Require JWT Key to be specified for server startup (#1480)

If server is started without a JWT key, a message like the following is printed:
```
################################################################################
# ERROR:
#   A value must be supplied for --auth_jwt_key. This value is used to create
#   session tokens for users.
#
#   Consider using the following randomly generated key:
#   om3w95gMA2drT5xAdLd2Q5oE8fLw+Miz
################################################################################
```

Closes #1480.

CHANGELOG.md

@@ -1,3 +1,7 @@
+* Kolide server now requires `--auth_jwt_key` to be specified at startup.
+
+  If no JWT key is provided by the user, the server will print a new suggested random JWT key for use.
+
 * Fix rounding error when showing % of online hosts
 
 ## Kolide 1.0.3 (April 3, 2017)
@@ -33,7 +37,7 @@ See https://wiki.mozilla.org/Security/Server_Side_TLS for more information on th
 
 * The Options Configuration item in the sidebar is now only available to admin users.
 
-  Previously this item was visible to non-admin users and if selected, a blank options page would be displayed since server side authorization constraints prevent regular users from viewing or changing options.  
+  Previously this item was visible to non-admin users and if selected, a blank options page would be displayed since server side authorization constraints prevent regular users from viewing or changing options.
 
 * Improved validation for the Kolide server URL supplied in setup and configuration.
 

cli/serve.go

@@ -99,6 +99,23 @@ the way that the kolide server works.
 				os.Exit(1)
 			}
 
+			if config.Auth.JwtKey == "" {
+				jwtKey, err := kolide.RandomText(24)
+				if err != nil {
+					initFatal(err, "generating sample jwt key")
+				}
+				fmt.Printf("################################################################################\n"+
+					"# ERROR:\n"+
+					"#   A value must be supplied for --auth_jwt_key. This value is used to create\n"+
+					"#   session tokens for users.\n"+
+					"#\n"+
+					"#   Consider using the following randomly generated key:\n"+
+					"#   %s\n"+
+					"################################################################################\n",
+					jwtKey)
+				os.Exit(1)
+			}
+
 			if initializingDS, ok := ds.(initializer); ok {
 				if err := initializingDS.Initialize(); err != nil {
 					initFatal(err, "loading built in data")

docs/infrastructure/configuring-the-kolide-binary.md

@@ -313,9 +313,9 @@ Whether or not the server should be served over TLS.
 
 ##### `auth_jwt_key`
 
-The [JWT](https://jwt.io/) key to use when signing and validating session keys.
+The [JWT](https://jwt.io/) key to use when signing and validating session keys. If this value is not specified the Kolide server will fail to start and a randomly generated key will be provided for use.
 
-- Default value: `CHANGEME`
+- Default value: None
 - Environment variable: `KOLIDE_AUTH_JWT_KEY`
 - Config file format:
 

server/config/config.go

@@ -142,8 +142,8 @@ func (man Manager) addConfigs() {
 			TLSProfileModern, TLSProfileIntermediate, TLSProfileOld))
 
 	// Auth
-	man.addConfigString(
-		"auth.jwt_key", "CHANGEME", "JWT session token key")
+	man.addConfigString("auth.jwt_key", "",
+		"JWT session token key (required)")
 	man.addConfigInt("auth.bcrypt_cost", 12,
 		"Bcrypt iterations")
 	man.addConfigInt("auth.salt_key_size", 24,

tools/app/kolide.yaml

@@ -2,9 +2,8 @@ server:
   cert: "./tools/osquery/kolide.crt"
   key: "./tools/osquery/kolide.key"
 auth:
-  jwt_key: very secure
+  jwt_key: very secure dev setup jwt key
 osquery:
-  enroll_secret: super secure
   result_log_file: /tmp/osquery_result
   status_log_file: /tmp/osquery_status
 logging:

tools/ci/k8s-templates/branch-deployment.template

@@ -48,6 +48,8 @@ spec:
               value: kolide_{{ .Name }}
             - name: KOLIDE_REDIS_ADDRESS
               value: redis-kolide-{{ .Name }}:6379
+            - name: KOLIDE_AUTH_JWT_KEY
+              value: changeme_fake_jwt_key
         ports:
         - containerPort: 8080
       - name: cloudsql-proxy

tools/ci/k8s-templates/pr-deployment.template

@@ -51,6 +51,8 @@ spec:
               value: pr_{{ .Number }}_{{ .RevShort }}
             - name: KOLIDE_REDIS_ADDRESS
               value: redis-kolide-pr-{{ .Number }}:6379
+            - name: KOLIDE_AUTH_JWT_KEY
+              value: changeme_fake_jwt_key
         ports:
         - containerPort: 8080
       - name: cloudsql-proxy