authorSteven Danna <steve@opscode.com>2014-11-13 12:41:20 +0000
committerLamont Granquist <lamont@scriptkiddie.org>2015-01-25 13:27:02 -0800
commit508f14aec1f6e4b02233f4deefa3b93f019c59a4 (patch)
treec71bd3c73d08ca1aec5c642cb10a95b55c52d092
parent008e33f7f458562f1a390413800afbbd07c2cf3a (diff)
downloadchef-508f14aec1f6e4b02233f4deefa3b93f019c59a4.tar.gz
Add --proxy-auth option to `knife raw`
Chef Server 12 and Enterprise Chef Server allow requests made on behalf of other users by setting the x-ops-request-source HTTP header to web and signing the request with a particular key (often known as the "webui key"). This scheme allows the management console to make requests to the API on behalf of the logged-in user. However, it is also useful for administrators attempting to debug their Chef Servers or helping their users in large Chef Server installations. For example, using the webui_key and this option, an administrator can list nodes in different orgs, without access to a particular user's key. > knife raw /organizations/wonderbolts/nodes -k webui_priv.pem \ -u soarin -s https://api.opscode.piab --proxy-auth { } > knife raw /organizations/acme/nodes -k webui_priv.pem -u wei -s https://api.opscode.piab --proxy-auth { } The webui key exists on the Chef Server itself and is only accessible to an administrator with root access. As such, this is typically an advanced debugging tool and isn't likely needed in other knife subcommands.
-rw-r--r--lib/chef/knife/raw.rb17
-rw-r--r--spec/unit/knife/raw_spec.rb38
2 files changed, 52 insertions, 3 deletions
diff --git a/lib/chef/knife/raw.rb b/lib/chef/knife/raw.rb
index 954d46beee..601cfcef9b 100644
--- a/lib/chef/knife/raw.rb
+++ b/lib/chef/knife/raw.rb
@@ -32,6 +32,12 @@ class Chef
:short => '-i FILE',
:description => "Name of file to use for PUT or POST"
+ option :proxy_auth,
+ :long => '--proxy-auth',
+ :boolean => true,
+ :default => false,
+ :description => "Use webui proxy authentication. Client key must be the webui key."
+
class RawInputServerAPI < Chef::HTTP
def initialize(options = {})
options[:client_name] ||= Chef::Config[:node_name]
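Review bot: The help text on the new `option :proxy_auth` does not say whose identity the request runs under. Going by the commit message, the request is signed with the webui key while `-u` names a different user, so the flag amounts to acting as that user with a server-wide key, and `knife raw --help` should say so. I would word it as `:description => "Sign with the webui key (-k) and make the request on behalf of the user given by -u."`. A one-line comment above the option noting that it sets the `x-ops-request-source: web` header would also help the next maintainer.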
@@ -64,15 +70,21 @@ class Chef
begin
method = config[:method].to_sym
+ headers = {'Content-Type' => 'application/json'}
+
+ if config[:proxy_auth]
+ headers['x-ops-request-source'] = 'web'
+ end
+
if config[:pretty]
chef_rest = RawInputServerAPI.new
- result = chef_rest.request(method, name_args[0], {'Content-Type' => 'application/json'}, data)
+ result = chef_rest.request(method, name_args[0], headers, data)
unless result.is_a?(String)
result = Chef::JSONCompat.to_json_pretty(result)
end
else
chef_rest = RawInputServerAPI.new(:raw_output => true)
- result = chef_rest.request(method, name_args[0], {'Content-Type' => 'application/json'}, data)
+ result = chef_rest.request(method, name_args[0], headers, data)
end
output result
rescue Timeout::Error => e
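Review bot: Nothing in the `if config[:proxy_auth]` branch tells the operator that the request is leaving as another user, so a proxied call is indistinguishable on the terminal from an ordinary one. Because the webui key can act for any user, I would make the mode visible inside that branch, for example `ui.warn("Using webui proxy authentication as #{Chef::Config[:node_name]}")`. This assumes knife's `ui.warn` writes to stderr, so the raw response on stdout stays clean; confirm before merging. The enclosing method (presumably `run`) starts and ends outside this hunk.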
@@ -88,4 +100,3 @@ class Chef
end # class Raw
end
end
-
diff --git a/spec/unit/knife/raw_spec.rb b/spec/unit/knife/raw_spec.rb
new file mode 100644
index 0000000000..547ddee992
--- /dev/null
+++ b/spec/unit/knife/raw_spec.rb
@@ -0,0 +1,38 @@
+#
+# Author:: Steven Danna (<steve@getchef.com>)
+# Copyright:: Copyright (c) 2014 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'spec_helper'
+
+describe Chef::Knife::Raw do
+ before(:each) do
+ @rest = double('Chef::Knife::Raw::RawInputServerAPI')
+ allow(Chef::Knife::Raw::RawInputServerAPI).to receive(:new).and_return(@rest)
+ @knife = Chef::Knife::Raw.new
+ @knife.config[:method] = "GET"
+ @knife.name_args = [ "/nodes" ]
+ end
+
+ describe "run" do
+ it "should set the x-ops-request-source header when --proxy-auth is set" do
+ @knife.config[:proxy_auth] = true
+ expect(@rest).to receive(:request).with(:GET, "/nodes",
+ { 'Content-Type' => 'application/json',
+ 'x-ops-request-source' => 'web'}, false)
+ @knife.run
+ end
+ end
+end
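Review bot: The spec only exercises `config[:proxy_auth] = true`, so a regression that sends `x-ops-request-source: web` on every request would still pass. Add the negative case next to the existing example, expecting only the `Content-Type` header when the option is left unset. Note also that `RawInputServerAPI.new` is stubbed for any arguments, so the pretty and raw-output branches are not distinguished by this spec.

```ruby
  describe "run" do
    # … unchanged: example for --proxy-auth set …
    it "should not set the x-ops-request-source header when --proxy-auth is not set" do
      expect(@rest).to receive(:request).with(:GET, "/nodes",
        { 'Content-Type' => 'application/json' }, false)
      @knife.run
    end
```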