Bug #7323

closed

[SSO] [API] [Workbench] Have config:check sanity check secrets

Added by Brett Smith over 8 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assigned To: -
Category: -
Target version: -
Story points: -

Description

Short secrets pass the config:check rake task, but then the server refuses to run with them. Extend config:check to do all the same sanity checks on these settings as the underlying code.

Actions #1

Updated by Brett Smith over 8 years ago

  • Target version set to Arvados Future Sprints
Actions #2

Updated by Brett Smith over 8 years ago

SSO server might be the only server that actually enforces this currently. Then another question comes up: do we want to enforce a minimum secret length in other servers? Ward says yes, which makes sense for security.

Actions #3

Updated by Brett Smith over 8 years ago

Apparently this is only enforced on blob_signing_key in API server.

Actions #4

Updated by Brett Smith over 8 years ago

Not correct, but the error only happens when the server actually receives a request. Then you get:

ArgumentError (Secret should be something secure, like "ac6ae2f2d43b746ce6237029adeaeb47". The value you provided, "ng", is shorter than the minimum length of 30 characters):
  app/middlewares/arvados_api_token.rb:59:in `call'

That line just calls the app, so the real check is not in our code. That said, "minimum length of 30 characters" is easy to add to our own checks.
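
One way to fold that minimum-length check into a config:check-style task, as an added example that is not Arvados code: the setting names come from this thread, while the config hash layout, the function names and the "not set" case are assumptions.

```ruby
require 'securerandom'

# Mirrors the 30-character minimum quoted in the ArgumentError above.
MIN_SECRET_LENGTH = 30

# Settings that must hold a real secret. Names are taken from this thread;
# treating them as a flat string-keyed hash is an assumption of this example.
SECRET_SETTINGS = %w[secret_token blob_signing_key].freeze

# Returns an array of problem strings; an empty array means the secrets pass.
# Reporting every problem at once (rather than raising on the first) lets
# config:check show the operator the whole list before the server is started.
def check_secrets(config)
  SECRET_SETTINGS.each_with_object([]) do |key, problems|
    value = config[key].to_s
    if value.empty?
      problems << "#{key}: not set"
    elsif value.length < MIN_SECRET_LENGTH
      problems << "#{key}: the value you provided, #{value.inspect}, is shorter " \
                  "than the minimum length of #{MIN_SECRET_LENGTH} characters"
    end
  end
end

# A replacement of the same shape as the one the middleware suggests:
# 16 random bytes rendered as 32 hex characters, comfortably over the minimum.
def suggest_secret
  SecureRandom.hex(16)
end

# Stand-alone run over a constructed config that reuses the short "ng" value
# from the error message quoted in this thread.
if __FILE__ == $PROGRAM_NAME
  sample = { 'secret_token' => 'ng', 'blob_signing_key' => suggest_secret }
  check_secrets(sample).each { |problem| warn "config:check: #{problem}" }
end
```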

Actions #5

Updated by Ward Vandewege over 3 years ago

  • Status changed from New to Closed
Actions #6

Updated by Ward Vandewege over 3 years ago

  • Target version deleted (Arvados Future Sprints)