diff --git a/octavia/api/v2/controllers/pool.py b/octavia/api/v2/controllers/pool.py index dde59e2e9f..bc31a04f24 100644 --- a/octavia/api/v2/controllers/pool.py +++ b/octavia/api/v2/controllers/pool.py @@ -433,6 +433,11 @@ class PoolsController(base.BaseController): self._auth_validate_action(context, project_id, constants.RBAC_PUT) + if pool.tls_versions is None: + pool.tls_versions = CONF.api_settings.default_pool_tls_versions + if pool.tls_ciphers is None: + pool.tls_ciphers = CONF.api_settings.default_pool_ciphers + if (pool.session_persistence and not pool.session_persistence.type and db_pool.session_persistence and diff --git a/octavia/tests/functional/api/v2/test_pool.py b/octavia/tests/functional/api/v2/test_pool.py index c9061c3868..0ec844e976 100644 --- a/octavia/tests/functional/api/v2/test_pool.py +++ b/octavia/tests/functional/api/v2/test_pool.py @@ -1844,6 +1844,156 @@ class TestPool(base.BaseAPITest): update_pool.get('ca_tls_container_ref')) self.assertIsNone(update_pool.get('crl_container_ref')) + def test_update_with_tls_versions(self): + tls_versions = [lib_consts.TLS_VERSION_1_3, + lib_consts.TLS_VERSION_1_2] + api_pool = self.create_pool( + self.lb_id, + constants.PROTOCOL_HTTP, + constants.LB_ALGORITHM_ROUND_ROBIN, + tls_enabled=True, + tls_versions=tls_versions, + listener_id=self.listener_id).get(self.root_tag) + self.set_lb_status(lb_id=self.lb_id) + self.assertTrue(api_pool['tls_enabled']) + self.assertCountEqual(tls_versions, + api_pool['tls_versions']) + + new_pool = {'tls_versions': [lib_consts.TLS_VERSION_1_3]} + self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')), + self._build_body(new_pool)) + self.assert_correct_status( + lb_id=self.lb_id, listener_id=self.listener_id, + pool_id=api_pool.get('id'), + lb_prov_status=constants.PENDING_UPDATE, + listener_prov_status=constants.PENDING_UPDATE, + pool_prov_status=constants.PENDING_UPDATE) + self.set_lb_status(self.lb_id) + response = self.get(self.POOL_PATH.format( + pool_id=api_pool.get('id'))).json.get(self.root_tag) + self.assertCountEqual([lib_consts.TLS_VERSION_1_3], + response['tls_versions']) + self.assertIsNotNone(response.get('created_at')) + self.assertIsNotNone(response.get('updated_at')) + self.assert_correct_status( + lb_id=self.lb_id, listener_id=self.listener_id, + pool_id=response.get('id')) + + def test_update_with_empty_tls_versions(self): + default_pool_tls_versions = [lib_consts.TLS_VERSION_1_3, + lib_consts.TLS_VERSION_1_2] + self.conf = self.useFixture(oslo_fixture.Config(cfg.CONF)) + self.conf.config(group='api_settings', + default_pool_tls_versions=default_pool_tls_versions) + + tls_versions = [lib_consts.TLS_VERSION_1_3] + api_pool = self.create_pool( + self.lb_id, + constants.PROTOCOL_HTTP, + constants.LB_ALGORITHM_ROUND_ROBIN, + tls_enabled=True, + tls_versions=tls_versions, + listener_id=self.listener_id).get(self.root_tag) + self.set_lb_status(lb_id=self.lb_id) + self.assertTrue(api_pool['tls_enabled']) + self.assertCountEqual(tls_versions, + api_pool['tls_versions']) + + new_pool = {'tls_versions': None} + self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')), + self._build_body(new_pool)) + self.assert_correct_status( + lb_id=self.lb_id, listener_id=self.listener_id, + pool_id=api_pool.get('id'), + lb_prov_status=constants.PENDING_UPDATE, + listener_prov_status=constants.PENDING_UPDATE, + pool_prov_status=constants.PENDING_UPDATE) + self.set_lb_status(self.lb_id) + response = self.get(self.POOL_PATH.format( + pool_id=api_pool.get('id'))).json.get(self.root_tag) + self.assertCountEqual(default_pool_tls_versions, + response['tls_versions']) + self.assertIsNotNone(response.get('created_at')) + self.assertIsNotNone(response.get('updated_at')) + self.assert_correct_status( + lb_id=self.lb_id, listener_id=self.listener_id, + pool_id=response.get('id')) + + def