mirror of
https://github.com/zulip/zulip.git
synced 2025-10-31 20:13:46 +00:00
059d0e7be8
This implements get_mandatory_secret that ensures SHARED_SECRET is set when we hit zerver.decorator.authenticate_notify. To avoid getting ZulipSettingsError when setting up the secrets, we set an environment variable DISABLE_MANDATORY_SECRET_CHECK to skip the check and default its value to an empty string. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
213 lines
7.4 KiB
Python
Executable File
213 lines
7.4 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
# This tools generates /etc/zulip/zulip-secrets.conf
|
|
import os
|
|
import sys
|
|
from typing import Dict, List
|
|
|
|
BASE_DIR = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
|
|
sys.path.append(BASE_DIR)
|
|
from scripts.lib.setup_path import setup_path
|
|
from scripts.lib.zulip_tools import get_config, get_config_file
|
|
|
|
setup_path()
|
|
|
|
os.environ["DISABLE_MANDATORY_SECRET_CHECK"] = "True"
|
|
os.environ["DJANGO_SETTINGS_MODULE"] = "zproject.settings"
|
|
|
|
import argparse
|
|
import configparser
|
|
import uuid
|
|
|
|
os.chdir(os.path.join(os.path.dirname(__file__), "..", ".."))
|
|
|
|
# Standard, 64-bit tokens
|
|
AUTOGENERATED_SETTINGS = [
|
|
"avatar_salt",
|
|
"rabbitmq_password",
|
|
"shared_secret",
|
|
]
|
|
|
|
|
|
def random_string(cnt: int) -> str:
|
|
# We do in-function imports so that we only do the expensive work
|
|
# of importing cryptography modules when necessary.
|
|
#
|
|
# This helps optimize noop provision performance.
|
|
from django.utils.crypto import get_random_string
|
|
|
|
return get_random_string(cnt)
|
|
|
|
|
|
def random_token() -> str:
|
|
# We do in-function imports so that we only do the expensive work
|
|
# of importing cryptography modules when necessary.
|
|
#
|
|
# This helps optimize noop provision performance.
|
|
import secrets
|
|
|
|
return secrets.token_hex(32)
|
|
|
|
|
|
def generate_django_secretkey() -> str:
|
|
"""Secret key generation taken from Django's startproject.py"""
|
|
|
|
# We do in-function imports so that we only do the expensive work
|
|
# of importing cryptography modules when necessary.
|
|
#
|
|
# This helps optimize noop provision performance.
|
|
from django.utils.crypto import get_random_string
|
|
|
|
chars = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"
|
|
return get_random_string(50, chars)
|
|
|
|
|
|
def get_old_conf(output_filename: str) -> Dict[str, str]:
|
|
if not os.path.exists(output_filename) or os.path.getsize(output_filename) == 0:
|
|
return {}
|
|
|
|
secrets_file = configparser.RawConfigParser()
|
|
secrets_file.read(output_filename)
|
|
|
|
return dict(secrets_file.items("secrets"))
|
|
|
|
|
|
def generate_secrets(development: bool = False) -> None:
|
|
if development:
|
|
OUTPUT_SETTINGS_FILENAME = "zproject/dev-secrets.conf"
|
|
else:
|
|
OUTPUT_SETTINGS_FILENAME = "/etc/zulip/zulip-secrets.conf"
|
|
current_conf = get_old_conf(OUTPUT_SETTINGS_FILENAME)
|
|
|
|
lines: List[str] = []
|
|
if len(current_conf) == 0:
|
|
lines = ["[secrets]\n"]
|
|
|
|
def need_secret(name: str) -> bool:
|
|
return name not in current_conf
|
|
|
|
def add_secret(name: str, value: str) -> None:
|
|
lines.append(f"{name} = {value}\n")
|
|
current_conf[name] = value
|
|
|
|
for name in AUTOGENERATED_SETTINGS:
|
|
if need_secret(name):
|
|
add_secret(name, random_token())
