knife-bastion 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: cde0ad1420a7e4754cbd8a540b711217f7547382
+  data.tar.gz: e99a6bad8478a5ea09b294dbbe882e62dac8ccbe
+SHA512:
+  metadata.gz: 0b21d9651473242ddfed9b7de693057020b3b4e2253b317eacab1e22ea9963783adc53eb1f567a119ca64d02dce244b336a4c7a63f29b6e8b2af55ef60f7d19b
+  data.tar.gz: 6bd170228b796ee6195706d30817c86277314818dd753262161595612c94ea1290b5617884f8548295b7f0c487fa72be381be9da3a8043f333dcc78c764fd7c4

checksums.yaml.gz.sig

@@ -0,0 +1,2 @@
+a�Q
�c�U�^_��Pt�HRWVˢ#���ļ�t����z0�1��<K��4E�S"7�X�Uա�(�\�0#��*7H�a��f��<��oE}�׏�����`������T&F�
+,���х�����f��C��f��R�$2������� �T)Jo��

data/.gitignore

@@ -0,0 +1,14 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+*.gem
+
+.ruby-gemset
+.ruby-version

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in knife-bastion.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013-2016 Eligible
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,98 @@
+# knife-bastion
+
+This plugin allows Knife to access Chef server over a secure SSH connection,
+without exposing Chef server port to your VPN network.
+
+## Installation
+
+Add this line to your Chef repository's Gemfile:
+
+```ruby
+gem 'knife-bastion'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install knife-bastion
+
+## Usage
+
+Configure your bastion server in `.chef/knife.rb` (at the bottom):
+
+```ruby
+# ...
+# your knife configurations goes here
+# ...
+
+# Bastion host SSH settings
+knife[:bastion_host] = "bastion.mycorp.net"
+knife[:bastion_user] = ENV["MYCORP_USER"] || ENV["CHEF_USER"] || ENV["USER"]
+
+# If you have multiple networks, that require different MFA tokens, specify
+# each network name here. (This configuration is referenced to clarify the
+# token a user should employ.)
+# knife[:bastion_network] = "mynet"
+
+# By default, the proxy server is created on port 4443. You may configure the
+# local bastion port here:
+# knife[:bastion_local_port] = 4443
+
+require "knife-bastion/activate"
+```
+
+Now, your workflow will look like this:
+
+1. Run `knife bastion start` - this command will establish SSH connection to
+   bastion box for 10 minutes, and create a SOCKS proxy on port `4443`, that
+   will forward all Chef requests to Chef server via bastion box.
+2. Use Chef to do your work.
+3. At any time you can use `knife bastion status` - which will verify the proxy
+   and make sure everything works as expected.
+4. After you finished, run `knife bastion stop` to shutdown the connection
+   and turn off the proxy. If you forget to do this, it will die automatically
+   after 10 minutes.
+
+Sometimes when you work on a big change, default timeout of 10 minutes is too short.
+You can increase timeout with `--timeout` flag:
+
+```
+knife bastion start --timeout 1800
+```
+
+Maximum timeout is 3600 (1 hour) for security reasons. You can re-establish bastion
+connection by executing `knife bastion start` (if the connection is currently active,
+it will be forcibly closed.)
+
+### Bastion troubleshooting
+
+If something is not right, you need to ensure you have access to bastion box.
+Try connecting to `bastion.mycorp.net` via SSH:
+
+```bash
+ssh ${MYCORP_USER-$USER}@bastion.mycorp.net
+```
+
+Check current bastion connection status (it will tell you if there is anything
+wrong with your box):
+
+```
+knife bastion status
+```
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/eligible/knife-bastion.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/certs/eligible.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfDCCAmSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBCMREwDwYDVQQDDAhzZWN1
+cml0eTEYMBYGCgmSJomT8ixkARkWCGVsaWdpYmxlMRMwEQYKCZImiZPyLGQBGRYD
+Y29tMB4XDTE2MDgyMjIxNTI0NVoXDTE3MDgyMjIxNTI0NVowQjERMA8GA1UEAwwI
+c2VjdXJpdHkxGDAWBgoJkiaJk/IsZAEZFghlbGlnaWJsZTETMBEGCgmSJomT8ixk
+ARkWA2NvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKyXvxbyCjdJ
+eUPxJzt0cBv+fk9xnXq1Gu+EiFLayUAoADC9KtNDPRLe8Gd0yK5UmQD8F0wL89D4
+y8vEXOm5hfHpgG7qQ01S11SRM7ksgId8OM0MyZkBTBcvpPqTyU06dbyRSy7Ir4Tn
+Ro4Qb5+iOfZk3gcE9+StsJYn7l8mQFRHOZVgf8kVaAVTR8FWMLr3PMgKHsHiFJnn
+Jm7eFlvQPQ8Mf56WnX4fPCO/caNqM4RFRHTjW+LYan3KsA7mg/FAt7LstONfS422
+sUv0EhwprWRF1483e7b6KBcXhrk8RK447JRyKzqfw9jPONl/d5XodFGGesZ/XNHK
+d0vvWDsmRSUCAwEAAaN9MHswCQYDVR0TBAIwADALBgNVHQ8EBAMCBLAwHQYDVR0O
+BBYEFGKTLK26F60J6VzTer7W4T/gMN2SMCAGA1UdEQQZMBeBFXNlY3VyaXR5QGVs
+aWdpYmxlLmNvbTAgBgNVHRIEGTAXgRVzZWN1cml0eUBlbGlnaWJsZS5jb20wDQYJ
+KoZIhvcNAQEFBQADggEBAF6VvkLEzKE9CPmQ4UXS0aHlRNwCVhSOpYeBfXWVVQqJ
+ez7ftmxXLFGZ8N1wHxM7gEBFKCOB3Cu80F1uioxVMEPJAg1TT7t17GWNorG0aP7g
+W5iMS2bfdLMFv8Z9Cljvn12ba+2tTn7hrzplf8gW/sxlaP3Q1lK/2cpiKqFVHLNJ
+AR7q+NSrOmenHnTiKB4wTD3bRw0lv8iMVOnL97EQ/j8zp7m7dR3bJaGf5xLYeYkc
+DHSQkPQADqf52XlDQ7I6fBAn6E2bH38Wvwpu593AvE02KRKqaK8XEtBBldE4d/It
+2ysZ/sPJras9LFb2MpjJNRCdXr3z2ed6QwuLnsyEfuk=
+-----END CERTIFICATE-----

