From 298fd45380a937f21f09a4532615fe3af139ab56 Mon Sep 17 00:00:00 2001 From: Aishwarya Thangappa Date: Wed, 23 Mar 2016 19:41:50 -0700 Subject: [PATCH] Fixes the SNI issues in master(mitaka) for octavia 1. Fixes the mismatch between the tls_container_id lengths in neutron.lbaas_sni and octavia.sni tables. 2. Fixes the syntax error in cert_parser.py field. (tls_container.id => tls_container_id) 3. Removes the certs['sni_certs'] parameter from the rest_api_driver.py as it gets wrongly assigned to socket_path parameter in the jinja_cfg.py file. 4. Modifies the sample_configs to make the unit tests work with the above changes. Change-Id: I8fe5854ef2dc508e37a368294c44eef63b5bccba Closes-Bug: #1520990 --- .../drivers/haproxy/rest_api_driver.py | 3 +- octavia/common/tls_utils/cert_parser.py | 2 +- ..._change_tls_container_id_length_in_sni_.py | 37 +++++++++++++++++++ .../common/sample_configs/sample_configs.py | 18 +++++---- 4 files changed, 50 insertions(+), 10 deletions(-) create mode 100644 octavia/db/migration/alembic_migrations/versions/8c0851bdf6c3_change_tls_container_id_length_in_sni_.py diff --git a/octavia/amphorae/drivers/haproxy/rest_api_driver.py b/octavia/amphorae/drivers/haproxy/rest_api_driver.py index 96ff0da196..810bc84f1f 100644 --- a/octavia/amphorae/drivers/haproxy/rest_api_driver.py +++ b/octavia/amphorae/drivers/haproxy/rest_api_driver.py @@ -67,8 +67,7 @@ class HaproxyAmphoraLoadBalancerDriver( # Process listener certificate info certs = self._process_tls_certificates(listener) # Generate HaProxy configuration from listener object - config = self.jinja.build_config(listener, certs['tls_cert'], - certs['sni_certs']) + config = self.jinja.build_config(listener, certs['tls_cert']) for amp in listener.load_balancer.amphorae: if amp.status != constants.DELETED: diff --git a/octavia/common/tls_utils/cert_parser.py b/octavia/common/tls_utils/cert_parser.py index 2de171fae9..fdda2f6617 100644 --- a/octavia/common/tls_utils/cert_parser.py 
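Review bot: The call to `build_config` still passes `certs['tls_cert']` positionally, the same calling style that, according to the commit message, let `certs['sni_certs']` land in `socket_path`. Passing it by keyword, e.g. `config = self.jinja.build_config(listener, tls_cert=certs['tls_cert'])` (assuming the parameter is named `tls_cert`; `jinja_cfg.py` is not part of this patch), would make a later signature change fail with a TypeError instead of silently rendering certificate data into an unrelated config field. A unit test asserting the arguments `build_config` receives would pin the fix; none is visible in this patch. The enclosing method starts and ends outside the hunk.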
+++ b/octavia/common/tls_utils/cert_parser.py @@ -197,7 +197,7 @@ def load_certificates_data(cert_mngr, listener): for sni_cont in listener.sni_containers: cert_container = _map_cert_tls_container( cert_mngr.get_cert(listener.project_id, - sni_cont.tls_container.id, + sni_cont.tls_container_id, check_only=True)) sni_certs.append(cert_container) return {'tls_cert': tls_cert, 'sni_certs': sni_certs} diff --git a/octavia/db/migration/alembic_migrations/versions/8c0851bdf6c3_change_tls_container_id_length_in_sni_.py b/octavia/db/migration/alembic_migrations/versions/8c0851bdf6c3_change_tls_container_id_length_in_sni_.py new file mode 100644 index 0000000000..235820cd0d --- /dev/null +++ b/octavia/db/migration/alembic_migrations/versions/8c0851bdf6c3_change_tls_container_id_length_in_sni_.py @@ -0,0 +1,37 @@ +# Copyright 2016 Hewlett-Packard Development Company, L.P. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +"""change_tls_container_id_length_in_sni_table + +Revision ID: 8c0851bdf6c3 +Revises: 186509101b9b +Create Date: 2016-03-23 19:08:53.148812 + +""" + +# revision identifiers, used by Alembic. +revision = '8c0851bdf6c3' +down_revision = '186509101b9b' + +from alembic import op +import sqlalchemy as sa + + +def upgrade(): + op.alter_column(u'sni', u'tls_container_id', type_=sa.String(128), + existing_type=sa.String(36), nullable=True) + + +def downgrade(): + pass 
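Review bot: `upgrade()` passes `nullable=True` together with the type change, so this migration alters the column's nullability as well as its length, which the commit message does not mention. If `sni.tls_container_id` is currently NOT NULL (the table definition is not shown here), that constraint is dropped and a row with no container reference could reach `cert_mngr.get_cert`; passing `existing_nullable=False` in place of `nullable=True` would keep the constraint while widening the column, to be confirmed against the model. `downgrade()` is a bare `pass`; a short comment such as `# No downgrade: shrinking back to String(36) would truncate references longer than 36 characters` would document that the omission is deliberate.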
diff --git a/octavia/tests/unit/common/sample_configs/sample_configs.py b/octavia/tests/unit/common/sample_configs/sample_configs.py index 7d24648676..55f9285b62 100644 --- a/octavia/tests/unit/common/sample_configs/sample_configs.py +++ b/octavia/tests/unit/common/sample_configs/sample_configs.py @@ -403,12 +403,14 @@ def sample_listener_tuple(proto=None, monitor=True, persistence=True, ) if tls else '', sni_containers=[ sample_tls_sni_container_tuple( + tls_container_id='cont_id_2', tls_container=sample_tls_container_tuple( id='cont_id_2', certificate='--imapem2--\n', private_key='--imakey2--\n', intermediates=[ '--imainter2--\n', '--imainter2too--\n' ], primary_cn='aFakeCN')), sample_tls_sni_container_tuple( + tls_container_id='cont_id_3', tls_container=sample_tls_container_tuple( id='cont_id_3', certificate='--imapem3--\n', private_key='--imakey3--\n', intermediates=[ @@ -421,14 +423,16 @@ def sample_listener_tuple(proto=None, monitor=True, persistence=True, ) -def sample_tls_sni_container_tuple(tls_container=None): - sc = collections.namedtuple('sni_container', 'tls_container') - return sc(tls_container=tls_container) +def sample_tls_sni_container_tuple(tls_container_id=None, tls_container=None): + sc = collections.namedtuple('sni_container', 'tls_container_id, ' + 'tls_container') + return sc(tls_container_id=tls_container_id, tls_container=tls_container) -def sample_tls_sni_containers_tuple(tls_container=None): - sc = collections.namedtuple('sni_containers', 'tls_container') - return [sc(tls_container=tls_container)] +def sample_tls_sni_containers_tuple(tls_container_id=None, tls_container=None): + sc = collections.namedtuple('sni_containers', 'tls_container_id, ' + 'tls_container') + return [sc(tls_container_id=tls_container_id, tls_container=tls_container)] def sample_tls_container_tuple(id='cont_id_1', certificate=None, 
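Review bot: Both SNI fixtures set `tls_container_id` to the same string as the nested `tls_container` id (`'cont_id_2'`, `'cont_id_3'`), so a test built on them passes whether the code reads `sni_cont.tls_container_id` or the old `sni_cont.tls_container.id`. Giving the reference a distinct value, for example `tls_container_id='cont_ref_2'` with `id='cont_id_2'` left as is (a constructed sample value), would let the unit tests detect a regression of the cert_parser.py fix, provided the expected values in the tests that consume these fixtures are adjusted to match. `sample_tls_sni_container_tuple` and `sample_tls_sni_containers_tuple` also build the same namedtuple shape twice; a one-line docstring on each stating which returns a single tuple and which returns a list would help. `sample_listener_tuple` starts outside the hunk.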
@@ -633,4 +637,4 @@ def sample_base_expected_config(frontend=None, backend=None, peers=None): " option redispatch\n" " timeout connect 5000\n" " timeout client 50000\n" - " timeout server 50000\n\n" + peers + frontend + backend) + " timeout server 50000\n\n" + peers + frontend + backend) \ No newline at end of file