chef 16.15.22 → 17.0.242

data/spec/unit/knife/ssl_check_spec.rb

@@ -1,256 +0,0 @@
-#
-# Author:: Daniel DeLeo (<dan@chef.io>)
-# Copyright:: Copyright (c) Chef Software Inc.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-require "spec_helper"
-require "stringio"
-
-describe Chef::Knife::SslCheck do
-
-  let(:name_args) { [] }
-  let(:stdout_io) { StringIO.new }
-  let(:stderr_io) { StringIO.new }
-
-  def stderr
-    stderr_io.string
-  end
-
-  def stdout
-    stdout_io.string
-  end
-
-  subject(:ssl_check) do
-    s = Chef::Knife::SslCheck.new
-    allow(s.ui).to receive(:stdout).and_return(stdout_io)
-    allow(s.ui).to receive(:stderr).and_return(stderr_io)
-    s.name_args = name_args
-    s
-  end
-
-  before do
-    Chef::Config.chef_server_url = "https://example.com:8443/chef-server"
-  end
-
-  context "when no arguments are given" do
-    it "uses the chef_server_url as the host to check" do
-      expect(ssl_check.host).to eq("example.com")
-      expect(ssl_check.port).to eq(8443)
-    end
-  end
-
-  context "when a specific URI is given" do
-    let(:name_args) { %w{https://example.test:10443/foo} }
-
-    it "checks the SSL configuration against the given host" do
-      expect(ssl_check.host).to eq("example.test")
-      expect(ssl_check.port).to eq(10443)
-    end
-  end
-
-  context "when an invalid URI is given" do
-
-    let(:name_args) { %w{foo.test} }
-
-    it "prints an error and exits" do
-      expect { ssl_check.run }.to raise_error(SystemExit)
-      expected_stdout = <<~E
-        USAGE: knife ssl check [URL] (options)
-      E
-      expected_stderr = <<~E
-        ERROR: Given URI: `foo.test' is invalid
-      E
-      expect(stdout_io.string).to eq(expected_stdout)
-      expect(stderr_io.string).to eq(expected_stderr)
-    end
-
-    context "and its malformed enough to make URI.parse barf" do
-
-      let(:name_args) { %w{ftp://lkj\\blah:example.com/blah} }
-
-      it "prints an error and exits" do
-        expect { ssl_check.run }.to raise_error(SystemExit)
-        expected_stdout = <<~E
-          USAGE: knife ssl check [URL] (options)
-        E
-        expected_stderr = <<~E
-          ERROR: Given URI: `#{name_args[0]}' is invalid
-        E
-        expect(stdout_io.string).to eq(expected_stdout)
-        expect(stderr_io.string).to eq(expected_stderr)
-      end
-    end
-  end
-
-  describe "verifying trusted certificate X509 properties" do
-    let(:name_args) { %w{https://foo.example.com:8443} }
-
-    let(:trusted_certs_dir) { File.join(CHEF_SPEC_DATA, "trusted_certs") }
-    let(:trusted_cert_file) { File.join(trusted_certs_dir, "example.crt") }
-
-    let(:store) { OpenSSL::X509::Store.new }
-    let(:certificate) { OpenSSL::X509::Certificate.new(IO.read(trusted_cert_file)) }
-
-    before do
-      Chef::Config[:trusted_certs_dir] = trusted_certs_dir
-      allow(ssl_check).to receive(:trusted_certificates).and_return([trusted_cert_file])
-      allow(store).to receive(:add_cert).with(certificate)
-      allow(OpenSSL::X509::Store).to receive(:new).and_return(store)
-      allow(OpenSSL::X509::Certificate).to receive(:new).with(IO.read(trusted_cert_file)).and_return(certificate)
-      allow(ssl_check).to receive(:verify_cert).and_return(true)
-      allow(ssl_check).to receive(:verify_cert_host).and_return(true)
-    end
-
-    context "when the trusted certificates directory is not glob escaped", :windows_only do
-      let(:trusted_certs_dir) { File.join(CHEF_SPEC_DATA.tr("/", "\\"), "trusted_certs") }
-
-      before do
-        allow(ssl_check).to receive(:trusted_certificates).and_call_original
-        allow(store).to receive(:verify).with(certificate).and_return(true)
