-rw-r--r--Gemfile.lock2
-rw-r--r--docs/dev/how_to/building_chef_client_and_related_gems.md113
-rw-r--r--lib/chef/api_client_v1.rb11
-rw-r--r--lib/chef/client.rb124
-rw-r--r--lib/chef/event_dispatch/base.rb3
-rw-r--r--lib/chef/http/authenticator.rb142
-rw-r--r--omnibus/Gemfile.lock8
-rw-r--r--spec/unit/http/authenticator_spec.rb17
8 files changed, 375 insertions, 45 deletions
diff --git a/Gemfile.lock b/Gemfile.lock
index 12b79c7737..6a4dc6579e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -219,6 +219,7 @@ GEM
fauxhai-ng (9.3.0)
net-ssh
ffi (1.15.5)
+ ffi (1.15.5-x64-mingw-ucrt)
ffi (1.15.5-x64-mingw32)
ffi (1.15.5-x86-mingw32)
ffi-libarchive (1.1.3)
@@ -492,6 +493,7 @@ GEM
PLATFORMS
ruby
+ x64-mingw-ucrt
x64-mingw32
x86-mingw32
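Review bot: the `x64-mingw-ucrt` PLATFORMS entry (and the matching `ffi (1.15.5-x64-mingw-ucrt)` line in the hunk above) is lockfile maintenance unrelated to the certificate-store work; split it into its own commit so the platform change can be reviewed and reverted independently of the key-migration code.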
diff --git a/docs/dev/how_to/building_chef_client_and_related_gems.md b/docs/dev/how_to/building_chef_client_and_related_gems.md
new file mode 100644
index 0000000000..621de2a19f
--- /dev/null
+++ b/docs/dev/how_to/building_chef_client_and_related_gems.md
@@ -0,0 +1,113 @@
+# How to Build Chef Client and Associated Products
+
+
+
+This page endeavors to explain the vagaries of building out Chef Client and its accoutrements. The team is responsible for several gems in addition to the Chef Client codebase. We release the following gems:
+
+- Chef-Config
+- Chef-Utils
+- Chef-PowerShell
+- Knife
+- Chef-bin
+- Chef-Client
+
+
+
+### Contact Us: #eng-infra-chef in Slack
+
+**Codebase**: [chef-powershell-shim](https://github.com/chef/chef-powershell-shim)
+
+**Action**: Build
+
+**Access**: Github Actions
+
+**What to do**:
+
+When you peruse the repo you’ll note that there are a number of directories here. You will need to manage the accompanying .NET code bases in addition to the chef-powershell code itself.
+
+There are 2 ways to use this pipeline. The first is to merely merge your PR back into main once all the tests pass. This triggers an automated Github Actions pipeline that will push a compiled gem to RubyGems.org. The second way is to manually build and test the gem and then manually push it to Rubygems.org. You will need access to the RubyGems - chef-powershell repo via API key to do a manual upload. **NOTE**: This code base is entirely windows based. Meaning, you will compile and test on Windows and the gem will only run on a Windows device. The code supports PowerShell Core but the gcc libraries needed to run on Mac/Linux have not been built out yet.
+
+
+
+**Codebase**: [win32-certstore](https://github.com/chef/win32-certstore)
+
+**Access**: Pull Requests / Expeditor
+
+**What to do**:
+
+The Win32-Certstore code provides an FFI/Win32 based gem used to manage certificates on a Windows node.
+
+This one is a bit gnarly, see the notes below. Chef Infra team has backlogged issues to add functionality to the C++ libraries. If you have some spare cycles, we need the help.
+
+To start `git checkout -b`There are 2 parts of the code here. You’ll need to do your thing in C++ and then make sure the corresponding FFI/Ruby interfaces and methods are all working. Then push your branch back to main and open a PR. Once your code is green and merged, you’re done . **NOTE:** This code base is Windows based and contains C++ code. You’ll need a windows machine to test on. You can probably get away with developing on Mac or Linux.
+
+
+
+**Codebase**: [chef](https://github.com/chef/chef)
+
+**Action**: Promote a Build
+
+**Access**: Chef Internal Slack
+
+**What to do**:
+
+There are a few steps in performing a release. They are documented here : https://github.com/chef/chef/blob/main/docs/dev/how_to/releasing_chef_infra.md
+
+In Essence:
+
+1. Is your current build clean - no random errors, no busted tests?
+2. Have you documented all the changes in this build? This is a critical step to help customers and partner understand the changes we’re releasing.
+3. Promote the build
+4. Announce the build in Slack to #sous-chefs and #general
+5. Update Homebrew
+6. Update Chocolatey
+7. Backport to Chef 17 and Chef 16 as appropriate
+ 1. Git Pull Chef
+ 2. git checkout chef17
+ 3. git checkout -b mybranch_based_on_chef17
+ 4. Do my work on chef17 branch
+ 5. Merge it back to Chef17
+
+
+
+**Codebase**: [chef](https://github.com/chef/chef)
+
+**Action**: Build Chef Client
+
+**Access**: Pull Requests / Expeditor
+
+**What to do**:
+
+You have a feature or a bug you just fixed. Now what? Write your tests and, run rake to look for linting errors, spelling mistakes etc. Then push your branch back to main and create a pull request. This kicks off a build that will run your code against all 20 or so operating systems we support. Builds take a while. Once your build starts you have 2-3 hours or so to do something else. Once your build passes, get it approved and merged back to main. You’re done, unless you’re in charge of releases this week, in which case see the item just above about promoting builds
+
+
+
+**Codebase**: [chef](https://github.com/chef/chef)
+
+**Action**: Ad Hoc builds
+
+**Access**: Buildkite
+
+**What to do**:
+
+You have some code that may or may not really dodgy and you kinda need/want to see where the possible problems are with it. You can do an ad-hoc build against your branch to give it a go. To do that, you do this: There are 2 paths you can follow for a build. Chef stand-alone and Chef as part of the Chef Workstation product.
+
+[Chef Client Ad-Hoc Build Site](https://buildkite.com/chef/chef-chef-master-omnibus-adhoc/)
+
+[Chef Workstation Ad Hoc Build Site](https://buildkite.com/chef/chef-chef-workstation-master-omnibus-adhoc/)
+
+Steps:
+
+1. Click either link and if asked, confirm your login settings and then click the link in the verification email.
+
+2. Once past that you’ll need to add a ‘Pipeline’ - create a name for your pipeline and git it the root of github repo you want to build from
+
+3. Past that you’ll be asked to create a new build that uses your pipeline. Notice you can use any branch, you’ll enter yours here.
+
+4. You can use the options page to add environment variables that are unique to your build or do things like build only Windows nodes:
+
+ ```
+ OMNIBUS_BUILD_FILTER=windows*
+ ```
+
+
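Review bot: the sentence `To start `git checkout -b`There are 2 parts of the code here.` is missing both the branch argument and the sentence break after the code span, so it reads as a broken command; finish it as something like `To start, run `git checkout -b <your-branch>`. There are 2 parts of the code here.` Other wording problems in the same hunk: `git it the root of github repo` should be `give it the root of the GitHub repo`, `may or may not really dodgy` is missing `be`, `customers and partner` should be `partners`, and `you're done .` has a stray space. The two Buildkite links point at `chef-master-omnibus-adhoc` pipelines while the rest of the page talks about `main`; confirm those pipeline names are still current. For the chef-powershell manual upload, the doc says an API key for the RubyGems `chef-powershell` gem is required but not where that key is held or who issues it; add that, since the automated Actions path is the one most readers should take.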
diff --git a/lib/chef/api_client_v1.rb b/lib/chef/api_client_v1.rb
index 6178cb91c3..f7a41cdb5b 100644
--- a/lib/chef/api_client_v1.rb
+++ b/lib/chef/api_client_v1.rb
@@ -64,6 +64,10 @@ class Chef
@chef_rest_v1 ||= Chef::ServerAPI.new(Chef::Config[:chef_server_url], { api_version: "1", inflate_json_class: false })
end
+ def chef_rest_v1_with_validator
+ @chef_rest_v1_with_validator ||= Chef::ServerAPI.new(Chef::Config[:chef_server_url], { client_name: Chef::Config[:validation_client_name], signing_key_filename: Chef::Config[:validation_key], api_version: "1", inflate_json_class: false })
+ end
+
def self.http_api
Chef::ServerAPI.new(Chef::Config[:chef_server_url], { api_version: "1", inflate_json_class: false })
end
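Review bot: `chef_rest_v1_with_validator` reads `Chef::Config[:validation_client_name]` and `Chef::Config[:validation_key]` with no nil or file-existence check; on a node that has already registered the validator pem is normally deleted, so `Chef::ServerAPI.new` is built with `signing_key_filename: nil` and fails later with an unrelated error. Raise a clear `Chef::Exceptions` error when `validation_key` is unset or missing, and add a method comment saying why a validator credential (one permitted to create clients) is needed at this point, because signing with it instead of the node's own key is the security-relevant difference between this method and `chef_rest_v1`.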
@@ -293,7 +297,12 @@ class Chef
payload[:public_key] = public_key unless public_key.nil?
payload[:create_key] = create_key unless create_key.nil?
- new_client = chef_rest_v1.post("clients", payload)
+ # the new method only gets called when migrating keys to the certificate store.
+ new_client = if Chef::Config[:migrate_key_to_keystore] == true
+ chef_rest_v1_with_validator.post("clients", payload)
+ else
+ chef_rest_v1.post("clients", payload)
+ end
# get the private_key out of the chef_key hash if it exists
if new_client["chef_key"]
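Review bot: `Chef::Config[:migrate_key_to_keystore]` is used here but none of the eight files in this change adds it to chef-config's defaults, so it is undefined until a user sets it; add the default (false) with a config comment in the same PR. Comparing with `== true` also means a `"true"` string from a config file silently takes the old `chef_rest_v1.post` path; the idiomatic `if Chef::Config[:migrate_key_to_keystore]` avoids that. The comment `the new method only gets called when migrating keys to the certificate store.` should name what is different about that path, namely that the request is signed with the validator's key rather than the client's.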
diff --git a/lib/chef/client.rb b/lib/chef/client.rb
index 5ec15fb582..29eaf3df83 100644
--- a/lib/chef/client.rb
+++ b/lib/chef/client.rb
@@ -52,10 +52,12 @@ Chef.autoload :PolicyBuilder, File.expand_path("policy_builder", __dir__)
require_relative "request_id"
require_relative "platform/rebooter"
require_relative "mixin/deprecation"
+# require_relative "mixin/powershell_exec"
require "chef-utils" unless defined?(ChefUtils::CANARY)
require "ohai" unless defined?(Ohai::System)
require "rbconfig" unless defined?(RbConfig)
require "forwardable" unless defined?(Forwardable)
+require "singleton"
require_relative "compliance/runner"
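Review bot: `# require_relative "mixin/powershell_exec"` is commented-out code and should be deleted rather than left as a hint; `generate_pfx_package` and `get_public_key` later in this file each do `require_relative "mixin/powershell_exec"` inside the method body, so either require it once here (guarded for Windows) or drop this line. `require "singleton"` should follow the guard style of the neighbouring requires (`unless defined?(Singleton)`).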
@@ -64,7 +66,21 @@ class Chef
# The main object in a Chef run. Preps a Chef::Node and Chef::RunContext,
# syncs cookbooks if necessary, and triggers convergence.
class Client
+ class KeyMigration
+ include Singleton
+ attr_accessor :key_migrated
+ attr_accessor :old_priv_key
+ def initialize
+ @key_migrated = false
+ @old_priv_key = nil
+ end
+ end
+
+ attr_reader :local_context
+
extend Chef::Mixin::Deprecation
+ # extend Chef::Mixin::PowershellExec
+ # include Chef::Mixin::PowershellExec
extend Forwardable
#
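Review bot: `KeyMigration` is a process-wide singleton whose `old_priv_key` holds a PEM-encoded private key as a plain string for the rest of the chef-client run, and nothing in this diff clears it after `load_signing_key` consumes it; set it back to nil once the new key is in use and say on the accessor that it carries key material. The `# extend Chef::Mixin::PowershellExec` / `# include Chef::Mixin::PowershellExec` lines are commented-out code and should go, and `attr_reader :local_context` is added although `@local_context` is never assigned anywhere in this change.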
@@ -229,7 +245,7 @@ class Chef
start_profiling
runlock = RunLock.new(Chef::Config.lockfile)
- # TODO: feels like acquire should have its own block arg for this
+ # TODO feels like acquire should have its own block arg for this
runlock.acquire
# don't add code that may fail before entering this section to be sure to release lock
begin
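Review bot: the only change in this hunk is `# TODO: feels like ...` to `# TODO feels like ...`, which is unrelated comment churn and drops the `TODO:` form that the rest of the codebase greps for; revert it.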
@@ -637,16 +653,20 @@ class Chef
# @api private
#
def register(client_name = node_name, config = Chef::Config)
- if Chef::HTTP::Authenticator.detect_certificate_key(client_name)
- if File.exists?(config[:client_key])
- logger.warn("WARNING - Client key #{client_name} is present on disk, ignoring that in favor of key stored in CertStore")
- end
- events.skipping_registration(client_name, config)
- logger.trace("Client key #{client_name} is present in certificate repository - skipping registration")
- config[:client_key] = "Cert:\\LocalMachine\\My\\chef-#{client_name}"
- elsif !config[:client_key]
+ if !config[:client_key]
events.skipping_registration(client_name, config)
logger.trace("Client key is unspecified - skipping registration")
+ elsif ::Chef::Config[:migrate_key_to_keystore] == true && ChefUtils.windows?
+ cert_name = "chef-#{client_name}"
+ result = check_certstore_for_key(cert_name)
+ if result.rassoc("#{cert_name}")
+ logger.trace("Client key #{config[:client_key]} is present in Certificate Store - skipping registration")
+ else
+ move_key_and_register(cert_name)
+ KeyMigration.instance.key_migrated = false
+ logger.trace("Client key #{config[:client_key]} moved to the Certificate Store - skipping registration")
+ end
+ events.skipping_registration(client_name, config)
elsif File.exists?(config[:client_key])
events.skipping_registration(client_name, config)
logger.trace("Client key #{config[:client_key]} is present - skipping registration")
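Review bot: `move_key_and_register(cert_name)` sets `KeyMigration.instance.key_migrated = true` (see its definition later in this file) and the very next line here sets it back to false, so by the time `load_signing_key` runs for the node's own requests the `key_migrated == true` branch can never be taken; decide what the flag means and set it in one place. This hunk also removes the branch that detected an existing cert-store key and set `config[:client_key] = "Cert:\\LocalMachine\\My\\chef-#{client_name}"`; the replacement neither updates `config[:client_key]` nor removes or warns about the pem still on disk after migration, so the trace `Client key #{config[:client_key]} moved to the Certificate Store` describes something that has not happened. The new `key_migration_status` event added in event_dispatch/base.rb is never fired from this branch. Minor: `result.rassoc("#{cert_name}")` interpolates a string into a string; `result.rassoc(cert_name)`.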
@@ -666,6 +686,92 @@ class Chef
end
#
+ # In the brave new world of No Certs On Disk, we want to put the pem file into Keychain or the Certstore
+ # But is it already there?
+ def check_certstore_for_key(cert_name)
+ require "win32-certstore"
+ win32certstore = ::Win32::Certstore.open("MY")
+ win32certstore.search("#{cert_name}")
+ end
+
+ # def generate_pfx_package(cert_name)
+ # self.generate_pfx_package(cert_name)
+ # end
+
+ def generate_pfx_package(cert_name, date = nil)
+ require_relative "mixin/powershell_exec"
+ extend Chef::Mixin::PowershellExec
+ ::Chef::HTTP::Authenticator.get_cert_password
+ powershell_code = <<~EOH
+
+ $date = "#{date}"
+
+ $certSplat = @{
+ Subject = "#{cert_name}"
+ KeyExportPolicy = 'Exportable'
+ KeyUsage = @('KeyEncipherment','DigitalSignature')
+ CertStoreLocation = 'Cert:\\LocalMachine\\My'
+ TextExtension = @("2.5.29.37={text}1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1")
+ };
+ if ([string]$date -as [DateTime]){
+ $certSplat.add('NotAfter', $date)
+ }
+
+ New-SelfSignedCertificate @certSplat;
+ EOH
+ powershell_exec!(powershell_code)
+ end
+
+ def move_key_and_register(cert_name)
+ require 'time'
+ autoload :URI, "uri"
+
+ base_url = "https://" + URI.parse(Chef::Config[:chef_server_url]).host
+ client = Chef::ServerAPI.new(base_url, client_name: Chef::Config[:validation_client_name], signing_key_filename: Chef::Config[:validation_key])
+
+ KeyMigration.instance.key_migrated = true
+
+ node = Chef::Config[:node_name]
+ d = Time.now
+ end_date = Time.new(d.year, d.month + 3, d.day, d.hour, d.min, d.sec).utc.iso8601
+ public_key = get_public_key(cert_name)
+
+ payload = {
+ name: node,
+ clientname: node,
+ public_key: public_key,
+ expiration_date: end_date
+ }
+
+ generate_pfx_package(cert_name,end_date)
+
+ body = { "name": "#{node}" }
+ client.post("/organizations/cheftest2/nodes", body)
+ client.post("/organizations/cheftest2/clients", payload)
+
+ Chef::Log.trace("Updated client data: #{client.inspect}")
+ end
+
+ def get_public_key(cert_name)
+ binding.pry
+ password = ::Chef::HTTP::Authenticator.get_cert_password
+ require_relative "mixin/powershell_exec"
+ extend Chef::Mixin::PowershellExec
+ powershell_code = <<~EOH
+ $my_pwd = ConvertTo-SecureString -String "#{password}" -Force -AsPlainText;
+ $tempfile = $([System.IO.Path]::GetTempPath()) + $([System.IO.Path]::GetRandomFileName());
+ $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "#{cert_name}$" } -ErrorAction Stop;
+ Export-PFXCertificate -Cert $cert -Password $my_pwd -FilePath $tempfile;
+ return $tempfile;
+ EOH
+ cert_file = powershell_exec!(powershell_code).result
+ path = cert_file[1]
+ p12 = OpenSSL::PKCS12.new(File.binread(path), password)
+ File.delete(path)
+ return p12.key.public_to_pem
+ end
+
+ #
# Converges all compiled resources.
#
# Fires the converge_start, converge_complete and converge_failed events.
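Review bot: `binding.pry` in `get_public_key` is a debugger breakpoint that will stop every run on this path; remove it (and the `require "pry"` it depends on in authenticator.rb). The organisation is hard-coded in `client.post("/organizations/cheftest2/nodes", body)` and `client.post("/organizations/cheftest2/clients", payload)`; pass `Chef::Config[:chef_server_url]` to `Chef::ServerAPI.new` as the rest of the code does instead of rebuilding `base_url` from the host, and note that POSTing the node will conflict on a node that already exists, which is the normal case for a migration. `Time.new(d.year, d.month + 3, ...)` raises ArgumentError for any run in October to December (month 13 to 15 is out of range); use `Date.today >> 3` or a seconds offset. `generate_pfx_package` calls `::Chef::HTTP::Authenticator.get_cert_password` and discards the result, and the `New-SelfSignedCertificate` splat requests both client-auth (`1.3.6.1.5.5.7.3.2`) and server-auth (`1.3.6.1.5.5.7.3.1`) EKUs for a key that only signs API requests; drop the server-auth EKU. In `get_public_key` the PFX containing the private key is exported to a temp file and `File.delete(path)` is not in an `ensure`, so a failing `OpenSSL::PKCS12.new` leaves the key on disk, and `cert_file[1]` assumes the PowerShell result is a two-element array without checking. The commented-out `generate_pfx_package` wrapper above the real definition should go, `autoload :URI, "uri"` inside a method should be `require "uri"`, `require 'time'` should use double quotes like the rest of the file, and `body = { "name": "#{node}" }` should be `{ name: node }`. Finally, confirm the Chef Server clients endpoint accepts `clientname` and `expiration_date` in a create payload; `expiration_date` is an attribute of key objects, so the intended target may be the `/keys` endpoint.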
diff --git a/lib/chef/event_dispatch/base.rb b/lib/chef/event_dispatch/base.rb
index a973c31612..669c1d6286 100644
--- a/lib/chef/event_dispatch/base.rb
+++ b/lib/chef/event_dispatch/base.rb
@@ -273,6 +273,9 @@ class Chef
# Called if the converge phase fails
def converge_failed(exception); end
+ # Called when migrating from a pem on disk to a pem stored in Keychain or Windows Certstore
+ def key_migration_status(key_migrated = false); end
+
# TODO: need events for notification resolve?
# def notifications_resolved
# end
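Review bot: `key_migration_status(key_migrated = false)` is added to the base dispatcher but nothing in this change calls `events.key_migration_status`, so the event is dead code; fire it from `Chef::Client#register` in the migration branch (where `KeyMigration.instance.key_migrated` is set) or leave it out until it is used. The comment should also say what the boolean argument reports.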
diff --git a/lib/chef/http/authenticator.rb b/lib/chef/http/authenticator.rb
index 26413c283b..eaa5130647 100644
--- a/lib/chef/http/authenticator.rb
+++ b/lib/chef/http/authenticator.rb
@@ -22,6 +22,8 @@ require_relative "../exceptions"
require_relative "../win32/registry"
autoload :OpenSSL, "openssl"
+require "pry"
+
class Chef
class HTTP
class Authenticator
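Review bot: `require "pry"` pulls a development-only debugging gem into the production authenticator and will raise LoadError wherever the development group is not installed; remove it together with the `binding.pry` in client.rb.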
@@ -48,6 +50,7 @@ class Chef
@auth_credentials = AuthCredentials.new(opts[:client_name], @key, use_ssh_agent: opts[:ssh_agent_signing])
@version_class = opts[:version_class]
@api_version = opts[:api_version]
+ @old_priv_key = nil
end
def handle_request(method, url, headers = {}, data = false)
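Review bot: `@old_priv_key = nil` is assigned in the constructor but never read or written anywhere else in this change; the code below uses `Chef::Client::KeyMigration.instance.old_priv_key` instead. Drop the instance variable or use it consistently.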
@@ -115,7 +118,7 @@ class Chef
def self.check_certstore_for_key(client_name)
powershell_code = <<~CODE
- $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force | Where-Object { $_.Subject -Match "#{client_name}" } -ErrorAction Stop
+ $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force | Where-Object { $_.Subject -Match "chef-#{client_name}" } -ErrorAction Stop
if (($cert.HasPrivateKey -eq $true) -and ($cert.PrivateKey.Key.ExportPolicy -ne "NonExportable")) {
return $true
}
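Review bot: the change only prefixes the pattern with `chef-`, but `-Match "chef-#{client_name}"` is still a regular expression built from the node name: dots in an FQDN match any character, the pattern is unanchored at both ends, and a node name containing `"` or `$` terminates the PowerShell string. Compare the subject exactly (`$_.Subject -eq "CN=chef-#{client_name}"`) or pass the name into the script as a parameter rather than interpolating it; the same construction is repeated in `get_the_key_ps` and `delete_old_pfx` below.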
@@ -127,19 +130,23 @@ class Chef
end
def load_signing_key(key_file, raw_key = nil)
- results = retrieve_certificate_key(Chef::Config[:node_name])
-
+ results = if !!Chef::Client::KeyMigration.instance.old_priv_key
+ Chef::Client::KeyMigration.instance.old_priv_key
+ else
+ retrieve_certificate_key(Chef::Config[:node_name])
+ end
if key_file == nil? && raw_key == nil?
puts "\nNo key detected\n"
elsif !!results
- # results variable can be 1 of 2 values - "False" or the contents of a key.
@raw_key = results
+ elsif ::Chef::Config[:migrate_key_to_keystore] == true && Chef::Client::KeyMigration.instance.key_migrated == true
+ @raw_key = IO.read(Chef::Config[:validation_key]).strip
elsif !!key_file
@raw_key = IO.read(key_file).strip
elsif !!raw_key
@raw_key = raw_key.strip
else
- return nil
+ return
end
# Pass in '' as the passphrase to avoid OpenSSL prompting on the TTY if
# given an encrypted key. This also helps if using a single file for
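Review bot: the new `elsif ::Chef::Config[:migrate_key_to_keystore] == true && Chef::Client::KeyMigration.instance.key_migrated == true` branch makes every Authenticator instance read `Chef::Config[:validation_key]` regardless of the `client_name` it was constructed with, so a request can carry the node's name but the validator's signature and will be rejected by the server; which key to use belongs to the caller's `signing_key_filename`, which `move_key_and_register` already passes. Consulting the global `old_priv_key` first has the same problem in the other direction. The deleted comment `results variable can be 1 of 2 values - "False" or the contents of a key.` was useful and should stay, and `return nil` to `return` is unrelated style churn. Pre-existing but inside the touched block: `if key_file == nil? && raw_key == nil?` calls `self.nil?` (false) and compares against it, so the condition is never true; `key_file.nil? && raw_key.nil?` is what was meant.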
@@ -154,7 +161,6 @@ class Chef
raise Chef::Exceptions::InvalidPrivateKey, msg
end
- # takes no parameters. Checks for the password in the registry and returns it if there, otherwise returns false
def self.get_cert_password
@win32registry = Chef::Win32::Registry.new
path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
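Review bot: removing `# takes no parameters. Checks for the password in the registry and returns it if there, otherwise returns false` deletes the only description of `get_cert_password`; keep a doc comment, updated to say that the stored value is now DPAPI-protected and that a missing value is generated and written rather than returned as false (the method body below raises and then creates it).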
@@ -166,60 +172,136 @@ class Chef
present.each do |secret|
if secret[:name] == "PfxPass"
- return secret[:data]
+ password = decrypt_pfx_pass(secret[:data])
+ return password
end
end
- # if we make it this far, that means there is no valid password in the Registry. Fail out to correct that.
raise Chef::Exceptions::Win32RegKeyMissing
rescue Chef::Exceptions::Win32RegKeyMissing
# if we don't have a password, log that and generate one
- Chef::Log.warn "Authentication Hive and value not present in registry, creating it now"
+ Chef::Log.warn "Authentication Hive and values not present in registry, creating them now"
new_path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
unless @win32registry.key_exists?(new_path)
@win32registry.create_key(new_path, true)
end
password = SOME_CHARS.sample(1 + rand(SOME_CHARS.count)).join[0...14]
- values = { name: "PfxPass", type: :string, data: password }
+ encrypted_pass = encrypt_pfx_pass(password)
+ values = { name: "PfxPass", type: :string, data: encrypted_pass }
@win32registry.set_value(new_path, values)
password
end
+ def get_cert_password
+ self.get_cert_password
+ end
+
+ def encrypt_pfx_pass
+ self.ncrypt_pfx_pass
+ end
+
+ def self.encrypt_pfx_pass(password)
+ powershell_code = <<~CODE
+ $encrypted_string = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+ $secure_string = ConvertFrom-SecureString $encrypted_string
+ return $secure_string
+ CODE
+ powershell_exec!(powershell_code).result
+ end
+
+ def self.decrypt_pfx_pass(password)
+ powershell_code = <<~CODE
+ $secure_string = "#{password}" | ConvertTo-SecureString
+ $string = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((($secure_string))))
+ return $string
+ CODE
+ powershell_exec!(powershell_code).result
+ end
+
def self.retrieve_certificate_key(client_name)
require "openssl" unless defined?(OpenSSL)
if ChefUtils.windows?
-
password = get_cert_password
-
return false unless password
if check_certstore_for_key(client_name)
- powershell_code = <<~CODE
- Try {
- $my_pwd = ConvertTo-SecureString -String "#{password}" -Force -AsPlainText;
- $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "#{client_name}" } -ErrorAction Stop;
- $tempfile = [System.IO.Path]::GetTempPath() + "export_pfx.pfx";
- Export-PfxCertificate -Cert $cert -Password $my_pwd -FilePath $tempfile;
- }
- Catch {
- return $false
- }
- CODE
- my_result = powershell_exec!(powershell_code).result
-
- if !!my_result
- pkcs = OpenSSL::PKCS12.new(File.binread(my_result["PSPath"].split("::")[1]), password)
- ::File.delete(my_result["PSPath"].split("::")[1])
- return OpenSSL::PKey::RSA.new(pkcs.key.to_pem)
- end
+ ps_blob = powershell_exec!(get_the_key_ps(client_name, password)).result
+ file_path = ps_blob["PSPath"].split("::")[1]
+ pkcs = OpenSSL::PKCS12.new(File.binread(file_path), password)
+
+ # We test the pfx we just extracted the private key from
+ # if that cert is expiring in 7 days or less we generate a new pfx/p12 object
+ # then we post the new public key from that to the client endpoint on
+ # chef server.
+ # is_certificate_expiring(pkcs)
+ File.delete(file_path)
+
+ return pkcs.key.private_to_pem
end
end
false
end
+ def self.get_the_key_ps(client_name, password)
+ powershell_code = <<~CODE
+ Try {
+ $my_pwd = ConvertTo-SecureString -String "#{password}" -Force -AsPlainText;
+ $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "#{client_name}$" } -ErrorAction Stop;
+ $tempfile = [System.IO.Path]::GetTempPath() + "export_pfx.pfx";
+ Export-PfxCertificate -Cert $cert -Password $my_pwd -FilePath $tempfile;
+ }
+ Catch {
+ return $false
+ }
+ CODE
+ end
+
+ def self.is_certificate_expiring(pkcs)
+ require 'time'
+ cert_date = DateTime.parse(pkcs.certificate.not_after.iso8601)
+ today = DateTime.parse(Time.now.iso8601)
+ client_name = "chef-#{Chef::Config[:node_name]}"
+ if cert_date.mjd - today.mjd <= 7
+ Chef::Client::KeyMigration.instance.old_priv_key = pkcs.key.private_to_pem
+ create_new_pfx_in_keystore(client_name)
+ end
+ end
+
+ def self.create_new_pfx_in_keystore(client_name)
+ require 'time'
+ node = Chef::Config[:node_name]
+ delete_old_pfx(client_name)
+ new_client = Chef::Client.new
+ d = Time.now
+ end_date = Time.new(d.year, d.month + 3, d.day, d.hour, d.min, d.sec).utc.iso8601
+ new_client.generate_pfx_package(client_name, end_date)
+ new_public_key = new_client.get_public_key(client_name)
+ base_url = "https://" + URI.parse(Chef::Config[:chef_server_url]).host
+ client = Chef::ServerAPI.new(base_url, client_name: Chef::Config[:client_name], signing_key_filename: "cert://#{client_name}")
+
+ payload = {
+ name: "default",
+ public_key: new_public_key,
+ expiration_date: end_date
+ }
+ client.put("/organizations/cheftest2/clients/#{node}/keys/default", payload)
+ end
+
+ def self.delete_old_pfx(cert_name)
+ powershell_code = <<~CODE
+ Try{
+ Get-ChildItem Cert:\\LocalMachine\\My | Where-Object { $_.Subject -match "#{cert_name}$" } -ErrorAction Stop | Remove-Item;
+ }
+ Catch{
+ return $false
+ }
+ CODE
+ powershell_exec!(powershell_code).result
+ end
+
def authentication_headers(method, url, json_body = nil, headers = nil)
request_params = {
http_method: method,
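Review bot: `def get_cert_password; self.get_cert_password; end` is an instance method calling itself and recurses until SystemStackError; it needs `self.class.get_cert_password`. `def encrypt_pfx_pass; self.ncrypt_pfx_pass; end` has a typo and the wrong arity (the class method takes `password`). The ordering in `create_new_pfx_in_keystore` is unsafe: `delete_old_pfx(client_name)` runs before the new public key is `put` to the server, so if `generate_pfx_package`, `get_public_key` or the PUT fails the node has destroyed its only working key and is locked out; generate and register the new key first and delete the old one last, and leave `is_certificate_expiring(pkcs)` commented out (as it is here) until that is fixed, since right now the whole rotation path is dead code. `retrieve_certificate_key` indexes `ps_blob["PSPath"]` without handling the `$false` that the `Catch` in `get_the_key_ps` returns, and the export goes to the fixed path `GetTempPath() + "export_pfx.pfx"` with `File.delete(file_path)` outside an `ensure`; a PFX holding the node's private key is written to a predictable location on every run, which is what this change is meant to stop. Export the key material into a variable through the .NET certificate API rather than a file, or at minimum use a random filename, a restrictive ACL and `ensure` cleanup. On the registry value: `ConvertFrom-SecureString` without `-Key` uses DPAPI scoped to the account running chef-client, so only that account (normally SYSTEM) can decrypt it and a run under another account will fail in `decrypt_pfx_pass`; document that, and note that interpolating `#{password}` into script text means it lands in PowerShell script-block logs where they are enabled. Also repeated here from client.rb: the hard-coded `cheftest2` org and the `d.month + 3` overflow; `signing_key_filename: "cert://#{client_name}"` is a URI scheme nothing in this change parses; `require 'time'` should use double quotes; and `Chef::Client.new` is built only to reach two instance methods that should be module functions.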
diff --git a/omnibus/Gemfile.lock b/omnibus/Gemfile.lock
index 27136e3792..e2715e25f2 100644
--- a/omnibus/Gemfile.lock
+++ b/omnibus/Gemfile.lock
@@ -46,14 +46,12 @@ GEM
aws-sdk-core (~> 3, >= 3.127.0)
aws-sdk-kms (~> 1)
aws-sigv4 (~> 1.4)
- aws-sdk-secretsmanager (1.57.0)
- aws-sdk-core (~> 3, >= 3.126.0)
+ aws-sdk-secretsmanager (1.58.0)
+ aws-sdk-core (~> 3, >= 3.127.0)
aws-sigv4 (~> 1.1)
aws-sigv4 (1.4.0)
aws-eventstream (~> 1, >= 1.0.2)
bcrypt_pbkdf (1.1.0)
- bcrypt_pbkdf (1.1.0-x64-mingw32)
- bcrypt_pbkdf (1.1.0-x86-mingw32)
berkshelf (7.2.2)
chef (>= 15.7.32)
chef-config
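Review bot: the `aws-sdk-secretsmanager` bump (and the `train-winrm` bump in the next hunk) are routine dependency updates normally landed by Expeditor and unrelated to this change; drop them from this PR. Removing `bcrypt_pbkdf (1.1.0-x64-mingw32)` and `bcrypt_pbkdf (1.1.0-x86-mingw32)` leaves only the `ruby` platform gem, which means the Windows omnibus build compiles that native extension from source; confirm that is intended.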
@@ -378,7 +376,7 @@ GEM
mixlib-shellout (>= 2.0, < 4.0)
net-scp (>= 1.2, < 4.0)
net-ssh (>= 2.9, < 7.0)
- train-winrm (0.2.12)
+ train-winrm (0.2.13)
winrm (>= 2.3.6, < 3.0)
winrm-elevated (~> 1.2.2)
winrm-fs (~> 1.0)
diff --git a/spec/unit/http/authenticator_spec.rb b/spec/unit/http/authenticator_spec.rb
index 4f43c19520..28bcc23677 100644
--- a/spec/unit/http/authenticator_spec.rb
+++ b/spec/unit/http/authenticator_spec.rb
@@ -68,6 +68,23 @@ describe Chef::HTTP::Authenticator do
end
end
+ context "when retrieving a certificate from the certificate store" :windows_only do
+ before each do
+ end
+ after each do
+ end
+ it "retrieves a certificate password from the registry" do
+ expect(class_instance.get_cert_password).not_to raise_error
+ end
+ # get a password when it does not already exist in the registry
+ # get a password that DOES already exist in the registry
+ # does retrieving a cert work
+ # does the password decrypt correctly
+ # does it encrypt correctly.
+ # is the decrypted password at least 14 characters
+ # does delete old pfx actually delete shit?
+ end
+
context "when !sign_requests?" do
before do
allow(class_instance).to receive(:sign_requests?).and_return(false)
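Review bot: this context will not parse: `context "when retrieving a certificate from the certificate store" :windows_only do` is missing the comma before the metadata symbol, and `before each do` / `after each do` call an undefined `each` (RSpec wants `before(:each) do`, or plain `before do`; empty hooks should be removed). `expect(class_instance.get_cert_password).not_to raise_error` evaluates the call before the matcher sees it; `raise_error` needs the block form, `expect { class_instance.get_cert_password }.not_to raise_error`. If `class_instance` is an Authenticator instance, that call reaches the instance wrapper in authenticator.rb that recurses into itself, so even the corrected example fails. The trailing comments are the test plan for this feature; make each a `pending` example (and reword `does delete old pfx actually delete shit?`) so the missing coverage shows up in the runner rather than in a comment.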