Merge pull request #726 from voxpupuli/warn_about_secret_key

Start warning about upcoming SECRET_KEY default removal

README.md

@@ -175,9 +175,8 @@ Other settings that might be interesting, in no particular order:
     Defaults to `friendly`.
 - `CODE_PREFIX_TO_REMOVE`: what code path that should be shortened in "Friendly errors" to "…" for readability.
     A regexp. Defaults to `/etc/puppetlabs/code/environments(/.*?/modules)?`.
-- `SECRET_KEY`: Refer to [Flask documentation](https://flask.palletsprojects.com/en/1.1.x/quickstart/#sessions),
-    section "How to generate good secret keys" for more info. Defaults to a random 24-char string generated by
-    `os.random(24)`.
+- `SECRET_KEY`: Refer to [Flask documentation](https://flask.palletsprojects.com/en/2.0.x/quickstart/#sessions),
+    section "How to generate good secret keys" for more info. Defaults to a random 64-char string generated by `secrets.token_hex(32)`, prepended with a `default-` string. **Warning** Leaving SECRET_KEY set to a default value WILL cause issues when the app is restarted or has more than 1 replica (f.e. uWSGI workers, k8s replicas etc.) and some features (in particular: queries) are used. Please set SECRET_KEY to your own value, the same for all app replicas. This will be REQUIRED starting with Puppetboard 5.x which will NOT contain the default value anymore. Please see [#721](https://github.com/voxpupuli/puppetboard/issues/721) for more info.
 - `PUPPETDB_TIMEOUT`: Defaults to 20 seconds, but you might need to increase this value. It depends on how big the
     results are when querying PuppetDB. This behaviour will change in a future release when pagination will be introduced.
 - `UNRESPONSIVE_HOURS`: The amount of hours since the last check-in after which a node is considered unresponsive.

puppetboard/app.py

@@ -35,13 +35,14 @@
 
 from puppetboard.core import get_app, get_puppetdb
 from puppetboard.version import __version__
-from puppetboard.utils import check_db_version
+from puppetboard.utils import check_db_version, check_secret_key
 
 app = get_app()
 puppetdb = get_puppetdb()
 running_as = os.path.basename(sys.argv[0])
 if running_as not in ['pytest', 'py.test']:
     check_db_version(puppetdb)
+check_secret_key(app.config.get('SECRET_KEY'))
 
 logging.basicConfig(level=app.config['LOGLEVEL'].upper())
 log = logging.getLogger(__name__)

puppetboard/default_settings.py

@@ -1,4 +1,4 @@
-import os
+import secrets
 
 PUPPETDB_HOST = 'localhost'
 PUPPETDB_PORT = 8080
@@ -8,7 +8,7 @@
 PUPPETDB_CERT = None
 PUPPETDB_TIMEOUT = 20
 DEFAULT_ENVIRONMENT = 'production'
-SECRET_KEY = os.urandom(24)
+SECRET_KEY = f"default-{secrets.token_hex(32)}"
 UNRESPONSIVE_HOURS = 2
 ENABLE_QUERY = True
 # Uncomment to restrict the enabled PuppetDB endpoints in the query page.

puppetboard/docker_settings.py

@@ -1,5 +1,6 @@
 import json
 import os
+import secrets
 import tempfile
 import base64
 import binascii
@@ -59,7 +60,7 @@ def coerce_bool(v, default):
 PUPPETDB_PROTO = os.getenv('PUPPETDB_PROTO', None)
 PUPPETDB_TIMEOUT = int(os.getenv('PUPPETDB_TIMEOUT', '20'))
 DEFAULT_ENVIRONMENT = os.getenv('DEFAULT_ENVIRONMENT', 'production')
-SECRET_KEY = os.getenv('SECRET_KEY', os.urandom(24))
+SECRET_KEY = os.getenv('SECRET_KEY', f"default-{secrets.token_hex(32)}")
 UNRESPONSIVE_HOURS = int(os.getenv('UNRESPONSIVE_HOURS', '2'))
 ENABLE_QUERY = coerce_bool(os.getenv('ENABLE_QUERY'), True)
 # Uncomment to restrict the enabled PuppetDB endpoints in the query page.

puppetboard/utils.py

@@ -48,6 +48,27 @@ def check_db_version(puppetdb):
         sys.exit(2)
 
 
+def check_secret_key(secret_key_value):
+    """
+    Check if the secret key value is set to a default value, that will stop
+    being accepted in v5.x of the app.
+    """
+    if secret_key_value.startswith("default-"):
+        log.warning(
+            "Leaving SECRET_KEY set to a default value WILL cause issues"
+            " when the app is restarted or has more than 1 replica"
+            " (f.e. uWSGI workers, k8s replicas etc.) and some features"
+            " (in particular: queries) are used.\n"
+            "Please set SECRET_KEY to your own value, the same for all app"
+            " replicas.\n"
+            "This will be REQUIRED starting with Puppetboard 5.x which"
+            " will NOT contain the default value anymore.\n"
+            "Please see"
+            " https://github.com/voxpupuli/puppetboard/issues/721"
+            " for more info."
+            )
+
+
 def parse_python(value: str):
     """
     :param value: any string, number, bool, list or a dict