From e9721dc63ddfa9a1d5063a17892e9785228e4205 Mon Sep 17 00:00:00 2001 From: Patrick Mayr Date: Sun, 24 Apr 2022 10:48:04 +0000 Subject: [PATCH] add secure defines and sort settings file --- fet2020/fet2020/settings.py | 280 ++++++++++++++++++------------------ 1 file changed, 140 insertions(+), 140 deletions(-) diff --git a/fet2020/fet2020/settings.py b/fet2020/fet2020/settings.py index 488c463d..037ea814 100644 --- a/fet2020/fet2020/settings.py +++ b/fet2020/fet2020/settings.py @@ -17,44 +17,15 @@ env = environ.Env( GALLERY_PATH=(str, "uploads/gallery"), ) -# Prints and logs are written to console -# TODO: Change before release -LOGGING = { - "version": 1, - "disable_existing_loggers": False, - "handlers": { - "console": { - "class": "logging.StreamHandler", - }, - }, - "root": { - "handlers": ["console"], - "level": "DEBUG", - }, -} - - # Build paths inside the project like this: os.path.join(BASE_DIR, ...) BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) -# SECURITY WARNING: don't run with debug turned on in production! +# DEBUGGING DEBUG = env("DEBUG") -if DEBUG: - # SECURITY WARNING: keep the secret key used in production secret! - SECRET_KEY = "r37-i7l)vrduzz2-gira+z#u!p!di9#f+%s*5-bb($hg)55@ns" -else: - SECRET_KEY = env("SECRET_KEY") - - -# HOST -ALLOWED_HOSTS = ["127.0.0.1", env("HOST_NAME"), "fet.at"] -HOST_NAME = env("HOST_NAME") - - -DATA_UPLOAD_MAX_MEMORY_SIZE = 1024 * 1024 * 1024 +# MODELS INSTALLED_APPS = [ "django.contrib.admin", "django.contrib.admindocs", 
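Review bot: The new `# DEBUGGING` header replaces the `SECURITY WARNING: don't run with debug turned on in production!` comment that stood above `DEBUG = env("DEBUG")`, and the SECRET_KEY block moved out of this hunk (re-added in the third hunk) loses its `keep the secret key used in production secret!` warning the same way, as does the relocated LOGGING block its `TODO: Change before release`. Those comments are the only place the file records which settings are release-critical, so keep them on the new side, e.g. `# DEBUGGING -- SECURITY WARNING: never run with DEBUG=True in production`. `DEBUG = env("DEBUG")` is unchanged context, but the `environ.Env(...)` declaration that decides whether the value is cast starts above the hunk; if DEBUG is not declared there with a bool cast such as `DEBUG=(bool, False)`, any non-empty string (including `"False"`) is truthy and silently enables debug, which `env.bool("DEBUG", default=False)` would avoid. Worth confirming against the declaration above.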
@@ -90,44 +61,16 @@ INSTALLED_APPS = [ "intern.apps.InternConfig", ] -MIDDLEWARE = [ - "django.middleware.security.SecurityMiddleware", - "django.contrib.sessions.middleware.SessionMiddleware", - "django.middleware.locale.LocaleMiddleware", - "django.middleware.common.CommonMiddleware", - "django.middleware.csrf.CsrfViewMiddleware", - "django.contrib.auth.middleware.AuthenticationMiddleware", - "fet2020.middleware.FETHeaderMiddleware", - "django.contrib.messages.middleware.MessageMiddleware", - "django.middleware.clickjacking.XFrameOptionsMiddleware", - "django.contrib.flatpages.middleware.FlatpageFallbackMiddleware", + +# AUTHENTICATIONS +AUTHENTICATION_BACKENDS = [ + "django.contrib.auth.backends.ModelBackend", ] -ROOT_URLCONF = "fet2020.urls" - -TEMPLATES = [ - { - "BACKEND": "django.template.backends.django.DjangoTemplates", - "DIRS": [ - os.path.join(BASE_DIR, "templates"), - ], - "APP_DIRS": True, - "OPTIONS": { - "context_processors": [ - "django.template.context_processors.debug", - "django.template.context_processors.request", - "django.contrib.auth.context_processors.auth", - "django.contrib.messages.context_processors.messages", - "django.template.context_processors.i18n", - ], - }, - }, -] - -WSGI_APPLICATION = "fet2020.wsgi.application" +LOGIN_URL = "/auth/login" -# Database +# DATABASE if DEBUG: DATABASES = { "default": { 
@@ -148,61 +91,135 @@ else: } -AUTHENTICATION_BACKENDS = [ - "django.contrib.auth.backends.ModelBackend", -] +# EMAIL +EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend" +EMAIL_HOST = "buran.htu.tuwien.ac.at" +EMAIL_PORT = 587 +EMAIL_USE_TLS = True -# Password validation -AUTH_PASSWORD_VALIDATORS = [ - { - "NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator", - }, - { - "NAME": "django.contrib.auth.password_validation.MinimumLengthValidator", - }, - { - "NAME": "django.contrib.auth.password_validation.CommonPasswordValidator", - }, - { - "NAME": "django.contrib.auth.password_validation.NumericPasswordValidator", - }, -] +# FILE UPLOADS +MEDIA_ROOT = os.path.join(BASE_DIR, "files/") +MEDIA_URL = "files/" -# Internationalization +# GLOBALIZATION LANGUAGE_CODE = "de-at" +LOCALE_PATHS = [os.path.join(BASE_DIR, "locale")] TIME_ZONE = "CET" USE_I18N = True USE_L10N = True USE_TZ = True -LOCALE_PATHS = [os.path.join(BASE_DIR, "locale")] -# Sites +# HOST +ALLOWED_HOSTS = ["127.0.0.1", env("HOST_NAME"), "fet.at"] +HOST_NAME = env("HOST_NAME") + + +# HTTP +DATA_UPLOAD_MAX_MEMORY_SIZE = 1024 * 1024 * 1024 + +MIDDLEWARE = [ + "django.middleware.security.SecurityMiddleware", + "django.contrib.sessions.middleware.SessionMiddleware", + "django.middleware.locale.LocaleMiddleware", + "django.middleware.common.CommonMiddleware", + "django.middleware.csrf.CsrfViewMiddleware", + "django.contrib.auth.middleware.AuthenticationMiddleware", + "fet2020.middleware.FETHeaderMiddleware", + "django.contrib.messages.middleware.MessageMiddleware", + "django.middleware.clickjacking.XFrameOptionsMiddleware", + "django.contrib.flatpages.middleware.FlatpageFallbackMiddleware", +] + +SECURE_HSTS_PRELOAD = True +SECURE_HSTS_SECONDS = 60 +SECURE_HSTS_INCLUDE_SUBDOMAINS = True +SESSION_COOKIE_SECURE = True + +# TODO: Warning (security.W008) - should be True +SECURE_SSL_REDIRECT = False + +WSGI_APPLICATION = "fet2020.wsgi.application" + + +# LOGGING +LOGGING = { + 
"version": 1, + "disable_existing_loggers": False, + "handlers": { + "console": { + "class": "logging.StreamHandler", + }, + }, + "root": { + "handlers": ["console"], + "level": "DEBUG", + }, +} + + +# MIGRATION TO DJANGO 3.2 +DEFAULT_AUTO_FIELD = "django.db.models.AutoField" + + +# SITES SITE_ID = 1 -# Static files (CSS, JavaScript, Images) +# STATIC FILES +STATIC_ROOT = "assets/" + if DEBUG: - STATIC_URL = "/static/" + STATIC_URL = "static/" else: - STATIC_URL = "/assets/" + STATIC_URL = "assets/" STATICFILES_DIRS = [ os.path.join(BASE_DIR, "gallery/static"), os.path.join(BASE_DIR, "static"), ] -STATIC_ROOT = "assets/" -MEDIA_ROOT = os.path.join(BASE_DIR, "files/") -MEDIA_URL = "/files/" + +# SECURITY +CSRF_COOKIE_SECURE = True +CSRF_TRUSTED_ORIGINS = [ + "https://" + env("HOST_NAME"), +] + +if DEBUG: + SECRET_KEY = "r37-i7l)vrduzz2-gira+z#u!p!di9#f+%s*5-bb($hg)55@ns" +else: + SECRET_KEY = env("SECRET_KEY") -# TAGGIT -TAGGIT_FORCE_LOWERCASE = True +# TEMPLATES +TEMPLATES = [ + { + "BACKEND": "django.template.backends.django.DjangoTemplates", + "DIRS": [ + os.path.join(BASE_DIR, "templates"), + ], + "APP_DIRS": True, + "OPTIONS": { + "context_processors": [ + "django.template.context_processors.debug", + "django.template.context_processors.request", + "django.contrib.auth.context_processors.auth", + "django.contrib.messages.context_processors.messages", + "django.template.context_processors.i18n", + ], + }, + }, +] +# URLS +ROOT_URLCONF = "fet2020.urls" + + +### THIRD-PARTY ### # CKEDITOR CKEDITOR_UPLOAD_PATH = "upload" 
@@ -274,22 +291,17 @@ CKEDITOR_CONFIGS = { } -# THUMBNAIL -THUMBNAIL_ALIASES = { - "": { - "avatar": {"size": (50, 50), "crop": True}, - "thumb": {"size": (150, 150), "crop": True}, - "portrait": {"size": (200, 300), "crop": False}, - }, -} +# CRON JOBS +CRONJOBS = [ + ("0 16 * * *", "posts.cronjobs.check_to_send_agenda_mail"), +] -# ETHERPAD HOST +# ETHERPAD ETHERPAD_HOST = env("ETHERPAD_HOST").strip() if not ETHERPAD_HOST or ETHERPAD_HOST == "": ETHERPAD_HOST = urljoin("https://" + env("HOST_NAME"), "etherpad/") -# ETHERPAD CLIENT if DEBUG: ETHERPAD_CLIENT = { "url": "http://etherpad:" + env("ETHERPAD_PORT"), @@ -306,6 +318,22 @@ else: } +# GALLERY +GALLERY = { + "path": env("GALLERY_PATH"), + "thumb_path": env("GALLERY_PATH") + "_thumb", +} + + +# HAYSTACK +HAYSTACK_CONNECTIONS = { + "default": { + "ENGINE": "haystack.backends.whoosh_backend.WhooshEngine", + "PATH": os.path.join(BASE_DIR, "whoosh_index"), + }, +} + + # REST FRAMEWORK REST_FRAMEWORK = { "DEFAULT_PERMISSION_CLASSES_CLASSES": [ 
@@ -315,43 +343,15 @@ REST_FRAMEWORK = { } -# DJANGO MAIL -EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend" -EMAIL_HOST = "buran.htu.tuwien.ac.at" -EMAIL_PORT = 587 -EMAIL_USE_TLS = True +# TAGGIT +TAGGIT_FORCE_LOWERCASE = True -# CRON JOBS -CRONJOBS = [ - ("0 16 * * *", "posts.cronjobs.check_to_send_agenda_mail"), -] - - -# AUTHENTICATIONS -LOGIN_URL = "/auth/login" - - -# MIGRATION FROM DJANGO 3.1 TO DJANGO 3.2 -DEFAULT_AUTO_FIELD = "django.db.models.AutoField" - - -# GALLERY -GALLERY = { - "path": env("GALLERY_PATH"), - "thumb_path": env("GALLERY_PATH") + "_thumb", -} - -# MIGRATION TO DJANGO 4.0 -CSRF_TRUSTED_ORIGINS = [ - "https://" + env("HOST_NAME"), -] - - -# DJANGO HAYSTACK -HAYSTACK_CONNECTIONS = { - "default": { - "ENGINE": "haystack.backends.whoosh_backend.WhooshEngine", - "PATH": os.path.join(BASE_DIR, "whoosh_index"), +# THUMBNAIL +THUMBNAIL_ALIASES = { + "": { + "avatar": {"size": (50, 50), "crop": True}, + "thumb": {"size": (150, 150), "crop": True}, + "portrait": {"size": (200, 300), "crop": False}, }, }