class Chef::Knife::Bootstrap

Attributes

connection[R]

Public Instance Methods

base_opts() click to toggle source

Common configuration for all protocols

# File lib/chef/knife/bootstrap.rb, line 926
def base_opts
  port = config_for_protocol(:port)
  user = config_for_protocol(:user)
  {}.tap do |opts|
    opts[:logger] = Chef::Log
    opts[:password] = config[:connection_password] if config.key?(:connection_password)
    opts[:user] = user if user
    opts[:max_wait_until_ready] = config[:max_wait].to_f unless config[:max_wait].nil?
    # TODO - when would we need to provide rdp_port vs port?  Or are they not mutually exclusive?
    opts[:port] = port if port
  end
end
bootstrap_command(remote_path) click to toggle source

build the command string for bootstrapping @return String

# File lib/chef/knife/bootstrap.rb, line 1111
def bootstrap_command(remote_path)
  if connection.windows?
    "cmd.exe /C #{remote_path}"
  else
    cmd = "sh #{remote_path}"

    if config[:su_user]
      # su - USER is subject to required an interactive console
      # Otherwise, it will raise: su: must be run from a terminal
      set_transport_options(pty: true)
      cmd = "su - #{config[:su_user]} -c '#{cmd}'"
      cmd = "sudo " << cmd if config[:use_sudo]
    end

    cmd
  end
end
bootstrap_context() click to toggle source

Establish bootstrap context for template rendering. Requires connection to be a live connection in order to determine the correct platform.

# File lib/chef/knife/bootstrap.rb, line 531
def bootstrap_context
  @bootstrap_context ||=
    if connection.windows?
      require_relative "core/windows_bootstrap_context"
      Knife::Core::WindowsBootstrapContext.new(config, config[:run_list], Chef::Config, secret)
    else
      require_relative "core/bootstrap_context"
      Knife::Core::BootstrapContext.new(config, config[:run_list], Chef::Config, secret)
    end
end
bootstrap_run_command(cmd) click to toggle source

Actual bootstrap command to be run on the node. Handles recursive calls if su USER failed to authenticate.

# File lib/chef/knife/bootstrap.rb, line 609
def bootstrap_run_command(cmd)
  r = connection.run_command(cmd) do |data, channel|
    ui.msg("#{ui.color(" [#{connection.hostname}]", :cyan)} #{data}")
    channel.send_data("#{config[:su_password] || config[:connection_password]}\n") if data.match?("Password:")
  end

  if r.exit_status != 0
    ui.error("The following error occurred on #{server_name}:")
    ui.error("#{r.stdout} #{r.stderr}".strip)
    exit(r.exit_status)
  end
rescue Train::UserError => e
  limit ||= 0
  if e.reason == :bad_su_user_password && limit < 3
    limit += 1
    ui.warn("Failed to authenticate su - #{config[:su_user]} to #{server_name}")
    config[:su_password] = ui.ask("Enter password for su - #{config[:su_user]}@#{server_name}:", echo: false)
    retry
  else
    raise
  end
end
bootstrap_template() click to toggle source

@return [String] The CLI specific bootstrap template or the default

# File lib/chef/knife/bootstrap.rb, line 487
def bootstrap_template
  # Allow passing a bootstrap template or use the default
  config[:bootstrap_template] || default_bootstrap_template
end
check_license() click to toggle source

Determine if we need to accept the Chef Infra license locally in order to successfully bootstrap the remote node. Remote 'chef-client' run will fail if it is >= 15 and the license is not accepted locally.

# File lib/chef/knife/bootstrap.rb, line 447
def check_license
  Chef::Log.debug("Checking if we need to accept Chef license to bootstrap node")
  version = config[:bootstrap_version] || Chef::VERSION.split(".").first
  acceptor = LicenseAcceptance::Acceptor.new(logger: Chef::Log, provided: Chef::Config[:chef_license])
  if acceptor.license_required?("chef", version)
    Chef::Log.debug("License acceptance required for chef version: #{version}")
    license_id = acceptor.id_from_mixlib("chef")
    acceptor.check_and_persist(license_id, version)
    Chef::Config[:chef_license] ||= acceptor.acceptance_value
  end
end
chef_vault_handler() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 438
def chef_vault_handler
  @chef_vault_handler ||= Chef::Knife::Bootstrap::ChefVaultHandler.new(
    config: config,
    ui: ui
  )
end
client_builder() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 430
def client_builder
  @client_builder ||= Chef::Knife::Bootstrap::ClientBuilder.new(
    chef_config: Chef::Config,
    config: config,
    ui: ui
  )
end
config_value(key, fallback_key = nil, default = nil) click to toggle source

