Revision cbda993f
Added by Dominic Cleal about 8 years ago
| manifests/init.pp | ||
|---|---|---|
|
# $foreman_ssl_key:: Corresponding key to a foreman_ssl_cert certificate
|
||
|
# When not specified, the ssl_key is used instead.
|
||
|
#
|
||
|
# $ssl_disabled_ciphers:: List of OpenSSL cipher suite names that will be disabled from the default
|
||
|
# type:array
|
||
|
#
|
||
|
# $trusted_hosts:: Only hosts listed will be permitted, empty array to disable authorization
|
||
|
# type:array
|
||
|
#
|
||
| ... | ... | |
|
$foreman_ssl_cert = $foreman_proxy::params::foreman_ssl_cert,
|
||
|
$foreman_ssl_key = $foreman_proxy::params::foreman_ssl_key,
|
||
|
$trusted_hosts = $foreman_proxy::params::trusted_hosts,
|
||
|
$ssl_disabled_ciphers = $foreman_proxy::params::ssl_disabled_ciphers,
|
||
|
$manage_sudoersd = $foreman_proxy::params::manage_sudoersd,
|
||
|
$use_sudoersd = $foreman_proxy::params::use_sudoersd,
|
||
|
$puppetca = $foreman_proxy::params::puppetca,
|
||
| ... | ... | |
|
# Validate misc params
|
||
|
validate_string($bind_host)
|
||
|
validate_bool($ssl, $manage_sudoersd, $use_sudoersd, $register_in_foreman)
|
||
|
validate_array($trusted_hosts)
|
||
|
validate_array($trusted_hosts, $ssl_disabled_ciphers)
|
||
|
validate_re($log_level, '^(UNKNOWN|FATAL|ERROR|WARN|INFO|DEBUG)$')
|
||
|
validate_re($plugin_version, '^(installed|present|latest|absent)$')
|
||
|
validate_re($ensure_packages_version, '^(installed|present|latest|absent)$')
|
||
| manifests/params.pp | ||
|---|---|---|
|
# Used to communicate to Foreman
|
||
|
$ssl_cert = "${ssldir}/certs/${lower_fqdn}.pem"
|
||
|
$ssl_key = "${ssldir}/private_keys/${lower_fqdn}.pem"
|
||
|
$ssl_disabled_ciphers = []
|
||
|
|
||
|
$foreman_ssl_ca = undef
|
||
|
$foreman_ssl_cert = undef
|
||
| spec/classes/foreman_proxy__config__spec.rb | ||
|---|---|---|
|
end
|
||
|
end
|
||
|
end
|
||
|
|
||
|
context 'with ssl_disabled_ciphers' do
|
||
|
let :pre_condition do
|
||
|
'class {"foreman_proxy":
|
||
|
ssl_disabled_ciphers => ["CIPHER-SUITE-1", "CIPHER-SUITE-2"],
|
||
|
}'
|
||
|
end
|
||
|
|
||
|
it 'should set ssl_disabled_ciphers to YAML array in setting.yml' do
|
||
|
verify_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.yml", [
|
||
|
':ssl_disabled_ciphers:',
|
||
|
' - CIPHER-SUITE-1',
|
||
|
' - CIPHER-SUITE-2',
|
||
|
])
|
||
|
end
|
||
|
end
|
||
|
end
|
||
|
end
|
||
|
end
|
||
| templates/settings.yml.erb | ||
|---|---|---|
|
#:ssl_private_key: ssl/private_keys/fqdn.key
|
||
|
<% end -%>
|
||
|
|
||
|
# Use this option only if you need to disable certain cipher suites.
|
||
|
# Note: we use the OpenSSL suite name, take a look at:
|
||
|
# https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER-SUITE-NAMES
|
||
|
# for more information.
|
||
|
<% if ciphers = scope.lookupvar("foreman_proxy::ssl_disabled_ciphers") and ciphers.any? -%>
|
||
|
:ssl_disabled_ciphers:
|
||
|
<% ciphers.each do |c| -%>
|
||
|
<%= " - #{c}" %>
|
||
|
<% end -%>
|
||
|
<% else -%>
|
||
|
#:ssl_disabled_ciphers: [CIPHER-SUITE-1, CIPHER-SUITE-2]
|
||
|
<% end -%>
|
||
|
|
||
|
# the hosts which the proxy accepts connections from
|
||
|
# commenting the following lines would mean every verified SSL connection allowed
|
||
|
<% if thosts = scope.lookupvar("foreman_proxy::trusted_hosts") and thosts.any? -%>
|
||
Also available in: Unified diff
Add ssl_disabled_ciphers configuration option for 1.12