openstack/octavia
Code Issues Proposed changes

Merge "Add 2 new fields into Pool API for support re-encryption"

Browse Source
This commit is contained in:
Zuul 2019-03-02 08:13:23 +00:00 committed by Gerrit Code Review
commit 51e93fe4fd
38 changed files with 848 additions and 186 deletions

34
api-ref/source/parameters.yaml

@ -226,6 +226,24 @@ bytes_out:
in: body
required: true
type: integer
ca_tls_container_ref:
description: |
The reference of the `key manager service
<https://docs.openstack.org/castellan/latest/>`__ secret containing a
PEM format CA certificate bundle for ``tls_enabled`` pools.
in: body
min_version: 2.8
required: true
type: string
ca_tls_container_ref-optional:
description: |
The reference of the `key manager service
<https://docs.openstack.org/castellan/latest/>`__ secret containing a
PEM format CA certificate bundle for ``tls_enabled`` pools.
in: body
min_version: 2.8
required: false
type: string
cached-zone:
description: |
The availability zone of a compute instance, cached at create time. This
@ -333,6 +351,22 @@ created_at:
in: body
required: true
type: string
crl_container_ref:
description: |
The reference of the `key manager service
<https://docs.openstack.org/castellan/latest/>`__ secret containing a
PEM format CA revocation list file for ``tls_enabled`` pools.
in: body
required: true
type: string
crl_container_ref-optional:
description: |
The reference of the `key manager service
<https://docs.openstack.org/castellan/latest/>`__ secret containing a
PEM format CA revocation list file for ``tls_enabled`` pools.
in: body
required: false
type: string
default_pool_id:
description: |
The ID of the pool used by the listener if no L7 policies match.

2
api-ref/source/v2/examples/pool-create-curl

@ -1 +1 @@
curl -X POST -H "Content-Type: application/json" -H "X-Auth-Token: <token>" -d '{"pool":{"lb_algorithm":"ROUND_ROBIN","protocol":"HTTP","description":"Super Round Robin Pool","admin_state_up":true,"session_persistence":{"cookie_name":"ChocolateChip","type":"APP_COOKIE"},"listener_id":"023f2e34-7806-443b-bfae-16c324569a3d","name":"super-pool","tags":["test_tag"],"tls_container_ref":"http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6"}}' http://198.51.100.10:9876/v2/lbaas/pools
curl -X POST -H "Content-Type: application/json" -H "X-Auth-Token: <token>" -d '{"pool":{"lb_algorithm":"ROUND_ROBIN","protocol":"HTTP","description":"Super Round Robin Pool","admin_state_up":true,"session_persistence":{"cookie_name":"ChocolateChip","type":"APP_COOKIE"},"listener_id":"023f2e34-7806-443b-bfae-16c324569a3d","name":"super-pool","tags":["test_tag"],"tls_container_ref":"http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6","ca_tls_container_ref":"http://198.51.100.10:9311/v1/containers/5f0d5540-fae6-4646-85d6-8a84883807fb","crl_container_ref":"http://198.51.100.10:9311/v1/containers/6faf0a01-6892-454c-aaac-650282820c0b"}}' http://198.51.100.10:9876/v2/lbaas/pools

4
api-ref/source/v2/examples/pool-create-request.json

@ -11,6 +11,8 @@
"listener_id": "023f2e34-7806-443b-bfae-16c324569a3d",
"name": "super-pool",
"tags": ["test_tag"],
"tls_container_ref": "http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6"
"tls_container_ref": "http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6",
"ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/5f0d5540-fae6-4646-85d6-8a84883807fb",
"crl_container_ref": "http://198.51.100.10:9311/v1/containers/6faf0a01-6892-454c-aaac-650282820c0b"
}
}

4
api-ref/source/v2/examples/pool-create-response.json

@ -28,6 +28,8 @@
"operating_status": "ONLINE",
"name": "super-pool",
"tags": ["test_tag"],
"tls_container_ref": "http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6"
"tls_container_ref": "http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6",
"ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/5f0d5540-fae6-4646-85d6-8a84883807fb",
"crl_container_ref": "http://198.51.100.10:9311/v1/containers/6faf0a01-6892-454c-aaac-650282820c0b"
}
}

4
api-ref/source/v2/examples/pool-show-response.json

@ -28,6 +28,8 @@
"operating_status": "ONLINE",
"name": "super-pool",
"tags": ["test_tag"],
"tls_container_ref": "http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6"
"tls_container_ref": "http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6",
"ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/5f0d5540-fae6-4646-85d6-8a84883807fb",
"crl_container_ref": "http://198.51.100.10:9311/v1/containers/6faf0a01-6892-454c-aaac-650282820c0b"
}
}

2
api-ref/source/v2/examples/pool-update-curl

@ -1 +1 @@
curl -X PUT -H "Content-Type: application/json" -H "X-Auth-Token: <token>" -d '{"pool":{"lb_algorithm":"LEAST_CONNECTIONS","session_persistence":{"type":"SOURCE_IP"},"description":"second description","name":"second_name","tags":["updated_tag"],"tls_container_ref":"http://198.51.100.10:9311/v1/containers/c1cd501d-3cf9-4873-a11b-a74bebcde929"}}' http://198.51.100.10:9876/v2/lbaas/pools/4029d267-3983-4224-a3d0-afb3fe16a2cd
curl -X PUT -H "Content-Type: application/json" -H "X-Auth-Token: <token>" -d '{"pool":{"lb_algorithm":"LEAST_CONNECTIONS","session_persistence":{"type":"SOURCE_IP"},"description":"second description","name":"second_name","tags":["updated_tag"],"tls_container_ref":"http://198.51.100.10:9311/v1/containers/c1cd501d-3cf9-4873-a11b-a74bebcde929","ca_tls_container_ref":null,"crl_container_ref":null}}' http://198.51.100.10:9876/v2/lbaas/pools/4029d267-3983-4224-a3d0-afb3fe16a2cd

4
api-ref/source/v2/examples/pool-update-request.json

@ -7,6 +7,8 @@
"description": "Super Least Connections Pool",
"name": "super-least-conn-pool",
"tags": ["updated_tag"],
"tls_container_ref": "http://198.51.100.10:9311/v1/containers/c1cd501d-3cf9-4873-a11b-a74bebcde929"
"tls_container_ref": "http://198.51.100.10:9311/v1/containers/c1cd501d-3cf9-4873-a11b-a74bebcde929",
"ca_tls_container_ref": null,
"crl_container_ref": null
}
}

4
api-ref/source/v2/examples/pool-update-response.json

@ -28,6 +28,8 @@
"operating_status": "ONLINE",
"name": "super-least-conn-pool",
"tags": ["updated_tag"],
"tls_container_ref": "http://198.51.100.10:9311/v1/containers/c1cd501d-3cf9-4873-a11b-a74bebcde929"
"tls_container_ref": "http://198.51.100.10:9311/v1/containers/c1cd501d-3cf9-4873-a11b-a74bebcde929",
"ca_tls_container_ref": null,
"crl_container_ref": null
}
}

4
api-ref/source/v2/examples/pools-list-response.json

@ -34,7 +34,9 @@
"operating_status": "ONLINE",
"name": "round_robin_pool",
"tags": ["test_tag"],
"tls_container_ref": "http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6"
"tls_container_ref": "http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6",
"ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/5f0d5540-fae6-4646-85d6-8a84883807fb",
"crl_container_ref": "http://198.51.100.10:9311/v1/containers/6faf0a01-6892-454c-aaac-650282820c0b"
}
]
}

12
api-ref/source/v2/pool.inc

@ -46,7 +46,9 @@ Response Parameters
.. rest_parameters:: ../parameters.yaml
- admin_state_up: admin_state_up
- ca_tls_container_ref: ca_tls_container_ref
- created_at: created_at
- crl_container_ref: crl_container_ref
- description: description
- healthmonitor_id: healthmonitor-id
- id: pool-id
@ -161,6 +163,8 @@ Request
.. rest_parameters:: ../parameters.yaml
- admin_state_up: admin_state_up-default-optional
- ca_tls_container_ref: ca_tls_container_ref-optional
- crl_container_ref: crl_container_ref-optional
- description: description-optional
- lb_algorithm: lb-algorithm
- listener_id: listener-id-pool-optional
@ -233,7 +237,9 @@ Response Parameters
.. rest_parameters:: ../parameters.yaml
- admin_state_up: admin_state_up
- ca_tls_container_ref: ca_tls_container_ref
- created_at: created_at
- crl_container_ref: crl_container_ref
- description: description
- healthmonitor_id: healthmonitor-id
- id: pool-id
@ -301,7 +307,9 @@ Response Parameters
.. rest_parameters:: ../parameters.yaml
- admin_state_up: admin_state_up
- ca_tls_container_ref: ca_tls_container_ref
- created_at: created_at
- crl_container_ref: crl_container_ref
- description: description
- healthmonitor_id: healthmonitor-id
- id: pool-id
@ -359,6 +367,8 @@ Request
.. rest_parameters:: ../parameters.yaml
- admin_state_up: admin_state_up-default-optional
- ca_tls_container_ref: ca_tls_container_ref-optional
- crl_container_ref: crl_container_ref-optional
- description: description-optional
- lb_algorithm: lb-algorithm-optional
- name: name-optional
@ -385,7 +395,9 @@ Response Parameters
.. rest_parameters:: ../parameters.yaml
- admin_state_up: admin_state_up
- ca_tls_container_ref: ca_tls_container_ref
- created_at: created_at
- crl_container_ref: crl_container_ref
- description: description
- healthmonitor_id: healthmonitor-id
- id: pool-id

20
doc/source/contributor/guides/providers.rst

@ -648,6 +648,16 @@ contain the following:
+=======================+========+==========================================+
| admin_state_up | bool | Admin state: True if up, False if down. |
+-----------------------+--------+------------------------------------------+
| ca_tls_container_data | string | A PEM encoded certificate. |
+-----------------------+--------+------------------------------------------+
| ca_tls_container_ref | string | The reference to the secrets |
| | | container. |
+-----------------------+--------+------------------------------------------+
| crl_container_data | string | A PEM encoded CRL file. |
+-----------------------+--------+------------------------------------------+
| crl_container_ref | string | The reference to the secrets |
| | | container. |
+-----------------------+--------+------------------------------------------+
| description | string | A human-readable description for the |
| | | pool. |
+-----------------------+--------+------------------------------------------+
@ -712,6 +722,16 @@ contain the following:
+=======================+========+==========================================+
| admin_state_up | bool | Admin state: True if up, False if down. |
+-----------------------+--------+------------------------------------------+
| ca_tls_container_data | string | A PEM encoded certificate. |
+-----------------------+--------+------------------------------------------+
| ca_tls_container_ref | string | The reference to the secrets |
| | | container. |
+-----------------------+--------+------------------------------------------+
| crl_container_data | string | A PEM encoded CRL file. |
+-----------------------+--------+------------------------------------------+
| crl_container_ref | string | The reference to the secrets |
| | | container. |
+-----------------------+--------+------------------------------------------+
| description | string | A human-readable description for the |
| | | pool. |
+-----------------------+--------+------------------------------------------+

9
octavia/amphorae/drivers/haproxy/rest_api_driver.py

@ -349,6 +349,15 @@ class HaproxyAmphoraLoadBalancerDriver(
self._apply(self._upload_cert, listener, None, pem, md5, name)
pool_cert_dict['client_cert'] = os.path.join(
CONF.haproxy_amphora.base_cert_dir, listener.id, name)
if pool.ca_tls_certificate_id:
name = self._process_secret(listener, pool.ca_tls_certificate_id)
pool_cert_dict['ca_cert'] = os.path.join(
CONF.haproxy_amphora.base_cert_dir, listener.id, name)
if pool.crl_container_id:
name = self._process_secret(listener, pool.crl_container_id)
pool_cert_dict['crl'] = os.path.join(
CONF.haproxy_amphora.base_cert_dir, listener.id, name)
return pool_cert_dict
def _upload_cert(self, amp, listener_id, pem, md5, name):

9
octavia/api/drivers/amphora_driver/driver.py

@ -138,6 +138,15 @@ class AmphoraProviderDriver(driver_base.ProviderDriver):
if 'tls_container_ref' in pool_dict:
pool_dict['tls_container_id'] = pool_dict.pop('tls_container_ref')
pool_dict.pop('tls_container_data', None)
if 'ca_tls_container_ref' in pool_dict:
pool_dict['ca_tls_certificate_id'] = pool_dict.pop(
'ca_tls_container_ref')
pool_dict.pop('ca_tls_container_data', None)
if 'client_crl_container_ref' in pool_dict:
pool_dict['client_crl_container_id'] = pool_dict.pop(
'client_crl_container_ref')
pool_dict.pop('client_crl_container_data', None)
payload = {consts.POOL_ID: pool_id,
consts.POOL_UPDATES: pool_dict}
self.client.cast({}, 'update_pool', **payload)

8
octavia/api/drivers/data_models.py

@ -171,7 +171,9 @@ class Pool(BaseDataModel):
loadbalancer_id=Unset, members=Unset, name=Unset,
pool_id=Unset, listener_id=Unset, protocol=Unset,
session_persistence=Unset, tls_container_ref=Unset,
tls_container_data=Unset):
tls_container_data=Unset, ca_tls_container_ref=Unset,
ca_tls_container_data=Unset, crl_container_ref=Unset,
crl_container_data=Unset):
self.admin_state_up = admin_state_up
self.description = description
@ -186,6 +188,10 @@ class Pool(BaseDataModel):
self.session_persistence = session_persistence
self.tls_container_ref = tls_container_ref
self.tls_container_data = tls_container_data
self.ca_tls_container_ref = ca_tls_container_ref
self.ca_tls_container_data = ca_tls_container_data
self.crl_container_ref = crl_container_ref
self.crl_container_data = crl_container_data
class Member(BaseDataModel):

27
octavia/api/drivers/utils.py

@ -155,12 +155,12 @@ def db_listener_to_provider_listener(db_listener):
return provider_listener
def _get_secret_data(cert_manager, listener, secret_ref):
def _get_secret_data(cert_manager, project_id, secret_ref):
"""Get the secret from the certificate manager and upload it to the amp.
:returns: The secret data.
"""
context = oslo_context.RequestContext(project_id=listener.project_id)
context = oslo_context.RequestContext(project_id=project_id)
return cert_manager.get_secret(context, secret_ref)
@ -219,11 +219,11 @@ def listener_dict_to_provider_dict(listener_dict):
new_listener_dict['sni_container_data'] = sni_data_list
if listener_obj.client_ca_tls_certificate_id:
cert = _get_secret_data(cert_manager, listener_obj,
cert = _get_secret_data(cert_manager, listener_obj.project_id,
listener_obj.client_ca_tls_certificate_id)
new_listener_dict['client_ca_tls_container_data'] = cert
if listener_obj.client_crl_container_id:
crl_file = _get_secret_data(cert_manager, listener_obj,
crl_file = _get_secret_data(cert_manager, listener_obj.project_id,
listener_obj.client_crl_container_id)
new_listener_dict['client_crl_container_data'] = crl_file
@ -286,9 +286,16 @@ def pool_dict_to_provider_dict(pool_dict):
if 'tls_certificate_id' in new_pool_dict:
new_pool_dict['tls_container_ref'] = new_pool_dict.pop(
'tls_certificate_id')
if 'ca_tls_certificate_id' in new_pool_dict:
new_pool_dict['ca_tls_container_ref'] = new_pool_dict.pop(
'ca_tls_certificate_id')
if 'crl_container_id' in new_pool_dict:
new_pool_dict['crl_container_ref'] = new_pool_dict.pop(
'crl_container_id')
pool_obj = data_models.Pool(**pool_dict)
if pool_obj.tls_certificate_id:
if (pool_obj.tls_certificate_id or pool_obj.ca_tls_certificate_id or
pool_obj.crl_container_id):
cert_manager = stevedore_driver.DriverManager(
namespace='octavia.cert_manager',
name=CONF.certificates.cert_manager,
@ -300,6 +307,16 @@ def pool_dict_to_provider_dict(pool_dict):
new_pool_dict['tls_container_data'] = (
cert_dict['tls_cert'].to_dict())
if pool_obj.ca_tls_certificate_id:
cert = _get_secret_data(cert_manager, pool_obj.project_id,
pool_obj.ca_tls_certificate_id)
new_pool_dict['ca_tls_container_data'] = cert
if pool_obj.crl_container_id:
crl_file = _get_secret_data(cert_manager, pool_obj.project_id,
pool_obj.crl_container_id)
new_pool_dict['crl_container_data'] = crl_file
# Remove the DB back references
if ('session_persistence' in new_pool_dict and
new_pool_dict['session_persistence']):

81
octavia/api/v2/controllers/base.py

@ -12,9 +12,12 @@
# License for the specific language governing permissions and limitations
# under the License.
from cryptography.hazmat.backends import default_backend
from cryptography import x509
from oslo_config import cfg
from oslo_log import log as logging
from pecan import rest
import pecan
from stevedore import driver as stevedore_driver
from wsme import types as wtypes
from octavia.common import constants
@ -22,16 +25,23 @@ from octavia.common import data_models
from octavia.common import exceptions
from octavia.common import policy
from octavia.db import repositories
from octavia.i18n import _
CONF = cfg.CONF
LOG = logging.getLogger(__name__)
class BaseController(rest.RestController):
class BaseController(pecan.rest.RestController):
RBAC_TYPE = None
def __init__(self):
super(BaseController, self).__init__()
self.cert_manager = stevedore_driver.DriverManager(
namespace='octavia.cert_manager',
name=CONF.certificates.cert_manager,
invoke_on_load=True,
).driver
self.repositories = repositories.Repositories()
@staticmethod
@ -228,3 +238,70 @@ class BaseController(rest.RestController):
attrs = [attr for attr in dir(obj) if not callable(
getattr(obj, attr)) and not attr.startswith("_")]
return attrs
def _validate_tls_refs(self, tls_refs):
context = pecan.request.context.get('octavia_context')
bad_refs = []
for ref in tls_refs:
try:
self.cert_manager.set_acls(context, ref)
self.cert_manager.get_cert(context, ref, check_only=True)
except Exception:
bad_refs.append(ref)
if bad_refs:
raise exceptions.CertificateRetrievalException(ref=bad_refs)
def _validate_client_ca_and_crl_refs(self, client_ca_ref, crl_ref):
context = pecan.request.context.get('octavia_context')
bad_refs = []
try:
self.cert_manager.set_acls(context, client_ca_ref)
ca_pem = self.cert_manager.get_secret(context, client_ca_ref)
except Exception:
bad_refs.append(client_ca_ref)
pem_crl = None
if crl_ref:
try:
self.cert_manager.set_acls(context, crl_ref)
pem_crl = self.cert_manager.get_secret(context, crl_ref)
except Exception:
bad_refs.append(crl_ref)
if bad_refs:
raise exceptions.CertificateRetrievalException(ref=bad_refs)
ca_cert = None
try:
# Test if it needs to be UTF-8 encoded
try:
ca_pem = ca_pem.encode('utf-8')
except AttributeError:
pass
ca_cert = x509.load_pem_x509_certificate(ca_pem, default_backend())
except Exception as e:
raise exceptions.ValidationException(detail=_(
"The client authentication CA certificate is invalid. "
"It must be a valid x509 PEM format certificate. "
"Error: %s") % str(e))
# Validate the CRL is for the client CA
if pem_crl:
ca_pub_key = ca_cert.public_key()
crl = None
# Test if it needs to be UTF-8 encoded
try:
pem_crl = pem_crl.encode('utf-8')
except AttributeError:
pass
try:
crl = x509.load_pem_x509_crl(pem_crl, default_backend())
except Exception as e:
raise exceptions.ValidationException(detail=_(
"The client authentication certificate revocation list "
"is invalid. It must be a valid x509 PEM format "
"certificate revocation list. Error: %s") % str(e))
if not crl.is_signature_valid(ca_pub_key):
raise exceptions.ValidationException(detail=_(
"The CRL specified is not valid for client certificate "
"authority reference supplied."))

