Merge pull request #1895 from opscode/mcquin/CHEF-5282

Add --ssl-verify-mode and --[no-]verify-api-cert options.
author: Serdar Sutay <serdar@opscode.com> 2014-08-28 13:51:08 -0700
committer: Serdar Sutay <serdar@opscode.com> 2014-08-28 13:51:08 -0700
commit: f0cc9ee51c50fb5f896b329d243ec273a65ff14a (patch)
tree: f080d2a38c9b42134c42d8db456ee1057d59be78
parent: 395534b88d54e6ec57eadfaab81c736c688e7938 (diff)
parent: 753e7162f6fb2e45cd6082c3b58ebc41cd1c01a0 (diff)
download: chef-f0cc9ee51c50fb5f896b329d243ec273a65ff14a.tar.gz
6 files changed, 145 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ca8cff3958..48cefb0b68 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -109,6 +109,8 @@
 * Remove the unused bootstrap templates that install chef from rubygems
 * Remove the Chef 10 functionality from bootstrap.
 * Deprecate --distro / --template_file options in favor of --boostrap-template
+* Add `:node_ssl_verify_mode` & `:node_verify_api_cert` options to bootstrap
+  to be able to configure these settings on the bootstrapped node.
 
 ## Last Release: 11.14.2
 
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index d67a1b9a04..33e405d273 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -6,7 +6,7 @@ Chef Client 12 introduces a set of changes to `knife bootstrap`. Here is the lis
 
 * Unused / untested bootstrap templates that install Chef Client from rubygems are removed. The recommended installation path for Chef Client is to use the omnibus packages. `chef-full` template (which is the default) installs Chef Client using omnibus packages on all the supported platforms.
 * `--distro` & `--template-file` options are deprecated in Chef 12 in favor of `--boostrap-template` option. This option can take a boostrap template name (e.g. 'chef-full') or the full path to a bootstrap template.
-
+* Chef now configures `:ssl_verify_mode` & `:verify_api_cert` config options on the node that is being bootstrapped. This setting can be controlled by `:node_ssl_verify_mode` & `:node_verify_api_cert` CLI options. If these are not specified the configured value will be inferred from knife config.
 
 ## Solaris Mount Provider
 
diff --git a/lib/chef/knife/bootstrap.rb b/lib/chef/knife/bootstrap.rb
index cf4f3c7a0c..36a0fc1e47 100644
--- a/lib/chef/knife/bootstrap.rb
+++ b/lib/chef/knife/bootstrap.rb
@@ -188,6 +188,21 @@ class Chef
         :description => "Add options to curl when install chef-client",
         :proc        => Proc.new { |co| Chef::Config[:knife][:bootstrap_curl_options] = co }
 
+      option :node_ssl_verify_mode,
+        :long        => "--node-ssl-verify-mode [peer|none]",
+        :description => "Whether or not to verify the SSL cert for all HTTPS requests.",
+        :proc        => Proc.new { |v|
+          valid_values = ["none", "peer"]
+          unless valid_values.include?(v)
+            raise "Invalid value '#{v}' for --node-ssl-verify-mode. Valid values are: #{valid_values.join(", ")}"
+          end
+        }
+
+      option :node_verify_api_cert,
+        :long        => "--[no-]node-verify-api-cert",
+        :description => "Verify the SSL cert for HTTPS requests to the Chef server API.",
+        :boolean     => true
+
       def bootstrap_template
         # For some reason knife.merge_configs doesn't pick up the default values from
         # Chef::Config[:knife][:bootstrap_template] unless Chef::Config[:knife][:bootstrap_template]
@@ -204,6 +219,7 @@ class Chef
         if File.exists?(template)
           Chef::Log.debug("Using the specified bootstrap template: #{File.dirname(template)}")
           return template
+
         end
 
         # Otherwise search the template directories until we find the right one
diff --git a/lib/chef/knife/core/bootstrap_context.rb b/lib/chef/knife/core/bootstrap_context.rb
index 0fdd77594a..12d422a162 100644
--- a/lib/chef/knife/core/bootstrap_context.rb
+++ b/lib/chef/knife/core/bootstrap_context.rb
@@ -64,6 +64,36 @@ CONFIG
             client_rb << "# Using default node name (fqdn)\n"
           end
 
