Class: Chef::Knife::SslFetch

Inherits:
Chef::Knife show all
Defined in:
lib/chef/knife/ssl_fetch.rb

Constant Summary

Constants inherited from Chef::Knife

OFFICIAL_PLUGINS

Instance Attribute Summary

Attributes inherited from Chef::Knife

#name_args, #ui

Instance Method Summary collapse

Methods inherited from Chef::Knife

#api_key, #apply_computed_config, category, chef_config_dir, #cli_keys, common_name, #config_file_settings, config_loader, #configure_chef, #create_object, #delete_object, dependency_loaders, deps, #format_rest_error, guess_category, #humanize_exception, #humanize_http_exception, inherited, list_commands, load_commands, load_config, load_deps, #maybe_setup_fips, #merge_configs, msg, #noauth_rest, #parse_options, reset_config_loader!, reset_subcommands!, #rest, run, #run_with_pretty_exceptions, #server_url, #show_usage, snake_case_name, subcommand_category, subcommand_class_from, subcommand_files, subcommand_loader, subcommands, subcommands_by_category, #test_mandatory_field, ui, unnamed?, use_separate_defaults?, #username

Methods included from Mixin::ConvertToClassName

#constantize, #convert_to_class_name, #convert_to_snake_case, #filename_to_qualified_string, #normalize_snake_case_name, #snake_case_basename

Methods included from Mixin::PathSanity

#enforce_path_sanity, #sanitized_path

Constructor Details

#initialize(*args) ⇒ SslFetch


37
38
39
40
# File 'lib/chef/knife/ssl_fetch.rb', line 37

def initialize(*args)
  super
  @uri = nil
end

Instance Method Details

#cn_of(certificate) ⇒ Object


90
91
92
93
94
95
96
97
# File 'lib/chef/knife/ssl_fetch.rb', line 90

def cn_of(certificate)
  subject = certificate.subject
  if cn_field_tuple = subject.to_a.find { |field| field[0] == "CN" }
    cn_field_tuple[1]
  else
    nil
  end
end

#configurationObject


112
113
114
# File 'lib/chef/knife/ssl_fetch.rb', line 112

def configuration
  Chef::Config
end

#given_uriObject


49
50
51
# File 'lib/chef/knife/ssl_fetch.rb', line 49

def given_uri
  (name_args[0] || Chef::Config.chef_server_url)
end

#hostObject


53
54
55
# File 'lib/chef/knife/ssl_fetch.rb', line 53

def host
  uri.host
end

#invalid_uri!Object


69
70
71
72
73
# File 'lib/chef/knife/ssl_fetch.rb', line 69

def invalid_uri!
  ui.error("Given URI: `#{given_uri}' is invalid")
  show_usage
  exit 1
end

#normalize_cn(cn) ⇒ Object

Convert the CN of a certificate into something that will work well as a filename. To do so, all * characters are converted to the string "wildcard" and then all characters other than alphanumeric and hypen characters are converted to underscores. NOTE: There is some confustion about what the CN will contain when using internationalized domain names. RFC 6125 mandates that the ascii representation be used, but it is not clear whether this is followed in practice. https://tools.ietf.org/html/rfc6125#section-6.4.2


108
109
110
# File 'lib/chef/knife/ssl_fetch.rb', line 108

def normalize_cn(cn)
  cn.gsub("*", "wildcard").gsub(/[^[:alnum:]\-]/, "_")
end

#noverify_peer_ssl_contextObject


82
83
84
85
86
87
88
# File 'lib/chef/knife/ssl_fetch.rb', line 82

def noverify_peer_ssl_context
  @noverify_peer_ssl_context ||= begin
    noverify_peer_context = OpenSSL::SSL::SSLContext.new
    noverify_peer_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
    noverify_peer_context
  end
end

#portObject


57
58
59
# File 'lib/chef/knife/ssl_fetch.rb', line 57

def port
  uri.port
end

#remote_cert_chainObject


75
76
77
78
79
80
# File 'lib/chef/knife/ssl_fetch.rb', line 75

def remote_cert_chain
  tcp_connection = proxified_socket(host, port)
  shady_ssl_connection = OpenSSL::SSL::SSLSocket.new(tcp_connection, noverify_peer_ssl_context)
  shady_ssl_connection.connect
  shady_ssl_connection.peer_cert_chain
end

#runObject


131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
# File 'lib/chef/knife/ssl_fetch.rb', line 131

def run
  validate_uri
  ui.warn(<<-TRUST_TRUST)
Certificates from #{host} will be fetched and placed in your trusted_cert
directory (#{trusted_certs_dir}).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

TRUST_TRUST
  remote_cert_chain.each do |cert|
    write_cert(cert)
  end
rescue OpenSSL::SSL::SSLError => e
  # 'unknown protocol' usually means you tried to connect to a non-ssl
  # service. We handle that specially here, any other error we let bubble
  # up (probably a bug of some sort).
  raise unless e.message.include?("unknown protocol")

  ui.error("The service at the given URI (#{uri}) does not accept SSL connections")

  if uri.scheme == "http"
    https_uri = uri.to_s.sub(/^http/, "https")
    ui.error("Perhaps you meant to connect to '#{https_uri}'?")
  end
  exit 1
end

#trusted_certs_dirObject


116
117
118
# File 'lib/chef/knife/ssl_fetch.rb', line 116

def trusted_certs_dir
  configuration.trusted_certs_dir
end

#uriObject


42
43
44
45
46
47
# File 'lib/chef/knife/ssl_fetch.rb', line 42

def uri
  @uri ||= begin
    Chef::Log.debug("Checking SSL cert on #{given_uri}")
    URI.parse(given_uri)
  end
end

#validate_uriObject


61
62
63
64
65
66
67
# File 'lib/chef/knife/ssl_fetch.rb', line 61

def validate_uri
  unless host && port
    invalid_uri!
  end
rescue URI::Error
  invalid_uri!
end

#write_cert(cert) ⇒ Object


120
121
122
123
124
125
126
127
128
129
# File 'lib/chef/knife/ssl_fetch.rb', line 120

def write_cert(cert)
  FileUtils.mkdir_p(trusted_certs_dir)
  cn = cn_of(cert)
  filename = cn.nil? ? "#{host}_#{Time.new.to_i}" : normalize_cn(cn)
  full_path = File.join(trusted_certs_dir, "#{filename}.crt")
  ui.msg("Adding certificate for #{filename} in #{full_path}")
  File.open(full_path, File::CREAT | File::TRUNC | File::RDWR, 0644) do |f|
    f.print(cert.to_s)
  end
end