Merge pull request #800 from open-zaak/release/1.3.3

Release 1.3.3
open-zaak · Dec 17, 2020 · 682f652 · 682f652
2 parents 9522692 + a438442
commit 682f652
Show file tree

Hide file tree

Showing 10 changed files with 94 additions and 30 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,7 +1,7 @@
 [bumpversion]
 commit = False
 tag = False
-current_version = 1.3.2
+current_version = 1.3.3
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(\.dev(?P<dev>\d+))?
 serialize = 
 	{major}.{minor}.{patch}.dev{dev}

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,92 @@
 Changelog
 =========
 
+1.3.3 (2020-12-17)
+------------------
+
+Security and bugfix release
+
+.. warning:: this release includes a security fix for `CVE-2020-26251`_, where Open Zaak
+   had a possible vulnerable CORS configuration. It is advised to update as soon as
+   possible. The severity is considered low, since we haven't been able to actually
+   exploit this due to mitigating additional security configuration in other aspects.
+
+.. _CVE-2020-26251: https://github.com/open-zaak/open-zaak/security/advisories/GHSA-chhr-gxrg-64x7
+
+The bugfixes are mostly CMIS-adapter related.
+
+**Bugfixes**
+
+* The Cross-Origin Resource Sharing configuration is now safe by default - no CORS is
+  allowed. Environment configuration options are made available to make CORS possible
+  to varying degrees, which are all opt-in. This fixes CVE-2020-26251.
+* Fixed duplicate ``ObjectInformatieObject`` instances being created with CMIS enabled
+  (#778)
+* Fixed stale CMIS queryset cache preventing correct chained filtering (#782)
+* Fixed some links being opened in new window/tab without ``norel`` or ``noreferrer``
+  set in the ``rel`` attribute
+* Fixed multiple ``EnkelvoudigInformatieobject`` instances having the same
+  ``bronorganisatie`` and ``identificatie`` (#768). If you're not using the CMIS-adapter,
+  see the manual intervention required below.
+* Fixed a bug retrieving ``ObjectInformatieObject`` collection in the Documenten API
+  when CMIS is enabled. This may also have affected the ``Gebruiksrechten`` resource. (#791)
+
+**Documentation**
+
+* Improved documentation for CMIS services configuration
+* Fixed a typo in the Governance document
+* Documented environment variable to disable TLS certificate validation. This should
+  never be used in production, instead the certificate setup should be fixed.
+
+**Other changes**
+
+* Enabled CMIS-adapter logging in DEBUG mode
+* Migrated CI from Travis CI to Github Actions
+* Explicitly test PostgreSQL versions 10, 11 and 12 (#716)
+* Optimized CI build to re-use Docker image artifacts from previous jobs
+* Replaced postman.io mocks subscription with nginx container (#790)
+* Avoid some unnecessary queries when CMIS is enabled
+* Implemented a (likely) fix to non-deterministic behaviour in the test suite (#798)
+
+.. warning::
+
+    Manual intervention required.
+
+    There is a chance that documents have been created in the Documents API with
+    duplicate ``(bronorganisatie, identificatie)`` combinations.
+
+    We've provided a management command to check and fix these occurrences.
+
+    Run ``python src/manage.py detect_duplicate_eio --help`` in an Open Zaak container
+    to get the command line options. By default, the command is interactive:
+
+    .. tabs::
+
+      .. group-tab:: single-server
+
+        .. code-block:: bash
+
+            $ docker exec openzaak-0 src/manage.py detect_duplicate_eio
+            Checking 30 records ...
+            Found no duplicate records.
+
+      .. group-tab:: Kubernetes
+
+        .. code-block:: bash
+
+            $ kubectl get pods
+            NAME                        READY   STATUS    RESTARTS   AGE
+            cache-79455b996-jxk9r       1/1     Running   0          2d9h
+            nginx-8579d9dfbd-gdtbf      1/1     Running   0          2d9h
+            nginx-8579d9dfbd-wz6wn      1/1     Running   0          2d9h
+            openzaak-7b696c8fd5-hchbq   1/1     Running   0          2d9h
+            openzaak-7b696c8fd5-kz2pb   1/1     Running   0          2d9h
+
+            $ kubectl exec openzaak-7b696c8fd5-hchbq -- src/manage.py detect_duplicate_eio
+            Checking 30 records ...
+            Found no duplicate records.
+
+
 1.3.2 (2020-11-09)
 ------------------
 

