py3: Switch almost all shebang lines to use `python3`.
This causes `upgrade-zulip-from-git`, as well as a no-option run of
`tools/build-release-tarball`, to produce a Zulip install running
Python 3, rather than Python 2. In particular this means that the
virtualenv we create, in which all application code runs, is Python 3.
One shebang line, on `zulip-ec2-configure-interfaces`, explicitly
keeps Python 2, and at least one external ops script, `wal-e`, also
still runs on Python 2. See discussion on the respective previous
commits that made those explicit. There may also be some other
third-party scripts we use, outside of this source tree and running
outside our virtualenv, that still run on Python 2.
2017-08-02 23:15:16 +02:00
|
|
|
#!/usr/bin/env python3
|
2016-07-20 05:45:50 +02:00
|
|
|
# This tools generates /etc/zulip/zulip-secrets.conf
|
2017-01-24 06:36:39 +01:00
|
|
|
import os
|
2020-06-11 00:54:34 +02:00
|
|
|
import sys
|
2019-07-23 23:58:11 +02:00
|
|
|
from typing import Dict, List
|
2016-06-25 17:07:13 +02:00
|
|
|
|
2017-09-22 08:15:01 +02:00
|
|
|
BASE_DIR = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
|
2016-06-25 17:07:13 +02:00
|
|
|
sys.path.append(BASE_DIR)
|
2020-01-08 00:06:39 +01:00
|
|
|
from scripts.lib.setup_path import setup_path
|
|
|
|
|
|
|
|
setup_path()
|
2013-10-25 19:35:24 +02:00
|
|
|
|
|
|
|
os.environ['DJANGO_SETTINGS_MODULE'] = 'zproject.settings'
|
|
|
|
|
2016-10-05 11:13:19 +02:00
|
|
|
import argparse
|
2017-09-27 10:16:35 +02:00
|
|
|
import configparser
|
2020-06-11 00:54:34 +02:00
|
|
|
import uuid
|
2013-10-25 19:35:24 +02:00
|
|
|
|
2013-11-14 14:59:33 +01:00
|
|
|
os.chdir(os.path.join(os.path.dirname(__file__), '..', '..'))
|
|
|
|
|
2017-05-17 07:02:02 +02:00
|
|
|
# Standard, 64-bit tokens
|
|
|
|
AUTOGENERATED_SETTINGS = [
|
|
|
|
'avatar_salt',
|
|
|
|
'rabbitmq_password',
|
|
|
|
'shared_secret',
|
2017-11-02 19:48:29 +01:00
|
|
|
'thumbor_key',
|
2017-05-17 07:02:02 +02:00
|
|
|
]
|
2013-10-25 19:35:24 +02:00
|
|
|
|
2020-04-30 15:40:38 +02:00
|
|
|
def random_string(cnt: int) -> str:
|
2020-04-30 19:44:27 +02:00
|
|
|
# We do in-function imports so that we only do the expensive work
|
|
|
|
# of importing cryptography modules when necessary.
|
|
|
|
#
|
|
|
|
# This helps optimize noop provision performance.
|
2020-04-30 15:40:38 +02:00
|
|
|
from django.utils.crypto import get_random_string
|
2020-04-30 19:44:27 +02:00
|
|
|
|
2020-04-30 15:40:38 +02:00
|
|
|
return get_random_string(cnt)
|
|
|
|
|
2020-04-30 15:23:13 +02:00
|
|
|
def random_token() -> str:
|
2020-04-30 19:44:27 +02:00
|
|
|
# We do in-function imports so that we only do the expensive work
|
|
|
|
# of importing cryptography modules when necessary.
|
|
|
|
#
|
|
|
|
# This helps optimize noop provision performance.
|
2020-09-05 04:02:13 +02:00
|
|
|
import secrets
|
2020-04-30 19:44:27 +02:00
|
|
|
|
2020-09-05 04:02:13 +02:00
|
|
|
return secrets.token_hex(32)
|
2020-04-30 15:23:13 +02:00
|
|
|
|
python: Convert function type annotations to Python 3 style.
Generated by com2ann (slightly patched to avoid also converting
assignment type annotations, which require Python 3.6), followed by
some manual whitespace adjustment, and six fixes for runtime issues:
- def __init__(self, token: Token, parent: Optional[Node]) -> None:
+ def __init__(self, token: Token, parent: "Optional[Node]") -> None:
-def main(options: argparse.Namespace) -> NoReturn:
+def main(options: argparse.Namespace) -> "NoReturn":
-def fetch_request(url: str, callback: Any, **kwargs: Any) -> Generator[Callable[..., Any], Any, None]:
+def fetch_request(url: str, callback: Any, **kwargs: Any) -> "Generator[Callable[..., Any], Any, None]":
-def assert_server_running(server: subprocess.Popen[bytes], log_file: Optional[str]) -> None:
+def assert_server_running(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> None:
-def server_is_up(server: subprocess.Popen[bytes], log_file: Optional[str]) -> bool:
+def server_is_up(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> bool:
- method_kwarg_pairs: List[FuncKwargPair],
+ method_kwarg_pairs: "List[FuncKwargPair]",
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-19 03:48:37 +02:00
|
|
|
def generate_django_secretkey() -> str:
|
2016-07-30 00:29:54 +02:00
|
|
|
"""Secret key generation taken from Django's startproject.py"""
|
2020-04-30 19:44:27 +02:00
|
|
|
|
|
|
|
# We do in-function imports so that we only do the expensive work
|
|
|
|
# of importing cryptography modules when necessary.
|
|
|
|
#
|
|
|
|
# This helps optimize noop provision performance.
|
2020-04-30 15:40:38 +02:00
|
|
|
from django.utils.crypto import get_random_string
|
2020-04-30 19:44:27 +02:00
|
|
|
|
2013-10-25 19:35:24 +02:00
|
|
|
chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
|
|
|
|
return get_random_string(50, chars)
|
|
|
|
|
python: Convert function type annotations to Python 3 style.
Generated by com2ann (slightly patched to avoid also converting
assignment type annotations, which require Python 3.6), followed by
some manual whitespace adjustment, and six fixes for runtime issues:
- def __init__(self, token: Token, parent: Optional[Node]) -> None:
+ def __init__(self, token: Token, parent: "Optional[Node]") -> None:
-def main(options: argparse.Namespace) -> NoReturn:
+def main(options: argparse.Namespace) -> "NoReturn":
-def fetch_request(url: str, callback: Any, **kwargs: Any) -> Generator[Callable[..., Any], Any, None]:
+def fetch_request(url: str, callback: Any, **kwargs: Any) -> "Generator[Callable[..., Any], Any, None]":
-def assert_server_running(server: subprocess.Popen[bytes], log_file: Optional[str]) -> None:
+def assert_server_running(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> None:
-def server_is_up(server: subprocess.Popen[bytes], log_file: Optional[str]) -> bool:
+def server_is_up(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> bool:
- method_kwarg_pairs: List[FuncKwargPair],
+ method_kwarg_pairs: "List[FuncKwargPair]",
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-19 03:48:37 +02:00
|
|
|
def get_old_conf(output_filename: str) -> Dict[str, str]:
|
2018-05-07 07:12:32 +02:00
|
|
|
if not os.path.exists(output_filename) or os.path.getsize(output_filename) == 0:
|
2016-06-20 14:00:27 +02:00
|
|
|
return {}
|
|
|
|
|
2017-09-27 10:16:35 +02:00
|
|
|
secrets_file = configparser.RawConfigParser()
|
2017-05-17 09:05:57 +02:00
|
|
|
secrets_file.read(output_filename)
|
2016-06-20 14:00:27 +02:00
|
|
|
|
2017-08-25 20:01:20 +02:00
|
|
|
return dict(secrets_file.items("secrets"))
|
2016-06-20 14:00:27 +02:00
|
|
|
|
python: Convert function type annotations to Python 3 style.
