From 51c5bad4b74c19ccb1d6f9d7b0fabe9bc310e54e Mon Sep 17 00:00:00 2001
From: Dougal Matthews
Date: Fri, 13 Nov 2015 12:39:14 +0000
Subject: [PATCH] Set NeutronMetadataProxySharedSecret

This patch uses the standard password generation functionality to randomly set the NeutronMetadataProxySharedSecret parameter. Without this parameter, Neutron has a blank value for it's shared secret. This value is used to to prevent spoofing, thus the default value of "unset" is bad. This exposes a potential attack vector.

Change-Id: Id1fcf9a61900c43207eaf16af3ef27d9cb9a17f8
Resolves: rhbz#1269786
---
 rdomanager_oscplugin/tests/test_utils.py | 8 +++++---
 .../tests/v1/overcloud_deploy/test_overcloud_deploy.py | 10 ++++++++--
 rdomanager_oscplugin/tests/v1/utils.py | 1 +
 rdomanager_oscplugin/utils.py | 1 +
 rdomanager_oscplugin/v1/overcloud_deploy.py | 4 ++++
 5 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/rdomanager_oscplugin/tests/test_utils.py b/rdomanager_oscplugin/tests/test_utils.py
index ececb3b..9b84387 100644
--- a/rdomanager_oscplugin/tests/test_utils.py
+++ b/rdomanager_oscplugin/tests/test_utils.py
@@ -34,6 +34,7 @@ class TestPasswordsUtil(TestCase):
 passwords = utils.generate_overcloud_passwords()
 self.assertEqual(sorted(mock_open().write.mock_calls), [
+ mock.call('NEUTRON_METADATA_PROXY_SHARED_SECRET=PASSWORD\n'),
 mock.call('OVERCLOUD_ADMIN_PASSWORD=PASSWORD\n'),
 mock.call('OVERCLOUD_ADMIN_TOKEN=PASSWORD\n'),
 mock.call('OVERCLOUD_CEILOMETER_PASSWORD=PASSWORD\n'),
@@ -48,9 +49,9 @@ class TestPasswordsUtil(TestCase):
 mock.call('OVERCLOUD_SWIFT_HASH=PASSWORD\n'),
 mock.call('OVERCLOUD_SWIFT_PASSWORD=PASSWORD\n'),
 ])
- self.assertEqual(generate_password_mock.call_count, 13)
+ self.assertEqual(generate_password_mock.call_count, 14)
 
- self.assertEqual(len(passwords), 13)
+ self.assertEqual(len(passwords), 14)
 
 @mock.patch("os.path.isfile", return_value=True)
 @mock.patch("rdomanager_oscplugin.utils._generate_password",
@@ -70,6 +71,7 @@ class TestPasswordsUtil(TestCase):
 'OVERCLOUD_NOVA_PASSWORD=PASSWORD\n',
 'OVERCLOUD_SWIFT_HASH=PASSWORD\n',
 'OVERCLOUD_SWIFT_PASSWORD=PASSWORD\n',
+ 'NEUTRON_METADATA_PROXY_SHARED_SECRET=PASSWORD\n',
 ]
 
 mock_open = mock.mock_open(read_data=''.join(PASSWORDS))
@@ -82,7 +84,7 @@ class TestPasswordsUtil(TestCase):
 mock_open().write.assert_not_called()
 generate_password_mock.assert_not_called()
 
- self.assertEqual(len(passwords), 13)
+ self.assertEqual(len(passwords), 14)
 
 
 class TestCheckHypervisorUtil(TestCase):
diff --git a/rdomanager_oscplugin/tests/v1/overcloud_deploy/test_overcloud_deploy.py b/rdomanager_oscplugin/tests/v1/overcloud_deploy/test_overcloud_deploy.py
index 2f2f1d5..2bd12b6 100644
--- a/rdomanager_oscplugin/tests/v1/overcloud_deploy/test_overcloud_deploy.py
+++ b/rdomanager_oscplugin/tests/v1/overcloud_deploy/test_overcloud_deploy.py
@@ -160,6 +160,7 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
 'NeutronDnsmasqOptions': 'dhcp-option-force=26,1400',
 'NeutronFlatNetworks': 'datacentre',
 'NeutronL3HA': False,
+ 'NeutronMetadataProxySharedSecret': 'password',
 'NeutronNetworkVLANRanges': 'datacentre:1:1000',
 'NeutronPassword': 'password',
 'NeutronPublicInterface': 'nic1',
@@ -322,13 +323,14 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
 'NeutronEnableTunnelling': 'True',
 'NeutronFlatNetworks': 'datacentre',
 'NeutronL3HA': False,
+ 'NeutronMetadataProxySharedSecret': 'password',
 'NeutronNetworkType': 'vxlan',
 'NeutronNetworkVLANRanges': 'datacentre:1:1000',
 'NeutronPassword': 'password',
 'NeutronPublicInterface': 'nic1',
- 'NeutronVniRanges': '1:1000',
 'NeutronTunnelIdRanges': ['1:1000'],
 'NeutronTunnelTypes': 'vxlan',
+ 'NeutronVniRanges': '1:1000',
 'NeutronVniRanges': ['1:1000'],
 'NovaComputeLibvirtType': 'kvm',
 'NovaImage': 'overcloud-full',
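Review bot: The expected-parameters dict in the `@@ -322,13 +323,14 @@` hunk still carries `'NeutronVniRanges'` twice: the re-added `'NeutronVniRanges': '1:1000',` line sits directly above `'NeutronVniRanges': ['1:1000'],`, and in a Python dict literal the later key wins, so the first entry is dead and the change merely relocates it instead of removing it. Keeping the removal and dropping the re-added line, so only `'NeutronVniRanges': ['1:1000'],` remains, makes the test expectation say what is actually compared. The same pair appears in the `@@ -474,13 +476,14 @@` hunk of this file. The dict literal starts and ends outside the hunk.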
@@ -474,13 +476,14 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
 'NeutronEnableTunnelling': 'True',
 'NeutronFlatNetworks': 'datacentre',
 'NeutronL3HA': False,
+ 'NeutronMetadataProxySharedSecret': 'password',
 'NeutronNetworkType': 'vxlan',
 'NeutronNetworkVLANRanges': 'datacentre:1:1000',
 'NeutronPassword': 'password',
 'NeutronPublicInterface': 'nic1',
- 'NeutronVniRanges': '1:1000',
 'NeutronTunnelIdRanges': ['1:1000'],
 'NeutronTunnelTypes': 'vxlan',
+ 'NeutronVniRanges': '1:1000',
 'NeutronVniRanges': ['1:1000'],
 'NovaComputeLibvirtType': 'kvm',
 'NovaImage': 'overcloud-full',
@@ -632,6 +635,7 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
 'Controller-1::NeutronDhcpAgentsPerNetwork': 3,
 'Controller-1::NeutronL3HA': True,
 'Controller-1::NeutronMechanismDrivers': 'linuxbridge',
+ 'Controller-1::NeutronMetadataProxySharedSecret': 'password',
 'Controller-1::NeutronPassword': 'password',
 'Controller-1::NovaPassword': 'password',
 'Controller-1::NtpServer': 'ntp.local',
@@ -749,6 +753,7 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
 'Controller-1::NeutronDhcpAgentsPerNetwork': 3,
 'Controller-1::NeutronL3HA': True,
 'Controller-1::NeutronMechanismDrivers': 'linuxbridge',
+ 'Controller-1::NeutronMetadataProxySharedSecret': 'password',
 'Controller-1::NeutronPassword': 'password',
 'Controller-1::NovaPassword': 'password',
 'Controller-1::NtpServer': 'ntp.local',
@@ -869,6 +874,7 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
 'Controller-1::NeutronBridgeMappings': 'datacentre:br-test',
 'Controller-1::NeutronDhcpAgentsPerNetwork': 3,
 'Controller-1::NeutronL3HA': True,
+ 'Controller-1::NeutronMetadataProxySharedSecret': 'password',
 'Controller-1::NeutronPassword': 'password',
 'Controller-1::NovaPassword': 'password',
 'Controller-1::NtpServer': 'ntp.local',
diff --git a/rdomanager_oscplugin/tests/v1/utils.py b/rdomanager_oscplugin/tests/v1/utils.py
index 1cbb855..71aa3d2 100644
--- a/rdomanager_oscplugin/tests/v1/utils.py
+++ b/rdomanager_oscplugin/tests/v1/utils.py
@@ -29,6 +29,7 @@ def generate_overcloud_passwords_mock():
 "OVERCLOUD_NOVA_PASSWORD",
 "OVERCLOUD_SWIFT_HASH",
 "OVERCLOUD_SWIFT_PASSWORD",
+ "NEUTRON_METADATA_PROXY_SHARED_SECRET",
 )
 
 return dict((password, 'password') for password in passwords)
diff --git a/rdomanager_oscplugin/utils.py b/rdomanager_oscplugin/utils.py
index 470c1b5..704842d 100644
--- a/rdomanager_oscplugin/utils.py
+++ b/rdomanager_oscplugin/utils.py
@@ -86,6 +86,7 @@ def generate_overcloud_passwords(output_file="tripleo-overcloud-passwords"):
 "OVERCLOUD_NOVA_PASSWORD",
 "OVERCLOUD_SWIFT_HASH",
 "OVERCLOUD_SWIFT_PASSWORD",
+ "NEUTRON_METADATA_PROXY_SHARED_SECRET",
 )
 
 passwords = dict((p, _generate_password()) for p in password_names)
diff --git a/rdomanager_oscplugin/v1/overcloud_deploy.py b/rdomanager_oscplugin/v1/overcloud_deploy.py
index 8db92de..654ec71 100644
--- a/rdomanager_oscplugin/v1/overcloud_deploy.py
+++ b/rdomanager_oscplugin/v1/overcloud_deploy.py
@@ -134,6 +134,8 @@ class DeployOvercloud(command.Command):
 parameters['SwiftPassword'] = passwords['OVERCLOUD_SWIFT_PASSWORD']
 parameters['SnmpdReadonlyUserPassword'] = (
 undercloud_ceilometer_snmpd_password)
+ parameters['NeutronMetadataProxySharedSecret'] = (
+ passwords['NEUTRON_METADATA_PROXY_SHARED_SECRET'])
 else:
 parameters['Controller-1::AdminPassword'] = passwords[
 'OVERCLOUD_ADMIN_PASSWORD']
@@ -175,6 +177,8 @@ class DeployOvercloud(command.Command):
 passwords['OVERCLOUD_SWIFT_HASH'])
 parameters['Controller-1::SwiftPassword'] = (
 passwords['OVERCLOUD_SWIFT_PASSWORD'])
+ parameters['Controller-1::NeutronMetadataProxySharedSecret'] = (
+ passwords['NEUTRON_METADATA_PROXY_SHARED_SECRET'])
 
 def _get_stack(self, orchestration_client, stack_name):
 """Get the ID for the current deployed overcloud stack if it exists."""
-- 
2.4.3
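Review bot: The name appended to `password_names` in the `@@ -86,6 +86,7 @@` hunk of utils.py only takes effect on the generation path; the `os.path.isfile` case in test_utils.py (`generate_password_mock.assert_not_called()`, 14 entries read back) suggests an existing `tripleo-overcloud-passwords` file is returned as read, so a file written by a release before this change will lack `NEUTRON_METADATA_PROXY_SHARED_SECRET` and the two lookups added in overcloud_deploy.py (`@@ -134,6 +134,8 @@` and `@@ -175,6 +177,8 @@`) will raise `KeyError` at deploy time — inferred, since the read branch of `generate_overcloud_passwords` lies outside the hunk. I would have the read branch top up any name in `password_names` that is missing from the file with a fresh `_generate_password()` and append it, so an upgraded undercloud neither crashes nor deploys with the shared secret left blank, which is the very condition the commit message sets out to remove. A smaller point of style: every other entry carries the `OVERCLOUD_` prefix, so `OVERCLOUD_NEUTRON_METADATA_PROXY_SHARED_SECRET` would keep the file's naming consistent across this hunk, tests/v1/utils.py and the two overcloud_deploy.py lookups. The rest of `generate_overcloud_passwords` starts and ends outside the hunk.
```python
    # … unchanged: password_names tuple and the existing-file read branch (outside hunk) …
    # NOTE(review): assumes the read branch leaves the parsed file in `passwords`
    # and that the file is one NAME=value per line, as the tests' write calls show.
    missing = [p for p in password_names if p not in passwords]
    if missing:
        with open(output_file, 'a') as f:
            for p in missing:
                passwords[p] = _generate_password()
                f.write("%s=%s\n" % (p, passwords[p]))
```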