Closed Bug 796088 Opened 13 years ago Closed 13 years ago

Add support for SSL-only products and mirrors to Bouncer

Categories

(Webtools :: Bouncer, defect)

Product:
Webtools
Component:
Bouncer
Type:
defect
Priority:
Not set
Severity:
blocker

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: laura, Assigned: brandon)

References

Details

Bouncer needs a simple flag on each product indicating if it has to be delivered over SSL or non-SSL (or if either is allowed), and this flag should automatically dis-allow the wrong 'types' of mirrors from ever being used for that product. This will also involve testing mirror URLs for https at the start of the string.
Blocks: 796103
Blocks: 795441
Code is up for review: https://github.com/mozilla/tuxedo/pull/14 :wenzel, :Rik: I need one of you to review the code and let me know of any changes.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2.0
Brandon, for the sake of clarity and brevity, mind putting step-by-step instructions for us to test, here? Looks like, from comment 1, there are a couple cases, at least, we need to consider. Thanks!
The easiest way to test this is with a new product and two new mirrors: one https and one http. We will need IT to manually make the product available on both mirrors. Then, when the SSL option is checked, only the SSL mirror is served; when SSL is unchecked, only the non-SSL mirror is served.
Environments: ============= * For all of the manual + automation tests below, we tested on: 1. download.allizom.org (staging) and https://bounceradmin.allizom.org/ (Bouncer-Admin staging) 2. Against 'new-prod,' before deploy, for which we tricked-out /etc/HOSTS, locally, and on our Jenkins box: #63.245.217.79 download.mozilla.org 3. download.mozilla.org 4. #63.245.217.79 bounceradmin.mozilla.com, where we set up 'qa-awesome-ssl' (SSL-only) and 'qa-awesome-nonssl' (non-SSL) products, with appropriate SSL and non-SSL mirrors (see below for specific positive and negative tests) Automation: =========== * We set up a repo at https://github.com/mozilla/bouncer-tests, and are still working on augmenting the manual + automation work we did, but it's running in our Jenkins, now, at http://qa-selenium.mv.mozilla.com:8080/view/Bouncer/ * The specific test is https://github.com/mozilla/bouncer-tests/blob/55fe3f70dc7b0589a6d294e8eabee7e5e938d95b/tests/test_redirects.py#L56 (positive test -- we'll augment this to include the negative cases too) Manual: ======= * In addition to the above, we negative and positive-tested this manually, ensuring that: ** calls to Bouncer for an SSL-CDN-only-delivered product (both directly and through an alias, like so: host-7-68:~ sdonner$ curl -IL 'https://download.mozilla.org/?product=firefox-beta-stub&lang=en-US&os=win' HTTP/1.1 302 Found) sent us to: Location: https://download-installer.cdn.mozilla.net/pub/mozilla.org/firefox/releases/stub/Firefox Beta Stub Installer.exe * and that, unchecking the "SSL-only" flag for an SSL product in Bouncer, and calling out via curl for an SSL-only product 404'd (expected, as we should never serve an SSL product (stub-installer, for now) over plain-old HTTP * furthermore, that deleting wholesale the SSL mirror (in staging) and leaving 'SSL-only' checked for an SSL-only product still 404'd us (again, didn't deliver stub-installer/SSL-only product(s) over plain-old HTTP * re-enabling the SSL-only flag with an SSL-only mirror for stub-installer (SSL-only) product immediately served us, correctly, the stub-installer, or equivalent (depending on staging/prod environment**) over the SSL CDN ** Disclaimer: we didn't want to live-test, with a real product, so, on production only, post-rollout, that the 'qa-awesome-ssl' product was served over the SSL CDN, and the non-SSL product, 'qa-awesome-nonssl' was served over plain-old HTTP Phew! Verified FIXED!
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.