Add optional variables to support SSL CRL check configuration (voxpupuli#869)

* Add optional variables to support SSL CRL check configuration

* Fix specs and lots of typos

* Remove defaults from common.yaml (definition in init.pp is prefered)

* Use Stdlib::Absolutepath instead of String for setting with path

Co-authored-by: Dmitriy Myaskovskiy <[email protected]>

Author: dimonzozo

manifests/config.pp

@@ -60,6 +60,9 @@
   $ssl_dhfile                          = $rabbitmq::ssl_dhfile
   $ssl_versions                        = $rabbitmq::ssl_versions
   $ssl_ciphers                         = $rabbitmq::ssl_ciphers
+  $ssl_crl_check                       = $rabbitmq::ssl_crl_check
+  $ssl_crl_cache_hash_dir              = $rabbitmq::ssl_crl_cache_hash_dir
+  $ssl_crl_cache_http_timeout          = $rabbitmq::ssl_crl_cache_http_timeout
   $stomp_port                          = $rabbitmq::stomp_port
   $stomp_ssl_only                      = $rabbitmq::stomp_ssl_only
   $ldap_auth                           = $rabbitmq::ldap_auth

manifests/init.pp

@@ -269,6 +269,15 @@
 #   Functionality can be tested with cipherscan or similar tool: https://github.com/mozilla/cipherscan
 #   * Erlang style: `['ecdhe_rsa,aes_256_cbc,sha', 'dhe_rsa,aes_256_cbc,sha']`
 #   * OpenSSL style: `['ECDHE-RSA-AES256-SHA', 'DHE-RSA-AES256-SHA']`
+# @param ssl_crl_check
+#   Perform CRL (Certificate Revocation List) verification
+#   Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_check) module documentation for more information.
+# @param ssl_crl_cache_hash_dir
+#   This setting makes use of a directory where CRLs are stored in files named by the hash of the issuer name.
+#   Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_cache_opts) module documentation for more information.
+# @param ssl_crl_cache_http_timeout
+#   This setting enables use of internal CRLs cache and sets HTTP timeout interval on fetching CRLs from distributino URLs defined inside certificate.
+#   Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_cache_opts) module documentation for more information.
 # @param stomp_port
 #   The port to use for Stomp.
 # @param stomp_ssl_only
@@ -368,6 +377,9 @@
   Boolean $ssl_honor_cipher_order                                                                  = true,
   Optional[Stdlib::Absolutepath] $ssl_dhfile                                                       = undef,
   Array $ssl_ciphers                                                                               = [],
+  Enum['true','false','peer','best_effort'] $ssl_crl_check                                         = 'false',
+  Optional[Stdlib::Absolutepath] $ssl_crl_cache_hash_dir                                                         = undef,
+  Optional[Integer] $ssl_crl_cache_http_timeout                                                    = undef,
   Boolean $stomp_ensure                                                                            = false,
   Boolean $ldap_auth                                                                               = false,
   Variant[String[1],Array[String[1]]] $ldap_server                                                 = 'ldap',
@@ -413,6 +425,30 @@
     }
   }
 
+  if $ssl_crl_check != 'false' {
+    unless $ssl {
+      fail('$ssl_crl_check requires that $ssl => true')
+    }
+  }
+
+  if $ssl_crl_cache_hash_dir {
+    unless $ssl {
+      fail('$ssl_crl_cache_hash_dir requires that $ssl => true')
+    }
+    if $ssl_crl_check == 'false' {
+      fail('$ssl_crl_cache_http_timeout requires that $ssl_crl_check => true|peer|best_effort')
+    }
+  }
+
+  if $ssl_crl_cache_http_timeout {
+    unless $ssl {
+      fail('$ssl_crl_cache_http_timeout requires that $ssl => true')
+    }
+    if $ssl_crl_check == 'false' {
+      fail('$ssl_crl_cache_http_timeout requires that $ssl_crl_check => true|peer|best_effort')
+    }
+  }
+
   if $repos_ensure {
     case $facts['os']['family'] {
       'RedHat': {

