Merge pull request #11 from nhr/templatized

Templatized Django package

Author: kraman

.openshift/README.md

@@ -0,0 +1,25 @@
+# Django Template for OpenShift
+
+## Template App Information
+Product: Django  
+Version: 1.4  
+Source:  https://github.com/django/django.git  
+Commit:  2591fb8d4c0246f68b79554976c012039df75359
+
+## Maintenance
+This folder contains a diff file that includes the changes made to the
+stock Django app in order to make it OpenShift-Template-ready. If
+you are a maintainer tasked with updating the Django template, you
+may be able to use this patch file on the updated Django code to
+automatically reapply these changes.
+
+Here are the steps involved:
+
+1. Under the 'wsgi' directory, apply any patches required to update the 'openshift' Django app.
+2. From the template root directory, run 'git apply --check .openshift/template.patch' to test for patching problems.
+3. Next run 'git am --signoff < .openshift/template.patch' to apply the patch to the template.
+
+If this process succeeds, then the changes have been automatically
+applied. Otherwise it may be necessary to manually apply the
+changes. If the base package has changed enough, you may need to
+re-audit the base code and generate a new patch file.

.openshift/action_hooks/deploy

@@ -10,10 +10,11 @@ if [ ! -f $OPENSHIFT_DATA_DIR/sqlite3.db ]
 then
     echo "Copying $OPENSHIFT_REPO_DIR/wsgi/openshift/sqlite3.db to $OPENSHIFT_DATA_DIR"
     cp "$OPENSHIFT_REPO_DIR"wsgi/openshift/sqlite3.db $OPENSHIFT_DATA_DIR
+    python "$OPENSHIFT_REPO_DIR".openshift/action_hooks/secure_db.py
 else
     echo "Executing 'python $OPENSHIFT_REPO_DIR/wsgi/openshift/manage.py syncdb --noinput'"
     python "$OPENSHIFT_REPO_DIR"wsgi/openshift/manage.py syncdb --noinput
 fi
 
 echo "Executing 'python $OPENSHIFT_REPO_DIR/wsgi/openshift/manage.py collectstatic --noinput'"
-python "$OPENSHIFT_REPO_DIR"wsgi/openshift/manage.py collectstatic --noinput
+python "$OPENSHIFT_REPO_DIR"wsgi/openshift/manage.py collectstatic --noinput

.openshift/action_hooks/secure_db.py

@@ -0,0 +1,42 @@
+#!/usr/bin/env python
+import hashlib, imp, os, sqlite3
+
+# Load the openshift helper library
+lib_path      = os.environ['OPENSHIFT_REPO_DIR'] + 'wsgi/openshift/'
+modinfo       = imp.find_module('openshiftlibs', [lib_path])
+openshiftlibs = imp.load_module('openshiftlibs', modinfo[0], modinfo[1], modinfo[2])
+
+# Open the database
+conn = sqlite3.connect(os.environ['OPENSHIFT_DATA_DIR'] + '/sqlite3.db')
+c    = conn.cursor()
+
+# Grab the default security info
+c.execute('SELECT password FROM AUTH_USER WHERE id = 1')
+pw_info = c.fetchone()[0]
+
+# The password is stored as [hashtype]$[salt]$[hashed]
+pw_fields = pw_info.split("$")
+hashtype  = pw_fields[0]
+old_salt  = pw_fields[1]
+old_pass  = pw_fields[2]
+
+# Randomly generate a new password and a new salt
+# The PASSWORD value below just sets the length (12)
+# for the real new password.
+old_keys = { 'SALT': old_salt, 'PASS': '123456789ABC' }
+use_keys = openshiftlibs.openshift_secure(old_keys)
+
+# Encrypt the new password
+new_salt    = use_keys['SALT']
+new_pass    = use_keys['PASS']
+new_hashed  = hashlib.sha1(new_salt + new_pass).hexdigest()
+new_pw_info = "$".join([hashtype,new_salt,new_hashed])
+
+# Update the database
+c.execute('UPDATE AUTH_USER SET password = ? WHERE id = 1', [new_pw_info])
+conn.commit()
+c.close()
+conn.close()
+
+# Print the new password info
+print "CLIENT_MESSAGE: The password for user 'admin' in your Django app is " + new_pass + " ...be sure to write this down as you will not see this message again.\n"

.openshift/template.patch

@@ -0,0 +1,133 @@
+From 2b49faba38b8ceb8abe639b5f7ec022a59f47ce0 Mon Sep 17 00:00:00 2001
+From: "N. Harrison Ripps" <[email protected]>
+Date: Mon, 23 Jul 2012 11:05:13 -0400
+Subject: [PATCH] Added changes to templatize the quick start.
+
+---
+ wsgi/openshift/openshiftlibs.py |   81 +++++++++++++++++++++++++++++++++++++++
+ wsgi/openshift/settings.py      |   14 ++++++-
+ 2 files changed, 93 insertions(+), 2 deletions(-)
+ create mode 100644 wsgi/openshift/openshiftlibs.py
+
+diff --git a/wsgi/openshift/openshiftlibs.py b/wsgi/openshift/openshiftlibs.py
+new file mode 100644
+index 0000000..a11e0e5
+--- /dev/null
++++ b/wsgi/openshift/openshiftlibs.py
+@@ -0,0 +1,81 @@
++#!/usr/bin/env python
++import hashlib, inspect, os, random, sys
++
++# Gets the secret token provided by OpenShift 
++# or generates one (this is slightly less secure, but good enough for now)
++def get_openshift_secret_token():
++    token = os.getenv('OPENSHIFT_SECRET_TOKEN')
++    name  = os.getenv('OPENSHIFT_APP_NAME')
++    uuid  = os.getenv('OPENSHIFT_APP_UUID')
++    if token is not None:
++        return token
++    elif (name is not None and uuid is not None):
++        return hashlib.sha256(name + '-' + uuid).hexdigest()
++    return None
++
++# Loop through all provided variables and generate secure versions
++# If not running on OpenShift, returns defaults and logs an error message
++#
++# This function calls secure_function and passes an array of:
++#  {
++#    'hash':     generated sha hash,
++#    'variable': name of variable,
++#    'original': original value
++#  }
++def openshift_secure(default_keys, secure_function = 'make_secure_key'):
++    # Attempts to get secret token
++    my_token = get_openshift_secret_token()
++
++    # Only generate random values if on OpenShift
++    my_list  = default_keys
++    
++    if my_token is not None:
++        # Loop over each default_key and set the new value
++        for key, value in default_keys.iteritems():
++            # Create hash out of token and this key's name
++            sha = hashlib.sha256(my_token + '-' + key).hexdigest()
++            # Pass a dictionary so we can add stuff without breaking existing calls
++            vals = { 'hash': sha, 'variable': key, 'original': value }
++            # Call user specified function or just return hash
++            my_list[key] = sha
++            if secure_function is not None:
++                # Pick through the global and local scopes to find the function.
++                possibles = globals().copy()
++                possibles.update(locals())
++                supplied_function = possibles.get(secure_function)
++                if not supplied_function:
++                    raise Exception("Cannot find supplied security function")
++                else:
++                    my_list[key] = supplied_function(vals)
++    else:
++        calling_file = inspect.stack()[1][1]
++        if os.getenv('OPENSHIFT_REPO_DIR'):
++            base = os.getenv('OPENSHIFT_REPO_DIR')
++            calling_file.replace(base,'')
++        sys.stderr.write("OPENSHIFT WARNING: Using default values for secure variables, please manually modify in " + calling_file + "\n")
++
++    return my_list
++
++
++# This function transforms default keys into per-deployment random keys;
++def make_secure_key(key_info):
++	hashcode = key_info['hash']
++	key      = key_info['variable']
++	original = key_info['original']
++	
++	chars = '0123456789abcdef'
++
++	# Use the hash to seed the RNG
++	random.seed(int("0x" + hashcode[:8], 0))
++
++    # Create a random string the same length as the default
++	rand_key = ''
++	for _ in range(len(original)):
++		rand_pos = random.randint(0,len(chars))
++		rand_key += chars[rand_pos:(rand_pos+1)]
++
++	# Reset the RNG
++	random.seed()
++
++	# Set the value
++	return rand_key
+diff --git a/wsgi/openshift/settings.py b/wsgi/openshift/settings.py
+index 842669e..2f44079 100644
+--- a/wsgi/openshift/settings.py
++++ b/wsgi/openshift/settings.py
+@@ -1,6 +1,6 @@
+ # -*- coding: utf-8 -*-
+ # Django settings for openshift project.
+-import os
++import imp, os
+ 
+ # a setting to determine whether we are running on OpenShift
+ ON_OPENSHIFT = False
+@@ -104,8 +104,18 @@ STATICFILES_FINDERS = (
+     #'django.contrib.staticfiles.finders.DefaultStorageFinder',
+ )
+ 
++# Make a dictionary of default keys
++default_keys = { 'SECRET_KEY': 'vm4rl5*ymb@2&d_(gc$gb-^twq9w(u69hi--%$5xrh!xk(t%hw' }
++
++# Replace default keys with dynamic values if we are in OpenShift
++use_keys = default_keys
++if ON_OPENSHIFT:
++    imp.find_module('openshiftlibs')
++    import openshiftlibs
++    use_keys = openshiftlibs.openshift_secure(default_keys)
++
+ # Make this unique, and don't share it with anybody.
+-SECRET_KEY = 'vm4rl5*ymb@2&d_(gc$gb-^twq9w(u69hi--%$5xrh!xk(t%hw'
++SECRET_KEY = use_keys['SECRET_KEY']
+ 
+ # List of callables that know how to import templates from various sources.
+ TEMPLATE_LOADERS = (
+-- 
+1.7.5.4
+

README.md

@@ -1,26 +1,31 @@
+
 Django on OpenShift
 ===================
 
-This git repository helps you get up and running quickly w/ a Django installation
-on OpenShift.  The Django project name used in this repo is 'openshift'
-but you can feel free to change it.  Right now the backend is sqlite3 and the
-database runtime is @ $OPENSHIFT_DATA_DIR/sqlite3.db.
+This git repository helps you get up and running quickly w/ a Django
+installation on OpenShift.  The Django project name used in this repo
+is 'openshift' but you can feel free to change it.  Right now the
+backend is sqlite3 and the database runtime is @
+$OPENSHIFT_DATA_DIR/sqlite3.db.
 
-When you push this application up for the first time, the sqlite database is
-copied from wsgi/openshift/sqlite3.db.  This is the stock database that is created
-when 'python manage.py syncdb' is run with only the admin app installed.
+Before you push this app for the first time, you will need to change
+the Django admin password (see below). Then, when you first push this
+application to the cloud instance, the sqlite database is copied from
+wsgi/openshift/sqlite3.db with your newly changed login
+credentials. Other than the password change, this is the stock
+database that is created when 'python manage.py syncdb' is run with
+only the admin app installed.
 
-You can delete the database from your git repo after the first push (you probably
-should for security).  On subsequent pushes, a 'python manage.py syncdb' is
-executed to make sure that any models you added are created in the DB.  If you
-do anything that requires an alter table, you could add the alter statements
-in GIT_ROOT/.openshift/action_hooks/alter.sql and then use
-GIT_ROOT/.openshift/action_hooks/deploy to execute that script (make sure to
-back up your database w/ 'rhc app snapshot save' first :) )
+On subsequent pushes, a 'python manage.py syncdb' is executed to make
+sure that any models you added are created in the DB.  If you do
+anything that requires an alter table, you could add the alter
+statements in GIT_ROOT/.openshift/action_hooks/alter.sql and then use
+GIT_ROOT/.openshift/action_hooks/deploy to execute that script (make
+sure to back up your database w/ 'rhc app snapshot save' first :) )
 
 
 Running on OpenShift
-----------------------------
+--------------------
 
 Create an account at http://openshift.redhat.com/
 
@@ -37,12 +42,17 @@ Add this upstream repo
     cd django
     git remote add upstream -m master git://github.com/openshift/django-example.git
     git pull -s recursive -X theirs upstream master
-    
+
 Then push the repo upstream
 
     git push
+	
+**Note**: As the git push output scrolls by, keep an eye out for a
+  line of output that starts with 'CLIENT_MESSAGE: '. This line
+  contains the generated admin password that you will need to begin
+  administering your Django app. This is the only time the password
+  will be displayed, so be sure to save it somewhere!
 
 That's it, you can now checkout your application at (default admin account is admin/admin):
 
     http://django-$yournamespace.rhcloud.com
-

wsgi/openshift/openshiftlibs.py

@@ -0,0 +1,84 @@
+#!/usr/bin/env python
+import hashlib, inspect, os, random, sys
+
+# Gets the secret token provided by OpenShift
+# or generates one (this is slightly less secure, but good enough for now)
+def get_openshift_secret_token():
+    token = os.getenv('OPENSHIFT_SECRET_TOKEN')
+    name  = os.getenv('OPENSHIFT_APP_NAME')
+    uuid  = os.getenv('OPENSHIFT_APP_UUID')
+    if token is not None:
+        return token
+    elif (name is not None and uuid is not None):
+        return hashlib.sha256(name + '-' + uuid).hexdigest()
+    return None
+
+# Loop through all provided variables and generate secure versions
+# If not running on OpenShift, returns defaults and logs an error message
+#
+# This function calls secure_function and passes an array of:
+#  {
+#    'hash':     generated sha hash,
+#    'variable': name of variable,
+#    'original': original value
+#  }
+def openshift_secure(default_keys, secure_function = 'make_secure_key'):
+    # Attempts to get secret token
+    my_token = get_openshift_secret_token()
+
+    # Only generate random values if on OpenShift
+    my_list  = default_keys
+
+    if my_token is not None:
+        # Loop over each default_key and set the new value
+        for key, value in default_keys.iteritems():
+            # Create hash out of token and this key's name
+            sha = hashlib.sha256(my_token + '-' + key).hexdigest()
+            # Pass a dictionary so we can add stuff without breaking existing calls
+            vals = { 'hash': sha, 'variable': key, 'original': value }
+            # Call user specified function or just return hash
+            my_list[key] = sha
+            if secure_function is not None:
+                # Pick through the global and local scopes to find the function.
+                possibles = globals().copy()
+                possibles.update(locals())
+                supplied_function = possibles.get(secure_function)
+                if not supplied_function:
+                    raise Exception("Cannot find supplied security function")
+                else:
+                    my_list[key] = supplied_function(vals)
+    else:
+        calling_file = inspect.stack()[1][1]
+        if os.getenv('OPENSHIFT_REPO_DIR'):
+            base = os.getenv('OPENSHIFT_REPO_DIR')
+            calling_file.replace(base,'')
+        sys.stderr.write("OPENSHIFT WARNING: Using default values for secure variables, please manually modify in " + calling_file + "\n")
+
+    return my_list
+
+
+# This function transforms default keys into per-deployment random keys;
+def make_secure_key(key_info):
+	hashcode = key_info['hash']
+	key      = key_info['variable']
+	original = key_info['original']
+
+	chars  = '0123456789'
+	chars += 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
+	chars += '!@#%^&*()'
+	chars += '-_ []{}<>~`+=,.;:/?|'
+
+	# Use the hash to seed the RNG
+	random.seed(int("0x" + hashcode[:8], 0))
+
+    # Create a random string the same length as the default
+	rand_key = ''
+	for _ in range(len(original)):
+		rand_pos = random.randint(0,len(chars))
+		rand_key += chars[rand_pos:(rand_pos+1)]
+
+	# Reset the RNG
+	random.seed()
+
+	# Set the value
+	return rand_key

wsgi/openshift/settings.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 # Django settings for openshift project.
-import os
+import imp, os
 
 # a setting to determine whether we are running on OpenShift
 ON_OPENSHIFT = False
@@ -104,8 +104,18 @@
     #'django.contrib.staticfiles.finders.DefaultStorageFinder',
 )
 
+# Make a dictionary of default keys
+default_keys = { 'SECRET_KEY': 'vm4rl5*ymb@2&d_(gc$gb-^twq9w(u69hi--%$5xrh!xk(t%hw' }
+
+# Replace default keys with dynamic values if we are in OpenShift
+use_keys = default_keys
+if ON_OPENSHIFT:
+    imp.find_module('openshiftlibs')
+    import openshiftlibs
+    use_keys = openshiftlibs.openshift_secure(default_keys)
+
 # Make this unique, and don't share it with anybody.
-SECRET_KEY = 'vm4rl5*ymb@2&d_(gc$gb-^twq9w(u69hi--%$5xrh!xk(t%hw'
+SECRET_KEY = use_keys['SECRET_KEY']
 
 # List of callables that know how to import templates from various sources.
 TEMPLATE_LOADERS = (