chef 16.10.8-universal-mingw32 → 17.0.242-universal-mingw32

data/lib/chef/knife/ssl_check.rb

@@ -1,284 +0,0 @@
-#
-# Author:: Daniel DeLeo (<dan@chef.io>)
-# Copyright:: Copyright (c) Chef Software Inc.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-require_relative "../knife"
-require "chef-utils/dist" unless defined?(ChefUtils::Dist)
-
-class Chef
-  class Knife
-    class SslCheck < Chef::Knife
-
-      deps do
-        require_relative "../config"
-        require "pp" unless defined?(PP)
-        require "socket" unless defined?(Socket)
-        require "uri" unless defined?(URI)
-        require_relative "../http/ssl_policies"
-        require "openssl" unless defined?(OpenSSL)
-        require_relative "../mixin/proxified_socket"
-        include Chef::Mixin::ProxifiedSocket
-      end
-
-      banner "knife ssl check [URL] (options)"
-
-      def initialize(*args)
-        @host = nil
-        @verify_peer_socket = nil
-        @ssl_policy = HTTP::DefaultSSLPolicy
-        super
-      end
-
-      def uri
-        @uri ||= begin
-          Chef::Log.trace("Checking SSL cert on #{given_uri}")
-          URI.parse(given_uri)
-        end
-      end
-
-      def given_uri
-        (name_args[0] || Chef::Config.chef_server_url)
-      end
-
-      def host
-        uri.host
-      end
-
-      def port
-        uri.port
-      end
-
-      def validate_uri
-        unless host && port
-          invalid_uri!
-        end
-      rescue URI::Error
-        invalid_uri!
-      end
-
-      def invalid_uri!
-        ui.error("Given URI: `#{given_uri}' is invalid")
-        show_usage
-        exit 1
-      end
-
-      def verify_peer_socket
-        @verify_peer_socket ||= begin
-          tcp_connection = proxified_socket(host, port)
-          ssl_client = OpenSSL::SSL::SSLSocket.new(tcp_connection, verify_peer_ssl_context)
-          ssl_client.hostname = host
-          ssl_client
-        end
-      end
-
-      def verify_peer_ssl_context
-        @verify_peer_ssl_context ||= begin
-          verify_peer_context = OpenSSL::SSL::SSLContext.new
-          @ssl_policy.apply_to(verify_peer_context)
-          verify_peer_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
-          verify_peer_context
-        end
-      end
-
-      def noverify_socket
-        @noverify_socket ||= begin
-          tcp_connection = proxified_socket(host, port)
-          OpenSSL::SSL::SSLSocket.new(tcp_connection, noverify_peer_ssl_context)
-        end
-      end
-
-      def noverify_peer_ssl_context
-        @noverify_peer_ssl_context ||= begin
-          noverify_peer_context = OpenSSL::SSL::SSLContext.new
-          @ssl_policy.apply_to(noverify_peer_context)
-          noverify_peer_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
-          noverify_peer_context
-        end
-      end
-
-      def verify_X509
-        cert_debug_msg = ""
-        trusted_certificates.each do |cert_name|
-          message = check_X509_certificate(cert_name)
-          unless message.nil?
-            cert_debug_msg << File.expand_path(cert_name) + ": " + message + "\n"
-          end
-        end
-
-        unless cert_debug_msg.empty?
-          debug_invalid_X509(cert_debug_msg)
-        end
-
-        true # Maybe the bad certs won't hurt...
-      end
-
-      def verify_cert
-        ui.msg("Connecting to host #{host}:#{port}")
-        verify_peer_socket.connect
-        true
-      rescue OpenSSL::SSL::SSLError => e
-        ui.error "The SSL certificate of #{host} could not be verified"
-        Chef::Log.trace e.message
-        debug_invalid_cert
-        false
-      end
-
-      def verify_cert_host
-        verify_peer_socket.post_connection_check(host)
-        true
-      rescue OpenSSL::SSL::SSLError => e
-        ui.error "The SSL cert is signed by a trusted authority but is not valid for the given hostname"
-        Chef::Log.trace(e)
-        debug_invalid_host
-        false
-      end
-
-      def debug_invalid_X509(cert_debug_msg)
-        ui.msg("\n#{ui.color("Configuration Info:", :bold)}\n\n")
-        debug_ssl_settings
-        debug_chef_ssl_config
-
-        ui.warn(<<~BAD_CERTS)
-          There are invalid certificates in your trusted_certs_dir.
-          OpenSSL will not use the following certificates when verifying SSL connections:
-
-          #{cert_debug_msg}
-
-          #{ui.color("TO FIX THESE WARNINGS:", :bold)}
-
-          We are working on documentation for resolving common issues uncovered here.
-
-          * If the certificate is generated by the server, you may try redownloading the
-          server's certificate. By default, the certificate is stored in the following
-          location on the host where your chef-server runs:
-
-            /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt
-
-          Copy that file to your trusted_certs_dir (currently: #{configuration.trusted_certs_dir})
-          using SSH/SCP or some other secure method, then re-run this command to confirm
-          that the server's certificate is now trusted.
-
-        BAD_CERTS
-        # @TODO: ^ needs URL once documentation is posted.
-      end
-
-      def debug_invalid_cert
-        noverify_socket.connect
-        issuer_info = noverify_socket.peer_cert.issuer
-        ui.msg("Certificate issuer data: #{issuer_info}")
-
-        ui.msg("\n#{ui.color("Configuration Info:", :bold)}\n\n")
-        debug_ssl_settings
-        debug_chef_ssl_config
-
-        ui.err(<<~ADVICE)
-
-          #{ui.color("TO FIX THIS ERROR:", :bold)}
-
-          If the server you are connecting to uses a self-signed certificate, you must
-          configure #{ChefUtils::Dist::Infra::PRODUCT} to trust that server's certificate.
-
-          By default, the certificate is stored in the following location on the host
-          where your chef-server runs:
-
-            /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt
-
-          Copy that file to your trusted_certs_dir (currently: #{configuration.trusted_certs_dir})
-          using SSH/SCP or some other secure method, then re-run this command to confirm
-          that the server's certificate is now trusted.
-
-        ADVICE
-      end
-
-      def debug_invalid_host
-        noverify_socket.connect
-        subject = noverify_socket.peer_cert.subject
-        cn_field_tuple = subject.to_a.find { |field| field[0] == "CN" }
-        cn = cn_field_tuple[1]
-
-        ui.error("You are attempting to connect to:   '#{host}'")
-        ui.error("The server's certificate belongs to '#{cn}'")
-        ui.err(<<~ADVICE)
-
-          #{ui.color("TO FIX THIS ERROR:", :bold)}
-
-          The solution for this issue depends on your networking configuration. If you
-          are able to connect to this server using the hostname #{cn}
-          instead of #{host}, then you can resolve this issue by updating chef_server_url
-          in your configuration file.
-
-          If you are not able to connect to the server using the hostname #{cn}
-          you will have to update the certificate on the server to use the correct hostname.
