berkshelf 5.2.0 → 5.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5089b7006471b9e1a535ab4fc5f3ee1b83ae6114
-  data.tar.gz: 15c5ac0f94f60ea0d741975e13ed4af81fa5ef70
+  metadata.gz: ca3e18fe34db1ef6247c982bfcdee59145909ace
+  data.tar.gz: 2349d6fd268fe58dd5f28096bbd16aa57f8a4d57
 SHA512:
-  metadata.gz: a6a0945ca8000eb04ae6d381c04235ad9c9657635ba6eda6453134207421a8054df09407972988750ff89b5d93d183e2f2a966933eabc977471672ffd07ab530
-  data.tar.gz: ae1cfadeee18dda60605775d86d31720524636eb4e600a13d1802a75e4fa955621ba37463af8dc5b41c9537b5028d2274eda88e3a4c398dfae75a59c71dfafe3
+  metadata.gz: 670473789eb3606bc9e867fbb6f28ce2858bfa1ef0092862627043008ffb7b807580bcfa06c3a01fb111a847144f9ff262041f93e0cc103e3b2db2a944101ecf
+  data.tar.gz: 0beb850938db36494f3ed5b272c6974706c57731cacc74ec62578a5c9f821fad1737dadbdd91a5f30f28be791b0b9781de9c685bcc73b121ad2202c1d7f3698e

data/.travis.yml

@@ -41,6 +41,9 @@ matrix:
     - rvm: 2.2.5
     - rvm: 2.3.1
     - rvm: ruby-head
+    - rvm: 2.3.1
+      before_install:
+        rm Gemfile.lock
 #    - rvm: 2.2.5
 #      before_install:
 #        # Failures in the berkshelf-api gemspec were happening with bundler 1.8

data/CHANGELOG.md

@@ -1,7 +1,15 @@
 # Change Log
 
-## [5.2.0](https://github.com/berkshelf/berkshelf/tree/5.2.0) (2016-11-07)
-[Full Changelog](https://github.com/berkshelf/berkshelf/compare/v5.1.0...5.2.0)
+## [5.3.0](https://github.com/berkshelf/berkshelf/tree/5.3.0) (2016-12-15)
+[Full Changelog](https://github.com/berkshelf/berkshelf/compare/v5.2.0...5.3.0)
+
+**Merged pull requests:**
+
+- Add SSLPolicy class that will use chefdk trusted certs path [\#1640](https://github.com/berkshelf/berkshelf/pull/1640) ([afiune](https://github.com/afiune))
+- Add alternative way to run tests [\#1626](https://github.com/berkshelf/berkshelf/pull/1626) ([gliptak](https://github.com/gliptak))
+
+## [v5.2.0](https://github.com/berkshelf/berkshelf/tree/v5.2.0) (2016-11-07)
+[Full Changelog](https://github.com/berkshelf/berkshelf/compare/v5.1.0...v5.2.0)
 
 **Merged pull requests:**
 

data/CONTRIBUTING.md

@@ -36,10 +36,14 @@ Bundler will install all gems and their dependencies required for testing and de
 
 ### Running unit (RSpec) and acceptance (Cucumber) tests
 
-We use Chef Zero - an in-memory Chef Server for running tests. It is automatically managed by the Specs and Cukes. Simply run:
+We use Chef Zero - an in-memory Chef Server for running tests. It is automatically managed by the Specs and Cukes. Run:
 
     $ bundle exec guard start
 
+or
+   
+    $ bundle exec thor spec:ci
+
 See [here](https://github.com/tdegrunt/vagrant-chef-server-bootstrap) for a
 quick way to get a testing chef server up.
 

data/Gemfile.lock

@@ -20,7 +20,7 @@ GIT
 PATH
   remote: .
   specs:
-    berkshelf (5.2.0)
+    berkshelf (5.3.0)
       addressable (~> 2.3, >= 2.3.4)
       berkshelf-api-client (>= 2.0.2, < 4.0)
       buff-config (~> 2.0)
@@ -35,7 +35,7 @@ PATH
       retryable (~> 2.0)
       ridley (~> 5.0)
       solve (> 2.0, < 4.0)
-      thor (~> 0.19)
+      thor (~> 0.19, < 0.19.2)
 
