Auto-generate dev-secrets file.

Source LOCAL_DATABASE_PASSWORD and INITIAL_PASSWORD_SALT from the secrets file.
Fix the creation of pgpass file.

Tim's note: This will definitely break the original purpose of the
tool but it should be pretty easy to add that back as an option.

(imported from commit 8ab31ea2b7cbc80a4ad2e843a2529313fad8f5cf)

provision.py

@@ -112,6 +112,7 @@ with sh.sudo:
 # Management commands expect to be run from the root of the project.
 os.chdir(ZULIP_PATH)
 
+os.system("generate_enterprise_secrets.py -d")
 sh.configure_rabbitmq()
 sh.postgres_init_db()
 sh.do_destroy_rebuild_database()

scripts/setup/generate_enterprise_secrets.py

@@ -11,14 +11,14 @@ from zerver.lib.utils import generate_random_token
 
 os.chdir(os.path.join(os.path.dirname(__file__), '..', '..'))
 
-SETTINGS_FILENAME = "zproject/local_settings_template.py"
-OUTPUT_SETTINGS_FILENAME = "zproject/local_settings_generated.py"
+OUTPUT_SETTINGS_FILENAME = "zproject/dev-secrets.conf"
 CAMO_CONFIG_FILENAME = '/etc/default/camo'
 
-if not os.path.exists(SETTINGS_FILENAME):
-    print "Unable to find settings file at %s" % (SETTINGS_FILENAME,)
+AUTOGENERATED_SETTINGS = ['shared_secret', 'avatar_salt', 'rabbitmq_password', 'local_database_password',
+                          'initial_password_salt']
 
-AUTOGENERATED_SETTINGS = ['SHARED_SECRET', 'AVATAR_SALT', 'RABBITMQ_PASSWORD']
+EMPTY_SETTINGS = ['deployment_role_key', 'mandrill_api_key', 'mailchimp_api_key', 'email_password', 's3_key', 's3_secret_key',
+                  'google_oauth2_client_secret', 'dev_google_oauth2_client_secret']
 
 def generate_camo_config_file(camo_key):
     camo_config = """ENABLED=yes
@@ -34,30 +34,37 @@ def generate_django_secretkey():
     chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
     return get_random_string(50, chars)
 
-if __name__ == '__main__':
-    f = open(SETTINGS_FILENAME, 'r')
-    lines = f.readlines()
-
-    for idx, line in enumerate(lines):
-        parts = [part.strip() for part in line.split('=')]
-        if len(parts) != 2:
-            continue
+def generate_secrets(development=False):
+    lines = ['[secrets]\n']
 
     def config_line(var, value):
-            return "%s = '%s'\n" % (var, value)
+        return "%s = %s\n" % (var, value)
 
-        if parts[0] in AUTOGENERATED_SETTINGS:
-            lines[idx] = config_line(parts[0], generate_random_token(64))
-        elif parts[0] == 'SECRET_KEY':
-            lines[idx] = config_line("SECRET_KEY", generate_django_secretkey())
-        elif parts[0] == 'CAMO_KEY':
+    for name in AUTOGENERATED_SETTINGS:
+        lines.append(config_line(name, generate_random_token(64)))
+
+    lines.append(config_line('secret_key', generate_django_secretkey()))
     camo_key = get_random_string(64)
-            lines[idx] = config_line(parts[0], camo_key)
+    lines.append(config_line('camo_key', camo_key))
+    if not development:
         # Write the Camo config file directly
         generate_camo_config_file(camo_key)
 
+    for name in EMPTY_SETTINGS:
+        lines.append(config_line(name, ''))
+
     out = open(OUTPUT_SETTINGS_FILENAME, 'w')
     out.write("".join(lines))
     out.close()
 
     print "Generated %s with auto-generated secrets!" % (OUTPUT_SETTINGS_FILENAME,)
+
+if __name__ == '__main__':
+
+    development = False
+    extra_args = sys.argv[1:]
+
+    if len(extra_args) and extra_args[0] in ('-d', '--development'):
+        development = True
+
+    generate_secrets(development)

tools/postgres-init-db

@@ -48,9 +48,12 @@ ALTER ROLE $VAGRANTUSERNAME SET search_path TO $SEARCH_PATH;
 EOF
 
 umask go-rw
-PGPASS_LINE="*:*:*:$USERNAME:$PASSWORD"
-if ! $(grep -q "$PGPASS_LINE" ~/.pgpass); then
-    echo $PGPASS_LINE >> ~/.pgpass
+PGPASS_PREFIX="*:*:*:$USERNAME:"
+PGPASS_ESCAPED_PREFIX="*:\*:\*:$USERNAME:"
+if ! $(grep -q "$PGPASS_ESCAPED_PREFIX" ~/.pgpass); then
+    echo $PGPASS_PREFIX$PASSWORD >> ~/.pgpass
+else
+    sed -i 's/$PGPASS_ESCAPED_PREFIX.*$/$PGPASS_PREFIX$PASSWORD/' ~/.pgpass
 fi
 chmod go-rw ~/.pgpass
 

zproject/dev-secrets.conf

@@ -1,14 +0,0 @@
-[secrets]
-secret_key = dummy
-shared_secret = dummy
-rabbitmq_password = xxxxxxxxxxxxxxxx
-deployment_role_key = dummy
-mandrill_api_key = dummy
-mailchimp_api_key = dummy-us4
-camo_key = dummy
-email_password = dummy
-s3_key = dummy
-s3_secret_key= dummy
-google_oauth2_client_secret  = dummy
-dev_google_oauth2_client_secret  = dummy
-avatar_salt = dummy

zproject/local_settings.py

@@ -23,10 +23,6 @@ else:
 
 getsecret = lambda x: secrets_file.get('secrets', x)
 
-# Used just for generating initial passwords (only used in testing environments).
-if not DEPLOYED:
-    INITIAL_PASSWORD_SALT = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
-
 MAILCHIMP_API_KEY = getsecret("mailchimp_api_key")
 ZULIP_FRIENDS_LIST_ID = '84b2f3da6b'
 
@@ -83,8 +79,6 @@ else:
     S3_AUTH_UPLOADS_BUCKET = "zulip-user-uploads-test"
     S3_AVATAR_BUCKET="humbug-user-avatars-test"
 
-    LOCAL_DATABASE_PASSWORD="xxxxxxxxxxxx"
-
 # Twitter API credentials
 # Secrecy not required because its only used for R/O requests.
 # Please don't make us go over our rate limit.

zproject/settings.py

@@ -211,6 +211,7 @@ if ENTERPRISE:
             }
             })
 elif not DEPLOYED:
+    LOCAL_DATABASE_PASSWORD = get_secret("local_database_password")
     DATABASES["default"].update({
             'PASSWORD': LOCAL_DATABASE_PASSWORD,
             'HOST': 'localhost',
@@ -333,6 +334,9 @@ if not DEPLOYED:
                 'django.contrib.auth.hashers.SHA1PasswordHasher',
                 'django.contrib.auth.hashers.PBKDF2PasswordHasher'
             )
+    # Also we auto-generate passwords for the default users which you
+    # can query using ./manage.py print_initial_password
+    INITIAL_PASSWORD_SALT = get_secret("initial_password_salt")
 
 if TESTING_DEPLOYED or ENTERPRISE:
     # XXX we should probably tighten this for ENTERPRISE