openstack/octavia
Code Issues Proposed changes

Validate server_certs_key_passphrase is 32 chars

Browse Source 
Fernet checks[1] for 32 characters long key, so Octavia should validate
the value provided for server_certs_key_passphrase, to reject an invalid
passphrase as early as possible.

This[2] Red Hat Bug showed a case in which an invalid passphrase got
configured, and as a result, Octavia was unable to create any
load balancers.

Related-bug: #1833942

[1] 784676de33/src/cryptography/fernet.py (L36)
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1723051

Change-Id: I334364d4654491bc0d289472ca9ab5fe462d5139
This commit is contained in:
Nir Magnezi 2019-07-14 17:50:43 +03:00 committed by Adam Harwell
parent a498823789
commit a77667339d
3 changed files with 33 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
octavia/certificates/common/local.py
View File

@ -53,8 +53,10 @@ certgen_opts = [
cfg.StrOpt('server_certs_key_passphrase', cfg.StrOpt('server_certs_key_passphrase',
default=TLS_PASS_AMPS_DEFAULT, default=TLS_PASS_AMPS_DEFAULT,
help='Passphrase for encrypting Amphora Certificates and ' help='Passphrase for encrypting Amphora Certificates and '
'Private Keys. Defaults to env[TLS_PASS_AMPS_DEFAULT] or ' 'Private Keys. Must be 32, base64(url) compatible, '
'insecure-key-do-not-use-this-key', 'characters long. Defaults to env[TLS_PASS_AMPS_DEFAULT] '
'or insecure-key-do-not-use-this-key',
regex=r'^[A-Za-z0-9\-_=]{32}$',
required=True), required=True),
cfg.StrOpt('signing_digest', cfg.StrOpt('signing_digest',
default=TLS_DIGEST_DEFAULT, default=TLS_DIGEST_DEFAULT,

23
octavia/tests/unit/common/test_config.py
View File

@ -13,6 +13,7 @@
# under the License. # under the License.
from oslo_config import cfg from oslo_config import cfg
from oslo_config import fixture as oslo_fixture
import octavia.common.config as config import octavia.common.config as config
import octavia.tests.unit.base as base import octavia.tests.unit.base as base
@ -26,3 +27,25 @@ class TestConfig(base.TestCase):
# Resetting because this will cause inconsistent errors when run with # Resetting because this will cause inconsistent errors when run with
# other tests # other tests
self.addCleanup(cfg.CONF.reset) self.addCleanup(cfg.CONF.reset)
def test_validate_server_certs_key_passphrase(self):
conf = self.useFixture(oslo_fixture.Config(config.cfg.CONF))
conf.config(
group="certificates",
server_certs_key_passphrase="insecure-key-do-not-use-this-key"
)
# Test too short
self.assertRaises(ValueError, conf.config,
group="certificates",
server_certs_key_passphrase="short_passphrase")
# Test too long
self.assertRaises(
ValueError, conf.config, group="certificates",
server_certs_key_passphrase="long-insecure-key-do-not-use-this")
# Test invalid characters
self.assertRaises(
ValueError, conf.config, group="certificates",
server_certs_key_passphrase="insecure-key-do-not-u$e-this-key")

6
releasenotes/notes/input-validation-server_certs_key_passphrase-6a9dfc190c9deba8.yaml Normal file
View File

@ -0,0 +1,6 @@
---
fixes:
- The passphrase for config option 'server_certs_key_passphrase' is used as
a Fernet key in Octavia and thus must be 32, base64(url) compatible,
characters long. Octavia will now validate the passphrase length and
format.