Allow specifying allowed ssl protocol versions via attributes #152
Conversation
|
You have repeated 3 times. |
|
Yes, this cookbook don't pass variables from the recipe to the template and I didn't want to change that. What would you suggest to remove the duplication? |
|
Use a function? You can even have it in the Erb template, if that's what the maintainer prefers. |
|
Thanks for your comment, I didn't see there was already a place to put this method. |
|
Please rebase off master, and if this is still relivant, i just need another 👍 and we'll merge it. |
16a32cf to
4938e26
Compare
|
Thanks, rebase done. |
|
If i can just get another 👍 on this, i think it's good to go. I'm pretty sure a spec wouldn't help around here, but i could be wrong. |
|
👍 LGTM, we need this patch merged. |
|
@jjasghar, I think it is common requirement to specify the ssl version with regard to some security concerns, and this option is documented well in http://www.rabbitmq.com/ssl.html which is the rabbitmq official site, would you please merge this patch? |
|
Yep, this seems like a great idea, I should have a push out for the cookbook today/tomorrow. |
| @@ -38,5 +38,9 @@ def format_kernel_parameters # rubocop:disable all | |||
|
|
|||
| rendered.each { |r| r.prepend(' ') }.join(",\n") | |||
| end | |||
|
|
|||
| def format_ssl_versions | |||
| Array(node['rabbitmq']['ssl_versions']).map { |n| "'#{n}'" }.join(',') | |||
There was a problem hiding this comment.
I find this less than obvious. How about we simply set default to an empty array instead of nil? nil seems illogical to me.
There was a problem hiding this comment.
@michaelklishin, I don't think it is proper to set the default value of ['rabbitmq']['ssl_versions'] to be nil, for:
- In the rabbitmq document, you don't bother to add a line of
{ssl, [{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]}]},
to the /etc/rabbitmq.config to enable the default SSL versions rabbitmq-server supported. It is needed when you
want to customize the versions, most of time to limit the set of versions.
From this perspective, nil just work well, means void or nothiing, right? - If we merely change the default value to be a empty array in the attribute file:
default['rabbitmq']['ssl_versions'] = []
I am afraid some code logic will be affected:
format_ssl_versions if node['rabbitmq']['ssl_versions']
node['rabbitmq']['ssl_versions'] evaluates to true, thus
format_ssl_versions returns an empty string '', but unfortunately, '' is evaluated to true as well, so
finally, we shall end up with the following line in the /etc/rabbitmq.config file
{ssl, [{versions, []}]},
which I don't think is a rational result we both want to get, since it is not what the rabbitmq document tells. - If we do insist on using [] as the default value, and also follow the rabbitmq document, we have to change
something in the current patch, e.g:
:ssl_versions => (format_ssl_versions if node['rabbitmq']['ssl_versions'].length != 0)
But I believe you will also consider it to be less obvious than:
:ssl_versions => (format_ssl_versions if node['rabbitmq']['ssl_versions'])
So I would like to vote that the current patch is OK, @jjasghar, could you please share some insights here as well?
|
@jjasghar, since there is no other comments, What do you think if we can merge this pull request? |
Allow specifying allowed ssl protocol versions via attributes
Example taken from https://gist.github.com/michaelklishin/3f47bae850bdd9f1a79a