from __future__ import annotations from functools import lru_cache from typing import Any, List, Literal from urllib.parse import quote from dotenv import find_dotenv, load_dotenv from pydantic import Field, PrivateAttr from pydantic_settings import BaseSettings, SettingsConfigDict from src.infrastructure.vault.client import VaultClient env_file = find_dotenv('.env') if env_file: load_dotenv(env_file) def _as_int(value: object, default: int) -> int: if value is None: return default if isinstance(value, int): return value return int(str(value).strip()) class Settings(BaseSettings): model_config = SettingsConfigDict(env_file='.env', env_file_encoding='utf-8', case_sensitive=True, extra='ignore') _vault_database_secrets: dict[str, Any] = PrivateAttr(default_factory=dict) VAULT_ADDR: str = 'https://corp.vault.elcsa.ru' VAULT_ROLE_ID: str = '' VAULT_SECRET_ID: str = '' VAULT_NAMESPACE: str | None = None VAULT_MOUNT_POINT: str = 'dev-secrets' VAULT_DATABASE_SECRET_PATH: str = 'database' VAULT_RABBIT_SECRET_PATH: str = 'rabbitmq' VAULT_CSRF_SECRET_PATH: str = 'csrf' VAULT_DOCS_SECRET_PATH: str = 'docs' VAULT_JWT_KID_PATH: str = 'jwt/kid' VAULT_JWT_KIDS_PREFIX: str = 'jwt/kids' DATABASE_URL_DIRECT: str | None = Field(default=None, validation_alias='DATABASE_URL') DATABASE_HOST: str = '' DATABASE_PORT: int = Field(default=5432, ge=1, le=65535) DATABASE_NAME: str = '' DATABASE_USER: str = '' DATABASE_PASSWORD: str = '' DATABASE_POOL_SIZE: int = 10 DATABASE_MAX_OVERFLOW: int = 20 DATABASE_POOL_TIMEOUT: int = 30 DATABASE_POOL_RECYCLE: int = 3600 DATABASE_ECHO: bool = False CSRF_SECRET_KEY: str = Field( default='change-me-change-me-change-me-change-me', min_length=32, ) CSRF_COOKIE_SECURE: bool = False CSRF_COOKIE_HTTPONLY: bool = True CSRF_COOKIE_SAMESITE: Literal['Lax', 'Strict', 'None'] = 'Lax' CSRF_COOKIE_PATH: str = '/' CSRF_COOKIE_DOMAIN: str | None = None DOCS_USERNAME: str = 'admin' DOCS_PASSWORD: str = 'admin' JWT_ACCESS_TTL_SECONDS: int = 15 * 60 JWT_REFRESH_TTL_SECONDS: int = 30 * 24 * 60 * 60 JWT_ISSUER: str | None = None JWT_AUDIENCE: str | None = None JWT_ALGORITHM: str = 'RS256' JWT_KEYS_REFRESH_SECONDS: int = 3600 REDIS_HOST: str = 'keydb' REDIS_PORT: int = 6379 REDIS_PASSWORD: str | None = None REDIS_DB: int = 0 RABBIT_HOST: str = 'localhost' RABBIT_PORT: int = 5672 RABBIT_USER: str = 'guest' RABBIT_PASSWORD: str = 'guest' RABBIT_VHOST: str = '/' RABBIT_PUBLISH_PERSIST: bool = True RABBIT_CONNECT_TIMEOUT: int = 5 RABBIT_EMAIL_CODE_QUEUE: str = 'email.verification_code' LOG_LEVEL: Literal['DEBUG', 'INFO', 'WARNING', 'ERROR', 'CRITICAL'] = 'INFO' LOG_FORMAT: Literal['JSON', 'TEXT'] = 'JSON' def _get_vault_secret(self, secrets: dict[str, Any], *keys: str) -> str: for key in keys: value = secrets.get(key) if value is not None and str(value).strip() != '': return str(value) return '' def model_post_init(self, __context: Any) -> None: if not self.VAULT_ROLE_ID.strip() or not self.VAULT_SECRET_ID.strip(): if not self.DATABASE_URL: raise ValueError( 'Set VAULT_ROLE_ID and VAULT_SECRET_ID for Vault, or set DATABASE_URL ' '(or DATABASE_HOST, DATABASE_USER, DATABASE_PASSWORD, DATABASE_NAME) in the environment', ) return client = VaultClient( addr=self.VAULT_ADDR, role_id=self.VAULT_ROLE_ID, secret_id=self.VAULT_SECRET_ID, namespace=self.VAULT_NAMESPACE, mount_point=self.VAULT_MOUNT_POINT, ) db = client.read_secret(self.VAULT_DATABASE_SECRET_PATH) object.__setattr__(self, '_vault_database_secrets', db) def kv(d: dict[str, Any], *keys: str) -> Any: for k in keys: if k in d and d[k] is not None: return d[k] return None if kv(db, 'HOST', 'host') is not None: object.__setattr__(self, 'DATABASE_HOST', str(kv(db, 'HOST', 'host'))) if kv(db, 'PORT', 'port') is not None: object.