9aa2dda073
Implements blueprint automatic-secure-key-generation Reduce the likeliness that the (commented-out) default key is abused and document possible options instead. Also use a non-empty SECRET_KEY for development / testing environments. A later patch would make it a hard error if no SECRET_KEY is defined (i.e. Django defaults to an empty string which is anything but secure). Unfortunately, I can't do it now as the devstack integration test would fail (they don't set a SECRET_KEY either) currently. So, when this blueprint is accepted, I would submit a fix to devstack and afterwards add the error message to warn the user about insecure defaults. Addressed PEP-8 issues Change-Id: Ifdab8e6b6fb3025fde7a2b92beb046ec9c5cba7f
69 lines
2.3 KiB
Python
69 lines
2.3 KiB
Python
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
|
|
# Copyright 2012 Nebula, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
|
|
from __future__ import with_statement # Python 2.5 compliance
|
|
|
|
import lockfile
|
|
import random
|
|
import string
|
|
import tempfile
|
|
import os
|
|
|
|
|
|
class FilePermissionError(Exception):
|
|
"""The key file permissions are insecure."""
|
|
pass
|
|
|
|
|
|
def generate_key(key_length=64):
|
|
"""Secret key generator.
|
|
|
|
The quality of randomness depends on operating system support,
|
|
see http://docs.python.org/library/random.html#random.SystemRandom.
|
|
"""
|
|
if hasattr(random, 'SystemRandom'):
|
|
choice = random.SystemRandom().choice
|
|
else:
|
|
choice = random.choice
|
|
return ''.join(map(lambda x: choice(string.digits + string.letters),
|
|
range(key_length)))
|
|
|
|
|
|
def generate_or_read_from_file(key_file='.secret_key', key_length=64):
|
|
"""Multiprocess-safe secret key file generator.
|
|
|
|
Useful to replace the default (and thus unsafe) SECRET_KEY in settings.py
|
|
upon first start. Save to use, i.e. when multiple Python interpreters
|
|
serve the dashboard Django application (e.g. in a mod_wsgi + daemonized
|
|
environment). Also checks if file permissions are set correctly and
|
|
throws an exception if not.
|
|
"""
|
|
lock = lockfile.FileLock(key_file)
|
|
with lock:
|
|
if not os.path.exists(key_file):
|
|
key = generate_key(key_length)
|
|
old_umask = os.umask(0177) # Use '0600' file permissions
|
|
with open(key_file, 'w') as f:
|
|
f.write(key)
|
|
os.umask(old_umask)
|
|
else:
|
|
if oct(os.stat(key_file).st_mode & 0777) != '0600':
|
|
raise FilePermissionError("Insecure key file permissions!")
|
|
with open(key_file, 'r') as f:
|
|
key = f.readline()
|
|
return key
|