Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stop using default SECRET_KEY and prepare 5.0.0 release #909

Merged
merged 3 commits into from
Jul 27, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,19 @@ Changelog

This is the changelog for Puppetboard.

5.0.0
-----

* Stop setting `SECRET_KEY` value to a random string by default. This has caused issues in deployments with more than one app replica or when the app was restarted. Please set this to your own long, random string, **the same for each application replica**. Implements [#721](https://github.com/voxpupuli/puppetboard/issues/721).
* Drop support for Python 3.7 (end-of-life in June 2023). PR [#899](https://github.com/voxpupuli/puppetboard/pull/899)
* Fix broken links in Classes view. PR [#868](https://github.com/voxpupuli/puppetboard/pull/868), fixes [#816](https://github.com/voxpupuli/puppetboard/issues/816).
* Fix if fact is `None` (default for full node view). PR [#908](https://github.com/voxpupuli/puppetboard/pull/908), fixes [#907](https://github.com/voxpupuli/puppetboard/issues/907).
* Dependencies update.

Thanks to the following contributors of this release:
* [Louis Charreau](https://github.com/lcharreau)
* [Yehuda Katz](https://github.com/yakatz)

4.3.0
-----

Expand Down
5 changes: 3 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -167,6 +167,9 @@ to explicitly specify the protocol to be used setting the `PUPPETDB_PROTO` varia

Other settings that might be interesting, in no particular order:

- `SECRET_KEY`: set this to a long string, **the same for each application replica** and keep it secret. Refer to
[Flask documentation](https://flask.palletsprojects.com/en/2.1.x/quickstart/#sessions), section
"How to generate good secret keys" for more info.
- `FAVORITE_ENVS`: an ordered list of Puppet environment names that will be shown immediately after "All Environments"
and before other environments (which are sorted by name) in the dropdown for choosing the environment shown
in the top-right of the UI. Environments listed here that do not really exist in your deployment are silently ignored.
Expand All @@ -175,8 +178,6 @@ Other settings that might be interesting, in no particular order:
Defaults to `friendly`.
- `CODE_PREFIX_TO_REMOVE`: what code path that should be shortened in "Friendly errors" to "…" for readability.
A regexp. Defaults to `/etc/puppetlabs/code/environments(/.*?/modules)?`.
- `SECRET_KEY`: Refer to [Flask documentation](https://flask.palletsprojects.com/en/2.0.x/quickstart/#sessions),
section "How to generate good secret keys" for more info. Defaults to a random 64-char string generated by `secrets.token_hex(32)`, prepended with a `default-` string. **Warning** Leaving SECRET_KEY set to a default value WILL cause issues when the app is restarted or has more than 1 replica (f.e. uWSGI workers, k8s replicas etc.) and some features (in particular: queries) are used. Please set SECRET_KEY to your own value, the same for all app replicas. This will be REQUIRED starting with Puppetboard 5.x which will NOT contain the default value anymore. Please see [#721](https://github.com/voxpupuli/puppetboard/issues/721) for more info.
- `PUPPETDB_TIMEOUT`: Defaults to 20 seconds, but you might need to increase this value. It depends on how big the
results are when querying PuppetDB. This behaviour will change in a future release when pagination will be introduced.
- `UNRESPONSIVE_HOURS`: The amount of hours since the last check-in after which a node is considered unresponsive.
Expand Down
2 changes: 1 addition & 1 deletion puppetboard/app.py
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@
running_as = os.path.basename(sys.argv[0])
if not is_a_test():
check_db_version(puppetdb)
check_secret_key(app.config.get('SECRET_KEY'))
check_secret_key(app.config.get('SECRET_KEY'))

logging.basicConfig(level=app.config['LOGLEVEL'].upper())
log = logging.getLogger(__name__)
Expand Down
4 changes: 2 additions & 2 deletions puppetboard/core.py
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
import logging
import re
import socket
from importlib.metadata import version

import pkg_resources
from flask import Flask
from flask_caching import Cache
from flask_apscheduler import APScheduler
Expand Down Expand Up @@ -70,7 +70,7 @@ def get_puppetdb():
timeout=app.config['PUPPETDB_TIMEOUT'],
protocol=app.config['PUPPETDB_PROTO'], )