75
octavia/api/v2/controllers/listener.py

@ -13,14 +13,11 @@
# License for the specific language governing permissions and limitations
# under the License.
from cryptography.hazmat.backends import default_backend
from cryptography import x509
from oslo_config import cfg
from oslo_db import exception as odb_exceptions
from oslo_log import log as logging
from oslo_utils import excutils
import pecan
from stevedore import driver as stevedore_driver
from wsme import types as wtypes
from wsmeext import pecan as wsme_pecan
@ -48,11 +45,6 @@ class ListenersController(base.BaseController):
def __init__(self):
super(ListenersController, self).__init__()
self.cert_manager = stevedore_driver.DriverManager(
namespace='octavia.cert_manager',
name=CONF.certificates.cert_manager,
invoke_on_load=True,
).driver
@wsme_pecan.wsexpose(listener_types.ListenerRootResponse, wtypes.text,
[wtypes.text], ignore_extra_args=True)
@ -129,73 +121,6 @@ class ListenersController(base.BaseController):
"type UDP.") % constants.PROTOCOL_UDP
raise exceptions.ValidationException(detail=msg)
def _validate_tls_refs(self, tls_refs):
context = pecan.request.context.get('octavia_context')
bad_refs = []
for ref in tls_refs:
try:
self.cert_manager.set_acls(context, ref)
self.cert_manager.get_cert(context, ref, check_only=True)
except Exception:
bad_refs.append(ref)
if bad_refs:
raise exceptions.CertificateRetrievalException(ref=bad_refs)
def _validate_client_ca_and_crl_refs(self, client_ca_ref, crl_ref):
context = pecan.request.context.get('octavia_context')
bad_refs = []
try:
self.cert_manager.set_acls(context, client_ca_ref)
ca_pem = self.cert_manager.get_secret(context, client_ca_ref)
except Exception:
bad_refs.append(client_ca_ref)
pem_crl = None
if crl_ref:
try:
self.cert_manager.set_acls(context, crl_ref)
pem_crl = self.cert_manager.get_secret(context, crl_ref)
except Exception:
bad_refs.append(crl_ref)
if bad_refs:
raise exceptions.CertificateRetrievalException(ref=bad_refs)
ca_cert = None
try:
# Test if it needs to be UTF-8 encoded
try:
ca_pem = ca_pem.encode('utf-8')
except AttributeError:
pass
ca_cert = x509.load_pem_x509_certificate(ca_pem, default_backend())
except Exception as e:
raise exceptions.ValidationException(detail=_(
"The client authentication CA certificate is invalid. "
"It must be a valid x509 PEM format certificate. "
"Error: %s") % str(e))
# Validate the CRL is for the client CA
if pem_crl:
ca_pub_key = ca_cert.public_key()
crl = None
# Test if it needs to be UTF-8 encoded
try:
pem_crl = pem_crl.encode('utf-8')
except AttributeError:
pass
try:
crl = x509.load_pem_x509_crl(pem_crl, default_backend())
except Exception as e:
raise exceptions.ValidationException(detail=_(
"The client authentication certificate revocation list "
"is invalid. It must be a valid x509 PEM format "
"certificate revocation list. Error: %s") % str(e))
if not crl.is_signature_valid(ca_pub_key):
raise exceptions.ValidationException(detail=_(
"The CRL specified is not valid for client certificate "
"authority reference supplied."))
def _has_tls_container_refs(self, listener_dict):
return (listener_dict.get('tls_certificate_id') or
listener_dict.get('client_ca_tls_container_id') or

109
octavia/api/v2/controllers/pool.py

@ -18,7 +18,6 @@ from oslo_db import exception as odb_exceptions
from oslo_log import log as logging
from oslo_utils import excutils
import pecan
from stevedore import driver as stevedore_driver
from wsme import types as wtypes
from wsmeext import pecan as wsme_pecan
@ -47,11 +46,6 @@ class PoolsController(base.BaseController):
def __init__(self):
super(PoolsController, self).__init__()
self.cert_manager = stevedore_driver.DriverManager(
namespace='octavia.cert_manager',
name=CONF.certificates.cert_manager,
invoke_on_load=True,
).driver
@wsme_pecan.wsexpose(pool_types.PoolRootResponse, wtypes.text,
[wtypes.text], ignore_extra_args=True)
@ -104,29 +98,30 @@ class PoolsController(base.BaseController):
raise exceptions.ImmutableObject(resource=_('Load Balancer'),
id=lb_id)
def _validate_tls_refs(self, tls_refs):
context = pecan.request.context.get('octavia_context')
bad_refs = []
for ref in tls_refs:
try:
self.cert_manager.set_acls(context, ref)
self.cert_manager.get_cert(context, ref, check_only=True)
except Exception:
bad_refs.append(ref)
if bad_refs:
raise exceptions.CertificateRetrievalException(ref=bad_refs)
def _validate_create_pool(self, lock_session, pool_dict, listener_id=None):
"""Validate creating pool on load balancer.
Update database for load balancer and (optional) listener based on
provisioning status.
"""
# Make sure we have a client CA if they specify a CRL
if (pool_dict.get('crl_container_id') and
not pool_dict.get('ca_tls_certificate_id')):
raise exceptions.ValidationException(detail=_(
"A CA certificate reference is required to "
"specify a revocation list."))
tls_certificate_id = pool_dict.get('tls_certificate_id', None)
tls_refs = [tls_certificate_id] if tls_certificate_id else []
self._validate_tls_refs(tls_refs)
# Validate the client CA cert and optional client CRL
if pool_dict.get('ca_tls_certificate_id'):
self._validate_client_ca_and_crl_refs(
pool_dict.get('ca_tls_certificate_id'),
pool_dict.get('crl_container_id', None))
try:
tls_certificate_id = pool_dict.get('tls_certificate_id', None)
tls_refs = [tls_certificate_id] if tls_certificate_id else []
self._validate_tls_refs(tls_refs)
return self.repositories.create_pool_on_load_balancer(
lock_session, pool_dict,
listener_id=listener_id)
@ -318,23 +313,8 @@ class PoolsController(base.BaseController):
db_pool.members = new_members
return db_pool
@wsme_pecan.wsexpose(pool_types.PoolRootResponse, wtypes.text,
body=pool_types.PoolRootPut, status_code=200)
def put(self, id, pool_):
"""Updates a pool on a load balancer."""
pool = pool_.pool
context = pecan.request.context.get('octavia_context')
db_pool = self._get_db_pool(context.session, id, show_deleted=False)
def _validate_pool_PUT(self, pool, db_pool):
project_id, provider = self._get_lb_project_id_provider(
context.session, db_pool.load_balancer_id)
if (pool.session_persistence and
not pool.session_persistence.type and
db_pool.session_persistence and
db_pool.session_persistence.type):
pool.session_persistence.type = db_pool.session_persistence.type
self._auth_validate_action(context, project_id, constants.RBAC_PUT)
if db_pool.protocol == constants.PROTOCOL_UDP:
self._validate_pool_request_for_udp(pool)
else:
@ -349,9 +329,62 @@ class PoolsController(base.BaseController):
sp_dict = pool.session_persistence.to_dict(render_unsets=False)
validate.check_session_persistence(sp_dict)
crl_ref = None
if (pool.crl_container_ref and
pool.crl_container_ref != wtypes.Unset):
crl_ref = pool.crl_container_ref
elif db_pool.crl_container_id:
crl_ref = db_pool.crl_container_id
ca_ref = None
db_ca_ref = db_pool.ca_tls_certificate_id
if pool.ca_tls_container_ref != wtypes.Unset:
if not pool.ca_tls_container_ref and db_ca_ref and crl_ref:
raise exceptions.ValidationException(detail=_(
"A CA reference cannot be removed when a "
"certificate revocation list is present."))
if not pool.ca_tls_container_ref and not db_ca_ref and crl_ref:
raise exceptions.ValidationException(detail=_(
"A CA reference is required to "
"specify a certificate revocation list."))
if pool.ca_tls_container_ref:
ca_ref = pool.ca_tls_container_ref
elif db_ca_ref:
ca_ref = db_ca_ref
elif crl_ref and not db_ca_ref:
raise exceptions.ValidationException(detail=_(
"A CA reference is required to "
"specify a certificate revocation list."))
if pool.tls_container_ref:
self._validate_tls_refs([pool.tls_container_ref])
# Validate the client CA cert and optional client CRL
if ca_ref:
self._validate_client_ca_and_crl_refs(ca_ref, crl_ref)
@wsme_pecan.wsexpose(pool_types.PoolRootResponse, wtypes.text,
body=pool_types.PoolRootPut, status_code=200)
def put(self, id, pool_):
"""Updates a pool on a load balancer."""
pool = pool_.pool
context = pecan.request.context.get('octavia_context')
db_pool = self._get_db_pool(context.session, id, show_deleted=False)
project_id, provider = self._get_lb_project_id_provider(
context.session, db_pool.load_balancer_id)
self._auth_validate_action(context, project_id, constants.RBAC_PUT)
if (pool.session_persistence and
not pool.session_persistence.type and
db_pool.session_persistence and
db_pool.session_persistence.type):
pool.session_persistence.type = db_pool.session_persistence.type
self._validate_pool_PUT(pool, db_pool)
# Load the driver early as it also provides validation
driver = driver_factory.get_driver(provider)

13
octavia/api/v2/types/pool.py

@ -53,7 +53,9 @@ class BasePoolType(types.BaseType):
_type_to_model_map = {'admin_state_up': 'enabled',
'healthmonitor': 'health_monitor',
'healthmonitor_id': 'health_monitor.id',
'tls_container_ref': 'tls_certificate_id'}
'tls_container_ref': 'tls_certificate_id',
'ca_tls_container_ref': 'ca_tls_certificate_id',
'crl_container_ref': 'crl_container_id'}
_child_map = {'health_monitor': {'id': 'healthmonitor_id'}}
@ -78,6 +80,8 @@ class PoolResponse(BasePoolType):
members = wtypes.wsattr([types.IdOnlyType])
tags = wtypes.wsattr(wtypes.ArrayType(wtypes.StringType()))
tls_container_ref = wtypes.wsattr(wtypes.StringType())
ca_tls_container_ref = wtypes.wsattr(wtypes.StringType())
crl_container_ref = wtypes.wsattr(wtypes.StringType())
@classmethod
def from_data_model(cls, data_model, children=False):
@ -104,7 +108,6 @@ class PoolResponse(BasePoolType):
member_model = types.IdOnlyType
if data_model.health_monitor:
pool.healthmonitor_id = data_model.health_monitor.id
pool.listeners = [
types.IdOnlyType.from_data_model(i) for i in data_model.listeners]
pool.members = [
@ -151,6 +154,8 @@ class PoolPOST(BasePoolType):
tags = wtypes.wsattr(wtypes.ArrayType(wtypes.StringType(max_length=255)))
tls_container_ref = wtypes.wsattr(
wtypes.StringType(max_length=255))
ca_tls_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
crl_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
class PoolRootPOST(types.BaseType):
@ -167,6 +172,8 @@ class PoolPUT(BasePoolType):
session_persistence = wtypes.wsattr(SessionPersistencePUT)
tags = wtypes.wsattr(wtypes.ArrayType(wtypes.StringType(max_length=255)))
tls_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
ca_tls_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
crl_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
class PoolRootPut(types.BaseType):
@ -186,6 +193,8 @@ class PoolSingleCreate(BasePoolType):
members = wtypes.wsattr([member.MemberSingleCreate])
tags = wtypes.wsattr(wtypes.ArrayType(wtypes.StringType(max_length=255)))
tls_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
ca_tls_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
crl_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
class PoolStatusResponse(BasePoolType):

3
octavia/certificates/manager/barbican.py

@ -178,5 +178,4 @@ class BarbicanCertManager(cert_mgr.CertManager):
except Exception as e:
LOG.error("Failed to access secret for %s due to: %s.",
secret_ref, str(e))
raise exceptions.CertificateStorageException(
msg="Secret could not be accessed.")
raise exceptions.CertificateRetrievalException(ref=secret_ref)

3
octavia/certificates/manager/castellan_mgr.py

@ -79,6 +79,5 @@ class CastellanCertManager(cert_mgr.CertManager):
except Exception as e:
LOG.error("Failed to access secret for %s due to: %s.",
secret_ref, str(e))
raise exceptions.CertificateStorageException(
msg="Secret could not be accessed.")
raise exceptions.CertificateRetrievalException(ref=secret_ref)
return certbag_data

3
octavia/certificates/manager/local.py

@ -194,7 +194,6 @@ class LocalCertManager(cert_mgr.CertManager):
secret_data = secret_file.read()
except IOError:
LOG.error("Failed to read secret for %s.", secret_ref)
raise exceptions.CertificateStorageException(
msg="secret could not be read.")
raise exceptions.CertificateRetrievalException(ref=secret_ref)
return secret_data

5
octavia/common/data_models.py

@ -263,7 +263,8 @@ class Pool(BaseDataModel):
session_persistence=None, load_balancer_id=None,
load_balancer=None, listeners=None, l7policies=None,
created_at=None, updated_at=None, provisioning_status=None,
tags=None, tls_certificate_id=None):
tags=None, tls_certificate_id=None,
ca_tls_certificate_id=None, crl_container_id=None):
self.id = id
self.project_id = project_id
self.name = name
@ -284,6 +285,8 @@ class Pool(BaseDataModel):
self.provisioning_status = provisioning_status
self.tags = tags
self.tls_certificate_id = tls_certificate_id
self.ca_tls_certificate_id = ca_tls_certificate_id
self.crl_container_id = crl_container_id
def update(self, update_dict):
for key, value in update_dict.items():

10
octavia/common/jinja/haproxy/jinja_cfg.py

@ -295,7 +295,9 @@ class JinjaTemplater(object):
'operating_status': pool.operating_status,
'stick_size': CONF.haproxy_amphora.haproxy_stick_size,
constants.HTTP_REUSE: feature_compatibility.get(
constants.HTTP_REUSE, False)
constants.HTTP_REUSE, False),
'ca_tls_path': '',
'crl_path': ''
}
members = [self._transform_member(x, feature_compatibility)
for x in pool.members]
@ -310,6 +312,12 @@ class JinjaTemplater(object):
if (pool.tls_certificate_id and pool_tls_certs and
pool_tls_certs.get('client_cert')):
ret_value['client_cert'] = pool_tls_certs.get('client_cert')
if (pool.ca_tls_certificate_id and pool_tls_certs and
pool_tls_certs.get('ca_cert')):
ret_value['ca_cert'] = pool_tls_certs.get('ca_cert')
if (pool.crl_container_id and pool_tls_certs and
pool_tls_certs.get('crl')):
ret_value['crl'] = pool_tls_certs.get('crl')
return ret_value

29
octavia/common/jinja/haproxy/templates/macros.j2

@ -210,19 +210,34 @@ frontend {{ listener.id }}
{% else %}
{% set member_enabled_opt = " disabled" %}
{% endif %}
{% if pool.client_cert %}
{% if pool.client_cert or pool.ca_cert %}
{% set def_opt_prefix = " ssl" %}
{% set def_crt_opt = " crt %s"|format(pool.client_cert) %}
{% set def_verify_opt = " verify none" %}
{% else %}
{% set def_opt_prefix = "" %}
{% set def_crt_opt = "" %}
{% set def_verify_opt = "" %}
{% endif %}
{{ "server %s %s:%d weight %s%s%s%s%s%s%s%s%s"|e|format(
{% if pool.client_cert %}
{% set def_crt_opt = " crt %s"|format(pool.client_cert) %}
{% else %}
{% set def_crt_opt = "" %}
{% endif %}
{% if pool.ca_cert %}
{% set ca_opt = " ca-file %s"|format(pool.ca_cert) %}
{% set def_verify_opt = " verify required" %}
{% if pool.crl %}
{% set crl_opt = " crl-file %s"|format(pool.crl) %}
{% else %}
{% set crl_opt = "" %}
{% endif %}
{% else %}
{% set ca_opt = "" %}
{% set def_verify_opt = "" %}
{% set crl_opt = "" %}
{% endif %}
{{ "server %s %s:%d weight %s%s%s%s%s%s%s%s%s%s%s"|e|format(
member.id, member.address, member.protocol_port, member.weight,
hm_opt, persistence_opt, proxy_protocol_opt, member_backup_opt,
member_enabled_opt, def_opt_prefix, def_crt_opt, def_verify_opt)|trim() }}
member_enabled_opt, def_opt_prefix, def_crt_opt, ca_opt, crl_opt,
def_verify_opt)|trim() }}
{% endmacro %}

36
octavia/db/migration/alembic_migrations/versions/74aae261694c_extend_pool_for_backend_ca_and_crl.py Normal file

@ -0,0 +1,36 @@
# Copyright 2019 Rackspace US Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
"""extend pool for backend CA and CRL
Revision ID: 74aae261694c
Revises: a1f689aecc1d
Create Date: 2019-02-27 09:22:24.779576
"""
from alembic import op
import sqlalchemy as sa
# revision identifiers, used by Alembic.
revision = '74aae261694c'
down_revision = 'a1f689aecc1d'
def upgrade():
op.add_column(u'pool', sa.Column(u'ca_tls_certificate_id', sa.String(255),
nullable=True))
op.add_column(u'pool', sa.Column(u'crl_container_id', sa.String(255),
nullable=True))

2
octavia/db/models.py

@ -329,6 +329,8 @@ class Pool(base_models.BASE, base_models.IdMixin, base_models.ProjectMixin,
primaryjoin='and_(foreign(Tags.resource_id)==Pool.id)'
)
tls_certificate_id = sa.Column(sa.String(255), nullable=True)
ca_tls_certificate_id = sa.Column(sa.String(255), nullable=True)
crl_container_id = sa.Column(sa.String(255), nullable=True)
# This property should be a unique list of any listeners that reference
# this pool as its default_pool and any listeners referenced by enabled

293
octavia/tests/functional/api/v2/test_pool.py

@ -23,6 +23,7 @@ import octavia.common.context
from octavia.common import data_models
from octavia.common import exceptions
from octavia.tests.functional.api.v2 import base
from octavia.tests.unit.common.sample_configs import sample_certs
class TestPool(base.BaseAPITest):
@ -884,9 +885,42 @@ class TestPool(base.BaseAPITest):
lb_id=self.lb_id, listener_id=self.listener_id,
pool_id=api_pool.get('id'))
@mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
def test_create_with_ca_and_crl(self, mock_cert_data):
self.cert_manager_mock().get_secret.side_effect = [
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL]
ca_tls_container_ref = uuidutils.generate_uuid()
crl_container_ref = uuidutils.generate_uuid()
api_pool = self.create_pool(
self.lb_id,
constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
listener_id=self.listener_id,
ca_tls_container_ref=ca_tls_container_ref,
crl_container_ref=crl_container_ref).get(self.root_tag)
self.assert_correct_status(
lb_id=self.lb_id, listener_id=self.listener_id,
pool_id=api_pool.get('id'),
lb_prov_status=constants.PENDING_UPDATE,
listener_prov_status=constants.PENDING_UPDATE,
pool_prov_status=constants.PENDING_CREATE,
pool_op_status=constants.OFFLINE)
self.set_lb_status(self.lb_id)
self.assertEqual(ca_tls_container_ref,
api_pool.get('ca_tls_container_ref'))
self.assertEqual(crl_container_ref,
api_pool.get('crl_container_ref'))
self.assert_correct_status(
lb_id=self.lb_id, listener_id=self.listener_id,
pool_id=api_pool.get('id'))
def test_create_with_bad_tls_container_ref(self):
tls_container_ref = uuidutils.generate_uuid()
self.cert_manager_mock().get_cert.side_effect = [Exception(
"bad cert")]
self.cert_manager_mock().get_secret.side_effect = [Exception(
"bad secret")]
api_pool = self.create_pool(
self.lb_id, constants.PROTOCOL_HTTP,
@ -895,6 +929,45 @@ class TestPool(base.BaseAPITest):
tls_container_ref=tls_container_ref, status=400)
self.assertIn(tls_container_ref, api_pool['faultstring'])
def test_create_with_bad_ca_tls_container_ref(self):
ca_tls_container_ref = uuidutils.generate_uuid()
self.cert_manager_mock().get_cert.side_effect = [Exception(
"bad ca cert")]
self.cert_manager_mock().get_secret.side_effect = [Exception(
"bad ca secret")]
api_pool = self.create_pool(
self.lb_id, constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
listener_id=self.listener_id,
ca_tls_container_ref=ca_tls_container_ref, status=400)
self.assertIn(ca_tls_container_ref, api_pool['faultstring'])
def test_create_with_unreachable_crl(self):
ca_tls_container_ref = uuidutils.generate_uuid()
crl_container_ref = uuidutils.generate_uuid()
self.cert_manager_mock().get_cert.side_effect = [
'cert 1', Exception('unknow/bad cert')]
self.cert_manager_mock().get_secret.side_effect = [Exception(
'bad secret')]
api_pool = self.create_pool(
self.lb_id, constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
listener_id=self.listener_id,
ca_tls_container_ref=ca_tls_container_ref,
crl_container_ref=crl_container_ref, status=400)
self.assertIn(crl_container_ref, api_pool['faultstring'])
def test_create_with_crl_only(self):
crl_container_ref = uuidutils.generate_uuid()
api_pool = self.create_pool(
self.lb_id, constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
listener_id=self.listener_id,
crl_container_ref=crl_container_ref, status=400)
self.assertIn(
'A CA certificate reference is required to specify a '
'revocation list.', api_pool['faultstring'])
def test_negative_create_udp_case(self):
# Error create pool with udp protocol but non-udp-type
sp = {"type": constants.SESSION_PERSISTENCE_HTTP_COOKIE,
@ -1337,11 +1410,231 @@ class TestPool(base.BaseAPITest):
new_pool = {'tls_container_ref': tls_container_ref}
self.cert_manager_mock().get_cert.side_effect = [Exception(
"bad cert")]
self.cert_manager_mock().get_secret.side_effect = [Exception(
"bad secret")]
resp = self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')),
self._build_body(new_pool), status=400).json
self.assertIn(tls_container_ref, resp['faultstring'])
@mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
def test_update_with_ca_and_crl(self, mock_cert_data):
self.cert_manager_mock().get_secret.side_effect = [
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL]
ca_tls_container_ref = uuidutils.generate_uuid()
crl_container_ref = uuidutils.generate_uuid()
api_pool = self.create_pool(
self.lb_id,
constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
listener_id=self.listener_id).get(self.root_tag)
self.set_lb_status(lb_id=self.lb_id)
new_pool = {'ca_tls_container_ref': ca_tls_container_ref,
'crl_container_ref': crl_container_ref}
self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')),
self._build_body(new_pool))
self.assert_correct_status(
lb_id=self.lb_id, listener_id=self.listener_id,
pool_id=api_pool.get('id'),
lb_prov_status=constants.PENDING_UPDATE,
listener_prov_status=constants.PENDING_UPDATE,
pool_prov_status=constants.PENDING_UPDATE)
self.set_lb_status(self.lb_id)
response = self.get(self.POOL_PATH.format(
pool_id=api_pool.get('id'))).json.get(self.root_tag)
self.assertEqual(ca_tls_container_ref,
response.get('ca_tls_container_ref'))
self.assertEqual(crl_container_ref,
response.get('crl_container_ref'))
self.assert_correct_status(
lb_id=self.lb_id, listener_id=self.listener_id,
pool_id=response.get('id'))
def test_update_with_bad_ca_tls_container_ref(self):
api_pool = self.create_pool(
self.lb_id,
constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
listener_id=self.listener_id).get(self.root_tag)
self.set_lb_status(lb_id=self.lb_id)
ca_tls_container_ref = uuidutils.generate_uuid()
new_pool = {'ca_tls_container_ref': ca_tls_container_ref}
self.cert_manager_mock().get_cert.side_effect = [Exception(
"bad cert")]
self.cert_manager_mock().get_secret.side_effect = [Exception(
"bad secret")]
resp = self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')),
self._build_body(new_pool), status=400).json
self.assertIn(ca_tls_container_ref, resp['faultstring'])
@mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
def test_update_with_crl(self, mock_cert_data):
ca_tls_container_ref = uuidutils.generate_uuid()
crl_container_ref = uuidutils.generate_uuid()
self.cert_manager_mock().get_secret.side_effect = [
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL]
api_pool = self.create_pool(
self.lb_id,
constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
listener_id=self.listener_id,
ca_tls_container_ref=ca_tls_container_ref,
crl_container_ref=crl_container_ref).get(self.root_tag)
self.set_lb_status(lb_id=self.lb_id)
new_crl_container_ref = uuidutils.generate_uuid()
new_pool = {'crl_container_ref': new_crl_container_ref}
self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')),
self._build_body(new_pool))
self.assert_correct_status(
lb_id=self.lb_id, listener_id=self.listener_id,
pool_id=api_pool.get('id'),
lb_prov_status=constants.PENDING_UPDATE,
listener_prov_status=constants.PENDING_UPDATE,
pool_prov_status=constants.PENDING_UPDATE)
self.set_lb_status(self.lb_id)
response = self.get(self.POOL_PATH.format(
pool_id=api_pool.get('id'))).json.get(self.root_tag)
self.assertEqual(new_crl_container_ref,
response.get('crl_container_ref'))
self.assert_correct_status(
lb_id=self.lb_id, listener_id=self.listener_id,
pool_id=response.get('id'))
def test_update_with_crl_only_negative_case(self):
api_pool = self.create_pool(
self.lb_id,
constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
listener_id=self.listener_id).get(self.root_tag)
self.set_lb_status(lb_id=self.lb_id)
crl_container_ref = uuidutils.generate_uuid()
new_pool = {'crl_container_ref': crl_container_ref}
resp = self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')),
self._build_body(new_pool), status=400).json
self.assertIn(
'A CA reference is required to specify a certificate revocation '
'list.', resp['faultstring'])
def test_update_with_crl_only_none_ca(self):
api_pool = self.create_pool(
self.lb_id,
constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
listener_id=self.listener_id).get(self.root_tag)
self.set_lb_status(lb_id=self.lb_id)
crl_container_ref = uuidutils.generate_uuid()
new_pool = {'ca_tls_container_ref': None,
'crl_container_ref': crl_container_ref}
resp = self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')),
self._build_body(new_pool), status=400).json
self.assertIn(
'A CA reference is required to specify a certificate revocation '
'list.', resp['faultstring'])
@mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
def test_update_with_unreachable_crl(self, mock_cert_data):
crl_container_ref = uuidutils.generate_uuid()
new_crl_container_ref = uuidutils.generate_uuid()
ca_tls_container_ref = uuidutils.generate_uuid()
self.cert_manager_mock().get_secret.side_effect = [
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL]
api_pool = self.create_pool(
self.lb_id,
constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
listener_id=self.listener_id,
ca_tls_container_ref=ca_tls_container_ref,
crl_container_ref=crl_container_ref).get(self.root_tag)
self.set_lb_status(self.lb_id)
new_crl_container_ref = uuidutils.generate_uuid()
new_pool = {'crl_container_ref': new_crl_container_ref}
self.cert_manager_mock().get_secret.side_effect = [
exceptions.CertificateRetrievalException(
ref=new_crl_container_ref)]
resp = self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')),
self._build_body(new_pool), status=400).json
self.assertIn(new_crl_container_ref, resp['faultstring'])
@mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
def test_update_unset_ca_cert(self, mock_cert_data):
self.cert_manager_mock().get_secret.return_value = (
sample_certs.X509_CA_CERT)
ca_tls_uuid = uuidutils.generate_uuid()
api_pool = self.create_pool(
self.lb_id,
constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
listener_id=self.listener_id,
ca_tls_container_ref=ca_tls_uuid).get(self.root_tag)
self.set_lb_status(self.lb_id)
new_pool = {'ca_tls_container_ref': None}
body = self._build_body(new_pool)
listener_path = self.POOL_PATH.format(
pool_id=api_pool['id'])
api_pool = self.put(listener_path, body).json.get(self.root_tag)
self.assertIsNone(api_pool.get('ca_tls_container_ref'))
self.assertIsNone(api_pool.get('crl_container_ref'))
@mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
def test_update_unset_ca_cert_with_crl(self, mock_cert_data):
self.cert_manager_mock().get_secret.side_effect = [
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL]
ca_tls_uuid = uuidutils.generate_uuid()
crl_uuid = uuidutils.generate_uuid()
api_pool = self.create_pool(
self.lb_id,
constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
listener_id=self.listener_id,
ca_tls_container_ref=ca_tls_uuid,
crl_container_ref=crl_uuid).get(self.root_tag)
self.set_lb_status(self.lb_id)
new_pool = {'ca_tls_container_ref': None}
body = self._build_body(new_pool)
listener_path = self.POOL_PATH.format(
pool_id=api_pool['id'])
response = self.put(listener_path, body, status=400).json
self.assertIn('A CA reference cannot be removed when a certificate '
'revocation list is present.', response['faultstring'])
@mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
def test_update_unset_crl(self, mock_cert_data):
self.cert_manager_mock().get_secret.side_effect = [
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL]
ca_tls_uuid = uuidutils.generate_uuid()
crl_uuid = uuidutils.generate_uuid()
api_pool = self.create_pool(
self.lb_id,
constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
listener_id=self.listener_id,
ca_tls_container_ref=ca_tls_uuid,
crl_container_ref=crl_uuid).get(self.root_tag)
self.set_lb_status(self.lb_id)
new_pool = {'crl_container_ref': None}
body = self._build_body(new_pool)
listener_path = self.POOL_PATH.format(
pool_id=api_pool['id'])
update_pool = self.put(listener_path, body).json.get(self.root_tag)
self.assertEqual(api_pool.get('ca_tls_container_ref'),
update_pool.get('ca_tls_container_ref'))
self.assertIsNone(update_pool.get('crl_container_ref'))
def test_delete(self):
api_pool = self.create_pool(
self.lb_id,

