Add ssl options for client renegotiation to rabbitmq-server

Author: kperronne-godaddy

REFERENCE.md

@@ -278,6 +278,7 @@ The following parameters are available in the `rabbitmq` class:
 * [`ssl_management_fail_if_no_peer_cert`](#-rabbitmq--ssl_management_fail_if_no_peer_cert)
 * [`ssl_port`](#-rabbitmq--ssl_port)
 * [`ssl_reuse_sessions`](#-rabbitmq--ssl_reuse_sessions)
+* [`ssl_client_renegotiation`](#-rabbitmq--ssl_client_renegotiation)
 * [`ssl_secure_renegotiate`](#-rabbitmq--ssl_secure_renegotiate)
 * [`ssl_stomp_port`](#-rabbitmq--ssl_stomp_port)
 * [`ssl_verify`](#-rabbitmq--ssl_verify)
@@ -995,6 +996,14 @@ Reuse ssl sessions
 
 Default value: `true`
 
+##### <a name="-rabbitmq--ssl_client_renegotiation"></a>`ssl_client_renegotiation`
+
+Data type: `Optional[Boolean]`
+
+Allow ssl client renegotiation
+
+Default value: `undef`
+
 ##### <a name="-rabbitmq--ssl_secure_renegotiate"></a>`ssl_secure_renegotiate`
 
 Data type: `Boolean`

data/common.yaml

@@ -62,6 +62,7 @@ rabbitmq::ssl_fail_if_no_peer_cert: false
 rabbitmq::ssl_management_verify: 'verify_none'
 rabbitmq::ssl_management_fail_if_no_peer_cert: false
 rabbitmq::ssl_versions: ~
+rabbitmq::ssl_client_renegotiation: ~
 rabbitmq::ssl_secure_renegotiate: true
 rabbitmq::ssl_reuse_sessions: true
 rabbitmq::ssl_honor_cipher_order: true

manifests/config.pp

@@ -56,6 +56,7 @@
   $ssl_stomp_port                      = $rabbitmq::ssl_stomp_port
   $ssl_verify                          = $rabbitmq::ssl_verify
   $ssl_fail_if_no_peer_cert            = $rabbitmq::ssl_fail_if_no_peer_cert
+  $ssl_client_renegotiation            = $rabbitmq::ssl_client_renegotiation
   $ssl_secure_renegotiate              = $rabbitmq::ssl_secure_renegotiate
   $ssl_reuse_sessions                  = $rabbitmq::ssl_reuse_sessions
   $ssl_honor_cipher_order              = $rabbitmq::ssl_honor_cipher_order

manifests/init.pp

@@ -291,6 +291,8 @@
 #   SSL port for RabbitMQ
 # @param ssl_reuse_sessions
 #   Reuse ssl sessions
+# @param ssl_client_renegotiation
+#   Allow ssl client renegotiation
 # @param ssl_secure_renegotiate
 #   Use ssl secure renegotiate
 # @param ssl_stomp_port
@@ -419,13 +421,14 @@
   Enum['verify_none','verify_peer'] $ssl_management_verify                                         = 'verify_none',
   Boolean $ssl_management_fail_if_no_peer_cert                                                     = false,
   Optional[Array] $ssl_versions                                                                    = undef,
+  Optional[Boolean] $ssl_client_renegotiation                                                      = undef,
   Boolean $ssl_secure_renegotiate                                                                  = true,
   Boolean $ssl_reuse_sessions                                                                      = true,
   Boolean $ssl_honor_cipher_order                                                                  = true,
   Optional[Stdlib::Absolutepath] $ssl_dhfile                                                       = undef,
   Array $ssl_ciphers                                                                               = [],
   Enum['true','false','peer','best_effort'] $ssl_crl_check                                         = 'false',
-  Optional[Stdlib::Absolutepath] $ssl_crl_cache_hash_dir                                                         = undef,
+  Optional[Stdlib::Absolutepath] $ssl_crl_cache_hash_dir                                           = undef,
   Optional[Integer] $ssl_crl_cache_http_timeout                                                    = undef,
   Boolean $stomp_ensure                                                                            = false,
   Boolean $ldap_auth                                                                               = false,