 GEM
   remote: https://rubygems.org/
@@ -49,7 +49,7 @@ GEM
     addressable (2.4.0)
     archive (0.0.6)
       ffi (~> 1.9.3)
-    artifactory (2.5.0)
+    artifactory (2.5.1)
     aruba (0.14.2)
       childprocess (~> 0.5.6)
       contracts (~> 0.9)
@@ -80,7 +80,7 @@ GEM
     celluloid-io (0.16.2)
       celluloid (>= 0.16.0)
       nio4r (>= 1.1.0)
-    chef-config (12.15.19)
+    chef-config (12.16.42)
       addressable
       fuzzyurl
       mixlib-config (~> 2.0)
@@ -187,10 +187,10 @@ GEM
       guard (~> 2.0)
       guard-compat (~> 1.0)
       spork (>= 0.8.4)
-    hashdiff (0.3.0)
+    hashdiff (0.3.1)
     hashie (3.4.6)
     hitimes (1.2.4)
-    http (2.0.3)
+    http (2.1.0)
       addressable (~> 2.3)
       http-cookie (~> 1.0)
       http-form_data (~> 1.0.1)
@@ -219,7 +219,7 @@ GEM
     mixlib-authentication (1.4.1)
       mixlib-log
     mixlib-config (2.2.4)
-    mixlib-install (2.1.6)
+    mixlib-install (2.1.7)
       artifactory
       mixlib-shellout
       mixlib-versioning
@@ -227,7 +227,7 @@ GEM
     mixlib-log (1.7.1)
     mixlib-shellout (2.2.7)
     mixlib-versioning (1.1.0)
-    molinillo (0.5.3)
+    molinillo (0.5.4)
     msgpack (1.0.2)
     multi_json (1.12.1)
     multi_test (0.1.2)
@@ -253,12 +253,12 @@ GEM
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    octokit (4.4.1)
-      sawyer (~> 0.7.0, >= 0.5.3)
+    octokit (4.6.2)
+      sawyer (~> 0.8.0, >= 0.5.3)
     overcommit (0.37.0)
       childprocess (~> 0.5.8)
       iniparse (~> 1.4)
-    parser (2.3.1.4)
+    parser (2.3.3.0)
       ast (~> 2.2)
     powerpack (0.1.1)
     pry (0.10.4)
@@ -320,17 +320,17 @@ GEM
     ruby-progressbar (1.8.1)
     ruby_dep (1.5.0)
     safe_yaml (1.0.4)
-    sawyer (0.7.0)
-      addressable (>= 2.3.5, < 2.5)
-      faraday (~> 0.8, < 0.10)
+    sawyer (0.8.1)
+      addressable (>= 2.3.5, < 2.6)
+      faraday (~> 0.8, < 1.0)
     semverse (2.0.0)
     shellany (0.0.1)
     slop (3.6.0)
-    solve (3.0.1)
-      molinillo (~> 0.4)
+    solve (3.1.0)
+      molinillo (>= 0.5)
       semverse (>= 1.1, < 3.0)
     spork (0.9.2)
-    test-kitchen (1.13.2)
+    test-kitchen (1.14.0)
       mixlib-install (>= 1.2, < 3.0)
       mixlib-shellout (>= 1.2, < 3.0)
       net-scp (~> 1.1)

data/README.md

@@ -31,7 +31,7 @@ $ gem install berkshelf
 
 ## Usage
 
-See [berkshelf.com](http://berkshelf.com) for up-to-date usage instructions.
+See [docs.chef.io](https://docs.chef.io/berkshelf.html) for up-to-date usage instructions.
 
 ## Supported Platforms
 

data/berkshelf.gemspec

@@ -42,7 +42,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'retryable',            '~> 2.0'
   s.add_dependency 'ridley',               '~> 5.0'
   s.add_dependency 'solve',                '> 2.0', '< 4.0'
-  s.add_dependency 'thor',                 '~> 0.19'
+  s.add_dependency 'thor',                 '~> 0.19', '< 0.19.2'
   s.add_dependency 'octokit',              '~> 4.0'
   s.add_dependency 'mixlib-archive',       '~> 0.1'
 end

data/lib/berkshelf.rb

@@ -118,14 +118,25 @@ module Berkshelf
       @formatter ||= HumanFormatter.new
     end
 