29
octavia/tests/functional/db/test_repositories.py

@ -184,6 +184,8 @@ class AllRepositoriesTest(base.OctaviaDBTestBase):
pool_dm = self.repos.create_pool_on_load_balancer(
self.session, pool, listener_id=self.listener.id)
pool_dm_dict = pool_dm.to_dict()
# These are not defiend in the sample pool dict but will
# be in the live data.
del pool_dm_dict['members']
del pool_dm_dict['health_monitor']
del pool_dm_dict['session_persistence']
@ -193,6 +195,8 @@ class AllRepositoriesTest(base.OctaviaDBTestBase):
del pool_dm_dict['l7policies']
del pool_dm_dict['created_at']
del pool_dm_dict['updated_at']
del pool_dm_dict['ca_tls_certificate_id']
del pool_dm_dict['crl_container_id']
self.assertEqual(pool, pool_dm_dict)
new_listener = self.repos.listener.get(self.session,
id=self.listener.id)
@ -217,6 +221,8 @@ class AllRepositoriesTest(base.OctaviaDBTestBase):
pool_dm = self.repos.create_pool_on_load_balancer(
self.session, pool, listener_id=self.listener.id)
pool_dm_dict = pool_dm.to_dict()
# These are not defiend in the sample pool dict but will
# be in the live data.
del pool_dm_dict['members']
del pool_dm_dict['health_monitor']
del pool_dm_dict['session_persistence']
@ -226,6 +232,8 @@ class AllRepositoriesTest(base.OctaviaDBTestBase):
del pool_dm_dict['l7policies']
del pool_dm_dict['created_at']
del pool_dm_dict['updated_at']
del pool_dm_dict['ca_tls_certificate_id']
del pool_dm_dict['crl_container_id']
self.assertEqual(pool, pool_dm_dict)
sp_dm_dict = pool_dm.session_persistence.to_dict()
del sp_dm_dict['pool']
@ -253,6 +261,8 @@ class AllRepositoriesTest(base.OctaviaDBTestBase):
new_pool_dm = self.repos.update_pool_and_sp(
self.session, pool_dm.id, update_pool)
pool_dm_dict = new_pool_dm.to_dict()
# These are not defiend in the sample pool dict but will
# be in the live data.
del pool_dm_dict['members']
del pool_dm_dict['health_monitor']
del pool_dm_dict['session_persistence']
@ -262,6 +272,8 @@ class AllRepositoriesTest(base.OctaviaDBTestBase):
del pool_dm_dict['l7policies']
del pool_dm_dict['created_at']
del pool_dm_dict['updated_at']
del pool_dm_dict['ca_tls_certificate_id']
del pool_dm_dict['crl_container_id']
pool.update(update_pool)
pool['tls_certificate_id'] = None
self.assertEqual(pool, pool_dm_dict)
@ -291,6 +303,8 @@ class AllRepositoriesTest(base.OctaviaDBTestBase):
new_pool_dm = self.repos.update_pool_and_sp(
self.session, pool_dm.id, update_pool)
pool_dm_dict = new_pool_dm.to_dict()
# These are not defiend in the sample pool dict but will
# be in the live data.
del pool_dm_dict['members']
del pool_dm_dict['health_monitor']
del pool_dm_dict['session_persistence']
@ -300,6 +314,8 @@ class AllRepositoriesTest(base.OctaviaDBTestBase):
del pool_dm_dict['l7policies']
del pool_dm_dict['created_at']
del pool_dm_dict['updated_at']
del pool_dm_dict['ca_tls_certificate_id']
del pool_dm_dict['crl_container_id']
pool.update(update_pool)
self.assertEqual(pool, pool_dm_dict)
sp_dm_dict = new_pool_dm.session_persistence.to_dict()
@ -382,6 +398,8 @@ class AllRepositoriesTest(base.OctaviaDBTestBase):
new_pool_dm = self.repos.update_pool_and_sp(
self.session, pool_dm.id, update_pool)
pool_dm_dict = new_pool_dm.to_dict()
# These are not defiend in the sample pool dict but will
# be in the live data.
del pool_dm_dict['members']
del pool_dm_dict['health_monitor']
del pool_dm_dict['session_persistence']
@ -392,6 +410,8 @@ class AllRepositoriesTest(base.OctaviaDBTestBase):
del pool_dm_dict['created_at']
del pool_dm_dict['updated_at']
del pool_dm_dict['tags']
del pool_dm_dict['ca_tls_certificate_id']
del pool_dm_dict['crl_container_id']
pool.update(update_pool)
self.assertEqual(pool, pool_dm_dict)
@ -3166,6 +3186,15 @@ class AmphoraRepositoryTest(BaseRepositoryTest):
self.assertIsInstance(new_amphora, models.Amphora)
def test_get_lb_for_amphora(self):
# TODO(bzhao) this test will raise error as there are more than 64
# tables in a Join statement in sqlite env. This is a new issue when
# we introduce resources tags and client certificates, both of them
# are 1:1 relationship. But we can image that if we have many
# associated loadbalancer subresources, such as listeners, pools,
# members and l7 resources. Even though, we don't have tags and
# client certificates features, we will still hit this issue in
# sqlite env.
self.skipTest("No idea how this should work yet")
amphora = self.create_amphora(self.FAKE_UUID_1)
self.amphora_repo.associate(self.session, self.lb.id, amphora.id)
lb = self.amphora_repo.get_lb_for_amphora(self.session, amphora.id)

33
octavia/tests/unit/amphorae/drivers/haproxy/test_rest_api_driver.py

@ -74,7 +74,7 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
persistence_granularity='255.255.0.0',
monitor_proto=constants.HEALTH_MONITOR_UDP_CONNECT)
self.pool_has_cert = sample_configs.sample_pool_tuple(
pool_cert=True, full_store=True)
pool_cert=True, pool_ca_cert=True, pool_crl=True)
self.amp = self.sl.load_balancer.amphorae[0]
self.sv = sample_configs.sample_vip_tuple()
self.lb = self.sl.load_balancer
@ -168,7 +168,6 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
self.driver.update(self.sl, self.sv)
# verify result
# this is called 5 times
gcm_calls = [
mock.call(self.amp, self.sl.id,
self.sl.default_tls_container.id + '.pem',
@ -178,6 +177,7 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
mock.call(self.amp, self.sl.id,
sconts[1].id + '.pem', ignore=(404,)),
]
self.driver.client.get_cert_md5sum.assert_has_calls(gcm_calls,
any_order=True)
@ -200,9 +200,10 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
mock.call(self.amp, self.sl.id,
sconts[1].id + '.pem', fp3),
]
self.driver.client.upload_cert_pem.assert_has_calls(ucp_calls,
any_order=True)
self.assertEqual(3, self.driver.client.upload_cert_pem.call_count)
# upload only one config file
self.driver.client.upload_config.assert_called_once_with(
self.amp, self.sl.id, 'fake_config')
@ -341,16 +342,19 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
self.assertEqual(ref_cert_dict, result)
@mock.patch('octavia.amphorae.drivers.haproxy.rest_api_driver.'
'HaproxyAmphoraLoadBalancerDriver._process_secret')
@mock.patch('octavia.amphorae.drivers.haproxy.rest_api_driver.'
'HaproxyAmphoraLoadBalancerDriver._apply')
@mock.patch('octavia.common.tls_utils.cert_parser.build_pem')
@mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
def test__process_pool_certs(self, mock_load_certs, mock_build_pem,
mock_apply):
mock_apply, mock_secret):
fake_cert_dir = '/fake/cert/dir'
conf = oslo_fixture.Config(cfg.CONF)
conf.config(group="haproxy_amphora", base_cert_dir=fake_cert_dir)
sample_listener = sample_configs.sample_listener_tuple(pool_cert=True)
sample_listener = sample_configs.sample_listener_tuple(
pool_cert=True, pool_ca_cert=True, pool_crl=True)
cert_data_mock = mock.MagicMock()
cert_data_mock.id = uuidutils.generate_uuid()
mock_load_certs.return_value = cert_data_mock
@ -360,15 +364,32 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
ref_name = '{id}.pem'.format(id=cert_data_mock.id)
ref_path = '{cert_dir}/{list_id}/{name}'.format(
cert_dir=fake_cert_dir, list_id=sample_listener.id, name=ref_name)
ref_result = {'client_cert': ref_path}
ref_ca_name = 'fake_ca.pem'
ref_ca_path = '{cert_dir}/{list_id}/{name}'.format(
cert_dir=fake_cert_dir, list_id=sample_listener.id,
name=ref_ca_name)
ref_crl_name = 'fake_crl.pem'
ref_crl_path = '{cert_dir}/{list_id}/{name}'.format(
cert_dir=fake_cert_dir, list_id=sample_listener.id,
name=ref_crl_name)
ref_result = {'client_cert': ref_path, 'ca_cert': ref_ca_path,
'crl': ref_crl_path}
mock_secret.side_effect = [ref_ca_name, ref_crl_name]
result = self.driver._process_pool_certs(sample_listener,
sample_listener.default_pool)
secret_calls = [
mock.call(sample_listener,
sample_listener.default_pool.ca_tls_certificate_id),
mock.call(sample_listener,
sample_listener.default_pool.crl_container_id)]
mock_build_pem.assert_called_once_with(cert_data_mock)
mock_apply.assert_called_once_with(
self.driver._upload_cert, sample_listener, None, fake_pem,
ref_md5, ref_name)
mock_secret.assert_has_calls(secret_calls)
self.assertEqual(ref_result, result)
def test_stop(self):

