Allow ssl ciphers to be optionally configured for horizon

Add the SSLCipherSuite to the dash-site template. Change-Id: I7b87761dd1ab0618e6ae6de428ec0b736e4aa483 Closes-Bug: #1447668
2015-04-23 10:44:01 -05:00 · 2015-04-23 10:44:01 -05:00 · 7ccbfe76a6
parent 9a68087e76
commit 7ccbfe76a6
3 changed files with 17 additions and 5 deletions
--- a/attributes/default.rb
+++ b/attributes/default.rb
@ -52,6 +52,9 @@ default['openstack']['dashboard']['ssl']['cert'] = 'horizon.pem'
 default['openstack']['dashboard']['ssl']['key'] = 'horizon.key'
 # Which versions of the SSL/TLS protocol will be accepted in new connections.
 default['openstack']['dashboard']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
+# Which ciphers to use with the SSL/TLS protocol.
+# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
+default['openstack']['dashboard']['ssl']['ciphers'] = nil

 # List of hosts/domains the dashboard can serve. This should be changed, a '*'
 # allows everything
--- a/spec/apache2-server_spec.rb
+++ b/spec/apache2-server_spec.rb
@ -218,17 +218,23 @@ describe 'openstack-dashboard::apache2-server' do
            end
          end

-          it 'shows ssl certificate related directives overrides' do
+          it 'has no ssl ciphers configured by default' do
+            expect(chef_run).not_to render_file(file.name).with_content(/^\s*SSLCipherSuite.*$/)
+          end
+
+          it 'shows ssl related directives overrides' do
            node.set['openstack']['dashboard']['ssl']['dir'] = 'ssl_dir_value'
            node.set['openstack']['dashboard']['ssl']['cert'] = 'ssl_cert_value'
            node.set['openstack']['dashboard']['ssl']['key'] = 'ssl_key_value'
            node.set['openstack']['dashboard']['ssl']['protocol'] = 'ssl_protocol_value'
+            node.set['openstack']['dashboard']['ssl']['ciphers'] = 'ssl_ciphers_value'

            [/^\s*SSLEngine on$/,
             %r(^\s*SSLCertificateFile ssl_dir_value/certs/ssl_cert_value$),
             %r(^\s*SSLCertificateKeyFile ssl_dir_value/private/ssl_key_value$),
-             /^\s*SSLProtocol ssl_protocol_value$/].each do |ssl_certificate_directive|
-              expect(chef_run).to render_file(file.name).with_content(ssl_certificate_directive)
+             /^\s*SSLProtocol ssl_protocol_value$/,
+             /^\s*SSLCipherSuite ssl_ciphers_value$/].each do |ssl_directive|
+              expect(chef_run).to render_file(file.name).with_content(ssl_directive)
            end
          end
        end
--- a/templates/default/dash-site.erb
+++ b/templates/default/dash-site.erb
@ -63,12 +63,15 @@ NameVirtualHost <%= @https_bind_address %>:<%= @https_bind_port %>
    <% end -%>
  </Directory>

-  <% if node["openstack"]["dashboard"]["use_ssl"] %>
+  <% if node["openstack"]["dashboard"]["use_ssl"] -%>
  SSLEngine on
  SSLCertificateFile <%= @ssl_cert_file %>
  SSLCertificateKeyFile <%= @ssl_key_file %>
  SSLProtocol <%= node["openstack"]["dashboard"]["ssl"]["protocol"] %>
-  <% end %>
+    <% if node["openstack"]["dashboard"]["ssl"]["ciphers"] -%>
+  SSLCipherSuite <%= node["openstack"]["dashboard"]["ssl"]["ciphers"] %>
+    <% end -%>
+  <% end -%>

  # Allow custom files to overlay the site (such as logo.png)
  RewriteEngine On