handler: avoid to tune backend pki when service is pause/sealed

Change-Id: I0e59655446c3d76ba290d8a9e53c897890b99929 Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@canonical.com>
2019-11-20 13:25:20 +00:00 · 2019-11-20 13:25:20 +00:00 · b0ba16efd1
parent c982239239
commit b0ba16efd1
2 changed files with 38 additions and 5 deletions
--- a/src/reactive/vault_handlers.py
+++ b/src/reactive/vault_handlers.py
@ -843,7 +843,15 @@ def tune_pki_backend():
@when('config.set.default-ttl')
@when('config.set.max-ttl')
 def tune_pki_backend_config_changed():
-    ttl = config()['default-ttl']
-    max_ttl = config()['max-ttl']
-    vault_pki.tune_pki_backend(ttl=ttl, max_ttl=max_ttl)
-    vault_pki.update_roles(max_ttl=max_ttl)
+    if is_unit_paused_set():
+        log("The Vault unit is paused, passing on tunning pki backend.")
+        return
+    # TODO(sahid): Add check when service is not running
+    client = vault.get_client(url=vault.VAULT_LOCALHOST_URL)
+    if client.is_sealed():
+        log("Unable to tune pki backend, service sealed.")
+    else:
+        ttl = config()['default-ttl']
+        max_ttl = config()['max-ttl']
+        vault_pki.tune_pki_backend(ttl=ttl, max_ttl=max_ttl)
+        vault_pki.update_roles(max_ttl=max_ttl)
--- a/unit_tests/test_reactive_vault_handlers.py
+++ b/unit_tests/test_reactive_vault_handlers.py
@ -875,8 +875,11 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
                                                           ttl='8759h')
        self.set_flag.assert_called_once_with('pki.backend.tuned')

+    @mock.patch.object(handlers, 'vault')
    @mock.patch.object(handlers, 'vault_pki')
-    def test_tune_pki_backend_config_changed(self, vault_pki):
+    def test_tune_pki_backend_config_changed(self, vault_pki, _vault):
+        self.is_unit_paused_set.return_value = False
+        self._set_sealed(_vault, False)
        self.config.return_value = {
            'default-ttl': '8759h',
            'max-ttl': '87600h',
@ -887,6 +890,28 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
                                                           ttl='8759h')
        vault_pki.update_roles.assert_called_once_with(max_ttl='87600h')

+    @mock.patch.object(handlers, 'vault')
+    @mock.patch.object(handlers, 'vault_pki')
+    def test_tune_pki_backend_config_changed_sealed(self, vault_pki, _vault):
+        self.is_unit_paused_set.return_value = False
+        self._set_sealed(_vault, True)
+        self.config.return_value = {
+            'default-ttl': '8759h',
+            'max-ttl': '87600h',
+        }
+
+        handlers.tune_pki_backend_config_changed()
+        assert not vault_pki.tune_pki_backend.called
+        assert not vault_pki.update_roles.called
+
+    @mock.patch.object(handlers, 'vault_pki')
+    def test_tune_pki_backend_config_changed_paused(self, vault_pki):
+        self.is_unit_paused_set.return_value = True
+
+        handlers.tune_pki_backend_config_changed()
+        assert not vault_pki.tune_pki_backend.called
+        assert not vault_pki.update_roles.called
+
    @mock.patch.object(handlers, 'config')
    @mock.patch.object(handlers, 'clear_flag')
    @mock.patch.object(handlers, 'set_flag')