Allow non-ssl to work correctly

when use_ssl is false, several ssl related items are still in play, notably including mod_ssl. Closes-Bug: #1445047 Change-Id: Iafd26f8eddfd74a90b6a8bde579bf53af57b5893
2015-04-16 12:56:20 -05:00 · 2015-04-16 12:56:20 -05:00 · 3d4d7bc49d
parent 4294dd9b57
commit 3d4d7bc49d
4 changed files with 79 additions and 51 deletions
--- a/recipes/apache2-server.rb
+++ b/recipes/apache2-server.rb
@ -55,7 +55,7 @@ node.set['apache']['listen_ports'] = listen_ports
 include_recipe 'apache2'
 include_recipe 'apache2::mod_wsgi'
 include_recipe 'apache2::mod_rewrite'
-include_recipe 'apache2::mod_ssl'
+include_recipe 'apache2::mod_ssl' if node['openstack']['dashboard']['use_ssl']

 #
 # Workaround to re-enable selinux after installing apache on a fedora machine that has
@ -78,62 +78,64 @@ file "#{node["apache"]["dir"]}/conf.d/openstack-dashboard.conf" do
  only_if { platform_family?('rhel') } # :pragma-foodcritic: ~FC024 - won't fix this
 end

-cert_file = "#{node['openstack']['dashboard']['ssl']['dir']}/certs/#{node['openstack']['dashboard']['ssl']['cert']}"
-cert_mode = 00644
-cert_owner = 'root'
-cert_group = 'root'
-if node['openstack']['dashboard']['ssl']['cert_url']
-  remote_file cert_file do
-    sensitive true
-    source node['openstack']['dashboard']['ssl']['cert_url']
-    mode cert_mode
-    owner  cert_owner
-    group  cert_group
+if node['openstack']['dashboard']['use_ssl']
+  cert_file = "#{node['openstack']['dashboard']['ssl']['dir']}/certs/#{node['openstack']['dashboard']['ssl']['cert']}"
+  cert_mode = 00644
+  cert_owner = 'root'
+  cert_group = 'root'
+  if node['openstack']['dashboard']['ssl']['cert_url']
+    remote_file cert_file do
+      sensitive true
+      source node['openstack']['dashboard']['ssl']['cert_url']
+      mode cert_mode
+      owner  cert_owner
+      group  cert_group

-    notifies :run, 'execute[restore-selinux-context]', :immediately
+      notifies :run, 'execute[restore-selinux-context]', :immediately
+    end
+  else
+    cookbook_file cert_file do
+      sensitive true
+      source 'horizon.pem'
+      mode cert_mode
+      owner  cert_owner
+      group  cert_group
+
+      notifies :run, 'execute[restore-selinux-context]', :immediately
+    end
  end
-else
-  cookbook_file cert_file do
-    sensitive true
-    source 'horizon.pem'
-    mode cert_mode
-    owner  cert_owner
-    group  cert_group

-    notifies :run, 'execute[restore-selinux-context]', :immediately
+  key_file = "#{node['openstack']['dashboard']['ssl']['dir']}/private/#{node['openstack']['dashboard']['ssl']['key']}"
+  key_mode = 00640
+  key_owner = 'root'
+  case node['platform_family']
+  when 'debian'
+    key_group = 'ssl-cert'
+  else
+    key_group = 'root'
  end
-end

-key_file = "#{node['openstack']['dashboard']['ssl']['dir']}/private/#{node['openstack']['dashboard']['ssl']['key']}"
-key_mode = 00640
-key_owner = 'root'
-case node['platform_family']
-when 'debian'
-  key_group = 'ssl-cert'
-else
-  key_group = 'root'
-end
+  if node['openstack']['dashboard']['ssl']['key_url']
+    remote_file key_file do
+      sensitive true
+      source node['openstack']['dashboard']['ssl']['key_url']
+      mode key_mode
+      owner  key_owner
+      group  key_group

-if node['openstack']['dashboard']['ssl']['key_url']
-  remote_file key_file do
-    sensitive true
-    source node['openstack']['dashboard']['ssl']['key_url']
-    mode key_mode
-    owner  key_owner
-    group  key_group
+      notifies :restart, 'service[apache2]', :immediately
+      notifies :run, 'execute[restore-selinux-context]', :immediately
+    end
+  else
+    cookbook_file key_file do
+      sensitive true
+      source 'horizon.key'
+      mode   key_mode
+      owner  key_owner
+      group  key_group

-    notifies :restart, 'service[apache2]', :immediately
-    notifies :run, 'execute[restore-selinux-context]', :immediately
-  end
-else
-  cookbook_file key_file do
-    sensitive true
-    source 'horizon.key'
-    mode   key_mode
-    owner  key_owner
-    group  key_group
-
-    notifies :run, 'execute[restore-selinux-context]', :immediately
+      notifies :run, 'execute[restore-selinux-context]', :immediately
+    end
  end
 end

--- a/spec/apache2-server_spec.rb
+++ b/spec/apache2-server_spec.rb
@ -56,13 +56,18 @@ describe 'openstack-dashboard::apache2-server' do
      expect(chef_run).not_to run_execute(cmd)
    end

-    it 'installs apache packages' do
+    it 'includes apache packages' do
      expect(chef_run).to include_recipe('apache2')
      expect(chef_run).to include_recipe('apache2::mod_wsgi')
      expect(chef_run).to include_recipe('apache2::mod_rewrite')
      expect(chef_run).to include_recipe('apache2::mod_ssl')
    end

+    it 'does not include the apache mod_ssl package when ssl disabled' do
+      node.set['openstack']['dashboard']['use_ssl'] = false
+      expect(chef_run).not_to include_recipe('apache2::mod_ssl')
+    end
+
    it 'does not execute set-selinux-enforcing' do
      cmd = '/sbin/setenforce Enforcing ; restorecon -R /etc/httpd'
      expect(chef_run).not_to run_execute(cmd)
@ -117,6 +122,12 @@ describe 'openstack-dashboard::apache2-server' do
        )
        expect(remote_key).to notify('service[apache2]').to(:restart)
      end
+
+      it 'does not mess with certs if ssl not enabled' do
+        node.set['openstack']['dashboard']['use_ssl'] = false
+        expect(chef_run).not_to create_cookbook_file(crt)
+        expect(chef_run).not_to create_cookbook_file(key)
+      end
    end

    it 'creates .blackhole dir with proper owner' do
--- a/spec/horizon_spec.rb
+++ b/spec/horizon_spec.rb
@ -127,6 +127,13 @@ describe 'openstack-dashboard::horizon' do
              expect(chef_run).to render_file(file.name).with_content(/^OPENSTACK_SSL_NO_VERIFY = False$/)
            end
          end
+
+          context 'not set when ssl disabled' do
+            it 'has a True value for the OPENSTACK_SSL_NO_VERIFY attribute' do
+              node.set['openstack']['dashboard']['use_ssl'] = false
+              expect(chef_run).not_to render_file(file.name).with_content(/^OPENSTACK_SSL_NO_VERIFY = True$/)
+            end
+          end
        end

        it 'config ssl_cacert' do
@ -134,6 +141,12 @@ describe 'openstack-dashboard::horizon' do
          expect(chef_run).to render_file(file.name).with_content(/^OPENSTACK_SSL_CACERT = '\/path_to_cacert.pem'$/)
        end

+        it 'does not config ssl_cacert when ssl disabled' do
+          node.set['openstack']['dashboard']['use_ssl'] = false
+          node.set['openstack']['dashboard']['ssl_cacert'] = '/path_to_cacert.pem'
+          expect(chef_run).not_to render_file(file.name).with_content(/^OPENSTACK_SSL_CACERT = '\/path_to_cacert.pem'$/)
+        end
+
        it 'has some allowed hosts set' do
          node.set['openstack']['dashboard']['allowed_hosts'] = ['dashboard.example.net']
          expect(chef_run).to render_file(file.name).with_content(/^ALLOWED_HOSTS = \["dashboard.example.net"\]$/)
--- a/templates/default/local_settings.py.erb
+++ b/templates/default/local_settings.py.erb
@ -162,6 +162,7 @@ OPENSTACK_KEYSTONE_URL = "<%= @auth_uri %>"
 OPENSTACK_KEYSTONE_ADMIN_URL = "<%= @auth_admin_uri %>"
 OPENSTACK_KEYSTONE_DEFAULT_ROLE = "<%= node["openstack"]["dashboard"]["keystone_default_role"] %>"

+<% if node["openstack"]["dashboard"]["use_ssl"] %>
 # Disable SSL certificate checks (useful for self-signed certificates):
 # OPENSTACK_SSL_NO_VERIFY = True
 OPENSTACK_SSL_NO_VERIFY = <%= node['openstack']['dashboard']['ssl_no_verify'] %>
@ -171,6 +172,7 @@ OPENSTACK_SSL_NO_VERIFY = <%= node['openstack']['dashboard']['ssl_no_verify'] %>
 <% if node['openstack']['dashboard']['ssl_cacert'] %>
 OPENSTACK_SSL_CACERT = '<%= node['openstack']['dashboard']['ssl_cacert'] %>'
 <% end %>
+<% end %>

 # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
 # capabilities of the auth backend for Keystone.