Validate AuthEncryptionKey length

controllers/heat_controller.go

@@ -952,7 +952,10 @@ func (r *HeatReconciler) generateServiceSecrets(
 		return err
 	}
 	password := strings.TrimSuffix(string(ospSecret.Data[instance.Spec.PasswordSelectors.Service]), "\n")
-	authEncryptionKey := strings.TrimSuffix(string(ospSecret.Data[instance.Spec.PasswordSelectors.AuthEncryptionKey]), "\n")
+	authEncryptionKey, err := validateAuthEncryptionKey(instance, ospSecret)
+	if err != nil {
+		return err
+	}
 
 	transportURLSecret, _, err := oko_secret.GetSecret(ctx, h, instance.Status.TransportURLSecret, instance.Namespace)
 	if err != nil {
@@ -1347,3 +1350,18 @@ func renderVhost(instance *heatv1beta1.Heat, endpt service.Endpoint, serviceName
 
 	return httpdVhostConfig
 }
+
+// validateAuthEncryptionKey - the heat_auth_encrption_key needs to be 32 characters long. This function validates
+// the length of the user provided key and returns an error if it isn't long enough.
+func validateAuthEncryptionKey(instance *heatv1beta1.Heat, ospSecret *corev1.Secret) (string, error) {
+	const HeatAuthEncKeyLen int = 32
+
+	heatAuthEncKey := strings.TrimSuffix(string(ospSecret.Data[instance.Spec.PasswordSelectors.AuthEncryptionKey]), "\n")
+
+	if len(heatAuthEncKey) < HeatAuthEncKeyLen {
+		return "", fmt.Errorf("AuthEncryptionKey must be at least %d characters", HeatAuthEncKeyLen)
+	}
+
+	return heatAuthEncKey, nil
+
+}

tests/functional/base_test.go

@@ -34,6 +34,9 @@ func GetDefaultHeatSpec() map[string]interface{} {
 		"heatEngine":       GetDefaultHeatEngineSpec(),
 		"heatAPI":          GetDefaultHeatAPISpec(),
 		"heatCfnAPI":       GetDefaultHeatCFNAPISpec(),
+		"passwordSelectors": map[string]interface{}{
+			"AuthEncryptionKey": "HeatAuthEncryptionKey",
+		},
 	}
 }
 
@@ -75,8 +78,8 @@ func CreateHeatSecret(namespace string, name string) *corev1.Secret {
 	return th.CreateSecret(
 		types.NamespacedName{Namespace: namespace, Name: name},
 		map[string][]byte{
-			"HeatPassword":      []byte("12345678"),
-			"AuthEncryptionKey": []byte("1234567812345678123456781212345678345678"),
+			"HeatPassword":          []byte("12345678"),
+			"HeatAuthEncryptionKey": []byte("1234567812345678123456781212345678345678"),
 		},
 	)
 }

tests/functional/heat_controller_test.go

@@ -644,4 +644,59 @@ var _ = Describe("Heat controller", func() {
 		return GetEnvVarValue(deployment.Spec.Template.Spec.Containers[0].Env, "CONFIG_HASH", "")
 	})*/
 
+	When("HeatAuthEncryptionKey is too short", func() {
+
+		BeforeEach(func() {
+			DeferCleanup(th.DeleteInstance, CreateHeat(heatName, GetDefaultHeatSpec()))
+			DeferCleanup(
+				k8sClient.Delete, ctx, CreateHeatSecret(namespace, SecretName))
+			DeferCleanup(infra.DeleteMemcached, infra.CreateMemcached(namespace, "memcached", memcachedSpec))
+			infra.SimulateMemcachedReady(types.NamespacedName{
+				Name:      "memcached",
+				Namespace: namespace,
+			})
+			DeferCleanup(
+				k8sClient.Delete, ctx, CreateHeatMessageBusSecret(namespace, HeatMessageBusSecretName))
+			infra.SimulateTransportURLReady(heatTransportURLName)
+			keystoneAPI := keystone.CreateKeystoneAPI(namespace)
+			DeferCleanup(keystone.DeleteKeystoneAPI, keystoneAPI)
+			DeferCleanup(
+				mariadb.DeleteDBService,
+				mariadb.CreateDBService(
+					namespace,
+					GetHeat(heatName).Spec.DatabaseInstance,
+					corev1.ServiceSpec{
+						Ports: []corev1.ServicePort{{Port: 3306}},
+					},
+				),
+			)
+			mariadb.SimulateMariaDBAccountCompleted(types.NamespacedName{Namespace: namespace, Name: GetHeat(heatName).Spec.DatabaseAccount})
+			mariadb.SimulateMariaDBDatabaseCompleted(types.NamespacedName{Namespace: namespace, Name: heat.DatabaseCRName})
+			dbSyncJobName := types.NamespacedName{
+				Name:      "heat-db-sync",
+				Namespace: namespace,
+			}
+			th.SimulateJobSuccess(dbSyncJobName)
+
+		})
+
+		It("Should complain about the Key length", func() {
+			Eventually(func(g Gomega) {
+				heat := GetHeat(heatName)
+				heat.Spec.PasswordSelectors.AuthEncryptionKey = "TooShortAuthEncKey"
+				g.Expect(th.K8sClient.Update(ctx, heat)).Should(Succeed())
+			}, timeout, interval).Should(Succeed())
+
+			th.ExpectCondition(
+				heatName,
+				ConditionGetterFunc(HeatConditionGetter),
+				condition.ServiceConfigReadyCondition,
+				corev1.ConditionFalse,
+			)
+
+			conditions := HeatConditionGetter(heatName)
+			message := &conditions.Get(condition.ServiceConfigReadyCondition).Message
+			Expect(*message).Should(ContainSubstring("AuthEncryptionKey must be at least 32 characters"))
+		})
+	})
 })