Handle SSL
This commit is contained in:
parent
f5db4bff62
commit
63af9a89b3
|
@ -11,9 +11,13 @@
|
|||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
import base64
|
||||
|
||||
import charms_openstack.adapters
|
||||
import charms_openstack.charm
|
||||
|
||||
import charmhelpers.core as ch_core
|
||||
|
||||
|
||||
class BarbicanVaultCharm(charms_openstack.charm.OpenStackCharm):
|
||||
release = 'rocky'
|
||||
|
@ -22,7 +26,30 @@ class BarbicanVaultCharm(charms_openstack.charm.OpenStackCharm):
|
|||
python_version = 3
|
||||
adapters_class = charms_openstack.adapters.OpenStackRelationAdapters
|
||||
|
||||
_installed_ca_name = None
|
||||
|
||||
def install_ca_cert(self, ca_cert_data):
|
||||
"""Install CA certificate.
|
||||
|
||||
Takes Base64 encoded data from caller and installs it building
|
||||
filename from application name in Juju model.
|
||||
|
||||
:param ca_cert_data: Base64 encoded certificate data
|
||||
:type ca_cert_data: str
|
||||
:
|
||||
"""
|
||||
name = 'juju-' + self.configuration_class().application_name
|
||||
ch_core.host.install_ca_cert(
|
||||
base64.b64decode(ca_cert_data), name=name)
|
||||
self._installed_ca_name = (
|
||||
'/usr/local/share/ca-certificates/{}.crt'.format(name))
|
||||
|
||||
@property
|
||||
def secret_backend_name(self):
|
||||
"""Build secret backend name from name of the deployed charm."""
|
||||
return 'charm-' + self.configuration_class().application_name
|
||||
|
||||
@property
|
||||
def installed_ca_name(self):
|
||||
"""Return installed CA name if set."""
|
||||
return self._installed_ca_name
|
||||
|
|
|
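Review bot: `base64.b64decode(ca_cert_data)` in install_ca_cert decodes with the default `validate=False`, so characters outside the base64 alphabet are silently discarded and a corrupted or truncated relation value is still written into the system trust store under `juju-<app>.crt`; `base64.b64decode(ca_cert_data, validate=True)` turns that into a `binascii.Error` at the bad input instead. The path stored in `_installed_ca_name` hard-codes `/usr/local/share/ca-certificates/{}.crt`, which mirrors an assumption about where `ch_core.host.install_ca_cert` writes rather than a value it returns; a comment such as `# mirrors the location charmhelpers' install_ca_cert writes to; keep in sync` would flag that coupling for the next maintainer. The docstring also carries a stray `:` line before its closing quotes. The class body may continue past the end of this hunk.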
@ -50,20 +50,25 @@ def plugin_info_barbican_publish():
|
|||
barbican = reactive.endpoint_from_flag('endpoint.secrets.joined')
|
||||
secrets_storage = reactive.endpoint_from_flag(
|
||||
'secrets-storage.available')
|
||||
ch_core.hookenv.log('Retrieving secret-id from vault ({})'
|
||||
.format(secrets_storage.vault_url),
|
||||
level=ch_core.hookenv.INFO)
|
||||
secret_id = vault_utils.retrieve_secret_id(
|
||||
secrets_storage.vault_url,
|
||||
secrets_storage.unit_token)
|
||||
with charm.provide_charm_instance() as barbican_vault_charm:
|
||||
if secrets_storage.vault_ca:
|
||||
ch_core.hookenv.log('Installing vault CA certificate')
|
||||
barbican_vault_charm.install_ca_cert(secrets_storage.vault_ca)
|
||||
ch_core.hookenv.log('Retrieving secret-id from vault ({})'
|
||||
.format(secrets_storage.vault_url),
|
||||
level=ch_core.hookenv.INFO)
|
||||
secret_id = vault_utils.retrieve_secret_id(
|
||||
secrets_storage.vault_url,
|
||||
secrets_storage.unit_token)
|
||||
vault_data = {
|
||||
'approle_role_id': secrets_storage.unit_role_id,
|
||||
'approle_secret_id': secret_id,
|
||||
'vault_url': secrets_storage.vault_url,
|
||||
'kv_mountpoint': barbican_vault_charm.secret_backend_name,
|
||||
'use_ssl': 'false', # XXX
|
||||
}
|
||||
if barbican_vault_charm.installed_ca_name:
|
||||
vault_data.update({
|
||||
'ssl_ca_crt_file': barbican_vault_charm.installed_ca_name})
|
||||
ch_core.hookenv.log('Publishing vault plugin info to barbican',
|
||||
level=ch_core.hookenv.INFO)
|
||||
barbican.publish_plugin_info('vault', vault_data)
|
||||
|
|
|
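Review bot: `'use_ssl': 'false',  # XXX` is still published unchanged even though the hunk now installs the vault CA and publishes `ssl_ca_crt_file` beside it, so the freshly installed CA is advertised together with an explicit instruction not to use TLS. Deriving the flag from the endpoint, e.g. `'use_ssl': 'true' if secrets_storage.vault_url.startswith('https') else 'false',`, would keep the two settings consistent, assuming the barbican vault plugin reads this as a boolean string as the neighbouring values suggest. The move of retrieve_secret_id after install_ca_cert is presumably deliberate so that the secret-id fetch can verify vault's certificate, but nothing in the hunk says so; a comment like `# install the CA before contacting vault so the secret-id retrieval can verify its certificate` would record the intent. plugin_info_barbican_publish's decorators and the end of the function lie outside the hunk.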
@ -95,8 +95,10 @@ class TestBarbicanVaultHandlers(test_utils.PatchHelper):
|
|||
'approle_secret_id': self.retrieve_secret_id(),
|
||||
'vault_url': secrets_storage.vault_url,
|
||||
'kv_mountpoint': barbican_vault_charm.secret_backend_name,
|
||||
'use_ssl': 'false', # XXX
|
||||
'ssl_ca_crt_file': barbican_vault_charm.installed_ca_name,
|
||||
}
|
||||
barbican_vault_charm.install_ca_cert.assert_called_once_with(
|
||||
secrets_storage.vault_ca)
|
||||
barbican.publish_plugin_info.assert_called_once_with(
|
||||
'vault', vault_data)
|
||||
self.clear_flag.assert_called_once_with(
|
||||
|
|
|
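Review bot: the updated expectation only exercises the branch where `secrets_storage.vault_ca` is truthy; with a mock endpoint every attribute is truthy, so neither the `if secrets_storage.vault_ca:` guard nor the `if barbican_vault_charm.installed_ca_name:` guard in the handler is ever seen false. A second case that sets `secrets_storage.vault_ca = None`, asserts `barbican_vault_charm.install_ca_cert.assert_not_called()` and checks that `'ssl_ca_crt_file'` is absent from the published dict would cover the no-CA path. The test method begins outside the hunk.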
@ -0,0 +1,49 @@
|
|||
# Copyright 2018 Canonical Ltd
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
import mock
|
||||
|
||||
import charms_openstack.test_utils as test_utils
|
||||
|
||||
import charm.openstack.barbican_vault as barbican_vault
|
||||
|
||||
|
||||
class Helper(test_utils.PatchHelper):
|
||||
|
||||
def setUp(self):
|
||||
super().setUp()
|
||||
self.patch_release(barbican_vault.BarbicanVaultCharm.release)
|
||||
|
||||
|
||||
class TestBarbicanVaultCharm(Helper):
|
||||
|
||||
def test_install_ca_cert(self):
|
||||
b = barbican_vault.BarbicanVaultCharm()
|
||||
self.patch('charmhelpers.core.host.install_ca_cert', 'install_ca_cert')
|
||||
self.patch('base64.b64decode', 'b64decode')
|
||||
cc = mock.MagicMock()
|
||||
b.configuration_class = cc
|
||||
b.install_ca_cert('data')
|
||||
b.configuration_class.assert_called_once_with()
|
||||
self.b64decode.assert_called_once_with('data')
|
||||
self.install_ca_cert.assert_called_once_with(
|
||||
self.b64decode(),
|
||||
name=cc().application_name.__radd__())
|
||||
|
||||
def test_secret_backend_name(self):
|
||||
b = barbican_vault.BarbicanVaultCharm()
|
||||
cc = mock.MagicMock()
|
||||
cc().application_name = 'application_name'
|
||||
b.configuration_class = cc
|
||||
self.assertEqual(b.secret_backend_name, 'charm-application_name')
|
||||
cc.assert_has_calls([mock.call(), mock.call()])
|
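Review bot: in test_install_ca_cert the expected `name=cc().application_name.__radd__()` is a MagicMock artefact of evaluating `'juju-' + <mock>`, not a statement of the intended name, so the assertion passes whatever prefix install_ca_cert uses. Setting `cc().application_name = 'application_name'` as test_secret_backend_name already does and asserting `name='juju-application_name'` pins the real contract. The test also never reads `b.installed_ca_name` after the call, although that property is what the publish handler relies on; one more line, `self.assertEqual(b.installed_ca_name, '/usr/local/share/ca-certificates/juju-application_name.crt')`, would cover it.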