Start warning about upcoming SECRET_KEY default removal

Related to #721
voxpupuli · Dec 5, 2022 · 1cae1f0 · 1cae1f0
1 parent 9c41b29
commit 1cae1f0
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -175,9 +175,8 @@ Other settings that might be interesting, in no particular order:
     Defaults to `friendly`.
 - `CODE_PREFIX_TO_REMOVE`: what code path that should be shortened in "Friendly errors" to "…" for readability.
     A regexp. Defaults to `/etc/puppetlabs/code/environments(/.*?/modules)?`.
-- `SECRET_KEY`: Refer to [Flask documentation](https://flask.palletsprojects.com/en/1.1.x/quickstart/#sessions),
-    section "How to generate good secret keys" for more info. Defaults to a random 24-char string generated by
-    `os.random(24)`.
+- `SECRET_KEY`: Refer to [Flask documentation](https://flask.palletsprojects.com/en/2.0.x/quickstart/#sessions),
+    section "How to generate good secret keys" for more info. Defaults to a random 24-char string generated by `os.random(24)`. **Note**: the default will stop working in Puppetboard 5.x. Please start setting this key to your own value and make sure to set the same for all instances of your app. See issue [#721](https://github.com/voxpupuli/puppetboard/issues/721) for more info.
 - `PUPPETDB_TIMEOUT`: Defaults to 20 seconds, but you might need to increase this value. It depends on how big the
     results are when querying PuppetDB. This behaviour will change in a future release when pagination will be introduced.
 - `UNRESPONSIVE_HOURS`: The amount of hours since the last check-in after which a node is considered unresponsive.

diff --git a/puppetboard/default_settings.py b/puppetboard/default_settings.py
@@ -8,7 +8,13 @@
 PUPPETDB_CERT = None
 PUPPETDB_TIMEOUT = 20
 DEFAULT_ENVIRONMENT = 'production'
-SECRET_KEY = os.urandom(24)
+
+SECRET_KEY = f"random-{os.urandom(17)}"
+if SECRET_KEY.startswith("random-"):
+    print("WARNING: Starting with Puppetboard 5.x you will have to set "
+          "SECRET_KEY env variable. Please see "
+          "https://github.com/voxpupuli/puppetboard/issues/721 for more info.")
+
 UNRESPONSIVE_HOURS = 2
 ENABLE_QUERY = True
 # Uncomment to restrict the enabled PuppetDB endpoints in the query page.

diff --git a/puppetboard/docker_settings.py b/puppetboard/docker_settings.py
@@ -59,7 +59,16 @@ def coerce_bool(v, default):
 PUPPETDB_PROTO = os.getenv('PUPPETDB_PROTO', None)
 PUPPETDB_TIMEOUT = int(os.getenv('PUPPETDB_TIMEOUT', '20'))
 DEFAULT_ENVIRONMENT = os.getenv('DEFAULT_ENVIRONMENT', 'production')
-SECRET_KEY = os.getenv('SECRET_KEY', os.urandom(24))
+
+secret_key_in_env = os.getenv('SECRET_KEY')
+if secret_key_in_env:
+    SECRET_KEY = secret_key_in_env
+else:
+    print("WARNING: Starting with Puppetboard 5.x you will have to set "
+          "SECRET_KEY env variable. Please see "
+          "https://github.com/voxpupuli/puppetboard/issues/721 for more info.")
+    os.getenv('SECRET_KEY', os.urandom(24))
+
 UNRESPONSIVE_HOURS = int(os.getenv('UNRESPONSIVE_HOURS', '2'))
 ENABLE_QUERY = coerce_bool(os.getenv('ENABLE_QUERY'), True)
 # Uncomment to restrict the enabled PuppetDB endpoints in the query page.