Merge "Allow operators to disallow creation of TLS Termination listeners"
This commit is contained in:
commit
3ccd8a3162
@ -37,6 +37,9 @@
|
||||
# api_v1_enabled = True
|
||||
# api_v2_enabled = True
|
||||
|
||||
# Enable/disable ability for users to create TLS Terminated listeners
|
||||
# allow_tls_terminated_listeners = True
|
||||
|
||||
[database]
|
||||
# This line MUST be changed to actually run the plugin.
|
||||
# Example:
|
||||
|
@ -196,6 +196,11 @@ class ListenersController(base.BaseController):
|
||||
self._auth_validate_action(context, listener.project_id,
|
||||
constants.RBAC_POST)
|
||||
|
||||
if (not CONF.api_settings.allow_tls_terminated_listeners and
|
||||
listener.protocol == constants.PROTOCOL_TERMINATED_HTTPS):
|
||||
raise exceptions.DisabledOption(
|
||||
value=constants.PROTOCOL_TERMINATED_HTTPS, option='protocol')
|
||||
|
||||
lock_session = db_api.get_session(autocommit=False)
|
||||
if self.repositories.check_quota_met(
|
||||
context.session,
|
||||
|
@ -95,6 +95,8 @@ api_opts = [
|
||||
help=_("Expose the v1 API?")),
|
||||
cfg.BoolOpt('api_v2_enabled', default=True,
|
||||
help=_("Expose the v2 API?")),
|
||||
cfg.BoolOpt('allow_tls_terminated_listeners', default=True,
|
||||
help=_("Allow users to create TLS Terminated listeners?")),
|
||||
]
|
||||
|
||||
# Options only used by the amphora agent
|
||||
|
@ -80,6 +80,12 @@ class InvalidOption(APIException):
|
||||
code = 400
|
||||
|
||||
|
||||
class DisabledOption(APIException):
|
||||
msg = _("The selected %(option)s is not allowed in this deployment: "
|
||||
"%(value)s")
|
||||
code = 400
|
||||
|
||||
|
||||
class L7RuleValidation(APIException):
|
||||
msg = _("Error parsing L7Rule: %(error)s")
|
||||
code = 400
|
||||
|
@ -1051,8 +1051,8 @@ class TestListener(base.BaseAPITest):
|
||||
|
||||
def test_create_with_tls_termination_data(self):
|
||||
cert_id = uuidutils.generate_uuid()
|
||||
listener = self.create_listener(constants.PROTOCOL_HTTP, 80,
|
||||
self.lb_id,
|
||||
listener = self.create_listener(constants.PROTOCOL_TERMINATED_HTTPS,
|
||||
80, self.lb_id,
|
||||
default_tls_container_ref=cert_id)
|
||||
listener_path = self.LISTENER_PATH.format(
|
||||
listener_id=listener['listener']['id'])
|
||||
@ -1061,8 +1061,8 @@ class TestListener(base.BaseAPITest):
|
||||
|
||||
def test_update_with_tls_termination_data(self):
|
||||
cert_id = uuidutils.generate_uuid()
|
||||
listener = self.create_listener(constants.PROTOCOL_HTTP, 80,
|
||||
self.lb_id)
|
||||
listener = self.create_listener(constants.PROTOCOL_TERMINATED_HTTPS,
|
||||
80, self.lb_id)
|
||||
self.set_lb_status(self.lb_id)
|
||||
listener_path = self.LISTENER_PATH.format(
|
||||
listener_id=listener['listener']['id'])
|
||||
@ -1073,6 +1073,19 @@ class TestListener(base.BaseAPITest):
|
||||
get_listener = self.get(listener_path).json['listener']
|
||||
self.assertIsNone(get_listener.get('default_tls_container_ref'))
|
||||
|
||||
def test_create_with_tls_termination_disabled(self):
|
||||
self.conf.config(group='api_settings',
|
||||
allow_tls_terminated_listeners=False)
|
||||
cert_id = uuidutils.generate_uuid()
|
||||
listener = self.create_listener(constants.PROTOCOL_TERMINATED_HTTPS,
|
||||
80, self.lb_id,
|
||||
default_tls_container_ref=cert_id,
|
||||
status=400)
|
||||
self.assertIn(
|
||||
'The selected protocol is not allowed in this deployment: {0}'
|
||||
.format(constants.PROTOCOL_TERMINATED_HTTPS),
|
||||
listener.get('faultstring'))
|
||||
|
||||
def test_create_with_sni_data(self):
|
||||
sni_id1 = uuidutils.generate_uuid()
|
||||
sni_id2 = uuidutils.generate_uuid()
|
||||
|
@ -0,0 +1,4 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Add a config variable to disable creation of TLS Terminated listeners.
|
Loading…
Reference in New Issue
Block a user