bin/python
Installing setuptools, pip, wheel...done.

███ Linting Ansible configuration...
--> Validating schema /home/kdas/code/securedrop/molecule/virtualbox-staging-xenial/molecule.yml.
Validation completed successfully.
--> Validating schema /home/kdas/code/securedrop/molecule/fetch-tor-packages/molecule.yml.
Validation completed successfully.
--> Validating schema /home/kdas/code/securedrop/molecule/builder-xenial/molecule.yml.
Validation completed successfully.
--> Validating schema /home/kdas/code/securedrop/molecule/qubes-staging/molecule.yml.
Validation completed successfully.
--> Validating schema /home/kdas/code/securedrop/molecule/ansible-config/molecule.yml.
Validation completed successfully.
--> Validating schema /home/kdas/code/securedrop/molecule/upgrade/molecule.yml.
Validation completed successfully.
--> Validating schema /home/kdas/code/securedrop/molecule/libvirt-staging-xenial/molecule.yml.
Validation completed successfully.
--> Validating schema /home/kdas/code/securedrop/molecule/vagrant-packager/molecule.yml.
Validation completed successfully.
--> Test matrix
    
└── ansible-config
    └── verify
    
--> Inventory /home/kdas/code/securedrop/molecule/ansible-config/../../install_files/ansible-base/host_vars linked to /tmp/molecule/securedrop/ansible-config/inventory/host_vars
--> Inventory /home/kdas/code/securedrop/molecule/ansible-config/../../install_files/ansible-base/group_vars linked to /tmp/molecule/securedrop/ansible-config/inventory/group_vars
--> Scenario: 'ansible-config'
--> Action: 'verify'
Traceback (most recent call last):
  File "/home/kdas/code/securedrop/.venv/bin/molecule", line 10, in <module>
    sys.exit(main())
  File "/home/kdas/code/securedrop/.venv/lib/python3.5/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/home/kdas/code/securedrop/.venv/lib/python3.5/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/home/kdas/code/securedrop/.venv/lib/python3.5/site-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/kdas/code/securedrop/.venv/lib/python3.5/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/kdas/code/securedrop/.venv/lib/python3.5/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/home/kdas/code/securedrop/.venv/lib/python3.5/site-packages/click/decorators.py", line 17, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/home/kdas/code/securedrop/.venv/lib/python3.5/site-packages/molecule/command/verify.py", line 97, in verify
    base.execute_subcommand(scenario.config, action)
  File "/home/kdas/code/securedrop/.venv/lib/python3.5/site-packages/molecule/command/base.py", line 102, in execute_subcommand
    return command(config).execute()
  File "/home/kdas/code/securedrop/.venv/lib/python3.5/site-packages/molecule/command/verify.py", line 72, in execute
    self._config.verifier.execute()
  File "/home/kdas/code/securedrop/.venv/lib/python3.5/site-packages/molecule/verifier/testinfra.py", line 184, in execute
    self.bake()
  File "/home/kdas/code/securedrop/.venv/lib/python3.5/site-packages/molecule/verifier/testinfra.py", line 163, in bake
    self._testinfra_command = sh.Command('py.test').bake(
  File "/home/kdas/code/securedrop/.venv/lib/python3.5/site-packages/sh.py", line 1202, in __init__
    raise CommandNotFound(path)
sh.CommandNotFound: py.test
Makefile:76: recipe for target 'ansible-config-lint' failed
make: *** [ansible-config-lint] Error 1

journalist_gui/journalist_gui/resources_rc.py

redshiftzero

two initial CI things i noticed, will continue reviewing

request for addressing review comments given the size of this diff: please append fixes in additional commits (and then we'll squash pre-merge)

.circleci/config.yml

.gitignore

devops/scripts/boot-strap-venv.sh

securedrop/Makefile

securedrop-admin

Makefile

securedrop/models.py

securedrop/secure_tempfile.py

redshiftzero

ok ran through this diff today, dropped comments inline, looking great so far!

