From 585462d8eba6e18308134be15114e61c0a9865ab Mon Sep 17 00:00:00 2001 From: Simon Unge Date: Fri, 7 Jun 2024 17:45:11 +0000 Subject: [PATCH 1/3] cuttlefish tls schema for amqp_client --- deps/amqp_client/BUILD.bazel | 4 + deps/amqp_client/app.bzl | 9 + .../priv/schema/amqp_client.schema | 129 ++++++++++++++ deps/amqp_client/test/config_schema_SUITE.erl | 53 ++++++ .../amqp_client.snippets | 166 ++++++++++++++++++ .../certs/invalid_cacert.pem | 1 + .../certs/invalid_cert.pem | 1 + .../certs/invalid_key.pem | 1 + 8 files changed, 364 insertions(+) create mode 100644 deps/amqp_client/priv/schema/amqp_client.schema create mode 100644 deps/amqp_client/test/config_schema_SUITE.erl create mode 100644 deps/amqp_client/test/config_schema_SUITE_data/amqp_client.snippets create mode 100644 deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cacert.pem create mode 100644 deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cert.pem create mode 100644 deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_key.pem diff --git a/deps/amqp_client/BUILD.bazel b/deps/amqp_client/BUILD.bazel index ed36ed8b6b79..c93a1812f341 100644 --- a/deps/amqp_client/BUILD.bazel +++ b/deps/amqp_client/BUILD.bazel @@ -124,6 +124,10 @@ rabbitmq_integration_suite( ], ) +rabbitmq_integration_suite( + name = "config_schema_SUITE", +) + rabbitmq_suite( name = "unit_SUITE", size = "small", diff --git a/deps/amqp_client/app.bzl b/deps/amqp_client/app.bzl index 11ded2ce4e2b..c5ae137dc2fd 100644 --- a/deps/amqp_client/app.bzl +++ b/deps/amqp_client/app.bzl @@ -118,6 +118,7 @@ def all_srcs(name = "all_srcs"): filegroup( name = "priv", + srcs = ["priv/schema/amqp_client.schema"], ) filegroup( 
@@ -190,3 +191,11 @@ def test_suite_beam_files(name = "test_suite_beam_files"): erlc_opts = "//:test_erlc_opts", deps = ["//deps/rabbit_common:erlang_app"], ) + erlang_bytecode( + name = "config_schema_SUITE_beam_files", + testonly = True, + srcs = ["test/config_schema_SUITE.erl"], + outs = ["test/config_schema_SUITE.beam"], + app_name = "amqp_client", + erlc_opts = "//:test_erlc_opts", + ) diff --git a/deps/amqp_client/priv/schema/amqp_client.schema b/deps/amqp_client/priv/schema/amqp_client.schema new file mode 100644 index 000000000000..59c77d435f51 --- /dev/null +++ b/deps/amqp_client/priv/schema/amqp_client.schema 
@@ -0,0 +1,129 @@ +%% ---------------------------------------------------------------------------- +%% RabbitMQ amqp_client TLS options +%% ---------------------------------------------------------------------------- + +{mapping, "amqp_client.ssl_options", "amqp_client.ssl_options", [ + {datatype, {enum, [none]}} +]}. + +{translation, "amqp_client.ssl_options", +fun(Conf) -> + case cuttlefish:conf_get("amqp_client.ssl_options", Conf, undefined) of + none -> []; + _ -> cuttlefish:invalid("Invalid amqp_client.ssl_options") + end +end}. + +{mapping, "amqp_client.ssl_options.verify", "amqp_client.ssl_options.verify", [ + {datatype, {enum, [verify_peer, verify_none]}}]}. + +{mapping, "amqp_client.ssl_options.fail_if_no_peer_cert", "amqp_client.ssl_options.fail_if_no_peer_cert", [ + {datatype, {enum, [true, false]}}]}. + +{mapping, "amqp_client.ssl_options.cacertfile", "amqp_client.ssl_options.cacertfile", + [{datatype, string}, {validators, ["file_accessible"]}]}. + +{mapping, "amqp_client.ssl_options.certfile", "amqp_client.ssl_options.certfile", + [{datatype, string}, {validators, ["file_accessible"]}]}. + +{mapping, "amqp_client.ssl_options.cacerts.$name", "amqp_client.ssl_options.cacerts", + [{datatype, string}]}. + +{translation, "amqp_client.ssl_options.cacerts", +fun(Conf) -> + Settings = cuttlefish_variable:filter_by_prefix("amqp_client.ssl_options.cacerts", Conf), + [ list_to_binary(V) || {_, V} <- Settings ] +end}. + +{mapping, "amqp_client.ssl_options.cert", "amqp_client.ssl_options.cert", + [{datatype, string}]}. + +{translation, "amqp_client.ssl_options.cert", +fun(Conf) -> + list_to_binary(cuttlefish:conf_get("amqp_client.ssl_options.cert", Conf)) +end}. + +{mapping, "amqp_client.ssl_options.client_renegotiation", "amqp_client.ssl_options.client_renegotiation", + [{datatype, {enum, [true, false]}}]}. + +{mapping, "amqp_client.ssl_options.crl_check", "amqp_client.ssl_options.crl_check", + [{datatype, [{enum, [true, false, peer, best_effort]}]}]}. 
+ +{mapping, "amqp_client.ssl_options.depth", "amqp_client.ssl_options.depth", + [{datatype, integer}, {validators, ["byte"]}]}. + +{mapping, "amqp_client.ssl_options.dh", "amqp_client.ssl_options.dh", + [{datatype, string}]}. + +{translation, "amqp_client.ssl_options.dh", +fun(Conf) -> + list_to_binary(cuttlefish:conf_get("amqp_client.ssl_options.dh", Conf)) +end}. + +{mapping, "amqp_client.ssl_options.dhfile", "amqp_client.ssl_options.dhfile", + [{datatype, string}, {validators, ["file_accessible"]}]}. + +{mapping, "amqp_client.ssl_options.honor_cipher_order", "amqp_client.ssl_options.honor_cipher_order", + [{datatype, {enum, [true, false]}}]}. + +{mapping, "amqp_client.ssl_options.honor_ecc_order", "amqp_client.ssl_options.honor_ecc_order", + [{datatype, {enum, [true, false]}}]}. + +{mapping, "amqp_client.ssl_options.key.RSAPrivateKey", "amqp_client.ssl_options.key", + [{datatype, string}]}. + +{mapping, "amqp_client.ssl_options.key.DSAPrivateKey", "amqp_client.ssl_options.key", + [{datatype, string}]}. + +{mapping, "amqp_client.ssl_options.key.PrivateKeyInfo", "amqp_client.ssl_options.key", + [{datatype, string}]}. + +{translation, "amqp_client.ssl_options.key", +fun(Conf) -> + case cuttlefish_variable:filter_by_prefix("amqp_client.ssl_options.key", Conf) of + [{[_,_,Key], Val}|_] -> {list_to_atom(Key), list_to_binary(Val)}; + _ -> undefined + end +end}. + +{mapping, "amqp_client.ssl_options.keyfile", "amqp_client.ssl_options.keyfile", + [{datatype, string}, {validators, ["file_accessible"]}]}. + +{mapping, "amqp_client.ssl_options.log_alert", "amqp_client.ssl_options.log_alert", + [{datatype, {enum, [true, false]}}]}. + +{mapping, "amqp_client.ssl_options.password", "amqp_client.ssl_options.password", + [{datatype, string}]}. + +{mapping, "amqp_client.ssl_options.psk_identity", "amqp_client.ssl_options.psk_identity", + [{datatype, string}]}. 
+ +{mapping, "amqp_client.ssl_options.reuse_sessions", "amqp_client.ssl_options.reuse_sessions", + [{datatype, {enum, [true, false]}}]}. + +{mapping, "amqp_client.ssl_options.secure_renegotiate", "amqp_client.ssl_options.secure_renegotiate", + [{datatype, {enum, [true, false]}}]}. + +{mapping, "amqp_client.ssl_options.versions.$version", "amqp_client.ssl_options.versions", + [{datatype, atom}]}. + +{translation, "amqp_client.ssl_options.versions", +fun(Conf) -> + Settings = cuttlefish_variable:filter_by_prefix("amqp_client.ssl_options.versions", Conf), + [ V || {_, V} <- Settings ] +end}. + +{mapping, "amqp_client.ssl_options.sni", "amqp_client.ssl_options.server_name_indication", + [{datatype, [{enum, [none]}, string]}]}. + +{translation, "amqp_client.ssl_options.server_name_indication", +fun(Conf) -> + case cuttlefish:conf_get("amqp_client.ssl_options.sni", Conf, undefined) of + undefined -> cuttlefish:unset(); + none -> cuttlefish:unset(); + Hostname -> Hostname + end +end}. + +{mapping, "amqp_client.ssl_options.hostname_verification", "amqp_client.ssl_hostname_verification", [ + {datatype, {enum, [wildcard, none]}}]}. diff --git a/deps/amqp_client/test/config_schema_SUITE.erl b/deps/amqp_client/test/config_schema_SUITE.erl new file mode 100644 index 000000000000..e6f4c1120fe1 --- /dev/null +++ b/deps/amqp_client/test/config_schema_SUITE.erl 
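Review bot: The `sni` translation maps `none` to `cuttlefish:unset()`, which merely omits `server_name_indication` and leaves the client on the ssl application's default behaviour instead of turning SNI off; if `none` is meant to disable it, the translation should emit the atom the ssl application uses for that, `none -> disable;`. Relatedly, `verify` carries no `{default, verify_peer}`, so a config that sets only `cacertfile` gets whatever client default the running OTP applies (that default has changed across OTP releases), and `hostname_verification` is written to a separate `amqp_client.ssl_hostname_verification` key that I could not confirm from this diff is read by amqp_client. The `key` translation calls `list_to_atom(Key)`; today the value is bounded by the three `key.*` mappings above it, so it is not an atom-table risk, but `list_to_existing_atom` would keep it that way if more key kinds are added. Also `cacerts.$name`, `cert` and `dh` are passed through `list_to_binary` of a config string, while the ssl application presumably expects DER-encoded binaries for these options, so only the file-based variants look usable from rabbitmq.conf — worth confirming, or dropping the inline forms.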
@@ -0,0 +1,53 @@
+%% This Source Code Form is subject to the terms of the Mozilla Public
+%% License, v. 2.0. If a copy of the MPL was not distributed with this
+%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
+%%
+%% Copyright (c) 2007-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
+%%
+
+-module(config_schema_SUITE).
+
+-compile(export_all).
+
+all() ->
+ [
+ run_snippets
+ ].
+
+%% -------------------------------------------------------------------
+%% Testsuite setup/teardown.
+%% -------------------------------------------------------------------
+
+init_per_suite(Config) ->
+ rabbit_ct_helpers:log_environment(),
+ Config1 = rabbit_ct_helpers:run_setup_steps(Config),
+ rabbit_ct_config_schema:init_schemas(amqp_client, Config1).
+
+end_per_suite(Config) ->
+ rabbit_ct_helpers:run_teardown_steps(Config).
+
+init_per_testcase(Testcase, Config) ->
+ rabbit_ct_helpers:testcase_started(Config, Testcase),
+ Config1 = rabbit_ct_helpers:set_config(Config, [
+ {rmq_nodename_suffix, Testcase}
+ ]),
+ rabbit_ct_helpers:run_steps(Config1,
+ rabbit_ct_broker_helpers:setup_steps() ++
+ rabbit_ct_client_helpers:setup_steps()).
+
+end_per_testcase(Testcase, Config) ->
+ Config1 = rabbit_ct_helpers:run_steps(Config,
+ rabbit_ct_client_helpers:teardown_steps() ++
+ rabbit_ct_broker_helpers:teardown_steps()),
+ rabbit_ct_helpers:testcase_finished(Config1, Testcase).
+
+%% -------------------------------------------------------------------
+%% Testcases.
+%% -------------------------------------------------------------------
+
+run_snippets(Config) ->
+ ok = rabbit_ct_broker_helpers:rpc(Config, 0,
+ ?MODULE, run_snippets1, [Config]).
+
+run_snippets1(Config) ->
+ rabbit_ct_config_schema:run_snippets(Config).
diff --git a/deps/amqp_client/test/config_schema_SUITE_data/amqp_client.snippets b/deps/amqp_client/test/config_schema_SUITE_data/amqp_client.snippets new file mode 100644 index 000000000000..147fd1fa10b9 --- /dev/null +++ b/deps/amqp_client/test/config_schema_SUITE_data/amqp_client.snippets 
@@ -0,0 +1,166 @@ +[{ssl_options, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem + amqp_client.ssl_options.verify = verify_peer + amqp_client.ssl_options.fail_if_no_peer_cert = true", + [{amqp_client, [ + {ssl_options, + [{cacertfile, "test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, + {certfile, "test/config_schema_SUITE_data/certs/invalid_cert.pem"}, + {keyfile, "test/config_schema_SUITE_data/certs/invalid_key.pem"}, + {verify, verify_peer}, + {fail_if_no_peer_cert, true}]} + ]}], + [amqp_client]}, + {ssl_options_verify_peer, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem + amqp_client.ssl_options.verify = verify_peer + amqp_client.ssl_options.fail_if_no_peer_cert = false", + [{amqp_client, + [ + {ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, + {verify,verify_peer}, + {fail_if_no_peer_cert,false}]}]}], + []}, + {ssl_options_password, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem + amqp_client.ssl_options.password = t0p$3kRe7", + [{amqp_client, + [ + {ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, + 
{keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, + {password,"t0p$3kRe7"}]}]}], + []}, + {ssl_options_tls_versions, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem + amqp_client.ssl_options.versions.tls1_2 = tlsv1.2 + amqp_client.ssl_options.versions.tls1_1 = tlsv1.1", + [], + [{amqp_client, + [{ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, + {versions,['tlsv1.2','tlsv1.1']}]} + ]}], + []}, + {ssl_options_depth, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem + amqp_client.ssl_options.depth = 2 + amqp_client.ssl_options.verify = verify_peer + amqp_client.ssl_options.fail_if_no_peer_cert = false", + [{amqp_client, + [{ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, + {depth,2}, + {verify,verify_peer}, + {fail_if_no_peer_cert,false}]}]}], + []}, + {ssl_options_honor_cipher_order, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem + amqp_client.ssl_options.depth = 2 + amqp_client.ssl_options.verify = verify_peer + 
amqp_client.ssl_options.fail_if_no_peer_cert = false + amqp_client.ssl_options.honor_cipher_order = true", + [{amqp_client, + [{ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, + {depth,2}, + {verify,verify_peer}, + {fail_if_no_peer_cert, false}, + {honor_cipher_order, true}]}]}], + []}, + {ssl_options_honor_ecc_order, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem + amqp_client.ssl_options.depth = 2 + amqp_client.ssl_options.verify = verify_peer + amqp_client.ssl_options.fail_if_no_peer_cert = false + amqp_client.ssl_options.honor_ecc_order = true", + [{amqp_client, + [{ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, + {depth,2}, + {verify,verify_peer}, + {fail_if_no_peer_cert, false}, + {honor_ecc_order, true}]} + ]}], + []}, + {ssl_options_sni_disabled, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem + amqp_client.ssl_options.versions.tls1_2 = tlsv1.2 + amqp_client.ssl_options.versions.tls1_1 = tlsv1.1 + amqp_client.ssl_options.sni = none", + [], + [{amqp_client, + [{ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, + 
{keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, + {versions,['tlsv1.2','tlsv1.1']}] + }] + }], + []}, + {ssl_options_sni_hostname, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem + amqp_client.ssl_options.versions.tls1_2 = tlsv1.2 + amqp_client.ssl_options.versions.tls1_1 = tlsv1.1 + amqp_client.ssl_options.sni = hostname.dev", + [], + [{amqp_client, + [{ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, + {versions,['tlsv1.2','tlsv1.1']}, + {server_name_indication, "hostname.dev"} + ]} + ]}], + []}, + {ssl_options_hostname_verification_wildcard, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem + amqp_client.ssl_options.versions.tls1_2 = tlsv1.2 + amqp_client.ssl_options.versions.tls1_1 = tlsv1.1 + amqp_client.ssl_options.hostname_verification = wildcard", + [], + [{amqp_client, + [ + {ssl_hostname_verification, wildcard}, + {ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, + {versions,['tlsv1.2','tlsv1.1']} + ]} + ]}], + []} +]. diff --git a/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cacert.pem b/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cacert.pem new file mode 100644 index 000000000000..eaf6b67806ce --- /dev/null 
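Review bot: The `ssl_options_tls_versions`, `ssl_options_sni_*` and `ssl_options_hostname_verification_wildcard` snippets pin `tlsv1.1` next to `tlsv1.2` as the expected `versions` list; this is test data, but these snippets double as the reference examples for the key and should show a current set, e.g. `amqp_client.ssl_options.versions.tls1_3 = tlsv1.3` alongside `tlsv1.2`. None of the snippets exercise the translations that do real work — `cacerts.$name`, `key.RSAPrivateKey`/`key.PrivateKeyInfo`, `crl_check`, or a bare `amqp_client.ssl_options = none` — so the `list_to_atom`/`list_to_binary` paths and the `cuttlefish:invalid` branch are untested here. The first snippet also lists `[amqp_client]` as its applications element while every other snippet uses `[]`; if that difference is intentional it deserves a one-line comment, otherwise align them.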
+++ b/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cacert.pem @@ -0,0 +1 @@ +I'm not a certificate diff --git a/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cert.pem b/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cert.pem new file mode 100644 index 000000000000..eaf6b67806ce --- /dev/null +++ b/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cert.pem @@ -0,0 +1 @@ +I'm not a certificate diff --git a/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_key.pem b/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_key.pem new file mode 100644 index 000000000000..eaf6b67806ce --- /dev/null +++ b/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_key.pem @@ -0,0 +1 @@ +I'm not a certificate From 145592efe95788f96da1d6d96c9b3667ebe5e733 Mon Sep 17 00:00:00 2001 From: Simon Unge Date: Mon, 10 Jun 2024 20:30:55 +0000 Subject: [PATCH 2/3] Remove server options and move to rabbit schema --- deps/amqp_client/BUILD.bazel | 4 - deps/amqp_client/app.bzl | 9 - .../priv/schema/amqp_client.schema | 129 -------------- deps/amqp_client/test/config_schema_SUITE.erl | 53 ------ .../amqp_client.snippets | 166 ------------------ .../certs/invalid_cacert.pem | 1 - .../certs/invalid_cert.pem | 1 - .../certs/invalid_key.pem | 1 - deps/rabbit/priv/schema/rabbit.schema | 104 +++++++++++ .../config_schema_SUITE_data/rabbit.snippets | 110 +++++++++++- 10 files changed, 213 insertions(+), 365 deletions(-) delete mode 100644 deps/amqp_client/priv/schema/amqp_client.schema delete mode 100644 deps/amqp_client/test/config_schema_SUITE.erl delete mode 100644 deps/amqp_client/test/config_schema_SUITE_data/amqp_client.snippets delete mode 100644 deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cacert.pem delete mode 100644 deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cert.pem delete mode 100644 deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_key.pem 
diff --git a/deps/amqp_client/BUILD.bazel b/deps/amqp_client/BUILD.bazel index c93a1812f341..ed36ed8b6b79 100644 --- a/deps/amqp_client/BUILD.bazel +++ b/deps/amqp_client/BUILD.bazel @@ -124,10 +124,6 @@ rabbitmq_integration_suite( ], ) -rabbitmq_integration_suite( - name = "config_schema_SUITE", -) - rabbitmq_suite( name = "unit_SUITE", size = "small", diff --git a/deps/amqp_client/app.bzl b/deps/amqp_client/app.bzl index c5ae137dc2fd..11ded2ce4e2b 100644 --- a/deps/amqp_client/app.bzl +++ b/deps/amqp_client/app.bzl @@ -118,7 +118,6 @@ def all_srcs(name = "all_srcs"): filegroup( name = "priv", - srcs = ["priv/schema/amqp_client.schema"], ) filegroup( @@ -191,11 +190,3 @@ def test_suite_beam_files(name = "test_suite_beam_files"): erlc_opts = "//:test_erlc_opts", deps = ["//deps/rabbit_common:erlang_app"], ) - erlang_bytecode( - name = "config_schema_SUITE_beam_files", - testonly = True, - srcs = ["test/config_schema_SUITE.erl"], - outs = ["test/config_schema_SUITE.beam"], - app_name = "amqp_client", - erlc_opts = "//:test_erlc_opts", - ) diff --git a/deps/amqp_client/priv/schema/amqp_client.schema b/deps/amqp_client/priv/schema/amqp_client.schema deleted file mode 100644 index 59c77d435f51..000000000000 --- a/deps/amqp_client/priv/schema/amqp_client.schema +++ /dev/null 
@@ -1,129 +0,0 @@ -%% ---------------------------------------------------------------------------- -%% RabbitMQ amqp_client TLS options -%% ---------------------------------------------------------------------------- - -{mapping, "amqp_client.ssl_options", "amqp_client.ssl_options", [ - {datatype, {enum, [none]}} -]}. - -{translation, "amqp_client.ssl_options", -fun(Conf) -> - case cuttlefish:conf_get("amqp_client.ssl_options", Conf, undefined) of - none -> []; - _ -> cuttlefish:invalid("Invalid amqp_client.ssl_options") - end -end}. - -{mapping, "amqp_client.ssl_options.verify", "amqp_client.ssl_options.verify", [ - {datatype, {enum, [verify_peer, verify_none]}}]}. - -{mapping, "amqp_client.ssl_options.fail_if_no_peer_cert", "amqp_client.ssl_options.fail_if_no_peer_cert", [ - {datatype, {enum, [true, false]}}]}. - -{mapping, "amqp_client.ssl_options.cacertfile", "amqp_client.ssl_options.cacertfile", - [{datatype, string}, {validators, ["file_accessible"]}]}. - -{mapping, "amqp_client.ssl_options.certfile", "amqp_client.ssl_options.certfile", - [{datatype, string}, {validators, ["file_accessible"]}]}. - -{mapping, "amqp_client.ssl_options.cacerts.$name", "amqp_client.ssl_options.cacerts", - [{datatype, string}]}. - -{translation, "amqp_client.ssl_options.cacerts", -fun(Conf) -> - Settings = cuttlefish_variable:filter_by_prefix("amqp_client.ssl_options.cacerts", Conf), - [ list_to_binary(V) || {_, V} <- Settings ] -end}. - -{mapping, "amqp_client.ssl_options.cert", "amqp_client.ssl_options.cert", - [{datatype, string}]}. - -{translation, "amqp_client.ssl_options.cert", -fun(Conf) -> - list_to_binary(cuttlefish:conf_get("amqp_client.ssl_options.cert", Conf)) -end}. - -{mapping, "amqp_client.ssl_options.client_renegotiation", "amqp_client.ssl_options.client_renegotiation", - [{datatype, {enum, [true, false]}}]}. - -{mapping, "amqp_client.ssl_options.crl_check", "amqp_client.ssl_options.crl_check", - [{datatype, [{enum, [true, false, peer, best_effort]}]}]}. 
- -{mapping, "amqp_client.ssl_options.depth", "amqp_client.ssl_options.depth", - [{datatype, integer}, {validators, ["byte"]}]}. - -{mapping, "amqp_client.ssl_options.dh", "amqp_client.ssl_options.dh", - [{datatype, string}]}. - -{translation, "amqp_client.ssl_options.dh", -fun(Conf) -> - list_to_binary(cuttlefish:conf_get("amqp_client.ssl_options.dh", Conf)) -end}. - -{mapping, "amqp_client.ssl_options.dhfile", "amqp_client.ssl_options.dhfile", - [{datatype, string}, {validators, ["file_accessible"]}]}. - -{mapping, "amqp_client.ssl_options.honor_cipher_order", "amqp_client.ssl_options.honor_cipher_order", - [{datatype, {enum, [true, false]}}]}. - -{mapping, "amqp_client.ssl_options.honor_ecc_order", "amqp_client.ssl_options.honor_ecc_order", - [{datatype, {enum, [true, false]}}]}. - -{mapping, "amqp_client.ssl_options.key.RSAPrivateKey", "amqp_client.ssl_options.key", - [{datatype, string}]}. - -{mapping, "amqp_client.ssl_options.key.DSAPrivateKey", "amqp_client.ssl_options.key", - [{datatype, string}]}. - -{mapping, "amqp_client.ssl_options.key.PrivateKeyInfo", "amqp_client.ssl_options.key", - [{datatype, string}]}. - -{translation, "amqp_client.ssl_options.key", -fun(Conf) -> - case cuttlefish_variable:filter_by_prefix("amqp_client.ssl_options.key", Conf) of - [{[_,_,Key], Val}|_] -> {list_to_atom(Key), list_to_binary(Val)}; - _ -> undefined - end -end}. - -{mapping, "amqp_client.ssl_options.keyfile", "amqp_client.ssl_options.keyfile", - [{datatype, string}, {validators, ["file_accessible"]}]}. - -{mapping, "amqp_client.ssl_options.log_alert", "amqp_client.ssl_options.log_alert", - [{datatype, {enum, [true, false]}}]}. - -{mapping, "amqp_client.ssl_options.password", "amqp_client.ssl_options.password", - [{datatype, string}]}. - -{mapping, "amqp_client.ssl_options.psk_identity", "amqp_client.ssl_options.psk_identity", - [{datatype, string}]}. 
- -{mapping, "amqp_client.ssl_options.reuse_sessions", "amqp_client.ssl_options.reuse_sessions", - [{datatype, {enum, [true, false]}}]}. - -{mapping, "amqp_client.ssl_options.secure_renegotiate", "amqp_client.ssl_options.secure_renegotiate", - [{datatype, {enum, [true, false]}}]}. - -{mapping, "amqp_client.ssl_options.versions.$version", "amqp_client.ssl_options.versions", - [{datatype, atom}]}. - -{translation, "amqp_client.ssl_options.versions", -fun(Conf) -> - Settings = cuttlefish_variable:filter_by_prefix("amqp_client.ssl_options.versions", Conf), - [ V || {_, V} <- Settings ] -end}. - -{mapping, "amqp_client.ssl_options.sni", "amqp_client.ssl_options.server_name_indication", - [{datatype, [{enum, [none]}, string]}]}. - -{translation, "amqp_client.ssl_options.server_name_indication", -fun(Conf) -> - case cuttlefish:conf_get("amqp_client.ssl_options.sni", Conf, undefined) of - undefined -> cuttlefish:unset(); - none -> cuttlefish:unset(); - Hostname -> Hostname - end -end}. - -{mapping, "amqp_client.ssl_options.hostname_verification", "amqp_client.ssl_hostname_verification", [ - {datatype, {enum, [wildcard, none]}}]}. diff --git a/deps/amqp_client/test/config_schema_SUITE.erl b/deps/amqp_client/test/config_schema_SUITE.erl deleted file mode 100644 index e6f4c1120fe1..000000000000 --- a/deps/amqp_client/test/config_schema_SUITE.erl +++ /dev/null 
@@ -1,53 +0,0 @@ -%% This Source Code Form is subject to the terms of the Mozilla Public -%% License, v. 2.0. If a copy of the MPL was not distributed with this -%% file, You can obtain one at https://mozilla.org/MPL/2.0/. -%% -%% Copyright (c) 2007-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All rights reserved. -%% - --module(config_schema_SUITE). - --compile(export_all). - -all() -> - [ - run_snippets - ]. - -%% ------------------------------------------------------------------- -%% Testsuite setup/teardown. -%% ------------------------------------------------------------------- - -init_per_suite(Config) -> - rabbit_ct_helpers:log_environment(), - Config1 = rabbit_ct_helpers:run_setup_steps(Config), - rabbit_ct_config_schema:init_schemas(amqp_client, Config1). - -end_per_suite(Config) -> - rabbit_ct_helpers:run_teardown_steps(Config). - -init_per_testcase(Testcase, Config) -> - rabbit_ct_helpers:testcase_started(Config, Testcase), - Config1 = rabbit_ct_helpers:set_config(Config, [ - {rmq_nodename_suffix, Testcase} - ]), - rabbit_ct_helpers:run_steps(Config1, - rabbit_ct_broker_helpers:setup_steps() ++ - rabbit_ct_client_helpers:setup_steps()). - -end_per_testcase(Testcase, Config) -> - Config1 = rabbit_ct_helpers:run_steps(Config, - rabbit_ct_client_helpers:teardown_steps() ++ - rabbit_ct_broker_helpers:teardown_steps()), - rabbit_ct_helpers:testcase_finished(Config1, Testcase). - -%% ------------------------------------------------------------------- -%% Testcases. -%% ------------------------------------------------------------------- - -run_snippets(Config) -> - ok = rabbit_ct_broker_helpers:rpc(Config, 0, - ?MODULE, run_snippets1, [Config]). - -run_snippets1(Config) -> - rabbit_ct_config_schema:run_snippets(Config). 
diff --git a/deps/amqp_client/test/config_schema_SUITE_data/amqp_client.snippets b/deps/amqp_client/test/config_schema_SUITE_data/amqp_client.snippets deleted file mode 100644 index 147fd1fa10b9..000000000000 --- a/deps/amqp_client/test/config_schema_SUITE_data/amqp_client.snippets +++ /dev/null 
@@ -1,166 +0,0 @@ -[{ssl_options, - "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem - amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem - amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem - amqp_client.ssl_options.verify = verify_peer - amqp_client.ssl_options.fail_if_no_peer_cert = true", - [{amqp_client, [ - {ssl_options, - [{cacertfile, "test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, - {certfile, "test/config_schema_SUITE_data/certs/invalid_cert.pem"}, - {keyfile, "test/config_schema_SUITE_data/certs/invalid_key.pem"}, - {verify, verify_peer}, - {fail_if_no_peer_cert, true}]} - ]}], - [amqp_client]}, - {ssl_options_verify_peer, - "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem - amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem - amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem - amqp_client.ssl_options.verify = verify_peer - amqp_client.ssl_options.fail_if_no_peer_cert = false", - [{amqp_client, - [ - {ssl_options, - [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, - {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, - {keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, - {verify,verify_peer}, - {fail_if_no_peer_cert,false}]}]}], - []}, - {ssl_options_password, - "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem - amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem - amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem - amqp_client.ssl_options.password = t0p$3kRe7", - [{amqp_client, - [ - {ssl_options, - [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, - {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, - 
{keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, - {password,"t0p$3kRe7"}]}]}], - []}, - {ssl_options_tls_versions, - "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem - amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem - amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem - amqp_client.ssl_options.versions.tls1_2 = tlsv1.2 - amqp_client.ssl_options.versions.tls1_1 = tlsv1.1", - [], - [{amqp_client, - [{ssl_options, - [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, - {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, - {keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, - {versions,['tlsv1.2','tlsv1.1']}]} - ]}], - []}, - {ssl_options_depth, - "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem - amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem - amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem - amqp_client.ssl_options.depth = 2 - amqp_client.ssl_options.verify = verify_peer - amqp_client.ssl_options.fail_if_no_peer_cert = false", - [{amqp_client, - [{ssl_options, - [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, - {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, - {keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, - {depth,2}, - {verify,verify_peer}, - {fail_if_no_peer_cert,false}]}]}], - []}, - {ssl_options_honor_cipher_order, - "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem - amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem - amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem - amqp_client.ssl_options.depth = 2 - amqp_client.ssl_options.verify = verify_peer - 
amqp_client.ssl_options.fail_if_no_peer_cert = false - amqp_client.ssl_options.honor_cipher_order = true", - [{amqp_client, - [{ssl_options, - [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, - {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, - {keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, - {depth,2}, - {verify,verify_peer}, - {fail_if_no_peer_cert, false}, - {honor_cipher_order, true}]}]}], - []}, - {ssl_options_honor_ecc_order, - "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem - amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem - amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem - amqp_client.ssl_options.depth = 2 - amqp_client.ssl_options.verify = verify_peer - amqp_client.ssl_options.fail_if_no_peer_cert = false - amqp_client.ssl_options.honor_ecc_order = true", - [{amqp_client, - [{ssl_options, - [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, - {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, - {keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, - {depth,2}, - {verify,verify_peer}, - {fail_if_no_peer_cert, false}, - {honor_ecc_order, true}]} - ]}], - []}, - {ssl_options_sni_disabled, - "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem - amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem - amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem - amqp_client.ssl_options.versions.tls1_2 = tlsv1.2 - amqp_client.ssl_options.versions.tls1_1 = tlsv1.1 - amqp_client.ssl_options.sni = none", - [], - [{amqp_client, - [{ssl_options, - [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, - {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, - 
{keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, - {versions,['tlsv1.2','tlsv1.1']}] - }] - }], - []}, - {ssl_options_sni_hostname, - "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem - amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem - amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem - amqp_client.ssl_options.versions.tls1_2 = tlsv1.2 - amqp_client.ssl_options.versions.tls1_1 = tlsv1.1 - amqp_client.ssl_options.sni = hostname.dev", - [], - [{amqp_client, - [{ssl_options, - [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, - {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, - {keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, - {versions,['tlsv1.2','tlsv1.1']}, - {server_name_indication, "hostname.dev"} - ]} - ]}], - []}, - {ssl_options_hostname_verification_wildcard, - "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/invalid_cacert.pem - amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/invalid_cert.pem - amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/invalid_key.pem - amqp_client.ssl_options.versions.tls1_2 = tlsv1.2 - amqp_client.ssl_options.versions.tls1_1 = tlsv1.1 - amqp_client.ssl_options.hostname_verification = wildcard", - [], - [{amqp_client, - [ - {ssl_hostname_verification, wildcard}, - {ssl_options, - [{cacertfile,"test/config_schema_SUITE_data/certs/invalid_cacert.pem"}, - {certfile,"test/config_schema_SUITE_data/certs/invalid_cert.pem"}, - {keyfile,"test/config_schema_SUITE_data/certs/invalid_key.pem"}, - {versions,['tlsv1.2','tlsv1.1']} - ]} - ]}], - []} -]. diff --git a/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cacert.pem b/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cacert.pem deleted file mode 100644 index eaf6b67806ce..000000000000 
--- a/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cacert.pem
+++ /dev/null
@@ -1 +0,0 @@
-I'm not a certificate
diff --git a/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cert.pem b/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cert.pem
deleted file mode 100644
index eaf6b67806ce..000000000000
--- a/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_cert.pem
+++ /dev/null
@@ -1 +0,0 @@
-I'm not a certificate
diff --git a/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_key.pem b/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_key.pem
deleted file mode 100644
index eaf6b67806ce..000000000000
--- a/deps/amqp_client/test/config_schema_SUITE_data/certs/invalid_key.pem
+++ /dev/null
@@ -1 +0,0 @@
-I'm not a certificate
diff --git a/deps/rabbit/priv/schema/rabbit.schema b/deps/rabbit/priv/schema/rabbit.schema
index e82dcd455596..4ffc73696212 100644
--- a/deps/rabbit/priv/schema/rabbit.schema
+++ b/deps/rabbit/priv/schema/rabbit.schema
@@ -2662,6 +2662,110 @@ fun(Conf) ->
 end}.
+%% ----------------------------------------------------------------------------
+%% amqp_client TLS options
+%% ----------------------------------------------------------------------------
+
+{mapping, "amqp_client.ssl_options", "amqp_client.ssl_options", [
+ {datatype, {enum, [none]}}
+]}.
+
+{translation, "amqp_client.ssl_options",
+fun(Conf) ->
+ case cuttlefish:conf_get("amqp_client.ssl_options", Conf, undefined) of
+ none -> [];
+ _ -> cuttlefish:invalid("Invalid amqp_client.ssl_options")
+ end
+end}.
+
+{mapping, "amqp_client.ssl_options.verify", "amqp_client.ssl_options.verify", [
+ {datatype, {enum, [verify_peer, verify_none]}}]}.
+
+{mapping, "amqp_client.ssl_options.cacertfile", "amqp_client.ssl_options.cacertfile",
+ [{datatype, string}, {validators, ["file_accessible"]}]}.
+
+{mapping, "amqp_client.ssl_options.certfile", "amqp_client.ssl_options.certfile",
+ [{datatype, string}, {validators, ["file_accessible"]}]}.
+
+{mapping, "amqp_client.ssl_options.cacerts.$name", "amqp_client.ssl_options.cacerts",
+ [{datatype, string}]}.
+
+{translation, "amqp_client.ssl_options.cacerts",
+fun(Conf) ->
+ Settings = cuttlefish_variable:filter_by_prefix("amqp_client.ssl_options.cacerts", Conf),
+ [ list_to_binary(V) || {_, V} <- Settings ]
+end}.
+
+{mapping, "amqp_client.ssl_options.cert", "amqp_client.ssl_options.cert",
+ [{datatype, string}]}.
+
+{translation, "amqp_client.ssl_options.cert",
+fun(Conf) ->
+ list_to_binary(cuttlefish:conf_get("amqp_client.ssl_options.cert", Conf))
+end}.
+
+{mapping, "amqp_client.ssl_options.crl_check", "amqp_client.ssl_options.crl_check",
+ [{datatype, [{enum, [true, false, peer, best_effort]}]}]}.
+
+{mapping, "amqp_client.ssl_options.depth", "amqp_client.ssl_options.depth",
+ [{datatype, integer}, {validators, ["byte"]}]}.
+
+{mapping, "amqp_client.ssl_options.key.RSAPrivateKey", "amqp_client.ssl_options.key",
+ [{datatype, string}]}.
+
+{mapping, "amqp_client.ssl_options.key.DSAPrivateKey", "amqp_client.ssl_options.key",
+ [{datatype, string}]}.
+
+{mapping, "amqp_client.ssl_options.key.PrivateKeyInfo", "amqp_client.ssl_options.key",
+ [{datatype, string}]}.
+
+{translation, "amqp_client.ssl_options.key",
+fun(Conf) ->
+ case cuttlefish_variable:filter_by_prefix("amqp_client.ssl_options.key", Conf) of
+ [{[_,_,Key], Val}|_] -> {list_to_atom(Key), list_to_binary(Val)};
+ _ -> undefined
+ end
+end}.
+
+{mapping, "amqp_client.ssl_options.keyfile", "amqp_client.ssl_options.keyfile",
+ [{datatype, string}, {validators, ["file_accessible"]}]}.
+
+{mapping, "amqp_client.ssl_options.log_alert", "amqp_client.ssl_options.log_alert",
+ [{datatype, {enum, [true, false]}}]}.
+
+{mapping, "amqp_client.ssl_options.password", "amqp_client.ssl_options.password",
+ [{datatype, string}]}.
+
+{mapping, "amqp_client.ssl_options.psk_identity", "amqp_client.ssl_options.psk_identity",
+ [{datatype, string}]}.
+
+{mapping, "amqp_client.ssl_options.reuse_sessions", "amqp_client.ssl_options.reuse_sessions",
+ [{datatype, {enum, [true, false]}}]}.
+
+{mapping, "amqp_client.ssl_options.secure_renegotiate", "amqp_client.ssl_options.secure_renegotiate",
+ [{datatype, {enum, [true, false]}}]}.
+
+{mapping, "amqp_client.ssl_options.versions.$version", "amqp_client.ssl_options.versions",
+ [{datatype, atom}]}.
+
+{translation, "amqp_client.ssl_options.versions",
+fun(Conf) ->
+ Settings = cuttlefish_variable:filter_by_prefix("amqp_client.ssl_options.versions", Conf),
+ [ V || {_, V} <- Settings ]
+end}.
+
+{mapping, "amqp_client.ssl_options.sni", "amqp_client.ssl_options.server_name_indication",
+ [{datatype, [{enum, [none]}, string]}]}.
+
+{translation, "amqp_client.ssl_options.server_name_indication",
+fun(Conf) ->
+ case cuttlefish:conf_get("amqp_client.ssl_options.sni", Conf, undefined) of
+ undefined -> cuttlefish:unset();
+ none -> cuttlefish:unset();
+ Hostname -> Hostname
+ end
+end}.
+ % =============================== % Validators % =============================== diff --git a/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets b/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets index 424bdaf97d44..4b31ff80e2ef 100644 --- a/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets +++ b/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets 
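Review bot: The `amqp_client.ssl_options.key` translation can never take its first branch: `cuttlefish_variable:filter_by_prefix` returns each variable as its dot-separated tokens, and `amqp_client.ssl_options.key.RSAPrivateKey` is four tokens (`amqp_client`, `ssl_options`, `key`, `RSAPrivateKey`), so the three-element pattern `[{[_,_,Key], Val}|_]` — presumably carried over from a three-token `ssl_options.key.*` form — always falls through to `_ -> undefined`, and an inline PEM key configured this way never reaches ssl as `{key, {Type, Bin}}`. The clause should read `[{[_,_,_,Key], Val}|_] -> {list_to_atom(Key), list_to_binary(Val)};`, and when more than one `key.*` entry is present it would be better to `cuttlefish:invalid/1` than to silently keep whichever came first. The same pattern is duplicated verbatim for `amqp10_client.ssl_options.key` in the PATCH 3/3 hunk on this file, which needs the same fix. `list_to_atom(Key)` is bounded here because only the three mapped suffixes can reach the translation, which is worth stating: `%% Key is one of the three mapped suffixes above, so list_to_atom cannot be fed arbitrary input`.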
@@ -1057,6 +1057,114 @@ credential_validator.regexp = ^abc\\d+", {incoming_message_interceptors, [{set_header_routing_node, false}, {set_header_timestamp, false}]} ]}], - []} + []}, + + %% + %% AMQP TLS options + %% + + {ssl_options, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem + amqp_client.ssl_options.verify = verify_peer", + [{amqp_client, [ + {ssl_options, + [{cacertfile, "test/config_schema_SUITE_data/certs/cacert.pem"}, + {certfile, "test/config_schema_SUITE_data/certs/cert.pem"}, + {keyfile, "test/config_schema_SUITE_data/certs/key.pem"}, + {verify, verify_peer}]} + ]}], + [amqp_client]}, + {ssl_options_verify_peer, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem + amqp_client.ssl_options.verify = verify_peer", + [{amqp_client, + [ + {ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/key.pem"}, + {verify,verify_peer}]}]}], + []}, + {ssl_options_password, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem + amqp_client.ssl_options.password = t0p$3kRe7", + [{amqp_client, + [ + {ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/key.pem"}, + {password,"t0p$3kRe7"}]}]}], + []}, + 
{ssl_options_tls_versions, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem + amqp_client.ssl_options.versions.tls1_2 = tlsv1.2 + amqp_client.ssl_options.versions.tls1_1 = tlsv1.1", + [], + [{amqp_client, + [{ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/key.pem"}, + {versions,['tlsv1.2','tlsv1.1']}]} + ]}], + []}, + {ssl_options_depth, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem + amqp_client.ssl_options.depth = 2 + amqp_client.ssl_options.verify = verify_peer", + [{amqp_client, + [{ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/key.pem"}, + {depth,2}, + {verify,verify_peer}]}]}], + []}, + {ssl_options_sni_disabled, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem + amqp_client.ssl_options.versions.tls1_2 = tlsv1.2 + amqp_client.ssl_options.versions.tls1_1 = tlsv1.1 + amqp_client.ssl_options.sni = none", + [], + [{amqp_client, + [{ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/key.pem"}, + {versions,['tlsv1.2','tlsv1.1']}] + }] + }], + []}, + 
{ssl_options_sni_hostname, + "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem + amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem + amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem + amqp_client.ssl_options.versions.tls1_2 = tlsv1.2 + amqp_client.ssl_options.versions.tls1_1 = tlsv1.1 + amqp_client.ssl_options.sni = hostname.dev", + [], + [{amqp_client, + [{ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/key.pem"}, + {versions,['tlsv1.2','tlsv1.1']}, + {server_name_indication, "hostname.dev"} + ]} + ]}], + []} ]. From 24fb0334acaf25af76a5a7af707a25549912d90f Mon Sep 17 00:00:00 2001 From: Simon Unge Date: Wed, 12 Jun 2024 17:14:54 +0000 Subject: [PATCH 3/3] Add schema duplicate for amqp 1.0 --- deps/rabbit/priv/schema/rabbit.schema | 110 ++++++++++++- .../config_schema_SUITE_data/rabbit.snippets | 146 +++++++++++++++--- 2 files changed, 235 insertions(+), 21 deletions(-) diff --git a/deps/rabbit/priv/schema/rabbit.schema b/deps/rabbit/priv/schema/rabbit.schema index 4ffc73696212..c893ac560eed 100644 --- a/deps/rabbit/priv/schema/rabbit.schema +++ b/deps/rabbit/priv/schema/rabbit.schema 
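Review bot: None of the new snippets exercise the translations that carry hand-written logic — `amqp_client.ssl_options.key.*`, `amqp_client.ssl_options.cacerts.$name` and `amqp_client.ssl_options.cert` — so the schema suite only pins the straight-through mappings, and a wrong variable pattern in the `key` translation would go unnoticed by this test data. A snippet along the lines of `amqp_client.ssl_options.key.RSAPrivateKey = <CONSTRUCTED_PEM_PLACEHOLDER>` with an expected `{key, {'RSAPrivateKey', <<"...">>}}` would cover that path, and a `cacerts.$name` snippet with two entries would cover the list translation. The amqp10_client snippets added in the later `@@ -1165,6 +1166,111 @@` hunk on this file have the same gap.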
@@ -2661,9 +2661,117 @@ fun(Conf) ->
 list_to_binary(cuttlefish:conf_get("amqp1_0.default_vhost", Conf))
 end}.
+%% ----------------------------------------------------------------------------
+%% AMQP client 1.0 TLS options
+%% ----------------------------------------------------------------------------
+
+{mapping, "amqp10_client.ssl_options", "amqp10_client.ssl_options", [
+ {datatype, {enum, [none]}}
+]}.
+
+{translation, "amqp10_client.ssl_options",
+fun(Conf) ->
+ case cuttlefish:conf_get("amqp10_client.ssl_options", Conf, undefined) of
+ none -> [];
+ _ -> cuttlefish:invalid("Invalid amqp10_client.ssl_options")
+ end
+end}.
+
+{mapping, "amqp10_client.ssl_options.verify", "amqp10_client.ssl_options.verify", [
+ {datatype, {enum, [verify_peer, verify_none]}}]}.
+
+{mapping, "amqp10_client.ssl_options.cacertfile", "amqp10_client.ssl_options.cacertfile",
+ [{datatype, string}, {validators, ["file_accessible"]}]}.
+
+{mapping, "amqp10_client.ssl_options.certfile", "amqp10_client.ssl_options.certfile",
+ [{datatype, string}, {validators, ["file_accessible"]}]}.
+
+{mapping, "amqp10_client.ssl_options.cacerts.$name", "amqp10_client.ssl_options.cacerts",
+ [{datatype, string}]}.
+
+{translation, "amqp10_client.ssl_options.cacerts",
+fun(Conf) ->
+ Settings = cuttlefish_variable:filter_by_prefix("amqp10_client.ssl_options.cacerts", Conf),
+ [ list_to_binary(V) || {_, V} <- Settings ]
+end}.
+
+{mapping, "amqp10_client.ssl_options.cert", "amqp10_client.ssl_options.cert",
+ [{datatype, string}]}.
+
+{translation, "amqp10_client.ssl_options.cert",
+fun(Conf) ->
+ list_to_binary(cuttlefish:conf_get("amqp10_client.ssl_options.cert", Conf))
+end}.
+
+{mapping, "amqp10_client.ssl_options.crl_check", "amqp10_client.ssl_options.crl_check",
+ [{datatype, [{enum, [true, false, peer, best_effort]}]}]}.
+
+{mapping, "amqp10_client.ssl_options.depth", "amqp10_client.ssl_options.depth",
+ [{datatype, integer}, {validators, ["byte"]}]}.
+
+{mapping, "amqp10_client.ssl_options.key.RSAPrivateKey", "amqp10_client.ssl_options.key",
+ [{datatype, string}]}.
+
+{mapping, "amqp10_client.ssl_options.key.DSAPrivateKey", "amqp10_client.ssl_options.key",
+ [{datatype, string}]}.
+
+{mapping, "amqp10_client.ssl_options.key.PrivateKeyInfo", "amqp10_client.ssl_options.key",
+ [{datatype, string}]}.
+
+{translation, "amqp10_client.ssl_options.key",
+fun(Conf) ->
+ case cuttlefish_variable:filter_by_prefix("amqp10_client.ssl_options.key", Conf) of
+ [{[_,_,Key], Val}|_] -> {list_to_atom(Key), list_to_binary(Val)};
+ _ -> undefined
+ end
+end}.
+
+{mapping, "amqp10_client.ssl_options.keyfile", "amqp10_client.ssl_options.keyfile",
+ [{datatype, string}, {validators, ["file_accessible"]}]}.
+
+{mapping, "amqp10_client.ssl_options.log_alert", "amqp10_client.ssl_options.log_alert",
+ [{datatype, {enum, [true, false]}}]}.
+
+{mapping, "amqp10_client.ssl_options.password", "amqp10_client.ssl_options.password",
+ [{datatype, string}]}.
+
+{mapping, "amqp10_client.ssl_options.psk_identity", "amqp10_client.ssl_options.psk_identity",
+ [{datatype, string}]}.
+
+{mapping, "amqp10_client.ssl_options.reuse_sessions", "amqp10_client.ssl_options.reuse_sessions",
+ [{datatype, {enum, [true, false]}}]}.
+
+{mapping, "amqp10_client.ssl_options.secure_renegotiate", "amqp10_client.ssl_options.secure_renegotiate",
+ [{datatype, {enum, [true, false]}}]}.
+
+{mapping, "amqp10_client.ssl_options.versions.$version", "amqp10_client.ssl_options.versions",
+ [{datatype, atom}]}.
+
+{translation, "amqp10_client.ssl_options.versions",
+fun(Conf) ->
+ Settings = cuttlefish_variable:filter_by_prefix("amqp10_client.ssl_options.versions", Conf),
+ [ V || {_, V} <- Settings ]
+end}.
+
+{mapping, "amqp10_client.ssl_options.sni", "amqp10_client.ssl_options.server_name_indication",
+ [{datatype, [{enum, [none]}, string]}]}.
+ +{translation, "amqp10_client.ssl_options.server_name_indication", +fun(Conf) -> + case cuttlefish:conf_get("amqp10_client.ssl_options.sni", Conf, undefined) of + undefined -> cuttlefish:unset(); + none -> cuttlefish:unset(); + Hostname -> Hostname + end +end}. + + +% =============================== +% AMQP 0.9.1 +% =============================== %% ---------------------------------------------------------------------------- -%% amqp_client TLS options +%% AMQP client 0.9.1 TLS options %% ---------------------------------------------------------------------------- {mapping, "amqp_client.ssl_options", "amqp_client.ssl_options", [ diff --git a/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets b/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets index 4b31ff80e2ef..945a354555f7 100644 --- a/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets +++ b/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets @@ -251,7 +251,7 @@ cluster_formation.classic_config.nodes.peer2 = rabbit@hostname2", [{peer_discovery_backend,rabbit_peer_discovery_classic_config}]}, {cluster_nodes,{[rabbit@hostname2,rabbit@hostname1],disc}}]}], []}, - + {cluster_formation_module_dns_alias, "cluster_formation.peer_discovery_backend = dns cluster_formation.dns.hostname = discovery.eng.example.local", @@ -264,7 +264,7 @@ cluster_formation.dns.hostname = discovery.eng.example.local", ]}]} ]}], []}, - + {cluster_formation_disk, "cluster_formation.peer_discovery_backend = rabbit_peer_discovery_classic_config cluster_formation.classic_config.nodes.peer1 = rabbit@hostname1 
@@ -698,17 +698,17 @@ tcp_listen_options.exit_on_close = false", {fail_if_no_peer_cert, false}, {honor_ecc_order, true}]}]}], []}, - + {ssl_cert_login_from_cn, "ssl_cert_login_from = common_name", [{rabbit,[{ssl_cert_login_from, common_name}]}], []}, - + {ssl_cert_login_from_dn, "ssl_cert_login_from = distinguished_name", [{rabbit,[{ssl_cert_login_from, distinguished_name}]}], []}, - + {ssl_cert_login_from_san_dns, "ssl_cert_login_from = subject_alternative_name ssl_cert_login_san_type = dns @@ -719,7 +719,7 @@ tcp_listen_options.exit_on_close = false", {ssl_cert_login_san_index, 0} ]}], []}, - + {ssl_options_bypass_pem_cache, "ssl_options.bypass_pem_cache = true", @@ -1063,20 +1063,21 @@ credential_validator.regexp = ^abc\\d+", %% AMQP TLS options %% - {ssl_options, + {amqp_client_ssl_options, "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem amqp_client.ssl_options.verify = verify_peer", - [{amqp_client, [ - {ssl_options, - [{cacertfile, "test/config_schema_SUITE_data/certs/cacert.pem"}, - {certfile, "test/config_schema_SUITE_data/certs/cert.pem"}, - {keyfile, "test/config_schema_SUITE_data/certs/key.pem"}, - {verify, verify_peer}]} - ]}], + [{amqp_client, + [ + {ssl_options, + [{cacertfile, "test/config_schema_SUITE_data/certs/cacert.pem"}, + {certfile, "test/config_schema_SUITE_data/certs/cert.pem"}, + {keyfile, "test/config_schema_SUITE_data/certs/key.pem"}, + {verify, verify_peer}]} + ]}], [amqp_client]}, - {ssl_options_verify_peer, + {amqp_client_ssl_options_verify_peer, "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem 
@@ -1089,7 +1090,7 @@ credential_validator.regexp = ^abc\\d+", {keyfile,"test/config_schema_SUITE_data/certs/key.pem"}, {verify,verify_peer}]}]}], []}, - {ssl_options_password, + {amqp_client_ssl_options_password, "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem @@ -1102,7 +1103,7 @@ credential_validator.regexp = ^abc\\d+", {keyfile,"test/config_schema_SUITE_data/certs/key.pem"}, {password,"t0p$3kRe7"}]}]}], []}, - {ssl_options_tls_versions, + {amqp_client_ssl_options_tls_versions, "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem @@ -1117,7 +1118,7 @@ credential_validator.regexp = ^abc\\d+", {versions,['tlsv1.2','tlsv1.1']}]} ]}], []}, - {ssl_options_depth, + {amqp_client_ssl_options_depth, "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem @@ -1131,7 +1132,7 @@ credential_validator.regexp = ^abc\\d+", {depth,2}, {verify,verify_peer}]}]}], []}, - {ssl_options_sni_disabled, + {amqp_client_ssl_options_sni_disabled, "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem 
@@ -1148,7 +1149,7 @@ credential_validator.regexp = ^abc\\d+", }] }], []}, - {ssl_options_sni_hostname, + {amqp_client_ssl_options_sni_hostname, "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem 
@@ -1165,6 +1166,111 @@ credential_validator.regexp = ^abc\\d+", {server_name_indication, "hostname.dev"} ]} ]}], + []}, + + {amqp10_client_ssl_options, + "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem + amqp10_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem + amqp10_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem + amqp10_client.ssl_options.verify = verify_peer", + [{amqp10_client, + [ + {ssl_options, + [{cacertfile, "test/config_schema_SUITE_data/certs/cacert.pem"}, + {certfile, "test/config_schema_SUITE_data/certs/cert.pem"}, + {keyfile, "test/config_schema_SUITE_data/certs/key.pem"}, + {verify, verify_peer}]} + ]}], + [amqp10_client]}, + {amqp10_client_ssl_options_verify_peer, + "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem + amqp10_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem + amqp10_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem + amqp10_client.ssl_options.verify = verify_peer", + [{amqp10_client, + [ + {ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/key.pem"}, + {verify,verify_peer}]}]}], + []}, + {amqp10_client_ssl_options_password, + "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem + amqp10_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem + amqp10_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem + amqp10_client.ssl_options.password = t0p$3kRe7", + [{amqp10_client, + [ + {ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/key.pem"}, + {password,"t0p$3kRe7"}]}]}], + []}, + {amqp10_client_ssl_options_tls_versions, 
+ "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem + amqp10_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem + amqp10_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem + amqp10_client.ssl_options.versions.tls1_2 = tlsv1.2 + amqp10_client.ssl_options.versions.tls1_1 = tlsv1.1", + [], + [{amqp10_client, + [{ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/key.pem"}, + {versions,['tlsv1.2','tlsv1.1']}]} + ]}], + []}, + {amqp10_client_ssl_options_depth, + "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem + amqp10_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem + amqp10_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem + amqp10_client.ssl_options.depth = 2 + amqp10_client.ssl_options.verify = verify_peer", + [{amqp10_client, + [{ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/key.pem"}, + {depth,2}, + {verify,verify_peer}]}]}], + []}, + {amqp10_client_ssl_options_sni_disabled, + "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem + amqp10_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem + amqp10_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem + amqp10_client.ssl_options.versions.tls1_2 = tlsv1.2 + amqp10_client.ssl_options.versions.tls1_1 = tlsv1.1 + amqp10_client.ssl_options.sni = none", + [], + [{amqp10_client, + [{ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/key.pem"}, + 
{versions,['tlsv1.2','tlsv1.1']}] + }] + }], + []}, + {amqp10_client_ssl_options_sni_hostname, + "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem + amqp10_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem + amqp10_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem + amqp10_client.ssl_options.versions.tls1_2 = tlsv1.2 + amqp10_client.ssl_options.versions.tls1_1 = tlsv1.1 + amqp10_client.ssl_options.sni = hostname.dev", + [], + [{amqp10_client, + [{ssl_options, + [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"}, + {certfile,"test/config_schema_SUITE_data/certs/cert.pem"}, + {keyfile,"test/config_schema_SUITE_data/certs/key.pem"}, + {versions,['tlsv1.2','tlsv1.1']}, + {server_name_indication, "hostname.dev"} + ]} + ]}], []} ].