The SystemAssigned managed identity requires a preview feature to be
enabled.
```
rgil@rem5:~/atst/terraform/providers/dev$ az feature list|grep MSIPreview
"id": "/subscriptions/95934d54-980d-47cc-9bce-3a96bf9a2d1b/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/MSIPreview",
"name": "Microsoft.ContainerService/MSIPreview",
rgil@rem5:~/atst/terraform/providers/dev$ az feature register --namespace Microsoft.ContainerService --name MSIPreview
Once the feature 'MSIPreview' is registered, invoking 'az provider register -n Microsoft.ContainerService' is required to get the change propagated
{
"id": "/subscriptions/95934d54-980d-47cc-9bce-3a96bf9a2d1b/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/MSIPreview",
"name": "Microsoft.ContainerService/MSIPreview",
"properties": {
"state": "Registering"
},
"type": "Microsoft.Features/providers/features"
}
rgil@rem5:~/atst/terraform/providers/dev$ az provider register -n Microsoft.ContainerService
rgil@rem5:~/atst/terraform/providers/dev$
```
This also now integrates the policy for keyvault with the k8s managed
identity (system assigned).
This addresses an SSTI vulnerability in Flask's `render_template_string`
function, which we were using for rendering flash messages. The
implementation I'd built was too complicated, so I removed its reliance
on Jinja template rendering. Instead, all parts of the flash message
should be keys in the translations file. The `flash` wrapper in
`atst.utils.flash` is just a thin wrapper over our `translate` function.
The `translate` function relies on Python string formatting, which does
not evaluate expressions and so isn't vulnerable to SSTI.
- Update the form to use BooleanFields for the permissions and make the
form more similar to the Application Members form
- Use MemberFormTemplate macro in the portfolio settings template
- fix tests affected by the form changes
To satisfy security requirements, we need to explicitly track:
- when a user attempts to log in, successful or not
- when a user logs out
- whether or not the user associated with a request is logged in
The first two are satisfied by extra log statements and the last is a
new boolean field on the JSON logs.
This is leftover from a previous iteration of ATAT where inviting a user
to a portfolio would create a pending entry in the users table. This is
no longer used.
uWGI was generating warnings about being unable to find plugin files we
specify. To fix this, I've added uwsgi-python3 to the list of Alpine
packages we install in the container specified the plugins directory in
the uWSGI config. The updated uWSGI ConfigMap has been applied to the
staging cluster, which eliminated the warning about the logfile plugin.
The remaining warning about the python3 plugin will be eliminated once
the new container built by this branch is deployed.
I left the domains hard-coded for the redirects in our NGINX config,
which was breaking authentication for versions of the site that don't
use that domain. This updates the config to use the domains supplied via
environment variable.