+    def ssl_policy
+      @ssl_policy ||= SSLPolicy.new
+    end
+
     # @raise [Berkshelf::ChefConnectionError]
     def ridley_connection(options = {}, &block)
-      ridley_options               = options.slice(:ssl)
+      ssl_options              = {}
+      ssl_options[:verify]     = if options[:ssl_verify].nil?
+                                   Berkshelf.config.ssl.verify
+                                 else
+                                   options[:ssl_verify]
+                                 end
+      ssl_options[:cert_store] = ssl_policy.store if ssl_policy.store
 
+      ridley_options               = options.slice(:ssl)
       ridley_options[:server_url]  = options[:server_url] || Berkshelf.config.chef.chef_server_url
       ridley_options[:client_name] = options[:client_name] || Berkshelf.config.chef.node_name
       ridley_options[:client_key]  = options[:client_key] || Berkshelf.config.chef.client_key
-      ridley_options[:ssl]         = { verify: (options[:ssl_verify].nil?) ? Berkshelf.config.ssl.verify : options[:ssl_verify]}
+      ridley_options[:ssl]         = ssl_options
 
       unless ridley_options[:server_url].present?
         raise ChefConnectionError, 'Missing required attribute in your Berkshelf configuration: chef.server_url'
@@ -207,6 +218,7 @@ require_relative 'berkshelf/resolver'
 require_relative 'berkshelf/source'
 require_relative 'berkshelf/source_uri'
 require_relative 'berkshelf/validator'
+require_relative 'berkshelf/ssl_policies'
 
 Ridley.logger          = Berkshelf.logger
 Berkshelf.logger.level = Logger::WARN

data/lib/berkshelf/config.rb

@@ -106,6 +106,9 @@ module Berkshelf
     attribute 'chef.node_name',
       type: String,
       default: Berkshelf.chef_config.node_name
+    attribute 'chef.trusted_certs_dir',
+      type: String,
+      default: Berkshelf.chef_config.trusted_certs_dir
     attribute 'cookbook.copyright',
       type: String,
       default: Berkshelf.chef_config.cookbook_copyright

data/lib/berkshelf/downloader.rb

@@ -1,5 +1,6 @@
 require 'net/http'
 require 'mixlib/archive'
+require 'berkshelf/ssl_policies'
 
 module Berkshelf
   class Downloader
@@ -14,6 +15,10 @@ module Berkshelf
       @berksfile = berksfile
     end
 
+    def ssl_policy
+      @ssl_policy ||= SSLPolicy.new
+    end
+
     # Download the given Berkshelf::Dependency. If the optional block is given,
     # the temporary path to the cookbook is yielded and automatically deleted
     # when the block returns. If no block is given, it is the responsibility of
@@ -61,11 +66,14 @@ module Berkshelf
         CommunityREST.new(remote_cookbook.location_path).download(name, version)
       when :chef_server
         # @todo Dynamically get credentials for remote_cookbook.location_path
+        ssl_options = {verify: Berkshelf::Config.instance.ssl.verify}
+        ssl_options[:cert_store] = ssl_policy.store if ssl_policy.store
+
         credentials = {
           server_url: remote_cookbook.location_path,
           client_name: Berkshelf::Config.instance.chef.node_name,
           client_key: Berkshelf::Config.instance.chef.client_key,
-          ssl: Berkshelf::Config.instance.ssl
+          ssl: ssl_options
         }
         # @todo  Something scary going on here - getting an instance of Kitchen::Logger from test-kitchen
         # https://github.com/opscode/test-kitchen/blob/master/lib/kitchen.rb#L99

data/lib/berkshelf/source.rb

@@ -1,4 +1,6 @@
 require 'berkshelf/api-client'
+require 'berkshelf/ssl_policies'
+require 'openssl'
 
 module Berkshelf
   class Source
@@ -12,11 +14,18 @@ module Berkshelf
       @universe   = nil
     end
 
+    def ssl_policy
+      @ssl_policy ||= SSLPolicy.new
+    end
+
     def api_client
       @api_client ||= begin
+                        ssl_options = {verify: Berkshelf::Config.instance.ssl.verify}
+                        ssl_options[:cert_store] = ssl_policy.store if ssl_policy.store
+
                         if source == :chef_server
                           APIClient.chef_server(
-                            ssl: Berkshelf::Config.instance.ssl,
+                            ssl: ssl_options,
                             timeout: api_timeout,
                             open_timeout: [(api_timeout / 10), 3].max,
                             client_name: Berkshelf::Config.instance.chef.node_name,

data/lib/berkshelf/ssl_policies.rb

@@ -0,0 +1,40 @@
+require 'openssl'
+
+module Berkshelf
+  class SSLPolicy
+
+    # @return [Store]
+    #   Holds trusted CA certificates used to verify peer certificates
+    attr_reader :store
+
+    def initialize
+      @store = OpenSSL::X509::Store.new.tap do |store|
+        store.set_default_paths
+      end
+
+      set_custom_certs if ::File.exist?(trusted_certs_dir)
+    end
+
+    def add_trusted_cert(cert)
+      @store.add_cert(cert)
+    rescue OpenSSL::X509::StoreError => e
+      raise e unless e.message == 'cert already in hash table'
+    end
+
+    def trusted_certs_dir
+      config_dir = Berkshelf.config.chef.trusted_certs_dir.to_s
+      if config_dir.empty? || !::File.exist?(config_dir)
+        File.join(ENV['HOME'], '.chef', 'trusted_certs')
+      else
+        config_dir
+      end
+    end
+
+    def set_custom_certs
+      ::Dir.glob("#{trusted_certs_dir}/" "{*.crt,*.pem}").each do |cert|
+        cert = OpenSSL::X509::Certificate.new(IO.read(cert))
+        add_trusted_cert(cert)
+      end
+    end
+  end
+end

data/lib/berkshelf/version.rb

@@ -1,3 +1,3 @@
 module Berkshelf
-  VERSION = "5.2.0"
+  VERSION = "5.3.0"
 end

data/spec/data/trusted_certs/example.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkjCCAnoCCQDihI8kxGYTFTANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMC
+VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMRAwDgYDVQQKEwdZb3VD
+b3JwMRMwEQYDVQQLEwpPcGVyYXRpb25zMRYwFAYDVQQDEw1leGFtcGxlLmxvY2Fs
+MR0wGwYJKoZIhvcNAQkBFg5tZUBleGFtcGxlLmNvbTAeFw0xMzEwMTcxODAxMzVa
+Fw0yMzEwMTUxODAxMzVaMIGKMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAO
+BgNVBAcTB1NlYXR0bGUxEDAOBgNVBAoTB1lvdUNvcnAxEzARBgNVBAsTCk9wZXJh
+dGlvbnMxFjAUBgNVBAMTDWV4YW1wbGUubG9jYWwxHTAbBgkqhkiG9w0BCQEWDm1l
+QGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyKBo
+U+Bdni0xZK/NCzdLdi2X+TyW5eahbYMx+r1GDcVqCICvrthBCVLVFsQ8rvOHwTPi
+AxQJGxb9TLSXRgXQSlH6FLjIUceuOtpan3qYVJ1v7AxY4DgNvYBpbtJz5MQedJnT
+g2F+rXzkwaD6CWBqWHeGU0oP3r7bq1AMD6XEsK2w2/zHtG7TEnL45ARv1PsyrU5M
+ZAW/XyoMyq1k2Lpv7YR5kAvTq1+4RSt/it2RFE7R0AVbaQ0MeAnllfySiHHHlaOT
+FVd/qPSiGISxsUmmzA3Z08+0sfJwkrnJXbLscCBYndd7gMGgtczGjJtul0Ch3GFa
+/Pn5McjwF272+usJ1wIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzPePWifWNECsG
+nL8on1AtFMkczE1/pdRS4YUl/Tc926MpezptSja8rL31+4Bom37/wYPG7HygtAQl
+R4FHpAtuqJKPOfjUmDNsIXRFnytrnflTpctDu/Nbj4PDCy01k/sTDUQt+s+lEBL8
+M8ArmfLZ8PCfAwnXmJQ5rggDFKqegjt6z1RsSglbMiASE7+KkpBnzaqH6fET6IQz
+WgAjv6WdRfwgfJjOTSX4XMpCSet9KaWmXExKrxiVng2Uu6E+ShVAyKaGMuc1B7VA
+oxnnVaVapFv5lOWucQr4KkC7EgaUZnyt8duOc8+Yvd+y3Xd2dcHUnmegRxly4jRV
+/lXbFAUb
+-----END CERTIFICATE-----

data/spec/spec_helper.rb

@@ -4,6 +4,8 @@ def windows?
   !!(RUBY_PLATFORM =~ /mswin|mingw|windows/)
 end
 
+BERKS_SPEC_DATA = File.expand_path("../data", __FILE__)
+
 Spork.prefork do
   require 'rspec'
   require 'cleanroom/rspec'

data/spec/unit/berkshelf/downloader_spec.rb

@@ -1,43 +1,116 @@
 require 'spec_helper'
 
-describe Berkshelf::Downloader do
-  let(:berksfile) { double('berksfile') }
-  subject { described_class.new(berksfile) }
-
-  describe "#download" do
-    skip
-  end
-
-  describe "#try_download" do
-    let(:remote_cookbook) { double('remote-cookbook') }
-    let(:source) do
-      source = double('source')
-      allow(source).to receive(:cookbook) { remote_cookbook }
-      source
-    end
-    let(:name) { "fake" }
-    let(:version) { "1.0.0" }
-
-    it "supports the 'opscode' location type" do
-      allow(remote_cookbook).to receive(:location_type) { :opscode }
-      allow(remote_cookbook).to receive(:location_path) { "http://api.opscode.com" }
-      rest = double('community-rest')
-      expect(Berkshelf::CommunityREST).to receive(:new).with("http://api.opscode.com") { rest }
-      expect(rest).to receive(:download).with(name, version)
-      subject.try_download(source, name, version)
+module Berkshelf
+  describe Downloader do
+    let(:berksfile) do
+      double(Berksfile,
+        lockfile: lockfile,
+        dependencies: [],
+      )
     end
 
-    it "supports the 'supermarket' location type" do
-      allow(remote_cookbook).to receive(:location_type) { :supermarket }
-      allow(remote_cookbook).to receive(:location_path) { "http://api.supermarket.com" }
-      rest = double('community-rest')
-      expect(Berkshelf::CommunityREST).to receive(:new).with("http://api.supermarket.com") { rest }
-      expect(rest).to receive(:download).with(name, version)
-      subject.try_download(source, name, version)
+    let(:lockfile) do
+      double(Lockfile,
+        graph: graph
+      )
     end
 
-    it "supports the 'file_store' location type" do
+    let(:graph) { double(Lockfile::Graph, locks: {}) }
+    let(:self_signed_crt_path) { File.join(BERKS_SPEC_DATA, 'trusted_certs') }
+    let(:self_signed_crt) { OpenSSL::X509::Certificate.new(IO.read("#{self_signed_crt_path}/example.crt")) }
+    let(:cert_store) { OpenSSL::X509::Store.new.add_cert(self_signed_crt) }
+    let(:ssl_policy) { double(SSLPolicy, store: cert_store) }
+
+    subject { described_class.new(berksfile) }
+
+    describe "#download" do
       skip
     end
+
+    describe "#try_download" do
+      let(:remote_cookbook) { double('remote-cookbook') }
+      let(:source) do
+        source = double('source')
+        allow(source).to receive(:cookbook) { remote_cookbook }
+        source
+      end
+      let(:name) { "fake" }
+      let(:version) { "1.0.0" }
+
+      it "supports the 'opscode' location type" do
+        allow(remote_cookbook).to receive(:location_type) { :opscode }
+        allow(remote_cookbook).to receive(:location_path) { "http://api.opscode.com" }
+        rest = double('community-rest')
+        expect(CommunityREST).to receive(:new).with("http://api.opscode.com") { rest }
+        expect(rest).to receive(:download).with(name, version)
+        subject.try_download(source, name, version)
+      end
+
+      it "supports the 'supermarket' location type" do
+        allow(remote_cookbook).to receive(:location_type) { :supermarket }
+        allow(remote_cookbook).to receive(:location_path) { "http://api.supermarket.com" }
+        rest = double('community-rest')
+        expect(CommunityREST).to receive(:new).with("http://api.supermarket.com") { rest }
+        expect(rest).to receive(:download).with(name, version)
+        subject.try_download(source, name, version)
+      end
+
+      describe 'chef_server location type' do
+        let(:chef_server_url) { 'http://configured-chef-server/' }
+        let(:ridley_client) do
+          double(Ridley::Client,
+            cookbook: double('cookbook', download: "fake")
+          )
+        end
+        let(:chef_config) do
+          double(Ridley::Chef::Config,
+            node_name: 'fake-client',
+            client_key: 'client-key',
+            chef_server_url: chef_server_url,
+            validation_client_name: 'validator',
+            validation_key: 'validator.pem',
+            cookbook_copyright: 'user',
+            cookbook_email: 'user@example.com',
+            cookbook_license: 'apachev2',
+            trusted_certs_dir: self_signed_crt_path,
+            knife: {
+              chef_guard: false
+            }
+          )
+        end
+
+        let(:berkshelf_config) do
+          double(Config,
+            ssl:  double(verify: true),
+            chef: chef_config
+          )
+        end
+
+        before do
+          allow(Berkshelf).to receive(:config).and_return(berkshelf_config)
+          allow(subject).to receive(:ssl_policy).and_return(ssl_policy)
+          allow(remote_cookbook).to receive(:location_type) { :chef_server }
+          allow(remote_cookbook).to receive(:location_path) { chef_server_url }
+        end
+
+        it "uses the berkshelf config and provides a custom cert_store" do
+          credentials = {
+            server_url: chef_server_url,
+            client_name: chef_config.node_name,
+            client_key: chef_config.client_key,
+            ssl: {
+              verify: berkshelf_config.ssl.verify,
+              cert_store: cert_store
+            }
+          }
+          expect(Ridley).to receive(:open).with(credentials) { ridley_client }
+          subject.try_download(source, name, version)
+        end
+      end
+
+      it "supports the 'file_store' location type" do
+        skip
+      end
+    end
   end
 end

