diff --git a/octavia/api/drivers/amphora_driver/v2/driver.py b/octavia/api/drivers/amphora_driver/v2/driver.py index e2c060b67d..b2afbbe02f 100644 --- a/octavia/api/drivers/amphora_driver/v2/driver.py +++ b/octavia/api/drivers/amphora_driver/v2/driver.py @@ -136,17 +136,30 @@ class AmphoraProviderDriver(driver_base.ProviderDriver): consts.LOAD_BALANCER_UPDATES: lb_dict} self.client.cast({}, 'update_load_balancer', **payload) + def _encrypt_tls_container_data(self, tls_container_data): + for key, val in tls_container_data.items(): + if isinstance(val, bytes): + tls_container_data[key] = self.fernet.encrypt(val) + elif isinstance(val, list): + encrypt_vals = [] + for i in val: + if isinstance(i, bytes): + encrypt_vals.append(self.fernet.encrypt(i)) + else: + encrypt_vals.append(i) + tls_container_data[key] = encrypt_vals + def _encrypt_listener_dict(self, listener_dict): # We need to encrypt the user cert/key data for sending it # over messaging. if listener_dict.get(consts.DEFAULT_TLS_CONTAINER_DATA, False): - listener_dict[consts.DEFAULT_TLS_CONTAINER_DATA] = ( - self.fernet.encrypt( - listener_dict[consts.DEFAULT_TLS_CONTAINER_DATA])) + container_data = listener_dict[consts.DEFAULT_TLS_CONTAINER_DATA] + self._encrypt_tls_container_data(container_data) if listener_dict.get(consts.SNI_CONTAINER_DATA, False): sni_list = [] for sni_data in listener_dict[consts.SNI_CONTAINER_DATA]: - sni_list.append(self.fernet.encrypt(sni_data)) + self._encrypt_tls_container_data(sni_data) + sni_list.append(sni_data) if sni_list: listener_dict[consts.SNI_CONTAINER_DATA] = sni_list @@ -154,7 +167,7 @@ class AmphoraProviderDriver(driver_base.ProviderDriver): def listener_create(self, listener): self._validate_alpn_protocols(listener) payload = {consts.LISTENER: listener.to_dict()} - self._encrypt_listener_dict(payload) + self._encrypt_listener_dict(payload[consts.LISTENER]) self.client.cast({}, 'create_listener', **payload) 
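Review bot: `_encrypt_tls_container_data` encrypts only values that are `bytes` (or `bytes` items inside a list), so any certificate or key field that reaches it as `str` goes over messaging in plaintext. That case looks reachable from this same commit: `_get_secret_data` in octavia/api/drivers/utils.py and `BaseDataModel.to_dict` in octavia/common/data_models.py now call `.decode()` on bytes, although whether those decoded values end up in this dict is not visible here. Consider selecting fields by an explicit list of sensitive keys rather than by Python type, or at least encoding text first with `if isinstance(val, str): val = val.encode()`, provided the worker side decrypts the same fields. A docstring stating that the dict is modified in place and which value types are left untouched would also help.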
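Review bot: `_encrypt_listener_dict` fails open, and the corrected call in `listener_create` shows the consequence. When it is handed a dict without the TLS keys, as the old `self._encrypt_listener_dict(payload)` call did with the `{consts.LISTENER: ...}` wrapper, the `.get(..., False)` checks skip encryption without any error. The visible tests call `_encrypt_listener_dict` directly, so the same mistake at another call site would go unnoticed. A test that asserts `fernet.encrypt` was called before `client.cast` for a listener carrying TLS data would pin this. Other callers of `_encrypt_listener_dict` are outside this hunk and worth checking for the same wrapper-level argument.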
diff --git a/octavia/api/drivers/utils.py b/octavia/api/drivers/utils.py index cad611cb8b..ea1a2e6d84 100644 --- a/octavia/api/drivers/utils.py +++ b/octavia/api/drivers/utils.py @@ -206,6 +206,10 @@ def _get_secret_data(cert_manager, project_id, secret_ref, for_delete=False): secret_data = None else: raise exceptions.CertificateRetrievalException(ref=secret_ref) + # We need to have json convertible data for storing it in + # persistence jobboard backend. + if isinstance(secret_data, bytes): + return secret_data.decode() return secret_data diff --git a/octavia/common/data_models.py b/octavia/common/data_models.py index 0a5f39e3a4..a5ad838d6e 100644 --- a/octavia/common/data_models.py +++ b/octavia/common/data_models.py @@ -43,6 +43,9 @@ class BaseDataModel(object): if isinstance(value, datetime.datetime): ret[attr] = value.isoformat() continue + if isinstance(value, bytes): + ret[attr] = value.decode() + continue if recurse: if isinstance(getattr(self, attr), list): ret[attr] = [] diff --git a/octavia/tests/unit/api/drivers/amphora_driver/v2/test_amphora_driver.py b/octavia/tests/unit/api/drivers/amphora_driver/v2/test_amphora_driver.py index 54d6a45b60..da7ef16da0 100644 --- a/octavia/tests/unit/api/drivers/amphora_driver/v2/test_amphora_driver.py +++ b/octavia/tests/unit/api/drivers/amphora_driver/v2/test_amphora_driver.py @@ -744,9 +744,9 @@ class TestAmphoraDriver(base.TestRpc): def test_encrypt_listener_dict(self, mock_fernet): mock_fern = mock.MagicMock() mock_fernet.return_value = mock_fern - TEST_DATA = 'some data' - TEST_DATA2 = 'more data' - FAKE_ENCRYPTED_DATA = 'alqwkhjetrhth' + TEST_DATA = {'cert': b'some data'} + TEST_DATA2 = {'test': 'more data'} + FAKE_ENCRYPTED_DATA = b'alqwkhjetrhth' mock_fern.encrypt.return_value = FAKE_ENCRYPTED_DATA # We need a class instance with the mock 
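Review bot: `secret_data.decode()` in `_get_secret_data` uses strict UTF-8, so a secret whose payload is not valid UTF-8 would raise `UnicodeDecodeError` instead of the `CertificateRetrievalException` raised just above. The same applies to the `value.decode()` added to `BaseDataModel.to_dict` in octavia/common/data_models.py. If only PEM text is expected here, catch the error and re-raise it as `exceptions.CertificateRetrievalException(ref=secret_ref)`. The new comment says the value is stored in the persistence jobboard backend, so it is worth confirming that secret material is encrypted before it is written there. The body of `_get_secret_data` starts outside this hunk.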
@@ -757,21 +757,21 @@ class TestAmphoraDriver(base.TestRpc): amp_driver._encrypt_listener_dict(list_dict) - mock_fern.encrypt.assert_called_once_with(TEST_DATA) + mock_fern.encrypt.assert_called_once_with(b'some data') - self.assertEqual(FAKE_ENCRYPTED_DATA, + self.assertEqual({'cert': FAKE_ENCRYPTED_DATA}, list_dict[consts.DEFAULT_TLS_CONTAINER_DATA]) mock_fern.reset_mock() # Test just sni_container_data - list_dict = {consts.SNI_CONTAINER_DATA: [TEST_DATA, TEST_DATA2]} + TEST_DATA = {'cert': b'some data'} + sni_dict = {consts.SNI_CONTAINER_DATA: [TEST_DATA, TEST_DATA2]} - amp_driver._encrypt_listener_dict(list_dict) + amp_driver._encrypt_listener_dict(sni_dict) - calls = [mock.call(TEST_DATA), mock.call(TEST_DATA2)] + mock_fern.encrypt.assert_called_once_with(b'some data') - mock_fern.encrypt.assert_has_calls(calls) - - encrypted_sni = [FAKE_ENCRYPTED_DATA, FAKE_ENCRYPTED_DATA] - self.assertEqual(encrypted_sni, list_dict[consts.SNI_CONTAINER_DATA]) + encrypted_sni = [{'cert': FAKE_ENCRYPTED_DATA}, + TEST_DATA2] + self.assertEqual(encrypted_sni, sni_dict[consts.SNI_CONTAINER_DATA])
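Review bot: The list branch of `_encrypt_tls_container_data` is never exercised here, because both fixtures hold only scalar values, so a regression in encrypting `bytes` items inside a list would still pass. A fixture such as `{'intermediates': [b'int1', 'int2']}` (constructed sample), with an assertion that only the `bytes` item is encrypted, would cover it. The assertion that `TEST_DATA2` comes back unchanged also pins the behaviour that `str` values are left in plaintext, which deserves a comment such as `# str values are intentionally not encrypted` if that is the intent. `test_encrypt_listener_dict` begins in the previous hunk.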