feat(keys-rotation): manage cookie secret key

[ofekisr]

SUMMARY

#15362 P2 implementaion, based on #15423

[codecov]

Codecov Report

Merging #15296 (4dc87f0) into master (2cb13e6) will decrease coverage by 0.29%.
The diff coverage is 17.85%.

@@            Coverage Diff             @@
##           master   #15296      +/-   ##
==========================================
- Coverage   76.96%   76.66%   -0.30%     
==========================================
  Files         976      979       +3     
  Lines       51296    51350      +54     
  Branches     6911     6911              
==========================================
- Hits        39478    39370     -108     
- Misses      11599    11761     +162     
  Partials      219      219              

Flag	Coverage Δ
hive	?
mysql	81.47% <14.81%> (-0.14%)	⬇️
postgres	81.48% <17.85%> (-0.14%)	⬇️
presto	?
python	81.57% <17.85%> (-0.58%)	⬇️
sqlite	81.10% <14.81%> (-0.14%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
superset/initialization/secret_keys/__init__.py	0.00% <0.00%> (ø)
superset/initialization/secret_keys/consts.py	0.00% <0.00%> (ø)
...t/initialization/secret_keys/cookie_signing_key.py	0.00% <0.00%> (ø)
superset/initialization/__init__.py	87.05% <40.00%> (-0.87%)	⬇️
superset/app.py	63.38% <70.00%> (-0.12%)	⬇️
superset/config.py	97.04% <100.00%> (+0.01%)	⬆️
superset/db_engines/hive.py	0.00% <0.00%> (-82.15%)	⬇️
superset/db_engine_specs/hive.py	69.44% <0.00%> (-17.07%)	⬇️
superset/db_engine_specs/presto.py	83.36% <0.00%> (-6.53%)	⬇️
superset/views/database/mixins.py	81.03% <0.00%> (-1.73%)	⬇️
... and 7 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2cb13e6...4dc87f0. Read the comment docs.

[amitmiran137]

Suggested change

	COOKIE_SIGNING_KEY = os.environ.get("COOKIE_SIGNING_KEY", SECRET_KEY)
	# it is also possible to use a lambda to load on every usage and change on the fly upon env var update like the following
	# COOKIE_SIGNING_KEY = lambda: os.environ.get("COOKIE_SIGNING_KEY", SECRET_KEY)
	COOKIE_SIGNING_KEY = os.environ.get("COOKIE_SIGNING_KEY", SECRET_KEY)

[ktmud]

Please add PR description or convert this to a draft if not ready for review yet

[craig-rueda]

Is this part of SIP 70? Should we wait for approval before this is merged?

[craig-rueda]

Let's keep init empty.

[craig-rueda]

Not sure I agree with this pattern of hanging fields off of the App. A more widely accepted/established pattern is to use a custom extension that can be added to the Flask app via the extensions. We already have a mechanism for this (extensions.py)

[craig-rueda]

Do we need this?

[craig-rueda]

Also wondering if there's some overlap with the encrypted field manager I added a while back. I'd prefer if we merged the functionality in order to prevent duplication.

Lastly, I don't see any tests.

[ofekisr]

Also wondering if there's some overlap with the encrypted field manager I added a while back. I'd prefer if we merged the functionality in order to prevent duplication.

Lastly, I don't see any tests.

what you added is a specific concern - encryptedColumnFactory
here is totally different concern

[craig-rueda]

Also wondering if there's some overlap with the encrypted field manager I added a while back. I'd prefer if we merged the functionality in order to prevent duplication.
Lastly, I don't see any tests.

what you added is a specific concern - encryptedColumnFactory
here is totally different concern

Sorta - They both deal with keys and the source of key material. I think it would be great to have a central secrets manager that can be easily overridden by orgs that want to extend functionality. Also, we have established patterns for this kinda stuff (app factory pattern) that should be followed here.