
Secrets validation.

Andrew Butcher 9 years ago
parent
commit
ef014ae06a

+ 28 - 1
filter_plugins/openshift_master.py

@@ -463,7 +463,34 @@ class FilterModule(object):
         IdentityProviderBase.validate_idp_list(idp_list)
         return yaml.safe_dump([idp.to_dict() for idp in idp_list], default_flow_style=False)
 
+    @staticmethod
+    def validate_auth_secrets(secrets):
+        ''' validate type and length '''
+
+        if not issubclass(type(secrets), list):
+            raise errors.AnsibleFilterError("|failed expects openshift_master_session_auth_secrets is a list")
+
+        for secret in secrets:
+            if len(secret) < 32:
+                return False
+        return True
+
+    @staticmethod
+    def validate_encryption_secrets(secrets):
+        ''' validate type and length '''
+
+        if not issubclass(type(secrets), list):
+            raise errors.AnsibleFilterError("|failed expects openshift_master_session_encryption_secrets is a list")
+
+        for secret in secrets:
+            if len(secret) not in [16, 24, 32]:
+                return False
+        return True
 
     def filters(self):
         ''' returns a mapping of filters to methods '''
-        return {"translate_idps": self.translate_idps}
+        return {
+            "translate_idps": self.translate_idps,
+            "validate_auth_secrets": self.validate_auth_secrets,
+            "validate_encryption_secrets": self.validate_encryption_secrets
+        }
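Review bot: `len(secret)` on the new lines 25 and 37 assumes every list element is a string; an element that YAML parsed as an int, bool or None (a purely numeric secret, for example) raises a bare TypeError instead of the AnsibleFilterError that the list-type check just above produces, so the playbook's tailored `fail` message never fires. A per-element guard such as `if not isinstance(secret, basestring): raise errors.AnsibleFilterError("|failed expects each secret to be a string")` (or `str` if the plugin targets Python 3) keeps the error path uniform; `isinstance(secrets, list)` is also the idiomatic form of the `issubclass(type(secrets), list)` check on lines 21 and 33. Note too that `len()` counts code points, not bytes; if the encryption secrets are consumed as AES keys the 16/24/32 limit presumably applies to the encoded byte length, so `len(secret.encode('utf-8'))` would be the stricter check — worth confirming against the consumer. Both validators also return True for an empty list, which the playbook's equal-length check then accepts; if an empty secrets list is not a valid configuration, neither filter rejects it.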

+ 12 - 2
playbooks/common/openshift-master/config.yml

@@ -240,11 +240,21 @@
   hosts: oo_first_master
   pre_tasks:
   - fail:
-      msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set"
+      msg: >
+        Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set
     when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined)
   - fail:
-      msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length"
+      msg: >
+        openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length
     when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length)
+  - fail:
+      msg: >
+        Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters
+    when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool
+  - fail:
+      msg: >
+        Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters
+    when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool
   roles:
   - role: openshift_facts
   post_tasks:
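Review bot: The message on line 64 names `openshift_master_encryption_secrets`, but the variable the `when` on line 65 actually tests is `openshift_master_session_encryption_secrets`; since the line is being rewritten into a folded scalar anyway, the name should read `openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be equal length`. The same mismatch appears on line 92 of roles/openshift_master/tasks/main.yml, where the four checks are duplicated verbatim. The folded scalars introduced on lines 58, 63, 67 and 71 (and their counterparts in the role) use `>`, which keeps a trailing newline in the message; `>-` strips it, which is the usual choice for a single-line `fail` message. The new length checks on lines 66-73 only trigger when the filter returns False, so if an element is not a string the filter's own exception is what the operator sees rather than these messages — acceptable, but worth knowing when reading a failed run.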

+ 12 - 2
roles/openshift_master/tasks/main.yml

@@ -11,11 +11,21 @@
 
 # Session Options Validation
 - fail:
-    msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set"
+    msg: >
+      Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set
   when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined)
 - fail:
-    msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length"
+    msg: >
+      openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length
   when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length)
+- fail:
+    msg: >
+      Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters
+  when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool
+- fail:
+    msg: >
+      Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters
+  when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool
 
 # HA Variable Validation
 - fail: