chef 11.12.0.alpha.1 → 11.12.0.rc.1

data/lib/chef/knife/core/bootstrap_context.rb

@@ -62,7 +62,6 @@ class Chef
 
         def config_content
           client_rb = <<-CONFIG
-log_level        :auto
 log_location     STDOUT
 chef_server_url  "#{@chef_config[:chef_server_url]}"
 validation_client_name "#{@chef_config[:validation_client_name]}"
@@ -93,6 +92,7 @@ CONFIG
           # If the user doesn't have a client path configure, let bash use the PATH for what it was designed for
           client_path = @chef_config[:chef_client_path] || 'chef-client'
           s = "#{client_path} -j /etc/chef/first-boot.json"
+          s << ' -l debug' if @config[:verbosity] and @config[:verbosity] >= 2
           s << " -E #{bootstrap_environment}" if chef_version.to_f != 0.9 # only use the -E option on Chef 0.10+
           s
         end

data/lib/chef/knife/core/ui.rb

@@ -205,24 +205,61 @@ class Chef
         output(format_for_display(object)) if config[:print_after]
       end
 
-      def confirm(question, append_instructions=true)
+      def confirmation_instructions(default_choice)
+        case default_choice
+        when true
+          '? (Y/n)'
+        when false
+          '? (y/N)'
+        else
+          '? (Y/N)'
+        end
+      end
+
+      # See confirm method for argument information
+      def confirm_without_exit(question, append_instructions=true, default_choice=nil)
         return true if config[:yes]
 
         stdout.print question
-        stdout.print "? (Y/N) " if append_instructions
+        stdout.print confirmation_instructions(default_choice) if append_instructions
+
         answer = stdin.readline
         answer.chomp!
+
         case answer
         when "Y", "y"
           true
         when "N", "n"
           self.msg("You said no, so I'm done here.")
-          exit 3
+          false
+        when ""
+          unless default_choice.nil?
+            default_choice
+          else
+            self.msg("I have no idea what to do with '#{answer}'")
+            self.msg("Just say Y or N, please.")
+            confirm_without_exit(question, append_instructions, default_choice)
+          end
         else
-          self.msg("I have no idea what to do with #{answer}")
+          self.msg("I have no idea what to do with '#{answer}'")
           self.msg("Just say Y or N, please.")
-          confirm(question)
+          confirm_without_exit(question, append_instructions, default_choice)
+        end
+      end
+
+      #
+      # Not the ideal signature for a function but we need to stick with this
+      # for now until we get a chance to break our API in Chef 12.
+      #
+      # question => Question to print  before asking for confirmation
+      # append_instructions => Should print '? (Y/N)' as instructions
+      # default_choice => Set to true for 'Y', and false for 'N' as default answer
+      #
+      def confirm(question, append_instructions=true, default_choice=nil)
+        unless confirm_without_exit(question, append_instructions, default_choice)
+          exit 3
         end
+        true
       end
 
     end

data/lib/chef/knife/node_run_list_add.rb

@@ -34,6 +34,11 @@ class Chef
         :long  => "--after ITEM",
         :description => "Place the ENTRY in the run list after ITEM"
 
+      option :before,
+             :short => "-b ITEM",
+             :long  => "--before ITEM",
+             :description => "Place the ENTRY in the run list before ITEM"
+
       def run
         node = Chef::Node.load(@name_args[0])
         if @name_args.size > 2
@@ -46,7 +51,18 @@ class Chef
           entries = @name_args[1].split(',').map { |e| e.strip }
         end
 
-        add_to_run_list(node, entries, config[:after])
+        if config[:after] && config[:before]
+          ui.fatal("You cannot specify both --before and --after!")
+          exit 1
+        end
+
+        if config[:after]
+          add_to_run_list_after(node, entries, config[:after])
+        elsif config[:before]
+          add_to_run_list_before(node, entries, config[:before])
+        else
+          add_to_run_list_after(node, entries)
+        end
 
         node.save
 
@@ -55,7 +71,9 @@ class Chef
         output(format_for_display(node))
       end
 
-      def add_to_run_list(node, entries, after=nil)
+      private
+
+      def add_to_run_list_after(node, entries, after=nil)
         if after
           nlist = []
           node.run_list.each do |entry|
@@ -70,6 +88,17 @@ class Chef
         end
       end
 
+      def add_to_run_list_before(node, entries, before)
+        nlist = []
+        node.run_list.each do |entry|
+          if entry == before
+            entries.each { |e| nlist << e }
+          end
+          nlist << entry
+        end
+        node.run_list.reset!(nlist)
+      end
+
     end
   end
 end

data/lib/chef/knife/ssh.rb

@@ -114,7 +114,7 @@ class Chef
           end
           case config[:on_error]
           when :skip
-            ui.warn "Failed to connect to #{node_name} -- #{$!.class.name}: #{$!.message}"
+            ui.warn "Failed to connect to #{server.host} -- #{$!.class.name}: #{$!.message}"
             $!.backtrace.each { |l| Chef::Log.debug(l) }
           when :raise
             #Net::SSH::Multi magic to force exception to be re-raised.
@@ -142,31 +142,9 @@ class Chef
       end
 
       def configure_session
-        list = case config[:manual]
-               when true
-                 @name_args[0].split(" ")
-               when false
-                 r = Array.new
-                 q = Chef::Search::Query.new
-                 @action_nodes = q.search(:node, @name_args[0])[0]
-                 @action_nodes.each do |item|
-                   # we should skip the loop to next iteration if the item returned by the search is nil
-                   next if item.nil?
-                   # if a command line attribute was not passed, and we have a cloud public_hostname, use that.
-                   # see #configure_attribute for the source of config[:attribute] and config[:override_attribute]
-                   if !config[:override_attribute] && item[:cloud] and item[:cloud][:public_hostname]
-                     i = item[:cloud][:public_hostname]
-                   elsif config[:override_attribute]
-                     i = extract_nested_value(item, config[:override_attribute])
-                   else
-                     i = extract_nested_value(item, config[:attribute])
-                   end
-                   # next if we couldn't find the specified attribute in the returned node object
-                   next if i.nil?
-                   r.push(i)
-                 end
-                 r
-               end
+        list = config[:manual] ?
+               @name_args[0].split(" ") :
+               search_nodes
         if list.length == 0
           if @action_nodes.length == 0
             ui.fatal("No nodes returned from search!")
@@ -180,21 +158,54 @@ class Chef
         session_from_list(list)
       end
 
+      def search_nodes
+        list = Array.new
+        query = Chef::Search::Query.new
+        @action_nodes = query.search(:node, @name_args[0])[0]
+        @action_nodes.each do |item|
+          # we should skip the loop to next iteration if the item
+          # returned by the search is nil
+          next if item.nil?
+          # if a command line attribute was not passed, and we have a
+          # cloud public_hostname, use that.  see #configure_attribute
+          # for the source of config[:attribute] and
+          # config[:override_attribute]
+          if config[:override_attribute]
+            host = extract_nested_value(item, config[:override_attribute])
+          elsif item[:cloud] && item[:cloud][:public_hostname]
+            host = item[:cloud][:public_hostname]
+          else
+            host = extract_nested_value(item, config[:attribute])
+          end
+          # next if we couldn't find the specified attribute in the
+          # returned node object
+          next if host.nil?
+          ssh_port = item[:cloud].nil? ? nil : item[:cloud][:public_ssh_port]
+          srv = [host, ssh_port]
+          list.push(srv)
+        end
+        list
+      end
+
       def session_from_list(list)
         list.each do |item|
-          Chef::Log.debug("Adding #{item}")
+          host, ssh_port = item
+          Chef::Log.debug("Adding #{host}")
           session_opts = {}
 
-          ssh_config = Net::SSH.configuration_for(item)
+          ssh_config = Net::SSH.configuration_for(host)
 
           # Chef::Config[:knife][:ssh_user] is parsed in #configure_user and written to config[:ssh_user]
           user = config[:ssh_user] || ssh_config[:user]
-          hostspec = user ? "#{user}@#{item}" : item
+          hostspec = user ? "#{user}@#{host}" : host
           session_opts[:keys] = File.expand_path(config[:identity_file]) if config[:identity_file]
           session_opts[:keys_only] = true if config[:identity_file]
           session_opts[:password] = config[:ssh_password] if config[:ssh_password]
           session_opts[:forward_agent] = config[:forward_agent]
-          session_opts[:port] = config[:ssh_port] || Chef::Config[:knife][:ssh_port] || ssh_config[:port]
+          session_opts[:port] = config[:ssh_port] ||
+                                ssh_port || # Use cloud port if available
+                                Chef::Config[:knife][:ssh_port] ||
+                                ssh_config[:port]
           session_opts[:logger] = Chef::Log.logger if Chef::Log.level == :debug
 
           if !config[:host_key_verify]
@@ -204,7 +215,7 @@ class Chef
 
           session.use(hostspec, session_opts)
 
-          @longest = item.length if item.length > @longest
+          @longest = host.length if host.length > @longest
         end
 
         session
@@ -510,6 +521,8 @@ class Chef
         end
       end
 
+      private :search_nodes
+
     end
   end
 end

data/lib/chef/knife/ssl_check.rb

@@ -0,0 +1,213 @@
+#
+# Author:: Daniel DeLeo (<dan@getchef.com>)
+# Copyright:: Copyright (c) 2014 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/knife'
+require 'chef/config'
+
+class Chef
+  class Knife
+    class SslCheck < Chef::Knife
+
+      deps do
+        require 'pp'
+        require 'socket'
+        require 'uri'
+        require 'chef/http/ssl_policies'
+        require 'openssl'
+      end
+
+      banner "knife ssl check [URL] (options)"
+
+      def initialize(*args)
+        @host = nil
+        @verify_peer_socket = nil
+        @ssl_policy = HTTP::DefaultSSLPolicy
+        super
+      end
+
+      def uri
+        @uri ||= begin
+          Chef::Log.debug("Checking SSL cert on #{given_uri}")
+          URI.parse(given_uri)
+        end
+      end
+
+      def given_uri
+        (name_args[0] or Chef::Config.chef_server_url)
+      end
+
+      def host
+        uri.host
+      end
+
+      def port
+        uri.port
+      end
+
+      def validate_uri
+        unless host && port
+          invalid_uri!
+        end
+      rescue URI::Error
+        invalid_uri!
+      end
+
+      def invalid_uri!
+        ui.error("Given URI: `#{given_uri}' is invalid")
+        show_usage
+        exit 1
+      end
+
+
+      def verify_peer_socket
+        @verify_peer_socket ||= begin
+          tcp_connection = TCPSocket.new(host, port)
+          OpenSSL::SSL::SSLSocket.new(tcp_connection, verify_peer_ssl_context)
+        end
+      end
+
+      def verify_peer_ssl_context
+        @verify_peer_ssl_context ||= begin
+          verify_peer_context = OpenSSL::SSL::SSLContext.new
+          @ssl_policy.apply_to(verify_peer_context)
+          verify_peer_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          verify_peer_context
+        end
+      end
+
+      def noverify_socket
+        @noverify_socket ||= begin
+          tcp_connection = TCPSocket.new(host, port)
+          OpenSSL::SSL::SSLSocket.new(tcp_connection, noverify_peer_ssl_context)
+        end
+      end
+
+      def noverify_peer_ssl_context
+        @noverify_peer_ssl_context ||= begin
+          noverify_peer_context = OpenSSL::SSL::SSLContext.new
+          @ssl_policy.apply_to(noverify_peer_context)
+          noverify_peer_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          noverify_peer_context
+        end
+      end
+
+      def verify_cert
+        ui.msg("Connecting to host #{host}:#{port}")
+        verify_peer_socket.connect
+        true
+      rescue OpenSSL::SSL::SSLError => e
+        ui.error "The SSL certificate of #{host} could not be verified"
+        Chef::Log.debug e.message
+        debug_invalid_cert
+        false
+      end
+
+      def verify_cert_host
+        verify_peer_socket.post_connection_check(host)
+        true
+      rescue OpenSSL::SSL::SSLError => e
+        ui.error "The SSL cert is signed by a trusted authority but is not valid for the given hostname"
+        Chef::Log.debug(e)
+        debug_invalid_host
+        false
+      end
+
+      def debug_invalid_cert
+        noverify_socket.connect
+        issuer_info = noverify_socket.peer_cert.issuer
+        ui.msg("Certificate issuer data: #{issuer_info}")
+
+        ui.msg("\n#{ui.color("Configuration Info:", :bold)}\n\n")
+        debug_ssl_settings
+        debug_chef_ssl_config
+
+        ui.err(<<-ADVICE)
+
+#{ui.color("TO FIX THIS ERROR:", :bold)}
+
+If the server you are connecting to uses a self-signed certificate, you must
+configure chef to trust that server's certificate.
+
+By default, the certificate is stored in the following location on the host
+where your chef-server runs:
+
+  /var/opt/chef-server/nginx/ca/SERVER_HOSTNAME.crt
+
+Copy that file to you trusted_certs_dir (currently: #{configuration.trusted_certs_dir})
+using SSH/SCP or some other secure method, then re-run this command to confirm
+that the server's certificate is now trusted.
+
+ADVICE
+      end
+
+      def debug_invalid_host
+        noverify_socket.connect
+        subject = noverify_socket.peer_cert.subject
+        cn_field_tuple = subject.to_a.find {|field| field[0] == "CN" }
+        cn = cn_field_tuple[1]
+
+        ui.error("You are attempting to connect to:   '#{host}'")
+        ui.error("The server's certificate belongs to '#{cn}'")
+        ui.err(<<-ADVICE)
+
+#{ui.color("TO FIX THIS ERROR:", :bold)}
+
+The solution for this issue depends on your networking configuration. If you
+are able to connect to this server using the hostname #{cn}
+instead of #{host}, then you can resolve this issue by updating chef_server_url
+in your configuration file.
+
+If you are not able to connect to the server using the hostname #{cn}
+you will have to update the certificate on the server to use the correct hostname.
+ADVICE
+      end
+
+      def debug_ssl_settings
+        ui.err "OpenSSL Configuration:"
+        ui.err "* Version: #{OpenSSL::OPENSSL_VERSION}"
+        ui.err "* Certificate file: #{OpenSSL::X509::DEFAULT_CERT_FILE}"
+        ui.err "* Certificate directory: #{OpenSSL::X509::DEFAULT_CERT_DIR}"
+      end
+
+      def debug_chef_ssl_config
+        ui.err "Chef SSL Configuration:"
+        ui.err "* ssl_ca_path: #{configuration.ssl_ca_path.inspect}"
+        ui.err "* ssl_ca_file: #{configuration.ssl_ca_file.inspect}"
+        ui.err "* trusted_certs_dir: #{configuration.trusted_certs_dir.inspect}"
+      end
+
+      def configuration
+        Chef::Config
+      end
+
+      def run
+        validate_uri
+        if verify_cert && verify_cert_host
+          ui.msg "Successfully verified certificates from `#{host}'"
+        else
+          exit 1
+        end
+      end
+
+    end
+  end
+end
+
+
+
+