Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Warn if $ssl=false but $ssl_port == $listen_port (#1015) #1022

Merged
merged 1 commit into from
Apr 13, 2017
Merged

Warn if $ssl=false but $ssl_port == $listen_port (#1015) #1022

merged 1 commit into from
Apr 13, 2017

Conversation

wyardley
Copy link
Collaborator

See #1015
I would appreciate review on this... I'm not totally sure why these tests exist, or why there appear to be 2 sets of identical tests there:
https://github.com/voxpupuli/puppet-nginx/blob/master/spec/defines/resource_server_spec.rb#L1019-L1057
vs, say, https://github.com/voxpupuli/puppet-nginx/blob/master/spec/defines/resource_server_spec.rb#L1071-L1086

or what the use case is for having ssl_port == listen_port when ssl is _not_true, but I think this PR might make some sense.

# Try to error in the case where the user sets ssl_port == listen_port but
# doesn't set ssl = true
if (!($ssl == true) and ($ssl_port == $listen_port)) {
fail('nginx: ssl must be true if listen_port is the same as ssl_port')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd support a warning here, but a failure seems over the top.

Copy link
Collaborator Author

@wyardley wyardley Apr 12, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I agree. It's now a warning.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The failure is still here :/

@oranenj
Copy link
Contributor

oranenj commented Apr 2, 2017

Is this the correct fix? Setting $ssl_port to $listen_port and $ssl = true sounds like valid configuration, so perhaps the module behaviour should be fixed instead?

@oranenj
Copy link
Contributor

oranenj commented Apr 2, 2017

I think this might be at least tangentially related to #1029 as well?

@wyardley
Copy link
Collaborator Author

wyardley commented Apr 4, 2017

@oranenj I am not sure if this should fail either, but, just to be clear, it's !($ssl = true), not $ssl = true.

@wyardley
Copy link
Collaborator Author

wyardley commented Apr 6, 2017

I updated it to just warn, and rebased. Still need to look into what the rspec syntax is to test for a warning, and fix the test

@wyardley wyardley changed the title Fail with error if $ssl=false but $ssl_port == $listen_port (#1015) warn if $ssl=false but $ssl_port == $listen_port (#1015) Apr 6, 2017
@vinzent
Copy link
Contributor

vinzent commented Apr 11, 2017

maybe @oranenj can review this again?

@wyardley wyardley removed the bug Something isn't working label Apr 12, 2017
@wyardley wyardley requested a review from oranenj April 12, 2017 04:40
@wyardley
Copy link
Collaborator Author

Do folks think this is a reasonable way to handle the inability to test warnings in this context for now? Basically, I left the test there as a pending test, and the message string is still in there for reference.

@oranenj
Copy link
Contributor

oranenj commented Apr 12, 2017

@wyardley: I have no idea how to test for warnings, unfortunately. All I know of rspec is what I've seen in other specs.

Anyway, the code I see still has a fail() call. It might also be possible to enforce $ssl = true (maybe with a warning) if $ssl_port is set. Would that be surprising behaviour?

# Try to error in the case where the user sets ssl_port == listen_port but
# doesn't set ssl = true
if (!($ssl == true) and ($ssl_port == $listen_port)) {
fail('nginx: ssl must be true if listen_port is the same as ssl_port')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The failure is still here :/

@wyardley
Copy link
Collaborator Author

wyardley commented Apr 12, 2017

@oranenj D'oh, sorry about that. Updated. Take a look.

It might also be possible to enforce $ssl = true (maybe with a warning) if $ssl_port is set. Would that be surprising behaviour?

I think there are valid use cases for this; it's only when ssl_port and listen_port are the same that it's an issue, as there are valid configs that have both SSL and non-SSL in the same server resource, if that makes sense.

ssl_port defaults to 443, so it doesn't have to be set unless you're using a non-default port. But I think you could have a single resource with listen_port=80 and ssl_port=4443 and that would be valid.

Edit: I see what you're saying, warn if ssl is not true but ssl_port is set, right? I thought there was another ticket or PR about that, but not sure. It would definitely be easy to accomplish.

@oranenj
Copy link
Contributor

oranenj commented Apr 12, 2017

Yeah, these changes look fine to me.

@wyardley wyardley merged commit 7ffd7b3 into voxpupuli:master Apr 13, 2017
@alexjfisher alexjfisher added the enhancement New feature or request label Aug 1, 2017
@alexjfisher alexjfisher changed the title warn if $ssl=false but $ssl_port == $listen_port (#1015) Warn if $ssl=false but $ssl_port == $listen_port (#1015) Aug 1, 2017
cegeka-jenkins pushed a commit to cegeka/puppet-nginx that referenced this pull request Sep 13, 2019
warn if $ssl=false but $ssl_port == $listen_port (voxpupuli#1015)
Rubueno pushed a commit to Rubueno/puppet-nginx that referenced this pull request Oct 19, 2020
warn if $ssl=false but $ssl_port == $listen_port (voxpupuli#1015)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants