Commit Graph

122 Commits

Author SHA1 Message Date
Yoyo Zhou ef320c6e95 Remove Redis remote authentication feature.
We can add it back later but for now we can just stick with localhost
since that's what most people will want.

(imported from commit c5fe524282219dc62a0670f569c0cb6af04be339)
2015-08-20 21:58:59 -07:00
Yoyo Zhou e41c00107d Move twitter secret keys to use get_secrets in settings.py
(imported from commit cc21265ae64a49be20bec74386314d60ee822746)
2015-08-20 21:58:59 -07:00
Yoyo Zhou 32f6d1055d Get s3_key and s3_secret_key from secrets in settings.py.
(imported from commit 2c2574988486bbb6f0f769250664a5a2a4c9e6c9)
2015-08-20 21:58:51 -07:00
Yoyo Zhou d34d44e1d4 Read ANDROID_GCM_API_KEY from secrets; move to settings.py
(imported from commit 0d0d59116065956b9cbbe895eb09f0433b752cf1)
2015-08-20 21:54:55 -07:00
Yoyo Zhou ec5ed87ca0 Make get_secret return None instead of an exception if the secret isn't defined.
Remove empty key generation from generate_enterprise_secrets, since get_secret ignores missing keys now.

(imported from commit 32d61e3058f0d41bfb4b17775e581a3c84540fe7)
2015-08-20 21:54:38 -07:00
Yoyo Zhou 2cab113035 Rename getsecret -> get_secret and remove duplicate secret-reading code in settings.py
(imported from commit 097d6b4fad1fcf8b6f09dc212056fdb313efe5e4)
2015-08-20 21:52:26 -07:00
Cat Miller 0a20f168a7 Auto-generate dev-secrets file.
Source LOCAL_DATABASE_PASSWORD and INITIAL_PASSWORD_SALT from the secrets file.
Fix the creation of pgpass file.

Tim's note: This will definitely break the original purpose of the
tool but it should be pretty easy to add that back as an option.

(imported from commit 8ab31ea2b7cbc80a4ad2e843a2529313fad8f5cf)
2015-08-20 00:20:44 -07:00
Tim Abbott 2de3e2ebdd Move several secrets to using the get_secret function in settings.py.
(imported from commit 08fb828265c4a9e35294a51c0901bd5ad3990344)
2015-08-18 20:17:48 -07:00
Tim Abbott 8c88746912 Move iOS App IDs to settings.py since it's needed to run the app.
(imported from commit 891e32ffa82430487fc333fa549ee465f0d018c0)
2015-08-18 20:17:48 -07:00
David Roe 2ffd022a5f Include defaults for AUTHENTICATION_BACKENDS
(imported from commit cdfffacc45f30e6959085ba8bc5aed72ae3527cf)
2015-08-18 20:17:47 -07:00
David Roe 46e224997e Add a new dev login page for logging in without a password on the dev VM.
(imported from commit ac8f2504771c9907b7e92dc91cec5f7220ce951b)
2015-08-18 20:17:47 -07:00
Luke Faraone f5089e535d Add dummy secrets for use in development.
We also reference these secrets from zproject/local_settings.py, keying
off IS_DEPLOYED.

(imported from commit eb83310e219616ed1c6c253f0d6893134bbe3517)
2015-08-16 21:35:34 -07:00
Luke Faraone 48f1a84d6e Additional defaults for dev.
(imported from commit 1b4bd71ff4ed27a83a24e58e797d900a7869c72d)
2015-08-16 16:46:08 -07:00
Luke Faraone 8ea139c772 Fix bugdown fixture for dummy camo key
(imported from commit 698b261918457117a01ce51f69d49f54f35b3297)
2015-08-16 16:45:15 -07:00
Leo Franchi d865732e0d Maintain two APNS connections and send correct notifications to each
Now we have 2 different Zulip apps out there, and they are signed with
two certs: Zulip and Dropbox. The Dropbox-signed apps are going to need
to be sent APNS notifications from the appropriate APNS connection

(imported from commit 6db50c5811847db4f08e5c997c7bbb4b46cfc462)
2015-02-11 06:57:25 +00:00
Luke Faraone 910429f365 Move secrets to their own file
(imported from commit 4e46f217e8a1df9b7cc03db9dc9fc41a6c273365)
2015-02-10 17:31:26 -08:00
Zev Benjamin 2c760ae735 Remove mixpanel
(imported from commit 9b6cc58ee9be483db8bf2d2eaaaecabc14f821e4)
2015-02-06 13:59:30 -08:00
Jason Michalski 7e9c121ad3 Use the full_name if available
We were trying to default the users first name when using google auth,
but it was getting lost when rendering the form.

