Merge "Surround IPv6 addresses with []"

Zuul 2021-11-23 21:28:54 +00:00 committed by Gerrit Code Review
commit 0a03b2b36d
3 changed files with 127 additions and 9 deletions


@ -127,6 +127,8 @@ def binding_address(binding):
def get_vault_url(binding, port, address=None):
protocol = 'http'
ip = address or binding_address(binding)
if ':' in ip:
ip = '[{}]'.format(ip)
if charms.reactive.is_state('vault.ssl.available'):
protocol = 'https'
return '{}://{}:{}'.format(protocol, ip, port)
@ -165,6 +167,8 @@ def get_access_address():
addr = hookenv.config('dns-ha-access-record')
addr = addr or get_vip('access')
addr = addr or binding_address('access')
if ':' in addr:
addr = '[{}]'.format(addr)
if charms.reactive.is_state('vault.ssl.available'):
protocol = 'https'
return '{}://{}:{}'.format(protocol, addr, 8200)
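Review bot: The `':' in ip` check in get_vault_url, repeated as `':' in addr` in get_access_address, brackets any string that contains a colon rather than only IPv6 literals. A caller-supplied `address` that is already bracketed would come out double-wrapped, and a `dns-ha-access-record` value carrying a stray port or scheme would be wrapped as well. Judging by the tests in this commit, the access URL also feeds the PKI `issuing_certificates` and `crl_distribution_points` settings, so a malformed host would end up in issued certificates. Parsing the value with the standard `ipaddress` module and bracketing only a version 6 result makes both call sites exact, and one shared helper keeps them from drifting; it needs `import ipaddress` at the top of the file, which is outside these hunks. get_access_address starts above its hunk.

```python
def _bracket_ipv6(host):
    """Return host wrapped in [] when it is an IPv6 literal, else unchanged."""
    try:
        is_v6 = ipaddress.ip_address(host).version == 6
    except ValueError:
        # Hostname or already-bracketed value: leave as is.
        is_v6 = False
    return '[{}]'.format(host) if is_v6 else host


def get_vault_url(binding, port, address=None):
    protocol = 'http'
    ip = _bracket_ipv6(address or binding_address(binding))
    # … unchanged: https selection and return …

# … in get_access_address, after the addr fallbacks …
    addr = _bracket_ipv6(addr)
```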


@ -83,6 +83,14 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase):
self.assertEqual(vault.get_api_url(), 'https://1.2.3.4:8200')
network_get_primary_address.assert_called_with('access')
@patch.object(vault.hookenv, 'network_get_primary_address')
@patch.object(vault.charms.reactive, 'is_state')
def test_get_api_url_sslv6(self, is_state, network_get_primary_address):
is_state.return_value = True
network_get_primary_address.return_value = '2001:db8::'
self.assertEqual(vault.get_api_url(), 'https://[2001:db8::]:8200')
network_get_primary_address.assert_called_with('access')
@patch.object(vault.hookenv, 'network_get_primary_address')
@patch.object(vault.charms.reactive, 'is_state')
def test_get_api_url_nossl(self, is_state, network_get_primary_address):
@ -91,6 +99,14 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase):
self.assertEqual(vault.get_api_url(), 'http://1.2.3.4:8200')
network_get_primary_address.assert_called_with('access')
@patch.object(vault.hookenv, 'network_get_primary_address')
@patch.object(vault.charms.reactive, 'is_state')
def test_get_api_url_nosslv6(self, is_state, network_get_primary_address):
is_state.return_value = False
network_get_primary_address.return_value = '2001:db8::'
self.assertEqual(vault.get_api_url(), 'http://[2001:db8::]:8200')
network_get_primary_address.assert_called_with('access')
@patch.object(vault.hookenv, 'network_get_primary_address')
@patch.object(vault.charms.reactive, 'is_state')
def test_get_cluster_url_ssl(self, is_state, network_get_primary_address):
@ -99,6 +115,16 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase):
self.assertEqual(vault.get_cluster_url(), 'https://1.2.3.4:8201')
network_get_primary_address.assert_called_with('cluster')
@patch.object(vault.hookenv, 'network_get_primary_address')
@patch.object(vault.charms.reactive, 'is_state')
def test_get_cluster_url_sslv6(
self, is_state, network_get_primary_address
):
is_state.return_value = True
network_get_primary_address.return_value = '2001:db8::'
self.assertEqual(vault.get_cluster_url(), 'https://[2001:db8::]:8201')
network_get_primary_address.assert_called_with('cluster')
@patch.object(vault.hookenv, 'network_get_primary_address')
@patch.object(vault.charms.reactive, 'is_state')
def test_get_cluster_url_nossl(self, is_state,
@ -108,6 +134,16 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase):
self.assertEqual(vault.get_cluster_url(), 'http://1.2.3.4:8201')
network_get_primary_address.assert_called_with('cluster')
@patch.object(vault.hookenv, 'network_get_primary_address')
@patch.object(vault.charms.reactive, 'is_state')
def test_get_cluster_url_nosslv6(
self, is_state, network_get_primary_address
):
is_state.return_value = False
network_get_primary_address.return_value = '2001:db8::'
self.assertEqual(vault.get_cluster_url(), 'http://[2001:db8::]:8201')
network_get_primary_address.assert_called_with('cluster')
@patch.object(vault.hvac, 'Client')
@patch.object(vault, 'get_api_url')
def test_get_client(self, get_api_url, hvac_Client):
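Review bot: The four added v6 tests only exercise a bare IPv6 literal returned by the binding, so nothing here pins down the inputs the colon check could mishandle. Consider adding a case that passes an explicit `address=` to `get_vault_url`, and one for `get_access_address` with `dns-ha-access-record` set to a hostname, asserting that the hostname comes back unbracketed. No test that calls `get_access_address` directly is visible in this section. `test_get_client` at the end of the section continues outside the hunk.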


@ -147,7 +147,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
get_local_client.return_value = client_mock
is_ca_ready.return_value = False
with self.assertRaises(vault_pki.vault.VaultNotReady):
vault_pki.generate_certificate('server', 'exmaple.com', [],
vault_pki.generate_certificate('server', 'example.com', [],
ttl='3456h', max_ttl='3456h')
@patch.object(vault_pki, 'is_ca_ready')
@ -160,7 +160,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
get_local_client.return_value = client_mock
is_ca_ready.return_value = True
with self.assertRaises(vault_pki.vault.VaultInvalidRequest):
vault_pki.generate_certificate('unknown', 'exmaple.com', [],
vault_pki.generate_certificate('unknown', 'example.com', [],
'3456h', '3456h')
@patch.object(vault_pki, 'is_ca_ready')
@ -174,7 +174,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
is_ca_ready.return_value = True
client_mock.write.side_effect = hvac.exceptions.InvalidRequest
with self.assertRaises(vault_pki.vault.VaultInvalidRequest):
vault_pki.generate_certificate('server', 'exmaple.com', [],
vault_pki.generate_certificate('server', 'example.com', [],
ttl='3456h', max_ttl='3456h')
@patch.object(vault_pki, 'configure_pki_backend')
@ -234,7 +234,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
crl_distribution_points='{}/crl'.format(local_url)),
mock.call(
'charm-pki-local/roles/local',
allowed_domains='exmaple.com',
allowed_domains='example.com',
allow_subdomains=True,
enforce_hostnames=False,
allow_any_name=True,
@ -243,7 +243,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
client_flag=True),
mock.call(
'charm-pki-local/roles/local-client',
allowed_domains='exmaple.com',
allowed_domains='example.com',
allow_subdomains=True,
enforce_hostnames=False,
allow_any_name=True,
@ -251,7 +251,85 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
server_flag=False,
client_flag=True),
]
vault_pki.upload_signed_csr('MYPEM', 'exmaple.com')
vault_pki.upload_signed_csr('MYPEM', 'example.com')
client_mock._post.assert_called_once_with(
'v1/charm-pki-local/intermediate/set-signed',
json={'certificate': 'MYPEM'})
client_mock.write.assert_has_calls(write_calls)
@patch.object(vault_pki.vault, 'get_access_address')
@patch.object(vault_pki.vault, 'get_local_client')
def test_upload_signed_csr_ipv4(
self, get_local_client, get_access_address
):
get_access_address.return_value = 'https://127.0.0.1:8200'
client_mock = mock.MagicMock()
get_local_client.return_value = client_mock
local_url = 'https://127.0.0.1:8200/v1/charm-pki-local'
write_calls = [
mock.call(
'charm-pki-local/config/urls',
issuing_certificates='{}/ca'.format(local_url),
crl_distribution_points='{}/crl'.format(local_url)),
mock.call(
'charm-pki-local/roles/local',
allowed_domains='example.com',
allow_subdomains=True,
enforce_hostnames=False,
allow_any_name=True,
max_ttl='87598h',
server_flag=True,
client_flag=True),
mock.call(
'charm-pki-local/roles/local-client',
allowed_domains='example.com',
allow_subdomains=True,
enforce_hostnames=False,
allow_any_name=True,
max_ttl='87598h',
server_flag=False,
client_flag=True),
]
vault_pki.upload_signed_csr('MYPEM', 'example.com')
client_mock._post.assert_called_once_with(
'v1/charm-pki-local/intermediate/set-signed',
json={'certificate': 'MYPEM'})
client_mock.write.assert_has_calls(write_calls)
@patch.object(vault_pki.vault, 'get_access_address')
@patch.object(vault_pki.vault, 'get_local_client')
def test_upload_signed_csr_ipv6(
self, get_local_client, get_access_address
):
get_access_address.return_value = 'https://[::1]:8200'
client_mock = mock.MagicMock()
get_local_client.return_value = client_mock
local_url = 'https://[::1]:8200/v1/charm-pki-local'
write_calls = [
mock.call(
'charm-pki-local/config/urls',
issuing_certificates='{}/ca'.format(local_url),
crl_distribution_points='{}/crl'.format(local_url)),
mock.call(
'charm-pki-local/roles/local',
allowed_domains='example.com',
allow_subdomains=True,
enforce_hostnames=False,
allow_any_name=True,
max_ttl='87598h',
server_flag=True,
client_flag=True),
mock.call(
'charm-pki-local/roles/local-client',
allowed_domains='example.com',
allow_subdomains=True,
enforce_hostnames=False,
allow_any_name=True,
max_ttl='87598h',
server_flag=False,
client_flag=True),
]
vault_pki.upload_signed_csr('MYPEM', 'example.com')
client_mock._post.assert_called_once_with(
'v1/charm-pki-local/intermediate/set-signed',
json={'certificate': 'MYPEM'})
@ -272,7 +350,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
crl_distribution_points='{}/crl'.format(local_url)),
mock.call(
'charm-pki-local/roles/local',
allowed_domains='exmaple.com',
allowed_domains='example.com',
allow_subdomains=False,
enforce_hostnames=True,
allow_any_name=False,
@ -281,7 +359,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
client_flag=True),
mock.call(
'charm-pki-local/roles/local-client',
allowed_domains='exmaple.com',
allowed_domains='example.com',
allow_subdomains=False,
enforce_hostnames=True,
allow_any_name=False,
@ -291,7 +369,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
]
vault_pki.upload_signed_csr(
'MYPEM',
'exmaple.com',
'example.com',
allow_subdomains=False,
enforce_hostnames=True,
allow_any_name=False,
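Review bot: `test_upload_signed_csr_ipv4` and `test_upload_signed_csr_ipv6` are near line-for-line copies that differ only in the mocked `get_access_address` return value, and each repeats the full `write_calls` list. A private helper on the test class that takes the access URL, for example `def _check_upload_signed_csr(self, access_url):`, called from both tests, would keep the expected role parameters in one place. Because `get_access_address` is mocked to return an already-bracketed `'https://[::1]:8200'`, the IPv6 test confirms pass-through into `issuing_certificates` and `crl_distribution_points` but not the bracketing itself; a one-line comment such as `# get_access_address is mocked: this checks URL pass-through only` would make that explicit. The `upload_signed_csr` call in the last hunk continues outside it.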