author | Tim Smith <tsmith@chef.io> | 2020-05-27 09:53:15 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-05-27 09:53:15 -0700 |
commit | eb2598d5d2acdf8e9960062c75e1d26a58739e33 (patch) | |
tree | aeddf59624f4fd6cec8551f32a0e1752b14a278b | |
parent | 33765e6be755c1289df6cb75a3cc167d64f993ea (diff) | |
parent | 28c548500f5a2de3babfd05fbd27b2e9a76ca266 (diff) | |
Merge pull request #9833 from jaymzh/remote_file_ssl
Add ssl_verify option for remote_file
-rw-r--r-- | lib/chef/http.rb | 3 | ||||
-rw-r--r-- | lib/chef/http/ssl_policies.rb | 18 | ||||
-rw-r--r-- | lib/chef/provider/remote_file/http.rb | 8 | ||||
-rw-r--r-- | lib/chef/resource/remote_file.rb | 3 | ||||
-rw-r--r-- | spec/unit/http/ssl_policies_spec.rb | 20 |
5 files changed, 51 insertions, 1 deletions
diff --git a/lib/chef/http.rb b/lib/chef/http.rb
index d31d4d3027..d34718d048 100644
--- a/lib/chef/http.rb
+++ b/lib/chef/http.rb
@@ -304,7 +304,8 @@ class Chef
           SocketlessChefZeroClient.new(base_url)
         else
-          BasicClient.new(base_url, ssl_policy: Chef::HTTP::APISSLPolicy, keepalives: keepalives)
+          ssl_policy = @options[:ssl_verify_mode] || Chef::HTTP::APISSLPolicy
+          BasicClient.new(base_url, ssl_policy: ssl_policy, keepalives: keepalives)
         end
       end
diff --git a/lib/chef/http/ssl_policies.rb b/lib/chef/http/ssl_policies.rb
index 66cbea048b..05e4baf581 100644
--- a/lib/chef/http/ssl_policies.rb
+++ b/lib/chef/http/ssl_policies.rb
@@ -129,5 +129,23 @@ class Chef
       end
     end
+    # This policy is used when we want to explicitly turn on verification
+    # for a specific request regardless of the API Policy. For example, when
+    # doing a `remote_file` where the user specified `verify_mode :verify_peer`
+    class VerifyPeerSSLPolicy < DefaultSSLPolicy
+      def set_verify_mode
+        http_client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      end
+    end
+
+    # This policy is used when we want to explicitly turn off verification
+    # for a specific request regardless of the API Policy. For example, when
+    # doing a `remote_file` where the user specified `verify_mode :verify_none`
+    class VerifyNoneSSLPolicy < DefaultSSLPolicy
+      def set_verify_mode
+        http_client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      end
+    end
+
   end
 end
diff --git a/lib/chef/provider/remote_file/http.rb b/lib/chef/provider/remote_file/http.rb
index 86c7b84858..ef7398f756 100644
--- a/lib/chef/provider/remote_file/http.rb
+++ b/lib/chef/provider/remote_file/http.rb
@@ -134,6 +134,14 @@ class Chef
           logger.trace("Turning gzip compression off due to filename ending in gz")
           opts[:disable_gzip] = true
         end
+        if new_resource.ssl_verify_mode
+          opts[:ssl_verify_mode] = case new_resource.ssl_verify_mode
+                                   when :verify_none
+                                     Chef::HTTP::VerifyNoneSSLPolicy
+                                   else :verify_peer
+                                     Chef::HTTP::VerifyPeerSSLPolicy
+                                   end
+        end
         opts
       end
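Review bot: The value read from `@options[:ssl_verify_mode]` goes straight into `BasicClient.new(base_url, ssl_policy: ...)`, so despite its name it has to be a Chef::HTTP SSL policy class, not one of the `:verify_peer`/`:verify_none` symbols that the `ssl_verify_mode` config setting and the new resource property use; a caller that passes the symbol form, which is the natural reading of this key, will presumably fail inside BasicClient rather than here. Naming the option after what it carries, `ssl_policy = @options[:ssl_policy] || Chef::HTTP::APISSLPolicy`, or at minimum a comment such as `# :ssl_verify_mode carries an SSL policy class (see Chef::HTTP::VerifyNoneSSLPolicy), not a verify-mode symbol`, would keep the two from being confused. Whether any caller other than the remote_file provider reaches this option is not visible in the diff. The enclosing method begins before the hunk.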
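Review bot: `VerifyNoneSSLPolicy#set_verify_mode` sets `OpenSSL::SSL::VERIFY_NONE` without emitting any log line, so a run that fetches a file over TLS with no server authentication leaves no trace for the operator; if `DefaultSSLPolicy#set_verify_mode` emits the usual warning for the `:verify_none` case, overriding it without calling `super` also bypasses that warning. A single `Chef::Log.warn("SSL certificate verification disabled for this request via ssl_verify_mode :verify_none; the server certificate will not be checked")` before the assignment would restore that signal. The comments on both classes refer to `verify_mode :verify_peer` / `verify_mode :verify_none`, while the resource property this commit adds is `ssl_verify_mode`, so the comments should name the property as it is actually spelled. Both classes inherit the remaining steps of `DefaultSSLPolicy`, whose definition lies outside the hunk.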
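Review bot: `else :verify_peer` in the new `case` is not a `when` clause; Ruby parses it as the `else` branch followed by a bare `:verify_peer` literal that is evaluated and discarded, so the mapping only works because the property's `equal_to` validation leaves `:verify_peer` as the sole other value. It reads like a typo and should be an explicit branch, `when :verify_peer` over `Chef::HTTP::VerifyPeerSSLPolicy`, with the `else` reserved for a hard failure such as `else raise ArgumentError, "unsupported ssl_verify_mode #{new_resource.ssl_verify_mode.inspect}"` so a future value cannot silently fall through to peer verification being selected by accident. The `opts[:ssl_verify_mode]` key is consumed by `Chef::HTTP#build_http_client` (also changed in this commit), which treats it as a policy class. The method this hunk modifies starts before the hunk.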
diff --git a/lib/chef/resource/remote_file.rb b/lib/chef/resource/remote_file.rb
index 8056cac922..965301411a 100644
--- a/lib/chef/resource/remote_file.rb
+++ b/lib/chef/resource/remote_file.rb
@@ -94,6 +94,9 @@ class Chef
       property :show_progress, [ TrueClass, FalseClass ], default: false
+      property :ssl_verify_mode, equal_to: %i{verify_none verify_peer}, default: nil,
+        description: "Optional property to override SSL policy. If not specified, uses the SSL polify from config.rb."
+
       property :remote_user, String
       property :remote_domain, String
diff --git a/spec/unit/http/ssl_policies_spec.rb b/spec/unit/http/ssl_policies_spec.rb
index 9dc5adcce5..73ee2790e3 100644
--- a/spec/unit/http/ssl_policies_spec.rb
+++ b/spec/unit/http/ssl_policies_spec.rb
@@ -166,4 +166,24 @@ describe "HTTP SSL Policy" do
     end
   end
+
+  describe Chef::HTTP::VerifyPeerSSLPolicy do
+
+    let(:ssl_policy) { Chef::HTTP::VerifyPeerSSLPolicy.new(unconfigured_http_client) }
+
+    it "sets the OpenSSL verify mode to verify_peer" do
+      expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_PEER)
+    end
+
+  end
+
+  describe Chef::HTTP::VerifyNoneSSLPolicy do
+
+    let(:ssl_policy) { Chef::HTTP::VerifyNoneSSLPolicy.new(unconfigured_http_client) }
+
+    it "sets the OpenSSL verify mode to verify_peer" do
+      expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_NONE)
+    end
+
+  end
 end
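Review bot: The `description:` string contains the typo `polify`, which will appear verbatim in generated resource documentation, and it does not tell the user what `:verify_none` gives up. Suggested text: `description: "Optional property to override the SSL policy for this download. :verify_none disables server certificate validation for this request only, so an attacker on the network path can substitute the file; if not specified, the ssl_verify_mode from config.rb is used."`. If the neighbouring properties in this resource carry an `introduced:` version, this one should as well. The property sits inside a class that extends beyond the hunk.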
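Review bot: The second new example is titled `"sets the OpenSSL verify mode to verify_peer"` but asserts `OpenSSL::SSL::VERIFY_NONE`; the description was copied from the VerifyPeer example and should read `it "sets the OpenSSL verify mode to verify_none" do`, otherwise a failure reports the wrong policy name. Nothing in this commit exercises the provider-side mapping from the `ssl_verify_mode` property to these policy classes, so a case for `:verify_none` and `:verify_peer` in the remote_file provider spec would cover the part of the change most likely to regress.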