diff options
-rw-r--r-- | filter_plugins/openshift_master.py | 29 | ||||
-rw-r--r-- | playbooks/common/openshift-master/config.yml | 14 | ||||
-rw-r--r-- | roles/openshift_master/tasks/main.yml | 14 |
3 files changed, 52 insertions, 5 deletions
diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py index f12017967..40c1083e0 100644 --- a/filter_plugins/openshift_master.py +++ b/filter_plugins/openshift_master.py @@ -463,7 +463,34 @@ class FilterModule(object): IdentityProviderBase.validate_idp_list(idp_list) return yaml.safe_dump([idp.to_dict() for idp in idp_list], default_flow_style=False) + @staticmethod + def validate_auth_secrets(secrets): + ''' validate type and length ''' + + if not issubclass(type(secrets), list): + raise errors.AnsibleFilterError("|failed expects openshift_master_session_auth_secrets is a list") + + for secret in secrets: + if len(secret) < 32: + return False + return True + + @staticmethod + def validate_encryption_secrets(secrets): + ''' validate type and length ''' + + if not issubclass(type(secrets), list): + raise errors.AnsibleFilterError("|failed expects openshift_master_session_encryption_secrets is a list") + + for secret in secrets: + if len(secret) not in [16, 24, 32]: + return False + return True def filters(self): ''' returns a mapping of filters to methods ''' - return {"translate_idps": self.translate_idps} + return { + "translate_idps": self.translate_idps, + "validate_auth_secrets": self.validate_auth_secrets, + "validate_encryption_secrets": self.validate_encryption_secrets + } diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 07ee4aca6..b7e9362cd 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -240,11 +240,21 @@ hosts: oo_first_master pre_tasks: - fail: - msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set" + msg: > + Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined) - fail: - msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length" + msg: > + openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) + - fail: + msg: > + Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters + when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool + - fail: + msg: > + Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters + when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool roles: - role: openshift_facts post_tasks: diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 1c7fdfcf9..e6ddd1c49 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -11,11 +11,21 @@ # Session Options Validation - fail: - msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set" + msg: > + Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined) - fail: - msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length" + msg: > + openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) +- fail: + msg: > + Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters + when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool +- fail: + msg: > + Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters + when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool # HA Variable Validation - fail: |