Ensure security of etcd connection
The code assumed that etcd.tls.available had already been set; that is not necessarily the case, so check for this flag before adding the etcd configuration to vault. Change-Id: I52f6fb2db309564634ba1698bd7905b2c1e8ceeb
This commit is contained in:
parent
6d593a01c0
commit
60c7d15d80
@ -169,8 +169,9 @@ def configure_vault(context):
|
|||||||
log("Running configure_vault", level=DEBUG)
|
log("Running configure_vault", level=DEBUG)
|
||||||
context['disable_mlock'] = config()['disable-mlock']
|
context['disable_mlock'] = config()['disable-mlock']
|
||||||
context['ssl_available'] = is_state('vault.ssl.available')
|
context['ssl_available'] = is_state('vault.ssl.available')
|
||||||
|
|
||||||
|
if is_flag_set('etcd.tls.available'):
|
||||||
etcd = endpoint_from_flag('etcd.available')
|
etcd = endpoint_from_flag('etcd.available')
|
||||||
if etcd:
|
|
||||||
log("Etcd detected, adding to context", level=DEBUG)
|
log("Etcd detected, adding to context", level=DEBUG)
|
||||||
context['etcd_conn'] = etcd.connection_string()
|
context['etcd_conn'] = etcd.connection_string()
|
||||||
context['etcd_tls_ca_file'] = '/var/snap/vault/common/etcd-ca.pem'
|
context['etcd_tls_ca_file'] = '/var/snap/vault/common/etcd-ca.pem'
|
||||||
|
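Review bot: The new guard `if is_flag_set('etcd.tls.available'):` carries the entire security rationale of this commit, yet nothing in the code says why `etcd.available` alone is not sufficient, so a later cleanup could easily collapse the two checks; a comment above it such as `# Only hand etcd to vault once its TLS material (CA/cert/key) is actually on disk; etcd.available alone does not guarantee that.` would preserve the intent. Beyond the flag, the branch still trusts `etcd.connection_string()` to yield a TLS endpoint while it hard-codes `etcd_tls_ca_file`; the accompanying test mocks that call as `'http://etcd'`, so if the relation can advertise a plaintext address the CA file would be configured but never used, and a scheme check (or at least a WARNING log when the address is not `https://`) would be worth adding next to `context['etcd_conn'] = etcd.connection_string()`. configure_vault begins before this hunk and continues after it, so whether a context without `etcd_conn` is handled correctly downstream is not visible here.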
@ -104,6 +104,7 @@ class TestHandlers(unittest.TestCase):
|
|||||||
db_context = {
|
db_context = {
|
||||||
'storage_name': 'psql',
|
'storage_name': 'psql',
|
||||||
'psql_db_conn': 'myuri'}
|
'psql_db_conn': 'myuri'}
|
||||||
|
self.is_flag_set.return_value = False
|
||||||
self.endpoint_from_flag.return_value = None
|
self.endpoint_from_flag.return_value = None
|
||||||
handlers.configure_vault(db_context)
|
handlers.configure_vault(db_context)
|
||||||
expected_context = {
|
expected_context = {
|
||||||
@ -235,6 +236,7 @@ class TestHandlers(unittest.TestCase):
|
|||||||
self.config.return_value = {'disable-mlock': False}
|
self.config.return_value = {'disable-mlock': False}
|
||||||
etcd_mock = mock.MagicMock()
|
etcd_mock = mock.MagicMock()
|
||||||
etcd_mock.connection_string.return_value = 'http://etcd'
|
etcd_mock.connection_string.return_value = 'http://etcd'
|
||||||
|
self.is_flag_set.return_value = True
|
||||||
self.endpoint_from_flag.return_value = etcd_mock
|
self.endpoint_from_flag.return_value = etcd_mock
|
||||||
self.is_state.return_value = True
|
self.is_state.return_value = True
|
||||||
handlers.configure_vault({})
|
handlers.configure_vault({})
|
||||||
@ -266,6 +268,7 @@ class TestHandlers(unittest.TestCase):
|
|||||||
cert=expected_context['etcd_tls_cert_file'],
|
cert=expected_context['etcd_tls_cert_file'],
|
||||||
ca=expected_context['etcd_tls_ca_file'],
|
ca=expected_context['etcd_tls_ca_file'],
|
||||||
)
|
)
|
||||||
|
self.is_flag_set.assert_called_with('etcd.tls.available')
|
||||||
|
|
||||||
@patch.object(handlers.hvac, 'Client')
|
@patch.object(handlers.hvac, 'Client')
|
||||||
@patch.object(handlers, 'get_api_url')
|
@patch.object(handlers, 'get_api_url')
|
||||||
|
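Review bot: The negative test in the first hunk sets both `self.is_flag_set.return_value = False` and `self.endpoint_from_flag.return_value = None`, so it would still pass if the new `etcd.tls.available` guard were removed, because the etcd branch is already skipped by the missing endpoint; the case the commit is actually about — an etcd endpoint present but TLS not yet available — is not covered. Adding a test that returns an endpoint while the flag is unset and asserts `etcd_conn` is absent would pin the behaviour; note also that `assert_called_with('etcd.tls.available')` only inspects the last `is_flag_set` call, so `assert_any_call` is the safer form if the function checks other flags. The sketch below presumably relies on the same `setUp` patches the existing etcd test uses, which are outside this hunk.
```python
    def test_configure_vault_etcd_without_tls(self):
        # Endpoint present but TLS flag unset: etcd must NOT reach the vault config.
        self.config.return_value = {'disable-mlock': False}
        etcd_mock = mock.MagicMock()
        etcd_mock.connection_string.return_value = 'http://etcd'
        self.is_flag_set.return_value = False
        self.endpoint_from_flag.return_value = etcd_mock
        self.is_state.return_value = True
        context = {}
        handlers.configure_vault(context)
        self.is_flag_set.assert_any_call('etcd.tls.available')
        self.assertNotIn('etcd_conn', context)
        self.assertNotIn('etcd_tls_ca_file', context)
```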