py3: Switch almost all shebang lines to use `python3`.
This causes `upgrade-zulip-from-git`, as well as a no-option run of
`tools/build-release-tarball`, to produce a Zulip install running
Python 3, rather than Python 2. In particular this means that the
virtualenv we create, in which all application code runs, is Python 3.
One shebang line, on `zulip-ec2-configure-interfaces`, explicitly
keeps Python 2, and at least one external ops script, `wal-e`, also
still runs on Python 2. See discussion on the respective previous
commits that made those explicit. There may also be some other
third-party scripts we use, outside of this source tree and running
outside our virtualenv, that still run on Python 2.
2017-08-02 23:15:16 +02:00
|
|
|
#!/usr/bin/env python3
|
2016-07-20 05:45:50 +02:00
|
|
|
# This tools generates /etc/zulip/zulip-secrets.conf
|
2013-10-25 19:35:24 +02:00
|
|
|
|
2017-01-24 06:36:39 +01:00
|
|
|
import sys
|
|
|
|
import os
|
2019-07-23 23:58:11 +02:00
|
|
|
|
|
|
|
from typing import Dict, List
|
2016-06-25 17:07:13 +02:00
|
|
|
|
2017-09-22 08:15:01 +02:00
|
|
|
BASE_DIR = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
|
2016-06-25 17:07:13 +02:00
|
|
|
sys.path.append(BASE_DIR)
|
2020-01-08 00:06:39 +01:00
|
|
|
from scripts.lib.setup_path import setup_path
|
|
|
|
|
|
|
|
setup_path()
|
2013-10-25 19:35:24 +02:00
|
|
|
|
|
|
|
os.environ['DJANGO_SETTINGS_MODULE'] = 'zproject.settings'
|
|
|
|
|
|
|
|
from django.utils.crypto import get_random_string
|
2016-10-05 11:13:19 +02:00
|
|
|
import argparse
|
2016-10-28 00:04:05 +02:00
|
|
|
import uuid
|
2017-09-27 10:16:35 +02:00
|
|
|
import configparser
|
2013-10-25 19:35:24 +02:00
|
|
|
from zerver.lib.utils import generate_random_token
|
2020-01-03 01:30:40 +01:00
|
|
|
from zproject import settings
|
2013-10-25 19:35:24 +02:00
|
|
|
|
2013-11-14 14:59:33 +01:00
|
|
|
os.chdir(os.path.join(os.path.dirname(__file__), '..', '..'))
|
|
|
|
|
2017-05-17 07:02:02 +02:00
|
|
|
# Standard, 64-bit tokens
|
|
|
|
AUTOGENERATED_SETTINGS = [
|
|
|
|
'avatar_salt',
|
|
|
|
'rabbitmq_password',
|
|
|
|
'shared_secret',
|
2017-11-02 19:48:29 +01:00
|
|
|
'thumbor_key',
|
2017-05-17 07:02:02 +02:00
|
|
|
]
|
2013-10-25 19:35:24 +02:00
|
|
|
|
python: Convert function type annotations to Python 3 style.
Generated by com2ann (slightly patched to avoid also converting
assignment type annotations, which require Python 3.6), followed by
some manual whitespace adjustment, and six fixes for runtime issues:
- def __init__(self, token: Token, parent: Optional[Node]) -> None:
+ def __init__(self, token: Token, parent: "Optional[Node]") -> None:
-def main(options: argparse.Namespace) -> NoReturn:
+def main(options: argparse.Namespace) -> "NoReturn":
-def fetch_request(url: str, callback: Any, **kwargs: Any) -> Generator[Callable[..., Any], Any, None]:
+def fetch_request(url: str, callback: Any, **kwargs: Any) -> "Generator[Callable[..., Any], Any, None]":
-def assert_server_running(server: subprocess.Popen[bytes], log_file: Optional[str]) -> None:
+def assert_server_running(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> None:
-def server_is_up(server: subprocess.Popen[bytes], log_file: Optional[str]) -> bool:
+def server_is_up(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> bool:
- method_kwarg_pairs: List[FuncKwargPair],
+ method_kwarg_pairs: "List[FuncKwargPair]",
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-19 03:48:37 +02:00
|
|
|
def generate_django_secretkey() -> str:
|
2016-07-30 00:29:54 +02:00
|
|
|
"""Secret key generation taken from Django's startproject.py"""
|
2013-10-25 19:35:24 +02:00
|
|
|
chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
|
|
|
|
return get_random_string(50, chars)
|
|
|
|
|
python: Convert function type annotations to Python 3 style.