23
octavia/tests/unit/api/drivers/sample_data_models.py

@ -40,6 +40,8 @@ class SampleDriverDataModels(object):
self.client_ca_tls_certificate_ref = uuidutils.generate_uuid()
self.client_crl_container_ref = uuidutils.generate_uuid()
self.pool_sni_container_ref = uuidutils.generate_uuid()
self.pool_ca_container_ref = uuidutils.generate_uuid()
self.pool_crl_container_ref = uuidutils.generate_uuid()
self.pool1_id = uuidutils.generate_uuid()
self.pool2_id = uuidutils.generate_uuid()
@ -208,7 +210,11 @@ class SampleDriverDataModels(object):
'listeners': [],
'l7policies': [],
'tls_certificate_id':
self.pool_sni_container_ref}
self.pool_sni_container_ref,
'ca_tls_certificate_id':
self.pool_ca_container_ref,
'crl_container_id':
self.pool_crl_container_ref}
self.test_pool1_dict.update(self._common_test_dict)
@ -218,6 +224,8 @@ class SampleDriverDataModels(object):
self.test_pool2_dict['description'] = 'Pool 2'
self.test_pool2_dict['members'] = self.test_pool2_members_dict
del self.test_pool2_dict['tls_certificate_id']
del self.test_pool2_dict['ca_tls_certificate_id']
del self.test_pool2_dict['crl_container_id']
self.test_pools = [self.test_pool1_dict, self.test_pool2_dict]
@ -230,6 +238,8 @@ class SampleDriverDataModels(object):
self.test_db_pools = [self.db_pool1, self.db_pool2]
pool_cert = data_models.TLSContainer(certificate='pool cert')
pool_ca_file_content = 'X509 POOL CA CERT FILE'
pool_crl_file_content = 'X509 POOL CRL FILE'
self.provider_pool1_dict = {
'admin_state_up': True,
@ -243,7 +253,12 @@ class SampleDriverDataModels(object):
'protocol': 'avian',
'session_persistence': {'type': 'SOURCE'},
'tls_container_ref': self.pool_sni_container_ref,
'tls_container_data': pool_cert.to_dict()}
'tls_container_data': pool_cert.to_dict(),
'ca_tls_container_ref': self.pool_ca_container_ref,
'ca_tls_container_data': pool_ca_file_content,
'crl_container_ref': self.pool_crl_container_ref,
'crl_container_data': pool_crl_file_content
}
self.provider_pool2_dict = copy.deepcopy(self.provider_pool1_dict)
self.provider_pool2_dict['pool_id'] = self.pool2_id
@ -253,6 +268,10 @@ class SampleDriverDataModels(object):
self.provider_pool2_dict['healthmonitor'] = self.provider_hm2_dict
self.provider_pool2_dict['tls_container_ref'] = None
del self.provider_pool2_dict['tls_container_data']
self.provider_pool2_dict['ca_tls_container_ref'] = None
del self.provider_pool2_dict['ca_tls_container_data']
self.provider_pool2_dict['crl_container_ref'] = None
del self.provider_pool2_dict['crl_container_data']
self.provider_pool1 = driver_dm.Pool(**self.provider_pool1_dict)
self.provider_pool1.members = self.provider_pool1_members

43
octavia/tests/unit/api/drivers/test_utils.py

@ -90,7 +90,11 @@ class TestUtils(base.TestCase):
cert1 = data_models.TLSContainer(certificate='cert 1')
cert2 = data_models.TLSContainer(certificate='cert 2')
cert3 = data_models.TLSContainer(certificate='cert 3')
mock_secret.side_effect = ['ca cert', 'X509 CRL FILE']
mock_secret.side_effect = ['X509 POOL CA CERT FILE',
'X509 POOL CRL FILE', 'ca cert',
'X509 CRL FILE', 'ca cert', 'X509 CRL FILE',
'X509 POOL CA CERT FILE',
'X509 CRL FILE']
listener_certs = {'tls_cert': cert1, 'sni_certs': [cert2, cert3]}
pool_cert = data_models.TLSContainer(certificate='pool cert')
pool_certs = {'tls_cert': pool_cert, 'sni_certs': []}
@ -166,7 +170,9 @@ class TestUtils(base.TestCase):
@mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
def test_db_listeners_to_provider_listeners(self, mock_load_cert,
mock_secret):
mock_secret.side_effect = ['ca cert', 'X509 CRL FILE']
mock_secret.side_effect = ['ca cert', 'X509 CRL FILE',
'ca cert', 'X509 CRL FILE',
'ca cert', 'X509 CRL FILE']
cert1 = data_models.TLSContainer(certificate='cert 1')
cert2 = data_models.TLSContainer(certificate='cert 2')
cert3 = data_models.TLSContainer(certificate='cert 3')
@ -180,7 +186,9 @@ class TestUtils(base.TestCase):
@mock.patch('octavia.api.drivers.utils._get_secret_data')
@mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
def test_listener_dict_to_provider_dict(self, mock_load_cert, mock_secret):
mock_secret.side_effect = ['ca cert', 'X509 CRL FILE']
mock_secret.side_effect = ['ca cert', 'X509 CRL FILE',
'X509 POOL CA CERT FILE',
'X509 POOL CRL FILE']
cert1 = data_models.TLSContainer(certificate='cert 1')
cert2 = data_models.TLSContainer(certificate='cert 2')
cert3 = data_models.TLSContainer(certificate='cert 3')
@ -195,6 +203,8 @@ class TestUtils(base.TestCase):
# just contain the client_ca_tls_certificate_id for client certificate,
# not any other related fields. So we need to delete them.
expect_prov = copy.deepcopy(self.sample_data.provider_listener1_dict)
expect_pool_prov = copy.deepcopy(self.sample_data.provider_pool1_dict)
expect_prov['default_pool'] = expect_pool_prov
provider_listener = utils.listener_dict_to_provider_dict(
self.sample_data.test_listener1_dict)
self.assertEqual(expect_prov, provider_listener)
@ -216,47 +226,62 @@ class TestUtils(base.TestCase):
utils.listener_dict_to_provider_dict,
test_listener)
@mock.patch('octavia.api.drivers.utils._get_secret_data')
@mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
def test_db_pool_to_provider_pool(self, mock_load_cert):
def test_db_pool_to_provider_pool(self, mock_load_cert, mock_secret):
pool_cert = data_models.TLSContainer(certificate='pool cert')
mock_load_cert.return_value = {'tls_cert': pool_cert,
'sni_certs': None,
'client_ca_cert': None}
mock_secret.side_effect = ['X509 POOL CA CERT FILE',
'X509 POOL CRL FILE']
provider_pool = utils.db_pool_to_provider_pool(
self.sample_data.db_pool1)
self.assertEqual(self.sample_data.provider_pool1, provider_pool)
@mock.patch('octavia.api.drivers.utils._get_secret_data')
@mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
def test_db_pool_to_provider_pool_partial(self, mock_load_cert):
def test_db_pool_to_provider_pool_partial(self, mock_load_cert,
mock_secret):
pool_cert = data_models.TLSContainer(certificate='pool cert')
mock_load_cert.return_value = {'tls_cert': pool_cert,
'sni_certs': None,
'client_ca_cert': None}
mock_secret.side_effect = ['X509 POOL CA CERT FILE',
'X509 POOL CRL FILE']
test_db_pool = self.sample_data.db_pool1
test_db_pool.members = [self.sample_data.db_member1]
provider_pool = utils.db_pool_to_provider_pool(test_db_pool)
self.assertEqual(self.sample_data.provider_pool1, provider_pool)
@mock.patch('octavia.api.drivers.utils._get_secret_data')
@mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
def test_db_pools_to_provider_pools(self, mock_load_cert):
def test_db_pools_to_provider_pools(self, mock_load_cert, mock_secret):
pool_cert = data_models.TLSContainer(certificate='pool cert')
mock_load_cert.return_value = {'tls_cert': pool_cert,
'sni_certs': None,
'client_ca_cert': None}
mock_secret.side_effect = ['X509 POOL CA CERT FILE',
'X509 POOL CRL FILE']
provider_pools = utils.db_pools_to_provider_pools(
self.sample_data.test_db_pools)
self.assertEqual(self.sample_data.provider_pools, provider_pools)
@mock.patch('octavia.api.drivers.utils._get_secret_data')
@mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
def test_pool_dict_to_provider_dict(self, mock_load_cert):
def test_pool_dict_to_provider_dict(self, mock_load_cert, mock_secret):
pool_cert = data_models.TLSContainer(certificate='pool cert')
mock_load_cert.return_value = {'tls_cert': pool_cert,
'sni_certs': None,
'client_ca_cert': None}
mock_secret.side_effect = ['X509 POOL CA CERT FILE',
'X509 POOL CRL FILE']
expect_prov = copy.deepcopy(self.sample_data.provider_pool1_dict)
expect_prov.pop('crl_container_ref')
provider_pool_dict = utils.pool_dict_to_provider_dict(
self.sample_data.test_pool1_dict)
self.assertEqual(self.sample_data.provider_pool1_dict,
provider_pool_dict)
provider_pool_dict.pop('crl_container_ref')
self.assertEqual(expect_prov, provider_pool_dict)
def test_db_HM_to_provider_HM(self):
provider_hm = utils.db_HM_to_provider_HM(self.sample_data.db_hm1)

