{ "info": { "author": "Carsten E. Mahr", "author_email": "impressum@carsten-mahr.de", "bugtrack_url": null, "classifiers": [ "Environment :: Web Environment", "Framework :: Django", "Framework :: Django :: 2.1", "Framework :: Django :: 2.2", "Intended Audience :: Developers", "License :: OSI Approved :: Apache Software License", "Operating System :: POSIX :: Linux", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3 :: Only", "Topic :: Internet :: WWW/HTTP :: WSGI :: Application", "Topic :: Security :: Cryptography" ], "description": "# django-secret-settings\nSecure and convenient secret management for your Django settings!\n\n[![build status](https://gitlab.com/cmahr/django-secret-settings/badges/master/pipeline.svg)](https://gitlab.com/cmahr/django-secret-settings/commits/master)\n[![code coverage](https://gitlab.com/cmahr/django-secret-settings/badges/master/coverage.svg)](https://cmahr.gitlab.io/django-secret-settings)\n\n## Purpose and rationale\n*django-secret-settings* is a Python 3 package designed to augment a 'typical' Django settings package of the structure\n\n settings/\n \u251c\u2500\u2500 __init__.py\n \u251c\u2500\u2500 development.py\n \u251c\u2500\u2500 production.py\n \u251c\u2500\u2500 ...\n \u2514\u2500\u2500 staging.py\n\nwhere the `__init__.py` is used to include an environment-specific settings module (e.g., `from .development import *`).\nSwitching the Django settings based on the server nature (development, testing, production, ...) is particularly easy in\nsuch a setup. Additionally, settings that are equal may be extracted into a `base` module that is imported into any\nspecialized settings module if appropriate. This helps maintaining the settings package by following established design\nchoices (the DRY principle, in particular).\n\nHowever, in order to avoid any secrets to be part of the settings files in plain text, some custom additional deployment\nhook must be used to add those secrets at the latest possible time. Depending on the implemented solution, this step\nmight be rather intricate and thus render the deployment process error-prone. More simple solutions, on the other hand\n(e.g., separately deploying the settings module or even the whole package), tend to make it very hard for a developer\nhaving access to the source repository to gain an overview of the available settings, let alone to add new values.\n\nThis is where *django-secret-settings* comes in: Instead of forcibly keeping all secrets out of version control or in a\nseparate submodule (both remains possible), it allows for secrets to be stored as RSA-encrypted JSON files in the\nrepository itself, one 'secret store' per environment: For each kind of server nature, e.g., staging, a directory is\nplaced in a `secrets` folder. This folder contains multiple JSON-encoded secret files, e.g., `django` for all Django\nconfiguration values and `email` for username, password and other secret settings of the mail server. In the example\ngiven above, the directory structure would resemble\n\n settings/\n \u251c\u2500\u2500 __init__.py\n \u251c\u2500\u2500 development.py\n \u251c\u2500\u2500 production.py\n \u251c\u2500\u2500 secrets\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 staging.pem\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 production\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 django\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 email\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 public-key.pem\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 ...\n \u2502\u00a0\u00a0 \u2514\u2500\u2500 staging\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 django\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 email\n \u2502\u00a0\u00a0 \u2514\u2500\u2500 public-key.pem\n \u251c\u2500\u2500 ...\n \u2514\u2500\u2500 staging.py\n\nThis way, only one secret per environment remains: The private key file (e.g., `staging.pem`) necessary to decrypt the\nvarious RSA-encrypted files, which is the only quantity that is *not* kept in version control. Consequently, this\nremaining secret is still to be deployed otherwise \u2013 but separately deploying one single file seems feasible. Further,\nchanging the settings based on the environment remains simple, as *django-secret-settings* decides based on the name of\nthe private key file (e.g. `staging.pem`) which settings to load (i.e., `staging.py` in this case). Finally, adding new\nsecrets in a safe manner is possible for every developer having access to the source repository: Simply wrap your\nsecrets in a valid JSON string and encrypt it with the corresponding public key available in the directory of each\nsecret store!\n\n\n## Requirements\n### Production\n*django-secret-settings* intends to be minimalistic but opinionated when it comes to production dependencies:\n* **Python >= 3.5**: Currently, the CI pipeline runs on Python 3.5 and 3.6, testing additional Python versions\n is the goal of [issue #20](https://gitlab.com/cmahr/django-secret-settings/issues/20). Python 2.x will not be\n supported.\n* **OpenSSL >= 3.0.0-dev**: OpenSSL is the basis of `mod_ssl` (Apache HTTP Server) and `ngx_http_ssl_module` (Nginx) and\nis probably present if you use SSL (you should). We discourage using older versions due to possible licensing issues.\n\n### Development\nBesides the requirements listed above, additional dependencies necessary for development are listed in the\n[requirements file](https://gitlab.com/cmahr/django-secret-settings/blob/master/requirements-dev.txt). They may, of\ncourse, be installed using `pip`:\n```bash\npip install -r requirements-dev.txt\n```\n\n\n## Installation\nIt is as simple as running\n```bash\npip install django-secret-settings\n```\n\n\n## Quick start\nAlthough *security* is one of the major design criteria for *django-secret-settings*, the setup and usage of encrypted\nconfiguration values remains simple:\n\n1. Rewrite your `settings/__init__.py` as follows:\n\n ```python\n from django_secret_settings.autoload import *\n ```\n\n2. Add environment folders with public keys and secret files according to the schema described above. The secret files\n contain RSA-encrypted JSON data, e.g. the **de**crypted `django` file would look like:\n\n ```json\n {\n \"SECRET_KEY\": \"l#!6p7)-4xhy25@pu5$y$%k&7#8a(#1^89=^m*=e69xl**&!11\"\n }\n ```\n\n Encryption is to be done using the corresponding public key.\n\n3. Adapt your specialized settings to use the `secret_store`:\n\n ```python\n from django_secret_settings.autoload import secret_store\n\n # SECURITY WARNING: keep the secret key used in production secret!\n SECRET_KEY = secret_store.get('django', 'SECRET_KEY')\n\n # Other settings omitted for brevity...\n ```\n\n4. Also adapt your deployment to add the private key file designating the settings to use. Optionally, you'll want to add a\n `.gitignore` file to your settings package to make sure these secret files are *never* stored in version control.\n\n\n## Tutorial\nA more detailed introduction to the ideas behind *django-secret-settings* and its usage can be found in the\n[tutorial](https://gitlab.com/cmahr/django-secret-settings/blob/master/docs/tutorial.md).\n\n\n## Things to come\nThe best is yet to come, I'm sure! Why don't you take a look at our\n[board](https://gitlab.com/cmahr/django-secret-settings/boards) to browse all open and closed issues? Or if you are\ninterested in the things that are projected to be part of the next release, why not browse our\n[milestones](https://gitlab.com/cmahr/django-secret-settings/milestones)?\n\n\n", "description_content_type": "text/markdown", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://gitlab.com/cmahr/django-secret-settings", "keywords": "", "license": "http://www.apache.org/licenses/LICENSE-2.0", "maintainer": "", "maintainer_email": "", "name": "django-secret-settings", "package_url": "https://pypi.org/project/django-secret-settings/", "platform": "", "project_url": "https://pypi.org/project/django-secret-settings/", "project_urls": { "Homepage": "https://gitlab.com/cmahr/django-secret-settings" }, "release_url": "https://pypi.org/project/django-secret-settings/1.0.0/", "requires_dist": null, "requires_python": "", "summary": "A Python package facilitating the inclusion of encrypted secrets in the Django settings.", "version": "1.0.0" }, "last_serial": 5317180, "releases": { "1.0.0": [ { "comment_text": "", "digests": { "md5": "203b9a43e749e06a24171ebad4e8d130", "sha256": "2a31a3f948828b2ec4672eb17a87b385615221a5032aa0cd0ef8b94830a2a17c" }, "downloads": -1, "filename": "django_secret_settings-1.0.0-py3-none-any.whl", "has_sig": false, "md5_digest": "203b9a43e749e06a24171ebad4e8d130", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 36445, "upload_time": "2019-05-25T19:32:03", "url": "https://files.pythonhosted.org/packages/38/a4/a2cdb0adf08873053aaf9b34700550be41000ae6e351953cd22b40115b28/django_secret_settings-1.0.0-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "b9f323404143b082d4f69d9815643389", "sha256": "504bf09564d48e4e5cef1ecc8588a6c876b05a1dd4ef72b1cb6ca36d24710fde" }, "downloads": -1, "filename": "django-secret-settings-1.0.0.tar.gz", "has_sig": false, "md5_digest": "b9f323404143b082d4f69d9815643389", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 25107, "upload_time": "2019-05-25T19:32:05", "url": "https://files.pythonhosted.org/packages/17/41/6d98fc05cbc37a372912401ee50ffb69b6a49d38045705b100f86d2cc0b3/django-secret-settings-1.0.0.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "203b9a43e749e06a24171ebad4e8d130", "sha256": "2a31a3f948828b2ec4672eb17a87b385615221a5032aa0cd0ef8b94830a2a17c" }, "downloads": -1, "filename": "django_secret_settings-1.0.0-py3-none-any.whl", "has_sig": false, "md5_digest": "203b9a43e749e06a24171ebad4e8d130", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 36445, "upload_time": "2019-05-25T19:32:03", "url": "https://files.pythonhosted.org/packages/38/a4/a2cdb0adf08873053aaf9b34700550be41000ae6e351953cd22b40115b28/django_secret_settings-1.0.0-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "b9f323404143b082d4f69d9815643389", "sha256": "504bf09564d48e4e5cef1ecc8588a6c876b05a1dd4ef72b1cb6ca36d24710fde" }, "downloads": -1, "filename": "django-secret-settings-1.0.0.tar.gz", "has_sig": false, "md5_digest": "b9f323404143b082d4f69d9815643389", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 25107, "upload_time": "2019-05-25T19:32:05", "url": "https://files.pythonhosted.org/packages/17/41/6d98fc05cbc37a372912401ee50ffb69b6a49d38045705b100f86d2cc0b3/django-secret-settings-1.0.0.tar.gz" } ] }