Merge tag '10.15.0' into relcorp

Author: humitos

CHANGELOG.rst

@@ -1,3 +1,24 @@
+Version 10.15.0
+---------------
+
+:Date: January 09, 2024
+
+* `@humitos <https://github.com/humitos>`__: pip-compile fixes (`#11010 <https://github.com/readthedocs/readthedocs.org/pull/11010>`__)
+* `@github-actions[bot] <https://github.com/github-actions[bot]>`__: Dependencies: all packages updated via pip-tools (`#11005 <https://github.com/readthedocs/readthedocs.org/pull/11005>`__)
+* `@ericholscher <https://github.com/ericholscher>`__: Fix structlog by downgrading it (`#11003 <https://github.com/readthedocs/readthedocs.org/pull/11003>`__)
+* `@humitos <https://github.com/humitos>`__: Eslint fix issues (`#10998 <https://github.com/readthedocs/readthedocs.org/pull/10998>`__)
+* `@webknjaz <https://github.com/webknjaz>`__: Fix ref to the "new addons integrations" blog post @ custom build doc (`#10997 <https://github.com/readthedocs/readthedocs.org/pull/10997>`__)
+* `@humitos <https://github.com/humitos>`__: Notifications: small fixes found after reviewer (`#10996 <https://github.com/readthedocs/readthedocs.org/pull/10996>`__)
+* `@stsewd <https://github.com/stsewd>`__: Update common (`#10995 <https://github.com/readthedocs/readthedocs.org/pull/10995>`__)
+* `@humitos <https://github.com/humitos>`__: Remove leftovers from `django-messages-extends` (`#10994 <https://github.com/readthedocs/readthedocs.org/pull/10994>`__)
+* `@stsewd <https://github.com/stsewd>`__: Integrations: hardcode deprecation date for incoming webhooks without a secret (`#10993 <https://github.com/readthedocs/readthedocs.org/pull/10993>`__)
+* `@stsewd <https://github.com/stsewd>`__: Development: update steps for testing subscriptions (`#10992 <https://github.com/readthedocs/readthedocs.org/pull/10992>`__)
+* `@stsewd <https://github.com/stsewd>`__: Redirects: remove null option from position field (`#10991 <https://github.com/readthedocs/readthedocs.org/pull/10991>`__)
+* `@ericholscher <https://github.com/ericholscher>`__: Release 10.14.0 (`#10989 <https://github.com/readthedocs/readthedocs.org/pull/10989>`__)
+* `@humitos <https://github.com/humitos>`__: Addons: get translation from main project (`#10952 <https://github.com/readthedocs/readthedocs.org/pull/10952>`__)
+* `@humitos <https://github.com/humitos>`__: New notification system: implementation (`#10922 <https://github.com/readthedocs/readthedocs.org/pull/10922>`__)
+* `@stsewd <https://github.com/stsewd>`__: Custom domains: don't allow adding a custom domain on subprojects (`#8953 <https://github.com/readthedocs/readthedocs.org/pull/8953>`__)
+
 Version 10.14.0
 ---------------
 

common

@@ -77,7 +77,7 @@
 
 master_doc = "index"
 copyright = "Read the Docs, Inc & contributors"
-version = "10.14.0"
+version = "10.15.0"
 release = version
 exclude_patterns = ["_build", "shared", "_includes"]
 default_role = "obj"

docs/conf.py

@@ -9,11 +9,10 @@ Local testing
 -------------
 
 To test subscriptions locally, you need to have access to the Stripe account,
-and define the following settings with the keys from Stripe test mode:
+and define the following environment variables with the keys from Stripe test mode:
 
-- ``STRIPE_SECRET``: https://dashboard.stripe.com/test/apikeys
-- ``STRIPE_TEST_SECRET_KEY``: https://dashboard.stripe.com/test/apikeys
-- ``DJSTRIPE_WEBHOOK_SECRET``: https://dashboard.stripe.com/test/webhooks
+- ``RTD_STRIPE_SECRET``: https://dashboard.stripe.com/test/apikeys
+- ``RTD_DJSTRIPE_WEBHOOK_SECRET``: https://dashboard.stripe.com/test/webhooks
 
 To test the webhook locally, you need to run your local instance with ngrok, for example:
 

docs/dev/subscriptions.rst

@@ -390,7 +390,7 @@ Override the build process
 .. warning::
 
    This feature is in *beta* and could change without warning.
-   We are currently testing `the new addons integrations we are building <rtd-blog:addons-flyout-menu-beta>`_
+   We are currently testing :ref:`the new addons integrations we are building <rtd-blog:addons-flyout-menu-beta>`
    on projects using ``build.commands`` configuration key.
 
