paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-11 01:16:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

Move several secrets to using the get_secret function in settings.py.

Browse Source 
(imported from commit 08fb828265c4a9e35294a51c0901bd5ad3990344)
This commit is contained in:
Tim Abbott
2015-08-18 16:26:51 -07:00
parent 8c88746912
commit 2de3e2ebdd
4 changed files with 32 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
zproject/dev-secrets.conf
View File

@@ -1,7 +1,7 @@
[secrets] [secrets]
secret_key = dummy secret_key = dummy
shared_secret = dummy shared_secret = dummy
rabbitmq_password = s13kr3t rabbitmq_password = xxxxxxxxxxxxxxxx
deployment_role_key = dummy deployment_role_key = dummy
mandrill_api_key = dummy mandrill_api_key = dummy
mailchimp_api_key = dummy-us4 mailchimp_api_key = dummy-us4
@@ -11,3 +11,4 @@ s3_key = dummy
s3_secret_key= dummy s3_secret_key= dummy
google_oauth2_client_secret = dummy google_oauth2_client_secret = dummy
dev_google_oauth2_client_secret = dummy dev_google_oauth2_client_secret = dummy
avatar_salt = dummy

17
zproject/local_settings.py
View File

@@ -23,25 +23,10 @@ else:
getsecret = lambda x: secrets_file.get('secrets', x) getsecret = lambda x: secrets_file.get('secrets', x)
# Make this unique, and don't share it with anybody.
SECRET_KEY = getsecret("secret_key") if DEPLOYED else "foobar"
# Use this salt to hash a user's email into a filename for their user-uploaded
# avatar. If this salt is discovered, attackers will only be able to determine
# that the owner of an email account has uploaded an avatar to Zulip, which isn't
# the end of the world. Don't use the salt where there is more security exposure.
AVATAR_SALT = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
# Used just for generating initial passwords (only used in testing environments). # Used just for generating initial passwords (only used in testing environments).
if not DEPLOYED: if not DEPLOYED:
INITIAL_PASSWORD_SALT = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' INITIAL_PASSWORD_SALT = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
# A shared secret, used to authenticate different parts of the app to each other.
# FIXME: store this password more securely
SHARED_SECRET = getsecret("shared_secret") if DEPLOYED else "dummy"
RABBITMQ_PASSWORD = getsecret("rabbitmq_password") if DEPLOYED else 'xxxxxxxxxxxxxxxx'
MAILCHIMP_API_KEY = getsecret("mailchimp_api_key") MAILCHIMP_API_KEY = getsecret("mailchimp_api_key")
ZULIP_FRIENDS_LIST_ID = '84b2f3da6b' ZULIP_FRIENDS_LIST_ID = '84b2f3da6b'
@@ -52,8 +37,6 @@ DEPLOYMENT_ROLE_KEY = getsecret("deployment_role_key")
# This comes from our mandrill accounts page # This comes from our mandrill accounts page
MANDRILL_API_KEY = getsecret("mandrill_api_key") MANDRILL_API_KEY = getsecret("mandrill_api_key")
# This should be synced with our camo installation
CAMO_KEY = getsecret("camo_key") if DEPLOYED else "dummy"
# XXX: replace me # XXX: replace me
CAMO_URI = 'https://external-content.zulipcdn.net/' CAMO_URI = 'https://external-content.zulipcdn.net/'

11
zproject/local_settings_template.py
View File

@@ -189,14 +189,3 @@ AUTH_LDAP_USER_ATTR_MAP = {
# Populate the Django user's name from the LDAP directory. # Populate the Django user's name from the LDAP directory.
"full_name": "cn", "full_name": "cn",
} }
# The following secrets are randomly generated during the install
# process, are used for security purposes, and should not be shared
# with anyone.
#
# PLEASE DO NOT CHANGE THEM WITHOUT INSTRUCTIONS FROM ZULIP SUPPORT
CAMO_KEY = ''
SECRET_KEY = ''
RABBITMQ_PASSWORD = ''
AVATAR_SALT = ''
SHARED_SECRET = ''

26
zproject/settings.py
View File

@@ -27,6 +27,27 @@ ENTERPRISE = DEPLOYED and config_file.get('machine', 'deploy_type') == 'enterpri
# Import local_settings after determining the deployment/machine type # Import local_settings after determining the deployment/machine type
from local_settings import * from local_settings import *
secrets_file = ConfigParser.RawConfigParser()
if DEPLOYED:
secrets_file.read("/etc/zulip/zulip-secrets.conf")
else:
secrets_file.read("zproject/dev-secrets.conf")
get_secret = lambda x: secrets_file.get('secrets', x)
# Make this unique, and don't share it with anybody.
SECRET_KEY = get_secret("secret_key")
# A shared secret, used to authenticate different parts of the app to each other.
# FIXME: store this password more securely
SHARED_SECRET = get_secret("shared_secret")
# We use this salt to hash a user's email into a filename for their user-uploaded
# avatar. If this salt is discovered, attackers will only be able to determine
# that the owner of an email account has uploaded an avatar to Zulip, which isn't
# the end of the world. Don't use the salt where there is more security exposure.
AVATAR_SALT = get_secret("avatar_salt")
SERVER_GENERATION = int(time.time()) SERVER_GENERATION = int(time.time())
if not 'DEBUG' in globals(): if not 'DEBUG' in globals():
@@ -609,6 +630,11 @@ PIPELINE_YUI_BINARY = '/usr/bin/env yui-compressor'
USING_RABBITMQ = True USING_RABBITMQ = True
RABBITMQ_USERNAME = 'zulip' RABBITMQ_USERNAME = 'zulip'
RABBITMQ_PASSWORD = get_secret("rabbitmq_password")
if CAMO_URI is not None:
# This needs to be synced with the Camo installation
CAMO_KEY = get_secret("camo_key")
SESSION_ENGINE = "django.contrib.sessions.backends.cached_db" SESSION_ENGINE = "django.contrib.sessions.backends.cached_db"