Ensure security of etcd connection
The code assumes that etcd.tls.available has been set; however, that might not be the case, so guard the configuration of vault's etcd storage by checking for this flag before adding the etcd configuration. Change-Id: I52f6fb2db309564634ba1698bd7905b2c1e8ceeb
This commit is contained in:
parent
6d593a01c0
commit
60c7d15d80
@ -169,8 +169,9 @@ def configure_vault(context):
|
||||
log("Running configure_vault", level=DEBUG)
|
||||
context['disable_mlock'] = config()['disable-mlock']
|
||||
context['ssl_available'] = is_state('vault.ssl.available')
|
||||
etcd = endpoint_from_flag('etcd.available')
|
||||
if etcd:
|
||||
|
||||
if is_flag_set('etcd.tls.available'):
|
||||
etcd = endpoint_from_flag('etcd.available')
|
||||
log("Etcd detected, adding to context", level=DEBUG)
|
||||
context['etcd_conn'] = etcd.connection_string()
|
||||
context['etcd_tls_ca_file'] = '/var/snap/vault/common/etcd-ca.pem'
|
||||
|
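Review bot: The new guard drops the old `if etcd:` None check, so when `etcd.tls.available` is set but `endpoint_from_flag('etcd.available')` returns None (the case the test hunk at `-104,6` models with `self.endpoint_from_flag.return_value = None`), `etcd.connection_string()` raises AttributeError instead of skipping the etcd configuration. Whether the flag layer guarantees the endpoint exists whenever the TLS flag is set is not visible here, so it is safer to keep both conditions: `etcd = endpoint_from_flag('etcd.available')` followed by `if etcd and is_flag_set('etcd.tls.available'):`. A DEBUG log in an `else` branch for the endpoint-present-but-no-TLS case would tell an operator why vault's etcd storage was left unconfigured rather than leaving it silent. configure_vault starts before this hunk and, judging by the `etcd_tls_cert_file` key the tests expect, its body continues after it.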
@ -104,6 +104,7 @@ class TestHandlers(unittest.TestCase):
|
||||
db_context = {
|
||||
'storage_name': 'psql',
|
||||
'psql_db_conn': 'myuri'}
|
||||
self.is_flag_set.return_value = False
|
||||
self.endpoint_from_flag.return_value = None
|
||||
handlers.configure_vault(db_context)
|
||||
expected_context = {
|
||||
@ -235,6 +236,7 @@ class TestHandlers(unittest.TestCase):
|
||||
self.config.return_value = {'disable-mlock': False}
|
||||
etcd_mock = mock.MagicMock()
|
||||
etcd_mock.connection_string.return_value = 'http://etcd'
|
||||
self.is_flag_set.return_value = True
|
||||
self.endpoint_from_flag.return_value = etcd_mock
|
||||
self.is_state.return_value = True
|
||||
handlers.configure_vault({})
|
||||
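Review bot: The added `self.is_flag_set.return_value = True` only exercises the case where the TLS flag is set and `endpoint_from_flag` also returns an endpoint, so the new code path's behaviour when the flag is set but `endpoint_from_flag('etcd.available')` returns None is untested. A further test with `self.is_flag_set.return_value = True` and `self.endpoint_from_flag.return_value = None` would pin down whether configure_vault is expected to skip the etcd configuration or fail there. The test method's name and its expected-context assertions lie outside this hunk.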
@ -266,6 +268,7 @@ class TestHandlers(unittest.TestCase):
|
||||
cert=expected_context['etcd_tls_cert_file'],
|
||||
ca=expected_context['etcd_tls_ca_file'],
|
||||
)
|
||||
self.is_flag_set.assert_called_with('etcd.tls.available')
|
||||
|
||||
@patch.object(handlers.hvac, 'Client')
|
||||
@patch.object(handlers, 'get_api_url')
|
||||
|