
Commit 9b10a78

authored
Merge pull request #97 from infosiftr/fix-management-ssl
Fix management SSL issues (needs separate "verify" and "fail_if_no_peer_cert" defaults)
2 parents 3569ec7 + 01cebb7 commit 9b10a78


1 file changed

+105
-70
lines changed


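--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -e
+set -eu
 
 # allow the container to be started with `--user`
 if [[ "$1" == rabbitmq* ]] && [ "$(id -u)" = '0' ]; then
@@ -14,32 +14,62 @@ fi
 : "${RABBITMQ_SSL_KEYFILE:=${RABBITMQ_SSL_KEY_FILE:-}}"
 : "${RABBITMQ_SSL_CACERTFILE:=${RABBITMQ_SSL_CA_FILE:-}}"
 
+# "management" SSL config should default to using the same certs
+: "${RABBITMQ_MANAGEMENT_SSL_CACERTFILE:=$RABBITMQ_SSL_CACERTFILE}"
+: "${RABBITMQ_MANAGEMENT_SSL_CERTFILE:=$RABBITMQ_SSL_CERTFILE}"
+: "${RABBITMQ_MANAGEMENT_SSL_KEYFILE:=$RABBITMQ_SSL_KEYFILE}"
+
 # https://www.rabbitmq.com/configure.html
-fileConfigs=(
-	ssl_cacertfile
-	ssl_certfile
-	ssl_keyfile
+sslConfigKeys=(
+	cacertfile
+	certfile
+	fail_if_no_peer_cert
+	keyfile
+	verify
 )
-configs=(
+managementConfigKeys=(
+	"${sslConfigKeys[@]/#/ssl_}"
+)
+rabbitConfigKeys=(
 	default_pass
 	default_user
 	default_vhost
 	hipe_compile
-	ssl_fail_if_no_peer_cert
-	ssl_verify
-	"${fileConfigs[@]}"
+)
+fileConfigKeys=(
+	management_ssl_cacertfile
+	management_ssl_certfile
+	management_ssl_keyfile
+	ssl_cacertfile
+	ssl_certfile
+	ssl_keyfile
+)
+allConfigKeys=(
+	"${managementConfigKeys[@]/#/management_}"
+	"${rabbitConfigKeys[@]}"
+	"${sslConfigKeys[@]/#/ssl_}"
+)
+
+declare -A configDefaults=(
+	[management_ssl_fail_if_no_peer_cert]='false'
+	[management_ssl_verify]='verify_none'
+
+	[ssl_fail_if_no_peer_cert]='true'
+	[ssl_verify]='verify_peer'
 )
 
 haveConfig=
 haveSslConfig=
-for conf in "${configs[@]}"; do
+haveManagementSslConfig=
+for conf in "${allConfigKeys[@]}"; do
 	var="RABBITMQ_${conf^^}"
-	val="${!var}"
+	val="${!var:-}"
 	if [ "$val" ]; then
 		haveConfig=1
-		if [[ "$conf" == ssl_* ]]; then
-			haveSslConfig=1
-		fi
+		case "$conf" in
+			ssl_*) haveSslConfig=1 ;;
+			management_ssl_*) haveManagementSslConfig=1 ;;
+		esac
 	fi
 done
 if [ "$haveSslConfig" ]; then
@@ -64,7 +94,7 @@ if [ "$haveSslConfig" ]; then
 	fi
 fi
 missingFiles=()
-for conf in "${fileConfigs[@]}"; do
+for conf in "${fileConfigKeys[@]}"; do
 	var="RABBITMQ_${conf^^}"
 	val="${!var}"
 	if [ "$val" ] && [ ! -f "$val" ]; then
@@ -83,12 +113,20 @@ if [ "${#missingFiles[@]}" -gt 0 ]; then
 	exit 1
 fi
 
+# set defaults for missing values (but only after we're done with all our checking so we don't throw any of that off)
+for conf in "${!configDefaults[@]}"; do
+	default="${configDefaults[$conf]}"
+	var="RABBITMQ_${conf^^}"
+	[ -z "${!var:-}" ] || continue
+	eval "export $var=\"\$default\""
+done
+
 # If long & short hostnames are not the same, use long hostnames
 if [ "$(hostname)" != "$(hostname -s)" ]; then
 	: "${RABBITMQ_USE_LONGNAME:=true}"
 fi
 
-if [ "$RABBITMQ_ERLANG_COOKIE" ]; then
+if [ "${RABBITMQ_ERLANG_COOKIE:-}" ]; then
 	cookieFile='/var/lib/rabbitmq/.erlang.cookie'
 	if [ -e "$cookieFile" ]; then
 		if [ "$(cat "$cookieFile" 2>/dev/null)" != "$RABBITMQ_ERLANG_COOKIE" ]; then
@@ -127,6 +165,45 @@ rabbit_array() {
 	esac
 	echo -n ']'
 }
+rabbit_env_config() {
+	local prefix="$1"; shift
+
+	local ret=()
+	local conf
+	for conf; do
+		local var="rabbitmq${prefix:+_$prefix}_$conf"
+		var="${var^^}"
+
+		local val="${!var:-}"
+
+		local rawVal=
+		case "$conf" in
+			verify|fail_if_no_peer_cert)
+				[ "$val" ] || continue
+				rawVal="$val"
+				;;
+
+			hipe_compile)
+				[ "$val" ] && rawVal='true' || rawVal='false'
+				;;
+
+			cacertfile|certfile|keyfile)
+				[ "$val" ] || continue
+				rawVal='"'"$val"'"'
+				;;
+
+			*)
+				[ "$val" ] || continue
+				rawVal='<<"'"$val"'">>'
+				;;
+		esac
+		[ "$rawVal" ] || continue
+
+		ret+=( "{ $conf, $rawVal }" )
+	done
+
+	join $'\n' "${ret[@]}"
+}
 
 if [ "$1" = 'rabbitmq-server' ] && [ "$haveConfig" ]; then
 	fullConfig=()
@@ -135,34 +212,10 @@ if [ "$1" = 'rabbitmq-server' ] && [ "$haveConfig" ]; then
 		"{ loopback_users, $(rabbit_array) }"
 	)
 
-	rabbitSslOptions=()
 	if [ "$haveSslConfig" ]; then
-		for conf in "${configs[@]}"; do
-			sslConf="${conf#ssl_}"
-			[ "$sslConf" != "$conf" ] || continue
-
-			var="RABBITMQ_${conf^^}"
-			val="${!var}"
-
-			# default values
-			case "$sslConf" in
-				verify) : "${val:=verify_peer}" ;;
-				fail_if_no_peer_cert) : "${val:=true}" ;;
-			esac
-
-			rawVal=
-			case "$sslConf" in
-				verify|fail_if_no_peer_cert) rawVal="$val" ;;
-
-				*)
-					[ "$val" ] || continue
-					rawVal='"'"$val"'"'
-					;;
-			esac
-			[ "$rawVal" ] || continue
-
-			rabbitSslOptions+=( "{ $sslConf, $rawVal }" )
-		done
+		IFS=$'\n'
+		rabbitSslOptions=( $(rabbit_env_config 'ssl' "${sslConfigKeys[@]}") )
+		unset IFS
 
 		rabbitConfig+=(
 			"{ tcp_listeners, $(rabbit_array) }"
@@ -176,41 +229,23 @@ if [ "$1" = 'rabbitmq-server' ] && [ "$haveConfig" ]; then
 		)
 	fi
 
-	for conf in "${configs[@]}"; do
-		var="RABBITMQ_${conf^^}"
-		val="${!var}"
-
-		rawVal=
-		case "$conf" in
-			# SSL-related options are configured above, so should be ignored here
-			ssl_*) continue ;;
-
-			# convert shell booleans into Erlang booleans
-			hipe_compile)
-				[ "$val" ] && rawVal='true' || rawVal='false'
-				;;
-
-			# otherwise, assume string-based (and skip or add appropriate decorations)
-			*)
-				[ "$val" ] || continue
-				rawVal='<<"'"$val"'">>'
-				;;
-		esac
-		[ "$rawVal" ] || continue
-
-		rabbitConfig+=( "{ $conf, $rawVal }" )
-	done
+	IFS=$'\n'
+	rabbitConfig+=( $(rabbit_env_config '' "${rabbitConfigKeys[@]}") )
+	unset IFS
 
 	fullConfig+=( "{ rabbit, $(rabbit_array "${rabbitConfig[@]}") }" )
 
 	# If management plugin is installed, then generate config consider this
 	if [ "$(rabbitmq-plugins list -m -e rabbitmq_management)" ]; then
-		rabbitManagementListenerConfig=()
-		if [ "$haveSslConfig" ]; then
+		if [ "$haveManagementSslConfig" ]; then
+			IFS=$'\n'
+			rabbitManagementSslOptions=( $(rabbit_env_config 'management_ssl' "${sslConfigKeys[@]}") )
+			unset IFS
+
 			rabbitManagementListenerConfig+=(
 				'{ port, 15671 }'
 				'{ ssl, true }'
-				"{ ssl_opts, $(rabbit_array "${rabbitSslOptions[@]}") }"
+				"{ ssl_opts, $(rabbit_array "${rabbitManagementSslOptions[@]}") }"
 			)
 		else
 			rabbitManagementListenerConfig+=(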
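Review bot: The new rabbit_env_config helper (hunk `@@ -127,6 +165,45 @@`) splices `$val` into Erlang literals unescaped, so a RABBITMQ_DEFAULT_PASS or certificate path containing `"` (or a trailing backslash) terminates the `<<"…">>` / `"…"` term early and the generated config no longer parses — a startup failure at best, and in principle a way for such a value to smuggle extra Erlang terms into the config file. The old per-loop code had the same gap, but this helper is now the single place where every string value is quoted, so it is the right place to close it. Erlang string and binary literals accept `\\` and `\"` escapes, so escaping once after `local val="${!var:-}"` covers both string branches (the verify/fail_if_no_peer_cert atoms never legitimately contain either character): `val="${val//\\/\\\\}"` followed by `val="${val//\"/\\\"}"`; confirm the replacement quoting against the bash shipped in the image, since backslash handling inside `${var//pat/rep}` has changed between releases. It is also worth a comment on the `declare -A configDefaults` block stating why the management listener defaults to `verify_none`/`false` while AMQP keeps `verify_peer`/`true`, e.g. `# management is served to browsers, which normally present no client cert; AMQP keeps mutual TLS`.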