__setattr__(self, 'DATABASE_PORT', _as_int(kv(db, 'PORT', 'port'), self.DATABASE_PORT)) if kv(db, 'NAME', 'name') is not None: object.__setattr__(self, 'DATABASE_NAME', str(kv(db, 'NAME', 'name'))) if kv(db, 'USER', 'user') is not None: object.__setattr__(self, 'DATABASE_USER', str(kv(db, 'USER', 'user'))) if kv(db, 'PASSWORD', 'password') is not None: object.__setattr__(self, 'DATABASE_PASSWORD', str(kv(db, 'PASSWORD', 'password'))) rabbit = client.read_secret_optional(self.VAULT_RABBIT_SECRET_PATH) if rabbit: if kv(rabbit, 'HOST', 'host') is not None: object.__setattr__(self, 'RABBIT_HOST', str(kv(rabbit, 'HOST', 'host'))) if kv(rabbit, 'PORT', 'port') is not None: object.__setattr__(self, 'RABBIT_PORT', _as_int(kv(rabbit, 'PORT', 'port'), self.RABBIT_PORT)) if kv(rabbit, 'USER', 'user') is not None: object.__setattr__(self, 'RABBIT_USER', str(kv(rabbit, 'USER', 'user'))) if kv(rabbit, 'PASSWORD', 'password') is not None: object.__setattr__(self, 'RABBIT_PASSWORD', str(kv(rabbit, 'PASSWORD', 'password'))) if kv(rabbit, 'VHOST', 'vhost') is not None: object.__setattr__(self, 'RABBIT_VHOST', str(kv(rabbit, 'VHOST', 'vhost'))) csrf = client.read_secret_optional(self.VAULT_CSRF_SECRET_PATH) if csrf and kv(csrf, 'KEY', 'key') is not None: key = str(kv(csrf, 'KEY', 'key')) if len(key) >= 32: object.__setattr__(self, 'CSRF_SECRET_KEY', key) docs = client.read_secret_optional(self.VAULT_DOCS_SECRET_PATH) if docs: u = docs.get('DOCS_USERNAME') or docs.get('USERNAME') p = docs.get('DOCS_PASSWORD') or docs.get('PASSWORD') if u is not None: object.__setattr__(self, 'DOCS_USERNAME', str(u)) if p is not None: object.__setattr__(self, 'DOCS_PASSWORD', str(p)) if not self.DATABASE_URL: raise ValueError('Database URL could not be built from Vault database secret') @property def DATABASE_URL(self) -> str: direct = (self.DATABASE_URL_DIRECT or '').strip() if direct: return direct ready_url = self._get_vault_secret( self._vault_database_secrets, 'DATABASE_URL', 'database_url', ) if ready_url: return ready_url host = self._get_vault_secret(self._vault_database_secrets, 'host', 'HOST') port = self._get_vault_secret(self._vault_database_secrets, 'port', 'PORT') or str(self.DATABASE_PORT) user = self._get_vault_secret(self._vault_database_secrets, 'user', 'USER') password = self._get_vault_secret(self._vault_database_secrets, 'password', 'PASSWORD') name = self._get_vault_secret(self._vault_database_secrets, 'name', 'NAME', 'database', 'DATABASE') if not host or not user or not password or not name: h = (self.DATABASE_HOST or '').strip() u = (self.DATABASE_USER or '').strip() p = (self.DATABASE_PASSWORD or '').strip() n = (self.DATABASE_NAME or '').strip() if h and u and p and n: quoted_user = quote(u, safe='') quoted_password = quote(p, safe='') po = str(self.DATABASE_PORT) return f'postgresql+asyncpg://{quoted_user}:{quoted_password}@{h}:{po}/{n}' return '' quoted_user = quote(user, safe='') quoted_password = quote(password, safe='') return f'postgresql+asyncpg://{quoted_user}:{quoted_password}@{host}:{port}/{name}' @property def REDIS_URL(self) -> str: auth = f':{self.REDIS_PASSWORD}@' if self.REDIS_PASSWORD else '' return f'redis://{auth}{self.REDIS_HOST}:{self.REDIS_PORT}/{self.REDIS_DB}' @property def RABBIT_URL(self) -> str: vhost = '%2F' if self.RABBIT_VHOST == '/' else self.RABBIT_VHOST.lstrip('/') return f'amqp://{self.RABBIT_USER}:{self.RABBIT_PASSWORD}@{self.RABBIT_HOST}:{self.RABBIT_PORT}/{vhost}' @property def EXCLUDED_PATHS(self) -> List[str]: return ['/docs', '/redoc', '/openapi.json', '/ping', '/health'] @lru_cache(maxsize=1) def get_settings() -> Settings: return Settings() settings = get_settings()