data/knife-bastion.gemspec

@@ -0,0 +1,31 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'knife-bastion/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "knife-bastion"
+  spec.version       = Knife::Bastion::VERSION
+  spec.authors       = ["Dmytro Shteflyuk"]
+  spec.email         = ["dmytro@eligible.com"]
+
+  spec.summary       = %q{Access Chef securely via bastion server.}
+  spec.description   = %q{Protect your Chef server by restricting direct access to Chef HTTPS port to be only accessible from your internal network.}
+  spec.homepage      = "https://github.com/eligible/knife-bastion"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.cert_chain    = ['certs/eligible.pem']
+  spec.signing_key   = File.expand_path("~/.ssh/gem-eligible.pem") if $0 =~ /gem\z/
+
+  spec.add_runtime_dependency 'chef'
+  spec.add_runtime_dependency 'highline'
+  spec.add_runtime_dependency 'socksify'
+
+  spec.add_development_dependency "bundler", "~> 1.12"
+  spec.add_development_dependency "rake", "~> 10.0"
+end

data/lib/chef/knife/bastion_base.rb

@@ -0,0 +1,75 @@
+require 'chef/knife'
+
+class Chef
+  class Knife
+    class BastionBase < Knife
+      include Chef::Mixin::ShellOut
+
+      def initialize_params
+        @bastion_user    = Chef::Config[:knife][:bastion_user] || ENV['CHEF_USER'] || ENV['USER']
+        @bastion_host    = Chef::Config[:knife][:bastion_host]
+        @bastion_network = Chef::Config[:knife][:bastion_network]
+        @chef_host       = URI.parse(Chef::Config[:chef_server_url]).host
+        @local_port      = Chef::Config[:knife][:bastion_local_port] || 4443
+      end
+
+      def tunnel_pid(local_port, raise_on_closed_port = true)
+        # Check if local port is open, get proxy process PID
+        pid_result = shell_out("lsof -nPt -i4TCP:#{local_port} -sTCP:LISTEN")
+        unless pid_result.status.success?
+          if raise_on_closed_port
+            ui.fatal "Tunnel is not open on port #{local_port}"
+            abort
+          end
+          return nil
+        end
+        proxy_pid = pid_result.stdout.chomp
+
+        # Verify tunnel destination
+        bastion_ip_addr = Resolv.getaddress(@bastion_host)
+        dest_result = shell_out("lsof -an -p #{proxy_pid} -i4@#{bastion_ip_addr}:ssh")
+        unless dest_result.status.success?
+          ui.fatal "There is a process with PID #{proxy_pid} listening on port #{local_port}, but it does not look like a tunnel"
+          abort
+        end
+
+        proxy_pid
+      end
+
+      def print_tunnel_info(header, timeout: nil, pid: nil)
+        ui.info <<-INFO
+#{header}
+  * Bastion host: #{ui.color "#{@bastion_user}@#{@bastion_host}", [:bold, :white]}
+  *    Chef host: #{ui.color @chef_host, [:bold, :white]}
+  *   Local port: #{ui.color @local_port.to_s, [:bold, :white]}
+        INFO
+        if timeout
+          ui.info <<-INFO
+  *      Timeout: #{ui.color timeout.to_s, [:bold, :white]} seconds
+          INFO
+        end
+        if pid
+          ui.info <<-INFO
+  *    Proxy PID: #{ui.color pid.to_s, [:bold, :white]}
+          INFO
+        end
+      end
+
+      def run
+        initialize_params
+
+        # Retrieve proxy process PID. Raises an error if something is wrong
