chef 16.7.61-universal-mingw32 → 16.9.20-universal-mingw32

data/spec/unit/compliance/reporter/chef_server_automate_spec.rb

@@ -0,0 +1,177 @@
+require "spec_helper"
+
+describe Chef::Compliance::Reporter::ChefServerAutomate do
+  before do
+    WebMock.disable_net_connect!
+
+    Chef::Config[:client_key] = File.expand_path("../../../data/ssl/private_key.pem", __dir__)
+    Chef::Config[:node_name] = "spec-node"
+  end
+
+  let(:reporter) { Chef::Compliance::Reporter::ChefServerAutomate.new(opts) }
+
+  let(:opts) do
+    {
+      entity_uuid: "aaaaaaaa-709a-475d-bef5-zzzzzzzzzzzz",
+      run_id: "3f0536f7-3361-4bca-ae53-b45118dceb5d",
+      node_info: {
+        node: "chef-client.solo",
+        environment: "My Prod Env",
+        roles: %w{base_linux apache_linux},
+        recipes: ["some_cookbook::some_recipe", "some_cookbook"],
+        policy_name: "test_policy_name",
+        policy_group: "test_policy_group",
+        chef_tags: ["mylinux", "my.tag", "some=tag"],
+        organization_name: "test_org",
+        source_fqdn: "api.chef.io",
+        ipaddress: "192.168.56.33",
+        fqdn: "lb1.prod.example.com",
+      },
+      url: "https://chef.server/data_collector",
+      control_results_limit: 2,
+      timestamp: Time.parse("2016-07-19T19:19:19+01:00"),
+    }
+  end
+
+  let(:inspec_report) do
+    {
+      "version": "1.2.1",
+      "profiles":
+      [{ "name": "tmp_compliance_profile",
+         "title": "/tmp Compliance Profile",
+         "summary": "An Example Compliance Profile",
+         "sha256": "7bd598e369970002fc6f2d16d5b988027d58b044ac3fa30ae5fc1b8492e215cd",
+         "version": "0.1.1",
+         "maintainer": "Nathen Harvey <nharvey@chef.io>",
+         "license": "Apache 2.0 License",
+         "copyright": "Nathen Harvey <nharvey@chef.io>",
+         "supports": [],
+         "controls":
+         [{ "title": "A /tmp directory must exist",
+            "desc": "A /tmp directory must exist",
+            "impact": 0.3,
+            "refs": [],
+            "tags": {},
+            "code": "control 'tmp-1.0' do\n  impact 0.3\n  title 'A /tmp directory must exist'\n  desc 'A /tmp directory must exist'\n  describe file '/tmp' do\n    it { should be_directory }\n  end\nend\n",
+            "source_location": { "ref": "/Users/vjeffrey/code/delivery/insights/data_generator/chef-client/cache/cookbooks/test-cookbook/recipes/../files/default/compliance_profiles/tmp_compliance_profile/controls/tmp.rb", "line": 3 },
+            "id": "tmp-1.0",
+            "results": [
+              { "status": "passed", "code_desc": "File /tmp should be directory", "run_time": 0.002312, "start_time": "2016-10-19 11:09:43 -0400" },
+            ],
+          },
+          { "title": "/tmp directory is owned by the root user",
+            "desc": "The /tmp directory must be owned by the root user",
+            "impact": 0.3,
+            "refs": [{ "url": "https://pages.chef.io/rs/255-VFB-268/images/compliance-at-velocity2015.pdf", "ref": "Compliance Whitepaper" }],
+            "tags": { "production": nil, "development": nil, "identifier": "value", "remediation": "https://github.com/chef-cookbooks/audit" },
+            "code": "control 'tmp-1.1' do\n  impact 0.3\n  title '/tmp directory is owned by the root user'\n  desc 'The /tmp directory must be owned by the root user'\n  tag 'production','development'\n  tag identifier: 'value'\n  tag remediation: 'https://github.com/chef-cookbooks/audit'\n  ref 'Compliance Whitepaper', url: 'https://pages.chef.io/rs/255-VFB-268/images/compliance-at-velocity2015.pdf'\n  describe file '/tmp' do\n    it { should be_owned_by 'root' }\n  end\nend\n",
+            "source_location": { "ref": "/Users/vjeffrey/code/delivery/insights/data_generator/chef-client/cache/cookbooks/test-cookbook/recipes/../files/default/compliance_profiles/tmp_compliance_profile/controls/tmp.rb", "line": 12 },
+            "id": "tmp-1.1",
+            "results": [
+              { "status": "passed", "code_desc": 'File /tmp should be owned by "root"', "run_time": 1.228845, "start_time": "2016-10-19 11:09:43 -0400" },
+              { "status": "skipped", "code_desc": 'File /tmp should be owned by "root"', "run_time": 1.228845, "start_time": "2016-10-19 11:09:43 -0400" },
+              { "status": "failed", "code_desc": "File /etc/hosts is expected to be directory", "run_time": 1.228845, "start_time": "2016-10-19 11:09:43 -0400", "message": "expected `File /etc/hosts.directory?` to return true, got false" },
+            ],
+          },
+        ],
+         "groups": [{ "title": "/tmp Compliance Profile", "controls": ["tmp-1.0", "tmp-1.1"], "id": "controls/tmp.rb" }],
+         "attributes": [{ "name": "syslog_pkg", "options": { "default": "rsyslog", "description": "syslog package..." } }] }],
+      "other_checks": [],
+      "statistics": { "duration": 0.032332 },
+    }
+  end
+
+  let(:enriched_report) do
+    {
+      "version": "1.2.1",
+      "profiles": [
+        {
+          "name": "tmp_compliance_profile",
+          "title": "/tmp Compliance Profile",
+          "summary": "An Example Compliance Profile",
