openstack/octavia
Code Issues Proposed changes

Fix setting None in tls_versions and tls_ciphers in pools

Browse Source 
Setting None in tls_versions and tls_ciphers should reset their value
to the default value

Story 2008367
Task 41276

Change-Id: I64a7072b2c4e1a12b5d908647f1eddcad7ec3b90
This commit is contained in:
Gregory Thiemonge 2020-11-18 14:43:19 +01:00
parent f96b0986cd
commit 8a207a7e03
3 changed files with 161 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
octavia/api/v2/controllers/pool.py
View File

@ -433,6 +433,11 @@ class PoolsController(base.BaseController):
self._auth_validate_action(context, project_id, constants.RBAC_PUT) self._auth_validate_action(context, project_id, constants.RBAC_PUT)
if pool.tls_versions is None:
pool.tls_versions = CONF.api_settings.default_pool_tls_versions
if pool.tls_ciphers is None:
pool.tls_ciphers = CONF.api_settings.default_pool_ciphers
if (pool.session_persistence and if (pool.session_persistence and
not pool.session_persistence.type and not pool.session_persistence.type and
db_pool.session_persistence and db_pool.session_persistence and

150
octavia/tests/functional/api/v2/test_pool.py
View File

@ -1844,6 +1844,156 @@ class TestPool(base.BaseAPITest):
update_pool.get('ca_tls_container_ref')) update_pool.get('ca_tls_container_ref'))
self.assertIsNone(update_pool.get('crl_container_ref')) self.assertIsNone(update_pool.get('crl_container_ref'))
def test_update_with_tls_versions(self):
tls_versions = [lib_consts.TLS_VERSION_1_3,
lib_consts.TLS_VERSION_1_2]
api_pool = self.create_pool(
self.lb_id,
constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
tls_enabled=True,
tls_versions=tls_versions,
listener_id=self.listener_id).get(self.root_tag)
self.set_lb_status(lb_id=self.lb_id)
self.assertTrue(api_pool['tls_enabled'])
self.assertCountEqual(tls_versions,
api_pool['tls_versions'])
new_pool = {'tls_versions': [lib_consts.TLS_VERSION_1_3]}
self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')),
self._build_body(new_pool))
self.assert_correct_status(
lb_id=self.lb_id, listener_id=self.listener_id,
pool_id=api_pool.get('id'),
lb_prov_status=constants.PENDING_UPDATE,
listener_prov_status=constants.PENDING_UPDATE,
pool_prov_status=constants.PENDING_UPDATE)
self.set_lb_status(self.lb_id)
response = self.get(self.POOL_PATH.format(
pool_id=api_pool.get('id'))).json.get(self.root_tag)
self.assertCountEqual([lib_consts.TLS_VERSION_1_3],
response['tls_versions'])
self.assertIsNotNone(response.get('created_at'))
self.assertIsNotNone(response.get('updated_at'))
self.assert_correct_status(
lb_id=self.lb_id, listener_id=self.listener_id,
pool_id=response.get('id'))
def test_update_with_empty_tls_versions(self):
default_pool_tls_versions = [lib_consts.TLS_VERSION_1_3,
lib_consts.TLS_VERSION_1_2]
self.conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
self.conf.config(group='api_settings',
default_pool_tls_versions=default_pool_tls_versions)
tls_versions = [lib_consts.TLS_VERSION_1_3]
api_pool = self.create_pool(
self.lb_id,
constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
tls_enabled=True,
tls_versions=tls_versions,
listener_id=self.listener_id).get(self.root_tag)
self.set_lb_status(lb_id=self.lb_id)
self.assertTrue(api_pool['tls_enabled'])
self.assertCountEqual(tls_versions,
api_pool['tls_versions'])
new_pool = {'tls_versions': None}
self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')),
self._build_body(new_pool))
self.assert_correct_status(
lb_id=self.lb_id, listener_id=self.listener_id,
pool_id=api_pool.get('id'),
lb_prov_status=constants.PENDING_UPDATE,
listener_prov_status=constants.PENDING_UPDATE,