codecov-io · 2019-06-24T20:18:49Z

Codecov Report

Merging #4544 into develop will increase coverage by 0.1%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           develop    #4544     +/-   ##
==========================================
+ Coverage    82.53%   82.63%   +0.1%     
==========================================
  Files           45       45             
  Lines         3121     3116      -5     
  Branches       339      337      -2     
==========================================
- Hits          2576     2575      -1     
+ Misses         458      455      -3     
+ Partials        87       86      -1

Impacted Files	Coverage Δ
...versions/3d91d6948753_create_source_uuid_column.py	`47.61% <0%> (-2.39%)`	⬇️
securedrop/securedrop/crypto_util.py	`90.4% <0%> (ø)`	⬆️
...5cbab83_add_column_to_track_source_deletion_of_.py	`42.1% <0%> (ø)`	⬆️
...p/securedrop/alembic/versions/15ac9509fc68_init.py	`40% <0%> (ø)`	⬆️
...ions/fccf57ceef02_create_submission_uuid_column.py	`45% <0%> (ø)`	⬆️
...ns/f2833ac34bb6_add_uuid_column_for_users_table.py	`42.85% <0%> (ø)`	⬆️
...op/alembic/versions/6db892e17271_add_reply_uuid.py	`45% <0%> (ø)`	⬆️
...s/2d0ce3ee5bdc_added_passphrase_hash_column_to_.py	`57.14% <0%> (ø)`	⬆️
securedrop/securedrop/i18n.py	`94.87% <0%> (ø)`	⬆️
.../b58139cfdc8c_add_checksum_columns_revoke_table.py	`36.36% <0%> (ø)`	⬆️
... and 2 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 82d4cd2...f15b2b1. Read the comment docs.

Makefile

Make the default .venv Python 3, moving existing Python 2 versions out of the way if necessary. Compile and use separate requirements files for each version, using .venv2 to update the Python 2 requirements. Add Makefile targets to make it easier to create both virtualenvs; devops/scripts/boot-strap-venv.sh can now be sourced as before or just run to create and update the virtualenv. Merge Makefile and securedrop/Makefile. I've left securedrop/Makefile in place with targets echoing deprecation warnings, then invoking their equivalents in the top-level Makefile. Type linting no longer requires a dedicated virtualenv once we're on Python 3, so mypy is now part of the normal development requirements. Switch mypy checking from 2.7 to Python 3.5. Our Python dependencies also required updates, starting with Molecule, which didn't support Python 3.5 until 2.20.1, so would have required us to run a more recent Python 3 for development than we deploy under. The pip-tools package needed to be updated to work with pip 19.1.1, which is installed in the new Python 3 virtualenv. Fix many, many lint errors from lint packages updated for Python 3.

Make sure lint targets activate the virtualenv as necessary to pick up pytest, since not everyone will have it somewhere else on the path. Ahem. Normalize lint target between Makefiles. Rename some variables in the top-level Makefile. Circle's still running the EOL Ubuntu 14.04, which has Python 3.4. We can run most linters under 3.5 in our 16.04 container, but the shellcheck package there is too old, so unless we want to run Docker-in-Docker, we need to run shellcheck in a separate step using a koalaman image.

When run in a non-interactive shell, virtualenv < 16.2 can cause an error because PS1 is unset. Apparently whatever's in the image used for fetch-tor-packages is that old.

I misunderstood a problem raised in another context; this isn't necessary.

Added pip-tools to our Ubuntu Dockerfiles, to get requirements compiled with the Python versions that will be used in production.

Installing pip requirements automatically is bad, and fails in the container, outside of a virtualenv. Instead, if safety or bandit is not available, request installation. Also improve the test-config/config.py rules to only build the test config when necessary.

redshiftzero

I've ran through the following targets on this branch, and am happy with merging this:

✅make test
✅PYTHON_VERSION=2 make test
✅make lint
✅make update-pip-requirements
✅make update-python2-requirements
✅make build-debs and was able to provision staging (using virtualbox)

We can create a followup issue on this sprint for broader developer docs changes once this is merged.