-        ADVICE
-      end
-
-      def debug_ssl_settings
-        ui.err "OpenSSL Configuration:"
-        ui.err "* Version: #{OpenSSL::OPENSSL_VERSION}"
-        ui.err "* Certificate file: #{OpenSSL::X509::DEFAULT_CERT_FILE}"
-        ui.err "* Certificate directory: #{OpenSSL::X509::DEFAULT_CERT_DIR}"
-      end
-
-      def debug_chef_ssl_config
-        ui.err "#{ChefUtils::Dist::Infra::PRODUCT} SSL Configuration:"
-        ui.err "* ssl_ca_path: #{configuration.ssl_ca_path.inspect}"
-        ui.err "* ssl_ca_file: #{configuration.ssl_ca_file.inspect}"
-        ui.err "* trusted_certs_dir: #{configuration.trusted_certs_dir.inspect}"
-      end
-
-      def configuration
-        Chef::Config
-      end
-
-      def run
-        validate_uri
-
-        if verify_X509 && verify_cert && verify_cert_host
-          ui.msg "Successfully verified certificates from `#{host}'"
-        else
-          exit 1
-        end
-      end
-
-      private
-
-      def trusted_certificates
-        if configuration.trusted_certs_dir && Dir.exist?(configuration.trusted_certs_dir)
-          glob_dir = ChefConfig::PathHelper.escape_glob_dir(configuration.trusted_certs_dir)
-          Dir.glob(File.join(glob_dir, "*.{crt,pem}"))
-        else
-          []
-        end
-      end
-
-      def check_X509_certificate(cert_file)
-        store = OpenSSL::X509::Store.new
-        cert = OpenSSL::X509::Certificate.new(IO.read(File.expand_path(cert_file)))
-        begin
-          store.add_cert(cert)
-          # test if the store can verify the cert we just added
-          unless store.verify(cert) # true if verified, false if not
-            return store.error_string
-          end
-        rescue OpenSSL::X509::StoreError => e
-          return e.message
-        end
-        nil
-      end
-    end
-  end
-end

data/lib/chef/knife/ssl_fetch.rb

@@ -1,161 +0,0 @@
-#
-# Author:: Daniel DeLeo (<dan@chef.io>)
-# Copyright:: Copyright (c) Chef Software Inc.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-require_relative "../knife"
-
-class Chef
-  class Knife
-    class SslFetch < Chef::Knife
-
-      deps do
-        require_relative "../config"
-        require "pp" unless defined?(PP)
-        require "socket" unless defined?(Socket)
-        require "uri" unless defined?(URI)
-        require "openssl" unless defined?(OpenSSL)
-        require_relative "../mixin/proxified_socket"
-        include Chef::Mixin::ProxifiedSocket
-      end
-
-      banner "knife ssl fetch [URL] (options)"
-
-      def initialize(*args)
-        super
-        @uri = nil
-      end
-
-      def uri
-        @uri ||= begin
-          Chef::Log.trace("Checking SSL cert on #{given_uri}")
-          URI.parse(given_uri)
-        end
-      end
-
-      def given_uri
-        (name_args[0] || Chef::Config.chef_server_url)
-      end
-
-      def host
-        uri.host
-      end
-
-      def port
-        uri.port
-      end
-
-      def validate_uri
-        unless host && port
-          invalid_uri!
-        end
-      rescue URI::Error
-        invalid_uri!
-      end
-
-      def invalid_uri!
-        ui.error("Given URI: `#{given_uri}' is invalid")
-        show_usage
-        exit 1
-      end
-
-      def remote_cert_chain
-        tcp_connection = proxified_socket(host, port)
-        shady_ssl_connection = OpenSSL::SSL::SSLSocket.new(tcp_connection, noverify_peer_ssl_context)
-        shady_ssl_connection.connect
-        shady_ssl_connection.peer_cert_chain
-      end
-
-      def noverify_peer_ssl_context
-        @noverify_peer_ssl_context ||= begin
-          noverify_peer_context = OpenSSL::SSL::SSLContext.new
-          noverify_peer_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
-          noverify_peer_context
-        end
-      end
-
-      def cn_of(certificate)
-        subject = certificate.subject
-        if cn_field_tuple = subject.to_a.find { |field| field[0] == "CN" }
-          cn_field_tuple[1]
-        else
-          nil
-        end
-      end
-
-      # Convert the CN of a certificate into something that will work well as a
-      # filename. To do so, all `*` characters are converted to the string
-      # "wildcard" and then all characters other than alphanumeric and hyphen
-      # characters are converted to underscores.
-      # NOTE: There is some confusion about what the CN will contain when
-      # using internationalized domain names. RFC 6125 mandates that the ascii
-      # representation be used, but it is not clear whether this is followed in
-      # practice.
-      # https://tools.ietf.org/html/rfc6125#section-6.4.2
-      def normalize_cn(cn)
-        cn.gsub("*", "wildcard").gsub(/[^[:alnum:]\-]/, "_")
-      end
-
-      def configuration
-        Chef::Config
-      end
-
-      def trusted_certs_dir
-        configuration.trusted_certs_dir
-      end
-
-      def write_cert(cert)
-        FileUtils.mkdir_p(trusted_certs_dir)
-        cn = cn_of(cert)
-        filename = cn.nil? ? "#{host}_#{Time.new.to_i}" : normalize_cn(cn)
-        full_path = File.join(trusted_certs_dir, "#{filename}.crt")
-        ui.msg("Adding certificate for #{filename} in #{full_path}")
-        File.open(full_path, File::CREAT | File::TRUNC | File::RDWR, 0644) do |f|
-          f.print(cert.to_s)
-        end
-      end
-
-      def run
-        validate_uri
-        ui.warn(<<~TRUST_TRUST)
-          Certificates from #{host} will be fetched and placed in your trusted_cert
-          directory (#{trusted_certs_dir}).
-
-          Knife has no means to verify these are the correct certificates. You should
-          verify the authenticity of these certificates after downloading.
-
-        TRUST_TRUST
-        remote_cert_chain.each do |cert|
-          write_cert(cert)
-        end
-      rescue OpenSSL::SSL::SSLError => e
-        # 'unknown protocol' usually means you tried to connect to a non-ssl
-        # service. We handle that specially here, any other error we let bubble
-        # up (probably a bug of some sort).
-        raise unless e.message.include?("unknown protocol")
-
-        ui.error("The service at the given URI (#{uri}) does not accept SSL connections")
-
-        if uri.scheme == "http"
-          https_uri = uri.to_s.sub(/^http/, "https")
-          ui.error("Perhaps you meant to connect to '#{https_uri}'?")
-        end
-        exit 1
-      end
-
-    end
-  end
-end

data/lib/chef/knife/status.rb

@@ -1,95 +0,0 @@
-#
-# Author:: Ian Meyer (<ianmmeyer@gmail.com>)
-# Copyright:: Copyright 2010-2020, Ian Meyer
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-require_relative "../knife"
-require_relative "core/status_presenter"
-require_relative "core/formatting_options"
-require "chef-utils/dist" unless defined?(ChefUtils::Dist)
-
-class Chef
-  class Knife
-    class Status < Knife
-      include Knife::Core::FormattingOptions
-
-      deps do
-        require_relative "../search/query"
-      end
-
-      banner "knife status QUERY (options)"
-
-      option :run_list,
-        short: "-r",
-        long: "--run-list",
-        description: "Show the run list"
-
-      option :sort_reverse,
-        short: "-s",
-        long: "--sort-reverse",
-        description: "Sort the status list by last run time descending"
-
-      option :hide_by_mins,
-        long: "--hide-by-mins MINS",
-        description: "Hide nodes that have run #{ChefUtils::Dist::Infra::CLIENT} in the last MINS minutes"
-
-      def append_to_query(term)
-        @query << " AND " unless @query.empty?
-        @query << term
-      end
-
-      def run
-        ui.use_presenter Knife::Core::StatusPresenter
-
-        if config[:long_output]
-          opts = {}
-        else
-          opts = { filter_result:
-                 { name: ["name"], ipaddress: ["ipaddress"], ohai_time: ["ohai_time"],
-                   cloud: ["cloud"], run_list: ["run_list"], platform: ["platform"],
-                   platform_version: ["platform_version"], chef_environment: ["chef_environment"] } }
-        end
-
-        @query ||= ""
-        append_to_query(@name_args[0]) if @name_args[0]
-        append_to_query("chef_environment:#{config[:environment]}") if config[:environment]
-
-        if config[:hide_by_mins]
-          hide_by_mins = config[:hide_by_mins].to_i
-          time = Time.now.to_i
-          # AND NOT is not valid lucene syntax, so don't use append_to_query
-          @query << " " unless @query.empty?
-          @query << "NOT ohai_time:[#{(time - hide_by_mins * 60)} TO #{time}]"
-        end
-
-        @query = @query.empty? ? "*:*" : @query
-
-        all_nodes = []
-        q = Chef::Search::Query.new
-        Chef::Log.info("Sending query: #{@query}")
-        q.search(:node, @query, opts) do |node|
-          all_nodes << node
-        end
-
-        all_nodes.sort_by! { |n| n["ohai_time"] || 0 }
-        all_nodes.reverse! if config[:sort_reverse] || config[:sort_status_reverse]
-
-        output(all_nodes)
-      end
-
-    end
-  end
-end