Added a check for proper API key settings in production, and added workable default API key settings for development.

levkowetz · levkowetz · commit 4f8f9d5c3f0e · 2017-11-07T15:49:15.000Z
- Legacy-Id: 14319
diff --git a/docker/settings_local.py b/docker/settings_local.py
@@ -30,6 +30,9 @@
 
 TRAC_WIKI_DIR_PATTERN = "test/wiki/%s"
 TRAC_SVN_DIR_PATTERN = "test/svn/%s"
+TRAC_CREATE_ADHOC_WIKIS = [
+    ('iesg', 'Meeting', TRAC_WIKI_DIR_PATTERN % "ietf/meeting"),
+]
 
 MEDIA_BASE_DIR = 'test'
 MEDIA_ROOT = MEDIA_BASE_DIR + '/media/'
@@ -45,3 +48,46 @@
 SUBMIT_YANG_INVAL_MODEL_DIR = 'data/developers/ietf-ftp/yang/invalmod/'
 SUBMIT_YANGLINT_COMMAND = 'yanglint --verbose -p {rfclib} -p {draftlib} -p {tmplib} {model}'
 
+
+API_PUBLIC_KEY_PEM = """
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuIm3wBpMEhFmy40ZBNHU
+jn6cMVeDwynedDtww+071mQFIyidDn0UYCTfLn8dLQDpbdoreMz9Zzb0tMygMyMb
+5fsOItkEd7J5jVqpPWqlvspaa5qb5zuB8NHAxRjPfomgn0Sl1Uvwl1Gc3N2UElCb
+mJ+wEK+C55YVLj1k/9GU34G//XLcSnBF7bmjcycP+z8wkAtjE51ZR2Y6oP6o11jO
+yL5X7Y+1Nk9cPlUbtrvmmyXEKnjUXbRUoK4CJ87dYjFk8CHWmqolY++bgp4Ro6gK
+k6RAy1XaC6uCaVnlJQKpIZ8XvJyv34ku65KUuLQMlxBbVt7z+ybrMvU7NNpCVTGp
+kwIDAQAB
+-----END PUBLIC KEY-----
+"""
+
+API_PRIVATE_KEY_PEM = """
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4ibfAGkwSEWbL
+jRkE0dSOfpwxV4PDKd50O3DD7TvWZAUjKJ0OfRRgJN8ufx0tAOlt2it4zP1nNvS0
+zKAzIxvl+w4i2QR3snmNWqk9aqW+ylprmpvnO4Hw0cDFGM9+iaCfRKXVS/CXUZzc
+3ZQSUJuYn7AQr4LnlhUuPWT/0ZTfgb/9ctxKcEXtuaNzJw/7PzCQC2MTnVlHZjqg
+/qjXWM7Ivlftj7U2T1w+VRu2u+abJcQqeNRdtFSgrgInzt1iMWTwIdaaqiVj75uC
+nhGjqAqTpEDLVdoLq4JpWeUlAqkhnxe8nK/fiS7rkpS4tAyXEFtW3vP7Jusy9Ts0
+2kJVMamTAgMBAAECggEBAKV46EnbysaQ0ApKFVsbBGxZ35jnDoGcM5sqCa3GNlfC
+DFFAg8SQKAsmRPIejXzjSm10qnKB7d/1iWvt6OCx5LxOaJia3MSwRwqXdxZZYRI5
+xOakFpQ76gKVMzQJUVX39w2ZstIWbEBjsDLkhXf+y+cJmgj8OHeNPqTd7Ijv13yq
+B8JVFhtrARTE9X5bxxl5FMrqchVv7HyCS6FBTK+rPPaE3gK2XyiNKHokcV2NfmeF
+OHqqDn9LPN4ERRU13FNv5/wvH6/Z0AXsRWFkxuCdYcVzG9xEnf/72b0jumRqnSAN
+bVK+/b37SOky/L0mwfXwhQoMvePgbYE1qv2Lx4maVcECgYEA5Im7Ys2FfFAGWV3Y
+eNizNHmJYXuvLVsEEYtxT1tM/yPTvlljA27s5rrXdtRDS67Hnj28b9nrHp0COlZp
+GycbppQcPEKiDupLlvstdQ+b+t1MO3xAqW2ZeM47A1SmPKa7XmTAL+6ZReeN/Eg6
+QCmqY5HHANhX+OwN+zwAg9ZQlBECgYEAzrZ1qr8RBBP4/0NY3WMkAiJpluIOc6kO
+8lP0tNk6FJ9OaIMAI6FKxh/7KKcgWzINWSVqz+8te5HUCUt5JWZXcn2NMkk2ufm4
+4OV0vXz3ba6RhIXtDxJW9qbihhZ+EJYPvgwWUF3W1Onu4BuirD+74LSTWG8Ko3lK
+m0qbAl5s92MCgYEAuJQxHwyE6jEr35O3GWtT2WbruSsPAd/Hum/X9VL1Lf/+rXc+
+S/CUL4nqKdQoAgFIwhp0jhYAGrqOqRVPUJnWcEShRV4/yzIaGPgG78vKm+OOBWFG
+TFDzqilOalM87DFxlTxkKJJZgqcQ+xhOy7GbJ03+30TcUHQ+mpIMjG5UqDECgYBG
+yc8T0OiX1+seJ0cIUYokPPqh0/oU+6EFtWCIihdMtp1YRvxGN1bu8EbHTixTbpmJ
+nLmuSX7u4SqWoET1XM23hG1U+iOGnpEEWy+WMHRfGDf3BRIAZkxnnRDX0F4NegYc
