Add SSLPolicy class that will use chefdk trusted certs path #1640
…with the trusted_certs_dir that knife uses for self-signed certificates. Tests are not passing and there is a lot left to be desired
…ail when you pass in a trusted_certs_dir attribute for Ridley::Config as well as a cert store into connection constructors - one test is skipped and that's on my todo list to mock out and fix
…er or not a trusted_certs_dir exists and whether or not it's specified in a knife.rb file for a workstation; I also created a fixture for providing a dummy ssl cert for the Ridley::Chef::Config double object so that tests function
Signed-off-by: Stephan Renatus <srenatus@chef.io>
Signed-off-by: Stephan Renatus <srenatus@chef.io>
Signed-off-by: Stephan Renatus <srenatus@chef.io>
If we pass the option `false`, we would expect to assert for the same option. Signed-off-by: Salim Afiune <afiune@chef.io>
Signed-off-by: Salim Afiune <afiune@chef.io>
ping @howdoicomputer @srenatus !! Gotta open a new PR but look at this, tests passed!!
cc/ @berkshelf/berks-core
huzzah Edit: HUZZAH!
Looking more in detail I really don't see how this is going to work. 😂 At the end of the day we need Ridley to understand the trusted_cert_dir and I don't think we do that there. I might look closer at this tomorrow morning.
Signed-off-by: Salim Afiune <afiune@chef.io>
Also added test for the chef_server location type! 😄 Signed-off-by: Salim Afiune <afiune@chef.io>
cc/ @berkshelf/berks-core
This looks good to me. If you wanted to go a step further, you could move some of the code into
Oh, yeah, this thing.
👍
I am approving this since we have two +1 @danielsdeleo I am creating an issue to go the extra mile on a different card. It is indeed a great idea that we would love to implement on the next iteration. 💯
Ahhhh code I wrote ended up in berkshelf 😄 I can look into that additional ticket.
Ok, so I wanted to make sure the code in this PR handles a particular use case: the Chef server is using a cert issued by the company's internal CA. All of their machines come with that CA built in, so all chef-client runs succeed without the need to have the full cert chain in the trusted_certs folder. If Berks only knows about the trusted_certs folder, it may still fail, because the root CA is in a different store.
We are introducing a new class called `SSLPolicy` that, by default, will create the SSL Store pointing to the chef trusted certificates path. The class has been implemented in the main `Uploader` and `Downloader` so that they now pass an extra SSL option called `cert_store`. These options are passed to the underlying gem `Ridley`, which itself passes them to `Faraday` (HTTP client) so that on every connection we use the SSL store we provided for authentication. :mindblown:

Fixes #1470
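The following is an added example, not Berkshelf's, Ridley's or the PR author's code, that shows the mechanism the description above relies on: an `OpenSSL::X509::Store` is built from a knife-style trusted_certs directory, merged with the system CA bundle so the internal-CA case raised earlier in the thread still verifies, and handed over as the `cert_store` ssl option that Faraday accepts. The helper names (`build_cert_store`, `ssl_options`, `make_self_signed_cert`, `demo`), the `*.crt`/`*.pem` file layout and the self-signed certificate are constructed for the example; the Faraday gem itself is not required so the block runs offline.

```ruby
require "openssl"
require "tmpdir"

# Build a trust store from every PEM file in trusted_certs_dir (knife writes
# one .crt per server there) and, by default, also load the operating system's
# CA bundle. That way a Chef server certificate issued by an internal CA that
# is only present in the OS store verifies even if trusted_certs_dir is empty.
def build_cert_store(trusted_certs_dir, include_system_cas: true)
  store = OpenSSL::X509::Store.new
  store.set_default_paths if include_system_cas
  if trusted_certs_dir && File.directory?(trusted_certs_dir)
    # Assumed layout: one PEM certificate per file, .crt or .pem extension.
    Dir.glob(File.join(trusted_certs_dir, "*.{crt,pem}")).sort.each do |path|
      store.add_file(path)
    end
  end
  store
end

# The ssl option hash a Faraday connection accepts (`ssl: ssl_options(store)`).
# verify stays true: the store widens what is trusted, it never disables checks.
def ssl_options(store)
  { verify: true, cert_store: store }
end

# Constructed self-signed certificate standing in for a Chef server cert
# (assumption for the example; real deployments would use the server's cert).
def make_self_signed_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Show the effect of the trusted_certs directory: the self-signed server cert
# fails verification against a store holding only system CAs and passes once
# its PEM has been dropped into the directory. Returns [without, with].
def demo
  cert = make_self_signed_cert("chef.example.internal")
  Dir.mktmpdir("trusted_certs") do |dir|
    File.write(File.join(dir, "chef_example_internal.crt"), cert.to_pem)
    without = build_cert_store(nil).verify(cert)
    with = build_cert_store(dir).verify(cert)
    [without, with]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

`set_default_paths` is what keeps the corporate-CA scenario working: the store created by an `SSLPolicy`-style class should add the trusted_certs directory on top of the system bundle rather than replace it, otherwise every chain that terminates in the OS store starts failing the moment Berkshelf supplies its own store.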