Module: Chef::SslCertificateCookbook::ServiceHelpers

Defined in:
libraries/service_helpers.rb

Overview

Helper methods to configure SSL service-specific parameters.

These methods should be included using the class include method.

This library can be used to configure service-specific SSL options such as the enabled cipher suites or the allowed SSL protocols.

The following example is used to generate the apache template:

self.class.send(:include, Chef::SslCertificateCookbook::ServiceHelpers)
ssl_config = ssl_config_for_service('apache')

This reads the apache configuration from node['ssl_certificate']['service']['apache'] or node['ssl_certificate']['service'][compatibility]['apache'] (where compatibility is the configured compatibility level, e.g. 'modern') and merges it with the default configuration.

So you can use something like the following to integrate with your own service (Postfix in this case):

# attributes file
%w(old intermediate modern).each do |level|
  # Read protocols array.
  protos = node['ssl_certificate']['service'][level]['protocols']
  # Format the protocols list for Postfix
  default['ssl_certificate']['service'][level]['postfix']['protocols'] =
    protos.join(', ')
end

Then in your template:

<%
self.class.send(:include, Chef::SslCertificateCookbook::ServiceHelpers)
ssl_config = ssl_config_for_service('postfix')
-%>
# ...
smtpd_tls_mandatory_protocols = <%= ssl_config['protocols'] %>


Instance Method Details

#default_ssl_config ⇒ Object

Returns the recommended SSL configuration.

The returned hash has the following keys:

  • 'use_hsts': Whether to enable HSTS.
  • 'use_stapling': Whether to enable OCSP stapling.
  • 'description': Compatibility level description.
  • 'cipher_suite': List of SSL ciphers as String.
  • 'protocols': List of protocols as Array or merged String.

Examples:

default_ssl_config
#=> {"use_hsts"=>true, "use_stapling"=>true,
#    "description"=>"Modern compatibility: ...",
#    "cipher_suite"=>"...", "protocols"=>["TLSv1.1", "TLSv1.2"]}

# File 'libraries/service_helpers.rb', line 157

def default_ssl_config
  deprecated_config_check
  config = ssl_config_default
  ssl_config_merge!(config, ssl_config_compatibility)
end

#nginx_version ⇒ String

Gets installed nginx version.

Examples:

nginx_version #=> '1.7.9'

Returns:

  • (String)

    nginx version number.

# File 'libraries/service_helpers.rb', line 197

def nginx_version
  return nil unless node.key?('nginx')
  node['nginx']['version']
end

#nginx_version_satisfies?(requirement) ⇒ Boolean

Checks whether the installed nginx version satisfies a version requirement.

Examples:

nginx_version_satisfies?('>= 1.7') #=> true

Parameters:

  • requirement (String)

    version requirement to check.

Returns:

  • (Boolean)

    whether it meets the version requirement.

# File 'libraries/service_helpers.rb', line 209

def nginx_version_satisfies?(requirement)
  return false if nginx_version.nil?
  version = Gem::Version.new(nginx_version)
  Gem::Requirement.new(requirement).satisfied_by?(version)
end
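As an added example (not the cookbook's own code), the version check above can gate which TLS directives a template emits, so that a directive the installed nginx cannot parse is never written out. A plain Hash stands in for the Chef node object, and the minimum-version thresholds in FEATURE_REQUIREMENTS are assumptions stated for illustration; confirm them against nginx's changelog before relying on them. The example goes one step beyond the page's helper: a version string that Gem::Version cannot parse is treated like a missing version, so every gate fails closed instead of aborting the Chef run.

```ruby
# Added example, not the cookbook's own code: feature gating on the installed
# nginx version with the same Gem::Version / Gem::Requirement comparison that
# nginx_version_satisfies? uses. A plain Hash stands in for the Chef `node`
# object so this runs without Chef.
module NginxVersionGateExample
  module_function

  # Assumed minimum versions for the directives gated below (illustrative;
  # verify against nginx's changelog).
  FEATURE_REQUIREMENTS = {
    'ssl_stapling' => '>= 1.3.7',
    'tlsv1.3'      => '>= 1.13.0',
  }.freeze

  # Same contract as the page's nginx_version: nil when node['nginx'] is absent.
  def nginx_version(node)
    return nil unless node.key?('nginx')
    node['nginx']['version']
  end

  # Like the page's nginx_version_satisfies?, but a string Gem::Version cannot
  # parse (e.g. 'unknown') also yields false rather than raising ArgumentError.
  def nginx_version_satisfies?(node, requirement)
    version = nginx_version(node)
    return false if version.nil? || !Gem::Version.correct?(version)
    Gem::Requirement.new(requirement).satisfied_by?(Gem::Version.new(version))
  end

  # Builds the ssl_* directives for an nginx server block from a config Hash
  # shaped like ssl_config_for_service('nginx') returns, with 'protocols' as
  # an Array. Directives the installed version cannot parse are left out.
  def ssl_directives(node, config)
    protocols = config['protocols']
    raise ArgumentError, "'protocols' must be an Array" unless protocols.is_a?(Array)
    protocols = protocols.dup
    # Assumed: nginx only accepts the TLSv1.3 token from 1.13.0 on; emitting it
    # on an older build would make the configuration fail to load.
    unless nginx_version_satisfies?(node, FEATURE_REQUIREMENTS['tlsv1.3'])
      protocols.delete('TLSv1.3')
    end
    lines = []
    lines << "ssl_protocols #{protocols.join(' ')};"
    lines << "ssl_ciphers #{config['cipher_suite']};"
    lines << 'ssl_prefer_server_ciphers on;'
    if config['use_stapling'] && nginx_version_satisfies?(node, FEATURE_REQUIREMENTS['ssl_stapling'])
      lines << 'ssl_stapling on;' << 'ssl_stapling_verify on;'
    end
    lines
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample node and config.
  node = { 'nginx' => { 'version' => '1.7.9' } }
  config = { 'use_stapling' => true, 'protocols' => %w(TLSv1.2 TLSv1.3),
             'cipher_suite' => 'ECDHE-RSA-AES128-GCM-SHA256' }
  puts NginxVersionGateExample.ssl_directives(node, config)
end
```

With the constructed 1.7.9 node the TLSv1.3 token is dropped but stapling is kept; with no node['nginx'] at all both gates fail closed and only the protocol and cipher lines remain.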

#ssl_config_for_service(service) ⇒ Hash

Returns the recommended SSL configuration for a specific service.

You can create your own service-specific configurations by creating service subkeys under node['ssl_certificate']['service'].

default['ssl_certificate']['service'][:modern]['postfix']['protocols'] =
  'TLSv1.1, TLSv1.2'

By default, it comes with configurations for 'apache' and 'nginx'. For any other service it returns the default configuration (see #default_ssl_config).

Examples:

ssl_config_for_service('apache')
#=> {"use_hsts"=>true, "use_stapling"=>true,
#    "description"=>"Modern compatibility: ...",
#    "cipher_suite"=>"...", "protocols"=>"all -SSLv2 -SSLv3 -TLSv1"}

Parameters:

  • service (String)

    service name.

Returns:

  • (Hash)

    SSL specific configuration.

See Also:

# File 'libraries/service_helpers.rb', line 185

def ssl_config_for_service(service)
  config = default_ssl_config
  config_service = ssl_config_service(config, service)
  ssl_config_merge!(config, config_service)
end
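The merge that ssl_config_for_service and default_ssl_config perform, together with the Postfix integration walked through in the overview, modelled in plain Ruby as an added example (not the cookbook's own code). A nested Hash stands in for node; where the page does not show the attribute layout (the location of 'compatibility', 'use_hsts' and 'use_stapling'), the layout is assumed, and the cipher strings are constructed sample data.

```ruby
# Added example, not the cookbook's own code: a plain-Ruby model of how a
# service-specific SSL configuration is derived from the compatibility-level
# defaults. A nested Hash stands in for the Chef `node` object.

# Constructed stand-in for the node attributes after the attributes files ran.
def build_sample_node
  {
    'ssl_certificate' => {
      'service' => {
        'compatibility' => 'modern',   # assumed location of the level selector
        'use_hsts' => true,            # assumed location
        'use_stapling' => true,        # assumed location
        'modern' => {
          'description' => 'Modern compatibility: sample description',
          'cipher_suite' => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384',
          'protocols' => %w(TLSv1.1 TLSv1.2),
          # Service override as shown on the page: Apache uses its own syntax.
          'apache' => { 'protocols' => 'all -SSLv2 -SSLv3 -TLSv1' },
        },
        'old' => {
          'description' => 'Old compatibility: sample description',
          'cipher_suite' => 'AES128-SHA:AES256-SHA',
          'protocols' => %w(TLSv1 TLSv1.1 TLSv1.2),
        },
      },
    },
  }
end

# The Postfix attributes-file step from the page: derive a comma-separated
# protocol String from each level's protocol Array. Levels the node does not
# define (here 'intermediate') are skipped rather than raising.
def add_postfix_protocols!(node)
  %w(old intermediate modern).each do |level|
    level_config = node['ssl_certificate']['service'][level]
    next if level_config.nil?
    level_config['postfix'] = { 'protocols' => level_config['protocols'].join(', ') }
  end
  node
end

# Model of default_ssl_config: the five documented keys for the selected level.
def default_ssl_config_example(node)
  svc = node['ssl_certificate']['service']
  level = svc.fetch(svc['compatibility'])
  {
    'use_hsts' => svc['use_hsts'],
    'use_stapling' => svc['use_stapling'],
    'description' => level['description'],
    'cipher_suite' => level['cipher_suite'],
    'protocols' => level['protocols'],
  }
end

# Model of ssl_config_for_service: a service subkey under the selected level
# overrides the defaults key by key (so a String 'protocols' replaces the
# Array), and a service with no subkey gets the defaults unchanged.
def ssl_config_for_service_example(node, service)
  svc = node['ssl_certificate']['service']
  overrides = svc.fetch(svc['compatibility']).fetch(service, {})
  default_ssl_config_example(node).merge(overrides)
end

# The template line from the page, rendered without ERB.
def render_postfix_protocols(node)
  protocols = ssl_config_for_service_example(node, 'postfix')['protocols']
  "smtpd_tls_mandatory_protocols = #{protocols}"
end

if __FILE__ == $PROGRAM_NAME
  node = add_postfix_protocols!(build_sample_node)
  puts render_postfix_protocols(node)
  p ssl_config_for_service_example(node, 'apache')
end
```

Switching node['ssl_certificate']['service']['compatibility'] to 'old' changes every derived value at once, which is the point of keeping the per-service overrides under the level key rather than hard-coding protocol strings in each template.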