Properly set SSL cert paths when disabling certs databag

This fixes an oversight in a previous patch when disabling the certs databag. It would improperly not set the cert paths at all in the apache vhost config. This fixes it and also adds an addition test that should have caught it originally. Change-Id: I7726c949791658a750b9c382107f01e0a112247c
2016-08-01 19:08:32 -07:00 · 2016-08-01 19:08:32 -07:00 · 796945e658
parent 2685178b69
commit 796945e658
2 changed files with 26 additions and 5 deletions
--- a/recipes/apache2-server.rb
+++ b/recipes/apache2-server.rb
@ -77,15 +77,15 @@ end
 if node['openstack']['dashboard']['ssl']['use_data_bag']
  ssl_cert = secret('certs', node['openstack']['dashboard']['ssl']['cert'])
  ssl_key = secret('certs', node['openstack']['dashboard']['ssl']['key'])
-  ssl_cert_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['cert'])
-  ssl_key_file = File.join(node['openstack']['dashboard']['ssl']['key_dir'], node['openstack']['dashboard']['ssl']['key'])
  if node['openstack']['dashboard']['ssl']['chain']
    ssl_chain = secret('certs', node['openstack']['dashboard']['ssl']['chain'])
-    ssl_chain_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['chain'])
-  else
-    ssl_chain_file = nil
  end
 end
+ssl_cert_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['cert'])
+ssl_key_file = File.join(node['openstack']['dashboard']['ssl']['key_dir'], node['openstack']['dashboard']['ssl']['key'])
+ssl_chain_file = if node['openstack']['dashboard']['ssl']['chain']
+                   File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['chain'])
+                 end

 if node['openstack']['dashboard']['use_ssl'] &&
   node['openstack']['dashboard']['ssl']['use_data_bag']
--- a/spec/apache2-server_spec.rb
+++ b/spec/apache2-server_spec.rb
@ -314,6 +314,27 @@ describe 'openstack-dashboard::apache2-server' do
                .with_content(%r{^\s*SSLCertificateChainFile /etc/ssl/certs/horizon-chain.pem$})
            end
          end
+          context 'set use_data_bag to false' do
+            it 'shows ssl certificate related directives defaults' do
+              node.set['openstack']['dashboard']['ssl']['use_data_bag'] = false
+              [/^\s*SSLEngine on$/,
+               %r{^\s*SSLCertificateFile /etc/ssl/certs/horizon.pem$},
+               %r{^\s*SSLCertificateKeyFile /etc/ssl/private/horizon.key$},
+               /^\s*SSLProtocol All -SSLv2 -SSLv3$/].each do |ssl_certificate_directive|
+                expect(chef_run).to render_file(file.name).with_content(ssl_certificate_directive)
+              end
+              expect(chef_run).to_not render_file(file.name)
+                .with_content(/SSLCertificateChainFile/)
+            end
+            context 'set ssl chain' do
+              it 'shows chain directive' do
+                node.set['openstack']['dashboard']['ssl']['use_data_bag'] = false
+                node.set['openstack']['dashboard']['ssl']['chain'] = 'horizon-chain.pem'
+                expect(chef_run).to render_file(file.name)
+                  .with_content(%r{^\s*SSLCertificateChainFile /etc/ssl/certs/horizon-chain.pem$})
+              end
+            end
+          end
          it 'has no ssl ciphers configured by default' do
            expect(chef_run).not_to render_file(file.name).with_content(/^\s*SSLCipherSuite.*$/)
          end