feature/api: Add TLS detail settings

ssl_protocolmin and ssl_cipher_list
voxpupuli · Jan 4, 2017 · 60d2a50 · 60d2a50
1 parent f60d772
commit 60d2a50
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -1,3 +1,5 @@
+[![Build Status](https://travis-ci.org/Icinga/puppet-icinga2-rewrite.svg?branch=master)](https://travis-ci.org/Icinga/puppet-icinga2-rewrite)
+
 # Icinga2 Puppet Module
 
 ![Icinga Logo](https://www.icinga.com/wp-content/uploads/2014/06/icinga_logo.png)
@@ -555,6 +557,15 @@ This module offers following options to create these certificates:
   }
 ```
 
+* Fine tune TLS / SSL settings
+
+``` puppet
+  class { 'icinga2::feature::api':
+    ssl_protocolmin => 'TLSv1.2',
+    ssl_cipher_list => 'HIGH:MEDIUM:!aNULL:!MD5:!RC4',
+  }
+```
+
 ### Custom configuration
 Sometimes it's necessary to cover very special configurations that you cannot handle with this module. In this case you
 can use the `icinga2::config::file` tag on your file ressource. This module collects all file ressource types with this

diff --git a/manifests/feature/api.pp b/manifests/feature/api.pp
@@ -68,6 +68,12 @@
 #   Hash to configure zone objects. Defaults to { 'ZoneName' => {'endpoints' => ['NodeName']} }.
 #   ZoneName and NodeName are icinga2 constants.
 #
+# [*ssl_protocolmin*]
+#   Minimal TLS version to require. Default undef (e.g. "TLSv1.2")
+#
+# [*ssl_cipher_list*]
+#   List of allowed TLS ciphers, to finetune encryption. Default undef (e.g. "HIGH:MEDIUM:!aNULL:!MD5:!RC4")
+#
 # === Variables
 #
 # [*node_name*]
@@ -138,6 +144,8 @@
   $ssl_key         = undef,
   $ssl_cert        = undef,
   $ssl_cacert      = undef,
+  $ssl_protocolmin = undef,
+  $ssl_cipher_list = undef,
 ) {
 
   $conf_dir  = $::icinga2::params::conf_dir
@@ -184,6 +192,13 @@
   else {
     $_ssl_cacert_path = "${pki_dir}/ca.crt" }
 
+  if $ssl_protocolmin {
+    validate_string($ssl_protocolmin)
+  }
+  if $ssl_cipher_list {
+    validate_string($ssl_cipher_list)
+  }
+
   # handle the certificate's stuff
   case $pki {
     'puppet': {
@@ -291,6 +306,8 @@
     accept_commands => $accept_commands,
     accept_config   => $accept_config,
     ticket_salt     => $ticket_salt,
+    tls_protocolmin => $ssl_protocolmin,
+    cipher_list     => $ssl_cipher_list,
   }
 
   # create endpoints and zones
@@ -314,5 +331,4 @@
   icinga2::feature { 'api':
     ensure      => $ensure,
   }
-
 }
diff --git a/spec/classes/api_spec.rb b/spec/classes/api_spec.rb
@@ -260,6 +260,17 @@
 
       it { is_expected.to raise_error(Puppet::Error, /"foo" is not a Hash/) }
     end
+
+    context "#{os} with TLS detail settings" do
+      let(:params) { { ssl_protocolmin: 'TLSv1.2', ssl_cipher_list: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4' } }
+
+      it 'should set TLS detail setting' do
+        is_expected.to contain_concat__fragment('icinga2::object::ApiListener::api')
+          .with({ 'target' => '/etc/icinga2/features-available/api.conf' })
+          .with_content(/tls_protocolmin = "TLSv1.2"/)
+          .with_content(/cipher_list = "HIGH:MEDIUM:!aNULL:!MD5:!RC4"/)
+      end
+    end
   end
 end