+        proxy_pid = tunnel_pid(@local_port)
+        print_tunnel_info("Found an esablished tunnel:", pid: proxy_pid)
+
+        require 'socksify'
+        TCPSocket::socks_server = "127.0.0.1"
+        TCPSocket::socks_port = @local_port
+
+        # This line will raise an exception if tunnel is broken
+        rest.get_rest("/policies")
+        ui.info ui.color("OK:  ", :green) + "The tunnel is up and running"
+      end
+    end
+  end
+end

data/lib/chef/knife/bastion_start.rb

@@ -0,0 +1,83 @@
+require_relative 'bastion_base'
+
+class Chef
+  class Knife
+    class BastionStart < BastionBase
+      option :timeout,
+             long:        "--timeout SECONDS",
+             description: "Sets the tunnel life time, in seconds (10 minutes by default)",
+             default:     600,
+             proc:        lambda { |s| s.to_i }
+
+      deps do
+        require 'shellwords'
+      end
+
+      banner "knife bastion start (options)"
+      category "bastion"
+
+      def initialize_params
+        super
+
+        @timeout = config[:timeout]
+        @timeout = 600  if @timeout < 1    # timeout should be greater than 0
+        @timeout = 3600 if @timeout > 3600 # timeout should be less than 1 hour
+      end
+
+      def run
+        initialize_params
+
+        # Check if proxy is already running and restart it
+        kill_proxy_if_running
+
+        print_tunnel_info("Creating a tunnel to Chef server:", timeout: @timeout)
+
+        ui.info "Establishing connection to #{ui.color @bastion_host, [:bold, :white]}"
+        ui.warn "Please make sure to use your #{ui.color @bastion_network, [:bold, :magenta]} token" if @bastion_network
+
+        start_proxy
+      end
+
+      def kill_proxy_if_running
+        proxy_pid = tunnel_pid(@local_port, false)
+        if proxy_pid
+          ui.warn "Proxy on #{@local_port} is up and running. Restarting it"
+          shell_out!("kill -9 '#{proxy_pid}'")
+        end
+      end
+
+      def start_proxy
+        # Not using shell_out! here because it disables tty via Process.setsid,
+        # so it will not be possible to enter password/token for bastion host.
+        system ssh_proxy_command(@timeout)
+
+        if $?.exitstatus == 0
+          ui.info ui.color("OK:  ", :green) + "Successfully started proxy on port #{@local_port}"
+        else
+          ui.fatal "Failed to start proxy"
+        end
+      end
+
+      def ssh_proxy_command(timeout)
+        cmd = [
+          "/usr/bin/ssh",
+          # go to background just before command execution
+          "-f",
+          # prevent reading from stdin
+          "-n",
+          # application-level port forwarding (SOCKS proxy)
+          "-D", "127.0.0.1:#{@local_port}",
+          # wait for all remote port forwards to be successfully established
+          "-o", "ExitOnForwardFailure=yes",
+          # Disable sharing of multiple connections
+          "-o", "ControlPath=none",
+          # SSH host to connect to
+          "#{@bastion_user}@#{@bastion_host}",
+          # Enforce tunnel timeout
+          "sleep #{timeout}"
+        ]
+        Shellwords.join(cmd)
+      end
+    end
+  end
+end

