Class: Chef::Knife::SslFetch
Instance Attribute Summary
Attributes inherited from Chef::Knife
#name_args, #ui
Instance Method Summary
collapse
Methods inherited from Chef::Knife
#api_key, #apply_computed_config, category, chef_config_dir, common_name, #config_file_settings, config_loader, #configure_chef, #create_object, #delete_object, dependency_loaders, deps, #format_rest_error, guess_category, #humanize_exception, #humanize_http_exception, inherited, load_commands, load_config, load_deps, #maybe_setup_fips, #merge_configs, msg, #noauth_rest, #parse_options, reset_config_loader!, reset_subcommands!, #rest, run, #run_with_pretty_exceptions, #server_url, #show_usage, snake_case_name, subcommand_category, subcommand_class_from, subcommand_files, subcommand_loader, subcommands, subcommands_by_category, #test_mandatory_field, ui, unnamed?, use_separate_defaults?, #username
#constantize, #convert_to_class_name, #convert_to_snake_case, #filename_to_qualified_string, #normalize_snake_case_name, #snake_case_basename
#enforce_path_sanity
Constructor Details
#initialize(*args) ⇒ SslFetch
Returns a new instance of SslFetch.
37
38
39
40
|
# File 'lib/chef/knife/ssl_fetch.rb', line 37
def initialize(*args)
super
@uri = nil
end
|
Instance Method Details
#cn_of(certificate) ⇒ Object
90
91
92
93
94
|
# File 'lib/chef/knife/ssl_fetch.rb', line 90
def cn_of(certificate)
subject = certificate.subject
cn_field_tuple = subject.to_a.find { |field| field[0] == "CN" }
cn_field_tuple[1]
end
|
#configuration ⇒ Object
109
110
111
|
# File 'lib/chef/knife/ssl_fetch.rb', line 109
def configuration
Chef::Config
end
|
#given_uri ⇒ Object
49
50
51
|
# File 'lib/chef/knife/ssl_fetch.rb', line 49
def given_uri
(name_args[0] || Chef::Config.chef_server_url)
end
|
#host ⇒ Object
53
54
55
|
# File 'lib/chef/knife/ssl_fetch.rb', line 53
def host
uri.host
end
|
#invalid_uri! ⇒ Object
69
70
71
72
73
|
# File 'lib/chef/knife/ssl_fetch.rb', line 69
def invalid_uri!
ui.error("Given URI: `#{given_uri}' is invalid")
show_usage
exit 1
end
|
#normalize_cn(cn) ⇒ Object
Convert the CN of a certificate into something that will work well as a filename. To do so, all ‘*` characters are converted to the string “wildcard” and then all characters other than alphanumeric and hypen characters are converted to underscores. NOTE: There is some confustion about what the CN will contain when using internationalized domain names. RFC 6125 mandates that the ascii representation be used, but it is not clear whether this is followed in practice. tools.ietf.org/html/rfc6125#section-6.4.2
105
106
107
|
# File 'lib/chef/knife/ssl_fetch.rb', line 105
def normalize_cn(cn)
cn.gsub("*", "wildcard").gsub(/[^[:alnum:]\-]/, "_")
end
|
#noverify_peer_ssl_context ⇒ Object
82
83
84
85
86
87
88
|
# File 'lib/chef/knife/ssl_fetch.rb', line 82
def noverify_peer_ssl_context
@noverify_peer_ssl_context ||= begin
noverify_peer_context = OpenSSL::SSL::SSLContext.new
noverify_peer_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
noverify_peer_context
end
end
|
#port ⇒ Object
57
58
59
|
# File 'lib/chef/knife/ssl_fetch.rb', line 57
def port
uri.port
end
|
#remote_cert_chain ⇒ Object
75
76
77
78
79
80
|
# File 'lib/chef/knife/ssl_fetch.rb', line 75
def remote_cert_chain
tcp_connection = proxified_socket(host, port)
shady_ssl_connection = OpenSSL::SSL::SSLSocket.new(tcp_connection, noverify_peer_ssl_context)
shady_ssl_connection.connect
shady_ssl_connection.peer_cert_chain
end
|
#run ⇒ Object
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
|
# File 'lib/chef/knife/ssl_fetch.rb', line 127
def run
validate_uri
ui.warn(<<-TRUST_TRUST)
Certificates from #{host} will be fetched and placed in your trusted_cert
directory (#{trusted_certs_dir}).
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.
TRUST_TRUST
remote_cert_chain.each do |cert|
write_cert(cert)
end
rescue OpenSSL::SSL::SSLError => e
raise unless e.message.include?("unknown protocol")
ui.error("The service at the given URI (#{uri}) does not accept SSL connections")
if uri.scheme == "http"
https_uri = uri.to_s.sub(/^http/, "https")
ui.error("Perhaps you meant to connect to '#{https_uri}'?")
end
exit 1
end
|
#trusted_certs_dir ⇒ Object
113
114
115
|
# File 'lib/chef/knife/ssl_fetch.rb', line 113
def trusted_certs_dir
configuration.trusted_certs_dir
end
|
#uri ⇒ Object
42
43
44
45
46
47
|
# File 'lib/chef/knife/ssl_fetch.rb', line 42
def uri
@uri ||= begin
Chef::Log.debug("Checking SSL cert on #{given_uri}")
URI.parse(given_uri)
end
end
|
#validate_uri ⇒ Object
61
62
63
64
65
66
67
|
# File 'lib/chef/knife/ssl_fetch.rb', line 61
def validate_uri
unless host && port
invalid_uri!
end
rescue URI::Error
invalid_uri!
end
|
#write_cert(cert) ⇒ Object
117
118
119
120
121
122
123
124
125
|
# File 'lib/chef/knife/ssl_fetch.rb', line 117
def write_cert(cert)
FileUtils.mkdir_p(trusted_certs_dir)
cn = cn_of(cert)
filename = File.join(trusted_certs_dir, "#{normalize_cn(cn)}.crt")
ui.msg("Adding certificate for #{cn} in #{filename}")
File.open(filename, File::CREAT | File::TRUNC | File::RDWR, 0644) do |f|
f.print(cert.to_s)
end
end
|