From 45078e6566c5021521862751ce13e089620c58d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C4=93teris=20Caune?= <cuu508@gmail.com>
Date: Thu, 28 Jan 2021 15:38:14 +0200
Subject: [PATCH] Set the SECRET_KEY default value back to "---"

Previously, I had changed the default value to "", to force
users to set the SECRET_KEY value (the app refuses to start
if SECRET_KEY is empty).

The problem with that is, out of the box, with the default
configuration, the tests also don't run and complain about the
empty SECRET_KEY.

So, a compromise: revert back to the default value "---".
At runtime, if SECRET_KEY has the default value, show a  warning
at the top of every page.
---
 docker/.env                                   |  2 +-
 hc/front/templatetags/hc_extras.py            |  9 +++++++++
 hc/front/tests/test_basics.py                 | 11 +++++++++--
 hc/settings.py                                |  2 +-
 templates/docs/self_hosted_configuration.html |  5 +++--
 templates/docs/self_hosted_configuration.md   |  5 +++--
 6 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/docker/.env b/docker/.env
index b9d7625f..161796e6 100644
--- a/docker/.env
+++ b/docker/.env
@@ -38,7 +38,7 @@ PUSHOVER_SUBSCRIPTION_URL=
 REGISTRATION_OPEN=True
 REMOTE_USER_HEADER=
 RP_ID=
-SECRET_KEY=
+SECRET_KEY=---
 SHELL_ENABLED=False
 SIGNAL_CLI_ENABLED=False
 SITE_NAME=Mychecks
diff --git a/hc/front/templatetags/hc_extras.py b/hc/front/templatetags/hc_extras.py
index c440627b..145f825c 100644
--- a/hc/front/templatetags/hc_extras.py
+++ b/hc/front/templatetags/hc_extras.py
@@ -70,6 +70,15 @@ def debug_warning():
         """
         )
 
+    if settings.SECRET_KEY == "---":
+        return mark_safe(
+            """
+            <div id="debug-warning">
+            Running with an insecure SECRET_KEY value, do not use in production.
+            </div>
+        """
+        )
+
     return ""
 
 
diff --git a/hc/front/tests/test_basics.py b/hc/front/tests/test_basics.py
index fd3cbbaf..c1d20f74 100644
--- a/hc/front/tests/test_basics.py
+++ b/hc/front/tests/test_basics.py
@@ -3,15 +3,22 @@ from django.test.utils import override_settings
 
 
 class BasicsTestCase(TestCase):
+    @override_settings(DEBUG=False, SECRET_KEY="abc")
     def test_it_shows_welcome(self):
         r = self.client.get("/")
         self.assertContains(r, "Get Notified", status_code=200)
         self.assertNotContains(r, "do not use in production")
 
-    @override_settings(DEBUG=True)
+    @override_settings(DEBUG=True, SECRET_KEY="abc")
     def test_it_shows_debug_warning(self):
         r = self.client.get("/")
-        self.assertContains(r, "do not use in production")
+        self.assertContains(r, "Running in debug mode")
+
+    @override_settings(DEBUG=False, SECRET_KEY="---")
+    def test_it_shows_secret_key_warning(self):
+        r = self.client.get("/")
+        self.assertContains(r, "Get Notified", status_code=200)
+        self.assertContains(r, "Running with an insecure SECRET_KEY value")
 
     @override_settings(REGISTRATION_OPEN=False)
     def test_it_obeys_registration_open(self):
diff --git a/hc/settings.py b/hc/settings.py
index 94fae727..a8427596 100644
--- a/hc/settings.py
+++ b/hc/settings.py
@@ -26,7 +26,7 @@ def envint(s, default):
     return int(v)
 
 
-SECRET_KEY = os.getenv("SECRET_KEY", "")
+SECRET_KEY = os.getenv("SECRET_KEY", "---")
 METRICS_KEY = os.getenv("METRICS_KEY")
 DEBUG = envbool("DEBUG", "True")
 ALLOWED_HOSTS = os.getenv("ALLOWED_HOSTS", "*").split(",")
diff --git a/templates/docs/self_hosted_configuration.html b/templates/docs/self_hosted_configuration.html
index 8c72d3e4..b7f78507 100644
--- a/templates/docs/self_hosted_configuration.html
+++ b/templates/docs/self_hosted_configuration.html
@@ -230,8 +230,9 @@ if your site runs on <code>https://my-hc.example.org</code>, set <code>RP_ID</co
 locally with a self-signed certificate, you can use the <code>runsslserver</code> command
 from the <code>django-sslserver</code> package.</p>
 <h2 id="SECRET_KEY"><code>SECRET_KEY</code></h2>
-<p>Default: <code>""</code> (empty string)</p>
-<p>A secret key used for cryptographic signing.</p>
+<p>Default: <code>---</code></p>
+<p>A secret key used for cryptographic signing, and should be set to a unique,
+unpredictable value.</p>
 <p>This is a standard Django setting, read more in
 <a href="https://docs.djangoproject.com/en/3.1/ref/settings/#secret-key">Django documentation</a>.</p>
 <h2 id="SHELL_ENABLED"><code>SHELL_ENABLED</code></h2>
diff --git a/templates/docs/self_hosted_configuration.md b/templates/docs/self_hosted_configuration.md
index 9f58089c..b2f2b71e 100644
--- a/templates/docs/self_hosted_configuration.md
+++ b/templates/docs/self_hosted_configuration.md
@@ -370,9 +370,10 @@ from the `django-sslserver` package.
 
 ## `SECRET_KEY` {: #SECRET_KEY }
 
-Default: `""` (empty string)
+Default: `---`
 
-A secret key used for cryptographic signing.
+A secret key used for cryptographic signing, and should be set to a unique,
+unpredictable value.
 
 This is a standard Django setting, read more in
 [Django documentation](https://docs.djangoproject.com/en/3.1/ref/settings/#secret-key).