fix(sonarcloud): move DATABASE_URL default to .env.example

fix https://rules.sonarsource.com/secrets/RSPEC-6698/ by not using
a hardcoded DATABASE_URL in compose.yaml or settings.py but having a
default value for it in `.env.example` file

also:
 - combine `.env.keycloak.example` and `docker-compose.env.example`
   into `.env.example`
 - make Docker Compose use `.env` for environment variables
 - update README related to environment variable files
 - add more .env.* files explicitly into .gitignore
 - fix comment in docker-entrypoint.sh (was the other way around)

refs KK-1417

.env.keycloak.example → .env.example

@@ -1,10 +1,32 @@
 SECRET_KEY=
+CORS_ORIGIN_ALLOW_ALL=1
+APPLY_MIGRATIONS=1
+ADD_DEFAULT_LANGUAGES=1
 DEBUG=1
-DATABASE_URL=postgres://kukkuu:kukkuu@localhost:5434/kukkuu
+# Values in DATABASE_* and POSTGRES_* variables must match!
+# DATABASE_URL is used by Django
+# DATABASE_HOST is used by docker-entrypoint.sh
+# POSTGRES_* variables are used by the Postgres Docker container
+# i.e. DATABASE_URL should be:
+# postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${DATABASE_HOST}/${POSTGRES_DB}
+# or optionally contain a port number e.g. ":5434" after the host
+# Database settings for Docker + Docker compose based local development:
+DATABASE_URL=postgres://kukkuu:[email protected]/kukkuu
+DATABASE_HOST=kukkuu-db.helsinki
+# Database settings for non-Docker local development:
+# DATABASE_URL=postgres://kukkuu:kukkuu@localhost/kukkuu
+# DATABASE_HOST=localhost
+POSTGRES_USER=kukkuu
+POSTGRES_PASSWORD=kukkuu
+POSTGRES_DB=kukkuu
+SKIP_DATABASE_CHECK=0
+ALLOWED_HOSTS=*
 CORS_ALLOWED_ORIGINS=http://localhost:3000,http://localhost:3001,http://localhost:3002
 CORS_ORIGIN_ALLOW_ALL=True
-ALLOWED_HOSTS=*
+# For Keycloak test environment authentication service:
 TOKEN_AUTH_AUTHSERVER_URL=https://tunnistus.test.hel.ninja/auth/realms/helsinki-tunnistus
+# For local Tunnistamo authentication service:
+# TOKEN_AUTH_AUTHSERVER_URL=http://tunnistamo-backend:8000/openid
 # For local Kukkuu API:
 TOKEN_AUTH_ACCEPTED_AUDIENCE=kukkuu-api-dev,profile-api-test
 # For test env Kukkuu API:
@@ -15,9 +37,10 @@ GDPR_API_QUERY_SCOPE=gdprquery
 GDPR_API_DELETE_SCOPE=gdprdelete
 GDPR_API_AUTHORIZATION_FIELD=authorization.permissions.scopes
 HELUSERS_BACK_CHANNEL_LOGOUT_ENABLED=True
+HELUSERS_PASSWORD_LOGIN_DISABLED=False
 KUKKUU_HASHID_SALT=abcdefg123456
 KUKKUU_TICKET_VERIFICATION_URL=http://localhost:3000/ticket-verification-endpoint/{reference_id}
-MAIL_MAILGUN_KEY
+MAIL_MAILGUN_KEY=
 MAIL_MAILGUN_DOMAIN=hel.fi
 MAIL_MAILGUN_API=https://api.eu.mailgun.net/v3
 KUKKUU_NOTIFICATIONS_SHEET_ID=1TkdQsO50DHOg5pi1JhzudOL1GKpiK-V2DCIoAipKj-M

.gitignore

@@ -24,6 +24,13 @@
 .DS_Store
 .eggs/
 .env
+.env.development
+.env.development.local
+.env.local
+.env.production
+.env.production.local
+.env.test
+.env.test.local
 .grunt
 .hypothesis/
 .idea

README.md

@@ -103,9 +103,9 @@ Optionally if you want to use pre-commit hooks:
 
