From b849530eb0fb93ee3c482c7cd170678c9218fa98 Mon Sep 17 00:00:00 2001
From: Liam Young
Date: Wed, 31 Oct 2018 14:12:08 +0000
Subject: [PATCH] Update identity endpoints when switching to ssl

When keystone recieves certificates down the certificates relation it needs to update the identity endpoint to https.

Change-Id: I9a423096b77a73f78a6cc9e3d250bdea2fb861b6
---
 hooks/keystone_hooks.py | 4 +++
 unit_tests/test_keystone_hooks.py | 42 +++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/hooks/keystone_hooks.py b/hooks/keystone_hooks.py
index deddc93e..07c02f4f 100755
--- a/hooks/keystone_hooks.py
+++ b/hooks/keystone_hooks.py
@@ -838,6 +838,10 @@ def certs_changed(relation_id=None, unit=None):
 process_certificates('keystone', relation_id, unit)
 configure_https()
 write_certs_and_config()
+ # If enabling https the identity endpoints need updating.
+ if (is_db_initialised() and is_elected_leader(CLUSTER_RES) and not
+ is_unit_paused_set()):
+ ensure_initial_admin(config)
 update_all_identity_relation_units()
 update_all_domain_backends()

diff --git a/unit_tests/test_keystone_hooks.py b/unit_tests/test_keystone_hooks.py
index 6ee9aebf..2fe4786e 100644
--- a/unit_tests/test_keystone_hooks.py
+++ b/unit_tests/test_keystone_hooks.py
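Review bot: In `certs_changed` (hooks/keystone_hooks.py), when the new guard is false (database not initialised, unit not the elected leader, or unit paused) the `ensure_initial_admin(config)` call is skipped with no log line, and nothing visible in the hunk retries it later. If that call is what moves the identity endpoints to https, as the added comment says, the catalog may keep advertising the http endpoint after certificates are installed, so clients would presumably keep sending credentials and tokens unencrypted. I would add an `else:` branch that records the deferral, for example `log('certs_changed: identity endpoint update deferred', level=INFO)` if hookenv's `log` and `INFO` are imported in this module, and confirm that some later hook re-runs the update. The block also runs on every certificates change rather than only on the first switch to https, so the comment could state that `ensure_initial_admin` is expected to be idempotent; the function body starts outside the hunk, so this is judged from the visible lines only.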
@@ -1032,3 +1032,45 @@ class KeystoneRelationTests(CharmTestCase):
 'fid-restart-nonce-{}'.format(rel),
 'nonce2')
 self.assertTrue(mock_kv.flush.called)
+
+ @patch.object(hooks, 'relation_set')
+ @patch.object(hooks, 'get_certificate_request')
+ def test_certs_joined(self, get_certificate_request, relation_set):
+ get_certificate_request.return_value = {'cn': 'this-unit'}
+ hooks.certs_joined(relation_id='rid:23')
+ relation_set.assert_called_once_with(
+ relation_id='rid:23',
+ relation_settings={'cn': 'this-unit'})
+
+ @patch.object(hooks, 'config')
+ @patch.object(hooks, 'update_all_domain_backends')
+ @patch.object(hooks, 'update_all_identity_relation_units')
+ @patch.object(hooks, 'ensure_initial_admin')
+ @patch.object(hooks, 'is_unit_paused_set')
+ @patch.object(hooks, 'is_elected_leader')
+ @patch.object(hooks, 'is_db_initialised')
+ @patch.object(hooks, 'configure_https')
+ @patch.object(hooks, 'process_certificates')
+ def test_certs_changed(self, process_certificates, configure_https,
+ is_db_initialised,
+ is_elected_leader, is_unit_paused_set,
+ ensure_initial_admin,
+ update_all_identity_relation_units,
+ update_all_domain_backends, config):
+ is_db_initialised.return_value = True
+ is_elected_leader.return_value = True
+ is_unit_paused_set.return_value = False
+ hooks.certs_changed()
+ process_certificates.assert_called_once_with('keystone', None, None)
+ configure_https.assert_called_once_with()
+ is_db_initialised.assert_called_once_with()
+ is_elected_leader.assert_called_once_with('grp_ks_vips')
+ is_unit_paused_set.assert_called_once_with()
+ ensure_initial_admin.assert_called_once_with(config)
+ update_all_identity_relation_units.assert_called_once_with()
+ update_all_domain_backends.assert_called_once_with()
+
+ ensure_initial_admin.reset_mock()
+ is_db_initialised.return_value = False
+ hooks.certs_changed()
+ self.assertFalse(ensure_initial_admin.called)
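Review bot: `test_certs_changed` exercises only one of the three ways the guard in `certs_changed` can fail (`is_db_initialised` returning False); the non-leader and paused-unit cases are never asserted, so a regression that ran `ensure_initial_admin` on a non-leader or paused unit would still pass. The test also hard-codes `'grp_ks_vips'` where the hook passes `CLUSTER_RES`; referencing the constant would keep the two in step, assuming it is reachable from the hooks module. The fence below adds the two missing negative cases after the existing final assertion.

```python
        # ... unchanged: positive path and the is_db_initialised=False case ...
        self.assertFalse(ensure_initial_admin.called)

        # A non-leader unit must not update the identity endpoints.
        is_db_initialised.return_value = True
        is_elected_leader.return_value = False
        hooks.certs_changed()
        self.assertFalse(ensure_initial_admin.called)

        # Neither must a paused leader.
        is_elected_leader.return_value = True
        is_unit_paused_set.return_value = True
        hooks.certs_changed()
        self.assertFalse(ensure_initial_admin.called)
```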