authorTim Smith <tsmith@chef.io>2020-05-27 09:53:15 -0700
committerGitHub <noreply@github.com>2020-05-27 09:53:15 -0700
commiteb2598d5d2acdf8e9960062c75e1d26a58739e33 (patch)
treeaeddf59624f4fd6cec8551f32a0e1752b14a278b
parent33765e6be755c1289df6cb75a3cc167d64f993ea (diff)
parent28c548500f5a2de3babfd05fbd27b2e9a76ca266 (diff)
downloadchef-eb2598d5d2acdf8e9960062c75e1d26a58739e33.tar.gz
Merge pull request #9833 from jaymzh/remote_file_ssl
Add ssl_verify option for remote_file
-rw-r--r--lib/chef/http.rb3
-rw-r--r--lib/chef/http/ssl_policies.rb18
-rw-r--r--lib/chef/provider/remote_file/http.rb8
-rw-r--r--lib/chef/resource/remote_file.rb3
-rw-r--r--spec/unit/http/ssl_policies_spec.rb20
5 files changed, 51 insertions, 1 deletions
diff --git a/lib/chef/http.rb b/lib/chef/http.rb
index d31d4d3027..d34718d048 100644
--- a/lib/chef/http.rb
+++ b/lib/chef/http.rb
@@ -304,7 +304,8 @@ class Chef
SocketlessChefZeroClient.new(base_url)
else
- BasicClient.new(base_url, ssl_policy: Chef::HTTP::APISSLPolicy, keepalives: keepalives)
+ ssl_policy = @options[:ssl_verify_mode] || Chef::HTTP::APISSLPolicy
+ BasicClient.new(base_url, ssl_policy: ssl_policy, keepalives: keepalives)
end
end
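Review bot: The option read on the added line is called `ssl_verify_mode`, but the value it carries is a policy class, not an OpenSSL verify mode: the provider hunk on this page stores `Chef::HTTP::VerifyNoneSSLPolicy` or `Chef::HTTP::VerifyPeerSSLPolicy` into it, and it is passed straight through as `ssl_policy:`. A reader of `Chef::HTTP` alone cannot tell what to pass, and a caller who passes an OpenSSL constant or a symbol would get an opaque failure inside `BasicClient`. Either name the option `:ssl_policy` to match the keyword it feeds, or add a comment above the new line such as `# :ssl_verify_mode holds an SSL policy class (VerifyNoneSSLPolicy / VerifyPeerSSLPolicy), not an OpenSSL VERIFY_* constant`. The enclosing method starts outside the hunk.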
diff --git a/lib/chef/http/ssl_policies.rb b/lib/chef/http/ssl_policies.rb
index 66cbea048b..05e4baf581 100644
--- a/lib/chef/http/ssl_policies.rb
+++ b/lib/chef/http/ssl_policies.rb
@@ -129,5 +129,23 @@ class Chef
end
end
+ # This policy is used when we want to explicitly turn on verification
+ # for a specific request regardless of the API Policy. For example, when
+ # doing a `remote_file` where the user specified `verify_mode :verify_peer`
+ class VerifyPeerSSLPolicy < DefaultSSLPolicy
+ def set_verify_mode
+ http_client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ end
+ end
+
+ # This policy is used when we want to explicitly turn off verification
+ # for a specific request regardless of the API Policy. For example, when
+ # doing a `remote_file` where the user specified `verify_mode :verify_none`
+ class VerifyNoneSSLPolicy < DefaultSSLPolicy
+ def set_verify_mode
+ http_client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ end
+ end
+
end
end
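Review bot: `VerifyNoneSSLPolicy#set_verify_mode` assigns `OpenSSL::SSL::VERIFY_NONE` silently, so a per-resource opt-out of certificate verification leaves no trace in the run log; if `DefaultSSLPolicy#set_verify_mode` (outside the hunk) warns when verification is off, this override skips that warning. Suggest logging before the assignment, e.g. `Chef::Log.warn("SSL certificate verification is disabled for this request (ssl_verify_mode :verify_none)")`, so an operator reviewing a run can see which download was fetched unverified. The class comments would also help readers more if they stated what is inherited: presumably the rest of `DefaultSSLPolicy`'s setup (CA/trust configuration) still applies and only the verify mode is replaced — worth confirming and writing into the comment.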
diff --git a/lib/chef/provider/remote_file/http.rb b/lib/chef/provider/remote_file/http.rb
index 86c7b84858..ef7398f756 100644
--- a/lib/chef/provider/remote_file/http.rb
+++ b/lib/chef/provider/remote_file/http.rb
@@ -134,6 +134,14 @@ class Chef
logger.trace("Turning gzip compression off due to filename ending in gz")
opts[:disable_gzip] = true
end
+ if new_resource.ssl_verify_mode
+ opts[:ssl_verify_mode] = case new_resource.ssl_verify_mode
+ when :verify_none
+ Chef::HTTP::VerifyNoneSSLPolicy
+ else :verify_peer
+ Chef::HTTP::VerifyPeerSSLPolicy
+ end
+ end
opts
end
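Review bot: `else :verify_peer` looks like a typo for `when :verify_peer`: as written, `:verify_peer` is a discarded expression at the start of the `else` branch, which then evaluates to `Chef::HTTP::VerifyPeerSSLPolicy`, so the code happens to work but says nothing about what it intends. Every value other than `:verify_none` currently maps to peer verification, which is the right fail-closed default, but that should be explicit: change the line to `when :verify_peer` and keep a separate `else` (either `raise ArgumentError, "unknown ssl_verify_mode"` or the peer policy with a comment that unknown values fail closed). The enclosing method starts outside the hunk.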
diff --git a/lib/chef/resource/remote_file.rb b/lib/chef/resource/remote_file.rb
index 8056cac922..965301411a 100644
--- a/lib/chef/resource/remote_file.rb
+++ b/lib/chef/resource/remote_file.rb
@@ -94,6 +94,9 @@ class Chef
property :show_progress, [ TrueClass, FalseClass ], default: false
+ property :ssl_verify_mode, equal_to: %i{verify_none verify_peer}, default: nil,
+ description: "Optional property to override SSL policy. If not specified, uses the SSL polify from config.rb."
+
property :remote_user, String
property :remote_domain, String
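Review bot: The description string on the new property has a typo, "polify", and it does not tell the user what the two values do; since `:verify_none` turns off TLS certificate verification for this one download, the docs generated from this string should say so. Suggested replacement: `description: "Optional property to override the SSL policy for this download. :verify_none disables certificate verification for this request only; :verify_peer enforces it. If not specified, uses the SSL policy from config.rb."`. The property list continues outside the hunk.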
diff --git a/spec/unit/http/ssl_policies_spec.rb b/spec/unit/http/ssl_policies_spec.rb
index 9dc5adcce5..73ee2790e3 100644
--- a/spec/unit/http/ssl_policies_spec.rb
+++ b/spec/unit/http/ssl_policies_spec.rb
@@ -166,4 +166,24 @@ describe "HTTP SSL Policy" do
end
end
+
+ describe Chef::HTTP::VerifyPeerSSLPolicy do
+
+ let(:ssl_policy) { Chef::HTTP::VerifyPeerSSLPolicy.new(unconfigured_http_client) }
+
+ it "sets the OpenSSL verify mode to verify_peer" do
+ expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_PEER)
+ end
+
+ end
+
+ describe Chef::HTTP::VerifyNoneSSLPolicy do
+
+ let(:ssl_policy) { Chef::HTTP::VerifyNoneSSLPolicy.new(unconfigured_http_client) }
+
+ it "sets the OpenSSL verify mode to verify_peer" do
+ expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_NONE)
+ end
+
+ end
end
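Review bot: The example name under `describe Chef::HTTP::VerifyNoneSSLPolicy` reads "sets the OpenSSL verify mode to verify_peer" while the expectation asserts `OpenSSL::SSL::VERIFY_NONE`, a copy-paste leftover; change it to `it "sets the OpenSSL verify mode to verify_none" do`. Both new examples rely on `http_client` and `unconfigured_http_client` being defined earlier in the file and on `ssl_policy` being applied before the expectation; the enclosing `describe` starts outside the hunk, so that wiring cannot be checked here.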