From 286626dafb6a3d28cd7ad684315783f9b7f27c64 Mon Sep 17 00:00:00 2001 From: Gregory Thiemonge Date: Fri, 20 Nov 2020 12:57:47 +0100 Subject: [PATCH] Add TLS versions support for listeners and pools Story 2006733 Task 37206 Change-Id: I0eea32565ade95d14ecf00faafc17f3dc0c15ac9 --- octavia_dashboard/api/rest/lbaasv2.py | 4 + .../lbaasv2/listeners/details/detail.html | 2 +- .../lbaasv2/listeners/listeners.module.js | 1 + .../project/lbaasv2/pools/details/detail.html | 3 +- .../project/lbaasv2/pools/pools.module.js | 1 + .../lbaasv2/workflow/listener/listener.html | 9 ++ .../project/lbaasv2/workflow/model.service.js | 6 + .../lbaasv2/workflow/model.service.spec.js | 107 +++++++++++++++++- .../project/lbaasv2/workflow/pool/pool.html | 9 ++ ...-pools-and-listeners-ecc45d0182b33cbe.yaml | 4 + 10 files changed, 142 insertions(+), 4 deletions(-) create mode 100644 releasenotes/notes/add-support-for-tls-versions-in-pools-and-listeners-ecc45d0182b33cbe.yaml diff --git a/octavia_dashboard/api/rest/lbaasv2.py b/octavia_dashboard/api/rest/lbaasv2.py index 2b70563c..823d2f05 100644 --- a/octavia_dashboard/api/rest/lbaasv2.py +++ b/octavia_dashboard/api/rest/lbaasv2.py @@ -188,6 +188,7 @@ def create_listener(request, **kwargs): allowed_cidrs=data['listener'].get('allowed_cidrs'), # Replace empty string by None (uses default tls cipher string) tls_ciphers=data['listener'].get('tls_ciphers') or None, + tls_versions=data['listener'].get('tls_versions') or None, ) if data.get('pool'): @@ -258,6 +259,7 @@ def create_pool(request, **kwargs): tls_enabled=data['pool'].get('tls_enabled'), # Replace empty string by None (uses default tls cipher string) tls_ciphers=data['pool'].get('tls_ciphers') or None, + tls_versions=data['pool'].get('tls_versions') or None, ) if data.get('members'): 
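Review bot: The comment above the new `tls_versions=data['listener'].get('tls_versions') or None` line in create_listener only describes the cipher string, so the fallback for TLS versions is undocumented. Because of `or None`, an empty list or empty string is sent as None, which presumably makes Octavia apply its configured default versions; a user who clears the field therefore gets the deployment default rather than an error. I would add a comment such as `# Empty value -> None: Octavia falls back to its default TLS versions`. Nothing visible here checks that the value is a list of version strings, so rejecting unknown or disallowed versions appears to be left to the Octavia API. The same line is added in create_pool, update_listener and update_pool, and all four functions continue outside their hunks.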
@@ -466,6 +468,7 @@ def update_listener(request, **kwargs): allowed_cidrs=data['listener'].get('allowed_cidrs'), # Replace empty string by None (uses default tls cipher string) tls_ciphers=data['listener'].get('tls_ciphers') or None, + tls_versions=data['listener'].get('tls_versions') or None, ) if data.get('pool'): @@ -538,6 +541,7 @@ def update_pool(request, **kwargs): tls_enabled=data['pool'].get('tls_enabled'), # Replace empty string by None (uses default tls cipher string) tls_ciphers=data['pool'].get('tls_ciphers') or None, + tls_versions=data['pool'].get('tls_versions') or None, ) # Assemble the lists of member id's to add and remove, if any exist diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/details/detail.html b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/details/detail.html index ab933e37..283ad3f4 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/details/detail.html +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/details/detail.html @@ -54,7 +54,7 @@ 'connection_limit', 'insert_headers', 'default_pool_id', 'timeout_client_data', 'timeout_member_connect', 'timeout_member_data', 'timeout_tcp_inspect', 'allowed_cidrs', - 'tls_ciphers' + 'tls_versions', 'tls_ciphers' ]]"> diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/listeners.module.js b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/listeners.module.js index befa6ede..d955b198 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/listeners.module.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/listeners.module.js @@ -186,6 +186,7 @@ timeout_member_data: gettext('Member Data Timeout'), timeout_tcp_inspect: gettext('TCP Inspect Timeout'), load_balancers: gettext('Load Balancers'), + tls_versions: gettext('TLS Versions'), tls_ciphers: gettext('TLS Cipher String') }; } 
diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/pools/details/detail.html b/octavia_dashboard/static/dashboard/project/lbaasv2/pools/details/detail.html index 9e1d28a0..faa7306d 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/pools/details/detail.html +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/pools/details/detail.html @@ -52,7 +52,8 @@ item="ctrl.pool" property-groups="[[ 'id', 'name', 'description', 'project_id', 'created_at', 'updated_at', - 'session_persistence', 'health_monitor_id', 'tls_enabled', 'tls_ciphers']]"> + 'session_persistence', 'health_monitor_id', 'tls_enabled', 'tls_versions', + 'tls_ciphers']]"> diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/pools/pools.module.js b/octavia_dashboard/static/dashboard/project/lbaasv2/pools/pools.module.js index 7322ca00..5e5d5cc2 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/pools/pools.module.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/pools/pools.module.js @@ -180,6 +180,7 @@ label: gettext('TLS Enabled'), filters: ['yesno'] }, + tls_versions: gettext('TLS Versions'), tls_ciphers: gettext('TLS Cipher String') }; } diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/listener/listener.html b/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/listener/listener.html index 37de5ef3..6c420e9d 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/listener/listener.html +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/listener/listener.html @@ -189,6 +189,15 @@
+
+
+ + +
+
+
diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/model.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/model.service.js index 57519a1d..c8eee796 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/model.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/model.service.js @@ -174,6 +174,7 @@ timeout_member_data: 50000, timeout_tcp_inspect: 0, allowed_cidrs: null, + tls_versions: null, tls_ciphers: null }, l7policy: { @@ -207,6 +208,7 @@ }, admin_state_up: true, tls_enabled: false, + tls_versions: null, tls_ciphers: null }, monitor: { @@ -523,6 +525,7 @@ // Remove certificate containers if not using TERMINATED_HTTPS delete finalSpec.certificates; delete finalSpec.listener.tls_ciphers; + delete finalSpec.listener.tls_versions; } else { var containers = []; angular.forEach(finalSpec.certificates, function(cert) { @@ -545,6 +548,7 @@ finalSpec.pool.protocol = protocol === 'TERMINATED_HTTPS' ? 'HTTP' : protocol; if (!finalSpec.pool.tls_enabled) { delete finalSpec.pool.tls_ciphers; + delete finalSpec.pool.tls_versions; } if (angular.isObject(finalSpec.pool.session_persistence)) { if (!finalSpec.pool.session_persistence.type) { @@ -814,6 +818,7 @@ spec.timeout_tcp_inspect = listener.timeout_tcp_inspect; spec.allowed_cidrs = listener.allowed_cidrs; spec.tls_ciphers = listener.tls_ciphers; + spec.tls_versions = listener.tls_versions; } function setL7PolicySpec(l7policy) { @@ -850,6 +855,7 @@ spec.session_persistence = pool.session_persistence; spec.tls_enabled = pool.tls_enabled; spec.tls_ciphers = pool.tls_ciphers; + spec.tls_versions = pool.tls_versions; } function setMembersSpec(membersList) { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/model.service.spec.js b/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/model.service.spec.js index e1e2e0e4..bf2b6446 100644 
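Review bot: Nothing in the model.service.js hunks states what type `tls_versions` holds. The defaults set `tls_versions: null`, and the two setter hunks assign `listener.tls_versions` and `pool.tls_versions` straight into the spec, so an array returned by the API would be shared by reference with the form model. The accompanying spec file feeds both a newline-joined string and an array through these assignments, which suggests the contract is not settled. A comment at the defaults, such as `// list of TLS version strings; null lets Octavia use its default`, would make the intent explicit, assuming a list is what the API expects. The enclosing functions start and end outside the hunks.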
--- a/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/model.service.spec.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/model.service.spec.js @@ -1077,6 +1077,7 @@ beforeEach(function() { includeChildResources = true; + listenerResources.pool.tls_versions = "v1\nv2"; model.initialize('pool', '1234', 'loadbalancerId'); scope.$apply(); }); @@ -1123,6 +1124,7 @@ expect(model.spec.pool.lb_algorithm).toBe('ROUND_ROBIN'); expect(model.spec.pool.session_persistence.type).toBe('APP_COOKIE'); expect(model.spec.pool.session_persistence.cookie_name).toBe('cookie_name'); + expect(model.spec.pool.tls_versions).toBe("v1\nv2"); }); it('should initialize all monitor properties', function() { @@ -1258,6 +1260,7 @@ beforeEach(function() { includeChildResources = true; listenerResources.listener.protocol = 'TERMINATED_HTTPS'; + listenerResources.listener.tls_versions = 'v1\nv2'; model.initialize('listener', '1234'); scope.$apply(); }); @@ -1266,6 +1269,7 @@ expect(model.certificates.length).toBe(3); expect(model.spec.certificates.length).toBe(1); expect(model.spec.certificates[0].id).toBe('container2'); + expect(model.spec.listener.tls_versions).toBe('v1\nv2'); }); }); @@ -1298,10 +1302,10 @@ it('has the right number of properties', function() { expect(Object.keys(model.spec).length).toBe(11); expect(Object.keys(model.spec.loadbalancer).length).toBe(7); - expect(Object.keys(model.spec.listener).length).toBe(16); + expect(Object.keys(model.spec.listener).length).toBe(17); expect(Object.keys(model.spec.l7policy).length).toBe(8); expect(Object.keys(model.spec.l7rule).length).toBe(7); - expect(Object.keys(model.spec.pool).length).toBe(9); + expect(Object.keys(model.spec.pool).length).toBe(10); expect(Object.keys(model.spec.monitor).length).toBe(11); expect(model.spec.members).toEqual([]); }); 
@@ -2291,6 +2295,56 @@ expect(finalSpec.listener.protocol).toBe('HTTP'); expect(finalSpec.listener.protocol_port).toBe(80); + expect(finalSpec.pool.name).toBe('Pool 1'); + expect(finalSpec.pool.description).toBe('pool description'); + expect(finalSpec.pool.protocol).toBe('HTTP'); + expect(finalSpec.pool.lb_algorithm).toBe('ROUND_ROBIN'); + expect(finalSpec.pool.session_persistence.type).toBe('APP_COOKIE'); + expect(finalSpec.pool.session_persistence.cookie_name).toBe('cookie_name'); + expect(finalSpec.pool.tls_versions).toBeUndefined(); + + expect(finalSpec.members.length).toBe(2); + expect(finalSpec.members[0].id).toBe('1234'); + expect(finalSpec.members[0].address).toBe('1.2.3.4'); + expect(finalSpec.members[0].subnet_id).toBe('subnet-1'); + expect(finalSpec.members[0].protocol_port).toBe(80); + expect(finalSpec.members[0].weight).toBe(1); + expect(finalSpec.members[1].id).toBe('5678'); + expect(finalSpec.members[1].address).toBe('5.6.7.8'); + expect(finalSpec.members[1].subnet_id).toBe('subnet-1'); + expect(finalSpec.members[1].protocol_port).toBe(80); + expect(finalSpec.members[1].weight).toBe(1); + + expect(finalSpec.monitor.type).toBe('HTTP'); + expect(finalSpec.monitor.delay).toBe(1); + expect(finalSpec.monitor.max_retries).toBe(1); + expect(finalSpec.monitor.max_retries_down).toBe(1); + expect(finalSpec.monitor.timeout).toBe(1); + }); + }); + + describe('Model submit function (edit listener TERMINATED_HTTPS)', function() { + + beforeEach(function() { + includeChildResources = true; + listenerResources.listener.protocol = 'TERMINATED_HTTPS'; + listenerResources.listener.tls_versions = ['v1', 'v2']; + model.initialize('listener', '1234'); + scope.$apply(); + }); + + it('should set final spec properties', function() { + var finalSpec = model.submit(); + + expect(finalSpec.loadbalancer).toBeUndefined(); + + expect(finalSpec.listener.name).toBe('Listener 1'); + expect(finalSpec.listener.description).toBe('listener description'); + 
expect(finalSpec.listener.protocol).toBe('TERMINATED_HTTPS'); + expect(finalSpec.listener.protocol_port).toBe(80); + expect(finalSpec.listener.tls_versions).toContain('v1'); + expect(finalSpec.listener.tls_versions).toContain('v2'); + expect(finalSpec.pool.name).toBe('Pool 1'); expect(finalSpec.pool.description).toBe('pool description'); expect(finalSpec.pool.protocol).toBe('HTTP'); @@ -2405,6 +2459,7 @@ beforeEach(function() { includeChildResources = true; listenerResources.pool.tls_enabled = true; + listenerResources.pool.tls_versions = ['v1', 'v2']; listenerResources.pool.tls_ciphers = "A:B:C"; model.initialize('pool', 'poolId', 'loadbalancerId'); scope.$apply(); @@ -2424,6 +2479,8 @@ expect(finalSpec.pool.session_persistence.type).toBe('APP_COOKIE'); expect(finalSpec.pool.session_persistence.cookie_name).toBe('cookie_name'); expect(finalSpec.pool.tls_enabled).toBe(true); + expect(finalSpec.pool.tls_versions).toContain('v1'); + expect(finalSpec.pool.tls_versions).toContain('v2'); expect(finalSpec.pool.tls_ciphers).toBe("A:B:C"); expect(finalSpec.members.length).toBe(2); 
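Review bot: `expect(finalSpec.listener.tls_versions).toContain('v1')` in the new TERMINATED_HTTPS submit test does not pin the type that is submitted, because Jasmine's `toContain` also matches substrings and would pass for the string `'v1\nv2'` as well as for the array fixture. `expect(finalSpec.listener.tls_versions).toEqual(['v1', 'v2']);` would check both the type and the full content; the pool assertions in the later tls_enabled hunk have the same shape. The initialization tests earlier in this file use a newline-joined string as the fixture while the submit tests use an array, so one representation should be used throughout, ideally the one the API returns. The enclosing test bodies continue outside the hunk.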
@@ -2446,6 +2503,52 @@ }); }); + describe('Model submit function (edit pool tls_enabled without tls_versions)', function() { + + beforeEach(function() { + includeChildResources = true; + listenerResources.pool.tls_enabled = true; + listenerResources.pool.tls_versions = ''; + model.initialize('pool', 'poolId', 'loadbalancerId'); + scope.$apply(); + }); + + it('should set final spec properties', function() { + + var finalSpec = model.submit(); + + expect(finalSpec.loadbalancer).toBeUndefined(); + expect(finalSpec.listener).toBeUndefined(); + + expect(finalSpec.pool.name).toBe('Pool 1'); + expect(finalSpec.pool.description).toBe('pool description'); + expect(finalSpec.pool.protocol).toBe('HTTP'); + expect(finalSpec.pool.lb_algorithm).toBe('ROUND_ROBIN'); + expect(finalSpec.pool.session_persistence.type).toBe('APP_COOKIE'); + expect(finalSpec.pool.session_persistence.cookie_name).toBe('cookie_name'); + expect(finalSpec.pool.tls_enabled).toBe(true); + expect(finalSpec.pool.tls_versions).toBe(''); + + expect(finalSpec.members.length).toBe(2); + expect(finalSpec.members[0].id).toBe('1234'); + expect(finalSpec.members[0].address).toBe('1.2.3.4'); + expect(finalSpec.members[0].subnet_id).toBe('subnet-1'); + expect(finalSpec.members[0].protocol_port).toBe(80); + expect(finalSpec.members[0].weight).toBe(1); + expect(finalSpec.members[1].id).toBe('5678'); + expect(finalSpec.members[1].address).toBe('5.6.7.8'); + expect(finalSpec.members[1].subnet_id).toBe('subnet-1'); + expect(finalSpec.members[1].protocol_port).toBe(80); + expect(finalSpec.members[1].weight).toBe(1); + + expect(finalSpec.monitor.type).toBe('HTTP'); + expect(finalSpec.monitor.delay).toBe(1); + expect(finalSpec.monitor.max_retries).toBe(1); + expect(finalSpec.monitor.max_retries_down).toBe(1); + expect(finalSpec.monitor.timeout).toBe(1); + }); + }); + describe('Model submit function (update member list)', function() { beforeEach(function() { 
diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/pool/pool.html b/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/pool/pool.html
index bb4bc808..50c4f8dd 100644
--- a/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/pool/pool.html
+++ b/octavia_dashboard/static/dashboard/project/lbaasv2/workflow/pool/pool.html
@@ -124,6 +124,15 @@
+
+
+ + +
+
+
diff --git a/releasenotes/notes/add-support-for-tls-versions-in-pools-and-listeners-ecc45d0182b33cbe.yaml b/releasenotes/notes/add-support-for-tls-versions-in-pools-and-listeners-ecc45d0182b33cbe.yaml
new file mode 100644
index 00000000..642f5e68
--- /dev/null
+++ b/releasenotes/notes/add-support-for-tls-versions-in-pools-and-listeners-ecc45d0182b33cbe.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Add support for setting TLS Versions parameter in listeners and pools.