settings: Add push_registration_encryption_keys map.

The `push_registration_encryption_keys` map stores the
assymetric key pair generated on bouncer.

The public key will be used by the client to encrypt
registration data and the bouncer will use the corresponding
private key to decrypt.

- Updated the `generate_secrets.py` script to generate the map
during installation in dev environment.
- Added a management command to add / remove key i.e. use it
for key rotation while retaining the older key-pair for a period
of time.

scripts/setup/generate_secrets.py

@@ -1,5 +1,6 @@
 #!/usr/bin/env python3
 # This tools generates /etc/zulip/zulip-secrets.conf
+import json
 import os
 import sys
 from contextlib import suppress
@@ -18,6 +19,9 @@ import argparse
 import configparser
 import uuid
 
+from nacl.encoding import Base64Encoder
+from nacl.public import PrivateKey
+
 os.chdir(os.path.join(os.path.dirname(__file__), "..", ".."))
 
 # Standard, 64-bit tokens
@@ -180,6 +184,17 @@ def generate_secrets(development: bool = False) -> None:
     if need_secret("zulip_org_id"):
         add_secret("zulip_org_id", str(uuid.uuid4()))
 
+    if development and need_secret("push_registration_encryption_keys"):
+        # 'settings.ZILENCER_ENABLED' would be a better check than
+        # 'development' for whether we need push bouncer secrets,
+        # but we're trying to avoid importing settings.
+        private_key = PrivateKey.generate()
+        private_key_str = Base64Encoder.encode(bytes(private_key)).decode("utf-8")
+        public_key_str = Base64Encoder.encode(bytes(private_key.public_key)).decode("utf-8")
+        add_secret(
+            "push_registration_encryption_keys", json.dumps({public_key_str: private_key_str})
+        )
+
     if len(lines) == 0:
         print("generate_secrets: No new secrets to generate.")
         return