-      end
-
-      it "escpaes the trusted certificates directory" do
-        expect(Dir).to receive(:glob)
-          .with("#{ChefConfig::PathHelper.escape_glob_dir(trusted_certs_dir)}/*.{crt,pem}")
-          .and_return([trusted_cert_file])
-        ssl_check.run
-      end
-    end
-
-    context "when the trusted certificates have valid X509 properties" do
-      before do
-        allow(store).to receive(:verify).with(certificate).and_return(true)
-      end
-
-      it "does not generate any X509 warnings" do
-        expect(ssl_check.ui).not_to receive(:warn).with(/There are invalid certificates in your trusted_certs_dir/)
-        ssl_check.run
-      end
-    end
-
-    context "when the trusted certificates have invalid X509 properties" do
-      before do
-        allow(store).to receive(:verify).with(certificate).and_return(false)
-        allow(store).to receive(:error_string).and_return("unable to get local issuer certificate")
-      end
-
-      it "generates a warning message with invalid certificate file names" do
-        expect(ssl_check.ui).to receive(:warn).with(/#{trusted_cert_file}: unable to get local issuer certificate/)
-        ssl_check.run
-      end
-    end
-  end
-
-  describe "verifying the remote certificate" do
-    let(:name_args) { %w{https://foo.example.com:8443} }
-
-    let(:tcp_socket) { double(TCPSocket) }
-    let(:ssl_socket) { double(OpenSSL::SSL::SSLSocket) }
-
-    before do
-      expect(ssl_check).to receive(:proxified_socket).with("foo.example.com", 8443).and_return(tcp_socket)
-      expect(OpenSSL::SSL::SSLSocket).to receive(:new).with(tcp_socket, ssl_check.verify_peer_ssl_context).and_return(ssl_socket)
-    end
-
-    def run
-      ssl_check.run
-    rescue Exception
-      # puts "OUT: #{stdout_io.string}"
-      # puts "ERR: #{stderr_io.string}"
-      raise
-    end
-
-    context "when the remote host's certificate is valid" do
-
-      before do
-        expect(ssl_check).to receive(:verify_X509).and_return(true) # X509 valid certs (no warn)
-        expect(ssl_socket).to receive(:connect) # no error
-        expect(ssl_socket).to receive(:post_connection_check).with("foo.example.com") # no error
-        expect(ssl_socket).to receive(:hostname=).with("foo.example.com") # no error
-      end
-
-      it "prints a success message" do
-        ssl_check.run
-        expect(stdout_io.string).to include("Successfully verified certificates from `foo.example.com'")
-      end
-    end
-
-    describe "and the certificate is not valid" do
-
-      let(:tcp_socket_for_debug) { double(TCPSocket) }
-      let(:ssl_socket_for_debug) { double(OpenSSL::SSL::SSLSocket) }
-
-      let(:self_signed_crt_path) { File.join(CHEF_SPEC_DATA, "trusted_certs", "example.crt") }
-      let(:self_signed_crt) { OpenSSL::X509::Certificate.new(File.read(self_signed_crt_path)) }
-
-      before do
-        @old_signal = trap(:INT, "DEFAULT")
-
-        expect(ssl_check).to receive(:proxified_socket)
-          .with("foo.example.com", 8443)
-          .and_return(tcp_socket_for_debug)
-        expect(OpenSSL::SSL::SSLSocket).to receive(:new)
-          .with(tcp_socket_for_debug, ssl_check.noverify_peer_ssl_context)
-          .and_return(ssl_socket_for_debug)
-      end
-
-      after do
-        trap(:INT, @old_signal)
-      end
-
-      context "when the certificate's CN does not match the hostname" do
-        before do
-          expect(ssl_check).to receive(:verify_X509).and_return(true) # X509 valid certs
-          expect(ssl_socket).to receive(:connect) # no error
-          expect(ssl_socket).to receive(:post_connection_check)
-            .with("foo.example.com")
