authorAndrew Butcher <abutcher@redhat.com>2015-12-16 17:56:09 -0500
committerAndrew Butcher <abutcher@redhat.com>2016-01-04 09:16:11 -0500
commitef014ae06a50c5f2050aa183638165895154db5f (patch)
tree33255ae9e62f9551a83bf7586beefb322df5b13c
parent9b760b0a89a77c5be0b3521a2c35b5afcb2a20d2 (diff)
Secrets validation.
-rw-r--r--filter_plugins/openshift_master.py29
-rw-r--r--playbooks/common/openshift-master/config.yml14
-rw-r--r--roles/openshift_master/tasks/main.yml14
3 files changed, 52 insertions, 5 deletions
diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py
index f12017967..40c1083e0 100644
--- a/filter_plugins/openshift_master.py
+++ b/filter_plugins/openshift_master.py
@@ -463,7 +463,34 @@ class FilterModule(object):
IdentityProviderBase.validate_idp_list(idp_list)
return yaml.safe_dump([idp.to_dict() for idp in idp_list], default_flow_style=False)
+ @staticmethod
+ def validate_auth_secrets(secrets):
+ ''' validate type and length '''
+
+ if not issubclass(type(secrets), list):
+ raise errors.AnsibleFilterError("|failed expects openshift_master_session_auth_secrets is a list")
+
+ for secret in secrets:
+ if len(secret) < 32:
+ return False
+ return True
+
+ @staticmethod
+ def validate_encryption_secrets(secrets):
+ ''' validate type and length '''
+
+ if not issubclass(type(secrets), list):
+ raise errors.AnsibleFilterError("|failed expects openshift_master_session_encryption_secrets is a list")
+
+ for secret in secrets:
+ if len(secret) not in [16, 24, 32]:
+ return False
+ return True
def filters(self):
''' returns a mapping of filters to methods '''
- return {"translate_idps": self.translate_idps}
+ return {
+ "translate_idps": self.translate_idps,
+ "validate_auth_secrets": self.validate_auth_secrets,
+ "validate_encryption_secrets": self.validate_encryption_secrets
+ }
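Review bot: A list element that is not a string makes `len(secret)` in validate_auth_secrets and validate_encryption_secrets raise a bare TypeError rather than the AnsibleFilterError the outer list check produces, so a secret written as a bare number in inventory YAML would surface as a traceback instead of the intended message; an element type check belongs next to the length check. The `issubclass(type(secrets), list)` guard is equivalent to `isinstance(secrets, list)`, and the two functions differ only in the accepted lengths and the variable name in the error text, so a shared helper removes the duplication. Two further points for the callers rather than the filter: `len()` on a unicode string counts code points, so a non-ASCII secret can satisfy the 16/24/32 check while its encoded length does not (whether the master consumes the secret as bytes is not visible here), and an empty list returns True from both validators. The class body continues outside the hunk.
```python
    @staticmethod
    def _validate_secret_list(secrets, var_name, length_ok):
        ''' Raise AnsibleFilterError unless secrets is a list of strings;
            return False if any entry fails length_ok(len(entry)). '''
        if not isinstance(secrets, list):
            raise errors.AnsibleFilterError("|failed expects %s is a list" % var_name)
        for secret in secrets:
            # basestring is the Python 2 string base; use str on Python 3
            if not isinstance(secret, basestring):
                raise errors.AnsibleFilterError("|failed expects %s entries are strings" % var_name)
            if not length_ok(len(secret)):
                return False
        return True

    @staticmethod
    def validate_auth_secrets(secrets):
        ''' auth secrets must be at least 32 characters long '''
        return FilterModule._validate_secret_list(
            secrets, "openshift_master_session_auth_secrets", lambda n: n >= 32)

    @staticmethod
    def validate_encryption_secrets(secrets):
        ''' encryption secrets must be exactly 16, 24 or 32 characters long '''
        return FilterModule._validate_secret_list(
            secrets, "openshift_master_session_encryption_secrets", lambda n: n in (16, 24, 32))

    # … unchanged: filters() mapping …
```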
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 07ee4aca6..b7e9362cd 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -240,11 +240,21 @@
hosts: oo_first_master
pre_tasks:
- fail:
- msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set"
+ msg: >
+ Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set
when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined)
- fail:
- msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length"
+ msg: >
+ openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length
when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length)
+ - fail:
+ msg: >
+ Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters
+ when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool
+ - fail:
+ msg: >
+ Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters
+ when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool
roles:
- role: openshift_facts
post_tasks:
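Review bot: The reflowed equal-length message still names `openshift_master_encryption_secrets`, which does not match the `openshift_master_session_encryption_secrets` variable tested in the `when:` directly below it; the same text is repeated in roles/openshift_master/tasks/main.yml. Since the line is being rewritten anyway, `openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be equal length` would correct it in both files. The new checks also let empty lists through: both variables defined as `[]` pass the equal-length test and both validators, so a `length == 0` condition (or a check inside the filter) is worth adding unless the master accepts empty secret lists, which is not visible from here. The `| bool` after each validator is redundant because the filters already return booleans, though harmless.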
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 1c7fdfcf9..e6ddd1c49 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -11,11 +11,21 @@
# Session Options Validation
- fail:
- msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set"
+ msg: >
+ Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set
when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined)
- fail:
- msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length"
+ msg: >
+ openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length
when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length)
+- fail:
+ msg: >
+ Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters
+ when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool
+- fail:
+ msg: >
+ Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters
+ when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool
# HA Variable Validation
- fail: