fixup! stack/erp5: support frontend-caucase-url-list option.

631aab21 · Kazuhiko Shiozaki · b1904514 · 631aab21 · 631aab21 · 631aab21
Commit 631aab21 authored Jun 15, 2020 by Kazuhiko Shiozaki
4 changed files
--- a/software/erp5/test/test/test_balancer.py
+++ b/software/erp5/test/test/test_balancer.py
@@ -4,6 +4,7 @@ from slapos.testing.utils import findFreeTCPPort

 from BaseHTTPServer import HTTPServer
 from BaseHTTPServer import BaseHTTPRequestHandler
+import OpenSSL.SSL
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization, hashes
 from cryptography.hazmat.primitives.asymmetric import rsa
@@ -237,10 +238,19 @@ class TestFrontendXForwardedFor(ERP5InstanceTestCase):
        'apachedex-configuration': '',
        'apachedex-promise-threshold': 100,
        'haproxy-server-check-path': '/',
-        'zope-family-dict': {'default': ['dummy_http_server']},
+        'zope-family-dict': {
+          'default': ['dummy_http_server'],
+          'default-auth': ['dummy_http_server'],
+        },
        'dummy_http_server': [[cls.http_server_netloc, 1, False]],
-        'backend-path-dict': {'default': '/'},
-        'ssl-authentication-dict': {'default': False},
+        'backend-path-dict': {
+          'default': '/',
+          'default-auth': '/',
+        },
+        'ssl-authentication-dict': {
+          'default': False,
+          'default-auth': True,
+        },
        'ssl': {
          'caucase-url': cls.backend_caucased_url,
          'frontend-caucase-url-list': [cls.frontend_caucased_url],
@@ -264,14 +274,15 @@ class TestFrontendXForwardedFor(ERP5InstanceTestCase):
    super(TestFrontendXForwardedFor, cls)._cleanup(snapshot_name)

  def test_x_forwarded_for_added_when_verified_connection(self):
-    balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default']
-    result = requests.get(
-      balancer_url,
-      headers={'X-Forwarded-For': '1.2.3.4'},
-      cert=self.client_certificate,
-      verify=False,
-    ).json()
-    self.assertEqual(result['Incoming Headers'].get('x-forwarded-for').split(', ')[0], '1.2.3.4')
+    for backend in ('default', 'default-auth'):
+      balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])[backend]
+      result = requests.get(
+        balancer_url,
+        headers={'X-Forwarded-For': '1.2.3.4'},
+        cert=self.client_certificate,
+        verify=False,
+      ).json()
+      self.assertEqual(result['Incoming Headers'].get('x-forwarded-for').split(', ')[0], '1.2.3.4')

  def test_x_forwarded_for_stripped_when_not_verified_connection(self):
    balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default']
@@ -281,3 +292,10 @@ class TestFrontendXForwardedFor(ERP5InstanceTestCase):
      verify=False,
    ).json()
    self.assertNotEqual(result['Incoming Headers'].get('x-forwarded-for').split(', ')[0], '1.2.3.4')
+    balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default-auth']
+    with self.assertRaises(OpenSSL.SSL.Error):
+      requests.get(
+        balancer_url,
+        headers={'X-Forwarded-For': '1.2.3.4'},
+        verify=False,
+      )
--- a/stack/erp5/buildout.hash.cfg
+++ b/stack/erp5/buildout.hash.cfg
@@ -78,7 +78,7 @@ md5sum = d41d8cd98f00b204e9800998ecf8427e

 [template-erp5]
 filename = instance-erp5.cfg.in
-md5sum = 038c367b7c4249d854bb0535891f29b3
+md5sum = 82dc695e212be124d60ceb1143e56b0d

 [template-zeo]
 filename = instance-zeo.cfg.in
@@ -90,7 +90,7 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57

 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = e2d2a94caed4d8a45912cd37a96a08f6
+md5sum = 0097e49b5bd7ad4978c722c1cdd27d6c

 [template-haproxy-cfg]
 filename = haproxy.cfg.in

--- a/stack/erp5/instance-balancer.cfg.in
+++ b/stack/erp5/instance-balancer.cfg.in
@@ -2,6 +2,7 @@
 {% set part_list = [] -%}
 {% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
 {% set ssl_parameter_dict = slapparameter_dict['ssl'] -%}
+{% set frontend_caucase_url_list = ssl_parameter_dict.get('frontend-caucase-url-list', []) -%}
 {#
 XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
 per partition. No more (undefined result), no less (IndexError).
@@ -39,7 +40,7 @@ mode = 644
 {% do section('caucase-updater-promise') -%}

 {% set frontend_caucase_url_hash_list = [] -%}
-{% for frontend_caucase_url in ssl_parameter_dict['frontend-caucase-url-list'] -%}
+{% for frontend_caucase_url in frontend_caucase_url_list -%}
 {%   set hash = hashlib.md5(frontend_caucase_url).hexdigest() -%}
 {%   do frontend_caucase_url_hash_list.append(hash) -%}
 {%   set data_dir = '${directory:srv}/client-cert-ca/%s' % hash -%}
@@ -181,7 +182,7 @@ key = ${directory:apache-conf}/apache.pem
 # XXX caucase certificate is not supported by caddy for now
 caucase-cert = ${directory:apache-conf}/apache-caucase.crt
 caucase-key = ${directory:apache-conf}/apache-caucase.pem
-{% if ssl_parameter_dict['frontend-caucase-url-list'] -%}
+{% if frontend_caucase_url_list -%}
 depends = ${caucase-updater-housekeeper-run:recipe}
 ca-cert-dir = ${directory:apache-ca-cert-dir}
 crl-dir = ${directory:apache-crl-dir}
@@ -231,7 +232,7 @@ cert = ${apache-ssl:cert}
 key = ${apache-ssl:key}
 cipher =
 ssl-session-cache = ${directory:log}/apache-ssl-session-cache
-{% if ssl_parameter_dict['frontend-caucase-url-list'] -%}
+{% if frontend_caucase_url_list -%}
 # Client x509 auth
 ca-cert-dir = ${apache-conf-ssl:ca-cert-dir}
 crl-dir = ${apache-conf-ssl:crl-dir}
@@ -288,7 +289,7 @@ post = test ! -s ${apache-conf-parameter-dict:pid-file} || {{ parameter_dict['bi
 [directory]
 recipe = slapos.cookbook:mkdirectory
 apache-conf = ${:etc}/apache
-{% if ssl_parameter_dict['frontend-caucase-url-list'] -%}
+{% if frontend_caucase_url_list -%}
 apache-ca-cert-dir = ${:apache-conf}/ssl.crt
 apache-crl-dir = ${:apache-conf}/ssl.crl
 {% endif -%}

--- a/stack/erp5/instance-erp5.cfg.in
+++ b/stack/erp5/instance-erp5.cfg.in
@@ -98,7 +98,6 @@ backup-caucased = ${:srv}/backup/caucased
 {% do publish_dict.__setitem__('caucase-http-url', caucase_url) -%}
 {% set balancer_dict = slapparameter_dict.get('balancer', {}) -%}
 {% do balancer_dict.setdefault('ssl', {}).setdefault('caucase-url', caucase_url) -%}
-{% do balancer_dict['ssl'].setdefault('frontend-caucase-url-list', []) -%}

 {{ request('memcached-persistent', 'kumofs', 'kumofs', {'tcpv4-port': 2000}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }}
 {{ request('memcached-volatile', 'kumofs', 'memcached', {'tcpv4-port': 2010, 'ram-storage-size': 64}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }}