chef-config 18.10.17 → 19.1.164

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7f25d6c5f5a6ed06c65ffd04ce45e7c086fc4efa2ed7dbfb970e6941ab09bb4a
-  data.tar.gz: 8e3af92f55a0cd3d345dcf5137cca5cfc5ea2493c85efbe68510421aca98793b
+  metadata.gz: 309b22099435d14e4f8be71a98aff1005772ac64dbf60c440e5d33f4fce10d53
+  data.tar.gz: 8c46f82f7c17fdb2330ca0f2182f9e9476b3d7f96c18b13728d8749d1b86831a
 SHA512:
-  metadata.gz: 823eb67bb06058cf1bd535f20cb01917dcc2e16b0bc52a77895c4bb2c0fd38a21a25638f09921042e8287a7a56101409fba407fe2549c539b9c5679abd16377d
-  data.tar.gz: fba1c92cb4db7c997707d11871b744dd79b73d37d63640dd3b1c3fc1907e3e8f6f871b3e47a276a99b16522e225a5c5538002c47c5f23feae3a870f43ef5e6d5
+  metadata.gz: c822ebbe0118452e6240c8d1c0818f90a13701694fa3d93fd700d123ce8150130ab911d076409c76989928678c0d3e04326c367499fc3bbea6902239833d8521
+  data.tar.gz: 968e6d6a478e2ec8ef34fe3651fb9c7badc6c1b6a5bf59c832a916ee3d48a398104fe6f64c47f275d082c72c609158b3bfdda802f1ced9de4bc1c3de9f9ffab5

data/chef-config.gemspec

@@ -30,6 +30,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "fuzzyurl"
   spec.add_dependency "addressable"
   spec.add_dependency "tomlrb", "~> 1.2"
+  spec.add_dependency "racc"
 
   spec.files = %w{Rakefile LICENSE} + Dir.glob("*.gemspec") +
     Dir.glob("{lib,spec}/**/*", File::FNM_DOTMATCH).reject { |f| File.directory?(f) }

data/lib/chef-config/config.rb

@@ -4,7 +4,7 @@
 # Author:: AJ Christensen (<aj@chef.io>)
 # Author:: Mark Mzyk (<mmzyk@chef.io>)
 # Author:: Kyle Goodwin (<kgoodwin@primerevenue.com>)
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -421,7 +421,14 @@ module ChefConfig
     # If your `file_cache_path` resides on a NFS (or non-flock()-supporting
     # fs), it's recommended to set this to something like
     # '/tmp/chef-client-running.pid'
-    default(:lockfile) { PathHelper.join(file_cache_path, "#{ChefUtils::Dist::Infra::CLIENT}-running.pid") }
+    # In Target Mode, the node name will be used as a prefix to allow
+    # parallel execution of Chef against different targets
+    default(:lockfile) do
+      prefix = ""
+      prefix = "#{ChefConfig::Config.node_name}-" if ChefConfig::Config.target_mode?
+
+      PathHelper.join(file_cache_path, "#{prefix}#{ChefUtils::Dist::Infra::CLIENT}-running.pid")
+    end
 
     ## Daemonization Settings ##
     # What user should Chef run as?
@@ -917,7 +924,11 @@ module ChefConfig
     default :profile, nil
 
     default :chef_guid_path do
-      PathHelper.join(config_dir, "#{ChefUtils::Dist::Infra::SHORT}_guid")
+      if target_mode?
+        PathHelper.join(config_dir, target_mode.host, "#{ChefUtils::Dist::Infra::SHORT}_guid")
+      else
+        PathHelper.join(config_dir, "#{ChefUtils::Dist::Infra::SHORT}_guid")
+      end
     end
 
     default :chef_guid, nil

data/lib/chef-config/exceptions.rb

@@ -1,5 +1,5 @@
 #
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -23,5 +23,8 @@ module ChefConfig
   class ConfigurationError < ArgumentError; end
   class InvalidPath < StandardError; end
   class UnparsableConfigOption < StandardError; end
+  class NoCredentialsFound < StandardError; end
 
