enhance settings.ini system

README.md

@@ -1,7 +1,7 @@
 univnautes-idp : IdP multi-tenants pour UnivNautes
 
-cp settings.ini.example /somewhere/settings.ini
-export UNIVNAUTES_IDP_SETTINGS_INI=/somewhere/settings.ini
+# config :
+cp settings.ini.example /etc/univnautes-idp/settings.ini
 
 # creation du schema public
 python manage.py sync_schemas --shared --noinput
@@ -12,3 +12,4 @@ python manage.py createsuperuser -s public
 python manage.py create-tenant xyz.univnautes-idp.dev.entrouvert.org xyz
 python manage.py createsuperuser -s xyz 
 
+

settings.ini.example

@@ -1,8 +1,22 @@
+#
+# override default-settings.ini
+#
+
+[general]
+multitenants_settings_ini: %(base)s/tenants/{tenant}-settings.ini ## currently not used
+
+[database]
+name: univnautes_idp
+host:
+port:
+user:
+password:
+
 [saml]
 local_metadata_cache_timeout: 600
 # Whether to autoload SAML 2.0 identity providers and services metadata
 # Only https URLS are accepted. Can be none, sp, idp or both
-metadata_autoload: both
+metadata_autoload: none
 # these keys will changed by tenants :
 signature_public_key: -----BEGIN CERTIFICATE-----
   MIIDIzCCAgugAwIBAgIJANUBoick1pDpMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV
@@ -51,7 +65,6 @@ signature_private_key: -----BEGIN RSA PRIVATE KEY-----
   TKX6tp6oI+7MIJE6ySZ0cBqOiydAkBePZhu57j6ToBkTa0dbHjn1WA==
   -----END RSA PRIVATE KEY-----
 
-
 [dirs]
 base: /home/thomas/univnautes-idp
 template_dirs: %(base)s/templates
@@ -62,13 +75,6 @@ media_root: %(base)s/media
 static_root: %(base)s/static
 static_dirs:
 
-[database]
-name: univnautes_idp
-host:
-port:
-user:
-password:
-
 [cache]
 memcached: on
 
@@ -92,7 +98,7 @@ template: true
 toolbar: true
 internal_ips: 127.0.0.1
 skip_csrf: true
-sentry_dsn: 
+sentry_dsn: https://eef065f871974893a88ff14bebec6620:6a3b570aa38c4d6da763ce551b260ef3@sentry.entrouvert.org/30
 