-            .and_raise(OpenSSL::SSL::SSLError)
-          expect(ssl_socket).to receive(:hostname=).with("foo.example.com") # no error
-          expect(ssl_socket_for_debug).to receive(:connect)
-          expect(ssl_socket_for_debug).to receive(:peer_cert).and_return(self_signed_crt)
-        end
-
-        it "shows the CN used by the certificate and prints an error" do
-          expect { run }.to raise_error(SystemExit)
-          expect(stderr).to include("The SSL cert is signed by a trusted authority but is not valid for the given hostname")
-          expect(stderr).to include("You are attempting to connect to:   'foo.example.com'")
-          expect(stderr).to include("The server's certificate belongs to 'example.local'")
-        end
-
-      end
-
-      context "when the cert is not signed by any trusted authority" do
-        before do
-          expect(ssl_check).to receive(:verify_X509).and_return(true) # X509 valid certs
-          expect(ssl_socket).to receive(:connect)
-            .and_raise(OpenSSL::SSL::SSLError)
-          expect(ssl_socket).to receive(:hostname=)
-            .with("foo.example.com") # no error
-          expect(ssl_socket_for_debug).to receive(:connect)
-          expect(ssl_socket_for_debug).to receive(:peer_cert).and_return(self_signed_crt)
-        end
-
-        it "shows the CN used by the certificate and prints an error" do
-          expect { run }.to raise_error(SystemExit)
-          expect(stderr).to include("The SSL certificate of foo.example.com could not be verified")
-        end
-
-      end
-    end
-
-  end
-
-end

data/spec/unit/knife/ssl_fetch_spec.rb

@@ -1,222 +0,0 @@
-#
-# Author:: Daniel DeLeo (<dan@chef.io>)
-# Copyright:: Copyright (c) Chef Software Inc.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-require "spec_helper"
-require "chef/knife/ssl_fetch"
-
-describe Chef::Knife::SslFetch do
-
-  let(:name_args) { [] }
-  let(:stdout_io) { StringIO.new }
-  let(:stderr_io) { StringIO.new }
-
-  def stderr
-    stderr_io.string
-  end
-
-  def stdout
-    stdout_io.string
-  end
-
-  subject(:ssl_fetch) do
-    s = Chef::Knife::SslFetch.new
-    s.name_args = name_args
-    allow(s.ui).to receive(:stdout).and_return(stdout_io)
-    allow(s.ui).to receive(:stderr).and_return(stderr_io)
-    s
-  end
-
-  context "when no arguments are given" do
-
-    before do
-      Chef::Config.chef_server_url = "https://example.com:8443/chef-server"
-    end
-
-    it "uses the chef_server_url as the host to fetch" do
-      expect(ssl_fetch.host).to eq("example.com")
-      expect(ssl_fetch.port).to eq(8443)
-    end
-  end
-
-  context "when a specific URI is given" do
-    let(:name_args) { %w{https://example.test:10443/foo} }
-
-    it "fetches the SSL configuration against the given host" do
-      expect(ssl_fetch.host).to eq("example.test")
-      expect(ssl_fetch.port).to eq(10443)
-    end
-  end
-
-  context "when an invalid URI is given" do
-
-    let(:name_args) { %w{foo.test} }
-
-    it "prints an error and exits" do
-      expect { ssl_fetch.run }.to raise_error(SystemExit)
-      expected_stdout = <<~E
-        USAGE: knife ssl fetch [URL] (options)
-      E
-      expected_stderr = <<~E
-        ERROR: Given URI: `foo.test' is invalid
-      E
-      expect(stdout_io.string).to eq(expected_stdout)
-      expect(stderr_io.string).to eq(expected_stderr)
-    end
-
-    context "and its malformed enough to make URI.parse barf" do
-
-      let(:name_args) { %w{ftp://lkj\\blah:example.com/blah} }
-
-      it "prints an error and exits" do
-        expect { ssl_fetch.run }.to raise_error(SystemExit)
-        expected_stdout = <<~E
-          USAGE: knife ssl fetch [URL] (options)
