Add restriction on saving django_settings_override - EDLY_2403 (#64)

edly-io · Jan 12, 2021 · 29fca84 · 29fca84
1 parent 13bec58
commit 29fca84
Show file tree

Hide file tree

Showing 4 changed files with 90 additions and 0 deletions.
diff --git a/ecommerce/core/models.py b/ecommerce/core/models.py
@@ -21,6 +21,7 @@
 from analytics import Client as SegmentClient
 from ecommerce.core.url_utils import get_lms_url
 from ecommerce.core.utils import log_message_and_raise_validation_error
+from ecommerce.extensions.edly_ecommerce_app.helpers import clean_django_settings_override
 from ecommerce.extensions.payment.exceptions import ProcessorNotFoundError
 from ecommerce.extensions.payment.helpers import get_processor_class, get_processor_class_by_name
 from ecommerce.journals.constants import JOURNAL_DISCOVERY_API_PATH  # TODO: journals dependency
@@ -368,6 +369,13 @@ def build_program_dashboard_url(self, uuid):
         """ Returns a URL to a specific student program dashboard (hosted by LMS). """
         return self.build_lms_url('/dashboard/programs/{}'.format(uuid))
 
+    def clean(self):
+        """
+        Add check for allowed django settings override.
+        """
+        super(SiteConfiguration, self).clean()
+        clean_django_settings_override(self.get_edly_configuration_value('DJANGO_SETTINGS_OVERRIDE', None))
+
     @property
     def student_dashboard_url(self):
         """ Returns a URL to the student dashboard (hosted by LMS). """

diff --git a/ecommerce/extensions/edly_ecommerce_app/helpers.py b/ecommerce/extensions/edly_ecommerce_app/helpers.py
@@ -1,6 +1,8 @@
 from django.conf import settings
 
 import jwt
+from django.core.exceptions import ValidationError
+from django.utils.translation import ugettext_lazy as _
 
 from opaque_keys.edx.keys import CourseKey
 
@@ -109,3 +111,37 @@ def user_is_course_creator(request):
 
     decoded_cookie_data = decode_edly_user_info_cookie(edly_user_info_cookie)
     return decoded_cookie_data.get('is_course_creator', False)
+
+def clean_django_settings_override(django_settings_override):
+    """
+    Enforce only allowed django settings to be overridden.
+    """
+    if not django_settings_override:
+        return
+
+    django_settings_override_keys = django_settings_override.keys()
+    disallowed_override_keys = list(set(django_settings_override_keys) - set(settings.ALLOWED_DJANGO_SETTINGS_OVERRIDE))
+    updated_override_keys = list(set(django_settings_override_keys) - set(disallowed_override_keys))
+    missing_override_keys = list(set(settings.ALLOWED_DJANGO_SETTINGS_OVERRIDE) - set(updated_override_keys))
+
+    validation_errors = []
+    if disallowed_override_keys:
+        disallowed_override_keys_string = ', '.join(disallowed_override_keys)
+        validation_errors.append(
+            ValidationError(
+                _('Django settings override(s) "%(disallowed_override_keys)s" is/are not allowed to be overridden.'),
+                params={'disallowed_override_keys': disallowed_override_keys_string},
+            )
+        )
+
+    if missing_override_keys:
+        missing_override_keys_string = ', '.join(missing_override_keys)
+        validation_errors.append(
+            ValidationError(
+                _('Django settings override(s) "%(missing_override_keys)s" is/are missing.'),
+                params={'missing_override_keys': missing_override_keys_string},
+            )
+        )
+
+    if validation_errors:
+        raise ValidationError(validation_errors)
diff --git a/ecommerce/extensions/edly_ecommerce_app/tests/test_helpers.py b/ecommerce/extensions/edly_ecommerce_app/tests/test_helpers.py
@@ -1,17 +1,20 @@
 from django.conf import settings
+from django.core.exceptions import ValidationError
 from django.test import RequestFactory
 
 from factory.fuzzy import FuzzyText
 import jwt
 
 from ecommerce.courses.tests.factories import CourseFactory
+from ecommerce.extensions.edly_ecommerce_app.tests.factories import SiteFactory
 from ecommerce.extensions.edly_ecommerce_app.helpers import (
     decode_edly_user_info_cookie,
     encode_edly_user_info_cookie,
     get_edx_org_from_edly_cookie,
     is_valid_site_course,
     user_is_course_creator,
 )
+from ecommerce.tests.factories import SiteConfigurationFactory
 from ecommerce.tests.testcases import TestCase
 
 
@@ -101,3 +104,41 @@ def test_user_is_course_creator_works(self):
         self._set_edly_user_info_cookie()
         assert self.test_edly_user_info_cookie_data.get('is_course_creator') == user_is_course_creator(self.request)
 
+    def test_clean_django_settings_override_for_disallowed_settings(self):
+        """
+        Test disallowed settings raise correct validation error.
+        """
+        default_settings = {
+            key: getattr(settings, key, None) for key in settings.ALLOWED_DJANGO_SETTINGS_OVERRIDE
+        }
+        dissallowed_test_settings = dict(default_settings, HELLO='world')
+        expected_error_message = 'Django settings override(s) "HELLO" is/are not allowed to be overridden.'
+
+        with self.assertRaisesMessage(ValidationError, expected_error_message):
+            site_configuration = SiteConfigurationFactory(
+                site=SiteFactory(),
+                edly_client_theme_branding_settings={
+                    'DJANGO_SETTINGS_OVERRIDE': dissallowed_test_settings
+                }
+            )
+            site_configuration.clean()
+
+    def test_clean_django_settings_override_for_missing_settings(self):
+        """
+        Test missing settings raise correct validation error.
+        """
+        default_settings = {
+            key: getattr(settings, key, None) for key in settings.ALLOWED_DJANGO_SETTINGS_OVERRIDE
+        }
+        missing_test_settings = default_settings.copy()
+        missing_test_settings.pop('LANGUAGE_CODE')
+        expected_error_message = 'Django settings override(s) "LANGUAGE_CODE" is/are missing.'
+
+        with self.assertRaisesMessage(ValidationError, expected_error_message):
+            site_configuration = SiteConfigurationFactory(
+                site=SiteFactory(),
+                edly_client_theme_branding_settings={
+                    'DJANGO_SETTINGS_OVERRIDE': missing_test_settings
+                }
+            )
+            site_configuration.clean()
diff --git a/ecommerce/settings/base.py b/ecommerce/settings/base.py
@@ -745,3 +745,8 @@
 EDLY_USER_INFO_COOKIE_NAME = 'edly-user-info'
 EDLY_COOKIE_SECRET_KEY = 'EDLY-COOKIE-SECRET-KEY'
 EDLY_JWT_ALGORITHM = 'HS256'
+
+ALLOWED_DJANGO_SETTINGS_OVERRIDE = [
+    'OSCAR_FROM_EMAIL', 'SESSION_COOKIE_DOMAIN', 'LANGUAGE_CODE',
+    'EDLY_WORDPRESS_URL', 'FRONTEND_LOGOUT_URL', 'PAYMENT_PROCESSOR_CONFIG',
+]