Add ssl_options to schema

Author: MarcialRosales

deps/rabbitmq_auth_backend_http/BUILD.bazel

@@ -94,15 +94,14 @@ eunit(
 
 broker_for_integration_suites()
 
-rabbitmq_suite(
+rabbitmq_integration_suite(
     name = "auth_SUITE",
     size = "small",
     additional_beam = [
         "test/auth_http_mock.beam",
     ],
     deps = [
-        "//deps/rabbit_common:erlang_app",
-        "@cowboy//:erlang_app",
+        "@cowboy//:erlang_app"
     ],
 )
 

deps/rabbitmq_auth_backend_http/priv/schema/rabbitmq_auth_backend_http.schema

@@ -25,3 +25,131 @@
 
 {mapping, "auth_http.connection_timeout", "rabbitmq_auth_backend_http.connection_timeout",
     [{datatype, integer}]}.
+
+
+%% TLS options
+
+
+{mapping, "auth_http.ssl_options", "rabbitmq_auth_backend_http.ssl_options", [
+    {datatype, {enum, [none]}}
+]}.
+
+{translation, "rabbitmq_auth_backend_http.ssl_options",
+fun(Conf) ->
+    case cuttlefish:conf_get("auth_http.ssl_options", Conf, undefined) of
+        none -> [];
+        _    -> cuttlefish:invalid("Invalid auth_http.ssl_options")
+    end
+end}.
+
+{mapping, "auth_http.ssl_options.verify", "rabbitmq_auth_backend_http.ssl_options.verify", [
+    {datatype, {enum, [verify_peer, verify_none]}}]}.
+
+{mapping, "auth_http.ssl_options.fail_if_no_peer_cert", "rabbitmq_auth_backend_http.ssl_options.fail_if_no_peer_cert", [
+    {datatype, {enum, [true, false]}}]}.
+
+{mapping, "auth_http.ssl_options.cacertfile", "rabbitmq_auth_backend_http.ssl_options.cacertfile",
+    [{datatype, string}, {validators, ["file_accessible"]}]}.
+
+{mapping, "auth_http.ssl_options.certfile", "rabbitmq_auth_backend_http.ssl_options.certfile",
+    [{datatype, string}, {validators, ["file_accessible"]}]}.
+
+{mapping, "auth_http.ssl_options.cacerts.$name", "rabbitmq_auth_backend_http.ssl_options.cacerts",
+    [{datatype, string}]}.
+
+{translation, "rabbitmq_auth_backend_http.ssl_options.cacerts",
+fun(Conf) ->
+    Settings = cuttlefish_variable:filter_by_prefix("auth_http.ssl_options.cacerts", Conf),
+    [ list_to_binary(V) || {_, V} <- Settings ]
+end}.
+
+{mapping, "auth_http.ssl_options.cert", "rabbitmq_auth_backend_http.ssl_options.cert",
+    [{datatype, string}]}.
+
+{translation, "rabbitmq_auth_backend_http.ssl_options.cert",
+fun(Conf) ->
+    list_to_binary(cuttlefish:conf_get("auth_http.ssl_options.cert", Conf))
+end}.
+
+{mapping, "auth_http.ssl_options.client_renegotiation", "rabbitmq_auth_backend_http.ssl_options.client_renegotiation",
+    [{datatype, {enum, [true, false]}}]}.
+
+{mapping, "auth_http.ssl_options.crl_check", "rabbitmq_auth_backend_http.ssl_options.crl_check",
+    [{datatype, [{enum, [true, false, peer, best_effort]}]}]}.
+
+{mapping, "auth_http.ssl_options.depth", "rabbitmq_auth_backend_http.ssl_options.depth",
+    [{datatype, integer}, {validators, ["byte"]}]}.
+
+{mapping, "auth_http.ssl_options.dh", "rabbitmq_auth_backend_http.ssl_options.dh",
+    [{datatype, string}]}.
+
+{translation, "rabbitmq_auth_backend_http.ssl_options.dh",
+fun(Conf) ->
+    list_to_binary(cuttlefish:conf_get("auth_http.ssl_options.dh", Conf))
+end}.
+
+{mapping, "auth_http.ssl_options.dhfile", "rabbitmq_auth_backend_http.ssl_options.dhfile",
+    [{datatype, string}, {validators, ["file_accessible"]}]}.
+
+{mapping, "auth_http.ssl_options.honor_cipher_order", "rabbitmq_auth_backend_http.ssl_options.honor_cipher_order",
+    [{datatype, {enum, [true, false]}}]}.
+
+{mapping, "auth_http.ssl_options.honor_ecc_order", "rabbitmq_auth_backend_http.ssl_options.honor_ecc_order",
+    [{datatype, {enum, [true, false]}}]}.
+
+{mapping, "auth_http.ssl_options.key.RSAPrivateKey", "rabbitmq_auth_backend_http.ssl_options.key",
+    [{datatype, string}]}.
+
+{mapping, "auth_http.ssl_options.key.DSAPrivateKey", "rabbitmq_auth_backend_http.ssl_options.key",
+    [{datatype, string}]}.
+
+{mapping, "auth_http.ssl_options.key.PrivateKeyInfo", "rabbitmq_auth_backend_http.ssl_options.key",
+    [{datatype, string}]}.
+
+{translation, "rabbitmq_auth_backend_http.ssl_options.key",
+fun(Conf) ->
+    case cuttlefish_variable:filter_by_prefix("auth_http.ssl_options.key", Conf) of
+        [{[_,_,Key], Val}|_] -> {list_to_atom(Key), list_to_binary(Val)};
+        _ -> undefined
+    end
+end}.
+
+{mapping, "auth_http.ssl_options.keyfile", "rabbitmq_auth_backend_http.ssl_options.keyfile",
+    [{datatype, string}, {validators, ["file_accessible"]}]}.
+
+{mapping, "auth_http.ssl_options.log_alert", "rabbitmq_auth_backend_http.ssl_options.log_alert",
+    [{datatype, {enum, [true, false]}}]}.
+
+{mapping, "auth_http.ssl_options.password", "rabbitmq_auth_backend_http.ssl_options.password",
+    [{datatype, string}]}.
+
+{mapping, "auth_http.ssl_options.psk_identity", "rabbitmq_auth_backend_http.ssl_options.psk_identity",
+    [{datatype, string}]}.
+
+{mapping, "auth_http.ssl_options.reuse_sessions", "rabbitmq_auth_backend_http.ssl_options.reuse_sessions",
+    [{datatype, {enum, [true, false]}}]}.
+
+{mapping, "auth_http.ssl_options.secure_renegotiate", "rabbitmq_auth_backend_http.ssl_options.secure_renegotiate",
+    [{datatype, {enum, [true, false]}}]}.
+
+{mapping, "auth_http.ssl_options.versions.$version", "rabbitmq_auth_backend_http.ssl_options.versions",
+    [{datatype, atom}]}.
+
+{translation, "rabbitmq_auth_backend_http.ssl_options.versions",
+fun(Conf) ->
+    Settings = cuttlefish_variable:filter_by_prefix("auth_http.ssl_options.versions", Conf),
+    [ V || {_, V} <- Settings ]
+end}.
+
+{mapping, "auth_http.ssl_options.sni", "rabbitmq_auth_backend_http.ssl_options.server_name_indication",
+    [{datatype, [{enum, [none]}, string]}]}.
+
+{translation, "rabbitmq_auth_backend_http.ssl_options.server_name_indication",
+fun(Conf) ->
+    case cuttlefish:conf_get("auth_http.ssl_options.sni", Conf, undefined) of
+        undefined -> cuttlefish:unset();
+        none      -> cuttlefish:unset();
+        Hostname  -> Hostname
+    end
+end}.
+