This is for deprecating config options. The fallback_key can be used to pull an old knife config option out of the config file when the cli value has been renamed. This is different from the deprecated cli values, since these are for config options that have no corresponding cli value.

DO NOT USE - this whole API is considered deprecated

@api deprecated

# File lib/chef/knife/bootstrap.rb, line 1089
def config_value(key, fallback_key = nil, default = nil)
  Chef.deprecated(:knife_bootstrap_apis, "Use of config_value is deprecated.  Knife plugin authors should access the config hash directly, which does correct merging of cli and config options.")
  if config.key?(key)
    # the first key is the primary key so we check the merged hash first
    config[key]
  elsif config.key?(fallback_key)
    # we get the old config option here (the deprecated cli option shouldn't exist)
    config[fallback_key]
  else
    default
  end
end
connect!() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 632
      def connect!
        ui.info("Connecting to #{ui.color(server_name, :bold)} using #{connection_protocol}")
        opts ||= connection_opts.dup
        do_connect(opts)
      rescue Train::Error => e
        # We handle these by message text only because train only loads the
        # transports and protocols that it needs - so the exceptions may not be defined,
        # and we don't want to require files internal to train.
        if e.message =~ /fingerprint (\S+) is unknown for "(.+)"/ # Train::Transports::SSHFailed
          fingerprint = $1
          hostname, ip = $2.split(",")
          # TODO: convert the SHA256 base64 value to hex with colons
          # 'ssh' example output:
          # RSA key fingerprint is e5:cb:c0:e2:21:3b:12:52:f8:ce:cb:00:24:e2:0c:92.
          # ECDSA key fingerprint is 5d:67:61:08:a9:d7:01:fd:5e:ae:7e:09:40:ef:c0:3c.
          # will exit 3 on N
          ui.confirm <<~EOM
            The authenticity of host '#{hostname} (#{ip})' can't be established.
            fingerprint is #{fingerprint}.

            Are you sure you want to continue connecting
          EOM
          # FIXME: this should save the key to known_hosts but doesn't appear to be
          config[:ssh_verify_host_key] = :accept_new
          conn_opts = connection_opts(reset: true)
          opts.merge! conn_opts
          retry
        elsif (ssh? && e.cause && e.cause.class == Net::SSH::AuthenticationFailed) || (ssh? && e.class == Train::ClientError && e.reason == :no_ssh_password_or_key_available)
          if connection.password_auth?
            raise
          else
            ui.warn("Failed to authenticate #{opts[:user]} to #{server_name} - trying password auth")
            password = ui.ask("Enter password for #{opts[:user]}@#{server_name}:", echo: false)
          end

          opts.merge! force_ssh_password_opts(password)
          retry
        else
          raise
        end
      rescue RuntimeError => e
        if winrm? && e.message == "password is a required option"
          if connection.password_auth?
            raise
          else
            ui.warn("Failed to authenticate #{opts[:user]} to #{server_name} - trying password auth")
            password = ui.ask("Enter password for #{opts[:user]}@#{server_name}:", echo: false)
          end

          opts.merge! force_winrm_password_opts(password)
          retry
        else
          raise
        end
      end
connection_opts(reset: false) click to toggle source

@return a configuration hash suitable for connecting to the remote host via train

# File lib/chef/knife/bootstrap.rb, line 903
def connection_opts(reset: false)
  return @connection_opts unless @connection_opts.nil? || reset == true

  @connection_opts = {}
  @connection_opts.merge! base_opts
  @connection_opts.merge! host_verify_opts
  @connection_opts.merge! gateway_opts
  @connection_opts.merge! sudo_opts
  @connection_opts.merge! winrm_opts
  @connection_opts.merge! ssh_opts
  @connection_opts.merge! ssh_identity_opts
  @connection_opts
end
connection_protocol() click to toggle source

url values override CLI flags, if you provide both we'll use the one that you gave in the URL.

