Commit b854be8d authored by Peter Fern's avatar Peter Fern Committed by Sean OMeara

[COOK-4018] Add TLS encryption support for client and server


Signed-off-by: default avatarSean OMeara <someara@opscode.com>
parent ba12eddc
......@@ -44,7 +44,11 @@ See `attributes/default.rb` for default values.
* `node['rsyslog']['default_facility_logs']` - Hash containing log facilities and destinations used in `50-default.conf` template.
* `node['rsyslog']['rate_limit_interval']` - Value of the $SystemLogRateLimitInterval configuration directive in `/etc/rsyslog.conf`. Default is nil, leaving it to the platform default.
* `node['rsyslog']['rate_limit_burst']` - Value of the $SystemLogRateLimitBurst configuration directive in `/etc/rsyslog.conf`. Default is nil, leaving it to the platform default.
* `node['rsyslog']['enable_tls']` - Whether or not to enable TLS encryption. When enabled, forces protocol to `tcp`. Default is `false`.
* `node['rsyslog']['tls_ca_file']` - Path to TLS CA file. Required for both server and clients.
* `node['rsyslog']['tls_certificate_file']` - Path to TLS certificate file. Required for server, optional for clients.
* `node['rsyslog']['tls_key_file']` - Path to TLS key file. Required for server, optional for clients.
* `node['rsyslog']['tls_auth_mode']` - Value for `$InputTCPServerStreamDriverAuthMode`/`$ActionSendStreamDriverAuthMode`, determines whether client certs are validated. Defaults to `anon` (no validation).
Recipes
-------
......
......@@ -36,6 +36,11 @@ default['rsyslog']['enable_imklog'] = true
default['rsyslog']['config_prefix'] = '/etc'
default['rsyslog']['rate_limit_interval'] = nil
default['rsyslog']['rate_limit_burst'] = nil
default['rsyslog']['enable_tls'] = false
default['rsyslog']['tls_ca_file'] = nil
default['rsyslog']['tls_certificate_file'] = nil
default['rsyslog']['tls_key_file'] = nil
default['rsyslog']['tls_auth_mode'] = 'anon'
# The most likely platform-specific attributes
default['rsyslog']['service_name'] = 'rsyslog'
......
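Review bot: `default['rsyslog']['tls_auth_mode'] = 'anon'` makes the new TLS mode encrypted but unauthenticated by default: rendered into `$ActionSendStreamDriverAuthMode` in 49-remote.conf.erb the client never validates the log server's certificate, and rendered into `$InputTCPServerStreamDriverAuthMode` in rsyslog.conf.erb the server accepts any connecting client, so the `tls_ca_file` the README calls "required" is loaded but takes part in no validation. An on-path host can therefore impersonate the collector or inject records despite TLS being "enabled". Consider a certificate-validating default (rsyslog's `x509/certvalid`, or `x509/name` together with a permitted-peer list), or at minimum extend the descriptions here, in metadata.rb and in the README with a sentence such as `'anon' gives confidentiality only; peers are not authenticated`.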
......@@ -87,3 +87,25 @@ attribute 'rsyslog/priv_seperation',
:display_name => 'Privilege separation',
:description => 'Whether or not to make use of Rsyslog privilege separation',
:default => 'false'
attribute 'rsyslog/enable_tls',
:display_name => 'Enable TLS',
:description => 'Whether or not to enable TLS encryption. When enabled, forces protocol to "tcp"',
:default => 'false'
attribute 'rsyslog/tls_ca_file',
:display_name => 'TLS CA file',
:description => 'Path to TLS CA file. Required for both server and clients.'
attribute 'rsyslog/tls_certificate_file',
:display_name => 'TLS certificate file',
:description => 'Path to TLS certificate file. Required for server, optional for clients.'
attribute 'rsyslog/tls_key_file',
:display_name => 'TLS key file',
:description => 'Path to TLS key file. Required for server, optional for clients.'
attribute 'rsyslog/tls_auth_mode',
:display_name => 'TLS auth mode',
:description => 'Value for "$InputTCPServerStreamDriverAuthMode"/"$ActionSendStreamDriverAuthMode", determines whether client certs are validated.',
:default => 'anon'
......@@ -20,6 +20,11 @@
package 'rsyslog'
package 'rsyslog-relp' if node['rsyslog']['use_relp']
if node['rsyslog']['enable_tls'] && node['rsyslog']['tls_ca_file']
Chef::Application.fatal!("Recipe rsyslog::default can not use 'enable_tls' with protocol '#{node['rsyslog']['protocol']}' (requires 'tcp')") unless node['rsyslog']['protocol'] == 'tcp'
package 'rsyslog-gnutls'
end
directory "#{node['rsyslog']['config_prefix']}/rsyslog.d" do
owner 'root'
group 'root'
......
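Review bot: The guard `if node['rsyslog']['enable_tls'] && node['rsyslog']['tls_ca_file']` fails open: with `enable_tls` true and `tls_ca_file` unset, `rsyslog-gnutls` is skipped and both templates skip their TLS blocks, so logs are forwarded and received in cleartext while the operator believes TLS is on (the spec's "does not install the rsyslog-gnutls package" example pins exactly this behaviour). Abort instead, mirroring the protocol check already in the block: change the condition to `if node['rsyslog']['enable_tls']` and add `Chef::Application.fatal!("Recipe rsyslog::default requires 'tls_ca_file' when 'enable_tls' is set") unless node['rsyslog']['tls_ca_file']` as its first statement, then update the spec example to expect `SystemExit`. The README's "When enabled, forces protocol to `tcp`" also overstates what this code does — it aborts rather than switching the protocol — so "requires protocol `tcp`" would be the accurate wording.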
......@@ -23,6 +23,53 @@ describe 'rsyslog::default' do
end
end
context "when node['rsyslog']['enable_tls'] is true" do
context "when node['rsyslog']['tls_ca_file'] is not set" do
let(:chef_run) do
ChefSpec::ChefRunner.new(platform: 'ubuntu', version: '12.04') do |node|
node.set['rsyslog']['enable_tls'] = true
end.converge('rsyslog::default')
end
it 'does not install the rsyslog-gnutls package' do
expect(chef_run).not_to install_package('rsyslog-gnutls')
end
end
context "when node['rsyslog']['tls_ca_file'] is set" do
let(:chef_run) do
ChefSpec::ChefRunner.new(platform: 'ubuntu', version: '12.04') do |node|
node.set['rsyslog']['enable_tls'] = true
node.set['rsyslog']['tls_ca_file'] = '/etc/path/to/ssl-ca.crt'
end.converge('rsyslog::default')
end
it 'installs the rsyslog-gnutls package' do
expect(chef_run).to install_package('rsyslog-gnutls')
end
context "when protocol is not 'tcp'" do
before do
Chef::Log.stub(:fatal)
$stdout.stub(:puts)
end
let(:chef_run) do
ChefSpec::ChefRunner.new(platform: 'ubuntu', version: '12.04') do |node|
node.set['rsyslog']['enable_tls'] = true
node.set['rsyslog']['tls_ca_file'] = '/etc/path/to/ssl-ca.crt'
node.set['rsyslog']['protocol'] = 'udp'
end.converge('rsyslog::default')
end
it 'exits fatally' do
expect{ chef_run }.to raise_error(SystemExit)
end
end
end
end
context '/etc/rsyslog.d directory' do
let(:directory) { chef_run.directory('/etc/rsyslog.d') }
......
......@@ -3,11 +3,25 @@ $ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName srvrfwd # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
<% if node['rsyslog']['enable_tls'] && node['rsyslog']['tls_ca_file'] -%>
$DefaultNetstreamDriverCAFile <%= node['rsyslog']['tls_ca_file'] %>
<% if node['rsyslog']['tls_certificate_file'] -%>
$DefaultNetstreamDriverCertFile <%= node['rsyslog']['tls_certificate_file'] %>
<% end -%>
<% if node['rsyslog']['tls_key_file'] -%>
$DefaultNetstreamDriverKeyFile <%= node['rsyslog']['tls_key_file'] %>
<% end -%>
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode <%= node['rsyslog']['tls_auth_mode'] %>
<% end -%>
<% @servers.each do |server| -%>
<% case node['rsyslog']['protocol'] -%>
<% when "tcp" -%>
<% case node['rsyslog']['protocol'] -%>
<% when "tcp" -%>
<%= node['rsyslog']['logs_to_forward'] %> @@<%= server %>:<%= node['rsyslog']['port'] %>
<% when "udp" -%>
<% when "udp" -%>
<%= node['rsyslog']['logs_to_forward'] %> @<%= server %>:<%= node['rsyslog']['port'] %>
<% end -%>
<% end -%>
<% end -%>
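Review bot: `$ActionSendStreamDriverAuthMode <%= node['rsyslog']['tls_auth_mode'] %>` emits a directive with no value if the attribute is overridden to nil, whereas the server template guards the same attribute with `|| 'anon'`; the two templates should agree on nil handling. Rather than copying the `|| 'anon'` fallback here (which would silently downgrade to unauthenticated TLS), the safer fix is to reject a nil `tls_auth_mode` in the recipe alongside the existing `Chef::Application.fatal!` protocol check, and leave this line as the raw value. Note also that the block is gated only on `tls_ca_file`, so a client with `tls_certificate_file` but no `tls_key_file` (or vice versa) renders a half configuration; a comment such as `<%# cert and key must be set together when tls_auth_mode requires client certs %>` above the two inner `if`s would at least flag the expectation.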
......@@ -24,7 +24,20 @@ $ModLoad <%= mod %>
<% end %>
<% if node['rsyslog']['server'] -%>
<% if node['rsyslog']['enable_tls'] && node['rsyslog']['tls_ca_file'] &&
node['rsyslog']['tls_key_file'] && node['rsyslog']['tls_certificate_file'] -%>
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile <%= node['rsyslog']['tls_ca_file'] %>
$DefaultNetstreamDriverCertFile <%= node['rsyslog']['tls_certificate_file'] %>
$DefaultNetstreamDriverKeyFile <%= node['rsyslog']['tls_key_file'] %>
$ModLoad imtcp
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode <%= node['rsyslog']['tls_auth_mode'] || 'anon' %>
$InputTCPServerRun <%= node['rsyslog']['port'] %>
# Provide <%= node['rsyslog']['protocol'].upcase %> log reception
<% else -%>
<% case node['rsyslog']['protocol'] -%>
<% when "tcp" -%>
$ModLoad imtcp
......@@ -33,6 +46,7 @@ $InputTCPServerRun <%= node['rsyslog']['port'] %>
$ModLoad imudp
$UDPServerRun <%= node['rsyslog']['port'] %>
<% end -%>
<% end -%>
<% end -%>
###########################
......
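Review bot: The condition `enable_tls && tls_ca_file && tls_key_file && tls_certificate_file` at the top of the first hunk falls through to the plaintext `else` branch whenever one of the three files is nil, so a server with TLS enabled but a missing cert or key keeps listening for cleartext syslog on the same port without any error, while the recipe's only check is on the protocol. Since the README marks all three as required for the server, either the recipe should `Chef::Application.fatal!` when `node['rsyslog']['server']` is set with `enable_tls` and any of them is nil, or this template should fail loudly, e.g. `<% raise 'rsyslog server TLS requires tls_ca_file, tls_certificate_file and tls_key_file' unless node['rsyslog']['tls_ca_file'] && node['rsyslog']['tls_key_file'] && node['rsyslog']['tls_certificate_file'] -%>` before the TLS block, instead of degrading. The enclosing `<% if node['rsyslog']['server'] -%>` opens in the first hunk and its matching `<% end -%>` is in the second, so the fix touches both.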