From 3742fcbc323fbb0b0621c6f9677763f98eb38c86 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Thu, 21 Oct 2021 15:24:48 -0400
Subject: [PATCH] Surround IPv6 addresses with []
Fix typo in tests (s/exmaple/example/g) and add IPv4 and IPv6 tests URLs.
Signed-off-by: Simon Deziel
Change-Id: I283f88069371d661535f675cc046b04aec2f3f99
---
 src/lib/charm/vault.py | 4 ++
 unit_tests/test_lib_charm_vault.py | 36 ++++++++++
 unit_tests/test_lib_charm_vault_pki.py | 96 +++++++++++++++++++++++---
 3 files changed, 127 insertions(+), 9 deletions(-)
diff --git a/src/lib/charm/vault.py b/src/lib/charm/vault.py
index 90f36ed..9b3bdba 100644
--- a/src/lib/charm/vault.py
+++ b/src/lib/charm/vault.py
@@ -127,6 +127,8 @@ def binding_address(binding):
 def get_vault_url(binding, port, address=None):
 protocol = 'http'
 ip = address or binding_address(binding)
+ if ':' in ip:
+ ip = '[{}]'.format(ip)
 if charms.reactive.is_state('vault.ssl.available'):
 protocol = 'https'
 return '{}://{}:{}'.format(protocol, ip, port)
@@ -165,6 +167,8 @@ def get_access_address():
 addr = hookenv.config('dns-ha-access-record')
 addr = addr or get_vip('access')
 addr = addr or binding_address('access')
+ if ':' in addr:
+ addr = '[{}]'.format(addr)
 if charms.reactive.is_state('vault.ssl.available'):
 protocol = 'https'
 return '{}://{}:{}'.format(protocol, addr, 8200)
diff --git a/unit_tests/test_lib_charm_vault.py b/unit_tests/test_lib_charm_vault.py
index c6722ad..0e5580f 100644
--- a/unit_tests/test_lib_charm_vault.py
+++ b/unit_tests/test_lib_charm_vault.py
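Review bot: The `':' in ip` test added to get_vault_url, and repeated as `':' in addr` in get_access_address, is a substring check rather than an IPv6 check, so any colon-bearing value that is not a bare IPv6 literal gets wrapped as well. In get_access_address the value can come from the `dns-ha-access-record` config option, so an entry that already carries brackets or a port would produce a malformed URL. Judging by the tests in this commit, that URL is the base for the `issuing_certificates` and `crl_distribution_points` values written to the PKI backend, where a bad value would presumably leave clients unable to fetch the CRL. A shared helper that parses the value with the standard `ipaddress` module (which vault.py would need to import) removes both the duplication and the guesswork, and passes non-address values through unchanged. get_access_address starts outside its hunk, so its earlier lines are not reviewed here.

```python
def _url_host(host):
    """Return host for use in a URL, bracketed only if it is an IPv6 literal."""
    try:
        is_v6 = ipaddress.ip_address(host).version == 6
    except ValueError:
        # Hostnames and anything else that is not a bare IP literal
        is_v6 = False
    return '[{}]'.format(host) if is_v6 else host

# in get_vault_url, replacing the two added lines
    ip = _url_host(address or binding_address(binding))
# in get_access_address, replacing the two added lines
    addr = _url_host(addr)
# … unchanged: protocol selection and return in both functions …
```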
@@ -83,6 +83,14 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase): self.assertEqual(vault.get_api_url(), 'https://1.2.3.4:8200') network_get_primary_address.assert_called_with('access') + @patch.object(vault.hookenv, 'network_get_primary_address') + @patch.object(vault.charms.reactive, 'is_state') + def test_get_api_url_sslv6(self, is_state, network_get_primary_address): + is_state.return_value = True + network_get_primary_address.return_value = '2001:db8::' + self.assertEqual(vault.get_api_url(), 'https://[2001:db8::]:8200') + network_get_primary_address.assert_called_with('access') + @patch.object(vault.hookenv, 'network_get_primary_address') @patch.object(vault.charms.reactive, 'is_state') def test_get_api_url_nossl(self, is_state, network_get_primary_address): @@ -91,6 +99,14 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase): self.assertEqual(vault.get_api_url(), 'http://1.2.3.4:8200') network_get_primary_address.assert_called_with('access') + @patch.object(vault.hookenv, 'network_get_primary_address') + @patch.object(vault.charms.reactive, 'is_state') + def test_get_api_url_nosslv6(self, is_state, network_get_primary_address): + is_state.return_value = False + network_get_primary_address.return_value = '2001:db8::' + self.assertEqual(vault.get_api_url(), 'http://[2001:db8::]:8200') + network_get_primary_address.assert_called_with('access') + @patch.object(vault.hookenv, 'network_get_primary_address') @patch.object(vault.charms.reactive, 'is_state') def test_get_cluster_url_ssl(self, is_state, network_get_primary_address): 
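Review bot: The tests added in this file reach the new bracketing only through get_api_url and get_cluster_url, and nothing added here calls `vault.get_access_address()`, which received the same two-line change in vault.py. That function picks its host from config, then the VIP, then the binding, so a direct test with an IPv6 binding address would pin the branch. A second case using a hostname for `dns-ha-access-record` would confirm that names are left unbracketed. All four tests added to this file use the single literal `2001:db8::`. get_access_address starts outside the vault.py hunk, so the mocks below may need adjusting to whatever precedes the visible lines.

```python
@patch.object(vault, 'binding_address')
@patch.object(vault, 'get_vip')
@patch.object(vault.hookenv, 'config')
@patch.object(vault.charms.reactive, 'is_state')
def test_get_access_address_ipv6(
    self, is_state, config, get_vip, binding_address
):
    is_state.return_value = True
    config.return_value = None
    get_vip.return_value = None
    binding_address.return_value = '2001:db8::'
    self.assertEqual(
        vault.get_access_address(), 'https://[2001:db8::]:8200')
```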
@@ -99,6 +115,16 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase): self.assertEqual(vault.get_cluster_url(), 'https://1.2.3.4:8201') network_get_primary_address.assert_called_with('cluster') + @patch.object(vault.hookenv, 'network_get_primary_address') + @patch.object(vault.charms.reactive, 'is_state') + def test_get_cluster_url_sslv6( + self, is_state, network_get_primary_address + ): + is_state.return_value = True + network_get_primary_address.return_value = '2001:db8::' + self.assertEqual(vault.get_cluster_url(), 'https://[2001:db8::]:8201') + network_get_primary_address.assert_called_with('cluster') + @patch.object(vault.hookenv, 'network_get_primary_address') @patch.object(vault.charms.reactive, 'is_state') def test_get_cluster_url_nossl(self, is_state, @@ -108,6 +134,16 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase): self.assertEqual(vault.get_cluster_url(), 'http://1.2.3.4:8201') network_get_primary_address.assert_called_with('cluster') + @patch.object(vault.hookenv, 'network_get_primary_address') + @patch.object(vault.charms.reactive, 'is_state') + def test_get_cluster_url_nosslv6( + self, is_state, network_get_primary_address + ): + is_state.return_value = False + network_get_primary_address.return_value = '2001:db8::' + self.assertEqual(vault.get_cluster_url(), 'http://[2001:db8::]:8201') + network_get_primary_address.assert_called_with('cluster') + @patch.object(vault.hvac, 'Client') @patch.object(vault, 'get_api_url') def test_get_client(self, get_api_url, hvac_Client): diff --git a/unit_tests/test_lib_charm_vault_pki.py b/unit_tests/test_lib_charm_vault_pki.py index 24fa310..73db5d8 100644 --- a/unit_tests/test_lib_charm_vault_pki.py +++ b/unit_tests/test_lib_charm_vault_pki.py 
@@ -147,7 +147,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase): get_local_client.return_value = client_mock is_ca_ready.return_value = False with self.assertRaises(vault_pki.vault.VaultNotReady): - vault_pki.generate_certificate('server', 'exmaple.com', [], + vault_pki.generate_certificate('server', 'example.com', [], ttl='3456h', max_ttl='3456h') @patch.object(vault_pki, 'is_ca_ready') @@ -160,7 +160,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase): get_local_client.return_value = client_mock is_ca_ready.return_value = True with self.assertRaises(vault_pki.vault.VaultInvalidRequest): - vault_pki.generate_certificate('unknown', 'exmaple.com', [], + vault_pki.generate_certificate('unknown', 'example.com', [], '3456h', '3456h') @patch.object(vault_pki, 'is_ca_ready') @@ -174,7 +174,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase): is_ca_ready.return_value = True client_mock.write.side_effect = hvac.exceptions.InvalidRequest with self.assertRaises(vault_pki.vault.VaultInvalidRequest): - vault_pki.generate_certificate('server', 'exmaple.com', [], + vault_pki.generate_certificate('server', 'example.com', [], ttl='3456h', max_ttl='3456h') @patch.object(vault_pki, 'configure_pki_backend') @@ -234,7 +234,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase): crl_distribution_points='{}/crl'.format(local_url)), mock.call( 'charm-pki-local/roles/local', - allowed_domains='exmaple.com', + allowed_domains='example.com', allow_subdomains=True, enforce_hostnames=False, allow_any_name=True, @@ -243,7 +243,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase): client_flag=True), mock.call( 'charm-pki-local/roles/local-client', - allowed_domains='exmaple.com', + allowed_domains='example.com', allow_subdomains=True, enforce_hostnames=False, allow_any_name=True, 
@@ -251,7 +251,85 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase): server_flag=False, client_flag=True), ] - vault_pki.upload_signed_csr('MYPEM', 'exmaple.com') + vault_pki.upload_signed_csr('MYPEM', 'example.com') + client_mock._post.assert_called_once_with( + 'v1/charm-pki-local/intermediate/set-signed', + json={'certificate': 'MYPEM'}) + client_mock.write.assert_has_calls(write_calls) + + @patch.object(vault_pki.vault, 'get_access_address') + @patch.object(vault_pki.vault, 'get_local_client') + def test_upload_signed_csr_ipv4( + self, get_local_client, get_access_address + ): + get_access_address.return_value = 'https://127.0.0.1:8200' + client_mock = mock.MagicMock() + get_local_client.return_value = client_mock + local_url = 'https://127.0.0.1:8200/v1/charm-pki-local' + write_calls = [ + mock.call( + 'charm-pki-local/config/urls', + issuing_certificates='{}/ca'.format(local_url), + crl_distribution_points='{}/crl'.format(local_url)), + mock.call( + 'charm-pki-local/roles/local', + allowed_domains='example.com', + allow_subdomains=True, + enforce_hostnames=False, + allow_any_name=True, + max_ttl='87598h', + server_flag=True, + client_flag=True), + mock.call( + 'charm-pki-local/roles/local-client', + allowed_domains='example.com', + allow_subdomains=True, + enforce_hostnames=False, + allow_any_name=True, + max_ttl='87598h', + server_flag=False, + client_flag=True), + ] + vault_pki.upload_signed_csr('MYPEM', 'example.com') + client_mock._post.assert_called_once_with( + 'v1/charm-pki-local/intermediate/set-signed', + json={'certificate': 'MYPEM'}) + client_mock.write.assert_has_calls(write_calls) + + @patch.object(vault_pki.vault, 'get_access_address') + @patch.object(vault_pki.vault, 'get_local_client') + def test_upload_signed_csr_ipv6( + self, get_local_client, get_access_address + ): + get_access_address.return_value = 'https://[::1]:8200' + client_mock = mock.MagicMock() + get_local_client.return_value = client_mock + local_url = 
'https://[::1]:8200/v1/charm-pki-local' + write_calls = [ + mock.call( + 'charm-pki-local/config/urls', + issuing_certificates='{}/ca'.format(local_url), + crl_distribution_points='{}/crl'.format(local_url)), + mock.call( + 'charm-pki-local/roles/local', + allowed_domains='example.com', + allow_subdomains=True, + enforce_hostnames=False, + allow_any_name=True, + max_ttl='87598h', + server_flag=True, + client_flag=True), + mock.call( + 'charm-pki-local/roles/local-client', + allowed_domains='example.com', + allow_subdomains=True, + enforce_hostnames=False, + allow_any_name=True, + max_ttl='87598h', + server_flag=False, + client_flag=True), + ] + vault_pki.upload_signed_csr('MYPEM', 'example.com') client_mock._post.assert_called_once_with( 'v1/charm-pki-local/intermediate/set-signed', json={'certificate': 'MYPEM'}) @@ -272,7 +350,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase): crl_distribution_points='{}/crl'.format(local_url)), mock.call( 'charm-pki-local/roles/local', - allowed_domains='exmaple.com', + allowed_domains='example.com', allow_subdomains=False, enforce_hostnames=True, allow_any_name=False, @@ -281,7 +359,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase): client_flag=True), mock.call( 'charm-pki-local/roles/local-client', - allowed_domains='exmaple.com', + allowed_domains='example.com', allow_subdomains=False, enforce_hostnames=True, allow_any_name=False, @@ -291,7 +369,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase): ] vault_pki.upload_signed_csr( 'MYPEM', - 'exmaple.com', + 'example.com', allow_subdomains=False, enforce_hostnames=True, allow_any_name=False,
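Review bot: test_upload_signed_csr_ipv4 and test_upload_signed_csr_ipv6 patch `get_access_address` with a ready-made URL, so they check only that upload_signed_csr appends `/v1/charm-pki-local` to whatever it is given, and they would pass without the vault.py change. Their `write_calls` lists are verbatim copies of the one in the preceding test, differing only in `local_url`, which leaves three copies of the role expectations to keep in sync. Building the expected calls in one helper and looping over the URLs with `self.subTest` keeps them in one place. The preceding test starts outside this hunk, so its own URL is not folded into the sketch below.

```python
def _expected_pki_writes(self, local_url):
    role_opts = dict(
        allowed_domains='example.com',
        allow_subdomains=True,
        enforce_hostnames=False,
        allow_any_name=True,
        max_ttl='87598h',
        client_flag=True)
    return [
        mock.call(
            'charm-pki-local/config/urls',
            issuing_certificates='{}/ca'.format(local_url),
            crl_distribution_points='{}/crl'.format(local_url)),
        mock.call('charm-pki-local/roles/local',
                  server_flag=True, **role_opts),
        mock.call('charm-pki-local/roles/local-client',
                  server_flag=False, **role_opts),
    ]

@patch.object(vault_pki.vault, 'get_access_address')
@patch.object(vault_pki.vault, 'get_local_client')
def test_upload_signed_csr_ip_literals(
    self, get_local_client, get_access_address
):
    for url in ('https://127.0.0.1:8200', 'https://[::1]:8200'):
        with self.subTest(url=url):
            get_access_address.return_value = url
            client_mock = mock.MagicMock()
            get_local_client.return_value = client_mock
            vault_pki.upload_signed_csr('MYPEM', 'example.com')
            client_mock._post.assert_called_once_with(
                'v1/charm-pki-local/intermediate/set-signed',
                json={'certificate': 'MYPEM'})
            client_mock.write.assert_has_calls(
                self._expected_pki_writes(url + '/v1/charm-pki-local'))
```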