 ### Development with Docker
 
-1. Copy `docker-compose.env.example` to `docker-compose.env`
-2. Set value for `SECRET_KEY` to `docker-compose.env` with [Generating secret key for Django](#generating-secret-key-for-django) instructions
-3. Set value for `SOCIAL_AUTH_TUNNISTAMO_SECRET` with [Getting secret for django admin login](#getting-secret-for-django-admin-login) instructions
+1. Copy `.env.example` to `.env`
+2. Set value for `SECRET_KEY` to `.env` with [Generating secret key for Django](#generating-secret-key-for-django) instructions
+3. Set value for `SOCIAL_AUTH_TUNNISTAMO_SECRET` to `.env` with [Getting secret for django admin login](#getting-secret-for-django-admin-login) instructions
 4. Run `docker compose up`
 
 If you do not have a super user / admin to administrate the API yet, you can create one with:
@@ -120,8 +120,10 @@ The project is now running at http://localhost:8081 and using public Keycloak te
 ### Development without Docker
 
 1. Install [requirements](#requirements)
-2. Set value for `SECRET_KEY` with [Generating secret key for Django](#generating-secret-key-for-django) instructions
-3. Set value for `SOCIAL_AUTH_TUNNISTAMO_SECRET` with [Getting secret for django admin login](#getting-secret-for-django-admin-login) instructions
+2. Copy `.env.example` to `.env`
+3. Set value for `SECRET_KEY` to `.env` with [Generating secret key for Django](#generating-secret-key-for-django) instructions
+4. Set value for `SOCIAL_AUTH_TUNNISTAMO_SECRET` to `.env` with [Getting secret for django admin login](#getting-secret-for-django-admin-login) instructions
+5. Modify `DATABASE_URL` and `DATABASE_HOST` in your `.env` file based on where your PostgreSQL database is set up
 
 #### Installing Python requirements
 
@@ -206,8 +208,7 @@ value for local development i.e. `kukkuu-django-admin-dev` client:
 - Find `SOCIAL-AUTH-TUNNISTAMO-SECRET` (may need pressing `Load more`), and open it
 - Click on the hexadecimal current version value to open the secret's current version
 - Click on the "Copy to clipboard" icon after the `Secret value` to copy it to clipboard
-- Paste the value into your env file (`.env` or `docker-compose.env` depending on your setup)
-  as `SOCIAL_AUTH_TUNNISTAMO_SECRET=paste-the-copied-value-here`
+- Paste the value into your `.env` file as `SOCIAL_AUTH_TUNNISTAMO_SECRET=paste-the-copied-value-here`
 
 ### Keeping Python requirements up to date
 

compose.yaml

@@ -2,10 +2,8 @@ services:
     postgres:
         image: postgres:13
         restart: on-failure
-        environment:
-            POSTGRES_USER: kukkuu
-            POSTGRES_PASSWORD: kukkuu
-            POSTGRES_DB: kukkuu
+        env_file:
+            - .env  # For POSTGRES_USER, POSTGRES_PASSWORD and POSTGRES_DB
         ports:
             - 5434:5432
         volumes:
@@ -15,13 +13,9 @@ services:
     django:
         build:
             context: .
-            target: ${DOCKER_TARGET:-development}
+            target: ${DOCKER_TARGET:-development}  # stage of Dockerfile to build
         env_file:
-            - docker-compose.env
-        environment:
-            DATABASE_URL: postgres://kukkuu:kukkuu@kukkuu-db/kukkuu
-            DATABASE_HOST: kukkuu-db.helsinki
-            SKIP_DATABASE_CHECK: 1
+            - .env
         volumes:
             - .:/app
         ports:

docker-entrypoint.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 set -e
 
-# -z for empty / not assigned variable or -o to check whether the value is 0 (=should be skipped)
+# -z for empty / not assigned variable or -o to check whether the value is 0 (=should not be skipped)
 if [ -z "$SKIP_DATABASE_CHECK" -o "$SKIP_DATABASE_CHECK" = "0" ]; then
   until nc -z -v -w30 "$DATABASE_HOST" 5432
   do

kukkuu/settings.py

@@ -37,7 +37,7 @@
     STATIC_URL=(str, "/static/"),
     ALLOWED_HOSTS=(list, []),
     USE_X_FORWARDED_HOST=(bool, False),
-    DATABASE_URL=(str, "postgres://kukkuu:kukkuu@localhost/kukkuu"),
+    DATABASE_URL=(str, ""),
     CACHE_URL=(str, "locmemcache://"),
     MAILER_EMAIL_BACKEND=(str, "django.core.mail.backends.console.EmailBackend"),
     MAILER_LOCK_PATH=(str, ""),