New environment variables to configure the secret key, database, and celery options. The secret key can also be read from a file. Stricter defaults to increase security.

Signed-off-by: Roberto Rosario <roberto.rosario.gonzalez@gmail.com>
2018-04-13 16:00:13 -04:00
parent aa13953326
commit b165b9a5f2
4 changed files with 74 additions and 12 deletions
--- a/HISTORY.rst
+++ b/HISTORY.rst
@@ -153,6 +153,11 @@
 - Add support for HTML bodies to the user mailers.
 - Production ALLOWED_HOSTS settings now defaults to a safer ['127.0.0.1', 'localhost', '[::1]']
 - Capture menu resolution errors on invalid URLs. Closes GitLab issue #420.
+- New environment variables: MAYAN_SECRET_KEY, MAYAN_CELERY_ALWAYS_EAGER, MAYAN_CELERY_RESULT_BACKEND,
+  MAYAN_BROKER_URL, MAYAN_DATABASE_ENGINE, MAYAN_DATABASE_CONN_MAX_AGE, MAYAN_DATABASE_NAME,
+  MAYAN_DATABASE_USER, MAYAN_DATABASE_PASSWORD, MAYAN_DATABASE_HOST, MAYAN_DATABASE_PORT,
+  MAYAN_DEBUG.
+- Stricter defaults. CELERY_ALWAYS_EAGER to False, ALLOWED_HOSTS to ['127.0.0.1', 'localhost', '[::1]'].

 2.7.3 (2017-09-11)
 ==================
--- a/docs/releases/3.0.rst
+++ b/docs/releases/3.0.rst
@@ -472,6 +472,11 @@ Other changes worth mentioning
 - Add support for HTML bodies to the user mailers.
 - Production ALLOWED_HOSTS settings now defaults to a safer ['127.0.0.1', 'localhost', '[::1]']
 - Capture menu resolution errors on invalid URLs. Closes GitLab issue #420.
+- New environment variables: MAYAN_SECRET_KEY, MAYAN_CELERY_ALWAYS_EAGER, MAYAN_CELERY_RESULT_BACKEND,
+  MAYAN_BROKER_URL, MAYAN_DATABASE_ENGINE, MAYAN_DATABASE_CONN_MAX_AGE, MAYAN_DATABASE_NAME, 
+  MAYAN_DATABASE_USER, MAYAN_DATABASE_PASSWORD, MAYAN_DATABASE_HOST, MAYAN_DATABASE_PORT,
+  MAYAN_DEBUG.
+- Stricter defaults. CELERY_ALWAYS_EAGER to False, ALLOWED_HOSTS to ['127.0.0.1', 'localhost', '[::1]'].

 Removals
 --------
--- a/mayan/settings/base.py
+++ b/mayan/settings/base.py
@@ -18,6 +18,11 @@ from django.utils.translation import ugettext_lazy as _

 import mayan

+# Literals
+DEFAULT_SECRET_KEY = 'secret_key_missing'
+SECRET_KEY_FILENAME = 'SECRET_KEY'
+SYSTEM_DIR = 'system'
+
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)

 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
@@ -26,12 +31,12 @@ BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 # See https://docs.djangoproject.com/en/1.10/howto/deployment/checklist/

 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'secret_key_missing'
+SECRET_KEY = DEFAULT_SECRET_KEY

 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = False

-ALLOWED_HOSTS = ['*']
+ALLOWED_HOSTS = ['127.0.0.1', 'localhost', '[::1]']

 # Application definition

@@ -88,9 +93,6 @@ INSTALLED_APPS = (
    'document_states',
    'documents',
    'events',
-    # Disable the folders app by default
-    # Will be removed in the next version
-    # 'folders',
    'linking',
    'mailer',
    'mayan_statistics',
@@ -266,7 +268,7 @@ PAGINATION_SETTINGS = {
 }
 # ----------- Celery ----------
 CELERY_ACCEPT_CONTENT = ('json',)
-CELERY_ALWAYS_EAGER = True
+CELERY_ALWAYS_EAGER = False
 CELERY_CREATE_MISSING_QUEUES = False
 CELERY_DISABLE_RATE_LIMITS = True
 CELERY_EAGER_PROPAGATES_EXCEPTIONS = True
@@ -292,3 +294,59 @@ SWAGGER_SETTINGS = {
 }
 # ----- AJAX REDIRECT -----
 AJAX_REDIRECT_CODE = 278
+
+#########################
+# Environment overrides #
+#########################
+
+# Secret key
+
+environment_secret_key = os.environ.get('MAYAN_SECRET_KEY')
+if environment_secret_key:
+    SECRET_KEY = environment_secret_key
+else:
+    try:
+        with open(os.path.join(MEDIA_ROOT, SYSTEM_DIR, SECRET_KEY_FILENAME)) as file_object:
+            SECRET_KEY = file_object.read().strip()
+    except IOError:
+        pass
+
+# Celery
+
+environment_celery_always_eager = os.environ.get('MAYAN_CELERY_ALWAYS_EAGER', 'True')
+if environment_celery_always_eager == 'True':
+    CELERY_ALWAYS_EAGER = True
+elif environment_celery_always_eager == 'False':
+    CELERY_ALWAYS_EAGER = False
+
+CELERY_RESULT_BACKEND = os.environ.get('MAYAN_CELERY_RESULT_BACKEND', None)
+BROKER_URL = os.environ.get('MAYAN_BROKER_URL', None)
+
+# Database
+
+environment_database_engine = os.environ.get('MAYAN_DATABASE_ENGINE')
+
+if environment_database_engine:
+    environment_database_conn_max_age = os.environ.get('MAYAN_DATABASE_CONN_MAX_AGE', None)
+    if environment_database_conn_max_age:
+        environment_database_conn_max_age = int(environment_database_conn_max_age)
+
+    DATABASES = {
+        'default': {
+            'ENGINE': environment_database_engine,
+            'NAME': os.environ['MAYAN_DATABASE_NAME'],
+            'USER': os.environ['MAYAN_DATABASE_USER'],
+            'PASSWORD': os.environ['MAYAN_DATABASE_PASSWORD'],
+            'HOST': os.environ.get('MAYAN_DATABASE_HOST', None),
+            'PORT': os.environ.get('MAYAN_DATABASE_PORT', None),
+            'CONN_MAX_AGE': environment_database_conn_max_age,
+        }
+    }
+
+# Debug
+
+environment_debug = os.environ.get('MAYAN_DEBUG', 'False')
+if environment_debug == 'True':
+    DEBUG = True
+elif environment_debug == 'False':
+    DEBUG = False
--- a/mayan/settings/production.py
+++ b/mayan/settings/production.py
@@ -2,10 +2,6 @@ from __future__ import absolute_import, unicode_literals

 from . import *  # NOQA

-# Update this accordingly;
-# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
-ALLOWED_HOSTS = ['127.0.0.1', 'localhost', '[::1]']
-
 TEMPLATES[0]['OPTIONS']['loaders'] = (
    (
        'django.template.loaders.cached.Loader', (
@@ -14,5 +10,3 @@ TEMPLATES[0]['OPTIONS']['loaders'] = (
        )
    ),
 )
-
-CELERY_ALWAYS_EAGER = False