
Adopt dedicated secrets management library #2728 #2758

Conversation
@phillxnet phillxnet commented Dec 2, 2023

Adopt password-store by Jason A. Donenfeld of wireguard fame as our base OS password store; under the root user. Employ as back-end to python-keyring via adapter shim keyring-pass. Enabling lightweight/secure (via GPG encryption) secrets management from both an OS level and from within our Python Poetry venv.

Includes:

  • Keyring-pass additional dependency, with secondary dependency on python-keyring.
  • ExecStartPre additions to initialise GNUPG, pass, and rotate/generate Django's SECRET_KEY.
  • PASSWORD_STORE_DIR environmental variable in all main rockstor systemd services.
  • Add Django's new-in-4.1 SECRET_KEY_FALLBACKS setting.
  • Incidental update to cryptography: 41.0.5 to 41.0.7.
  • Incidental update to idna: 3.4 to 3.6.
  • Set CLIENT_SECRET in keyring via initrock.py, and maintain as install instance persistent. Set only during db initialisation, or if this key does not exist: i.e. updating from pre keyring install.
  • Get CLIENT_SECRET (settings.py) from keyring.
  • Update build.sh with developer instructions re GnuPG & pass.
  • Additional minimal setup of GNUPG & pass in build.sh as we need a valid Django config for collectstatic, and we now store SECRET_KEY in OS provided 'pass'.
  • Incidental addition of Poetry 1.2 style dev dependencies group, with the addition of black as an optional install.
  • Incidental black re-format of initrock.py
  • Simplify logging within initrock.py.

Fixes #2728

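The description above states three rules for the secrets kept in `pass` via python-keyring: SECRET_KEY is regenerated from ExecStartPre on each start, the previous value is retained (the SECRET_KEY_FALLBACK entry visible in the testing comment) so Django's SECRET_KEY_FALLBACKS can still verify signatures made with the old key, and CLIENT_SECRET is written once and then left alone. The following is an added example, not rockstor's own `initrock.py` or `settings.py` code, that models those rules against the two-call python-keyring surface (`get_password`/`set_password`) and shows with a minimal HMAC signer why the fallback matters. The service name "rockstor" and the three key names come from the PR; `InMemoryKeyring`, the function names and the signer are this example's own assumptions, and the in-memory store stands in for the real `keyring` module so the code runs offline.

```python
"""Added example: rockstor-style secret rotation on top of a python-keyring
interface. Not rockstor's code; see the lead-in for what is assumed."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# python-keyring "service" name from the PR. keyring-pass maps it to the
# pass path python-keyring/<service>/<username>, which is the tree shown
# in the testing comment (python-keyring/rockstor/{CLIENT_SECRET,...}).
SERVICE = "rockstor"


class InMemoryKeyring:
    """Constructed stand-in for the `keyring` module (assumption): same
    get_password/set_password surface, nothing touches GnuPG or pass."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], str] = {}

    def get_password(self, service: str, username: str) -> Optional[str]:
        return self._store.get((service, username))

    def set_password(self, service: str, username: str, password: str) -> None:
        self._store[(service, username)] = password


def generate_secret(nbytes: int = 50) -> str:
    """CSPRNG-backed secret; 50 bytes mirrors the length Django itself uses."""
    return secrets.token_urlsafe(nbytes)


def rotate_secret_key(kr) -> Tuple[str, Optional[str]]:
    """ExecStartPre-style rotation: current key becomes SECRET_KEY_FALLBACK,
    a fresh key becomes SECRET_KEY. Returns (new_key, previous_key)."""
    previous = kr.get_password(SERVICE, "SECRET_KEY")
    new_key = generate_secret()
    if previous is not None:
        # Keep exactly one generation back, as the pass tree in the PR shows.
        kr.set_password(SERVICE, "SECRET_KEY_FALLBACK", previous)
    kr.set_password(SERVICE, "SECRET_KEY", new_key)
    return new_key, previous


def ensure_client_secret(kr) -> str:
    """Install-persistent: set only when absent (fresh install or upgrade
    from a pre-keyring release), otherwise return what is already stored."""
    existing = kr.get_password(SERVICE, "CLIENT_SECRET")
    if existing:
        return existing
    value = generate_secret()
    kr.set_password(SERVICE, "CLIENT_SECRET", value)
    return value


def django_secret_settings(kr) -> Dict[str, object]:
    """What settings.py reads at import time: SECRET_KEY plus the
    SECRET_KEY_FALLBACKS list (empty on a brand-new install)."""
    key = kr.get_password(SERVICE, "SECRET_KEY")
    if not key:
        raise RuntimeError("SECRET_KEY missing from keyring: rotation step did not run")
    fallback = kr.get_password(SERVICE, "SECRET_KEY_FALLBACK")
    return {"SECRET_KEY": key, "SECRET_KEY_FALLBACKS": [fallback] if fallback else []}


# Minimal signer (assumption) standing in for Django's signing: it only
# demonstrates how SECRET_KEY_FALLBACKS keeps old signatures verifiable.
def sign(value: str, key: str) -> str:
    mac = hmac.new(key.encode(), value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{mac}"


def verify(signed: str, settings: Dict[str, object]) -> bool:
    value, _, mac = signed.rpartition(":")
    keys: List[str] = [settings["SECRET_KEY"], *settings["SECRET_KEY_FALLBACKS"]]  # type: ignore[list-item]
    for key in keys:
        expected = hmac.new(key.encode(), value.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, mac):
            return True
    return False


if __name__ == "__main__":
    kr = InMemoryKeyring()
    first_key, _ = rotate_secret_key(kr)          # fresh install: no fallback yet
    token = sign("session-cookie", first_key)
    rotate_secret_key(kr)                          # service restart: key rotated
    print("old token still valid after one rotation:",
          verify(token, django_secret_settings(kr)))
    rotate_secret_key(kr)                          # second restart
    print("old token valid after two rotations:",
          verify(token, django_secret_settings(kr)))
    print("CLIENT_SECRET stable:", ensure_client_secret(kr) == ensure_client_secret(kr))
```

On a real host the `keyring` module would be passed in place of `InMemoryKeyring()`, with keyring-pass selected as the backend and PASSWORD_STORE_DIR pointing at root's store as the PR's systemd units do; the logic above is unchanged. The example also makes the trade-off of rotating on every start visible: anything signed before the second-to-last start stops verifying, which is the window SECRET_KEY_FALLBACKS buys.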
phillxnet commented Dec 2, 2023

Testing

Please see partner rockstor-rpmbuild comments in linked PR:
rockstor/rockstor-rpmbuild#54

A custom rpm was built and installed on the rpmbuild host (15.5 amd64) successfully, and initial Web-UI setup worked as intended. A successful reboot was also accomplished. This build is by way of double check post squash operations performed in the interim from the Draft version of this PR: #2756

phillxnet commented Dec 4, 2023

RPM installed instance update via Web-UI.

A 5.0.5 rpm was installed fresh. After (for root):

zypper remove rockstor
rm -rf ~/.gnupg/
rm -rf ~/.password-store/
rm -rf /opt/rockstor/

So no old rpm, remnants of rockstor, or pass, or gnupg.

5.0.5-0 rpm install

zypper in rockstor-5.0.5-0
systemctl enable --now rockstor-bootstrap
  • 5.0.5-0 WebUI setup was completed.
  • Pool imported.
  • Underlying OS had yum and zypper setup with repos containing the test 5.0.5-2758 rpm
  • WebUI prompt and update mechanism for 5.0.5-2758 was presented and enacted.

The resulting instance successfully established a new gnupg setup and pass and proceeded as expected re WebUI once the timeout dialog expired and a fresh login was enacted.

The resulting 'pass' state was as follows:

rleap15-5:~ # pass
Password Store
└── python-keyring
    └── rockstor
        ├── CLIENT_SECRET
        ├── SECRET_KEY_FALLBACK
        └── SECRET_KEY

The 5.0.5-2758 rpm upgraded instance also rebooted successfully via WebUI and accepted login.

@phillxnet
@FroggyFlox & @Hooverdan96 I'll go ahead and merge this one - looks to be fairly solid given the indicated testing.

@phillxnet phillxnet merged commit b2c33cf into rockstor:testing Dec 4, 2023
@phillxnet phillxnet deleted the 2728-Adopt-dedicated-secrets-management-library branch December 4, 2023 17:37