Support "_FILE" environmental variables (#9069)

* Use environ.FileAwareEnv

* Load _FILE in shell

* Change error to warning

Dockerfile.django-alpine

@@ -75,6 +75,7 @@ COPY \
   docker/entrypoint-unit-tests.sh \
   docker/entrypoint-unit-tests-devDocker.sh \
   docker/wait-for-it.sh \
+  docker/secret-file-loader.sh \
   docker/certs/* \
   /
 COPY wsgi.py manage.py docker/unit-tests.sh ./

Dockerfile.django-debian

@@ -80,6 +80,7 @@ COPY \
   docker/entrypoint-unit-tests.sh \
   docker/entrypoint-unit-tests-devDocker.sh \
   docker/wait-for-it.sh \
+  docker/secret-file-loader.sh \
   docker/certs/* \
   /
 COPY wsgi.py manage.py docker/unit-tests.sh ./

Dockerfile.integration-tests-debian

@@ -61,6 +61,7 @@ WORKDIR /app
 COPY --from=openapitools /opt/openapi-generator/modules/openapi-generator-cli/target/openapi-generator-cli.jar /usr/local/bin/openapi-generator-cli.jar
 
 COPY docker/wait-for-it.sh \
+  docker/secret-file-loader.sh \
   docker/entrypoint-integration-tests.sh \
   /
 

docker/entrypoint-celery-worker.sh

@@ -3,6 +3,8 @@ umask 0002
 
 id
 
+. /secret-file-loader.sh
+
 # Allow for bind-mount multiple settings.py overrides
 FILES=$(ls /app/docker/extra_settings/* 2>/dev/null)
 NUM_FILES=$(echo "$FILES" | wc -w)

docker/entrypoint-initializer.sh

@@ -1,5 +1,7 @@
 #!/bin/sh
 
+. /secret-file-loader.sh
+
 initialize_data()
 {
     # Test types shall be initialized every time by the initializer, to make sure test types are complete

docker/entrypoint-integration-tests.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+. /secret-file-loader.sh
+
 echo "Testing DefectDojo Service"
 
 echo "Waiting max 60s for services to start"

docker/entrypoint-unit-tests-devDocker.sh

@@ -6,6 +6,8 @@ set -x
 set -e
 set -v
 
+. /secret-file-loader.sh
+
 cd /app
 # Unset the database URL so that we can force the DD_TEST_DATABASE_NAME (see django "DATABASES" configuration in settings.dist.py)
 unset DD_DATABASE_URL

docker/entrypoint-unit-tests.sh

@@ -6,6 +6,8 @@
 # set -e
 # set -v
 
+. /secret-file-loader.sh
+
 cd /app
 # Unset the database URL so that we can force the DD_TEST_DATABASE_NAME (see django "DATABASES" configuration in settings.dist.py)
 unset DD_DATABASE_URL

docker/entrypoint-uwsgi-dev.sh

@@ -1,5 +1,7 @@
 #!/bin/sh
 
+. /secret-file-loader.sh
+
 
 cd /app
 

docker/entrypoint-uwsgi.sh

@@ -1,5 +1,7 @@
 #!/bin/sh
 
+. /secret-file-loader.sh
+
 # Allow for bind-mount multiple settings.py overrides
 FILES=$(ls /app/docker/extra_settings/* 2>/dev/null)
 NUM_FILES=$(echo "$FILES" | wc -w)

docker/entrypoint.sh

@@ -1,5 +1,7 @@
 #!/bin/sh
 
+. /secret-file-loader.sh
+
 # Waits for the database to come up.
 ./docker/wait-for-it.sh $DD_DATABASE_HOST:$DD_DATABASE_PORT
 

docker/secret-file-loader.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Convert all environment variables with names ending in _FILE into the content of
+# the file that they point at and use the name without the trailing _FILE.
+# This can be used to carry in Docker secrets.
+# Inspired by https://github.com/grafana/grafana-docker/pull/166
+# But rewrote for /bin/sh
+for VAR_NAME in $(env | grep '^DD_[^=]\+_FILE=.\+' | sed -r "s/([^=]*)_FILE=.*/\1/g"); do
+    VAR_NAME_FILE="$VAR_NAME"_FILE
+    if [ -n "$(eval echo "\$$VAR_NAME")" ]; then
+        echo >&2 "WARNING: Both $VAR_NAME and $VAR_NAME_FILE are set. Content of $VAR_NAME will be overridden."
+    fi
+    echo "Getting secret $VAR_NAME from $(eval echo "\$$VAR_NAME_FILE")"
+    export "$VAR_NAME"="$(cat "$(eval echo "\$$VAR_NAME_FILE")")"
+    unset "$VAR_NAME_FILE"
+done

dojo/settings/settings.dist.py

@@ -16,7 +16,7 @@
 root = environ.Path(__file__) - 3  # Three folders back
 
 # reference: https://pypi.org/project/django-environ/
-env = environ.Env(
+env = environ.FileAwareEnv(
     # Set casting and default values
     DD_SITE_URL=(str, 'http://localhost:8080'),
     DD_DEBUG=(bool, False),