From 9c3109d366a8caf5e6136e55453823f24e4071e8 Mon Sep 17 00:00:00 2001
From: Stephen Benjamin
Date: Wed, 13 Jun 2018 08:30:05 -0400
Subject: [PATCH] Support ssl-protocols option for puppetserver configuration
---
 manifests/server/puppetserver.pp | 2 ++
 spec/classes/puppet_server_config_spec.rb | 41 +++++++++++++++++++++++
 2 files changed, 43 insertions(+)
diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp
index 4f4f5dbc..3d19f817 100644
--- a/manifests/server/puppetserver.pp
+++ b/manifests/server/puppetserver.pp
@@ -585,6 +585,8 @@
 'webserver.ssl-key' => $server_ssl_cert_key,
 'webserver.ssl-ca-cert' => $server_ssl_ca_cert,
 'webserver.idle-timeout-milliseconds' => $server_web_idle_timeout,
+ 'webserver.ssl-protocols' => $server_ssl_protocols,
+ 'webserver.cipher-suites' => $server_cipher_suites,
 }
 $webserver_general_settings.each |$setting, $value| {
diff --git a/spec/classes/puppet_server_config_spec.rb b/spec/classes/puppet_server_config_spec.rb
index c7810368..bb286ffd 100644
--- a/spec/classes/puppet_server_config_spec.rb
+++ b/spec/classes/puppet_server_config_spec.rb
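Review bot: In manifests/server/puppetserver.pp, the two new hash entries pass `$server_ssl_protocols` and `$server_cipher_suites` through unchanged, and nothing visible here shows what reaches webserver.conf when a caller leaves them unset or passes an empty array. The body of the `$webserver_general_settings.each` loop lies outside the hunk, so please confirm that an undef or empty value removes the setting and falls back to puppetserver's own defaults, rather than writing an empty protocol or cipher list. The parameter declarations are also outside this diff; if they are not already typed, something like `Optional[Array[String]]` would reject a bare string at compile time. A short comment above the two entries, for example `# undef leaves the puppetserver default TLS protocols/ciphers in place`, would document the intended fallback.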
@@ -770,6 +770,47 @@ end end + describe 'with ssl_protocols overwritten' do + let :pre_condition do + "class {'puppet': + server => true, + server_implementation => 'puppetserver', + server_ca => true, + server_puppetserver_dir => '/etc/custom/puppetserver', + server_ssl_protocols => ['TLSv1.1', 'TLSv1.2'], + }" + end + + it 'should set the ssl protocols' do + should contain_hocon_setting('webserver.ssl-protocols'). + with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). + with_setting('webserver.ssl-protocols'). + with_value(['TLSv1.1', 'TLSv1.2']). + with_ensure('present') + end + end + + describe 'with cipher-suites overwritten' do + let :pre_condition do + "class {'puppet': + server => true, + server_implementation => 'puppetserver', + server_ca => true, + server_puppetserver_dir => '/etc/custom/puppetserver', + server_cipher_suites => ['TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA'], + }" + end + + it 'should set the cipher suite' do + should contain_hocon_setting('webserver.cipher-suites'). + with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). + with_setting('webserver.cipher-suites'). + with_value(['TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA']). + with_ensure('present') + end + end + + describe 'with ssl_chain_filepath overwritten' do let :pre_condition do "class {'puppet':
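Review bot: The fixtures in both new `describe` blocks use TLS values a hardened server would reject: `'TLSv1.1'` in `server_ssl_protocols`, and two static-RSA CBC suites in `server_cipher_suites`, which give no forward secrecy. Spec fixtures tend to get copied into real node definitions, so I would use `server_ssl_protocols => ['TLSv1.2'],` and `server_cipher_suites => ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'],` with matching `with_value(...)` expectations. Both examples cover only the overridden case. An example asserting the state of `webserver.ssl-protocols` and `webserver.cipher-suites` when the parameters keep their defaults would pin the behaviour most installations actually get.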