From c514599c8aa3dd9128b58b3fba956148ef8c64bd Mon Sep 17 00:00:00 2001 From: Ashwanth Balakrishnan Date: Tue, 19 Mar 2024 14:14:43 +0530 Subject: [PATCH] Added production settings and support for secret values from env variables (#118) * Added Django-environ support and Production settings * Option to set db settings in both ways * Added setuptools in req.txt * Minor bug fix --------- Co-authored-by: Horilla <131998600+horilla-opensource@users.noreply.github.com> --- .env.dist | 41 ++++++++++++++++++++++++++++ horilla/settings.py | 65 ++++++++++++++++++++++++++++++++++----------- requirements.txt | 1 + 3 files changed, 91 insertions(+), 16 deletions(-) create mode 100644 .env.dist diff --git a/.env.dist b/.env.dist new file mode 100644 index 000000000..aceac6503 --- /dev/null +++ b/.env.dist @@ -0,0 +1,41 @@ +# Set "DEBUG=False" for production +DEBUG=True + +# Get a secure secret key from https://djecrety.ir +SECRET_KEY=django-insecure-j8op9)1q8$1&0^s&p*_0%d#pr@w9qj@1o=3#@d=a(^@9@zd@%j + +# Don't use "*" for ALLOWED_HOSTS in production +ALLOWED_HOSTS=www.example.com,example.com,* + +# Database URL + +DATABASE_URL=postgresql://user:password@localhost:5432/dbname + +# ----OR---- + +# Database Configuration + +DB_ENGINE=django.db.backends.postgresql +DB_NAME=dbname +DB_USER=user +DB_PASSWORD=password +DB_HOST=localhost +DB_PORT=5432 + + +# Supportted Formats for DATABASE_URL : + +# PostgreSQL: ``postgres[ql]?://`` or ``p[g]?sql://`` +# PostGIS: ``postgis://`` +# MySQL: ``mysql://`` or ``mysql2://`` +# MySQL (GIS): ``mysqlgis://`` +# MySQL Connector Python from Oracle: ``mysql-connector://`` +# SQLite: ``sqlite://`` +# SQLite with SpatiaLite for GeoDjango: ``spatialite://`` +# Oracle: ``oracle://`` +# Microsoft SQL Server: ``mssql://`` +# PyODBC: ``pyodbc://`` +# Amazon Redshift: ``redshift://`` +# LDAP: ``ldap://`` + + diff --git a/horilla/settings.py b/horilla/settings.py index 4d40ba4df..be9a31dc4 100755 --- a/horilla/settings.py +++ b/horilla/settings.py 
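Review bot: The `ALLOWED_HOSTS` example in .env.dist ends with `*`, which makes the comment directly above it moot — once `*` is in the list Django accepts any Host header, the two named hosts add nothing, and a copy-pasted template leaves production open to Host-header poisoning of password-reset links and absolute URLs. Change the line to `ALLOWED_HOSTS=www.example.com,example.com`. The template also ships the same `django-insecure-…` key that settings.py uses as its fallback, so a deployment that copies .env.dist unchanged runs with a key that is public in this repository; consider leaving it as `SECRET_KEY=` with the comment `# required: generate with python -c "from django.core.management.utils import get_random_secret_key as k; print(k())"`. I cannot see .gitignore from this diff; make sure `.env` (as opposed to `.env.dist`) is ignored so the real file is never committed. Also `Supportted` → `Supported` in the format list.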
@@ -14,23 +14,33 @@ from pathlib import Path import os from django.contrib.messages import constants as messages from os.path import join - +import environ # Build paths inside the project like this: BASE_DIR / 'subdir'. BASE_DIR = Path(__file__).resolve().parent.parent - # Quick-start development settings - unsuitable for production # See https://docs.djangoproject.com/en/4.1/howto/deployment/checklist/ +env = environ.Env( + DEBUG=(bool, True), + SECRET_KEY=( + str, + "django-insecure-j8op9)1q8$1&0^s&p*_0%d#pr@w9qj@1o=3#@d=a(^@9@zd@%j", + ), + ALLOWED_HOSTS=(list, ["*"]), + CSRF_TRUSTED_ORIGINS=(list, ["http://localhost:8000"]), +) + +env.read_env(os.path.join(BASE_DIR, ".env"), overwrite=True) + # SECURITY WARNING: keep the secret key used in production secret! -SECRET_KEY = "django-insecure-j8op9)1q8$1&0^s&p*_0%d#pr@w9qj@1o=3#@d=a(^@9@zd@%j" +SECRET_KEY = env("SECRET_KEY") # SECURITY WARNING: don't run with debug turned on in production! -DEBUG = True - -ALLOWED_HOSTS = ["*"] +DEBUG = env("DEBUG") +ALLOWED_HOSTS = env("ALLOWED_HOSTS") # Application definition @@ -103,13 +113,27 @@ WSGI_APPLICATION = "horilla.wsgi.application" # Database # https://docs.djangoproject.com/en/4.1/ref/settings/#databases -DATABASES = { - "default": { - "ENGINE": "django.db.backends.sqlite3", - "NAME": BASE_DIR / "TestDB_Horilla.sqlite3", +if env("DATABASE_URL", default=None): + DATABASES = { + "default": env.db(), + } +else: + DATABASES = { + "default": { + "ENGINE": env("DB_ENGINE", default="django.db.backends.sqlite3"), + "NAME": env( + "DB_NAME", + default=os.path.join( + BASE_DIR, + "TestDB_Horilla.sqlite3", + ), + ), + "USER": env("DB_USER", default=""), + "PASSWORD": env("DB_PASSWORD", default=""), + "HOST": env("DB_HOST", default=""), + "PORT": env("DB_PORT", default=""), + } } -} - # Password validation # https://docs.djangoproject.com/en/4.1/ref/settings/#auth-password-validators 
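Review bot: `SECRET_KEY` still falls back to the hard-coded `django-insecure-…` key when the variable is absent, and `DEBUG`/`ALLOWED_HOSTS` default to `True`/`["*"]`, so a production host with a missing or misnamed `.env` silently boots with a key that is public in this repository and can be used to forge session cookies and password-reset tokens. `env.read_env(..., overwrite=True)` additionally lets a stale `.env` on disk override values injected into the process environment by the container or secret manager, which inverts the usual precedence — drop `overwrite=True` (django-environ's default keeps the process environment as the winner). I would fail fast rather than fall back: keep the development default but refuse to start on it when `DEBUG` is off, as sketched below; `ImproperlyConfigured` comes from `django.core.exceptions` and belongs with the imports at the top of the file. Whether `.env` is guaranteed to exist on the deployment hosts is not visible here, so the guard is what makes the missing-file case loud instead of silent.
```python
# … unchanged: environ.Env(...) declaration …
env.read_env(os.path.join(BASE_DIR, ".env"))  # process environment takes precedence over the file

SECRET_KEY = env("SECRET_KEY")
DEBUG = env("DEBUG")
ALLOWED_HOSTS = env("ALLOWED_HOSTS")
# Refuse to run a non-debug deployment on the public fallback key.
if not DEBUG and SECRET_KEY.startswith("django-insecure-"):
    raise ImproperlyConfigured("SECRET_KEY must be set to a private value when DEBUG=False")
```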
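Review bot: When neither `DATABASE_URL` nor `DB_ENGINE` is set — a typo in the variable name is enough — the `else` branch silently creates and uses `TestDB_Horilla.sqlite3` inside BASE_DIR with empty credentials, so a non-debug deployment would store HR data in an unprotected file next to the code without any warning. `DEBUG` is already evaluated earlier in this file, so the SQLite fallback can be limited to development with `"ENGINE": env("DB_ENGINE", default="django.db.backends.sqlite3") if DEBUG else env("DB_ENGINE"),` — without a default, django-environ raises `ImproperlyConfigured` at startup instead of falling through. The `.env.dist` comment block would also benefit from noting that a password embedded in `DATABASE_URL` must be percent-encoded and that TLS to a remote database is requested with `?sslmode=require` on the URL, since neither code path configures it.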
@@ -171,10 +195,7 @@ MESSAGE_TAGS = { } -CSRF_TRUSTED_ORIGINS = [ - "http://localhost:8000", -] - +CSRF_TRUSTED_ORIGINS = env("CSRF_TRUSTED_ORIGINS") LOGIN_URL = "/login" @@ -213,3 +234,15 @@ USE_I18N = True USE_L10N = True USE_TZ = True + +# Production settings +if not DEBUG: + SECURE_BROWSER_XSS_FILTER = True + SECURE_SSL_REDIRECT = True + SECURE_HSTS_SECONDS = 31536000 + SECURE_HSTS_INCLUDE_SUBDOMAINS = True + SECURE_HSTS_PRELOAD = True + SECURE_CONTENT_TYPE_NOSNIFF = True + SESSION_COOKIE_SECURE = True + CSRF_COOKIE_SECURE = True + SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") diff --git a/requirements.txt b/requirements.txt index e3ca43347..ce730ba37 100644 --- a/requirements.txt +++ b/requirements.txt @@ -12,6 +12,7 @@ cssselect2 Django>=4.2 django-apscheduler django-cors-headers +django-environ django-filter django-haystack django-jsonfield
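Review bot: `CSRF_TRUSTED_ORIGINS` is now read from the environment, but the `.env.dist` template added in this commit does not list it, so an operator following the template ships the `http://localhost:8000` default to production and has no hint that the setting exists. Add `CSRF_TRUSTED_ORIGINS=https://www.example.com,https://example.com` to .env.dist with the comment `# each entry must include the scheme (Django 4.x's system check rejects bare hosts)`.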
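Review bot: `SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")` is enabled for every non-debug deployment, but it is only safe when a reverse proxy in front of Django always overwrites `X-Forwarded-Proto`; if the app is exposed directly, or the proxy passes the client's header through, any client can send `X-Forwarded-Proto: https` and make `request.is_secure()` return True, defeating `SECURE_SSL_REDIRECT` and the secure-cookie logic that this block turns on. Gate it on an explicit opt-in, `if env.bool("USE_X_FORWARDED_PROTO", default=False):` / `    SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")`, with a comment stating the proxy requirement. `SECURE_HSTS_PRELOAD` together with `SECURE_HSTS_INCLUDE_SUBDOMAINS` and a one-year max-age is effectively irreversible once the domain is submitted to the preload list, so it deserves a warning comment that every subdomain must already serve HTTPS. `SECURE_BROWSER_XSS_FILTER` controls the legacy `X-XSS-Protection` header, which current browsers ignore and Django has deprecated — confirm it still has an effect in the `Django>=4.2` this project requires, otherwise drop the line.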
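Review bot: `django-environ` is added without any version bound, so a fresh install resolves whatever the index serves that day; the rest of this file already pins nothing, but this package now sits on the path that parses `SECRET_KEY` and the database credentials, so I would at least add a lower bound matching the release the `env.db()` and `read_env(overwrite=...)` calls were developed against (`django-environ>=<tested version>`) and pin the exact version in whatever lockfile the deployment uses. Which version that is cannot be determined from the diff.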