Rework enforce_ssl to use host name, not address
If enforce_ssl is set to true in openstack-dashboard, a user is redirected to the IP address of the server, not its hostname. This boils down to the template used to construct the site, which is always fed an IP address by horizon_context.py. Instead of using an IP address, use the result of resolve_address. (This is part of an odd quirk whereby the charm doesn't use the standard https tooling but does its own. A conversion to standard tooling would be required for a full fix to #1664954.) Closes-Bug: #1689882 Related-Bug: #1664954 Change-Id: I93365b75211e3c48d64ba8510898750dbc7b73cd Signed-off-by: Daniel Axtens <dja@axtens.net>
parent
1cdefcb5e9
commit
51b099c79e
@ -31,8 +31,10 @@ from charmhelpers.contrib.openstack.context import (
|
|||||||
HAProxyContext,
|
HAProxyContext,
|
||||||
context_complete
|
context_complete
|
||||||
)
|
)
|
||||||
|
from charmhelpers.contrib.openstack.ip import (
|
||||||
|
resolve_address,
|
||||||
|
)
|
||||||
from charmhelpers.contrib.openstack.utils import (
|
from charmhelpers.contrib.openstack.utils import (
|
||||||
get_host_ip,
|
|
||||||
git_default_repos,
|
git_default_repos,
|
||||||
git_pip_venv_dir,
|
git_pip_venv_dir,
|
||||||
)
|
)
|
||||||
@ -215,14 +217,7 @@ class ApacheContext(OSContextGenerator):
|
|||||||
if config('enforce-ssl'):
|
if config('enforce-ssl'):
|
||||||
# NOTE(dosaboy): if ssl is not configured we shouldn't allow this
|
# NOTE(dosaboy): if ssl is not configured we shouldn't allow this
|
||||||
if all(get_cert()):
|
if all(get_cert()):
|
||||||
if config('vip'):
|
ctxt['ssl_addr'] = resolve_address()
|
||||||
addr = config('vip')
|
|
||||||
elif config('prefer-ipv6'):
|
|
||||||
addr = format_ipv6_addr(get_ipv6_addr()[0])
|
|
||||||
else:
|
|
||||||
addr = get_host_ip(unit_get('private-address'))
|
|
||||||
|
|
||||||
ctxt['ssl_addr'] = addr
|
|
||||||
else:
|
else:
|
||||||
log("Enforce ssl redirect requested but ssl not configured - "
|
log("Enforce ssl redirect requested but ssl not configured - "
|
||||||
"skipping redirect", level=WARNING)
|
"skipping redirect", level=WARNING)
|
||||||
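Review bot: In the `ApacheContext` hunk, `ctxt['ssl_addr'] = resolve_address()` drops the `format_ipv6_addr(...)` wrapping that the removed `prefer-ipv6` branch applied. The body of `resolve_address()` is not shown here, so confirm this, but if it can return a bare IPv6 literal, the redirect target built from `ssl_addr` would be an unbracketed address. It presumably returns a hostname only when one is configured for the endpoint; otherwise the redirect still goes to an address, which has to match a name in the served certificate or the redirected request will fail validation. Consider `addr = resolve_address()` followed by `ctxt['ssl_addr'] = format_ipv6_addr(addr) or addr` (assuming `format_ipv6_addr` returns a falsy value for non-IPv6 input), with a comment such as `# redirect target; must match a name in the served certificate`. The enclosing method starts and ends outside the hunk, and the `format_ipv6_addr`/`get_ipv6_addr` imports may now be unused if nothing else in the file references them.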
|
@ -32,7 +32,7 @@ TO_PATCH = [
|
|||||||
'local_unit',
|
'local_unit',
|
||||||
'unit_get',
|
'unit_get',
|
||||||
'pwgen',
|
'pwgen',
|
||||||
'get_host_ip'
|
'resolve_address',
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
@ -67,10 +67,10 @@ class TestHorizonContexts(CharmTestCase):
|
|||||||
|
|
||||||
def test_Apachecontext_enforce_ssl(self):
|
def test_Apachecontext_enforce_ssl(self):
|
||||||
self.test_config.set('enforce-ssl', True)
|
self.test_config.set('enforce-ssl', True)
|
||||||
self.get_host_ip.return_value = '10.0.0.1'
|
self.resolve_address.return_value = 'horizon.example.stack'
|
||||||
self.assertEqual(horizon_contexts.ApacheContext()(),
|
self.assertEqual(horizon_contexts.ApacheContext()(),
|
||||||
{'http_port': 70, 'https_port': 433,
|
{'http_port': 70, 'https_port': 433,
|
||||||
'ssl_addr': '10.0.0.1'})
|
'ssl_addr': 'horizon.example.stack'})
|
||||||
|
|
||||||
@patch.object(horizon_contexts, 'get_ca_cert', lambda: None)
|
@patch.object(horizon_contexts, 'get_ca_cert', lambda: None)
|
||||||
@patch('os.chmod')
|
@patch('os.chmod')
|
||||||
|
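Review bot: `test_Apachecontext_enforce_ssl` stubs `resolve_address`, so it only shows that the returned value is copied into `ssl_addr`; nothing covers the address-valued results that the old `vip`, `prefer-ipv6` and private-address branches produced. A second case with `self.resolve_address.return_value` set to a constructed IPv6 literal such as `'2001:db8::1'` would pin whether `ssl_addr` needs brackets before it reaches the redirect template. A one-line docstring, e.g. `"""ssl_addr is whatever resolve_address() returns when enforce-ssl is set."""`, would also state what the expected dict is checking.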