Validate server_certs_key_passphrase is 32 chars

Fernet checks[1] for 32 characters long key, so Octavia should validate the value provided for server_certs_key_passphrase, to reject an invalid passphrase as early as possible. This[2] Red Hat Bug showed a case in which an invalid passphrase got configured, and as a result, Octavia was unable to create any load balancers. Related-bug: #1833942 [1] 784676de33/src/cryptography/fernet.py (L36) [2] https://bugzilla.redhat.com/show_bug.cgi?id=1723051 Change-Id: I334364d4654491bc0d289472ca9ab5fe462d5139 (cherry picked from commit a77667339d)
2019-07-14 17:50:43 +03:00 · 2019-07-14 17:50:43 +03:00 · 1769de3549
parent de0827e464
commit 1769de3549
3 changed files with 33 additions and 2 deletions
--- a/octavia/certificates/common/local.py
+++ b/octavia/certificates/common/local.py
@ -53,8 +53,10 @@ certgen_opts = [
    cfg.StrOpt('server_certs_key_passphrase',
               default=TLS_PASS_AMPS_DEFAULT,
               help='Passphrase for encrypting Amphora Certificates and '
-                    'Private Keys. Defaults to env[TLS_PASS_AMPS_DEFAULT] or '
-                    'insecure-key-do-not-use-this-key',
+                    'Private Keys. Must be 32, base64(url) compatible, '
+                    'characters long. Defaults to env[TLS_PASS_AMPS_DEFAULT] '
+                    'or insecure-key-do-not-use-this-key',
+               regex=r'^[A-Za-z0-9\-_=]{32}$',
               required=True),
    cfg.StrOpt('signing_digest',
               default=TLS_DIGEST_DEFAULT,
--- a/octavia/tests/unit/common/test_config.py
+++ b/octavia/tests/unit/common/test_config.py
@ -13,6 +13,7 @@
 #    under the License.

 from oslo_config import cfg
+from oslo_config import fixture as oslo_fixture

 import octavia.common.config as config
 import octavia.tests.unit.base as base
@ -26,3 +27,25 @@ class TestConfig(base.TestCase):
        # Resetting because this will cause inconsistent errors when run with
        # other tests
        self.addCleanup(cfg.CONF.reset)
+
+    def test_validate_server_certs_key_passphrase(self):
+        conf = self.useFixture(oslo_fixture.Config(config.cfg.CONF))
+        conf.config(
+            group="certificates",
+            server_certs_key_passphrase="insecure-key-do-not-use-this-key"
+        )
+
+        # Test too short
+        self.assertRaises(ValueError, conf.config,
+                          group="certificates",
+                          server_certs_key_passphrase="short_passphrase")
+
+        # Test too long
+        self.assertRaises(
+            ValueError, conf.config, group="certificates",
+            server_certs_key_passphrase="long-insecure-key-do-not-use-this")
+
+        # Test invalid characters
+        self.assertRaises(
+            ValueError, conf.config, group="certificates",
+            server_certs_key_passphrase="insecure-key-do-not-u$e-this-key")
--- a/releasenotes/notes/input-validation-server_certs_key_passphrase-6a9dfc190c9deba8.yaml
+++ b/releasenotes/notes/input-validation-server_certs_key_passphrase-6a9dfc190c9deba8.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - The passphrase for config option 'server_certs_key_passphrase' is used as
+    a Fernet key in Octavia and thus must be 32, base64(url) compatible,
+    characters long. Octavia will now validate the passphrase length and
+    format.