Engine: validate auth_encryption_key

When using a string with a length != 16, 24, or 32 as value for the auth_encryption_key parameter in the /etc/heat/heat.conf file it is not possible to create new stacks. Creating a new stack (and probably anything else) will fail with the following exception: ValueError: AES key must be either 16, 24, or 32 bytes long. Change-Id: I4e35cf0f782f22861319d05a3f028e5784ad26d5 Closes-bug: #1415887
2015-04-28 22:27:58 -04:00 · 2015-04-28 22:27:58 -04:00 · 23d58ec2b6
parent 2d33876661
commit 23d58ec2b6
3 changed files with 21 additions and 4 deletions
--- a/manifests/engine.pp
+++ b/manifests/engine.pp
@ -5,6 +5,7 @@
 # === Parameters
 # [*auth_encryption_key*]
 #   (required) Encryption key used for authentication info in database
+#   Must be either 16, 24, or 32 bytes long.
 #
 # [*package_ensure*]
 #    (Optional) Ensure state for package.
@ -72,6 +73,15 @@ class heat::engine (
  $configure_delegated_roles     = true,                  #DEPRECATED
 ) {

+  # Validate Heat Engine AES key
+  # must be either 16, 24, or 32 bytes long
+  # https://bugs.launchpad.net/heat/+bug/1415887
+  $allowed_sizes = ['16','24','32']
+  $param_size = size($auth_encryption_key)
+  if ! (member($allowed_sizes, "${param_size}")) { # lint:ignore:only_variable_string
+    fail("${param_size} is not a correct size for auth_encryption_key parameter, it must be either 16, 24, 32 bytes long.")
+  }
+
  include ::heat
  include ::heat::params

--- a/spec/classes/heat_engine_spec.rb
+++ b/spec/classes/heat_engine_spec.rb
@ -19,8 +19,8 @@ describe 'heat::engine' do
  shared_examples_for 'heat-engine' do
    [
      {},
-      { :auth_encryption_key           => '1234567890AZERTYUIOPMLKJHGFDSQ' },
-      { :auth_encryption_key           => 'foodummybar',
+      { :auth_encryption_key           => '1234567890AZERTYUIOPMLKJHGFDSQ12' },
+      { :auth_encryption_key           => '0234567890AZERTYUIOPMLKJHGFDSQ24',
        :enabled                       => false,
        :heat_stack_user_role          => 'heat_stack_user',
        :heat_metadata_server_url      => 'http://127.0.0.1:8000',
@ -114,6 +114,13 @@ describe 'heat::engine' do
       )
     end
    end
+    context 'with wrong auth_encryption_key parameter size' do
+      before do
+        params.merge!({
+          :auth_encryption_key => 'hello' })
+      end
+      it_raises 'a Puppet::Error', /5 is not a correct size for auth_encryption_key parameter, it must be either 16, 24, 32 bytes long./
+    end
  end

  context 'on Debian platforms' do
--- a/spec/classes/heat_keystone_auth_spec.rb
+++ b/spec/classes/heat_keystone_auth_spec.rb
@ -154,7 +154,7 @@ describe 'heat::keystone::auth' do
  context 'when configuring delegated roles' do
    let :pre_condition do
      "class { 'heat::engine':
-         auth_encryption_key       => 'abcdef',
+         auth_encryption_key       => '1234567890AZERTYUIOPMLKJHGFDSQ12',
         configure_delegated_roles => false,
       }
      "
@ -179,7 +179,7 @@ describe 'heat::keystone::auth' do
  describe 'with deprecated and new params both set' do
    let :pre_condition do
      "class { 'heat::engine':
-         auth_encryption_key => 'abcdef',
+         auth_encryption_key => '1234567890AZERTYUIOPMLKJHGFDSQ12',
       }
      "
    end