author | Phil Dibowitz <phil@ipom.com> | 2020-05-09 15:53:44 -0700 |
---|---|---|
committer | Phil Dibowitz <phil@ipom.com> | 2020-05-18 19:06:02 -0700 |
commit | 28c548500f5a2de3babfd05fbd27b2e9a76ca266 (patch) | |
tree | 71640215d9a28b2858bff0fc8b5ffad02d478cd9 /lib/chef/http | |
parent | a3908d26aa86e0d04bac2a87438e484311f1d763 (diff) | |
download | chef-28c548500f5a2de3babfd05fbd27b2e9a76ca266.tar.gz |
Add ssl_verify option for remote_file
Different servers have different https requirements and enforcing
the API policy on all `remote_file` resources isn't reasonable.
The logic around the HTTP clients and policies in Chef is... complex.
This approach seemed like the best one, but I'm open to others.
By default here if the user specifies nothing, `remote_file`'s http
clients will fall back to the API policy, otherwise, it'll use whatever
they specify.
This fixes #8897
Signed-off-by: Phil Dibowitz <phil@ipom.com>
Diffstat (limited to 'lib/chef/http')
-rw-r--r-- | lib/chef/http/ssl_policies.rb | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/lib/chef/http/ssl_policies.rb b/lib/chef/http/ssl_policies.rb index 66cbea048b..05e4baf581 100644 --- a/lib/chef/http/ssl_policies.rb +++ b/lib/chef/http/ssl_policies.rb @@ -129,5 +129,23 @@ class Chef end end + # This policy is used when we want to explicitly turn on verification + # for a specific request regardless of the API Policy. For example, when + # doing a `remote_file` where the user specified `verify_mode :verify_peer` + class VerifyPeerSSLPolicy < DefaultSSLPolicy + def set_verify_mode + http_client.verify_mode = OpenSSL::SSL::VERIFY_PEER + end + end + + # This policy is used when we want to explicitly turn off verification + # for a specific request regardless of the API Policy. For example, when + # doing a `remote_file` where the user specified `verify_mode :verify_none` + class VerifyNoneSSLPolicy < DefaultSSLPolicy + def set_verify_mode + http_client.verify_mode = OpenSSL::SSL::VERIFY_NONE + end + end + end end |
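Review bot: In `VerifyNoneSSLPolicy#set_verify_mode`, certificate verification is switched off silently via `http_client.verify_mode = OpenSSL::SSL::VERIFY_NONE`, overriding the API policy for that request with nothing recorded in the run output. Consider logging a warning when this policy is selected, so that a per-resource opt-out of verification is visible to anyone reviewing the run. Separately, both class comments refer to `verify_mode :verify_peer` and `verify_mode :verify_none`, while the commit subject names the option `ssl_verify`; the comments should use the property name that users will actually write in a `remote_file` resource.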