Add support for HTTP Strict Transport Security

Updates needed by Octavia for its HSTS support. Partial-Bug: #2017972 Change-Id: I3a97f526f9be38c814657a223125b398b5014122
2023-04-27 10:57:58 +02:00 · 2023-04-27 10:57:58 +02:00 · bad19004b0
commit bad19004b0
parent 53200266b3
4 changed files with 26 additions and 4 deletions
--- a/octavia_lib/api/drivers/data_models.py
+++ b/octavia_lib/api/drivers/data_models.py
@ -14,6 +14,7 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
+import typing as tp


 class BaseDataModel():
@ -133,7 +134,8 @@ class Listener(BaseDataModel):
                 client_authentication=Unset, client_crl_container_ref=Unset,
                 client_crl_container_data=Unset, project_id=Unset,
                 allowed_cidrs=Unset, tls_versions=Unset, tls_ciphers=Unset,
-                 alpn_protocols=Unset):
+                 alpn_protocols=Unset, hsts_max_age=Unset,
+                 hsts_include_subdomains=Unset, hsts_preload=Unset):

        self.admin_state_up = admin_state_up
        self.connection_limit = connection_limit
@ -165,6 +167,10 @@ class Listener(BaseDataModel):
        self.tls_versions = tls_versions
        self.tls_ciphers = tls_ciphers
        self.alpn_protocols = alpn_protocols
+        self.hsts_max_age: tp.Union[int, UnsetType] = hsts_max_age
+        self.hsts_include_subdomains: tp.Union[bool, UnsetType] = (
+            hsts_include_subdomains)
+        self.hsts_preload: tp.Union[bool, UnsetType] = hsts_preload


 class Pool(BaseDataModel):
--- a/octavia_lib/common/constants.py
+++ b/octavia_lib/common/constants.py
@ -234,6 +234,9 @@ EXPECTED_CODES = 'expected_codes'
 FALL_THRESHOLD = 'fall_threshold'
 HEALTHMONITOR = 'healthmonitor'
 HEALTHMONITOR_ID = 'healthmonitor_id'
+HSTS_MAX_AGE = 'hsts_max_age'
+HSTS_INCLUDE_SUBDOMAINS = 'hsts_include_subdomains'
+HSTS_PRELOAD = 'hsts_preload'
 HTTP_METHOD = 'http_method'
 HTTP_VERSION = 'http_version'
 INSERT_HEADERS = 'insert_headers'
--- a/octavia_lib/tests/unit/api/drivers/test_data_models.py
+++ b/octavia_lib/tests/unit/api/drivers/test_data_models.py
@ -110,7 +110,11 @@ class TestProviderDataModels(base.TestCase):
            tls_ciphers=None,
            alpn_protocols=[constants.ALPN_PROTOCOL_HTTP_1_0,
                            constants.ALPN_PROTOCOL_HTTP_1_1,
-                            constants.ALPN_PROTOCOL_HTTP_2])
+                            constants.ALPN_PROTOCOL_HTTP_2],
+            hsts_max_age=None,
+            hsts_include_subdomains=None,
+            hsts_preload=None,
+        )

        self.ref_lb = data_models.LoadBalancer(
            admin_state_up=False,
@ -262,7 +266,11 @@ class TestProviderDataModels(base.TestCase):
            'tls_ciphers': None,
            'alpn_protocols': [constants.ALPN_PROTOCOL_HTTP_1_0,
                               constants.ALPN_PROTOCOL_HTTP_1_1,
-                               constants.ALPN_PROTOCOL_HTTP_2]}
+                               constants.ALPN_PROTOCOL_HTTP_2],
+            'hsts_max_age': None,
+            'hsts_include_subdomains': None,
+            'hsts_preload': None,
+        }

        self.ref_lb_dict_with_listener = {
            'admin_state_up': False,
@ -277,7 +285,8 @@ class TestProviderDataModels(base.TestCase):
            'vip_port_id': self.vip_port_id,
            'vip_subnet_id': self.vip_subnet_id,
            'vip_qos_policy_id': self.vip_qos_policy_id,
-            'availability_zone': self.availability_zone}
+            'availability_zone': self.availability_zone,
+        }

        self.ref_vip_dict = {
            'vip_address': self.vip_address,
--- a/releasenotes/notes/Added-HSTS-support-7d1fbfc35ee5dc29.yaml
+++ b/releasenotes/notes/Added-HSTS-support-7d1fbfc35ee5dc29.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Added support for HTTP Strict Transport Security (HSTS).