 [email]
 server_email: django@localhost

univnautes_idp/default-settings.ini

@@ -0,0 +1,114 @@
+[saml]
+local_metadata_cache_timeout: 600
+# Whether to autoload SAML 2.0 identity providers and services metadata
+# Only https URLS are accepted. Can be none, sp, idp or both
+metadata_autoload: both
+# these keys will changed by tenants :
+signature_public_key: -----BEGIN CERTIFICATE-----
+  MIIDIzCCAgugAwIBAgIJANUBoick1pDpMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV
+  BAoTCkVudHJvdXZlcnQwHhcNMTAxMjE0MTUzMzAyWhcNMTEwMTEzMTUzMzAyWjAV
+  MRMwEQYDVQQKEwpFbnRyb3V2ZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+  CgKCAQEAvxFkfPdndlGgQPDZgFGXbrNAc/79PULZBuNdWFHDD9P5hNhZn9Kqm4Cp
+  06Pe/A6u+g5wLnYvbZQcFCgfQAEzziJtb3J55OOlB7iMEI/T2AX2WzrUH8QT8NGh
+  ABONKU2Gg4XiyeXNhH5R7zdHlUwcWq3ZwNbtbY0TVc+n665EbrfV/59xihSqsoFr
+  kmBLH0CoepUXtAzA7WDYn8AzusIuMx3n8844pJwgxhTB7Gjuboptlz9Hri8JRdXi
+  VT9OS9Wt69ubcNoM6zuKASmtm48UuGnhj8v6XwvbjKZrL9kA+xf8ziazZfvvw/VG
+  Tm+IVFYB7d1x457jY5zjjXJvNysoowIDAQABo3YwdDAdBgNVHQ4EFgQUeF8ePnu0
+  fcAK50iBQDgAhHkOu8kwRQYDVR0jBD4wPIAUeF8ePnu0fcAK50iBQDgAhHkOu8mh
+  GaQXMBUxEzARBgNVBAoTCkVudHJvdXZlcnSCCQDVAaInJNaQ6TAMBgNVHRMEBTAD
+  AQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAy8l3GhUtpPHx0FxzbRHVaaUSgMwYKGPhE
+  IdGhqekKUJIx8et4xpEMFBl5XQjBNq/mp5vO3SPb2h2PVSks7xWnG3cvEkqJSOeo
+  fEEhkqnM45b2MH1S5uxp4i8UilPG6kmQiXU2rEUBdRk9xnRWos7epVivTSIv1Ncp
+  lG6l41SXp6YgIb2ToT+rOKdIGIQuGDlzeR88fDxWEU0vEujZv/v1PE1YOV0xKjTT
+  JumlBc6IViKhJeo1wiBBrVRIIkKKevHKQzteK8pWm9CYWculxT26TZ4VWzGbo06j
+  o2zbumirrLLqnt1gmBDvDvlOwC/zAAyL4chbz66eQHTiIYZZvYgy
+  -----END CERTIFICATE-----
+signature_private_key: -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEAvxFkfPdndlGgQPDZgFGXbrNAc/79PULZBuNdWFHDD9P5hNhZ
+  n9Kqm4Cp06Pe/A6u+g5wLnYvbZQcFCgfQAEzziJtb3J55OOlB7iMEI/T2AX2WzrU
+  H8QT8NGhABONKU2Gg4XiyeXNhH5R7zdHlUwcWq3ZwNbtbY0TVc+n665EbrfV/59x
+  ihSqsoFrkmBLH0CoepUXtAzA7WDYn8AzusIuMx3n8844pJwgxhTB7Gjuboptlz9H
+  ri8JRdXiVT9OS9Wt69ubcNoM6zuKASmtm48UuGnhj8v6XwvbjKZrL9kA+xf8ziaz
+  Zfvvw/VGTm+IVFYB7d1x457jY5zjjXJvNysoowIDAQABAoIBAQCj8t2iKXya10HG
+  V6Saaeih8aftoLBV38VwFqqjPU0+iKqDpk2JSXBhjI6s7uFIsaTNJpR2Ga1qvns1
+  hJQEDMQSLhJvXfBgSkHylRWCpJentr4E3D7mnw5pRsd61Ev9U+uHcdv/WHP4K5hM
+  xsdiwXNXD/RYd1Q1+6bKrCuvnNJVmWe0/RV+r3T8Ni5xdMVFbRWt/VEoE620XX6c
+  a9TQPiA5i/LRVyie+js7Yv+hVjGOlArtuLs6ECQsivfPrqKLOBRWcofKdcf+4N2e
+  3cieUqwzC15C31vcMliD9Hax9c1iuTt9Q3Xzo20fOSazAnQ5YBEExyTtrFBwbfQu
+  ku6hp81pAoGBAN6bc6iJtk5ipYpsaY4ZlbqdjjG9KEXB6G1MExPU7SHXOhOF0cDH
+  /pgMsv9hF2my863MowsOj3OryVhdQhwA6RrV263LRh+JU8NyHV71BwAIfI0BuVfj
+  6r24KudwtUcvMr9pJIrJyMAMaw5ZyNoX7YqFpS6fcisSJYdSBSoxzrzVAoGBANu6
+  xVeMqGavA/EHSOQP3ipDZ3mnWbkDUDxpNhgJG8Q6lZiwKwLoSceJ8z0PNY3VetGA
+  RbqtqBGfR2mcxHyzeqVBpLnXZC4vs/Vy7lrzTiHDRZk2SG5EkHMSKFA53jN6S/nJ
+  JWpYZC8lG8w4OHaUfDHFWbptxdGYCgY4//sjeiuXAoGBANuhurJ99R5PnA8AOgEW
+  4zD1hLc0b4ir8fvshCIcAj9SUB20+afgayRv2ye3Dted1WkUL4WYPxccVhLWKITi
+  rRtqB03o8m3pG3kJnUr0LIzu0px5J/o8iH3ZOJOTE3iBa+uI/KHmxygc2H+XPGFa
+  HGeAxuJCNO2kAN0Losbnz5dlAoGAVsCn94gGWPxSjxA0PC7zpTYVnZdwOjbPr/pO
+  LDE0cEY9GBq98JjrwEd77KibmVMm+Z4uaaT0jXiYhl8pyJ5IFwUS13juCbo1z/u/
+  ldMoDvZ8/R/MexTA/1204u/mBecMJiO/jPw3GdIJ5phv2omHe1MSuSNsDfN8Sbap
+  gmsgaiMCgYB/nrTk89Fp7050VKCNnIt1mHAcO9cBwDV8qrJ5O3rIVmrg1T6vn0aY
+  wRiVcNacaP+BivkrMjr4BlsUM6yH4MOBsNhLURiiCL+tLJV7U0DWlCse/doWij4U
+  TKX6tp6oI+7MIJE6ySZ0cBqOiydAkBePZhu57j6ToBkTa0dbHjn1WA==
+  -----END RSA PRIVATE KEY-----
+
+
+[dirs]
+base: /home/thomas/univnautes-idp
+template_dirs: %(base)s/templates
+multitenant_template_dirs: %(base)s/tenants/templates
+  /var/lib/truc/encore
+  /bidule/machin
+media_root: %(base)s/media
+static_root: %(base)s/static
+static_dirs:
+
+[database]
+name: univnautes_idp
+host:
+port:
+user:
+password:
+
+[cache]
+memcached: on
+
+[secrets]
+secret_key: random-string-of-ascii
+csrf_secret: random-string-of-ascii
+
+[session]
+expire_at_browser_close: yes
+cookie_age:
+cookie_name:
+cookie_path:
+coolie_secure:
+cookie_domain:
+
+# all settings in debug section should be false in production
+# INTERNAL_IPS should be empty in productive environment
+[debug]
+general: true
+template: true
+toolbar: true
+internal_ips: 127.0.0.1
+skip_csrf: true
+sentry_dsn: 
+
+[email]
+server_email: django@localhost
+default_from_email: django@localhost
+subject_prefix: [unidp]
+host: localhost
+port: 25
+use_tls: no
+user:
+password:
+
+# the [admins] and [managers] sections are special. Just add lines with
+#   full name: email_address@domain.xx
+# each section must be present but may be empty.
+[admins]
+#Thomas: tnoel+unidp@entrouvert.com
+[managers]
+#Thomas: tnoel+unidp@entrouvert.com
+

