Added a check for proper API key settings in production, and added workable default API key settings for development.
- Legacy-Id: 14319
parent
bfb9365cc0
commit
4f8f9d5c3f
|
@ -30,6 +30,9 @@ EMAIL_PORT=2025
|
|||
|
||||
TRAC_WIKI_DIR_PATTERN = "test/wiki/%s"
|
||||
TRAC_SVN_DIR_PATTERN = "test/svn/%s"
|
||||
TRAC_CREATE_ADHOC_WIKIS = [
|
||||
('iesg', 'Meeting', TRAC_WIKI_DIR_PATTERN % "ietf/meeting"),
|
||||
]
|
||||
|
||||
MEDIA_BASE_DIR = 'test'
|
||||
MEDIA_ROOT = MEDIA_BASE_DIR + '/media/'
|
||||
|
@ -45,3 +48,46 @@ SUBMIT_YANG_DRAFT_MODEL_DIR = 'data/developers/ietf-ftp/yang/draftmod/'
|
|||
SUBMIT_YANG_INVAL_MODEL_DIR = 'data/developers/ietf-ftp/yang/invalmod/'
|
||||
SUBMIT_YANGLINT_COMMAND = 'yanglint --verbose -p {rfclib} -p {draftlib} -p {tmplib} {model}'
|
||||
|
||||
|
||||
API_PUBLIC_KEY_PEM = """
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuIm3wBpMEhFmy40ZBNHU
|
||||
jn6cMVeDwynedDtww+071mQFIyidDn0UYCTfLn8dLQDpbdoreMz9Zzb0tMygMyMb
|
||||
5fsOItkEd7J5jVqpPWqlvspaa5qb5zuB8NHAxRjPfomgn0Sl1Uvwl1Gc3N2UElCb
|
||||
mJ+wEK+C55YVLj1k/9GU34G//XLcSnBF7bmjcycP+z8wkAtjE51ZR2Y6oP6o11jO
|
||||
yL5X7Y+1Nk9cPlUbtrvmmyXEKnjUXbRUoK4CJ87dYjFk8CHWmqolY++bgp4Ro6gK
|
||||
k6RAy1XaC6uCaVnlJQKpIZ8XvJyv34ku65KUuLQMlxBbVt7z+ybrMvU7NNpCVTGp
|
||||
kwIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
"""
|
||||
|
||||
API_PRIVATE_KEY_PEM = """
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4ibfAGkwSEWbL
|
||||
jRkE0dSOfpwxV4PDKd50O3DD7TvWZAUjKJ0OfRRgJN8ufx0tAOlt2it4zP1nNvS0
|
||||
zKAzIxvl+w4i2QR3snmNWqk9aqW+ylprmpvnO4Hw0cDFGM9+iaCfRKXVS/CXUZzc
|
||||
3ZQSUJuYn7AQr4LnlhUuPWT/0ZTfgb/9ctxKcEXtuaNzJw/7PzCQC2MTnVlHZjqg
|
||||
/qjXWM7Ivlftj7U2T1w+VRu2u+abJcQqeNRdtFSgrgInzt1iMWTwIdaaqiVj75uC
|
||||
nhGjqAqTpEDLVdoLq4JpWeUlAqkhnxe8nK/fiS7rkpS4tAyXEFtW3vP7Jusy9Ts0
|
||||
2kJVMamTAgMBAAECggEBAKV46EnbysaQ0ApKFVsbBGxZ35jnDoGcM5sqCa3GNlfC
|
||||
DFFAg8SQKAsmRPIejXzjSm10qnKB7d/1iWvt6OCx5LxOaJia3MSwRwqXdxZZYRI5
|
||||
xOakFpQ76gKVMzQJUVX39w2ZstIWbEBjsDLkhXf+y+cJmgj8OHeNPqTd7Ijv13yq
|
||||
B8JVFhtrARTE9X5bxxl5FMrqchVv7HyCS6FBTK+rPPaE3gK2XyiNKHokcV2NfmeF
|
||||
OHqqDn9LPN4ERRU13FNv5/wvH6/Z0AXsRWFkxuCdYcVzG9xEnf/72b0jumRqnSAN
|
||||
bVK+/b37SOky/L0mwfXwhQoMvePgbYE1qv2Lx4maVcECgYEA5Im7Ys2FfFAGWV3Y
|
||||
eNizNHmJYXuvLVsEEYtxT1tM/yPTvlljA27s5rrXdtRDS67Hnj28b9nrHp0COlZp
|
||||
GycbppQcPEKiDupLlvstdQ+b+t1MO3xAqW2ZeM47A1SmPKa7XmTAL+6ZReeN/Eg6
|
||||
QCmqY5HHANhX+OwN+zwAg9ZQlBECgYEAzrZ1qr8RBBP4/0NY3WMkAiJpluIOc6kO
|
||||
8lP0tNk6FJ9OaIMAI6FKxh/7KKcgWzINWSVqz+8te5HUCUt5JWZXcn2NMkk2ufm4
|
||||
4OV0vXz3ba6RhIXtDxJW9qbihhZ+EJYPvgwWUF3W1Onu4BuirD+74LSTWG8Ko3lK
|
||||
m0qbAl5s92MCgYEAuJQxHwyE6jEr35O3GWtT2WbruSsPAd/Hum/X9VL1Lf/+rXc+
|
||||
S/CUL4nqKdQoAgFIwhp0jhYAGrqOqRVPUJnWcEShRV4/yzIaGPgG78vKm+OOBWFG
|
||||
TFDzqilOalM87DFxlTxkKJJZgqcQ+xhOy7GbJ03+30TcUHQ+mpIMjG5UqDECgYBG
|
||||
yc8T0OiX1+seJ0cIUYokPPqh0/oU+6EFtWCIihdMtp1YRvxGN1bu8EbHTixTbpmJ
|
||||
nLmuSX7u4SqWoET1XM23hG1U+iOGnpEEWy+WMHRfGDf3BRIAZkxnnRDX0F4NegYc
|
||||
E/GURf5q3U2Ta4NSr2S8d7o5v5UKFGBLO8pHjmSMdwKBgQCbZMPV/ogqNbsuEXsP
|
||||
rZQg+DTonX55os7Dnii715NAzzP7zaZ/RF/zEJrYKKATiaYFNIpz66wuAIX6UrcO
|
||||
N1mb6IlkRXoou2mawSFAPuwOFyKHDfohlA7lCiUsgB40uc90pa1evX8tctSXOuzh
|
||||
qlOfAYmntqZaggU8f3gGh7EPjw==
|
||||
-----END PRIVATE KEY-----
|
||||
"""
|
||||
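Review bot: The keypair added under `API_PUBLIC_KEY_PEM` / `API_PRIVATE_KEY_PEM` has no comment marking it as a development-only default, and because the private half is now in the repository it has to be treated as known to everyone. I would add above the two assignments: `# Development/test keypair only: the private key is published with the source, so production must set its own pair in settings_local.py.` The same key material is added again in the `@ -933,8 +933,48` section further down and needs the same comment there. File names are not visible in this rendering, so reading this section as a development settings file is inferred from its `test/...` and `data/developers/...` paths.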
|
|
|
@ -344,3 +344,39 @@ def check_svn_import(app_configs, **kwargs):
|
|||
id = "datatracker.E0014",
|
||||
))
|
||||
return errors
|
||||
|
||||
@checks.register('security')
|
||||
def check_api_key_in_local_settings(app_configs, **kwargs):
|
||||
errors = []
|
||||
import settings_local
|
||||
if settings.SERVER_MODE == 'development':
|
||||
if not ( hasattr(settings_local, 'API_PUBLIC_KEY_PEM')
|
||||
and hasattr(settings_local, 'API_PRIVATE_KEY_PEM')):
|
||||
errors.append(checks.Critical(
|
||||
"There are no API key settings in your settings_local.py",
|
||||
hint = dedent("""
|
||||
You are running in production mode, and need API key settings that are
|
||||
different than the default settings. Please add settings for
|
||||
API_PUBLIC_KEY_PEM and API_PRIVATE_KEY_PEM to your settings local. The
|
||||
content should be matching public and private keys in PEM format. You
|
||||
can generate a suitable keypair with 'ssh-keygen -f apikey.pem', and then
|
||||
extract the public key with 'openssl rsa -in apikey.pem -pubout > apikey.pub'.
|
||||
|
||||
""").replace('\n', '\n ').rstrip(),
|
||||
id = "datatracker.E0015",
|
||||
))
|
||||
elif not ( settings_local.API_PUBLIC_KEY_PEM == settings.API_PUBLIC_KEY_PEM
|
||||
and settings_local.API_PRIVATE_KEY_PEM == settings.API_PRIVATE_KEY_PEM ):
|
||||
errors.append(checks.Critical(
|
||||
"Your API key settings in your settings_local.py are not picked up in settings.",
|
||||
hint = dedent("""
|
||||
You are running in production mode, and need API key settings which are
|
||||
different than the default settings. You seem to have API key settings
|
||||
in settings_local.py, but they don't seem to propagate to django.conf.settings.
|
||||
Please check if you have multiple settings_local.py files.
|
||||
""").replace('\n', '\n ').rstrip(),
|
||||
id = "datatracker.E0016",
|
||||
))
|
||||
|
||||
return errors
|
||||
|
||||
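Review bot: The body of `check_api_key_in_local_settings` is gated on `settings.SERVER_MODE == 'development'`, while the commit message and both hint texts say the check is meant for production. As written, a production server is never checked, and a development setup without the keys in settings_local.py gets a Critical error instead. The condition should read `if settings.SERVER_MODE == 'production':`. The `import settings_local` line is also unguarded, so if that module can be absent the check would raise ImportError rather than report a message; a `try`/`except ImportError` that appends a `checks.Critical` would keep the report readable. Indentation is lost in this rendering, so the `elif` is assumed to pair with the inner `if not (...)`.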
|
|
|
@ -933,8 +933,48 @@ STATS_NAMES_LIMIT = 25
|
|||
|
||||
UTILS_TEST_RANDOM_STATE_FILE = '.factoryboy_random_state'
|
||||
|
||||
API_PUBLIC_KEY_PEM = "Set this in settings_local.py"
|
||||
API_PRIVATE_KEY_PEM = "Set this in settings_local.py"
|
||||
API_PUBLIC_KEY_PEM = """
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuIm3wBpMEhFmy40ZBNHU
|
||||
jn6cMVeDwynedDtww+071mQFIyidDn0UYCTfLn8dLQDpbdoreMz9Zzb0tMygMyMb
|
||||
5fsOItkEd7J5jVqpPWqlvspaa5qb5zuB8NHAxRjPfomgn0Sl1Uvwl1Gc3N2UElCb
|
||||
mJ+wEK+C55YVLj1k/9GU34G//XLcSnBF7bmjcycP+z8wkAtjE51ZR2Y6oP6o11jO
|
||||
yL5X7Y+1Nk9cPlUbtrvmmyXEKnjUXbRUoK4CJ87dYjFk8CHWmqolY++bgp4Ro6gK
|
||||
k6RAy1XaC6uCaVnlJQKpIZ8XvJyv34ku65KUuLQMlxBbVt7z+ybrMvU7NNpCVTGp
|
||||
kwIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
"""
|
||||
|
||||
API_PRIVATE_KEY_PEM = """
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4ibfAGkwSEWbL
|
||||
jRkE0dSOfpwxV4PDKd50O3DD7TvWZAUjKJ0OfRRgJN8ufx0tAOlt2it4zP1nNvS0
|
||||
zKAzIxvl+w4i2QR3snmNWqk9aqW+ylprmpvnO4Hw0cDFGM9+iaCfRKXVS/CXUZzc
|
||||
3ZQSUJuYn7AQr4LnlhUuPWT/0ZTfgb/9ctxKcEXtuaNzJw/7PzCQC2MTnVlHZjqg
|
||||
/qjXWM7Ivlftj7U2T1w+VRu2u+abJcQqeNRdtFSgrgInzt1iMWTwIdaaqiVj75uC
|
||||
nhGjqAqTpEDLVdoLq4JpWeUlAqkhnxe8nK/fiS7rkpS4tAyXEFtW3vP7Jusy9Ts0
|
||||
2kJVMamTAgMBAAECggEBAKV46EnbysaQ0ApKFVsbBGxZ35jnDoGcM5sqCa3GNlfC
|
||||
DFFAg8SQKAsmRPIejXzjSm10qnKB7d/1iWvt6OCx5LxOaJia3MSwRwqXdxZZYRI5
|
||||
xOakFpQ76gKVMzQJUVX39w2ZstIWbEBjsDLkhXf+y+cJmgj8OHeNPqTd7Ijv13yq
|
||||
B8JVFhtrARTE9X5bxxl5FMrqchVv7HyCS6FBTK+rPPaE3gK2XyiNKHokcV2NfmeF
|
||||
OHqqDn9LPN4ERRU13FNv5/wvH6/Z0AXsRWFkxuCdYcVzG9xEnf/72b0jumRqnSAN
|
||||
bVK+/b37SOky/L0mwfXwhQoMvePgbYE1qv2Lx4maVcECgYEA5Im7Ys2FfFAGWV3Y
|
||||
eNizNHmJYXuvLVsEEYtxT1tM/yPTvlljA27s5rrXdtRDS67Hnj28b9nrHp0COlZp
|
||||
GycbppQcPEKiDupLlvstdQ+b+t1MO3xAqW2ZeM47A1SmPKa7XmTAL+6ZReeN/Eg6
|
||||
QCmqY5HHANhX+OwN+zwAg9ZQlBECgYEAzrZ1qr8RBBP4/0NY3WMkAiJpluIOc6kO
|
||||
8lP0tNk6FJ9OaIMAI6FKxh/7KKcgWzINWSVqz+8te5HUCUt5JWZXcn2NMkk2ufm4
|
||||
4OV0vXz3ba6RhIXtDxJW9qbihhZ+EJYPvgwWUF3W1Onu4BuirD+74LSTWG8Ko3lK
|
||||
m0qbAl5s92MCgYEAuJQxHwyE6jEr35O3GWtT2WbruSsPAd/Hum/X9VL1Lf/+rXc+
|
||||
S/CUL4nqKdQoAgFIwhp0jhYAGrqOqRVPUJnWcEShRV4/yzIaGPgG78vKm+OOBWFG
|
||||
TFDzqilOalM87DFxlTxkKJJZgqcQ+xhOy7GbJ03+30TcUHQ+mpIMjG5UqDECgYBG
|
||||
yc8T0OiX1+seJ0cIUYokPPqh0/oU+6EFtWCIihdMtp1YRvxGN1bu8EbHTixTbpmJ
|
||||
nLmuSX7u4SqWoET1XM23hG1U+iOGnpEEWy+WMHRfGDf3BRIAZkxnnRDX0F4NegYc
|
||||
E/GURf5q3U2Ta4NSr2S8d7o5v5UKFGBLO8pHjmSMdwKBgQCbZMPV/ogqNbsuEXsP
|
||||
rZQg+DTonX55os7Dnii715NAzzP7zaZ/RF/zEJrYKKATiaYFNIpz66wuAIX6UrcO
|
||||
N1mb6IlkRXoou2mawSFAPuwOFyKHDfohlA7lCiUsgB40uc90pa1evX8tctSXOuzh
|
||||
qlOfAYmntqZaggU8f3gGh7EPjw==
|
||||
-----END PRIVATE KEY-----
|
||||
"""
|
||||
|
||||
|
||||
# Put the production SECRET_KEY in settings_local.py, and also any other
|
||||
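Review bot: With a valid keypair as the default value, a deployment that forgets the override starts and runs on the published key. The placeholder strings `"Set this in settings_local.py"` (apparently the removed lines; the +/- markers are lost here) could not be mistaken for a working key. Nothing visible in this commit rejects that state, because the new system check compares settings_local with settings but never with this default. One way to close it is to keep the default under a second name, for example `DEFAULT_API_PRIVATE_KEY_PEM = API_PRIVATE_KEY_PEM` right after the assignment (the name is only a suggestion), and have the production check report a Critical when `settings.API_PRIVATE_KEY_PEM == settings.DEFAULT_API_PRIVATE_KEY_PEM`.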
|
|