diff --git a/README.en.md b/README.en.md
@@ -6,7 +6,7 @@
 
 | | | |
 |-|-|-|
-| **Version:** | 1.3.2 |
+| **Version:** | 1.3.3 |
 | **Source:** | https://github.com/open-zaak/open-zaak |
 | **Keywords:** | zaken, zaakgericht werken, zaken-api, catalogi-api, besluiten-api, documenten-api |
 | **PythonVersion:** | 3.7 |

diff --git a/README.rst b/README.rst
@@ -7,7 +7,7 @@ Open Zaak
 
 .. _`Read this in English`: README.en.md
 
-:Version: 1.3.2
+:Version: 1.3.3
 :Source: https://github.com/open-zaak/open-zaak
 :Keywords: zaken, zaakgericht werken, zaken-api, catalogi-api, besluiten-api, documenten-api
 :PythonVersion: 3.7

diff --git a/deployment/kubernetes/apps.yml b/deployment/kubernetes/apps.yml
@@ -16,7 +16,7 @@
   roles:
     - role: open_zaak_k8s
       vars:  # these override vars_files
-        openzaak_version: '1.3.2'
+        openzaak_version: '1.3.3'
         openzaak_db_host: "{{ db.privateIp }}"
         openzaak_db_port: "{{ db.port }}"
       tags:

diff --git a/deployment/single-server/open-zaak.yml b/deployment/single-server/open-zaak.yml
@@ -61,7 +61,7 @@
 
     - role: open_zaak_docker
       vars:
-        openzaak_version: '1.3.2'  # see https://hub.docker.com/r/openzaak/open-zaak/tags
+        openzaak_version: '1.3.3'  # see https://hub.docker.com/r/openzaak/open-zaak/tags
       tags:
         - replicas
 

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "openzaak",
-  "version": "1.3.2",
+  "version": "1.3.3",
   "description": "Open Zaak",
   "main": "src/index.js",
   "directories": {

diff --git a/src/openzaak/accounts/tests/factories.py b/src/openzaak/accounts/tests/factories.py
@@ -5,7 +5,7 @@
 
 class UserFactory(factory.django.DjangoModelFactory):
     username = factory.Sequence(lambda n: f"user-{n}")
-    password = factory.PostGenerationMethodCall("set_password")
+    password = factory.PostGenerationMethodCall("set_password", "secret")
 
     class Meta:
         model = "accounts.User"

diff --git a/src/openzaak/components/documenten/management/commands/detect_duplicate_eio.py b/src/openzaak/components/documenten/management/commands/detect_duplicate_eio.py
@@ -11,9 +11,7 @@
 
 
 class Command(BaseCommand):
-    help = _(
-        "Check for any duplicate documents (with same identificatie, bronorganisatie and versie)."
-    )
+    help = "Check for any duplicate documents (with same identificatie, bronorganisatie and versie)."
 
     def add_arguments(self, parser):
         parser.add_argument(

diff --git a/src/openzaak/fixtures/default_groups.json b/src/openzaak/fixtures/default_groups.json
@@ -564,26 +564,6 @@
                 "contenttypes",
                 "contenttype"
             ],
-            [
-                "add_corsmodel",
-                "corsheaders",
-                "corsmodel"
-            ],
-            [
-                "change_corsmodel",
-                "corsheaders",
-                "corsmodel"
-            ],
-            [
-                "delete_corsmodel",
-                "corsheaders",
-                "corsmodel"
-            ],
-            [
-                "view_corsmodel",
-                "corsheaders",
-                "corsmodel"
-            ],
             [
                 "add_statuslog",
                 "django_db_logger",