enforce-ssl: evaluate all sources of cert/key
When the dashboard charm is deployed with Vault using the certificates relation, the enforce-ssl configuration option is not honoured, as the certificates relation is not supported by the get_cert function provided by charmhelpers. https does much the same set of checks but also looks at the certificates relation when considering whether https is actually enabled for the charm. Minor style tweak to the code to avoid nested conditionals. Change-Id: Ieb519adef53e8ab68c9119eb38344e5cb8540411 Closes-Bug: 1846189
parent
4159b9bbd2
commit
476fe0b2ca
|
@ -32,8 +32,8 @@ from charmhelpers.contrib.openstack.context import (
|
|||
OSContextGenerator,
|
||||
context_complete
|
||||
)
|
||||
from charmhelpers.contrib.hahelpers.apache import (
|
||||
get_cert,
|
||||
from charmhelpers.contrib.hahelpers.cluster import (
|
||||
https,
|
||||
)
|
||||
from charmhelpers.contrib.network.ip import (
|
||||
get_ipv6_addr,
|
||||
|
@ -251,13 +251,11 @@ class ApacheContext(OSContextGenerator):
|
|||
"custom_theme": config('custom-theme'),
|
||||
}
|
||||
|
||||
if config('enforce-ssl'):
|
||||
# NOTE(dosaboy): if ssl is not configured we shouldn't allow this
|
||||
if all(get_cert()):
|
||||
ctxt['enforce_ssl'] = True
|
||||
else:
|
||||
log("Enforce ssl redirect requested but ssl not configured - "
|
||||
"skipping redirect", level=WARNING)
|
||||
if config('enforce-ssl') and https():
|
||||
ctxt['enforce_ssl'] = True
|
||||
else:
|
||||
log("Enforce ssl redirect requested but ssl not configured - "
|
||||
"skipping redirect", level=WARNING)
|
||||
|
||||
return ctxt
|
||||
|
||||
|
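Review bot: The flattened `else:` after `if config('enforce-ssl') and https():` now also runs when enforce-ssl is not set, so a unit without the option logs "Enforce ssl redirect requested but ssl not configured" at WARNING although no redirect was requested. The previous nested form only warned when the option was on and no cert/key was found. That noise makes the one case an operator needs to notice, a redirect requested while the dashboard is still reachable over plain HTTP, easy to overlook; changing the branch to `elif config('enforce-ssl'):` keeps the flat shape and restores the original condition. The enclosing method starts above the hunk, so where `ctxt['enforce_ssl']` gets its default is not visible here.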
|
|
@ -26,7 +26,7 @@ TO_PATCH = [
|
|||
'relation_ids',
|
||||
'related_units',
|
||||
'log',
|
||||
'get_cert',
|
||||
'https',
|
||||
'context_complete',
|
||||
'local_unit',
|
||||
'get_relation_ip',
|
||||
|
@ -68,7 +68,7 @@ class TestHorizonContexts(CharmTestCase):
|
|||
|
||||
def test_Apachecontext_enforce_ssl(self):
|
||||
self.test_config.set('enforce-ssl', True)
|
||||
self.get_cert.return_value = ('cert', 'key')
|
||||
self.https.return_value = True
|
||||
self.assertEquals(horizon_contexts.ApacheContext()(),
|
||||
{'http_port': 70, 'https_port': 433,
|
||||
'enforce_ssl': True,
|
||||
|
@ -77,7 +77,7 @@ class TestHorizonContexts(CharmTestCase):
|
|||
|
||||
def test_Apachecontext_enforce_ssl_no_cert(self):
|
||||
self.test_config.set('enforce-ssl', True)
|
||||
self.get_cert.return_value = (None, 'key')
|
||||
self.https.return_value = False
|
||||
self.assertEquals(horizon_contexts.ApacheContext()(),
|
||||
{'http_port': 70, 'https_port': 433,
|
||||
'enforce_ssl': False,
|
||||
|
@ -86,7 +86,7 @@ class TestHorizonContexts(CharmTestCase):
|
|||
|
||||
def test_Apachecontext_hsts_max_age_seconds(self):
|
||||
self.test_config.set('enforce-ssl', True)
|
||||
self.get_cert.return_value = ('cert', 'key')
|
||||
self.https.return_value = True
|
||||
self.test_config.set('hsts-max-age-seconds', 15768000)
|
||||
self.assertEquals(horizon_contexts.ApacheContext()(),
|
||||
{'http_port': 70, 'https_port': 433,
|
||||
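Review bot: None of the three updated tests covers enforce-ssl being off, so a change in when the "ssl not configured" warning is logged would pass unnoticed; all of them set the option to True and only vary `self.https.return_value`. A further case that calls `self.test_config.set('enforce-ssl', False)` and then checks the warning was not emitted would pin that, for example `self.assertFalse(self.log.called)`, assuming nothing else in ApacheContext logs (not visible from these hunks). Since `https` is mocked here, the certificates-relation path the commit is about is only as good as charmhelpers' own tests, which is worth a one-line comment above `'https'` in TO_PATCH.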
|
|