diff --git a/deps/rabbit/priv/schema/rabbit.schema b/deps/rabbit/priv/schema/rabbit.schema
index 4ffc736962..c893ac560e 100644
--- a/deps/rabbit/priv/schema/rabbit.schema
+++ b/deps/rabbit/priv/schema/rabbit.schema
@@ -2661,9 +2661,117 @@ fun(Conf) ->
 list_to_binary(cuttlefish:conf_get("amqp1_0.default_vhost", Conf))
 end}.
+%% ----------------------------------------------------------------------------
+%% AMQP client 1.0 TLS options
+%% ----------------------------------------------------------------------------
+
+{mapping, "amqp10_client.ssl_options", "amqp10_client.ssl_options", [
+ {datatype, {enum, [none]}}
+]}.
+
+{translation, "amqp10_client.ssl_options",
+fun(Conf) ->
+ case cuttlefish:conf_get("amqp10_client.ssl_options", Conf, undefined) of
+ none -> [];
+ _ -> cuttlefish:invalid("Invalid amqp10_client.ssl_options")
+ end
+end}.
+
+{mapping, "amqp10_client.ssl_options.verify", "amqp10_client.ssl_options.verify", [
+ {datatype, {enum, [verify_peer, verify_none]}}]}.
+
+{mapping, "amqp10_client.ssl_options.cacertfile", "amqp10_client.ssl_options.cacertfile",
+ [{datatype, string}, {validators, ["file_accessible"]}]}.
+
+{mapping, "amqp10_client.ssl_options.certfile", "amqp10_client.ssl_options.certfile",
+ [{datatype, string}, {validators, ["file_accessible"]}]}.
+
+{mapping, "amqp10_client.ssl_options.cacerts.$name", "amqp10_client.ssl_options.cacerts",
+ [{datatype, string}]}.
+
+{translation, "amqp10_client.ssl_options.cacerts",
+fun(Conf) ->
+ Settings = cuttlefish_variable:filter_by_prefix("amqp10_client.ssl_options.cacerts", Conf),
+ [ list_to_binary(V) || {_, V} <- Settings ]
+end}.
+
+{mapping, "amqp10_client.ssl_options.cert", "amqp10_client.ssl_options.cert",
+ [{datatype, string}]}.
+
+{translation, "amqp10_client.ssl_options.cert",
+fun(Conf) ->
+ list_to_binary(cuttlefish:conf_get("amqp10_client.ssl_options.cert", Conf))
+end}.
+
+{mapping, "amqp10_client.ssl_options.crl_check", "amqp10_client.ssl_options.crl_check",
+ [{datatype, [{enum, [true, false, peer, best_effort]}]}]}.
+
+{mapping, "amqp10_client.ssl_options.depth", "amqp10_client.ssl_options.depth",
+ [{datatype, integer}, {validators, ["byte"]}]}.
+
+{mapping, "amqp10_client.ssl_options.key.RSAPrivateKey", "amqp10_client.ssl_options.key",
+ [{datatype, string}]}.
+
+{mapping, "amqp10_client.ssl_options.key.DSAPrivateKey", "amqp10_client.ssl_options.key",
+ [{datatype, string}]}.
+
+{mapping, "amqp10_client.ssl_options.key.PrivateKeyInfo", "amqp10_client.ssl_options.key",
+ [{datatype, string}]}.
+
+{translation, "amqp10_client.ssl_options.key",
+fun(Conf) ->
+ case cuttlefish_variable:filter_by_prefix("amqp10_client.ssl_options.key", Conf) of
+ [{[_,_,Key], Val}|_] -> {list_to_atom(Key), list_to_binary(Val)};
+ _ -> undefined
+ end
+end}.
+
+{mapping, "amqp10_client.ssl_options.keyfile", "amqp10_client.ssl_options.keyfile",
+ [{datatype, string}, {validators, ["file_accessible"]}]}.
+
+{mapping, "amqp10_client.ssl_options.log_alert", "amqp10_client.ssl_options.log_alert",
+ [{datatype, {enum, [true, false]}}]}.
+
+{mapping, "amqp10_client.ssl_options.password", "amqp10_client.ssl_options.password",
+ [{datatype, string}]}.
+
+{mapping, "amqp10_client.ssl_options.psk_identity", "amqp10_client.ssl_options.psk_identity",
+ [{datatype, string}]}.
+
+{mapping, "amqp10_client.ssl_options.reuse_sessions", "amqp10_client.ssl_options.reuse_sessions",
+ [{datatype, {enum, [true, false]}}]}.
+
+{mapping, "amqp10_client.ssl_options.secure_renegotiate", "amqp10_client.ssl_options.secure_renegotiate",
+ [{datatype, {enum, [true, false]}}]}.
+
+{mapping, "amqp10_client.ssl_options.versions.$version", "amqp10_client.ssl_options.versions",
+ [{datatype, atom}]}.
+
+{translation, "amqp10_client.ssl_options.versions",
+fun(Conf) ->
+ Settings = cuttlefish_variable:filter_by_prefix("amqp10_client.ssl_options.versions", Conf),
+ [ V || {_, V} <- Settings ]
+end}.
+
+{mapping, "amqp10_client.ssl_options.sni", "amqp10_client.ssl_options.server_name_indication",
+ [{datatype, [{enum, [none]}, string]}]}.
+
+{translation, "amqp10_client.ssl_options.server_name_indication",
+fun(Conf) ->
+ case cuttlefish:conf_get("amqp10_client.ssl_options.sni", Conf, undefined) of
+ undefined -> cuttlefish:unset();
+ none -> cuttlefish:unset();
+ Hostname -> Hostname
+ end
+end}.
+
+
+% ===============================
+% AMQP 0.9.1
+% ===============================
 %% ----------------------------------------------------------------------------
-%% amqp_client TLS options
+%% AMQP client 0.9.1 TLS options
 %% ----------------------------------------------------------------------------
 {mapping, "amqp_client.ssl_options", "amqp_client.ssl_options", [
diff --git a/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets b/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets
index 4b31ff80e2..945a354555 100644
--- a/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets
+++ b/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets
@@ -251,7 +251,7 @@ cluster_formation.classic_config.nodes.peer2 = rabbit@hostname2",
 [{peer_discovery_backend,rabbit_peer_discovery_classic_config}]},
 {cluster_nodes,{[rabbit@hostname2,rabbit@hostname1],disc}}]}],
 []},
-
+
 {cluster_formation_module_dns_alias,
 "cluster_formation.peer_discovery_backend = dns
 cluster_formation.dns.hostname = discovery.eng.example.local",
@@ -264,7 +264,7 @@ cluster_formation.dns.hostname = discovery.eng.example.local",
 ]}]}
 ]}],
 []},
-
+
 {cluster_formation_disk,
 "cluster_formation.peer_discovery_backend = rabbit_peer_discovery_classic_config
 cluster_formation.classic_config.nodes.peer1 = rabbit@hostname1
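Review bot: The `amqp10_client.ssl_options.key` translation can never produce a key: `cuttlefish_variable:filter_by_prefix` returns each variable as a token list, and the three mapped keys tokenize to four elements (`amqp10_client`, `ssl_options`, `key`, `RSAPrivateKey`/`DSAPrivateKey`/`PrivateKeyInfo`), so the clause `[{[_,_,Key], Val}|_]` never matches and every configured inline key falls through to the `_ -> undefined` clause. The pattern needs one more token, `[{[_,_,_,Key], Val}|_] -> {list_to_atom(Key), list_to_binary(Val)};`. The fallback should also return `cuttlefish:unset()` rather than the bare atom `undefined`, as the `server_name_indication` translation later in this hunk already does, so that an absent key is omitted from the generated `ssl_options` instead of being emitted as `{key, undefined}`. If the existing `amqp_client.ssl_options.key` translation that this section mirrors (outside the hunk) uses the same three-token pattern, it presumably has the same problem and should be fixed alongside.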
@@ -698,17 +698,17 @@ tcp_listen_options.exit_on_close = false",
 {fail_if_no_peer_cert, false},
 {honor_ecc_order, true}]}]}],
 []},
-
+
 {ssl_cert_login_from_cn,
 "ssl_cert_login_from = common_name",
 [{rabbit,[{ssl_cert_login_from, common_name}]}],
 []},
-
+
 {ssl_cert_login_from_dn,
 "ssl_cert_login_from = distinguished_name",
 [{rabbit,[{ssl_cert_login_from, distinguished_name}]}],
 []},
-
+
 {ssl_cert_login_from_san_dns,
 "ssl_cert_login_from = subject_alternative_name
 ssl_cert_login_san_type = dns
@@ -719,7 +719,7 @@ tcp_listen_options.exit_on_close = false",
 {ssl_cert_login_san_index, 0}
 ]}],
 []},
-
+
 {ssl_options_bypass_pem_cache,
 "ssl_options.bypass_pem_cache = true",
@@ -1063,20 +1063,21 @@ credential_validator.regexp = ^abc\\d+",
 %% AMQP TLS options
 %%
- {ssl_options,
+ {amqp_client_ssl_options,
 "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
 amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem
 amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem
 amqp_client.ssl_options.verify = verify_peer",
- [{amqp_client, [
- {ssl_options,
- [{cacertfile, "test/config_schema_SUITE_data/certs/cacert.pem"},
- {certfile, "test/config_schema_SUITE_data/certs/cert.pem"},
- {keyfile, "test/config_schema_SUITE_data/certs/key.pem"},
- {verify, verify_peer}]}
- ]}],
+ [{amqp_client,
+ [
+ {ssl_options,
+ [{cacertfile, "test/config_schema_SUITE_data/certs/cacert.pem"},
+ {certfile, "test/config_schema_SUITE_data/certs/cert.pem"},
+ {keyfile, "test/config_schema_SUITE_data/certs/key.pem"},
+ {verify, verify_peer}]}
+ ]}],
 [amqp_client]},
- {ssl_options_verify_peer,
+ {amqp_client_ssl_options_verify_peer,
 "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
 amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem
 amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem
@@ -1089,7 +1090,7 @@ credential_validator.regexp = ^abc\\d+",
 {keyfile,"test/config_schema_SUITE_data/certs/key.pem"},
 {verify,verify_peer}]}]}],
 []},
- {ssl_options_password,
+ {amqp_client_ssl_options_password,
 "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
 amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem
 amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem
@@ -1102,7 +1103,7 @@ credential_validator.regexp = ^abc\\d+",
 {keyfile,"test/config_schema_SUITE_data/certs/key.pem"},
 {password,"t0p$3kRe7"}]}]}],
 []},
- {ssl_options_tls_versions,
+ {amqp_client_ssl_options_tls_versions,
 "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
 amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem
 amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem
@@ -1117,7 +1118,7 @@ credential_validator.regexp = ^abc\\d+",
 {versions,['tlsv1.2','tlsv1.1']}]}
 ]}],
 []},
- {ssl_options_depth,
+ {amqp_client_ssl_options_depth,
 "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
 amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem
 amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem
@@ -1131,7 +1132,7 @@ credential_validator.regexp = ^abc\\d+",
 {depth,2},
 {verify,verify_peer}]}]}],
 []},
- {ssl_options_sni_disabled,
+ {amqp_client_ssl_options_sni_disabled,
 "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
 amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem
 amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem
@@ -1148,7 +1149,7 @@ credential_validator.regexp = ^abc\\d+",
 }]
 }],
 []},
- {ssl_options_sni_hostname,
+ {amqp_client_ssl_options_sni_hostname,
 "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
 amqp_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem
 amqp_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem
@@ -1165,6 +1166,111 @@ credential_validator.regexp = ^abc\\d+",
 {server_name_indication, "hostname.dev"}
 ]}
 ]}],
+ []},
+
+ {amqp10_client_ssl_options,
+ "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
+ amqp10_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem
+ amqp10_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem
+ amqp10_client.ssl_options.verify = verify_peer",
+ [{amqp10_client,
+ [
+ {ssl_options,
+ [{cacertfile, "test/config_schema_SUITE_data/certs/cacert.pem"},
+ {certfile, "test/config_schema_SUITE_data/certs/cert.pem"},
+ {keyfile, "test/config_schema_SUITE_data/certs/key.pem"},
+ {verify, verify_peer}]}
+ ]}],
+ [amqp10_client]},
+ {amqp10_client_ssl_options_verify_peer,
+ "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
+ amqp10_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem
+ amqp10_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem
+ amqp10_client.ssl_options.verify = verify_peer",
+ [{amqp10_client,
+ [
+ {ssl_options,
+ [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"},
+ {certfile,"test/config_schema_SUITE_data/certs/cert.pem"},
+ {keyfile,"test/config_schema_SUITE_data/certs/key.pem"},
+ {verify,verify_peer}]}]}],
+ []},
+ {amqp10_client_ssl_options_password,
+ "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
+ amqp10_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem
+ amqp10_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem
+ amqp10_client.ssl_options.password = t0p$3kRe7",
+ [{amqp10_client,
+ [
+ {ssl_options,
+ [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"},
+ {certfile,"test/config_schema_SUITE_data/certs/cert.pem"},
+ {keyfile,"test/config_schema_SUITE_data/certs/key.pem"},
+ {password,"t0p$3kRe7"}]}]}],
+ []},
+ {amqp10_client_ssl_options_tls_versions,
+ "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
+ amqp10_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem
+ amqp10_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem
+ amqp10_client.ssl_options.versions.tls1_2 = tlsv1.2
+ amqp10_client.ssl_options.versions.tls1_1 = tlsv1.1",
+ [],
+ [{amqp10_client,
+ [{ssl_options,
+ [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"},
+ {certfile,"test/config_schema_SUITE_data/certs/cert.pem"},
+ {keyfile,"test/config_schema_SUITE_data/certs/key.pem"},
+ {versions,['tlsv1.2','tlsv1.1']}]}
+ ]}],
+ []},
+ {amqp10_client_ssl_options_depth,
+ "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
+ amqp10_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem
+ amqp10_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem
+ amqp10_client.ssl_options.depth = 2
+ amqp10_client.ssl_options.verify = verify_peer",
+ [{amqp10_client,
+ [{ssl_options,
+ [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"},
+ {certfile,"test/config_schema_SUITE_data/certs/cert.pem"},
+ {keyfile,"test/config_schema_SUITE_data/certs/key.pem"},
+ {depth,2},
+ {verify,verify_peer}]}]}],
+ []},
+ {amqp10_client_ssl_options_sni_disabled,
+ "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
+ amqp10_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem
+ amqp10_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem
+ amqp10_client.ssl_options.versions.tls1_2 = tlsv1.2
+ amqp10_client.ssl_options.versions.tls1_1 = tlsv1.1
+ amqp10_client.ssl_options.sni = none",
+ [],
+ [{amqp10_client,
+ [{ssl_options,
+ [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"},
+ {certfile,"test/config_schema_SUITE_data/certs/cert.pem"},
+ {keyfile,"test/config_schema_SUITE_data/certs/key.pem"},
+ {versions,['tlsv1.2','tlsv1.1']}]
+ }]
+ }],
+ []},
+ {amqp10_client_ssl_options_sni_hostname,
+ "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
+ amqp10_client.ssl_options.certfile = test/config_schema_SUITE_data/certs/cert.pem
+ amqp10_client.ssl_options.keyfile = test/config_schema_SUITE_data/certs/key.pem
+ amqp10_client.ssl_options.versions.tls1_2 = tlsv1.2
+ amqp10_client.ssl_options.versions.tls1_1 = tlsv1.1
+ amqp10_client.ssl_options.sni = hostname.dev",
+ [],
+ [{amqp10_client,
+ [{ssl_options,
+ [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"},
+ {certfile,"test/config_schema_SUITE_data/certs/cert.pem"},
+ {keyfile,"test/config_schema_SUITE_data/certs/key.pem"},
+ {versions,['tlsv1.2','tlsv1.1']},
+ {server_name_indication, "hostname.dev"}
+ ]}
+ ]}],
 []}
 ].
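Review bot: `amqp10_client_ssl_options_verify_peer` duplicates `amqp10_client_ssl_options` — identical conf string and identical expected `ssl_options` proplist, differing only in whitespace and the trailing apps list — so it adds no coverage. Nothing in this hunk exercises the `amqp10_client.ssl_options.key.*` or `cacerts.$name` translations, which are the only new schema entries with non-trivial translation logic; a snippet like `amqp10_client.ssl_options.key.RSAPrivateKey = <constructed pem text>` expecting `{key, {'RSAPrivateKey', <<"<constructed pem text>">>}}` would have caught a token-count mismatch in that translation's pattern. Consider repurposing the duplicate, e.g. `amqp10_client.ssl_options.verify = verify_none` expecting `{verify, verify_none}`, or dropping it.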