paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-09 00:18:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

generate_secrets: Enable Redis authentication in production.

Browse Source 
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
This commit is contained in:
Anders Kaseorg
2020-01-03 19:50:52 -08:00
committed by Tim Abbott
parent 3360df7ad1
commit a82032a182
1 changed files with 35 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
scripts/setup/generate_secrets.py
View File

@@ -76,7 +76,10 @@ def generate_secrets(development=False):
add_secret("local_database_password", generate_random_token(64)) add_secret("local_database_password", generate_random_token(64))
if need_secret('secret_key'): if need_secret('secret_key'):
add_secret('secret_key', generate_django_secretkey()) secret_key = generate_django_secretkey()
add_secret('secret_key', secret_key)
# To prevent Django ImproperlyConfigured error
settings.SECRET_KEY = secret_key
if need_secret('camo_key'): if need_secret('camo_key'):
add_secret('camo_key', get_random_string(64)) add_secret('camo_key', get_random_string(64))
@@ -88,6 +91,37 @@ def generate_secrets(development=False):
): ):
add_secret("memcached_password", generate_random_token(64)) add_secret("memcached_password", generate_random_token(64))
if (
not development
and settings.REDIS_HOST == "127.0.0.1"
and need_secret("redis_password")
):
# To prevent Puppet from restarting Redis, which would lose
# data because we configured Redis to disable persistence, set
# the Redis password on the running server and edit the config
# file directly.
import redis
from zerver.lib.redis_utils import get_redis_client
redis_password = generate_random_token(64)
for filename in ["/etc/redis/zuli-redis.conf", "/etc/redis/zulip-redis.conf"]:
if os.path.exists(filename):
with open(filename, "a") as f:
f.write(
"# Set a Redis password based on zulip-secrets.conf\n"
"requirepass '%s'\n" % (redis_password,)
)
break
try:
get_redis_client().config_set("requirepass", redis_password)
except redis.exceptions.ConnectionError:
pass
add_secret("redis_password", redis_password)
# zulip_org_key is generated using os.urandom(). # zulip_org_key is generated using os.urandom().
# zulip_org_id does not require a secure CPRNG, # zulip_org_id does not require a secure CPRNG,
# it only needs to be unique. # it only needs to be unique.