From c892cd5ae18e13628cd55b1a159dfabd30c62db0 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Fri, 18 Sep 2020 17:38:52 -0700
Subject: [PATCH] removing anything that remotely looks like a secret in code to set a good example

---
 docker/src/lemur.conf.py | 19 ++++++++++++++++---
 lemur/tests/conf.py | 22 ++++++++++++++++++----
 2 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/docker/src/lemur.conf.py b/docker/src/lemur.conf.py
index 3cc51792..89448b29 100644
--- a/docker/src/lemur.conf.py
+++ b/docker/src/lemur.conf.py
@@ -1,4 +1,7 @@
 import os
+import random
+import string
+import base64
 from ast import literal_eval
 
 _basedir = os.path.abspath(os.path.dirname(__file__))
@@ -6,10 +9,20 @@ _basedir = os.path.abspath(os.path.dirname(__file__))
 CORS = os.environ.get("CORS") == "True"
 debug = os.environ.get("DEBUG") == "True"
 
-SECRET_KEY = repr(os.environ.get('SECRET_KEY','Hrs8kCDNPuT9vtshsSWzlrYW+d+PrAXvg/HwbRE6M3vzSJTTrA/ZEw=='))
-LEMUR_TOKEN_SECRET = repr(os.environ.get('LEMUR_TOKEN_SECRET','YVKT6nNHnWRWk28Lra1OPxMvHTqg1ZXvAcO7bkVNSbrEuDQPABM0VQ=='))
-LEMUR_ENCRYPTION_KEYS = repr(os.environ.get('LEMUR_ENCRYPTION_KEYS','Ls-qg9j3EMFHyGB_NL0GcQLI6622n9pSyGM_Pu0GdCo='))
+def get_random_secret(length):
+    secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(length/4))
+    secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(length/4))
+    secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(length/4))
+    return secret_key + ''.join(random.choice(string.digits) for x in range(length/4))
+
+
+SECRET_KEY = repr(os.environ.get('SECRET_KEY', get_random_secret(32).encode('utf8')))
+
+LEMUR_TOKEN_SECRET = repr(os.environ.get('LEMUR_TOKEN_SECRET',
+                                         base64.b64encode(get_random_secret(32).encode('utf8'))))
+LEMUR_ENCRYPTION_KEYS = repr(os.environ.get('LEMUR_ENCRYPTION_KEYS',
+                                            base64.b64encode(get_random_secret(32).encode('utf8'))))
 
 LEMUR_WHITELISTED_DOMAINS = []
diff --git a/lemur/tests/conf.py b/lemur/tests/conf.py
index af0c09ce..62df5a68 100644
--- a/lemur/tests/conf.py
+++ b/lemur/tests/conf.py
@@ -1,9 +1,21 @@
 # This is just Python which means you can inherit and tweak settings
 
 import os
+import random
+import string
+import base64
 
 _basedir = os.path.abspath(os.path.dirname(__file__))
 
+
+# generate random secrets for unittest
+def get_random_secret(length):
+    secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(length/4))
+    secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(length/4))
+    secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(length/4))
+    return secret_key + ''.join(random.choice(string.digits) for x in range(length/4))
+
+
 THREADS_PER_PAGE = 8
 
 # General
@@ -14,12 +26,14 @@ debug = False
 
 TESTING = True
 
-# this is the secret key used by flask session management
-SECRET_KEY = "I/dVhOZNSMZMqrFJa5tWli6VQccOGudKerq3eWPMSzQNmHHVhMAQfQ=="
+# this is the secret key used by flask session management (utf8 encoded)
+SECRET_KEY = get_random_secret(length=32).encode('utf8')
 
-# You should consider storing these separately from your config
+
+# You should consider storing these separately from your config (should be URL-safe)
 LEMUR_TOKEN_SECRET = "test"
-LEMUR_ENCRYPTION_KEYS = "o61sBLNBSGtAckngtNrfVNd8xy8Hp9LBGDstTbMbqCY="
+LEMUR_ENCRYPTION_KEYS = base64.urlsafe_b64encode(get_random_secret(length=32).encode('utf8'))
+
 
 # List of domain regular expressions that non-admin users can issue
 LEMUR_WHITELISTED_DOMAINS = [
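Review bot: `range(length/4)` in the new get_random_secret raises TypeError under Python 3, because `/` on two ints yields a float and `range()` only accepts integers, so importing this test config (and the identical function added to docker/src/lemur.conf.py) fails before any secret is produced; every one of the four lines should use `range(length // 4)`, and a caller should know that a length not divisible by 4 silently yields a shorter string. The characters are also drawn from `random`, which is not a cryptographic source; that matters little for a unittest config, but the docker copy uses the same function to seed the runtime SECRET_KEY, LEMUR_TOKEN_SECRET and LEMUR_ENCRYPTION_KEYS defaults, so `secrets.choice` (with `import secrets`) is the right primitive in both places, and the unused loop variable `x` can become `_`. A related operational concern in the docker copy, whose hunk is cut off at its end in this view, is that a fresh LEMUR_ENCRYPTION_KEYS is generated on every start whenever the environment variable is unset, so data encrypted by one process cannot be decrypted after a restart; failing loudly when the variable is missing would be safer than a silent random default.
```python
def get_random_secret(length):
    """Return a random string of *length* characters drawn from four classes (length must be a multiple of 4)."""
    secret_key = ''.join(secrets.choice(string.ascii_uppercase) for _ in range(length // 4))
    secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for _ in range(length // 4))
    secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for _ in range(length // 4))
    return secret_key + ''.join(secrets.choice(string.digits) for _ in range(length // 4))
```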