Merge "Fixing TLS configuration issues"

This commit is contained in:
Jenkins 2015-11-19 18:24:54 +00:00 committed by Gerrit Code Review
commit 0e0a40b2f5
4 changed files with 37 additions and 34 deletions


@ -14,6 +14,7 @@
from barbicanclient import client as barbican_client from barbicanclient import client as barbican_client
from neutron.i18n import _LI, _LW, _LE from neutron.i18n import _LI, _LW, _LE
from neutron.plugins.common import constants
from oslo_config import cfg from oslo_config import cfg
from oslo_log import log as logging from oslo_log import log as logging
from oslo_utils import excutils from oslo_utils import excutils
@ -169,13 +170,13 @@ class CertManager(cert_manager.CertManager):
@staticmethod @staticmethod
def get_cert(cert_ref, service_name='lbaas', def get_cert(cert_ref, service_name='lbaas',
resource_ref=None, lb_id=None,
check_only=False, **kwargs): check_only=False, **kwargs):
"""Retrieves the specified cert and registers as a consumer. """Retrieves the specified cert and registers as a consumer.
:param cert_ref: the UUID of the cert to retrieve :param cert_ref: the UUID of the cert to retrieve
:param service_name: Friendly name for the consuming service :param service_name: Friendly name for the consuming service
:param resource_ref: Full HATEOAS reference to the consuming resource :param lb_id: Loadbalancer id for building resource consumer URL
:param check_only: Read Certificate data without registering :param check_only: Read Certificate data without registering
:return: octavia.certificates.common.Cert representation of the :return: octavia.certificates.common.Cert representation of the
@ -196,7 +197,7 @@ class CertManager(cert_manager.CertManager):
cert_container = connection.containers.register_consumer( cert_container = connection.containers.register_consumer(
container_ref=cert_ref, container_ref=cert_ref,
name=service_name, name=service_name,
url=resource_ref url=CertManager._get_service_url(lb_id)
) )
return Cert(cert_container) return Cert(cert_container)
except Exception: except Exception:
@ -204,12 +205,12 @@ class CertManager(cert_manager.CertManager):
LOG.exception(_LE("Error getting {0}").format(cert_ref)) LOG.exception(_LE("Error getting {0}").format(cert_ref))
@staticmethod @staticmethod
def delete_cert(cert_ref, resource_ref, service_name='lbaas', **kwargs): def delete_cert(cert_ref, lb_id, service_name='lbaas', **kwargs):
"""Deregister as a consumer for the specified cert. """Deregister as a consumer for the specified cert.
:param cert_ref: the UUID of the cert to retrieve :param cert_ref: the UUID of the cert to retrieve
:param service_name: Friendly name for the consuming service :param service_name: Friendly name for the consuming service
:param resource_ref: Full HATEOAS reference to the consuming resource :param lb_id: Loadbalancer id for building resource consumer URL
:raises Exception: if deregistration fails :raises Exception: if deregistration fails
""" """
@ -222,7 +223,7 @@ class CertManager(cert_manager.CertManager):
connection.containers.remove_consumer( connection.containers.remove_consumer(
container_ref=cert_ref, container_ref=cert_ref,
name=service_name, name=service_name,
url=resource_ref url=CertManager._get_service_url(lb_id)
) )
except Exception: except Exception:
with excutils.save_and_reraise_exception(): with excutils.save_and_reraise_exception():
@ -256,3 +257,12 @@ class CertManager(cert_manager.CertManager):
LOG.exception(_LE( LOG.exception(_LE(
"Error recursively deleting certificate container {0}" "Error recursively deleting certificate container {0}"
).format(cert_ref)) ).format(cert_ref))
@staticmethod
def _get_service_url(lb_id):
# Format: <servicename>://<region>/<resource>/<object_id>
return "{0}://{1}/{2}/{3}".format(
cfg.CONF.service_auth.service_name,
cfg.CONF.service_auth.region,
constants.LOADBALANCER,
lb_id)
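Review bot: `get_cert` now defaults `lb_id=None` and `_get_service_url` interpolates it unchecked, so a caller that omits `lb_id` — or one still passing the old `resource_ref=` keyword, which `**kwargs` now swallows without error — registers the Barbican consumer as `lbaas://<region>/LOADBALANCER/None`, and a later `delete_cert` with the real id would not match that consumer. Rejecting the missing id before the register call avoids that, e.g. at the top of `_get_service_url`: `if lb_id is None: raise ValueError("lb_id is required to build the consumer URL")` (the `except Exception` in `get_cert` already logs and re-raises). `_get_service_url` also carries only a format comment; a docstring such as `"""Build the Barbican consumer URL identifying load balancer *lb_id*."""` would make the contract explicit. The bodies of `get_cert` and `delete_cert` continue outside the hunks.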


@ -566,14 +566,17 @@ class LoadBalancerPluginv2(loadbalancerv2.LoadBalancerPluginBaseV2):
def _validate_tls(self, listener, curr_listener=None): def _validate_tls(self, listener, curr_listener=None):
def validate_tls_container(container_ref): def validate_tls_container(container_ref):
cert_container = None cert_container = None
lb_id = None
if curr_listener: if curr_listener:
service_url = self._get_service_url(curr_listener) lb_id = curr_listener['loadbalancer_id']
else: else:
service_url = self._get_service_url(listener) lb_id = listener.get('loadbalancer_id')
try: try:
cert_container = CERT_MANAGER_PLUGIN.CertManager.get_cert( cert_container = CERT_MANAGER_PLUGIN.CertManager.get_cert(
container_ref, container_ref,
resource_ref=service_url) lb_id=lb_id)
except Exception as e: except Exception as e:
if hasattr(e, 'status_code') and e.status_code == 404: if hasattr(e, 'status_code') and e.status_code == 404:
raise loadbalancerv2.TLSContainerNotFound( raise loadbalancerv2.TLSContainerNotFound(
@ -593,7 +596,7 @@ class LoadBalancerPluginv2(loadbalancerv2.LoadBalancerPluginBaseV2):
intermediates=cert_container.get_intermediates()) intermediates=cert_container.get_intermediates())
except Exception as e: except Exception as e:
CERT_MANAGER_PLUGIN.CertManager.delete_cert( CERT_MANAGER_PLUGIN.CertManager.delete_cert(
container_ref, self._get_service_url(listener)) container_ref, lb_id)
raise loadbalancerv2.TLSContainerInvalid( raise loadbalancerv2.TLSContainerInvalid(
container_id=container_ref, reason=str(e)) container_id=container_ref, reason=str(e))
@ -629,14 +632,6 @@ class LoadBalancerPluginv2(loadbalancerv2.LoadBalancerPluginBaseV2):
return len(to_validate) > 0 return len(to_validate) > 0
def _get_service_url(self, listener):
# Format: <servicename>://<region>/<resource>/<object_id>
return "{0}://{1}/{2}/{3}".format(
cfg.CONF.service_auth.service_name,
cfg.CONF.service_auth.region,
constants.LOADBALANCER,
listener['loadbalancer_id'])
def create_listener(self, context, listener): def create_listener(self, context, listener):
listener = listener.get('listener') listener = listener.get('listener')
lb_id = listener.get('loadbalancer_id') lb_id = listener.get('loadbalancer_id')
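Review bot: On the create path `lb_id = listener.get('loadbalancer_id')` can yield None where the update path's `curr_listener['loadbalancer_id']` cannot, and that None is forwarded unchecked to `get_cert(container_ref, lb_id=lb_id)` and to `delete_cert(container_ref, lb_id)`, so the consumer URL built from it would end in `/None`. If a listener can reach this validation without a load balancer, the closure should fail early rather than register an unmatchable consumer, e.g. `if lb_id is None: raise loadbalancerv2.TLSContainerInvalid(container_id=container_ref, reason='listener has no loadbalancer_id')` or whichever validation error the plugin prefers. Whether a None id is reachable here depends on the listener schema, which is not visible in the hunk. `_validate_tls` and the nested `validate_tls_container` both continue outside the hunk.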


@ -18,6 +18,7 @@ import mock
import neutron_lbaas.common.cert_manager.barbican_cert_manager as bbq_common import neutron_lbaas.common.cert_manager.barbican_cert_manager as bbq_common
from neutron_lbaas.common import keystone from neutron_lbaas.common import keystone
import neutron_lbaas.tests.base as base import neutron_lbaas.tests.base as base
from oslo_config import cfg
class TestBarbicanAuth(base.BaseTestCase): class TestBarbicanAuth(base.BaseTestCase):
@ -51,6 +52,18 @@ class TestBarbicanAuth(base.BaseTestCase):
bc2 = bbq_common.BarbicanKeystoneAuth.get_barbican_client() bc2 = bbq_common.BarbicanKeystoneAuth.get_barbican_client()
self.assertIs(bc1, bc2) self.assertIs(bc1, bc2)
def test_get_service_url(self):
# Format: <servicename>://<region>/<resource>/<object_id>
cfg.CONF.set_override('service_name',
'lbaas',
'service_auth')
cfg.CONF.set_override('region',
'RegionOne',
'service_auth')
self.assertEqual(
'lbaas://RegionOne/LOADBALANCER/LB-ID',
bbq_common.CertManager._get_service_url('LB-ID'))
class TestBarbicanCert(base.BaseTestCase): class TestBarbicanCert(base.BaseTestCase):
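Review bot: `test_get_service_url` pins only a real id; under the same overrides `_get_service_url(None)` evaluates to `'lbaas://RegionOne/LOADBALANCER/None'`, and a second assertion on that input would record whether the str-interpolated None is intended. The two `cfg.CONF.set_override` calls have no matching cleanup in the hunk; unless `base.BaseTestCase` resets the config between tests, `self.addCleanup(cfg.CONF.clear_override, 'service_name', 'service_auth')` and the same for `'region'` keep the overrides from leaking into later tests.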


@ -925,21 +925,6 @@ class LbaasListenerTests(ListenerTestBase):
context.get_admin_context(), context.get_admin_context(),
{'listener': listener_data}) {'listener': listener_data})
def test_get_service_url(self):
# Format: <servicename>://<region>/<resource>/<object_id>
cfg.CONF.set_override('service_name',
'lbaas',
'service_auth')
cfg.CONF.set_override('region',
'RegionOne',
'service_auth')
listner = {
'loadbalancer_id': self.lb_id
}
self.assertEqual(
'lbaas://RegionOne/LOADBALANCER/{0}'.format(self.lb_id),
self.plugin._get_service_url(listner))
def test_create_listener_with_tls_invalid_container(self, **extras): def test_create_listener_with_tls_invalid_container(self, **extras):
default_tls_container_ref = uuidutils.generate_uuid() default_tls_container_ref = uuidutils.generate_uuid()
cfg.CONF.set_override('service_name', cfg.CONF.set_override('service_name',
@ -977,7 +962,7 @@ class LbaasListenerTests(ListenerTestBase):
{'listener': listener_data}) {'listener': listener_data})
rm_consumer_mock.assert_called_once_with( rm_consumer_mock.assert_called_once_with(
listener_data['default_tls_container_ref'], listener_data['default_tls_container_ref'],
'lbaas://RegionOne/LOADBALANCER/{0}'.format(self.lb_id)) self.lb_id)
def test_create_listener_with_tls(self, **extras): def test_create_listener_with_tls(self, **extras):
default_tls_container_ref = uuidutils.generate_uuid() default_tls_container_ref = uuidutils.generate_uuid()