Bug: ScanCode.io does not allow to use TLS for Redis connection

[rogu-beta]

Describe the bug
Currently ScanCode.io does not use TLS when connecting to Redis and does not offer an option to enable it. This is an issue when attempting to deploy ScanCode.io with Redis hosted on a separate system (e.g. a cloud deployment with ElastiCache), unlike the default docker-compose deployment.

The root cause is that ScanCode.io uses django-rq, which disables TLS by default unless specific options are passed.

As can be seen in the following lines, only HOST, PORT, PASSWORD, and DEFAULT_TIMEOUT are being set by ScanCode.io:

scancode.io/scancodeio/settings.py

Lines 357 to 364 in d3e537a

	RQ_QUEUES = {
	"default": {
	"HOST": env.str("SCANCODEIO_REDIS_HOST", default="localhost"),
	"PORT": env.str("SCANCODEIO_REDIS_PORT", default="6379"),
	"PASSWORD": env.str("SCANCODEIO_REDIS_PASSWORD", default=""),
	"DEFAULT_TIMEOUT": env.int("SCANCODEIO_REDIS_DEFAULT_TIMEOUT", default=360),
	},
	}

Without either SSL or URL set to contain rediss:// (two s!), it will not use TLS:
https://github.com/rq/django-rq/blob/cd05d2f427e6bd54ce91f78549f05884fa96753e/django_rq/queues.py#L137

System configuration
Not relevant.

To Reproduce
See above.

Expected behavior
ScanCode.io should provide an option to enable TLS for the REDIS connection.

Screenshots
Not applicable.

[rogu-beta]

The proposed solution would be to add an environment variable like REDIS_USE_TLS that is passed for the SSL option to django-rq.

[dee077]

I would like to pick up this issue as my first contribution to ScanCode.io. I plan to add the following line to the RQ_QUEUES configuration to enable TLS for Redis connections:

RQ_QUEUES = {
    "default": {
        "URL": env.str("SCANCODEIO_REDIS_URL", default="rediss://localhost:6379"),
        "PASSWORD": env.str("SCANCODEIO_REDIS_PASSWORD", default=""),
        "DEFAULT_TIMEOUT": env.int("SCANCODEIO_REDIS_DEFAULT_TIMEOUT", default=360),
    },
}

Add in docker.env

SCANCODEIO_REDIS_URL=rediss://redis:6379

But our redis server does not support TLS, nothing is mentioned regarding TLS in below image.

For moving the whole redis to cloud deployment and then using their url (example url: rediss://example.redis.amazonaws.com) for that server it will work.

But if I add rediss:// (with 2 s) in the current url now then current server's connection will not work, should I make the current redis server TLS enabled? or there is anything else I can do?

and also should I include a test case for this?

[tdruez]

@dee077 Thanks for your enthusiasm about this issue, but we already have a fix on the DejaCode side at aboutcode-org/dejacode#208 that is currently being ported to ScanCode.io

I'm sure you'll find plenty of other issues in this repo that would need your contribution.
Cheers!

[dee077]

Thank you for letting me know! I'll explore other issues in the repository. Looking forward to collaborating! 😊

[tdruez]

Implemented in #1467