Пример #1
 def test_get_ssl_enabled_relation_certs(self, get_relation_cert_data):
     # When the (patched) certificates relation supplies a cert, key and CA,
     # get_ssl_mode() must report the relation mode with the second tuple
     # element set to True. The values are placeholder strings, not real
     # key material.
     relation_data = dict(cert='vaultcert', key='vaultkey', ca='vaultca')
     get_relation_cert_data.return_value = relation_data
     expected = ('certs-relation', True)
     self.assertEqual(ssl_utils.get_ssl_mode(), expected)
 def test_get_ssl_enabled_relation_certs(self, get_relation_cert_data):
     # Certificates delivered over the relation take the 'certs-relation'
     # mode; the fixture strings stand in for the PEM/base64 payloads.
     get_relation_cert_data.return_value = {
         'cert': 'vaultcert', 'key': 'vaultkey', 'ca': 'vaultca',
     }
     observed = ssl_utils.get_ssl_mode()
     self.assertEqual(observed, ('certs-relation', True))
 def test_get_ssl_enabled_external_ca(self):
     # ssl='on' with both ssl_key and ssl_cert configured: get_ssl_mode()
     # must return ('on', True), i.e. an operator-supplied key/cert pair
     # is in use.
     charm_config = dict(
         ssl='on',
         ssl_enabled=False,
         ssl_on=False,
         ssl_key='key1',
         ssl_cert='cert1',
     )

     def fake_config(x):
         # Unknown option names raise KeyError, as a plain dict lookup would.
         return charm_config[x]

     self.config.side_effect = fake_config
     expected = ('on', True)
     self.assertEqual(ssl_utils.get_ssl_mode(), expected)
 def test_get_ssl_enabled_false(self):
     # ssl='on' but neither ssl_key nor ssl_cert configured: the mode stays
     # 'on' while the second tuple element is False (no externally supplied
     # key/cert pair).
     charm_config = dict(
         ssl='on',
         ssl_enabled=False,
         ssl_on=False,
         ssl_key=None,
         ssl_cert=None,
     )

     def fake_config(x):
         return charm_config[x]

     self.config.side_effect = fake_config
     expected = ('on', False)
     self.assertEqual(ssl_utils.get_ssl_mode(), expected)
Пример #5
 def test_get_ssl_enabled_true(self, get_relation_cert_data):
     # Legacy flag: ssl_enabled=True must turn TLS on even though ssl='off'.
     # The relation supplies no certificate data and no key/cert is
     # configured, so the expected result is ('on', False).
     get_relation_cert_data.return_value = {}
     charm_config = dict(
         ssl='off',
         ssl_enabled=True,
         ssl_on=False,
         ssl_key=None,
         ssl_cert=None,
     )

     def fake_config(x):
         return charm_config[x]

     self.config.side_effect = fake_config
     expected = ('on', False)
     self.assertEqual(ssl_utils.get_ssl_mode(), expected)
Пример #6
 def test_get_ssl_enabled_external_ca(self, get_relation_cert_data):
     # With an empty certificates relation, a configured ssl_key/ssl_cert
     # pair and ssl='on' must yield ('on', True).
     get_relation_cert_data.return_value = {}
     charm_config = dict(
         ssl='on',
         ssl_enabled=False,
         ssl_on=False,
         ssl_key='key1',
         ssl_cert='cert1',
     )

     def fake_config(x):
         return charm_config[x]

     self.config.side_effect = fake_config
     expected = ('on', True)
     self.assertEqual(ssl_utils.get_ssl_mode(), expected)
 def test_get_ssl_enabled_true(self, get_relation_cert_data):
     # The legacy ssl_enabled=True option overrides ssl='off'; with no
     # relation certs and no configured key/cert the result is ('on', False).
     get_relation_cert_data.return_value = {}
     options = {
         'ssl': 'off', 'ssl_enabled': True, 'ssl_on': False,
         'ssl_key': None, 'ssl_cert': None,
     }

     def lookup(x):
         return options[x]

     self.config.side_effect = lookup
     observed = ssl_utils.get_ssl_mode()
     self.assertEqual(observed, ('on', False))
 def test_get_ssl_enabled_external_ca(self, get_relation_cert_data):
     # No relation certs, ssl='on', key and cert both configured: the
     # second tuple element must be True.
     get_relation_cert_data.return_value = {}
     options = {
         'ssl': 'on', 'ssl_enabled': False, 'ssl_on': False,
         'ssl_key': 'key1', 'ssl_cert': 'cert1',
     }

     def lookup(x):
         return options[x]

     self.config.side_effect = lookup
     observed = ssl_utils.get_ssl_mode()
     self.assertEqual(observed, ('on', True))
Пример #9
    def __call__(self):
        """Build the TLS template context and apply the matching port changes.

        ``ssl_utils.get_ssl_mode()`` resolves the effective mode, folding in
        the legacy options:

        ssl_enabled = True, ssl = off -> ssl enabled
        ssl_enabled = False, ssl = on -> ssl enabled

        Certificate material comes from the certificates relation, from the
        ``ssl_key``/``ssl_cert``/``ssl_ca`` config options, or from
        ``ServiceCA.get_service_cert()`` when no external pair is in use.
        The process exits with status 1 if exactly one of ``ssl_key`` and
        ``ssl_cert`` is configured.

