Add optional variables to support SSL CRL check configuration (voxpup…
…uli#869)

* Add optional variables to support SSL CRL check configuration

* Fix specs and lots of typos

* Remove defaults from common.yaml (definition in init.pp is preferred)

* Use Stdlib::Absolutepath instead of String for setting with path

Co-authored-by: Dmitriy Myaskovskiy <[email protected]>
dimonzozo and dimonzozo authored Jan 10, 2021
1 parent 70958be commit 736c8d9
Showing 4 changed files with 144 additions and 0 deletions.
3 changes: 3 additions & 0 deletions manifests/config.pp
Expand Up @@ -60,6 +60,9 @@
$ssl_dhfile = $rabbitmq::ssl_dhfile
$ssl_versions = $rabbitmq::ssl_versions
$ssl_ciphers = $rabbitmq::ssl_ciphers
$ssl_crl_check = $rabbitmq::ssl_crl_check
$ssl_crl_cache_hash_dir = $rabbitmq::ssl_crl_cache_hash_dir
$ssl_crl_cache_http_timeout = $rabbitmq::ssl_crl_cache_http_timeout
$stomp_port = $rabbitmq::stomp_port
$stomp_ssl_only = $rabbitmq::stomp_ssl_only
$ldap_auth = $rabbitmq::ldap_auth
36 changes: 36 additions & 0 deletions manifests/init.pp
Expand Up @@ -269,6 +269,15 @@
# Functionality can be tested with cipherscan or similar tool: https://github.com/mozilla/cipherscan
# * Erlang style: `['ecdhe_rsa,aes_256_cbc,sha', 'dhe_rsa,aes_256_cbc,sha']`
# * OpenSSL style: `['ECDHE-RSA-AES256-SHA', 'DHE-RSA-AES256-SHA']`
# @param ssl_crl_check
# Perform CRL (Certificate Revocation List) verification
# Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_check) module documentation for more information.
# @param ssl_crl_cache_hash_dir
# This setting makes use of a directory where CRLs are stored in files named by the hash of the issuer name.
# Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_cache_opts) module documentation for more information.
# @param ssl_crl_cache_http_timeout
# This setting enables use of internal CRLs cache and sets HTTP timeout interval on fetching CRLs from distributino URLs defined inside certificate.
# Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_cache_opts) module documentation for more information.
# @param stomp_port
# The port to use for Stomp.
# @param stomp_ssl_only
Expand Down Expand Up @@ -368,6 +377,9 @@
Boolean $ssl_honor_cipher_order = true,
Optional[Stdlib::Absolutepath] $ssl_dhfile = undef,
Array $ssl_ciphers = [],
Enum['true','false','peer','best_effort'] $ssl_crl_check = 'false',
Optional[Stdlib::Absolutepath] $ssl_crl_cache_hash_dir = undef,
Optional[Integer] $ssl_crl_cache_http_timeout = undef,
Boolean $stomp_ensure = false,
Boolean $ldap_auth = false,
Variant[String[1],Array[String[1]]] $ldap_server = 'ldap',
Expand Down Expand Up @@ -413,6 +425,30 @@
}
}

if $ssl_crl_check != 'false' {
unless $ssl {
fail('$ssl_crl_check requires that $ssl => true')
}
}

if $ssl_crl_cache_hash_dir {
unless $ssl {
fail('$ssl_crl_cache_hash_dir requires that $ssl => true')
}
if $ssl_crl_check == 'false' {
fail('$ssl_crl_cache_http_timeout requires that $ssl_crl_check => true|peer|best_effort')
}
}

if $ssl_crl_cache_http_timeout {
unless $ssl {
fail('$ssl_crl_cache_http_timeout requires that $ssl => true')
}
if $ssl_crl_check == 'false' {
fail('$ssl_crl_cache_http_timeout requires that $ssl_crl_check => true|peer|best_effort')
}
}

if $repos_ensure {
case $facts['os']['family'] {
'RedHat': {
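Review bot: The fail() message in the `if $ssl_crl_cache_hash_dir { ... }` block names the wrong parameter: its second guard raises `fail('$ssl_crl_cache_http_timeout requires that $ssl_crl_check => true|peer|best_effort')` and should read `fail('$ssl_crl_cache_hash_dir requires that $ssl_crl_check => true|peer|best_effort')`. The spec added for this case in rabbitmq_spec.rb passes regardless, because its regex alternation is unescaped, so the mismatch is not caught. In the same file the `@param ssl_crl_cache_http_timeout` text has the typo `distributino` → `distribution`, and the `@param ssl_crl_check` entry would be clearer if it stated that the default `'false'` leaves revocation checking disabled and that the value is written verbatim as Erlang's `crl_check` option. The validation block sits inside the class body, which begins before this hunk.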
96 changes: 96 additions & 0 deletions spec/classes/rabbitmq_spec.rb
Expand Up @@ -1161,6 +1161,102 @@
end
end

describe 'ssl options with ssl_crl_check enabled' do
let(:params) do
{ ssl: true,
ssl_port: 3141,
ssl_cacert: '/path/to/cacert',
ssl_cert: '/path/to/cert',
ssl_key: '/path/to/key',
ssl_crl_check: 'true' }
end

it 'sets ssl crl check setting to specified value' do
is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_check,true})
end
end

describe 'ssl options with ssl_crl_check and ssl_crl_hash_cache enabled' do
let(:params) do
{ ssl: true,
ssl_port: 3141,
ssl_cacert: '/path/to/cacert',
ssl_cert: '/path/to/cert',
ssl_key: '/path/to/key',
ssl_crl_check: 'true',
ssl_crl_cache_hash_dir: '/path/to/crl_cache/dir' }
end

it 'sets ssl crl check setting to specified value' do
is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_check,true})
is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_cache,\s+{ssl_crl_hash_dir,\s+{internal,\s+\[{dir, "/path/to/crl_cache/dir"}\]}}})
end
end

describe 'ssl options with ssl_crl_check and http cache enabled' do
let(:params) do
{ ssl: true,
ssl_port: 3141,
ssl_cacert: '/path/to/cacert',
ssl_cert: '/path/to/cert',
ssl_key: '/path/to/key',
ssl_crl_check: 'true',
ssl_crl_cache_http_timeout: 5000 }
end

it 'sets ssl crl check setting to specified value' do
is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_check,true})
is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_cache,\s+{ssl_crl_cache,\s+{internal,\s+\[{http, 5000}\]}}})
end
end

describe 'ssl options with ssl_crl_check enabled and not ssl' do
let(:params) do
{ ssl: false,
ssl_port: 3141,
ssl_cacert: '/path/to/cacert',
ssl_cert: '/path/to/cert',
ssl_key: '/path/to/key',
ssl_crl_check: 'true' }
end

it 'fails' do
expect { catalogue }.to raise_error(Puppet::Error, %r{\$ssl_crl_check requires that \$ssl => true})
end
end

describe 'ssl options with ssl_crl_cache_hash_dir set and not ssl_crl_check' do
let(:params) do
{ ssl: true,
ssl_port: 3141,
ssl_cacert: '/path/to/cacert',
ssl_cert: '/path/to/cert',
ssl_key: '/path/to/key',
ssl_crl_check: 'false',
ssl_crl_cache_hash_dir: '/path/to/crl_cache/dir' }
end

it 'fails' do
expect { catalogue }.to raise_error(Puppet::Error, %r{\$ssl_crl_cache_hash_dir requires that \$ssl_crl_check => true|peer|best_effort})
end
end

describe 'ssl options with ssl_crl_cache_http_timeout set and not ssl_crl_check' do
let(:params) do
{ ssl: true,
ssl_port: 3141,
ssl_cacert: '/path/to/cacert',
ssl_cert: '/path/to/cert',
ssl_key: '/path/to/key',
ssl_crl_check: 'false',
ssl_crl_cache_http_timeout: 5000 }
end

it 'fails' do
expect { catalogue }.to raise_error(Puppet::Error, %r{\$ssl_crl_cache_http_timeout requires that \$ssl_crl_check => true|peer|best_effort})
end
end

describe 'ssl admin options with specific ssl versions' do
let(:params) do
{ ssl: true,
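Review bot: The `raise_error` regexes in the two 'fails' examples for the cache options use an unescaped alternation: `%r{\$ssl_crl_cache_hash_dir requires that \$ssl_crl_check => true|peer|best_effort}` matches the full phrase OR the bare word `peer` OR `best_effort`, so any error containing `peer` satisfies it. Escape the pipes so the expectation is exact, `%r{\$ssl_crl_cache_hash_dir requires that \$ssl_crl_check => true\|peer\|best_effort}`, and likewise `%r{\$ssl_crl_cache_http_timeout requires that \$ssl_crl_check => true\|peer\|best_effort}` in the http_timeout example. With the exact pattern the hash_dir example would have exposed that init.pp raises a message naming `$ssl_crl_cache_http_timeout` for that case. There is also no example with `ssl_crl_cache_hash_dir` and `ssl_crl_cache_http_timeout` set together, which is the combination that makes the template emit two `crl_cache` entries.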
9 changes: 9 additions & 0 deletions templates/rabbitmq.config.erb
Expand Up @@ -95,6 +95,15 @@ end
<%= ssl_ciphers %>
]}
<%- end -%>
<%- if @ssl_crl_check != 'false' -%>
,{crl_check,<%= @ssl_crl_check %>}
<%- end -%>
<%- if @ssl_crl_cache_hash_dir -%>
,{crl_cache, {ssl_crl_hash_dir, {internal, [{dir, "<%= @ssl_crl_cache_hash_dir %>"}]}}}
<%- end -%>
<%- if @ssl_crl_cache_http_timeout -%>
,{crl_cache, {ssl_crl_cache, {internal, [{http, <%= @ssl_crl_cache_http_timeout %>}]}}}
<%- end -%>
]},
<%- end -%>
<% if scope['rabbitmq::config_variables'] -%>
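Review bot: When both `@ssl_crl_cache_hash_dir` and `@ssl_crl_cache_http_timeout` are set, the template writes two `crl_cache` tuples (`{ssl_crl_hash_dir, ...}` and `{ssl_crl_cache, ...}`) into the same ssl option list; Erlang's `crl_cache` option selects a single cache module, so one of the two is presumably ignored without any error to the operator. Since init.pp already validates these parameters, reject the combination there, e.g. `if $ssl_crl_cache_hash_dir and $ssl_crl_cache_http_timeout { fail('$ssl_crl_cache_hash_dir and $ssl_crl_cache_http_timeout are mutually exclusive') }`, or document which one takes effect. The directory value is also interpolated into a double-quoted Erlang string with no escaping; the `Stdlib::Absolutepath` type keeps this low-risk, but a template comment such as `<%# path is written verbatim into an Erlang string; quotes and backslashes are not escaped %>` would record the assumption.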