spec/classes/rabbitmq_spec.rb

@@ -1161,6 +1161,102 @@
         end
       end
 
+      describe 'ssl options with ssl_crl_check enabled' do
+        let(:params) do
+          { ssl: true,
+            ssl_port: 3141,
+            ssl_cacert: '/path/to/cacert',
+            ssl_cert: '/path/to/cert',
+            ssl_key: '/path/to/key',
+            ssl_crl_check: 'true' }
+        end
+
+        it 'sets ssl crl check setting to specified value' do
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_check,true})
+        end
+      end
+
+      describe 'ssl options with ssl_crl_check and ssl_crl_hash_cache enabled' do
+        let(:params) do
+          { ssl: true,
+            ssl_port: 3141,
+            ssl_cacert: '/path/to/cacert',
+            ssl_cert: '/path/to/cert',
+            ssl_key: '/path/to/key',
+            ssl_crl_check: 'true',
+            ssl_crl_cache_hash_dir: '/path/to/crl_cache/dir' }
+        end
+
+        it 'sets ssl crl check setting to specified value' do
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_check,true})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_cache,\s+{ssl_crl_hash_dir,\s+{internal,\s+\[{dir, "/path/to/crl_cache/dir"}\]}}})
+        end
+      end
+
+      describe 'ssl options with ssl_crl_check and http cache enabled' do
+        let(:params) do
+          { ssl: true,
+            ssl_port: 3141,
+            ssl_cacert: '/path/to/cacert',
+            ssl_cert: '/path/to/cert',
+            ssl_key: '/path/to/key',
+            ssl_crl_check: 'true',
+            ssl_crl_cache_http_timeout: 5000 }
+        end
+
+        it 'sets ssl crl check setting to specified value' do
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_check,true})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_cache,\s+{ssl_crl_cache,\s+{internal,\s+\[{http, 5000}\]}}})
+        end
+      end
+
+      describe 'ssl options with ssl_crl_check enabled and not ssl' do
+        let(:params) do
+          { ssl: false,
+            ssl_port: 3141,
+            ssl_cacert: '/path/to/cacert',
+            ssl_cert: '/path/to/cert',
+            ssl_key: '/path/to/key',
+            ssl_crl_check: 'true' }
+        end
+
+        it 'fails' do
+          expect { catalogue }.to raise_error(Puppet::Error, %r{\$ssl_crl_check requires that \$ssl => true})
+        end
+      end
+
+      describe 'ssl options with ssl_crl_cache_hash_dir set and not ssl_crl_check' do
+        let(:params) do
+          { ssl: true,
+            ssl_port: 3141,
+            ssl_cacert: '/path/to/cacert',
+            ssl_cert: '/path/to/cert',
+            ssl_key: '/path/to/key',
+            ssl_crl_check: 'false',
+            ssl_crl_cache_hash_dir: '/path/to/crl_cache/dir' }
+        end
+
+        it 'fails' do
+          expect { catalogue }.to raise_error(Puppet::Error, %r{\$ssl_crl_cache_hash_dir requires that \$ssl_crl_check => true|peer|best_effort})
+        end
+      end
+
+      describe 'ssl options with ssl_crl_cache_http_timeout set and not ssl_crl_check' do
+        let(:params) do
+          { ssl: true,
+            ssl_port: 3141,
+            ssl_cacert: '/path/to/cacert',
+            ssl_cert: '/path/to/cert',
+            ssl_key: '/path/to/key',
+            ssl_crl_check: 'false',
+            ssl_crl_cache_http_timeout: 5000 }
+        end
+
+        it 'fails' do
+          expect { catalogue }.to raise_error(Puppet::Error, %r{\$ssl_crl_cache_http_timeout requires that \$ssl_crl_check => true|peer|best_effort})
+        end
+      end
+
       describe 'ssl admin options with specific ssl versions' do
         let(:params) do
           { ssl: true,

templates/rabbitmq.config.erb

@@ -95,6 +95,15 @@ end
                      <%= ssl_ciphers %>
                    ]}
                    <%- end -%>
+                   <%- if @ssl_crl_check != 'false' -%>
+                   ,{crl_check,<%= @ssl_crl_check %>}
+                   <%- end -%>
+                   <%- if @ssl_crl_cache_hash_dir -%>
+                   ,{crl_cache, {ssl_crl_hash_dir, {internal, [{dir, "<%= @ssl_crl_cache_hash_dir %>"}]}}}
+                   <%- end -%>
+                   <%- if @ssl_crl_cache_http_timeout -%>
+                   ,{crl_cache, {ssl_crl_cache, {internal, [{http, <%= @ssl_crl_cache_http_timeout %>}]}}}
+                   <%- end -%>
                   ]},
 <%- end -%>
 <% if scope['rabbitmq::config_variables'] -%>