# File lib/chef/knife/bootstrap.rb, line 692
def connection_protocol
  return @connection_protocol if @connection_protocol

  from_url = host_descriptor =~ %r{^(.*)://} ? $1 : nil
  from_knife = config[:connection_protocol]
  @connection_protocol = from_url || from_knife || "ssh"
end
default_bootstrap_template() click to toggle source

The default bootstrap template to use to bootstrap a server. This is a public API hook which knife plugins use or inherit and override.

@return [String] Default bootstrap template

# File lib/chef/knife/bootstrap.rb, line 463
def default_bootstrap_template
  if connection.windows?
    "windows-chef-client-msi"
  else
    "chef-full"
  end
end
do_connect(conn_options) click to toggle source
# File lib/chef/knife/bootstrap.rb, line 700
def do_connect(conn_options)
  @connection = TrainConnector.new(host_descriptor, connection_protocol, conn_options)
  connection.connect!
rescue Train::UserError => e
  limit ||= 1
  if !conn_options.key?(:pty) && e.reason == :sudo_no_tty
    ui.warn("#{e.message} - trying with pty request")
    conn_options[:pty] = true # ensure we can talk to systems with requiretty set true in sshd config
    retry
  elsif e.reason == :sudo_missing_terminal
    ui.error "Sudo password is required for this operation. Please enter password using -P or --ssh-password option"
  elsif config[:use_sudo_password] && (e.reason == :sudo_password_required || e.reason == :bad_sudo_password) && limit < 3
    ui.warn("Failed to authenticate #{conn_options[:user]} to #{server_name} - #{e.message} \n sudo: #{limit} incorrect password attempt")
    sudo_password = ui.ask("Enter sudo password for #{conn_options[:user]}@#{server_name}:", echo: false)
    limit += 1
    conn_options[:sudo_password] = sudo_password

    retry
  else
    raise
  end
end
find_template() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 492
def find_template
  template = bootstrap_template

  # Use the template directly if it's a path to an actual file
  if File.exist?(template)
    Chef::Log.trace("Using the specified bootstrap template: #{File.dirname(template)}")
    return template
  end

  # Otherwise search the template directories until we find the right one
  bootstrap_files = []
  bootstrap_files << File.join(__dir__, "bootstrap/templates", "#{template}.erb")
  bootstrap_files << File.join(Knife.chef_config_dir, "bootstrap", "#{template}.erb") if Chef::Knife.chef_config_dir
  ChefConfig::PathHelper.home(".chef", "bootstrap", "#{template}.erb") { |p| bootstrap_files << p }
  bootstrap_files << Gem.find_files(File.join("chef", "knife", "bootstrap", "#{template}.erb"))
  bootstrap_files.flatten!

  template_file = Array(bootstrap_files).find do |bootstrap_template|
    Chef::Log.trace("Looking for bootstrap template in #{File.dirname(bootstrap_template)}")
    File.exist?(bootstrap_template)
  end

  unless template_file
    ui.info("Can not find bootstrap definition for #{template}")
    raise Errno::ENOENT
  end

  Chef::Log.trace("Found bootstrap template: #{template_file}")

  template_file
end
first_boot_attributes() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 542
def first_boot_attributes
  @config[:first_boot_attributes] || @config[:first_boot_attributes_from_file] || {}
end
force_ssh_password_opts(password) click to toggle source

Config overrides to force password auth.

# File lib/chef/knife/bootstrap.rb, line 1063
def force_ssh_password_opts(password)
  {
    password: password,
    non_interactive: false,
    keys_only: false,
    key_files: [],
    auth_methods: %i{password keyboard_interactive},
  }
end
force_winrm_password_opts(password) click to toggle source
# File lib/chef/knife/bootstrap.rb, line 1073
def force_winrm_password_opts(password)
  {
    password: password,
  }
end
gateway_opts() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 992
def gateway_opts
  opts = {}
  if config[:ssh_gateway]
    split = config[:ssh_gateway].split("@", 2)
    if split.length == 1
      gw_host = split[0]
    else
      gw_user = split[0]
      gw_host = split[1]
    end
    gw_host, gw_port = gw_host.split(":", 2)
    # TODO - validate convertible port in config validation?
    gw_port = Integer(gw_port) rescue nil
    opts[:bastion_host] = gw_host
    opts[:bastion_user] = gw_user
    opts[:bastion_port] = gw_port
  end
  opts
end
handle_ssh_error(e) click to toggle source
# File lib/chef/knife/bootstrap.rb, line 688
def handle_ssh_error(e); end
host_descriptor() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 471
def host_descriptor
  Array(@name_args).first
end
host_verify_opts() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 939
def host_verify_opts
  if winrm?
    { self_signed: config[:winrm_no_verify_cert] === true }
  elsif ssh?
    # Fall back to the old knife config key name for back compat.
    { verify_host_key: ssh_verify_host_key }
  else
    {}
  end
end
perform_bootstrap(remote_bootstrap_script_path) click to toggle source
# File lib/chef/knife/bootstrap.rb, line 601
def perform_bootstrap(remote_bootstrap_script_path)
  ui.info("Bootstrapping #{ui.color(server_name, :bold)}")
  cmd = bootstrap_command(remote_bootstrap_script_path)
  bootstrap_run_command(cmd)
end
plugin_create_instance!() click to toggle source

Create the server that we will bootstrap, if necessary

Plugins that subclass bootstrap, e.g. knife-ec2, can use this method to call out to an API to build an instance of the server we wish to bootstrap

@return [TrueClass] If instance successfully created, or exits

# File lib/chef/knife/bootstrap.rb, line 839
def plugin_create_instance!
  true
end
plugin_finalize() click to toggle source

Perform any teardown or cleanup necessary by the plugin

Plugins that subclass bootstrap, e.g. knife-ec2, can use this method to display a message or perform any cleanup

@return [void]

# File lib/chef/knife/bootstrap.rb, line 855
def plugin_finalize; end
plugin_setup!() click to toggle source

Perform any setup necessary by the plugin

Plugins that subclass bootstrap, e.g. knife-ec2, can use this method to create connection objects

@return [TrueClass] If instance successfully created, or exits

# File lib/chef/knife/bootstrap.rb, line 848
def plugin_setup!; end
plugin_validate_options!() click to toggle source

Validate any additional options

Plugins that subclass bootstrap, e.g. knife-ec2, can use this method to validate any additional options before any other actions are executed

@return [TrueClass] If options are valid or exits

# File lib/chef/knife/bootstrap.rb, line 830
def plugin_validate_options!
  true
end
register_client() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 580
def register_client
  # chef-vault integration must use the new client-side hawtness, otherwise to use the
  # new client-side hawtness, just delete your validation key.
  if chef_vault_handler.doing_chef_vault? ||
      (Chef::Config[:validation_key] &&
       !File.exist?(File.expand_path(Chef::Config[:validation_key])))

    unless config[:chef_node_name]
      ui.error("You must pass a node name with -N when bootstrapping with user credentials")
      exit 1
    end
    client_builder.run
    chef_vault_handler.run(client_builder.client)

    bootstrap_context.client_pem = client_builder.client_path
  else
    ui.warn "Performing legacy client registration with the validation key at #{Chef::Config[:validation_key]}..."
    ui.warn "Remove the key file or remove the 'validation_key' configuration option from your config.rb (knife.rb) to use more secure user credentials for client registration."
  end
end
render_template() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 546
def render_template
  @config[:first_boot_attributes] = first_boot_attributes
  template_file = find_template
  template = IO.read(template_file).chomp
  Erubis::Eruby.new(template).evaluate(bootstrap_context)
end
run() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 553
def run
  check_license if ChefUtils::Dist::Org::ENFORCE_LICENSE

  plugin_setup!
  validate_name_args!
  validate_protocol!
  validate_first_boot_attributes!
  validate_winrm_transport_opts!
  validate_policy_options!
  plugin_validate_options!

  winrm_warn_no_ssl_verification
  warn_on_short_session_timeout

  plugin_create_instance!
  $stdout.sync = true
  connect!
  register_client

  content = render_template
  bootstrap_path = upload_bootstrap(content)
  perform_bootstrap(bootstrap_path)
  plugin_finalize
ensure
  connection.del_file!(bootstrap_path) if connection && bootstrap_path
end
secret() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 524
def secret
  @secret ||= encryption_secret_provided_ignore_encrypt_flag? ? read_secret : nil
end
server_name() click to toggle source

The server_name is the DNS or IP we are going to connect to, it is not necessarily the node name, the fqdn, or the hostname of the server. This is a public API hook which knife plugins use or inherit and override.

