Enable vault tls-certificates for SAML Mellon

The charm assumed the use of ssl_cert and ssl_key. The current best
practice is to deploy with vault and the tls-certificates relation.
Enable tls-certificates relation aware configuration for the
websso-trusted-dashboard relation.

Simplify hostname, IP, VIP selection using resolve_address.

Change-Id: Ibcd963946a3956f9b2d2963fe9455d6d9ee78ab6
David Ames 2019-02-28 16:21:43 +01:00
parent 0599bdd433
commit 601875867d
2 changed files with 98 additions and 20 deletions


@ -45,7 +45,6 @@ from charmhelpers.core.hookenv import (
status_set,
is_leader,
local_unit,
network_get,
)
from charmhelpers.fetch import (
apt_update, apt_install,
@ -56,6 +55,10 @@ from charmhelpers.core.host import (
service_reload,
service_restart,
)
from charmhelpers.contrib.openstack.ip import (
PUBLIC,
resolve_address,
)
from charmhelpers.contrib.openstack.utils import (
configure_installation_source,
openstack_upgrade_available,
@ -338,24 +341,18 @@ def websso_trusted_dashboard_changed():
return
# TODO: check for vault relation in order to determine url scheme
tls_configured = config('ssl-key') or config('enforce-ssl')
tls_configured = (relation_ids('certificates') or
config('ssl-key') or config('enforce-ssl'))
scheme = 'https://' if tls_configured else 'http://'
if config('dns-ha') or config('os-public-hostname'):
hostname = config('os-public-hostname')
elif config('vip'):
hostname = config('vip')
else:
# use an ingress-address of a given unit as a fallback
netinfo = network_get('websso-trusted-dashboard')
hostname = netinfo['ingress-addresses'][0]
hostname = resolve_address(endpoint_type=PUBLIC, override=True)
path = "{}/auth/websso/".format(config('webroot'))
# provide trusted dashboard URL details
for rid in relations:
relation_set(relation_id=rid, relation_settings={
"scheme": scheme,
"hostname": hostname,
"path": "/auth/websso/"
"path": path,
})
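Review bot: The new `tls_configured` test advertises `https://` to every websso-trusted-dashboard peer as soon as `relation_ids('certificates')` is non-empty, i.e. before the certificates relation has actually delivered a certificate and the HTTPS listener exists, so the dashboard can publish an https URL that does not answer yet; gating on whatever the charm already uses to confirm an installed certificate, rather than on relation presence, would avoid that window, and the `# TODO: check for vault relation in order to determine url scheme` line above it should either be dropped or reworded to describe that remaining gap. Separately, `path = "{}/auth/websso/".format(config('webroot'))` yields `//auth/websso/` when `webroot` is `/`; `path = "{}/auth/websso/".format(config('webroot').rstrip('/'))` keeps the default `/horizon` case unchanged. The enclosing `websso_trusted_dashboard_changed` starts outside this hunk, so the early `return` guard it relies on is not visible here.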


@ -62,6 +62,7 @@ TO_PATCH = [
'service_restart',
'remove_old_packages',
'generate_ha_relation_data',
'resolve_address',
]
@ -297,37 +298,117 @@ class TestHorizonHooks(CharmTestCase):
self._call_hook('websso-fid-service-provider-relation-changed')
self.CONFIGS.write_all.assert_called_with()
def test_websso_trusted_dashboard_changed(self):
def test_websso_trusted_dashboard_changed_no_tls(self):
def relation_ids_side_effect(rname):
return {
'websso-trusted-dashboard': [
'websso-trusted-dashboard:0',
'websso-trusted-dashboard:1',
]
],
'certificates': [],
}[rname]
self.relation_ids.side_effect = relation_ids_side_effect
hostname = 'dashboard.intranet.test'
def config_side_effect(key):
return {
'ssl-key': 'somekey',
'enforce-ssl': True,
'dns-ha': True,
'os-public-hostname': 'dashboard.intranet.test',
'ssl-key': None,
'enforce-ssl': None,
'dns-ha': None,
'os-public-hostname': hostname,
'webroot': '/horizon',
}[key]
self.config.side_effect = config_side_effect
self.resolve_address.return_value = hostname
self._call_hook('websso-trusted-dashboard-relation-changed')
self.relation_set.assert_has_calls([
call(relation_id='websso-trusted-dashboard:0',
relation_settings={
"scheme": "http://",
"hostname": "dashboard.intranet.test",
"path": "/horizon/auth/websso/",
}),
call(relation_id='websso-trusted-dashboard:1',
relation_settings={
"scheme": "http://",
"hostname": "dashboard.intranet.test",
"path": "/horizon/auth/websso/",
}),
])
def test_websso_trusted_dashboard_changed_tls_certificates_relation(self):
def relation_ids_side_effect(rname):
return {
'websso-trusted-dashboard': [
'websso-trusted-dashboard:0',
'websso-trusted-dashboard:1',
],
'certificates': ['certificates:9'],
}[rname]
self.relation_ids.side_effect = relation_ids_side_effect
hostname = 'dashboard.intranet.test'
def config_side_effect(key):
return {
'ssl-key': None,
'enforce-ssl': None,
'dns-ha': None,
'os-public-hostname': hostname,
'webroot': '/horizon'
}[key]
self.config.side_effect = config_side_effect
self.resolve_address.return_value = hostname
self._call_hook('websso-trusted-dashboard-relation-changed')
self.relation_set.assert_has_calls([
call(relation_id='websso-trusted-dashboard:0',
relation_settings={
"scheme": "https://",
"hostname": "dashboard.intranet.test",
"path": "/auth/websso/",
"path": "/horizon/auth/websso/",
}),
call(relation_id='websso-trusted-dashboard:1',
relation_settings={
"scheme": "https://",
"hostname": "dashboard.intranet.test",
"path": "/auth/websso/",
"path": "/horizon/auth/websso/",
}),
])
def test_websso_trusted_dashboard_changed_ssl_config(self):
def relation_ids_side_effect(rname):
return {
'websso-trusted-dashboard': [
'websso-trusted-dashboard:0',
'websso-trusted-dashboard:1',
],
'certificates': [],
}[rname]
self.relation_ids.side_effect = relation_ids_side_effect
hostname = 'dashboard.intranet.test'
def config_side_effect(key):
return {
'ssl-key': 'somekey',
'enforce-ssl': True,
'dns-ha': True,
'os-public-hostname': hostname,
'webroot': '/horizon',
}[key]
self.config.side_effect = config_side_effect
self.resolve_address.return_value = hostname
self._call_hook('websso-trusted-dashboard-relation-changed')
self.relation_set.assert_has_calls([
call(relation_id='websso-trusted-dashboard:0',
relation_settings={
"scheme": "https://",
"hostname": "dashboard.intranet.test",
"path": "/horizon/auth/websso/",
}),
call(relation_id='websso-trusted-dashboard:1',
relation_settings={
"scheme": "https://",
"hostname": "dashboard.intranet.test",
"path": "/horizon/auth/websso/",
}),
])
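Review bot: The three new tests set `self.resolve_address.return_value` but never assert that the hook called it with `endpoint_type=PUBLIC, override=True`, so a regression back to reading `config('vip')` or `network_get` would still pass; adding `self.resolve_address.assert_called_once_with(endpoint_type=PUBLIC, override=True)` after `_call_hook` in each test pins the new behaviour the commit introduces. There is also no case for `webroot` set to `/`, which the hook's `"{}/auth/websso/".format(...)` turns into `//auth/websso/`. As a point of style, the `relation_ids_side_effect`/`config_side_effect` scaffolding is repeated almost verbatim three times; a small helper taking the `certificates` list and the config overrides would leave each test showing only what differs (the relation list and the `ssl-key`/`enforce-ssl`/`dns-ha` values).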