Commit Graph

52 Commits

Author SHA1 Message Date
Zev Benjamin 2f7af69091 Add customizations for CUSTOMER16 employees' realm
CUSTOMER16 wants their employee realm to:
* only use JWT logins
* have name changes be disabled (they want users' full names to be
  their CUSTOMER16 user name).
* not show the suggestion that users download the desktop app

(imported from commit cb5f72c993ddc26132ce50165bb68c3000276de0)
2014-04-04 16:51:32 -07:00
Zev Benjamin bd3f1c6a9e Add JSON web token (JWT) authentication
We currently expect the use of HMAC SHA-256, although there shouldn't be
anything preventing us from using other algorithms.

(imported from commit 354510a0b7e9e273d062a1ab5b2b03d4a749d6a3)
2014-04-04 16:51:32 -07:00
Zev Benjamin f999440cc6 Add bot1@customer36.invalid to the list of API super users
(imported from commit 07767022db0f894d398d0031053f93439258ea0d)
2014-03-04 23:02:27 -05:00
Zev Benjamin 631783f3cd [manual] Use dedicated Redis server for staging
Before we deploy this commit, we must migrate the data from the staging redis
server to the new, dedicated redis server.  The steps for doing so are the
following:

* Remove the zulip::redis puppet class from staging's zulip.conf
* ssh once from staging to redis-staging.zulip.net so that the host key is known
* Create a tunnel from redis0.zulip.net to staging.zulip.net
  * zulip@redis0:~$ ssh -N -L 127.0.0.1:6380:127.0.0.1:6379 -o ServerAliveInterval=30 -o ServerAliveCountMax=3 staging.zulip.net
* Set the redis instance on redis0.zulip.net to replicate the one on staging.zulip.net
  * redis 127.0.0.1:6379> slaveof 127.0.0.1 6380
* Stop the app on staging
* Stop redis-server on staging
* Promote the redis server on redis0.zulip.net to a master
  * redis 127.0.0.1:6379> slaveof no one
* Do a puppet apply at this commit on staging (this will bring up the tunnel to redis0)
* Deploy this commit to staging (start the app on staging)
* Kill the tunnel from redis0.zulip.net to staging.zulip.net
* Uninstall redis-server on staging

The steps for migrating prod will be the same modulo s/staging/prod0/.

(imported from commit 546d258883ac299d65e896710edd0974b6bd60f8)
2014-02-10 13:23:28 -05:00
Luke Faraone ffdc254e2d Restore EMAIL_GATEWAY_BOT parameter
(imported from commit bda6b39c60b4e5b642db47fd3ba1be2ac8c19650)
2014-02-06 10:43:06 -05:00
Luke Faraone 24f8492236 [manual] Enable local email mirror on all frontends.
This removes the cronjob from all app_frontend servers and enables the
local Postfix mail server on the same.

This is a no-op on staging if the parent commit has already been
applied.

To deploy this commit, run a puppet-apply on prod.

(imported from commit 6d3977fd12088abcd33418279e9fa28f9b2a2006)
2014-02-06 10:26:56 -05:00
Luke Faraone 30a6fd3bd7 [manual] Enable postfix email mirror on staging
This will cause us to receive messages sent to streams.staging.zulip.com
via the local Postfix daemon running on staging.

This commit does not impact prod. To deploy, a puppet-apply is needed on
staging.

(imported from commit 9eaedc28359f55a65b672a2e078c57362897c0de)
2014-02-04 10:38:17 -05:00
Leo Franchi 4b7d061bbf Simplify conditional for APNS sandbox and feedback service
(imported from commit f7c15cd3eec93eda7152ea133e8008bc072d67d8)
2014-01-22 13:22:20 -05:00
Leo Franchi de1ec7ae43 Always use the apns-dist.pem cert for staging/prod
(imported from commit 9f01f971f1c3cbd500771c074e9dc7e8bc327b69)
2014-01-22 13:17:53 -05:00
Luke Faraone 3948e1673d [manual] Accept OAuth2 tokens for API login via Google Apps
This is used by the Android app to authenticate without prompting for a
password.