2
octavia/tests/unit/certificates/manager/test_barbican.py

@ -197,6 +197,6 @@ class TestBarbicanManager(base.TestCase):
self.assertEqual(self.fake_secret, data)
# Test with a failure
self.assertRaises(exceptions.CertificateStorageException,
self.assertRaises(exceptions.CertificateRetrievalException,
self.cert_manager.get_secret,
context=self.context, secret_ref=self.secret_ref)

2
octavia/tests/unit/certificates/manager/test_castellan_mgr.py

@ -44,6 +44,6 @@ class TestCastellanCertManager(base.TestCase):
self.manager.get.assert_called_once_with('context', 'secret_ref')
self.certbag.get_encoded.assert_called_once()
self.assertRaises(exceptions.CertificateStorageException,
self.assertRaises(exceptions.CertificateRetrievalException,
castellan_mgr_obj.get_secret, 'context',
'secret_ref')

2
octavia/tests/unit/certificates/manager/test_local.py

@ -154,6 +154,6 @@ class TestLocalManager(base.TestCase):
with mock.patch('os.open', open_mock), mock.patch.object(
os, 'fdopen', fd_mock) as mock_open:
mock_open.side_effect = IOError
self.assertRaises(exceptions.CertificateStorageException,
self.assertRaises(exceptions.CertificateRetrievalException,
local_cert_mgr.LocalCertManager.get_secret,
None, secret_id)

44
octavia/tests/unit/common/jinja/haproxy/test_jinja_cfg.py

@ -768,14 +768,54 @@ class TestHaproxyCfg(base.TestCase):
"check inter 30s fall 3 rise 2 cookie sample_member_id_2 "
"{opts}\n\n").format(
maxconn=constants.HAPROXY_MAX_MAXCONN,
opts="%s %s %s %s" % ("ssl", "crt", cert_file_path, "verify none"))
opts="%s %s %s" % ("ssl", "crt", cert_file_path))
rendered_obj = self.jinja_cfg.render_loadbalancer_obj(
sample_configs.sample_amphora_tuple(),
sample_configs.sample_listener_tuple(pool_cert=True),
pool_tls_certs={
'sample_pool_id_1':
{'client_cert': cert_file_path,
'sni_certs': []}})
'ca_cert': None, 'crl': None}})
self.assertEqual(
sample_configs.sample_base_expected_config(backend=be),
rendered_obj)
def test_render_template_with_full_pool_cert(self):
pool_client_cert = '/foo/cert.pem'
pool_ca_cert = '/foo/ca.pem'
pool_crl = '/foo/crl.pem'
be = ("backend sample_pool_id_1\n"
" mode http\n"
" balance roundrobin\n"
" cookie SRV insert indirect nocache\n"
" timeout check 31s\n"
" option httpchk GET /index.html\n"
" http-check expect rstatus 418\n"
" fullconn {maxconn}\n"
" option allbackups\n"
" timeout connect 5000\n"
" timeout server 50000\n"
" server sample_member_id_1 10.0.0.99:82 weight 13 "
"check inter 30s fall 3 rise 2 cookie sample_member_id_1 "
"{opts}\n"
" server sample_member_id_2 10.0.0.98:82 weight 13 "
"check inter 30s fall 3 rise 2 cookie sample_member_id_2 "
"{opts}\n\n").format(
maxconn=constants.HAPROXY_MAX_MAXCONN,
opts="%s %s %s %s %s %s" % (
"ssl", "crt", pool_client_cert,
"ca-file %s" % pool_ca_cert,
"crl-file %s" % pool_crl,
"verify required"))
rendered_obj = self.jinja_cfg.render_loadbalancer_obj(
sample_configs.sample_amphora_tuple(),
sample_configs.sample_listener_tuple(
pool_cert=True, pool_ca_cert=True, pool_crl=True),
pool_tls_certs={
'sample_pool_id_1':
{'client_cert': pool_client_cert,
'ca_cert': pool_ca_cert,
'crl': pool_crl}})
self.assertEqual(
sample_configs.sample_base_expected_config(backend=be),
rendered_obj)

42
octavia/tests/unit/common/sample_configs/sample_configs.py

@ -119,7 +119,9 @@ RET_POOL_1 = {
'enabled': True,
'operating_status': 'ACTIVE',
'stick_size': '10k',
constants.HTTP_REUSE: False}
constants.HTTP_REUSE: False,
'ca_tls_path': '',
'crl_path': ''}
RET_POOL_2 = {
'id': 'sample_pool_id_2',
@ -131,7 +133,10 @@ RET_POOL_2 = {
'enabled': True,
'operating_status': 'ACTIVE',
'stick_size': '10k',
constants.HTTP_REUSE: False}
constants.HTTP_REUSE: False,
'ca_tls_path': '',
'crl_path': ''}
RET_DEF_TLS_CONT = {'id': 'cont_id_1', 'allencompassingpem': 'imapem',
'primary_cn': 'FakeCn'}
@ -528,7 +533,8 @@ def sample_listener_tuple(proto=None, monitor=True, alloc_default_pool=True,
timeout_member_data=50000,
timeout_tcp_inspect=0,
client_ca_cert=False, client_crl_cert=False,
ssl_type_l7=False, pool_cert=False):
ssl_type_l7=False, pool_cert=False,
pool_ca_cert=False, pool_crl=False):
proto = 'HTTP' if proto is None else proto
if be_proto is None:
be_proto = 'HTTP' if proto is 'TERMINATED_HTTPS' else proto
@ -553,13 +559,15 @@ def sample_listener_tuple(proto=None, monitor=True, alloc_default_pool=True,
persistence_type=persistence_type,
persistence_cookie=persistence_cookie,
monitor_ip_port=monitor_ip_port, monitor_proto=monitor_proto,
pool_cert=pool_cert),
pool_cert=pool_cert, pool_ca_cert=pool_ca_cert,
pool_crl=pool_crl),
sample_pool_tuple(
proto=be_proto, monitor=monitor, persistence=persistence,
persistence_type=persistence_type,
persistence_cookie=persistence_cookie, sample_pool=2,
monitor_ip_port=monitor_ip_port, monitor_proto=monitor_proto,
pool_cert=pool_cert)]
pool_cert=pool_cert, pool_ca_cert=pool_ca_cert,
pool_crl=pool_crl)]
l7policies = [
sample_l7policy_tuple('sample_l7policy_id_1', sample_policy=1),
sample_l7policy_tuple('sample_l7policy_id_2', sample_policy=2),
@ -579,7 +587,8 @@ def sample_listener_tuple(proto=None, monitor=True, alloc_default_pool=True,
persistence_cookie=persistence_cookie,
monitor_ip_port=monitor_ip_port, monitor_proto=monitor_proto,
backup_member=backup_member, disabled_member=disabled_member,
pool_cert=pool_cert)]
pool_cert=pool_cert, pool_ca_cert=pool_ca_cert,
pool_crl=pool_crl)]
l7policies = []
return in_listener(
id='sample_listener_id_1',
@ -597,7 +606,10 @@ def sample_listener_tuple(proto=None, monitor=True, alloc_default_pool=True,
persistence_granularity=persistence_granularity,
monitor_ip_port=monitor_ip_port,
monitor_proto=monitor_proto,
pool_cert=pool_cert) if alloc_default_pool else '',
pool_cert=pool_cert,
pool_ca_cert=pool_ca_cert,
pool_crl=pool_crl
) if alloc_default_pool else '',
connection_limit=connection_limit,
tls_certificate_id='cont_id_1' if tls else '',
sni_container_ids=['cont_id_2', 'cont_id_3'] if sni else [],
@ -671,14 +683,14 @@ def sample_pool_tuple(proto=None, monitor=True, persistence=True,
sample_pool=1, monitor_ip_port=False,
monitor_proto=None, backup_member=False,
disabled_member=False, has_http_reuse=True,
pool_cert=False, full_store=False):
pool_cert=False, pool_ca_cert=False, pool_crl=False):
proto = 'HTTP' if proto is None else proto
monitor_proto = proto if monitor_proto is None else monitor_proto
in_pool = collections.namedtuple(
'pool', 'id, protocol, lb_algorithm, members, health_monitor, '
'session_persistence, enabled, operating_status, '
'tls_certificate_id, tls_container, load_balancer, '
'listeners, ' + constants.HTTP_REUSE)
'tls_certificate_id, ca_tls_certificate_id, '
'crl_container_id, ' + constants.HTTP_REUSE)
if (proto == constants.PROTOCOL_UDP and
persistence_type == constants.SESSION_PERSISTENCE_SOURCE_IP):
kwargs = {'persistence_type': persistence_type,
@ -706,7 +718,6 @@ def sample_pool_tuple(proto=None, monitor=True, persistence=True,
if monitor is True:
mon = sample_health_monitor_tuple(proto=monitor_proto, sample_hm=2)
in_pool_listener = collections.namedtuple('listener', 'id',)
return in_pool(
id=id,
protocol=proto,
@ -717,13 +728,8 @@ def sample_pool_tuple(proto=None, monitor=True, persistence=True,
enabled=True,
operating_status='ACTIVE', has_http_reuse=has_http_reuse,
tls_certificate_id='pool_cont_1' if pool_cert else None,
tls_container={'client_cert': 'fake path'} if pool_cert else '',
load_balancer=sample_listener_loadbalancer_tuple(
proto=proto,
topology=constants.TOPOLOGY_ACTIVE_STANDBY) if full_store else '',
listeners=[in_pool_listener(id='used_as_default_pool_listener_id'),
in_pool_listener(id='used_as_redirect_pool_l7_listener_id')]
if full_store else [])
ca_tls_certificate_id='pool_ca_1' if pool_ca_cert else None,
crl_container_id='pool_crl' if pool_crl else None)
def sample_member_tuple(id, ip, enabled=True, operating_status='ACTIVE',

5
releasenotes/notes/Add-pool-CA-and-CRL-bb467b17188ed022.yaml Normal file

@ -0,0 +1,5 @@
---
features:
- |
You can now specify a ca_tls_container_ref and crl_container_ref on pools
for validating backend pool members using TLS.