PR#122: Fix db-uri leakage and add Proxy support - fedora-qa/blockerbugs

fedora-qa / blockerbugs

#122 Fix db-uri leakage and add Proxy support

Merged 3 years ago by frantisekz. Opened 3 years ago by jskladan.

feature/proxyfix into develop

Fix db-uri leakage and add Proxy support

Josef Skladanka • 3 years ago

1c376db

blockerbugs/__init__.py

file modified

+7 -2

		`@@ -53,6 +53,11 @@`
		`if os.getenv('DEBUG') == 'true':`
		`app.config["DEBUG"] = True`

		`+ # "Hotfix" for proxy handling on current deployment, my guess is that the proxy server is set differently than it was, but what do I know...`
		`+ if app.config["BEHIND_PROXY"]:`
		`+ from werkzeug.contrib.fixers import ProxyFix`
		`+ app.wsgi_app = ProxyFix(app.wsgi_app, num_proxies=1)`
		`+`
		`# setup logging`
		`fmt = '[%(filename)s:%(lineno)d] ' if app.debug else '%(module)-12s '`
		`fmt += '%(asctime)s %(levelname)-7s %(message)s'`
		`@@ -93,8 +98,8 @@`

		`setup_logging()`

		`-`
		`- app.logger.debug('using DBURI: %s' % app.config['SQLALCHEMY_DATABASE_URI'])`
		`+ if app.config['SHOW_DB_URI']:`
		`+ app.logger.debug('using DBURI: %s' % app.config['SQLALCHEMY_DATABASE_URI'])`

		`# database`
		`db = SQLAlchemy(app)`

blockerbugs/config.py

file modified

		`@@ -43,6 +43,7 @@`
		`FILE_LOGGING = False`
		`SYSLOG_LOGGING = False`
		`STREAM_LOGGING = True`
		`+ SHOW_DB_URI = False`
		`FEDMENU_URL = ""`
		`FEDMENU_DATA_URL = ""`
		`PAGURE_URL = "https://stg.pagure.io/"`
		`@@ -77,11 +78,13 @@`
		`PAGURE_URL = "https://pagure.io/"`
		`PAGURE_API = "https://pagure.io/api/0/"`
		`PAGURE_REPO = "fedora-qa/blocker-review"`
		`+ SHOW_DB_URI = False`


		`class DevelopmentConfig(Config):`
		`TRAP_BAD_REQUEST_ERRORS = True`
		`SQLALCHEMY_DATABASE_URI = 'sqlite:////var/tmp/blockerbugs_db.sqlite'`
		`+ SHOW_DB_URI = True`


		`class TestingConfig(Config):`

conf/settings.py.example

file modified

		`@@ -21,3 +21,5 @@`
		`PAGURE_REPO = "fedora-qa/blocker-review"`
		`PAGURE_REPO_TOKEN = "YOUR SECRET API TOKEN FROM PROJECT SETTINGS"`
		`PAGURE_BOT_USERNAME = 'blockerbot'`
		`+ SHOW_DB_URI = False`
		`+ BEHIND_PROXY = False`

jskladan commented 3 years ago

Adds Proxy handling to fix the broken openid login.

Not sure what changed between the deployments, that this is now needed out of the blue, but the issue was that the request.url was set to localhost:8081/blockerbugs instead of the "public" URL.

Also fixes the DB-uri (contains login and password) leakage to logs.

Requires fix in the ansible playbook to work on production - add BEHIND_PROXY = True to the config file.