Add TLS/mTLS settings for postgreSQL and Redis #47
@@ -3,7 +3,7 @@ | |
import os | ||
import sys | ||
from urllib.parse import urlparse | ||
|
||
from .settings_helpers import * | ||
import django.conf.locale | ||
from django.utils.crypto import get_random_string | ||
from kombu import Queue | ||
|
@@ -83,6 +83,11 @@ | |
db_options['charset'] = 'utf8mb4' | ||
JSON_FIELD_AVAILABLE = db_backend in ('mysql', 'postgresql') | ||
|
||
db_tls_config = build_db_tls_config(config, db_backend) | ||
if(db_tls_config is not None): | ||
db_options.update(db_tls_config) | ||
|
||
|
||
DATABASES = { | ||
'default': { | ||
'ENGINE': 'django.db.backends.' + db_backend, | ||
|
@@ -209,22 +214,28 @@ | |
|
||
HAS_REDIS = config.has_option('redis', 'location') | ||
if HAS_REDIS: | ||
CACHES['redis'] = { | ||
"BACKEND": "django_redis.cache.RedisCache", | ||
"LOCATION": config.get('redis', 'location'), | ||
"OPTIONS": { | ||
OPTIONS = { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please rename it to There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Renamed to |
||
"CLIENT_CLASS": "django_redis.client.DefaultClient", | ||
"REDIS_CLIENT_KWARGS": {"health_check_interval": 30} | ||
} | ||
redis_tls_config = build_redis_tls_config(config) | ||
if(redis_tls_config is not None): | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You didn't format your code with Ruff? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ah, this file is an existing file, we don't run Ruff on it. Then you have to format your code manually, based on PEP8 coding style. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. formatted the code. |
||
OPTIONS["CONNECTION_POOL_KWARGS"] = redis_tls_config | ||
OPTIONS["REDIS_CLIENT_KWARGS"].update(redis_tls_config) | ||
|
||
if config.has_option('redis', 'password'): | ||
OPTIONS["PASSWORD"] = config.get('redis', 'password') | ||
|
||
CACHES['redis'] = { | ||
"BACKEND": "django_redis.cache.RedisCache", | ||
"LOCATION": config.get('redis', 'location'), | ||
"OPTIONS": OPTIONS | ||
} | ||
CACHES['redis_sessions'] = { | ||
"BACKEND": "django_redis.cache.RedisCache", | ||
"LOCATION": config.get('redis', 'location'), | ||
"TIMEOUT": 3600 * 24 * 30, | ||
"OPTIONS": { | ||
"CLIENT_CLASS": "django_redis.client.DefaultClient", | ||
"REDIS_CLIENT_KWARGS": {"health_check_interval": 30} | ||
} | ||
"OPTIONS": OPTIONS | ||
} | ||
if not HAS_MEMCACHED: | ||
CACHES['default'] = CACHES['redis'] | ||
|
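Review bot: The TLS kwargs copied into `OPTIONS["CONNECTION_POOL_KWARGS"]` (and again into `REDIS_CLIENT_KWARGS`) only engage when `LOCATION` is a `rediss://` URL, because the pool picks its connection class from the URL scheme, so as far as I can tell a config with `ssl_cert_reqs = required` and a plain `redis://` location stays in cleartext without any error. A guard next to the `build_redis_tls_config` call, using the `urlparse` the file already imports, would make that misconfiguration fail at startup: `if urlparse(config.get('redis', 'location')).scheme != 'rediss': raise ValueError('redis TLS options require a rediss:// location')`. The second copy into `REDIS_CLIENT_KWARGS` looks redundant, since a client built on an explicit connection pool does not use its own ssl kwargs — worth confirming and dropping one of the two. Note also that redis-py's `ssl_check_hostname` is off by default, so `required` validates the certificate chain but not the server name; a comment above the call should say which of the two the operator is getting. Finally, both cache entries now share the single `OPTIONS` dict object where the old code had two separate literals, which is only safe if nothing mutates the options per cache.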
@@ -0,0 +1,38 @@ | ||
def build_db_tls_config(config, db_backend): | ||
db_ssl_mode = config.get("database", "sslmode", fallback="disable") | ||
# add postgresql TLS options | ||
if db_ssl_mode != "disable" and db_backend == "postgresql": | ||
db_tls_config = { | ||
"sslmode": db_ssl_mode, | ||
"sslrootcert": config.get("database", "sslrootcert"), | ||
} | ||
# add postgresql mTLS options | ||
if config.has_option("database", "sslcert"): | ||
db_tls_config.update( | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I thinks in these lines, writing like this is clearer: db_tls_config['sslcert'] = config.get('database', 'sslcert') There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I have made the changes. |
||
{ | ||
"sslcert": config.get("database", "sslcert"), | ||
"sslkey": config.get("database", "sslkey"), | ||
} | ||
) | ||
return db_tls_config | ||
return None | ||
|
||
|
||
def build_redis_tls_config(config): | ||
redis_ssl_cert_reqs = config.get("redis", "ssl_cert_reqs", fallback="none") | ||
# add redis tls options | ||
if redis_ssl_cert_reqs != "none": | ||
redis_tls_config = { | ||
"ssl_cert_reqs": redis_ssl_cert_reqs, | ||
"ssl_ca_certs": config.get("redis", "ssl_ca_certs"), | ||
} | ||
# add redis mTLS options | ||
if config.has_option("redis", "ssl_certfile"): | ||
redis_tls_config.update( | ||
{ | ||
"ssl_keyfile": config.get("redis", "ssl_keyfile"), | ||
"ssl_certfile": config.get("redis", "ssl_certfile"), | ||
} | ||
) | ||
return redis_tls_config | ||
return None |
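Review bot: `build_db_tls_config` reads `sslrootcert` and `sslkey` with no fallback, so a config that sets `sslmode = require` without `sslrootcert`, or `sslcert` without `sslkey`, raises `configparser.NoOptionError` while settings are being imported; `build_redis_tls_config` has the same gap at `ssl_ca_certs` and `ssl_keyfile`. Only `verify-ca` and `verify-full` make libpq authenticate the server (`verify-full` additionally checks the host name), while `require`, `prefer` and `allow` encrypt without verifying it, and the function's docstring should state that so an operator does not read "TLS enabled" as "server verified". Neither helper has a docstring at all. I would emit only the keys that are actually configured and reject a half-configured client certificate, as below; the same shape applies to the Redis helper.
```python
def build_db_tls_config(config, db_backend):
    """Return PostgreSQL TLS connection options from ``[database]``, or None.

    ``sslmode`` values ``allow``/``prefer``/``require`` only encrypt;
    ``verify-ca`` checks the server chain and ``verify-full`` also checks
    the host name. ``sslrootcert``, ``sslcert`` and ``sslkey`` are optional
    and passed through only when present; a client cert needs its key.
    """
    db_ssl_mode = config.get("database", "sslmode", fallback="disable")
    if db_ssl_mode == "disable" or db_backend != "postgresql":
        return None
    db_tls_config = {"sslmode": db_ssl_mode}
    # Emit only what the operator configured instead of requiring every key.
    for key in ("sslrootcert", "sslcert", "sslkey"):
        if config.has_option("database", key):
            db_tls_config[key] = config.get("database", key)
    if ("sslcert" in db_tls_config) != ("sslkey" in db_tls_config):
        raise ValueError("database sslcert and sslkey must be set together")
    return db_tls_config
```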
Please do not use `import *`. Be explicit about what you want to import (PEP8 coding style).
I have made these changes.