data/spec/unit/berkshelf/ssl_policies_spec.rb

@@ -0,0 +1,75 @@
+require 'spec_helper'
+
+describe Berkshelf::SSLPolicy do
+  let(:self_signed_crt_path) { File.join(BERKS_SPEC_DATA, 'trusted_certs') }
+
+  let(:chef_config) do
+    double(Ridley::Chef::Config,
+      node_name: 'fake-client',
+      client_key: 'client-key',
+      chef_server_url: 'http://configured-chef-server/',
+      validation_client_name: 'validator',
+      validation_key: 'validator.pem',
+      cookbook_copyright: 'user',
+      cookbook_email: 'user@example.com',
+      cookbook_license: 'apachev2',
+      trusted_certs_dir: self_signed_crt_path,
+      knife: {
+        chef_guard: false
+      }
+    )
+  end
+
+  let(:berkshelf_config) do
+    double(Berkshelf::Config,
+      ssl:  double(verify: true),
+      chef: chef_config
+    )
+  end
+
+  subject do
+    Berkshelf::SSLPolicy.new()
+  end
+
+  before do
+    allow(Berkshelf).to receive(:config).and_return(berkshelf_config)
+  end
+
+  describe '#initialize' do
+    it 'sets up the store' do
+      expect(subject.store.class).to be(OpenSSL::X509::Store)
+    end
+
+    it 'sets up custom certificates for chef' do
+    end
+  end
+
+  describe '#trusted_certs_dir' do
+    it 'uses the trusted_certs_dir from Berkshelf config' do
+        expect(subject.trusted_certs_dir).to eq(self_signed_crt_path)
+    end
+
+    context 'trusted_certs_dir in Berkshelf' do
+
+      context 'config is not set' do
+        before { allow(chef_config).to receive_messages(trusted_certs_dir: nil) }
+
+        it 'defaults to ~/.chef/trusted_certs' do
+          expect(subject.trusted_certs_dir).to eq(
+            File.join(ENV['HOME'], '.chef', 'trusted_certs')
+          )
+        end
+      end
+
+      context 'config is seti but does not exist' do
+        before { allow(chef_config).to receive_messages(trusted_certs_dir: '/fake') }
+
+        it 'defaults to ~/.chef/trusted_certs' do
+          expect(subject.trusted_certs_dir).to eq(
+            File.join(ENV['HOME'], '.chef', 'trusted_certs')
+          )
+        end
+      end
+    end
+  end
+end

data/spec/unit/berkshelf/uploader_spec.rb

@@ -16,6 +16,10 @@ module Berkshelf
     end
 
     let(:graph) { double(Lockfile::Graph, locks: {}) }
+    let(:self_signed_crt_path) { File.join(BERKS_SPEC_DATA, 'trusted_certs') }
+    let(:self_signed_crt) { OpenSSL::X509::Certificate.new(IO.read("#{self_signed_crt_path}/example.crt")) }
+    let(:cert_store) { OpenSSL::X509::Store.new.add_cert(self_signed_crt) }
+    let(:ssl_policy) { double(SSLPolicy, store: cert_store) }
 
