feat(config): remove PASSWORD_UNENCRYPTED, use PASSWORD instead #68

Merged
merged 1 commit into from
Jun 29, 2023
7 changes: 2 additions & 5 deletions src/dashboard/apigateway/apigateway/conf/.env.tpl
Expand Up @@ -11,18 +11,15 @@ BK_APIGW_DATABASE_NAME="bk_apigateway"
BK_APIGW_DATABASE_HOST="localhost"
BK_APIGW_DATABASE_PORT=3306
BK_APIGW_DATABASE_USER="root"
BK_APIGW_DATABASE_PASSWORD_UNENCRYPTED=""
BK_APIGW_DATABASE_PASSWORD=""

BK_ESB_DATABASE_NAME="bk_esb"
BK_ESB_DATABASE_HOST="localhost"
BK_ESB_DATABASE_PORT=3306
BK_ESB_DATABASE_USER="root"
BK_ESB_DATABASE_PASSWORD_UNENCRYPTED=""
BK_ESB_DATABASE_PASSWORD=""

# FIXME: can't only set unencrypted to empty,
# in default.py env.str("BK_APIGW_REDIS_PASSWORD_UNENCRYPTED", "") or sec_env.str("BK_APIGW_REDIS_PASSWORD") will check the password
BK_APIGW_REDIS_PASSWORD=""
BK_APIGW_REDIS_PASSWORD_UNENCRYPTED=""

# add the frontend domain, will add to CORS_ORIGIN_REGEX_WHITELIST
DASHBOARD_FE_URL="http://apigw.example.com"
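Review bot: The template does not say that `BK_APIGW_DATABASE_PASSWORD`, `BK_ESB_DATABASE_PASSWORD` and `BK_APIGW_REDIS_PASSWORD` are now taken verbatim, while the removed side of conf/default.py in this same change read those names through `sec_env`, which appears to decrypt them with `ENCRYPT_KEY`. An operator who keeps an encrypted value under the unchanged name would hand ciphertext to MySQL or Redis and see only an authentication failure. A comment above the first password entry would cover it, for example `# *_PASSWORD values are used as-is (plaintext); values encrypted with ENCRYPT_KEY are no longer decrypted`.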
31 changes: 10 additions & 21 deletions src/dashboard/apigateway/apigateway/conf/default.py
Expand Up @@ -33,7 +33,6 @@

from celery.schedules import crontab
from tencent_apigateway_common.env import Env
from tencent_apigateway_common.secure.dj_environ import SecureEnv

from apigateway.conf.celery_conf import * # noqa
from apigateway.conf.celery_conf import CELERY_BEAT_SCHEDULE
Expand All @@ -44,9 +43,6 @@

ENCRYPT_KEY = env.str("ENCRYPT_KEY")

sec_env = SecureEnv()
sec_env.set_secure_key(ENCRYPT_KEY)

# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

Expand All @@ -69,9 +65,6 @@
# use the same nonce, should not be changed at all!!!!!!
CRYPTO_NONCE = env.str("BK_APIGW_CRYPTO_NONCE", "q76rE8srRuYM")

# 网关公钥,服务部分接口接入网关,配置此网关的公钥,以校验网关 jwt
APIGW_PUBLIC_KEY = sec_env.str("APIGW_PUBLIC_KEY", "")

# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = env.bool("DEBUG", False)

Expand Down Expand Up @@ -234,7 +227,7 @@
# django translation, 避免循环引用
gettext = lambda s: s # noqa

# 站点URL
# 站点 URL
SITE_URL = "/"

# Static files (CSS, JavaScript, Images)
Expand Down Expand Up @@ -290,8 +283,7 @@
"ENGINE": env.str("BK_APIGW_DATABASE_ENGINE", "django.db.backends.mysql"),
"NAME": env.str("BK_APIGW_DATABASE_NAME", BK_APP_CODE),
"USER": env.str("BK_APIGW_DATABASE_USER", BK_APP_CODE),
"PASSWORD": env.str("BK_APIGW_DATABASE_PASSWORD_UNENCRYPTED", "")
or sec_env.str("BK_APIGW_DATABASE_PASSWORD", ""),
"PASSWORD": env.str("BK_APIGW_DATABASE_PASSWORD", ""),
"HOST": env.str("BK_APIGW_DATABASE_HOST", "localhost"),
"PORT": env.int("BK_APIGW_DATABASE_PORT", 3306),
"OPTIONS": {
Expand All @@ -302,7 +294,7 @@
"ENGINE": env.str("BK_ESB_DATABASE_ENGINE", "django.db.backends.mysql"),
"NAME": env.str("BK_ESB_DATABASE_NAME", "bk_esb"),
"USER": env.str("BK_ESB_DATABASE_USER", BK_APP_CODE),
"PASSWORD": env.str("BK_ESB_DATABASE_PASSWORD_UNENCRYPTED", "") or sec_env.str("BK_ESB_DATABASE_PASSWORD", ""),
"PASSWORD": env.str("BK_ESB_DATABASE_PASSWORD", ""),
"HOST": env.str("BK_ESB_DATABASE_HOST", "localhost"),
"PORT": env.int("BK_ESB_DATABASE_PORT", 3306),
"OPTIONS": {
Expand All @@ -313,8 +305,7 @@
"ENGINE": env.str("BK_PAAS2_DATABASE_ENGINE", "django.db.backends.mysql"),
"NAME": env.str("BK_PAAS2_DATABASE_NAME", ""),
"USER": env.str("BK_PAAS2_DATABASE_USER", ""),
"PASSWORD": env.str("BK_PAAS2_DATABASE_PASSWORD_UNENCRYPTED", "")
or sec_env.str("BK_PAAS2_DATABASE_PASSWORD", ""),
"PASSWORD": env.str("BK_PAAS2_DATABASE_PASSWORD", ""),
"HOST": env.str("BK_PAAS2_DATABASE_HOST", ""),
"PORT": env.int("BK_PAAS2_DATABASE_PORT", 3306),
"OPTIONS": {
Expand All @@ -331,7 +322,7 @@
# redis 配置
REDIS_HOST = env.str("BK_APIGW_REDIS_HOST", "localhost")
REDIS_PORT = env.int("BK_APIGW_REDIS_PORT", 6379)
REDIS_PASSWORD = env.str("BK_APIGW_REDIS_PASSWORD_UNENCRYPTED", "") or sec_env.str("BK_APIGW_REDIS_PASSWORD")
REDIS_PASSWORD = env.str("BK_APIGW_REDIS_PASSWORD", "")
REDIS_PREFIX = env.str("BK_APIGW_REDIS_PREFIX", "apigw::")
REDIS_MAX_CONNECTIONS = env.int("BK_APIGW_REDIS_MAX_CONNECTIONS", 100)
REDIS_DB = env.int("BK_APIGW_REDIS_DB", 0)
Expand Down Expand Up @@ -452,9 +443,7 @@
# Elasticsearch 配置
BK_APIGW_ES_USER = env.str("BK_APIGW_ES_USER", BK_APP_CODE)
# 密码中可能包含特殊字符
BK_APIGW_ES_PASSWORD = quote(
env.str("BK_APIGW_ES_PASSWORD_UNENCRYPTED", "") or sec_env.str("BK_APIGW_ES_PASSWORD", "")
)
BK_APIGW_ES_PASSWORD = quote(env.str("BK_APIGW_ES_PASSWORD", ""))
BK_APIGW_ES_HOST = env.list("BK_APIGW_ES_HOST", default=[])
BK_APIGW_ES_PORT = env.str("BK_APIGW_ES_PORT", "9200")
ELASTICSEARCH_HOSTS = []
Expand Down Expand Up @@ -483,7 +472,7 @@
"repository_url": env.str("DEFAULT_PYPI_REPOSITORY_URL", ""),
"index_url": env.str("DEFAULT_PYPI_INDEX_URL", ""),
"username": env.str("DEFAULT_PYPI_USERNAME", ""),
"password": env.str("DEFAULT_PYPI_PASSWORD_UNENCRYPTED", "") or sec_env.str("DEFAULT_PYPI_PASSWORD", ""),
"password": env.str("DEFAULT_PYPI_PASSWORD", ""),
}
}

Expand Down Expand Up @@ -686,9 +675,9 @@
# 网关资源数量限制
MAX_STAGE_COUNT_PER_GATEWAY = env.int("MAX_STAGE_COUNT_PER_GATEWAY", 20)
API_GATEWAY_RESOURCE_LIMITS = {
"max_gateway_count_per_app": env.int("MAX_GATEWAY_COUNT_PER_APP", 10), # 每个app最多创建的网关数量
"max_resource_count_per_gateway": env.int("MAX_RESOURCE_COUNT_PER_GATEWAY", 1000), # 每个网关最多创建的api数量
# 配置app的特殊规则
"max_gateway_count_per_app": env.int("MAX_GATEWAY_COUNT_PER_APP", 10), # 每个 app 最多创建的网关数量
"max_resource_count_per_gateway": env.int("MAX_RESOURCE_COUNT_PER_GATEWAY", 1000), # 每个网关最多创建的 api 数量
# 配置 app 的特殊规则
"max_gateway_count_per_app_whitelist": {
"bk_sops": 1000000, # 标准运维网关数量无限制
},
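Review bot: A deployment that still sets only the `*_PASSWORD_UNENCRYPTED` variables now starts with an empty password, because each new lookup such as `"PASSWORD": env.str("BK_APIGW_DATABASE_PASSWORD", "")` falls back to `""` and nothing reads the old name any more. The same applies to `REDIS_PASSWORD`, `BK_APIGW_ES_PASSWORD` and the PyPI `"password"` entry in this file, and to the two `DATABASES` entries in src/esb/esb/conf/default.py. `REDIS_PASSWORD` is also newly optional: the old side ended in `sec_env.str("BK_APIGW_REDIS_PASSWORD")` with no default, which presumably made a missing value an error. A startup guard would turn the silent fallback into a clear configuration error, e.g. `if any(k.endswith("_PASSWORD_UNENCRYPTED") for k in os.environ): raise ImproperlyConfigured("rename *_PASSWORD_UNENCRYPTED to *_PASSWORD")`, with `ImproperlyConfigured` imported from `django.core.exceptions`. The settings dictionaries these lines belong to start and end outside the hunks.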
1 change: 0 additions & 1 deletion src/dashboard/apigateway/apigateway/conf/unittest_env
Expand Up @@ -28,7 +28,6 @@ export BK_APIGW_REDIS_PORT="6378"
export BK_APIGW_REDIS_PASSWORD="egrKq5TnJvlFiPLIrtquv3Mow792xVgTzqTiSrVkUIk="
export DEFAULT_TEST_APP_CODE="apigw-api-test"
export DEFAULT_TEST_APP_SECRET="egrKq5TnJvlFiPLIrtquv3Mow792xVgTzqTiSrVkUIk="
export APIGW_PUBLIC_KEY="egrKq5TnJvlFiPLIrtquv3Mow792xVgTzqTiSrVkUIk="
export BK_APIGW_ES_HOST="localhost"
export BK_APIGW_ES_PASSWORD="egrKq5TnJvlFiPLIrtquv3Mow792xVgTzqTiSrVkUIk="
export DASHBOARD_CSRF_COOKIE_DOMAIN=".example.com"
17 changes: 5 additions & 12 deletions src/esb/esb/conf/default.py
Expand Up @@ -18,17 +18,11 @@
#
import os

from tencent_apigateway_common.env import Env
from tencent_apigateway_common.secure.dj_environ import SecureEnv

from conf.log_utils import get_logging_config, makedirs_when_not_exists
from tencent_apigateway_common.env import Env

env = Env()

sec_env = SecureEnv()
sec_env.set_secure_key(env.bytes("ENCRYPT_KEY"))


BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

# SECURITY WARNING: keep the secret key used in production secret!
Expand Down Expand Up @@ -155,7 +149,7 @@ def _(s):
"ENGINE": env.str("BK_ESB_DATABASE_ENGINE", "django.db.backends.mysql"),
"NAME": env.str("BK_ESB_DATABASE_NAME"),
"USER": env.str("BK_ESB_DATABASE_USER", ""),
"PASSWORD": env.str("BK_ESB_DATABASE_PASSWORD_UNENCRYPTED", "") or sec_env.str("BK_ESB_DATABASE_PASSWORD", ""),
"PASSWORD": env.str("BK_ESB_DATABASE_PASSWORD", ""),
"HOST": env.str("BK_ESB_DATABASE_HOST", ""),
"PORT": env.int("BK_ESB_DATABASE_PORT", 3306),
"TEST_CHARSET": env.str("DATABASE_TEST_CHARSET", "utf8"),
Expand All @@ -168,8 +162,7 @@ def _(s):
"ENGINE": env.str("BK_PAAS2_DATABASE_ENGINE", "django.db.backends.mysql"),
"NAME": env.str("BK_PAAS2_DATABASE_NAME", "open_paas"),
"USER": env.str("BK_PAAS2_DATABASE_USER", ""),
"PASSWORD": env.str("BK_PAAS2_DATABASE_PASSWORD_UNENCRYPTED", "")
or sec_env.str("BK_PAAS2_DATABASE_PASSWORD", ""),
"PASSWORD": env.str("BK_PAAS2_DATABASE_PASSWORD", ""),
"HOST": env.str("BK_PAAS2_DATABASE_HOST", ""),
"PORT": env.int("BK_PAAS2_DATABASE_PORT", 3306),
"TEST_CHARSET": env.str("DATABASE_TEST_CHARSET", "utf8"),
Expand Down Expand Up @@ -256,7 +249,7 @@ def _(s):
# host for job, default 80 for http/8443 for https
HOST_JOB = env.str("BK_JOB_URL", "")

# JOB是否启用SSL验证
# JOB 是否启用 SSL 验证
JOB_SSL = env.bool("JOB_SSL", True)

# host for gse, default 80 for http/8443 for https
Expand All @@ -276,7 +269,7 @@ def _(s):
# host for gse config
BK_GSE_CONFIG_ADDR = env.str("BK_GSE_CONFIG_URL", "")

# host for DATA,数据平台监控告警系统, default 80 for http/8443 for https
# host for DATA,数据平台监控告警系统default 80 for http/8443 for https
HOST_DATA = env.str("BK_DATA_URL", "")

# host for DATA BKSQL service
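Review bot: The rewritten comment above `HOST_DATA` appears to have lost its separator: as rendered here the new line reads `数据平台监控告警系统default 80`, running the description into the port note, where the previous line had `, default 80`. Keeping the spacing cleanup applied elsewhere in this change, the line would read `# host for DATA, 数据平台监控告警系统, default 80 for http/8443 for https`. The neighbouring `JOB_SSL` comment shows the intended style, with spaces between CJK and Latin text.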