From f428e318d2ca4406d8a68d99a7a1fec342373612 2020-07-27 00:30:32
From: Branko Majic
Date: 2020-07-27 00:30:32
Subject: [PATCH] MAR-162: Make the https_tls_certificate and https_tls_key parameters mandatory in wsgi_website role: - Dropped the defaults from wsgi_server role. - Updated group variables in role tests. - Changed the key/certificate file extensions to be more descriptive. - Updated role reference documentation. - Updated usage instructions to include the mandatory parameters.
---
diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 3c2857034d4a6fa239f72bd49ea57d8618ba1281..04e053e326577c50fac9e2b748567ff7d1e611e4 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -1814,11 +1814,11 @@ Parameters
 Version of Gunicorn to deploy in virtual environment for running the WSGI application. Default version is tested with the test site.
-**https_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' + fqdn + '_https.pem') }}``)
+**https_tls_certificate** (string, mandatory)
 X.509 certificate used for TLS for HTTPS service. The file will be stored in directory ``/etc/ssl/certs/`` under name ``{{ fqdn }}_https.pem``.
-**https_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' + fqdn + '_https.key') }}``)
+**https_tls_key** (string, mandatory)
 Private key used for TLS for HTTPS service. The file will be stored in directory ``/etc/ssl/private/`` under name ``{{ fqdn }}_https.key``.
diff --git a/docs/usage.rst b/docs/usage.rst
index 33174c8f5e5be40ef5ee885cfbcf9fbd8af9916d..f55fda988a2835c0b588c90c29ea682c09c129ba 100644
--- a/docs/usage.rst
+++ b/docs/usage.rst
@@ -1727,6 +1727,9 @@ on the safe side:
 dependencies:
 - role: wsgi_website
 fqdn: wiki.example.com
+ # TLS key and certificate to use for the virtual host.
+ https_tls_certificate: "{{ lookup('file', 'tls/wiki.example.com_https.pem') }}"
+ https_tls_key: "{{ lookup('file', 'tls/wiki.example.com_https.key') }}"
 # In many cases you need to have some development packages available
 # in order to build Python packages installed via pip
 packages:
diff --git a/roles/wsgi_website/defaults/main.yml b/roles/wsgi_website/defaults/main.yml
index 27fe4ec967bcfcb691e3ab8abf945de37ed9ecb5..b62bfe8dc71a21cef8cbdd379307ca5c8dd87bd2 100644
--- a/roles/wsgi_website/defaults/main.yml
+++ b/roles/wsgi_website/defaults/main.yml
@@ -8,8 +8,6 @@ static_locations: []
 use_paste: false
 virtualenv_packages: []
 environment_variables: {}
-https_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + fqdn + '_https.pem') }}"
-https_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + fqdn + '_https.key') }}"
 gunicorn_version: "19.9.0"
 futures_version: "3.2.0"
 website_mail_recipients: "root"
diff --git a/roles/wsgi_website/molecule/default/playbook.yml b/roles/wsgi_website/molecule/default/playbook.yml
index a4643d6c3efe3352b527bb414402abcc37a6a9f6..f7ca47a388e6789c177af87fb7196ee60a8c7295 100644
--- a/roles/wsgi_website/molecule/default/playbook.yml
+++ b/roles/wsgi_website/molecule/default/playbook.yml
@@ -11,17 +11,17 @@
 default_https_tls_certificate: "{{ lookup('file', 'tests/data/x509/wsgi-website_https.cert.pem') }}"
 default_https_tls_key: "{{ lookup('file', 'tests/data/x509/wsgi-website_https.key.pem') }}"
- # Common parameters (general, not role).
- tls_certificate_dir: tests/data/x509/
- tls_private_key_dir: tests/data/x509/
-
 roles:
 - role: wsgi_website
 fqdn: parameters-mandatory
+ https_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-mandatory_https.cert.pem') }}"
+ https_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-mandatory_https.key.pem') }}"
 wsgi_application: testapp:application
 - role: wsgi_website
 fqdn: parameters-optional.local
+ https_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional.local_https.cert.pem') }}"
+ https_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional.local_https.key.pem') }}"
 additional_nginx_config:
 - comment: Custom missing page.
 value: error_page 404 /my/own/error/page;
@@ -35,8 +35,6 @@
 MY_ENV_VAR: "My environment variable"
 futures_version: 3.1.0
 gunicorn_version: 19.7.0
- https_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional.local_https.cert.pem') }}"
- https_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional.local_https.key.pem') }}"
 packages:
 - "libmariadbclient-dev-compat"
 - global
diff --git a/roles/wsgi_website/molecule/default/tests/data/x509/parameters-mandatory_https.pem b/roles/wsgi_website/molecule/default/tests/data/x509/parameters-mandatory_https.cert.pem
similarity index 100%
rename from roles/wsgi_website/molecule/default/tests/data/x509/parameters-mandatory_https.pem
rename to roles/wsgi_website/molecule/default/tests/data/x509/parameters-mandatory_https.cert.pem
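Review bot: Nothing in this scenario, or as far as the diff shows in the role itself, checks that `https_tls_certificate` and `https_tls_key` are actually supplied now that their defaults are gone: the new lines under `fqdn: parameters-mandatory` and `fqdn: parameters-optional.local` only exercise the case where both are present, so a caller omitting either one will fail with an undefined-variable error at whichever task first templates it rather than with a clear message at role entry. Unless `tasks/main.yml` (not part of this diff) already does so, an early `assert` with `that: [https_tls_certificate is defined, https_tls_key is defined]` and a `fail_msg` naming both parameters would make the mandatory status explicit, and a molecule case that omits them could verify the failure. Because the key is now passed inline as a variable instead of being resolved from `tls_private_key_dir`, it is also worth confirming that the task writing it under `/etc/ssl/private/` sets `no_log: true`, since otherwise verbose or `--diff` runs can print the private key.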
diff --git a/roles/wsgi_website/molecule/default/tests/data/x509/parameters-mandatory_https.key b/roles/wsgi_website/molecule/default/tests/data/x509/parameters-mandatory_https.key.pem
similarity index 100%
rename from roles/wsgi_website/molecule/default/tests/data/x509/parameters-mandatory_https.key
rename to roles/wsgi_website/molecule/default/tests/data/x509/parameters-mandatory_https.key.pem
diff --git a/roles/wsgi_website/molecule/default/tests/test_default.py b/roles/wsgi_website/molecule/default/tests/test_default.py
index 8ee813ee6eca141c64fd1d10fcbb92b4ac8e67b1..141a3fb2bbfed358ebed42bead4cc11295ac9ff0 100644
--- a/roles/wsgi_website/molecule/default/tests/test_default.py
+++ b/roles/wsgi_website/molecule/default/tests/test_default.py
@@ -453,7 +453,7 @@ def test_static_file_directory(host, directory_path, expected_owner, expected_gr
 @pytest.mark.parametrize("private_key_path, certificate_path, expected_private_key, expected_certificate", [
 ('/etc/ssl/private/parameters-mandatory_https.key', '/etc/ssl/certs/parameters-mandatory_https.pem',
- 'tests/data/x509/parameters-mandatory_https.key', 'tests/data/x509/parameters-mandatory_https.pem'),
+ 'tests/data/x509/parameters-mandatory_https.key.pem', 'tests/data/x509/parameters-mandatory_https.cert.pem'),
 ('/etc/ssl/private/parameters-optional.local_https.key', '/etc/ssl/certs/parameters-optional.local_https.pem',
 'tests/data/x509/parameters-optional.local_https.key.pem', 'tests/data/x509/parameters-optional.local_https.cert.pem'),
 ('/etc/ssl/private/parameters-paste-req_https.key', '/etc/ssl/certs/parameters-paste-req_https.pem',