To do so, we implement a custom authentication backend that validates
the ID token provided by Google and then tries to see if we have a
corresponding UserProfile on file for them.

If the attestation is valid but the user is unregistered, we return that
fact by modifying a dictionary passed in as a parameter. We then return
the appropriate error message via the API.

This commit adds a dependency on the "googleapi" module. On Debian-based
systems with the Zulip APT repository:
    sudo apt-get install python-googleapi

For OS X and other platforms:
    pip install googleapi

(imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-13 13:30:55 -05:00
Luke Faraone 2627f229c4 Clarifying comment for local_settings.py
(imported from commit 64c0f4d032515dbeee4565de8581ea68edd7cd1f)
2014-01-13 13:09:12 -05:00
Tim Abbott 411b0a8777 Fix EXTERNAL_API_PATH and friends for prod and localhost.
We were incorrectly manually setting EXTERNAL_API_PATH for localhost
in local_settings.py, but the exception case we should be setting it
manually for is prod.

(imported from commit cbdf75c87ffccdeb306407a59c6594880f4461eb)
2013-12-18 16:01:19 -05:00
Kevin Mehall 662edc2558 [manual] Backend support for Android GCM push notifications
This adds a dependency on gcmclient:
http://gcm-client.readthedocs.org/en/latest/gcmclient.html

pip install gcm-client

or

apt-get install python-gcm-client

(imported from commit 9f1fbf1f793e4a27baed85c6f1aa7a7b03106a10)
2013-12-11 15:37:48 -05:00
Tim Abbott e5be713103 Clean up EXTERNAL_API_HOST usage and defaults.
We now have 2 variables:
EXTERNAL_API_PATH: e.g. staging.zulip.com/api
EXTERNAL_API_URI: e.g. https://staging.zulip.com/api

The former is primarily needed for certain integrations.

(imported from commit 3878b99a4d835c5fcc2a2c6001bc7eeeaf4c9363)
2013-12-04 15:10:54 -05:00
acrefoot ccb7446d5c move Enterprise Email options into better places
(imported from commit f205c29b224f31474e2983c7f2bdb1ee5e2c754b)
2013-11-15 21:31:37 -05:00
Kevin Mehall fe0dcd4313 Disable camo on enterprise.
CUSTOMER13 doesn't want it, and there's currently no nginx config
or configurable Camo URI, so it wouldn't work if image preview
were enabled.

(imported from commit 615d4a32acbc4d4d590f88cf4e7d45d8f49db1d3)
2013-11-15 14:27:16 -05:00
acrefoot f7b5a10da0 [schema] Add ScheduledJob table, and update mandrill related code
ScheduledJobs with type Email displace the usual mandrill codepaths
in the Zulip Enterprise deploys

* Email-specific helper functions will appear in deliver_email.py
* 0058_auto__add_scheduledjob.py

(imported from commit 8db08d8a279600322acfdbed792dc1a676f7a0ab)
2013-11-13 16:41:36 -05:00
Jessica McKellar b69cc46be6 Add back the ability to do local email mirror testing against the Test folder.
(imported from commit 01f1f58bb365a9827f25329446f4b2c2666fb92a)
2013-11-13 16:28:29 -05:00
Tim Abbott c66556381a Set the ADMINS to be the ZULIP_ADMINISTRATOR by default.
(imported from commit 6ff4e611bb2e145e49ea6f477d79415816372a16)
2013-11-13 15:35:45 -05:00
Luke Faraone a7237938c8 Set FEEDBACK_TARGET for enterprise case.
(imported from commit 478033bf3eefb8406d93fb2f0225420812dee7b0)
2013-11-13 12:02:49 -05:00
Tim Abbott cb9931110f Automatically configure EMAIL_GATEWAY_BOT as a superuser.
(imported from commit 1e74ae458e446edec59eb1ab238cede969c4dbbc)
2013-11-13 12:02:49 -05:00
Tim Abbott e18a08c69e settings: Move hardcoded API super users into local_settings.py.
(imported from commit fea7550a771c837db0fb948238488f778bedf73a)
2013-11-13 12:02:49 -05:00
Leo Franchi 306ce65ea3 Only create initial passwords for local dev setups
(imported from commit 2ef33ebbab0fe21486acbb1a3a78ed434abac2db)
2013-11-12 22:42:05 -05:00
Tim Abbott 966fde261a puppet: Rename local_server => enterprise.
(imported from commit 5faa269df5937f6db99098e44aaea7d0a4f2c14a)
2013-11-12 15:57:02 -05:00
Tim Abbott 5293cdebe8 Rename LOCAL_SERVER to ENTERPRISE.
(imported from commit 7edf353eefe6c9e7aac74b7bbc37b923cac1b913)
2013-11-12 15:57:01 -05:00
Tim Abbott c03050f2b9 [Django 1.6] Use the legacy PickleSerializer for sessions.
This is for backwards compatibility.  Later we should actually switch to
the JSON serializer, because it means having our SECRET_KEY stolen
isn't an immediate arbitrary code execution vulnerability.

