From a8900fa5f2b8963e9f57ba4ae5520a5d339aeaad Mon Sep 17 00:00:00 2001
From: Xiaodong
Date: Fri, 10 Aug 2018 18:30:41 +0800
Subject: [PATCH] [AIRFLOW-2884] Fix Flask SECRET_KEY security issue in www_rbac (#3729)

The same issue was fixed for /www previously in PR https://github.com/apache/incubator-airflow/pull/3651 (JIRA ticket 2809)
(cherry picked from commit fe6d00a54f83468e296777d3b83b65a2ae7169ec)
---
 airflow/config_templates/config.yml | 3 ++-
 airflow/config_templates/default_airflow.cfg | 3 ++-
 airflow/www_rbac/app.py | 6 ++++++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/airflow/config_templates/config.yml b/airflow/config_templates/config.yml
index 87ee928384485..7f0f714a60013 100644
--- a/airflow/config_templates/config.yml
+++ b/airflow/config_templates/config.yml
@@ -737,7 +737,8 @@
 - name: secret_key
 description: |
 Secret key used to run your flask app
- It should be as random as possible
+ If default value is given ("temporary_key"), a random secret_key will be generated
+ when you launch your webserver for security reason
 version_added: ~
 type: string
 example: ~
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index 662fd00c19b01..765b1cee19022 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -362,7 +362,8 @@ worker_refresh_interval = 30
 reload_on_plugin_change = False
 # Secret key used to run your flask app
-# It should be as random as possible
+# If default value is given ("temporary_key"), a random secret_key will be generated
+# when you launch your webserver for security reason
 secret_key = temporary_key
 # Number of workers to run the Gunicorn web server
diff --git a/airflow/www_rbac/app.py b/airflow/www_rbac/app.py
index a2ebf7b753775..2e653a2cf4a29 100644
--- a/airflow/www_rbac/app.py
+++ b/airflow/www_rbac/app.py
@@ -19,6 +19,7 @@
 #
 import logging
 import socket
+import os
 from datetime import timedelta
 from typing import Any
@@ -63,6 +64,11 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
 app.secret_key = conf.get('webserver', 'SECRET_KEY')
 app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(minutes=settings.get_session_lifetime_config())
+ if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
+ app.secret_key = os.urandom(16)
+ else:
+ app.secret_key = conf.get('webserver', 'SECRET_KEY')
+
 app.config.from_pyfile(settings.WEBSERVER_CONFIG, silent=True)
 app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
 app.config['APP_NAME'] = app_name
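Review bot: The context line `app.secret_key = conf.get('webserver', 'SECRET_KEY')` at the top of the second hunk is now dead, because the added `if`/`else` reassigns `app.secret_key` unconditionally, and the config value is read twice; read it once into a local and drop the old assignment. `os.urandom(16)` also yields a key local to this call, so if each gunicorn worker (the cfg hunk configures a worker count) or each restart builds its own app, a session signed by one process will presumably be rejected by another — that situation should at least be logged through `logging` (imported in the first hunk) so operators know to set a fixed `secret_key`. The body of create_app starts and ends outside the hunk.
```python
    # … unchanged: app construction above …
    app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(minutes=settings.get_session_lifetime_config())

    secret_key = conf.get('webserver', 'SECRET_KEY')
    if secret_key == "temporary_key":
        # The shipped default is public, so it must never sign sessions. The key
        # generated here is local to this create_app call: it is not shared with
        # other workers and does not survive a restart, hence the warning.
        logging.getLogger(__name__).warning(
            "webserver.secret_key is the default 'temporary_key'; generating a "
            "random key for this process. Set a fixed secret_key in airflow.cfg.")
        secret_key = os.urandom(16)
    app.secret_key = secret_key

    # … unchanged: from_pyfile and remaining app.config settings …
```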