feat: add 12-factor compliant configuration with environment variable support

CuriousLearner · CuriousLearner · commit a24319482b60 · 2025-09-28T07:30:44.000+05:30
diff --git a/README.md b/README.md
@@ -774,21 +774,39 @@ python manage.py anon_fix_permissions [--role name | --all]  # Fix role permissi
 
 ### Configuration Settings
 
-```python
-POSTGRES_ANON = {
-    # Core settings
-    'DEFAULT_MASKED_ROLE': 'masked_reader',     # Default role for anonymization
-    'ANONYMIZED_DATA_ROLE': 'masked_reader',    # Role for anonymized_data()
-    'MASKED_GROUP': 'masked_users',             # Django group for middleware
-
-    # Behavior settings
-    'ENABLED': True,                            # Enable anonymization features
-    'AUTO_APPLY_RULES': False,                  # Auto-apply when enabled
-    'VALIDATE_FUNCTIONS': True,                 # Validate function syntax
-    'ALLOW_CUSTOM_FUNCTIONS': False,            # Allow non-anon functions
-    'ENABLE_LOGGING': True,                     # Enable audit logging
-}
-```
+Configuration follows [12-factor app principles](https://12factor.net/config). Settings can be configured via:
+
+1. **Environment variables (recommended for production)**:
+
+   ```bash
+   export POSTGRES_ANON_ENABLED=true
+   export POSTGRES_ANON_DEFAULT_MASKED_ROLE=masked_reader
+   export POSTGRES_ANON_MASKED_GROUP=view_masked_data
+   export POSTGRES_ANON_AUTO_APPLY_RULES=false
+   export POSTGRES_ANON_VALIDATE_FUNCTIONS=true
+   export POSTGRES_ANON_ALLOW_CUSTOM_FUNCTIONS=false
+   export POSTGRES_ANON_ENABLE_LOGGING=true
+   ```
+
+2. **Django settings (for development)**:
+
+   ```python
+   POSTGRES_ANON = {
+       # Core settings
+       'DEFAULT_MASKED_ROLE': 'masked_reader',     # Default role for anonymization
+       'ANONYMIZED_DATA_ROLE': 'masked_reader',    # Role for anonymized_data()
+       'MASKED_GROUP': 'masked_users',             # Django group for middleware
+
+       # Behavior settings
+       'ENABLED': True,                            # Enable anonymization features
+       'AUTO_APPLY_RULES': False,                  # Auto-apply when enabled
+       'VALIDATE_FUNCTIONS': True,                 # Validate function syntax
+       'ALLOW_CUSTOM_FUNCTIONS': False,            # Allow non-anon functions
+       'ENABLE_LOGGING': True,                     # Enable audit logging
+   }
+   ```
+
+**Priority**: Environment variables override Django settings, which override defaults.
 
 ## Documentation
 
diff --git a/django_postgres_anon/config.py b/django_postgres_anon/config.py
@@ -1,5 +1,7 @@
 """Simple configuration helpers for django-postgres-anonymizer"""
 
+import os
+
 from django.conf import settings
 
 
@@ -20,7 +22,39 @@ def get_setting(key: str, default=None):
     "ENABLE_LOGGING": True,
 }
 
+# Environment variable mappings (12-factor compliant)
+ENV_VAR_MAPPING = {
+    "DEFAULT_MASKED_ROLE": "POSTGRES_ANON_DEFAULT_MASKED_ROLE",
+    "MASKED_GROUP": "POSTGRES_ANON_MASKED_GROUP",
+    "ANONYMIZED_DATA_ROLE": "POSTGRES_ANON_ANONYMIZED_DATA_ROLE",
+    "ENABLED": "POSTGRES_ANON_ENABLED",
+    "AUTO_APPLY_RULES": "POSTGRES_ANON_AUTO_APPLY_RULES",
+    "VALIDATE_FUNCTIONS": "POSTGRES_ANON_VALIDATE_FUNCTIONS",
+    "ALLOW_CUSTOM_FUNCTIONS": "POSTGRES_ANON_ALLOW_CUSTOM_FUNCTIONS",
+    "ENABLE_LOGGING": "POSTGRES_ANON_ENABLE_LOGGING",
+}
+
+
+def _parse_env_bool(value: str) -> bool:
+    """Parse environment variable as boolean"""
+    return value.lower() in ("true", "1", "yes", "on")
+
 
 def get_anon_setting(key: str):
-    """Get anonymization setting with built-in default"""
-    return get_setting(key, DEFAULTS.get(key))
+    """Get anonymization setting with built-in default (12-factor compliant)"""
+    # First check environment variables (12-factor principle)
+    env_var = ENV_VAR_MAPPING.get(key)
+    if env_var and env_var in os.environ:
+        env_value = os.environ[env_var]
+        # Handle boolean conversion for known boolean settings
+        if key in ["ENABLED", "AUTO_APPLY_RULES", "VALIDATE_FUNCTIONS", "ALLOW_CUSTOM_FUNCTIONS", "ENABLE_LOGGING"]:
+            return _parse_env_bool(env_value)
+        return env_value
+
+    # Fall back to Django settings
+    django_setting = get_setting(key)
+    if django_setting is not None:
+        return django_setting
+
+    # Finally use default
+    return DEFAULTS.get(key)
