Showing with 184 additions and 37 deletions.
  1. +0 −35 .nodeset.yml
  2. +12 −0 CHANGELOG.md
  3. +27 −0 REFERENCE.md
  4. +3 −0 manifests/config.pp
  5. +36 −0 manifests/init.pp
  6. +1 −2 metadata.json
  7. +96 −0 spec/classes/rabbitmq_spec.rb
  8. +9 −0 templates/rabbitmq.config.erb
35 changes: 0 additions & 35 deletions .nodeset.yml

This file was deleted.

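--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 Each new release typically also includes the latest modulesync defaults.
 These should not affect the functionality of the module.
 
+## [v11.0.0](https://github.com/voxpupuli/puppet-rabbitmq/tree/v11.0.0) (2021-01-16)
+
+[Full Changelog](https://github.com/voxpupuli/puppet-rabbitmq/compare/v10.3.0...v11.0.0)
+
+**Breaking changes:**
+
+- Remove support for CentOS 6 [\#870](https://github.com/voxpupuli/puppet-rabbitmq/pull/870) ([towo](https://github.com/towo))
+
+**Implemented enhancements:**
+
+- Add optional variables to support SSL CRL check configuration [\#869](https://github.com/voxpupuli/puppet-rabbitmq/pull/869) ([dimonzozo](https://github.com/dimonzozo))
+
 ## [v10.3.0](https://github.com/voxpupuli/puppet-rabbitmq/tree/v10.3.0) (2020-12-01)
 
 [Full Changelog](https://github.com/voxpupuli/puppet-rabbitmq/compare/v10.2.0...v10.3.0)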
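--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -834,6 +834,33 @@ Functionality can be tested with cipherscan or similar tool: https://github.com/
 
 Default value: []
 
+##### `ssl_crl_check`
+
+Data type: `Enum['true','false','peer','best_effort']`
+
+Perform CRL (Certificate Revocation List) verification
+Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_check) module documentation for more information.
+
+Default value: 'false'
+
+##### `ssl_crl_cache_hash_dir`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+This setting makes use of a directory where CRLs are stored in files named by the hash of the issuer name.
+Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_cache_opts) module documentation for more information.
+
+Default value: `undef`
+
+##### `ssl_crl_cache_http_timeout`
+
+Data type: `Optional[Integer]`
+
+This setting enables use of internal CRLs cache and sets HTTP timeout interval on fetching CRLs from distributino URLs defined inside certificate.
+Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_cache_opts) module documentation for more information.
+
+Default value: `undef`
+
 ##### `stomp_port`
 
 Data type: `Integer[1, 65535]`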
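--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -60,6 +60,9 @@
 $ssl_dhfile = $rabbitmq::ssl_dhfile
 $ssl_versions = $rabbitmq::ssl_versions
 $ssl_ciphers = $rabbitmq::ssl_ciphers
+$ssl_crl_check = $rabbitmq::ssl_crl_check
+$ssl_crl_cache_hash_dir = $rabbitmq::ssl_crl_cache_hash_dir
+$ssl_crl_cache_http_timeout = $rabbitmq::ssl_crl_cache_http_timeout
 $stomp_port = $rabbitmq::stomp_port
 $stomp_ssl_only = $rabbitmq::stomp_ssl_only
 $ldap_auth = $rabbitmq::ldap_auth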
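--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -269,6 +269,15 @@
 # Functionality can be tested with cipherscan or similar tool: https://github.com/mozilla/cipherscan
 # * Erlang style: `['ecdhe_rsa,aes_256_cbc,sha', 'dhe_rsa,aes_256_cbc,sha']`
 # * OpenSSL style: `['ECDHE-RSA-AES256-SHA', 'DHE-RSA-AES256-SHA']`
+# @param ssl_crl_check
+# Perform CRL (Certificate Revocation List) verification
+# Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_check) module documentation for more information.
+# @param ssl_crl_cache_hash_dir
+# This setting makes use of a directory where CRLs are stored in files named by the hash of the issuer name.
+# Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_cache_opts) module documentation for more information.
+# @param ssl_crl_cache_http_timeout
+# This setting enables use of internal CRLs cache and sets HTTP timeout interval on fetching CRLs from distributino URLs defined inside certificate.
+# Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_cache_opts) module documentation for more information.
 # @param stomp_port
 # The port to use for Stomp.
 # @param stomp_ssl_only
@@ -368,6 +377,9 @@
 Boolean $ssl_honor_cipher_order = true,
 Optional[Stdlib::Absolutepath] $ssl_dhfile = undef,
 Array $ssl_ciphers = [],
+Enum['true','false','peer','best_effort'] $ssl_crl_check = 'false',
+Optional[Stdlib::Absolutepath] $ssl_crl_cache_hash_dir = undef,
+Optional[Integer] $ssl_crl_cache_http_timeout = undef,
 Boolean $stomp_ensure = false,
 Boolean $ldap_auth = false,
 Variant[String[1],Array[String[1]]] $ldap_server = 'ldap',
@@ -413,6 +425,30 @@
 }
 }
 
+if $ssl_crl_check != 'false' {
+unless $ssl {
+fail('$ssl_crl_check requires that $ssl => true')
+}
+}
+
+if $ssl_crl_cache_hash_dir {
+unless $ssl {
+fail('$ssl_crl_cache_hash_dir requires that $ssl => true')
+}
+if $ssl_crl_check == 'false' {
+fail('$ssl_crl_cache_http_timeout requires that $ssl_crl_check => true|peer|best_effort')
+}
+}
+
+if $ssl_crl_cache_http_timeout {
+unless $ssl {
+fail('$ssl_crl_cache_http_timeout requires that $ssl => true')
+}
+if $ssl_crl_check == 'false' {
+fail('$ssl_crl_cache_http_timeout requires that $ssl_crl_check => true|peer|best_effort')
+}
+}
+
 if $repos_ensure {
 case $facts['os']['family'] {
 'RedHat': {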
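Review bot: The second `fail` inside the `if $ssl_crl_cache_hash_dir` block names the wrong parameter; it should read `fail('$ssl_crl_cache_hash_dir requires that $ssl_crl_check => true|peer|best_effort')` rather than repeating the `$ssl_crl_cache_http_timeout` message from the block below it. The spec for that case does not catch it because its expectation regex uses an unescaped `|`, so the literal `peer` in the wrong message already satisfies it. Nothing rejects `$ssl_crl_cache_hash_dir` and `$ssl_crl_cache_http_timeout` being set together, although the template emits a separate `{crl_cache, ...}` tuple for each; a guard such as `if $ssl_crl_cache_hash_dir and $ssl_crl_cache_http_timeout { fail('$ssl_crl_cache_hash_dir and $ssl_crl_cache_http_timeout are mutually exclusive') }` would make the single-cache constraint explicit. The `@param ssl_crl_cache_http_timeout` text in the first hunk spells `distributino` for `distribution`. The enclosing class body continues outside the hunk.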
3 changes: 1 addition & 2 deletions metadata.json
@@ -1,6 +1,6 @@
{
"name": "puppet-rabbitmq",
"version": "10.3.0",
"version": "11.0.0",
"author": "voxpupuli",
"summary": "Installs, configures, and manages RabbitMQ.",
"license": "Apache-2.0",
Expand All @@ -18,7 +18,6 @@
{
"operatingsystem": "CentOS",
"operatingsystemrelease": [
"6",
"7"
]
},
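--- a/spec/classes/rabbitmq_spec.rb
+++ b/spec/classes/rabbitmq_spec.rb
@@ -1161,6 +1161,102 @@
 end
 end
 
+describe 'ssl options with ssl_crl_check enabled' do
+let(:params) do
+{ ssl: true,
+ssl_port: 3141,
+ssl_cacert: '/path/to/cacert',
+ssl_cert: '/path/to/cert',
+ssl_key: '/path/to/key',
+ssl_crl_check: 'true' }
+end
+
+it 'sets ssl crl check setting to specified value' do
+is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_check,true})
+end
+end
+
+describe 'ssl options with ssl_crl_check and ssl_crl_hash_cache enabled' do
+let(:params) do
+{ ssl: true,
+ssl_port: 3141,
+ssl_cacert: '/path/to/cacert',
+ssl_cert: '/path/to/cert',
+ssl_key: '/path/to/key',
+ssl_crl_check: 'true',
+ssl_crl_cache_hash_dir: '/path/to/crl_cache/dir' }
+end
+
+it 'sets ssl crl check setting to specified value' do
+is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_check,true})
+is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_cache,\s+{ssl_crl_hash_dir,\s+{internal,\s+\[{dir, "/path/to/crl_cache/dir"}\]}}})
+end
+end
+
+describe 'ssl options with ssl_crl_check and http cache enabled' do
+let(:params) do
+{ ssl: true,
+ssl_port: 3141,
+ssl_cacert: '/path/to/cacert',
+ssl_cert: '/path/to/cert',
+ssl_key: '/path/to/key',
+ssl_crl_check: 'true',
+ssl_crl_cache_http_timeout: 5000 }
+end
+
+it 'sets ssl crl check setting to specified value' do
+is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_check,true})
+is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_cache,\s+{ssl_crl_cache,\s+{internal,\s+\[{http, 5000}\]}}})
+end
+end
+
+describe 'ssl options with ssl_crl_check enabled and not ssl' do
+let(:params) do
+{ ssl: false,
+ssl_port: 3141,
+ssl_cacert: '/path/to/cacert',
+ssl_cert: '/path/to/cert',
+ssl_key: '/path/to/key',
+ssl_crl_check: 'true' }
+end
+
+it 'fails' do
+expect { catalogue }.to raise_error(Puppet::Error, %r{\$ssl_crl_check requires that \$ssl => true})
+end
+end
+
+describe 'ssl options with ssl_crl_cache_hash_dir set and not ssl_crl_check' do
+let(:params) do
+{ ssl: true,
+ssl_port: 3141,
+ssl_cacert: '/path/to/cacert',
+ssl_cert: '/path/to/cert',
+ssl_key: '/path/to/key',
+ssl_crl_check: 'false',
+ssl_crl_cache_hash_dir: '/path/to/crl_cache/dir' }
+end
+
+it 'fails' do
+expect { catalogue }.to raise_error(Puppet::Error, %r{\$ssl_crl_cache_hash_dir requires that \$ssl_crl_check => true|peer|best_effort})
+end
+end
+
+describe 'ssl options with ssl_crl_cache_http_timeout set and not ssl_crl_check' do
+let(:params) do
+{ ssl: true,
+ssl_port: 3141,
+ssl_cacert: '/path/to/cacert',
+ssl_cert: '/path/to/cert',
+ssl_key: '/path/to/key',
+ssl_crl_check: 'false',
+ssl_crl_cache_http_timeout: 5000 }
+end
+
+it 'fails' do
+expect { catalogue }.to raise_error(Puppet::Error, %r{\$ssl_crl_cache_http_timeout requires that \$ssl_crl_check => true|peer|best_effort})
+end
+end
+
 describe 'ssl admin options with specific ssl versions' do
 let(:params) do
 { ssl: true,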
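Review bot: The two `raise_error` regexes ending in `true|peer|best_effort` are three-way alternations, so each is satisfied by any error message containing `peer` or `best_effort`, and the `ssl_crl_cache_hash_dir` example passes even though the manifest raises a message that names `$ssl_crl_cache_http_timeout`. Escape the bars in both `fails` examples, e.g. `%r{\$ssl_crl_cache_hash_dir requires that \$ssl_crl_check => true\|peer\|best_effort}`, so the expectation pins the whole message. The second `describe` title says `ssl_crl_hash_cache` while the parameter under test is `ssl_crl_cache_hash_dir`, and the first three `it` descriptions are identical although two of them also assert the `crl_cache` tuple. The enclosing `describe` block starts outside the hunk.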
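--- a/templates/rabbitmq.config.erb
+++ b/templates/rabbitmq.config.erb
@@ -95,6 +95,15 @@ end
 <%= ssl_ciphers %>
 ]}
 <%- end -%>
+<%- if @ssl_crl_check != 'false' -%>
+,{crl_check,<%= @ssl_crl_check %>}
+<%- end -%>
+<%- if @ssl_crl_cache_hash_dir -%>
+,{crl_cache, {ssl_crl_hash_dir, {internal, [{dir, "<%= @ssl_crl_cache_hash_dir %>"}]}}}
+<%- end -%>
+<%- if @ssl_crl_cache_http_timeout -%>
+,{crl_cache, {ssl_crl_cache, {internal, [{http, <%= @ssl_crl_cache_http_timeout %>}]}}}
+<%- end -%>
 ]},
 <%- end -%>
 <% if scope['rabbitmq::config_variables'] -%>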
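Review bot: `@ssl_crl_cache_hash_dir` is interpolated verbatim inside an Erlang string literal in `{dir, "<%= @ssl_crl_cache_hash_dir %>"}`, so a double quote or backslash in the path (the `Stdlib::Absolutepath` type also admits Windows-style paths) would be read as an Erlang escape or terminate the string and break the generated config. Escaping those two characters before emission, e.g. `{dir, "<%= @ssl_crl_cache_hash_dir.gsub(/(["\\])/, '\\\\\1') %>"}`, keeps the file parseable for every value the type accepts. The two cache branches are independent, so setting both parameters produces two `{crl_cache, ...}` tuples in the same option list; which one Erlang honours presumably depends on proplist lookup order, so either the manifest should reject that combination or the template should emit only one. The enclosing option list begins outside the hunk.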