queue: Allow enabling TLS for the RabbitMQ connection.

This allows using cloud-based RabbitMQ services like AmazonMQ. Fixes: #24699.
2023-03-23 19:04:19 +00:00 · 2023-03-23 19:04:19 +00:00 · bf532de8bb
parent 262b19346e
commit bf532de8bb
3 changed files with 14 additions and 1 deletions
--- a/zerver/lib/queue.py
+++ b/zerver/lib/queue.py
@ -1,10 +1,11 @@
 import logging
 import random
+import ssl
 import threading
 import time
 from abc import ABCMeta, abstractmethod
 from collections import defaultdict
-from typing import Any, Callable, Dict, Generic, List, Mapping, Optional, Set, TypeVar, Union
+from typing import Any, Callable, Dict, Generic, List, Mapping, Optional, Set, Type, TypeVar, Union

 import orjson
 import pika
@ -77,11 +78,18 @@ class QueueClient(Generic[ChannelT], metaclass=ABCMeta):
        if self.rabbitmq_heartbeat == 0:
            tcp_options = dict(TCP_KEEPIDLE=60 * 5)

+        ssl_options: Union[
+            Type[pika.ConnectionParameters._DEFAULT], pika.SSLOptions
+        ] = pika.ConnectionParameters._DEFAULT
+        if settings.RABBITMQ_USE_TLS:
+            ssl_options = pika.SSLOptions(context=ssl.create_default_context())
+
        return pika.ConnectionParameters(
            settings.RABBITMQ_HOST,
            port=settings.RABBITMQ_PORT,
            heartbeat=self.rabbitmq_heartbeat,
            tcp_options=tcp_options,
+            ssl_options=ssl_options,
            credentials=credentials,
        )

--- a/zproject/default_settings.py
+++ b/zproject/default_settings.py
@ -173,6 +173,7 @@ MEMCACHED_USERNAME = None if get_secret("memcached_password") is None else "zuli
 RABBITMQ_HOST = "127.0.0.1"
 RABBITMQ_PORT = 5672
 RABBITMQ_USERNAME = "zulip"
+RABBITMQ_USE_TLS = False
 REDIS_HOST = "127.0.0.1"
 REDIS_PORT = 6379
 REMOTE_POSTGRES_HOST = ""
--- a/zproject/prod_settings_template.py
+++ b/zproject/prod_settings_template.py
@ -584,6 +584,10 @@ SOCIAL_AUTH_SAML_SUPPORT_CONTACT = {
 # RABBITMQ_PORT = 5672
 ## To use another RabbitMQ user than the default "zulip", set RABBITMQ_USERNAME here.
 # RABBITMQ_USERNAME = "zulip"
+## To access the RabbitMQ server over TLS, set this to True; this is
+## generally only necessary if RabbitMQ is running on a separate,
+## cloud-managed, host.
+# RABBITMQ_USE_TLS = False

 ########
 ## Redis configuration.