Add options for ssl verify and 'fail_if_no_peer_cert' for the managem… #657

Add options for ssl verify and 'fail_if_no_peer_cert' for the management ssl options
paebersold-tyro committed Oct 24, 2017
commit 9e6c94b7d14c351a7c1a9268222f2ca63ee80588
146 changes: 74 additions & 72 deletions manifests/config.pp
Expand Up @@ -3,78 +3,80 @@
# config and ssl.
class rabbitmq::config {

$admin_enable = $rabbitmq::admin_enable
$cluster_node_type = $rabbitmq::cluster_node_type
$cluster_nodes = $rabbitmq::cluster_nodes
$config = $rabbitmq::config
$config_cluster = $rabbitmq::config_cluster
$config_path = $rabbitmq::config_path
$config_ranch = $rabbitmq::config_ranch
$config_stomp = $rabbitmq::config_stomp
$config_shovel = $rabbitmq::config_shovel
$config_shovel_statics = $rabbitmq::config_shovel_statics
$default_user = $rabbitmq::default_user
$default_pass = $rabbitmq::default_pass
$env_config = $rabbitmq::env_config
$env_config_path = $rabbitmq::env_config_path
$erlang_cookie = $rabbitmq::erlang_cookie
$interface = $rabbitmq::interface
$management_port = $rabbitmq::management_port
$management_ssl = $rabbitmq::management_ssl
$management_hostname = $rabbitmq::management_hostname
$node_ip_address = $rabbitmq::node_ip_address
$rabbitmq_user = $rabbitmq::rabbitmq_user
$rabbitmq_group = $rabbitmq::rabbitmq_group
$rabbitmq_home = $rabbitmq::rabbitmq_home
$port = $rabbitmq::port
$tcp_keepalive = $rabbitmq::tcp_keepalive
$tcp_backlog = $rabbitmq::tcp_backlog
$tcp_sndbuf = $rabbitmq::tcp_sndbuf
$tcp_recbuf = $rabbitmq::tcp_recbuf
$heartbeat = $rabbitmq::heartbeat
$service_name = $rabbitmq::service_name
$ssl = $rabbitmq::ssl
$ssl_only = $rabbitmq::ssl_only
$ssl_cacert = $rabbitmq::ssl_cacert
$ssl_cert = $rabbitmq::ssl_cert
$ssl_key = $rabbitmq::ssl_key
$ssl_depth = $rabbitmq::ssl_depth
$ssl_cert_password = $rabbitmq::ssl_cert_password
$ssl_port = $rabbitmq::ssl_port
$ssl_interface = $rabbitmq::ssl_interface
$ssl_management_port = $rabbitmq::ssl_management_port
$ssl_stomp_port = $rabbitmq::ssl_stomp_port
$ssl_verify = $rabbitmq::ssl_verify
$ssl_fail_if_no_peer_cert = $rabbitmq::ssl_fail_if_no_peer_cert
$ssl_secure_renegotiate = $rabbitmq::ssl_secure_renegotiate
$ssl_reuse_sessions = $rabbitmq::ssl_reuse_sessions
$ssl_honor_cipher_order = $rabbitmq::ssl_honor_cipher_order
$ssl_dhfile = $rabbitmq::ssl_dhfile
$ssl_versions = $rabbitmq::ssl_versions
$ssl_ciphers = $rabbitmq::ssl_ciphers
$stomp_port = $rabbitmq::stomp_port
$stomp_ssl_only = $rabbitmq::stomp_ssl_only
$ldap_auth = $rabbitmq::ldap_auth
$ldap_server = $rabbitmq::ldap_server
$ldap_user_dn_pattern = $rabbitmq::ldap_user_dn_pattern
$ldap_other_bind = $rabbitmq::ldap_other_bind
$ldap_use_ssl = $rabbitmq::ldap_use_ssl
$ldap_port = $rabbitmq::ldap_port
$ldap_log = $rabbitmq::ldap_log
$ldap_config_variables = $rabbitmq::ldap_config_variables
$wipe_db_on_cookie_change = $rabbitmq::wipe_db_on_cookie_change
$config_variables = $rabbitmq::config_variables
$config_kernel_variables = $rabbitmq::config_kernel_variables
$config_management_variables = $rabbitmq::config_management_variables
$config_additional_variables = $rabbitmq::config_additional_variables
$auth_backends = $rabbitmq::auth_backends
$cluster_partition_handling = $rabbitmq::cluster_partition_handling
$file_limit = $rabbitmq::file_limit
$collect_statistics_interval = $rabbitmq::collect_statistics_interval
$ipv6 = $rabbitmq::ipv6
$inetrc_config = $rabbitmq::inetrc_config
$inetrc_config_path = $rabbitmq::inetrc_config_path
$ssl_erl_dist = $rabbitmq::ssl_erl_dist
$admin_enable = $rabbitmq::admin_enable
$cluster_node_type = $rabbitmq::cluster_node_type
$cluster_nodes = $rabbitmq::cluster_nodes
$config = $rabbitmq::config
$config_cluster = $rabbitmq::config_cluster
$config_path = $rabbitmq::config_path
$config_ranch = $rabbitmq::config_ranch
$config_stomp = $rabbitmq::config_stomp
$config_shovel = $rabbitmq::config_shovel
$config_shovel_statics = $rabbitmq::config_shovel_statics
$default_user = $rabbitmq::default_user
$default_pass = $rabbitmq::default_pass
$env_config = $rabbitmq::env_config
$env_config_path = $rabbitmq::env_config_path
$erlang_cookie = $rabbitmq::erlang_cookie
$interface = $rabbitmq::interface
$management_port = $rabbitmq::management_port
$management_ssl = $rabbitmq::management_ssl
$management_hostname = $rabbitmq::management_hostname
$node_ip_address = $rabbitmq::node_ip_address
$rabbitmq_user = $rabbitmq::rabbitmq_user
$rabbitmq_group = $rabbitmq::rabbitmq_group
$rabbitmq_home = $rabbitmq::rabbitmq_home
$port = $rabbitmq::port
$tcp_keepalive = $rabbitmq::tcp_keepalive
$tcp_backlog = $rabbitmq::tcp_backlog
$tcp_sndbuf = $rabbitmq::tcp_sndbuf
$tcp_recbuf = $rabbitmq::tcp_recbuf
$heartbeat = $rabbitmq::heartbeat
$service_name = $rabbitmq::service_name
$ssl = $rabbitmq::ssl
$ssl_only = $rabbitmq::ssl_only
$ssl_cacert = $rabbitmq::ssl_cacert
$ssl_cert = $rabbitmq::ssl_cert
$ssl_key = $rabbitmq::ssl_key
$ssl_depth = $rabbitmq::ssl_depth
$ssl_cert_password = $rabbitmq::ssl_cert_password
$ssl_port = $rabbitmq::ssl_port
$ssl_interface = $rabbitmq::ssl_interface
$ssl_management_port = $rabbitmq::ssl_management_port
$ssl_management_verify = $rabbitmq::ssl_management_verify
$ssl_management_fail_if_no_peer_cert = $rabbitmq::ssl_management_fail_if_no_peer_cert
$ssl_stomp_port = $rabbitmq::ssl_stomp_port
$ssl_verify = $rabbitmq::ssl_verify
$ssl_fail_if_no_peer_cert = $rabbitmq::ssl_fail_if_no_peer_cert
$ssl_secure_renegotiate = $rabbitmq::ssl_secure_renegotiate
$ssl_reuse_sessions = $rabbitmq::ssl_reuse_sessions
$ssl_honor_cipher_order = $rabbitmq::ssl_honor_cipher_order
$ssl_dhfile = $rabbitmq::ssl_dhfile
$ssl_versions = $rabbitmq::ssl_versions
$ssl_ciphers = $rabbitmq::ssl_ciphers
$stomp_port = $rabbitmq::stomp_port
$stomp_ssl_only = $rabbitmq::stomp_ssl_only
$ldap_auth = $rabbitmq::ldap_auth
$ldap_server = $rabbitmq::ldap_server
$ldap_user_dn_pattern = $rabbitmq::ldap_user_dn_pattern
$ldap_other_bind = $rabbitmq::ldap_other_bind
$ldap_use_ssl = $rabbitmq::ldap_use_ssl
$ldap_port = $rabbitmq::ldap_port
$ldap_log = $rabbitmq::ldap_log
$ldap_config_variables = $rabbitmq::ldap_config_variables
$wipe_db_on_cookie_change = $rabbitmq::wipe_db_on_cookie_change
$config_variables = $rabbitmq::config_variables
$config_kernel_variables = $rabbitmq::config_kernel_variables
$config_management_variables = $rabbitmq::config_management_variables
$config_additional_variables = $rabbitmq::config_additional_variables
$auth_backends = $rabbitmq::auth_backends
$cluster_partition_handling = $rabbitmq::cluster_partition_handling
$file_limit = $rabbitmq::file_limit
$collect_statistics_interval = $rabbitmq::collect_statistics_interval
$ipv6 = $rabbitmq::ipv6
$inetrc_config = $rabbitmq::inetrc_config
$inetrc_config_path = $rabbitmq::inetrc_config_path
$ssl_erl_dist = $rabbitmq::ssl_erl_dist

if $ssl_only {
$default_ssl_env_variables = {}
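Review bot: The two functional lines, `$ssl_management_verify = $rabbitmq::ssl_management_verify` and `$ssl_management_fail_if_no_peer_cert = $rabbitmq::ssl_management_fail_if_no_peer_cert`, are buried in a re-alignment of the other 72 assignments to the new longest name, and manifests/params.pp has the same 58-line realignment around its two new defaults. Landing the whitespace realignment as a separate commit would leave a four-line functional diff that can be checked directly against the template and the spec. The class body continues below the hunk.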
4 changes: 4 additions & 0 deletions manifests/init.pp
Expand Up @@ -164,6 +164,8 @@
# @param ssl_stomp_port SSL stomp port.
# @param ssl_verify rabbitmq.config SSL verify setting.
# @param ssl_fail_if_no_peer_cert rabbitmq.config `fail_if_no_peer_cert` setting.
# @param ssl_management_verify rabbitmq.config SSL verify setting for rabbitmq_management.
# @param ssl_manaagement_fail_if_no_peer_cert rabbitmq.config `fail_if_no_peer_cert` setting for rabbitmq_management.
# @param ssl_versions Choose which SSL versions to enable. Example: `['tlsv1.2', 'tlsv1.1']` Note that it is recommended to disable `sslv3
# and `tlsv1` to prevent against POODLE and BEAST attacks. Please see the [RabbitMQ SSL](https://www.rabbitmq.com/ssl.html) documentation
# for more information.
Expand Down Expand Up @@ -239,6 +241,8 @@
Integer[1, 65535] $ssl_stomp_port = $rabbitmq::params::ssl_stomp_port,
Enum['verify_none','verify_peer'] $ssl_verify = $rabbitmq::params::ssl_verify,
Boolean $ssl_fail_if_no_peer_cert = $rabbitmq::params::ssl_fail_if_no_peer_cert,
Enum['verify_none','verify_peer'] $ssl_management_verify = $rabbitmq::params::ssl_management_verify,
Boolean $ssl_management_fail_if_no_peer_cert = $rabbitmq::params::ssl_management_fail_if_no_peer_cert,
Optional[Array] $ssl_versions = undef,
Boolean $ssl_secure_renegotiate = $rabbitmq::params::ssl_secure_renegotiate,
Boolean $ssl_reuse_sessions = $rabbitmq::params::ssl_reuse_sessions,
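Review bot: The second added doc line misspells the parameter as `ssl_manaagement_fail_if_no_peer_cert`, so it does not match the `$ssl_management_fail_if_no_peer_cert` parameter added in the second hunk and the generated reference will describe an option that does not exist; it should read `# @param ssl_management_fail_if_no_peer_cert rabbitmq.config `fail_if_no_peer_cert` setting for rabbitmq_management.`. Both new descriptions would also help operators more if they said what the values control: with `verify_none` the management listener does not request a client certificate, and `fail_if_no_peer_cert` is only consulted together with `verify_peer`, so the client-authenticated configuration is the `verify_peer`/`true` pairing. The parameter list continues outside both hunks.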
118 changes: 60 additions & 58 deletions manifests/params.pp
Expand Up @@ -83,63 +83,65 @@
}

#install
$admin_enable = true
$management_port = 15672
$management_ssl = true
$repos_ensure = false
$service_ensure = 'running'
$service_manage = true
$admin_enable = true
$management_port = 15672
$management_ssl = true
$repos_ensure = false
$service_ensure = 'running'
$service_manage = true
#config
$cluster_node_type = 'disc'
$cluster_nodes = []
$config = 'rabbitmq/rabbitmq.config.erb'
$config_cluster = false
$config_path = '/etc/rabbitmq/rabbitmq.config'
$config_ranch = true
$config_stomp = false
$config_shovel = false
$config_shovel_statics = {}
$default_user = 'guest'
$default_pass = 'guest'
$delete_guest_user = false
$env_config = 'rabbitmq/rabbitmq-env.conf.erb'
$env_config_path = '/etc/rabbitmq/rabbitmq-env.conf'
$port = 5672
$tcp_keepalive = false
$tcp_backlog = 128
$ssl = false
$ssl_ciphers = []
$ssl_erl_dist = false
$ssl_fail_if_no_peer_cert = false
$ssl_honor_cipher_order = true
$ssl_management_port = 15671
$ssl_only = false
$ssl_port = 5671
$ssl_reuse_sessions = true
$ssl_secure_renegotiate = true
$ssl_stomp_port = 6164
$ssl_verify = 'verify_none'
$ssl_versions = undef
$stomp_ensure = false
$stomp_port = 6163
$stomp_ssl_only = false
$ldap_auth = false
$ldap_server = 'ldap'
$ldap_user_dn_pattern = undef
$ldap_other_bind = 'anon'
$ldap_use_ssl = false
$ldap_port = 389
$ldap_log = false
$ldap_config_variables = {}
$wipe_db_on_cookie_change = false
$cluster_partition_handling = 'ignore'
$environment_variables = {}
$config_variables = {}
$config_kernel_variables = {}
$config_management_variables = {}
$config_additional_variables = {}
$file_limit = 16384
$ipv6 = false
$inetrc_config = 'rabbitmq/inetrc.erb'
$inetrc_config_path = '/etc/rabbitmq/inetrc'
$cluster_node_type = 'disc'
$cluster_nodes = []
$config = 'rabbitmq/rabbitmq.config.erb'
$config_cluster = false
$config_path = '/etc/rabbitmq/rabbitmq.config'
$config_ranch = true
$config_stomp = false
$config_shovel = false
$config_shovel_statics = {}
$default_user = 'guest'
$default_pass = 'guest'
$delete_guest_user = false
$env_config = 'rabbitmq/rabbitmq-env.conf.erb'
$env_config_path = '/etc/rabbitmq/rabbitmq-env.conf'
$port = 5672
$tcp_keepalive = false
$tcp_backlog = 128
$ssl = false
$ssl_ciphers = []
$ssl_erl_dist = false
$ssl_fail_if_no_peer_cert = false
$ssl_honor_cipher_order = true
$ssl_management_port = 15671
$ssl_only = false
$ssl_port = 5671
$ssl_reuse_sessions = true
$ssl_secure_renegotiate = true
$ssl_stomp_port = 6164
$ssl_verify = 'verify_none'
$ssl_versions = undef
$ssl_management_verify = 'verify_none'
$ssl_management_fail_if_no_peer_cert = false
$stomp_ensure = false
$stomp_port = 6163
$stomp_ssl_only = false
$ldap_auth = false
$ldap_server = 'ldap'
$ldap_user_dn_pattern = undef
$ldap_other_bind = 'anon'
$ldap_use_ssl = false
$ldap_port = 389
$ldap_log = false
$ldap_config_variables = {}
$wipe_db_on_cookie_change = false
$cluster_partition_handling = 'ignore'
$environment_variables = {}
$config_variables = {}
$config_kernel_variables = {}
$config_management_variables = {}
$config_additional_variables = {}
$file_limit = 16384
$ipv6 = false
$inetrc_config = 'rabbitmq/inetrc.erb'
$inetrc_config_path = '/etc/rabbitmq/inetrc'
}
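Review bot: The new defaults `$ssl_management_verify = 'verify_none'` and `$ssl_management_fail_if_no_peer_cert = false` are placed after `$ssl_versions`, which breaks the otherwise alphabetical order of the `ssl_*` defaults; moving them directly after `$ssl_management_port = 15671` keeps the list scannable. The values themselves appear to preserve the previous behaviour of the management listener, which did not emit a `verify` entry at all, but nothing records that choice; a comment above them, `# mirror $ssl_verify / $ssl_fail_if_no_peer_cert: existing management listeners keep not requesting client certificates`, would make the intent visible to whoever later considers tightening the default.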
4 changes: 4 additions & 0 deletions spec/classes/rabbitmq_spec.rb
Expand Up @@ -1083,6 +1083,8 @@
ssl_cacert: '/path/to/cacert',
ssl_cert: '/path/to/cert',
ssl_key: '/path/to/key',
ssl_management_verify: 'verify_peer',
ssl_management_fail_if_no_peer_cert: true,
admin_enable: true }
end

Expand All @@ -1092,6 +1094,8 @@
is_expected.to contain_file('rabbitmq.config').with_content(%r{port, 3141\}})
is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl, true\}})
is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_opts, \[})
is_expected.to contain_file('rabbitmq.config').with_content(%r{verify,verify_peer\},})
is_expected.to contain_file('rabbitmq.config').with_content(%r{fail_if_no_peer_cert,true\}})
is_expected.to contain_file('rabbitmq.config').with_content(%r{cacertfile, "/path/to/cacert"\},})
is_expected.to contain_file('rabbitmq.config').with_content(%r{certfile, "/path/to/cert"\},})
is_expected.to contain_file('rabbitmq.config').with_content(%r{keyfile, "/path/to/key"\}})
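Review bot: The two new assertions `%r{verify,verify_peer\},}` and `%r{fail_if_no_peer_cert,true\}}` are not anchored to the management listener's block, so if the main `ssl_opts` list renders its own `verify`/`fail_if_no_peer_cert` entries with the same spacing they would be satisfied by that block as well; in this example only the main listener's unchanged `verify_none`/`false` defaults keep them discriminating. A second example that leaves the new parameters at their defaults and asserts `verify,verify_none\}` and `fail_if_no_peer_cert,false\}` would pin the rendering the template now emits unconditionally. The example's `let(:params)` block starts above the first hunk.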
4 changes: 3 additions & 1 deletion templates/rabbitmq.config.erb
Expand Up @@ -113,7 +113,9 @@
{cacertfile, "<%= @ssl_cacert %>"},
<%- end -%>
{certfile, "<%= @ssl_cert %>"},
{keyfile, "<%= @ssl_key %>"}
{keyfile, "<%= @ssl_key %>"},
{verify,<%= @ssl_management_verify %>},
{fail_if_no_peer_cert,<%= @ssl_management_fail_if_no_peer_cert %>}
<%- if @ssl_versions -%>
,{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]}
<%- end -%>
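Review bot: The added entries `{verify,<%= @ssl_management_verify %>},` and `{fail_if_no_peer_cert,<%= @ssl_management_fail_if_no_peer_cert %>}` omit the space after the comma that every neighbouring entry (`{cacertfile, ...}`, `{certfile, ...}`, `{keyfile, ...}`) has, so the generated list mixes two spacings; writing them as `{verify, <%= @ssl_management_verify %>},` and `{fail_if_no_peer_cert, <%= @ssl_management_fail_if_no_peer_cert %>}` keeps the output uniform, with the matching space added to the two regexes in spec/classes/rabbitmq_spec.rb. Since both variables are always set, `fail_if_no_peer_cert` is now emitted even under `verify_none`, where it has no effect; that is harmless, but a template comment such as `<%# fail_if_no_peer_cert is only honoured together with verify_peer %>` would save the next reader a lookup. The listener block this hunk sits in continues outside the hunk.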