Merge pull request #11369 from cloudamqp/amqp10_client_ssl_options

amqp10_client: allow configuring global TLS options
2024-06-04 14:38:40 -04:00 · 2024-06-04 14:38:40 -04:00 · 55b38bd642
parent 45d0672c6d 2779bf7375
commit 55b38bd642
2 changed files with 36 additions and 1 deletions
--- a/deps/amqp10_client/src/amqp10_client.erl
+++ b/deps/amqp10_client/src/amqp10_client.erl
@ -107,7 +107,8 @@ open_connection(ConnectionConfig0) ->
        notify_when_closed => NotifyWhenClosed
    },
    Sasl = maps:get(sasl, ConnectionConfig1),
-    ConnectionConfig = ConnectionConfig1#{sasl => amqp10_client_connection:encrypt_sasl(Sasl)},
+    ConnectionConfig2 = ConnectionConfig1#{sasl => amqp10_client_connection:encrypt_sasl(Sasl)},
+    ConnectionConfig = merge_default_tls_options(ConnectionConfig2),
    amqp10_client_connection:open(ConnectionConfig).

 %% @doc Closes a connection.
@ -513,6 +514,19 @@ try_to_existing_atom(L) when is_list(L) ->
 ensure_started() ->
    _ = application:ensure_all_started(credentials_obfuscation).

+
+-spec merge_default_tls_options(connection_config()) -> connection_config().
+merge_default_tls_options(#{tls_opts := {secure_port, TlsOpts0}} = Config) ->
+    GlobalTlsOpts = application:get_env(amqp10_client, ssl_options, []),
+    TlsOpts =
+        orddict:to_list(
+          orddict:merge(fun (_, _A, B) -> B end,
+                        orddict:from_list(GlobalTlsOpts),
+                        orddict:from_list(TlsOpts0))),
+    Config#{tls_opts => {secure_port, TlsOpts}};
+merge_default_tls_options(Config) ->
+    Config.
+
 -ifdef(TEST).
 -include_lib("eunit/include/eunit.hrl").

--- a/deps/amqp10_client/test/system_SUITE.erl
+++ b/deps/amqp10_client/test/system_SUITE.erl
@ -34,6 +34,7 @@ groups() ->
     {activemq, [], shared()},
     {rabbitmq_strict, [], [
                            basic_roundtrip_tls,
+                            roundtrip_tls_global_config,
                            open_connection_plain_sasl,
                            open_connection_plain_sasl_failure,
                            open_connection_plain_sasl_parse_uri
@ -269,6 +270,26 @@ basic_roundtrip_tls(Config) ->
                sasl => ?config(sasl, Config)},
    roundtrip(OpnConf).

+%% ssl option validation fails if verify_peer is enabled without cacerts.
+%% Test that cacertfile option takes effect taken from the application env.
+roundtrip_tls_global_config(Config) ->
+    Hostname = ?config(rmq_hostname, Config),
+    Port = rabbit_ct_broker_helpers:get_node_config(Config, 0, tcp_port_amqp_tls),
+    CACertFile = ?config(rmq_certsdir, Config) ++ "/testca/cacert.pem",
+    CertFile = ?config(rmq_certsdir, Config) ++ "/client/cert.pem",
+    KeyFile = ?config(rmq_certsdir, Config) ++ "/client/key.pem",
+    ok = application:set_env(amqp10_client, ssl_options, [{cacertfile, CACertFile},
+                                                          {certfile, CertFile},
+                                                          {keyfile, KeyFile}]),
+    OpnConf = #{address => Hostname,
+                port => Port,
+                tls_opts => {secure_port, [{verify, verify_peer}]},
+                notify => self(),
+                container_id => <<"open_connection_tls_container">>,
+                sasl => ?config(sasl, Config)},
+    roundtrip(OpnConf),
+    application:unset_env(amqp10_client, ssl_options).
+
 service_bus_config(Config, ContainerId) ->
    Hostname = ?config(sb_endpoint, Config),
    Port = ?config(sb_port, Config),