(imported from commit 710e0c2ce591488920458dca74209c75e7031abd)
2015-02-05 21:54:28 -05:00
Jason Michalski 439b86fe3b Migrate the google SSO from openid to oauth2
(imported from commit 6938c1cc5d245cc5642043279470365ff04df903)
2015-02-05 21:54:28 -05:00
Jason Michalski 2a5826242d Add the hipchat bot to the list of API_SUPER_USERS
This is a public mirroring bot that needs to be able to send forged
messages to a stream.

(imported from commit 3fa691b1f1d06bf68a8cbc2c31ed5e3e5efef177)
2014-10-06 15:27:55 -07:00
Zev Benjamin 2f7af69091 Add customizations for CUSTOMER16 employees' realm
CUSTOMER16 wants their employee realm to:
* only use JWT logins
* have name changes be disabled (they want users' full names to be the
  their CUSTOMER16 user name).
* not show the suggestion that users download the desktop app

(imported from commit cb5f72c993ddc26132ce50165bb68c3000276de0)
2014-04-04 16:51:32 -07:00
Zev Benjamin bd3f1c6a9e Add JSON web token (JWT) authentication
We currently expect the use of HMAC SHA-256, although there shouldn't be
anything preventing us from using other algorithms.

(imported from commit 354510a0b7e9e273d062a1ab5b2b03d4a749d6a3)
2014-04-04 16:51:32 -07:00
Zev Benjamin f999440cc6 Add bot1@customer36.invalid to the list of API super users
(imported from commit 07767022db0f894d398d0031053f93439258ea0d)
2014-03-04 23:02:27 -05:00
Zev Benjamin 631783f3cd [manual] Use dedicated Redis server for staging
Before we deploy this commit, we must migrate the data from the staging redis
server to the new, dedicated redis server.  The steps for doing so are the
following:

* Remove the zulip::redis puppet class from staging's zulip.conf
* ssh once from staging to redis-staging.zulip.net so that the host key is known
* Create a tunnel from redis0.zulip.net to staging.zulip.net
  * zulip@redis0:~$ ssh -N -L 127.0.0.1:6380:127.0.0.1:6379 -o ServerAliveInterval=30 -o ServerAliveCountMax=3 staging.zulip.net
* Set the redis instance on redis0.zulip.net to replicate the one on staging.zulip.net
  * redis 127.0.0.1:6379> slaveof 127.0.0.1 6380
* Stop the app on staging
* Stop redis-server on staging
* Promote the redis server on redis0.zulip.net to a master
  * redis 127.0.0.1:6379> slaveof no one
* Do a puppet apply at this commit on staging (this will bring up the tunnel to redis0)
* Deploy this commit to staging (start the app on staging)
* Kill the tunnel from redis0.zulip.net to staging.zulip.net
* Uninstall redis-server on staging

The steps for migrating prod will be the same modulo s/staging/prod0/.

(imported from commit 546d258883ac299d65e896710edd0974b6bd60f8)
2014-02-10 13:23:28 -05:00
Luke Faraone ffdc254e2d Restore EMAIL_GATEWAY_BOT parameter
(imported from commit bda6b39c60b4e5b642db47fd3ba1be2ac8c19650)
2014-02-06 10:43:06 -05:00
Luke Faraone 24f8492236 [manual] Enable local email mirror on all frontends.
This removed the cronjob from all app_frontend servers and enables the
local Postfix mail server on the same.

This is a no-op on staging if the parent commit has already been
applied.

To deploy this commit, run a puppet-apply on prod.

(imported from commit 6d3977fd12088abcd33418279e9fa28f9b2a2006)
2014-02-06 10:26:56 -05:00
Luke Faraone 30a6fd3bd7 [manual] Enable postfix email mirror on staging
This will cause us to recieve messages sent to streams.staging.zulip.com
via the local Postfix daemon running on staging.

This commit does not impact prod. To deploy, a puppet-apply is needed on
staging.

