authorClaire McQuin <claire@getchef.com>2014-08-22 11:12:10 -0700
committerSerdar Sutay <serdar@opscode.com>2014-08-26 15:49:51 -0700
commit3812f7cb6b267014c4057cd6787b7fc2011ef816 (patch)
treeaa243d522421364716df0da0bc020cedf6907668
parentde8e2612785c1f9f4bdd05787dcc47d55ef348c6 (diff)
downloadchef-3812f7cb6b267014c4057cd6787b7fc2011ef816.tar.gz
Add --ssl-verify-mode and --[no-]verify-api-cert options.
-rw-r--r--lib/chef/knife/bootstrap.rb18
-rw-r--r--lib/chef/knife/core/bootstrap_context.rb8
-rw-r--r--spec/unit/knife/bootstrap_spec.rb52
-rw-r--r--spec/unit/knife/core/bootstrap_context_spec.rb28
4 files changed, 106 insertions, 0 deletions
diff --git a/lib/chef/knife/bootstrap.rb b/lib/chef/knife/bootstrap.rb
index cf4f3c7a0c..3c934431ec 100644
--- a/lib/chef/knife/bootstrap.rb
+++ b/lib/chef/knife/bootstrap.rb
@@ -188,6 +188,23 @@ class Chef
:description => "Add options to curl when install chef-client",
:proc => Proc.new { |co| Chef::Config[:knife][:bootstrap_curl_options] = co }
+ option :ssl_verify_mode,
+ :long => "--ssl-verify-mode [none|all]",
+ :description => "Whether or not to verify the SSL cert for all HTTPS requests.",
+ :proc => Proc.new { |verify_mode|
+ if verify_mode == "all"
+ mode = :verify_peer
+ elsif verify_mode == "none"
+ mode = :verify_none
+ end
+ Chef::Config[:knife][:ssl_verify_mode] = mode
+ }
+
+ option :verify_api_cert,
+ :long => "--[no-]verify-api-cert",
+ :description => "Verify the SSL cert for HTTPS requests to the Chef server API.",
+ :boolean => true
+
def bootstrap_template
# For some reason knife.merge_configs doesn't pick up the default values from
# Chef::Config[:knife][:bootstrap_template] unless Chef::Config[:knife][:bootstrap_template]
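Review bot: The `:proc` for `:ssl_verify_mode` assigns `mode` only for "all" and "none", so any other value — or a bare `--ssl-verify-mode`, which the `[none|all]` long form permits — falls through and writes `nil` into `Chef::Config[:knife][:ssl_verify_mode]` with no message, leaving an operator who mistyped the value with the default and no indication of it. Add an `else` branch that rejects the input before the closing `end` of the `if`, e.g. `else` / `raise ArgumentError, "--ssl-verify-mode must be 'none' or 'all'"`. The description for this option could also state plainly that `none` disables peer verification for every HTTPS request the bootstrapped client makes, since the current wording reads as a simple toggle rather than a trust decision pushed onto the node.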
@@ -204,6 +221,7 @@ class Chef
if File.exists?(template)
Chef::Log.debug("Using the specified bootstrap template: #{File.dirname(template)}")
return template
+
end
# Otherwise search the template directories until we find the right one
diff --git a/lib/chef/knife/core/bootstrap_context.rb b/lib/chef/knife/core/bootstrap_context.rb
index 0fdd77594a..831a214e66 100644
--- a/lib/chef/knife/core/bootstrap_context.rb
+++ b/lib/chef/knife/core/bootstrap_context.rb
@@ -64,6 +64,14 @@ CONFIG
client_rb << "# Using default node name (fqdn)\n"
end
+ unless @config[:verify_api_cert].nil?
+ client_rb << %Q{verify_api_cert #{@config[:verify_api_cert]}\n}
+ end
+
+ if knife_config[:ssl_verify_mode]
+ client_rb << %Q{ssl_verify_mode :#{knife_config[:ssl_verify_mode]}\n}
+ end
+
if knife_config[:bootstrap_proxy]
client_rb << %Q{http_proxy "#{knife_config[:bootstrap_proxy]}"\n}
client_rb << %Q{https_proxy "#{knife_config[:bootstrap_proxy]}"\n}
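Review bot: The `ssl_verify_mode` line interpolates `knife_config[:ssl_verify_mode]` straight into Ruby source that the bootstrapped node evaluates as its client.rb, and nothing here checks the value; the CLI proc in bootstrap.rb only ever stores `:verify_peer`, `:verify_none` or `nil`, but the same key can be set in knife.rb as any object and would then produce a malformed or unintended client.rb on the target. Restrict the guard to the two values Chef accepts: `if [:verify_peer, :verify_none].include?(knife_config[:ssl_verify_mode])`. Note also that `verify_api_cert` is read from `@config` while `ssl_verify_mode` is read from `knife_config`; if that asymmetry is intentional (presumably the first is a per-invocation boolean flag and the second is meant to honour knife.rb as well), a one-line comment saying so would save the next reader a trip into bootstrap.rb. The enclosing method starts and ends outside the hunk.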
diff --git a/spec/unit/knife/bootstrap_spec.rb b/spec/unit/knife/bootstrap_spec.rb
index f28879fb4e..f36f07e87e 100644
--- a/spec/unit/knife/bootstrap_spec.rb
+++ b/spec/unit/knife/bootstrap_spec.rb
@@ -248,6 +248,55 @@ describe Chef::Knife::Bootstrap do
end
end
+ describe "specifying ssl verification" do
+ subject(:knife) do
+ k = described_class.new
+ k.instance_variable_set("@template_file", template_file)
+ k.parse_options(options)
+ k.merge_configs
+ k
+ end
+
+ let(:template_file) { File.expand_path(File.join(CHEF_SPEC_DATA, "bootstrap", "no_proxy.erb")) }
+
+ let(:rendered_template) do
+ template_string = knife.read_template
+ knife.render_template(template_string)
+ end
+
+ context "via --ssl-verify-mode none" do
+ let(:options) { ["--ssl-verify-mode", "none"] }
+
+ it "renders the client.rb with ssl_verify_mode set to :verify_none" do
+ rendered_template.should match(/ssl_verify_mode :verify_none/)
+ end
+ end
+
+ context "via --ssl-verify-mode verify-all" do
+ let(:options) { ["--ssl-verify-mode", "all"] }
+
+ it "renders the client.rb with ssl_verify_mode set to :verify_peer" do
+ rendered_template.should match(/ssl_verify_mode :verify_peer/)
+ end
+ end
+
+ context "via --verify-api-cert" do
+ let(:options) { ["--verify-api-cert"] }
+
+ it "renders the client.rb with verify_api_cert set to true" do
+ rendered_template.should match(/verify_api_cert true/)
+ end
+ end
+
+ context "via --no-verify-api-cert" do
+ let(:options) { ["--no-verify-api-cert"] }
+
+ it "renders the client.rb with verify_api_cert set to false" do
+ rendered_template.should match(/verify_api_cert false/)
+ end
+ end
+ end
+
describe "specifying the encrypted data bag secret key" do
let(:secret) { "supersekret" }
let(:secret_file) { File.join(CHEF_SPEC_DATA, 'bootstrap', 'encrypted_data_bag_secret') }
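Review bot: The label on the `context "via --ssl-verify-mode verify-all"` line does not match the value the example actually passes (`"all"`), so a failure would be reported under a flag value that does not exist; rename it to `context "via --ssl-verify-mode all" do`. There is also no example for an unrecognised value, which is the path where the option proc currently stores `nil` without complaint; an example pinning what the rendered template contains in that case would document the intended behaviour. The enclosing `describe Chef::Knife::Bootstrap` block starts and ends outside the hunk.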
@@ -483,6 +532,9 @@ describe Chef::Knife::Bootstrap do
knife_ssh.should_receive(:run).and_raise(Net::SSH::AuthenticationFailed)
lambda { knife.run }.should raise_error(Net::SSH::AuthenticationFailed)
end
+ end
+
+ describe "specifying ssl verification" do
end
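Review bot: The `describe "specifying ssl verification" do` added here encloses nothing — its only content is the context `end` that follows — and it repeats the name of the populated block added earlier in this file, which looks like a leftover from moving the examples. Delete the three added lines (`end`, the blank line, and the `describe`) so the file closes with the original `end` and the examples live in one place. The enclosing `describe` starts outside the hunk.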
diff --git a/spec/unit/knife/core/bootstrap_context_spec.rb b/spec/unit/knife/core/bootstrap_context_spec.rb
index c5ad531a27..39ce9e51ca 100644
--- a/spec/unit/knife/core/bootstrap_context_spec.rb
+++ b/spec/unit/knife/core/bootstrap_context_spec.rb
@@ -168,4 +168,32 @@ EXPECTED
bootstrap_context.latest_current_chef_version_string.should eq("-v #{Chef::VERSION.to_i}")
end
end
+
+ describe "via --ssl-verify-mode is specified" do
+ let(:chef_config) do
+ {
+ :knife => {:ssl_verify_mode => :verify_peer}
+ }
+ end
+
+ it "should set ssl_verify_mode in the config" do
+ bootstrap_context.config_content.should include("ssl_verify_mode :verify_peer")
+ end
+ end
+
+ describe "via --no-verify-api-cert" do
+ let(:config) {{:verify_api_cert => false}}
+
+ it "should set verify_api_cert to false in the config" do
+ bootstrap_context.config_content.should include("verify_api_cert false")
+ end
+ end
+
+ describe "via --verify-api-cert" do
+ let(:config) {{:verify_api_cert => true}}
+
+ it "should set verify_api_cert to true in the config" do
+ bootstrap_context.config_content.should include("verify_api_cert true")
+ end
+ end
end
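Review bot: The `unless @config[:verify_api_cert].nil?` guard in bootstrap_context.rb is the branch that keeps `verify_api_cert` out of the generated client.rb when the flag was not given, and neither new `describe` exercises it; both set the key explicitly. Add an example with the key absent that asserts the line is not emitted (this assumes the outer `let(:config)` this hunk overrides is a plain hash, which the `let(:config) {{:verify_api_cert => false}}` lines suggest). The `describe "via --ssl-verify-mode is specified"` label also misstates what is driven — this spec sets `chef_config`, not the CLI — so `describe "when ssl_verify_mode is set in the knife config"` reads more accurately. The enclosing top-level `describe` starts outside the hunk.
```ruby
  describe "when verify_api_cert is not specified" do
    let(:config) {{}}

    it "does not emit verify_api_cert in the config" do
      bootstrap_context.config_content.should_not include("verify_api_cert")
    end
  end
```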