Merge "Validate server_certs_key_passphrase is 32 chars"
commit
49ea96df73
|
@ -53,8 +53,10 @@ certgen_opts = [
|
|||
cfg.StrOpt('server_certs_key_passphrase',
|
||||
default=TLS_PASS_AMPS_DEFAULT,
|
||||
help='Passphrase for encrypting Amphora Certificates and '
|
||||
'Private Keys. Defaults to env[TLS_PASS_AMPS_DEFAULT] or '
|
||||
'insecure-key-do-not-use-this-key',
|
||||
'Private Keys. Must be 32, base64(url) compatible, '
|
||||
'characters long. Defaults to env[TLS_PASS_AMPS_DEFAULT] '
|
||||
'or insecure-key-do-not-use-this-key',
|
||||
regex=r'^[A-Za-z0-9\-_=]{32}$',
|
||||
required=True),
|
||||
cfg.StrOpt('signing_digest',
|
||||
default=TLS_DIGEST_DEFAULT,
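Review bot: The new `regex` is satisfied by the documented default `insecure-key-do-not-use-this-key`, so a deployment that never overrides `server_certs_key_passphrase` still passes validation with a publicly known passphrase. The help text should say so, for example by ending with `'or insecure-key-do-not-use-this-key, which is publicly known and must be replaced before production use.'`. Separately, if oslo.config applies the pattern with Python `re` search semantics, `$` also matches just before a trailing newline, so `regex=r'^[A-Za-z0-9\-_=]{32}\Z'` would be the stricter anchor. The `certgen_opts` list begins before this hunk and continues after it, so the other options were not reviewed.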
|
||||
|
|
|
@ -13,6 +13,7 @@
|
|||
# under the License.
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_config import fixture as oslo_fixture
|
||||
|
||||
import octavia.common.config as config
|
||||
import octavia.tests.unit.base as base
|
||||
|
@ -26,3 +27,25 @@ class TestConfig(base.TestCase):
|
|||
# Resetting because this will cause inconsistent errors when run with
|
||||
# other tests
|
||||
self.addCleanup(cfg.CONF.reset)
|
||||
|
||||
def test_validate_server_certs_key_passphrase(self):
|
||||
conf = self.useFixture(oslo_fixture.Config(config.cfg.CONF))
|
||||
conf.config(
|
||||
group="certificates",
|
||||
server_certs_key_passphrase="insecure-key-do-not-use-this-key"
|
||||
)
|
||||
|
||||
# Test too short
|
||||
self.assertRaises(ValueError, conf.config,
|
||||
group="certificates",
|
||||
server_certs_key_passphrase="short_passphrase")
|
||||
|
||||
# Test too long
|
||||
self.assertRaises(
|
||||
ValueError, conf.config, group="certificates",
|
||||
server_certs_key_passphrase="long-insecure-key-do-not-use-this")
|
||||
|
||||
# Test invalid characters
|
||||
self.assertRaises(
|
||||
ValueError, conf.config, group="certificates",
|
||||
server_certs_key_passphrase="insecure-key-do-not-u$e-this-key")
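Review bot: The too-short case in `test_validate_server_certs_key_passphrase` uses a 16-character value, so the lower length boundary is not pinned the way the 33-character too-long case pins the upper one. A 31-character value such as `"insecure-key-do-not-use-this-ke"` (constructed for this note) would cover it. The first `conf.config(...)` call is the positive case but carries no comment, and the passphrase it accepts is the shipped default; a comment like `# Valid: exactly 32 url-safe characters (this is the insecure default)` would make the intent clear. `TestConfig` starts outside this hunk.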
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
fixes:
|
||||
- The passphrase for config option 'server_certs_key_passphrase' is used as
|
||||
a Fernet key in Octavia and thus must be 32, base64(url) compatible,
|
||||
characters long. Octavia will now validate the passphrase length and
|
||||
format.
|