Do not hardcode django secret key used in production

dmf-unicatt · Feb 11, 2024 · 0b78e60 · 0b78e60
1 parent ce948ee
commit 0b78e60
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 5 deletions.
diff --git a/.github/workflows/docker_ci.yml b/.github/workflows/docker_ci.yml
@@ -23,6 +23,8 @@ jobs:
           submodules: true
       - name: Create volume
         run: bash docker_create_volume.sh
+      - name: Create secret key
+        run: bash docker_create_secret_key.sh
       - name: Create image
         run: bash docker_create_image.sh
       - name: Create container

diff --git a/docker/.gitignore b/docker/.gitignore
@@ -1,2 +1,3 @@
 .docker_container_id
+.docker_secret_key
 .docker_volume_id
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -7,6 +7,8 @@
 FROM debian:12
 MAINTAINER Francesco Ballarin <[email protected]>
 
+ARG SECRET_KEY
+
 WORKDIR /root
 
 RUN apt update -y -q && \
@@ -20,7 +22,7 @@ RUN bash patches/turing/apply_patches.sh && \
 
 RUN cat <<EOF >> /root/turing/Turing/settings.ini
 [settings]
-SECRET_KEY=ab&v1v}7G+$*m$pg:zkUNHUhhYA&yKuWPETi!r{b?T{UXKuj=t
+SECRET_KEY=$SECRET_KEY
 DEBUG=True
 DEV_MODE=False
 ALLOWED_HOSTS=*

diff --git a/docker/README.md b/docker/README.md
@@ -20,15 +20,19 @@ cd turing-dmf/docker
 ```
 bash docker_create_volume.sh
 ```
-3. Create a `turing-dmf:latest` docker image based on the current **Turing @ DMF** repository:
+3. Create a secret key for `django`:
+```
+bash docker_create_secret_key.sh
+```
+4. Create a `turing-dmf:latest` docker image based on the current **Turing @ DMF** repository:
 ```
 bash docker_create_image.sh
 ```
-4. Create a docker container based on the current `turing-dmf:latest` docker image:
+5. Create a docker container based on the current `turing-dmf:latest` docker image:
 ```
 bash docker_create_container.sh
 ```
-5. Create a database for **Turing**:
+6. Create a database for **Turing**:
 ```
 bash docker_create_database.sh
 ```

diff --git a/docker/docker_create_image.sh b/docker/docker_create_image.sh
@@ -10,4 +10,7 @@ set -e
 # Do not run any further if we are not connected to the internet
 wget -q --spider https://www.google.com
 
-docker build --pull -t turing-dmf:latest -f Dockerfile ..
+SECRET_KEY_FILE=".docker_secret_key"
+SECRET_KEY=$(cat "${SECRET_KEY_FILE}")
+
+docker build --pull --build-arg SECRET_KEY=${SECRET_KEY} -t turing-dmf:latest -f Dockerfile ..
diff --git a/docker/docker_create_secret_key.sh b/docker/docker_create_secret_key.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Copyright (C) 2024 by the Turing @ DMF authors
+#
+# This file is part of Turing @ DMF.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -e
+
+SECRET_KEY_FILE=".docker_secret_key"
+if [[ -f "${SECRET_KEY_FILE}" ]]; then
+    echo "A secret key already exists!"
+    echo "If you want to destroy it and create a new one, please remove the ${SECRET_KEY_FILE} file"
+    exit 1
+else
+    SECRET_KEY=$(cat /dev/urandom | tr -dc 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)' | head -c 50; echo)
+    echo ${SECRET_KEY} > ${SECRET_KEY_FILE}
+fi