+E/GURf5q3U2Ta4NSr2S8d7o5v5UKFGBLO8pHjmSMdwKBgQCbZMPV/ogqNbsuEXsP
+rZQg+DTonX55os7Dnii715NAzzP7zaZ/RF/zEJrYKKATiaYFNIpz66wuAIX6UrcO
+N1mb6IlkRXoou2mawSFAPuwOFyKHDfohlA7lCiUsgB40uc90pa1evX8tctSXOuzh
+qlOfAYmntqZaggU8f3gGh7EPjw==
+-----END PRIVATE KEY-----
+"""
diff --git a/ietf/checks.py b/ietf/checks.py
@@ -344,3 +344,39 @@ def check_svn_import(app_configs, **kwargs):
                 id = "datatracker.E0014",
             ))
     return errors
+
+@checks.register('security')
+def check_api_key_in_local_settings(app_configs, **kwargs):
+    errors = []
+    import settings_local
+    if settings.SERVER_MODE == 'development':
+        if not (    hasattr(settings_local, 'API_PUBLIC_KEY_PEM')
+                and hasattr(settings_local, 'API_PRIVATE_KEY_PEM')):
+            errors.append(checks.Critical(
+                "There are no API key settings in your settings_local.py",
+                hint = dedent("""
+                    You are running in production mode, and need API key settings that are
+                    different than the default settings.  Please add settings for
+                    API_PUBLIC_KEY_PEM and API_PRIVATE_KEY_PEM to your settings local.  The
+                    content should be matching public and private keys in PEM format.  You
+                    can generate a suitable keypair with 'ssh-keygen -f apikey.pem', and then
+                    extract the public key with 'openssl rsa -in apikey.pem -pubout > apikey.pub'.
+                    
+                    """).replace('\n', '\n   ').rstrip(),
+                id = "datatracker.E0015",
+            ))
+        elif not ( settings_local.API_PUBLIC_KEY_PEM == settings.API_PUBLIC_KEY_PEM
+                    and settings_local.API_PRIVATE_KEY_PEM == settings.API_PRIVATE_KEY_PEM ):
+            errors.append(checks.Critical(
+                "Your API key settings in your settings_local.py are not picked up in settings.",
+                hint = dedent("""
+                    You are running in production mode, and need API key settings which are
+                    different than the default settings.  You seem to have  API key settings
+                    in settings_local.py, but they don't seem to propagate to django.conf.settings.
+                    Please check if you have multiple settings_local.py files.
+                    """).replace('\n', '\n   ').rstrip(),
+                id = "datatracker.E0016",
+            ))
+
+    return errors
+    
diff --git a/ietf/settings.py b/ietf/settings.py
@@ -933,8 +933,48 @@ def skip_unreadable_post(record):
 
 UTILS_TEST_RANDOM_STATE_FILE = '.factoryboy_random_state'
 