-        E
-        expected_stderr = <<~E
-          ERROR: Given URI: `#{name_args[0]}' is invalid
-        E
-        expect(stdout_io.string).to eq(expected_stdout)
-        expect(stderr_io.string).to eq(expected_stderr)
-      end
-    end
-  end
-
-  describe "normalizing CNs for use as paths" do
-
-    it "normalizes '*' to 'wildcard'" do
-      expect(ssl_fetch.normalize_cn("*.example.com")).to eq("wildcard_example_com")
-    end
-
-    it "normalizes non-alnum and hyphen characters to underscores" do
-      expect(ssl_fetch.normalize_cn("Billy-Bob's Super Awesome CA!")).to eq("Billy-Bob_s_Super_Awesome_CA_")
-    end
-
-  end
-
-  describe "#cn_of" do
-    let(:certificate) { double("Certificate", subject: subject) }
-
-    describe "when the certificate has a common name" do
-      let(:subject) { [["CN", "common name"]] }
-      it "returns the common name" do
-        expect(ssl_fetch.cn_of(certificate)).to eq("common name")
-      end
-    end
-
-    describe "when the certificate does not have a common name" do
-      let(:subject) { [] }
-      it "returns nil" do
-        expect(ssl_fetch.cn_of(certificate)).to eq(nil)
-      end
-    end
-  end
-
-  describe "fetching the remote cert chain" do
-
-    let(:name_args) { %w{https://foo.example.com:8443} }
-
-    let(:tcp_socket) { double(TCPSocket) }
-    let(:ssl_socket) { double(OpenSSL::SSL::SSLSocket) }
-
-    let(:self_signed_crt_path) { File.join(CHEF_SPEC_DATA, "trusted_certs", "example.crt") }
-    let(:self_signed_crt) { OpenSSL::X509::Certificate.new(File.read(self_signed_crt_path)) }
-
-    let(:trusted_certs_dir) { Dir.mktmpdir }
-
-    def run
-      ssl_fetch.run
-    rescue Exception
-      puts "OUT: #{stdout_io.string}"
-      puts "ERR: #{stderr_io.string}"
-      raise
-    end
-
-    before do
-      Chef::Config.trusted_certs_dir = trusted_certs_dir
-    end
-
-    after do
-      FileUtils.rm_rf(trusted_certs_dir)
-    end
-
-    context "when the TLS connection is successful" do
-
-      before do
-        expect(ssl_fetch).to receive(:proxified_socket).with("foo.example.com", 8443).and_return(tcp_socket)
-        expect(OpenSSL::SSL::SSLSocket).to receive(:new).with(tcp_socket, ssl_fetch.noverify_peer_ssl_context).and_return(ssl_socket)
-        expect(ssl_socket).to receive(:connect)
-        expect(ssl_socket).to receive(:peer_cert_chain).and_return([self_signed_crt])
-      end
-
-      it "fetches the cert chain and writes the certs to the trusted_certs_dir" do
-        run
-        stored_cert_path = File.join(trusted_certs_dir, "example_local.crt")
-        expect(File).to exist(stored_cert_path)
-        expect(File.read(stored_cert_path)).to eq(File.read(self_signed_crt_path))
-      end
-
-    end
-
-    context "when connecting to a non-SSL service (like HTTP)" do
-
-      let(:name_args) { %w{http://foo.example.com} }
-
-      let(:unknown_protocol_error) { OpenSSL::SSL::SSLError.new("SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol") }
-
-      before do
-        expect(ssl_fetch).to receive(:proxified_socket).with("foo.example.com", 80).and_return(tcp_socket)
-        expect(OpenSSL::SSL::SSLSocket).to receive(:new).with(tcp_socket, ssl_fetch.noverify_peer_ssl_context).and_return(ssl_socket)
-        expect(ssl_socket).to receive(:connect).and_raise(unknown_protocol_error)
-
-        expect(ssl_fetch).to receive(:exit).with(1)
-      end
-
-      it "tells the user their URL is for a non-ssl service" do
-        expected_error_text = <<~ERROR_TEXT
-          ERROR: The service at the given URI (http://foo.example.com) does not accept SSL connections
-          ERROR: Perhaps you meant to connect to 'https://foo.example.com'?
