authorTim Smith <tsmith@chef.io>2020-08-19 15:29:49 -0700
committerGitHub <noreply@github.com>2020-08-19 15:29:49 -0700
commit1913f854675d09fe4d05102f1c5a141aa8496f8a (patch)
treecbe134573786c9ff878f7bd3b0b8f6366cbfbce3
parent6eeb56b2889bc152c78a22d2b133183728023f1d (diff)
parent3adef7acd5689cbac5d1f14424e772336d57f23f (diff)
downloadchef-1913f854675d09fe4d05102f1c5a141aa8496f8a.tar.gz
Merge pull request #10331 from chef/client_trusted
Signed-off-by: Tim Smith <tsmith@chef.io>
-rw-r--r--cspell.json2
-rw-r--r--kitchen-tests/cookbooks/end_to_end/recipes/_chef_client_trusted_certificate.rb30
-rw-r--r--kitchen-tests/cookbooks/end_to_end/recipes/linux.rb1
-rw-r--r--kitchen-tests/cookbooks/end_to_end/recipes/macos.rb1
-rw-r--r--kitchen-tests/cookbooks/end_to_end/recipes/windows.rb1
-rw-r--r--lib/chef/resource/chef_client_trusted_certificate.rb101
-rw-r--r--lib/chef/resources.rb1
-rw-r--r--spec/unit/resource/chef_client_trusted_certificate_spec.rb54
8 files changed, 191 insertions, 0 deletions
diff --git a/cspell.json b/cspell.json
index b93f247e1e..96ee3a0d21 100644
--- a/cspell.json
+++ b/cspell.json
@@ -16,6 +16,7 @@
"words": [
"abcz",
"Abdulin",
+ "badssl",
"ABORTIFHUNG",
"ACCOUNTDISABLE",
"activationkey",
@@ -1879,6 +1880,7 @@
"Zanetti",
"Zapp",
"zeproc",
+ "PATHEXT",
"ZEROEXEC",
"ZEROINIT",
"Zimmek",
diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/_chef_client_trusted_certificate.rb b/kitchen-tests/cookbooks/end_to_end/recipes/_chef_client_trusted_certificate.rb
new file mode 100644
index 0000000000..486d5f36c6
--- /dev/null
+++ b/kitchen-tests/cookbooks/end_to_end/recipes/_chef_client_trusted_certificate.rb
@@ -0,0 +1,30 @@
+chef_client_trusted_certificate "self-signed.badssl.com" do
+ certificate <<~CERT
+ -----BEGIN CERTIFICATE-----
+ MIIDeTCCAmGgAwIBAgIJAPziuikCTox4MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV
+ BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
+ c2NvMQ8wDQYDVQQKDAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTAeFw0x
+ OTEwMDkyMzQxNTJaFw0yMTEwMDgyMzQxNTJaMGIxCzAJBgNVBAYTAlVTMRMwEQYD
+ VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQK
+ DAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB
+ BQADggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2
+ PmzAS2BMTOqytMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3pmccYYz2QULFRtMW
+ hyefdOsKnRFSJiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CVSndrOfEk0TG23U3A
+ xPxTuW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqve
+ ww9HdFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SY
+ QCeFxxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaMyMDAwCQYDVR0T
+ BAIwADAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wDQYJKoZI
+ hvcNAQELBQADggEBAGlwCdbPxflZfYOaukZGCaxYK6gpincX4Lla4Ui2WdeQxE95
+ w7fChXvP3YkE3UYUE7mupZ0eg4ZILr/A0e7JQDsgIu/SRTUE0domCKgPZ8v99k3A
+ vka4LpLK51jHJJK7EFgo3ca2nldd97GM0MU41xHFk8qaK1tWJkfrrfcGwDJ4GQPI
+ iLlm6i0yHq1Qg1RypAXJy5dTlRXlCLd8ufWhhiwW0W75Va5AEnJuqpQrKwl3KQVe
+ wGj67WWRgLfSr+4QG1mNvCZb2CkjZWmxkGPuoP40/y7Yu5OFqxP5tAjj4YixCYTW
+ EVA0pmzIzgBg+JIe3PdRy27T0asgQW/F4TY61Yk=
+ -----END CERTIFICATE-----
+ CERT
+end
+
+# see if we can fetch from our new trusted domain
+remote_file ::File.join(Chef::Config[:file_cache_path], "index.html") do
+ source "https://self-signed.badssl.com/index.html"
+end \ No newline at end of file
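Review bot: The pinned certificate has a fixed validity window (the encoded notAfter appears to be 2021-10-08), so once badssl.com rotates its self-signed leaf this end-to-end recipe will fail at the `remote_file` fetch with a verify error that looks like a regression in the resource rather than a stale fixture. A comment above the resource naming the expiry and where to refresh it from would save the next person that diagnosis, e.g. `# Leaf cert for self-signed.badssl.com, valid to 2021-10-08 -- refresh from https://self-signed.badssl.com when it rotates`. Worth stating there too that this installs a third-party leaf certificate into the test node's trust directory and that the fetch requires outbound network access from the kitchen instance.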
diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/linux.rb b/kitchen-tests/cookbooks/end_to_end/recipes/linux.rb
index 012a9a7507..8fae36662c 100644
--- a/kitchen-tests/cookbooks/end_to_end/recipes/linux.rb
+++ b/kitchen-tests/cookbooks/end_to_end/recipes/linux.rb
@@ -50,6 +50,7 @@ ssh_known_hosts_entry "github.com"
include_recipe "chef-client::delete_validation"
include_recipe "chef-client::config"
+include_recipe "::_chef_client_trusted_certificate"
include_recipe "openssh"
diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/macos.rb b/kitchen-tests/cookbooks/end_to_end/recipes/macos.rb
index 6ac2607caa..9c7416cfd9 100644
--- a/kitchen-tests/cookbooks/end_to_end/recipes/macos.rb
+++ b/kitchen-tests/cookbooks/end_to_end/recipes/macos.rb
@@ -41,6 +41,7 @@ ssh_known_hosts_entry "github.com"
include_recipe "chef-client::delete_validation"
include_recipe "chef-client::config"
+include_recipe "::_chef_client_trusted_certificate"
include_recipe "git"
diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
index aa53ca6365..3e069a43b0 100644
--- a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
+++ b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
@@ -47,6 +47,7 @@ end
include_recipe "chef-client::delete_validation"
include_recipe "chef-client::config"
+include_recipe "::_chef_client_trusted_certificate"
include_recipe "git"
diff --git a/lib/chef/resource/chef_client_trusted_certificate.rb b/lib/chef/resource/chef_client_trusted_certificate.rb
new file mode 100644
index 0000000000..855407b12a
--- /dev/null
+++ b/lib/chef/resource/chef_client_trusted_certificate.rb
@@ -0,0 +1,101 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+require_relative "../dist"
+
+class Chef
+ class Resource
+ class ChefClientTrustedCertificate < Chef::Resource
+ unified_mode true
+
+ provides :chef_client_trusted_certificate
+
+ description "Use the **chef_client_trusted_certificate** resource to add certificates to #{Chef::Dist::PRODUCT}'s trusted certificate directory. This allows the #{Chef::Dist::PRODUCT} to communicate with internal encrypted resources without errors."
+ introduced "16.5"
+ examples <<~DOC
+ **Trust a self signed certificate**:
+
+ ```ruby
+ chef_client_trusted_certificate 'self-signed.badssl.com' do
+ certificate <<~CERT
+ -----BEGIN CERTIFICATE-----
+ MIIDeTCCAmGgAwIBAgIJAPziuikCTox4MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV
+ BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
+ c2NvMQ8wDQYDVQQKDAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTAeFw0x
+ OTEwMDkyMzQxNTJaFw0yMTEwMDgyMzQxNTJaMGIxCzAJBgNVBAYTAlVTMRMwEQYD
+ VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQK
+ DAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB
+ BQADggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2
+ PmzAS2BMTOqytMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3pmccYYz2QULFRtMW
+ hyefdOsKnRFSJiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CVSndrOfEk0TG23U3A
+ xPxTuW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqve
+ ww9HdFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SY
+ QCeFxxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaMyMDAwCQYDVR0T
+ BAIwADAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wDQYJKoZI
+ hvcNAQELBQADggEBAGlwCdbPxflZfYOaukZGCaxYK6gpincX4Lla4Ui2WdeQxE95
+ w7fChXvP3YkE3UYUE7mupZ0eg4ZILr/A0e7JQDsgIu/SRTUE0domCKgPZ8v99k3A
+ vka4LpLK51jHJJK7EFgo3ca2nldd97GM0MU41xHFk8qaK1tWJkfrrfcGwDJ4GQPI
+ iLlm6i0yHq1Qg1RypAXJy5dTlRXlCLd8ufWhhiwW0W75Va5AEnJuqpQrKwl3KQVe
+ wGj67WWRgLfSr+4QG1mNvCZb2CkjZWmxkGPuoP40/y7Yu5OFqxP5tAjj4YixCYTW
+ EVA0pmzIzgBg+JIe3PdRy27T0asgQW/F4TY61Yk=
+ -----END CERTIFICATE-----
+ CERT
+ end
+ ```
+ DOC
+
+ property :cert_name, String, name_property: true,
+ description: "The name to use for the certificate file on disk. If not provided the name of the resource block will be used instead."
+
+ property :certificate, String, required: [:add],
+ description: "The text of the certificate file including the BEGIN/END comment lines."
+
+ action :add do
+ unless ::Dir.exist?(Chef::Config[:trusted_certs_dir])
+ directory Chef::Config[:trusted_certs_dir] do
+ mode "0640"
+ recursive true
+ end
+ end
+
+ file cert_path do
+ content new_resource.certificate
+ mode "0640"
+ end
+ end
+
+ action :remove do
+ file cert_path do
+ action :delete
+ end
+ end
+
+ action_class do
+ #
+ # The path to the string on disk
+ #
+ # @return [String]
+ #
+ def cert_path
+ path = ::File.join(Chef::Config[:trusted_certs_dir], new_resource.cert_name)
+ path << ".pem" unless path.end_with?(".pem")
+ path
+ end
+ end
+ end
+ end
+end \ No newline at end of file
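Review bot: `mode "0640"` on the `directory` resource in the `:add` action drops the execute (search) bit, so a non-root owner cannot enter or list the trusted_certs directory it creates; root bypasses DAC, so the kitchen run will not catch it, but a client running as an unprivileged user or any other process that needs the directory would. The directory wants `mode "0750"`, keeping `0640` for the certificate file itself. Separately, `cert_name` is joined straight into the path in `cert_path`, so a name containing a path separator writes outside `trusted_certs_dir`; a `callbacks:` validation on `cert_name` rejecting `/` and `\` is cheap. Likewise nothing checks that `certificate` is actually PEM, and wrapping it in `OpenSSL::X509::Certificate.new` in a property callback would reject malformed input before it lands in the directory the client loads its trusted certs from.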
diff --git a/lib/chef/resources.rb b/lib/chef/resources.rb
index a47b96cb5c..a3f23532b4 100644
--- a/lib/chef/resources.rb
+++ b/lib/chef/resources.rb
@@ -30,6 +30,7 @@ require_relative "resource/cookbook_file"
require_relative "resource/chef_client_cron"
require_relative "resource/chef_client_scheduled_task"
require_relative "resource/chef_client_systemd_timer"
+require_relative "resource/chef_client_trusted_certificate"
require_relative "resource/chef_gem"
require_relative "resource/chef_handler"
require_relative "resource/chef_sleep"
diff --git a/spec/unit/resource/chef_client_trusted_certificate_spec.rb b/spec/unit/resource/chef_client_trusted_certificate_spec.rb
new file mode 100644
index 0000000000..558e737555
--- /dev/null
+++ b/spec/unit/resource/chef_client_trusted_certificate_spec.rb
@@ -0,0 +1,54 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::ChefClientTrustedCertificate do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::ChefClientTrustedCertificate.new("foo", run_context) }
+ let(:provider) { resource.provider_for_action(:add) }
+
+ it "has a resource name of :chef_client_trusted_certificate" do
+ expect(resource.resource_name).to eql(:chef_client_trusted_certificate)
+ end
+
+ it "has a name property of cert_name" do
+ expect(resource.cert_name).to eql("foo")
+ end
+
+ it "sets the default action as :add" do
+ expect(resource.action).to eql([:add])
+ end
+
+ it "supports :remove action" do
+ expect { resource.action :remove }.not_to raise_error
+ end
+
+ describe "#cert_path" do
+ it "appends .pem to new_resource.cert_name value" do
+ resource.cert_name "something"
+ expect(provider.cert_path).to match(%r{trusted_certs/something.pem$})
+ end
+
+ it "does not append .pem if cert_name already ends in .pem" do
+ resource.cert_name "something.pem"
+ expect(provider.cert_path).to match(%r{trusted_certs/something.pem$})
+ end
+ end
+end
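Review bot: The spec does not exercise the `required: [:add]` constraint on `certificate`, which is the one property validation the resource declares, so a regression there would go unnoticed. A test along the lines of `expect { provider.run_action(:add) }.to raise_error(Chef::Exceptions::ValidationFailed)` with no `certificate` set should cover it, assuming required-property validation fires at run_action time as it does for other resources. The `cert_path` tests also only assert the suffix, so a check that the result starts with `Chef::Config[:trusted_certs_dir]` would document the intended containment.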