Add some tests, add docs via strings, switch to undef from 'UNSET'

voxpupuli · Sep 13, 2017 · d66d0d8 · d66d0d8
1 parent cc15f82
commit d66d0d8
Show file tree

Hide file tree

Showing 3 changed files with 105 additions and 3 deletions.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -156,12 +156,16 @@
 # @param ssl_cert Cert to use for SSL.
 # @param ssl_cert_password Password used when generating CSR.
 # @param ssl_depth SSL verification depth.
+# @param ssl_dhfile Use this dhparam file [example: generate with `openssl dhparam -out /etc/rabbitmq/ssl/dhparam.pem 2048`
 # @param ssl_erl_dist Whether to use the erlang package's SSL (relies on the ssl_erl_path fact)
+# @param ssl_honor_cipher_order Force use of server cipher order
 # @param ssl_interface Interface for SSL listener to bind to
 # @param ssl_key Key to use for SSL.
 # @param ssl_only Configures the service to only use SSL.  No cleartext TCP listeners will be created. Requires that ssl => true and
 # @param ssl_management_port SSL management port.
 # @param ssl_port SSL port for RabbitMQ
+# @param ssl_reuse_sessions Reuse ssl sessions
+# @param ssl_secure_renegotiate Use ssl secure renegotiate
 # @param ssl_stomp_port SSL stomp port.
 # @param ssl_verify rabbitmq.config SSL verify setting.
 # @param ssl_fail_if_no_peer_cert rabbitmq.config `fail_if_no_peer_cert` setting.

diff --git a/spec/classes/rabbitmq_spec.rb b/spec/classes/rabbitmq_spec.rb
@@ -686,6 +686,10 @@
             ssl_cacert: '/path/to/cacert',
             ssl_cert: '/path/to/cert',
             ssl_key: '/path/to/key',
+            ssl_secure_renegotiate: true,
+            ssl_reuse_sessions: true,
+            ssl_honor_cipher_order: true,
+            ssl_dhfile: :undef,
             management_ssl: false,
             management_port: 13_142 }
         end
@@ -706,6 +710,18 @@
           is_expected.to contain_file('rabbitmq.config').with_content(
             %r{keyfile,"/path/to/key"}
           )
+          is_expected.to contain_file('rabbitmq.config').with_content(
+            %r{secure_renegotiate,true}
+          )
+          is_expected.to contain_file('rabbitmq.config').with_content(
+            %r{reuse_sessions,true}
+          )
+          is_expected.to contain_file('rabbitmq.config').with_content(
+            %r{honor_cipher_order,true}
+          )
+          is_expected.to contain_file('rabbitmq.config').without_content(
+            %r{dhfile,}
+          )
         end
         it 'sets non ssl port for management port' do
           is_expected.to contain_file('rabbitmq.config').with_content(
@@ -724,6 +740,11 @@
             ssl_cacert: '/path/to/cacert',
             ssl_cert: '/path/to/cert',
             ssl_key: '/path/to/key',
+            ssl_secure_renegotiate: true,
+            ssl_reuse_sessions: true,
+            ssl_honor_cipher_order: true,
+            ssl_dhfile: :undef,
+
             management_ssl: true,
             ssl_management_port: 13_141 }
         end
@@ -747,6 +768,18 @@
           is_expected.to contain_file('rabbitmq.config').with_content(
             %r{keyfile,"/path/to/key"}
           )
+          is_expected.to contain_file('rabbitmq.config').with_content(
+            %r{secure_renegotiate,true}
+          )
+          is_expected.to contain_file('rabbitmq.config').with_content(
+            %r{reuse_sessions,true}
+          )
+          is_expected.to contain_file('rabbitmq.config').with_content(
+            %r{honor_cipher_order,true}
+          )
+          is_expected.to contain_file('rabbitmq.config').without_content(
+            %r{dhfile,}
+          )
         end
         it 'sets ssl managment port to specified values' do
           is_expected.to contain_file('rabbitmq.config').with_content(
@@ -778,7 +811,11 @@
             ssl_port: 3141,
             ssl_cacert: '/path/to/cacert',
             ssl_cert: '/path/to/cert',
-            ssl_key: '/path/to/key' }
+            ssl_key: '/path/to/key',
+            ssl_secure_renegotiate: true,
+            ssl_reuse_sessions: true,
+            ssl_honor_cipher_order: true,
+            ssl_dhfile: :undef }
         end
 
