From 382780660306a21e51b53e09ae62416fd7781e51 Mon Sep 17 00:00:00 2001
From: Oliver Walters
Date: Wed, 24 Apr 2019 16:01:47 +1000
Subject: [PATCH 1/4] SECRET_KEY is now generated by a script and stored as a local file - key file ignored from git
---
 .gitignore | 5 ++++-
 InvenTree/InvenTree/settings.py | 6 ++++--
 InvenTree/key.py | 20 ++++++++++++++++++++
 Makefile | 3 +++
 4 files changed, 31 insertions(+), 3 deletions(-)
 create mode 100644 InvenTree/key.py
diff --git a/.gitignore b/.gitignore
index ec0bae4220..e304877626 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,7 +30,10 @@ local_settings.py
 # Local media storage (only when running in development mode)
 InvenTree/media
-# Ignore PyCharm project configuration
+# Key file
+secret_key.txt
+
+# Ignore python IDE project configuration
 .idea/
 # Coverage reports
diff --git a/InvenTree/InvenTree/settings.py b/InvenTree/InvenTree/settings.py
index 813d0d8ad4..038e7429b5 100644
--- a/InvenTree/InvenTree/settings.py
+++ b/InvenTree/InvenTree/settings.py
@@ -21,8 +21,10 @@ BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 # See https://docs.djangoproject.com/en/1.10/howto/deployment/checklist/
 # SECURITY WARNING: keep the secret key used in production secret!
-# TODO: remove this
-SECRET_KEY = 'oc2z%5)lu#jsxi#wpg)700z@v48)2aa_yn(a(3qg!z!fw&tr9f'
+
+key_file = open('secret_key.txt', 'r')
+
+SECRET_KEY = key_file.read().strip()
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
diff --git a/InvenTree/key.py b/InvenTree/key.py
new file mode 100644
index 0000000000..20471a3a9f
--- /dev/null
+++ b/InvenTree/key.py
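Review bot: The handle opened at `key_file = open('secret_key.txt', 'r')` is never closed, and on a checkout where key.py has not been run the settings import fails with a bare FileNotFoundError that does not say how to create the file. Reading the key as `with open('secret_key.txt', 'r') as key_file:` followed by `SECRET_KEY = key_file.read().strip()` closes the handle, and catching the missing-file case to name `InvenTree/key.py` in the message would make the failure self-explanatory. The same unclosed `open()` is carried into the settings.py hunk of patch 3/4. The literal key deleted here stays readable in the repository history, so a deployment that ran with it should switch to a freshly generated key rather than treat the old one as secret. The settings module continues outside this hunk.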
@@ -0,0 +1,20 @@
+# Generate a SECRET_KEY file
+
+import random
+import string
+import os
+
+fn = 'secret_key.txt'
+
+def generate_key():
+ return ''.join(random.choices(string.digits + string.ascii_letters + string.punctuation, k=50))
+
+if __name__ == '__main__':
+
+ # Ensure key file is placed in same directory as this script
+ path = os.path.dirname(os.path.realpath(__file__))
+ key_file = os.path.join(path, fn)
+
+ with open(key_file, 'w') as key:
+ key.write(generate_key())
+ print('Generated SECRET_KEY to {f}'.format(f=key_file))
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 831ab4ff3a..7586b678a4 100644
--- a/Makefile
+++ b/Makefile
@@ -28,6 +28,9 @@ migrate:
 install: # TODO: replace this with a proper setup.py
 pip install -U -r requirements/base.txt
+
+ # Generate a secret key
+ python InvenTree/key.py
 setup: install migrate
From 7a651446413b2391284fd13f7df9b9c6ae1b78a7 Mon Sep 17 00:00:00 2001
From: Oliver Walters
Date: Wed, 24 Apr 2019 16:08:59 +1000
Subject: [PATCH 2/4] Use random.choice instead of random.choices - Allows compatibility with python3.5
---
 InvenTree/key.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/InvenTree/key.py b/InvenTree/key.py
index 20471a3a9f..60ff54df18 100644
--- a/InvenTree/key.py
+++ b/InvenTree/key.py
@@ -7,7 +7,9 @@ import os
 fn = 'secret_key.txt'
 def generate_key():
- return ''.join(random.choices(string.digits + string.ascii_letters + string.punctuation, k=50))
+ options = string.digits + string.ascii_letters + string.punctuation
+ key = ''.join([random.choice(options) for i in range(50)])
+ return key
 if __name__ == '__main__':
@@ -15,6 +17,6 @@ if __name__ == '__main__':
 path = os.path.dirname(os.path.realpath(__file__))
 key_file = os.path.join(path, fn)
- with open(key_file, 'w') as key:
- key.write(generate_key())
+ with open(key_file, 'w') as kf:
+ kf.write(generate_key())
 print('Generated SECRET_KEY to {f}'.format(f=key_file))
\ No newline at end of file
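Review bot: `generate_key()` builds the Django SECRET_KEY with `random.choices`, and the `random` module is a deterministic Mersenne Twister generator that the Python documentation says not to use for security purposes. SECRET_KEY backs Django's cryptographic signing, so it should come from the operating system's CSPRNG: `random.SystemRandom().choices(...)` here, or Django's `get_random_secret_key()` from `django.core.management.utils`. The rewrite in patch 2/4 (`random.choice(options)` in a list comprehension) has the same weakness; `rng = random.SystemRandom()` with `rng.choice(options)` fixes it and still runs on Python 3.5, which lacks the `secrets` module.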
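Review bot: Every `make install` now runs `python InvenTree/key.py`, and key.py opens the key file with mode `'w'`, so an existing key is silently replaced on each install. Replacing SECRET_KEY on a live deployment invalidates existing sessions and any other values signed with the old key, so the recipe should generate a key only when none exists, e.g. `test -f InvenTree/secret_key.txt || python InvenTree/key.py`. The path in that check assumes key.py keeps writing next to itself, as its `os.path.dirname(os.path.realpath(__file__))` line does in this series.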
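Review bot: `open(key_file, 'w')` in the second hunk of patch 2/4 creates secret_key.txt with whatever mode the process umask allows, which with the common 022 umask leaves the key readable by every local user. Creating it owner-only, `fd = os.open(key_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` then `with os.fdopen(fd, 'w') as kf:`, keeps the key private to the account that runs the server. The mode argument applies only when the file is created, so a file that already exists keeps its old permissions and would need an explicit `os.chmod(key_file, 0o600)`. `os` is already imported at the top of key.py, and the `if __name__ == '__main__':` block starts above this hunk.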
From 40a18d0ce4b51476b24fad5b690f7c13282f4fb9 Mon Sep 17 00:00:00 2001
From: Oliver Walters
Date: Wed, 24 Apr 2019 23:19:36 +1000
Subject: [PATCH 3/4] Ensure settings.py knows how to access secret_key.txt
---
 InvenTree/InvenTree/settings.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/InvenTree/InvenTree/settings.py b/InvenTree/InvenTree/settings.py
index 038e7429b5..65581eb4e6 100644
--- a/InvenTree/InvenTree/settings.py
+++ b/InvenTree/InvenTree/settings.py
@@ -21,8 +21,7 @@ BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 # See https://docs.djangoproject.com/en/1.10/howto/deployment/checklist/
 # SECURITY WARNING: keep the secret key used in production secret!
-
-key_file = open('secret_key.txt', 'r')
+key_file = open(os.path.join(BASE_DIR, 'secret_key.txt'), 'r')
 SECRET_KEY = key_file.read().strip()
From 887250cd06329605cbf39b4d8222ce6f0fa5d65b Mon Sep 17 00:00:00 2001
From: Oliver Walters
Date: Wed, 24 Apr 2019 23:26:16 +1000
Subject: [PATCH 4/4] PEP fixes
---
 InvenTree/key.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/InvenTree/key.py b/InvenTree/key.py
index 60ff54df18..c28b9c6a30 100644
--- a/InvenTree/key.py
+++ b/InvenTree/key.py
@@ -6,11 +6,13 @@ import os
 fn = 'secret_key.txt'
+
 def generate_key():
 options = string.digits + string.ascii_letters + string.punctuation
 key = ''.join([random.choice(options) for i in range(50)])
 return key
+
 if __name__ == '__main__':
 # Ensure key file is placed in same directory as this script
@@ -19,4 +21,4 @@ if __name__ == '__main__':
 with open(key_file, 'w') as kf:
 kf.write(generate_key())
- print('Generated SECRET_KEY to {f}'.format(f=key_file))
\ No newline at end of file
+ print('Generated SECRET_KEY to {f}'.format(f=key_file))