+          # We configure :verify_api_cert only when it's overridden on the CLI
+          # or when specified in the knife config.
+          if !@config[:node_verify_api_cert].nil? || knife_config.has_key?(:verify_api_cert)
+            value = @config[:node_verify_api_cert].nil? ? knife_config[:verify_api_cert] : @config[:node_verify_api_cert]
+            client_rb << %Q{verify_api_cert #{value}\n}
+          end
+
+          # We configure :ssl_verify_mode only when it's overridden on the CLI
+          # or when specified in the knife config.
+          if @config[:node_ssl_verify_mode] || knife_config.has_key?(:ssl_verify_mode)
+            value = case @config[:node_ssl_verify_mode]
+            when "peer"
+              :verify_peer
+            when "none"
+              :verify_none
+            when nil
+              knife_config[:ssl_verify_mode]
+            else
+              nil
+            end
+
+            if value
+              client_rb << %Q{ssl_verify_mode :#{value}\n}
+            end
+          end
+
+          if @config[:ssl_verify_mode]
+            client_rb << %Q{ssl_verify_mode :#{knife_config[:ssl_verify_mode]}\n}
+          end
+
           if knife_config[:bootstrap_proxy]
             client_rb << %Q{http_proxy        "#{knife_config[:bootstrap_proxy]}"\n}
             client_rb << %Q{https_proxy       "#{knife_config[:bootstrap_proxy]}"\n}
diff --git a/spec/unit/knife/bootstrap_spec.rb b/spec/unit/knife/bootstrap_spec.rb
index f28879fb4e..78be9632f6 100644
--- a/spec/unit/knife/bootstrap_spec.rb
+++ b/spec/unit/knife/bootstrap_spec.rb
@@ -246,6 +246,46 @@ describe Chef::Knife::Bootstrap do
         rendered_template.should match(%r{.*no_proxy\s*"api.opscode.com,172.16.10.\*".*})
       end
     end
+
+    context "via --ssl-verify-mode none" do
+      let(:options) { ["--node-ssl-verify-mode", "none"] }
+
+      it "renders the client.rb with ssl_verify_mode set to :verify_none" do
+        rendered_template.should match(/ssl_verify_mode :verify_none/)
+      end
+    end
+
+    context "via --node-ssl-verify-mode peer" do
+      let(:options) { ["--node-ssl-verify-mode", "peer"] }
+
+      it "renders the client.rb with ssl_verify_mode set to :verify_peer" do
+        rendered_template.should match(/ssl_verify_mode :verify_peer/)
+      end
+    end
+
+    context "via --node-ssl-verify-mode all" do
+      let(:options) { ["--node-ssl-verify-mode", "all"] }
+
+      it "raises error" do
+        lambda{ rendered_template }.should raise_error
+      end
+    end
+
+    context "via --node-verify-api-cert" do
+      let(:options) { ["--node-verify-api-cert"] }
+
+      it "renders the client.rb with verify_api_cert set to true" do
+        rendered_template.should match(/verify_api_cert true/)
+      end
+    end
+
+    context "via --no-node-verify-api-cert" do
+      let(:options) { ["--no-node-verify-api-cert"] }
+
+      it "renders the client.rb with verify_api_cert set to false" do
+        rendered_template.should match(/verify_api_cert false/)
+      end
+    end
   end
 
   describe "specifying the encrypted data bag secret key" do
@@ -483,6 +523,9 @@ describe Chef::Knife::Bootstrap do
       knife_ssh.should_receive(:run).and_raise(Net::SSH::AuthenticationFailed)
       lambda { knife.run }.should raise_error(Net::SSH::AuthenticationFailed)
     end
+  end
+
+  describe "specifying ssl verification" do
 
   end
 
diff --git a/spec/unit/knife/core/bootstrap_context_spec.rb b/spec/unit/knife/core/bootstrap_context_spec.rb
index c5ad531a27..064f8c5621 100644
--- a/spec/unit/knife/core/bootstrap_context_spec.rb
+++ b/spec/unit/knife/core/bootstrap_context_spec.rb
@@ -168,4 +168,57 @@ EXPECTED
       bootstrap_context.latest_current_chef_version_string.should eq("-v #{Chef::VERSION.to_i}")
     end
   end
+
+  describe "ssl_verify_mode" do
+    it "isn't set in the config_content by default" do
+      bootstrap_context.config_content.should_not include("ssl_verify_mode")
+    end
+
+    describe "when configured in config" do
+      let(:chef_config) do
+        {
+          :knife => {:ssl_verify_mode => :verify_peer}
+        }
+      end
+
+      it "uses the config value" do
+        bootstrap_context.config_content.should include("ssl_verify_mode :verify_peer")
+      end
+
+      describe "when configured via CLI" do
+        let(:config) {{:node_ssl_verify_mode => "none"}}
+
+        it "uses CLI value" do
+          bootstrap_context.config_content.should include("ssl_verify_mode :verify_none")
+        end
+      end
+    end
+  end
+
+  describe "verify_api_cert" do
+    it "isn't set in the config_content by default" do
+      bootstrap_context.config_content.should_not include("verify_api_cert")
+    end
+
+    describe "when configured in config" do
+      let(:chef_config) do
+        {
+          :knife => {:verify_api_cert => :false}
+        }
+      end
+
+      it "uses the config value" do
+        bootstrap_context.config_content.should include("verify_api_cert false")
+      end
+
+      describe "when configured via CLI" do
+        let(:config) {{:node_verify_api_cert => true}}
+
+        it "uses CLI value" do
+          bootstrap_context.config_content.should include("verify_api_cert true")
+        end
+      end
+    end
+  end
+
 end
author	Serdar Sutay <serdar@opscode.com>	2014-08-28 13:51:08 -0700
committer	Serdar Sutay <serdar@opscode.com>	2014-08-28 13:51:08 -0700
commit	f0cc9ee51c50fb5f896b329d243ec273a65ff14a (patch)
tree	f080d2a38c9b42134c42d8db456ee1057d59be78
parent	395534b88d54e6ec57eadfaab81c736c688e7938 (diff)
parent	753e7162f6fb2e45cd6082c3b58ebc41cd1c01a0 (diff)
download	chef-f0cc9ee51c50fb5f896b329d243ec273a65ff14a.tar.gz