Merge pull request #247 from selyx/master

ajroetker · web-flow · commit 63c654bd519d · 2017-01-23T15:05:00.000-08:00
add option to customize cipher suites in jetty
diff --git a/README.md b/README.md
@@ -371,6 +371,11 @@ If true, open the `ssl_listen_port` on the firewall. Defaults to `undef`.
 
 Specify the supported SSL protocols for PuppetDB (e.g. TLSv1, TLSv1.1, TLSv1.2.)
 
+####`cipher_suites`
+
+Configure jetty's supported `cipher-suites` (e.g. `SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`).
+Defaults to `undef`.
+
 ###`manage_dbserver`
 
 If true, the PostgreSQL server will be managed by this module. Defaults to `true`.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -19,6 +19,7 @@
   $ssl_cert                          = $puppetdb::params::ssl_cert,
   $ssl_ca_cert                       = $puppetdb::params::ssl_ca_cert,
   $ssl_protocols                     = $puppetdb::params::ssl_protocols,
+  $cipher_suites                     = $puppetdb::params::cipher_suites,
   $manage_dbserver                   = $puppetdb::params::manage_dbserver,
   $manage_package_repo               = $puppetdb::params::manage_pg_repo,
   $postgres_version                  = $puppetdb::params::postgres_version,
@@ -93,6 +94,7 @@
     ssl_cert                          => $ssl_cert,
     ssl_ca_cert                       => $ssl_ca_cert,
     ssl_protocols                     => $ssl_protocols,
+    cipher_suites                     => $cipher_suites,
     database                          => $database,
     database_host                     => $database_host,
     database_port                     => $database_port,
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -10,6 +10,7 @@
   $ssl_listen_port           = '8081'
   $ssl_protocols             = undef
   $disable_ssl               = false
+  $cipher_suites             = undef
   $open_ssl_listen_port      = undef
   $postgres_listen_addresses = 'localhost'
 
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -18,6 +18,7 @@
   $ssl_cert                          = $puppetdb::params::ssl_cert,
   $ssl_ca_cert                       = $puppetdb::params::ssl_ca_cert,
   $ssl_protocols                     = $puppetdb::params::ssl_protocols,
+  $cipher_suites                     = $puppetdb::params::cipher_suites,
   $database                          = $puppetdb::params::database,
   $database_host                     = $puppetdb::params::database_host,
   $database_port                     = $puppetdb::params::database_port,
@@ -251,6 +252,7 @@
     ssl_cert_path      => $ssl_cert_path,
     ssl_ca_cert_path   => $ssl_ca_cert_path,
     ssl_protocols      => $ssl_protocols,
+    cipher_suites      => $cipher_suites,
     disable_ssl        => $disable_ssl,
     confdir            => $confdir,
     max_threads        => $max_threads,
diff --git a/manifests/server/jetty.pp b/manifests/server/jetty.pp
@@ -11,6 +11,7 @@
   $ssl_key_path       = $puppetdb::params::ssl_key_path,
   $ssl_ca_cert_path   = $puppetdb::params::ssl_ca_cert_path,
   $ssl_protocols      = $puppetdb::params::ssl_protocols,
+  $cipher_suites      = $puppetdb::params::cipher_suites,
   $confdir            = $puppetdb::params::confdir,
   $max_threads        = $puppetdb::params::max_threads,
   $puppetdb_user      = $puppetdb::params::puppetdb_user,
@@ -79,6 +80,17 @@
     }
   }
 
+  if $cipher_suites != undef {
+
+    validate_string($cipher_suites)
+
+    ini_setting { 'puppetdb_cipher-suites':
+      ensure  => $ssl_setting_ensure,
+      setting => 'cipher-suites',
+      value   => $cipher_suites,
+    }
+  }
+
   if str2bool($ssl_set_cert_paths) == true {
     # assume paths have been validated in calling class
     ini_setting { 'puppetdb_ssl_key':
diff --git a/spec/unit/classes/server/jetty_ini_spec.rb b/spec/unit/classes/server/jetty_ini_spec.rb
@@ -171,6 +171,26 @@
       end
     end
 
+    describe 'when setting cipher_suites' do
+      context 'to a valid string' do
+        let(:params) do
+          {
+            'cipher_suites' => 'SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256'
+          }
+        end
+
+        it {
+          should contain_ini_setting('puppetdb_cipher-suites').with(
+            'ensure'  => 'present',
+            'path'    => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini',
+            'section' => 'jetty',
+            'setting' => 'cipher-suites',
+            'value'   => 'SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256'
+          )
+        }
+      end
+    end
+
     describe 'when disabling the cleartext HTTP port' do
       let(:params) do
         {
