Merge pull request #632 from wyardley/rework_563_ssl

Add additional SSL configuration options (original PR from xepa)

Gemfile

@@ -56,6 +56,7 @@ group :system_tests do
   end
   gem 'serverspec',                    :require => false
   gem 'beaker-puppet_install_helper',  :require => false
+  gem 'beaker-module_install_helper',  :require => false
 end
 
 

manifests/config.pp

@@ -46,6 +46,10 @@
   $ssl_stomp_port              = $rabbitmq::ssl_stomp_port
   $ssl_verify                  = $rabbitmq::ssl_verify
   $ssl_fail_if_no_peer_cert    = $rabbitmq::ssl_fail_if_no_peer_cert
+  $ssl_secure_renegotiate      = $rabbitmq::ssl_secure_renegotiate
+  $ssl_reuse_sessions          = $rabbitmq::ssl_reuse_sessions
+  $ssl_honor_cipher_order      = $rabbitmq::ssl_honor_cipher_order
+  $ssl_dhfile                  = $rabbitmq::ssl_dhfile
   $ssl_versions                = $rabbitmq::ssl_versions
   $ssl_ciphers                 = $rabbitmq::ssl_ciphers
   $stomp_port                  = $rabbitmq::stomp_port

manifests/init.pp

@@ -156,12 +156,16 @@
 # @param ssl_cert Cert to use for SSL.
 # @param ssl_cert_password Password used when generating CSR.
 # @param ssl_depth SSL verification depth.
+# @param ssl_dhfile Use this dhparam file [example: generate with `openssl dhparam -out /etc/rabbitmq/ssl/dhparam.pem 2048`
 # @param ssl_erl_dist Whether to use the erlang package's SSL (relies on the ssl_erl_path fact)
+# @param ssl_honor_cipher_order Force use of server cipher order
 # @param ssl_interface Interface for SSL listener to bind to
 # @param ssl_key Key to use for SSL.
 # @param ssl_only Configures the service to only use SSL.  No cleartext TCP listeners will be created. Requires that ssl => true and
 # @param ssl_management_port SSL management port.
 # @param ssl_port SSL port for RabbitMQ
+# @param ssl_reuse_sessions Reuse ssl sessions
+# @param ssl_secure_renegotiate Use ssl secure renegotiate
 # @param ssl_stomp_port SSL stomp port.
 # @param ssl_verify rabbitmq.config SSL verify setting.
 # @param ssl_fail_if_no_peer_cert rabbitmq.config `fail_if_no_peer_cert` setting.
@@ -243,6 +247,10 @@
   $ssl_verify                                    = $rabbitmq::params::ssl_verify,
   $ssl_fail_if_no_peer_cert                      = $rabbitmq::params::ssl_fail_if_no_peer_cert,
   Optional[Array] $ssl_versions                  = undef,
+  Boolean $ssl_secure_renegotiate                = $rabbitmq::params::ssl_secure_renegotiate,
+  Boolean $ssl_reuse_sessions                    = $rabbitmq::params::ssl_reuse_sessions,
+  Boolean $ssl_honor_cipher_order                = $rabbitmq::params::ssl_honor_cipher_order,
+  Optional[String] $ssl_dhfile                   = undef,
   Array $ssl_ciphers                             = $rabbitmq::params::ssl_ciphers,
   Boolean $stomp_ensure                          = $rabbitmq::params::stomp_ensure,
   Boolean $ldap_auth                             = $rabbitmq::params::ldap_auth,

manifests/params.pp

@@ -98,14 +98,21 @@
   $tcp_keepalive               = false
   $tcp_backlog                 = 128
   $ssl                         = false
+  $ssl_ciphers                 = []
+  $ssl_erl_dist                = false
+  $ssl_fail_if_no_peer_cert    = false
+  $ssl_honor_cipher_order      = true
+  $ssl_management_port         = 15671
   $ssl_only                    = false
   $ssl_port                    = 5671
-  $ssl_management_port         = 15671
+  $ssl_reuse_sessions          = true
+  $ssl_secure_renegotiate      = true
   $ssl_stomp_port              = 6164
   $ssl_verify                  = 'verify_none'
-  $ssl_fail_if_no_peer_cert    = false
-  $ssl_ciphers                 = []
+  $ssl_versions                = undef
   $stomp_ensure                = false
+  $stomp_port                  = 6163
+  $stomp_ssl_only              = false
   $ldap_auth                   = false
   $ldap_server                 = 'ldap'
   $ldap_user_dn_pattern        = 'cn=username,ou=People,dc=example,dc=com'
@@ -114,8 +121,6 @@
   $ldap_port                   = 389
   $ldap_log                    = false
   $ldap_config_variables       = {}
-  $stomp_port                  = 6163
-  $stomp_ssl_only              = false
   $wipe_db_on_cookie_change    = false
   $cluster_partition_handling  = 'ignore'
   $environment_variables       = {}
@@ -127,5 +132,4 @@
   $ipv6                        = false
   $inetrc_config               = 'rabbitmq/inetrc.erb'
   $inetrc_config_path          = '/etc/rabbitmq/inetrc'
-  $ssl_erl_dist                = false
 }

spec/acceptance/class_spec.rb

@@ -17,20 +17,18 @@
   end
 
   context 'default class inclusion' do
-    it 'runs successfully' do
-      pp = <<-EOS
+    let(:pp) do
+      <<-EOS
       class { 'rabbitmq': }
       if $facts['os']['family'] == 'RedHat' {
         class { 'erlang': epel_enable => true}
         Class['erlang'] -> Class['rabbitmq']
       }
       EOS
-
-      # Apply twice to ensure no errors the second time.
-      apply_manifest(pp, catch_failures: true)
-      expect(apply_manifest(pp, catch_changes: true).exit_code).to be_zero
     end
 