     subject { Uploader.new(berksfile) }
 
@@ -56,6 +60,7 @@ module Berkshelf
           cookbook_copyright: 'user',
           cookbook_email: 'user@example.com',
           cookbook_license: 'apachev2',
+          trusted_certs_dir: self_signed_crt_path,
           knife: {
             chef_guard: false
           }
@@ -81,6 +86,7 @@ module Berkshelf
 
       before do
         allow(Berkshelf).to receive(:config).and_return(berkshelf_config)
+        allow(Berkshelf).to receive(:ssl_policy).and_return(ssl_policy)
       end
 
       context 'when there is no value for :chef_server_url' do
@@ -123,7 +129,25 @@ module Berkshelf
             client_name: chef_config.node_name,
             client_key:  chef_config.client_key,
             ssl: {
-              verify: berkshelf_config.ssl.verify
+              verify: berkshelf_config.ssl.verify,
+              cert_store: cert_store
+            }
+          )
+          subject.run
+        end
+      end
+
+      context 'when ssl_verify: false is passed as an option' do
+        subject { Uploader.new(berksfile, ssl_verify: false) }
+
+        it 'uses the passed option' do
+          expect(Ridley).to receive(:open).with(
+            server_url:  chef_config.chef_server_url,
+            client_name: chef_config.node_name,
+            client_key:  chef_config.client_key,
+            ssl: {
+              verify: false,
+              cert_store: cert_store
             }
           )
           subject.run

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: berkshelf
 version: !ruby/object:Gem::Version
-  version: 5.2.0
+  version: 5.3.0
 platform: ruby
 authors:
 - Jamie Winsor
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-11-07 00:00:00.000000000 Z
+date: 2016-12-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -213,6 +213,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.19'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 0.19.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -220,6 +223,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.19'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 0.19.2
 - !ruby/object:Gem::Dependency
   name: octokit
   requirement: !ruby/object:Gem::Requirement
@@ -373,6 +379,7 @@ files:
 - lib/berkshelf/shell.rb
 - lib/berkshelf/source.rb
 - lib/berkshelf/source_uri.rb
+- lib/berkshelf/ssl_policies.rb
 - lib/berkshelf/thor.rb
 - lib/berkshelf/thor_ext.rb
 - lib/berkshelf/thor_ext/hash_with_indifferent_access.rb
@@ -383,6 +390,7 @@ files:
 - spec/config/berkshelf.pem
 - spec/config/knife.rb
 - spec/config/validator.pem
+- spec/data/trusted_certs/example.crt
 - spec/fixtures/Berksfile
 - spec/fixtures/berksfiles/default
 - spec/fixtures/cookbook-path/jenkins-config/metadata.rb
@@ -445,6 +453,7 @@ files:
 - spec/unit/berkshelf/shell_spec.rb
 - spec/unit/berkshelf/source_spec.rb
 - spec/unit/berkshelf/source_uri_spec.rb
+- spec/unit/berkshelf/ssl_policies_spec.rb
 - spec/unit/berkshelf/uploader_spec.rb
 - spec/unit/berkshelf/validator_spec.rb
 - spec/unit/berkshelf/visualizer_spec.rb
@@ -469,7 +478,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 2.0.0
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.6.8
 signing_key: 
 specification_version: 4
 summary: Manages a Cookbook's, or an Application's, Cookbook dependencies
@@ -515,6 +524,7 @@ test_files:
 - spec/config/berkshelf.pem
 - spec/config/knife.rb
 - spec/config/validator.pem
+- spec/data/trusted_certs/example.crt
 - spec/fixtures/Berksfile
 - spec/fixtures/berksfiles/default
 - spec/fixtures/cookbook-path/jenkins-config/metadata.rb
@@ -577,6 +587,7 @@ test_files:
 - spec/unit/berkshelf/shell_spec.rb
 - spec/unit/berkshelf/source_spec.rb
 - spec/unit/berkshelf/source_uri_spec.rb
+- spec/unit/berkshelf/ssl_policies_spec.rb
 - spec/unit/berkshelf/uploader_spec.rb
 - spec/unit/berkshelf/validator_spec.rb
 - spec/unit/berkshelf/visualizer_spec.rb