Generated by com2ann (slightly patched to avoid also converting
assignment type annotations, which require Python 3.6), followed by
some manual whitespace adjustment, and six fixes for runtime issues:
- def __init__(self, token: Token, parent: Optional[Node]) -> None:
+ def __init__(self, token: Token, parent: "Optional[Node]") -> None:
-def main(options: argparse.Namespace) -> NoReturn:
+def main(options: argparse.Namespace) -> "NoReturn":
-def fetch_request(url: str, callback: Any, **kwargs: Any) -> Generator[Callable[..., Any], Any, None]:
+def fetch_request(url: str, callback: Any, **kwargs: Any) -> "Generator[Callable[..., Any], Any, None]":
-def assert_server_running(server: subprocess.Popen[bytes], log_file: Optional[str]) -> None:
+def assert_server_running(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> None:
-def server_is_up(server: subprocess.Popen[bytes], log_file: Optional[str]) -> bool:
+def server_is_up(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> bool:
- method_kwarg_pairs: List[FuncKwargPair],
+ method_kwarg_pairs: "List[FuncKwargPair]",
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-19 03:48:37 +02:00
|
|
|
def generate_secrets(development: bool = False) -> None:
|
2015-08-21 01:46:52 +02:00
|
|
|
if development:
|
|
|
|
OUTPUT_SETTINGS_FILENAME = "zproject/dev-secrets.conf"
|
|
|
|
else:
|
|
|
|
OUTPUT_SETTINGS_FILENAME = "/etc/zulip/zulip-secrets.conf"
|
2017-05-17 07:02:24 +02:00
|
|
|
current_conf = get_old_conf(OUTPUT_SETTINGS_FILENAME)
|
2015-08-21 01:46:52 +02:00
|
|
|
|
2020-04-22 01:09:50 +02:00
|
|
|
lines: List[str] = []
|
2017-05-17 07:02:24 +02:00
|
|
|
if len(current_conf) == 0:
|
2017-11-04 05:19:06 +01:00
|
|
|
lines = ['[secrets]\n']
|
2015-08-20 08:15:21 +02:00
|
|
|
|
python: Convert function type annotations to Python 3 style.
Generated by com2ann (slightly patched to avoid also converting
assignment type annotations, which require Python 3.6), followed by
some manual whitespace adjustment, and six fixes for runtime issues:
- def __init__(self, token: Token, parent: Optional[Node]) -> None:
+ def __init__(self, token: Token, parent: "Optional[Node]") -> None:
-def main(options: argparse.Namespace) -> NoReturn:
+def main(options: argparse.Namespace) -> "NoReturn":
-def fetch_request(url: str, callback: Any, **kwargs: Any) -> Generator[Callable[..., Any], Any, None]:
+def fetch_request(url: str, callback: Any, **kwargs: Any) -> "Generator[Callable[..., Any], Any, None]":
-def assert_server_running(server: subprocess.Popen[bytes], log_file: Optional[str]) -> None:
+def assert_server_running(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> None:
-def server_is_up(server: subprocess.Popen[bytes], log_file: Optional[str]) -> bool:
+def server_is_up(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> bool:
- method_kwarg_pairs: List[FuncKwargPair],
+ method_kwarg_pairs: "List[FuncKwargPair]",
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-19 03:48:37 +02:00
|
|
|
def need_secret(name: str) -> bool:
|
2017-05-17 07:02:24 +02:00
|
|
|
return name not in current_conf
|
2015-08-20 08:15:21 +02:00
|
|
|
|
python: Convert function type annotations to Python 3 style.
Generated by com2ann (slightly patched to avoid also converting
assignment type annotations, which require Python 3.6), followed by
some manual whitespace adjustment, and six fixes for runtime issues:
- def __init__(self, token: Token, parent: Optional[Node]) -> None:
+ def __init__(self, token: Token, parent: "Optional[Node]") -> None:
-def main(options: argparse.Namespace) -> NoReturn:
+def main(options: argparse.Namespace) -> "NoReturn":
-def fetch_request(url: str, callback: Any, **kwargs: Any) -> Generator[Callable[..., Any], Any, None]:
+def fetch_request(url: str, callback: Any, **kwargs: Any) -> "Generator[Callable[..., Any], Any, None]":
-def assert_server_running(server: subprocess.Popen[bytes], log_file: Optional[str]) -> None:
+def assert_server_running(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> None:
-def server_is_up(server: subprocess.Popen[bytes], log_file: Optional[str]) -> bool:
+def server_is_up(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> bool:
- method_kwarg_pairs: List[FuncKwargPair],
+ method_kwarg_pairs: "List[FuncKwargPair]",
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-19 03:48:37 +02:00
|
|
|
def add_secret(name: str, value: str) -> None:
|
2020-06-10 06:41:04 +02:00
|
|
|
lines.append(f"{name} = {value}\n")
|
2017-05-17 07:02:24 +02:00
|
|
|
current_conf[name] = value
|
2016-06-20 14:00:27 +02:00
|
|
|
|
2017-05-17 07:02:24 +02:00
|
|
|
for name in AUTOGENERATED_SETTINGS:
|
|
|
|
if need_secret(name):
|
2020-04-30 15:23:13 +02:00
|
|
|
add_secret(name, random_token())