+          "sha256": "7bd598e369970002fc6f2d16d5b988027d58b044ac3fa30ae5fc1b8492e215cd",
+          "version": "0.1.1",
+          "maintainer": "Nathen Harvey <nharvey@chef.io>",
+          "license": "Apache 2.0 License",
+          "copyright": "Nathen Harvey <nharvey@chef.io>",
+          "supports": [],
+          "controls": [
+            {
+              "title": "A /tmp directory must exist",
+              "desc": "A /tmp directory must exist",
+              "impact": 0.3,
+              "refs": [],
+              "tags": {},
+              "code":
+              "control 'tmp-1.0' do\n  impact 0.3\n  title 'A /tmp directory must exist'\n  desc 'A /tmp directory must exist'\n  describe file '/tmp' do\n    it { should be_directory }\n  end\nend\n",
+              "source_location": { "ref": "/Users/vjeffrey/code/delivery/insights/data_generator/chef-client/cache/cookbooks/test-cookbook/recipes/../files/default/compliance_profiles/tmp_compliance_profile/controls/tmp.rb", "line": 3 },
+              "id": "tmp-1.0",
+              "results": [{ "status": "passed", "code_desc": "File /tmp should be directory", "run_time": 0.002312, "start_time": "2016-10-19 11:09:43 -0400" }],
+            },
+            {
+              "title": "/tmp directory is owned by the root user",
+              "desc": "The /tmp directory must be owned by the root user",
+              "impact": 0.3,
+              "refs": [{ "url": "https://pages.chef.io/rs/255-VFB-268/images/compliance-at-velocity2015.pdf", "ref": "Compliance Whitepaper" }],
+              "tags": { "production": nil, "development": nil, "identifier": "value", "remediation": "https://github.com/chef-cookbooks/audit" },
+              "code": "control 'tmp-1.1' do\n  impact 0.3\n  title '/tmp directory is owned by the root user'\n  desc 'The /tmp directory must be owned by the root user'\n  tag 'production','development'\n  tag identifier: 'value'\n  tag remediation: 'https://github.com/chef-cookbooks/audit'\n  ref 'Compliance Whitepaper', url: 'https://pages.chef.io/rs/255-VFB-268/images/compliance-at-velocity2015.pdf'\n  describe file '/tmp' do\n    it { should be_owned_by 'root' }\n  end\nend\n",
+              "source_location": { "ref": "/Users/vjeffrey/code/delivery/insights/data_generator/chef-client/cache/cookbooks/test-cookbook/recipes/../files/default/compliance_profiles/tmp_compliance_profile/controls/tmp.rb", "line": 12 },
+              "id": "tmp-1.1",
+              "results": [
+                { "status": "failed", "code_desc": "File /etc/hosts is expected to be directory", "run_time": 1.228845, "start_time": "2016-10-19 11:09:43 -0400", "message": "expected `File /etc/hosts.directory?` to return true, got false" },
+                { "status": "skipped", "code_desc": 'File /tmp should be owned by "root"', "run_time": 1.228845, "start_time": "2016-10-19 11:09:43 -0400" },
+              ],
+              "removed_results_counts": { "failed": 0, "skipped": 0, "passed": 1 },
+            },
+          ],
+          "groups": [{ "title": "/tmp Compliance Profile", "controls": ["tmp-1.0", "tmp-1.1"], "id": "controls/tmp.rb" }],
+          "attributes": [{ "name": "syslog_pkg", "options": { "default": "rsyslog", "description": "syslog package..." } }],
+        },
+      ],
+      "other_checks": [],
+      "statistics": { "duration": 0.032332 },
+      "type": "inspec_report",
+      "node_name": "chef-client.solo",
+      "end_time": "2016-07-19T18:19:19Z",
+      "node_uuid": "aaaaaaaa-709a-475d-bef5-zzzzzzzzzzzz",
+      "environment": "My Prod Env",
+      "roles": %w{base_linux apache_linux},
+      "recipes": ["some_cookbook::some_recipe", "some_cookbook"],
+      "report_uuid": "3f0536f7-3361-4bca-ae53-b45118dceb5d",
+      "source_fqdn": "api.chef.io",
+      "organization_name": "test_org",
+      "policy_group": "test_policy_group",
+      "policy_name": "test_policy_name",
+      "chef_tags": ["mylinux", "my.tag", "some=tag"],
+      "ipaddress": "192.168.56.33",
+      "fqdn": "lb1.prod.example.com",
+    }
+  end
+
+  it "sends report successfully" do
+    # TODO: Had to change 'X-Ops-Server-Api-Version' from 1 to 2, is that correct?
+    report_stub = stub_request(:post, "https://chef.server/data_collector")
+      .with(
+        body: enriched_report,
+        headers: {
+          "X-Chef-Version" => Chef::VERSION,
+          "X-Ops-Authorization-1" => /.+/,
+          "X-Ops-Authorization-2" => /.+/,
+          "X-Ops-Authorization-3" => /.+/,
+          "X-Ops-Authorization-4" => /.+/,
+          "X-Ops-Authorization-5" => /.+/,
+          "X-Ops-Authorization-6" => /.+/,
+          "X-Ops-Content-Hash" => "yfck5nQDcRWta06u45Q+J463LYY=",
+          "X-Ops-Server-Api-Version" => "2",
+          "X-Ops-Sign" => "algorithm=sha1;version=1.1;",
+          "X-Ops-Timestamp" => /.+/,
+          "X-Ops-Userid" => "spec-node",
+          "X-Remote-Request-Id" => /.+/,
+        }
+      ).to_return(status: 200)
+
+    expect(reporter.send_report(inspec_report)).to eq(true)
+
+    expect(report_stub).to have_been_requested
+  end
+end

