diff --git a/manifests/config.pp b/manifests/config.pp
index db5e98e2b..af79444bb 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -60,6 +60,9 @@
 $ssl_dhfile = $rabbitmq::ssl_dhfile
 $ssl_versions = $rabbitmq::ssl_versions
 $ssl_ciphers = $rabbitmq::ssl_ciphers
+ $ssl_crl_check = $rabbitmq::ssl_crl_check
+ $ssl_crl_cache_hash_dir = $rabbitmq::ssl_crl_cache_hash_dir
+ $ssl_crl_cache_http_timeout = $rabbitmq::ssl_crl_cache_http_timeout
 $stomp_port = $rabbitmq::stomp_port
 $stomp_ssl_only = $rabbitmq::stomp_ssl_only
 $ldap_auth = $rabbitmq::ldap_auth
diff --git a/manifests/init.pp b/manifests/init.pp
index 90cf3a994..ec7689af0 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -269,6 +269,15 @@
 # Functionality can be tested with cipherscan or similar tool: https://github.com/mozilla/cipherscan
 # * Erlang style: `['ecdhe_rsa,aes_256_cbc,sha', 'dhe_rsa,aes_256_cbc,sha']`
 # * OpenSSL style: `['ECDHE-RSA-AES256-SHA', 'DHE-RSA-AES256-SHA']`
+# @param ssl_crl_check
+# Perform CRL (Certificate Revocation List) verification
+# Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_check) module documentation for more information.
+# @param ssl_crl_cache_hash_dir
+# This setting makes use of a directory where CRLs are stored in files named by the hash of the issuer name.
+# Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_cache_opts) module documentation for more information.
+# @param ssl_crl_cache_http_timeout
+# This setting enables use of internal CRLs cache and sets HTTP timeout interval on fetching CRLs from distributino URLs defined inside certificate.
+# Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_cache_opts) module documentation for more information.
 # @param stomp_port
 # The port to use for Stomp.
 # @param stomp_ssl_only
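Review bot: The `@param ssl_crl_check` doc never says what the four values do, although they differ in how a certificate whose revocation status cannot be determined is treated; per the linked Erlang docs, `true` checks the whole chain, `peer` only the peer certificate, and `best_effort` accepts a certificate as valid when its CRL cannot be retrieved, i.e. it is fail-open. I would add `#   'peer' checks only the peer certificate, 'true' the whole chain; 'best_effort' behaves like 'true' but accepts a certificate whose revocation status cannot be determined, so it does not guarantee revocation is enforced.` under that param. It is also worth stating that `'true'`/`'peer'` presumably need a CRL source, i.e. one of the two `ssl_crl_cache_*` options, for handshakes to succeed at all — confirm against the Erlang docs before writing it as fact. The `ssl_crl_cache_http_timeout` description has a typo, `distributino` → `distribution`, and should name the unit (milliseconds, if the Erlang `{http, Timeout}` option is what it sets).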
@@ -368,6 +377,9 @@
 Boolean $ssl_honor_cipher_order = true,
 Optional[Stdlib::Absolutepath] $ssl_dhfile = undef,
 Array $ssl_ciphers = [],
+ Enum['true','false','peer','best_effort'] $ssl_crl_check = 'false',
+ Optional[Stdlib::Absolutepath] $ssl_crl_cache_hash_dir = undef,
+ Optional[Integer] $ssl_crl_cache_http_timeout = undef,
 Boolean $stomp_ensure = false,
 Boolean $ldap_auth = false,
 Variant[String[1],Array[String[1]]] $ldap_server = 'ldap',
@@ -413,6 +425,30 @@
 }
 }
 
+ if $ssl_crl_check != 'false' {
+ unless $ssl {
+ fail('$ssl_crl_check requires that $ssl => true')
+ }
+ }
+
+ if $ssl_crl_cache_hash_dir {
+ unless $ssl {
+ fail('$ssl_crl_cache_hash_dir requires that $ssl => true')
+ }
+ if $ssl_crl_check == 'false' {
+ fail('$ssl_crl_cache_http_timeout requires that $ssl_crl_check => true|peer|best_effort')
+ }
+ }
+
+ if $ssl_crl_cache_http_timeout {
+ unless $ssl {
+ fail('$ssl_crl_cache_http_timeout requires that $ssl => true')
+ }
+ if $ssl_crl_check == 'false' {
+ fail('$ssl_crl_cache_http_timeout requires that $ssl_crl_check => true|peer|best_effort')
+ }
+ }
+
 if $repos_ensure {
 case $facts['os']['family'] {
 'RedHat': {
diff --git a/spec/classes/rabbitmq_spec.rb b/spec/classes/rabbitmq_spec.rb
index 4ceb14442..800a3af3e 100644
--- a/spec/classes/rabbitmq_spec.rb
+++ b/spec/classes/rabbitmq_spec.rb
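Review bot: `Enum['true','false','peer','best_effort'] $ssl_crl_check = 'false'` makes the parameter stringly typed, so a Hiera value written as an unquoted YAML boolean (`rabbitmq::ssl_crl_check: true`) arrives as Boolean and is rejected by the type check instead of enabling the check; either document that the value must be quoted or accept `Variant[Boolean, Enum['true','false','peer','best_effort']]` and normalise it (the `!= 'false'` comparisons elsewhere in this commit would then need to follow). `Optional[Integer] $ssl_crl_cache_http_timeout` also admits zero and negative values; `Optional[Integer[1]]` documents the intent. The parameter list belongs to the `class rabbitmq` declaration, which starts and ends outside this hunk.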
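Review bot: The `fail()` inside `if $ssl_crl_cache_hash_dir { ... if $ssl_crl_check == 'false' {` names the wrong parameter — it reports `$ssl_crl_cache_http_timeout requires that $ssl_crl_check => ...` when it is `$ssl_crl_cache_hash_dir` that was set; the line should read `fail('$ssl_crl_cache_hash_dir requires that $ssl_crl_check => true|peer|best_effort')`. The three guards also never reject `$ssl_crl_cache_hash_dir` and `$ssl_crl_cache_http_timeout` being set together, yet the templates/rabbitmq.config.erb hunk then emits two `{crl_cache, ...}` tuples in the same ssl options list, and which one Erlang honours is not something this module controls — presumably only one takes effect, silently dropping the other CRL source. Add a guard alongside the existing ones: `if $ssl_crl_cache_hash_dir and $ssl_crl_cache_http_timeout { fail('$ssl_crl_cache_hash_dir and $ssl_crl_cache_http_timeout are mutually exclusive') }`. These checks live in the body of `class rabbitmq`, which starts and ends outside the hunk.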
@@ -1161,6 +1161,102 @@
 end
 end
 
+ describe 'ssl options with ssl_crl_check enabled' do
+ let(:params) do
+ { ssl: true,
+ ssl_port: 3141,
+ ssl_cacert: '/path/to/cacert',
+ ssl_cert: '/path/to/cert',
+ ssl_key: '/path/to/key',
+ ssl_crl_check: 'true' }
+ end
+
+ it 'sets ssl crl check setting to specified value' do
+ is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_check,true})
+ end
+ end
+
+ describe 'ssl options with ssl_crl_check and ssl_crl_hash_cache enabled' do
+ let(:params) do
+ { ssl: true,
+ ssl_port: 3141,
+ ssl_cacert: '/path/to/cacert',
+ ssl_cert: '/path/to/cert',
+ ssl_key: '/path/to/key',
+ ssl_crl_check: 'true',
+ ssl_crl_cache_hash_dir: '/path/to/crl_cache/dir' }
+ end
+
+ it 'sets ssl crl check setting to specified value' do
+ is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_check,true})
+ is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_cache,\s+{ssl_crl_hash_dir,\s+{internal,\s+\[{dir, "/path/to/crl_cache/dir"}\]}}})
+ end
+ end
+
+ describe 'ssl options with ssl_crl_check and http cache enabled' do
+ let(:params) do
+ { ssl: true,
+ ssl_port: 3141,
+ ssl_cacert: '/path/to/cacert',
+ ssl_cert: '/path/to/cert',
+ ssl_key: '/path/to/key',
+ ssl_crl_check: 'true',
+ ssl_crl_cache_http_timeout: 5000 }
+ end
+
+ it 'sets ssl crl check setting to specified value' do
+ is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_check,true})
+ is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_cache,\s+{ssl_crl_cache,\s+{internal,\s+\[{http, 5000}\]}}})
+ end
+ end
+
+ describe 'ssl options with ssl_crl_check enabled and not ssl' do
+ let(:params) do
+ { ssl: false,
+ ssl_port: 3141,
+ ssl_cacert: '/path/to/cacert',
+ ssl_cert: '/path/to/cert',
+ ssl_key: '/path/to/key',
+ ssl_crl_check: 'true' }
+ end
+
+ it 'fails' do
+ expect { catalogue }.to raise_error(Puppet::Error, %r{\$ssl_crl_check requires that \$ssl => true})
+ end
+ end
+
+ describe 'ssl options with ssl_crl_cache_hash_dir set and not ssl_crl_check' do
+ let(:params) do
+ { ssl: true,
+ ssl_port: 3141,
+ ssl_cacert: '/path/to/cacert',
+ ssl_cert: '/path/to/cert',
+ ssl_key: '/path/to/key',
+ ssl_crl_check: 'false',
+ ssl_crl_cache_hash_dir: '/path/to/crl_cache/dir' }
+ end
+
+ it 'fails' do
+ expect { catalogue }.to raise_error(Puppet::Error, %r{\$ssl_crl_cache_hash_dir requires that \$ssl_crl_check => true|peer|best_effort})
+ end
+ end
+
+ describe 'ssl options with ssl_crl_cache_http_timeout set and not ssl_crl_check' do
+ let(:params) do
+ { ssl: true,
+ ssl_port: 3141,
+ ssl_cacert: '/path/to/cacert',
+ ssl_cert: '/path/to/cert',
+ ssl_key: '/path/to/key',
+ ssl_crl_check: 'false',
+ ssl_crl_cache_http_timeout: 5000 }
+ end
+
+ it 'fails' do
+ expect { catalogue }.to raise_error(Puppet::Error, %r{\$ssl_crl_cache_http_timeout requires that \$ssl_crl_check => true|peer|best_effort})
+ end
+ end
+
 describe 'ssl admin options with specific ssl versions' do
 let(:params) do
 { ssl: true,
diff --git a/templates/rabbitmq.config.erb b/templates/rabbitmq.config.erb
index 9ddc3214e..5ba4db2e3 100644
--- a/templates/rabbitmq.config.erb
+++ b/templates/rabbitmq.config.erb
@@ -95,6 +95,15 @@ end
 <%= ssl_ciphers %>
 ]}
 <%- end -%>
+ <%- if @ssl_crl_check != 'false' -%>
+ ,{crl_check,<%= @ssl_crl_check %>}
+ <%- end -%>
+ <%- if @ssl_crl_cache_hash_dir -%>
+ ,{crl_cache, {ssl_crl_hash_dir, {internal, [{dir, "<%= @ssl_crl_cache_hash_dir %>"}]}}}
+ <%- end -%>
+ <%- if @ssl_crl_cache_http_timeout -%>
+ ,{crl_cache, {ssl_crl_cache, {internal, [{http, <%= @ssl_crl_cache_http_timeout %>}]}}}
+ <%- end -%>
 ]},
 <%- end -%>
 <% if scope['rabbitmq::config_variables'] -%>
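Review bot: The two `it 'fails'` regexes for the cache parameters, `%r{\$ssl_crl_cache_hash_dir requires that \$ssl_crl_check => true|peer|best_effort}` and its `http_timeout` twin, contain unescaped `|`, so each is three alternatives and matches any error text containing `peer` or `best_effort`; that is why the hash_dir example passes although manifests/init.pp raises a message naming `$ssl_crl_cache_http_timeout` for that case. Escape the bars, `... \$ssl_crl_check => true\|peer\|best_effort}`, so the assertion pins the full message and the copy-paste error in init.pp is caught. There is also no example for `ssl_crl_cache_hash_dir` and `ssl_crl_cache_http_timeout` set together, the one combination the new manifest guards do not cover, which would currently render two `crl_cache` tuples into rabbitmq.config.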