Make resolver changeable on Nginx (closes #29)

zuazo · Nov 27, 2016 · 835072b · 835072b
1 parent 9b0b7da
commit 835072b
Show file tree

Hide file tree

Showing 8 changed files with 134 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -696,15 +696,16 @@ Attributes
 
 The following attributes are used to integrate SSL specific configurations with different services (Apache, nginx, ...). They are used internally by [the apache and nginx templates](#templates).
 
-| Attribute                                             | Default      | Description                        |
-|:------------------------------------------------------|:-------------|:-----------------------------------|
-| `node['ssl_certificate']['service']['cipher_suite']`  | `nil`        | Service default SSL cipher suite.
-| `node['ssl_certificate']['service']['protocols']`     | `nil`        | Service default SSL protocols.
-| `node['ssl_certificate']['service']['apache']`        | *calculated* | Apache web service httpd specific SSL attributes.
-| `node['ssl_certificate']['service']['nginx']`         | *calculated* | nginx web service specific SSL attributes.
-| `node['ssl_certificate']['service']['compatibility']` | `nil`        | Service SSL compatibility level (See [below](#securing-server-side-tls)).
-| `node['ssl_certificate']['service']['use_hsts']`      | `true`       | Whether to enable [HSTS](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) in the service.
-| `node['ssl_certificate']['service']['use_stapling']`  | *calculated* | Whether to enable [OCSP stapling](http://en.wikipedia.org/wiki/OCSP_stapling) in the service (nginx only, use `node['apache']['mod_ssl']['use_stapling']` for apache).
+| Attribute                                                  | Default      | Description                        |
+|:-----------------------------------------------------------|:-------------|:-----------------------------------|
+| `node['ssl_certificate']['service']['cipher_suite']`       | `nil`        | Service default SSL cipher suite.
+| `node['ssl_certificate']['service']['protocols']`          | `nil`        | Service default SSL protocols.
+| `node['ssl_certificate']['service']['apache']`             | *calculated* | Apache web service httpd specific SSL attributes.
+| `node['ssl_certificate']['service']['nginx']`              | *calculated* | nginx web service specific SSL attributes.
+| `node['ssl_certificate']['service']['compatibility']`      | `nil`        | Service SSL compatibility level (See [below](#securing-server-side-tls)).
+| `node['ssl_certificate']['service']['use_hsts']`           | `true`       | Whether to enable [HSTS](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) in the service.
+| `node['ssl_certificate']['service']['use_stapling']`       | *calculated* | Whether to enable [OCSP stapling](http://en.wikipedia.org/wiki/OCSP_stapling) in the service (nginx only, use `node['apache']['mod_ssl']['use_stapling']` for apache).
+| `node['ssl_certificate']['service']['stapling_resolver']`  | *calculated* | DNS resolver to use for OCSP. Only with Nginx.
 
 See the [`ServiceHelpers` class documentation](http://www.rubydoc.info/github/zuazo/ssl_certificate-cookbook/master/Chef/SslCertificateCookbook/ServiceHelpers) to learn how to integrate them with new services.
 

diff --git a/attributes/service.rb b/attributes/service.rb
@@ -24,6 +24,8 @@
 default['ssl_certificate']['service']['compatibility'] = nil
 default['ssl_certificate']['service']['use_hsts'] = true
 default['ssl_certificate']['service']['use_stapling'] = true
+default['ssl_certificate']['service']['stapling_resolver'] =
+  Chef::SslCertificateCookbook::AttributeHelpers.resolvers || '8.8.8.8'
 
 # SSL Recommended configurations from
 # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

diff --git a/libraries/attribute_helpers.rb b/libraries/attribute_helpers.rb
@@ -0,0 +1,50 @@
+# encoding: UTF-8
+#
+# Cookbook Name:: ssl_certificate
+# Library:: attribute_helpers
+# Author:: Xabier de Zuazo (<[email protected]>)
+# Copyright:: Copyright (c) 2016 Xabier de Zuazo
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'resolv'
+
+class Chef
+  module SslCertificateCookbook
+    # Helper methods to use from attribute files.
+    #
+    # Usage example:
+    #
+    # ```ruby
+    # # attributes/whatever.rb
+    # Chef::SslCertificateCookbook::AttributeHelpers.resolvers
+    #   #=> "8.8.8.8:53"
+    # ```
+    class AttributeHelpers
+      # Returns the system DNS resolvers separated by spaces.
+      #
+      # @return [String, nil] The DNS resolver address.
+      # @example
+      #   resolvers #=> "8.8.8.8:53 4.4.4.2:53"
+      # @api public
+      def self.resolvers
+        empty_ary = [nil, [], [[]], [['0.0.0.0', 53]]]
+        resolvers = Resolv::DNS::Config.new.lazy_initialize.nameserver_port
+        return nil if empty_ary.include?(resolvers)
+        resolvers.map { |x| x.join(':') }.join(' ')
+      end
+    end
+  end
+end
diff --git a/metadata.rb b/metadata.rb
@@ -119,6 +119,13 @@
           required: 'optional',
           calculated: true
 
