Allow empty string for ssl cert/key, question prompt for tls mode dis…

…plays valid tls modes based on roles
canonical · Sep 9, 2024 · 45a64f5 · 45a64f5
1 parent d18c119
commit 45a64f5
Showing 1 changed file with 5 additions and 15 deletions.
diff --git a/anvil-python/anvil/commands/haproxy.py b/anvil-python/anvil/commands/haproxy.py
@@ -47,12 +47,7 @@
 
 def validate_cert_file(filepath: str) -> None:
     if filepath == "":
-        # This question is only asked when tls_mode is "termination" or "passthrough"
-        # so not supplying a file is not an option.
-        raise ValueError(
-            "Please provide a certificate file when enabling TLS."
-        )
-
+        return
     if not os.path.isfile(filepath):
         raise ValueError(f"{filepath} does not exist")
     try:
@@ -65,11 +60,7 @@ def validate_cert_file(filepath: str) -> None:
 
 def validate_key_file(filepath: str) -> None:
     if filepath == "":
-        # This question is only asked when tls_mode is "termination" or "passthrough"
-        # so not supplying a file is not an option.
-        raise ValueError(
-            "Please provide a certificate file when enabling TLS."
-        )
+        return
     if not os.path.isfile(filepath):
         raise ValueError(f"{filepath} does not exist")
     try:
@@ -86,10 +77,9 @@ def validate_cacert_chain(filepath: str) -> None:
     if not os.path.isfile(filepath):
         raise ValueError(f"{filepath} does not exist")
     try:
+        # just make sure we can open the file
         with open(filepath) as f:
-            # TODO: better validation
-            if "BEGIN" not in f.read():
-                raise ValueError("Invalid cacert chain file")
+            pass
     except PermissionError:
         raise ValueError(f"Permission denied when trying to read {filepath}")
 
@@ -130,7 +120,7 @@ def tls_questions(tls_modes: list[str]) -> dict[str, questions.PromptQuestion]:
             validation_function=validate_cacert_chain,
         ),
         "tls_mode": questions.PromptQuestion(
-            'TLS termination at HA Proxy ("termination"), passthrough to MAAS ("passthrough"), or no TLS ("disabled")?',
+            f"TLS mode: {tls_modes}?",
             default_value="disabled",
             validation_function=get_validate_tls_mode_fn(tls_modes),
         ),