From 4f8f9d5c3f0e016c5703ed9012365f9ae8d41ebc Mon Sep 17 00:00:00 2001 From: Henrik Levkowetz Date: Tue, 7 Nov 2017 15:49:15 +0000 Subject: [PATCH] Added a check for proper API key settings in production, and added workable default API key settings for development. - Legacy-Id: 14319 --- docker/settings_local.py | 46 ++++++++++++++++++++++++++++++++++++++++ ietf/checks.py | 36 +++++++++++++++++++++++++++++++ ietf/settings.py | 44 ++++++++++++++++++++++++++++++++++++-- 3 files changed, 124 insertions(+), 2 deletions(-) diff --git a/docker/settings_local.py b/docker/settings_local.py index b14426882..9c495ec89 100644 --- a/docker/settings_local.py +++ b/docker/settings_local.py @@ -30,6 +30,9 @@ EMAIL_PORT=2025 TRAC_WIKI_DIR_PATTERN = "test/wiki/%s" TRAC_SVN_DIR_PATTERN = "test/svn/%s" +TRAC_CREATE_ADHOC_WIKIS = [ + ('iesg', 'Meeting', TRAC_WIKI_DIR_PATTERN % "ietf/meeting"), +] MEDIA_BASE_DIR = 'test' MEDIA_ROOT = MEDIA_BASE_DIR + '/media/' @@ -45,3 +48,46 @@ SUBMIT_YANG_DRAFT_MODEL_DIR = 'data/developers/ietf-ftp/yang/draftmod/' SUBMIT_YANG_INVAL_MODEL_DIR = 'data/developers/ietf-ftp/yang/invalmod/' SUBMIT_YANGLINT_COMMAND = 'yanglint --verbose -p {rfclib} -p {draftlib} -p {tmplib} {model}' + +API_PUBLIC_KEY_PEM = """ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuIm3wBpMEhFmy40ZBNHU +jn6cMVeDwynedDtww+071mQFIyidDn0UYCTfLn8dLQDpbdoreMz9Zzb0tMygMyMb +5fsOItkEd7J5jVqpPWqlvspaa5qb5zuB8NHAxRjPfomgn0Sl1Uvwl1Gc3N2UElCb +mJ+wEK+C55YVLj1k/9GU34G//XLcSnBF7bmjcycP+z8wkAtjE51ZR2Y6oP6o11jO +yL5X7Y+1Nk9cPlUbtrvmmyXEKnjUXbRUoK4CJ87dYjFk8CHWmqolY++bgp4Ro6gK +k6RAy1XaC6uCaVnlJQKpIZ8XvJyv34ku65KUuLQMlxBbVt7z+ybrMvU7NNpCVTGp +kwIDAQAB +-----END PUBLIC KEY----- +""" + +API_PRIVATE_KEY_PEM = """ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4ibfAGkwSEWbL +jRkE0dSOfpwxV4PDKd50O3DD7TvWZAUjKJ0OfRRgJN8ufx0tAOlt2it4zP1nNvS0 +zKAzIxvl+w4i2QR3snmNWqk9aqW+ylprmpvnO4Hw0cDFGM9+iaCfRKXVS/CXUZzc +3ZQSUJuYn7AQr4LnlhUuPWT/0ZTfgb/9ctxKcEXtuaNzJw/7PzCQC2MTnVlHZjqg +/qjXWM7Ivlftj7U2T1w+VRu2u+abJcQqeNRdtFSgrgInzt1iMWTwIdaaqiVj75uC +nhGjqAqTpEDLVdoLq4JpWeUlAqkhnxe8nK/fiS7rkpS4tAyXEFtW3vP7Jusy9Ts0 +2kJVMamTAgMBAAECggEBAKV46EnbysaQ0ApKFVsbBGxZ35jnDoGcM5sqCa3GNlfC +DFFAg8SQKAsmRPIejXzjSm10qnKB7d/1iWvt6OCx5LxOaJia3MSwRwqXdxZZYRI5 +xOakFpQ76gKVMzQJUVX39w2ZstIWbEBjsDLkhXf+y+cJmgj8OHeNPqTd7Ijv13yq +B8JVFhtrARTE9X5bxxl5FMrqchVv7HyCS6FBTK+rPPaE3gK2XyiNKHokcV2NfmeF +OHqqDn9LPN4ERRU13FNv5/wvH6/Z0AXsRWFkxuCdYcVzG9xEnf/72b0jumRqnSAN +bVK+/b37SOky/L0mwfXwhQoMvePgbYE1qv2Lx4maVcECgYEA5Im7Ys2FfFAGWV3Y +eNizNHmJYXuvLVsEEYtxT1tM/yPTvlljA27s5rrXdtRDS67Hnj28b9nrHp0COlZp +GycbppQcPEKiDupLlvstdQ+b+t1MO3xAqW2ZeM47A1SmPKa7XmTAL+6ZReeN/Eg6 +QCmqY5HHANhX+OwN+zwAg9ZQlBECgYEAzrZ1qr8RBBP4/0NY3WMkAiJpluIOc6kO +8lP0tNk6FJ9OaIMAI6FKxh/7KKcgWzINWSVqz+8te5HUCUt5JWZXcn2NMkk2ufm4 +4OV0vXz3ba6RhIXtDxJW9qbihhZ+EJYPvgwWUF3W1Onu4BuirD+74LSTWG8Ko3lK +m0qbAl5s92MCgYEAuJQxHwyE6jEr35O3GWtT2WbruSsPAd/Hum/X9VL1Lf/+rXc+ +S/CUL4nqKdQoAgFIwhp0jhYAGrqOqRVPUJnWcEShRV4/yzIaGPgG78vKm+OOBWFG +TFDzqilOalM87DFxlTxkKJJZgqcQ+xhOy7GbJ03+30TcUHQ+mpIMjG5UqDECgYBG +yc8T0OiX1+seJ0cIUYokPPqh0/oU+6EFtWCIihdMtp1YRvxGN1bu8EbHTixTbpmJ +nLmuSX7u4SqWoET1XM23hG1U+iOGnpEEWy+WMHRfGDf3BRIAZkxnnRDX0F4NegYc +E/GURf5q3U2Ta4NSr2S8d7o5v5UKFGBLO8pHjmSMdwKBgQCbZMPV/ogqNbsuEXsP +rZQg+DTonX55os7Dnii715NAzzP7zaZ/RF/zEJrYKKATiaYFNIpz66wuAIX6UrcO +N1mb6IlkRXoou2mawSFAPuwOFyKHDfohlA7lCiUsgB40uc90pa1evX8tctSXOuzh +qlOfAYmntqZaggU8f3gGh7EPjw== +-----END PRIVATE KEY----- +""" diff --git a/ietf/checks.py b/ietf/checks.py index a1e394d25..20277f8f3 100644 --- a/ietf/checks.py +++ b/ietf/checks.py @@ -344,3 +344,39 @@ def check_svn_import(app_configs, **kwargs): id = "datatracker.E0014", )) return errors + +@checks.register('security') +def check_api_key_in_local_settings(app_configs, **kwargs): + errors = [] + import settings_local + if settings.SERVER_MODE == 'development': + if not ( hasattr(settings_local, 'API_PUBLIC_KEY_PEM') + and hasattr(settings_local, 'API_PRIVATE_KEY_PEM')): + errors.append(checks.Critical( + "There are no API key settings in your settings_local.py", + hint = dedent(""" + You are running in production mode, and need API key settings that are + different than the default settings. Please add settings for + API_PUBLIC_KEY_PEM and API_PRIVATE_KEY_PEM to your settings local. The + content should be matching public and private keys in PEM format. You + can generate a suitable keypair with 'ssh-keygen -f apikey.pem', and then + extract the public key with 'openssl rsa -in apikey.pem -pubout > apikey.pub'. + + """).replace('\n', '\n ').rstrip(), + id = "datatracker.E0015", + )) + elif not ( settings_local.API_PUBLIC_KEY_PEM == settings.API_PUBLIC_KEY_PEM + and settings_local.API_PRIVATE_KEY_PEM == settings.API_PRIVATE_KEY_PEM ): + errors.append(checks.Critical( + "Your API key settings in your settings_local.py are not picked up in settings.", + hint = dedent(""" + You are running in production mode, and need API key settings which are + different than the default settings. You seem to have API key settings + in settings_local.py, but they don't seem to propagate to django.conf.settings. + Please check if you have multiple settings_local.py files. + """).replace('\n', '\n ').rstrip(), + id = "datatracker.E0016", + )) + + return errors + diff --git a/ietf/settings.py b/ietf/settings.py index fd4de4487..3cdd3b67b 100644 --- a/ietf/settings.py +++ b/ietf/settings.py @@ -933,8 +933,48 @@ STATS_NAMES_LIMIT = 25 UTILS_TEST_RANDOM_STATE_FILE = '.factoryboy_random_state' -API_PUBLIC_KEY_PEM = "Set this in settings_local.py" -API_PRIVATE_KEY_PEM = "Set this in settings_local.py" +API_PUBLIC_KEY_PEM = """ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuIm3wBpMEhFmy40ZBNHU +jn6cMVeDwynedDtww+071mQFIyidDn0UYCTfLn8dLQDpbdoreMz9Zzb0tMygMyMb +5fsOItkEd7J5jVqpPWqlvspaa5qb5zuB8NHAxRjPfomgn0Sl1Uvwl1Gc3N2UElCb +mJ+wEK+C55YVLj1k/9GU34G//XLcSnBF7bmjcycP+z8wkAtjE51ZR2Y6oP6o11jO +yL5X7Y+1Nk9cPlUbtrvmmyXEKnjUXbRUoK4CJ87dYjFk8CHWmqolY++bgp4Ro6gK +k6RAy1XaC6uCaVnlJQKpIZ8XvJyv34ku65KUuLQMlxBbVt7z+ybrMvU7NNpCVTGp +kwIDAQAB +-----END PUBLIC KEY----- +""" + +API_PRIVATE_KEY_PEM = """ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4ibfAGkwSEWbL +jRkE0dSOfpwxV4PDKd50O3DD7TvWZAUjKJ0OfRRgJN8ufx0tAOlt2it4zP1nNvS0 +zKAzIxvl+w4i2QR3snmNWqk9aqW+ylprmpvnO4Hw0cDFGM9+iaCfRKXVS/CXUZzc +3ZQSUJuYn7AQr4LnlhUuPWT/0ZTfgb/9ctxKcEXtuaNzJw/7PzCQC2MTnVlHZjqg +/qjXWM7Ivlftj7U2T1w+VRu2u+abJcQqeNRdtFSgrgInzt1iMWTwIdaaqiVj75uC +nhGjqAqTpEDLVdoLq4JpWeUlAqkhnxe8nK/fiS7rkpS4tAyXEFtW3vP7Jusy9Ts0 +2kJVMamTAgMBAAECggEBAKV46EnbysaQ0ApKFVsbBGxZ35jnDoGcM5sqCa3GNlfC +DFFAg8SQKAsmRPIejXzjSm10qnKB7d/1iWvt6OCx5LxOaJia3MSwRwqXdxZZYRI5 +xOakFpQ76gKVMzQJUVX39w2ZstIWbEBjsDLkhXf+y+cJmgj8OHeNPqTd7Ijv13yq +B8JVFhtrARTE9X5bxxl5FMrqchVv7HyCS6FBTK+rPPaE3gK2XyiNKHokcV2NfmeF +OHqqDn9LPN4ERRU13FNv5/wvH6/Z0AXsRWFkxuCdYcVzG9xEnf/72b0jumRqnSAN +bVK+/b37SOky/L0mwfXwhQoMvePgbYE1qv2Lx4maVcECgYEA5Im7Ys2FfFAGWV3Y +eNizNHmJYXuvLVsEEYtxT1tM/yPTvlljA27s5rrXdtRDS67Hnj28b9nrHp0COlZp +GycbppQcPEKiDupLlvstdQ+b+t1MO3xAqW2ZeM47A1SmPKa7XmTAL+6ZReeN/Eg6 +QCmqY5HHANhX+OwN+zwAg9ZQlBECgYEAzrZ1qr8RBBP4/0NY3WMkAiJpluIOc6kO +8lP0tNk6FJ9OaIMAI6FKxh/7KKcgWzINWSVqz+8te5HUCUt5JWZXcn2NMkk2ufm4 +4OV0vXz3ba6RhIXtDxJW9qbihhZ+EJYPvgwWUF3W1Onu4BuirD+74LSTWG8Ko3lK +m0qbAl5s92MCgYEAuJQxHwyE6jEr35O3GWtT2WbruSsPAd/Hum/X9VL1Lf/+rXc+ +S/CUL4nqKdQoAgFIwhp0jhYAGrqOqRVPUJnWcEShRV4/yzIaGPgG78vKm+OOBWFG +TFDzqilOalM87DFxlTxkKJJZgqcQ+xhOy7GbJ03+30TcUHQ+mpIMjG5UqDECgYBG +yc8T0OiX1+seJ0cIUYokPPqh0/oU+6EFtWCIihdMtp1YRvxGN1bu8EbHTixTbpmJ +nLmuSX7u4SqWoET1XM23hG1U+iOGnpEEWy+WMHRfGDf3BRIAZkxnnRDX0F4NegYc +E/GURf5q3U2Ta4NSr2S8d7o5v5UKFGBLO8pHjmSMdwKBgQCbZMPV/ogqNbsuEXsP +rZQg+DTonX55os7Dnii715NAzzP7zaZ/RF/zEJrYKKATiaYFNIpz66wuAIX6UrcO +N1mb6IlkRXoou2mawSFAPuwOFyKHDfohlA7lCiUsgB40uc90pa1evX8tctSXOuzh +qlOfAYmntqZaggU8f3gGh7EPjw== +-----END PRIVATE KEY----- +""" # Put the production SECRET_KEY in settings_local.py, and also any other