From 533a8b8b26297f2324efe5161a598233bc6dc3ed Mon Sep 17 00:00:00 2001
From: Nathan Kinder
Date: Thu, 5 Sep 2019 20:01:12 -0700
Subject: [PATCH] Add parameters for console proxy SSL/TLS settings

This adds new console_ssl_ciphers and console_ssl_minimum_version parameters for configuring the allowed TLS ciphers and minimum protocol version to enforce for incoming client connections to the console proxy services (VNC, SPICE, etc).

Depends-On: I23ac1cc79482d0fabb359486a4b934463854cae5
Change-Id: I3a1262f70f6a801db276701a39ebb01f40025192
Related-Bug: 1842149
---
 manifests/init.pp | 17 +++++++++++++++++
 ...cipher-protocol-params-2ad72898a85dbe17.yaml | 7 +++++++
 spec/classes/nova_init_spec.rb | 6 ++++++
 3 files changed, 30 insertions(+)
 create mode 100644 releasenotes/notes/add-console-ssl-cipher-protocol-params-2ad72898a85dbe17.yaml

diff --git a/manifests/init.pp b/manifests/init.pp
index dd9885d44..43b803c32 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -285,6 +285,19 @@
 # (optional) SSL key file (if separate from cert).
 # Defaults to $::os_service_default
 #
+# [*console_ssl_ciphers*]
+# (optional) OpenSSL cipher preference string that specifies what ciphers to
+# allow for TLS connections from clients. See the man page for the OpenSSL
+# 'ciphers' command for details of the cipher preference string format and
+# allowed values.
+# Defaults to $::os_service_default
+#
+# [*console_ssl_minimum_version*]
+# (optional) Minimum allowed SSL/TLS protocol version. Valid values are
+# 'default', 'tlsv1_1', 'tlsv1_2', and 'tlsv1_3'. A value of 'default' will
+# use the underlying system OpenSSL defaults.
+# Defaults to $::os_service_default
+#
 # [*notification_transport_url*]
 # (optional) A URL representing the messaging driver to use for notifications
 # and its full configuration. Transport URLs take the form:
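Review bot: The `console_ssl_minimum_version` description lists 'tlsv1_1' among the valid values without saying it is the weakest of them, so an operator reading only this doc has no steer; a line such as `#   Deployments terminating TLS on the console proxies should prefer 'tlsv1_2' or newer; 'default' defers to the system OpenSSL policy.` would close that gap. Both new descriptions could also state that the values are written to the [console] section as given (nothing in this change checks them) and presumably only take effect when the proxies actually serve TLS, i.e. when the cert/key parameters documented just above are set. The enclosing doc comment block starts before the hunk.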
@@ -490,6 +503,8 @@ class nova(
 $ssl_only = false,
 $cert = $::os_service_default,
 $key = $::os_service_default,
+ $console_ssl_ciphers = $::os_service_default,
+ $console_ssl_minimum_version = $::os_service_default,
 $notification_transport_url = $::os_service_default,
 $notification_driver = $::os_service_default,
 $notification_topics = $::os_service_default,
@@ -638,6 +653,8 @@ but should be one of: ssh-rsa, ssh-dsa, ssh-ecdsa.")
 'DEFAULT/ssl_only': value => $ssl_only;
 'DEFAULT/cert': value => $cert;
 'DEFAULT/key': value => $key;
+ 'console/ssl_ciphers': value => $console_ssl_ciphers;
+ 'console/ssl_minimum_version': value => $console_ssl_minimum_version;
 'DEFAULT/my_ip': value => $my_ip;
 'api/auth_strategy': value => $auth_strategy;
 'DEFAULT/host': value => $host;
diff --git a/releasenotes/notes/add-console-ssl-cipher-protocol-params-2ad72898a85dbe17.yaml b/releasenotes/notes/add-console-ssl-cipher-protocol-params-2ad72898a85dbe17.yaml
new file mode 100644
index 000000000..f902dad5d
--- /dev/null
+++ b/releasenotes/notes/add-console-ssl-cipher-protocol-params-2ad72898a85dbe17.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Added parameters nova::console_ssl_ciphers and
+ nova::console_ssl_minimum_version to manage the allowed TLS ciphers and
+ minimum protocol version to enforce for incoming client connections to the
+ console proxy services (VNC, SPICE, etc).
diff --git a/spec/classes/nova_init_spec.rb b/spec/classes/nova_init_spec.rb
index 66f7b17b5..2610b0905
--- a/spec/classes/nova_init_spec.rb
+++ b/spec/classes/nova_init_spec.rb
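Review bot: `$console_ssl_minimum_version` is declared as a free-form parameter even though its documentation gives a closed set of values ('default', 'tlsv1_1', 'tlsv1_2', 'tlsv1_3'); a typo is written straight into nova.conf by the `console/ssl_minimum_version` entry in the hunk at line 653 and presumably only surfaces when the console proxy service refuses the setting. The class already rejects bad enumerated values with `fail()` (the ssh key type message in that hunk's header), so the same pattern fits here: `if !is_service_default($console_ssl_minimum_version) and !($console_ssl_minimum_version in ['default', 'tlsv1_1', 'tlsv1_2', 'tlsv1_3']) {` / `  fail("console_ssl_minimum_version must be one of: default, tlsv1_1, tlsv1_2, tlsv1_3")` / `}`. The cipher string cannot be checked the same way, so a short comment next to `console/ssl_ciphers` saying that a malformed OpenSSL cipher string is likewise only detected by the proxy at startup would help the next reader. The class body continues outside both hunks.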
@@ -62,6 +62,8 @@ describe 'nova' do
 is_expected.to contain_nova_config('DEFAULT/ssl_only').with_value(false)
 is_expected.to contain_nova_config('DEFAULT/cert').with_value('')
 is_expected.to contain_nova_config('DEFAULT/key').with_value('')
+ is_expected.to contain_nova_config('console/ssl_ciphers').with_value('')
+ is_expected.to contain_nova_config('console/ssl_minimum_version').with_value('')
 end
 
 it 'configures block_device_allocate params' do
@@ -110,6 +112,8 @@ describe 'nova' do
 :ssl_only => true,
 :cert => '/etc/ssl/private/snakeoil.pem',
 :key => '/etc/ssl/certs/snakeoil.pem',
+ :console_ssl_ciphers => 'kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES',
+ :console_ssl_minimum_version => 'tlsv1_2',
 }
 end
 
@@ -177,6 +181,8 @@ describe 'nova' do
 is_expected.to contain_nova_config('DEFAULT/ssl_only').with_value(true)
 is_expected.to contain_nova_config('DEFAULT/cert').with_value('/etc/ssl/private/snakeoil.pem')
 is_expected.to contain_nova_config('DEFAULT/key').with_value('/etc/ssl/certs/snakeoil.pem')
+ is_expected.to contain_nova_config('console/ssl_ciphers').with_value('kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES')
+ is_expected.to contain_nova_config('console/ssl_minimum_version').with_value('tlsv1_2')
 end
 
 context 'with multiple notification_driver' do
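Review bot: The cipher string 'kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES' is spelled out twice, in the params hash of the hunk at line 112 and again in the expectation of the hunk at line 181; defining it once, e.g. `let(:console_ciphers) { 'kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES' }` and referencing `console_ciphers` from both places, keeps the two copies from drifting apart silently. The new expectations only cover pass-through of a valid value; should the manifest gain validation of `console_ssl_minimum_version`, a context with an out-of-range value asserting `is_expected.to raise_error(Puppet::Error)` would pin that behaviour. The params block (presumably a `let :params do`) at line 112 starts above the hunk.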