+    it_behaves_like 'an idempotent resource'
+
     describe package(package_name) do
       it { is_expected.to be_installed }
     end
@@ -42,20 +40,20 @@ class { 'erlang': epel_enable => true}
   end
 
   context 'disable and stop service' do
-    it 'runs successfully' do
-      pp = <<-EOS
-      class { 'rabbitmq':
-        service_ensure => 'stopped',
-      }
-      if $facts['os']['family'] == 'RedHat' {
-        class { 'erlang': epel_enable => true}
-        Class['erlang'] -> Class['rabbitmq']
-      }
+    let(:pp) do
+      <<-EOS
+        class { 'rabbitmq':
+          service_ensure => 'stopped',
+        }
+        if $facts['os']['family'] == 'RedHat' {
+          class { 'erlang': epel_enable => true}
+          Class['erlang'] -> Class['rabbitmq']
+        }
       EOS
-
-      apply_manifest(pp, catch_failures: true)
     end
 
+    it_behaves_like 'an idempotent resource'
+
     describe service(service_name) do
       it { is_expected.not_to be_enabled }
       it { is_expected.not_to be_running }
@@ -65,22 +63,22 @@ class { 'erlang': epel_enable => true}
   context 'service is unmanaged' do
     it 'runs successfully' do
       pp_pre = <<-EOS
-      class { 'rabbitmq': }
-      if $facts['os']['family'] == 'RedHat' {
-        class { 'erlang': epel_enable => true}
-        Class['erlang'] -> Class['rabbitmq']
-      }
+        class { 'rabbitmq': }
+        if $facts['os']['family'] == 'RedHat' {
+          class { 'erlang': epel_enable => true}
+          Class['erlang'] -> Class['rabbitmq']
+        }
       EOS
 
       pp = <<-EOS
-      class { 'rabbitmq':
-        service_manage => false,
-        service_ensure  => 'stopped',
-      }
-      if $facts['os']['family'] == 'RedHat' {
-        class { 'erlang': epel_enable => true}
-        Class['erlang'] -> Class['rabbitmq']
-      }
+        class { 'rabbitmq':
+          service_manage => false,
+          service_ensure  => 'stopped',
+        }
+        if $facts['os']['family'] == 'RedHat' {
+          class { 'erlang': epel_enable => true}
+          Class['erlang'] -> Class['rabbitmq']
+        }
       EOS
 
       apply_manifest(pp_pre, catch_failures: true)
@@ -94,19 +92,19 @@ class { 'erlang': epel_enable => true}
   end
 
   context 'binding on all interfaces' do
-    it 'runs successfully' do
-      pp = <<-EOS
+    let(:pp) do
+      <<-EOS
       class { 'rabbitmq':
         service_manage    => true,
         port              => 5672,
         admin_enable      => true,
         node_ip_address   => '0.0.0.0'
       }
       EOS
-
-      apply_manifest(pp, catch_failures: true)
     end
 
+    it_behaves_like 'an idempotent resource'
+
     describe service(service_name) do
       it { is_expected.to be_running }
     end
@@ -124,19 +122,19 @@ class { 'rabbitmq':
   end
 
   context 'binding to localhost only' do
-    it 'runs successfully' do
-      pp = <<-EOS
-      class { 'rabbitmq':
-        service_manage    => true,
-        port              => 5672,
-        admin_enable      => true,
-        node_ip_address   => '127.0.0.1'
-      }
+    let(:pp) do
+      <<-EOS
+        class { 'rabbitmq':
+          service_manage    => true,
+          port              => 5672,
+          admin_enable      => true,
+          node_ip_address   => '127.0.0.1'
+        }
       EOS
-
-      apply_manifest(pp, catch_failures: true)
     end
 
+    it_behaves_like 'an idempotent resource'
+
     describe service(service_name) do
       it { is_expected.to be_running }
     end
@@ -154,20 +152,49 @@ class { 'rabbitmq':
     end
   end
 
-  context 'different management_ip_address and node_ip_address' do
-    it 'runs successfully' do
-      pp = <<-EOS
-      class { 'rabbitmq':
-        service_manage        => true,
-        port                  => 5672,
-        admin_enable          => true,
-        node_ip_address       => '0.0.0.0',
-        management_ip_address => '127.0.0.1'
-      }
+  context 'ssl enabled' do
+    let(:pp) do
+      <<-EOS
+        class { 'rabbitmq':
+          service_manage  => true,
+          admin_enable    => true,
+          node_ip_address => '0.0.0.0',
+          ssl_interface   => '0.0.0.0',
+          ssl             => true,
+          ssl_cacert      => '/tmp/cacert.crt',
+          ssl_cert        => '/tmp/rabbitmq.crt',
+          ssl_key         => '/tmp/rabbitmq.key',
+        }
       EOS
+    end
 
-      apply_manifest(pp, catch_failures: true)
+    it_behaves_like 'an idempotent resource'
+
+    describe service(service_name) do
+      it { is_expected.to be_running }
+    end
+    describe port(5671) do
+      it { is_expected.to be_listening.on('0.0.0.0').with('tcp') }
     end
+    describe port(15_671) do
+      it { is_expected.to be_listening.on('0.0.0.0').with('tcp') }
+    end
+  end
+
+  context 'different management_ip_address and node_ip_address' do
+    let(:pp) do
+      <<-EOS
+        class { 'rabbitmq':
+          service_manage        => true,
+          port                  => 5672,
+          admin_enable          => true,
+          node_ip_address       => '0.0.0.0',
+          management_ip_address => '127.0.0.1'
+        }
+      EOS
+    end
+
+    it_behaves_like 'an idempotent resource'
 
     describe service(service_name) do
       it { is_expected.to be_running }