diff options
author | Jay Mundrawala <jdmundrawala@gmail.com> | 2016-01-26 14:04:59 -0800 |
---|---|---|
committer | Jay Mundrawala <jdmundrawala@gmail.com> | 2016-01-26 14:04:59 -0800 |
commit | 58112e1210cac991e7a9cf434c74ece0aa97414d (patch) | |
tree | d4a83406aadb8a756ab80f5c1660891ce33842f4 | |
parent | 92de2b34aa48daa878e47db2b00d4c669ada1d96 (diff) | |
parent | 15ee9bd1b9ff3332d2197e29fffdffff82dda06f (diff) | |
download | chef-58112e1210cac991e7a9cf434c74ece0aa97414d.tar.gz |
Merge pull request #4287 from chef/jdm/1.3-fips
Default Chef with FIPS OpenSSL to use sign v1.3
-rw-r--r-- | chef-config/lib/chef-config/config.rb | 27 | ||||
-rw-r--r-- | chef.gemspec | 2 | ||||
-rwxr-xr-x | ci/verify-chef.bat | 3 | ||||
-rwxr-xr-x | ci/verify-chef.sh | 7 | ||||
-rw-r--r-- | lib/chef/application.rb | 1 | ||||
-rw-r--r-- | lib/chef/application/apply.rb | 1 | ||||
-rw-r--r-- | lib/chef/application/client.rb | 7 | ||||
-rw-r--r-- | lib/chef/formatters/doc.rb | 1 | ||||
-rw-r--r-- | lib/chef/formatters/minimal.rb | 3 | ||||
-rw-r--r-- | lib/chef/http/authenticator.rb | 13 | ||||
-rw-r--r-- | lib/chef/knife.rb | 1 | ||||
-rw-r--r-- | lib/chef/knife/bootstrap.rb | 5 | ||||
-rw-r--r-- | lib/chef/knife/core/bootstrap_context.rb | 4 | ||||
-rw-r--r-- | omnibus/config/projects/chef-fips.rb | 2 | ||||
-rw-r--r-- | spec/spec_helper.rb | 5 | ||||
-rw-r--r-- | spec/support/chef_helpers.rb | 2 | ||||
-rw-r--r-- | spec/support/platform_helpers.rb | 4 | ||||
-rw-r--r-- | spec/unit/api_client/registration_spec.rb | 12 | ||||
-rw-r--r-- | spec/unit/application_spec.rb | 10 | ||||
-rw-r--r-- | spec/unit/client_spec.rb | 23 | ||||
-rw-r--r-- | spec/unit/encrypted_data_bag_item_spec.rb | 2 | ||||
-rw-r--r-- | spec/unit/http/authenticator_spec.rb | 4 | ||||
-rw-r--r-- | spec/unit/http/ssl_policies_spec.rb | 2 | ||||
-rw-r--r-- | spec/unit/rest/auth_credentials_spec.rb | 33 |
24 files changed, 120 insertions, 54 deletions
diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb index 5705ffbf56..eda684a6b4 100644 --- a/chef-config/lib/chef-config/config.rb +++ b/chef-config/lib/chef-config/config.rb @@ -27,6 +27,7 @@ require "chef-config/windows" require "chef-config/path_helper" require "mixlib/shellout" require "uri" +require "openssl" module ChefConfig @@ -450,10 +451,32 @@ module ChefConfig # Where should chef-solo download recipes from? default :recipe_url, nil + # Set to true if Chef is to set OpenSSL to run in FIPS mode + default(:fips) { ENV["CHEF_FIPS"] == "1" } + + # Initialize openssl + def self.init_openssl + if fips + ChefConfig.logger.warn "The `fips` feature is still a work in progress. This feature is incomplete." + OpenSSL.fips_mode = true + require "digest" + require "digest/sha1" + require "digest/md5" + Digest.const_set("SHA1", OpenSSL::Digest::SHA1) + OpenSSL::Digest.const_set("MD5", Digest::MD5) + end + end + # Sets the version of the signed header authentication protocol to use (see # the 'mixlib-authorization' project for more detail). Currently, versions - # 1.0 and 1.1 are available. - default :authentication_protocol_version, "1.1" + # 1.0, 1.1, and 1.3 are available. + default :authentication_protocol_version do + if fips + "1.3" + else + "1.1" + end + end # This key will be used to sign requests to the Chef server. This location # must be writable by Chef during initial setup when generating a client diff --git a/chef.gemspec b/chef.gemspec index 818e654a4b..e50ef6c744 100644 --- a/chef.gemspec +++ b/chef.gemspec @@ -19,7 +19,7 @@ Gem::Specification.new do |s| s.add_dependency "mixlib-cli", "~> 1.4" s.add_dependency "mixlib-log", "~> 1.3" - s.add_dependency "mixlib-authentication", "~> 1.3" + s.add_dependency "mixlib-authentication", "~> 1.4" s.add_dependency "mixlib-shellout", "~> 2.0" s.add_dependency "ohai", ">= 8.6.0.alpha.1", "< 9" diff --git a/ci/verify-chef.bat b/ci/verify-chef.bat index 1c159f0668..2c16eb83f6 100755 --- a/ci/verify-chef.bat +++ b/ci/verify-chef.bat @@ -52,5 +52,8 @@ IF "%PIPELINE_NAME%" == "chef-13" ( call bundle exec rspec -r rspec_junit_formatter -f RspecJunitFormatter -o %WORKSPACE%\test.xml -f documentation spec/unit spec/functional ) ELSE ( REM ; Running unit tests + IF "%PIPELINE_NAME%" == "chef-fips" ( + set CHEF_FIPS=1 + ) call bundle exec rspec -r rspec_junit_formatter -f RspecJunitFormatter -o %WORKSPACE%\test.xml -f documentation spec/unit spec/functional ) diff --git a/ci/verify-chef.sh b/ci/verify-chef.sh index 4e60b1fd9f..1e384c7018 100755 --- a/ci/verify-chef.sh +++ b/ci/verify-chef.sh @@ -86,4 +86,9 @@ if [ ! -f "Gemfile.lock" ]; then exit 1 fi -sudo env PATH=$PATH TERM=xterm bundle exec rspec -r rspec_junit_formatter -f RspecJunitFormatter -o $WORKSPACE/test.xml -f documentation spec/functional spec/unit +CHEF_FIPS=0 +if [ $PIPELINE_NAME='chef-fips']; +then + CHEF_FIPS=1 +fi +sudo env PATH=$PATH TERM=xterm CHEF_FIPS=$CHEF_FIPS bundle exec rspec -r rspec_junit_formatter -f RspecJunitFormatter -o $WORKSPACE/test.xml -f documentation spec/functional spec/unit diff --git a/lib/chef/application.rb b/lib/chef/application.rb index 4562d84a5d..a4d4fc209d 100644 --- a/lib/chef/application.rb +++ b/lib/chef/application.rb @@ -84,6 +84,7 @@ class Chef parse_options load_config_file Chef::Config.export_proxies + Chef::Config.init_openssl end # Parse the config file diff --git a/lib/chef/application/apply.rb b/lib/chef/application/apply.rb index f6348a951b..42b2d5fc9a 100644 --- a/lib/chef/application/apply.rb +++ b/lib/chef/application/apply.rb @@ -125,6 +125,7 @@ class Chef::Application::Apply < Chef::Application Chef::Config.merge!(config) configure_logging Chef::Config.export_proxies + Chef::Config.init_openssl parse_json end diff --git a/lib/chef/application/client.rb b/lib/chef/application/client.rb index ba357b420d..5b124b60a7 100644 --- a/lib/chef/application/client.rb +++ b/lib/chef/application/client.rb @@ -274,6 +274,11 @@ class Chef::Application::Client < Chef::Application :description => "Whether a local mode (-z) server binds to a port", :boolean => true + option :fips, + :long => "--fips", + :description => "Enable fips mode", + :boolean => true + IMMEDIATE_RUN_SIGNAL = "1".freeze attr_reader :chef_client_json @@ -287,6 +292,8 @@ class Chef::Application::Client < Chef::Application set_specific_recipes + Chef::Config[:fips] = config[:fips] if config.has_key? :fips + Chef::Config[:chef_server_url] = config[:chef_server_url] if config.has_key? :chef_server_url Chef::Config.local_mode = config[:local_mode] if config.has_key?(:local_mode) diff --git a/lib/chef/formatters/doc.rb b/lib/chef/formatters/doc.rb index 5510956754..ab450cdeac 100644 --- a/lib/chef/formatters/doc.rb +++ b/lib/chef/formatters/doc.rb @@ -43,6 +43,7 @@ class Chef def run_start(version) puts_line "Starting Chef Client, version #{version}" + puts_line "OpenSSL FIPS 140 mode enabled" if Chef::Config[:fips] end def total_resources diff --git a/lib/chef/formatters/minimal.rb b/lib/chef/formatters/minimal.rb index 2e32968b4b..94fbfd3818 100644 --- a/lib/chef/formatters/minimal.rb +++ b/lib/chef/formatters/minimal.rb @@ -29,7 +29,8 @@ class Chef # Called at the very start of a Chef Run def run_start(version) - puts "Starting Chef Client, version #{version}" + puts_line "Starting Chef Client, version #{version}" + puts_line "OpenSSL FIPS 140 mode enabled" if Chef::Config[:fips] end # Called at the end of the Chef run. diff --git a/lib/chef/http/authenticator.rb b/lib/chef/http/authenticator.rb index 02074171f8..ab4804c964 100644 --- a/lib/chef/http/authenticator.rb +++ b/lib/chef/http/authenticator.rb @@ -47,8 +47,8 @@ class Chef end def handle_request(method, url, headers={}, data=false) - headers.merge!(authentication_headers(method, url, data)) if sign_requests? headers.merge!({"X-Ops-Server-API-Version" => @api_version}) + headers.merge!(authentication_headers(method, url, data, headers)) if sign_requests? [method, url, headers, data] end @@ -90,12 +90,17 @@ class Chef raise Chef::Exceptions::InvalidPrivateKey, msg end - def authentication_headers(method, url, json_body=nil) - request_params = {:http_method => method, :path => url.path, :body => json_body, :host => "#{url.host}:#{url.port}"} + def authentication_headers(method, url, json_body=nil, headers=nil) + request_params = { + :http_method => method, + :path => url.path, + :body => json_body, + :host => "#{url.host}:#{url.port}", + :headers => headers, + } request_params[:body] ||= "" auth_credentials.signature_headers(request_params) end - end end end diff --git a/lib/chef/knife.rb b/lib/chef/knife.rb index a070c6c858..5cfcc7182a 100644 --- a/lib/chef/knife.rb +++ b/lib/chef/knife.rb @@ -398,6 +398,7 @@ class Chef merge_configs apply_computed_config Chef::Config.export_proxies + Chef::Config.init_openssl # This has to be after apply_computed_config so that Mixlib::Log is configured Chef::Log.info("Using configuration from #{config[:config_file]}") if config[:config_file] end diff --git a/lib/chef/knife/bootstrap.rb b/lib/chef/knife/bootstrap.rb index 23ec98e563..4db6c22f2e 100644 --- a/lib/chef/knife/bootstrap.rb +++ b/lib/chef/knife/bootstrap.rb @@ -250,6 +250,11 @@ class Chef Chef::Config[:knife][:bootstrap_vault_item] } + option :fips, + :long => "--fips", + :description => "Set openssl to run in fips mode", + :boolean => true + def initialize(argv=[]) super @client_builder = Chef::Knife::Bootstrap::ClientBuilder.new( diff --git a/lib/chef/knife/core/bootstrap_context.rb b/lib/chef/knife/core/bootstrap_context.rb index b0a759dd05..46ade9f00f 100644 --- a/lib/chef/knife/core/bootstrap_context.rb +++ b/lib/chef/knife/core/bootstrap_context.rb @@ -120,6 +120,10 @@ validation_client_name "#{@chef_config[:validation_client_name]}" client_rb << %Q{trusted_certs_dir "/etc/chef/trusted_certs"\n} end + if @config[:fips] + client_rb << %Q{fips true\n} + end + client_rb end diff --git a/omnibus/config/projects/chef-fips.rb b/omnibus/config/projects/chef-fips.rb index fbb28fa5cc..37410b0e49 100644 --- a/omnibus/config/projects/chef-fips.rb +++ b/omnibus/config/projects/chef-fips.rb @@ -38,7 +38,7 @@ end override :fips, enabled: true override :'ruby-windows', version: "2.0.0-p647" -override :chef, version: "jdm/1.3-fips" +override :chef, version: "local_source" override :ohai, version: "master" msi_upgrade_code = "819F5DB3-B818-4358-BB2B-54B8171D0A26" diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index e69d61a7b3..34716e5fd8 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -67,6 +67,10 @@ require "chef/util/file_edit" require "chef/config" +if ENV["CHEF_FIPS"] == "1" + Chef::Config.init_openssl +end + # If you want to load anything into the testing environment # without versioning it, add it to spec/support/local_gems.rb require "spec/support/local_gems.rb" if File.exists?