-API_PUBLIC_KEY_PEM = "Set this in settings_local.py"
-API_PRIVATE_KEY_PEM = "Set this in settings_local.py"
+API_PUBLIC_KEY_PEM = """
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuIm3wBpMEhFmy40ZBNHU
+jn6cMVeDwynedDtww+071mQFIyidDn0UYCTfLn8dLQDpbdoreMz9Zzb0tMygMyMb
+5fsOItkEd7J5jVqpPWqlvspaa5qb5zuB8NHAxRjPfomgn0Sl1Uvwl1Gc3N2UElCb
+mJ+wEK+C55YVLj1k/9GU34G//XLcSnBF7bmjcycP+z8wkAtjE51ZR2Y6oP6o11jO
+yL5X7Y+1Nk9cPlUbtrvmmyXEKnjUXbRUoK4CJ87dYjFk8CHWmqolY++bgp4Ro6gK
+k6RAy1XaC6uCaVnlJQKpIZ8XvJyv34ku65KUuLQMlxBbVt7z+ybrMvU7NNpCVTGp
+kwIDAQAB
+-----END PUBLIC KEY-----
+"""
+
+API_PRIVATE_KEY_PEM = """
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4ibfAGkwSEWbL
+jRkE0dSOfpwxV4PDKd50O3DD7TvWZAUjKJ0OfRRgJN8ufx0tAOlt2it4zP1nNvS0
+zKAzIxvl+w4i2QR3snmNWqk9aqW+ylprmpvnO4Hw0cDFGM9+iaCfRKXVS/CXUZzc
+3ZQSUJuYn7AQr4LnlhUuPWT/0ZTfgb/9ctxKcEXtuaNzJw/7PzCQC2MTnVlHZjqg
+/qjXWM7Ivlftj7U2T1w+VRu2u+abJcQqeNRdtFSgrgInzt1iMWTwIdaaqiVj75uC
+nhGjqAqTpEDLVdoLq4JpWeUlAqkhnxe8nK/fiS7rkpS4tAyXEFtW3vP7Jusy9Ts0
+2kJVMamTAgMBAAECggEBAKV46EnbysaQ0ApKFVsbBGxZ35jnDoGcM5sqCa3GNlfC
+DFFAg8SQKAsmRPIejXzjSm10qnKB7d/1iWvt6OCx5LxOaJia3MSwRwqXdxZZYRI5
+xOakFpQ76gKVMzQJUVX39w2ZstIWbEBjsDLkhXf+y+cJmgj8OHeNPqTd7Ijv13yq
+B8JVFhtrARTE9X5bxxl5FMrqchVv7HyCS6FBTK+rPPaE3gK2XyiNKHokcV2NfmeF
+OHqqDn9LPN4ERRU13FNv5/wvH6/Z0AXsRWFkxuCdYcVzG9xEnf/72b0jumRqnSAN
+bVK+/b37SOky/L0mwfXwhQoMvePgbYE1qv2Lx4maVcECgYEA5Im7Ys2FfFAGWV3Y
+eNizNHmJYXuvLVsEEYtxT1tM/yPTvlljA27s5rrXdtRDS67Hnj28b9nrHp0COlZp
+GycbppQcPEKiDupLlvstdQ+b+t1MO3xAqW2ZeM47A1SmPKa7XmTAL+6ZReeN/Eg6
+QCmqY5HHANhX+OwN+zwAg9ZQlBECgYEAzrZ1qr8RBBP4/0NY3WMkAiJpluIOc6kO
+8lP0tNk6FJ9OaIMAI6FKxh/7KKcgWzINWSVqz+8te5HUCUt5JWZXcn2NMkk2ufm4
+4OV0vXz3ba6RhIXtDxJW9qbihhZ+EJYPvgwWUF3W1Onu4BuirD+74LSTWG8Ko3lK
+m0qbAl5s92MCgYEAuJQxHwyE6jEr35O3GWtT2WbruSsPAd/Hum/X9VL1Lf/+rXc+
+S/CUL4nqKdQoAgFIwhp0jhYAGrqOqRVPUJnWcEShRV4/yzIaGPgG78vKm+OOBWFG
+TFDzqilOalM87DFxlTxkKJJZgqcQ+xhOy7GbJ03+30TcUHQ+mpIMjG5UqDECgYBG
+yc8T0OiX1+seJ0cIUYokPPqh0/oU+6EFtWCIihdMtp1YRvxGN1bu8EbHTixTbpmJ
+nLmuSX7u4SqWoET1XM23hG1U+iOGnpEEWy+WMHRfGDf3BRIAZkxnnRDX0F4NegYc
+E/GURf5q3U2Ta4NSr2S8d7o5v5UKFGBLO8pHjmSMdwKBgQCbZMPV/ogqNbsuEXsP
+rZQg+DTonX55os7Dnii715NAzzP7zaZ/RF/zEJrYKKATiaYFNIpz66wuAIX6UrcO
+N1mb6IlkRXoou2mawSFAPuwOFyKHDfohlA7lCiUsgB40uc90pa1evX8tctSXOuzh
+qlOfAYmntqZaggU8f3gGh7EPjw==
+-----END PRIVATE KEY-----
+"""
 
 
 # Put the production SECRET_KEY in settings_local.py, and also any other
