Class: Chef::Knife::SslFetch
Constant Summary
Constants inherited
from Chef::Knife
CHEF_ORGANIZATION_MANAGEMENT, KNIFE_ROOT, OFFICIAL_PLUGINS, OPSCODE_HOSTED_CHEF_ACCESS_CONTROL, VERSION
Instance Attribute Summary
Attributes inherited from Chef::Knife
#name_args, #ui
Instance Method Summary
Methods inherited from Chef::Knife
#api_key, #apply_computed_config, category, chef_config_dir, common_name, #config_file_defaults, #config_file_settings, config_loader, #config_source, #configure_chef, #create_object, #delete_object, dependency_loaders, deps, #format_rest_error, guess_category, #humanize_exception, #humanize_http_exception, inherited, list_commands, load_commands, load_config, load_deps, #maybe_setup_fips, #merge_configs, msg, #noauth_rest, #parse_options, reset_config_loader!, reset_subcommands!, #rest, #root_rest, run, #run_with_pretty_exceptions, #server_url, #show_usage, snake_case_name, subcommand_category, subcommand_class_from, subcommand_files, subcommand_loader, subcommands, subcommands_by_category, #test_mandatory_field, ui, unnamed?, use_separate_defaults?, #username
Constructor Details
#initialize(*args) ⇒ SslFetch
Returns a new instance of SslFetch.
# File 'lib/chef/knife/ssl_fetch.rb', line 38
# Build the command; all arguments are handed to Chef::Knife's constructor.
#
# @param args [Array] arguments forwarded unchanged to super
def initialize(*args)
  super
  # Parsed URI cache; #uri fills it lazily on first use.
  @uri = nil
end
Instance Method Details
#cn_of(certificate) ⇒ Object
# File 'lib/chef/knife/ssl_fetch.rb', line 91
# Extract the Common Name (CN) from a certificate's subject.
#
# @param certificate [OpenSSL::X509::Certificate] certificate whose subject is inspected
# @return [String, nil] the value of the first CN field, or nil when the subject has none
def cn_of(certificate)
  # Each subject entry is a [name, value, type] tuple; only the name matters here.
  cn_entry = certificate.subject.to_a.find { |name, _value, _type| name == "CN" }
  cn_entry && cn_entry[1]
end
#configuration ⇒ Object
# File 'lib/chef/knife/ssl_fetch.rb', line 113
# The configuration object this command reads settings from
# (see #trusted_certs_dir).
#
# @return [Chef::Config]
def configuration
  Chef::Config
end
#given_uri ⇒ Object
# File 'lib/chef/knife/ssl_fetch.rb', line 50
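# The URI to inspect: the first positional argument when one was given,
# otherwise the configured chef_server_url.
#
# @return [String, nil] the raw, unparsed URI string
def given_uri
  # Go through #configuration, as #trusted_certs_dir does, so every config
  # lookup in this command goes to the same place.
  name_args.first || configuration.chef_server_url
end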
#host ⇒ Object
# File 'lib/chef/knife/ssl_fetch.rb', line 54
# Host component of the parsed #uri.
#
# @return [String, nil]
def host
  uri.host
end
#invalid_uri! ⇒ Object
# File 'lib/chef/knife/ssl_fetch.rb', line 70
# Report an unusable URI, print the command's usage, and terminate.
#
# Never returns: the process exits with status 1.
def invalid_uri!
  ui.error("Given URI: `#{given_uri}' is invalid")
  show_usage
  exit 1
end
#normalize_cn(cn) ⇒ Object
Convert the CN of a certificate into something that will work well as a filename. To do so, all `*` characters are converted to the string "wildcard" and then all characters other than alphanumeric and hyphen characters are converted to underscores. NOTE: There is some confusion about what the CN will contain when using internationalized domain names. RFC 6125 mandates that the ASCII representation be used, but it is not clear whether this is followed in practice. See tools.ietf.org/html/rfc6125#section-6.4.2
# File 'lib/chef/knife/ssl_fetch.rb', line 109
# Turn a certificate CN into a filename-safe stem: "*" becomes "wildcard",
# and every character that is neither alphanumeric nor "-" becomes "_".
# The result therefore never contains a path separator.
#
# @param cn [String] the certificate's Common Name
# @return [String] the normalized name
def normalize_cn(cn)
  without_wildcards = cn.gsub("*", "wildcard")
  without_wildcards.gsub(/[^[:alnum:]\-]/, "_")
end
#noverify_peer_ssl_context ⇒ Object
# File 'lib/chef/knife/ssl_fetch.rb', line 83
# An SSL context that performs no peer verification. It exists only so that
# #remote_cert_chain can complete a handshake with a server whose certificate
# is not trusted yet and read the chain it presents; nothing obtained through
# this context has been verified.
#
# @return [OpenSSL::SSL::SSLContext] memoized context with VERIFY_NONE
def noverify_peer_ssl_context
  @noverify_peer_ssl_context ||= OpenSSL::SSL::SSLContext.new.tap do |context|
    context.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end
end
#port ⇒ Object
# File 'lib/chef/knife/ssl_fetch.rb', line 58
# Port component of the parsed #uri.
#
# @return [Integer, nil]
def port
  uri.port
end
#remote_cert_chain ⇒ Object
# File 'lib/chef/knife/ssl_fetch.rb', line 76
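# Connect to host:port over TLS without verifying the peer and return the
# certificate chain the server presents.
#
# The handshake deliberately uses #noverify_peer_ssl_context: the purpose of
# this command is to fetch certificates that are not trusted yet. Nothing
# about the returned chain has been verified; #run warns the user about that.
#
# @return [Array<OpenSSL::X509::Certificate>] the peer's certificate chain
# @raise [OpenSSL::SSL::SSLError] when the handshake fails (for example when
#   the service does not speak TLS; #run handles the "unknown protocol" case)
def remote_cert_chain
  tcp_connection = proxified_socket(host, port)
  shady_ssl_connection = OpenSSL::SSL::SSLSocket.new(tcp_connection, noverify_peer_ssl_context)
  # Close the TCP socket together with the SSL socket (see ensure below).
  shady_ssl_connection.sync_close = true
  # Send SNI, as Net::HTTP does, so a server hosting several names returns the
  # chain for this host rather than its default certificate.
  shady_ssl_connection.hostname = host
  shady_ssl_connection.connect
  shady_ssl_connection.peer_cert_chain
ensure
  # Do not leak the connection once the chain has been read or the handshake
  # has failed; whichever socket exists is closed.
  if shady_ssl_connection
    shady_ssl_connection.close
  elsif tcp_connection
    tcp_connection.close
  end
end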
#run ⇒ Object
# File 'lib/chef/knife/ssl_fetch.rb', line 132
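# Command entry point: validate the URI, warn that the fetched certificates
# are unverified, then write every certificate of the peer's chain into
# trusted_certs_dir.
#
# A handshake failure whose message mentions "unknown protocol" is treated as
# "the service does not speak TLS": an error is printed (with an https:// hint
# when the URI scheme is http) and the process exits with status 1. Any other
# OpenSSL::SSL::SSLError is re-raised.
def run
  validate_uri
  ui.warn(<<~TRUST_TRUST)
    Certificates from #{host} will be fetched and placed in your trusted_cert
    directory (#{trusted_certs_dir}).
    Knife has no means to verify these are the correct certificates. You should
    verify the authenticity of these certificates after downloading.
  TRUST_TRUST
  remote_cert_chain.each { |cert| write_cert(cert) }
rescue OpenSSL::SSL::SSLError => e
  # Only the "not TLS at all" case is handled here; everything else propagates.
  raise unless e.message.include?("unknown protocol")

  ui.error("The service at the given URI (#{uri}) does not accept SSL connections")
  if uri.scheme == "http"
    # \A anchors at the start of the whole string; ^ matches any line start.
    https_uri = uri.to_s.sub(/\Ahttp/, "https")
    ui.error("Perhaps you meant to connect to '#{https_uri}'?")
  end
  exit 1
end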
#trusted_certs_dir ⇒ Object
# File 'lib/chef/knife/ssl_fetch.rb', line 117
# Directory that fetched certificates are written to, read from #configuration.
#
# @return [String] path of the configured trusted_certs_dir
def trusted_certs_dir
  configuration.trusted_certs_dir
end
#uri ⇒ Object
# File 'lib/chef/knife/ssl_fetch.rb', line 43
# The parsed form of #given_uri, computed once and cached in @uri.
#
# @return [URI::Generic] the parsed URI
# @raise [URI::Error] when #given_uri does not parse (handled by #validate_uri)
def uri
  return @uri if @uri

  Chef::Log.trace("Checking SSL cert on #{given_uri}")
  @uri = URI.parse(given_uri)
end
#validate_uri ⇒ Object
# File 'lib/chef/knife/ssl_fetch.rb', line 62
# Ensure the given URI parses and names both a host and a port; otherwise
# bail out through #invalid_uri! (which exits the process).
def validate_uri
  invalid_uri! unless host && port
rescue URI::Error
  # #uri failed to parse #given_uri.
  invalid_uri!
end
#write_cert(cert) ⇒ Object
# File 'lib/chef/knife/ssl_fetch.rb', line 121
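# Write one certificate (cert.to_s, the PEM form for an
# OpenSSL::X509::Certificate) into trusted_certs_dir.
#
# The file is named after the normalized CN; a certificate without a CN is
# named after the host plus the current epoch seconds. #normalize_cn reduces
# the CN to alphanumerics, "-" and "_", so the CN can never contribute a path
# separator and the file always lands inside trusted_certs_dir.
#
# @param cert [OpenSSL::X509::Certificate] certificate to persist
# @return [void]
def write_cert(cert)
  FileUtils.mkdir_p(trusted_certs_dir)
  cn = cn_of(cert)
  filename = cn.nil? ? "#{host}_#{Time.new.to_i}" : normalize_cn(cn)
  # Interpolate the computed name; it was the value missing from the path and
  # the message below.
  full_path = File.join(trusted_certs_dir, "#{filename}.crt")
  ui.msg("Adding certificate for #{filename} in #{full_path}")
  # Truncate so a re-fetch replaces a stale certificate of the same name.
  File.open(full_path, File::CREAT | File::TRUNC | File::RDWR, 0644) do |f|
    f.print(cert.to_s)
  end
end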