From 6bada6660a499a81086de8413239dee31bf9c47d Mon Sep 17 00:00:00 2001
From: eemil
Date: Wed, 13 May 2020 15:44:41 +0300
Subject: [PATCH 1/3] Prefer secret to env variable if both are configured

---
 configuration/configuration.py | 16 ++++++++--------
 configuration/ldap_config.py | 6 +++---
 docker/docker-entrypoint.sh | 20 ++++++++------------
 3 files changed, 19 insertions(+), 23 deletions(-)

diff --git a/configuration/configuration.py b/configuration/configuration.py
index 6e5ff19..0081072 100644
--- a/configuration/configuration.py
+++ b/configuration/configuration.py
@@ -6,11 +6,11 @@ import socket
 # Based on https://github.com/netbox-community/netbox/blob/develop/netbox/netbox/configuration.example.py
 
 # Read secret from file
-def read_secret(secret_name):
+def read_secret(secret_name, default=''):
     try:
         f = open('/run/secrets/' + secret_name, 'r', encoding='utf-8')
     except EnvironmentError:
-        return ''
+        return default
     else:
         with f:
             return f.readline().strip()
@@ -33,7 +33,7 @@ ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS', '*').split(' ')
 DATABASE = {
     'NAME': os.environ.get('DB_NAME', 'netbox'), # Database name
     'USER': os.environ.get('DB_USER', ''), # PostgreSQL username
-    'PASSWORD': os.environ.get('DB_PASSWORD', read_secret('db_password')),
+    'PASSWORD': read_secret('db_password', os.environ.get('DB_PASSWORD', '')),
     # PostgreSQL password
     'HOST': os.environ.get('DB_HOST', 'localhost'), # Database server
     'PORT': os.environ.get('DB_PORT', ''), # Database port (leave blank for default)
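Review bot: `read_secret` becomes the primary lookup for every credential in this file, but its contract is still described only by `# Read secret from file`; the comment should state the precedence the new `default` parameter establishes — the first line of `/run/secrets/<secret_name>`, whitespace-stripped, whenever that file can be opened, else `default` — because callers now pass the environment value as `default`. Note also that `except EnvironmentError` treats a present-but-unreadable secret (for example a permission problem on the mount) exactly like an absent one, so a misconfigured secret silently degrades to the env value or to `''` and the service starts with an empty password instead of failing; narrowing the guard to `except FileNotFoundError:` would let such errors surface at startup. The same function is duplicated verbatim in `configuration/ldap_config.py` later in this patch, so both copies need the same comment and the same guard.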
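Review bot: With the swapped precedence, a `/run/secrets/db_password` file that exists but is empty now yields an empty `PASSWORD` even when `DB_PASSWORD` is set, because `read_secret` returns the stripped first line (`''`) rather than its `default` argument whenever the file opens. If an empty secret file is not meant to be an explicit empty password, `read_secret` should fall back to `default` when the line is empty; either way the precedence deserves a one-line comment at this entry, e.g. `# secret file wins over DB_PASSWORD when both are present`, since the same pattern is repeated for every credential in this patch.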
@@ -47,7 +47,7 @@ DATABASE = {
 # For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
 # symbols. NetBox will not run without this defined. For more information, see
 # https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-SECRET_KEY
-SECRET_KEY = os.environ.get('SECRET_KEY', read_secret('secret_key'))
+SECRET_KEY = read_secret('secret_key', os.environ.get('SECRET_KEY', ''))
 
 # Redis database settings. The Redis database is used for caching and background processing such as webhooks
 REDIS = {
@@ -62,7 +62,7 @@ REDIS = {
     'webhooks': { # legacy setting, can be removed after Netbox seizes support for it
         'HOST': os.environ.get('REDIS_HOST', 'localhost'),
         'PORT': int(os.environ.get('REDIS_PORT', 6379)),
-        'PASSWORD': os.environ.get('REDIS_PASSWORD', read_secret('redis_password')),
+        'PASSWORD': read_secret('redis_password', os.environ.get('REDIS_PASSWORD', '')),
         'DATABASE': int(os.environ.get('REDIS_DATABASE', 0)),
         'DEFAULT_TIMEOUT': int(os.environ.get('REDIS_TIMEOUT', 300)),
         'SSL': os.environ.get('REDIS_SSL', 'False').lower() == 'true',
@@ -70,7 +70,7 @@ REDIS = {
     'caching': {
         'HOST': os.environ.get('REDIS_CACHE_HOST', os.environ.get('REDIS_HOST', 'localhost')),
         'PORT': int(os.environ.get('REDIS_CACHE_PORT', os.environ.get('REDIS_PORT', 6379))),
-        'PASSWORD': os.environ.get('REDIS_CACHE_PASSWORD', os.environ.get('REDIS_PASSWORD', read_secret('redis_cache_password'))),
+        'PASSWORD': read_secret('redis_cache_password', os.environ.get('REDIS_CACHE_PASSWORD', read_secret('redis_password', os.environ.get('REDIS_PASSWORD', '')))),
         'DATABASE': int(os.environ.get('REDIS_CACHE_DATABASE', 1)),
         'DEFAULT_TIMEOUT': int(os.environ.get('REDIS_CACHE_TIMEOUT', os.environ.get('REDIS_TIMEOUT', 300))),
         'SSL': os.environ.get('REDIS_CACHE_SSL', os.environ.get('REDIS_SSL', 'False')).lower() == 'true',
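Review bot: The new caching `'PASSWORD'` line nests two `read_secret` calls inside two `os.environ.get` calls on one line, which makes the intended order (cache secret, cache variable, shared secret, shared variable) hard to verify at a glance and opens the `redis_password` secret file a second time. Binding the shared value once, e.g. `redis_password = read_secret('redis_password', os.environ.get('REDIS_PASSWORD', ''))` above `REDIS = {`, then using it in the webhooks block and as `'PASSWORD': read_secret('redis_cache_password', os.environ.get('REDIS_CACHE_PASSWORD', redis_password)),` here keeps a single definition of the fallback chain. A short comment naming that order next to the caching entry would also help, since neither hunk documents it.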
@@ -124,7 +124,7 @@ EMAIL = {
     'SERVER': os.environ.get('EMAIL_SERVER', 'localhost'),
     'PORT': int(os.environ.get('EMAIL_PORT', 25)),
     'USERNAME': os.environ.get('EMAIL_USERNAME', ''),
-    'PASSWORD': os.environ.get('EMAIL_PASSWORD', read_secret('email_password')),
+    'PASSWORD': read_secret('email_password', os.environ.get('EMAIL_PASSWORD', '')),
     'TIMEOUT': int(os.environ.get('EMAIL_TIMEOUT', 10)), # seconds
     'FROM_EMAIL': os.environ.get('EMAIL_FROM', ''),
     'USE_SSL': os.environ.get('EMAIL_USE_SSL', 'False').lower() == 'true',
@@ -171,7 +171,7 @@ METRICS_ENABLED = os.environ.get('METRICS_ENABLED', 'False').lower() == 'true'
 
 # Credentials that NetBox will use to access live devices.
 NAPALM_USERNAME = os.environ.get('NAPALM_USERNAME', '')
-NAPALM_PASSWORD = os.environ.get('NAPALM_PASSWORD', read_secret('napalm_password'))
+NAPALM_PASSWORD = read_secret('napalm_password', os.environ.get('NAPALM_PASSWORD', ''))
 
 # NAPALM timeout (in seconds). (Default: 30)
 NAPALM_TIMEOUT = int(os.environ.get('NAPALM_TIMEOUT', 30))
diff --git a/configuration/ldap_config.py b/configuration/ldap_config.py
index 23a1e6d..da6c6fe 100644
--- a/configuration/ldap_config.py
+++ b/configuration/ldap_config.py
@@ -5,11 +5,11 @@ from django_auth_ldap.config import LDAPSearch
 from importlib import import_module
 
 # Read secret from file
-def read_secret(secret_name):
+def read_secret(secret_name, default=''):
     try:
         f = open('/run/secrets/' + secret_name, 'r', encoding='utf-8')
     except EnvironmentError:
-        return ''
+        return default
     else:
         with f:
             return f.readline().strip()
@@ -32,7 +32,7 @@ AUTH_LDAP_CONNECTION_OPTIONS = {
 
 # Set the DN and password for the NetBox service account.
 AUTH_LDAP_BIND_DN = os.environ.get('AUTH_LDAP_BIND_DN', '')
-AUTH_LDAP_BIND_PASSWORD = os.environ.get('AUTH_LDAP_BIND_PASSWORD', read_secret('auth_ldap_bind_password'))
+AUTH_LDAP_BIND_PASSWORD = read_secret('auth_ldap_bind_password', os.environ.get('AUTH_LDAP_BIND_PASSWORD', ''))
 
 # Set a string template that describes any user’s distinguished name based on the username.
 AUTH_LDAP_USER_DN_TEMPLATE = os.environ.get('AUTH_LDAP_USER_DN_TEMPLATE', None)
diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
index f555695..4887d96 100755
--- a/docker/docker-entrypoint.sh
+++ b/docker/docker-entrypoint.sh
@@ -31,19 +31,15 @@ else
   if [ -z ${SUPERUSER_EMAIL+x} ]; then
     SUPERUSER_EMAIL='admin@example.com'
   fi
-  if [ -z ${SUPERUSER_PASSWORD+x} ]; then
-    if [ -f "/run/secrets/superuser_password" ]; then
-      SUPERUSER_PASSWORD="$(< /run/secrets/superuser_password)"
-    else
-      SUPERUSER_PASSWORD='admin'
-    fi
+  if [ -f "/run/secrets/superuser_password" ]; then
+    SUPERUSER_PASSWORD="$(< /run/secrets/superuser_password)"
+  elif [ -z ${SUPERUSER_PASSWORD+x} ]; then
+    SUPERUSER_PASSWORD='admin'
   fi
-  if [ -z ${SUPERUSER_API_TOKEN+x} ]; then
-    if [ -f "/run/secrets/superuser_api_token" ]; then
-      SUPERUSER_API_TOKEN="$(< /run/secrets/superuser_api_token)"
-    else
-      SUPERUSER_API_TOKEN='0123456789abcdef0123456789abcdef01234567'
-    fi
+  if [ -f "/run/secrets/superuser_api_token" ]; then
+    SUPERUSER_API_TOKEN="$(< /run/secrets/superuser_api_token)"
+  elif [ -z ${SUPERUSER_API_TOKEN+x} ]; then
+    SUPERUSER_API_TOKEN='0123456789abcdef0123456789abcdef01234567'
   fi
 
   ./manage.py shell --interface python << END
From 85fbb0af7046a8f3784c192eae0b716b4e11fe23 Mon Sep 17 00:00:00 2001
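Review bot: The two new `elif` branches still fall back to a well-known password (`'admin'`) and a fixed API token whenever neither the secret file nor the environment variable is present, and nothing in the hunk signals that this happened, so a deployment that mis-spells the secret name or the variable silently ends up with default superuser credentials. Each fallback should at least announce itself in the container log, e.g. `echo "SUPERUSER_PASSWORD not set, using default password" >&2` and `echo "SUPERUSER_API_TOKEN not set, using default token" >&2` beside the two assignments. Note as well that `$(< file)` keeps the file's full content apart from trailing newlines, whereas the Python `read_secret` in this patch takes only the first line and strips surrounding whitespace, so a secret file with leading spaces or extra lines is read differently by the two consumers; a comment at the top of this block stating the expected secret-file format would avoid that surprise. The enclosing `else` block starts before and ends after this hunk.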
From: eemil
Date: Thu, 14 May 2020 17:46:26 +0000
Subject: [PATCH 2/3] fix typo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Christian Mäder
---
 configuration/configuration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configuration/configuration.py b/configuration/configuration.py
index 0081072..ae777e4 100644
--- a/configuration/configuration.py
+++ b/configuration/configuration.py
@@ -62,7 +62,7 @@ REDIS = {
     'webhooks': { # legacy setting, can be removed after Netbox seizes support for it
         'HOST': os.environ.get('REDIS_HOST', 'localhost'),
         'PORT': int(os.environ.get('REDIS_PORT', 6379)),
-        'PASSWORD': read_secret('redis_password', os.environ.get('REDIS_PASSWORD', '')),
+        'PASSWORD': read_secret('redis_password', os.environ.get('REDIS_PASSWORD', '')),
         'DATABASE': int(os.environ.get('REDIS_DATABASE', 0)),
         'DEFAULT_TIMEOUT': int(os.environ.get('REDIS_TIMEOUT', 300)),
         'SSL': os.environ.get('REDIS_SSL', 'False').lower() == 'true',
From 9287995df4ad5f126514c274895935c9c785d267 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20M=C3=A4der?=
Date: Tue, 20 Oct 2020 19:22:52 +0200
Subject: [PATCH 3/3] Update to latest configuration

---
 configuration/configuration.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/configuration/configuration.py b/configuration/configuration.py
index ae777e4..f7c8ed5 100644
--- a/configuration/configuration.py
+++ b/configuration/configuration.py
@@ -6,7 +6,7 @@ import socket
 # Based on https://github.com/netbox-community/netbox/blob/develop/netbox/netbox/configuration.example.py
 
 # Read secret from file
-def read_secret(secret_name, default=''):
+def read_secret(secret_name, default=None):
     try:
         f = open('/run/secrets/' + secret_name, 'r', encoding='utf-8')
     except EnvironmentError:
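Review bot: Changing the default to `None` here makes the two copies of `read_secret` in this series disagree: `configuration/ldap_config.py` still returns `''` for an absent secret when no default is passed, while this file now returns `None`. Every call in these patches passes an explicit default, so nothing observable changes yet, but the next caller written without one will get a different type depending on which module it lives in; the ldap copy should receive the same `default=None` in this commit, or the divergence should be stated in the `# Read secret from file` comment. That comment is also still the only documentation of the function and says nothing about the file-wins-over-environment precedence that the rest of the series relies on.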
@@ -54,7 +54,7 @@ REDIS = {
     'tasks': {
         'HOST': os.environ.get('REDIS_HOST', 'localhost'),
         'PORT': int(os.environ.get('REDIS_PORT', 6379)),
-        'PASSWORD': os.environ.get('REDIS_PASSWORD', read_secret('redis_password')),
+        'PASSWORD': read_secret('redis_password', os.environ.get('REDIS_PASSWORD', ''),
         'DATABASE': int(os.environ.get('REDIS_DATABASE', 0)),
         'DEFAULT_TIMEOUT': int(os.environ.get('REDIS_TIMEOUT', 300)),
         'SSL': os.environ.get('REDIS_SSL', 'False').lower() == 'true',
@@ -62,7 +62,7 @@ REDIS = {
     'webhooks': { # legacy setting, can be removed after Netbox seizes support for it
         'HOST': os.environ.get('REDIS_HOST', 'localhost'),
         'PORT': int(os.environ.get('REDIS_PORT', 6379)),
-        'PASSWORD': read_secret('redis_password', os.environ.get('REDIS_PASSWORD', '')),
+        'PASSWORD': read_secret('redis_password', os.environ.get('REDIS_PASSWORD', ''),
         'DATABASE': int(os.environ.get('REDIS_DATABASE', 0)),
         'DEFAULT_TIMEOUT': int(os.environ.get('REDIS_TIMEOUT', 300)),
         'SSL': os.environ.get('REDIS_SSL', 'False').lower() == 'true',
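Review bot: The new `'PASSWORD'` line in the `tasks` block is missing its closing parenthesis — `read_secret('redis_password', os.environ.get('REDIS_PASSWORD', ''),` opens two parentheses and closes only one — so `configuration.py` no longer parses and NetBox fails at import; the `webhooks` hunk below carries the identical defect. Both lines should read `'PASSWORD': read_secret('redis_password', os.environ.get('REDIS_PASSWORD', '')),`. Since both blocks resolve the same secret and variable, binding that value once at module level and reusing it in each block would also keep the two from drifting apart again.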