feat: multiple improvements for REANA 0.9.4

reana_server/config.py

@@ -136,8 +136,10 @@ def _(x):
 # Accounts
 # ========
 #: Redis URL
-ACCOUNTS_SESSION_REDIS_URL = "redis://{host}:6379/1".format(
-    host=REANA_INFRASTRUCTURE_COMPONENTS_HOSTNAMES["cache"]
+REANA_CACHE_PASSWORD = os.getenv("REANA_CACHE_PASSWORD", "")
+ACCOUNTS_SESSION_REDIS_URL = "redis://:{password}@{host}:6379/1".format(
+    password=REANA_CACHE_PASSWORD,
+    host=REANA_INFRASTRUCTURE_COMPONENTS_HOSTNAMES["cache"],
 )
 #: Email address used as sender of account registration emails.
 SECURITY_EMAIL_SENDER = SUPPORT_EMAIL
@@ -148,7 +150,9 @@ def _(x):
 #: and X-User-ID headers to HTTP response. You MUST ensure that NGINX (or other
 #: proxies) removes these headers again before sending the response to the
 #: client. Set to False, in case of doubt.
-ACCOUNTS_USERINFO_HEADERS = True
+ACCOUNTS_USERINFO_HEADERS = bool(
+    strtobool(os.getenv("ACCOUNTS_USERINFO_HEADERS", "False"))
+)
 #: Disable password recovery by users.
 SECURITY_RECOVERABLE = False
 REANA_USER_EMAIL_CONFIRMATION = strtobool(
@@ -186,7 +190,9 @@ def _(x):
 
 #: Secret key - each installation (dev, production, ...) needs a separate key.
 #: It should be changed before deploying.
-SECRET_KEY = "CHANGE_ME"
+SECRET_KEY = os.getenv("REANA_SECRET_KEY", "CHANGE_ME")
+"""Secret key used for the application user sessions."""
+
 #: Sets cookie with the secure flag by default
 SESSION_COOKIE_SECURE = True
 #: Sets session to be samesite to avoid CSRF attacks
@@ -203,8 +209,17 @@ def _(x):
 
 # Security configuration
 # ======================
-PROXYFIX_CONFIG = {"x_proto": 1}
+PROXYFIX_CONFIG = json.loads(os.getenv("PROXYFIX_CONFIG", '{"x_proto": 1}'))
+
 APP_DEFAULT_SECURE_HEADERS["content_security_policy"] = {}
+APP_DEFAULT_SECURE_HEADERS.update(
+    json.loads(os.getenv("APP_DEFAULT_SECURE_HEADERS", "{}"))
+)
+if "REANA_FORCE_HTTPS" in os.environ:
+    APP_DEFAULT_SECURE_HEADERS["force_https"] = bool(
+        strtobool(os.getenv("REANA_FORCE_HTTPS"))
+    )
+
 APP_HEALTH_BLUEPRINT_ENABLED = False
 
 
@@ -316,8 +331,6 @@ def _get_rate_limit(env_variable: str, default: str) -> str:
 OAUTHCLIENT_REMOTE_APPS["cern_openid"] = OAUTH_REMOTE_REST_APP
 OAUTHCLIENT_REST_REMOTE_APPS["cern_openid"] = OAUTH_REMOTE_REST_APP
 
-DEBUG = True
-
 SECURITY_PASSWORD_SALT = "security-password-salt"
 
 SECURITY_SEND_REGISTER_EMAIL = False

reana_server/ext.py

@@ -14,8 +14,10 @@
 from flask_limiter.errors import RateLimitExceeded
 from marshmallow.exceptions import ValidationError
 from reana_commons.config import REANA_LOG_FORMAT, REANA_LOG_LEVEL
+from sqlalchemy_utils.types.encrypted.padding import InvalidPaddingError
 from werkzeug.exceptions import UnprocessableEntity
 
+
 from reana_server import config
 
 
@@ -52,6 +54,17 @@ def handle_args_validation_error(error: UnprocessableEntity):
     return jsonify({"message": error_message}), 400
 
 
+def handle_invalid_padding_error(error: InvalidPaddingError):
+    """Error handler for sqlalchemy_utils exception ``InvalidPaddingError``.
+
+    This error handler raises an exception with a more understandable message.
+    """
+    raise InvalidPaddingError(
+        "Error decrypting the database. Did you set the correct secret key? "
+        "If you changed the secret key, did you run the migration command?"
+    ) from error
+
+
 class REANA(object):
     """REANA Invenio app."""
 
@@ -103,3 +116,4 @@ def init_error_handlers(self, app):
         """Initialize custom error handlers."""
         app.register_error_handler(RateLimitExceeded, handle_rate_limit_error)
         app.register_error_handler(UnprocessableEntity, handle_args_validation_error)
+        app.register_error_handler(InvalidPaddingError, handle_invalid_padding_error)

reana_server/factory.py

@@ -31,7 +31,6 @@ def create_app(config_mapping=None):
     app.config.from_object("reana_server.config")
     if config_mapping:
         app.config.from_mapping(config_mapping)
-    app.secret_key = "hyper secret key"
 
     app.session = Session