config: do some basic checks on settings before starting app

* SAMBAL_REDIS_URL is present * SAMBAL_SESSION_SECRET is present * SAMBAL_AUTH_SECRET is present * there is a password in SAMBAL_REDIS_URL * SAMBAL_SESSION_SECRET and SAMBAL_AUTH_SECRET are not identical Closes #14
wainuiomata · Mar 9, 2024 · 2fc3811 · 2fc3811
1 parent 2153184
commit 2fc3811
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 11 deletions.
diff --git a/src/sambal/security.py b/src/sambal/security.py
@@ -7,15 +7,15 @@
 from zope.interface import implementer
 
 from .client import connect_samdb
-from .settings import SETTINGS
+from .settings import USE_HTTPS
 
 
 @implementer(ISecurityPolicy)
 class SambalSecurityPolicy:
     def __init__(self, secret):
         self.authtkt = AuthTktCookieHelper(
             secret=secret,
-            secure=SETTINGS["sambal.https"],
+            secure=USE_HTTPS,
             samesite="Strict",
             http_only=True,
         )

diff --git a/src/sambal/settings.py b/src/sambal/settings.py
@@ -2,21 +2,45 @@
 import os
 
 from pyramid.settings import asbool
+from redis.connection import parse_url
+
+# Read environment variables then do some sanity checks.
+DEBUG = asbool(os.getenv("SAMBAL_DEBUG", default=False))
+USE_HTTPS = asbool(os.getenv("SAMBAL_HTTPS", default=False))
+USE_HSTS = asbool(os.getenv("SAMBAL_HSTS", default=False))
+REDIS_URL = os.getenv("SAMBAL_REDIS_URL")
+SESSION_SECRET = os.getenv("SAMBAL_SESSION_SECRET")
+AUTH_SECRET = os.getenv("SAMBAL_AUTH_SECRET")
+
+if REDIS_URL is None:
+    raise ValueError("Missing SAMBAL_REDIS_URL environment variable.")
+
+if "password" not in parse_url(REDIS_URL):
+    raise ValueError("Missing password in SAMBAL_REDIS_URL, please add one.")
+
+if SESSION_SECRET is None:
+    raise ValueError("Missing SAMBAL_SESSION_SECRET environment variable.")
+
+if AUTH_SECRET is None:
+    raise ValueError("Missing SAMBAL_AUTH_SECRET environment variable.")
+
+if SESSION_SECRET == AUTH_SECRET:
+    raise ValueError(
+        "Use different values for SAMBAL_AUTH_SECRET and SAMBAL_SESSION_SECRET"
+    )
 
 # Pyramid settings are traditionally loaded via PasteDeploy ini file.
 # With this project we went a different way with env vars.
 SETTINGS = {
-    "sambal.debug": asbool(os.getenv("SAMBAL_DEBUG", default=False)),
-    "sambal.https": asbool(os.getenv("SAMBAL_HTTPS", default=False)),
-    "sambal.hsts": asbool(os.getenv("SAMBAL_HSTS", default=False)),
-    "auth.secret": os.getenv("SAMBAL_AUTH_SECRET"),
-    "redis.sessions.url": os.getenv("SAMBAL_REDIS_URL"),
-    "redis.sessions.secret": os.getenv("SAMBAL_SESSION_SECRET"),
+    "sambal.debug": DEBUG,
+    "sambal.https": USE_HTTPS,
+    "sambal.hsts": USE_HSTS,
+    "auth.secret": AUTH_SECRET,
+    "redis.sessions.url": REDIS_URL,
+    "redis.sessions.secret": SESSION_SECRET,
     "redis.sessions.serialize": lambda s: json.dumps(s).encode("utf-8"),
     "redis.sessions.deserialize": lambda s: json.loads(s.decode("utf-8")),
     "redis.sessions.cookie_samesite": "Strict",
     "redis.sessions.cookie_httponly": True,
+    "redis.sessions.cookie_secure": USE_HTTPS,
 }
-
-# Only if https is used set cookie_secure.
-SETTINGS["redis.sessions.cookie_secure"] = SETTINGS["sambal.https"]