author | danielsdeleo <dan@opscode.com> | 2013-10-15 16:53:07 -0700 |
---|---|---|
committer | danielsdeleo <dan@opscode.com> | 2013-10-16 17:52:52 -0700 |
commit | 534898d06fd423689c4e0b746d816b4fe3e67673 (patch) | |
tree | 0f04eada7d1aa00346cd9741daa942d272d3d22e /spec/unit/http | |
parent | ec9fdb6fa099334a669ce3692a8156275f6828c2 (diff) | |
download | chef-534898d06fd423689c4e0b746d816b4fe3e67673.tar.gz |
Add API SSL policy
Adds config option to verify SSL certs for API requests only
Diffstat (limited to 'spec/unit/http')
-rw-r--r-- | spec/unit/http/ssl_policies_spec.rb | 133 |
1 files changed, 77 insertions, 56 deletions
diff --git a/spec/unit/http/ssl_policies_spec.rb b/spec/unit/http/ssl_policies_spec.rb index 6150967396..a15fd46164 100644 --- a/spec/unit/http/ssl_policies_spec.rb +++ b/spec/unit/http/ssl_policies_spec.rb @@ -19,7 +19,7 @@ require 'spec_helper' require 'chef/http/ssl_policies' -describe Chef::HTTP::DefaultSSLPolicy do +describe "HTTP SSL Policy" do before do Chef::Config[:ssl_client_cert] = nil 
@@ -29,84 +29,105 @@ describe Chef::HTTP::DefaultSSLPolicy do end let(:unconfigured_http_client) { Net::HTTP.new("example.com", 443) } - let(:ssl_policy) { Chef::HTTP::DefaultSSLPolicy.new(unconfigured_http_client) } let(:http_client) do unconfigured_http_client.use_ssl = true ssl_policy.apply unconfigured_http_client end - describe "when configured with :ssl_verify_mode set to :verify peer" do - before do - Chef::Config[:ssl_verify_mode] = :verify_peer - end + describe Chef::HTTP::DefaultSSLPolicy do - it "configures the HTTP client to use SSL when given a URL with the https protocol" do - http_client.use_ssl?.should be_true - end + let(:ssl_policy) { Chef::HTTP::DefaultSSLPolicy.new(unconfigured_http_client) } - it "sets the OpenSSL verify mode to verify_peer" do - http_client.verify_mode.should == OpenSSL::SSL::VERIFY_PEER - end + describe "when configured with :ssl_verify_mode set to :verify peer" do + before do + Chef::Config[:ssl_verify_mode] = :verify_peer + end - it "raises a ConfigurationError if :ssl_ca_path is set to a path that doesn't exist" do - Chef::Config[:ssl_ca_path] = "/dev/null/nothing_here" - lambda {http_client}.should raise_error(Chef::Exceptions::ConfigurationError) - end + it "configures the HTTP client to use SSL when given a URL with the https protocol" do + http_client.use_ssl?.should be_true + end - it "should set the CA path if that is set in the configuration" do - Chef::Config[:ssl_ca_path] = File.join(CHEF_SPEC_DATA, "ssl") - http_client.ca_path.should == File.join(CHEF_SPEC_DATA, "ssl") - end + it "sets the OpenSSL verify mode to verify_peer" do + http_client.verify_mode.should == OpenSSL::SSL::VERIFY_PEER + end - it "raises a ConfigurationError if :ssl_ca_file is set to a file that does not exist" do - Chef::Config[:ssl_ca_file] = "/dev/null/nothing_here" - lambda {http_client}.should raise_error(Chef::Exceptions::ConfigurationError) - end + it "raises a ConfigurationError if :ssl_ca_path is set to a path that doesn't exist" do + 
Chef::Config[:ssl_ca_path] = "/dev/null/nothing_here" + lambda {http_client}.should raise_error(Chef::Exceptions::ConfigurationError) + end + + it "should set the CA path if that is set in the configuration" do + Chef::Config[:ssl_ca_path] = File.join(CHEF_SPEC_DATA, "ssl") + http_client.ca_path.should == File.join(CHEF_SPEC_DATA, "ssl") + end - it "should set the CA file if that is set in the configuration" do - Chef::Config[:ssl_ca_file] = CHEF_SPEC_DATA + '/ssl/5e707473.0' - http_client.ca_file.should == CHEF_SPEC_DATA + '/ssl/5e707473.0' + it "raises a ConfigurationError if :ssl_ca_file is set to a file that does not exist" do + Chef::Config[:ssl_ca_file] = "/dev/null/nothing_here" + lambda {http_client}.should raise_error(Chef::Exceptions::ConfigurationError) + end + + it "should set the CA file if that is set in the configuration" do + Chef::Config[:ssl_ca_file] = CHEF_SPEC_DATA + '/ssl/5e707473.0' + http_client.ca_file.should == CHEF_SPEC_DATA + '/ssl/5e707473.0' + end end - end - describe "when configured with :ssl_verify_mode set to :verify peer" do - before do - @url = URI.parse("https://chef.example.com:4443/") - Chef::Config[:ssl_verify_mode] = :verify_none + describe "when configured with :ssl_verify_mode set to :verify peer" do + before do + @url = URI.parse("https://chef.example.com:4443/") + Chef::Config[:ssl_verify_mode] = :verify_none + end + + it "sets the OpenSSL verify mode to :verify_none" do + http_client.verify_mode.should == OpenSSL::SSL::VERIFY_NONE + end end - it "sets the OpenSSL verify mode to :verify_none" do - http_client.verify_mode.should == OpenSSL::SSL::VERIFY_NONE + describe "when configured with a client certificate" do + before {@url = URI.parse("https://chef.example.com:4443/")} + + it "raises ConfigurationError if the certificate file doesn't exist" do + Chef::Config[:ssl_client_cert] = "/dev/null/nothing_here" + Chef::Config[:ssl_client_key] = CHEF_SPEC_DATA + '/ssl/chef-rspec.key' + lambda {http_client}.should 
raise_error(Chef::Exceptions::ConfigurationError) + end + + it "raises ConfigurationError if the certificate file doesn't exist" do + Chef::Config[:ssl_client_cert] = CHEF_SPEC_DATA + '/ssl/chef-rspec.cert' + Chef::Config[:ssl_client_key] = "/dev/null/nothing_here" + lambda {http_client}.should raise_error(Chef::Exceptions::ConfigurationError) + end + + it "raises a ConfigurationError if one of :ssl_client_cert and :ssl_client_key is set but not both" do + Chef::Config[:ssl_client_cert] = "/dev/null/nothing_here" + Chef::Config[:ssl_client_key] = nil + lambda {http_client}.should raise_error(Chef::Exceptions::ConfigurationError) + end + + it "configures the HTTP client's cert and private key" do + Chef::Config[:ssl_client_cert] = CHEF_SPEC_DATA + '/ssl/chef-rspec.cert' + Chef::Config[:ssl_client_key] = CHEF_SPEC_DATA + '/ssl/chef-rspec.key' + http_client.cert.to_s.should == OpenSSL::X509::Certificate.new(IO.read(CHEF_SPEC_DATA + '/ssl/chef-rspec.cert')).to_s + http_client.key.to_s.should == IO.read(CHEF_SPEC_DATA + '/ssl/chef-rspec.key') + end end end - describe "when configured with a client certificate" do - before {@url = URI.parse("https://chef.example.com:4443/")} + describe Chef::HTTP::APISSLPolicy do - it "raises ConfigurationError if the certificate file doesn't exist" do - Chef::Config[:ssl_client_cert] = "/dev/null/nothing_here" - Chef::Config[:ssl_client_key] = CHEF_SPEC_DATA + '/ssl/chef-rspec.key' - lambda {http_client}.should raise_error(Chef::Exceptions::ConfigurationError) - end + let(:ssl_policy) { Chef::HTTP::APISSLPolicy.new(unconfigured_http_client) } - it "raises ConfigurationError if the certificate file doesn't exist" do - Chef::Config[:ssl_client_cert] = CHEF_SPEC_DATA + '/ssl/chef-rspec.cert' - Chef::Config[:ssl_client_key] = "/dev/null/nothing_here" - lambda {http_client}.should raise_error(Chef::Exceptions::ConfigurationError) - end + context "when verify_api_cert is set" do + before do + Chef::Config[:verify_api_cert] = true + end - it 
"raises a ConfigurationError if one of :ssl_client_cert and :ssl_client_key is set but not both" do - Chef::Config[:ssl_client_cert] = "/dev/null/nothing_here" - Chef::Config[:ssl_client_key] = nil - lambda {http_client}.should raise_error(Chef::Exceptions::ConfigurationError) + it "sets the OpenSSL verify mode to verify_peer" do + http_client.verify_mode.should == OpenSSL::SSL::VERIFY_PEER + end end - it "configures the HTTP client's cert and private key" do - Chef::Config[:ssl_client_cert] = CHEF_SPEC_DATA + '/ssl/chef-rspec.cert' - Chef::Config[:ssl_client_key] = CHEF_SPEC_DATA + '/ssl/chef-rspec.key' - http_client.cert.to_s.should == OpenSSL::X509::Certificate.new(IO.read(CHEF_SPEC_DATA + '/ssl/chef-rspec.cert')).to_s - http_client.key.to_s.should == IO.read(CHEF_SPEC_DATA + '/ssl/chef-rspec.key') - end end end + |
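Review bot: The new `describe Chef::HTTP::APISSLPolicy` block at the end of this hunk only pins `verify_api_cert = true` with `:ssl_verify_mode` left at whatever the shared `before` sets. Nothing shows that the option still yields `VERIFY_PEER` when `:ssl_verify_mode` is `:verify_none`, or what the policy does when the option is off. Both cases decide whether API traffic is actually verified, so they should be pinned; the fence below assumes the policy falls back to `:ssl_verify_mode` when `verify_api_cert` is false, which should be confirmed against `ssl_policies.rb`. The shared `before` starts outside the hunk, so if it does not reset `Chef::Config[:verify_api_cert]`, the `true` set here can leak into later examples. Separately, the re-indented `describe "when configured with :ssl_verify_mode set to :verify peer"` that sets `:verify_none` is mislabelled and would read better as `describe "when configured with :ssl_verify_mode set to :verify_none" do`.

```ruby
describe Chef::HTTP::APISSLPolicy do
  # … unchanged: let(:ssl_policy) and the "when verify_api_cert is set" context …

  context "when verify_api_cert is set and :ssl_verify_mode is :verify_none" do
    before do
      Chef::Config[:verify_api_cert] = true
      Chef::Config[:ssl_verify_mode] = :verify_none
    end

    it "still sets the OpenSSL verify mode to verify_peer" do
      http_client.verify_mode.should == OpenSSL::SSL::VERIFY_PEER
    end
  end

  context "when verify_api_cert is not set" do
    before do
      Chef::Config[:verify_api_cert] = false
      Chef::Config[:ssl_verify_mode] = :verify_none
    end

    # assumed fallback behaviour; confirm against the policy implementation
    it "falls back to :ssl_verify_mode" do
      http_client.verify_mode.should == OpenSSL::SSL::VERIFY_NONE
    end
  end
```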