(imported from commit 9eaedc28359f55a65b672a2e078c57362897c0de)
2014-02-04 10:38:17 -05:00
Leo Franchi 4b7d061bbf Simplify conditional for APNS sandbox and feedback service
(imported from commit f7c15cd3eec93eda7152ea133e8008bc072d67d8)
2014-01-22 13:22:20 -05:00
Leo Franchi de1ec7ae43 Always use the apns-dist.pem cert for staging/prod
(imported from commit 9f01f971f1c3cbd500771c074e9dc7e8bc327b69)
2014-01-22 13:17:53 -05:00
Luke Faraone 3948e1673d [manual] Accept OAuth2 tokens for API login via Google Apps
This is used by the Android app to authenticate without prompting for a
password.

To do so, we implement a custom authentication backend that validates
the ID token provided by Google and then tries to see if we have a
corresponding UserProfile on file for them.

If the attestation is valid but the user is unregistered, we return that
fact by modifying a dictionary passed in as a parameter. We then return
the appropriate error message via the API.

This commit adds a dependency on the "googleapi" module. On Debian-based
systems with the Zulip APT repository:
    sudo apt-get install python-googleapi

For OS X and other platforms:
    pip install googleapi

(imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-13 13:30:55 -05:00
Luke Faraone 2627f229c4 Clarifying comment for local_settings.py
(imported from commit 64c0f4d032515dbeee4565de8581ea68edd7cd1f)
2014-01-13 13:09:12 -05:00
Tim Abbott 411b0a8777 Fix EXTERNAL_API_PATH and friends for prod and localhost.
We were incorrectly manually setting EXTERNAL_API_PATH for localhost
in local_settings.py, but the exception case we should be setting it
manually for is prod.

(imported from commit cbdf75c87ffccdeb306407a59c6594880f4461eb)
2013-12-18 16:01:19 -05:00
Kevin Mehall 662edc2558 [manual] Backend support for Android GCM push notifications
This adds a dependency on gcmclient:
http://gcm-client.readthedocs.org/en/latest/gcmclient.html

pip install gcm-client

or

apt-get install python-gcm-client

(imported from commit 9f1fbf1f793e4a27baed85c6f1aa7a7b03106a10)
2013-12-11 15:37:48 -05:00
Tim Abbott e5be713103 Clean up EXTERNAL_API_HOST usage and defaults.
We now have 2 variablse:
EXTERNAL_API_PATH: e.g. staging.zulip.com/api
EXTERNAL_API_URI: e.g. https://staging.zulip.com/api

The former is primarily needed for certain integrations.

(imported from commit 3878b99a4d835c5fcc2a2c6001bc7eeeaf4c9363)
2013-12-04 15:10:54 -05:00
acrefoot ccb7446d5c move Enterprise Email options into better places
(imported from commit f205c29b224f31474e2983c7f2bdb1ee5e2c754b)
2013-11-15 21:31:37 -05:00
Kevin Mehall fe0dcd4313 Disable camo on enterprise.
CUSTOMER13 doesn't want it, and there's currently no nginx config
or configurable Camo URI, so it wouldn't work if image preview
were enabled.

(imported from commit 615d4a32acbc4d4d590f88cf4e7d45d8f49db1d3)
2013-11-15 14:27:16 -05:00
acrefoot f7b5a10da0 [schema] Add ScheduledJob table, and update mandrill related code
ScheduledJobs with type Email displace the usual mandrill codepaths
in the Zulip Enterprise deploys

* Email-specific helper functions will appear in deliver_email.py
* 0058_auto__add_scheduledjob.py

(imported from commit 8db08d8a279600322acfdbed792dc1a676f7a0ab)
2013-11-13 16:41:36 -05:00
Jessica McKellar b69cc46be6 Add back the ability to do local email mirror testing against the Test folder.
(imported from commit 01f1f58bb365a9827f25329446f4b2c2666fb92a)
2013-11-13 16:28:29 -05:00
Tim Abbott c66556381a Set the ADMINS to be the ZULIP_ADMINISTRATOR by default.
(imported from commit 6ff4e611bb2e145e49ea6f477d79415816372a16)
2013-11-13 15:35:45 -05:00
Luke Faraone a7237938c8 Set FEEDBACK_TARGET for enterprise case.
(imported from commit 478033bf3eefb8406d93fb2f0225420812dee7b0)
2013-11-13 12:02:49 -05:00
Tim Abbott cb9931110f Automatically configure EMAIL_GATEWAY_BOT as a superuser.
(imported from commit 1e74ae458e446edec59eb1ab238cede969c4dbbc)
2013-11-13 12:02:49 -05:00
Tim Abbott e18a08c69e settings: Move hardcoded API super users into local_settings.py.
(imported from commit fea7550a771c837db0fb948238488f778bedf73a)
2013-11-13 12:02:49 -05:00
Leo Franchi 306ce65ea3 Only create initial passwords for local dev setups
(imported from commit 2ef33ebbab0fe21486acbb1a3a78ed434abac2db)
2013-11-12 22:42:05 -05:00
Tim Abbott 966fde261a puppet: Rename local_server => enterprise.
(imported from commit 5faa269df5937f6db99098e44aaea7d0a4f2c14a)
2013-11-12 15:57:02 -05:00
Tim Abbott 5293cdebe8 Rename LOCAL_SERVER to ENTERPRISE.
(imported from commit 7edf353eefe6c9e7aac74b7bbc37b923cac1b913)
2013-11-12 15:57:01 -05:00
Tim Abbott c03050f2b9 [Django 1.6] Use the legacy PickleSerializer for sessions.
This is for backwards compatible.  Later we should actually switch to
the JSON serializer, because it means having our SECRET_KEY stolen
isn't an immediate arbitrary code execution vulnerability.

