Unverified Commit 827fe6a7 authored by Tim Smith's avatar Tim Smith Committed by GitHub

Merge pull request #59 from chef-cookbooks/property_cleanup

Upgrade recipe improvement, deprecate the old library, and add more testing
parents 561352b7 7e710eae
......@@ -18,7 +18,17 @@ platforms:
- name: debian-8
- name: debian-9
- name: fedora-26
- name: freebsd-11
- name: opensuse-leap-42
- name: sles-11-sp2
driver:
box: chef/sles-11-sp2-x86_64 # private box
- name: sles-12-sp1
driver:
box: chef/sles-12-sp1-x86_64 # private box
- name: solaris-11.3
driver:
box: chef/solaris-11.3 # private box
- name: ubuntu-14.04
- name: ubuntu-16.04
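Review bot: the three new platforms that carry `driver: box:` overrides (sles-11-sp2, sles-12-sp1, solaris-11.3) are all commented `# private box`, so anyone outside the maintainers will get a box download failure from `kitchen test` for those instances. Either document in the README that these suites need internal access, or keep them in a separate kitchen file that the default run does not load, so a contributor's full `kitchen test` still passes on the public platforms.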
......
......@@ -19,6 +19,7 @@ services: docker
env:
matrix:
- INSTANCE=resources-amazonlinux
- INSTANCE=resources-ubuntu-1404
- INSTANCE=resources-ubuntu-1604
- INSTANCE=resources-debian-7
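Review bot: only `INSTANCE=resources-amazonlinux` is added to the Travis matrix, while the kitchen hunk adds fedora-26, freebsd-11, opensuse-leap-42, SLES and Solaris platforms, so most of the newly declared platforms are never exercised in CI. Since this job runs with `services: docker`, at least the Docker-capable ones (fedora-26, opensuse-leap-42) could be added here as `resources-*` instances so the new platform support is actually tested on every push.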
......
......@@ -2,6 +2,23 @@
This file is used to list changes made in each version of the openssl cookbook.
## 8.0.0 (2017-12-11)
- Added a new openssl_rsa_public_key resource which generates a public key from a private key
- Rename openssl_rsa_key to openssl_rsa_private_key, while still allowing the old name to function. This resource actually generates private keys, but the previous name didn't make that clear
- Added owner, group, and mode properties to all of the resources so you could control who owned the files you generated
- Set the default modes of generated files to 640 instead of 644
- Set the files to generate using node['root_group'] not 'root' for compatibility on other *nix systems such as FreeBSD and macOS
- Added a new property to openssl_rsa_private_key for specifying the cipher to use
- Converted integration tests to InSpec and moved all resources to a single Kitchen suite for quicker testing
- Added a force property to allow overwriting any existing key that may exist
- Fixed upgrade recipe failures on Debian 9
- Added a new path property which allows you to set the path there instead of in the resource's name
- Improved input validation in some of the helpers
- Added a deprecation message in Opscode::OpenSSL::Password helper "secure_password" and removed readme documentation
- Added a warning in the upgrade recipe if we're on an unsupported platform
- Switched the upgrade recipe to a multipackage upgrade to speed up Chef runs
## 7.1.0 (2017-05-30)
- Add supported platforms to the metdata
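Review bot: the entries "Set the default modes of generated files to 640 instead of 644" and "Set the files to generate using node['root_group'] not 'root'" change the permissions and group of files that were created by earlier cookbook versions at the next converge, which can lock out a service that read the certificate or dhparam file as a non-root user under the old 644 default. Since this is the 8.0.0 major bump it is the right place, but the changelog should say so explicitly (for example "Breaking: existing files will be re-permissioned to 0640 on the next run") so operators know to add a `group`/`mode` property before upgrading. Minor: the 7.1.0 line still reads "metdata" for "metadata".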
......
......@@ -6,22 +6,20 @@ This cookbook provides tools for working with the Ruby OpenSSL library. It inclu
- A library method to generate secure random passwords in recipes, using the Ruby SecureRandom library.
- A resource for generating RSA private keys.
- A resource for generating RSA public keys.
- A resource for generating x509 certificates.
- A resource for generating dhparam.pem files.
- An attribute-driven recipe for upgrading OpenSSL packages.
## Platforms
The `random_password` mixin works on any platform with the Ruby SecureRandom module. This module is already included with Chef.
The `openssl_x509`, `openssl_rsa_private_key` and `openssl_dhparam` resources work on any platform with the OpenSSL Ruby bindings installed. These bindings are already included with Chef.
The `upgrade` recipe has been tested on the following platforms:
- Debian / Ubuntu derivatives
- RHEL and derivatives
- Fedora
- FreeBSD
- macOS
- openSUSE / SUSE Linux Enterprises
- RHEL/CentOS/Scientific/Amazon/Oracle
- Solaris
## Chef
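Review bot: the Platforms sentence still lists only `openssl_x509`, `openssl_rsa_private_key` and `openssl_dhparam`, but the bullet list above now advertises "A resource for generating RSA public keys" (`openssl_rsa_public_key`); add it to that sentence so the platform statement covers every resource. Also "SUSE Linux Enterprises" should read "SUSE Linux Enterprise", and with "RHEL/CentOS/Scientific/Amazon/Oracle" added the older "RHEL and derivatives" bullet is now redundant.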
......@@ -58,7 +56,7 @@ include_recipe 'openssl::upgrade'
When executed, this recipe will ensure that openssl is upgraded to the latest version, and that the `stats_collector` service is restarted to pick up the latest security fixes released in the openssl package.
## Libraries & Resources
## Libraries
There are two mixins packaged with this cookbook.
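Review bot: "There are two mixins packaged with this cookbook." is misleading after this PR, since the second one (`Opscode::OpenSSL::Password`) is deprecated and its documentation is removed further down. Reword to something like "There is one supported mixin, `OpenSSLCookbook::RandomPassword`; the legacy `Opscode::OpenSSL::Password` mixin is deprecated" so readers are not left looking for a second documented library.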
......@@ -79,18 +77,7 @@ node.normal['my_secure_attribute'] = random_password(length: 50, mode: :base64,
Note that node attributes are widely accessible. Storing unencrypted passwords in node attributes, as in this example, carries risk.
### ~~secure_password (`Opscode::OpenSSL::Password`)~~
This library should be considered deprecated and will be removed in a future version. Please use `OpenSSLCookbook::RandomPassword` instead. The documentation is kept here for historical reasons.
#### ~~Example Usage~~
```ruby
::Chef::Recipe.send(:include, Opscode::OpenSSL::Password)
node.normal_unless['my_password'] = secure_password
```
~~Note that node attributes are widely accessible. Storing unencrypted passwords in node attributes, as in this example, carries risk.~~
## Resources
### openssl_x509
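Review bot: dropping the whole struck-through `secure_password` section leaves users who hit the new deprecation warning with nothing in the README to search for, even though the helper still ships in the library. Keep a single line under Libraries such as "`Opscode::OpenSSL::Password#secure_password` is deprecated; use `random_password` from `OpenSSLCookbook::RandomPassword`" so the migration path is discoverable from the README and not only from the log message. The retained note that "node attributes are widely accessible" is good to keep next to the `random_password` example.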
......@@ -100,6 +87,7 @@ This resource generates self-signed, PEM-formatted x509 certificates. If no exis
Name | Type | Description
------------------ | ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
`path` | String (Optional) | Optional path to write the file to if you'd like to specify it here instead of in the resource name
`common_name` | String (Required) | Value for the `CN` certificate field.
`org` | String (Required) | Value for the `O` certificate field.
`org_unit` | String (Required) | Value for the `OU` certificate field.
......@@ -135,7 +123,8 @@ This resource generates dhparam.pem files. If a valid dhparam.pem file is found
#### Properties
Name | Type | Description
------------ | ---------------------------- | ---------------------------------------------------------------------------
------------ | ---------------------------- | ---------------------------------------------------------------------------------------------------
`path` | String (Optional) | Optional path to write the file to if you'd like to specify it here instead of in the resource name
`key_length` | Integer (Optional) | The desired Bit Length of the generated key. _Default: 2048_
`generator` | Integer (Optional) | The desired Diffie-Hellmann generator. Can be _2_ or _5_.
`owner` | String (optional) | The owner of all files created by the resource. _Default: "root"_
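Review bot: while this table is being touched, the `generator` row's "Diffie-Hellmann" should be "Diffie-Hellman", and the `owner` row uses "(optional)" where the other rows use "(Optional)". The widened separator row is fine, but the `path` description is longer than the column and wraps in rendered markdown; a shorter "Path to write the file to; overrides the resource name" would keep the table readable.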
......@@ -165,6 +154,7 @@ Note: This resource was renamed from openssl_rsa_key to openssl_rsa_private_key.
Name | Type | Description
------------ | ---------------------------- | -----------------------------------------------------------------------------------------------------------------------------------
`path` | String (Optional) | Optional path to write the file to if you'd like to specify it here instead of in the resource name
`key_length` | Integer (Optional) | The desired Bit Length of the generated key. _Default: 2048_
`cipher` | String (Optional) | The designed cipher to use when generating your key. Run `openssl list-cipher-algorithms` to see available options. _Default: des3_
`key_pass` | String (Optional) | The desired passphrase for the key.
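Review bot: the `cipher` row documents `_Default: des3_`, so a key generated with `key_pass` set is wrapped with triple DES by default; 3DES is a legacy algorithm with a 64-bit block size and should not be the default for newly generated private key encryption. Consider `aes-256-cbc` as the default (it is in the same `openssl list-cipher-algorithms` output the row points to) and call the change out in the changelog. Also "The designed cipher" in that row should read "The desired cipher".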
......@@ -185,16 +175,38 @@ end
When executed, this recipe will generate a passwordless RSA key file at `/etc/httpd/ssl/server.key`.
## License and Author
### openssl_rsa_public_key
This resource generates rsa public key files given a private key.
#### Properties
Name | Type | Description
------------------ | ---------------------------- | ---------------------------------------------------------------------------------------------------
`path` | String (Optional) | Optional path to write the file to if you'd like to specify it here instead of in the resource name
`private_key_path` | String | The path to the private key to generate the public key from
`private_key_pass` | String (Optional) | The passphrase of the provided private key
`owner` | String (optional) | The owner of all files created by the resource. _Default: "root"_
`group` | String (optional) | The group of all files created by the resource. _Default: "root or wheel depending on platform"_
`mode` | String or Integer (Optional) | The permission mode of all files created by the resource. _Default: "0640"_
#### Example Usage
```ruby
openssl_rsa_public_key '/etc/foo/something.pub' do
priv_key_path '/etc/foo/something.pem'
end
```
Author:: Jesse Nelson ([spheromak@gmail.com](mailto:spheromak@gmail.com))<br>
Author:: Seth Vargo ([sethvargo@gmail.com](mailto:sethvargo@gmail.com))<br>
Author:: Charles Johnson ([charles@chef.io](mailto:charles@chef.io))<br>
Author:: Joshua Timberman ([joshua@chef.io](mailto:joshua@chef.io))
## Maintainers
```text
Copyright:: 2009-2016, Chef Software, Inc <legal@chef.io>
This cookbook is maintained by Chef's Community Cookbook Engineering team. Our goal is to improve cookbook quality and to aid the community in contributing to cookbooks. To learn more about our team, process, and design goals see our [team documentation](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/COOKBOOK_TEAM.MD). To learn more about contributing to cookbooks like this see our [contributing documentation](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD), or if you have general questions about this cookbook come chat with us in #cookbok-engineering on the [Chef Community Slack](http://community-slack.chef.io/)
## License
**Copyright:** 2009-2017, Chef Software, Inc.
```
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
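Review bot: the `openssl_rsa_public_key` example sets `priv_key_path '/etc/foo/something.pem'`, but the property table above it defines the property as `private_key_path`; one of the two is wrong and the example as written will fail to compile with an undefined method if the resource only defines `private_key_path`. Fix the example to match the table, and mark `private_key_path` as `String (Required)` since the description says the public key is generated from it and every other row states whether it is optional. The `private_key_pass` row should also say that it is needed only when the private key was generated with `key_pass`, since that is the case described in the private key table above. Separately, the License section now has a stray ```text fence that opens before the Maintainers paragraph and closes after the Copyright line, so the Maintainers prose renders as a code block; close the fence right after the Copyright line or remove it.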
......
......@@ -25,6 +25,8 @@ module Opscode
# Generate secure passwords with OpenSSL
module Password
def secure_password(length = 20)
Chef::Log.warn('The Opscode::OpenSSL::Password helper "secure_password" has been deprecated. Use the random_password method in OpenSSLCookbook::RandomPassword instead.')
pw = ''
while pw.length < length
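Review bot: `Chef::Log.warn` here fires on every call to `secure_password`, so a recipe that generates several passwords in a loop will repeat the same line each time and bury other warnings. Since this is a deprecation rather than a runtime problem, emit it through Chef's deprecation logging (for example `Chef::Log.deprecation`, where the supported Chef versions provide it) or guard it so it is logged once per run, and keep the message's pointer to `OpenSSLCookbook::RandomPassword#random_password`, which is the useful part.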
......
......@@ -2,14 +2,13 @@ name 'openssl'
maintainer 'Chef Software, Inc.'
maintainer_email 'cookbooks@chef.io'
license 'Apache-2.0'
description 'Provides a library with a method for generating secure random passwords.'
description 'Resources and libraries for interacting with certificates, keys, passwords, and dhparam files.'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '7.1.0'
version '8.0.0'
recipe 'openssl', 'Empty, this cookbook provides a library, see README.md'
recipe 'upgrade', 'Upgrade OpenSSL library and restart dependent services'
recipe 'openssl::upgrade', 'Upgrade OpenSSL library and restart dependent services'
%w(ubuntu debian redhat centos suse opensuse opensuseleap scientific oracle amazon zlinux).each do |os|
%w(amazon centos debian fedora freebsd opensuse opensuseleap oracle redhat scientific solaris2 suse ubuntu zlinux).each do |os|
supports os
end
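Review bot: the README platforms list added in this PR includes macOS, but the new `supports` list here (`amazon centos debian fedora freebsd opensuse opensuseleap oracle redhat scientific solaris2 suse ubuntu zlinux`) has no `mac_os_x`, so Supermarket will show the cookbook as unsupported on a platform the README claims to test; either add it or drop macOS from the README. The default recipe description `'Empty, this cookbook provides a library, see README.md'` is also stale now that the cookbook's description says it provides resources; updating it alongside the renamed `openssl::upgrade` entry would keep `metadata.rb` consistent.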
......
......@@ -30,8 +30,10 @@ else
packages = []
end
packages.each do |ssl_pkg|
package ssl_pkg do
if packages.empty?
Chef::Log.warn("The openssl::upgrade recipe does not currently support #{node['platform']}. If you believe it could please open a PR at https://github.com/chef-cookbooks/openssl")
else
package packages do
action :upgrade
node['openssl']['restart_services'].each do |ssl_svc|
notifies :restart, "service[#{ssl_svc}]"
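Review bot: the `if packages.empty?` branch only calls `Chef::Log.warn` and then lets the run finish successfully, so on an unsupported platform a node that includes `openssl::upgrade` reports a clean converge while no OpenSSL upgrade happened, which hides unpatched hosts from anyone relying on run status. For a recipe whose purpose is applying security updates consider raising, or at least making the behaviour an attribute (`fail_on_unsupported`) with the warning as the opt-in softer mode; including `node['platform_family']` in the message alongside `node['platform']` would also make the resulting PR easier to write. The switch to `package packages` is a good change, since the `notifies :restart` now fires once per service instead of once per package.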
......