Bug #7323 (closed)
[SSO] [API] [Workbench] Have config:check sanity check secrets
Status: Closed
Priority: Normal
Assigned To: -
Category: -
Target version: -
Story points: -
Description
Short secrets pass the config:check rake task, but then the server refuses to run with them. Extend config:check to do all the same sanity checks on these settings as the underlying code.
Updated by Brett Smith over 8 years ago
- Target version set to Arvados Future Sprints
Updated by Brett Smith over 8 years ago
SSO server might be the only server that actually enforces this currently. Then another question comes up: do we want to enforce a minimum secret length in other servers? Ward says yes, which makes sense for security.
Updated by Brett Smith over 8 years ago
Apparently this is only enforced on blob_signing_key in the API server.
Updated by Brett Smith over 8 years ago
Not correct, but the error only happens when the server actually receives a request. Then you get:
ArgumentError (Secret should be something secure, like "ac6ae2f2d43b746ce6237029adeaeb47". The value you provided, "ng", is shorter than the minimum length of 30 characters): app/middlewares/arvados_api_token.rb:59:in `call'
That line just calls the app, so the real check is not in our code. That said, "minimum length of 30 characters" is easy to add to our own checks.
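The kind of check the comment above is asking for, as an added example written for this ticket rather than code from the Arvados repository: a config:check-style pass over the secret settings that applies the 30-character minimum quoted in the error, reports every failing setting at once (instead of failing on the first request, as the server does), and never echoes the secret value itself. The module name, the secret_token setting and the hash-based config shape are assumptions for the example; blob_signing_key and the 30-character limit come from the ticket.

```ruby
require 'securerandom'

# Added example (not Arvados code): sanity-check secret settings at config
# time, the way a config:check rake task would, so an operator learns about a
# bad secret before the server refuses a request.
module SecretSanity
  # Minimum length quoted in the ArgumentError in this ticket.
  MIN_SECRET_LENGTH = 30

  # Settings that must hold a secret. blob_signing_key is from the ticket;
  # secret_token is an assumed placeholder for any other secret the app reads.
  SECRET_SETTINGS = %w[blob_signing_key secret_token].freeze

  # Returns an array of human-readable problems; empty means every secret
  # passes. Messages report the length, never the secret itself, so the
  # output is safe to paste into a ticket or log.
  def self.problems(config, min_length: MIN_SECRET_LENGTH)
    SECRET_SETTINGS.flat_map do |name|
      value = config[name].to_s
      if value.strip.empty?
        ["#{name}: not set; generate one with SecureRandom.hex(16)"]
      elsif value.length < min_length
        ["#{name}: is #{value.length} characters, shorter than the minimum of #{min_length}"]
      else
        []
      end
    end
  end

  # What the rake task would call: returns true when all secrets pass,
  # otherwise raises once with every problem listed.
  def self.check!(config)
    found = problems(config)
    return true if found.empty?

    raise ArgumentError, "config:check found insecure secrets:\n  " + found.join("\n  ")
  end

  # A value that satisfies the check: 16 random bytes as 32 hex characters,
  # the same shape as the example the server's error message suggests.
  def self.suggested_secret
    SecureRandom.hex(16)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample config reproducing the ticket: a two-character key.
  sample = { 'blob_signing_key' => 'ng', 'secret_token' => SecretSanity.suggested_secret }
  SecretSanity.problems(sample).each { |problem| puts problem }
end
```

Running the file with the constructed sample reports only blob_signing_key, because the generated secret_token already meets the minimum. Note that the server-side error quoted above prints the offending value ("ng") into the log; a check that runs from an operator's shell should avoid that, which is why the messages here give only the length.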
Updated by Ward Vandewege over 3 years ago
- Target version deleted (Arvados Future Sprints)