diff options
author | Phil Dibowitz <phil@ipom.com> | 2020-05-09 15:53:44 -0700 |
---|---|---|
committer | Phil Dibowitz <phil@ipom.com> | 2020-05-18 19:06:02 -0700 |
commit | 28c548500f5a2de3babfd05fbd27b2e9a76ca266 (patch) | |
tree | 71640215d9a28b2858bff0fc8b5ffad02d478cd9 | |
parent | a3908d26aa86e0d04bac2a87438e484311f1d763 (diff) | |
download | chef-28c548500f5a2de3babfd05fbd27b2e9a76ca266.tar.gz |
Add ssl_verify option for remote_file
Different servers have different https requirements and enforcing
the API policy on all `remote_file` resources isn't reasonable.
The logic around the HTTP clients and policies in Chef is... complex.
This approach seemed like the best one, but I'm open to others.
By default here if the user specifies nothing, `remote_file`'s http
clients will fall back to the API policy, otherwise, it'll use whatever
the specify.
This fixes #8897
Signed-off-by: Phil Dibowitz <phil@ipom.com>
-rw-r--r-- | lib/chef/http.rb | 3 | ||||
-rw-r--r-- | lib/chef/http/ssl_policies.rb | 18 | ||||
-rw-r--r-- | lib/chef/provider/remote_file/http.rb | 8 | ||||
-rw-r--r-- | lib/chef/resource/remote_file.rb | 3 | ||||
-rw-r--r-- | spec/unit/http/ssl_policies_spec.rb | 20 |
5 files changed, 51 insertions, 1 deletions
diff --git a/lib/chef/http.rb b/lib/chef/http.rb index 80db24fa3b..17382b0380 100644 --- a/lib/chef/http.rb +++ b/lib/chef/http.rb @@ -304,7 +304,8 @@ class Chef SocketlessChefZeroClient.new(base_url) else - BasicClient.new(base_url, ssl_policy: Chef::HTTP::APISSLPolicy, keepalives: keepalives) + ssl_policy = @options[:ssl_verify_mode] || Chef::HTTP::APISSLPolicy + BasicClient.new(base_url, ssl_policy: ssl_policy, keepalives: keepalives) end end diff --git a/lib/chef/http/ssl_policies.rb b/lib/chef/http/ssl_policies.rb index 66cbea048b..05e4baf581 100644 --- a/lib/chef/http/ssl_policies.rb +++ b/lib/chef/http/ssl_policies.rb @@ -129,5 +129,23 @@ class Chef end end + # This policy is used when we want to explicitly turn on verification + # for a specific request regardless of the API Policy. For example, when + # doing a `remote_file` where the user specified `verify_mode :verify_peer` + class VerifyPeerSSLPolicy < DefaultSSLPolicy + def set_verify_mode + http_client.verify_mode = OpenSSL::SSL::VERIFY_PEER + end + end + + # This policy is used when we want to explicitly turn off verification + # for a specific request regardless of the API Policy. For example, when + # doing a `remote_file` where the user specified `verify_mode :verify_none` + class VerifyNoneSSLPolicy < DefaultSSLPolicy + def set_verify_mode + http_client.verify_mode = OpenSSL::SSL::VERIFY_NONE + end + end + end end diff --git a/lib/chef/provider/remote_file/http.rb b/lib/chef/provider/remote_file/http.rb index 86c7b84858..ef7398f756 100644 --- a/lib/chef/provider/remote_file/http.rb +++ b/lib/chef/provider/remote_file/http.rb @@ -134,6 +134,14 @@ class Chef logger.trace("Turning gzip compression off due to filename ending in gz") opts[:disable_gzip] = true end + if new_resource.ssl_verify_mode + opts[:ssl_verify_mode] = case new_resource.ssl_verify_mode + when :verify_none + Chef::HTTP::VerifyNoneSSLPolicy + else :verify_peer + Chef::HTTP::VerifyPeerSSLPolicy + end + end opts end diff --git a/lib/chef/resource/remote_file.rb b/lib/chef/resource/remote_file.rb index 8056cac922..965301411a 100644 --- a/lib/chef/resource/remote_file.rb +++ b/lib/chef/resource/remote_file.rb @@ -94,6 +94,9 @@ class Chef property :show_progress, [ TrueClass, FalseClass ], default: false + property :ssl_verify_mode, equal_to: %i{verify_none verify_peer}, default: nil, + description: "Optional property to override SSL policy. If not specified, uses the SSL polify from config.rb." + property :remote_user, String property :remote_domain, String diff --git a/spec/unit/http/ssl_policies_spec.rb b/spec/unit/http/ssl_policies_spec.rb index 9dc5adcce5..73ee2790e3 100644 --- a/spec/unit/http/ssl_policies_spec.rb +++ b/spec/unit/http/ssl_policies_spec.rb @@ -166,4 +166,24 @@ describe "HTTP SSL Policy" do end end + + describe Chef::HTTP::VerifyPeerSSLPolicy do + + let(:ssl_policy) { Chef::HTTP::VerifyPeerSSLPolicy.new(unconfigured_http_client) } + + it "sets the OpenSSL verify mode to verify_peer" do + expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_PEER) + end + + end + + describe Chef::HTTP::VerifyNoneSSLPolicy do + + let(:ssl_policy) { Chef::HTTP::VerifyNoneSSLPolicy.new(unconfigured_http_client) } + + it "sets the OpenSSL verify mode to verify_peer" do + expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_NONE) + end + + end end |