        Returns the context dict, which always carries ``ssl_mode``.
        """
        mode, has_external_ca = ssl_utils.get_ssl_mode()
        ctxt = {'ssl_mode': mode}

        if mode == 'off':
            # TLS disabled: close the TLS port and reconfigure clients with
            # the helper's default argument.
            close_port(config('ssl_port'))
            ssl_utils.reconfigure_client_ssl()
            return ctxt

        if mode == ssl_utils.CERTS_FROM_RELATION:
            relation_certs = ssl_utils.get_relation_cert_data()
            # Templates only see 'on'; the relation mode is internal.
            ctxt['ssl_mode'] = 'on'
            # NOTE(review): a missing 'key'/'cert'/'ca' entry raises KeyError
            # here; presumably get_ssl_mode() only reports the relation mode
            # when all three are present - confirm.
            ssl_key, ssl_cert, ssl_ca = (
                convert_from_base64(relation_certs[field])
                for field in ('key', 'cert', 'ca'))
            ssl_port = config('ssl_port')
        else:
            ssl_key, ssl_cert, ssl_ca = (
                convert_from_base64(config(option))
                for option in ('ssl_key', 'ssl_cert', 'ssl_ca'))
            ssl_port = config('ssl_port')

            # Externally managed certs need both halves of the pair; a key
            # without a cert (or the reverse) is a fatal misconfiguration.
            # The message is fixed text, so no key material is logged.
            key_and_cert = (ssl_key, ssl_cert)
            half_configured = any(key_and_cert) and not all(key_and_cert)
            if mode in ('on', 'only') and half_configured:
                log('If ssl_key or ssl_cert are specified both are required.',
                    level=ERROR)
                sys.exit(1)

            if not has_external_ca:
                # No external pair: use the charm's own service CA. Note the
                # (cert, key, ca) return order, and that this also replaces
                # any ssl_ca value read from config above.
                ssl_cert, ssl_key, ssl_ca = ServiceCA.get_service_cert()

        tls_settings = self.enable_ssl(ssl_key,
                                       ssl_cert,
                                       ssl_port,
                                       ssl_ca,
                                       ssl_only=(mode == "only"),
                                       ssl_client=False)
        ctxt.update(tls_settings)
        ssl_utils.reconfigure_client_ssl(True)
        # The TLS port is opened only after enable_ssl() has returned.
        open_port(ssl_port)

        return ctxt
    def __call__(self):
        """Return the TLS context for the templates and toggle the TLS port.

        The effective mode comes from ``ssl_utils.get_ssl_mode()``, which
        also accounts for the legacy options:

        ssl_enabled = True, ssl = off -> ssl enabled
        ssl_enabled = False, ssl = on -> ssl enabled

        Key, certificate and CA are read from the certificates relation or
        from charm config; when no external pair is in use they are taken
        from ``ServiceCA.get_service_cert()`` instead. Configuring only one
        of ``ssl_key``/``ssl_cert`` logs an error and exits with status 1.
        """
        mode, external_ca = ssl_utils.get_ssl_mode()
        ctxt = dict(ssl_mode=mode)

        if mode == 'off':
            # With TLS off the TLS port is closed before clients are
            # reconfigured.
            close_port(config('ssl_port'))
            ssl_utils.reconfigure_client_ssl()
            return ctxt

        decode = convert_from_base64
        if mode == ssl_utils.CERTS_FROM_RELATION:
            certs = ssl_utils.get_relation_cert_data()
            # The relation mode is reported to templates as plain 'on'.
            ctxt['ssl_mode'] = 'on'
            # NOTE(review): indexing assumes the relation delivered all three
            # fields; an incomplete payload raises KeyError - confirm that
            # get_ssl_mode() guards against this.
            ssl_key = decode(certs['key'])
            ssl_cert = decode(certs['cert'])
            ssl_ca = decode(certs['ca'])
            ssl_port = config('ssl_port')
        else:
            ssl_key = decode(config('ssl_key'))
            ssl_cert = decode(config('ssl_cert'))
            ssl_ca = decode(config('ssl_ca'))
            ssl_port = config('ssl_port')

            # If external managed certs then we need all the fields: refuse
            # to continue with a key but no cert, or a cert but no key.
            if mode in ('on', 'only'):
                if any((ssl_key, ssl_cert)) and not all((ssl_key, ssl_cert)):
                    log('If ssl_key or ssl_cert are specified both are '
                        'required.',
                        level=ERROR)
                    sys.exit(1)

            if not external_ca:
                # Fall back to the charm-managed service CA; the helper
                # returns (cert, key, ca) in that order and overrides the
                # values decoded from config.
                ssl_cert, ssl_key, ssl_ca = ServiceCA.get_service_cert()

        ssl_only = (mode == "only")
        enabled = self.enable_ssl(
            ssl_key, ssl_cert, ssl_port, ssl_ca,
            ssl_only=ssl_only, ssl_client=False
        )
        ctxt.update(enabled)
        ssl_utils.reconfigure_client_ssl(True)
        # Expose the TLS port last, once the TLS settings have been applied.
        open_port(ssl_port)

        return ctxt