data/lib/chef/knife/bastion_status.rb

@@ -0,0 +1,28 @@
+require_relative 'bastion_base'
+
+class Chef
+  class Knife
+    class BastionStatus < BastionBase
+      include Chef::Mixin::ShellOut
+
+      banner "knife bastion status (options)"
+      category "bastion"
+
+      def run
+        initialize_params
+
+        # Retrieve proxy process PID. Raises an error if something is wrong
+        proxy_pid = tunnel_pid(@local_port)
+        print_tunnel_info("Found an esablished tunnel:", pid: proxy_pid)
+
+        require 'socksify'
+        TCPSocket::socks_server = "127.0.0.1"
+        TCPSocket::socks_port   = @local_port
+
+        # This line will raise an exception if tunnel is broken
+        rest.get_rest("/policies")
+        ui.info ui.color("OK:  ", :green) + "The tunnel is up and running"
+      end
+    end
+  end
+end

data/lib/chef/knife/bastion_stop.rb

@@ -0,0 +1,23 @@
+require_relative 'bastion_base'
+
+class Chef
+  class Knife
+    class BastionStop < BastionBase
+      include Chef::Mixin::ShellOut
+
+      banner "knife bastion stop (options)"
+      category "bastion"
+
+      def run
+        initialize_params
+
+        # Retrieve proxy process PID. Raises an error if something is wrong
+        pid = tunnel_pid(@local_port)
+
+        shell_out!("kill -9 '#{pid}'")
+
+        ui.info ui.color("OK:  ", :green) + "Tunnel closed, you're safe now"
+      end
+    end
+  end
+end

data/lib/knife-bastion/activate.rb

@@ -0,0 +1,4 @@
+# Only activate socks proxy for Knife
+if defined?(Chef::Application::Knife)
+  require_relative 'chef_socks_proxy'
+end

data/lib/knife-bastion/chef_socks_proxy.rb

@@ -0,0 +1,62 @@
+# Load socksify gem, required to make Chef work with SOCKS proxy
+begin
+  require 'socksify'
+rescue LoadError
+  puts HighLine.color("FATAL:", [:bold, :red]) + " Failed to load #{HighLine.color("socksify", [:bold, :magenta])} gem. Please run #{HighLine.color("bundle install", [:bold, :magenta])} to continue"
+  # Hard exit to skip Chef exception reporting
+  exit! 1
+end
+
+# Simple class, that delegates all the calls to the base client object, except
+# for `request`. The latter is overwritten to first configure SOCKS proxy,
+# and if connection fails - show warning about the bastion setup.
+class BastionChefClientProxy < BasicObject
+  NETWORK_ERRORS = [
+    ::SocketError,
+    ::Errno::ETIMEDOUT,
+    ::Errno::ECONNRESET,
+    ::Errno::ECONNREFUSED,
+    ::Timeout::Error,
+    ::OpenSSL::SSL::SSLError,
+  ]
+
+  def initialize(client)
+    @client = client
+  end
+
+  def request(*args, &block)
+    with_socks_proxy do
+      @client.request(*args, &block)
+    end
+  end
+
+  def method_missing(method, *args, &block)
+    @client.send(method, *args, &block)
+  end
+
+  def with_socks_proxy
+    old_socks_server, old_socks_port = ::TCPSocket::socks_server, ::TCPSocket::socks_port
+    ::TCPSocket::socks_server, ::TCPSocket::socks_port = '127.0.0.1', ::Chef::Config[:knife][:bastion_local_port] || 4443
+    yield
+  rescue *NETWORK_ERRORS
+    puts ::HighLine.color("WARNING:", [:bold, :red]) + " Failed to contact Chef server!"
+    puts "You might need to start bastion connection with #{::HighLine.color("knife bastion start", [:bold, :magenta])} to access Chef."
+    puts
+    raise
+  ensure
+    ::TCPSocket::socks_server, ::TCPSocket::socks_port = old_socks_server, old_socks_port
+  end
+end
+
+# Override `http_client` method in `Chef::HTTP` to return proxy object instead
+# of normal client object.
+Chef::HTTP.class_eval do
+  alias_method :http_client_without_bastion, :http_client
+  protected :http_client_without_bastion
+
+  protected
+
+  def http_client(*args)
+    BastionChefClientProxy.new(http_client_without_bastion(*args))
+  end
+end