 If your project requires full control of the build process,

docs/user/build-customization.rst

@@ -1,6 +1,6 @@
 {
   "name": "readthedocs",
-  "version": "10.14.0",
+  "version": "10.15.0",
   "description": "Read the Docs build dependencies",
   "author": "Read the Docs, Inc <[email protected]>",
   "scripts": {

package.json

@@ -1,4 +1,4 @@
 """Read the Docs."""
 
 
-__version__ = "10.14.0"
+__version__ = "10.15.0"

readthedocs/__init__.py

@@ -2,11 +2,15 @@
 
 
 from allauth.socialaccount.models import SocialAccount
+from django.core.exceptions import ObjectDoesNotExist
+from django.utils.translation import gettext as _
+from generic_relations.relations import GenericRelatedField
 from rest_framework import serializers
 
 from readthedocs.api.v2.utils import normalize_build_command
 from readthedocs.builds.models import Build, BuildCommandResult, Version
 from readthedocs.core.resolver import Resolver
+from readthedocs.notifications.models import Notification
 from readthedocs.oauth.models import RemoteOrganization, RemoteRepository
 from readthedocs.projects.models import Domain, Project
 
@@ -378,3 +382,53 @@ def get_username(self, obj):
             or obj.extra_data.get("login")
             # FIXME: which one is GitLab?
         )
+
+
+class NotificationAttachedToRelatedField(serializers.RelatedField):
+
+    """
+    Attached to related field for Notifications.
+
+    Used together with ``rest-framework-generic-relations`` to accept multiple object types on ``attached_to``.
+
+    See https://github.com/LilyFoote/rest-framework-generic-relations
+    """
+
+    default_error_messages = {
+        "required": _("This field is required."),
+        "does_not_exist": _("Object does not exist."),
+        "incorrect_type": _(
+            "Incorrect type. Expected URL string, received {data_type}."
+        ),
+    }
+
+    def to_representation(self, value):
+        return f"{self.queryset.model._meta.model_name}/{value.pk}"
+
+    def to_internal_value(self, data):
+        # TODO: handle exceptions
+        model, pk = data.strip("/").split("/")
+        if self.queryset.model._meta.model_name != model:
+            self.fail("incorrect_type")
+
+        try:
+            return self.queryset.get(pk=pk)
+        except (ObjectDoesNotExist, ValueError, TypeError):
+            self.fail("does_not_exist")
+
+
+class NotificationSerializer(serializers.ModelSerializer):
+    # Accept different object types (Project, Build, User, etc) depending on what the notification is attached to.
+    # The client has to send a value like "<model>/<pk>".
+    # Example: "build/3522" will attach the notification to the Build object with id 3522
+    attached_to = GenericRelatedField(
+        {
+            Build: NotificationAttachedToRelatedField(queryset=Build.objects.all()),
+            Project: NotificationAttachedToRelatedField(queryset=Project.objects.all()),
+        },
+        required=True,
+    )
+
+    class Meta:
+        model = Notification
+        exclude = ["attached_to_id", "attached_to_content_type"]

readthedocs/api/v2/serializers.py

@@ -12,6 +12,7 @@
     BuildCommandViewSet,
     BuildViewSet,
     DomainViewSet,
+    NotificationViewSet,
     ProjectViewSet,
     RemoteOrganizationViewSet,
     RemoteRepositoryViewSet,
@@ -25,6 +26,7 @@
 router.register(r"version", VersionViewSet, basename="version")
 router.register(r"project", ProjectViewSet, basename="project")
 router.register(r"domain", DomainViewSet, basename="domain")
+router.register(r"notifications", NotificationViewSet, basename="notifications")
 router.register(
     r"remote/org",
     RemoteOrganizationViewSet,

readthedocs/api/v2/urls.py

@@ -1,5 +1,6 @@
 """Endpoints integrating with Github, Bitbucket, and other webhooks."""
 
