Class: Chef::Knife::SslCheck
Constructor Details
#initialize(*args) ⇒ SslCheck
Returns a new instance of SslCheck.
# File 'lib/chef/knife/ssl_check.rb', line 36
# Sets up per-run state, then hands the command-line arguments to
# Chef::Knife's own initializer.
#
# @param args [Array] arguments forwarded unchanged to +super+
def initialize(*args)
  # Memoized lazily by #verify_peer_socket; starts empty.
  @verify_peer_socket = nil
  # Assigned here but not read by any method shown on this page
  # (the host is derived from #uri instead).
  @host = nil
  # Policy applied to every SSLContext built by #verify_peer_ssl_context
  # and #noverify_peer_ssl_context.
  @ssl_policy = HTTP::DefaultSSLPolicy
  super
end
Instance Method Details
#configuration ⇒ Object
# File 'lib/chef/knife/ssl_check.rb', line 194
# Single indirection point for the Chef configuration consulted by
# #debug_chef_ssl_config (presumably so a test can substitute another
# config object).
#
# @return [Chef::Config]
def configuration
  Chef::Config
end
#debug_chef_ssl_config ⇒ Object
# File 'lib/chef/knife/ssl_check.rb', line 187
# Prints the three Chef settings that decide which CA certificates are
# trusted, so a failed verification can be matched against them.
# Everything goes to stderr via +ui.err+.
#
# @return [Object] whatever the last +ui.err+ call returns
def debug_chef_ssl_config
  cfg = configuration
  ui.err("Chef SSL Configuration:")
  ui.err("* ssl_ca_path: #{cfg.ssl_ca_path.inspect}")
  ui.err("* ssl_ca_file: #{cfg.ssl_ca_file.inspect}")
  ui.err("* trusted_certs_dir: #{cfg.trusted_certs_dir.inspect}")
end
#debug_invalid_cert ⇒ Object
# File 'lib/chef/knife/ssl_check.rb', line 130
# Explains a failed certificate verification to the user: shows who issued
# the certificate the server presented, dumps the OpenSSL and Chef trust
# settings, and prints remediation advice.
#
# Called from #verify_cert after an OpenSSL::SSL::SSLError. The peer
# certificate is fetched over #noverify_socket (VERIFY_NONE) — acceptable
# here only because that connection is used to read the presented
# certificate for display and never to exchange data.
#
# NOTE(review): the escaped "\#{...}" sequences in the advice string look
# like a documentation-rendering artifact of a heredoc; in the real source
# those are presumably live interpolations — confirm against the file.
def debug_invalid_cert
noverify_socket.connect
issuer_info = noverify_socket.peer_cert.issuer
ui.msg("Certificate issuer data: #{issuer_info}")
ui.msg("\n#{ui.color("Configuration Info:", :bold)}\n\n")
debug_ssl_settings
debug_chef_ssl_config
ui.err("\n\#{ui.color(\"TO FIX THIS ERROR:\", :bold)}\n\nIf the server you are connecting to uses a self-signed certificate, you must\nconfigure chef to trust that server's certificate.\n\nBy default, the certificate is stored in the following location on the host\nwhere your chef-server runs:\n\n /var/opt/chef-server/nginx/ca/SERVER_HOSTNAME.crt\n\nCopy that file to you trusted_certs_dir (currently: \#{configuration.trusted_certs_dir})\nusing SSH/SCP or some other secure method, then re-run this command to confirm\nthat the server's certificate is now trusted.\n\n")
end
#debug_invalid_host ⇒ Object
# File 'lib/chef/knife/ssl_check.rb', line 158
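# Explains a hostname mismatch: the chain was trusted (see #verify_cert)
# but #verify_cert_host found the certificate is not valid for +host+.
# Shows the subject CN the server presented next to the host we tried.
#
# The certificate is read over #noverify_socket (VERIFY_NONE); that is
# acceptable only because the connection is used to display the presented
# certificate, never to exchange data.
#
# NOTE(review): the escaped "\#{...}" sequences in the advice string look
# like a documentation-rendering artifact of a heredoc; in the real source
# those are presumably live interpolations — confirm against the file.
def debug_invalid_host
  noverify_socket.connect
  subject = noverify_socket.peer_cert.subject
  cn_field_tuple = subject.to_a.find { |field| field[0] == "CN" }
  # A subject may carry no CN at all (e.g. a certificate that identifies the
  # host only via subjectAltName). Previously that raised NoMethodError on
  # nil here, hiding the diagnostic; now +cn+ is simply nil.
  cn = cn_field_tuple && cn_field_tuple[1]
  ui.error("You are attempting to connect to: '#{host}'")
  ui.error("The server's certificate belongs to '#{cn}'")
  ui.err("\n\#{ui.color(\"TO FIX THIS ERROR:\", :bold)}\n\nThe solution for this issue depends on your networking configuration. If you\nare able to connect to this server using the hostname \#{cn}\ninstead of \#{host}, then you can resolve this issue by updating chef_server_url\nin your configuration file.\n\nIf you are not able to connect to the server using the hostname \#{cn}\nyou will have to update the certificate on the server to use the correct hostname.\n")
end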
#debug_ssl_settings ⇒ Object
# File 'lib/chef/knife/ssl_check.rb', line 180
# Prints the OpenSSL build version and its compiled-in default CA file and
# directory to stderr, so a verification failure can be compared with what
# the library itself trusts.
#
# @return [Object] whatever the last +ui.err+ call returns
def debug_ssl_settings
  ui.err("OpenSSL Configuration:")
  ui.err("* Version: #{OpenSSL::OPENSSL_VERSION}")
  ui.err("* Certificate file: #{OpenSSL::X509::DEFAULT_CERT_FILE}")
  ui.err("* Certificate directory: #{OpenSSL::X509::DEFAULT_CERT_DIR}")
end
#given_uri ⇒ Object
# File 'lib/chef/knife/ssl_check.rb', line 50
# The URL to check: the first positional argument when one was given,
# otherwise the configured chef_server_url.
#
# @return [String, nil] the raw URL string (nil if neither source set one)
def given_uri
  name_args.first || Chef::Config.chef_server_url
end
# File 'lib/chef/knife/ssl_check.rb', line 54
# Host component of the parsed #uri; this is the name the certificate is
# checked against in #verify_cert_host.
#
# @return [String, nil]
def host
  uri.host
end
#invalid_uri! ⇒ Object
# File 'lib/chef/knife/ssl_check.rb', line 70
# Reports an unusable URI, prints the usage banner and terminates the
# process with status 1. Never returns.
def invalid_uri!
  ui.error("Given URI: `#{given_uri}' is invalid")
  show_usage
  exit(1)
end
#noverify_peer_ssl_context ⇒ Object
# File 'lib/chef/knife/ssl_check.rb', line 100
# Memoized SSLContext with peer verification switched OFF.
#
# Verification is disabled deliberately: this context backs only
# #noverify_socket, which is used to read the certificate a server presents
# so it can be shown in diagnostics (#debug_invalid_cert,
# #debug_invalid_host). Nothing is sent over that connection, and the
# actual trust decision is made with #verify_peer_ssl_context.
#
# @return [OpenSSL::SSL::SSLContext]
def noverify_peer_ssl_context
  @noverify_peer_ssl_context ||= OpenSSL::SSL::SSLContext.new.tap do |ctx|
    @ssl_policy.apply_to(ctx)
    ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end
end
#noverify_socket ⇒ Object
# File 'lib/chef/knife/ssl_check.rb', line 93
# Memoized SSL socket to host:port that performs NO peer verification.
# Only the diagnostic helpers use it, and only to read the presented
# certificate; the TCP connection is opened here, the TLS handshake is
# left to the caller's +connect+.
#
# @return [OpenSSL::SSL::SSLSocket]
def noverify_socket
  @noverify_socket ||= OpenSSL::SSL::SSLSocket.new(TCPSocket.new(host, port), noverify_peer_ssl_context)
end
# File 'lib/chef/knife/ssl_check.rb', line 58
# Port component of the parsed #uri.
#
# @return [Integer, nil]
def port
  uri.port
end
# File 'lib/chef/knife/ssl_check.rb', line 198
# Command entry point: validates the URI, then requires BOTH checks to pass
# — chain verification (#verify_cert) and hostname match
# (#verify_cert_host). Exits with status 1 if either fails; the failing
# helper has already printed its diagnostics by then.
def run
  validate_uri
  exit 1 unless verify_cert && verify_cert_host
  ui.msg "Successfully verified certificates from `#{host}'"
end
# File 'lib/chef/knife/ssl_check.rb', line 43
# Memoized parsed form of #given_uri. Parsing failures (URI::Error)
# propagate to the caller; #validate_uri turns them into a usage error.
#
# @return [URI::Generic]
def uri
  return @uri if @uri
  Chef::Log.debug("Checking SSL cert on #{given_uri}")
  @uri = URI.parse(given_uri)
end
#validate_uri ⇒ Object
# File 'lib/chef/knife/ssl_check.rb', line 62
# Aborts via #invalid_uri! unless the given URI parses and yields both a
# host and a port. A URI::Error raised while parsing is treated the same
# way as a missing component.
def validate_uri
  invalid_uri! unless host && port
rescue URI::Error
  invalid_uri!
end
#verify_cert ⇒ Object
# File 'lib/chef/knife/ssl_check.rb', line 109
# Performs the TLS handshake with peer verification on (VERIFY_PEER via
# #verify_peer_socket). Only OpenSSL::SSL::SSLError is rescued, so plain
# connection failures (refused, unreachable, DNS) propagate to the caller.
#
# @return [Boolean] true when the chain verified, false after printing
#   diagnostics via #debug_invalid_cert
def verify_cert
  ui.msg("Connecting to host #{host}:#{port}")
  verify_peer_socket.connect
  true
rescue OpenSSL::SSL::SSLError => ssl_error
  ui.error("The SSL certificate of #{host} could not be verified")
  Chef::Log.debug(ssl_error.message)
  debug_invalid_cert
  false
end
#verify_cert_host ⇒ Object
# File 'lib/chef/knife/ssl_check.rb', line 120
# Checks that the already-verified certificate is actually valid for
# +host+. VERIFY_PEER only establishes a trusted chain; matching the
# certificate's identity against the hostname is this separate
# +post_connection_check+ step, so it must run after #verify_cert.
#
# @return [Boolean] true on a hostname match, false after printing
#   diagnostics via #debug_invalid_host
def verify_cert_host
  verify_peer_socket.post_connection_check(host)
  true
rescue OpenSSL::SSL::SSLError => ssl_error
  ui.error("The SSL cert is signed by a trusted authority but is not valid for the given hostname")
  Chef::Log.debug(ssl_error)
  debug_invalid_host
  false
end
#verify_peer_socket ⇒ Object
# File 'lib/chef/knife/ssl_check.rb', line 77
# Memoized SSL socket to host:port using the verifying context
# (#verify_peer_ssl_context). The TCP connection is opened here; the TLS
# handshake happens when the caller invokes +connect+ (see #verify_cert).
#
# @return [OpenSSL::SSL::SSLSocket]
def verify_peer_socket
  @verify_peer_socket ||= OpenSSL::SSL::SSLSocket.new(TCPSocket.new(host, port), verify_peer_ssl_context)
end
#verify_peer_ssl_context ⇒ Object
# File 'lib/chef/knife/ssl_check.rb', line 84
# Memoized SSLContext with full peer verification (VERIFY_PEER), configured
# by the instance's @ssl_policy first and then forced to verify regardless
# of what the policy set. This is the context behind the real trust
# decision in #verify_cert.
#
# @return [OpenSSL::SSL::SSLContext]
def verify_peer_ssl_context
  @verify_peer_ssl_context ||= OpenSSL::SSL::SSLContext.new.tap do |ctx|
    @ssl_policy.apply_to(ctx)
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  end
end