pool_prov_status=constants.PENDING_UPDATE)
self.set_lb_status(self.lb_id)
response = self.get(self.POOL_PATH.format(
pool_id=api_pool.get('id'))).json.get(self.root_tag)
self.assertCountEqual(default_pool_tls_versions,
response['tls_versions'])
self.assertIsNotNone(response.get('created_at'))
self.assertIsNotNone(response.get('updated_at'))
self.assert_correct_status(
lb_id=self.lb_id, listener_id=self.listener_id,
pool_id=response.get('id'))
def test_update_with_tls_ciphers(self):
default_ciphers = (
'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256')
self.conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
self.conf.config(group='api_settings',
default_pool_ciphers=default_ciphers)
api_pool = self.create_pool(
self.lb_id,
constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
tls_enabled=True,
listener_id=self.listener_id).get(self.root_tag)
self.set_lb_status(lb_id=self.lb_id)
self.assertTrue(api_pool['tls_enabled'])
self.assertEqual(default_ciphers, api_pool['tls_ciphers'])
new_tls_ciphers = 'DHE-RSA-AES128-GCM-SHA256'
new_pool = {'tls_ciphers': new_tls_ciphers}
self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')),
self._build_body(new_pool))
self.assert_correct_status(
lb_id=self.lb_id, listener_id=self.listener_id,
pool_id=api_pool.get('id'),
lb_prov_status=constants.PENDING_UPDATE,
listener_prov_status=constants.PENDING_UPDATE,
pool_prov_status=constants.PENDING_UPDATE)
self.set_lb_status(self.lb_id)
response = self.get(self.POOL_PATH.format(
pool_id=api_pool.get('id'))).json.get(self.root_tag)
self.assertEqual(new_tls_ciphers, response['tls_ciphers'])
self.assertIsNotNone(response.get('created_at'))
self.assertIsNotNone(response.get('updated_at'))
self.assert_correct_status(
lb_id=self.lb_id, listener_id=self.listener_id,
pool_id=response.get('id'))
def test_update_with_empty_tls_ciphers(self):
default_ciphers = (
'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256')
self.conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
self.conf.config(group='api_settings',
default_pool_ciphers=default_ciphers)
tls_ciphers = 'DHE-RSA-AES128-GCM-SHA256'
api_pool = self.create_pool(
self.lb_id,
constants.PROTOCOL_HTTP,
constants.LB_ALGORITHM_ROUND_ROBIN,
tls_enabled=True,
tls_ciphers=tls_ciphers,
listener_id=self.listener_id).get(self.root_tag)
self.set_lb_status(lb_id=self.lb_id)
self.assertTrue(api_pool['tls_enabled'])
self.assertEqual(tls_ciphers, api_pool['tls_ciphers'])
new_pool = {'tls_ciphers': None}
self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')),
self._build_body(new_pool))
self.assert_correct_status(
lb_id=self.lb_id, listener_id=self.listener_id,
pool_id=api_pool.get('id'),
lb_prov_status=constants.PENDING_UPDATE,
listener_prov_status=constants.PENDING_UPDATE,
pool_prov_status=constants.PENDING_UPDATE)
self.set_lb_status(self.lb_id)
response = self.get(self.POOL_PATH.format(
pool_id=api_pool.get('id'))).json.get(self.root_tag)
self.assertEqual(default_ciphers, response['tls_ciphers'])
self.assertIsNotNone(response.get('created_at'))
self.assertIsNotNone(response.get('updated_at'))
self.assert_correct_status(
lb_id=self.lb_id, listener_id=self.listener_id,
pool_id=response.get('id'))
def test_delete(self): def test_delete(self):
api_pool = self.create_pool( api_pool = self.create_pool(
self.lb_id, self.lb_id,

6
releasenotes/notes/fix-unset-for-tls_versions-tls_ciphers-in-pools-7534715ce28bd8cb.yaml Normal file
View File

@ -0,0 +1,6 @@
---
fixes:
- |
Fix an issue when updating ``tls_versions`` and ``tls_ciphers`` in Pools
with empty (None) values, unsetting theses parameters now resets their
values to the default values.