spec/classes/rabbitmq_spec.rb

@@ -1194,6 +1194,34 @@
         end
       end
 
+      # tlsv1.3 not supported on older RMQ/Erlang with this distro
+      describe 'ssl options with ssl version tlsv1.3', unless: facts[:osfamily] == 'RedHat' do
+        let(:params) do
+          { ssl: true,
+            ssl_port: 3141,
+            ssl_cacert: '/path/to/cacert',
+            ssl_cert: '/path/to/cert',
+            ssl_key: '/path/to/key',
+            ssl_versions: ['tlsv1.3'] }
+        end
+
+        it 'sets ssl options to specified values' do
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_listeners, \[3141\]})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_options, \[})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{cacertfile,"/path/to/cacert"})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{certfile,"/path/to/cert"})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{keyfile,"/path/to/key})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl, \[\{versions, \['tlsv1.3'\]\}\]})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{versions, \['tlsv1.3'\]})
+        end
+
+        it 'does not set ssl negotiation options with tlsv1.3' do
+          is_expected.to contain_file('rabbitmq.config'). \
+            without_content(%r{client_renegotiation}). \
+            without_content(%r{secure_renegotiate})
+        end
+      end
+
       describe 'ssl options with ssl_versions and not ssl' do
         let(:params) do
           { ssl: false,
@@ -1379,6 +1407,16 @@
         it { is_expected.to contain_file('rabbitmq.config').without_content(%r{dhfile,}) }
       end
 
+      describe 'ssl with ssl_client_renegotiation false' do
+        let(:params) do
+          { ssl: true,
+            ssl_interface: '0.0.0.0',
+            ssl_client_renegotiation: false }
+        end
+
+        it { is_expected.to contain_file('rabbitmq.config').with_content(%r{client_renegotiation,false}) }
+      end
+
       describe 'ssl with ssl_secure_renegotiate false' do
         let(:params) do
           { ssl: true,

