Enable vault tls-certificates for SAML Mellon
The charm assumed the use of ssl_cert and ssl_key. The current best practice is to deploy with vault and the tls-certificates relation. Enable tls-certificates relation aware configuration for the websso-trusted-dashboard relation. Simplify hostname, IP, VIP selection using resolve_address. Change-Id: Ibcd963946a3956f9b2d2963fe9455d6d9ee78ab6
parent
0599bdd433
commit
601875867d
|
@ -45,7 +45,6 @@ from charmhelpers.core.hookenv import (
|
|||
status_set,
|
||||
is_leader,
|
||||
local_unit,
|
||||
network_get,
|
||||
)
|
||||
from charmhelpers.fetch import (
|
||||
apt_update, apt_install,
|
||||
|
@ -56,6 +55,10 @@ from charmhelpers.core.host import (
|
|||
service_reload,
|
||||
service_restart,
|
||||
)
|
||||
from charmhelpers.contrib.openstack.ip import (
|
||||
PUBLIC,
|
||||
resolve_address,
|
||||
)
|
||||
from charmhelpers.contrib.openstack.utils import (
|
||||
configure_installation_source,
|
||||
openstack_upgrade_available,
|
||||
|
@ -338,24 +341,18 @@ def websso_trusted_dashboard_changed():
|
|||
return
|
||||
|
||||
# TODO: check for vault relation in order to determine url scheme
|
||||
tls_configured = config('ssl-key') or config('enforce-ssl')
|
||||
tls_configured = (relation_ids('certificates') or
|
||||
config('ssl-key') or config('enforce-ssl'))
|
||||
scheme = 'https://' if tls_configured else 'http://'
|
||||
|
||||
if config('dns-ha') or config('os-public-hostname'):
|
||||
hostname = config('os-public-hostname')
|
||||
elif config('vip'):
|
||||
hostname = config('vip')
|
||||
else:
|
||||
# use an ingress-address of a given unit as a fallback
|
||||
netinfo = network_get('websso-trusted-dashboard')
|
||||
hostname = netinfo['ingress-addresses'][0]
|
||||
|
||||
hostname = resolve_address(endpoint_type=PUBLIC, override=True)
|
||||
path = "{}/auth/websso/".format(config('webroot'))
|
||||
# provide trusted dashboard URL details
|
||||
for rid in relations:
|
||||
relation_set(relation_id=rid, relation_settings={
|
||||
"scheme": scheme,
|
||||
"hostname": hostname,
|
||||
"path": "/auth/websso/"
|
||||
"path": path,
|
||||
})
|
||||
|
||||
|
||||
|
|
|
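Review bot: `relation_ids('certificates')` in the new `tls_configured` expression is truthy as soon as the certificates relation exists, which can be before any certificate has been issued to this unit, so `scheme` may be published as `https://` while the dashboard is still served over plain HTTP. The consumer of this relation presumably treats scheme + hostname + path as the trusted dashboard origin for WebSSO, so a premature or stale scheme breaks the login flow rather than failing safe. I would gate on a certificate actually having been delivered, or make sure this hook is re-run from the certificates relation handlers, and record the choice next to the expression, e.g. `# relation presence only; the certificate may not be issued yet`. Judging by the hunk counts, the `# TODO: check for vault relation in order to determine url scheme` line just above survives as context and is now stale. The body of websso_trusted_dashboard_changed starts above this hunk.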
@ -62,6 +62,7 @@ TO_PATCH = [
|
|||
'service_restart',
|
||||
'remove_old_packages',
|
||||
'generate_ha_relation_data',
|
||||
'resolve_address',
|
||||
]
|
||||
|
||||
|
||||
|
@ -297,37 +298,117 @@ class TestHorizonHooks(CharmTestCase):
|
|||
self._call_hook('websso-fid-service-provider-relation-changed')
|
||||
self.CONFIGS.write_all.assert_called_with()
|
||||
|
||||
def test_websso_trusted_dashboard_changed(self):
|
||||
def test_websso_trusted_dashboard_changed_no_tls(self):
|
||||
def relation_ids_side_effect(rname):
|
||||
return {
|
||||
'websso-trusted-dashboard': [
|
||||
'websso-trusted-dashboard:0',
|
||||
'websso-trusted-dashboard:1',
|
||||
]
|
||||
],
|
||||
'certificates': [],
|
||||
}[rname]
|
||||
self.relation_ids.side_effect = relation_ids_side_effect
|
||||
hostname = 'dashboard.intranet.test'
|
||||
|
||||
def config_side_effect(key):
|
||||
return {
|
||||
'ssl-key': 'somekey',
|
||||
'enforce-ssl': True,
|
||||
'dns-ha': True,
|
||||
'os-public-hostname': 'dashboard.intranet.test',
|
||||
'ssl-key': None,
|
||||
'enforce-ssl': None,
|
||||
'dns-ha': None,
|
||||
'os-public-hostname': hostname,
|
||||
'webroot': '/horizon',
|
||||
}[key]
|
||||
self.config.side_effect = config_side_effect
|
||||
self.resolve_address.return_value = hostname
|
||||
self._call_hook('websso-trusted-dashboard-relation-changed')
|
||||
self.relation_set.assert_has_calls([
|
||||
call(relation_id='websso-trusted-dashboard:0',
|
||||
relation_settings={
|
||||
"scheme": "http://",
|
||||
"hostname": "dashboard.intranet.test",
|
||||
"path": "/horizon/auth/websso/",
|
||||
}),
|
||||
call(relation_id='websso-trusted-dashboard:1',
|
||||
relation_settings={
|
||||
"scheme": "http://",
|
||||
"hostname": "dashboard.intranet.test",
|
||||
"path": "/horizon/auth/websso/",
|
||||
}),
|
||||
])
|
||||
|
||||
def test_websso_trusted_dashboard_changed_tls_certificates_relation(self):
|
||||
def relation_ids_side_effect(rname):
|
||||
return {
|
||||
'websso-trusted-dashboard': [
|
||||
'websso-trusted-dashboard:0',
|
||||
'websso-trusted-dashboard:1',
|
||||
],
|
||||
'certificates': ['certificates:9'],
|
||||
}[rname]
|
||||
self.relation_ids.side_effect = relation_ids_side_effect
|
||||
hostname = 'dashboard.intranet.test'
|
||||
|
||||
def config_side_effect(key):
|
||||
return {
|
||||
'ssl-key': None,
|
||||
'enforce-ssl': None,
|
||||
'dns-ha': None,
|
||||
'os-public-hostname': hostname,
|
||||
'webroot': '/horizon'
|
||||
}[key]
|
||||
self.config.side_effect = config_side_effect
|
||||
self.resolve_address.return_value = hostname
|
||||
self._call_hook('websso-trusted-dashboard-relation-changed')
|
||||
self.relation_set.assert_has_calls([
|
||||
call(relation_id='websso-trusted-dashboard:0',
|
||||
relation_settings={
|
||||
"scheme": "https://",
|
||||
"hostname": "dashboard.intranet.test",
|
||||
"path": "/auth/websso/",
|
||||
"path": "/horizon/auth/websso/",
|
||||
}),
|
||||
call(relation_id='websso-trusted-dashboard:1',
|
||||
relation_settings={
|
||||
"scheme": "https://",
|
||||
"hostname": "dashboard.intranet.test",
|
||||
"path": "/auth/websso/",
|
||||
"path": "/horizon/auth/websso/",
|
||||
}),
|
||||
])
|
||||
|
||||
def test_websso_trusted_dashboard_changed_ssl_config(self):
|
||||
def relation_ids_side_effect(rname):
|
||||
return {
|
||||
'websso-trusted-dashboard': [
|
||||
'websso-trusted-dashboard:0',
|
||||
'websso-trusted-dashboard:1',
|
||||
],
|
||||
'certificates': [],
|
||||
}[rname]
|
||||
self.relation_ids.side_effect = relation_ids_side_effect
|
||||
hostname = 'dashboard.intranet.test'
|
||||
|
||||
def config_side_effect(key):
|
||||
return {
|
||||
'ssl-key': 'somekey',
|
||||
'enforce-ssl': True,
|
||||
'dns-ha': True,
|
||||
'os-public-hostname': hostname,
|
||||
'webroot': '/horizon',
|
||||
}[key]
|
||||
self.config.side_effect = config_side_effect
|
||||
self.resolve_address.return_value = hostname
|
||||
self._call_hook('websso-trusted-dashboard-relation-changed')
|
||||
self.relation_set.assert_has_calls([
|
||||
call(relation_id='websso-trusted-dashboard:0',
|
||||
relation_settings={
|
||||
"scheme": "https://",
|
||||
"hostname": "dashboard.intranet.test",
|
||||
"path": "/horizon/auth/websso/",
|
||||
}),
|
||||
call(relation_id='websso-trusted-dashboard:1',
|
||||
relation_settings={
|
||||
"scheme": "https://",
|
||||
"hostname": "dashboard.intranet.test",
|
||||
"path": "/horizon/auth/websso/",
|
||||
}),
|
||||
])
|
||||
|
||||
|
|
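Review bot: All three websso_trusted_dashboard tests stub `resolve_address` to return the expected hostname and never assert how it was called, so the replacement of the old vip and ingress-address branches is not exercised here. Adding `self.resolve_address.assert_called_once_with(endpoint_type=PUBLIC, override=True)` to each test (with PUBLIC taken from charmhelpers.contrib.openstack.ip) would pin the call. The `'dns-ha'` and `'os-public-hostname'` entries in `config_side_effect` look unused by the visible hook code now that hostname selection is delegated to the mocked resolver; drop them or comment why they stay. test_websso_trusted_dashboard_changed_ssl_config sets both `'ssl-key'` and `'enforce-ssl'`, so neither option is shown to select `https://` on its own, and there is no case for a certificates relation that exists but has not yet delivered a certificate.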