requests_version = pkg_resources.get_distribution("requests").version
requests_version = version("requests")
user_agent_header = {
"user-agent": f"puppetboard/{own_version} (r/{requests_version})",
}
Expand Down
5 changes: 3 additions & 2 deletions puppetboard/default_settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,8 @@
PUPPETDB_CERT = None
PUPPETDB_TIMEOUT = 20
DEFAULT_ENVIRONMENT = 'production'
SECRET_KEY = f"default-{secrets.token_hex(32)}"
# this empty string has to be changed, we validate it with check_secret_key()
SECRET_KEY = '' # nosec
UNRESPONSIVE_HOURS = 2
ENABLE_QUERY = True
# Uncomment to restrict the enabled PuppetDB endpoints in the query page.
Expand Down Expand Up @@ -78,7 +79,7 @@
('noop', 'Noop'),
]
# Type of caching object to use when `SCHEDULER_ENABLED` is set to `True`.
# If more than one worker, use a shared backend (e.g. `MemcachedCache`)
# If more than one worker, use a shared backend (e.g. `MemcachedCache`)
# to allow the sharing of the cache between the processes.
CACHE_TYPE = 'SimpleCache'
# Cache litefime in second
Expand Down
5 changes: 3 additions & 2 deletions puppetboard/docker_settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,8 @@ def coerce_bool(v, default):
PUPPETDB_PROTO = os.getenv('PUPPETDB_PROTO', None)
PUPPETDB_TIMEOUT = int(os.getenv('PUPPETDB_TIMEOUT', '20'))
DEFAULT_ENVIRONMENT = os.getenv('DEFAULT_ENVIRONMENT', 'production')
SECRET_KEY = os.getenv('SECRET_KEY', f"default-{secrets.token_hex(32)}")
# this empty string has to be changed, we validate it with check_secret_key()
SECRET_KEY = os.getenv('SECRET_KEY', '') # nosec
UNRESPONSIVE_HOURS = int(os.getenv('UNRESPONSIVE_HOURS', '2'))
ENABLE_QUERY = coerce_bool(os.getenv('ENABLE_QUERY'), True)
# Uncomment to restrict the enabled PuppetDB endpoints in the query page.
Expand Down Expand Up @@ -177,7 +178,7 @@ def coerce_bool(v, default):
CLASS_EVENTS_STATUS_COLUMNS = [(CLASS_EVENTS_STATUS_COLUMNS_STR[i].strip(),
CLASS_EVENTS_STATUS_COLUMNS_STR[i + 1].strip()) for i in range(0, len(CLASS_EVENTS_STATUS_COLUMNS_STR), 2)]

# Enabled a scheduler instance to trigger jobs in background.
# Enabled a scheduler instance to trigger jobs in background.
SCHEDULER_ENABLED = coerce_bool(os.getenv('SCHEDULER_ENABLED'), False)

# Tuples are hard to express as an environment variable, so here
Expand Down
24 changes: 5 additions & 19 deletions puppetboard/utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -49,25 +49,11 @@ def check_db_version(puppetdb):


def check_secret_key(secret_key_value):
"""
Check if the secret key value is set to a default value, that will stop
being accepted in v5.x of the app.
"""

if type(secret_key_value) is str and secret_key_value.startswith("default-"):
log.warning(
"Leaving SECRET_KEY set to a default value WILL cause issues"
" when the app is restarted or has more than 1 replica"
" (f.e. uWSGI workers, k8s replicas etc.) and some features"
" (in particular: queries) are used.\n"
"Please set SECRET_KEY to your own value, the same for all app"
" replicas.\n"
"This will be REQUIRED starting with Puppetboard 5.x which"
" will NOT contain the default value anymore.\n"
"Please see"
" https://github.com/voxpupuli/puppetboard/issues/721"
" for more info."
)
if not secret_key_value:
log.critical('Please set SECRET_KEY to a long, random string,'
' **the same for each application replica**,'
' and do not share it.')
sys.exit(1)


def parse_python(value: str):
Expand Down
2 changes: 1 addition & 1 deletion puppetboard/version.py
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,4 @@
# Puppetboard version module
#

__version__ = '4.3.0'
__version__ = '5.0.0'
8 changes: 6 additions & 2 deletions test/test_form.py
Original file line number Diff line number Diff line change
@@ -1,9 +1,13 @@
from puppetboard import app, forms
from puppetboard import forms
from puppetboard.core import get_app

app = get_app()
app.config['SECRET_KEY'] = 'the random string'


def test_form_valid(capsys):
for form in [forms.QueryForm]:
with app.app.test_request_context():
with app.test_request_context():
qf = form()
out, err = capsys.readouterr()
assert qf is not None
Expand Down