Merge "Add Tsig empty secret validation"

designate/conf/api.py

@@ -60,6 +60,10 @@ APT_V2_OPTS = [
     cfg.BoolOpt('quotas_verify_project_id', default=False,
                 help='Verify that the requested Project ID for quota target '
                      'is a valid project in Keystone.'),
+    cfg.BoolOpt('allow_empty_secrets_for_tsig', default=True,
+                help='Allow tsig creation with empty secrets. While in theory '
+                     'an empty string is valid for tsig secrets, it is highly '
+                     'not recommended'),
 ]
 
 API_ADMIN_OPTS = [

designate/objects/tsigkey.py

@@ -13,8 +13,15 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 from designate.common import constants
+import designate.conf
+from designate import exceptions
 from designate.objects import base
 from designate.objects import fields
+from designate.objects.validation_error import ValidationError
+from designate.objects.validation_error import ValidationErrorList
+
+
+CONF = designate.conf.CONF
 
 
 @base.DesignateRegistry.register
@@ -40,6 +47,25 @@ class TsigKey(base.DictObjectMixin, base.PersistentObjectMixin,
         'id', 'name', 'algorithm', 'scope', 'resource_id'
     ]
 
+    def _raise(self, errors):
+        if len(errors) != 0:
+            raise exceptions.InvalidObject(
+                "Provided object does not match "
+                "schema", errors=errors, object=self)
+
+    def validate(self):
+        errors = ValidationErrorList()
+        if not self.secret and not (
+                CONF['service:api'].allow_empty_secrets_for_tsig):
+            e = ValidationError()
+            e.path = ['type']
+            e.validator = 'value'
+            e.validator_value = ['secret']
+            e.message = "'secret' should not be empty"
+            errors.append(e)
+        self._raise(errors)
+        super().validate()
+
 
 @base.DesignateRegistry.register
 class TsigKeyList(base.ListObjectMixin, base.DesignateObject):

designate/tests/functional/api/v2/test_tsigkeys.py

@@ -18,10 +18,14 @@ from unittest.mock import patch
 import oslo_messaging as messaging
 
 from designate.central import service as central_service
+import designate.conf
 from designate import exceptions
 from designate.tests.functional.api import v2
 
 
+CONF = designate.conf.CONF
+
+
 class ApiV2TsigKeysTest(v2.ApiV2TestCase):
     def setUp(self):
         super().setUp()
@@ -101,6 +105,18 @@ class ApiV2TsigKeysTest(v2.ApiV2TestCase):
         self._assert_exception('invalid_object', 400, self.client.post_json,
                                '/tsigkeys', body)
 
+    def test_create_tsigkey_empty_secret(self):
+        CONF.set_override(
+            'allow_empty_secrets_for_tsig',
+            False,
+            'service:api'
+        )
+        fixture = self.get_tsigkey_fixture(0)
+        fixture['secret'] = ''
+        body = fixture
+        self._assert_exception('invalid_object', 400, self.client.post_json,
+                               '/tsigkeys', body)
+
     def test_create_tsigkey_secret_too_long(self):
         fixture = self.get_tsigkey_fixture(0)
         fixture['secret'] = 'x' * 161

releasenotes/notes/Add-Tsig-secret-validation-5d2f3875d32efd83.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    So far, Tsig could have been created with empty secrets. This
+    patch adds a configuration option to enable/disable empty secrets
+    on tsig creation, to maintain compatibility.