data/spec/unit/compliance/reporter/compliance_enforcer_spec.rb

@@ -0,0 +1,48 @@
+require "spec_helper"
+
+describe Chef::Compliance::Reporter::AuditEnforcer do
+  let(:reporter) { Chef::Compliance::Reporter::AuditEnforcer.new }
+
+  it "does not raise error for a successful InSpec report" do
+    report = {
+      "profiles": [
+        {
+          "controls": [
+            { "id": "c1", "results": [{ "status": "passed" }] },
+            { "id": "c2", "results": [{ "status": "passed" }] },
+          ],
+        },
+      ],
+    }
+
+    expect(reporter.send_report(report)).to eq(true)
+  end
+
+  it "does not raise error for an InSpec report with no controls" do
+    report = { "profiles": [{ "name": "empty" }] }
+
+    expect(reporter.send_report(report)).to eq(true)
+  end
+
+  it "does not raise error for an InSpec report with controls but no results" do
+    report = { "profiles": [{ "controls": [{ "id": "empty" }] }] }
+    expect(reporter.send_report(report)).to eq(true)
+  end
+
+  it "raises an error for a failed InSpec report" do
+    report = {
+      "profiles": [
+        {
+          "controls": [
+            { "id": "c1", "results": [{ "status": "passed" }] },
+            { "id": "c2", "results": [{ "status": "failed" }] },
+          ],
+        },
+      ],
+    }
+
+    expect {
+      reporter.send_report(report)
+    }.to raise_error(Chef::Compliance::Reporter::AuditEnforcer::ControlFailure, "Audit c2 has failed. Aborting chef-client run.")
+  end
+end

