enforce-ssl: evaluate all sources of cert/key

When the dashboard charm is deployed with Vault using the certificates relation the enforce-ssl configuration option is not honoured as the certificates relation is supported by the get_cert function provided by charmhelpers. https does much the same set of checks but also looks at the certificates relation when considering whether https is actually enabled for the charm. Minor style tweak to the code to avoid nested conditionals. Change-Id: Ieb519adef53e8ab68c9119eb38344e5cb8540411 Closes-Bug: 1846189
2020-05-19 13:46:10 +01:00 · 2020-05-19 13:46:10 +01:00 · 476fe0b2ca
parent 4159b9bbd2
commit 476fe0b2ca
2 changed files with 11 additions and 13 deletions
--- a/hooks/horizon_contexts.py
+++ b/hooks/horizon_contexts.py
@ -32,8 +32,8 @@ from charmhelpers.contrib.openstack.context import (
    OSContextGenerator,
    context_complete
 )
-from charmhelpers.contrib.hahelpers.apache import (
-    get_cert,
+from charmhelpers.contrib.hahelpers.cluster import (
+    https,
 )
 from charmhelpers.contrib.network.ip import (
    get_ipv6_addr,
@ -251,13 +251,11 @@ class ApacheContext(OSContextGenerator):
            "custom_theme": config('custom-theme'),
        }

-        if config('enforce-ssl'):
-            # NOTE(dosaboy): if ssl is not configured we shouldn't allow this
-            if all(get_cert()):
-                ctxt['enforce_ssl'] = True
-            else:
-                log("Enforce ssl redirect requested but ssl not configured - "
-                    "skipping redirect", level=WARNING)
+        if config('enforce-ssl') and https():
+            ctxt['enforce_ssl'] = True
+        else:
+            log("Enforce ssl redirect requested but ssl not configured - "
+                "skipping redirect", level=WARNING)

        return ctxt

--- a/unit_tests/test_horizon_contexts.py
+++ b/unit_tests/test_horizon_contexts.py
@ -26,7 +26,7 @@ TO_PATCH = [
    'relation_ids',
    'related_units',
    'log',
-    'get_cert',
+    'https',
    'context_complete',
    'local_unit',
    'get_relation_ip',
@ -68,7 +68,7 @@ class TestHorizonContexts(CharmTestCase):

    def test_Apachecontext_enforce_ssl(self):
        self.test_config.set('enforce-ssl', True)
-        self.get_cert.return_value = ('cert', 'key')
+        self.https.return_value = True
        self.assertEquals(horizon_contexts.ApacheContext()(),
                          {'http_port': 70, 'https_port': 433,
                           'enforce_ssl': True,
@ -77,7 +77,7 @@ class TestHorizonContexts(CharmTestCase):

    def test_Apachecontext_enforce_ssl_no_cert(self):
        self.test_config.set('enforce-ssl', True)
-        self.get_cert.return_value = (None, 'key')
+        self.https.return_value = False
        self.assertEquals(horizon_contexts.ApacheContext()(),
                          {'http_port': 70, 'https_port': 433,
                           'enforce_ssl': False,
@ -86,7 +86,7 @@ class TestHorizonContexts(CharmTestCase):

    def test_Apachecontext_hsts_max_age_seconds(self):
        self.test_config.set('enforce-ssl', True)
-        self.get_cert.return_value = ('cert', 'key')
+        self.https.return_value = True
        self.test_config.set('hsts-max-age-seconds', 15768000)
        self.assertEquals(horizon_contexts.ApacheContext()(),
                          {'http_port': 70, 'https_port': 433,