Merge pull request #657 from paebersold/master
Add options for ssl verify and 'fail_if_no_peer_cert' for the management interface
wyardley authored Oct 27, 2017
2 parents fb6b160 + 9e6c94b commit 09e8af2
Showing 5 changed files with 145 additions and 131 deletions.
146 changes: 74 additions & 72 deletions manifests/config.pp
Expand Up @@ -3,78 +3,80 @@
# config and ssl.
class rabbitmq::config {

$admin_enable = $rabbitmq::admin_enable
$cluster_node_type = $rabbitmq::cluster_node_type
$cluster_nodes = $rabbitmq::cluster_nodes
$config = $rabbitmq::config
$config_cluster = $rabbitmq::config_cluster
$config_path = $rabbitmq::config_path
$config_ranch = $rabbitmq::config_ranch
$config_stomp = $rabbitmq::config_stomp
$config_shovel = $rabbitmq::config_shovel
$config_shovel_statics = $rabbitmq::config_shovel_statics
$default_user = $rabbitmq::default_user
$default_pass = $rabbitmq::default_pass
$env_config = $rabbitmq::env_config
$env_config_path = $rabbitmq::env_config_path
$erlang_cookie = $rabbitmq::erlang_cookie
$interface = $rabbitmq::interface
$management_port = $rabbitmq::management_port
$management_ssl = $rabbitmq::management_ssl
$management_hostname = $rabbitmq::management_hostname
$node_ip_address = $rabbitmq::node_ip_address
$rabbitmq_user = $rabbitmq::rabbitmq_user
$rabbitmq_group = $rabbitmq::rabbitmq_group
$rabbitmq_home = $rabbitmq::rabbitmq_home
$port = $rabbitmq::port
$tcp_keepalive = $rabbitmq::tcp_keepalive
$tcp_backlog = $rabbitmq::tcp_backlog
$tcp_sndbuf = $rabbitmq::tcp_sndbuf
$tcp_recbuf = $rabbitmq::tcp_recbuf
$heartbeat = $rabbitmq::heartbeat
$service_name = $rabbitmq::service_name
$ssl = $rabbitmq::ssl
$ssl_only = $rabbitmq::ssl_only
$ssl_cacert = $rabbitmq::ssl_cacert
$ssl_cert = $rabbitmq::ssl_cert
$ssl_key = $rabbitmq::ssl_key
$ssl_depth = $rabbitmq::ssl_depth
$ssl_cert_password = $rabbitmq::ssl_cert_password
$ssl_port = $rabbitmq::ssl_port
$ssl_interface = $rabbitmq::ssl_interface
$ssl_management_port = $rabbitmq::ssl_management_port
$ssl_stomp_port = $rabbitmq::ssl_stomp_port
$ssl_verify = $rabbitmq::ssl_verify
$ssl_fail_if_no_peer_cert = $rabbitmq::ssl_fail_if_no_peer_cert
$ssl_secure_renegotiate = $rabbitmq::ssl_secure_renegotiate
$ssl_reuse_sessions = $rabbitmq::ssl_reuse_sessions
$ssl_honor_cipher_order = $rabbitmq::ssl_honor_cipher_order
$ssl_dhfile = $rabbitmq::ssl_dhfile
$ssl_versions = $rabbitmq::ssl_versions
$ssl_ciphers = $rabbitmq::ssl_ciphers
$stomp_port = $rabbitmq::stomp_port
$stomp_ssl_only = $rabbitmq::stomp_ssl_only
$ldap_auth = $rabbitmq::ldap_auth
$ldap_server = $rabbitmq::ldap_server
$ldap_user_dn_pattern = $rabbitmq::ldap_user_dn_pattern
$ldap_other_bind = $rabbitmq::ldap_other_bind
$ldap_use_ssl = $rabbitmq::ldap_use_ssl
$ldap_port = $rabbitmq::ldap_port
$ldap_log = $rabbitmq::ldap_log
$ldap_config_variables = $rabbitmq::ldap_config_variables
$wipe_db_on_cookie_change = $rabbitmq::wipe_db_on_cookie_change
$config_variables = $rabbitmq::config_variables
$config_kernel_variables = $rabbitmq::config_kernel_variables
$config_management_variables = $rabbitmq::config_management_variables
$config_additional_variables = $rabbitmq::config_additional_variables
$auth_backends = $rabbitmq::auth_backends
$cluster_partition_handling = $rabbitmq::cluster_partition_handling
$file_limit = $rabbitmq::file_limit
$collect_statistics_interval = $rabbitmq::collect_statistics_interval
$ipv6 = $rabbitmq::ipv6
$inetrc_config = $rabbitmq::inetrc_config
$inetrc_config_path = $rabbitmq::inetrc_config_path
$ssl_erl_dist = $rabbitmq::ssl_erl_dist
$admin_enable = $rabbitmq::admin_enable
$cluster_node_type = $rabbitmq::cluster_node_type
$cluster_nodes = $rabbitmq::cluster_nodes
$config = $rabbitmq::config
$config_cluster = $rabbitmq::config_cluster
$config_path = $rabbitmq::config_path
$config_ranch = $rabbitmq::config_ranch
$config_stomp = $rabbitmq::config_stomp
$config_shovel = $rabbitmq::config_shovel
$config_shovel_statics = $rabbitmq::config_shovel_statics
$default_user = $rabbitmq::default_user
$default_pass = $rabbitmq::default_pass
$env_config = $rabbitmq::env_config
$env_config_path = $rabbitmq::env_config_path
$erlang_cookie = $rabbitmq::erlang_cookie
$interface = $rabbitmq::interface
$management_port = $rabbitmq::management_port
$management_ssl = $rabbitmq::management_ssl
$management_hostname = $rabbitmq::management_hostname
$node_ip_address = $rabbitmq::node_ip_address
$rabbitmq_user = $rabbitmq::rabbitmq_user
$rabbitmq_group = $rabbitmq::rabbitmq_group
$rabbitmq_home = $rabbitmq::rabbitmq_home
$port = $rabbitmq::port
$tcp_keepalive = $rabbitmq::tcp_keepalive
$tcp_backlog = $rabbitmq::tcp_backlog
$tcp_sndbuf = $rabbitmq::tcp_sndbuf
$tcp_recbuf = $rabbitmq::tcp_recbuf
$heartbeat = $rabbitmq::heartbeat
$service_name = $rabbitmq::service_name
$ssl = $rabbitmq::ssl
$ssl_only = $rabbitmq::ssl_only
$ssl_cacert = $rabbitmq::ssl_cacert
$ssl_cert = $rabbitmq::ssl_cert
$ssl_key = $rabbitmq::ssl_key
$ssl_depth = $rabbitmq::ssl_depth
$ssl_cert_password = $rabbitmq::ssl_cert_password
$ssl_port = $rabbitmq::ssl_port
$ssl_interface = $rabbitmq::ssl_interface
$ssl_management_port = $rabbitmq::ssl_management_port
$ssl_management_verify = $rabbitmq::ssl_management_verify
$ssl_management_fail_if_no_peer_cert = $rabbitmq::ssl_management_fail_if_no_peer_cert
$ssl_stomp_port = $rabbitmq::ssl_stomp_port
$ssl_verify = $rabbitmq::ssl_verify
$ssl_fail_if_no_peer_cert = $rabbitmq::ssl_fail_if_no_peer_cert
$ssl_secure_renegotiate = $rabbitmq::ssl_secure_renegotiate
$ssl_reuse_sessions = $rabbitmq::ssl_reuse_sessions
$ssl_honor_cipher_order = $rabbitmq::ssl_honor_cipher_order
$ssl_dhfile = $rabbitmq::ssl_dhfile
$ssl_versions = $rabbitmq::ssl_versions
$ssl_ciphers = $rabbitmq::ssl_ciphers
$stomp_port = $rabbitmq::stomp_port
$stomp_ssl_only = $rabbitmq::stomp_ssl_only
$ldap_auth = $rabbitmq::ldap_auth
$ldap_server = $rabbitmq::ldap_server
$ldap_user_dn_pattern = $rabbitmq::ldap_user_dn_pattern
$ldap_other_bind = $rabbitmq::ldap_other_bind
$ldap_use_ssl = $rabbitmq::ldap_use_ssl
$ldap_port = $rabbitmq::ldap_port
$ldap_log = $rabbitmq::ldap_log
$ldap_config_variables = $rabbitmq::ldap_config_variables
$wipe_db_on_cookie_change = $rabbitmq::wipe_db_on_cookie_change
$config_variables = $rabbitmq::config_variables
$config_kernel_variables = $rabbitmq::config_kernel_variables
$config_management_variables = $rabbitmq::config_management_variables
$config_additional_variables = $rabbitmq::config_additional_variables
$auth_backends = $rabbitmq::auth_backends
$cluster_partition_handling = $rabbitmq::cluster_partition_handling
$file_limit = $rabbitmq::file_limit
$collect_statistics_interval = $rabbitmq::collect_statistics_interval
$ipv6 = $rabbitmq::ipv6
$inetrc_config = $rabbitmq::inetrc_config
$inetrc_config_path = $rabbitmq::inetrc_config_path
$ssl_erl_dist = $rabbitmq::ssl_erl_dist

if $ssl_only {
$default_ssl_env_variables = {}
4 changes: 4 additions & 0 deletions manifests/init.pp
Expand Up @@ -164,6 +164,8 @@
# @param ssl_stomp_port SSL stomp port.
# @param ssl_verify rabbitmq.config SSL verify setting.
# @param ssl_fail_if_no_peer_cert rabbitmq.config `fail_if_no_peer_cert` setting.
# @param ssl_management_verify rabbitmq.config SSL verify setting for rabbitmq_management.
# @param ssl_manaagement_fail_if_no_peer_cert rabbitmq.config `fail_if_no_peer_cert` setting for rabbitmq_management.
# @param ssl_versions Choose which SSL versions to enable. Example: `['tlsv1.2', 'tlsv1.1']` Note that it is recommended to disable `sslv3
# and `tlsv1` to prevent against POODLE and BEAST attacks. Please see the [RabbitMQ SSL](https://www.rabbitmq.com/ssl.html) documentation
# for more information.
Expand Down Expand Up @@ -239,6 +241,8 @@
Integer[1, 65535] $ssl_stomp_port = $rabbitmq::params::ssl_stomp_port,
Enum['verify_none','verify_peer'] $ssl_verify = $rabbitmq::params::ssl_verify,
Boolean $ssl_fail_if_no_peer_cert = $rabbitmq::params::ssl_fail_if_no_peer_cert,
Enum['verify_none','verify_peer'] $ssl_management_verify = $rabbitmq::params::ssl_management_verify,
Boolean $ssl_management_fail_if_no_peer_cert = $rabbitmq::params::ssl_management_fail_if_no_peer_cert,
Optional[Array] $ssl_versions = undef,
Boolean $ssl_secure_renegotiate = $rabbitmq::params::ssl_secure_renegotiate,
Boolean $ssl_reuse_sessions = $rabbitmq::params::ssl_reuse_sessions,
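Review bot: The second new `@param` tag in the first hunk is misspelled `ssl_manaagement_fail_if_no_peer_cert`, so it documents a parameter that does not exist and leaves the real `$ssl_management_fail_if_no_peer_cert` declared in the second hunk without a description; change it to `# @param ssl_management_fail_if_no_peer_cert rabbitmq.config \`fail_if_no_peer_cert\` setting for rabbitmq_management.`. Both descriptions would also help operators more if they stated the dependency between the knobs: `fail_if_no_peer_cert` appears to take effect only together with `verify_peer`, and `verify_peer` presumably needs a CA bundle (`ssl_cacert`) to validate client certificates against, otherwise the management listener still does server-side TLS only. Nothing in the second hunk enforces that combination, so a sentence such as "Only meaningful when `ssl_management_verify` is `verify_peer`" on the `fail_if_no_peer_cert` line would prevent a false sense of mutual-TLS enforcement. The enclosing class parameter list starts and ends outside both hunks.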
118 changes: 60 additions & 58 deletions manifests/params.pp
Expand Up @@ -83,63 +83,65 @@
}

#install
$admin_enable = true
$management_port = 15672
$management_ssl = true
$repos_ensure = false
$service_ensure = 'running'
$service_manage = true
$admin_enable = true
$management_port = 15672
$management_ssl = true
$repos_ensure = false
$service_ensure = 'running'
$service_manage = true
#config
$cluster_node_type = 'disc'
$cluster_nodes = []
$config = 'rabbitmq/rabbitmq.config.erb'
$config_cluster = false
$config_path = '/etc/rabbitmq/rabbitmq.config'
$config_ranch = true
$config_stomp = false
$config_shovel = false
$config_shovel_statics = {}
$default_user = 'guest'
$default_pass = 'guest'
$delete_guest_user = false
$env_config = 'rabbitmq/rabbitmq-env.conf.erb'
$env_config_path = '/etc/rabbitmq/rabbitmq-env.conf'
$port = 5672
$tcp_keepalive = false
$tcp_backlog = 128
$ssl = false
$ssl_ciphers = []
$ssl_erl_dist = false
$ssl_fail_if_no_peer_cert = false
$ssl_honor_cipher_order = true
$ssl_management_port = 15671
$ssl_only = false
$ssl_port = 5671
$ssl_reuse_sessions = true
$ssl_secure_renegotiate = true
$ssl_stomp_port = 6164
$ssl_verify = 'verify_none'
$ssl_versions = undef
$stomp_ensure = false
$stomp_port = 6163
$stomp_ssl_only = false
$ldap_auth = false
$ldap_server = 'ldap'
$ldap_user_dn_pattern = undef
$ldap_other_bind = 'anon'
$ldap_use_ssl = false
$ldap_port = 389
$ldap_log = false
$ldap_config_variables = {}
$wipe_db_on_cookie_change = false
$cluster_partition_handling = 'ignore'
$environment_variables = {}
$config_variables = {}
$config_kernel_variables = {}
$config_management_variables = {}
$config_additional_variables = {}
$file_limit = 16384
$ipv6 = false
$inetrc_config = 'rabbitmq/inetrc.erb'
$inetrc_config_path = '/etc/rabbitmq/inetrc'
$cluster_node_type = 'disc'
$cluster_nodes = []
$config = 'rabbitmq/rabbitmq.config.erb'
$config_cluster = false
$config_path = '/etc/rabbitmq/rabbitmq.config'
$config_ranch = true
$config_stomp = false
$config_shovel = false
$config_shovel_statics = {}
$default_user = 'guest'
$default_pass = 'guest'
$delete_guest_user = false
$env_config = 'rabbitmq/rabbitmq-env.conf.erb'
$env_config_path = '/etc/rabbitmq/rabbitmq-env.conf'
$port = 5672
$tcp_keepalive = false
$tcp_backlog = 128
$ssl = false
$ssl_ciphers = []
$ssl_erl_dist = false
$ssl_fail_if_no_peer_cert = false
$ssl_honor_cipher_order = true
$ssl_management_port = 15671
$ssl_only = false
$ssl_port = 5671
$ssl_reuse_sessions = true
$ssl_secure_renegotiate = true
$ssl_stomp_port = 6164
$ssl_verify = 'verify_none'
$ssl_versions = undef
$ssl_management_verify = 'verify_none'
$ssl_management_fail_if_no_peer_cert = false
$stomp_ensure = false
$stomp_port = 6163
$stomp_ssl_only = false
$ldap_auth = false
$ldap_server = 'ldap'
$ldap_user_dn_pattern = undef
$ldap_other_bind = 'anon'
$ldap_use_ssl = false
$ldap_port = 389
$ldap_log = false
$ldap_config_variables = {}
$wipe_db_on_cookie_change = false
$cluster_partition_handling = 'ignore'
$environment_variables = {}
$config_variables = {}
$config_kernel_variables = {}
$config_management_variables = {}
$config_additional_variables = {}
$file_limit = 16384
$ipv6 = false
$inetrc_config = 'rabbitmq/inetrc.erb'
$inetrc_config_path = '/etc/rabbitmq/inetrc'
}
4 changes: 4 additions & 0 deletions spec/classes/rabbitmq_spec.rb
Expand Up @@ -1083,6 +1083,8 @@
ssl_cacert: '/path/to/cacert',
ssl_cert: '/path/to/cert',
ssl_key: '/path/to/key',
ssl_management_verify: 'verify_peer',
ssl_management_fail_if_no_peer_cert: true,
admin_enable: true }
end

Expand All @@ -1092,6 +1094,8 @@
is_expected.to contain_file('rabbitmq.config').with_content(%r{port, 3141\}})
is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl, true\}})
is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_opts, \[})
is_expected.to contain_file('rabbitmq.config').with_content(%r{verify,verify_peer\},})
is_expected.to contain_file('rabbitmq.config').with_content(%r{fail_if_no_peer_cert,true\}})
is_expected.to contain_file('rabbitmq.config').with_content(%r{cacertfile, "/path/to/cacert"\},})
is_expected.to contain_file('rabbitmq.config').with_content(%r{certfile, "/path/to/cert"\},})
is_expected.to contain_file('rabbitmq.config').with_content(%r{keyfile, "/path/to/key"\}})
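Review bot: The two new assertions in the second hunk pin only the non-default `verify_peer`/`true` combination, so the default `verify_none`/`false` rendering — the path every existing management-SSL user now takes — has no coverage; adding `is_expected.to contain_file('rabbitmq.config').with_content(%r{verify,verify_none\},})` and `is_expected.to contain_file('rabbitmq.config').with_content(%r{fail_if_no_peer_cert,false\}})` to whichever example exercises management SSL with default parameters would catch a template regression there. The regexes are also not anchored to the management listener's `ssl_opts` block: if the broker-level `ssl_options` section were ever rendered with the same `verify,` spacing, the same expectation would pass against it, so anchoring on a neighbouring line (e.g. the `keyfile` entry that precedes it) would make the check specific. The enclosing `context` and `let(:params)` blocks begin outside the hunks.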
4 changes: 3 additions & 1 deletion templates/rabbitmq.config.erb
Expand Up @@ -113,7 +113,9 @@
{cacertfile, "<%= @ssl_cacert %>"},
<%- end -%>
{certfile, "<%= @ssl_cert %>"},
{keyfile, "<%= @ssl_key %>"}
{keyfile, "<%= @ssl_key %>"},
{verify,<%= @ssl_management_verify %>},
{fail_if_no_peer_cert,<%= @ssl_management_fail_if_no_peer_cert %>}
<%- if @ssl_versions -%>
,{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]}
<%- end -%>
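Review bot: The two added tuples render `verify` and `fail_if_no_peer_cert` unconditionally, while the `cacertfile` entry at the top of the hunk is wrapped in a conditional whose opening line is outside the hunk; with `ssl_management_verify => 'verify_peer'` and no `ssl_cacert` the listener is therefore asked to verify client certificates with no CA to verify them against, which presumably makes every client-certificate handshake fail rather than quietly skipping verification. A guard in the manifest (fail when `ssl_management_verify == 'verify_peer'` and `ssl_cacert` is unset) or rendering `verify_peer` only inside the same conditional as `cacertfile` would make that misconfiguration visible at catalog compile time instead of at first connection. As a point of style, the new lines drop the space after the comma that every neighbouring tuple uses; `{verify, <%= @ssl_management_verify %>},` and `{fail_if_no_peer_cert, <%= @ssl_management_fail_if_no_peer_cert %>}` would match, though the spec regexes added in this commit pin the no-space form and would need the same change.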