generate_secrets: Enable Redis authentication in production.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2025-11-06 06:53:25 +00:00 · 2020-01-03 19:50:52 -08:00
parent 3360df7ad1
commit a82032a182
1 changed files with 35 additions and 1 deletions
--- a/scripts/setup/generate_secrets.py
+++ b/scripts/setup/generate_secrets.py
@@ -76,7 +76,10 @@ def generate_secrets(development=False):
        add_secret("local_database_password", generate_random_token(64))

    if need_secret('secret_key'):
-        add_secret('secret_key', generate_django_secretkey())
+        secret_key = generate_django_secretkey()
+        add_secret('secret_key', secret_key)
+        # To prevent Django ImproperlyConfigured error
+        settings.SECRET_KEY = secret_key

    if need_secret('camo_key'):
        add_secret('camo_key', get_random_string(64))
@@ -88,6 +91,37 @@ def generate_secrets(development=False):
    ):
        add_secret("memcached_password", generate_random_token(64))

+    if (
+        not development
+        and settings.REDIS_HOST == "127.0.0.1"
+        and need_secret("redis_password")
+    ):
+        # To prevent Puppet from restarting Redis, which would lose
+        # data because we configured Redis to disable persistence, set
+        # the Redis password on the running server and edit the config
+        # file directly.
+
+        import redis
+        from zerver.lib.redis_utils import get_redis_client
+
+        redis_password = generate_random_token(64)
+
+        for filename in ["/etc/redis/zuli-redis.conf", "/etc/redis/zulip-redis.conf"]:
+            if os.path.exists(filename):
+                with open(filename, "a") as f:
+                    f.write(
+                        "# Set a Redis password based on zulip-secrets.conf\n"
+                        "requirepass '%s'\n" % (redis_password,)
+                    )
+                break
+
+        try:
+            get_redis_client().config_set("requirepass", redis_password)
+        except redis.exceptions.ConnectionError:
+            pass
+
+        add_secret("redis_password", redis_password)
+
    # zulip_org_key is generated using os.urandom().
    # zulip_org_id does not require a secure CPRNG,
    # it only needs to be unique.