(imported from commit e68ba5cfdb79c0c1f7b178279ecd0307016f5eff)
2013-11-08 08:22:04 -05:00
acrefoot 4c88a909cb If EMAIL_HOST is unset or blank, don't send email via django.core.mail
It will instead use the dummy EmailBackend

(imported from commit 6faec7f3e087901226a120b9268cf687ed165c05)
2013-11-06 17:36:41 -05:00
Luke Faraone c11b65590b SSO / REMOTE_USER support
(imported from commit 4f4fad7af5d3c6099cac95d7708338c182626d72)
2013-11-05 16:14:13 -05:00
Zev Benjamin 787215d743 [manual] Switch over to new /etc/zulip/zulip.conf config file
Run the following commands as root before deploying this branch:
 # /root/zulip/tools/migrate-server-config
 # rm /etc/zulip/machinetype /etc/zulip/server /etc/zulip/local /etc/humbug-machinetype /etc/humbug-server /etc/humbug-local

(imported from commit aa7dcc50d2f4792ce33834f14761e76512fca252)
2013-11-05 14:14:19 -05:00
Leo Franchi 6765ec0795 Use a site-specific Zulip Admin email in django error pages
(imported from commit 2d5415d7cd81befc3051b5de3835c0cd258b6375)
2013-11-04 16:35:50 -05:00
Leo Franchi 9b4491db6a Don't use hardcoded bots in nagios' check_send_receive
(imported from commit 82add135bf5b819bcc992af8420eec14cf829ccc)
2013-11-01 14:13:05 -04:00
Leo Franchi db6550e99a Make built-in bots come from settings.py, and allow localserver-specific ones
(imported from commit e21933e37487314ac986147562817a19227e8960)
2013-11-01 14:13:05 -04:00
Zev Benjamin 57bef07832 [manual] Move /etc/humbug-* files into /etc/zulip
The moved files are:
humbug-server
humbug-local
humbug-machinetype

Their new names are their old names with 'humbug-' removed.

zulip-puppet-apply must be run before this commit is deployed

(imported from commit f4eb523244d3409b5809c279301225d3fdf0c230)
2013-10-30 15:42:25 -04:00
Leo Franchi 8e05f76511 Only enable analytics and dropbox on non-LOCAL_SERVER
(imported from commit 1ba877550b3afde51bec6f344762ea998800c5b6)
2013-10-29 17:33:36 -04:00
Tim Abbott 0a44ba2a28 Move servers/configure-rabbitmq to scripts/setup/.
(imported from commit 2b4d5ccb88675447ae744fb985246211deef7486)
2013-10-28 10:54:48 -04:00
Waseem Daher 66f48288b4 Rename LOCALSERVER -> LOCAL_SERVER.
(imported from commit b3abdd10d54d2ad7a9c463af9a291d2e2127707f)
2013-10-25 17:37:06 -04:00
Luke Faraone e552307511 Send feedback to a queue to be forwarded to staging.
(imported from commit 4a9a1bfc6c95763a816263a726cc61b3ca90bf15)
2013-10-25 14:13:30 -04:00
Luke Faraone 81d7dd1fda [schema] Support for authenticating Deployments via the API.
Here we introduce a new Django app, zilencer. The intent is to not have
this app enabled on LOCALSERVER instances, and for it to grow to include
all the functionality we want to have in our central server that isn't
relevant for local deployments.

Currently we have to modify functions in zerver/* to match; in the
future, it would be cool to have the relevant shared code broken out
into a separate library.

This commit inclues both the migration to create the models as well as a
data migration that (for non-LOCALSERVER) creates a single default
Deployment for zulip.com.

To apply this migration to your system, run:
   ./manage.py migrate zilencer

(imported from commit 86d5497ac120e03fa7f298a9cc08b192d5939b43)
2013-10-25 14:13:30 -04:00
Leo Franchi 0bc5b13648 Fix Zulip username of email gateway bot
(imported from commit f24c5fd3fc5888bf7dc4d9501723777ad8447704)
2013-10-25 11:51:13 -04:00
Leo Franchi 2d276179d0 Refactor email-mirror to handle running on any machine
(imported from commit 2971449ceaacb564770e66874fc095f77e68d445)
2013-10-25 11:37:34 -04:00
Kevin Mehall 0a3a22cb3d Support authenticated upload URLs.
Trac #1734

This is implemented by bouncing uploaded file links through a view
that checks authentication and redirects to an expiring S3 URL.

This makes file uploads return a domain-relative URI. The client converts
this to an absolute URI when it's in the composebox, then back to relative
when it's submitted to the server.

We need the relative URI because the same message may be viewed across
{staging,www,zephyr}.zulip.com, which have different cookies.

(imported from commit 33acb2abaa3002325f389d5198fb20ee1b30f5fa)
2013-10-24 17:01:06 -04:00
Leo Franchi 410ee44eb6 Send users push notifications when they miss messages
(imported from commit 6c54fe44a82c5796268e56d3f5577bf4cfc8163a)
2013-10-24 14:54:31 -04:00
Zev Benjamin 5979af3a45 [manual] Add asynchronous message sender via sockjs-tornado
New dependency: sockjs-tornado

One known limitation is that we don't clean up sessions for
non-websockets transports.  This is a bug in Tornado so I'm going to
look at upgrading us to the latest version:
https://github.com/mrjoes/sockjs-tornado/issues/47

(imported from commit 31cdb7596dd5ee094ab006c31757db17dca8899b)
2013-10-22 18:45:11 -04:00
Jessica McKellar d4e2cdd09e Determine DEPLOYED only based on /etc/humbug-server.
The other zulip.net check was for a transition to using that file that
has now completed.

(imported from commit 991d9165515b5611865957255f9da7a69a75fd7b)
2013-10-16 13:18:49 -04:00
acrefoot f8662c16f7 Add Mandrill decorators, credentials, actions
You can queue email for future delivery or send immediately via mandrill now

(imported from commit e6b6d11a2d94fcdeaffab80793e7ba31955b9031)
2013-10-10 19:32:21 -04:00
Luke Faraone 1d9391e867 Initial local server configuration.
(imported from commit ac9b9896b74b78c6ca03af7f411d0788ae402cff)
2013-10-10 14:14:14 -04:00
Luke Faraone 7d03614a1b Store the feedback bot key in local_settings.py
(imported from commit 3322d8976328db61cd382acb06775c6a6df3fea0)
2013-10-10 11:31:15 -04:00
Tim Abbott 70c666c3c6 [manual] Rename humbug@humbughq.com to zulip@zulip.com.
This requires renaming the account in Google Apps at the time we
deploy this; we'll probably want to do this during off hours to avoid
any user-visible downtime.

This also updates some related email addresses.

(imported from commit fce7629b359a4f278bbf7815c8d177a8fa0484fe)
2013-10-08 08:57:29 -04:00
Tim Abbott 6d49a7c880 Move passwords for our localhost databases to local_settings.py.
(imported from commit 5f6dacdfdfd64fadc2995b393d7c59be0b049d79)
2013-10-08 08:57:28 -04:00
Tim Abbott e154877e26 Fix twitter access token secret for staging.
(imported from commit 2a567b06f4e811561f41a84bc000cf4e8694295a)
2013-10-01 13:58:55 -04:00
Tim Abbott 8a5fffa7cf Move twitter API credentials to local_settings.py.
(imported from commit 6b95db113b91816fbc5e91db4b1be90d3df8e028)
2013-09-25 15:40:21 -04:00
Tim Abbott fff4244b54 Move various settings into local_settings.py.
(imported from commit 03c4a61383f3f8cf8207050d68d5ce870e12fcca)
2013-09-25 15:40:21 -04:00