Rework enforce_ssl to use host name, not address

If enforce_ssl is set to true in openstack-dashboard, a user is redirected to the IP address of the server, not its hostname. This boils down to the template used to construct the site, which is always fed an IP address by horizon_context.py. Instead of using an IP address, use the result of resolve_address. (This is part of an odd quirk whereby the charm doesn't use the standard https tooling but does its own. A conversion to standard tooling would be required for a full fix to #1664954.) Closes-Bug: #1689882 Related-Bug: #1664954 Change-Id: I93365b75211e3c48d64ba8510898750dbc7b73cd Signed-off-by: Daniel Axtens <dja@axtens.net>
2017-05-11 04:41:19 +10:00 · 2017-05-11 04:41:19 +10:00 · 51b099c79e
parent 1cdefcb5e9
commit 51b099c79e
2 changed files with 7 additions and 12 deletions
--- a/hooks/horizon_contexts.py
+++ b/hooks/horizon_contexts.py
@ -31,8 +31,10 @@ from charmhelpers.contrib.openstack.context import (
    HAProxyContext,
    context_complete
 )
+from charmhelpers.contrib.openstack.ip import (
+    resolve_address,
+)
 from charmhelpers.contrib.openstack.utils import (
-    get_host_ip,
    git_default_repos,
    git_pip_venv_dir,
 )
@ -215,14 +217,7 @@ class ApacheContext(OSContextGenerator):
        if config('enforce-ssl'):
            # NOTE(dosaboy): if ssl is not configured we shouldn't allow this
            if all(get_cert()):
-                if config('vip'):
-                    addr = config('vip')
-                elif config('prefer-ipv6'):
-                    addr = format_ipv6_addr(get_ipv6_addr()[0])
-                else:
-                    addr = get_host_ip(unit_get('private-address'))
-
-                ctxt['ssl_addr'] = addr
+                ctxt['ssl_addr'] = resolve_address()
            else:
                log("Enforce ssl redirect requested but ssl not configured - "
                    "skipping redirect", level=WARNING)
--- a/unit_tests/test_horizon_contexts.py
+++ b/unit_tests/test_horizon_contexts.py
@ -32,7 +32,7 @@ TO_PATCH = [
    'local_unit',
    'unit_get',
    'pwgen',
-    'get_host_ip'
+    'resolve_address',
 ]


@ -67,10 +67,10 @@ class TestHorizonContexts(CharmTestCase):

    def test_Apachecontext_enforce_ssl(self):
        self.test_config.set('enforce-ssl', True)
-        self.get_host_ip.return_value = '10.0.0.1'
+        self.resolve_address.return_value = 'horizon.example.stack'
        self.assertEqual(horizon_contexts.ApacheContext()(),
                         {'http_port': 70, 'https_port': 433,
-                          'ssl_addr': '10.0.0.1'})
+                          'ssl_addr': 'horizon.example.stack'})

    @patch.object(horizon_contexts, 'get_ca_cert', lambda: None)
    @patch('os.chmod')