Merge pull request #17149 from carbonin/encryption_key_validation

Add encryption key validation rake task
ManageIQ · Mar 13, 2018 · 9d11818 · 9d11818
2 parents ffd2be0 + 6fa1bf5
commit 9d11818
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 0 deletions.
diff --git a/lib/tasks/evm.rake b/lib/tasks/evm.rake
@@ -56,6 +56,12 @@ namespace :evm do
     puts inventory.tableize if inventory.present?
   end
 
+  desc "Determine if the configured encryption key is valid"
+  task :validate_encryption_key => :environment do
+    raise "Invalid encryption key" unless EvmApplication.encryption_key_valid?
+    puts "Encryption key valid"
+  end
+
   desc "Write a remote region id to this server's REGION file"
   task :join_region => :environment do
     configured_region = ApplicationRecord.region_number_from_sequence.to_i

diff --git a/lib/tasks/evm_application.rb b/lib/tasks/evm_application.rb
@@ -142,6 +142,21 @@ def self.set_region_file(region_file, new_region)
     region_file.write(new_region)
   end
 
+  def self.encryption_key_valid?
+    # if we're a new deployment we won't even be able to get the database row
+    # and if there is no database row, allow this key to be used
+    return true if deployment_status == "new_deployment"
+    return true unless (db = MiqDatabase.first)
+
+    # both of these should raise if we have the wrong key
+    db.session_secret_token
+    db.csrf_secret_token
+
+    true
+  rescue MiqPassword::MiqPasswordError
+    false
+  end
+
   def self.deployment_status
     return "new_deployment" if ActiveRecord::Migrator.current_version.zero?
     return "new_replica"    if MiqServer.my_server.nil?

diff --git a/spec/lib/tasks/evm_application_spec.rb b/spec/lib/tasks/evm_application_spec.rb
@@ -206,4 +206,10 @@ def pad(val, col)
       expect(described_class.deployment_status).to eq("redeployment")
     end
   end
+
+  describe ".encryption_key_valid?" do
+    it "returns true when we are using the correct encryption key" do
+      expect(described_class.encryption_key_valid?).to be_truthy
+    end
+  end
 end