Auto-generate dev-secrets file.

Source LOCAL_DATABASE_PASSWORD and INITIAL_PASSWORD_SALT from the secrets file.
Fix the creation of the pgpass file.

Tim's note: This will definitely break the original purpose of the
tool but it should be pretty easy to add that back as an option.

(imported from commit 8ab31ea2b7cbc80a4ad2e843a2529313fad8f5cf)
Cat Miller 2015-08-19 23:15:21 -07:00 committed by Tim Abbott
parent 86278804c9
commit 0a20f168a7
6 changed files with 41 additions and 46 deletions


@ -112,6 +112,7 @@ with sh.sudo:
# Management commands expect to be run from the root of the project. # Management commands expect to be run from the root of the project.
os.chdir(ZULIP_PATH) os.chdir(ZULIP_PATH)
os.system("generate_enterprise_secrets.py -d")
sh.configure_rabbitmq() sh.configure_rabbitmq()
sh.postgres_init_db() sh.postgres_init_db()
sh.do_destroy_rebuild_database() sh.do_destroy_rebuild_database()
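Review bot: The exit status of `os.system("generate_enterprise_secrets.py -d")` is discarded, so if the generator fails (not found on PATH, import error, unwritable output directory) setup keeps going and the later `sh.postgres_init_db()`, which presumably now reads `local_database_password` from the file that was never written, fails far from the cause. Replace it with `subprocess.check_call(["generate_enterprise_secrets.py", "-d"])` (adding the `subprocess` import if the file lacks it) so the failure is raised at the point of origin. The line sits inside a `with sh.sudo:` block whose start is outside the hunk; as far as I can tell `os.system` is not affected by that context manager, so it is worth confirming which user ends up owning the generated secrets file.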


@ -11,14 +11,14 @@ from zerver.lib.utils import generate_random_token
os.chdir(os.path.join(os.path.dirname(__file__), '..', '..')) os.chdir(os.path.join(os.path.dirname(__file__), '..', '..'))
SETTINGS_FILENAME = "zproject/local_settings_template.py" OUTPUT_SETTINGS_FILENAME = "zproject/dev-secrets.conf"
OUTPUT_SETTINGS_FILENAME = "zproject/local_settings_generated.py"
CAMO_CONFIG_FILENAME = '/etc/default/camo' CAMO_CONFIG_FILENAME = '/etc/default/camo'
if not os.path.exists(SETTINGS_FILENAME): AUTOGENERATED_SETTINGS = ['shared_secret', 'avatar_salt', 'rabbitmq_password', 'local_database_password',
print "Unable to find settings file at %s" % (SETTINGS_FILENAME,) 'initial_password_salt']
AUTOGENERATED_SETTINGS = ['SHARED_SECRET', 'AVATAR_SALT', 'RABBITMQ_PASSWORD'] EMPTY_SETTINGS = ['deployment_role_key', 'mandrill_api_key', 'mailchimp_api_key', 'email_password', 's3_key', 's3_secret_key',
'google_oauth2_client_secret', 'dev_google_oauth2_client_secret']
def generate_camo_config_file(camo_key): def generate_camo_config_file(camo_key):
camo_config = """ENABLED=yes camo_config = """ENABLED=yes
@ -34,30 +34,37 @@ def generate_django_secretkey():
chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)' chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
return get_random_string(50, chars) return get_random_string(50, chars)
if __name__ == '__main__': def generate_secrets(development=False):
f = open(SETTINGS_FILENAME, 'r') lines = ['[secrets]\n']
lines = f.readlines()
for idx, line in enumerate(lines):
parts = [part.strip() for part in line.split('=')]
if len(parts) != 2:
continue
def config_line(var, value): def config_line(var, value):
return "%s = '%s'\n" % (var, value) return "%s = %s\n" % (var, value)
if parts[0] in AUTOGENERATED_SETTINGS: for name in AUTOGENERATED_SETTINGS:
lines[idx] = config_line(parts[0], generate_random_token(64)) lines.append(config_line(name, generate_random_token(64)))
elif parts[0] == 'SECRET_KEY':
lines[idx] = config_line("SECRET_KEY", generate_django_secretkey()) lines.append(config_line('secret_key', generate_django_secretkey()))
elif parts[0] == 'CAMO_KEY':
camo_key = get_random_string(64) camo_key = get_random_string(64)
lines[idx] = config_line(parts[0], camo_key) lines.append(config_line('camo_key', camo_key))
if not development:
# Write the Camo config file directly # Write the Camo config file directly
generate_camo_config_file(camo_key) generate_camo_config_file(camo_key)
for name in EMPTY_SETTINGS:
lines.append(config_line(name, ''))
out = open(OUTPUT_SETTINGS_FILENAME, 'w') out = open(OUTPUT_SETTINGS_FILENAME, 'w')
out.write("".join(lines)) out.write("".join(lines))
out.close() out.close()
print "Generated %s with auto-generated secrets!" % (OUTPUT_SETTINGS_FILENAME,) print "Generated %s with auto-generated secrets!" % (OUTPUT_SETTINGS_FILENAME,)
if __name__ == '__main__':
development = False
extra_args = sys.argv[1:]
if len(extra_args) and extra_args[0] in ('-d', '--development'):
development = True
generate_secrets(development)
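Review bot: `generate_secrets` creates `OUTPUT_SETTINGS_FILENAME` with a plain `open(OUTPUT_SETTINGS_FILENAME, 'w')`, so the file that now carries the database password, Django secret key and password salt is created with the process umask (commonly world-readable), unlike the pgpass branch in this same commit which does `umask go-rw` first. Create it with restricted mode instead, e.g. `fd = os.open(OUTPUT_SETTINGS_FILENAME, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)` followed by `out = os.fdopen(fd, 'w')` (Python 2 octal literal, matching the file's `print` statements; an existing file's mode is left as is, so a `chmod` may still be wanted). `config_line` writes values unquoted and `generate_django_secretkey`'s alphabet contains `%`, which a ConfigParser with interpolation enabled rejects on `get()` — worth confirming against how `secrets_file` is constructed (the settings hunk only shows `secrets_file.get('secrets', x)`), or reading with a `RawConfigParser`. Re-running the script silently overwrites an existing secrets file and thereby rotates every value including `secret_key`, so an existence check or at least a printed warning before the `open` would help. The `__main__` block uses `sys.argv`, which needs `sys` imported above the hunk.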


@ -48,9 +48,12 @@ ALTER ROLE $VAGRANTUSERNAME SET search_path TO $SEARCH_PATH;
EOF EOF
umask go-rw umask go-rw
PGPASS_LINE="*:*:*:$USERNAME:$PASSWORD" PGPASS_PREFIX="*:*:*:$USERNAME:"
if ! $(grep -q "$PGPASS_LINE" ~/.pgpass); then PGPASS_ESCAPED_PREFIX="*:\*:\*:$USERNAME:"
echo $PGPASS_LINE >> ~/.pgpass if ! $(grep -q "$PGPASS_ESCAPED_PREFIX" ~/.pgpass); then
echo $PGPASS_PREFIX$PASSWORD >> ~/.pgpass
else
sed -i 's/$PGPASS_ESCAPED_PREFIX.*$/$PGPASS_PREFIX$PASSWORD/' ~/.pgpass
fi fi
chmod go-rw ~/.pgpass chmod go-rw ~/.pgpass
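Review bot: The `sed -i 's/$PGPASS_ESCAPED_PREFIX.*$/$PGPASS_PREFIX$PASSWORD/' ~/.pgpass` on the new `else` branch is single-quoted, so none of the three variables expand: sed searches for the literal text `$PGPASS_ESCAPED_PREFIX.*$`, never matches, and an existing entry keeps its stale password — exactly the re-run case this branch was added to handle. Use double quotes, `sed -i "s/$PGPASS_ESCAPED_PREFIX.*\$/$PGPASS_PREFIX$PASSWORD/" ~/.pgpass`, and note in a comment that `$PASSWORD` must not contain `/` or `&` (the generator's token alphabet is not visible here) since either would break or alter the substitution. While touching this block, the two surrounding lines inherit older quoting problems: `if ! $(grep -q ...)` runs grep inside a command substitution and only works because the empty expansion propagates its exit status, so prefer `if ! grep -q "$PGPASS_ESCAPED_PREFIX" ~/.pgpass; then`, and `echo $PGPASS_PREFIX$PASSWORD` leaves the `*` fields subject to glob expansion, so prefer `echo "$PGPASS_PREFIX$PASSWORD" >> ~/.pgpass`.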


@ -1,14 +0,0 @@
[secrets]
secret_key = dummy
shared_secret = dummy
rabbitmq_password = xxxxxxxxxxxxxxxx
deployment_role_key = dummy
mandrill_api_key = dummy
mailchimp_api_key = dummy-us4
camo_key = dummy
email_password = dummy
s3_key = dummy
s3_secret_key= dummy
google_oauth2_client_secret = dummy
dev_google_oauth2_client_secret = dummy
avatar_salt = dummy


@ -23,10 +23,6 @@ else:
getsecret = lambda x: secrets_file.get('secrets', x) getsecret = lambda x: secrets_file.get('secrets', x)
# Used just for generating initial passwords (only used in testing environments).
if not DEPLOYED:
INITIAL_PASSWORD_SALT = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
MAILCHIMP_API_KEY = getsecret("mailchimp_api_key") MAILCHIMP_API_KEY = getsecret("mailchimp_api_key")
ZULIP_FRIENDS_LIST_ID = '84b2f3da6b' ZULIP_FRIENDS_LIST_ID = '84b2f3da6b'
@ -83,8 +79,6 @@ else:
S3_AUTH_UPLOADS_BUCKET = "zulip-user-uploads-test" S3_AUTH_UPLOADS_BUCKET = "zulip-user-uploads-test"
S3_AVATAR_BUCKET="humbug-user-avatars-test" S3_AVATAR_BUCKET="humbug-user-avatars-test"
LOCAL_DATABASE_PASSWORD="xxxxxxxxxxxx"
# Twitter API credentials # Twitter API credentials
# Secrecy not required because its only used for R/O requests. # Secrecy not required because its only used for R/O requests.
# Please don't make us go over our rate limit. # Please don't make us go over our rate limit.


@ -211,6 +211,7 @@ if ENTERPRISE:
} }
}) })
elif not DEPLOYED: elif not DEPLOYED:
LOCAL_DATABASE_PASSWORD = get_secret("local_database_password")
DATABASES["default"].update({ DATABASES["default"].update({
'PASSWORD': LOCAL_DATABASE_PASSWORD, 'PASSWORD': LOCAL_DATABASE_PASSWORD,
'HOST': 'localhost', 'HOST': 'localhost',
@ -333,6 +334,9 @@ if not DEPLOYED:
'django.contrib.auth.hashers.SHA1PasswordHasher', 'django.contrib.auth.hashers.SHA1PasswordHasher',
'django.contrib.auth.hashers.PBKDF2PasswordHasher' 'django.contrib.auth.hashers.PBKDF2PasswordHasher'
) )
# Also we auto-generate passwords for the default users which you
# can query using ./manage.py print_initial_password
INITIAL_PASSWORD_SALT = get_secret("initial_password_salt")
if TESTING_DEPLOYED or ENTERPRISE: if TESTING_DEPLOYED or ENTERPRISE:
# XXX we should probably tighten this for ENTERPRISE # XXX we should probably tighten this for ENTERPRISE
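Review bot: `LOCAL_DATABASE_PASSWORD = get_secret("local_database_password")` and `INITIAL_PASSWORD_SALT = get_secret("initial_password_salt")` make the non-deployed settings import depend on two keys that only exist once `generate_enterprise_secrets.py -d` has written them; a checkout that pulls this commit without re-running setup will either fail at settings import or receive `None`, depending on how `get_secret` (defined outside the hunk) treats a missing key. A comment at the first of the two assignments would save the next developer the search, e.g. `# Written to the secrets file by generate_enterprise_secrets.py -d (run by the setup script); re-run it if this key is missing.` The `if TESTING_DEPLOYED or ENTERPRISE:` block that opens at the end of the hunk continues past it.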