From c6d587c791e6902730bb13ec62726bc22e1f6014 Mon Sep 17 00:00:00 2001
From: Carlos Goncalves
Date: Mon, 3 Aug 2020 00:05:18 +0200
Subject: [PATCH] Add ALPN support for listeners

Users can define a list of application layer protocols to be negotiated over a secure connection. For example, users can limit to HTTP/2 or to HTTP/2 and HTTP/1.1 but exclude HTTP/1.0.

Depends-On: https://review.opendev.org/#/c/744520/
Change-Id: Ia7afa9268650744710bc486de1302eb36ac3849d
---
 octaviaclient/osc/v2/constants.py | 3 ++-
 octaviaclient/osc/v2/listener.py | 23 +++++++++++++++++++
 octaviaclient/osc/v2/utils.py | 1 +
 octaviaclient/tests/unit/osc/v2/constants.py | 3 ++-
 .../tests/unit/osc/v2/test_listener.py | 20 ++++++++++++----
 ...pn-support-listeners-6508704b5c8944d2.yaml | 7 ++++++
 6 files changed, 51 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/add-alpn-support-listeners-6508704b5c8944d2.yaml
diff --git a/octaviaclient/osc/v2/constants.py b/octaviaclient/osc/v2/constants.py
index 94770d5..33d799f 100644
--- a/octaviaclient/osc/v2/constants.py
+++ b/octaviaclient/osc/v2/constants.py
@@ -78,7 +78,8 @@ LISTENER_ROWS = (
 'client_crl_container_ref',
 'allowed_cidrs',
 'tls_ciphers',
- 'tls_versions')
+ 'tls_versions',
+ 'alpn_protocols')
 LISTENER_COLUMNS = (
 'id',
diff --git a/octaviaclient/osc/v2/listener.py b/octaviaclient/osc/v2/listener.py
index 24e5f46..b8a8ff8 100644
--- a/octaviaclient/osc/v2/listener.py
+++ b/octaviaclient/osc/v2/listener.py
@@ -190,6 +190,15 @@ class CreateListener(command.ShowOne):
 help="Set the TLS protocol version to be used "
 "by the listener (can be set multiple times)."
 )
+ parser.add_argument(
+ '--alpn-protocol',
+ dest='alpn_protocols',
+ metavar='',
+ nargs='?',
+ action='append',
+ help="Set the ALPN protocol to be used "
+ "by the listener (can be set multiple times)."
+ )
 return parser
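Review bot: `nargs='?'` combined with `action='append'` on the new `--alpn-protocol` option lets a bare `--alpn-protocol` with no value parse successfully and append `None`, so `alpn_protocols` arrives as `[None]` and the `('alpn_protocols', list)` mapping added in utils.py presumably forwards that list to the API instead of failing client-side with a clear argparse error. Dropping the `nargs='?',` line makes argparse require exactly one value per occurrence while `action='append'` still allows the option to be repeated; the identical block added to SetListener in the next hunk needs the same change. This appears to mirror the existing `--tls-version` definition just above the hunk, so that option may share the problem, though its nargs setting is outside the hunk. `metavar=''` may be an artifact of the page's extraction stripping an angle-bracket placeholder; if it is literally empty, the option's usage line shows no value placeholder. The enclosing get_parser method starts outside the hunk.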
@@ -500,6 +509,15 @@ class SetListener(command.Command):
 help="Set the TLS protocol version to be used "
 "by the listener (can be set multiple times)."
 )
+ parser.add_argument(
+ '--alpn-protocol',
+ dest='alpn_protocols',
+ metavar='',
+ nargs='?',
+ action='append',
+ help="Set the ALPN protocol to be used "
+ "by the listener (can be set multiple times)."
+ )
 return parser
@@ -615,6 +633,11 @@ class UnsetListener(command.Command):
 action='store_true',
 help='Wait for action to complete',
 )
+ parser.add_argument(
+ '--alpn-protocols',
+ action='store_true',
+ help="Clear all ALPN protocols from the listener."
+ )
 return parser
 def take_action(self, parsed_args):
diff --git a/octaviaclient/osc/v2/utils.py b/octaviaclient/osc/v2/utils.py
index e67d41a..5607d6a 100644
--- a/octaviaclient/osc/v2/utils.py
+++ b/octaviaclient/osc/v2/utils.py
@@ -227,6 +227,7 @@ def get_listener_attrs(client_manager, parsed_args):
 'allowed_cidrs': ('allowed_cidrs', list),
 'tls_ciphers': ('tls_ciphers', str),
 'tls_versions': ('tls_versions', list),
+ 'alpn_protocols': ('alpn_protocols', list),
 }
 _attrs = vars(parsed_args)
diff --git a/octaviaclient/tests/unit/osc/v2/constants.py b/octaviaclient/tests/unit/osc/v2/constants.py
index f9af4aa..9c0f14e 100644
--- a/octaviaclient/tests/unit/osc/v2/constants.py
+++ b/octaviaclient/tests/unit/osc/v2/constants.py
@@ -80,7 +80,8 @@ LISTENER_ATTRS = {
 'client_crl_container_ref': uuidutils.generate_uuid(dashed=True),
 "allowed_cidrs": ['192.0.2.0/24', '198.51.100.0/24'],
 'tls_ciphers': "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
- 'tls_versions': ['TLSv1.1', 'TLSv1.2']
+ 'tls_versions': ['TLSv1.1', 'TLSv1.2'],
+ 'alpn_protocols': ['h2', 'http/1.1']
 }
 LOADBALANCER_ATTRS = {
diff --git a/octaviaclient/tests/unit/osc/v2/test_listener.py b/octaviaclient/tests/unit/osc/v2/test_listener.py
index d6c6972..9b225de 100644
--- a/octaviaclient/tests/unit/osc/v2/test_listener.py
+++ b/octaviaclient/tests/unit/osc/v2/test_listener.py
@@ -196,7 +196,11 @@ class TestListenerCreate(TestListener):
 '--tls-version',
 self._listener.tls_versions[0],
 '--tls-version',
- self._listener.tls_versions[1]]
+ self._listener.tls_versions[1],
+ '--alpn-protocol',
+ self._listener.alpn_protocols[0],
+ '--alpn-protocol',
+ self._listener.alpn_protocols[1]]
 verifylist = [
 ('loadbalancer', 'mock_lb_id'),
@@ -214,7 +218,9 @@ class TestListenerCreate(TestListener):
 ('tls_ciphers', self._listener.tls_ciphers),
 ('tls_versions',
- self._listener.tls_versions)
+ self._listener.tls_versions),
+ ('alpn_protocols',
+ self._listener.alpn_protocols),
 ]
 parsed_args = self.check_parser(self.cmd, arglist, verifylist)
@@ -300,7 +306,11 @@ class TestListenerSet(TestListener):
 '--tls-version',
 self._listener.tls_versions[0],
 '--tls-version',
- self._listener.tls_versions[1]]
+ self._listener.tls_versions[1],
+ '--alpn-protocol',
+ self._listener.alpn_protocols[0],
+ '--alpn-protocol',
+ self._listener.alpn_protocols[1]]
 verifylist = [
 ('listener', self._listener.id),
 ('name', 'new_name'),
@@ -315,7 +325,8 @@ class TestListenerSet(TestListener):
 self._listener.client_crl_container_ref),
 ('allowed_cidrs', self._listener.allowed_cidrs),
 ('tls_ciphers', self._listener.tls_ciphers),
- ('tls_versions', self._listener.tls_versions)
+ ('tls_versions', self._listener.tls_versions),
+ ('alpn_protocols', self._listener.alpn_protocols)
 ]
 parsed_args = self.check_parser(self.cmd, arglist, verifylist)
@@ -336,6 +347,7 @@ class TestListenerSet(TestListener):
 'allowed_cidrs': self._listener.allowed_cidrs,
 'tls_ciphers': self._listener.tls_ciphers,
 'tls_versions': self._listener.tls_versions,
+ 'alpn_protocols': self._listener.alpn_protocols,
 }})
 @mock.patch('osc_lib.utils.wait_for_status')
diff --git a/releasenotes/notes/add-alpn-support-listeners-6508704b5c8944d2.yaml b/releasenotes/notes/add-alpn-support-listeners-6508704b5c8944d2.yaml
new file mode 100644
index 0000000..5adfaf4
--- /dev/null
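Review bot: No test covers the new UnsetListener `--alpn-protocols` flag: the hunks in this file extend only TestListenerCreate (`@@ -196`, `@@ -214`) and TestListenerSet (`@@ -300` onward), and the diffstat lists no other test file. Unless an existing generic unset test already enumerates every store_true option, a case that passes `--alpn-protocols` to the unset command and asserts the request payload sent for the listener would exercise the third listener.py hunk. The `arglist` additions also only supply well-formed values; a case giving `--alpn-protocol` with no value would pin down whether the client rejects it or forwards a `None` entry. Each test method touched here starts and ends outside its hunk.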
+++ b/releasenotes/notes/add-alpn-support-listeners-6508704b5c8944d2.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Added ALPN support for listeners with parameter ``--alpn-protocol`` (can
+ be set multiple times). Users can define a list of application layer
+ protocols to be negotiated over a secure connection. For example, users
+ can limit to HTTP/2 or to HTTP/2 and HTTP/1.1 but exclude HTTP/1.0.