univnautes_idp/settings.py

@@ -1,11 +1,26 @@
 # Django settings for univnautes_idp project.
 
 import os
-from ConfigParser import ConfigParser
-from django.core.exceptions import ImproperlyConfigured
+from ConfigParser import SafeConfigParser
 
-SETTINGS_INI = os.environ.get('UNIVNAUTES_IDP_SETTINGS_INI', '/etc/univnautes-idp/settings.ini')
-config = ConfigParser()
+# get configuration files from :
+# 1. default-settings.ini from source code
+# 2. os.environ.get('SETTINGS_INI') if it exists
+#    else /etc/univnautes-idp/settings.ini
+#         and then /etc/univnautes-idp/local-settings.ini
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+SETTINGS_INI = (os.path.join(BASE_DIR, 'default-settings.ini'),)
+if os.environ.get('SETTINGS_INI'):
+    SETTINGS_INI += (os.environ.get('SETTINGS_INI'),)
+else:
+    ETC_DIR = os.path.join('/', 'etc', 'univnautes-idp')
+    SETTINGS_INI += (
+        os.path.join(ETC_DIR, 'settings.ini'),
+        os.path.join(ETC_DIR, 'local-settings.ini')
+    )
+
+config = SafeConfigParser()
 config.read(SETTINGS_INI)