CIDM-1283 Add SSL Include/Exclude protocol and TLS renegotiation options to container filter.

Author: scarlettmoonbell

manifests/filter/container.pp

@@ -1,7 +1,9 @@
 # == Class: repose::filter::container
 #
 # This is a class for managing the container configuration file
-# and log4j.properties
+# and log4j.properties Container configuration is fully documented in the
+# Repose project wiki.
+# https://repose.atlassian.net/wiki/spaces/REPOSE/pages/527236/Container
 #
 # === Parameters
 #
@@ -173,6 +175,18 @@
 # Array [String]. The cipher strings to deny connections for.
 # Defaults to <tt>undef</tt>
 #
+# [*ssl_include_protocol*]
+# Array [String]. The protocol strings to allow connections for.
+# Defaults to <tt>undef</tt>
+#
+# [*ssl_exclude_protocol*]
+# Array [String]. The protocol strings to deny connections for.
+# Defaults to <tt>undef</tt>
+#
+# [*ssl_tls_renegotiation*]
+# Boolean. Explicitly allow or deny TLS renegotiation.
+# Defaults to <tt>undef</tt>
+#
 # [*via*]
 # String. String used in the Via header.
 # Defaults to <tt>undef</tt>
@@ -290,6 +304,9 @@
   $ssl_key_password                     = undef,
   $ssl_include_cipher                   = undef,
   $ssl_exclude_cipher                   = undef,
+  $ssl_include_protocol                 = undef,
+  $ssl_exclude_protocol                 = undef,
+  $ssl_tls_renegotiation                = undef,
   $syslog_server                        = undef,
   $syslog_port                          = $repose::params::syslog_port,
   $syslog_protocol                      = $repose::params::syslog_protocol,

puppet-module-repose.spec

@@ -2,7 +2,7 @@
 %define base_name repose
 
 Name:      puppet-module-%{user}-%{base_name}
-Version:   2.7.0
+Version:   2.8.0
 Release:   1
 BuildArch: noarch
 Summary:   Puppet module to configure %{base_name}
@@ -30,6 +30,8 @@ cp -pr * %{buildroot}%{module_dir}/
 %{module_dir}
 
 %changelog
+* Mon May 12 2018  Josh Bell <josh.bell@rackspace.com> - 2.8.0-1
+- Add ssl protocol and tls renegotiation options to container filter
 * Mon Apr 02 2018 Dimitry Ushakov <dimitry.ushakov@rackspace.com> - 2.7.0-1
 - Add opentracing module and tests
 * Wed Mar 21 2018 Meynard Alconis <meynard.alconis@rackspace.com> - 2.6.2-1

spec/classes/filter/container_spec.rb

@@ -77,8 +77,11 @@
         :ssl_keystore_filename             => 'keystore.name',
         :ssl_keystore_password             => 'mypassword',
         :ssl_key_password                  => 'keypassword',
-        :ssl_include_cipher		   => ['include'],
-        :ssl_exclude_cipher		   => ['exclude'],
+        :ssl_include_cipher                => ['include'],
+        :ssl_exclude_cipher                => ['exclude'],
+        :ssl_include_protocol              => ['include'],
+        :ssl_exclude_protocol              => ['exclude'],
+        :ssl_tls_renegotiation             => 'true',
         :content_body_read_limit           => '10240000',
         :jmx_reset_time                    => '3600000',
         :client_request_logging            => 'false',
@@ -109,6 +112,9 @@
           with_content(/<key-password>keypassword<\/key-password>/).
           with_content(/<included-ciphers>/).
           with_content(/<excluded-ciphers>/).
+          with_content(/<included-protocols>/).
+          with_content(/<excluded-protocols>/).
+          with_content(/<tls-renegotiation-allowed>true<\/tls-renegotiation-allowed>/).
           with_content(/<\/ssl-configuration>/)
       }
     end

templates/container.cfg.xml.erb

@@ -48,19 +48,36 @@
             <keystore-password><%= @ssl_keystore_password %></keystore-password>
             <key-password><%= @ssl_key_password %></key-password>
 	    <%- unless @ssl_include_cipher.nil? -%>
-	    <included-ciphers>
-	        <%- @ssl_include_cipher.each do |cipher| -%>
-		<cipher><%= cipher %></cipher>
-                <%- end -%>
-	    </included-ciphers>
-            <%- end -%>
+          <included-ciphers>
+	      <%- @ssl_include_cipher.each do |cipher| -%>
+            <cipher><%= cipher %></cipher>
+          <%- end -%>
+          </included-ciphers>
+        <%- end -%>
 	    <%- unless @ssl_exclude_cipher.nil? -%>
-	    <excluded-ciphers>
-	        <%- @ssl_exclude_cipher.each do |cipher| -%>
-		<cipher><%= cipher %></cipher>
-                <%- end -%>
-	    </excluded-ciphers>
-            <%- end -%>
+          <excluded-ciphers>
+          <%- @ssl_exclude_cipher.each do |cipher| -%>
+            <cipher><%= cipher %></cipher>
+          <%- end -%>
+	      </excluded-ciphers>
+        <%- end -%>
+	    <%- unless @ssl_exclude_protocol.nil? -%>
+          <excluded-protocols>
+	      <%- @ssl_exclude_protocol.each do |protocol| -%>
+            <protocol><%= protocol %></protocol>
+          <%- end -%>
+          </excluded-protocols>
+        <%- end -%>
+	    <%- unless @ssl_include_protocol.nil? -%>
+          <included-protocols>
+	      <%- @ssl_include_protocol.each do |protocol| -%>
+            <protocol><%= protocol %></protocol>
+          <%- end -%>
+          </included-protocols>
+        <%- end -%>
+        <%- unless @ssl_tls_renegotiation.nil? -%>
+          <tls-renegotiation-allowed><%= @ssl_tls_renegotiation -%></tls-renegotiation-allowed>
+        <%- end -%>
         </ssl-configuration>
 <%- end -%>
     </deployment-config>