Class: Chef::Knife::SslFetch

Inherits:

Chef::Knife

• Object
• Chef::Knife
• Chef::Knife::SslFetch

Defined in:

lib/chef/knife/ssl_fetch.rb

Instance Attribute Summary

Attributes inherited from Chef::Knife

#name_args, #ui

Instance Method Summary

• #cn_of(certificate) ⇒ Object
• #configuration ⇒ Object
• #given_uri ⇒ Object
• #host ⇒ Object
• #initialize(*args) ⇒ SslFetch constructor

  A new instance of SslFetch.

• #invalid_uri! ⇒ Object
• #normalize_cn(cn) ⇒ Object

  Convert the CN of a certificate into something that will work well as a filename.

• #noverify_peer_ssl_context ⇒ Object
• #port ⇒ Object
• #remote_cert_chain ⇒ Object
• #run ⇒ Object
• #trusted_certs_dir ⇒ Object
• #uri ⇒ Object
• #validate_uri ⇒ Object
• #write_cert(cert) ⇒ Object

Methods inherited from Chef::Knife

#api_key, #apply_computed_config, category, chef_config_dir, common_name, #config_file_settings, config_loader, #configure_chef, #create_object, #delete_object, dependency_loaders, deps, #format_rest_error, guess_category, #humanize_exception, #humanize_http_exception, inherited, list_commands, load_commands, load_config, load_deps, #merge_configs, msg, #noauth_rest, #parse_options, reset_config_loader!, reset_subcommands!, #rest, run, #run_with_pretty_exceptions, #server_url, #show_usage, snake_case_name, subcommand_category, subcommand_class_from, subcommand_loader, subcommands, subcommands_by_category, ui, unnamed?, use_separate_defaults?, #username

Methods included from Mixin::ConvertToClassName

#constantize, #convert_to_class_name, #convert_to_snake_case, #filename_to_qualified_string, #snake_case_basename

Methods included from Mixin::PathSanity

#enforce_path_sanity

Constructor Details

#initialize(*args) ⇒ SslFetch

Returns a new instance of SslFetch.

# File 'lib/chef/knife/ssl_fetch.rb', line 35

def initialize(*args)
  super
  @uri = nil
end

Instance Method Details

#cn_of(certificate) ⇒ Object

# File 'lib/chef/knife/ssl_fetch.rb', line 89

def cn_of(certificate)
  subject = certificate.subject
  cn_field_tuple = subject.to_a.find {|field| field[0] == "CN" }
  cn_field_tuple[1]
end

#configuration ⇒ Object

# File 'lib/chef/knife/ssl_fetch.rb', line 108

def configuration
  Chef::Config
end

#given_uri ⇒ Object

# File 'lib/chef/knife/ssl_fetch.rb', line 47

def given_uri
  (name_args[0] or Chef::Config.chef_server_url)
end

#host ⇒ Object

# File 'lib/chef/knife/ssl_fetch.rb', line 51

def host
  uri.host
end

#invalid_uri! ⇒ Object

# File 'lib/chef/knife/ssl_fetch.rb', line 67

def invalid_uri!
  ui.error("Given URI: `#{given_uri}' is invalid")
  show_usage
  exit 1
end

#normalize_cn(cn) ⇒ Object

Convert the CN of a certificate into something that will work well as a filename. To do so, all ‘*` characters are converted to the string “wildcard” and then all characters other than alphanumeric and hypen characters are converted to underscores. NOTE: There is some confustion about what the CN will contain when using internationalized domain names. RFC 6125 mandates that the ascii representation be used, but it is not clear whether this is followed in practice. tools.ietf.org/html/rfc6125#section-6.4.2

# File 'lib/chef/knife/ssl_fetch.rb', line 104

def normalize_cn(cn)
  cn.gsub("*", "wildcard").gsub(/[^[:alnum:]\-]/, '_')
end

#noverify_peer_ssl_context ⇒ Object

# File 'lib/chef/knife/ssl_fetch.rb', line 80

def noverify_peer_ssl_context
  @noverify_peer_ssl_context ||= begin
    noverify_peer_context = OpenSSL::SSL::SSLContext.new
    noverify_peer_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
    noverify_peer_context
  end
end

#port ⇒ Object

# File 'lib/chef/knife/ssl_fetch.rb', line 55

def port
  uri.port
end

#remote_cert_chain ⇒ Object

# File 'lib/chef/knife/ssl_fetch.rb', line 73

def remote_cert_chain
  tcp_connection = TCPSocket.new(host, port)
  shady_ssl_connection = OpenSSL::SSL::SSLSocket.new(tcp_connection, noverify_peer_ssl_context)
  shady_ssl_connection.connect
  shady_ssl_connection.peer_cert_chain
end

#run ⇒ Object

# File 'lib/chef/knife/ssl_fetch.rb', line 126

def run
  validate_uri
  ui.warn("Certificates from \#{host} will be fetched and placed in your trusted_cert\ndirectory (\#{trusted_certs_dir}).\n\nKnife has no means to verify these are the correct certificates. You should\nverify the authenticity of these certificates after downloading.\n\n")
  remote_cert_chain.each do |cert|
    write_cert(cert)
  end
rescue OpenSSL::SSL::SSLError => e
  # 'unknown protocol' usually means you tried to connect to a non-ssl
  # service. We handle that specially here, any other error we let bubble
  # up (probably a bug of some sort).
  raise unless e.message.include?("unknown protocol")

  ui.error("The service at the given URI (#{uri}) does not accept SSL connections")

  if uri.scheme == "http"
    https_uri = uri.to_s.sub(/^http/, 'https')
    ui.error("Perhaps you meant to connect to '#{https_uri}'?")
  end
  exit 1
end

#trusted_certs_dir ⇒ Object

# File 'lib/chef/knife/ssl_fetch.rb', line 112

def trusted_certs_dir
  configuration.trusted_certs_dir
end

#uri ⇒ Object

# File 'lib/chef/knife/ssl_fetch.rb', line 40

def uri
  @uri ||= begin
    Chef::Log.debug("Checking SSL cert on #{given_uri}")
    URI.parse(given_uri)
  end
end

#validate_uri ⇒ Object

# File 'lib/chef/knife/ssl_fetch.rb', line 59

def validate_uri
  unless host && port
    invalid_uri!
  end
rescue URI::Error
  invalid_uri!
end

#write_cert(cert) ⇒ Object

# File 'lib/chef/knife/ssl_fetch.rb', line 116

def write_cert(cert)
  FileUtils.mkdir_p(trusted_certs_dir)
  cn = cn_of(cert)
  filename = File.join(trusted_certs_dir, "#{normalize_cn(cn)}.crt")
  ui.msg("Adding certificate for #{cn} in #{filename}")
  File.open(filename, File::CREAT|File::TRUNC|File::RDWR, 0644) do |f|
    f.print(cert.to_s)
  end
end