Merge lp:~roadmr/canonical-identity-provider/ssl-utilities into lp:canonical-identity-provider/release

Proposed by Daniel Manrique on 2019-08-30
Status: Merged
Approved by: Daniel Manrique on 2019-08-30
Approved revision: 1695
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: lp:~roadmr/canonical-identity-provider/ssl-utilities
Merge into: lp:canonical-identity-provider/release
Diff against target: 54 lines (+31/-1)
2 files modified
Makefile (+8/-1)
README (+23/-0)
To merge this branch: bzr merge lp:~roadmr/canonical-identity-provider/ssl-utilities
Reviewer: Guillermo Gonzalez
Review type: (none)
Date requested: 2019-08-30
Status: Approve on 2019-08-30
Review via email: mp+372079@code.launchpad.net

Commit message

Add run-ssl makefile target and README instructions

Description of the change

This is preliminary to U2F-enablement work as U2F only works over a secure connection - this makes dev/testing on non-localhost easier/possible.

Guillermo Gonzalez (verterok) wrote :

LGTM

review: Approve

Preview Diff

1=== modified file 'Makefile'
2--- Makefile 2019-04-30 19:14:58 +0000
3+++ Makefile 2019-08-30 16:20:39 +0000
4@@ -186,8 +186,15 @@
5 $(DJANGO_MANAGE) $(ARGS)
6
7 run: ARGS=0.0.0.0:8000
8+run: PID_ID=gunicorn
9 run: collectstatic django-check ## Start development server
10- $(ENV)/bin/gunicorn django_project.wsgi:application --workers=2 --reload --pid=logs/gunicorn.pid --bind=$(ARGS) --timeout=99999 --error-logfile=- --access-logfile=-
11+ $(ENV)/bin/gunicorn django_project.wsgi:application --workers=2 --reload --pid=logs/$(PID_ID).pid --bind=$(ARGS) --timeout=99999 --error-logfile=- --access-logfile=- $(SSL_CONFIG)
12+
13+run-ssl: dev-sso.crt
14+ $(MAKE) run SSL_CONFIG="--certfile=dev-sso.crt --keyfile=dev-sso.key --ssl-version 2" ARGS=0.0.0.0:8443 SSO_ROOT_URL=https://sso-xenial:8443 PID_ID=gunicorn-ssl
15+
16+dev-sso.crt:
17+ openssl req -x509 -nodes -newkey rsa:4096 -keyout dev-sso.key -out dev-sso.crt -days 365 -subj '/CN=sso-xenial'
18
19 start: bootstrap start-db
20
21
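Review bot: the dev-sso.crt rule produces two files (dev-sso.key via -keyout and dev-sso.crt via -out) but names only the certificate as its target, so if dev-sso.key is removed while dev-sso.crt remains, make treats the target as up to date and run-ssl fails when gunicorn cannot open the key; declaring both files as targets, or checking for the key inside the rule, avoids that. The key is written unencrypted (-nodes) into the project root and the certificate expires after 365 days without ever being regenerated, so both files belong in .bzrignore (and in a clean target) so that a private key is never committed and a stale certificate can be dropped. The certificate also carries only a CN (-subj '/CN=sso-xenial') and no subjectAltName; current browsers ignore the CN for hostname matching and reject such a certificate, which matters for the in-browser U2F testing this is meant to support; on OpenSSL 1.1.1 or later, adding -addext 'subjectAltName=DNS:sso-xenial' to the openssl req line fixes that (older releases need the extension supplied through a config file). Lastly, "--ssl-version 2" in the run-ssl recipe is a bare constant: it is the value of Python's ssl.PROTOCOL_SSLv23 (alias ssl.PROTOCOL_TLS), meaning negotiate the highest common TLS version, which is already gunicorn's default and not SSLv2 as the number suggests, so either drop the flag or comment what it selects so nobody misreads it.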
22=== modified file 'README'
23--- README 2019-03-13 20:49:20 +0000
24+++ README 2019-08-30 16:20:39 +0000
25@@ -242,6 +242,29 @@
26
27 Add the output config (LP_API_URL etc.) to "../local_config/settings.py"
28
29+14. (Optional) Use SSL for the development service
30+
31+ Testing some features on a development instance might require this: an
32+ example is SAML because SAML only works over a secure connection.
33+
34+ There's a run-ssl target just for this. It will start the service on port
35+ 8443 with a self-signed certificate (which is created if it didn't exist).
36+
37+ Importantly, a non-ssl process must also be running ("make run") because
38+ internal API communication goes over http.
39+
40+ $ # On one terminal/tmux window
41+ $ make run
42+ $ # On another terminal/tmux window
43+ $ make run-ssl
44+ $ # Test that SSL works
45+ $ curl -k --head https://sso-xenial:8443
46+ HTTP/1.1 200 OK
47+
48+ If the self-signed certificates are not enough for your purposes, you can
49+ place any certificate in dev-sso.crt and its key in dev-sso.key in the
50+ project's root and run-ssl will use those.
51+
52
53 BAZAAR
54 ------