# -*- coding: utf-8 -*-
"""Zentrale Konfiguration – über Umgebungsvariablen oder .env steuerbar."""
import os
import sys
import secrets
from pathlib import Path
from dotenv import load_dotenv
load_dotenv()
# NOTE(review): called without a path, so python-dotenv locates the .env file
# on its own and — by its documented default — does not override variables
# that are already present in the process environment.  Confirm both hold for
# the deployment, and keep .env out of version control: it carries the secret.

# Project root: this module lives one directory below it.
BASE_DIR = Path(__file__).resolve().parent.parent

# Database connection URL.  The fallback is a SQLite file in the project root
# so a fresh checkout runs without any database setup.
# NOTE(review): a non-default URL may embed credentials; never log this value.
_DEFAULT_DATABASE_URL = f"sqlite:///{BASE_DIR / 'workforce_planner.db'}"
DATABASE_URL = os.environ.get("WP_DATABASE_URL", _DEFAULT_DATABASE_URL)
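# Lower-case prefixes that mark a hand-typed placeholder key.  The key is
# lower-cased before comparison, so entries here must be lower-case.
_WEAK_PATTERNS = ("dev", "test", "password", "secret", "changeme", "default", "example", "123")

# Minimum accepted key length in characters.  Length alone is a weak proxy for
# entropy; the distinct-character and prefix checks below narrow the gap.
_MIN_KEY_LENGTH = 32

# A key such as "a" * 32 passes the length check with essentially no entropy.
# Any key produced by secrets.token_hex(64) (or a comparable random token)
# clears this bar by a wide margin.
_MIN_DISTINCT_CHARS = 8

# A key at least this long whose weak prefix is immediately followed by an
# alphanumeric character is tolerated: a random hex/base64 token can
# legitimately begin with e.g. "123".  Shorter keys, or a prefix followed by a
# separator ("secret-", "dev_"), are treated as deliberate weak keys.
_PREFIX_TOLERANCE_LENGTH = 40


def _fail(message: str) -> None:
    """Write a configuration error to stderr and stop the process (status 1).

    Used for errors detected while this module is imported: the application
    must not start with a missing or weak secret.  Does not return.  Callers
    must never put the key itself into *message*.
    """
    print(message, file=sys.stderr)
    sys.exit(1)


def _reject_weak(pattern: str) -> None:
    """Abort startup because AZA_SECRET_KEY starts with the trivial *pattern*.

    Only the matched pattern is reported, never the key.  Does not return.
    """
    _fail(
        f"FEHLER: AZA_SECRET_KEY enthält triviales Muster ('{pattern}').\n"
        "Verwenden Sie einen kryptografisch sicheren Key."
    )


def _has_weak_prefix(key: str, pattern: str) -> bool:
    """Return True when *key* begins with *pattern* in a way that looks hand-made.

    The comparison is case-insensitive.  A match is tolerated only when the
    key is at least _PREFIX_TOLERANCE_LENGTH characters long AND the pattern
    is followed by an alphanumeric character — the shape of a random token
    that merely happens to start with the pattern.
    """
    if not key.lower().startswith(pattern):
        return False
    following = key[len(pattern):len(pattern) + 1]
    return len(key) < _PREFIX_TOLERANCE_LENGTH or not following.isalnum()


def _load_secret_key() -> str:
    """Return the application secret read from the AZA_SECRET_KEY variable.

    Startup fails (message on stderr, exit status 1) when the key is missing,
    shorter than _MIN_KEY_LENGTH characters, built from fewer than
    _MIN_DISTINCT_CHARS distinct characters, or begins with one of the
    _WEAK_PATTERNS (see _has_weak_prefix for the exact rule).  In development
    mode (AZA_ENV=dev, case-insensitive) a *missing* key is replaced by a
    random, process-local one; anything signed with it is invalid after a
    restart and is not shared between worker processes.  A key that is set but
    weak is rejected in every mode.

    Returns:
        The validated key with surrounding whitespace removed.

    Raises:
        SystemExit: via sys.exit(1) on any validation failure.
    """
    key = os.getenv("AZA_SECRET_KEY", "").strip()
    env_mode = os.getenv("AZA_ENV", "").strip().lower()

    if not key:
        if env_mode == "dev":
            key = secrets.token_hex(64)
            print(
                "WARNUNG: AZA_SECRET_KEY nicht gesetzt. "
                "Auto-generierter Key (nur gültig für diese Session, AZA_ENV=dev).",
                file=sys.stderr,
            )
            return key
        _fail(
            "FEHLER: AZA_SECRET_KEY ist nicht gesetzt.\n"
            f"Setzen Sie die Umgebungsvariable mit mindestens {_MIN_KEY_LENGTH} Zeichen.\n"
            "Beispiel: AZA_SECRET_KEY=$(python -c \"import secrets; print(secrets.token_hex(64))\")\n"
            "Für Entwicklung: AZA_ENV=dev erlaubt auto-generierten Key."
        )

    if len(key) < _MIN_KEY_LENGTH:
        # Report the length only — the key itself must never reach a log.
        _fail(
            f"FEHLER: AZA_SECRET_KEY ist zu kurz ({len(key)} Zeichen, Minimum: {_MIN_KEY_LENGTH}).\n"
            "Generieren Sie einen sicheren Key:\n"
            " python -c \"import secrets; print(secrets.token_hex(64))\""
        )

    if len(set(key)) < _MIN_DISTINCT_CHARS:
        # Catches long-but-repetitive keys ("aaaa…", "xyzxyz…") that satisfy
        # the length check without carrying any real entropy.
        _fail(
            "FEHLER: AZA_SECRET_KEY besteht aus zu wenigen unterschiedlichen Zeichen "
            f"(Minimum: {_MIN_DISTINCT_CHARS}).\n"
            "Generieren Sie einen sicheren Key:\n"
            " python -c \"import secrets; print(secrets.token_hex(64))\""
        )

    # An exact match against a pattern is impossible here (every pattern is
    # far shorter than _MIN_KEY_LENGTH), so only the prefix rule is applied.
    for pattern in _WEAK_PATTERNS:
        if _has_weak_prefix(key, pattern):
            _reject_weak(pattern)

    return key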
# Validated at import time: a missing or weak key stops the process here.
SECRET_KEY = _load_secret_key()

# Lifetime of issued access tokens in minutes; the default is eight hours.
# int() raises ValueError at import time on a non-numeric value, which is the
# intended fail-fast.  NOTE(review): there is no range check, so 0 or a
# negative value is passed through unchanged — confirm how the token issuer
# treats such values.
ACCESS_TOKEN_EXPIRE_MINUTES = int(os.environ.get("WP_TOKEN_EXPIRE", "480"))

# NOTE(review): presumably a lower bound on staff per shift; its meaning is
# defined by the consumer, not here, and negative values are not rejected.
MIN_STAFF_COUNT = int(os.environ.get("WP_MIN_STAFF", "2"))

# Debug mode is opt-in and requires the exact value "1"; anything else
# (including "true" or "yes") leaves it off.  Must stay off in production.
DEBUG = os.environ.get("WP_DEBUG", "0") == "1"