Commit 631aab21 authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki

fixup! stack/erp5: support frontend-caucase-url-list option.

parent b1904514
...@@ -4,6 +4,7 @@ from slapos.testing.utils import findFreeTCPPort ...@@ -4,6 +4,7 @@ from slapos.testing.utils import findFreeTCPPort
from BaseHTTPServer import HTTPServer from BaseHTTPServer import HTTPServer
from BaseHTTPServer import BaseHTTPRequestHandler from BaseHTTPServer import BaseHTTPRequestHandler
import OpenSSL.SSL
from cryptography.hazmat.backends import default_backend from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization, hashes from cryptography.hazmat.primitives import serialization, hashes
from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives.asymmetric import rsa
...@@ -237,10 +238,19 @@ class TestFrontendXForwardedFor(ERP5InstanceTestCase): ...@@ -237,10 +238,19 @@ class TestFrontendXForwardedFor(ERP5InstanceTestCase):
'apachedex-configuration': '', 'apachedex-configuration': '',
'apachedex-promise-threshold': 100, 'apachedex-promise-threshold': 100,
'haproxy-server-check-path': '/', 'haproxy-server-check-path': '/',
'zope-family-dict': {'default': ['dummy_http_server']}, 'zope-family-dict': {
'default': ['dummy_http_server'],
'default-auth': ['dummy_http_server'],
},
'dummy_http_server': [[cls.http_server_netloc, 1, False]], 'dummy_http_server': [[cls.http_server_netloc, 1, False]],
'backend-path-dict': {'default': '/'}, 'backend-path-dict': {
'ssl-authentication-dict': {'default': False}, 'default': '/',
'default-auth': '/',
},
'ssl-authentication-dict': {
'default': False,
'default-auth': True,
},
'ssl': { 'ssl': {
'caucase-url': cls.backend_caucased_url, 'caucase-url': cls.backend_caucased_url,
'frontend-caucase-url-list': [cls.frontend_caucased_url], 'frontend-caucase-url-list': [cls.frontend_caucased_url],
...@@ -264,14 +274,15 @@ class TestFrontendXForwardedFor(ERP5InstanceTestCase): ...@@ -264,14 +274,15 @@ class TestFrontendXForwardedFor(ERP5InstanceTestCase):
super(TestFrontendXForwardedFor, cls)._cleanup(snapshot_name) super(TestFrontendXForwardedFor, cls)._cleanup(snapshot_name)
def test_x_forwarded_for_added_when_verified_connection(self): def test_x_forwarded_for_added_when_verified_connection(self):
balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default'] for backend in ('default', 'default-auth'):
result = requests.get( balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])[backend]
balancer_url, result = requests.get(
headers={'X-Forwarded-For': '1.2.3.4'}, balancer_url,
cert=self.client_certificate, headers={'X-Forwarded-For': '1.2.3.4'},
verify=False, cert=self.client_certificate,
).json() verify=False,
self.assertEqual(result['Incoming Headers'].get('x-forwarded-for').split(', ')[0], '1.2.3.4') ).json()
self.assertEqual(result['Incoming Headers'].get('x-forwarded-for').split(', ')[0], '1.2.3.4')
def test_x_forwarded_for_stripped_when_not_verified_connection(self): def test_x_forwarded_for_stripped_when_not_verified_connection(self):
balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default'] balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default']
...@@ -281,3 +292,10 @@ class TestFrontendXForwardedFor(ERP5InstanceTestCase): ...@@ -281,3 +292,10 @@ class TestFrontendXForwardedFor(ERP5InstanceTestCase):
verify=False, verify=False,
).json() ).json()
self.assertNotEqual(result['Incoming Headers'].get('x-forwarded-for').split(', ')[0], '1.2.3.4') self.assertNotEqual(result['Incoming Headers'].get('x-forwarded-for').split(', ')[0], '1.2.3.4')
balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default-auth']
with self.assertRaises(OpenSSL.SSL.Error):
requests.get(
balancer_url,
headers={'X-Forwarded-For': '1.2.3.4'},
verify=False,
)
...@@ -78,7 +78,7 @@ md5sum = d41d8cd98f00b204e9800998ecf8427e ...@@ -78,7 +78,7 @@ md5sum = d41d8cd98f00b204e9800998ecf8427e
[template-erp5] [template-erp5]
filename = instance-erp5.cfg.in filename = instance-erp5.cfg.in
md5sum = 038c367b7c4249d854bb0535891f29b3 md5sum = 82dc695e212be124d60ceb1143e56b0d
[template-zeo] [template-zeo]
filename = instance-zeo.cfg.in filename = instance-zeo.cfg.in
...@@ -90,7 +90,7 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57 ...@@ -90,7 +90,7 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57
[template-balancer] [template-balancer]
filename = instance-balancer.cfg.in filename = instance-balancer.cfg.in
md5sum = e2d2a94caed4d8a45912cd37a96a08f6 md5sum = 0097e49b5bd7ad4978c722c1cdd27d6c
[template-haproxy-cfg] [template-haproxy-cfg]
filename = haproxy.cfg.in filename = haproxy.cfg.in
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
{% set part_list = [] -%} {% set part_list = [] -%}
{% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%} {% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
{% set ssl_parameter_dict = slapparameter_dict['ssl'] -%} {% set ssl_parameter_dict = slapparameter_dict['ssl'] -%}
{% set frontend_caucase_url_list = ssl_parameter_dict.get('frontend-caucase-url-list', []) -%}
{# {#
XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6 XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
per partition. No more (undefined result), no less (IndexError). per partition. No more (undefined result), no less (IndexError).
...@@ -39,7 +40,7 @@ mode = 644 ...@@ -39,7 +40,7 @@ mode = 644
{% do section('caucase-updater-promise') -%} {% do section('caucase-updater-promise') -%}
{% set frontend_caucase_url_hash_list = [] -%} {% set frontend_caucase_url_hash_list = [] -%}
{% for frontend_caucase_url in ssl_parameter_dict['frontend-caucase-url-list'] -%} {% for frontend_caucase_url in frontend_caucase_url_list -%}
{% set hash = hashlib.md5(frontend_caucase_url).hexdigest() -%} {% set hash = hashlib.md5(frontend_caucase_url).hexdigest() -%}
{% do frontend_caucase_url_hash_list.append(hash) -%} {% do frontend_caucase_url_hash_list.append(hash) -%}
{% set data_dir = '${directory:srv}/client-cert-ca/%s' % hash -%} {% set data_dir = '${directory:srv}/client-cert-ca/%s' % hash -%}
...@@ -181,7 +182,7 @@ key = ${directory:apache-conf}/apache.pem ...@@ -181,7 +182,7 @@ key = ${directory:apache-conf}/apache.pem
# XXX caucase certificate is not supported by caddy for now # XXX caucase certificate is not supported by caddy for now
caucase-cert = ${directory:apache-conf}/apache-caucase.crt caucase-cert = ${directory:apache-conf}/apache-caucase.crt
caucase-key = ${directory:apache-conf}/apache-caucase.pem caucase-key = ${directory:apache-conf}/apache-caucase.pem
{% if ssl_parameter_dict['frontend-caucase-url-list'] -%} {% if frontend_caucase_url_list -%}
depends = ${caucase-updater-housekeeper-run:recipe} depends = ${caucase-updater-housekeeper-run:recipe}
ca-cert-dir = ${directory:apache-ca-cert-dir} ca-cert-dir = ${directory:apache-ca-cert-dir}
crl-dir = ${directory:apache-crl-dir} crl-dir = ${directory:apache-crl-dir}
...@@ -231,7 +232,7 @@ cert = ${apache-ssl:cert} ...@@ -231,7 +232,7 @@ cert = ${apache-ssl:cert}
key = ${apache-ssl:key} key = ${apache-ssl:key}
cipher = cipher =
ssl-session-cache = ${directory:log}/apache-ssl-session-cache ssl-session-cache = ${directory:log}/apache-ssl-session-cache
{% if ssl_parameter_dict['frontend-caucase-url-list'] -%} {% if frontend_caucase_url_list -%}
# Client x509 auth # Client x509 auth
ca-cert-dir = ${apache-conf-ssl:ca-cert-dir} ca-cert-dir = ${apache-conf-ssl:ca-cert-dir}
crl-dir = ${apache-conf-ssl:crl-dir} crl-dir = ${apache-conf-ssl:crl-dir}
...@@ -288,7 +289,7 @@ post = test ! -s ${apache-conf-parameter-dict:pid-file} || {{ parameter_dict['bi ...@@ -288,7 +289,7 @@ post = test ! -s ${apache-conf-parameter-dict:pid-file} || {{ parameter_dict['bi
[directory] [directory]
recipe = slapos.cookbook:mkdirectory recipe = slapos.cookbook:mkdirectory
apache-conf = ${:etc}/apache apache-conf = ${:etc}/apache
{% if ssl_parameter_dict['frontend-caucase-url-list'] -%} {% if frontend_caucase_url_list -%}
apache-ca-cert-dir = ${:apache-conf}/ssl.crt apache-ca-cert-dir = ${:apache-conf}/ssl.crt
apache-crl-dir = ${:apache-conf}/ssl.crl apache-crl-dir = ${:apache-conf}/ssl.crl
{% endif -%} {% endif -%}
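Review bot: Defaulting `frontend-caucase-url-list` to `[]` in the new `{% set frontend_caucase_url_list = ... %}` line makes the three `{% if frontend_caucase_url_list -%}` guards in the later hunks (apache-conf-ssl, apache-ssl and [directory]) silently skip the ca-cert-dir and crl-dir setup whenever the option is omitted, where the old `ssl_parameter_dict['frontend-caucase-url-list']` lookup would have failed loudly. If a backend is nevertheless flagged True in `ssl-authentication-dict` (as the test's 'default-auth' family is), that backend presumably ends up with client-certificate authentication requested but no trusted CA directory configured, unless the template rejects that combination somewhere outside these hunks. A comment above the new set line stating the consequence, `{# an empty list skips the client-CA/CRL directories below; ssl-authentication-dict entries then have no CA to check against #}`, or better a template-level check that fails instantiation when the list is empty while any ssl-authentication-dict value is true, would keep that mis-configuration from being deployed quietly.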
...@@ -98,7 +98,6 @@ backup-caucased = ${:srv}/backup/caucased ...@@ -98,7 +98,6 @@ backup-caucased = ${:srv}/backup/caucased
{% do publish_dict.__setitem__('caucase-http-url', caucase_url) -%} {% do publish_dict.__setitem__('caucase-http-url', caucase_url) -%}
{% set balancer_dict = slapparameter_dict.get('balancer', {}) -%} {% set balancer_dict = slapparameter_dict.get('balancer', {}) -%}
{% do balancer_dict.setdefault('ssl', {}).setdefault('caucase-url', caucase_url) -%} {% do balancer_dict.setdefault('ssl', {}).setdefault('caucase-url', caucase_url) -%}
{% do balancer_dict['ssl'].setdefault('frontend-caucase-url-list', []) -%}
{{ request('memcached-persistent', 'kumofs', 'kumofs', {'tcpv4-port': 2000}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }} {{ request('memcached-persistent', 'kumofs', 'kumofs', {'tcpv4-port': 2000}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }}
{{ request('memcached-volatile', 'kumofs', 'memcached', {'tcpv4-port': 2010, 'ram-storage-size': 64}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }} {{ request('memcached-volatile', 'kumofs', 'memcached', {'tcpv4-port': 2010, 'ram-storage-size': 64}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }}