From 38a5563abcaed9521fed3e94b32d4811bb61da3b Mon Sep 17 00:00:00 2001
From: Adam Harwell
Date: Thu, 22 Jun 2017 13:43:50 -0700
Subject: [PATCH] Allow operators to disallow creation of TLS Termination listeners

Change-Id: I93fbc26c775d1a7f6c69a0ab0b5f47a573cb125d
---
 etc/octavia.conf | 3 +++
 octavia/api/v2/controllers/listener.py | 5 +++++
 octavia/common/config.py | 2 ++
 octavia/common/exceptions.py | 6 ++++++
 .../tests/functional/api/v2/test_listener.py | 21 +++++++++++++++----
 ...terminated-listeners-965ec7c1a8a9f732.yaml | 4 ++++
 6 files changed, 37 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/add-ability-to-disable-tls-terminated-listeners-965ec7c1a8a9f732.yaml

diff --git a/etc/octavia.conf b/etc/octavia.conf
index e56684932c..990387508b 100644
--- a/etc/octavia.conf
+++ b/etc/octavia.conf
@@ -37,6 +37,9 @@
 # api_v1_enabled = True
 # api_v2_enabled = True
 
+# Enable/disable ability for users to create TLS Terminated listeners
+# allow_tls_terminated_listeners = True
+
 [database]
 # This line MUST be changed to actually run the plugin.
 # Example:
diff --git a/octavia/api/v2/controllers/listener.py b/octavia/api/v2/controllers/listener.py
index 2bed89204a..cf2fa6e3e3 100644
--- a/octavia/api/v2/controllers/listener.py
+++ b/octavia/api/v2/controllers/listener.py
@@ -196,6 +196,11 @@ class ListenersController(base.BaseController):
 self._auth_validate_action(context, listener.project_id,
 constants.RBAC_POST)
 
+ if (not CONF.api_settings.allow_tls_terminated_listeners and
+ listener.protocol == constants.PROTOCOL_TERMINATED_HTTPS):
+ raise exceptions.DisabledOption(
+ value=constants.PROTOCOL_TERMINATED_HTTPS, option='protocol')
+
 lock_session = db_api.get_session(autocommit=False)
 if self.repositories.check_quota_met(
 context.session,
diff --git a/octavia/common/config.py b/octavia/common/config.py
index 01a05b2d9e..1d642fb549 100644
--- a/octavia/common/config.py
+++ b/octavia/common/config.py
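Review bot: The guard added just before `lock_session = db_api.get_session(...)` keys only on `listener.protocol`, so a request that keeps a non-TERMINATED_HTTPS protocol but still passes a certificate reference is not rejected; the pre-patch version of `test_create_with_tls_termination_data` in this same patch created a `PROTOCOL_HTTP` listener with `default_tls_container_ref=cert_id`, which suggests the API accepts that combination. If the operator intent is that no user-supplied TLS material is consumed when the option is off, the condition should also fire when a container reference is present, e.g. `(listener.protocol == constants.PROTOCOL_TERMINATED_HTTPS or listener.default_tls_container_ref)` (taking wsme's Unset sentinel into account), or the check should live in whatever validator the TLS fields already pass through. This also covers only `post`; if listeners can be created through another path, such as nested in a load balancer create, that path presumably needs the same check. The enclosing `post` method starts and ends outside the hunk.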
@@ -95,6 +95,8 @@ api_opts = [
 help=_("Expose the v1 API?")),
 cfg.BoolOpt('api_v2_enabled', default=True,
 help=_("Expose the v2 API?")),
+ cfg.BoolOpt('allow_tls_terminated_listeners', default=True,
+ help=_("Allow users to create TLS Terminated listeners?")),
 ]
 
 # Options only used by the amphora agent
diff --git a/octavia/common/exceptions.py b/octavia/common/exceptions.py
index 39f688ac56..f97c6e8558 100644
--- a/octavia/common/exceptions.py
+++ b/octavia/common/exceptions.py
@@ -80,6 +80,12 @@ class InvalidOption(APIException):
 code = 400
 
 
+class DisabledOption(APIException):
+ msg = _("The selected %(option)s is not allowed in this deployment: "
+ "%(value)s")
+ code = 400
+
+
 class L7RuleValidation(APIException):
 msg = _("Error parsing L7Rule: %(error)s")
 code = 400
diff --git a/octavia/tests/functional/api/v2/test_listener.py b/octavia/tests/functional/api/v2/test_listener.py
index 41d68e72b7..7ba4fec1ec 100644
--- a/octavia/tests/functional/api/v2/test_listener.py
+++ b/octavia/tests/functional/api/v2/test_listener.py
@@ -1051,8 +1051,8 @@ class TestListener(base.BaseAPITest):
 
 def test_create_with_tls_termination_data(self):
 cert_id = uuidutils.generate_uuid()
- listener = self.create_listener(constants.PROTOCOL_HTTP, 80,
- self.lb_id,
+ listener = self.create_listener(constants.PROTOCOL_TERMINATED_HTTPS,
+ 80, self.lb_id,
 default_tls_container_ref=cert_id)
 listener_path = self.LISTENER_PATH.format(
 listener_id=listener['listener']['id'])
@@ -1061,8 +1061,8 @@ class TestListener(base.BaseAPITest):
 
 def test_update_with_tls_termination_data(self):
 cert_id = uuidutils.generate_uuid()
- listener = self.create_listener(constants.PROTOCOL_HTTP, 80,
- self.lb_id)
+ listener = self.create_listener(constants.PROTOCOL_TERMINATED_HTTPS,
+ 80, self.lb_id)
 self.set_lb_status(self.lb_id)
 listener_path = self.LISTENER_PATH.format(
 listener_id=listener['listener']['id'])
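Review bot: The help string on the new `allow_tls_terminated_listeners` option does not say what "allow" covers, and the only enforcement this patch adds is on listener creation, so an operator who flips it off may expect already-existing TERMINATED_HTTPS listeners to stop being served. Suggest `help=_("Allow users to create TLS Terminated listeners? Existing listeners are not affected.")`, and the same wording on the commented example added to etc/octavia.conf. The `api_opts` list starts before this hunk.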
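Review bot: Switching both `test_create_with_tls_termination_data` and `test_update_with_tls_termination_data` from `PROTOCOL_HTTP` to `PROTOCOL_TERMINATED_HTTPS` removes the only coverage of a `default_tls_container_ref` supplied on a plain-HTTP listener, so whether that combination is still accepted, and what the new `allow_tls_terminated_listeners` guard does with it, is now unspecified by the suite. Keep one explicit case for it: either a copy of the old `self.create_listener(constants.PROTOCOL_HTTP, 80, self.lb_id, default_tls_container_ref=cert_id)` call asserting the status the API is meant to return, or a comment in the test stating why the combination is out of scope. Both hunks sit inside `TestListener`, whose definition continues outside this chunk.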
@@ -1073,6 +1073,19 @@ class TestListener(base.BaseAPITest):
 get_listener = self.get(listener_path).json['listener']
 self.assertIsNone(get_listener.get('default_tls_container_ref'))
 
+ def test_create_with_tls_termination_disabled(self):
+ self.conf.config(group='api_settings',
+ allow_tls_terminated_listeners=False)
+ cert_id = uuidutils.generate_uuid()
+ listener = self.create_listener(constants.PROTOCOL_TERMINATED_HTTPS,
+ 80, self.lb_id,
+ default_tls_container_ref=cert_id,
+ status=400)
+ self.assertIn(
+ 'The selected protocol is not allowed in this deployment: {0}'
+ .format(constants.PROTOCOL_TERMINATED_HTTPS),
+ listener.get('faultstring'))
+
 def test_create_with_sni_data(self):
 sni_id1 = uuidutils.generate_uuid()
 sni_id2 = uuidutils.generate_uuid()
diff --git a/releasenotes/notes/add-ability-to-disable-tls-terminated-listeners-965ec7c1a8a9f732.yaml b/releasenotes/notes/add-ability-to-disable-tls-terminated-listeners-965ec7c1a8a9f732.yaml
new file mode 100644
index 0000000000..4d819d273a
--- /dev/null
+++ b/releasenotes/notes/add-ability-to-disable-tls-terminated-listeners-965ec7c1a8a9f732.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Add a config variable to disable creation of TLS Terminated listeners.
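Review bot: `test_create_with_tls_termination_disabled` exercises only the rejection path, so it would still pass if the guard were over-broad and rejected every listener, or if the 400 were raised after the listener row had already been written. Add a positive control in the same test with the option still off, `self.create_listener(constants.PROTOCOL_HTTP, 80, self.lb_id)` expecting the normal create status, and assert afterwards that the rejected listener does not appear in the load balancer's listener list. Matching on the exact English fault string is also brittle if the message is ever localized or reworded; asserting on the status code plus the protocol name would be enough. The enclosing `TestListener` class continues outside this hunk.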