data/lib/knife-bastion/version.rb

@@ -0,0 +1,6 @@
+module Knife
+  module Bastion
+    VERSION = "1.0.0"
+    MAJOR, MINOR, TINY = VERSION.split('.')
+  end
+end

metadata

@@ -0,0 +1,151 @@
+--- !ruby/object:Gem::Specification
+name: knife-bastion
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Dmytro Shteflyuk
+autorequire: 
+bindir: exe
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDfDCCAmSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBCMREwDwYDVQQDDAhzZWN1
+  cml0eTEYMBYGCgmSJomT8ixkARkWCGVsaWdpYmxlMRMwEQYKCZImiZPyLGQBGRYD
+  Y29tMB4XDTE2MDgyMjIxNTI0NVoXDTE3MDgyMjIxNTI0NVowQjERMA8GA1UEAwwI
+  c2VjdXJpdHkxGDAWBgoJkiaJk/IsZAEZFghlbGlnaWJsZTETMBEGCgmSJomT8ixk
+  ARkWA2NvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKyXvxbyCjdJ
+  eUPxJzt0cBv+fk9xnXq1Gu+EiFLayUAoADC9KtNDPRLe8Gd0yK5UmQD8F0wL89D4
+  y8vEXOm5hfHpgG7qQ01S11SRM7ksgId8OM0MyZkBTBcvpPqTyU06dbyRSy7Ir4Tn
+  Ro4Qb5+iOfZk3gcE9+StsJYn7l8mQFRHOZVgf8kVaAVTR8FWMLr3PMgKHsHiFJnn
+  Jm7eFlvQPQ8Mf56WnX4fPCO/caNqM4RFRHTjW+LYan3KsA7mg/FAt7LstONfS422
+  sUv0EhwprWRF1483e7b6KBcXhrk8RK447JRyKzqfw9jPONl/d5XodFGGesZ/XNHK
+  d0vvWDsmRSUCAwEAAaN9MHswCQYDVR0TBAIwADALBgNVHQ8EBAMCBLAwHQYDVR0O
+  BBYEFGKTLK26F60J6VzTer7W4T/gMN2SMCAGA1UdEQQZMBeBFXNlY3VyaXR5QGVs
+  aWdpYmxlLmNvbTAgBgNVHRIEGTAXgRVzZWN1cml0eUBlbGlnaWJsZS5jb20wDQYJ
+  KoZIhvcNAQEFBQADggEBAF6VvkLEzKE9CPmQ4UXS0aHlRNwCVhSOpYeBfXWVVQqJ
+  ez7ftmxXLFGZ8N1wHxM7gEBFKCOB3Cu80F1uioxVMEPJAg1TT7t17GWNorG0aP7g
+  W5iMS2bfdLMFv8Z9Cljvn12ba+2tTn7hrzplf8gW/sxlaP3Q1lK/2cpiKqFVHLNJ
+  AR7q+NSrOmenHnTiKB4wTD3bRw0lv8iMVOnL97EQ/j8zp7m7dR3bJaGf5xLYeYkc
+  DHSQkPQADqf52XlDQ7I6fBAn6E2bH38Wvwpu593AvE02KRKqaK8XEtBBldE4d/It
+  2ysZ/sPJras9LFb2MpjJNRCdXr3z2ed6QwuLnsyEfuk=
+  -----END CERTIFICATE-----
+date: 2016-08-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: chef
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: socksify
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: Protect your Chef server by restricting direct access to Chef HTTPS port
+  to be only accessible from your internal network.
+email:
+- dmytro@eligible.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- certs/eligible.pem
+- knife-bastion.gemspec
+- lib/chef/knife/bastion_base.rb
+- lib/chef/knife/bastion_start.rb
+- lib/chef/knife/bastion_status.rb
+- lib/chef/knife/bastion_stop.rb
+- lib/knife-bastion/activate.rb
+- lib/knife-bastion/chef_socks_proxy.rb
+- lib/knife-bastion/version.rb
+homepage: https://github.com/eligible/knife-bastion
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: Access Chef securely via bastion server.
+test_files: []