authorPhil Dibowitz <phil@ipom.com>2020-05-09 15:53:44 -0700
committerPhil Dibowitz <phil@ipom.com>2020-05-18 19:06:02 -0700
commit28c548500f5a2de3babfd05fbd27b2e9a76ca266 (patch)
tree71640215d9a28b2858bff0fc8b5ffad02d478cd9
parenta3908d26aa86e0d04bac2a87438e484311f1d763 (diff)
downloadchef-28c548500f5a2de3babfd05fbd27b2e9a76ca266.tar.gz
Add ssl_verify option for remote_file
Different servers have different https requirements and enforcing the API policy on all `remote_file` resources isn't reasonable. The logic around the HTTP clients and policies in Chef is... complex. This approach seemed like the best one, but I'm open to others. By default here, if the user specifies nothing, `remote_file`'s http clients will fall back to the API policy; otherwise, it'll use whatever they specify. This fixes #8897 Signed-off-by: Phil Dibowitz <phil@ipom.com>
-rw-r--r--lib/chef/http.rb3
-rw-r--r--lib/chef/http/ssl_policies.rb18
-rw-r--r--lib/chef/provider/remote_file/http.rb8
-rw-r--r--lib/chef/resource/remote_file.rb3
-rw-r--r--spec/unit/http/ssl_policies_spec.rb20
5 files changed, 51 insertions, 1 deletions
diff --git a/lib/chef/http.rb b/lib/chef/http.rb
index 80db24fa3b..17382b0380 100644
--- a/lib/chef/http.rb
+++ b/lib/chef/http.rb
@@ -304,7 +304,8 @@ class Chef
SocketlessChefZeroClient.new(base_url)
else
- BasicClient.new(base_url, ssl_policy: Chef::HTTP::APISSLPolicy, keepalives: keepalives)
+ ssl_policy = @options[:ssl_verify_mode] || Chef::HTTP::APISSLPolicy
+ BasicClient.new(base_url, ssl_policy: ssl_policy, keepalives: keepalives)
end
end
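Review bot: The option read on the new line is named `:ssl_verify_mode`, but the value it carries is an SSL policy class (the same kind of object as `Chef::HTTP::APISSLPolicy`, and the provider hunk in this commit stores `VerifyNoneSSLPolicy`/`VerifyPeerSSLPolicy` classes in that key), not an OpenSSL verify mode, so naming it `ssl_policy` at both ends would match what `BasicClient.new` actually receives. As written, anything truthy placed under that key is handed to `BasicClient` unchecked, so a short comment such as `# callers may place an SSL policy class in @options[:ssl_verify_mode] to override the API policy for this client` would help the next reader. The enclosing method starts outside the hunk.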
diff --git a/lib/chef/http/ssl_policies.rb b/lib/chef/http/ssl_policies.rb
index 66cbea048b..05e4baf581 100644
--- a/lib/chef/http/ssl_policies.rb
+++ b/lib/chef/http/ssl_policies.rb
@@ -129,5 +129,23 @@ class Chef
end
end
+ # This policy is used when we want to explicitly turn on verification
+ # for a specific request regardless of the API Policy. For example, when
+ # doing a `remote_file` where the user specified `verify_mode :verify_peer`
+ class VerifyPeerSSLPolicy < DefaultSSLPolicy
+ def set_verify_mode
+ http_client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ end
+ end
+
+ # This policy is used when we want to explicitly turn off verification
+ # for a specific request regardless of the API Policy. For example, when
+ # doing a `remote_file` where the user specified `verify_mode :verify_none`
+ class VerifyNoneSSLPolicy < DefaultSSLPolicy
+ def set_verify_mode
+ http_client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ end
+ end
+
end
end
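Review bot: The class comments on `VerifyPeerSSLPolicy` and `VerifyNoneSSLPolicy` say the user specified `verify_mode :verify_peer`, but the property this commit adds to `remote_file` is `ssl_verify_mode`, so the comments point at a name that does not exist. The second comment should also say what the policy does, since `VERIFY_NONE` turns off certificate validation for that client: `# Disables certificate verification (OpenSSL VERIFY_NONE) for a specific request regardless of the API policy, e.g. a remote_file with ssl_verify_mode :verify_none; the peer is not authenticated.` Whether `DefaultSSLPolicy` calls `set_verify_mode` as part of applying the policy is not visible in the hunk and is assumed.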
diff --git a/lib/chef/provider/remote_file/http.rb b/lib/chef/provider/remote_file/http.rb
index 86c7b84858..ef7398f756 100644
--- a/lib/chef/provider/remote_file/http.rb
+++ b/lib/chef/provider/remote_file/http.rb
@@ -134,6 +134,14 @@ class Chef
logger.trace("Turning gzip compression off due to filename ending in gz")
opts[:disable_gzip] = true
end
+ if new_resource.ssl_verify_mode
+ opts[:ssl_verify_mode] = case new_resource.ssl_verify_mode
+ when :verify_none
+ Chef::HTTP::VerifyNoneSSLPolicy
+ else :verify_peer
+ Chef::HTTP::VerifyPeerSSLPolicy
+ end
+ end
opts
end
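Review bot: `else :verify_peer` on the third arm of the new `case` is almost certainly meant to be `when :verify_peer`; Ruby parses `:verify_peer` as a discarded expression in the `else` body, so the branch still evaluates to `Chef::HTTP::VerifyPeerSSLPolicy` but only by accident, and any other value of `ssl_verify_mode` would silently map to peer verification. I would change it to `when :verify_peer` and drop the `else`, so an unexpected value yields nil and the `||` in `Chef::HTTP` falls back to the API policy (the property's `equal_to:` presumably already rejects other values, but that is enforced elsewhere). Since `:verify_none` disables certificate checking for the download, a `logger.warn` on that arm would leave a trace in the run log for anyone later asking why a fetch was unverified. The enclosing method starts outside the hunk.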
diff --git a/lib/chef/resource/remote_file.rb b/lib/chef/resource/remote_file.rb
index 8056cac922..965301411a 100644
--- a/lib/chef/resource/remote_file.rb
+++ b/lib/chef/resource/remote_file.rb
@@ -94,6 +94,9 @@ class Chef
property :show_progress, [ TrueClass, FalseClass ], default: false
+ property :ssl_verify_mode, equal_to: %i{verify_none verify_peer}, default: nil,
+ description: "Optional property to override SSL policy. If not specified, uses the SSL polify from config.rb."
+
property :remote_user, String
property :remote_domain, String
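Review bot: The description string on the new `ssl_verify_mode` property has a typo, `polify`, and it is also the one place a user sees what `:verify_none` means, so spell that out: `description: "Optional property to override the SSL policy for this resource. If not specified, the SSL policy from config.rb is used; :verify_none disables certificate verification for this download."`. `default: nil` alongside `equal_to:` is presumably accepted by the property DSL because nil is the unset value, but that is not visible here.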
diff --git a/spec/unit/http/ssl_policies_spec.rb b/spec/unit/http/ssl_policies_spec.rb
index 9dc5adcce5..73ee2790e3 100644
--- a/spec/unit/http/ssl_policies_spec.rb
+++ b/spec/unit/http/ssl_policies_spec.rb
@@ -166,4 +166,24 @@ describe "HTTP SSL Policy" do
end
end
+
+ describe Chef::HTTP::VerifyPeerSSLPolicy do
+
+ let(:ssl_policy) { Chef::HTTP::VerifyPeerSSLPolicy.new(unconfigured_http_client) }
+
+ it "sets the OpenSSL verify mode to verify_peer" do
+ expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_PEER)
+ end
+
+ end
+
+ describe Chef::HTTP::VerifyNoneSSLPolicy do
+
+ let(:ssl_policy) { Chef::HTTP::VerifyNoneSSLPolicy.new(unconfigured_http_client) }
+
+ it "sets the OpenSSL verify mode to verify_peer" do
+ expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_NONE)
+ end
+
+ end
end
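Review bot: The example name in the `VerifyNoneSSLPolicy` block still reads "sets the OpenSSL verify mode to verify_peer" while the expectation is `OpenSSL::SSL::VERIFY_NONE`; it should be `it "sets the OpenSSL verify mode to verify_none" do`. Both new blocks rely on `http_client` and `unconfigured_http_client` from the enclosing `describe`, which is outside the hunk, so I am assuming those `let`s pick up the `ssl_policy` override and apply it before the expectation runs.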