Merge "Use separate file to store SECRET_KEY"

manifests/init.pp

@@ -810,6 +810,17 @@ class horizon(
     tag    => ['openstack', 'horizon-package'],
   }
 
+  $secret_key_path = "${::horizon::params::config_dir}/.secret_key_store"
+  file { $secret_key_path:
+    mode      => '0600',
+    content   => $secret_key,
+    owner     => $::horizon::params::wsgi_user,
+    group     => $::horizon::params::wsgi_group,
+    show_diff => false,
+    require   => Anchor['horizon::config::begin'],
+    notify    => Anchor['horizon::config::end'],
+  }
+
   concat { $::horizon::params::config_file:
     mode      => '0640',
     owner     => $::horizon::params::wsgi_user,

spec/classes/horizon_init_spec.rb

@@ -44,7 +44,7 @@ describe 'horizon' do
           :mode      => '0640',
           :owner     => platforms_params[:wsgi_user],
           :group     => platforms_params[:wsgi_group],
-          :show_diff => false
+          :show_diff => false,
         )
       }
 
@@ -67,7 +67,7 @@ describe 'horizon' do
           "LOGIN_REDIRECT_URL = '#{platforms_params[:root_url]}/'",
           "ALLOWED_HOSTS = ['foo.example.com', ]",
           'HORIZON_CONFIG["password_autocomplete"] = "off"',
-          "SECRET_KEY = 'elj1IWiLoWHgcyYxFVLj7cM5rGOOxWl0'",
+          "SECRET_KEY = secret_key.generate_or_read_from_file('#{platforms_params[:secret_key_file]}')",
           'OPENSTACK_KEYSTONE_URL = "http://127.0.0.1:5000"',
           'OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member"',
           "    'can_set_mount_point': True,",
@@ -92,6 +92,15 @@ describe 'horizon' do
         expect(content).not_to match(/^SESSION_ENGINE/)
       end
 
+      it 'creates a key file' do
+        is_expected.to contain_file(platforms_params[:secret_key_file]).with(
+          :mode      => '0600',
+          :content   => 'elj1IWiLoWHgcyYxFVLj7cM5rGOOxWl0',
+          :owner     => platforms_params[:wsgi_user],
+          :group     => platforms_params[:wsgi_group],
+          :show_diff => false,
+        )
+      end
       it { is_expected.not_to contain_file('/tmp') }
     end
 
@@ -160,7 +169,6 @@ describe 'horizon' do
           "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True",
           "OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'domain.tld'",
           'HORIZON_CONFIG["password_autocomplete"] = "on"',
-          "SECRET_KEY = 'elj1IWiLoWHgcyYxFVLj7cM5rGOOxWl0'",
           "        'OPTIONS': {",
           "            'DEAD_RETRY': 1,",
           "            'SERVER_RETRIES': 1,",
@@ -767,6 +775,7 @@ describe 'horizon' do
           if facts[:os]['name'] == 'Debian'
             { :config_file        => '/etc/openstack-dashboard/local_settings.py',
               :conf_d_dir         => '/etc/openstack-dashboard/local_settings.d',
+              :secret_key_file    => '/etc/openstack-dashboard/.secret_key_store',
               :package_name       => 'openstack-dashboard-apache',
               :root_url           => '/horizon',
               :root_path          => '/var/lib/openstack-dashboard',
@@ -778,6 +787,7 @@ describe 'horizon' do
           else
             { :config_file        => '/etc/openstack-dashboard/local_settings.py',
               :conf_d_dir         => '/etc/openstack-dashboard/local_settings.d',
+              :secret_key_file    => '/etc/openstack-dashboard/.secret_key_store',
               :package_name       => 'openstack-dashboard',
               :root_url           => '/horizon',
               :root_path          => '/var/lib/openstack-dashboard',
@@ -790,6 +800,7 @@ describe 'horizon' do
         when 'RedHat'
           { :config_file        => '/etc/openstack-dashboard/local_settings',
             :conf_d_dir         => '/etc/openstack-dashboard/local_settings.d',
+            :secret_key_file    => '/etc/openstack-dashboard/.secret_key_store',
             :package_name       => 'openstack-dashboard',
             :root_url           => '/dashboard',
             :root_path          => '/usr/share/openstack-dashboard',

templates/local_settings.py.erb

@@ -199,7 +199,7 @@ LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))
 # SECRET_KEY for all of them.
 #SECRET_KEY = secret_key.generate_or_read_from_file(
 #    os.path.join(LOCAL_PATH, '.secret_key_store'))
-SECRET_KEY = '<%= @secret_key %>'
+SECRET_KEY = secret_key.generate_or_read_from_file('<%= @secret_key_path %>')
 
 # We recommend you use memcached for development; otherwise after every reload
 # of the django development server, you will have to login again. To use