author | Claire McQuin <claire@getchef.com> | 2014-08-22 11:12:10 -0700 |
---|---|---|
committer | Serdar Sutay <serdar@opscode.com> | 2014-08-26 15:49:51 -0700 |
commit | 3812f7cb6b267014c4057cd6787b7fc2011ef816 (patch) | |
tree | aa243d522421364716df0da0bc020cedf6907668 | |
parent | de8e2612785c1f9f4bdd05787dcc47d55ef348c6 (diff) | |
download | chef-3812f7cb6b267014c4057cd6787b7fc2011ef816.tar.gz |
Add --ssl-verify-mode and --[no-]verify-api-cert options.
-rw-r--r-- | lib/chef/knife/bootstrap.rb | 18 | ||||
-rw-r--r-- | lib/chef/knife/core/bootstrap_context.rb | 8 | ||||
-rw-r--r-- | spec/unit/knife/bootstrap_spec.rb | 52 | ||||
-rw-r--r-- | spec/unit/knife/core/bootstrap_context_spec.rb | 28 |
4 files changed, 106 insertions, 0 deletions
diff --git a/lib/chef/knife/bootstrap.rb b/lib/chef/knife/bootstrap.rb index cf4f3c7a0c..3c934431ec 100644 --- a/lib/chef/knife/bootstrap.rb +++ b/lib/chef/knife/bootstrap.rb @@ -188,6 +188,23 @@ class Chef :description => "Add options to curl when install chef-client", :proc => Proc.new { |co| Chef::Config[:knife][:bootstrap_curl_options] = co } + option :ssl_verify_mode, + :long => "--ssl-verify-mode [none|all]", + :description => "Whether or not to verify the SSL cert for all HTTPS requests.", + :proc => Proc.new { |verify_mode| + if verify_mode == "all" + mode = :verify_peer + elsif verify_mode == "none" + mode = :verify_none + end + Chef::Config[:knife][:ssl_verify_mode] = mode + } + + option :verify_api_cert, + :long => "--[no-]verify-api-cert", + :description => "Verify the SSL cert for HTTPS requests to the Chef server API.", + :boolean => true + def bootstrap_template # For some reason knife.merge_configs doesn't pick up the default values from # Chef::Config[:knife][:bootstrap_template] unless Chef::Config[:knife][:bootstrap_template] @@ -204,6 +221,7 @@ class Chef if File.exists?(template) Chef::Log.debug("Using the specified bootstrap template: #{File.dirname(template)}") return template + end # Otherwise search the template directories until we find the right one diff --git a/lib/chef/knife/core/bootstrap_context.rb b/lib/chef/knife/core/bootstrap_context.rb index 0fdd77594a..831a214e66 100644 --- a/lib/chef/knife/core/bootstrap_context.rb +++ b/lib/chef/knife/core/bootstrap_context.rb 
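Review bot: In the `--ssl-verify-mode` proc, any value other than `all` or `none` leaves `mode` nil, so `Chef::Config[:knife][:ssl_verify_mode]` is set to nil without any message. The bootstrap_context.rb change in this commit then writes no `ssl_verify_mode` line, so a typo such as `--ssl-verify-mode peer` leaves the node on whatever its default is instead of the verification the operator asked for. Reject unknown input before the assignment, for example `raise "Invalid value '#{verify_mode}' for --ssl-verify-mode, expected none or all" unless mode`. The brackets in `[none|all]` presumably also make the argument optional, in which case a bare `--ssl-verify-mode` takes the same nil path.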
@@ -64,6 +64,14 @@ CONFIG client_rb << "# Using default node name (fqdn)\n" end + unless @config[:verify_api_cert].nil? + client_rb << %Q{verify_api_cert #{@config[:verify_api_cert]}\n} + end + + if knife_config[:ssl_verify_mode] + client_rb << %Q{ssl_verify_mode :#{knife_config[:ssl_verify_mode]}\n} + end + if knife_config[:bootstrap_proxy] client_rb << %Q{http_proxy "#{knife_config[:bootstrap_proxy]}"\n} client_rb << %Q{https_proxy "#{knife_config[:bootstrap_proxy]}"\n} diff --git a/spec/unit/knife/bootstrap_spec.rb b/spec/unit/knife/bootstrap_spec.rb index f28879fb4e..f36f07e87e 100644 --- a/spec/unit/knife/bootstrap_spec.rb +++ b/spec/unit/knife/bootstrap_spec.rb 
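Review bot: The `ssl_verify_mode` line interpolates `knife_config[:ssl_verify_mode]` straight into the generated client.rb, which is Ruby evaluated on the node, with no check that the value is one of the two expected symbols. The CLI proc only produces `:verify_peer` or `:verify_none`, but the same key can presumably be set in knife.rb, where a string or an unexpected value would yield a broken or unintended config line. Guard the emit with an allow-list, `if [:verify_none, :verify_peer].include?(knife_config[:ssl_verify_mode])`, and add a comment saying that an unset `verify_api_cert` is deliberately omitted so the client default applies. The enclosing method starts and ends outside this hunk.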
@@ -248,6 +248,55 @@ describe Chef::Knife::Bootstrap do end end + describe "specifying ssl verification" do + subject(:knife) do + k = described_class.new + k.instance_variable_set("@template_file", template_file) + k.parse_options(options) + k.merge_configs + k + end + + let(:template_file) { File.expand_path(File.join(CHEF_SPEC_DATA, "bootstrap", "no_proxy.erb")) } + + let(:rendered_template) do + template_string = knife.read_template + knife.render_template(template_string) + end + + context "via --ssl-verify-mode none" do + let(:options) { ["--ssl-verify-mode", "none"] } + + it "renders the client.rb with ssl_verify_mode set to :verify_none" do + rendered_template.should match(/ssl_verify_mode :verify_none/) + end + end + + context "via --ssl-verify-mode verify-all" do + let(:options) { ["--ssl-verify-mode", "all"] } + + it "renders the client.rb with ssl_verify_mode set to :verify_peer" do + rendered_template.should match(/ssl_verify_mode :verify_peer/) + end + end + + context "via --verify-api-cert" do + let(:options) { ["--verify-api-cert"] } + + it "renders the client.rb with verify_api_cert set to true" do + rendered_template.should match(/verify_api_cert true/) + end + end + + context "via --no-verify-api-cert" do + let(:options) { ["--no-verify-api-cert"] } + + it "renders the client.rb with verify_api_cert set to false" do + rendered_template.should match(/verify_api_cert false/) + end + end + end + describe "specifying the encrypted data bag secret key" do let(:secret) { "supersekret" } let(:secret_file) { File.join(CHEF_SPEC_DATA, 'bootstrap', 'encrypted_data_bag_secret') } @@ -483,6 +532,9 @@ describe Chef::Knife::Bootstrap do knife_ssh.should_receive(:run).and_raise(Net::SSH::AuthenticationFailed) lambda { knife.run }.should raise_error(Net::SSH::AuthenticationFailed) end + end + + describe "specifying ssl verification" do end 
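Review bot: The new examples cover only the two accepted values of `--ssl-verify-mode`; nothing pins what happens for an unrecognised value or when neither option is given, which is the case where verification can be lost silently. Add a context for an invalid value and one with empty options asserting `rendered_template.should_not match(/ssl_verify_mode/)`. The context title `via --ssl-verify-mode verify-all` does not match the argument actually passed (`all`), and the matchers would be tighter if anchored, e.g. `/^ssl_verify_mode :verify_none$/`.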
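Review bot: The second hunk in this file adds `describe "specifying ssl verification" do` with an empty body, repeating the name of the populated group added near line 248. It looks like a leftover from moving the examples; drop the three added lines so the spec output does not show an empty group. The surrounding describe block starts outside the hunk.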
diff --git a/spec/unit/knife/core/bootstrap_context_spec.rb b/spec/unit/knife/core/bootstrap_context_spec.rb index c5ad531a27..39ce9e51ca 100644 --- a/spec/unit/knife/core/bootstrap_context_spec.rb +++ b/spec/unit/knife/core/bootstrap_context_spec.rb @@ -168,4 +168,32 @@ EXPECTED bootstrap_context.latest_current_chef_version_string.should eq("-v #{Chef::VERSION.to_i}") end end + + describe "via --ssl-verify-mode is specified" do + let(:chef_config) do + { + :knife => {:ssl_verify_mode => :verify_peer} + } + end + + it "should set ssl_verify_mode in the config" do + bootstrap_context.config_content.should include("ssl_verify_mode :verify_peer") + end + end + + describe "via --no-verify-api-cert" do + let(:config) {{:verify_api_cert => false}} + + it "should set verify_api_cert to false in the config" do + bootstrap_context.config_content.should include("verify_api_cert false") + end + end + + describe "via --verify-api-cert" do + let(:config) {{:verify_api_cert => true}} + + it "should set verify_api_cert to true in the config" do + bootstrap_context.config_content.should include("verify_api_cert true") + end + end end |
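Review bot: There is no example for the default case, so the `.nil?` guard around `verify_api_cert` and the truthiness guard around `ssl_verify_mode` in bootstrap_context.rb are untested on their skip path. Add one with neither key set, e.g. `bootstrap_context.config_content.should_not include("verify_api_cert")`, and a `:verify_none` case alongside `:verify_peer`. The group title `via --ssl-verify-mode is specified` should read `when --ssl-verify-mode is specified`.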