diff --git a/octavia/certificates/common/local.py b/octavia/certificates/common/local.py index 03ffab7966..03552b9955 100644 --- a/octavia/certificates/common/local.py +++ b/octavia/certificates/common/local.py @@ -53,8 +53,10 @@ certgen_opts = [ cfg.StrOpt('server_certs_key_passphrase', default=TLS_PASS_AMPS_DEFAULT, help='Passphrase for encrypting Amphora Certificates and ' - 'Private Keys. Defaults to env[TLS_PASS_AMPS_DEFAULT] or ' - 'insecure-key-do-not-use-this-key', + 'Private Keys. Must be 32, base64(url) compatible, ' + 'characters long. Defaults to env[TLS_PASS_AMPS_DEFAULT] ' + 'or insecure-key-do-not-use-this-key', + regex=r'^[A-Za-z0-9\-_=]{32}$', required=True), cfg.StrOpt('signing_digest', default=TLS_DIGEST_DEFAULT, diff --git a/octavia/tests/unit/common/test_config.py b/octavia/tests/unit/common/test_config.py index 275599697f..2da1bb38b6 100644 --- a/octavia/tests/unit/common/test_config.py +++ b/octavia/tests/unit/common/test_config.py @@ -13,6 +13,7 @@ # under the License. from oslo_config import cfg +from oslo_config import fixture as oslo_fixture import octavia.common.config as config import octavia.tests.unit.base as base @@ -26,3 +27,25 @@ class TestConfig(base.TestCase): # Resetting because this will cause inconsistent errors when run with # other tests self.addCleanup(cfg.CONF.reset) + + def test_validate_server_certs_key_passphrase(self): + conf = self.useFixture(oslo_fixture.Config(config.cfg.CONF)) + conf.config( + group="certificates", + server_certs_key_passphrase="insecure-key-do-not-use-this-key" + ) + + # Test too short + self.assertRaises(ValueError, conf.config, + group="certificates", + server_certs_key_passphrase="short_passphrase") + + # Test too long + self.assertRaises( + ValueError, conf.config, group="certificates", + server_certs_key_passphrase="long-insecure-key-do-not-use-this") + + # Test invalid characters + self.assertRaises( + ValueError, conf.config, group="certificates", + server_certs_key_passphrase="insecure-key-do-not-u$e-this-key") diff --git a/releasenotes/notes/input-validation-server_certs_key_passphrase-6a9dfc190c9deba8.yaml b/releasenotes/notes/input-validation-server_certs_key_passphrase-6a9dfc190c9deba8.yaml new file mode 100644 index 0000000000..6a4858e130 --- /dev/null +++ b/releasenotes/notes/input-validation-server_certs_key_passphrase-6a9dfc190c9deba8.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - The passphrase for config option 'server_certs_key_passphrase' is used as + a Fernet key in Octavia and thus must be 32, base64(url) compatible, + characters long. Octavia will now validate the passphrase length and + format.