Fix handling of secret key: We now generate it on app startup if it doesn't exist in the config (which it doesn't anymore in the base config.py).

app.py

@@ -19,7 +19,7 @@ from util.exceptionlog import Sentry
 from util.queuemetrics import QueueMetrics
 from util.names import urn_generator
 from util.oauth import GoogleOAuthConfig, GithubOAuthConfig
-from util.configutil import import_yaml
+from util.configutil import import_yaml, generate_secret_key
 from data.billing import Billing
 from data.buildlogs import BuildLogs
 from data.archivedlogs import LogArchive
@@ -139,5 +139,10 @@ database.configure(app.config)
 model.config.app_config = app.config
 model.config.store = storage
 
+# Generate a secret key if none was specified.
+if app.config['SECRET_KEY'] is None:
+  logger.debug('Generating in-memory secret key')
+  app.config['SECRET_KEY'] = generate_secret_key()
+
 def get_app_url():
   return '%s://%s' % (app.config['PREFERRED_URL_SCHEME'], app.config['SERVER_HOSTNAME'])

conf/gunicorn_local.py

@@ -5,3 +5,4 @@ timeout = 2000
 daemon = False
 logconfig = 'conf/logging.conf'
 pythonpath = '.'
+preload_app = True

config.py

@@ -36,7 +36,6 @@ def getFrontendVisibleConfig(config_dict):
 
 class DefaultConfig(object):
   # Flask config
-  SECRET_KEY = 'a36c9d7d-25a9-4d3f-a586-3d2f8dc40a83'
   JSONIFY_PRETTYPRINT_REGULAR = False
   SESSION_COOKIE_SECURE = False
 

endpoints/api/suconfig.py

@@ -104,7 +104,7 @@ class SuperUserGetConfig(ApiResource):
       config_object = request.get_json()['config']
 
       # Add any enterprise defaults missing from the config.
-      add_enterprise_config_defaults(config_object)
+      add_enterprise_config_defaults(config_object, app.config['SECRET_KEY'])
 
       # Write the configuration changes to the YAML file.
       export_yaml(config_object, OVERRIDE_CONFIG_YAML_FILENAME)

test/testconfig.py

@@ -15,6 +15,7 @@ class FakeTransaction(object):
 
 class TestConfig(DefaultConfig):
   TESTING = True
+  SECRET_KEY = 'a36c9d7d-25a9-4d3f-a586-3d2f8dc40a83'
 
   DB_URI = os.environ.get('TEST_DATABASE_URI', 'sqlite:///:memory:')
   DB_CONNECTION_ARGS = {

util/configutil.py

@@ -36,7 +36,7 @@ def set_config_value(config_file, config_key, value):
   export_yaml(config_obj, config_file)
 
 
-def add_enterprise_config_defaults(config_obj):
+def add_enterprise_config_defaults(config_obj, current_secret_key):
   """ Adds/Sets the config defaults for enterprise registry config. """
   # These have to be false.
   config_obj['TESTING'] = False
@@ -52,7 +52,7 @@ def add_enterprise_config_defaults(config_obj):
 
   # Default secret key.
   if not 'SECRET_KEY' in config_obj:
-    config_obj['SECRET_KEY'] = generate_secret_key()
+    config_obj['SECRET_KEY'] = current_secret_key
 
   # Default storage configuration.
   if not 'DISTRIBUTED_STORAGE_CONFIG' in config_obj: