author | Tim Smith <tsmith@chef.io> | 2020-08-19 15:29:49 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-19 15:29:49 -0700 |
commit | 1913f854675d09fe4d05102f1c5a141aa8496f8a (patch) | |
tree | cbe134573786c9ff878f7bd3b0b8f6366cbfbce3 | |
parent | 6eeb56b2889bc152c78a22d2b133183728023f1d (diff) | |
parent | 3adef7acd5689cbac5d1f14424e772336d57f23f (diff) | |
download | chef-1913f854675d09fe4d05102f1c5a141aa8496f8a.tar.gz |
Merge pull request #10331 from chef/client_trusted
Signed-off-by: Tim Smith <tsmith@chef.io>
-rw-r--r-- | cspell.json | 2 | ||||
-rw-r--r-- | kitchen-tests/cookbooks/end_to_end/recipes/_chef_client_trusted_certificate.rb | 30 | ||||
-rw-r--r-- | kitchen-tests/cookbooks/end_to_end/recipes/linux.rb | 1 | ||||
-rw-r--r-- | kitchen-tests/cookbooks/end_to_end/recipes/macos.rb | 1 | ||||
-rw-r--r-- | kitchen-tests/cookbooks/end_to_end/recipes/windows.rb | 1 | ||||
-rw-r--r-- | lib/chef/resource/chef_client_trusted_certificate.rb | 101 | ||||
-rw-r--r-- | lib/chef/resources.rb | 1 | ||||
-rw-r--r-- | spec/unit/resource/chef_client_trusted_certificate_spec.rb | 54 |
8 files changed, 191 insertions, 0 deletions
diff --git a/cspell.json b/cspell.json
index b93f247e1e..96ee3a0d21 100644
--- a/cspell.json
+++ b/cspell.json
@@ -16,6 +16,7 @@
 "words": [
 "abcz",
 "Abdulin",
+ "badssl",
 "ABORTIFHUNG",
 "ACCOUNTDISABLE",
 "activationkey",
@@ -1879,6 +1880,7 @@
 "Zanetti",
 "Zapp",
 "zeproc",
+ "PATHEXT",
 "ZEROEXEC",
 "ZEROINIT",
 "Zimmek",
diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/_chef_client_trusted_certificate.rb b/kitchen-tests/cookbooks/end_to_end/recipes/_chef_client_trusted_certificate.rb
new file mode 100644
index 0000000000..486d5f36c6
--- /dev/null
+++ b/kitchen-tests/cookbooks/end_to_end/recipes/_chef_client_trusted_certificate.rb
@@ -0,0 +1,30 @@
+chef_client_trusted_certificate "self-signed.badssl.com" do
+ certificate <<~CERT
+ -----BEGIN CERTIFICATE-----
+ MIIDeTCCAmGgAwIBAgIJAPziuikCTox4MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV
+ BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
+ c2NvMQ8wDQYDVQQKDAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTAeFw0x
+ OTEwMDkyMzQxNTJaFw0yMTEwMDgyMzQxNTJaMGIxCzAJBgNVBAYTAlVTMRMwEQYD
+ VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQK
+ DAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB
+ BQADggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2
+ PmzAS2BMTOqytMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3pmccYYz2QULFRtMW
+ hyefdOsKnRFSJiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CVSndrOfEk0TG23U3A
+ xPxTuW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqve
+ ww9HdFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SY
+ QCeFxxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaMyMDAwCQYDVR0T
+ BAIwADAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wDQYJKoZI
+ hvcNAQELBQADggEBAGlwCdbPxflZfYOaukZGCaxYK6gpincX4Lla4Ui2WdeQxE95
+ w7fChXvP3YkE3UYUE7mupZ0eg4ZILr/A0e7JQDsgIu/SRTUE0domCKgPZ8v99k3A
+ vka4LpLK51jHJJK7EFgo3ca2nldd97GM0MU41xHFk8qaK1tWJkfrrfcGwDJ4GQPI
+ iLlm6i0yHq1Qg1RypAXJy5dTlRXlCLd8ufWhhiwW0W75Va5AEnJuqpQrKwl3KQVe
+ wGj67WWRgLfSr+4QG1mNvCZb2CkjZWmxkGPuoP40/y7Yu5OFqxP5tAjj4YixCYTW
+ EVA0pmzIzgBg+JIe3PdRy27T0asgQW/F4TY61Yk=
+ -----END CERTIFICATE-----
+ CERT
+end
+
+# see if we can fetch from our new trusted domain
+remote_file ::File.join(Chef::Config[:file_cache_path], "index.html") do
+ source "https://self-signed.badssl.com/index.html"
+end
\ No newline at end of file
diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/linux.rb b/kitchen-tests/cookbooks/end_to_end/recipes/linux.rb
index 012a9a7507..8fae36662c 100644
--- a/kitchen-tests/cookbooks/end_to_end/recipes/linux.rb
+++ b/kitchen-tests/cookbooks/end_to_end/recipes/linux.rb
@@ -50,6 +50,7 @@ ssh_known_hosts_entry "github.com"
 include_recipe "chef-client::delete_validation"
 include_recipe "chef-client::config"
+include_recipe "::_chef_client_trusted_certificate"
 include_recipe "openssh"
diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/macos.rb b/kitchen-tests/cookbooks/end_to_end/recipes/macos.rb
index 6ac2607caa..9c7416cfd9 100644
--- a/kitchen-tests/cookbooks/end_to_end/recipes/macos.rb
+++ b/kitchen-tests/cookbooks/end_to_end/recipes/macos.rb
@@ -41,6 +41,7 @@ ssh_known_hosts_entry "github.com"
 include_recipe "chef-client::delete_validation"
 include_recipe "chef-client::config"
+include_recipe "::_chef_client_trusted_certificate"
 include_recipe "git"
diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
index aa53ca6365..3e069a43b0 100644
--- a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
+++ b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
@@ -47,6 +47,7 @@ end
 include_recipe "chef-client::delete_validation"
 include_recipe "chef-client::config"
+include_recipe "::_chef_client_trusted_certificate"
 include_recipe "git"
diff --git a/lib/chef/resource/chef_client_trusted_certificate.rb b/lib/chef/resource/chef_client_trusted_certificate.rb
new file mode 100644
index 0000000000..855407b12a
--- /dev/null
+++ b/lib/chef/resource/chef_client_trusted_certificate.rb
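Review bot: The `remote_file` at the end of the recipe ties the end-to-end suite to a live third-party host and to the exact certificate pinned in the heredoc, so the suite will start failing the moment self-signed.badssl.com rotates its certificate, and that failure will look like a regression in the resource rather than a stale fixture (decoding the notBefore/notAfter fields of the pinned PEM suggests a validity window ending in late 2021 — worth confirming with `openssl x509 -noout -dates`). A more durable check would generate a throwaway self-signed certificate at converge time and serve it locally; at minimum, a comment above the `chef_client_trusted_certificate` block should record provenance and expiry, e.g. `# certificate copied from https://self-signed.badssl.com on <DATE-PLACEHOLDER>; refresh when badssl rotates it`. Note also that the `remote_file` has no `checksum`, so the test only proves the TLS handshake succeeded, which is fine here as long as that intent is stated in the comment.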
@@ -0,0 +1,101 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+require_relative "../dist"
+
+class Chef
+ class Resource
+ class ChefClientTrustedCertificate < Chef::Resource
+ unified_mode true
+
+ provides :chef_client_trusted_certificate
+
+ description "Use the **chef_client_trusted_certificate** resource to add certificates to #{Chef::Dist::PRODUCT}'s trusted certificate directory. This allows the #{Chef::Dist::PRODUCT} to communicate with internal encrypted resources without errors."
+ introduced "16.5"
+ examples <<~DOC
+ **Trust a self signed certificate**:
+
+ ```ruby
+ chef_client_trusted_certificate 'self-signed.badssl.com' do
+ certificate <<~CERT
+ -----BEGIN CERTIFICATE-----
+ MIIDeTCCAmGgAwIBAgIJAPziuikCTox4MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV
+ BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
+ c2NvMQ8wDQYDVQQKDAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTAeFw0x
+ OTEwMDkyMzQxNTJaFw0yMTEwMDgyMzQxNTJaMGIxCzAJBgNVBAYTAlVTMRMwEQYD
+ VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQK
+ DAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB
+ BQADggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2
+ PmzAS2BMTOqytMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3pmccYYz2QULFRtMW
+ hyefdOsKnRFSJiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CVSndrOfEk0TG23U3A
+ xPxTuW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqve
+ ww9HdFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SY
+ QCeFxxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaMyMDAwCQYDVR0T
+ BAIwADAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wDQYJKoZI
+ hvcNAQELBQADggEBAGlwCdbPxflZfYOaukZGCaxYK6gpincX4Lla4Ui2WdeQxE95
+ w7fChXvP3YkE3UYUE7mupZ0eg4ZILr/A0e7JQDsgIu/SRTUE0domCKgPZ8v99k3A
+ vka4LpLK51jHJJK7EFgo3ca2nldd97GM0MU41xHFk8qaK1tWJkfrrfcGwDJ4GQPI
+ iLlm6i0yHq1Qg1RypAXJy5dTlRXlCLd8ufWhhiwW0W75Va5AEnJuqpQrKwl3KQVe
+ wGj67WWRgLfSr+4QG1mNvCZb2CkjZWmxkGPuoP40/y7Yu5OFqxP5tAjj4YixCYTW
+ EVA0pmzIzgBg+JIe3PdRy27T0asgQW/F4TY61Yk=
+ -----END CERTIFICATE-----
+ CERT
+ end
+ ```
+ DOC
+
+ property :cert_name, String, name_property: true,
+ description: "The name to use for the certificate file on disk. If not provided the name of the resource block will be used instead."
+
+ property :certificate, String, required: [:add],
+ description: "The text of the certificate file including the BEGIN/END comment lines."
+
+ action :add do
+ unless ::Dir.exist?(Chef::Config[:trusted_certs_dir])
+ directory Chef::Config[:trusted_certs_dir] do
+ mode "0640"
+ recursive true
+ end
+ end
+
+ file cert_path do
+ content new_resource.certificate
+ mode "0640"
+ end
+ end
+
+ action :remove do
+ file cert_path do
+ action :delete
+ end
+ end
+
+ action_class do
+ #
+ # The path to the string on disk
+ #
+ # @return [String]
+ #
+ def cert_path
+ path = ::File.join(Chef::Config[:trusted_certs_dir], new_resource.cert_name)
+ path << ".pem" unless path.end_with?(".pem")
+ path
+ end
+ end
+ end
+ end
+end
\ No newline at end of file
diff --git a/lib/chef/resources.rb b/lib/chef/resources.rb
index a47b96cb5c..a3f23532b4 100644
--- a/lib/chef/resources.rb
+++ b/lib/chef/resources.rb
@@ -30,6 +30,7 @@ require_relative "resource/cookbook_file"
 require_relative "resource/chef_client_cron"
 require_relative "resource/chef_client_scheduled_task"
 require_relative "resource/chef_client_systemd_timer"
+require_relative "resource/chef_client_trusted_certificate"
 require_relative "resource/chef_gem"
 require_relative "resource/chef_handler"
 require_relative "resource/chef_sleep"
diff --git a/spec/unit/resource/chef_client_trusted_certificate_spec.rb b/spec/unit/resource/chef_client_trusted_certificate_spec.rb
new file mode 100644
index 0000000000..558e737555
--- /dev/null
+++ b/spec/unit/resource/chef_client_trusted_certificate_spec.rb
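Review bot: In the `:add` action the `directory Chef::Config[:trusted_certs_dir]` block sets `mode "0640"`, which on POSIX creates a directory without the execute (search) bit, so no process other than root can open the `.pem` files placed inside it; it only works today because chef-client usually runs as root, and a directory mode such as `mode "0750"` (or `"0755"` where non-root processes share the trust store — certificates are public material) is what is meant. The `unless ::Dir.exist?` guard around that resource is also redundant since `directory` is idempotent, and it means a pre-existing directory with a wrong mode is never corrected. The doc comment on `cert_path` reads "The path to the string on disk" and should say "The path to the certificate file on disk". Separately, `cert_name` is joined straight into the path with no validation, so a name containing a separator or `..` lands outside `trusted_certs_dir`; a `callbacks:` validation on the property, or using `::File.basename(new_resource.cert_name)` in `cert_path`, would keep every file inside the trust directory.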
@@ -0,0 +1,54 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::ChefClientTrustedCertificate do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::ChefClientTrustedCertificate.new("foo", run_context) }
+ let(:provider) { resource.provider_for_action(:add) }
+
+ it "has a resource name of :chef_client_trusted_certificate" do
+ expect(resource.resource_name).to eql(:chef_client_trusted_certificate)
+ end
+
+ it "has a name property of cert_name" do
+ expect(resource.cert_name).to eql("foo")
+ end
+
+ it "sets the default action as :add" do
+ expect(resource.action).to eql([:add])
+ end
+
+ it "supports :remove action" do
+ expect { resource.action :remove }.not_to raise_error
+ end
+
+ describe "#cert_path" do
+ it "appends .pem to new_resource.cert_name value" do
+ resource.cert_name "something"
+ expect(provider.cert_path).to match(%r{trusted_certs/something.pem$})
+ end
+
+ it "does not append .pem if cert_name already ends in .pem" do
+ resource.cert_name "something.pem"
+ expect(provider.cert_path).to match(%r{trusted_certs/something.pem$})
+ end
+ end
+end |
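Review bot: Both `#cert_path` expectations match against `%r{trusted_certs/something.pem$}` with an unescaped `.`, so the regex would also accept a path like `somethingXpem`; `%r{trusted_certs/something\.pem\z}` pins the exact suffix and avoids the per-line `$` anchor. The spec also never exercises the `:add` action, so the modes handed to the `directory` and `file` resources go untested, as does a `cert_name` with a differently cased suffix such as `"foo.PEM"` (which `end_with?(".pem")` does not match, yielding `foo.PEM.pem`); an example that converges the resource against a temporary `trusted_certs_dir` would cover both.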