templates/rabbitmq.config.erb

@@ -0,0 +1,223 @@
+% This file managed by Puppet
+% Template Path: <%= @module_name %>/templates/rabbitmq.config
+[
+<%-
+if @ssl_ciphers && @ssl_ciphers.size > 0
+  ssl_ciphers = @ssl_ciphers.map do |cipher|
+    if cipher.split(',').size > 1
+      "{#{cipher}}"
+    else
+      "\"#{cipher}\""
+    end
+  end.join(",\n                      ")
+else
+  ssl_ciphers = nil
+end
+-%>
+<%- if @ssl and @ssl_versions -%>
+  {ssl, [{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]}]},
+<%- end -%>
+  {rabbit, [
+<%- if @heartbeat -%>
+    {heartbeat, <%=@heartbeat%>},
+<% end -%>
+    {loopback_users, [<%= @loopback_users.map { |u| "<<\"#{u}\">>" }.join(', ') %>]},
+<% if @auth_backends -%>
+    {auth_backends, [<%= @auth_backends.map { |v| "#{v}" }.join(', ') %>]},
+<% elsif @ldap_auth -%>
+    {auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_ldap]},
+<% end -%>
+<% if @config_cluster -%>
+    {cluster_nodes, {[<%= @cluster_nodes.map { |n| "\'rabbit@#{n}\'" }.join(', ') %>], <%= @cluster_node_type %>}},
+    {cluster_partition_handling, <%= @cluster_partition_handling %>},
+<% end -%>
+    {tcp_listen_options, [
+         <%- unless @config_ranch -%>
+         binary,
+         {packet,        raw},
+         {reuseaddr,     true},
+         <%- end -%>
+         <%- if @tcp_keepalive -%>
+         {keepalive,     true},
+         <%- end -%>
+         <%- if @tcp_backlog -%>
+         {backlog,       <%= @tcp_backlog %>},
+         <%- end -%>
+         <%- if @tcp_sndbuf -%>
+         {sndbuf,       <%= @tcp_sndbuf %>},
+         <%- end -%>
+         <%- if @tcp_recbuf -%>
+         {recbuf,       <%= @tcp_recbuf %>},
+         <%- end -%>
+         {nodelay,       true},
+         {linger,        {true, 0}},
+         {exit_on_close, false}
+    ]},
+<%- if @collect_statistics_interval -%>
+    {collect_statistics_interval, <%= @collect_statistics_interval %>},
+<%- end -%>
+<%- if @ssl_only -%>
+    {tcp_listeners, []},
+<%- elsif @interface -%>
+    {tcp_listeners, [{"<%= @interface%>", <%= @port %>}]},
+<%- end -%>
+<%- if @ssl -%>
+  <%- if @ssl_interface -%>
+    {ssl_listeners, [{"<%= @ssl_interface%>", <%= @ssl_port %>}]},
+  <%- else -%>
+    {ssl_listeners, [<%= @ssl_port %>]},
+  <%- end -%>
+    {ssl_options, [
+                   <%- if @ssl_cacert -%>
+                   {cacertfile,"<%= @ssl_cacert %>"},
+                   <%- end -%>
+                   {certfile,"<%= @ssl_cert %>"},
+                   {keyfile,"<%= @ssl_key %>"},
+                   <%- if @ssl_cert_password -%>
+                   {password, "<%= @ssl_cert_password %>"},
+                   <%- end -%>
+                   <%- if @ssl_depth -%>
+                   {depth,<%= @ssl_depth %>},
+                   <%- end -%>
+                   <%- if @ssl_dhfile -%>
+                   {dhfile, "<%= @ssl_dhfile %>"},
+                   <%- end -%>
+                   <%- if !@ssl_versions || !@ssl_versions.include?('tlsv1.3') -%>
+                   <%- if defined?(@ssl_client_renegotiation) -%>
+                   {client_renegotiation,<%= @ssl_client_renegotiation %>},
+                   <%- end -%>
+                   {secure_renegotiate,<%= @ssl_secure_renegotiate %>},
+                   <%- end -%>
+                   {reuse_sessions,<%= @ssl_reuse_sessions %>},
+                   {honor_cipher_order,<%= @ssl_honor_cipher_order %>},
+                   {verify,<%= @ssl_verify %>},
+                   {fail_if_no_peer_cert,<%= @ssl_fail_if_no_peer_cert %>}
+                   <%- if @ssl_versions -%>
+                   ,{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]}
+                   <%- end -%>
+                   <%- if @ssl_ciphers and @ssl_ciphers.size > 0 -%>
+                   ,{ciphers,[
+                     <%= ssl_ciphers %>
+                   ]}
+                   <%- end -%>
+                   <%- if @ssl_crl_check != 'false' -%>
+                   ,{crl_check,<%= @ssl_crl_check %>}
+                   <%- end -%>
+                   <%- if @ssl_crl_cache_hash_dir -%>
+                   ,{crl_cache, {ssl_crl_hash_dir, {internal, [{dir, "<%= @ssl_crl_cache_hash_dir %>"}]}}}
+                   <%- end -%>
+                   <%- if @ssl_crl_cache_http_timeout -%>
+                   ,{crl_cache, {ssl_crl_cache, {internal, [{http, <%= @ssl_crl_cache_http_timeout %>}]}}}
+                   <%- end -%>
+                  ]},
+<%- end -%>
+<% if scope['rabbitmq::config_variables'] -%>
+<%- scope['rabbitmq::config_variables'].keys.sort.each do |key| -%>
+    {<%= key %>, <%= scope['rabbitmq::config_variables'][key] %>},
+<%- end -%>
+<%- end -%>
+    {default_user, <<"<%= @default_user %>">>},
+    {default_pass, <<"<%= @default_pass %>">>}
+  ]}<% if @config_kernel_variables -%>,
+  {kernel, [
+    <%= @config_kernel_variables.sort.map{|k,v| "{#{k}, #{v}}"}.join(",\n    ") %>
+  ]}
+<%- end -%>
+<%- if @admin_enable or @management_enable or !@config_management_variables.empty? -%>,
+  {rabbitmq_management, [
+    <%- if !@config_management_variables.empty? -%>
+    <%= @config_management_variables.sort.map{|k,v| "{#{k}, #{v}}"}.join(",\n    ") %>
+    <%- end -%>
+<%- if @admin_enable or @management_enable -%>
+<%- if  !@config_management_variables.empty? -%>,<%-end-%>
+    {listener, [
+<%- if @ssl && @management_ssl -%>
+  <%- if @management_ip_address -%>
+      {ip, "<%= @management_ip_address %>"},
+  <%- end -%>
+      {port, <%= @ssl_management_port %>},
+      {ssl, true},
+      {ssl_opts, [<%- if @ssl_management_cacert %>
+                  {cacertfile, "<%= @ssl_management_cacert %>"},
+                  <%- end -%>
+                  {certfile, "<%= @ssl_management_cert %>"},
+                  {keyfile, "<%= @ssl_management_key %>"},
+                  <%- if !@ssl_versions || !@ssl_versions.include?('tlsv1.3') -%>
+                  <%- if defined?(@ssl_client_renegotiation) -%>
+                  {client_renegotiation,<%= @ssl_client_renegotiation %>},
+                  <%- end -%>
+                  {secure_renegotiate,<%= @ssl_secure_renegotiate %>},
+                  <%- end -%>
+                  {reuse_sessions,<%= @ssl_reuse_sessions %>},
+                  {honor_cipher_order,<%= @ssl_honor_cipher_order %>},
+                  {verify,<%= @ssl_management_verify %>},
+                  {fail_if_no_peer_cert,<%= @ssl_management_fail_if_no_peer_cert %>}
+                   <%- if @ssl_versions -%>
+                     ,{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]}
+                   <%- end -%>
+                  <%- if @ssl_ciphers and @ssl_ciphers.size > 0 -%>
+                  ,{ciphers,[
+                      <%= ssl_ciphers %>
+                  ]}
+                  <%- end -%>
+                 ]}
+<%- else -%>
+  <%- if @management_ip_address -%>
+      {ip, "<%= @management_ip_address %>"},
+  <%- end -%>
+      {port, <%= @management_port %>}
+<%- end -%>
+    ]}
+<%- end -%>
+  ]}
+<%- end -%>
+<% if @config_stomp -%>,
+% Configure the Stomp Plugin listening port
+  {rabbitmq_stomp, [
+  <%- if @stomp_ssl_only -%>
+    {tcp_listeners, []}
+  <%- else -%>
+    {tcp_listeners, [<%= @stomp_port %>]}
+  <%- end -%>
+  <%- if @ssl && @ssl_stomp_port -%>
+    ,
+    {ssl_listeners, [<%= @ssl_stomp_port %>]}
+  <%- end -%>
+  ]}
+<% end -%>
+<%- if @ldap_auth -%>,
+% Configure the LDAP authentication plugin
+  {rabbitmq_auth_backend_ldap, [
+    {other_bind, <%= @ldap_other_bind %>},
+<% if @ldap_server.class == Array -%>
+    {servers, <%= @ldap_server %>},
+<% else -%>
+    {servers, ["<%= @ldap_server %>"]},
+<% end -%>
+<% if @ldap_user_dn_pattern -%>
+    {user_dn_pattern, "<%= @ldap_user_dn_pattern %>"},
+<%- end -%>
+    {use_ssl, <%= @ldap_use_ssl %>},
+    {port, <%= @ldap_port %>},
+<% if @ldap_config_variables -%>
+<%- @ldap_config_variables.keys.sort.each do |key| -%>
+    {<%= key %>, <%= @ldap_config_variables[key] %>},
+<%- end -%>
+<%- end -%>
+    {log, <%= @ldap_log %>}
+  ]}
+<%- end -%>
+<%- if @config_shovel and not @config_shovel_statics.empty? -%>,
+  {rabbitmq_shovel,
+    [{shovels,[
+      <%= @config_shovel_statics.sort.map{|k,v| "{#{k},[#{v}]}"}.join(",\n      ") %>
+    ]}]}
+<%- end -%>
+<%- if @config_additional_variables and not @config_additional_variables.empty? -%>,
+% Additional config
+<%- @config_additional_variables.keys.sort.each do |key| -%>
+  {<%= key %>, <%= @config_additional_variables[key] %>}<%- if key != @config_additional_variables.keys.sort.last %>,<% end %>
+<%- end -%>
+<%- end -%>
+].
+% EOF