Merge "Allow operators to disallow creation of TLS Termination listeners"

This commit is contained in:
Jenkins 2017-06-28 02:15:20 +00:00 committed by Gerrit Code Review
commit 3ccd8a3162
6 changed files with 37 additions and 4 deletions

View File

@ -37,6 +37,9 @@
# api_v1_enabled = True
# api_v2_enabled = True
# Enable/disable ability for users to create TLS Terminated listeners
# allow_tls_terminated_listeners = True
[database]
# This line MUST be changed to actually run the plugin.
# Example:

View File

@ -196,6 +196,11 @@ class ListenersController(base.BaseController):
self._auth_validate_action(context, listener.project_id,
constants.RBAC_POST)
if (not CONF.api_settings.allow_tls_terminated_listeners and
listener.protocol == constants.PROTOCOL_TERMINATED_HTTPS):
raise exceptions.DisabledOption(
value=constants.PROTOCOL_TERMINATED_HTTPS, option='protocol')
lock_session = db_api.get_session(autocommit=False)
if self.repositories.check_quota_met(
context.session,

View File

@ -95,6 +95,8 @@ api_opts = [
help=_("Expose the v1 API?")),
cfg.BoolOpt('api_v2_enabled', default=True,
help=_("Expose the v2 API?")),
cfg.BoolOpt('allow_tls_terminated_listeners', default=True,
help=_("Allow users to create TLS Terminated listeners?")),
]
# Options only used by the amphora agent

View File

@ -80,6 +80,12 @@ class InvalidOption(APIException):
code = 400
class DisabledOption(APIException):
msg = _("The selected %(option)s is not allowed in this deployment: "
"%(value)s")
code = 400
class L7RuleValidation(APIException):
msg = _("Error parsing L7Rule: %(error)s")
code = 400

View File

@ -1051,8 +1051,8 @@ class TestListener(base.BaseAPITest):
def test_create_with_tls_termination_data(self):
cert_id = uuidutils.generate_uuid()
listener = self.create_listener(constants.PROTOCOL_HTTP, 80,
self.lb_id,
listener = self.create_listener(constants.PROTOCOL_TERMINATED_HTTPS,
80, self.lb_id,
default_tls_container_ref=cert_id)
listener_path = self.LISTENER_PATH.format(
listener_id=listener['listener']['id'])
@ -1061,8 +1061,8 @@ class TestListener(base.BaseAPITest):
def test_update_with_tls_termination_data(self):
cert_id = uuidutils.generate_uuid()
listener = self.create_listener(constants.PROTOCOL_HTTP, 80,
self.lb_id)
listener = self.create_listener(constants.PROTOCOL_TERMINATED_HTTPS,
80, self.lb_id)
self.set_lb_status(self.lb_id)
listener_path = self.LISTENER_PATH.format(
listener_id=listener['listener']['id'])
@ -1073,6 +1073,19 @@ class TestListener(base.BaseAPITest):
get_listener = self.get(listener_path).json['listener']
self.assertIsNone(get_listener.get('default_tls_container_ref'))
def test_create_with_tls_termination_disabled(self):
self.conf.config(group='api_settings',
allow_tls_terminated_listeners=False)
cert_id = uuidutils.generate_uuid()
listener = self.create_listener(constants.PROTOCOL_TERMINATED_HTTPS,
80, self.lb_id,
default_tls_container_ref=cert_id,
status=400)
self.assertIn(
'The selected protocol is not allowed in this deployment: {0}'
.format(constants.PROTOCOL_TERMINATED_HTTPS),
listener.get('faultstring'))
def test_create_with_sni_data(self):
sni_id1 = uuidutils.generate_uuid()
sni_id2 = uuidutils.generate_uuid()

View File

@ -0,0 +1,4 @@
---
features:
- |
Add a config variable to disable creation of TLS Terminated listeners.