Merge "Add TLS protocols for listener and pool model"

2020-04-01 19:42:08 +00:00 · 2020-04-01 19:42:08 +00:00 · 52ea602c63
commit 52ea602c63
parent 0b76e18bbf 6bec133036
4 changed files with 42 additions and 2 deletions
--- a/octavia_lib/api/drivers/data_models.py
+++ b/octavia_lib/api/drivers/data_models.py
@ -133,7 +133,7 @@ class Listener(BaseDataModel):
                 client_ca_tls_container_data=Unset,
                 client_authentication=Unset, client_crl_container_ref=Unset,
                 client_crl_container_data=Unset, project_id=Unset,
-                 allowed_cidrs=Unset, tls_ciphers=Unset):
+                 allowed_cidrs=Unset, tls_versions=Unset, tls_ciphers=Unset):

        self.admin_state_up = admin_state_up
        self.connection_limit = connection_limit
@ -162,6 +162,7 @@ class Listener(BaseDataModel):
        self.client_crl_container_data = client_crl_container_data
        self.project_id = project_id
        self.allowed_cidrs = allowed_cidrs
+        self.tls_versions = tls_versions
        self.tls_ciphers = tls_ciphers


@ -174,7 +175,7 @@ class Pool(BaseDataModel):
                 tls_container_data=Unset, ca_tls_container_ref=Unset,
                 ca_tls_container_data=Unset, crl_container_ref=Unset,
                 crl_container_data=Unset, tls_enabled=Unset,
-                 project_id=Unset, tls_ciphers=Unset):
+                 project_id=Unset, tls_versions=Unset, tls_ciphers=Unset):

        self.admin_state_up = admin_state_up
        self.description = description
@ -195,6 +196,7 @@ class Pool(BaseDataModel):
        self.crl_container_data = crl_container_data
        self.tls_enabled = tls_enabled
        self.project_id = project_id
+        self.tls_versions = tls_versions
        self.tls_ciphers = tls_ciphers


--- a/octavia_lib/common/constants.py
+++ b/octavia_lib/common/constants.py
@ -251,6 +251,12 @@ TLS_CIPHERS = 'tls_ciphers'
 TLS_CONTAINER_DATA = 'tls_container_data'
 TLS_CONTAINER_REF = 'tls_container_ref'
 TLS_ENABLED = 'tls_enabled'
+TLS_VERSIONS = 'tls_versions'
+SSL_VERSION_3 = 'SSLv3'
+TLS_VERSION_1 = 'TLSv1'
+TLS_VERSION_1_1 = 'TLSv1.1'
+TLS_VERSION_1_2 = 'TLSv1.2'
+TLS_VERSION_1_3 = 'TLSv1.3'
 TYPE = 'type'
 URL_PATH = 'url_path'
 VALUE = 'value'
--- a/octavia_lib/tests/unit/api/drivers/test_data_models.py
+++ b/octavia_lib/tests/unit/api/drivers/test_data_models.py
@ -17,6 +17,7 @@ from copy import deepcopy
 from oslo_utils import uuidutils

 from octavia_lib.api.drivers import data_models
+from octavia_lib.common import constants
 from octavia_lib.tests.unit import base


@ -101,6 +102,11 @@ class TestProviderDataModels(base.TestCase):
            client_crl_container_data=None,
            client_crl_container_ref=None,
            allowed_cidrs=None,
+            tls_versions=[constants.SSL_VERSION_3,
+                          constants.TLS_VERSION_1,
+                          constants.TLS_VERSION_1_1,
+                          constants.TLS_VERSION_1_2,
+                          constants.TLS_VERSION_1_3],
            tls_ciphers=None)

        self.ref_lb = data_models.LoadBalancer(
@ -169,6 +175,11 @@ class TestProviderDataModels(base.TestCase):
            listener_id=self.listener_id,
            protocol='avian',
            session_persistence=self.session_persistence,
+            tls_versions=[constants.SSL_VERSION_3,
+                          constants.TLS_VERSION_1,
+                          constants.TLS_VERSION_1_1,
+                          constants.TLS_VERSION_1_2,
+                          constants.TLS_VERSION_1_3],
            tls_ciphers=None)

        self.ref_l7rule_dict = {'admin_state_up': True,
@ -237,6 +248,11 @@ class TestProviderDataModels(base.TestCase):
            'client_crl_container_data': None,
            'client_crl_container_ref': None,
            'allowed_cidrs': None,
+            'tls_versions': [constants.SSL_VERSION_3,
+                             constants.TLS_VERSION_1,
+                             constants.TLS_VERSION_1_1,
+                             constants.TLS_VERSION_1_2,
+                             constants.TLS_VERSION_1_3],
            'tls_ciphers': None}

        self.ref_lb_dict_with_listener = {
@ -305,6 +321,11 @@ class TestProviderDataModels(base.TestCase):
            'listener_id': self.listener_id,
            'protocol': 'avian',
            'session_persistence': self.session_persistence,
+            'tls_versions': [constants.SSL_VERSION_3,
+                             constants.TLS_VERSION_1,
+                             constants.TLS_VERSION_1_1,
+                             constants.TLS_VERSION_1_2,
+                             constants.TLS_VERSION_1_3],
            'tls_ciphers': None}

    def test_equality(self):
@ -345,9 +366,11 @@ class TestProviderDataModels(base.TestCase):
        ref_list_dict.pop('l7policies', None)
        ref_list_dict.pop('sni_container_data', None)
        ref_list_dict.pop('sni_container_refs', None)
+        ref_list_dict.pop('tls_versions', None)
        ref_pool_dict = deepcopy(self.ref_pool_dict)
        ref_pool_dict['healthmonitor'] = None
        ref_pool_dict.pop('members', None)
+        ref_pool_dict.pop('tls_versions', None)
        ref_l7policy_dict = deepcopy(self.ref_l7policy_dict)
        ref_l7policy_dict.pop('rules', None)

--- a/releasenotes/notes/add-tls-protocols-for-listener-and-pool-model-e9083b85afc62ef0.yaml
+++ b/releasenotes/notes/add-tls-protocols-for-listener-and-pool-model-e9083b85afc62ef0.yaml
@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Added a parameter called ``tls_versions`` for
+    passing allowed TLS versions to pools and listeners.
+    The available TLS versions have corresponding
+    constants. The constants are prefixed with
+    ``TLS_VERSION`` (except SSLv3 which is
+    ``SSL_VERSION_3``).