|
|
|
|
# These secrets are exclusive to a Zulip development environment.
|
|
# We use PostgreSQL peer authentication by default in production,
|
|
# and initial_password_salt is used to generate passwords for the
|
|
# test/development database users. See `manage.py
|
|
# print_initial_password`.
|
|
if development and need_secret("initial_password_salt"):
|
|
add_secret("initial_password_salt", random_token())
|
|
if development and need_secret("local_database_password"):
|
|
add_secret("local_database_password", random_token())
|
|
|
|
# We only need a secret if the database username does not match
|
|
# the OS username, as identd auth works in that case.
|
|
if get_config(
|
|
get_config_file(), "postgresql", "database_user", "zulip"
|
|
) != "zulip" and need_secret("postgres_password"):
|
|
add_secret("postgres_password", random_token())
|
|
|
|
# The core Django SECRET_KEY setting, used by Django internally to
|
|
# secure sessions. If this gets changed, all users will be logged out.
|
|
if need_secret("secret_key"):
|
|
secret_key = generate_django_secretkey()
|
|
add_secret("secret_key", secret_key)
|
|
# To prevent Django ImproperlyConfigured error
|
|
from zproject import settings
|
|
|
|
settings.SECRET_KEY = secret_key
|
|
|
|
# Secret key for the Camo HTTPS proxy.
|
|
if need_secret("camo_key"):
|
|
add_secret("camo_key", random_string(64))
|
|
|
|
if not development:
|
|
# The memcached_password and redis_password secrets are only
|
|
# required/relevant in production.
|
|
|
|
# Password for authentication to memcached.
|
|
if need_secret("memcached_password"):
|
|
# We defer importing settings unless we need it, because
|
|
# importing settings is expensive (mostly because of
|
|
# django-auth-ldap) and we want the noop case to be fast.
|
|
from zproject import settings
|
|
|
|
if settings.MEMCACHED_LOCATION == "127.0.0.1:11211":
|
|
add_secret("memcached_password", random_token())
|
|
|
|
# Password for authentication to Redis.
|
|
if need_secret("redis_password"):
|
|
# We defer importing settings unless we need it, because
|
|
# importing settings is expensive (mostly because of
|
|
# django-auth-ldap) and we want the noop case to be fast.
|
|
from zproject import settings
|
|
|
|
if settings.REDIS_HOST == "127.0.0.1":
|
|
# To prevent Puppet from restarting Redis, which would lose
|
|
# data because we configured Redis to disable persistence, set
|
|
# the Redis password on the running server and edit the config
|
|
# file directly.
|
|
|
|
import redis
|
|
|
|
from zerver.lib.redis_utils import get_redis_client
|
|
|
|
redis_password = random_token()
|
|
|
|
for filename in ["/etc/redis/zuli-redis.conf", "/etc/redis/zulip-redis.conf"]:
|
|
if os.path.exists(filename):
|
|
with open(filename, "a") as f:
|
|
f.write(
|
|
"# Set a Redis password based on zulip-secrets.conf\n"
|
|
f"requirepass '{redis_password}'\n",
|
|
)
|
|
break
|
|
|
|
try:
|
|
get_redis_client().config_set("requirepass", redis_password)
|
|
except redis.exceptions.ConnectionError:
|
|
pass
|
|
|
|
add_secret("redis_password", redis_password)
|
|
|
|
# Random id and secret used to identify this installation when
|
|
# accessing the Zulip mobile push notifications service.
|
|
# * zulip_org_key is generated using os.urandom().
|
|
# * zulip_org_id only needs to be unique, so we use a UUID.
|
|
if need_secret("zulip_org_key"):
|
|
add_secret("zulip_org_key", random_string(64))
|
|
if need_secret("zulip_org_id"):
|
|
add_secret("zulip_org_id", str(uuid.uuid4()))
|
|
|
|
if len(lines) == 0:
|
|
print("generate_secrets: No new secrets to generate.")
|
|
return
|
|
|
|
with open(OUTPUT_SETTINGS_FILENAME, "a") as f:
|
|
# Write a newline at the start, in case there was no newline at
|
|
# the end of the file due to human editing.
|
|
f.write("\n" + "".join(lines))
|
|
|
|
print(f"Generated new secrets in {OUTPUT_SETTINGS_FILENAME}.")
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
parser = argparse.ArgumentParser()
|
|
group = parser.add_mutually_exclusive_group(required=True)
|
|
group.add_argument(
|
|
"--development", action="store_true", help="For setting up the developer env for zulip"
|
|
)
|
|
group.add_argument(
|
|
"--production",
|
|
action="store_false",
|
|
dest="development",
|
|
help="For setting up the production env for zulip",
|
|
)
|
|
results = parser.parse_args()
|
|
|
|
generate_secrets(results.development)
|