TripleO should configure and validate server_certs_key_passphrase to be 32 chars long

Bug #1833942 reported by Nir Magnezi on 2019-06-24
Affects: tripleo
Importance: Undecided
Assigned to: Nir Magnezi

Bug Description

Description of problem:
Initially reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1723051

The following patches added support for the Octavia configuration option named server_certs_key_passphrase:

tripleo-heat-templates https://review.opendev.org/#/c/647467/
tripleo-common https://review.opendev.org/#/c/647413/
puppet-octavia https://review.opendev.org/#/c/647502/

With those, TripleO will auto-generate a passphrase to avoid falling back to a non-secure default passphrase.

The mentioned passphrase is used for a Fernet key and should be 32 characters long. See: https://bugzilla.redhat.com/show_bug.cgi?id=1723051#c3

We should:
1. Generate a passphrase of that length.
2. Validate that operator-provided passphrase obeys the same rule.
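The two items above, generation and validation, as an added worked example. This is illustration code written for this page, not code from tripleo-common, tripleo-heat-templates or Octavia. It assumes (not stated on this page) that Octavia turns the passphrase into a Fernet key with base64.urlsafe_b64encode(passphrase.encode()), so that a valid Fernet key (the url-safe base64 encoding of exactly 32 raw bytes) requires the passphrase itself to be exactly 32 bytes. It also restricts the alphabet to ASCII letters and digits, an assumption chosen so that "32 characters" (the Heat-side constraint) and "32 bytes" (the tripleo-common commit title) mean the same thing; a 32-character value containing a non-ASCII character would be longer than 32 bytes and still break the Fernet key.

```python
"""Added example: generate and validate a server_certs_key_passphrase usable
as a Fernet key. Not project code; see the assumptions in the docstrings."""
import base64
import secrets
import string

PASSPHRASE_LEN = 32                              # bytes a Fernet key needs
ALPHABET = string.ascii_letters + string.digits  # assumption: 1 char == 1 byte


def generate_passphrase() -> str:
    """Return a random 32-character passphrase from the OS CSPRNG.

    Assumption: this mirrors the intent of the tripleo-common change (auto-
    generate a valid value), not its actual password generator.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSPHRASE_LEN))


def validate_passphrase(passphrase: str) -> None:
    """Raise ValueError unless an operator-provided value is acceptable.

    The byte length is checked, not the character count, because the value is
    encoded to bytes before it becomes a Fernet key.
    """
    if not isinstance(passphrase, str):
        raise ValueError("server_certs_key_passphrase must be a string")
    raw = passphrase.encode("utf-8")
    if len(raw) != PASSPHRASE_LEN:
        raise ValueError(
            "server_certs_key_passphrase must be exactly %d bytes long, got %d"
            % (PASSPHRASE_LEN, len(raw)))
    if any(ch not in ALPHABET for ch in passphrase):
        raise ValueError(
            "server_certs_key_passphrase must contain only ASCII letters and digits")


def fernet_key_from_passphrase(passphrase: str) -> bytes:
    """Build the Fernet key under the assumption stated in the lead-in and
    re-check it the way a Fernet constructor does: url-safe base64 that
    decodes to exactly 32 bytes. Uses only the standard library so it runs
    without the cryptography package installed."""
    key = base64.urlsafe_b64encode(passphrase.encode("utf-8"))
    if len(base64.urlsafe_b64decode(key)) != 32:
        raise ValueError("Fernet key must be 32 url-safe base64-encoded bytes.")
    return key


def is_valid_passphrase(passphrase: str) -> bool:
    """True when the value passes both our validation and the Fernet key check."""
    try:
        validate_passphrase(passphrase)
        fernet_key_from_passphrase(passphrase)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    generated = generate_passphrase()
    print("generated:", generated, "valid:", is_valid_passphrase(generated))
    # Constructed bad inputs: too short, too long, and 32 chars but 33 bytes.
    for bad in ("tooshort", "a" * 33, "\u00e9" + "a" * 31):
        print(repr(bad), "valid:", is_valid_passphrase(bad))
```

The generator is what a deployment tool would run when no value is supplied; the validator is what it would run on an operator-supplied one before writing the Octavia config, so a bad value is rejected at deploy time instead of surfacing later as a Fernet error inside Octavia.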

Nir Magnezi (nmagnezi) on 2019-06-24
Changed in tripleo:
assignee: nobody → Nir Magnezi (nmagnezi)
Nir Magnezi (nmagnezi) on 2019-06-24
description: updated
description: updated
description: updated
Changed in tripleo:
status: New → In Progress

Reviewed: https://review.opendev.org/666971
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=de2ab55824cf96a96ac0ba9ec2a1eaccbb0f6fa2
Submitter: Zuul
Branch: master

commit de2ab55824cf96a96ac0ba9ec2a1eaccbb0f6fa2
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 00:54:19 2019 +0300

    Ensure that OctaviaServerCertsKeyPassphrase is 32-byte long

    Related-Bug: #1833942

    Change-Id: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989

Change abandoned by Nir Magnezi (<email address hidden>) on branch: stable/stein
Review: https://review.opendev.org/669657
Reason: Temporarily abandoning this patch to merge https://review.opendev.org/#/c/666987/ into master. will restore afterwards.

Change abandoned by Nir Magnezi (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/669829
Reason: Temporarily abandoning this patch to merge https://review.opendev.org/#/c/666987/ into master. will restore afterwards.

Change abandoned by Nir Magnezi (<email address hidden>) on branch: stable/rocky
Review: https://review.opendev.org/669825
Reason: Temporarily abandoning this patch to merge https://review.opendev.org/#/c/666987/ into master. will restore afterwards.

Reviewed: https://review.opendev.org/666987
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=a6fef3aad6f6f3171eb38b7d25c62a5bb485e67f
Submitter: Zuul
Branch: master

commit a6fef3aad6f6f3171eb38b7d25c62a5bb485e67f
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 16:10:50 2019 +0300

    Adds constraint: OctaviaServerCertsKeyPassphrase must be 32 chars long

    Closes-bug: #1833942

    Depends-On: I5c2629d9e7700fe1dd6f915bc257b1f058e40617
    Depends-On: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989
    Change-Id: I886f2b8ac7092d9b3da38852e92a615d5666eea7

Changed in tripleo:
status: In Progress → Fix Released

Reviewed: https://review.opendev.org/669657
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=94620dd5e67fa3a0775b2df1ae312533e392a7f9
Submitter: Zuul
Branch: stable/stein

commit 94620dd5e67fa3a0775b2df1ae312533e392a7f9
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 00:54:19 2019 +0300

    Ensure that OctaviaServerCertsKeyPassphrase is 32-byte long

    Related-Bug: #1833942

    Change-Id: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989
    (cherry picked from commit de2ab55824cf96a96ac0ba9ec2a1eaccbb0f6fa2)

tags: added: in-stable-stein

Reviewed: https://review.opendev.org/669667
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=cfb8e97867e2cd546efcb46303ae8583765d3876
Submitter: Zuul
Branch: stable/stein

commit cfb8e97867e2cd546efcb46303ae8583765d3876
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 16:10:50 2019 +0300

    Adds constraint: OctaviaServerCertsKeyPassphrase must be 32 chars long

    Closes-bug: #1833942

    Depends-On: I5c2629d9e7700fe1dd6f915bc257b1f058e40617
    Depends-On: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989
    Change-Id: I886f2b8ac7092d9b3da38852e92a615d5666eea7
    (cherry picked from commit a6fef3aad6f6f3171eb38b7d25c62a5bb485e67f)

Change abandoned by Nir Magnezi (<email address hidden>) on branch: stable/rocky
Review: https://review.opendev.org/669856

Change abandoned by Nir Magnezi (<email address hidden>) on branch: stable/rocky
Review: https://review.opendev.org/669825

Change abandoned by Nir Magnezi (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/669848

Reviewed: https://review.opendev.org/669141
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=1f3088c4aa2612a772e023f14fafc72c61c6cb07
Submitter: Zuul
Branch: master

commit 1f3088c4aa2612a772e023f14fafc72c61c6cb07
Author: Nir Magnezi <email address hidden>
Date: Thu Jul 4 13:46:36 2019 +0300

    CI should auto-generate server_certs_key_passphrase

    Bug 1833942 showed that in a case where the generated value of
    server_certs_key_passphrase is invalid, Octavia will fail to operate.

    In CI, we currently provide a pre-defined passphrase that might cover
    for potential breakages in the future. This patch removes the
    pre-defined passphrase so it will get generated on each run.

    Note that TripleO will now[1] either auto-generate a valid passphrase
    or validate a pre-defined one.

    Related-Bug: #1833942

    [1] https://review.opendev.org/#/q/topic:OctaviaServerCertsKeyPassphrase-32chars

    Depends-On: I5c2629d9e7700fe1dd6f915bc257b1f058e40617
    Depends-On: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989
    Depends-On: I886f2b8ac7092d9b3da38852e92a615d5666eea7

    Change-Id: Ie596b04614c2ca9d961694f4012c1553a092aa3e

This issue was fixed in the openstack/tripleo-heat-templates 11.1.0 release.

Change abandoned by Nir Magnezi (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/669854

Reviewed: https://review.opendev.org/669825
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=35913d62664424075392dcaca6324164fb19380a
Submitter: Zuul
Branch: stable/rocky

commit 35913d62664424075392dcaca6324164fb19380a
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 00:54:19 2019 +0300

    Ensure that OctaviaServerCertsKeyPassphrase is 32-byte long

    Related-Bug: #1833942

    Change-Id: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989
    (cherry picked from commit de2ab55824cf96a96ac0ba9ec2a1eaccbb0f6fa2)
    (cherry picked from commit 94620dd5e67fa3a0775b2df1ae312533e392a7f9)

tags: added: in-stable-rocky

Reviewed: https://review.opendev.org/669670
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=680f341f19060ffa42b6c832018874656a4f339a
Submitter: Zuul
Branch: stable/stein

commit 680f341f19060ffa42b6c832018874656a4f339a
Author: Nir Magnezi <email address hidden>
Date: Thu Jul 4 13:46:36 2019 +0300

    CI should auto-generate server_certs_key_passphrase

    Bug 1833942 showed that in a case where the generated value of
    server_certs_key_passphrase is invalid, Octavia will fail to operate.

    In CI, we currently provide a pre-defined passphrase that might cover
    for potential breakages in the future. This patch removes the
    pre-defined passphrase so it will get generated on each run.

    Note that TripleO will now[1] either auto-generate a valid passphrase
    or validate a pre-defined one.

    Related-Bug: #1833942

    [1] https://review.opendev.org/#/q/topic:OctaviaServerCertsKeyPassphrase-32chars

    Depends-On: https://review.opendev.org/#/c/669653/
    Depends-On: https://review.opendev.org/#/c/669657/
    Depends-On: https://review.opendev.org/#/c/669667/

    Change-Id: Ie596b04614c2ca9d961694f4012c1553a092aa3e
    (cherry picked from commit 1f3088c4aa2612a772e023f14fafc72c61c6cb07)

Reviewed: https://review.opendev.org/669856
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=992ad5437cf21696958ca86f6675d23848f7c547
Submitter: Zuul
Branch: stable/rocky

commit 992ad5437cf21696958ca86f6675d23848f7c547
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 16:10:50 2019 +0300

    Adds constraint: OctaviaServerCertsKeyPassphrase must be 32 chars long

    Conflicts:
          deployment/octavia/octavia-base.yaml

    Closes-bug: #1833942

    Depends-On: https://review.opendev.org/#/c/669822/
    Depends-On: https://review.opendev.org/#/c/669825/
    Change-Id: I886f2b8ac7092d9b3da38852e92a615d5666eea7
    (cherry picked from commit a6fef3aad6f6f3171eb38b7d25c62a5bb485e67f)
    (cherry picked from commit cfb8e97867e2cd546efcb46303ae8583765d3876)

Reviewed: https://review.opendev.org/669829
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=32d7bb44ab61cb0fcca1a78dfa822511d1d640d4
Submitter: Zuul
Branch: stable/queens

commit 32d7bb44ab61cb0fcca1a78dfa822511d1d640d4
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 00:54:19 2019 +0300

    Ensure that OctaviaServerCertsKeyPassphrase is 32-byte long

    Conflicts:
          tripleo_common/utils/passwords.py

    Related-Bug: #1833942

    Change-Id: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989
    (cherry picked from commit de2ab55824cf96a96ac0ba9ec2a1eaccbb0f6fa2)
    (cherry picked from commit 94620dd5e67fa3a0775b2df1ae312533e392a7f9)
    (cherry picked from commit 35913d62664424075392dcaca6324164fb19380a)

tags: added: in-stable-queens

Reviewed: https://review.opendev.org/669848
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b2065e2be485c756d4bdd868c9594e47d5b80373
Submitter: Zuul
Branch: stable/queens

commit b2065e2be485c756d4bdd868c9594e47d5b80373
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 16:10:50 2019 +0300

    Adds constraint: OctaviaServerCertsKeyPassphrase must be 32 chars long

    Conflicts:
          deployment/octavia/octavia-base.yaml

    Closes-bug: #1833942

    Depends-On: https://review.opendev.org/#/c/669824/
    Depends-On: https://review.opendev.org/#/c/669829/
    Change-Id: I886f2b8ac7092d9b3da38852e92a615d5666eea7
    (cherry picked from commit a6fef3aad6f6f3171eb38b7d25c62a5bb485e67f)
    (cherry picked from commit cfb8e97867e2cd546efcb46303ae8583765d3876)
    (cherry picked from commit 992ad5437cf21696958ca86f6675d23848f7c547)

Reviewed: https://review.opendev.org/669831
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=31b9d601759a71670a8213bfd0550d9d059e34aa
Submitter: Zuul
Branch: stable/rocky

commit 31b9d601759a71670a8213bfd0550d9d059e34aa
Author: Nir Magnezi <email address hidden>
Date: Thu Jul 4 13:46:36 2019 +0300

    CI should auto-generate server_certs_key_passphrase

    Bug 1833942 showed that in a case where the generated value of
    server_certs_key_passphrase is invalid, Octavia will fail to operate.

    In CI, we currently provide a pre-defined passphrase that might cover
    for potential breakages in the future. This patch removes the
    pre-defined passphrase so it will get generated on each run.

    Note that TripleO will now[1] either auto-generate a valid passphrase
    or validate a pre-defined one.

    Related-Bug: #1833942

    [1] https://review.opendev.org/#/q/topic:OctaviaServerCertsKeyPassphrase-32chars

    Depends-On: https://review.opendev.org/#/c/669822/
    Depends-On: https://review.opendev.org/#/c/669825/
    Depends-On: https://review.opendev.org/#/c/669856/

    Change-Id: Ie596b04614c2ca9d961694f4012c1553a092aa3e
    (cherry picked from commit 1f3088c4aa2612a772e023f14fafc72c61c6cb07)
    (cherry picked from commit 680f341f19060ffa42b6c832018874656a4f339a)

This issue was fixed in the openstack/tripleo-heat-templates 10.6.1 release.

This issue was fixed in the openstack/tripleo-heat-templates 9.4.1 release.

This issue was fixed in the openstack/tripleo-heat-templates 8.4.1 release.

Reviewed: https://review.opendev.org/669854
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=a6e81dbfaf8f86ac316f41e92cb9ff3095570808
Submitter: Zuul
Branch: stable/queens

commit a6e81dbfaf8f86ac316f41e92cb9ff3095570808
Author: Nir Magnezi <email address hidden>
Date: Thu Jul 4 13:46:36 2019 +0300

    CI should auto-generate server_certs_key_passphrase

    Bug 1833942 showed that in a case where the generated value of
    server_certs_key_passphrase is invalid, Octavia will fail to operate.

    In CI, we currently provide a pre-defined passphrase that might cover
    for potential breakages in the future. This patch removes the
    pre-defined passphrase so it will get generated on each run.

    Note that TripleO will now[1] either auto-generate a valid passphrase
    or validate a pre-defined one.

    Related-Bug: #1833942

    [1] https://review.opendev.org/#/q/topic:OctaviaServerCertsKeyPassphrase-32chars

    Depends-On: https://review.opendev.org/#/c/669824/
    Depends-On: https://review.opendev.org/#/c/669829/
    Depends-On: https://review.opendev.org/#/c/669848/

    Change-Id: Ie596b04614c2ca9d961694f4012c1553a092aa3e
    (cherry picked from commit 1f3088c4aa2612a772e023f14fafc72c61c6cb07)
    (cherry picked from commit 680f341f19060ffa42b6c832018874656a4f339a)
    (cherry picked from commit 31b9d601759a71670a8213bfd0550d9d059e34aa)