deps/rabbitmq_auth_backend_http/test/auth_SUITE.erl

@@ -14,12 +14,6 @@
 
 -define(AUTH_PORT, 8000).
 -define(USER_PATH, "/auth/user").
--define(BACKEND_CONFIG,
-	[{http_method, get},
-     {user_path, "http://localhost:" ++ integer_to_list(?AUTH_PORT) ++ ?USER_PATH},
-	 {vhost_path, "http://localhost:" ++ integer_to_list(?AUTH_PORT) ++ "/auth/vhost"},
-     {resource_path, "http://localhost:" ++ integer_to_list(?AUTH_PORT) ++ "/auth/resource"},
-	 {topic_path, "http://localhost:" ++ integer_to_list(?AUTH_PORT) ++ "/auth/topic"}]).
 -define(ALLOWED_USER, #{username => <<"Ala1">>,
                         password => <<"Kocur">>,
 												expected_credentials => [username, password],
@@ -33,26 +27,62 @@
 											 password => <<"Cat">>
 											 }).
 
-all() -> [grants_access_to_user,
-					denies_access_to_user,
-					grants_access_to_user_passing_additional_required_authprops,
-					grants_access_to_user_skipping_internal_authprops,
-					grants_access_to_user_with_credentials_in_rabbit_auth_backend_http,
-					grants_access_to_user_with_credentials_in_rabbit_auth_backend_cache].
-
-init_per_suite(Config) ->
-    configure_http_auth_backend(),
+all() ->  
+    [
+        {group, over_https},
+        {group, over_http}
+    ].
+
+groups() ->
+    [
+        {over_http, [], shared()},
+        {over_https, [], shared()}
+    ].
+
+shared() ->
+    [
+        grants_access_to_user,
+        denies_access_to_user,
+        grants_access_to_user_passing_additional_required_authprops,
+        grants_access_to_user_skipping_internal_authprops,
+        grants_access_to_user_with_credentials_in_rabbit_auth_backend_http,
+        grants_access_to_user_with_credentials_in_rabbit_auth_backend_cache
+    ].
+
+init_per_suite(Config) ->    
+    rabbit_ct_helpers:run_setup_steps(Config) ++ 
+        [{allowed_user, ?ALLOWED_USER},
+        {allowed_user_with_extra_credentials, ?ALLOWED_USER_WITH_EXTRA_CREDENTIALS},
+        {denied_user, ?DENIED_USER}].
+
+init_per_group(over_http, Config) ->
+    configure_http_auth_backend("http", Config),
     {User1, Tuple1} = extractUserTuple(?ALLOWED_USER),
-		{User2, Tuple2} = extractUserTuple(?ALLOWED_USER_WITH_EXTRA_CREDENTIALS),
+    {User2, Tuple2} = extractUserTuple(?ALLOWED_USER_WITH_EXTRA_CREDENTIALS),    
     start_http_auth_server(?AUTH_PORT, ?USER_PATH, #{User1 => Tuple1, User2 => Tuple2}),
-    [{allowed_user, ?ALLOWED_USER},
-			{allowed_user_with_extra_credentials, ?ALLOWED_USER_WITH_EXTRA_CREDENTIALS},
-			{denied_user, ?DENIED_USER} | Config].
+    Config;
+
+init_per_group(over_https, Config) ->
+    configure_http_auth_backend("https", Config),
+    {User1, Tuple1} = extractUserTuple(?ALLOWED_USER),
+    {User2, Tuple2} = extractUserTuple(?ALLOWED_USER_WITH_EXTRA_CREDENTIALS),    
+    CertsDir = ?config(rmq_certsdir, Config),
+    start_https_auth_server(?AUTH_PORT, CertsDir, ?USER_PATH, #{User1 => Tuple1, User2 => Tuple2}),
+    Config.
+
+
 extractUserTuple(User) ->
 	#{username := Username, password := Password, tags := Tags, expected_credentials := ExpectedCredentials} = User,
 	{Username, {Password, Tags, ExpectedCredentials}}.
 