|
2015-08-20 08:15:21 +02:00
|
|
|
|
2020-08-11 01:47:44 +02:00
|
|
|
# These secrets are exclusive to a Zulip development environment.
|
2020-10-26 22:27:53 +01:00
|
|
|
# We use PostgreSQL peer authentication by default in production,
|
2020-04-30 19:44:27 +02:00
|
|
|
# and initial_password_salt is used to generate passwords for the
|
|
|
|
# test/development database users. See `manage.py
|
|
|
|
# print_initial_password`.
|
2019-12-10 02:50:53 +01:00
|
|
|
if development and need_secret("initial_password_salt"):
|
2020-04-30 15:23:13 +02:00
|
|
|
add_secret("initial_password_salt", random_token())
|
2019-12-05 05:48:29 +01:00
|
|
|
if development and need_secret("local_database_password"):
|
2020-04-30 15:23:13 +02:00
|
|
|
add_secret("local_database_password", random_token())
|
2019-12-05 05:48:29 +01:00
|
|
|
|
2020-04-30 19:44:27 +02:00
|
|
|
# The core Django SECRET_KEY setting, used by Django internally to
|
|
|
|
# secure sessions. If this gets changed, all users will be logged out.
|
2017-05-17 07:02:24 +02:00
|
|
|
if need_secret('secret_key'):
|
2020-01-04 04:50:52 +01:00
|
|
|
secret_key = generate_django_secretkey()
|
|
|
|
add_secret('secret_key', secret_key)
|
|
|
|
# To prevent Django ImproperlyConfigured error
|
2020-04-30 15:34:31 +02:00
|
|
|
from zproject import settings
|
2020-01-04 04:50:52 +01:00
|
|
|
settings.SECRET_KEY = secret_key
|
2016-06-20 14:00:27 +02:00
|
|
|
|
2020-04-30 19:44:27 +02:00
|
|
|
# Secret key for the Camo HTTPS proxy.
|
2017-05-17 07:02:24 +02:00
|
|
|
if need_secret('camo_key'):
|
2020-04-30 15:40:38 +02:00
|
|
|
add_secret('camo_key', random_string(64))
|
2016-10-28 00:04:05 +02:00
|
|
|
|
2020-04-30 15:34:31 +02:00
|
|
|
if not development:
|
2020-04-30 19:44:27 +02:00
|
|
|
# The memcached_password and redis_password secrets are only
|
|
|
|
# required/relevant in production.
|
|
|
|
|
|
|
|
# Password for authentication to memcached.
|
2020-04-30 15:34:31 +02:00
|
|
|
if need_secret("memcached_password"):
|
2020-04-30 19:44:27 +02:00
|
|
|
# We defer importing settings unless we need it, because
|
|
|
|
# importing settings is expensive (mostly because of
|
|
|
|
# django-auth-ldap) and we want the noop case to be fast.
|
2020-04-30 15:34:31 +02:00
|
|
|
from zproject import settings
|
|
|
|
|
|
|
|
if settings.MEMCACHED_LOCATION == "127.0.0.1:11211":
|
|
|
|
add_secret("memcached_password", random_token())
|
|
|
|
|
2020-10-23 02:43:28 +02:00
|
|
|
# Password for authentication to Redis.
|
2020-04-30 15:34:31 +02:00
|
|
|
if need_secret("redis_password"):