@kushaldas please give this another look and update your review, and then feel free to merge if you also think this is ready (a second set of eyes given the diff size is important here).

securedrop-admin

redshiftzero · 2019-06-29T00:28:24Z

securedrop/requirements/python3/securedrop-app-code-requirements.txt

@@ -0,0 +1,200 @@
+#


Noting here for other maintainers the requirements diff compared to securedrop-app-code-requirements.txt on develop - this PR only removes dependencies from the python 3 version of the app code requirements:

# alembic==0.9.9 \ --hash=sha256:85bd3ea7633024e4930900bc64fb58f9742dedbc6ebb6ecf25be2ea9a3c1b32e @@ -96,12 +96,6 @@ cryptography==2.6.1 \ --hash=sha256:d4afbb0840f489b60f5a580a41a1b9c3622e08ecb5eec8614d4fb4cd914c4460 \ --hash=sha256:d9ed28030797c00f4bc43c86bf819266c76a5ea61d006cd4078a93ebf7da6bfd \ --hash=sha256:e603aa7bb52e4e8ed4119a58a03b60323918467ef209e6ff9db3ac382e5cf2c6 -enum34==1.1.6 \ - --hash=sha256:2d81cbbe0e73112bdfe6ef8576f2238f2ba27dd0d55752a776c41d38b7da2850 \ - --hash=sha256:644837f692e5f550741432dd3f223bbb9852018674981b1664e5dc339387588a \ - --hash=sha256:6bd0f6ad48ec2aa117d3d141940d484deccda84d4fcd884f5c3d93c23ecd8c79 \ - --hash=sha256:8ad8c4783bf61ded74527bffb48ed9b54166685e4230386a9ed9b1279e2df5b1 \ - # via argon2-cffi, cryptography flask-assets==0.12 \ --hash=sha256:6031527b89fb3509d1581d932affa5a79dd348cfffb58d0aef99a43461d47847 flask-babel==0.11.2 \ @@ -116,10 +110,6 @@ flask-wtf==0.14.2 \ flask==1.0.2 \ --hash=sha256:2271c0070dbcb5275fad4a82e29f23ab92682dc45f9dfbc22c02ba9b9322ce48 \ --hash=sha256:a080b744b7e345ccfcbc77954861cb05b3c63786e93f2b3875e0913d44b43f05 -ipaddress==1.0.22 \ - --hash=sha256:64b28eec5e78e7510698f6d4da08800a5c575caa4a286c93d651c5d3ff7b6794 \ - --hash=sha256:b146c751ea45cad6188dd6cf2d9b757f6f4f8d6ffb96a023e6f2e26eea02a72c \ - # via cryptography itsdangerous==0.24 \ --hash=sha256:cbb3fcf8d3e33df861709ecaf89d9e6629cff0a217bc2848f1b41cd30d360519 \ # via flask

kushaldas

Tested following the steps mentioned in the comment:

✅make test
✅PYTHON_VERSION=2 make test
✅make lint
✅make update-pip-requirements
✅make update-python2-requirements
✅make build-debs and was able to provision staging (using libvirt)

Approved.

rmol requested review from conorsch, emkll, heartsucker, kushaldas, msheiny, redshiftzero and zenmonkeykstop as code owners June 20, 2019 00:54

rmol force-pushed the 4519-py3-dev branch from 230c3db to 3d071fa Compare June 20, 2019 01:01

kushaldas requested changes Jun 20, 2019

View reviewed changes

journalist_gui/journalist_gui/resources_rc.py Show resolved Hide resolved

rmol force-pushed the 4519-py3-dev branch 2 times, most recently from 13f06a7 to af075c2 Compare June 20, 2019 16:55