data/spec/unit/compliance/runner_spec.rb

@@ -0,0 +1,167 @@
+require "spec_helper"
+
+describe Chef::Compliance::Runner do
+  let(:logger) { double(:logger).as_null_object }
+  let(:node) { Chef::Node.new(logger: logger) }
+
+  let(:runner) do
+    described_class.new.tap do |r|
+      r.node = node
+      r.run_id = "my_run_id"
+    end
+  end
+
+  describe "#enabled?" do
+    it "is true if the node attributes have audit profiles and the audit cookbook is not present" do
+      node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" }
+      node.automatic["recipes"] = %w{ fancy_cookbook::fanciness tacobell::nachos }
+
+      expect(runner).to be_enabled
+    end
+
+    it "is false if the node attributes have audit profiles and the audit cookbook is present" do
+      node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" }
+      node.automatic["recipes"] = %w{ audit::default fancy_cookbook::fanciness tacobell::nachos }
+
+      expect(runner).not_to be_enabled
+    end
+
+    it "is false if the node attributes do not have audit profiles and the audit cookbook is not present" do
+      node.normal["audit"]["profiles"] = {}
+      node.automatic["recipes"] = %w{ fancy_cookbook::fanciness tacobell::nachos }
+
+      expect(runner).not_to be_enabled
+    end
+
+    it "is false if the node attributes do not have audit profiles and the audit cookbook is present" do
+      node.normal["audit"]["profiles"] = {}
+      node.automatic["recipes"] = %w{ audit::default fancy_cookbook::fanciness tacobell::nachos }
+
+      expect(runner).not_to be_enabled
+    end
+
+    it "is false if the node attributes do not have audit attributes and the audit cookbook is not present" do
+      node.automatic["recipes"] = %w{ fancy_cookbook::fanciness tacobell::nachos }
+      expect(runner).not_to be_enabled
+    end
+  end
+
+  describe "#inspec_profiles" do
+    it "returns an empty list with no profiles defined" do
+      expect(runner.inspec_profiles).to eq([])
+    end
+
+    it "converts from the attribute format to the format Inspec expects" do
+      node.normal["audit"]["profiles"]["linux-baseline"] = {
+        'compliance': "user/linux-baseline",
+        'version': "2.1.0",
+      }
+
+      node.normal["audit"]["profiles"]["ssh"] = {
+        'supermarket': "hardening/ssh-hardening",
+      }
+
+      expected = [
+        {
+          compliance: "user/linux-baseline",
+          name: "linux-baseline",
+          version: "2.1.0",
+        },
+        {
+          name: "ssh",
+          supermarket: "hardening/ssh-hardening",
+        },
+      ]
+
+      expect(runner.inspec_profiles).to eq(expected)
+    end
+
+    it "raises an error when the profiles are in the old audit-cookbook format" do
+      node.normal["audit"]["profiles"] = [
+        {
+          name: "Windows 2019 Baseline",
+          compliance: "admin/windows-2019-baseline",
+        },
+      ]
+
+      expect { runner.inspec_profiles }.to raise_error(/profiles specified in an unrecognized format, expected a hash of hashes./)
+    end
+  end
+
+  describe "#warn_for_deprecated_config_values!" do
+    it "logs a warning when deprecated config values are present" do
+      node.normal["audit"]["owner"] = "my_org"
+      node.normal["audit"]["inspec_version"] = "90210"
+
+      expect(logger).to receive(:warn).with(/config values 'inspec_version', 'owner' are not supported/)
+
+      runner.warn_for_deprecated_config_values!
+    end
+
+    it "does not log a warning with no deprecated config values" do
+      node.normal["audit"]["profiles"]["linux-baseline"] = {
+        'compliance': "user/linux-baseline",
+        'version': "2.1.0",
+      }
+
+      expect(logger).not_to receive(:warn)
+
+      runner.warn_for_deprecated_config_values!
+    end
+  end
+
+  describe "#reporter" do
+    context "chef-server-automate reporter" do
+      it "uses the correct URL when 'server' attribute is set" do
+        Chef::Config[:chef_server_url] = "https://chef_config_url.example.com/my_org"
+        node.normal["audit"]["server"] = "https://server_attribute_url.example.com/application/sub_application"
+
+        reporter = runner.reporter("chef-server-automate")
+
+        expect(reporter).to be_kind_of(Chef::Compliance::Reporter::ChefServerAutomate)
+        expect(reporter.url).to eq(URI("https://server_attribute_url.example.com/application/sub_application/organizations/my_org/data-collector"))
+      end
+
+      it "falls back to chef_server_url for URL when 'server' attribute is not set" do
+        Chef::Config[:chef_server_url] = "https://chef_config_url.example.com/my_org"
+
+        reporter = runner.reporter("chef-server-automate")
+
+        expect(reporter).to be_kind_of(Chef::Compliance::Reporter::ChefServerAutomate)
+        expect(reporter.url).to eq(URI("https://chef_config_url.example.com/organizations/my_org/data-collector"))
+      end
+    end
+
+    it "fails with unexpected reporter value" do
+      expect { runner.reporter("tacos") }.to raise_error(/'tacos' is not a supported reporter for Compliance Phase/)
+    end
+  end
+
+  describe "#inspec_opts" do
+    it "does not include chef_node in inputs by default" do
+      node.normal["audit"]["attributes"] = {
+        "tacos" => "lunch",
+        "nachos" => "dinner",
+      }
+
+      inputs = runner.inspec_opts[:inputs]
+
+      expect(inputs["tacos"]).to eq("lunch")
+      expect(inputs.key?("chef_node")).to eq(false)
+    end
+
+    it "includes chef_node in inputs with chef_node_attribute_enabled set" do
+      node.normal["audit"]["chef_node_attribute_enabled"] = true
+      node.normal["audit"]["attributes"] = {
+        "tacos" => "lunch",
+        "nachos" => "dinner",
+      }
+
+      inputs = runner.inspec_opts[:inputs]
+
+      expect(inputs["tacos"]).to eq("lunch")
+      expect(inputs["chef_node"]["audit"]["reporter"]).to eq("json-file")
+      expect(inputs["chef_node"]["chef_environment"]).to eq("_default")
+    end
+  end
+end

