Auto-generate dev-secrets file.
Source LOCAL_DATABASE_PASSWORD and INITIAL_PASSWORD_SALT from the secrets file. Fix the creation of pgpass file. Tim's note: This will definitely break the original purpose of the tool but it should be pretty easy to add that back as an option. (imported from commit 8ab31ea2b7cbc80a4ad2e843a2529313fad8f5cf)
This commit is contained in:
parent
86278804c9
commit
0a20f168a7
|
@ -112,6 +112,7 @@ with sh.sudo:
|
||||||
# Management commands expect to be run from the root of the project.
|
# Management commands expect to be run from the root of the project.
|
||||||
os.chdir(ZULIP_PATH)
|
os.chdir(ZULIP_PATH)
|
||||||
|
|
||||||
|
os.system("generate_enterprise_secrets.py -d")
|
||||||
sh.configure_rabbitmq()
|
sh.configure_rabbitmq()
|
||||||
sh.postgres_init_db()
|
sh.postgres_init_db()
|
||||||
sh.do_destroy_rebuild_database()
|
sh.do_destroy_rebuild_database()
|
||||||
|
|
|
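Review bot: The exit status of `os.system("generate_enterprise_secrets.py -d")` is discarded, so if secret generation fails (script not found on PATH, write error in the repository checkout) provisioning carries on into `sh.postgres_init_db()` and the later steps that, per the commit message, now read the database password from that file. A checked call such as `subprocess.check_call(["generate_enterprise_secrets.py", "-d"])` stops at the first failure; if `subprocess` is not already imported in this script, testing the return value (`if os.system("generate_enterprise_secrets.py -d") != 0: sys.exit(1)`) is the minimal alternative. The line sits inside the `with sh.sudo:` block, which starts outside the hunk and presumably runs elevated, so it is also worth confirming that the generated secrets file ends up owned by and readable to the development user rather than only by root.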
@ -11,14 +11,14 @@ from zerver.lib.utils import generate_random_token
|
||||||
|
|
||||||
os.chdir(os.path.join(os.path.dirname(__file__), '..', '..'))
|
os.chdir(os.path.join(os.path.dirname(__file__), '..', '..'))
|
||||||
|
|
||||||
SETTINGS_FILENAME = "zproject/local_settings_template.py"
|
OUTPUT_SETTINGS_FILENAME = "zproject/dev-secrets.conf"
|
||||||
OUTPUT_SETTINGS_FILENAME = "zproject/local_settings_generated.py"
|
|
||||||
CAMO_CONFIG_FILENAME = '/etc/default/camo'
|
CAMO_CONFIG_FILENAME = '/etc/default/camo'
|
||||||
|
|
||||||
if not os.path.exists(SETTINGS_FILENAME):
|
AUTOGENERATED_SETTINGS = ['shared_secret', 'avatar_salt', 'rabbitmq_password', 'local_database_password',
|
||||||
print "Unable to find settings file at %s" % (SETTINGS_FILENAME,)
|
'initial_password_salt']
|
||||||
|
|
||||||
AUTOGENERATED_SETTINGS = ['SHARED_SECRET', 'AVATAR_SALT', 'RABBITMQ_PASSWORD']
|
EMPTY_SETTINGS = ['deployment_role_key', 'mandrill_api_key', 'mailchimp_api_key', 'email_password', 's3_key', 's3_secret_key',
|
||||||
|
'google_oauth2_client_secret', 'dev_google_oauth2_client_secret']
|
||||||
|
|
||||||
def generate_camo_config_file(camo_key):
|
def generate_camo_config_file(camo_key):
|
||||||
camo_config = """ENABLED=yes
|
camo_config = """ENABLED=yes
|
||||||
|
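Review bot: `AUTOGENERATED_SETTINGS` and `EMPTY_SETTINGS` carry no comment and are not the full picture of what the generator writes, since `secret_key` and `camo_key` are produced separately inside `generate_secrets`; someone extending these lists cannot tell from them what the output file will contain or why the two groups differ. A comment above the first list, `# Options written with a fresh random token; secret_key and camo_key are generated separately in generate_secrets().`, and above the second, `# Options written with an empty value for the developer to fill in (third-party credentials).`, would fix that. It would also help to note next to `OUTPUT_SETTINGS_FILENAME` that, unlike the previous `local_settings_generated.py`, this appears to be the live `[secrets]` file the settings read rather than a template, so it should not be committed.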
@ -34,30 +34,37 @@ def generate_django_secretkey():
|
||||||
chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
|
chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
|
||||||
return get_random_string(50, chars)
|
return get_random_string(50, chars)
|
||||||
|
|
||||||
if __name__ == '__main__':
|
def generate_secrets(development=False):
|
||||||
f = open(SETTINGS_FILENAME, 'r')
|
lines = ['[secrets]\n']
|
||||||
lines = f.readlines()
|
|
||||||
|
|
||||||
for idx, line in enumerate(lines):
|
|
||||||
parts = [part.strip() for part in line.split('=')]
|
|
||||||
if len(parts) != 2:
|
|
||||||
continue
|
|
||||||
|
|
||||||
def config_line(var, value):
|
def config_line(var, value):
|
||||||
return "%s = '%s'\n" % (var, value)
|
return "%s = %s\n" % (var, value)
|
||||||
|
|
||||||
if parts[0] in AUTOGENERATED_SETTINGS:
|
for name in AUTOGENERATED_SETTINGS:
|
||||||
lines[idx] = config_line(parts[0], generate_random_token(64))
|
lines.append(config_line(name, generate_random_token(64)))
|
||||||
elif parts[0] == 'SECRET_KEY':
|
|
||||||
lines[idx] = config_line("SECRET_KEY", generate_django_secretkey())
|
lines.append(config_line('secret_key', generate_django_secretkey()))
|
||||||
elif parts[0] == 'CAMO_KEY':
|
|
||||||
camo_key = get_random_string(64)
|
camo_key = get_random_string(64)
|
||||||
lines[idx] = config_line(parts[0], camo_key)
|
lines.append(config_line('camo_key', camo_key))
|
||||||
|
if not development:
|
||||||
# Write the Camo config file directly
|
# Write the Camo config file directly
|
||||||
generate_camo_config_file(camo_key)
|
generate_camo_config_file(camo_key)
|
||||||
|
|
||||||
|
for name in EMPTY_SETTINGS:
|
||||||
|
lines.append(config_line(name, ''))
|
||||||
|
|
||||||
out = open(OUTPUT_SETTINGS_FILENAME, 'w')
|
out = open(OUTPUT_SETTINGS_FILENAME, 'w')
|
||||||
out.write("".join(lines))
|
out.write("".join(lines))
|
||||||
out.close()
|
out.close()
|
||||||
|
|
||||||
print "Generated %s with auto-generated secrets!" % (OUTPUT_SETTINGS_FILENAME,)
|
print "Generated %s with auto-generated secrets!" % (OUTPUT_SETTINGS_FILENAME,)
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
|
||||||
|
development = False
|
||||||
|
extra_args = sys.argv[1:]
|
||||||
|
|
||||||
|
if len(extra_args) and extra_args[0] in ('-d', '--development'):
|
||||||
|
development = True
|
||||||
|
|
||||||
|
generate_secrets(development)
|
||||||
|
|
|
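Review bot: `out = open(OUTPUT_SETTINGS_FILENAME, 'w')` creates the secrets file with the process's default umask, and because `generate_secrets` now writes real generated values (`local_database_password`, `initial_password_salt`, `secret_key`, `camo_key`) rather than a template, that file will typically end up group- and world-readable; the line is unchanged by the commit but its contents are not. Creating it with a restricted mode, `out = os.fdopen(os.open(OUTPUT_SETTINGS_FILENAME, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w')`, keeps the secrets to the owning user. Separately, `config_line` now emits values unquoted and `generate_django_secretkey` draws from a character set that includes `%` and `(`; depending on which ConfigParser class the reader uses, a `%(` sequence in `secret_key` can raise an interpolation error on `get`, so either drop those characters from `chars` or read the option with `raw=True`.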
@ -48,9 +48,12 @@ ALTER ROLE $VAGRANTUSERNAME SET search_path TO $SEARCH_PATH;
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
umask go-rw
|
umask go-rw
|
||||||
PGPASS_LINE="*:*:*:$USERNAME:$PASSWORD"
|
PGPASS_PREFIX="*:*:*:$USERNAME:"
|
||||||
if ! $(grep -q "$PGPASS_LINE" ~/.pgpass); then
|
PGPASS_ESCAPED_PREFIX="*:\*:\*:$USERNAME:"
|
||||||
echo $PGPASS_LINE >> ~/.pgpass
|
if ! $(grep -q "$PGPASS_ESCAPED_PREFIX" ~/.pgpass); then
|
||||||
|
echo $PGPASS_PREFIX$PASSWORD >> ~/.pgpass
|
||||||
|
else
|
||||||
|
sed -i 's/$PGPASS_ESCAPED_PREFIX.*$/$PGPASS_PREFIX$PASSWORD/' ~/.pgpass
|
||||||
fi
|
fi
|
||||||
chmod go-rw ~/.pgpass
|
chmod go-rw ~/.pgpass
|
||||||
|
|
||||||
|
|
|
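Review bot: The `sed -i 's/$PGPASS_ESCAPED_PREFIX.*$/$PGPASS_PREFIX$PASSWORD/' ~/.pgpass` line uses single quotes, so neither variable is expanded: sed searches for the literal text `$PGPASS_ESCAPED_PREFIX`, matches nothing, and an existing `~/.pgpass` entry for `$USERNAME` is never updated to the new password, which is exactly the case the `else` branch was added for. Double quotes fix that; in the same block `if ! $(grep -q ...)` only works because bash treats an empty command substitution's status as the grep's and should be a plain `if ! grep -q ...`, and the unquoted `echo $PGPASS_PREFIX$PASSWORD` is subject to pathname expansion because of the `*` characters. If `$PASSWORD` can contain `/` or `&` (its alphabet is not visible here), the `s///` replacement additionally needs a different delimiter or escaping.
```shell
PGPASS_ESCAPED_PREFIX="*:\*:\*:$USERNAME:"
if ! grep -q "$PGPASS_ESCAPED_PREFIX" ~/.pgpass; then
    echo "$PGPASS_PREFIX$PASSWORD" >> ~/.pgpass
else
    sed -i "s/$PGPASS_ESCAPED_PREFIX.*\$/$PGPASS_PREFIX$PASSWORD/" ~/.pgpass
fi
# … unchanged: chmod go-rw ~/.pgpass …
```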
@ -1,14 +0,0 @@
|
||||||
[secrets]
|
|
||||||
secret_key = dummy
|
|
||||||
shared_secret = dummy
|
|
||||||
rabbitmq_password = xxxxxxxxxxxxxxxx
|
|
||||||
deployment_role_key = dummy
|
|
||||||
mandrill_api_key = dummy
|
|
||||||
mailchimp_api_key = dummy-us4
|
|
||||||
camo_key = dummy
|
|
||||||
email_password = dummy
|
|
||||||
s3_key = dummy
|
|
||||||
s3_secret_key= dummy
|
|
||||||
google_oauth2_client_secret = dummy
|
|
||||||
dev_google_oauth2_client_secret = dummy
|
|
||||||
avatar_salt = dummy
|
|
|
@ -23,10 +23,6 @@ else:
|
||||||
|
|
||||||
getsecret = lambda x: secrets_file.get('secrets', x)
|
getsecret = lambda x: secrets_file.get('secrets', x)
|
||||||
|
|
||||||
# Used just for generating initial passwords (only used in testing environments).
|
|
||||||
if not DEPLOYED:
|
|
||||||
INITIAL_PASSWORD_SALT = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
|
|
||||||
|
|
||||||
MAILCHIMP_API_KEY = getsecret("mailchimp_api_key")
|
MAILCHIMP_API_KEY = getsecret("mailchimp_api_key")
|
||||||
ZULIP_FRIENDS_LIST_ID = '84b2f3da6b'
|
ZULIP_FRIENDS_LIST_ID = '84b2f3da6b'
|
||||||
|
|
||||||
|
@ -83,8 +79,6 @@ else:
|
||||||
S3_AUTH_UPLOADS_BUCKET = "zulip-user-uploads-test"
|
S3_AUTH_UPLOADS_BUCKET = "zulip-user-uploads-test"
|
||||||
S3_AVATAR_BUCKET="humbug-user-avatars-test"
|
S3_AVATAR_BUCKET="humbug-user-avatars-test"
|
||||||
|
|
||||||
LOCAL_DATABASE_PASSWORD="xxxxxxxxxxxx"
|
|
||||||
|
|
||||||
# Twitter API credentials
|
# Twitter API credentials
|
||||||
# Secrecy not required because its only used for R/O requests.
|
# Secrecy not required because its only used for R/O requests.
|
||||||
# Please don't make us go over our rate limit.
|
# Please don't make us go over our rate limit.
|
||||||
|
|
|
@ -211,6 +211,7 @@ if ENTERPRISE:
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
elif not DEPLOYED:
|
elif not DEPLOYED:
|
||||||
|
LOCAL_DATABASE_PASSWORD = get_secret("local_database_password")
|
||||||
DATABASES["default"].update({
|
DATABASES["default"].update({
|
||||||
'PASSWORD': LOCAL_DATABASE_PASSWORD,
|
'PASSWORD': LOCAL_DATABASE_PASSWORD,
|
||||||
'HOST': 'localhost',
|
'HOST': 'localhost',
|
||||||
|
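Review bot: `LOCAL_DATABASE_PASSWORD = get_secret("local_database_password")` runs at settings import time, so a development checkout whose `dev-secrets.conf` predates this commit (the dummy file deleted in this commit has no such option) will fail to start with whatever `get_secret` raises for a missing option, presumably a ConfigParser NoOptionError, with no hint that re-running the generator fixes it. The same applies to `INITIAL_PASSWORD_SALT = get_secret("initial_password_salt")` in the `if not DEPLOYED:` hunk further down. A comment on each line, `# Written by generate_enterprise_secrets.py -d; re-run it if this option is missing from dev-secrets.conf.`, tells the developer what to do, and if the missing-option error can be caught at this call site, re-raising it with that message would be better still. The enclosing `elif not DEPLOYED:` block continues outside the hunk.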
@ -333,6 +334,9 @@ if not DEPLOYED:
|
||||||
'django.contrib.auth.hashers.SHA1PasswordHasher',
|
'django.contrib.auth.hashers.SHA1PasswordHasher',
|
||||||
'django.contrib.auth.hashers.PBKDF2PasswordHasher'
|
'django.contrib.auth.hashers.PBKDF2PasswordHasher'
|
||||||
)
|
)
|
||||||
|
# Also we auto-generate passwords for the default users which you
|
||||||
|
# can query using ./manage.py print_initial_password
|
||||||
|
INITIAL_PASSWORD_SALT = get_secret("initial_password_salt")
|
||||||
|
|
||||||
if TESTING_DEPLOYED or ENTERPRISE:
|
if TESTING_DEPLOYED or ENTERPRISE:
|
||||||
# XXX we should probably tighten this for ENTERPRISE
|
# XXX we should probably tighten this for ENTERPRISE
|
||||||
|
|