@return [String] The DNS or IP that bootstrap will connect to

# File lib/chef/knife/bootstrap.rb, line 480
def server_name
  if host_descriptor
    @server_name ||= host_descriptor.split("@").reverse[0]
  end
end
ssh?() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 921
def ssh?
  connection_protocol == "ssh"
end
ssh_identity_opts() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 960
def ssh_identity_opts
  opts = {}
  return opts if winrm?

  identity_file = config[:ssh_identity_file]
  if identity_file
    opts[:key_files] = [identity_file]
    # We only set keys_only based on the explicit ssh_identity_file;
    # someone may use a gateway key and still expect password auth
    # on the target.  Similarly, someone may have a default key specified
    # in knife config, but have provided a password on the CLI.

    # REVIEW NOTE: this is a new behavior. Originally, ssh_identity_file
    # could only be populated from CLI options, so there was no need to check
    # for this. We will also set keys_only to false only if there are keys
    # and no password.
    # If both are present, train(via net/ssh)  will prefer keys, falling back to password.
    # Reference: https://github.com/chef/chef/blob/master/lib/chef/knife/ssh.rb#L272
    opts[:keys_only] = config.key?(:connection_password) == false
  else
    opts[:key_files] = []
    opts[:keys_only] = false
  end

  gateway_identity_file = config[:ssh_gateway] ? config[:ssh_gateway_identity] : nil
  unless gateway_identity_file.nil?
    opts[:key_files] << gateway_identity_file
  end

  opts
end
ssh_opts() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 950
def ssh_opts
  opts = {}
  return opts if winrm?

  opts[:non_interactive] = true # Prevent password prompts from underlying net/ssh
  opts[:forward_agent] = (config[:ssh_forward_agent] === true)
  opts[:connection_timeout] = session_timeout
  opts
end
ssh_verify_host_key() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 742
def ssh_verify_host_key
  config.key?(:ssh_verify_host_key) ? config[:ssh_verify_host_key] : config.key?(:host_key_verify) ? config[:host_key_verify] : "always" # rubocop:disable Style/NestedTernaryOperator
end
sudo_opts() click to toggle source

use_sudo - tells bootstrap to use the sudo command to run bootstrap use_sudo_password - tells bootstrap to use the sudo command to run bootstrap

and to use the password specified with --password

TODO: I'd like to make our sudo options sane: –sudo (bool) - use sudo –sudo-password PASSWORD (default: :password) - use this password for sudo –sudo-options “opt,opt,opt” to pass into sudo –sudo-command COMMAND sudo command other than sudo REVIEW NOTE: knife bootstrap did not pull sudo values from Chef::Config,

should we change that for consistency?
# File lib/chef/knife/bootstrap.rb, line 1022
def sudo_opts
  return {} if winrm?

  opts = { sudo: false }
  if config[:use_sudo]
    opts[:sudo] = true
    if config[:use_sudo_password]
      opts[:sudo_password] = config[:connection_password]
    end
    if config[:preserve_home]
      opts[:sudo_options] = "-H"
    end
  end
  opts
end
upload_bootstrap(content) click to toggle source
# File lib/chef/knife/bootstrap.rb, line 1102
def upload_bootstrap(content)
  script_name = connection.windows? ? "bootstrap.bat" : "bootstrap.sh"
  remote_path = connection.normalize_path(File.join(connection.temp_dir, script_name))
  connection.upload_file_content!(content, remote_path)
  remote_path
end
validate_first_boot_attributes!() click to toggle source

Fail if both first_boot_attributes and first_boot_attributes_from_file are set.

# File lib/chef/knife/bootstrap.rb, line 725
def validate_first_boot_attributes!
  if @config[:first_boot_attributes] && @config[:first_boot_attributes_from_file]
    raise Chef::Exceptions::BootstrapCommandInputError
  end

  true
end
validate_name_args!() click to toggle source

fail if the server_name is nil

# File lib/chef/knife/bootstrap.rb, line 771
def validate_name_args!
  if server_name.nil?
    ui.error("Must pass an FQDN or ip to bootstrap")
    exit 1
  end
end
validate_policy_options!() click to toggle source

Ensure options are valid by checking policyfile values.

The method call will cause the program to exit(1) if:

* Only one of --policy-name and --policy-group is specified
* Policyfile options are set and --run-list is set as well

@return [TrueClass] If options are valid.

# File lib/chef/knife/bootstrap.rb, line 785
def validate_policy_options!
  if incomplete_policyfile_options?
    ui.error("--policy-name and --policy-group must be specified together")
    exit 1
  elsif policyfile_and_run_list_given?
    ui.error("Policyfile options and --run-list are exclusive")
    exit 1
  end
end
validate_protocol!() click to toggle source

Ensure a valid protocol is provided for target host connection

The method call will cause the program to exit(1) if:

* Conflicting protocols are given via the target URI and the --protocol option
* The protocol is not a supported protocol

@return [TrueClass] If options are valid.

# File lib/chef/knife/bootstrap.rb, line 802
      def validate_protocol!
        from_cli = config[:connection_protocol]
        if from_cli && connection_protocol != from_cli
          # Hanging indent to align with the ERROR: prefix
          ui.error <<~EOM
            The URL '#{host_descriptor}' indicates protocol is '#{connection_protocol}'
            while the --protocol flag specifies '#{from_cli}'.  Please include
            only one or the other.
          EOM
          exit 1
        end

        unless SUPPORTED_CONNECTION_PROTOCOLS.include?(connection_protocol)
          ui.error <<~EOM
            Unsupported protocol '#{connection_protocol}'.

            Supported protocols are: #{SUPPORTED_CONNECTION_PROTOCOLS.join(" ")}
          EOM
          exit 1
        end
        true
      end
validate_winrm_transport_opts!() click to toggle source

Fail if using plaintext auth without ssl because this can expose keys in plaintext on the wire. TODO test for this method TODO check that the protocol is valid.

# File lib/chef/knife/bootstrap.rb, line 750
      def validate_winrm_transport_opts!
        return true unless winrm?

        if Chef::Config[:validation_key] && !File.exist?(File.expand_path(Chef::Config[:validation_key]))
          if winrm_auth_method == "plaintext" &&
              config[:winrm_ssl] != true
            ui.error <<~EOM
              Validatorless bootstrap over unsecure winrm channels could expose your
              key to network sniffing.
               Please use a 'winrm_auth_method' other than 'plaintext',
              or enable ssl on #{server_name} then use the ---winrm-ssl flag
              to connect.
            EOM

            exit 1
          end
        end
        true
      end
warn_on_short_session_timeout() click to toggle source

If session_timeout is too short, it is likely a holdover from “–winrm-session-timeout” which used minutes as its unit, instead of seconds. Warn the human so that they are not surprised.

# File lib/chef/knife/bootstrap.rb, line 862
      def warn_on_short_session_timeout
        if session_timeout && session_timeout <= 15
          ui.warn <<~EOM
            You provided '--session-timeout #{session_timeout}' second(s).
            Did you mean '--session-timeout #{session_timeout * 60}' seconds?
          EOM
        end
      end
winrm?() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 917
def winrm?
  connection_protocol == "winrm"
end
winrm_auth_method() click to toggle source

FIXME: someone needs to clean this up properly: github.com/chef/chef/issues/9645 This code is deliberately left without an abstraction around deprecating the config options to avoid knife plugins from using those methods (which will need to be deprecated and break them) via inheritance (ruby does not have a true `private` so the lack of any inheritable implementation is because of that).