data/spec/unit/http/ssl_policies_spec.rb

@@ -26,83 +26,86 @@ describe "HTTP SSL Policy" do
     Chef::Config[:ssl_client_key]  = nil
     Chef::Config[:ssl_ca_path]     = nil
     Chef::Config[:ssl_ca_file]     = nil
+    ENV["SSL_CERT_FILE"]           = nil
   end
 
-  let(:unconfigured_http_client) { Net::HTTP.new("example.com", 443) }
   let(:http_client) do
-    unconfigured_http_client.use_ssl = true
-    ssl_policy.apply
-    unconfigured_http_client
+    ssl_policy_class.apply_to(Net::HTTP.new("example.com"))
   end
 
   describe Chef::HTTP::DefaultSSLPolicy do
 
-    let(:ssl_policy) { Chef::HTTP::DefaultSSLPolicy.new(unconfigured_http_client) }
+    let(:ssl_policy_class) { Chef::HTTP::DefaultSSLPolicy }
 
-    describe "when configured with :ssl_verify_mode set to :verify peer" do
-      before do
-        Chef::Config[:ssl_verify_mode] = :verify_peer
-      end
-
-      it "configures the HTTP client to use SSL when given a URL with the https protocol" do
-        expect(http_client.use_ssl?).to be_truthy
-      end
+    it "raises a ConfigurationError if :ssl_ca_path is set to a path that doesn't exist" do
+      Chef::Config[:ssl_ca_path] = "/dev/null/nothing_here"
+      expect { http_client }.to raise_error(Chef::Exceptions::ConfigurationError)
+    end
 
