*: provide better feedback for invalid secrets #37

Open
mccutchen opened this issue Aug 25, 2018 · 0 comments
Labels
good first issue Good for newcomers papercuts frustrations to fix but not necessarily a bug

Comments

@mccutchen
Contributor

TL;DR

If an invalid COOKIE_SECRET value is given, sso should provide guidance for how to generate a valid one rather than a cryptic error message. Bonus points for providing a separate sso-gen-secret binary that will Just Work!

Let's make it as easy as possible for users to generate good, secure secrets!

A bit more context

The error message sso gives for an invalid COOKIE_SECRET value takes this general form (for abcd as the secret value):

{"error":"Invalid configuration:\n  cookie_secret must be 32 or 64 bytes to create an AES cipher but is 4 bytes. note: cookie secret was base64 decoded from \"abcd\"","level":"error","msg":"error validating opts","service":"sso-authenticator","time":"2018-08-25 00:15:04.82512"}

But we still get an error message if we try a 32 byte secret (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx):

{"error":"Invalid configuration:\n  cookie_secret must be 32 or 64 bytes to create an AES cipher but is 24 bytes. note: cookie secret was base64 decoded from \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"","level":"error","msg":"error validating opts","service":"sso-authenticator","time":"2018-08-25 00:17:33.82512"}

Having dug into this a bit, I know that sso is trying to base64-decode the given secret value (that's why it reports a length of 24 bytes above), but, as I'll illustrate in a follow-up issue, it can be difficult to generate a valid secret even with this knowledge.

Working example

Here's one way that works, assuming python is available (note the use of urlsafe_b64encode, which seems to agree with the golang decoder used in sso):

python -c 'import base64, os, sys; sys.stdout.write(base64.urlsafe_b64encode(os.urandom(32)).decode())'
@mccutchen mccutchen added good first issue Good for newcomers papercuts frustrations to fix but not necessarily a bug labels Aug 25, 2018
@mreiferson mreiferson changed the title Provide better feedback for invalid secrets sso-{auth,proxy}: provide better feedback for invalid secrets Nov 26, 2018
@mreiferson mreiferson changed the title sso-{auth,proxy}: provide better feedback for invalid secrets *: provide better feedback for invalid secrets Nov 26, 2018
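
The generator and the friendlier validation requested in this issue, written in Go as an added example; it is not code from sso or from the issue author. The names `GenerateCookieSecret` and `CheckCookieSecret` are hypothetical, and the example assumes the secret is decoded with Go's padded URL-safe alphabet (`base64.URLEncoding`), as the note about `urlsafe_b64encode` in the post suggests.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// GenerateCookieSecret returns n random bytes from the OS CSPRNG, encoded with
// the padded URL-safe base64 alphabet (the Go counterpart of urlsafe_b64encode).
func GenerateCookieSecret(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.URLEncoding.EncodeToString(buf), nil
}

// CheckCookieSecret decodes value and reports the decoded length. The error it
// returns explains the fix when the decoded length is not 32 or 64 bytes.
// Assumption: the consumer decodes with base64.URLEncoding, as the post suggests.
func CheckCookieSecret(value string) (int, error) {
	raw, err := base64.URLEncoding.DecodeString(value)
	if err != nil {
		return 0, fmt.Errorf("cookie secret is not URL-safe base64 (%v); "+
			"generate one from 32 random bytes, then base64-encode it", err)
	}
	if n := len(raw); n != 32 && n != 64 {
		return n, fmt.Errorf("cookie secret decodes to %d bytes, want 32 or 64: "+
			"the check applies to the decoded bytes, not the %d characters supplied",
			n, len(value))
	}
	return len(raw), nil
}

func main() {
	// Constructed inputs: the 32-character string from the issue and a fresh secret.
	fresh, err := GenerateCookieSecret(32)
	if err != nil {
		panic(err)
	}
	for _, v := range []string{"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", fresh} {
		n, err := CheckCookieSecret(v)
		// Only lengths are printed so the generated secret never reaches a log.
		fmt.Printf("chars=%d decoded=%d err=%v\n", len(v), n, err)
	}
}
```

The 32-character string from the issue decodes to 24 bytes and is rejected, while the 44-character output of the generator decodes to exactly 32 bytes.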