+attribute 'ssl_certificate/service/stapling_resolver',
+          display_name: 'ssl_certificate stapling resolver',
+          description: 'DNS resolver to use for OCSP. Only with Nginx.',
+          type: 'string',
+          required: 'optional',
+          calculated: true
+
 attribute 'chef-vault/databag_fallback',
           display_name: 'fallback to unencrypted data bags',
           description: 'Whether to fallback to unencrypted data bag if'\

diff --git a/templates/default/nginx.erb b/templates/default/nginx.erb
@@ -29,5 +29,5 @@ self.class.send(:include, Chef::SslCertificateCookbook::ServiceHelpers)
   <% if @ssl_config[:use_stapling] && nginx_version_satisfies?('>= 1.3.7') -%>
   ssl_stapling on;
   ssl_stapling_verify on;
-  resolver 8.8.8.8;
+  resolver <%= @ssl_config[:stapling_resolver] %>;
   <% end -%>
diff --git a/test/unit/libraries/attribute_helpers_spec.rb b/test/unit/libraries/attribute_helpers_spec.rb
@@ -0,0 +1,58 @@
+# encoding: UTF-8
+#
+# Author:: Xabier de Zuazo (<[email protected]>)
+# Copyright:: Copyright (c) 2016 Xabier de Zuazo
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative '../spec_helper'
+require 'attribute_helpers'
+
+describe Chef::SslCertificateCookbook::AttributeHelpers, order: :random do
+  let(:helpers) { described_class }
+  let(:resolv_dns_config) { instance_double('Resolv::DNS::Config') }
+  let(:nameserver_port) { [%w(1.2.3.4 53)] }
+
+  context '.resolvers' do
+    before do
+      expect(Resolv::DNS::Config).to receive(:new)
+        .and_return(resolv_dns_config)
+      allow(resolv_dns_config).to receive(:lazy_initialize)
+        .and_return(resolv_dns_config)
+      allow(resolv_dns_config).to receive(:nameserver_port)
+        .and_return(nameserver_port)
+    end
+
+    it 'returns the DNS resolver as a string' do
+      expect(helpers.resolvers).to eq('1.2.3.4:53')
+    end
+
+    context 'with multiple DNS resolvers' do
+      let(:nameserver_port) { [%w(1.2.3.4 53), %w(5.6.7.8 5353)] }
+
+      it 'returns all DNS resolvers' do
+        expect(helpers.resolvers).to eq('1.2.3.4:53 5.6.7.8:5353')
+      end
+    end
+
+    context 'without DNS resolvers' do
+      let(:nameserver_port) { [['0.0.0.0', 53]] } # tested on GNU/Linux
+
+      it 'returns nil' do
+        expect(helpers.resolvers).to eq(nil)
+      end
+    end
+  end
+end
diff --git a/test/unit/spec_helper.rb b/test/unit/spec_helper.rb
@@ -24,6 +24,7 @@
 require 'should_not/rspec'
 
 # require_relative 'support/coverage'
+require 'attribute_helpers'
 
 RSpec.configure do |config|
   # Prohibit using the should syntax

diff --git a/test/unit/templates/nginx_partial_spec.rb b/test/unit/templates/nginx_partial_spec.rb
@@ -57,6 +57,11 @@
       expect(template.render(variables))
         .to match(/^\s*ssl_stapling on;/)
     end
+
+    it 'sets DNS resolver' do
+      expect(template.render(variables))
+        .to match(/^\s*resolver( [a-zA-Z0-9.:-]+)+;/)
+    end
   end
 
   context 'with nginx < 1.3.7' do