# File lib/chef/knife/bootstrap.rb, line 738
def winrm_auth_method
  config.key?(:winrm_auth_method) ? config[:winrm_auth_method] : config.key?(:winrm_authentications_protocol) ? config[:winrm_authentication_protocol] : "negotiate" # rubocop:disable Style/NestedTernaryOperator
end
winrm_opts() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 1038
def winrm_opts
  return {} unless winrm?

  opts = {
    winrm_transport: winrm_auth_method, # winrm gem and train calls auth method 'transport'
    winrm_basic_auth_only: config[:winrm_basic_auth_only] || false,
    ssl: config[:winrm_ssl] === true,
    ssl_peer_fingerprint: config[:winrm_ssl_peer_fingerprint],
  }

  if winrm_auth_method == "kerberos"
    opts[:kerberos_service] = config[:kerberos_service] if config[:kerberos_service]
    opts[:kerberos_realm] = config[:kerberos_realm] if config[:kerberos_service]
  end

  if config[:ca_trust_file]
    opts[:ca_trust_path] = config[:ca_trust_file]
  end

  opts[:operation_timeout] = session_timeout

  opts
end
winrm_warn_no_ssl_verification() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 871
      def winrm_warn_no_ssl_verification
        return unless winrm?

        # REVIEWER NOTE
        # The original check from knife plugin did not include winrm_ssl_peer_fingerprint
        # Reference:
        # https://github.com/chef/knife-windows/blob/92d151298142be4a4750c5b54bb264f8d5b81b8a/lib/chef/knife/winrm_knife_base.rb#L271-L273
        # TODO Seems like we should also do a similar warning if ssh_verify_host == false
        if config[:ca_trust_file].nil? &&
            config[:winrm_no_verify_cert] &&
            config[:winrm_ssl_peer_fingerprint].nil?
          ui.warn <<~WARN
            * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
            SSL validation of HTTPS requests for the WinRM transport is disabled.
            HTTPS WinRM connections are still encrypted, but knife is not able
            to detect forged replies or spoofing attacks.

            To work around this issue you can use the flag `--winrm-no-verify-cert`
            or add an entry like this to your knife configuration file:

               # Verify all WinRM HTTPS connections
               knife[:winrm_no_verify_cert] = true

            You can also specify a ca_trust_file via --ca-trust-file,
            or the expected fingerprint of the target host's certificate
            via --winrm-ssl-peer-fingerprint.
          WARN
        end
      end

Private Instance Methods

config_for_protocol(option) click to toggle source

@api private

# File lib/chef/knife/bootstrap.rb, line 1141
def config_for_protocol(option)
  if option == :port
    config[:connection_port] || config[knife_key_for_protocol(option)]
  else
    config[:connection_user] || config[knife_key_for_protocol(option)]
  end
end
incomplete_policyfile_options?() click to toggle source

True if one of policy_name or policy_group was given, but not both

# File lib/chef/knife/bootstrap.rb, line 1168
def incomplete_policyfile_options?
  (!!config[:policy_name] ^ config[:policy_group])
end
knife_key_for_protocol(option) click to toggle source

@api private

# File lib/chef/knife/bootstrap.rb, line 1150
def knife_key_for_protocol(option)
  "#{connection_protocol}_#{option}".to_sym
end
policyfile_and_run_list_given?() click to toggle source

True if policy_name and run_list are both given

# File lib/chef/knife/bootstrap.rb, line 1155
def policyfile_and_run_list_given?
  run_list_given? && policyfile_options_given?
end
policyfile_options_given?() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 1163
def policyfile_options_given?
  !!config[:policy_name]
end
run_list_given?() click to toggle source
# File lib/chef/knife/bootstrap.rb, line 1159
def run_list_given?
  !config[:run_list].nil? && !config[:run_list].empty?
end
session_timeout() click to toggle source

session_timeout option has a default that may not arrive, particularly if we're being invoked from a plugin that doesn't merge_config.

# File lib/chef/knife/bootstrap.rb, line 1174
def session_timeout
  timeout = config[:session_timeout]
  return options[:session_timeout][:default] if timeout.nil?

  timeout.to_i
end
set_transport_options(opts) click to toggle source

Train::Transports::SSH::Connection#transport_options Append the options to connection transport_options

@param opts [Hash] the opts to be added to connection transport_options. @return [Hash] transport_options if the opts contains any option to be set.

# File lib/chef/knife/bootstrap.rb, line 1187
def set_transport_options(opts)
  return unless opts.is_a?(Hash) || !opts.empty?

  connection&.connection&.transport_options&.merge! opts
end