+import datetime
 import hashlib
 import hmac
 import json
@@ -9,6 +10,7 @@
 
 import structlog
 from django.shortcuts import get_object_or_404
+from django.utils import timezone
 from django.utils.crypto import constant_time_compare
 from rest_framework import permissions, status
 from rest_framework.exceptions import NotFound, ParseError
@@ -74,9 +76,17 @@ class WebhookMixin:
     invalid_payload_msg = 'Payload not valid'
     missing_secret_for_pr_events_msg = dedent(
         """
-        The webhook doesn't have a secret configured.
+        This webhook doesn't have a secret configured.
         For security reasons, webhooks without a secret can't process pull/merge request events.
-        You can read more information about this in our blog post: https://blog.readthedocs.com/security-update-on-incoming-webhooks/.
+        For more information, read our blog post: https://blog.readthedocs.com/security-update-on-incoming-webhooks/.
+        """
+    ).strip()
+
+    missing_secret_deprecated_msg = dedent(
+        """
+        This webhook doesn't have a secret configured.
+        For security reasons, webhooks without a secret are no longer permitted.
+        For more information, read our blog post: https://blog.readthedocs.com/security-update-on-incoming-webhooks/.
         """
     ).strip()
 
@@ -105,6 +115,18 @@ def post(self, request, project_slug):
                 return Response(resp, status=status.HTTP_406_NOT_ACCEPTABLE)
         except Project.DoesNotExist as exc:
             raise NotFound("Project not found") from exc
+
+        # Deprecate webhooks without a secret
+        # https://blog.readthedocs.com/security-update-on-incoming-webhooks/.
+        now = timezone.now()
+        deprecation_date = datetime.datetime(2024, 1, 31, tzinfo=datetime.timezone.utc)
+        is_deprecated = now >= deprecation_date
+        if is_deprecated and not self.has_secret():
+            return Response(
+                {"detail": self.missing_secret_deprecated_msg},
+                status=HTTP_400_BAD_REQUEST,
+            )
+
         if not self.is_payload_valid():
             log.warning('Invalid payload for project and integration.')
             return Response(
@@ -122,6 +144,12 @@ def post(self, request, project_slug):
             return resp
         return Response(resp)
 
+    def has_secret(self):
+        integration = self.get_integration()
+        if hasattr(integration, "token"):
+            return bool(integration.token)
+        return bool(integration.secret)
+
     def get_project(self, **kwargs):
         return Project.objects.get(**kwargs)
 

readthedocs/api/v2/views/integrations.py

@@ -18,6 +18,7 @@
 from readthedocs.api.v2.utils import normalize_build_command
 from readthedocs.builds.constants import INTERNAL
 from readthedocs.builds.models import Build, BuildCommandResult, Version
+from readthedocs.notifications.models import Notification
 from readthedocs.oauth.models import RemoteOrganization, RemoteRepository
 from readthedocs.oauth.services import registry
 from readthedocs.projects.models import Domain, Project
@@ -29,6 +30,7 @@
     BuildCommandSerializer,
     BuildSerializer,
     DomainSerializer,
+    NotificationSerializer,
     ProjectAdminSerializer,
     ProjectSerializer,
     RemoteOrganizationSerializer,
@@ -361,6 +363,42 @@ def get_queryset_for_api_key(self, api_key):
         return self.model.objects.filter(build__project=api_key.project)
 
 
+class NotificationViewSet(DisableListEndpoint, CreateModelMixin, UserSelectViewSet):
+
+    """
+    Create a notification attached to an object (User, Project, Build, Organization).
+
+    This endpoint is currently used only internally by the builder.
+    Notifications are attached to `Build` objects only when using this endpoint.
+    This limitation will change in the future when re-implementing this on APIv3 if neeed.
+    """
+
+    parser_classes = [JSONParser, MultiPartParser]
+    permission_classes = [HasBuildAPIKey]
+    renderer_classes = (JSONRenderer,)
+    serializer_class = NotificationSerializer
+    model = Notification
+
+    def perform_create(self, serializer):
+        """Restrict creation to notifications attached to the project's builds from the api key."""
+        attached_to = serializer.validated_data["attached_to"]
+
+        build_api_key = self.request.build_api_key
+
+        project_slug = None
+        if isinstance(attached_to, Build):
+            project_slug = attached_to.project.slug
+        elif isinstance(attached_to, Project):
+            project_slug = attached_to.slug
+
+        # Limit the permissions to create a notification on this object only if the API key
+        # is attached to the related project
+        if not project_slug or build_api_key.project.slug != project_slug:
+            raise PermissionDenied()
+
+        return super().perform_create(serializer)
+
+
 class DomainViewSet(DisableListEndpoint, UserSelectViewSet):
     permission_classes = [ReadOnlyPermission]
     renderer_classes = (JSONRenderer,)