
Commit 97bef7ca authored by BAIRE Anthony

generate and rotate the SECRET_KEY automatically

parent 75371692
......@@ -8,7 +8,21 @@ with env_loader.EnvironmentVarLoader(__name__, "ALLGO_",
# core django config
#
env_var("ALLGO_SECRET_KEY", help="secret key for django")
env_var("ALLGO_SECRET_KEY_PATH", fixed=True,
default="/vol/cache/allgo/secret_key",
help="""path where the django secret key is stored
This key is generated automatically at startup and rotated every
`ALLGO_SECRET_KEY_DAYS` days
""")
env_var("ALLGO_SECRET_KEY_DAYS",
default="30",
help="""lifetime of the django secret key in days
Note: the regeneration of the key happens only at django startup
time (i.e. django needs to be restarted to regenerate the key)
""")
env_var("ALLGO_DEBUG",
default = "False",
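Review bot: dropping `ALLGO_SECRET_KEY` entirely leaves no way to supply or share a key; a deployment that runs more than one django container, or that loses `/vol/cache/allgo`, ends up with a different `SECRET_KEY` per container and every session and signed token becomes invalid. Consider keeping `ALLGO_SECRET_KEY` as an optional override that takes precedence over the generated file when it is set, and repeat in the `ALLGO_SECRET_KEY_PATH` help text that regeneration only happens at startup (as the `ALLGO_SECRET_KEY_DAYS` help already says), since "rotated every `ALLGO_SECRET_KEY_DAYS` days" on its own reads as a timer.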
......
import logging
import os
import sys
import time
from . import env
......@@ -15,13 +17,36 @@ def parse_bool(value):
raise ValueError("invalid value %r (expected 'true' or 'false')" % value)
# load and possibly regenerate the secret key
def load_secret_key(path, expire):
key = None
try:
mtime = os.path.getmtime(path)
if mtime <= time.time() <= mtime + expire*86400:
key = open(path).read()
else:
os.unlink(path)
except FileNotFoundError:
pass
if key is None:
logging.getLogger("allgo").info("regenerating a new secret key")
key = os.urandom(128).hex()
try:
old_umask = os.umask(0o0077)
with open(path, "w") as out:
out.write(key)
finally:
os.umask(old_umask)
assert len(key)>=256
return key
# REQUIRED SETTINGS
# ------------------------------------------------------------------------------
# TODO
# if ALLGO_SECRET_KEY is empty:
# load .env
SECRET_KEY = env.ALLGO_SECRET_KEY
SECRET_KEY = load_secret_key(env.ALLGO_SECRET_KEY_PATH, int(env.ALLGO_SECRET_KEY_DAYS))
# GENERAL
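Review bot: `load_secret_key` is not crash-safe and its length check comes too late. The key is written with a plain `open(path, "w")`, so a crash between `os.unlink(path)` and `out.write(key)` leaves no file or a truncated one, and on the next start a short key read back from disk only trips `assert len(key)>=256`, which is stripped under `python -O`. Suggest writing to a temporary file in the same directory and `os.replace()`-ing it into place, turning the `assert` into an explicit check that regenerates (or raises) when the stored key is shorter than expected, and reading with a `with` block (`key = open(path).read()` leaves the handle open). Two things worth a comment in the function as well: every rotation invalidates existing sessions, password-reset links and anything else signed with `SECRET_KEY`; and because each gunicorn worker imports settings on its own, workers starting at the moment the key expires can each unlink and regenerate, so not all of them necessarily end up holding the same key.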
......
......@@ -10,12 +10,4 @@ sys.path.append(os.path.join(app_path, 'allgo'))
os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'config.settings')
if os.environ.get('ALLGO_SECRET_KEY') is None:
if os.path.exists('.env'):
print('Importing environment from .env...')
for line in open('.env'):
var = line.strip().split('=')
if len(var) == 2:
os.environ[var[0]] = var[1]
application = get_wsgi_application()
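Review bot: removing the `.env` loader here leaves no code path that reads a `.env` file, yet the README changes in this same commit still tell operators to configure production "through a `.env` file at the root of the django container". Either keep a loader (preferably in `config/env.py`, next to the variable declarations, rather than in the WSGI entry point, so `manage.py` sees the same values) or update the README to say that variables must now come from the container environment or `docker-compose.yml`.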
......@@ -36,15 +36,11 @@ can be installed through pip.
Development environment
-----------------------
By default, the `config/settings.py` is setup for a production config and
requires to setup at minimum two environment variables:
The configuraton of Allgo is set using environment variables and there is a
default value for most of them.
- ALLGO_SECRET_KEY
- ALLGO_DATABASE_PASSWORD
These variables must be written into a `.env` file located at the root of the
django docker container (same level as the `manage.py` file. You can override
over variables to alter the behaviour of the application.
Some variables are overriden in the `docker-compose.yml` so as to provide an
environment suitable for development.
For a detailled list of all environment variables, please refer to
:ref:`environment-variable-label`.
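Review bot: typos in the added text: "configuraton" should be "configuration", "detailled" should be "detailed", "overriden" should be "overridden", and "You can override over variables" should read "You can override these variables". Since the new wording says most variables have a default, it would help to name the ones that do not (the removed lines listed `ALLGO_DATABASE_PASSWORD` as required), or at least to point out that the `:ref:` target lists them.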
......@@ -118,16 +114,12 @@ the database tables in the `/tmp` folder.
Production environment
-----------------------
By default, the `config/settings.py` is setup for a production config and
requires to setup at minimum two environment variables:
- ALLGO_SECRET_KEY
- ALLGO_DATABASE_PASSWORD
By default, the `config/env.py` is setup for a production config and
requires to setup at minimum one environment variable:
.. warning::
- `ALLGO_ALLOWED_HOSTS` to be set to the hostname where this allgo instance is
reachable
In production, you **must** set up either through a `.env` file at the root
of the django container or at the docker-compose level if you prefer.
Docker setup
^^^^^^^^^^^^
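Review bot: the last sentence is incomplete: "In production, you **must** set up either through a `.env` file ... or at the docker-compose level" never says what must be set up (presumably `ALLGO_ALLOWED_HOSTS`). As shown here the `.. warning::` directive also sits between "requires to setup at minimum one environment variable:" and its bullet, so reStructuredText will render the bullet as the body of the warning and detach it from the sentence that introduces it. And the `.env` option contradicts this commit's removal of the `.env` loader in `wsgi.py`.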
......@@ -137,11 +129,10 @@ The different configuration file for the docker file such as the nginx
configuration in the `setup/dk` directory. This includes:
- `allgo.conf`: nginx configuration for the django docker
- `container_init`: doesn't contain anything at this stage
- `container_init`: initialisation of the container (imports the rails database)
- `nginx.patch`: main nginx configuration
- `run-allgo`: bash script creating the necessary directories, executing the
migration and running the different services necessary for the application
- `supervisord.conf`: supervisor configuration for gunicor, nginx and django
- `run-allgo`: bash script creating the necessary directories and running the
different services necessary for the application
.. _environment-variable-label:
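Review bot: "gunicor" in the `supervisord.conf` line should be "gunicorn". The reworded `run-allgo` entry drops the mention of running the migration; if the script still does that, keep it in the description, and if migrations moved elsewhere, say where.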
......
......@@ -11,6 +11,7 @@ mkdir -p \
/vol/log/redis \
/vol/log/supervisor \
/vol/log/gunicorn \
/vol/cache/allgo \
/vol/cache/redis \
/vol/cache/nginx
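Review bot: `/vol/cache/allgo` is where the django secret key will be stored, but `mkdir -p` creates it with the script's default umask, so the directory may end up group- or world-readable; `load_secret_key` only restricts the file itself (umask `0o0077` gives a 0600 file). Consider a `chmod 700 /vol/cache/allgo` (and a `chown` to the user that runs django) right after the `mkdir`, so that the directory mode does not depend on the umask in effect when the container starts.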
......