Handle SSL

src/lib/charm/openstack/barbican_vault.py

@@ -11,9 +11,13 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+import base64
+
 import charms_openstack.adapters
 import charms_openstack.charm
 
+import charmhelpers.core as ch_core
+
 
 class BarbicanVaultCharm(charms_openstack.charm.OpenStackCharm):
     release = 'rocky'
@@ -22,7 +26,30 @@ class BarbicanVaultCharm(charms_openstack.charm.OpenStackCharm):
     python_version = 3
     adapters_class = charms_openstack.adapters.OpenStackRelationAdapters
 
+    _installed_ca_name = None
+
+    def install_ca_cert(self, ca_cert_data):
+        """Install CA certificate.
+
+        Takes Base64 encoded data from caller and installs it building
+        filename from application name in Juju model.
+
+        :param ca_cert_data: Base64 encoded certificate data
+        :type ca_cert_data: str
+        :
+        """
+        name = 'juju-' + self.configuration_class().application_name
+        ch_core.host.install_ca_cert(
+            base64.b64decode(ca_cert_data), name=name)
+        self._installed_ca_name = (
+            '/usr/local/share/ca-certificates/{}.crt'.format(name))
+
     @property
     def secret_backend_name(self):
         """Build secret backend name from name of the deployed charm."""
         return 'charm-' + self.configuration_class().application_name
+
+    @property
+    def installed_ca_name(self):
+        """Return installed CA name if set."""
+        return self._installed_ca_name

src/reactive/barbican_vault_handlers.py

@@ -50,20 +50,25 @@ def plugin_info_barbican_publish():
     barbican = reactive.endpoint_from_flag('endpoint.secrets.joined')
     secrets_storage = reactive.endpoint_from_flag(
         'secrets-storage.available')
-    ch_core.hookenv.log('Retrieving secret-id from vault ({})'
-                        .format(secrets_storage.vault_url),
-                        level=ch_core.hookenv.INFO)
-    secret_id = vault_utils.retrieve_secret_id(
-        secrets_storage.vault_url,
-        secrets_storage.unit_token)
     with charm.provide_charm_instance() as barbican_vault_charm:
+        if secrets_storage.vault_ca:
+            ch_core.hookenv.log('Installing vault CA certificate')
+            barbican_vault_charm.install_ca_cert(secrets_storage.vault_ca)
+        ch_core.hookenv.log('Retrieving secret-id from vault ({})'
+                            .format(secrets_storage.vault_url),
+                            level=ch_core.hookenv.INFO)
+        secret_id = vault_utils.retrieve_secret_id(
+            secrets_storage.vault_url,
+            secrets_storage.unit_token)
         vault_data = {
             'approle_role_id': secrets_storage.unit_role_id,
             'approle_secret_id': secret_id,
             'vault_url': secrets_storage.vault_url,
             'kv_mountpoint': barbican_vault_charm.secret_backend_name,
-            'use_ssl': 'false',  # XXX
         }
+        if barbican_vault_charm.installed_ca_name:
+            vault_data.update({
+                'ssl_ca_crt_file': barbican_vault_charm.installed_ca_name})
         ch_core.hookenv.log('Publishing vault plugin info to barbican',
                             level=ch_core.hookenv.INFO)
         barbican.publish_plugin_info('vault', vault_data)

unit_tests/test_barbican_vault_handlers.py

@@ -95,8 +95,10 @@ class TestBarbicanVaultHandlers(test_utils.PatchHelper):
             'approle_secret_id': self.retrieve_secret_id(),
             'vault_url': secrets_storage.vault_url,
             'kv_mountpoint': barbican_vault_charm.secret_backend_name,
-            'use_ssl': 'false',  # XXX
+            'ssl_ca_crt_file': barbican_vault_charm.installed_ca_name,
         }
+        barbican_vault_charm.install_ca_cert.assert_called_once_with(
+            secrets_storage.vault_ca)
         barbican.publish_plugin_info.assert_called_once_with(
             'vault', vault_data)
         self.clear_flag.assert_called_once_with(

unit_tests/test_lib_charm_openstack_barbican_vault.py

@@ -0,0 +1,49 @@
+# Copyright 2018 Canonical Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import mock
+
+import charms_openstack.test_utils as test_utils
+
+import charm.openstack.barbican_vault as barbican_vault
+
+
+class Helper(test_utils.PatchHelper):
+
+    def setUp(self):
+        super().setUp()
+        self.patch_release(barbican_vault.BarbicanVaultCharm.release)
+
+
+class TestBarbicanVaultCharm(Helper):
+
+    def test_install_ca_cert(self):
+        b = barbican_vault.BarbicanVaultCharm()
+        self.patch('charmhelpers.core.host.install_ca_cert', 'install_ca_cert')
+        self.patch('base64.b64decode', 'b64decode')
+        cc = mock.MagicMock()
+        b.configuration_class = cc
+        b.install_ca_cert('data')
+        b.configuration_class.assert_called_once_with()
+        self.b64decode.assert_called_once_with('data')
+        self.install_ca_cert.assert_called_once_with(
+            self.b64decode(),
+            name=cc().application_name.__radd__())
+
+    def test_secret_backend_name(self):
+        b = barbican_vault.BarbicanVaultCharm()
+        cc = mock.MagicMock()
+        cc().application_name = 'application_name'
+        b.configuration_class = cc
+        self.assertEqual(b.secret_backend_name, 'charm-application_name')
+        cc.assert_has_calls([mock.call(), mock.call()])