Unset ssl_port when disabling ssl

Some Rabbitmq clients gate enabling ssl on the presence of the
ssl_port option in the amqp relation. However, when ssl is disabled
the rabbitmq-server charm does not explicitly unset ssl_port so it
persists down the relation. This change unsets the ssl_port
option along with the other ssl options when they are not needed.

There seemed to be no unit test coverage for ssl_utils so I've
added some as part of this change.

Change-Id: If957899427ec979d09045baca010375ba7273579
Closes-Bug: #1717982
Liam Young 2017-09-21 14:42:24 +00:00
parent 1ec1269a1c
commit 407cfa8097
2 changed files with 143 additions and 1 deletions


@ -66,7 +66,8 @@ def reconfigure_client_ssl(ssl_enabled=False):
rdata = relation_get(rid=rid, unit=local_unit())
if not ssl_enabled and ssl_config_keys.intersection(rdata):
# No clean way to remove entirely, but blank them.
relation_set(relation_id=rid, ssl_key='', ssl_cert='', ssl_ca='')
relation_set(relation_id=rid, ssl_key='', ssl_cert='', ssl_ca='',
ssl_port='')
elif ssl_enabled and not ssl_config_keys.intersection(rdata):
configure_client_ssl(rdata)
relation_set(relation_id=rid, **rdata)
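Review bot: The blanking branch is still gated only on `ssl_config_keys.intersection(rdata)`, and `ssl_config_keys` is defined outside this hunk. If that set does not contain `'ssl_port'`, a relation whose only leftover SSL key is `ssl_port` never reaches the new `ssl_port=''`, and clients that gate on that key would presumably keep attempting TLS against a server that has turned it off. Confirm membership, or make the guard explicit with `if not ssl_enabled and (ssl_config_keys | {'ssl_port'}).intersection(rdata):`. The existing comment could also record the reason, e.g. `# Clients treat the presence of ssl_port as "use TLS", so blank it as well.` The body of reconfigure_client_ssl begins before this hunk and may continue after it.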


@ -0,0 +1,141 @@
# Copyright 2017 Canonical Ltd
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from test_utils import CharmTestCase
from mock import patch
import ssl_utils
TO_PATCH = [
'config',
]
class TestSSLUtils(CharmTestCase):
def setUp(self):
super(TestSSLUtils, self).setUp(ssl_utils, TO_PATCH)
def test_get_ssl_mode_off(self):
test_config = {
'ssl': 'off',
'ssl_enabled': False,
'ssl_on': False,
'ssl_key': None,
'ssl_cert': None}
self.config.side_effect = lambda x: test_config[x]
self.assertEqual(
ssl_utils.get_ssl_mode(),
('off', False))
def test_get_ssl_enabled_true(self):
test_config = {
'ssl': 'off',
'ssl_enabled': True,
'ssl_on': False,
'ssl_key': None,
'ssl_cert': None}
self.config.side_effect = lambda x: test_config[x]
self.assertEqual(
ssl_utils.get_ssl_mode(),
('on', False))
def test_get_ssl_enabled_false(self):
test_config = {
'ssl': 'on',
'ssl_enabled': False,
'ssl_on': False,
'ssl_key': None,
'ssl_cert': None}
self.config.side_effect = lambda x: test_config[x]
self.assertEqual(
ssl_utils.get_ssl_mode(),
('on', False))
def test_get_ssl_enabled_external_ca(self):
test_config = {
'ssl': 'on',
'ssl_enabled': False,
'ssl_on': False,
'ssl_key': 'key1',
'ssl_cert': 'cert1'}
self.config.side_effect = lambda x: test_config[x]
self.assertEqual(
ssl_utils.get_ssl_mode(),
('on', True))
@patch('ssl_utils.get_ssl_mode')
def test_get_ssl_mode_ssl_off(self, get_ssl_mode):
get_ssl_mode.return_value = ('off', False)
relation_data = {}
ssl_utils.configure_client_ssl(relation_data)
self.assertEqual(relation_data, {})
@patch('ssl_utils.ServiceCA')
@patch('ssl_utils.get_ssl_mode')
def test_get_ssl_mode_ssl_on_no_ca(self, get_ssl_mode, ServiceCA):
ServiceCA.get_ca().get_ca_bundle.return_value = 'cert1'
get_ssl_mode.return_value = ('on', False)
test_config = {
'ssl_port': '9090'}
self.config.side_effect = lambda x: test_config[x]
relation_data = {}
ssl_utils.configure_client_ssl(relation_data)
self.assertEqual(
relation_data,
{'ssl_port': '9090', 'ssl_ca': 'Y2VydDE='})
@patch('ssl_utils.get_ssl_mode')
def test_get_ssl_mode_ssl_on_ext_ca(self, get_ssl_mode):
get_ssl_mode.return_value = ('on', True)
test_config = {
'ssl_port': '9090',
'ssl_ca': 'ext_ca'}
self.config.side_effect = lambda x: test_config[x]
relation_data = {}
ssl_utils.configure_client_ssl(relation_data)
self.assertEqual(
relation_data,
{'ssl_port': '9090', 'ssl_ca': 'ZXh0X2Nh'})
@patch('ssl_utils.local_unit')
@patch('ssl_utils.relation_ids')
@patch('ssl_utils.relation_get')
@patch('ssl_utils.configure_client_ssl')
@patch('ssl_utils.relation_set')
def test_reconfigure_client_ssl_no_ssl(self, relation_set,
configure_client_ssl, relation_get,
relation_ids, local_unit):
relation_ids.return_value = ['rel1']
relation_get.return_value = {'ssl_key': 'aa'}
ssl_utils.reconfigure_client_ssl(ssl_enabled=False)
relation_set.assert_called_with(
relation_id='rel1',
ssl_ca='',
ssl_cert='',
ssl_key='',
ssl_port='')
@patch('ssl_utils.local_unit')
@patch('ssl_utils.relation_ids')
@patch('ssl_utils.relation_get')
@patch('ssl_utils.configure_client_ssl')
@patch('ssl_utils.relation_set')
def test_reconfigure_client_ssl(self, relation_set, configure_client_ssl,
relation_get, relation_ids, local_unit):
relation_ids.return_value = ['rel1']
relation_get.return_value = {}
ssl_utils.reconfigure_client_ssl(ssl_enabled=True)
configure_client_ssl.assert_called_with({})
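Review bot: test_reconfigure_client_ssl_no_ssl only feeds `relation_get.return_value = {'ssl_key': 'aa'}`, so the scenario the commit message describes, where stale `ssl_port` is what remains on the relation, is not exercised. A sibling case with `relation_get.return_value = {'ssl_port': '9090'}` asserting the same blanking call would pin whether the guard in reconfigure_client_ssl covers it. In both reconfigure tests `assert_called_with` checks only the most recent call; `assert_called_once_with` would also catch an unexpected extra `relation_set`. test_reconfigure_client_ssl verifies `configure_client_ssl` but not the `relation_set(relation_id='rel1', **rdata)` that follows it. The three `test_get_ssl_mode_ssl_*` methods actually exercise `configure_client_ssl`, so names such as `test_configure_client_ssl_off` would make failures easier to read.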