1199179 - Heroku is using a default of "my-secret-key" for Django's SECRET_KEY

Status: RESOLVED FIXED

(Tree Management :: Treeherder: Infrastructure, defect, P1)

Description

[Ed Morley [:emorley]]

The current Heroku project doesn't define TREEHERDER_DJANGO_SECRET_KEY in the environment, and if none is specified, we fall back to a hardcoded string:

https://github.com/mozilla/treeherder/blob/5c085724b32b89e49a7af3e5a46670a70e2f41dd/treeherder/settings/base.py#L39
SECRET_KEY = os.environ.get("TREEHERDER_DJANGO_SECRET_KEY", "my-secret-key")

We should:
1) Set TREEHERDER_DJANGO_SECRET_KEY on Heroku
2) Make sure Travis/Vagrant set a key, so the fallback isn't required
3) Remove the fallback, so a missing key will result in an error

Comment 1

[Ed Morley [:emorley]]

TREEHERDER_DJANGO_SECRET_KEY has now been set on Heroku, using Django's startproject command template's SECRET key generation for inspiration as to complexity:
https://github.com/django/django/blob/1.8.4/django/core/management/commands/startproject.py#L29-L31

Comment 2

[Ed Morley [:emorley]]

Opening bug now Heroku is using the new key.

Comment 3

[Ed Morley [:emorley]]

Attachment: Remove default Django SECRET_KEY

Comment 4

[Treeherder GitHub Bugbot]

Commit pushed to master at https://github.com/mozilla/treeherder

https://github.com/mozilla/treeherder/commit/ad3dc73715b844039fbbb03976029a6ec01685e1
Bug 1199179 - Remove default Django SECRET_KEY

Previously if TREEHERDER_DJANGO_SECRET_KEY was not set, we'd silently
fall back to a default value for SECRET_KEY, meaning we wouldn't realise
we were using an insecure key on a live deployment instance.

With this change, TREEHERDER_DJANGO_SECRET_KEY being missing from the
environment is fatal, resulting in:
"ImproperlyConfigured: The SECRET_KEY setting must not be empty."