Split off django changes

Signed-off-by: Olivier Léobal <olivier.leobal@owkin.com>
Substra · Jun 5, 2023 · 0100bf4 · 0100bf4
1 parent 847cd48
commit 0100bf4
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 18 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,8 +11,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - BREAKING: Support for multiple API tokens with expanded functionality ([#639](https://github.com/Substra/substra-backend/pull/639))
 
-- New `JWT_SECRET_PATH` and `JWT_SECRET_NEEDED` environment variables ([#657](https://github.com/Substra/substra-backend/pull/657))
-
 ## [0.37.0](https://github.com/Substra/substra-backend/releases/tag/0.37.0) 2023-05-11
 
 ### Changed

diff --git a/backend/backend/settings/common.py b/backend/backend/settings/common.py
@@ -15,11 +15,11 @@
 import pathlib
 import sys
 from datetime import timedelta
-import secrets
 
 import structlog
 from django.core.files.storage import FileSystemStorage
 
+from libs.gen_secret_key import write_secret_key
 from substrapp.compute_tasks.errors import CeleryRetryError
 
 from .deps.org import *
@@ -63,21 +63,20 @@ def build_broker_url(user: str, password: str, host: str, port: str) -> str:
 # See https://docs.djangoproject.com/en/2.0/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-JWT_SECRET_PATH = os.environ.get("JWT_SECRET_PATH", os.path.normpath(os.path.join(PROJECT_ROOT, "SECRET")))
-
-# Key configuration for JSON web tokens (JWT) authentication
-if to_bool(os.environ.get("JWT_SECRET_NEEDED", "False")):
+SECRET_FILE = os.path.normpath(os.path.join(PROJECT_ROOT, "SECRET"))
+
+# KEY CONFIGURATION
+# Try to load the SECRET_KEY from our SECRET_FILE. If that fails, then generate
+# a random SECRET_KEY and save it into our SECRET_FILE for future loading. If
+# everything fails, then just raise an exception.
+try:
+    SECRET_KEY = pathlib.Path(SECRET_FILE).read_text().strip()
+except IOError:
     try:
-        SECRET_KEY = pathlib.Path(JWT_SECRET_PATH).read_text().strip()
+        SECRET_KEY = write_secret_key(SECRET_FILE)
     except IOError:
-        try:
-            SECRET_KEY = secrets.token_urlsafe()  # uses a "reasonable default" length
-            with open(JWT_SECRET_PATH, "w") as fp:
-                fp.write(SECRET_KEY)
-        except IOError:
-            raise Exception(f"Cannot open file `{JWT_SECRET_PATH}` for writing.")
-else:
-    SECRET_KEY = "unused default value " + secrets.token_urlsafe()
+        raise Exception(f"Cannot open file `{SECRET_FILE}` for writing.")
+# END KEY CONFIGURATION
 
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True

diff --git a/backend/libs/gen_secret_key.py b/backend/libs/gen_secret_key.py
@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+
+from secrets import choice
+
+
+def gen_secret_key(r):
+    return "".join([choice("abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)") for _ in range(r)])
+
+
+def write_secret_key(path):
+    secret_key = gen_secret_key(50)
+
+    with open(path, "w") as f:
+        f.write(secret_key)
+
+    return secret_key
+
+
+if __name__ == "__main__":
+    print(gen_secret_key(50))
diff --git a/docs/settings.md b/docs/settings.md
@@ -42,8 +42,6 @@ Accepted true values for `bool` are: `1`, `ON`, `On`, `on`, `T`, `t`, `TRUE`, `T
 | string | `HOST_IP` | nil |  |
 | int | `HTTP_CLIENT_TIMEOUT_SECONDS` | `30` |  |
 | bool | `ISOLATED` | nil |  |
-| bool | `JWT_SECRET_NEEDED` | `False` |  |
-| string | `JWT_SECRET_PATH` | `?` (`os.path.normpath(os.path.join(PROJECT_ROOT, 'SECRET'))`) |  |
 | string | `K8S_SECRET_NAMESPACE` | `default` |  |
 | string | `KANIKO_DOCKER_CONFIG_SECRET_NAME` | nil |  |
 | string | `KANIKO_IMAGE` | nil |  |