-      it "sets the OpenSSL verify mode to verify_peer" do
-        expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_PEER)
-      end
+    it "should set the CA path if that is set in the configuration" do
+      Chef::Config[:ssl_ca_path] = File.join(CHEF_SPEC_DATA, "ssl")
+      expect(http_client.ca_path).to eq(File.join(CHEF_SPEC_DATA, "ssl"))
+    end
 
-      it "raises a ConfigurationError if :ssl_ca_path is set to a path that doesn't exist" do
-        Chef::Config[:ssl_ca_path] = "/dev/null/nothing_here"
-        expect { http_client }.to raise_error(Chef::Exceptions::ConfigurationError)
-      end
+    it "raises a ConfigurationError if :ssl_ca_file is set to a file that does not exist" do
+      Chef::Config[:ssl_ca_file] = "/dev/null/nothing_here"
+      expect { http_client }.to raise_error(Chef::Exceptions::ConfigurationError)
+    end
 
-      it "should set the CA path if that is set in the configuration" do
-        Chef::Config[:ssl_ca_path] = File.join(CHEF_SPEC_DATA, "ssl")
-        expect(http_client.ca_path).to eq(File.join(CHEF_SPEC_DATA, "ssl"))
-      end
+    it "should set the CA file if that is set in the configuration" do
+      Chef::Config[:ssl_ca_file] = CHEF_SPEC_DATA + "/ssl/5e707473.0"
+      expect(http_client.ca_file).to eq(CHEF_SPEC_DATA + "/ssl/5e707473.0")
+    end
 
-      it "raises a ConfigurationError if :ssl_ca_file is set to a file that does not exist" do
-        Chef::Config[:ssl_ca_file] = "/dev/null/nothing_here"
-        expect { http_client }.to raise_error(Chef::Exceptions::ConfigurationError)
-      end
+    it "should set the custom CA file if SSL_CERT_FILE environment variable is set" do
+      ENV["SSL_CERT_FILE"] = CHEF_SPEC_DATA + "/trusted_certs/intermediate.pem"
+      expect(http_client.ca_file).to eq(CHEF_SPEC_DATA + "/trusted_certs/intermediate.pem")
+    end
 
-      it "should set the CA file if that is set in the configuration" do
-        Chef::Config[:ssl_ca_file] = CHEF_SPEC_DATA + "/ssl/5e707473.0"
-        expect(http_client.ca_file).to eq(CHEF_SPEC_DATA + "/ssl/5e707473.0")
-      end
+    it "raises a ConfigurationError if SSL_CERT_FILE environment variable is set to a file that does not exist" do
+      ENV["SSL_CERT_FILE"] = "/dev/null/nothing_here"
+      expect { http_client }.to raise_error(Chef::Exceptions::ConfigurationError)
     end
 
-    describe "when configured with :ssl_verify_mode set to :verify peer" do
-      before do
-        @url = URI.parse("https://chef.example.com:4443/")
-        Chef::Config[:ssl_verify_mode] = :verify_none
-      end
+    it "sets the OpenSSL verify mode to verify_peer when configured with :ssl_verify_mode set to :verify_peer" do
+      Chef::Config[:ssl_verify_mode] = :verify_peer
+      expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_PEER)
+    end
 
-      it "sets the OpenSSL verify mode to :verify_none" do
-        expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_NONE)
-      end
+    it "sets the OpenSSL verify mode to :verify_none when configured with :ssl_verify_mode set to :verify_none" do
+      Chef::Config[:ssl_verify_mode] = :verify_none
+      expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_NONE)
     end
 
     describe "when configured with a client certificate" do
-      before { @url = URI.parse("https://chef.example.com:4443/") }
-
       it "raises ConfigurationError if the certificate file doesn't exist" do
         Chef::Config[:ssl_client_cert] = "/dev/null/nothing_here"
         Chef::Config[:ssl_client_key]  = CHEF_SPEC_DATA + "/ssl/chef-rspec.key"
-        expect { http_client }.to raise_error(Chef::Exceptions::ConfigurationError)
+        expect { http_client }.to raise_error(Chef::Exceptions::ConfigurationError, /ssl_client_cert .* does not exist/)
       end
 
