Merge "Validate server_certs_key_passphrase is 32 chars"

2019-09-19 09:03:27 +00:00 · 2019-09-19 09:03:27 +00:00 · 49ea96df73
parent fbe328397b a77667339d
commit 49ea96df73
3 changed files with 33 additions and 2 deletions
--- a/octavia/certificates/common/local.py
+++ b/octavia/certificates/common/local.py
@ -53,8 +53,10 @@ certgen_opts = [
    cfg.StrOpt('server_certs_key_passphrase',
               default=TLS_PASS_AMPS_DEFAULT,
               help='Passphrase for encrypting Amphora Certificates and '
-                    'Private Keys. Defaults to env[TLS_PASS_AMPS_DEFAULT] or '
-                    'insecure-key-do-not-use-this-key',
+                    'Private Keys. Must be 32, base64(url) compatible, '
+                    'characters long. Defaults to env[TLS_PASS_AMPS_DEFAULT] '
+                    'or insecure-key-do-not-use-this-key',
+               regex=r'^[A-Za-z0-9\-_=]{32}$',
               required=True),
    cfg.StrOpt('signing_digest',
               default=TLS_DIGEST_DEFAULT,
--- a/octavia/tests/unit/common/test_config.py
+++ b/octavia/tests/unit/common/test_config.py
@ -13,6 +13,7 @@
 #    under the License.

 from oslo_config import cfg
+from oslo_config import fixture as oslo_fixture

 import octavia.common.config as config
 import octavia.tests.unit.base as base
@ -26,3 +27,25 @@ class TestConfig(base.TestCase):
        # Resetting because this will cause inconsistent errors when run with
        # other tests
        self.addCleanup(cfg.CONF.reset)
+
+    def test_validate_server_certs_key_passphrase(self):
+        conf = self.useFixture(oslo_fixture.Config(config.cfg.CONF))
+        conf.config(
+            group="certificates",
+            server_certs_key_passphrase="insecure-key-do-not-use-this-key"
+        )
+
+        # Test too short
+        self.assertRaises(ValueError, conf.config,
+                          group="certificates",
+                          server_certs_key_passphrase="short_passphrase")
+
+        # Test too long
+        self.assertRaises(
+            ValueError, conf.config, group="certificates",
+            server_certs_key_passphrase="long-insecure-key-do-not-use-this")
+
+        # Test invalid characters
+        self.assertRaises(
+            ValueError, conf.config, group="certificates",
+            server_certs_key_passphrase="insecure-key-do-not-u$e-this-key")
--- a/releasenotes/notes/input-validation-server_certs_key_passphrase-6a9dfc190c9deba8.yaml
+++ b/releasenotes/notes/input-validation-server_certs_key_passphrase-6a9dfc190c9deba8.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - The passphrase for config option 'server_certs_key_passphrase' is used as
+    a Fernet key in Octavia and thus must be 32, base64(url) compatible,
+    characters long. Octavia will now validate the passphrase length and
+    format.