Merge pull request #11375 from rabbitmq/mergify/bp/v3.13.x/pr-11369

amqp10_client: allow configuring global TLS options (backport #11369)

Author: michaelklishin

deps/amqp10_client/src/amqp10_client.erl

@@ -110,7 +110,8 @@ open_connection(ConnectionConfig0) ->
     },
     Sasl = maps:get(sasl, ConnectionConfig1),
     ConnectionConfig2 = ConnectionConfig1#{sasl => amqp10_client_connection:encrypt_sasl(Sasl)},
-    amqp10_client_connection:open(ConnectionConfig2).
+    ConnectionConfig = merge_default_tls_options(ConnectionConfig2),
+    amqp10_client_connection:open(ConnectionConfig).
 
 %% @doc Opens a connection using a connection_config map
 %% This is asynchronous and will notify completion to the caller using
@@ -506,6 +507,19 @@ try_to_existing_atom(L) when is_list(L) ->
 ensure_started() ->
     _ = application:ensure_all_started(credentials_obfuscation).
 
+
+-spec merge_default_tls_options(connection_config()) -> connection_config().
+merge_default_tls_options(#{tls_opts := {secure_port, TlsOpts0}} = Config) ->
+    GlobalTlsOpts = application:get_env(amqp10_client, ssl_options, []),
+    TlsOpts =
+        orddict:to_list(
+          orddict:merge(fun (_, _A, B) -> B end,
+                        orddict:from_list(GlobalTlsOpts),
+                        orddict:from_list(TlsOpts0))),
+    Config#{tls_opts => {secure_port, TlsOpts}};
+merge_default_tls_options(Config) ->
+    Config.
+
 -ifdef(TEST).
 -include_lib("eunit/include/eunit.hrl").
 

deps/amqp10_client/test/system_SUITE.erl

@@ -45,6 +45,7 @@ groups() ->
      {activemq, [], shared()},
      {rabbitmq_strict, [], [
                             basic_roundtrip_tls,
+                            roundtrip_tls_global_config,
                             open_connection_plain_sasl,
                             open_connection_plain_sasl_failure,
                             open_connection_plain_sasl_parse_uri
@@ -281,6 +282,26 @@ basic_roundtrip_tls(Config) ->
                 sasl => ?config(sasl, Config)},
     roundtrip(OpnConf).
 
+%% ssl option validation fails if verify_peer is enabled without cacerts.
+%% Test that cacertfile option takes effect taken from the application env.
+roundtrip_tls_global_config(Config) ->
+    Hostname = ?config(rmq_hostname, Config),
+    Port = rabbit_ct_broker_helpers:get_node_config(Config, 0, tcp_port_amqp_tls),
+    CACertFile = ?config(rmq_certsdir, Config) ++ "/testca/cacert.pem",
+    CertFile = ?config(rmq_certsdir, Config) ++ "/client/cert.pem",
+    KeyFile = ?config(rmq_certsdir, Config) ++ "/client/key.pem",
+    ok = application:set_env(amqp10_client, ssl_options, [{cacertfile, CACertFile},
+                                                          {certfile, CertFile},
+                                                          {keyfile, KeyFile}]),
+    OpnConf = #{address => Hostname,
+                port => Port,
+                tls_opts => {secure_port, [{verify, verify_peer}]},
+                notify => self(),
+                container_id => <<"open_connection_tls_container">>,
+                sasl => ?config(sasl, Config)},
+    roundtrip(OpnConf),
+    application:unset_env(amqp10_client, ssl_options).
+
 service_bus_config(Config, ContainerId) ->
     Hostname = ?config(sb_endpoint, Config),
     Port = ?config(sb_port, Config),