
Disable notice regarding django-csp

Open GertBurger opened this issue 1 year ago • 5 comments

Is there a way to disable the notice regarding django-csp when it is not in use and CSP is managed via another mechanism?

WARNING [djangosaml2:90] django-csp could not be found, not updating Content-Security-Policy. Please make sure CSP is configured at least by httpd or setup django-csp. See https://djangosaml2.readthedocs.io/contents/security.html#content-security-policy for more information

FYI, the link is also broken.

GertBurger, Feb 07 '24 16:02

mhh.. probably the CD of the docs has some problem, I have to check.

generally that warning is there for security reasons

you can configure Python logging so that when that specific part of the code produces a warning, it is sent to /dev/null, for example

peppelinux, Feb 07 '24 22:02

Via a logging.Filter()? That seems a bit excessive just to remove a warning about an optional dependency that is not required when CSP is managed via a different mechanism.

That log output is on the djangosaml2 logger name with all other logging output from this library, so adjusting the level of it to filter out warnings will also affect valuable logging output.

Were you thinking of a different method?

For now I'll just patch out the csp module namespace with a dummy.

GertBurger, Feb 07 '24 23:02
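As an added example (not part of this thread and not code from djangosaml2), this is what the `logging.Filter` approach discussed above looks like when scoped narrowly: it drops only the django-csp notice on the `djangosaml2` logger hierarchy and lets every other record through, so the logger's level does not have to be raised. The module path `myproject.logfilters` in the `LOGGING` fragment and the non-CSP log messages are constructed for illustration; the matched prefix is quoted from the warning in the issue.

```python
import logging

# Stable prefix of the warning quoted in the issue; matching on the prefix
# rather than the whole sentence keeps the filter working if the docs link
# in the message changes.
CSP_WARNING_PREFIX = "django-csp could not be found"


class DropCspNotice(logging.Filter):
    """Drop only the django-csp notice; every other record passes through."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Touch only WARNING records from the djangosaml2 logger hierarchy so
        # that errors and unrelated warnings keep their normal handling.
        if record.levelno != logging.WARNING:
            return True
        if not record.name.startswith("djangosaml2"):
            return True
        return not record.getMessage().startswith(CSP_WARNING_PREFIX)


# Django LOGGING fragment (constructed for illustration). The "()" key tells
# logging.config.dictConfig to instantiate the filter class by dotted path;
# "myproject.logfilters" is a placeholder for wherever DropCspNotice lives.
# The filter sits on the handler, not the logger, because logger-level
# filters do not apply to records emitted by child loggers.
DJANGO_LOGGING = {
    "version": 1,
    "disable_existing_loggers": False,
    "filters": {
        "drop_csp_notice": {"()": "myproject.logfilters.DropCspNotice"},
    },
    "handlers": {
        "console": {
            "class": "logging.StreamHandler",
            "filters": ["drop_csp_notice"],
        },
    },
    "loggers": {
        "djangosaml2": {"handlers": ["console"], "level": "INFO"},
    },
}


def passes_filter(msg, level="WARNING", logger_name="djangosaml2.views"):
    """Return True if a record with these attributes would survive the filter."""
    record = logging.makeLogRecord(
        {"name": logger_name, "levelno": getattr(logging, level), "msg": msg}
    )
    return bool(DropCspNotice().filter(record))


class _Capture(logging.Handler):
    """In-memory handler that records what reaches it."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


def surviving_messages():
    """Emit three records through the filter and return those that survive."""
    logger = logging.getLogger("djangosaml2.demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    capture = _Capture()
    capture.addFilter(DropCspNotice())
    logger.handlers = [capture]

    # The notice from the issue: dropped.
    logger.warning(
        "django-csp could not be found, not updating Content-Security-Policy. "
        "Please make sure CSP is configured at least by httpd or setup django-csp."
    )
    # Constructed messages: an unrelated warning and a same-prefix ERROR both survive.
    logger.warning("Unsolicited response detected")
    logger.error("django-csp could not be found (but as an ERROR)")

    return [r.getMessage() for r in capture.records]


if __name__ == "__main__":
    print(surviving_messages())
```

The level and logger-name guards are what keep this from being the blunt instrument the comment above objects to: raising the `djangosaml2` logger level to ERROR would hide every warning from the library, whereas the handler filter hides exactly one message.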

we can move this https://github.com/IdentityPython/djangosaml2/blob/169fc486fc387a0ed57ae01ee67140a424a83a46/djangosaml2/views.py#L90

into another file and import it where we want, then configure this https://github.com/IdentityPython/djangosaml2/blob/master/tests/settings.py#L144

to ignore the warning raised in that file

OR

we can create a settings parameter to disable that specific warning; by default the warning is raised.

peppelinux, Feb 08 '24 00:02

Another option to consider is a setting that points to the CSP handler, which by default can be the django-csp one. Allowing the user to specify their own or disable the feature.

One can then still emit the current log entry if the default value for the setting is set but django-csp is not installed.

Just a thought, either of the ways you mentioned would work fine for us.

GertBurger, Feb 08 '24 15:02

could you please provide a PR with your preferred approach, we'll do a revision and a new release together

peppelinux, Feb 15 '24 08:02