Bug #7323

[SSO] [API] [Workbench] Have config:check sanity check secrets

Added by Brett Smith over 4 years ago. Updated over 4 years ago.

Assigned To:
Target version:
Start date:
Due date:
% Done:


Estimated time:
Story points:


Short secrets pass the config:check rake task, but then the server refuses to run with them. Extend config:check to do all the same sanity checks on these settings as the underlying code.


#1 Updated by Brett Smith over 4 years ago

  • Target version set to Arvados Future Sprints

#2 Updated by Brett Smith over 4 years ago

SSO server might be the only server actually enforces this currently. Then another question comes up: do we want to enforce a minimum secret length in other servers? Ward says yes, which makes sense for security.

#3 Updated by Brett Smith over 4 years ago

Apparently this is only enforced on blob_signing_key in API server.

#4 Updated by Brett Smith over 4 years ago

Not correct, but the error only happens when the server actually receives a request. Then you get:

ArgumentError (Secret should be something secure, like "ac6ae2f2d43b746ce6237029adeaeb47". The value you provided, "ng", is shorter than the minimum length of 30 characters):
  app/middlewares/arvados_api_token.rb:59:in `call'

That line just calls the app, so the real check is not in our code. That said, "minimum length of 30 characters" is easy to add to our own checks.

Also available in: Atom PDF