|
2020-04-30 19:44:27 +02:00
|
|
|
# We defer importing settings unless we need it, because
|
|
|
|
# importing settings is expensive (mostly because of
|
|
|
|
# django-auth-ldap) and we want the noop case to be fast.
|
2020-04-30 15:34:31 +02:00
|
|
|
from zproject import settings
|
|
|
|
|
|
|
|
if settings.REDIS_HOST == "127.0.0.1":
|
|
|
|
# To prevent Puppet from restarting Redis, which would lose
|
|
|
|
# data because we configured Redis to disable persistence, set
|
|
|
|
# the Redis password on the running server and edit the config
|
|
|
|
# file directly.
|
|
|
|
|
|
|
|
import redis
|
2020-06-11 00:54:34 +02:00
|
|
|
|
2020-04-30 15:34:31 +02:00
|
|
|
from zerver.lib.redis_utils import get_redis_client
|
|
|
|
|
|
|
|
redis_password = random_token()
|
|
|
|
|
|
|
|
for filename in ["/etc/redis/zuli-redis.conf", "/etc/redis/zulip-redis.conf"]:
|
|
|
|
if os.path.exists(filename):
|
|
|
|
with open(filename, "a") as f:
|
|
|
|
f.write(
|
|
|
|
"# Set a Redis password based on zulip-secrets.conf\n"
|
2020-06-14 02:57:50 +02:00
|
|
|
f"requirepass '{redis_password}'\n",
|
2020-04-30 15:34:31 +02:00
|
|
|
)
|
|
|
|
break
|
|
|
|
|
|
|
|
try:
|
|
|
|
get_redis_client().config_set("requirepass", redis_password)
|
|
|
|
except redis.exceptions.ConnectionError:
|
|
|
|
pass
|
|
|
|
|
|
|
|
add_secret("redis_password", redis_password)
|
2020-01-04 04:50:52 +01:00
|
|
|
|
2020-04-30 19:44:27 +02:00
|
|
|
# Random id and secret used to identify this installation when
|
|
|
|
# accessing the Zulip mobile push notifications service.
|
|
|
|
# * zulip_org_key is generated using os.urandom().
|
|
|
|
# * zulip_org_id only needs to be unique, so we use a UUID.
|
2017-05-17 07:02:24 +02:00
|
|
|
if need_secret('zulip_org_key'):
|
2020-04-30 15:40:38 +02:00
|
|
|
add_secret('zulip_org_key', random_string(64))
|
2017-05-17 07:02:24 +02:00
|
|
|
if need_secret('zulip_org_id'):
|
|
|
|
add_secret('zulip_org_id', str(uuid.uuid4()))
|
2016-10-28 00:04:05 +02:00
|
|
|
|
2017-05-17 07:02:24 +02:00
|
|
|
if len(lines) == 0:
|
|
|
|
print("generate_secrets: No new secrets to generate.")
|
|
|
|
return
|
2015-08-20 08:15:21 +02:00
|
|
|
|
2019-07-14 21:37:08 +02:00
|
|
|
with open(OUTPUT_SETTINGS_FILENAME, 'a') as f:
|
|
|
|
# Write a newline at the start, in case there was no newline at
|
|
|
|
# the end of the file due to human editing.
|
|
|
|
f.write("\n" + "".join(lines))
|
2013-10-25 19:35:24 +02:00
|
|
|
|
2020-06-10 06:41:04 +02:00
|
|
|
print(f"Generated new secrets in {OUTPUT_SETTINGS_FILENAME}.")
|
2015-08-20 08:15:21 +02:00
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
|
2016-10-05 11:13:19 +02:00
|
|
|
parser = argparse.ArgumentParser()
|
|
|
|
group = parser.add_mutually_exclusive_group(required=True)
|
2020-09-02 04:49:02 +02:00
|
|
|
group.add_argument('--development', action='store_true',
|
2017-10-27 02:31:10 +02:00
|
|
|
help='For setting up the developer env for zulip')
|
|
|
|
group.add_argument('--production', action='store_false', dest='development',
|
|
|
|
help='For setting up the production env for zulip')
|
2016-10-05 11:13:19 +02:00
|
|
|
results = parser.parse_args()
|
2015-08-20 08:15:21 +02:00
|
|
|
|
2016-10-05 11:13:19 +02:00
|
|
|
generate_secrets(results.development)
|