From 3d4d7bc49de835c13250e760bbb87fb6fbc49dcd Mon Sep 17 00:00:00 2001 From: Mark Vanderwiel Date: Thu, 16 Apr 2015 12:56:20 -0500 Subject: [PATCH] Allow non-ssl to work correctly when use_ssl is false, several ssl related items are still in play, notably including mod_ssl. Closes-Bug: #1445047 Change-Id: Iafd26f8eddfd74a90b6a8bde579bf53af57b5893 --- recipes/apache2-server.rb | 102 ++++++++++++------------ spec/apache2-server_spec.rb | 13 ++- spec/horizon_spec.rb | 13 +++ templates/default/local_settings.py.erb | 2 + 4 files changed, 79 insertions(+), 51 deletions(-) diff --git a/recipes/apache2-server.rb b/recipes/apache2-server.rb index d5e8aae..b57d5f8 100644 --- a/recipes/apache2-server.rb +++ b/recipes/apache2-server.rb @@ -55,7 +55,7 @@ node.set['apache']['listen_ports'] = listen_ports include_recipe 'apache2' include_recipe 'apache2::mod_wsgi' include_recipe 'apache2::mod_rewrite' -include_recipe 'apache2::mod_ssl' +include_recipe 'apache2::mod_ssl' if node['openstack']['dashboard']['use_ssl'] # # Workaround to re-enable selinux after installing apache on a fedora machine that has 
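Review bot: Making `include_recipe 'apache2::mod_ssl'` conditional on `use_ssl` only affects what a converge sets up; nothing in this file undoes a node that previously converged with `use_ssl` true. On such a node the module presumably stays enabled, and in the `@@ -78,62 +78,64 @@` hunk the certificate and private key already written under the `ssl` directory stay on disk, because the resources are skipped rather than removed. If switching SSL off is meant to be a supported transition, the leftover private key is the part worth cleaning up, for instance with a delete action on the key path in an `else` branch. Otherwise a comment above the guard should say so, e.g. `# use_ssl false skips SSL setup only; it does not remove mod_ssl or key material deployed earlier`.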
@@ -78,62 +78,64 @@ file "#{node["apache"]["dir"]}/conf.d/openstack-dashboard.conf" do only_if { platform_family?('rhel') } # :pragma-foodcritic: ~FC024 - won't fix this end -cert_file = "#{node['openstack']['dashboard']['ssl']['dir']}/certs/#{node['openstack']['dashboard']['ssl']['cert']}" -cert_mode = 00644 -cert_owner = 'root' -cert_group = 'root' -if node['openstack']['dashboard']['ssl']['cert_url'] - remote_file cert_file do - sensitive true - source node['openstack']['dashboard']['ssl']['cert_url'] - mode cert_mode - owner cert_owner - group cert_group +if node['openstack']['dashboard']['use_ssl'] + cert_file = "#{node['openstack']['dashboard']['ssl']['dir']}/certs/#{node['openstack']['dashboard']['ssl']['cert']}" + cert_mode = 00644 + cert_owner = 'root' + cert_group = 'root' + if node['openstack']['dashboard']['ssl']['cert_url'] + remote_file cert_file do + sensitive true + source node['openstack']['dashboard']['ssl']['cert_url'] + mode cert_mode + owner cert_owner + group cert_group - notifies :run, 'execute[restore-selinux-context]', :immediately + notifies :run, 'execute[restore-selinux-context]', :immediately + end + else + cookbook_file cert_file do + sensitive true + source 'horizon.pem' + mode cert_mode + owner cert_owner + group cert_group + + notifies :run, 'execute[restore-selinux-context]', :immediately + end end -else - cookbook_file cert_file do - sensitive true - source 'horizon.pem' - mode cert_mode - owner cert_owner - group cert_group - notifies :run, 'execute[restore-selinux-context]', :immediately + key_file = "#{node['openstack']['dashboard']['ssl']['dir']}/private/#{node['openstack']['dashboard']['ssl']['key']}" + key_mode = 00640 + key_owner = 'root' + case node['platform_family'] + when 'debian' + key_group = 'ssl-cert' + else + key_group = 'root' end -end -key_file = "#{node['openstack']['dashboard']['ssl']['dir']}/private/#{node['openstack']['dashboard']['ssl']['key']}" -key_mode = 00640 -key_owner = 'root' -case 
node['platform_family'] -when 'debian' - key_group = 'ssl-cert' -else - key_group = 'root' -end + if node['openstack']['dashboard']['ssl']['key_url'] + remote_file key_file do + sensitive true + source node['openstack']['dashboard']['ssl']['key_url'] + mode key_mode + owner key_owner + group key_group -if node['openstack']['dashboard']['ssl']['key_url'] - remote_file key_file do - sensitive true - source node['openstack']['dashboard']['ssl']['key_url'] - mode key_mode - owner key_owner - group key_group + notifies :restart, 'service[apache2]', :immediately + notifies :run, 'execute[restore-selinux-context]', :immediately + end + else + cookbook_file key_file do + sensitive true + source 'horizon.key' + mode key_mode + owner key_owner + group key_group - notifies :restart, 'service[apache2]', :immediately - notifies :run, 'execute[restore-selinux-context]', :immediately - end -else - cookbook_file key_file do - sensitive true - source 'horizon.key' - mode key_mode - owner key_owner - group key_group - - notifies :run, 'execute[restore-selinux-context]', :immediately + notifies :run, 'execute[restore-selinux-context]', :immediately + end end end diff --git a/spec/apache2-server_spec.rb b/spec/apache2-server_spec.rb index 366f2a5..d06c1b5 100644 --- a/spec/apache2-server_spec.rb +++ b/spec/apache2-server_spec.rb 
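Review bot: The `else` branch taken when `key_url` is unset still installs `horizon.key` from the cookbook's own files as the server's TLS private key, and the matching branch installs `horizon.pem` as the certificate. A key shipped inside a cookbook can be read by anyone who can fetch the cookbook, so a node that enables `use_ssl` without setting `key_url` and `cert_url` serves TLS with a key that cannot be treated as secret (this assumes the bundled files are a shared sample pair, which the hunk does not show). Since this block is now explicitly the SSL-enabled path, each `cookbook_file` deserves a comment such as `# bundled sample key/cert: testing only, set ssl key_url and cert_url for real deployments`, or a `Chef::Log.warn` when the fallback is taken. Separately, only the `remote_file key_file` resource notifies `service[apache2]` to restart; the other three resources do not, so a replaced certificate may not be served until Apache is restarted some other way.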
@@ -56,13 +56,18 @@ describe 'openstack-dashboard::apache2-server' do expect(chef_run).not_to run_execute(cmd) end - it 'installs apache packages' do + it 'includes apache packages' do expect(chef_run).to include_recipe('apache2') expect(chef_run).to include_recipe('apache2::mod_wsgi') expect(chef_run).to include_recipe('apache2::mod_rewrite') expect(chef_run).to include_recipe('apache2::mod_ssl') end + it 'does not include the apache mod_ssl package when ssl disabled' do + node.set['openstack']['dashboard']['use_ssl'] = false + expect(chef_run).not_to include_recipe('apache2::mod_ssl') + end + it 'does not execute set-selinux-enforcing' do cmd = '/sbin/setenforce Enforcing ; restorecon -R /etc/httpd' expect(chef_run).not_to run_execute(cmd) @@ -117,6 +122,12 @@ describe 'openstack-dashboard::apache2-server' do ) expect(remote_key).to notify('service[apache2]').to(:restart) end + + it 'does not mess with certs if ssl not enabled' do + node.set['openstack']['dashboard']['use_ssl'] = false + expect(chef_run).not_to create_cookbook_file(crt) + expect(chef_run).not_to create_cookbook_file(key) + end end it 'creates .blackhole dir with proper owner' do diff --git a/spec/horizon_spec.rb b/spec/horizon_spec.rb index c927027..ee8adca 100644 --- a/spec/horizon_spec.rb +++ b/spec/horizon_spec.rb @@ -127,6 +127,13 @@ describe 'openstack-dashboard::horizon' do expect(chef_run).to render_file(file.name).with_content(/^OPENSTACK_SSL_NO_VERIFY = False$/) end end + + context 'not set when ssl disabled' do + it 'has a True value for the OPENSTACK_SSL_NO_VERIFY attribute' do + node.set['openstack']['dashboard']['use_ssl'] = false + expect(chef_run).not_to render_file(file.name).with_content(/^OPENSTACK_SSL_NO_VERIFY = True$/) + end + end end it 'config ssl_cacert' do 
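Review bot: In the `@@ -117,6 +122,12 @@` hunk the new example 'does not mess with certs if ssl not enabled' asserts only `not_to create_cookbook_file`, which says nothing about the `remote_file` resources the recipe uses when `cert_url` and `key_url` are set. The enclosing context starts outside this hunk, but the example just above it checks `remote_key`, which suggests this context sets those URLs. If so, the two cookbook_file expectations pass with or without the recipe change. Adding `expect(chef_run).not_to create_remote_file(crt)` and `expect(chef_run).not_to create_remote_file(key)` would make the example fail if the `use_ssl` guard were removed.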
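Review bot: In the `@@ -127,6 +127,13 @@` hunk of spec/horizon_spec.rb the new example is titled 'has a True value for the OPENSTACK_SSL_NO_VERIFY attribute' but asserts the opposite, and it only rules out the literal line `OPENSTACK_SSL_NO_VERIFY = True`. A rendered `OPENSTACK_SSL_NO_VERIFY = False` would still pass, although the template change in this commit drops the setting entirely when `use_ssl` is false. Matching on the setting name pins the intended behaviour: `it 'does not render OPENSTACK_SSL_NO_VERIFY'` with `with_content(/^OPENSTACK_SSL_NO_VERIFY = /)`.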
@@ -134,6 +141,12 @@ describe 'openstack-dashboard::horizon' do expect(chef_run).to render_file(file.name).with_content(/^OPENSTACK_SSL_CACERT = '\/path_to_cacert.pem'$/) end + it 'does not config ssl_cacert when ssl disabled' do + node.set['openstack']['dashboard']['use_ssl'] = false + node.set['openstack']['dashboard']['ssl_cacert'] = '/path_to_cacert.pem' + expect(chef_run).not_to render_file(file.name).with_content(/^OPENSTACK_SSL_CACERT = '\/path_to_cacert.pem'$/) + end + it 'has some allowed hosts set' do node.set['openstack']['dashboard']['allowed_hosts'] = ['dashboard.example.net'] expect(chef_run).to render_file(file.name).with_content(/^ALLOWED_HOSTS = \["dashboard.example.net"\]$/) diff --git a/templates/default/local_settings.py.erb b/templates/default/local_settings.py.erb index 0b943c6..e112fcf 100644 --- a/templates/default/local_settings.py.erb +++ b/templates/default/local_settings.py.erb @@ -162,6 +162,7 @@ OPENSTACK_KEYSTONE_URL = "<%= @auth_uri %>" OPENSTACK_KEYSTONE_ADMIN_URL = "<%= @auth_admin_uri %>" OPENSTACK_KEYSTONE_DEFAULT_ROLE = "<%= node["openstack"]["dashboard"]["keystone_default_role"] %>" +<% if node["openstack"]["dashboard"]["use_ssl"] %> # Disable SSL certificate checks (useful for self-signed certificates): # OPENSTACK_SSL_NO_VERIFY = True OPENSTACK_SSL_NO_VERIFY = <%= node['openstack']['dashboard']['ssl_no_verify'] %> @@ -171,6 +172,7 @@ OPENSTACK_SSL_NO_VERIFY = <%= node['openstack']['dashboard']['ssl_no_verify'] %> <% if node['openstack']['dashboard']['ssl_cacert'] %> OPENSTACK_SSL_CACERT = '<%= node['openstack']['dashboard']['ssl_cacert'] %>' <% end %> +<% end %> # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the # capabilities of the auth backend for Keystone.
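Review bot: Wrapping `OPENSTACK_SSL_NO_VERIFY` and `OPENSTACK_SSL_CACERT` in `<% if node["openstack"]["dashboard"]["use_ssl"] %>` couples two unrelated things. In the recipe `use_ssl` decides whether Apache serves the dashboard over TLS, while these two settings, as far as I know, control how Horizon verifies the certificates of the OpenStack API endpoints it calls (they sit directly under `OPENSTACK_KEYSTONE_URL`). With this guard, a dashboard served over plain HTTP, for example behind a TLS-terminating proxy, silently loses a configured `ssl_cacert` and `ssl_no_verify` even when Keystone is reached over HTTPS. Consider leaving both settings outside the guard; the closing `<% end %>` in the `@@ -171,6 +172,7 @@` hunk belongs to the same block. If the guard stays, a template comment should state that both attributes are ignored when `use_ssl` is false.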