Generated by com2ann (slightly patched to avoid also converting
assignment type annotations, which require Python 3.6), followed by
some manual whitespace adjustment, and six fixes for runtime issues:
- def __init__(self, token: Token, parent: Optional[Node]) -> None:
+ def __init__(self, token: Token, parent: "Optional[Node]") -> None:
-def main(options: argparse.Namespace) -> NoReturn:
+def main(options: argparse.Namespace) -> "NoReturn":
-def fetch_request(url: str, callback: Any, **kwargs: Any) -> Generator[Callable[..., Any], Any, None]:
+def fetch_request(url: str, callback: Any, **kwargs: Any) -> "Generator[Callable[..., Any], Any, None]":
-def assert_server_running(server: subprocess.Popen[bytes], log_file: Optional[str]) -> None:
+def assert_server_running(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> None:
-def server_is_up(server: subprocess.Popen[bytes], log_file: Optional[str]) -> bool:
+def server_is_up(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> bool:
- method_kwarg_pairs: List[FuncKwargPair],
+ method_kwarg_pairs: "List[FuncKwargPair]",
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-19 03:48:37 +02:00
|
|
|
def get_old_conf(output_filename: str) -> Dict[str, str]:
|
2018-05-07 07:12:32 +02:00
|
|
|
if not os.path.exists(output_filename) or os.path.getsize(output_filename) == 0:
|
2016-06-20 14:00:27 +02:00
|
|
|
return {}
|
|
|
|
|
2017-09-27 10:16:35 +02:00
|
|
|
secrets_file = configparser.RawConfigParser()
|
2017-05-17 09:05:57 +02:00
|
|
|
secrets_file.read(output_filename)
|
2016-06-20 14:00:27 +02:00
|
|
|
|
2017-08-25 20:01:20 +02:00
|
|
|
return dict(secrets_file.items("secrets"))
|
2016-06-20 14:00:27 +02:00
|
|
|
|
python: Convert function type annotations to Python 3 style.
Generated by com2ann (slightly patched to avoid also converting
assignment type annotations, which require Python 3.6), followed by
some manual whitespace adjustment, and six fixes for runtime issues:
- def __init__(self, token: Token, parent: Optional[Node]) -> None:
+ def __init__(self, token: Token, parent: "Optional[Node]") -> None:
-def main(options: argparse.Namespace) -> NoReturn:
+def main(options: argparse.Namespace) -> "NoReturn":
-def fetch_request(url: str, callback: Any, **kwargs: Any) -> Generator[Callable[..., Any], Any, None]:
+def fetch_request(url: str, callback: Any, **kwargs: Any) -> "Generator[Callable[..., Any], Any, None]":
-def assert_server_running(server: subprocess.Popen[bytes], log_file: Optional[str]) -> None:
+def assert_server_running(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> None:
-def server_is_up(server: subprocess.Popen[bytes], log_file: Optional[str]) -> bool:
+def server_is_up(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> bool:
- method_kwarg_pairs: List[FuncKwargPair],
+ method_kwarg_pairs: "List[FuncKwargPair]",
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-19 03:48:37 +02:00
|
|
|
def generate_secrets(development: bool = False) -> None:
|
2015-08-21 01:46:52 +02:00
|
|
|
if development:
|
|
|
|
OUTPUT_SETTINGS_FILENAME = "zproject/dev-secrets.conf"
|
|
|
|
else:
|
|
|
|
OUTPUT_SETTINGS_FILENAME = "/etc/zulip/zulip-secrets.conf"
|
2017-05-17 07:02:24 +02:00
|
|
|
current_conf = get_old_conf(OUTPUT_SETTINGS_FILENAME)
|
2015-08-21 01:46:52 +02:00
|
|
|
|
2018-05-10 18:54:59 +02:00
|
|
|
lines = [] # type: List[str]
|
2017-05-17 07:02:24 +02:00
|
|
|
if len(current_conf) == 0:
|
2017-11-04 05:19:06 +01:00
|
|
|
lines = ['[secrets]\n']
|
2015-08-20 08:15:21 +02:00
|
|
|
|
python: Convert function type annotations to Python 3 style.