test_update_with_tls_ciphers(self): + default_ciphers = ( + 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') + self.conf = self.useFixture(oslo_fixture.Config(cfg.CONF)) + self.conf.config(group='api_settings', + default_pool_ciphers=default_ciphers) + + api_pool = self.create_pool( + self.lb_id, + constants.PROTOCOL_HTTP, + constants.LB_ALGORITHM_ROUND_ROBIN, + tls_enabled=True, + listener_id=self.listener_id).get(self.root_tag) + self.set_lb_status(lb_id=self.lb_id) + self.assertTrue(api_pool['tls_enabled']) + self.assertEqual(default_ciphers, api_pool['tls_ciphers']) + + new_tls_ciphers = 'DHE-RSA-AES128-GCM-SHA256' + new_pool = {'tls_ciphers': new_tls_ciphers} + self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')), + self._build_body(new_pool)) + self.assert_correct_status( + lb_id=self.lb_id, listener_id=self.listener_id, + pool_id=api_pool.get('id'), + lb_prov_status=constants.PENDING_UPDATE, + listener_prov_status=constants.PENDING_UPDATE, + pool_prov_status=constants.PENDING_UPDATE) + self.set_lb_status(self.lb_id) + response = self.get(self.POOL_PATH.format( + pool_id=api_pool.get('id'))).json.get(self.root_tag) + self.assertEqual(new_tls_ciphers, response['tls_ciphers']) + self.assertIsNotNone(response.get('created_at')) + self.assertIsNotNone(response.get('updated_at')) + self.assert_correct_status( + lb_id=self.lb_id, listener_id=self.listener_id, + pool_id=response.get('id')) + + def test_update_with_empty_tls_ciphers(self): + default_ciphers = ( + 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') + self.conf = self.useFixture(oslo_fixture.Config(cfg.CONF)) + self.conf.config(group='api_settings', + default_pool_ciphers=default_ciphers) + + tls_ciphers = 'DHE-RSA-AES128-GCM-SHA256' + api_pool = self.create_pool( + self.lb_id, + constants.PROTOCOL_HTTP, + constants.LB_ALGORITHM_ROUND_ROBIN, + tls_enabled=True, + tls_ciphers=tls_ciphers, + listener_id=self.listener_id).get(self.root_tag) + self.set_lb_status(lb_id=self.lb_id) + self.assertTrue(api_pool['tls_enabled']) + self.assertEqual(tls_ciphers, api_pool['tls_ciphers']) + + new_pool = {'tls_ciphers': None} + self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')), + self._build_body(new_pool)) + self.assert_correct_status( + lb_id=self.lb_id, listener_id=self.listener_id, + pool_id=api_pool.get('id'), + lb_prov_status=constants.PENDING_UPDATE, + listener_prov_status=constants.PENDING_UPDATE, + pool_prov_status=constants.PENDING_UPDATE) + self.set_lb_status(self.lb_id) + response = self.get(self.POOL_PATH.format( + pool_id=api_pool.get('id'))).json.get(self.root_tag) + self.assertEqual(default_ciphers, response['tls_ciphers']) + self.assertIsNotNone(response.get('created_at')) + self.assertIsNotNone(response.get('updated_at')) + self.assert_correct_status( + lb_id=self.lb_id, listener_id=self.listener_id, + pool_id=response.get('id')) + def test_delete(self): api_pool = self.create_pool( self.lb_id, diff --git a/releasenotes/notes/fix-unset-for-tls_versions-tls_ciphers-in-pools-7534715ce28bd8cb.yaml b/releasenotes/notes/fix-unset-for-tls_versions-tls_ciphers-in-pools-7534715ce28bd8cb.yaml new file mode 100644 index 0000000000..f893ebde91 --- /dev/null +++ b/releasenotes/notes/fix-unset-for-tls_versions-tls_ciphers-in-pools-7534715ce28bd8cb.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fix an issue when updating ``tls_versions`` and ``tls_ciphers`` in Pools + with empty (None) values, unsetting theses parameters now resets their + values to the default values.