-        ERROR_TEXT
-
-        run
-        expect(stderr).to include(expected_error_text)
-      end
-
-    end
-
-    describe "when the certificate does not have a CN" do
-      let(:self_signed_crt_path) { File.join(CHEF_SPEC_DATA, "trusted_certs", "example_no_cn.crt") }
-      let(:self_signed_crt) { OpenSSL::X509::Certificate.new(File.read(self_signed_crt_path)) }
-
-      before do
-        expect(ssl_fetch).to receive(:proxified_socket).with("foo.example.com", 8443).and_return(tcp_socket)
-        expect(OpenSSL::SSL::SSLSocket).to receive(:new).with(tcp_socket, ssl_fetch.noverify_peer_ssl_context).and_return(ssl_socket)
-        expect(ssl_socket).to receive(:connect)
-        expect(ssl_socket).to receive(:peer_cert_chain).and_return([self_signed_crt])
-        expect(Time).to receive(:new).and_return(1)
-      end
-
-      it "fetches the certificate and writes it to a file in the trusted_certs_dir" do
-        run
-        stored_cert_path = File.join(trusted_certs_dir, "foo.example.com_1.crt")
-        expect(File).to exist(stored_cert_path)
-        expect(File.read(stored_cert_path)).to eq(File.read(self_signed_crt_path))
-      end
-    end
-
-  end
-end

data/spec/unit/knife/status_spec.rb

@@ -1,112 +0,0 @@
-#
-# Author:: Sahil Muthoo (<sahil.muthoo@gmail.com>)
-# Copyright:: Copyright (c) Chef Software Inc.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-require "spec_helper"
-
-describe Chef::Knife::Status do
-  before(:each) do
-    node = Chef::Node.new.tap do |n|
-      n.automatic_attrs["fqdn"] = "foobar"
-      n.automatic_attrs["ohai_time"] = 1343845969
-      n.automatic_attrs["platform"] = "mac_os_x"
-      n.automatic_attrs["platform_version"] = "10.12.5"
-    end
-    allow(Time).to receive(:now).and_return(Time.at(1428573420))
-    @query = double("Chef::Search::Query")
-    allow(@query).to receive(:search).and_yield(node)
-    allow(Chef::Search::Query).to receive(:new).and_return(@query)
-    @knife = Chef::Knife::Status.new
-    @stdout = StringIO.new
-    allow(@knife.ui).to receive(:stdout).and_return(@stdout)
-  end
-
-  describe "run" do
-    let(:opts) do
-      { filter_result:
-                 { name: ["name"], ipaddress: ["ipaddress"], ohai_time: ["ohai_time"],
-                   cloud: ["cloud"], run_list: ["run_list"], platform: ["platform"],
-                   platform_version: ["platform_version"], chef_environment: ["chef_environment"] } }
-    end
-
-    it "should default to searching for everything" do
-      expect(@query).to receive(:search).with(:node, "*:*", opts)
-      @knife.run
-    end
-
-    it "should filter by nodes older than some mins" do
-      @knife.config[:hide_by_mins] = 59
-      expect(@query).to receive(:search).with(:node, "NOT ohai_time:[1428569880 TO 1428573420]", opts)
-      @knife.run
-    end
-
-    it "should filter by environment" do
-      @knife.config[:environment] = "production"
-      expect(@query).to receive(:search).with(:node, "chef_environment:production", opts)
-      @knife.run
-    end
-
-    it "should filter by environment and nodes older than some mins" do
-      @knife.config[:environment] = "production"
-      @knife.config[:hide_by_mins] = 59
-      expect(@query).to receive(:search).with(:node, "chef_environment:production NOT ohai_time:[1428569880 TO 1428573420]", opts)
-      @knife.run
-    end
-
-    it "should not use partial search with long output" do
-      @knife.config[:long_output] = true
-      expect(@query).to receive(:search).with(:node, "*:*", {})
-      @knife.run
-    end
-
-    context "with a custom query" do
-      before :each do
-        @knife.instance_variable_set(:@name_args, ["name:my_custom_name"])
-      end
-
-      it "should allow a custom query to be specified" do
-        expect(@query).to receive(:search).with(:node, "name:my_custom_name", opts)
-        @knife.run
-      end
-
-      it "should filter by nodes older than some mins with nodename specified" do
-        @knife.config[:hide_by_mins] = 59
-        expect(@query).to receive(:search).with(:node, "name:my_custom_name NOT ohai_time:[1428569880 TO 1428573420]", opts)
-        @knife.run
-      end
-
-      it "should filter by environment with nodename specified" do
-        @knife.config[:environment] = "production"
-        expect(@query).to receive(:search).with(:node, "name:my_custom_name AND chef_environment:production", opts)
-        @knife.run
-      end
-
-      it "should filter by environment and nodes older than some mins with nodename specified" do
-        @knife.config[:environment] = "production"
-        @knife.config[:hide_by_mins] = 59
-        expect(@query).to receive(:search).with(:node, "name:my_custom_name AND chef_environment:production NOT ohai_time:[1428569880 TO 1428573420]", opts)
-        @knife.run
-      end
-    end
-
-    it "should not colorize output unless it's writing to a tty" do
-      @knife.run
-      expect(@stdout.string.match(/foobar/)).not_to be_nil
-      expect(@stdout.string.match(/\e.*ago/)).to be_nil
-    end
-  end
-end