Generated by com2ann (slightly patched to avoid also converting
assignment type annotations, which require Python 3.6), followed by
some manual whitespace adjustment, and six fixes for runtime issues:
- def __init__(self, token: Token, parent: Optional[Node]) -> None:
+ def __init__(self, token: Token, parent: "Optional[Node]") -> None:
-def main(options: argparse.Namespace) -> NoReturn:
+def main(options: argparse.Namespace) -> "NoReturn":
-def fetch_request(url: str, callback: Any, **kwargs: Any) -> Generator[Callable[..., Any], Any, None]:
+def fetch_request(url: str, callback: Any, **kwargs: Any) -> "Generator[Callable[..., Any], Any, None]":
-def assert_server_running(server: subprocess.Popen[bytes], log_file: Optional[str]) -> None:
+def assert_server_running(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> None:
-def server_is_up(server: subprocess.Popen[bytes], log_file: Optional[str]) -> bool:
+def server_is_up(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> bool:
- method_kwarg_pairs: List[FuncKwargPair],
+ method_kwarg_pairs: "List[FuncKwargPair]",
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-19 03:48:37 +02:00
|
|
|
def need_secret(name: str) -> bool:
|
2017-05-17 07:02:24 +02:00
|
|
|
return name not in current_conf
|
2015-08-20 08:15:21 +02:00
|
|
|
|
python: Convert function type annotations to Python 3 style.
Generated by com2ann (slightly patched to avoid also converting
assignment type annotations, which require Python 3.6), followed by
some manual whitespace adjustment, and six fixes for runtime issues:
- def __init__(self, token: Token, parent: Optional[Node]) -> None:
+ def __init__(self, token: Token, parent: "Optional[Node]") -> None:
-def main(options: argparse.Namespace) -> NoReturn:
+def main(options: argparse.Namespace) -> "NoReturn":
-def fetch_request(url: str, callback: Any, **kwargs: Any) -> Generator[Callable[..., Any], Any, None]:
+def fetch_request(url: str, callback: Any, **kwargs: Any) -> "Generator[Callable[..., Any], Any, None]":
-def assert_server_running(server: subprocess.Popen[bytes], log_file: Optional[str]) -> None:
+def assert_server_running(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> None:
-def server_is_up(server: subprocess.Popen[bytes], log_file: Optional[str]) -> bool:
+def server_is_up(server: "subprocess.Popen[bytes]", log_file: Optional[str]) -> bool:
- method_kwarg_pairs: List[FuncKwargPair],
+ method_kwarg_pairs: "List[FuncKwargPair]",
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-19 03:48:37 +02:00
|
|
|
def add_secret(name: str, value: str) -> None:
|
2017-05-17 07:02:24 +02:00
|
|
|
lines.append("%s = %s\n" % (name, value))
|
|
|
|
current_conf[name] = value
|
2016-06-20 14:00:27 +02:00
|
|
|
|
2017-05-17 07:02:24 +02:00
|
|
|
for name in AUTOGENERATED_SETTINGS:
|
|
|
|
if need_secret(name):
|
|
|
|
add_secret(name, generate_random_token(64))
|
2015-08-20 08:15:21 +02:00
|
|
|
|
2019-12-10 02:50:53 +01:00
|
|
|
if development and need_secret("initial_password_salt"):
|
|
|
|
add_secret("initial_password_salt", generate_random_token(64))
|
2019-12-05 05:48:29 +01:00
|
|
|
if development and need_secret("local_database_password"):
|
|
|
|
add_secret("local_database_password", generate_random_token(64))
|
|
|
|
|
2017-05-17 07:02:24 +02:00
|
|
|
if need_secret('secret_key'):
|
2020-01-04 04:50:52 +01:00
|
|
|
secret_key = generate_django_secretkey()
|
|
|
|
add_secret('secret_key', secret_key)
|
|
|
|
# To prevent Django ImproperlyConfigured error
|
|
|
|
settings.SECRET_KEY = secret_key
|
2016-06-20 14:00:27 +02:00
|
|
|
|
2017-05-17 07:02:24 +02:00
|
|
|
if need_secret('camo_key'):
|
|
|
|
add_secret('camo_key', get_random_string(64))
|
2016-10-28 00:04:05 +02:00
|
|
|
|
2020-01-03 01:30:40 +01:00
|
|
|
if (
|
|
|
|
not development
|
|
|
|
and settings.MEMCACHED_LOCATION == "127.0.0.1:11211"
|
|
|
|
and need_secret("memcached_password")
|
|
|
|
):
|
|
|
|
add_secret("memcached_password", generate_random_token(64))
|
|
|
|
|
2020-01-04 04:50:52 +01:00
|
|
|
if (
|
|
|
|
not development
|
|
|
|
and settings.REDIS_HOST == "127.0.0.1"
|
|
|
|
and need_secret("redis_password")
|
|
|
|
):
|
|
|
|
# To prevent Puppet from restarting Redis, which would lose
|
|
|
|
# data because we configured Redis to disable persistence, set
|
|
|
|
# the Redis password on the running server and edit the config
|
|
|
|
# file directly.
|
|
|
|
|
|
|
|
import redis
|
|
|
|
from zerver.lib.redis_utils import get_redis_client
|
|
|
|
|
|
|
|
redis_password = generate_random_token(64)
|
|
|
|
|
|
|
|
for filename in ["/etc/redis/zuli-redis.conf", "/etc/redis/zulip-redis.conf"]:
|
|
|
|
if os.path.exists(filename):
|
|
|
|
with open(filename, "a") as f:
|
|
|
|
f.write(
|
|
|
|
"# Set a Redis password based on zulip-secrets.conf\n"
|
|
|
|
"requirepass '%s'\n" % (redis_password,)
|
|
|
|
)
|
|
|
|
break
|
|
|
|
|
|
|
|
try:
|
|
|
|
get_redis_client().config_set("requirepass", redis_password)
|
|
|
|
except redis.exceptions.ConnectionError:
|
|
|
|
pass
|
|
|
|
|
|
|
|
add_secret("redis_password", redis_password)
|
|
|
|
|
2017-07-11 21:12:08 +02:00
|
|
|
# zulip_org_key is generated using os.urandom().
|
|
|
|
# zulip_org_id does not require a secure CPRNG,
|
|
|
|
# it only needs to be unique.
|
2017-05-17 07:02:24 +02:00
|
|
|
if need_secret('zulip_org_key'):
|
|
|
|
add_secret('zulip_org_key', get_random_string(64))
|
|
|
|
if need_secret('zulip_org_id'):
|
|
|
|
add_secret('zulip_org_id', str(uuid.uuid4()))
|
2016-10-28 00:04:05 +02:00
|
|
|
|
2017-05-17 07:02:24 +02:00
|
|
|
if len(lines) == 0:
|
|
|
|
print("generate_secrets: No new secrets to generate.")
|
|
|
|
return
|
2015-08-20 08:15:21 +02:00
|
|
|
|
2019-07-14 21:37:08 +02:00
|
|
|
with open(OUTPUT_SETTINGS_FILENAME, 'a') as f:
|
|
|
|
# Write a newline at the start, in case there was no newline at
|
|
|
|
# the end of the file due to human editing.
|
|
|
|
f.write("\n" + "".join(lines))
|
2013-10-25 19:35:24 +02:00
|
|
|
|
2017-05-17 07:02:24 +02:00
|
|
|
print("Generated new secrets in %s." % (OUTPUT_SETTINGS_FILENAME,))
|
2015-08-20 08:15:21 +02:00
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
|
2016-10-05 11:13:19 +02:00
|
|
|
parser = argparse.ArgumentParser()
|
|
|
|
group = parser.add_mutually_exclusive_group(required=True)
|
2017-10-27 02:31:10 +02:00
|
|
|
group.add_argument('--development', action='store_true', dest='development',
|
|
|
|
help='For setting up the developer env for zulip')
|
|
|
|
group.add_argument('--production', action='store_false', dest='development',
|
|
|
|
help='For setting up the production env for zulip')
|
2016-10-05 11:13:19 +02:00
|
|
|
results = parser.parse_args()
|
2015-08-20 08:15:21 +02:00
|
|
|
|
2016-10-05 11:13:19 +02:00
|
|
|
generate_secrets(results.development)
|