Log the app config on startup

app/__init__.py

@@ -37,12 +37,15 @@ def to_url(self, value):
 def create_app():
     application = Flask("app", static_folder=None)
     application.config.from_object(configs[os.environ["NOTIFY_ENVIRONMENT"]])
+    config = configs[os.environ["NOTIFY_ENVIRONMENT"]]
 
     application.url_map.converters["base64_uuid"] = Base64UUIDConverter
 
     request_helper.init_app(application)
     logging.init_app(application)
 
+    application.logger.info(f"Notify config: {config.get_safe_config()}")
+
     document_store.init_app(application)
     scan_files_document_store.init_app(application)
     antivirus_client.init_app(application)

app/config.py

@@ -1,13 +1,17 @@
 import os
+from typing import Any
 
 from dotenv import load_dotenv
+from environs import Env
 from flask_env import MetaFlaskEnv
 
+env = Env()
+env.read_env()
 load_dotenv()
 
 
 class Config(metaclass=MetaFlaskEnv):
-    DEBUG = os.getenv("DEBUG", False)
+    DEBUG = env.bool("DEBUG", False)
 
     SECRET_KEY = os.getenv("SECRET_KEY", "secret-key")
     AUTH_TOKENS = os.getenv("AUTH_TOKENS", "auth-token")
@@ -43,6 +47,30 @@ class Config(metaclass=MetaFlaskEnv):
     ANTIVIRUS_API_HOST = os.getenv("ANTIVIRUS_API_HOST", "http://localhost:6016")
     ANTIVIRUS_API_KEY = os.getenv("ANTIVIRUS_API_KEY", "")
 
+    @classmethod
+    def get_sensitive_config(cls) -> list[str]:
+        "List of config keys that contain sensitive information"
+        return [
+            "SECRET_KEY",
+            "AUTH_TOKENS",
+            "ANTIVIRUS_API_KEY",
+        ]
+
+    @classmethod
+    def get_config(cls, sensitive_config: list[str]) -> dict[str, Any]:
+        "Returns a dict of config keys and values"
+        config = {}
+        for attr in dir(cls):
+            attr_value = "***" if attr in sensitive_config else getattr(cls, attr)
+            if not attr.startswith("__") and not callable(attr_value):
+                config[attr] = attr_value
+        return config
+
+    @classmethod
+    def get_safe_config(cls) -> dict[str, Any]:
+        "Returns a dict of config keys and values with sensitive values masked"
+        return cls.get_config(cls.get_sensitive_config())
+
 
 class Test(Config):
     DEBUG = True

pyproject.toml

@@ -21,6 +21,7 @@ python = "~3.12.7"
 aws-xray-sdk = "^2.14.0"
 
 awscli-cwlogs = "1.4.6"
+environs = "^11.2.1"
 Flask = "2.3.3"
 Flask-Env = "2.0.0"
 gevent = "24.2.1"

tests/test_config.py

@@ -0,0 +1,48 @@
+import importlib
+import os
+
+import pytest
+from app import config
+
+
+@pytest.fixture
+def reload_config():
+    """
+    Reset config, by simply re-running config.py from a fresh environment
+    """
+    old_env = os.environ.copy()
+    yield
+    os.environ = old_env
+    importlib.reload(config)
+
+
+def test_get_config(reload_config):
+    config.Config.DOCUMENTS_BUCKET = "test-documents-bucket"
+    config.Config.SCAN_FILES_DOCUMENTS_BUCKET = "test-scan-files-bucket"
+    logged_config = config.Config.get_config([])
+    assert logged_config["DOCUMENTS_BUCKET"] == "test-documents-bucket"
+    assert logged_config["SCAN_FILES_DOCUMENTS_BUCKET"] == "test-scan-files-bucket"
+
+    config.Config.SECRET_KEY = "1234"
+    logged_config = config.Config.get_config(["SECRET_KEY"])
+    assert logged_config["SECRET_KEY"] == "***"
+
+    for key, _ in logged_config.items():
+        assert not key.startswith("__")
+        assert not callable(getattr(config.Config, key))
+
+
+def test_get_safe_config(mocker, reload_config):
+    mock_get_config = mocker.patch("app.config.Config.get_config")
+    mock_get_sensitive_config = mocker.patch("app.config.Config.get_sensitive_config")
+
+    config.Config.get_safe_config()
+    assert mock_get_config.called
+    assert mock_get_sensitive_config.called
+
+
+def get_sensitive_config():
+    sensitive_config = config.Config.get_sensitive_config()
+    assert sensitive_config
+    for key in sensitive_config:
+        assert key