-      it "raises ConfigurationError if the certificate file doesn't exist" do
+      it "raises ConfigurationError if the private key file doesn't exist" do
         Chef::Config[:ssl_client_cert] = CHEF_SPEC_DATA + "/ssl/chef-rspec.cert"
         Chef::Config[:ssl_client_key]  = "/dev/null/nothing_here"
-        expect { http_client }.to raise_error(Chef::Exceptions::ConfigurationError)
+        expect { http_client }.to raise_error(Chef::Exceptions::ConfigurationError, /ssl_client_key .* does not exist/)
       end
 
       it "raises a ConfigurationError if one of :ssl_client_cert and :ssl_client_key is set but not both" do
         Chef::Config[:ssl_client_cert] = "/dev/null/nothing_here"
         Chef::Config[:ssl_client_key]  = nil
-        expect { http_client }.to raise_error(Chef::Exceptions::ConfigurationError)
+        expect { http_client }.to raise_error(Chef::Exceptions::ConfigurationError, /configure ssl_client_cert and ssl_client_key together/)
+      end
+
+      it "raises a ConfigurationError with a bad cert file" do
+        Chef::Config[:ssl_client_cert] = __FILE__
+        Chef::Config[:ssl_client_key]  = CHEF_SPEC_DATA + "/ssl/chef-rspec.key"
+        expect { http_client }.to raise_error(Chef::Exceptions::ConfigurationError, /Error reading cert file '#{__FILE__}'/)
+      end
+
+      it "raises a ConfigurationError with a bad key file" do
+        Chef::Config[:ssl_client_cert] = CHEF_SPEC_DATA + "/ssl/chef-rspec.cert"
+        Chef::Config[:ssl_client_key]  = __FILE__
+        expect { http_client }.to raise_error(Chef::Exceptions::ConfigurationError, /Error reading key file '#{__FILE__}'/)
       end
 
       it "configures the HTTP client's cert and private key" do
@@ -111,20 +114,31 @@ describe "HTTP SSL Policy" do
         expect(http_client.cert.to_s).to eq(OpenSSL::X509::Certificate.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.cert")).to_s)
         expect(http_client.key.to_s).to eq(OpenSSL::PKey::RSA.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.key")).to_s)
       end
-    end
 
-    context "when additional certs are located in the trusted_certs dir" do
-      let(:self_signed_crt_path) { File.join(CHEF_SPEC_DATA, "trusted_certs", "example.crt") }
-      let(:self_signed_crt) { OpenSSL::X509::Certificate.new(File.read(self_signed_crt_path)) }
+      it "configures the HTTP client's cert and private key with a DER encoded cert" do
+        Chef::Config[:ssl_client_cert] = CHEF_SPEC_DATA + "/ssl/binary/chef-rspec-der.cert"
+        Chef::Config[:ssl_client_key]  = CHEF_SPEC_DATA + "/ssl/chef-rspec.key"
+        expect(http_client.cert.to_s).to eq(OpenSSL::X509::Certificate.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.cert")).to_s)
+        expect(http_client.key.to_s).to eq(OpenSSL::PKey::RSA.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.key")).to_s)
+      end
 
-      let(:additional_pem_path) { File.join(CHEF_SPEC_DATA, "trusted_certs", "opscode.pem") }
-      let(:additional_pem) { OpenSSL::X509::Certificate.new(File.read(additional_pem_path)) }
+      it "configures the HTTP client's cert and private key with a DER encoded key" do
+        Chef::Config[:ssl_client_cert] = CHEF_SPEC_DATA + "/ssl/chef-rspec.cert"
+        Chef::Config[:ssl_client_key]  = CHEF_SPEC_DATA + "/ssl/binary/chef-rspec-der.key"
+        expect(http_client.cert.to_s).to eq(OpenSSL::X509::Certificate.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.cert")).to_s)
+        expect(http_client.key.to_s).to eq(OpenSSL::PKey::RSA.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.key")).to_s)
+      end
+    end
 
+    context "when additional certs are located in the trusted_certs dir" do
       before do
         Chef::Config.trusted_certs_dir = File.join(CHEF_SPEC_DATA, "trusted_certs")
       end
 
       it "enables verification of self-signed certificates" do
+        path = File.join(CHEF_SPEC_DATA, "trusted_certs", "example.crt")
+        self_signed_crt = OpenSSL::X509::Certificate.new(File.binread(path))
+
         expect(http_client.cert_store.verify(self_signed_crt)).to be_truthy
       end
 
