From de02868a37d0c23c5e55357612656e599290be10 Mon Sep 17 00:00:00 2001 From: migromarj Date: Wed, 7 Dec 2022 19:08:12 +0100 Subject: [PATCH] feat(#75): Improve application security Add python-decouple as a new project requirement. Change the admin password to a stronger one in the initial.json file. Add sensitive data like tokens and passwords to environment variables. Add environment variables to the file associated with GitHub Actions. --- .github/workflows/main.yml | 8 +++++++- fixtures/initial.json | 2 +- innoweb/development_settings.py | 3 ++- innoweb/production_settings.py | 7 ++++--- innoweb/tests.py | 12 +++++++----- requirements.txt | 3 ++- 6 files changed, 23 insertions(+), 12 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index acdd4cc..c24b826 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -9,6 +9,12 @@ on: branches: - main +env: + DJANGO_SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY }} + PRODUCTION_DB_USER: ${{ secrets.PRODUCTION_DB_USER }} + PRODUCTION_DB_PASSWORD: ${{ secrets.PRODUCTION_DB_PASSWORD }} + USER_PASSWORD: ${{ secrets.USER_PASSWORD }} + jobs: build: @@ -42,13 +48,13 @@ jobs: python -m pip install --upgrade pip pip install -r requirements.txt pip install codacy-coverage + sudo apt-get install chromium-browser chromium-chromedriver - name: Make Migrations and Migrate run: | python ./manage.py makemigrations python ./manage.py migrate - name: Run Tests run: | - sudo apt-get install chromium-browser chromium-chromedriver coverage run --branch --source=. ./manage.py test --keepdb coverage xml - name: Codacy Coverage Reporter diff --git a/fixtures/initial.json b/fixtures/initial.json index 889f8ca..60a20dd 100644 --- a/fixtures/initial.json +++ b/fixtures/initial.json 
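Review bot: The workflow-level `env:` block exposes all four secrets to every step of the job, including the Codacy coverage reporter and any third-party action it invokes, although only the migrate and test steps appear to need them; scoping the block under those steps (an `env:` key directly beneath `- name: Run Tests` and the migration step) keeps the values out of steps that have no use for them. GitHub also withholds repository secrets from workflows triggered by pull requests from forks, so `config('DJANGO_SECRET_KEY')` would raise at settings import and fail CI on such runs; the `on:` block is only partly visible here, so if it includes `pull_request` a non-secret CI fallback or a guard on those steps is needed. A short comment above the block, `# Secrets are read via python-decouple in innoweb/*_settings.py and innoweb/tests.py; unavailable on fork PRs`, would tell the next maintainer where the names are consumed.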
@@ -3,7 +3,7 @@ "model": "participant.participant", "pk": 1, "fields": { - "password": "pbkdf2_sha256$390000$t2OIZxvgHmdsCv5I9Rejfi$h8Dw3EaSUSvIR2MluhS9kivGhtlODqon8DAsqnfqorA=", + "password": "pbkdf2_sha256$390000$ftGcH8BvhGg7hPqAvbgA74$lxvUK1T1WCy7GOLEH1cmfDdrwr/AiL/xAGEvGOI1IKs=", "last_login": "2022-11-19T21:55:55.973Z", "is_superuser": true, "username": "admin", diff --git a/innoweb/development_settings.py b/innoweb/development_settings.py index 9494289..6eccdf1 100644 --- a/innoweb/development_settings.py +++ b/innoweb/development_settings.py @@ -13,6 +13,7 @@ from pathlib import Path import os from django.contrib.messages import constants as messages +from decouple import config # Build paths inside the project like this: BASE_DIR / 'subdir'. BASE_DIR = Path(__file__).resolve().parent.parent @@ -22,7 +23,7 @@ # See https://docs.djangoproject.com/en/4.1/howto/deployment/checklist/ # SECURITY WARNING: keep the secret key used in production secret! -SECRET_KEY = 'django-insecure-_$s8&xy9@woe3wlr(pqj3r(n8q78o4j##h-f4e%@3=ms_d$!i7' +SECRET_KEY = config('DJANGO_SECRET_KEY') # SECURITY WARNING: don't run with debug turned on in production! DEBUG = True diff --git a/innoweb/production_settings.py b/innoweb/production_settings.py index 0658818..5010044 100644 --- a/innoweb/production_settings.py +++ b/innoweb/production_settings.py @@ -12,6 +12,7 @@ from pathlib import Path from django.contrib.messages import constants as messages +from decouple import config # Build paths inside the project like this: BASE_DIR / 'subdir'. BASE_DIR = Path(__file__).resolve().parent.parent @@ -21,7 +22,7 @@ # See https://docs.djangoproject.com/en/4.1/howto/deployment/checklist/ # SECURITY WARNING: keep the secret key used in production secret! -SECRET_KEY = 'django-insecure-_$s8&xy9@woe3wlr(pqj3r(n8q78o4j##h-f4e%@3=ms_d$!i7' +SECRET_KEY = config('DJANGO_SECRET_KEY') # SECURITY WARNING: don't run with debug turned on in production! DEBUG = False 
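Review bot: Swapping the hash in `fixtures/initial.json` still leaves an `is_superuser: true` account named `admin` whose password is shared through the repository, and the previous hash remains in git history; a stronger password only raises the cost of offline cracking, it does nothing against anyone who already knows the plaintext this hash was generated from. The fixture is loaded by the Selenium tests, and nothing in the patch shows whether it is also loaded into the production database — if it is, the production admin credential is effectively known to everyone with repo access, so the production superuser should be created out of band (`manage.py createsuperuser` or an environment-driven management command) and fixture accounts kept for tests only. Strict JSON has no comment syntax, so this constraint belongs in the README or in the settings module rather than in the fixture.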
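Review bot: `config('DJANGO_SECRET_KEY')` with no default raises `UndefinedValueError` at import, so every developer now needs a `.env` file or an exported variable before any `manage.py` command runs; that is acceptable for a development settings file, but it needs documenting, and the `.env` file must be git-ignored, which this commit does not show (please confirm `.gitignore` covers it). Because the production settings read the same variable name, a developer who reuses the production value locally ends up with the production signing key on a workstation; a development-specific name such as `config('DJANGO_DEV_SECRET_KEY')`, or at least a comment `# Use a throwaway key here; never the production DJANGO_SECRET_KEY.`, makes the separation explicit. The removed `django-insecure-...` value stays in history and should be treated as compromised wherever it was used.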
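Review bot: Reading the key from `config('DJANGO_SECRET_KEY')` does not invalidate the removed `django-insecure-_$s8...` value, which remains in git history and previously signed sessions, CSRF and password-reset tokens for this deployment, so the value placed in the secret store must be a freshly generated key (for example from `django.core.management.utils.get_random_secret_key()`), not the old string pasted across; the commit description does not say this rotation was done. The `django-insecure-` prefix marks the key as the `startproject` default, which `manage.py check --deploy` flags, and running that check in CI would catch a regression to a hard-coded key. Suggested comment above the assignment: `# Read from the environment only; rotate immediately if a key is ever committed.`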
@@ -86,8 +87,8 @@ 'default': { 'ENGINE' : 'django.db.backends.mysql', 'NAME' : 'innosoftinnoweb$innowebdb', - 'USER' : 'innosoftinnoweb', - 'PASSWORD': 'Inn0$0ft_2k22', + 'USER' : config('PRODUCTION_DB_USER'), + 'PASSWORD': config('PRODUCTION_DB_PASSWORD'), 'HOST' : 'innosoftinnoweb.mysql.pythonanywhere-services.com', } } diff --git a/innoweb/tests.py b/innoweb/tests.py index 6b3f9b1..cf898d2 100644 --- a/innoweb/tests.py +++ b/innoweb/tests.py @@ -5,7 +5,9 @@ from score.models import Score from webdriver_manager.chrome import ChromeDriverManager from selenium.webdriver.chrome.options import Options +from decouple import config +USER_PASSWORD = config('USER_PASSWORD') class HomeViewTest(StaticLiveServerTestCase): fixtures = ['fixtures/initial.json'] @@ -130,7 +132,7 @@ def tearDownClass(cls): def test_login_success(self): username = "tomcambor" - password = "Estaesmicontraseña" + password = USER_PASSWORD PORT = self.live_server_url.split(":")[2] self.browser.get(self.live_server_url) self.browser.get("http://localhost:" + PORT + "/login") @@ -147,7 +149,7 @@ def test_login_success(self): def test_login_username_fail(self): username = "incorrectusername" - password = "Estaesmicontraseña" + password = USER_PASSWORD PORT = self.live_server_url.split(":")[2] self.browser.get(self.live_server_url) self.browser.get("http://localhost:" + PORT + "/login") @@ -195,7 +197,7 @@ def tearDownClass(cls): def test_register_event(self): username = "tomcambor" - password = "Estaesmicontraseña" + password = USER_PASSWORD PORT = self.live_server_url.split(":")[2] self.browser.get(self.live_server_url) self.browser.get("http://localhost:" + PORT + "/login") @@ -216,7 +218,7 @@ def test_register_event(self): def test_register_event_already_registered(self): username = "tomcambor" - password = "Estaesmicontraseña" + password = USER_PASSWORD PORT = self.live_server_url.split(":")[2] self.browser.get(self.live_server_url) self.browser.get("http://localhost:" + PORT + "/login") 
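Review bot: Removing `'Inn0$0ft_2k22'` from source does not remove it from git history, so the MySQL password for the `innosoftinnoweb` account on PythonAnywhere should be rotated and only the new value stored in `PRODUCTION_DB_PASSWORD`; otherwise the hunk hides a credential that remains valid and discoverable. `NAME` and `HOST` stay hard-coded, which is fine for non-secret values, though `config('PRODUCTION_DB_HOST', default='innosoftinnoweb.mysql.pythonanywhere-services.com')` would stop the settings file being tied to one hosting account. I would add above the `'default'` entry: `# Credentials come from the environment; the password once hard-coded here is in history and must be considered leaked.`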
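Review bot: `USER_PASSWORD = config('USER_PASSWORD')` executes at module import, so when the variable is unset the whole `innoweb.tests` module fails to load and every test in it is reported as an error rather than skipped — which is also what will happen on fork pull requests, where GitHub withholds secrets. The value is not genuinely secret: it has to be the plaintext behind the `tomcambor` hash committed in `fixtures/initial.json`, so the two can silently drift and a developer without the CI secret cannot run the suite locally. Creating the test user in the test's `setUpClass` with `User.objects.create_user(username="tomcambor", password=USER_PASSWORD)` instead of relying on the fixture hash removes the drift; at minimum add `# Must match the hash stored for 'tomcambor' in fixtures/initial.json.` next to the assignment.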
@@ -265,7 +267,7 @@ def tearDownClass(cls): def test_next_events_are_shown(self): username = "tomcambor" - password = "Estaesmicontraseña" + password = USER_PASSWORD PORT = self.live_server_url.split(":")[2] self.browser.get(self.live_server_url) self.browser.get("http://localhost:" + PORT + "/login") diff --git a/requirements.txt b/requirements.txt index 09bc641..5a2c4e0 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,4 +4,5 @@ selenium coverage==4.5.2 locust Pillow==9.3.0 -webdriver_manager \ No newline at end of file +webdriver_manager +python-decouple \ No newline at end of file
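Review bot: `python-decouple` is added without a version pin while `coverage==4.5.2` and `Pillow==9.3.0` are pinned, so the package that now gates every secret lookup resolves to whatever PyPI serves at install time in CI and in production; pin it to the release you tested (`python-decouple==<tested version>`), ideally with hashes via `pip-compile --generate-hashes`, and the same applies to the pre-existing unpinned `selenium`, `locust` and `webdriver_manager`. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows, which will keep producing noisy diffs on every future addition.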