-end_per_suite(_Config) ->
+end_per_suite(Config) ->
+    Config.
+
+end_per_group(over_http, Config) ->
+    undo_configure_http_auth_backend("http", Config),
+    stop_http_auth_server();
+end_per_group(over_https, Config) ->
+    undo_configure_http_auth_backend("https", Config),
     stop_http_auth_server().
 
 grants_access_to_user(Config) ->
@@ -102,15 +132,49 @@ grants_access_to_user_with_credentials_in_rabbit_auth_backend_cache(Config) ->
 
 %%% HELPERS
 
-configure_http_auth_backend() ->
-    {ok, _} = application:ensure_all_started(inets),
-    [application:set_env(rabbitmq_auth_backend_http, K, V) || {K, V} <- ?BACKEND_CONFIG].
+configure_http_auth_backend(Scheme, Config) ->
+    [application:set_env(rabbitmq_auth_backend_http, K, V) || {K, V} <- generate_backend_config(Scheme, Config)].
+undo_configure_http_auth_backend(Scheme, Config) ->    
+    [application:unset_env(rabbitmq_auth_backend_http, K) || {K, _V} <- generate_backend_config(Scheme, Config)].
 
 start_http_auth_server(Port, Path, Users) ->
+    {ok, _} = application:ensure_all_started(inets),
     application:ensure_all_started(cowboy),
     Dispatch = cowboy_router:compile([{'_', [{Path, auth_http_mock, Users}]}]),
     {ok, _} = cowboy:start_clear(
         mock_http_auth_listener, [{port, Port}], #{env => #{dispatch => Dispatch}}).
 
+start_https_auth_server(Port, CertsDir, Path, Users) ->
+    {ok, _} = application:ensure_all_started(inets),
+    {ok, _} = application:ensure_all_started(ssl),
+    {ok, _} = application:ensure_all_started(cowboy),    
+    
+    Dispatch = cowboy_router:compile([{'_', [{Path, auth_http_mock, Users}]}]),
+    {ok, _} = cowboy:start_tls(mock_http_auth_listener,
+                      [{port, Port},
+                       {certfile, filename:join([CertsDir, "server", "cert.pem"])},
+                       {keyfile, filename:join([CertsDir, "server", "key.pem"])}],
+                      #{env => #{dispatch => Dispatch}}).
+    
 stop_http_auth_server() ->
     cowboy:stop_listener(mock_http_auth_listener).
+
+generate_backend_config(Scheme, Config) ->
+    Config0 = [{http_method, get},
+     {user_path, Scheme ++ "://localhost:" ++ integer_to_list(?AUTH_PORT) ++ ?USER_PATH},
+	 {vhost_path, Scheme ++ "://localhost:" ++ integer_to_list(?AUTH_PORT) ++ "/auth/vhost"},
+     {resource_path, Scheme ++ "://localhost:" ++ integer_to_list(?AUTH_PORT) ++ "/auth/resource"},
+	 {topic_path, Scheme ++ "://localhost:" ++ integer_to_list(?AUTH_PORT) ++ "/auth/topic"}],
+    Config1 = case Scheme of 
+        "https" -> 
+            CertsDir = ?config(rmq_certsdir, Config),
+            [{ssl_options, [
+                {cacertfile, filename:join([CertsDir, "testca", "cacert.pem"])},
+                {certfile, filename:join([CertsDir, "server", "cert.pem"])},
+                {keyfile, filename:join([CertsDir, "server", "key.pem"])},
+                {verify, verify_peer},
+                {fail_if_no_peer_cert, false}]
+            }];
+        "http" -> []
+    end,
+    Config0 ++ Config1.

deps/rabbitmq_auth_backend_http/test/config_schema_SUITE_data/certs/cacert.pem

@@ -0,0 +1 @@
+I'm not a certificate

deps/rabbitmq_auth_backend_http/test/config_schema_SUITE_data/certs/cert.pem

@@ -0,0 +1 @@
+I'm not a certificate

deps/rabbitmq_auth_backend_http/test/config_schema_SUITE_data/certs/key.pem

@@ -0,0 +1 @@
+I'm not a certificate