@@ -137,39 +151,64 @@ describe "HTTP SSL Policy" do
         # If the machine running the test doesn't have ruby SSL configured correctly,
         # then the root cert also has to be loaded for the test to succeed.
         # The system under test **SHOULD** do both of these things.
+        path = File.join(CHEF_SPEC_DATA, "trusted_certs", "opscode.pem")
+        additional_pem = OpenSSL::X509::Certificate.new(File.binread(path))
+
         expect(http_client.cert_store.verify(additional_pem)).to be_truthy
       end
 
-      context "and some certs are duplicates" do
-        it "skips duplicate certs" do
-          # For whatever reason, OpenSSL errors out when adding a
-          # cert you already have to the certificate store.
-          ssl_policy.set_custom_certs
-          ssl_policy.set_custom_certs # should not raise an error
+      it "skips duplicate certs" do
+        # For whatever reason, OpenSSL errors out when adding a
+        # cert you already have to the certificate store.
+        ssl_policy = ssl_policy_class.new(Net::HTTP.new("example.com"))
+        ssl_policy.set_custom_certs
+        ssl_policy.set_custom_certs # should not raise an error
+      end
+
+      it "raises ConfigurationError with a bad cert file in the trusted_certs dir" do
+        ssl_policy = ssl_policy_class.new(Net::HTTP.new("example.com"))
+
+        Dir.mktmpdir do |dir|
+          bad_cert_file = File.join(dir, "bad_cert_file.crt")
+          File.write(bad_cert_file, File.read(__FILE__))
+
+          Chef::Config.trusted_certs_dir = dir
+          expect { ssl_policy.set_custom_certs }.to raise_error(Chef::Exceptions::ConfigurationError, /Error reading cert file/)
         end
       end
+
+      it "works with binary certs" do
+        Chef::Config.trusted_certs_dir = File.join(CHEF_SPEC_DATA, "ssl", "binary")
+
+        ssl_policy = ssl_policy_class.new(Net::HTTP.new("example.com"))
+        ssl_policy.set_custom_certs
+      end
     end
   end
 
   describe Chef::HTTP::APISSLPolicy do
 
-    let(:ssl_policy) { Chef::HTTP::APISSLPolicy.new(unconfigured_http_client) }
+    let(:ssl_policy_class) { Chef::HTTP::APISSLPolicy }
 
-    context "when verify_api_cert is set" do
-      before do
-        Chef::Config[:verify_api_cert] = true
-      end
+    it "sets the OpenSSL verify mode to verify_peer when configured with :ssl_verify_mode set to :verify_peer" do
+      Chef::Config[:ssl_verify_mode] = :verify_peer
+      expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_PEER)
+    end
 
-      it "sets the OpenSSL verify mode to verify_peer" do
-        expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_PEER)
-      end
+    it "sets the OpenSSL verify mode to :verify_none when configured with :ssl_verify_mode set to :verify_none" do
+      Chef::Config[:ssl_verify_mode] = :verify_none
+      expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_NONE)
     end
 
+    it "sets the OpenSSL verify mode to verify_peer when verify_api_cert is set" do
+      Chef::Config[:verify_api_cert] = true
+      expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_PEER)
+    end
   end
 
   describe Chef::HTTP::VerifyPeerSSLPolicy do
 
-    let(:ssl_policy) { Chef::HTTP::VerifyPeerSSLPolicy.new(unconfigured_http_client) }
+    let(:ssl_policy_class) { Chef::HTTP::VerifyPeerSSLPolicy }
 
     it "sets the OpenSSL verify mode to verify_peer" do
       expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_PEER)
@@ -179,7 +218,7 @@ describe "HTTP SSL Policy" do
 
   describe Chef::HTTP::VerifyNoneSSLPolicy do
 
-    let(:ssl_policy) { Chef::HTTP::VerifyNoneSSLPolicy.new(unconfigured_http_client) }
+    let(:ssl_policy_class) { Chef::HTTP::VerifyNoneSSLPolicy }
 
     it "sets the OpenSSL verify mode to verify_peer" do
       expect(http_client.verify_mode).to eq(OpenSSL::SSL::VERIFY_NONE)