#!/usr/bin/env python3 # This tools generates /etc/zulip/zulip-secrets.conf import json import os import sys from contextlib import suppress BASE_DIR = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))) sys.path.append(BASE_DIR) from scripts.lib.setup_path import setup_path from scripts.lib.zulip_tools import get_config, get_config_file setup_path() os.environ["DISABLE_MANDATORY_SECRET_CHECK"] = "True" os.environ["DJANGO_SETTINGS_MODULE"] = "zproject.settings" import argparse import configparser import uuid from nacl.encoding import Base64Encoder from nacl.public import PrivateKey os.chdir(os.path.join(os.path.dirname(__file__), "..", "..")) # Standard, 64-bit tokens AUTOGENERATED_SETTINGS = [ "avatar_salt", "rabbitmq_password", "shared_secret", ] def random_string(cnt: int) -> str: # We do in-function imports so that we only do the expensive work # of importing cryptography modules when necessary. # # This helps optimize noop provision performance. from django.utils.crypto import get_random_string return get_random_string(cnt) def random_token() -> str: # We do in-function imports so that we only do the expensive work # of importing cryptography modules when necessary. # # This helps optimize noop provision performance. import secrets return secrets.token_hex(32) def generate_django_secretkey() -> str: """Secret key generation taken from Django's startproject.py""" # We do in-function imports so that we only do the expensive work # of importing cryptography modules when necessary. # # This helps optimize noop provision performance. from django.utils.crypto import get_random_string chars = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)" return get_random_string(50, chars) def get_old_conf(output_filename: str) -> dict[str, str]: if not os.path.exists(output_filename) or os.path.getsize(output_filename) == 0: return {} secrets_file = configparser.RawConfigParser() secrets_file.read(output_filename) return dict(secrets_file.items("secrets")) def generate_secrets(development: bool = False) -> None: if development: OUTPUT_SETTINGS_FILENAME = "zproject/dev-secrets.conf" else: OUTPUT_SETTINGS_FILENAME = "/etc/zulip/zulip-secrets.conf" current_conf = get_old_conf(OUTPUT_SETTINGS_FILENAME) lines: list[str] = [] if len(current_conf) == 0: lines = ["[secrets]\n"] def need_secret(name: str) -> bool: return name not in current_conf def add_secret(name: str, value: str) -> None: lines.append(f"{name} = {value}\n") current_conf[name] = value for name in AUTOGENERATED_SETTINGS: if need_secret(name): add_secret(name, random_token()) # These secrets are exclusive to a Zulip development environment. # We use PostgreSQL peer authentication by default in production, # and initial_password_salt is used to generate passwords for the # test/development database users. See `manage.py # print_initial_password`. if development and need_secret("initial_password_salt"): add_secret("initial_password_salt", random_token()) if development and need_secret("local_database_password"): add_secret("local_database_password", random_token()) # We only need a secret if the database username does not match # the OS username, as identd auth works in that case. if get_config( get_config_file(), "postgresql", "database_user", "zulip" ) != "zulip" and need_secret("postgres_password"): add_secret("postgres_password", random_token()) # The core Django SECRET_KEY setting, used by Django internally to # secure sessions. If this gets changed, all users will be logged out. if need_secret("secret_key"): secret_key = generate_django_secretkey() add_secret("secret_key", secret_key) # To prevent Django ImproperlyConfigured error from zproject import settings settings.SECRET_KEY = secret_key # Secret key for the Camo HTTPS proxy. if need_secret("camo_key"): add_secret("camo_key", random_string(64)) # We enable Altcha in development if development and need_secret("altcha_hmac"): add_secret("altcha_hmac", random_token()) if not development: # The memcached_password and redis_password secrets are only # required/relevant in production. # Password for authentication to memcached. if need_secret("memcached_password"): # We defer importing settings unless we need it, because # importing settings is expensive (mostly because of # django-auth-ldap) and we want the noop case to be fast. from zproject import settings if settings.MEMCACHED_LOCATION == "127.0.0.1:11211": add_secret("memcached_password", random_token()) # Password for authentication to Redis. if need_secret("redis_password"): # We defer importing settings unless we need it, because # importing settings is expensive (mostly because of # django-auth-ldap) and we want the noop case to be fast. from zproject import settings if settings.REDIS_HOST == "127.0.0.1": # To prevent Puppet from restarting Redis, which would lose # data because we configured Redis to disable persistence, set # the Redis password on the running server and edit the config # file directly. import redis from zerver.lib.redis_utils import get_redis_client redis_password = random_token() for filename in ["/etc/redis/zuli-redis.conf", "/etc/redis/zulip-redis.conf"]: if os.path.exists(filename): with open(filename, "a") as f: f.write( "# Set a Redis password based on zulip-secrets.conf\n" f"requirepass '{redis_password}'\n", ) break with suppress(redis.exceptions.ConnectionError): get_redis_client().config_set("requirepass", redis_password) add_secret("redis_password", redis_password) # Random id and secret used to identify this installation when # accessing the Zulip mobile push notifications service. # * zulip_org_key is generated using os.urandom(). # * zulip_org_id only needs to be unique, so we use a UUID. if need_secret("zulip_org_key"): add_secret("zulip_org_key", random_string(64)) if need_secret("zulip_org_id"): add_secret("zulip_org_id", str(uuid.uuid4())) if development and need_secret("push_registration_encryption_keys"): # 'settings.ZILENCER_ENABLED' would be a better check than # 'development' for whether we need push bouncer secrets, # but we're trying to avoid importing settings. private_key = PrivateKey.generate() private_key_str = Base64Encoder.encode(bytes(private_key)).decode("utf-8") public_key_str = Base64Encoder.encode(bytes(private_key.public_key)).decode("utf-8") add_secret( "push_registration_encryption_keys", json.dumps({public_key_str: private_key_str}) ) if len(lines) == 0: print("generate_secrets: No new secrets to generate.") return with open(OUTPUT_SETTINGS_FILENAME, "a") as f: # Write a newline at the start, in case there was no newline at # the end of the file due to human editing. f.write("\n" + "".join(lines)) print(f"Generated new secrets in {OUTPUT_SETTINGS_FILENAME}.") if __name__ == "__main__": parser = argparse.ArgumentParser() group = parser.add_mutually_exclusive_group(required=True) group.add_argument( "--development", action="store_true", help="For setting up the developer env for zulip" ) group.add_argument( "--production", action="store_false", dest="development", help="For setting up the production env for zulip", ) results = parser.parse_args() generate_secrets(results.development)