(File.join(File.dirname(__FILE__), "support", "local_gems.rb")) @@ -165,6 +169,7 @@ RSpec.configure do |config| config.filter_run_excluding :aes_256_gcm_only => true unless aes_256_gcm? config.filter_run_excluding :broken => true config.filter_run_excluding :not_wpar => true unless wpar? + config.filter_run_excluding :not_fips => true unless fips? running_platform_arch = `uname -m`.strip unless windows? diff --git a/spec/support/chef_helpers.rb b/spec/support/chef_helpers.rb index a792cd3c5f..cfc876ffd3 100644 --- a/spec/support/chef_helpers.rb +++ b/spec/support/chef_helpers.rb @@ -27,7 +27,7 @@ Chef::Config.solo(false) def sha256_checksum(path) - Digest::SHA256.hexdigest(File.read(path)) + OpenSSL::Digest::SHA256.hexdigest(File.read(path)) end # From Ruby 1.9.2+ diff --git a/spec/support/platform_helpers.rb b/spec/support/platform_helpers.rb index 0259dc6dfb..a29cb61d00 100644 --- a/spec/support/platform_helpers.rb +++ b/spec/support/platform_helpers.rb @@ -204,6 +204,10 @@ def aes_256_gcm? OpenSSL::Cipher.ciphers.include?("aes-256-gcm") end +def fips? + ENV["CHEF_FIPS"] == "1" +end + class GCEDetector extend Ohai::Mixin::GCEMetadata end diff --git a/spec/unit/api_client/registration_spec.rb b/spec/unit/api_client/registration_spec.rb index bddb33fa0d..97ed1c719c 100644 --- a/spec/unit/api_client/registration_spec.rb +++ b/spec/unit/api_client/registration_spec.rb @@ -113,7 +113,7 @@ describe Chef::ApiClient::Registration do with("clients", expected_post_data). and_return(create_with_pkey_response) expect(registration.run.public_key).to eq(create_with_pkey_response["chef_key"]["public_key"]) - expect(registration.private_key).to eq(generated_private_key_pem) + expect(OpenSSL::PKey::RSA.new(registration.private_key).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s) end it "puts a locally generated public key to the server to update a client" do @@ -124,7 +124,7 @@ describe Chef::ApiClient::Registration do with("clients/#{client_name}", expected_put_data). and_return(update_with_pkey_response) expect(registration.run.public_key).to eq(update_with_pkey_response["public_key"].to_pem) - expect(registration.private_key).to eq(generated_private_key_pem) + expect(OpenSSL::PKey::RSA.new(registration.private_key).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s) end it "writes the generated private key to disk" do @@ -132,7 +132,7 @@ describe Chef::ApiClient::Registration do with("clients", expected_post_data). and_return(create_with_pkey_response) registration.run - expect(IO.read(key_location)).to eq(generated_private_key_pem) + expect(OpenSSL::PKey::RSA.new(IO.read(key_location)).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s) end context "and the client already exists on a Chef 11 server" do @@ -142,7 +142,7 @@ describe Chef::ApiClient::Registration do with("clients/#{client_name}", expected_put_data). and_return(update_with_pkey_response) expect(registration.run.public_key).to eq(update_with_pkey_response["public_key"].to_pem) - expect(registration.private_key).to eq(generated_private_key_pem) + expect(OpenSSL::PKey::RSA.new(registration.private_key).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s) end end @@ -247,7 +247,7 @@ describe Chef::ApiClient::Registration do it "creates the client on the server and writes the key" do expect(http_mock).to receive(:post).ordered.and_return(server_v10_response) registration.run - expect(IO.read(key_location)).to eq(generated_private_key_pem) + expect(OpenSSL::PKey::RSA.new(IO.read(key_location)).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s) end it "retries up to 5 times" do @@ -262,7 +262,7 @@ describe Chef::ApiClient::Registration do expect(http_mock).to receive(:post).ordered.and_return(server_v10_response) registration.run - expect(IO.read(key_location)).to eq(generated_private_key_pem) + expect(OpenSSL::PKey::RSA.new(IO.read(key_location)).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s) end it "gives up retrying after the max attempts" do diff --git a/spec/unit/application_spec.rb b/spec/unit/application_spec.rb index 6a78e5c827..d66cc26927 100644 --- a/spec/unit/application_spec.rb +++ b/spec/unit/application_spec.rb @@ -136,6 +136,16 @@ describe Chef::Application do expect(Chef::Config.rspec_ran).to eq("true") end + context "when openssl fips" do + before do + allow(Chef::Config).to receive(:fips).and_return(true) + end + + it "sets openssl in fips mode" do + expect(OpenSSL).to receive(:'fips_mode=').with(true) + @app.configure_chef + end + end end describe "when there is no config_file defined" do diff --git a/spec/unit/client_spec.rb b/spec/unit/client_spec.rb index 3b4d23da6e..60b274a774 100644 --- a/spec/unit/client_spec.rb +++ b/spec/unit/client_spec.rb @@ -45,8 +45,27 @@ describe Chef::Client do end describe "authentication protocol selection" do - it "defaults to 1.1" do - expect(Chef::Config[:authentication_protocol_version]).to eq("1.1") + context "when FIPS is disabled" do + before do + Chef::Config[:fips] = false + end + + it "defaults to 1.1" do + expect(Chef::Config[:authentication_protocol_version]).to eq("1.1") + end + end + context "when FIPS is enabled" do + before do + Chef::Config[:fips] = true + end + + it "defaults to 1.3" do + expect(Chef::Config[:authentication_protocol_version]).to eq("1.3") + end + + after do + Chef::Config[:fips] = false + end end end diff --git a/spec/unit/encrypted_data_bag_item_spec.rb b/spec/unit/encrypted_data_bag_item_spec.rb index 796ad8ff5b..ee69ecfddc 100644 --- a/spec/unit/encrypted_data_bag_item_spec.rb +++ b/spec/unit/encrypted_data_bag_item_spec.rb @@ -290,7 +290,7 @@ describe Chef::EncryptedDataBagItem::Decryptor do end - context "when decrypting a version 0 (YAML+aes-256-cbc+no iv) encrypted value" do + context "when decrypting a version 0 (YAML+aes-256-cbc+no iv) encrypted value", :not_fips do let(:encrypted_value) do Version0Encryptor.encrypt_value(plaintext_data, encryption_key) end diff --git a/spec/unit/http/authenticator_spec.rb b/spec/unit/http/authenticator_spec.rb index 1289ebb61e..031a483fe9 100644 --- a/spec/unit/http/authenticator_spec.rb +++ b/spec/unit/http/authenticator_spec.rb @@ -70,7 +70,9 @@ describe Chef::HTTP::Authenticator do it_behaves_like "merging the server API version into the headers" it "calls authentication_headers with the proper input" do - expect(class_instance).to receive(:authentication_headers).with(method, url, data).and_return({}) + expect(class_instance).to receive(:authentication_headers).with( + method, url, data, + {"X-Ops-Server-API-Version" => Chef::HTTP::Authenticator::DEFAULT_SERVER_API_VERSION}).and_return({}) class_instance.handle_request(method, url, headers, data) end end diff --git a/spec/unit/http/ssl_policies_spec.rb b/spec/unit/http/ssl_policies_spec.rb index 98f1fa9c37..510a1a66bc 100644 --- a/spec/unit/http/ssl_policies_spec.rb +++ b/spec/unit/http/ssl_policies_spec.rb @@ -109,7 +109,7 @@ describe "HTTP SSL Policy" do Chef::Config[:ssl_client_cert] = CHEF_SPEC_DATA + "/ssl/chef-rspec.cert" Chef::Config[:ssl_client_key] = CHEF_SPEC_DATA + "/ssl/chef-rspec.key" expect(http_client.cert.to_s).to eq(OpenSSL::X509::Certificate.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.cert")).to_s) - expect(http_client.key.to_s).to eq(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.key")) + expect(http_client.key.to_s).to eq(OpenSSL::PKey::RSA.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.key")).to_s) end end diff --git a/spec/unit/rest/auth_credentials_spec.rb b/spec/unit/rest/auth_credentials_spec.rb index 88da44319b..c3ce695387 100644 --- a/spec/unit/rest/auth_credentials_spec.rb +++ b/spec/unit/rest/auth_credentials_spec.rb @@ -23,37 +23,6 @@ require "spec_helper" require "uri" require "net/https" -KEY_DOT_PEM=<<-END_RSA_KEY ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA49TA0y81ps0zxkOpmf5V4/c4IeR5yVyQFpX3JpxO4TquwnRh -8VSUhrw8kkTLmB3cS39Db+3HadvhoqCEbqPE6915kXSuk/cWIcNozujLK7tkuPEy -YVsyTioQAddSdfe+8EhQVf3oHxaKmUd6waXrWqYCnhxgOjxocenREYNhZ/OETIei -PbOku47vB4nJK/0GhKBytL2XnsRgfKgDxf42BqAi1jglIdeq8lAWZNF9TbNBU21A -O1iuT7Pm6LyQujhggPznR5FJhXKRUARXBJZawxpGV4dGtdcahwXNE4601aXPra+x -PcRd2puCNoEDBzgVuTSsLYeKBDMSfs173W1QYwIDAQABAoIBAGF05q7vqOGbMaSD -2Q7YbuE/JTHKTBZIlBI1QC2x+0P5GDxyEFttNMOVzcs7xmNhkpRw8eX1LrInrpMk -WsIBKAFFEfWYlf0RWtRChJjNl+szE9jQxB5FJnWtJH/FHa78tR6PsF24aQyzVcJP -g0FGujBihwgfV0JSCNOBkz8MliQihjQA2i8PGGmo4R4RVzGfxYKTIq9vvRq/+QEa -Q4lpVLoBqnENpnY/9PTl6JMMjW2b0spbLjOPVwDaIzXJ0dChjNXo15K5SHI5mALJ -I5gN7ODGb8PKUf4619ez194FXq+eob5YJdilTFKensIUvt3YhP1ilGMM+Chi5Vi/ -/RCTw3ECgYEA9jTw4wv9pCswZ9wbzTaBj9yZS3YXspGg26y6Ohq3ZmvHz4jlT6uR -xK+DDcUiK4072gci8S4Np0fIVS7q6ivqcOdzXPrTF5/j+MufS32UrBbUTPiM1yoO -ECcy+1szl/KoLEV09bghPbvC58PFSXV71evkaTETYnA/F6RK12lEepcCgYEA7OSy -bsMrGDVU/MKJtwqyGP9ubA53BorM4Pp9VVVSCrGGVhb9G/XNsjO5wJC8J30QAo4A -s59ZzCpyNRy046AB8jwRQuSwEQbejSdeNgQGXhZ7aIVUtuDeFFdaIz/zjVgxsfj4 -DPOuzieMmJ2MLR4F71ocboxNoDI7xruPSE8dDhUCgYA3vx732cQxgtHwAkeNPJUz -dLiE/JU7CnxIoSB9fYUfPLI+THnXgzp7NV5QJN2qzMzLfigsQcg3oyo6F2h7Yzwv -GkjlualIRRzCPaCw4Btkp7qkPvbs1QngIHALt8fD1N69P3DPHkTwjG4COjKWgnJq -qoHKS6Fe/ZlbigikI6KsuwKBgQCTlSLoyGRHr6oj0hqz01EDK9ciMJzMkZp0Kvn8 -OKxlBxYW+jlzut4MQBdgNYtS2qInxUoAnaz2+hauqhSzntK3k955GznpUatCqx0R -b857vWviwPX2/P6+E3GPdl8IVsKXCvGWOBZWTuNTjQtwbDzsUepWoMgXnlQJSn5I -YSlLxQKBgQD16Gw9kajpKlzsPa6XoQeGmZALT6aKWJQlrKtUQIrsIWM0Z6eFtX12 -2jjHZ0awuCQ4ldqwl8IfRogWMBkHOXjTPVK0YKWWlxMpD/5+bGPARa5fir8O1Zpo -Y6S6MeZ69Rp89ma4ttMZ+kwi1+XyHqC/dlcVRW42Zl5Dc7BALRlJjQ== ------END RSA PRIVATE KEY----- - END_RSA_KEY - - describe Chef::REST::AuthCredentials do before do @key_file_fixture = CHEF_SPEC_DATA + "/ssl/private_key.pem" @@ -67,7 +36,7 @@ describe Chef::REST::AuthCredentials do it "loads the private key when initialized with the path to the key" do expect(@auth_credentials.key).to respond_to(:private_encrypt) - expect(@auth_credentials.key.to_s).to eq(KEY_DOT_PEM) + expect(@auth_credentials.key).to eq(@key) end describe "when loading the private key" do |