(imported from commit e68ba5cfdb79c0c1f7b178279ecd0307016f5eff)
2013-11-08 08:22:04 -05:00
acrefoot 4c88a909cb If EMAIL_HOST is unset or blank, don't send email via django.core.mail
It will instead use the dummy EmailBackend

(imported from commit 6faec7f3e087901226a120b9268cf687ed165c05)
2013-11-06 17:36:41 -05:00
Luke Faraone c11b65590b SSO / REMOTE_USER support
(imported from commit 4f4fad7af5d3c6099cac95d7708338c182626d72)
2013-11-05 16:14:13 -05:00
Zev Benjamin 787215d743 [manual] Switch over to new /etc/zulip/zulip.conf config file
Run the following commands as root before deploying this branch:
 # /root/zulip/tools/migrate-server-config
 # rm /etc/zulip/machinetype /etc/zulip/server /etc/zulip/local /etc/humbug-machinetype /etc/humbug-server /etc/humbug-local

(imported from commit aa7dcc50d2f4792ce33834f14761e76512fca252)
2013-11-05 14:14:19 -05:00
Leo Franchi 6765ec0795 Use a site-specific Zulip Admin email in django error pages
(imported from commit 2d5415d7cd81befc3051b5de3835c0cd258b6375)
2013-11-04 16:35:50 -05:00
Leo Franchi 9b4491db6a Don't use hardcoded bots in nagios' check_send_receive
(imported from commit 82add135bf5b819bcc992af8420eec14cf829ccc)
2013-11-01 14:13:05 -04:00
Leo Franchi db6550e99a Make built-in bots come from settings.py, and allow localserver-specific ones
(imported from commit e21933e37487314ac986147562817a19227e8960)
2013-11-01 14:13:05 -04:00
Zev Benjamin 57bef07832 [manual] Move /etc/humbug-* files into /etc/zulip
The moved files are:
humbug-server
humbug-local
humbug-machinetype

Their new names are their old names with 'humbug-' removed.

zulip-puppet-apply must be run before this commit is deployed

(imported from commit f4eb523244d3409b5809c279301225d3fdf0c230)
2013-10-30 15:42:25 -04:00
Leo Franchi 8e05f76511 Only enable analytics and dropbox on non-LOCAL_SERVER
(imported from commit 1ba877550b3afde51bec6f344762ea998800c5b6)
2013-10-29 17:33:36 -04:00
Tim Abbott 0a44ba2a28 Move servers/configure-rabbitmq to scripts/setup/.
(imported from commit 2b4d5ccb88675447ae744fb985246211deef7486)
2013-10-28 10:54:48 -04:00
Waseem Daher 66f48288b4 Rename LOCALSERVER -> LOCAL_SERVER.
(imported from commit b3abdd10d54d2ad7a9c463af9a291d2e2127707f)
2013-10-25 17:37:06 -04:00
Luke Faraone e552307511 Send feedback to a queue to be forwarded to staging.
(imported from commit 4a9a1bfc6c95763a816263a726cc61b3ca90bf15)
2013-10-25 14:13:30 -04:00
Luke Faraone 81d7dd1fda [schema] Support for authenticating Deployments via the API.
Here we introduce a new Django app, zilencer. The intent is to not have
this app enabled on LOCALSERVER instances, and for it to grow to include
all the functionality we want to have in our central server that isn't
relevant for local deployments.

Currently we have to modify functions in zerver/* to match; in the
future, it would be cool to have the relevant shared code broken out
into a separate library.

This commit includes both the migration to create the models as well as a
data migration that (for non-LOCALSERVER) creates a single default
Deployment for zulip.com.

To apply this migration to your system, run:
   ./manage.py migrate zilencer

(imported from commit 86d5497ac120e03fa7f298a9cc08b192d5939b43)
2013-10-25 14:13:30 -04:00
Leo Franchi 0bc5b13648 Fix Zulip username of email gateway bot
(imported from commit f24c5fd3fc5888bf7dc4d9501723777ad8447704)
2013-10-25 11:51:13 -04:00
Leo Franchi 2d276179d0 Refactor email-mirror to handle running on any machine
(imported from commit 2971449ceaacb564770e66874fc095f77e68d445)
2013-10-25 11:37:34 -04:00
Kevin Mehall 0a3a22cb3d Support authenticated upload URLs.
Trac #1734

This is implemented by bouncing uploaded file links through a view
that checks authentication and redirects to an expiring S3 URL.

This makes file uploads return a domain-relative URI. The client converts
this to an absolute URI when it's in the composebox, then back to relative
when it's submitted to the server.

We need the relative URI because the same message may be viewed across
{staging,www,zephyr}.zulip.com, which have different cookies.

(imported from commit 33acb2abaa3002325f389d5198fb20ee1b30f5fa)
2013-10-24 17:01:06 -04:00
Leo Franchi 410ee44eb6 Send users push notifications when they miss messages
(imported from commit 6c54fe44a82c5796268e56d3f5577bf4cfc8163a)
2013-10-24 14:54:31 -04:00
Zev Benjamin 5979af3a45 [manual] Add asynchronous message sender via sockjs-tornado
New dependency: sockjs-tornado

One known limitation is that we don't clean up sessions for
non-websockets transports.  This is a bug in Tornado so I'm going to
look at upgrading us to the latest version:
https://github.com/mrjoes/sockjs-tornado/issues/47

(imported from commit 31cdb7596dd5ee094ab006c31757db17dca8899b)
2013-10-22 18:45:11 -04:00
Jessica McKellar d4e2cdd09e Determine DEPLOYED only based on /etc/humbug-server.
The other zulip.net check was for a transition to using that file that
has now completed.

(imported from commit 991d9165515b5611865957255f9da7a69a75fd7b)
2013-10-16 13:18:49 -04:00
acrefoot f8662c16f7 Add Mandrill decorators, credentials, actions
You can queue email for future delivery or send immediately via mandrill now

(imported from commit e6b6d11a2d94fcdeaffab80793e7ba31955b9031)
2013-10-10 19:32:21 -04:00
Luke Faraone 1d9391e867 Initial local server configuration.
(imported from commit ac9b9896b74b78c6ca03af7f411d0788ae402cff)
2013-10-10 14:14:14 -04:00
Luke Faraone 7d03614a1b Store the feedback bot key in local_settings.py
(imported from commit 3322d8976328db61cd382acb06775c6a6df3fea0)
2013-10-10 11:31:15 -04:00
Tim Abbott 70c666c3c6 [manual] Rename humbug@humbughq.com to zulip@zulip.com.
This requires renaming the account in Google Apps at the time we
deploy this; we'll probably want to do this during off hours to avoid
any user-visible downtime.

This also updates some related email addresses.

(imported from commit fce7629b359a4f278bbf7815c8d177a8fa0484fe)
2013-10-08 08:57:29 -04:00
Tim Abbott 6d49a7c880 Move passwords for our localhost databases to local_settings.py.
(imported from commit 5f6dacdfdfd64fadc2995b393d7c59be0b049d79)
2013-10-08 08:57:28 -04:00
Tim Abbott e154877e26 Fix twitter access token secret for staging.
(imported from commit 2a567b06f4e811561f41a84bc000cf4e8694295a)
2013-10-01 13:58:55 -04:00