         it 'sets ssl options to specified values' do
@@ -797,6 +834,18 @@
           is_expected.to contain_file('rabbitmq.config').with_content(
             %r{keyfile,"/path/to/key"}
           )
+          is_expected.to contain_file('rabbitmq.config').with_content(
+            %r{secure_renegotiate,true}
+          )
+          is_expected.to contain_file('rabbitmq.config').with_content(
+            %r{reuse_sessions,true}
+          )
+          is_expected.to contain_file('rabbitmq.config').with_content(
+            %r{honor_cipher_order,true}
+          )
+          is_expected.to contain_file('rabbitmq.config').without_content(
+            %r{dhfile,}
+          )
         end
       end
 
@@ -938,6 +987,56 @@
         end
       end
 
+      describe 'ssl with ssl_dhfile' do
+        let(:params) do
+          { ssl: true,
+            ssl_interface: '0.0.0.0',
+            ssl_dhfile: '/etc/pki/tls/dh-params.pem' }
+        end
+
+        it { is_expected.to contain_file('rabbitmq.config').with_content(%r{dhfile, "/etc/pki/tls/dh-params\.pem}) }
+      end
+
+      describe 'ssl with ssl_dhfile unset' do
+        let(:params) do
+          { ssl: true,
+            ssl_interface: '0.0.0.0',
+            ssl_dhfile: :undef }
+        end
+
+        it { is_expected.to contain_file('rabbitmq.config').without_content(%r{dhfile,}) }
+      end
+
+      describe 'ssl with ssl_secure_renegotiate false' do
+        let(:params) do
+          { ssl: true,
+            ssl_interface: '0.0.0.0',
+            ssl_secure_renegotiate: false }
+        end
+
+        it { is_expected.to contain_file('rabbitmq.config').with_content(%r{secure_renegotiate,false}) }
+      end
+
+      describe 'ssl with ssl_reuse_sessions false' do
+        let(:params) do
+          { ssl: true,
+            ssl_interface: '0.0.0.0',
+            ssl_reuse_sessions: false }
+        end
+
+        it { is_expected.to contain_file('rabbitmq.config').with_content(%r{reuse_sessions,false}) }
+      end
+
+      describe 'ssl with ssl_honor_cipher_order false' do
+        let(:params) do
+          { ssl: true,
+            ssl_interface: '0.0.0.0',
+            ssl_honor_cipher_order: false }
+        end
+
+        it { is_expected.to contain_file('rabbitmq.config').with_content(%r{honor_cipher_order,false}) }
+      end
+
       describe 'ssl admin options' do
         let(:params) do
           { ssl: true,

diff --git a/templates/rabbitmq.config.erb b/templates/rabbitmq.config.erb
@@ -65,7 +65,7 @@
                    <%- if @ssl_depth -%>
                    {depth,<%= @ssl_depth %>},
                    <%- end -%>
-                   <%- if @ssl_dhfile != 'UNSET' -%>
+                   <%- if @ssl_dhfile -%>
                    {dhfile, "<%= @ssl_dhfile %>"},
                    <%- end -%>
                    {secure_renegotiate,<%= @ssl_secure_renegotiate %>},
@@ -112,7 +112,6 @@
       {ssl_opts, [<%- if @ssl_cacert %>
                   {cacertfile, "<%= @ssl_cacert %>"},
                   <%- end -%>
-
                   {certfile, "<%= @ssl_cert %>"},
                   {keyfile, "<%= @ssl_key %>"}
                    <%- if @ssl_versions -%>