class Chef::HTTP::DefaultSSLPolicy

Chef::HTTP::DefaultSSLPolicy

Configures SSL behavior on an HTTP object via visitor pattern.

Attributes

http_client[R]

Public Class Methods

apply_to(http_client) click to toggle source
# File lib/chef/http/ssl_policies.rb, line 34
def self.apply_to(http_client)
  new(http_client).apply
  http_client
end
new(http_client) click to toggle source
# File lib/chef/http/ssl_policies.rb, line 41
def initialize(http_client)
  @http_client = http_client
end

Public Instance Methods

apply() click to toggle source
# File lib/chef/http/ssl_policies.rb, line 45
def apply
  set_verify_mode
  set_ca_store
  set_custom_certs
  set_client_credentials
end
config() click to toggle source
# File lib/chef/http/ssl_policies.rb, line 126
def config
  Chef::Config
end
set_ca_store() click to toggle source
# File lib/chef/http/ssl_policies.rb, line 60
def set_ca_store
  if config[:ssl_ca_path]
    unless ::File.exist?(config[:ssl_ca_path])
      raise Chef::Exceptions::ConfigurationError, "The configured ssl_ca_path #{config[:ssl_ca_path]} does not exist"
    end

    http_client.ca_path = config[:ssl_ca_path]
  elsif config[:ssl_ca_file]
    unless ::File.exist?(config[:ssl_ca_file])
      raise Chef::Exceptions::ConfigurationError, "The configured ssl_ca_file #{config[:ssl_ca_file]} does not exist"
    end

    http_client.ca_file = config[:ssl_ca_file]
  elsif ENV["SSL_CERT_FILE"]
    unless ::File.exist?(ENV["SSL_CERT_FILE"])
      raise Chef::Exceptions::ConfigurationError, "The configured ssl_ca_file #{ENV["SSL_CERT_FILE"]} does not exist"
    end

    http_client.ca_file = ENV["SSL_CERT_FILE"]
  end
end
set_client_credentials() click to toggle source
# File lib/chef/http/ssl_policies.rb, line 100
def set_client_credentials
  return unless config[:ssl_client_cert] || config[:ssl_client_key]

  unless config[:ssl_client_cert] && config[:ssl_client_key]
    raise Chef::Exceptions::ConfigurationError, "You must configure ssl_client_cert and ssl_client_key together"
  end
  unless ::File.exists?(config[:ssl_client_cert])
    raise Chef::Exceptions::ConfigurationError, "The configured ssl_client_cert #{config[:ssl_client_cert]} does not exist"
  end
  unless ::File.exists?(config[:ssl_client_key])
    raise Chef::Exceptions::ConfigurationError, "The configured ssl_client_key #{config[:ssl_client_key]} does not exist"
  end

  begin
    http_client.cert = OpenSSL::X509::Certificate.new(::File.binread(config[:ssl_client_cert]))
  rescue OpenSSL::X509::CertificateError => e
    raise Chef::Exceptions::ConfigurationError, "Error reading cert file '#{config[:ssl_client_cert]}', original error '#{e.class}: #{e.message}'"
  end

  begin
    http_client.key = OpenSSL::PKey::RSA.new(::File.binread(config[:ssl_client_key]))
  rescue OpenSSL::PKey::RSAError => e
    raise Chef::Exceptions::ConfigurationError, "Error reading key file '#{config[:ssl_client_key]}', original error '#{e.class}: #{e.message}'"
  end
end
set_custom_certs() click to toggle source
# File lib/chef/http/ssl_policies.rb, line 82
def set_custom_certs
  unless http_client.cert_store
    http_client.cert_store = OpenSSL::X509::Store.new
    http_client.cert_store.set_default_paths
  end
  if config.trusted_certs_dir
    certs = Dir.glob(::File.join(Chef::Util::PathHelper.escape_glob_dir(config.trusted_certs_dir), "*.{crt,pem}"))
    certs.each do |cert_file|
      cert = begin
        OpenSSL::X509::Certificate.new(::File.binread(cert_file))
             rescue OpenSSL::X509::CertificateError => e
               raise Chef::Exceptions::ConfigurationError, "Error reading cert file '#{cert_file}', original error '#{e.class}: #{e.message}'"
      end
      add_trusted_cert(cert)
    end
  end
end
set_verify_mode() click to toggle source
# File lib/chef/http/ssl_policies.rb, line 52
def set_verify_mode
  if config[:ssl_verify_mode] == :verify_none
    http_client.verify_mode = OpenSSL::SSL::VERIFY_NONE
  elsif config[:ssl_verify_mode] == :verify_peer
    http_client.verify_mode = OpenSSL::SSL::VERIFY_PEER
  end
end

Private Instance Methods

add_trusted_cert(cert) click to toggle source
# File lib/chef/http/ssl_policies.rb, line 132
def add_trusted_cert(cert)
  http_client.cert_store.add_cert(cert)
rescue OpenSSL::X509::StoreError => e
  raise e unless e.message == "cert already in hash table"
end