+  class UnsupportedSecretsProvider < ConfigurationError; end
+  class UnresolvedSecret < ConfigurationError; end
 end

data/lib/chef-config/fips.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Matt Wrock (<matt@mattwrock.com>)
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

data/lib/chef-config/logger.rb

@@ -1,5 +1,5 @@
 #
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

data/lib/chef-config/mixin/credentials.rb

@@ -1,5 +1,5 @@
 #
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -26,6 +26,8 @@ module ChefConfig
     # @since 13.7
     # @api internal
     module Credentials
+      attr_reader :credentials_config
+
       # Compute the active credentials profile name.
       #
       # The lookup order is argument (from --profile), environment variable
@@ -54,6 +56,11 @@ module ChefConfig
       # @since 14.4
       # @return [String]
       def credentials_file_path
+        return Chef::Config[:credentials] if defined?(Chef::Config) && Chef::Config.key?(:credentials)
+
+        env_file = ENV["CHEF_CREDENTIALS_FILE"]
+        return env_file if env_file && File.file?(env_file)
+
         PathHelper.home(ChefUtils::Dist::Infra::USER_CONF_DIR, "credentials").freeze
       end
 
@@ -68,7 +75,7 @@ module ChefConfig
         return nil unless File.file?(credentials_file)
 
         begin
-          Tomlrb.load_file(credentials_file)
+          @credentials_config = Tomlrb.load_file(credentials_file)
         rescue => e
           # TOML's error messages are mostly rubbish, so we'll just give a generic one
           message = "Unable to parse Credentials file: #{credentials_file}\n"
@@ -85,17 +92,129 @@ module ChefConfig
       # @return [void]
       def load_credentials(profile = nil)
         profile = credentials_profile(profile)
-        cred_config = parse_credentials_file
-        return if cred_config.nil? # No credentials, nothing to do here.
 
-        if cred_config[profile].nil?
+        parse_credentials_file
+        return if credentials_config.nil? # No credentials, nothing to do here.
+
+        if credentials_config[profile].nil?
           # Unknown profile name. For "default" just silently ignore, otherwise
           # raise an error.
           return if profile == "default"
 
           raise ChefConfig::ConfigurationError, "Profile #{profile} doesn't exist. Please add it to #{credentials_file_path}."
         end
-        apply_credentials(cred_config[profile], profile)
+
+        resolve_secrets(profile)
+
+        apply_credentials(credentials_config[profile], profile)
+      end
+
+      GLOBAL_CONFIG_HASHES = %w{ default_secrets_provider }.freeze
+
+      # Extract global (non-profile) settings from credentials file.
+      #
+      # @since 19.1
+      # @return [Hash]
+      def global_options
+        globals = credentials_config.filter { |_, v| v.is_a? String }
+        globals.merge! credentials_config.filter { |k, _| GLOBAL_CONFIG_HASHES.include? k }
+      end
+
+      SUPPORTED_SECRETS_PROVIDERS = %w{ hashicorp-vault }.freeze
+
+      # Resolve all secrets in a credentials file
+      #
+      # @since 19.1
+      # @param profile [String] Profile to resolve secrets in.
+      # @return [Hash]
+      def resolve_secrets(profile)
+        return unless credentials_config
+        raise NoCredentialsFound.new("No credentials found for profile '#{profile}'") unless credentials_config[profile]
+
+        secrets = credentials_config[profile].filter { |k, v| v.is_a?(Hash) && v.keys.include?("secret") }
+        return if secrets.empty?
+
+        secrets.each do |option, secrets_config|
+          unless valid_secrets_provider?(secrets_config)
+            raise UnsupportedSecretsProvider.new("Unsupported credentials secrets provider on '#{option}' for profile '#{profile}'")
+          end
+
+          secrets_config.merge!(default_secrets_provider)
+
+          logger.debug("Resolving credentials secret '#{option}' for profile '#{profile}'")
+          begin
+            resolved_value = resolve_secret(secrets_config)
+          ensure
+            raise UnresolvedSecret.new("Could not resolve secret '#{option}' for profile '#{profile}'") if resolved_value.nil?
+          end
+
+          credentials_config[profile][option] = resolved_value
+        end
+      end
+
+      # Check, if referenced secrets provider is supported.
+      #
+      # @since 19.1
+      # @param secrets_config [Hash] Parsed contents of a secret in a profile.
+      # @return [true, false]
+      def valid_secrets_provider?(secrets_config)
+        provider_config = secrets_config["secrets_provider"] || default_secrets_provider
+        provider = provider_config["name"]
+
+        provider && SUPPORTED_SECRETS_PROVIDERS.include?(provider)
+      end
+
+      def default_secrets_provider
+        global_options["default_secrets_provider"]
+      end
+
+      # Resolve a specific secret.
+      #
+      # To be replaced later by a Train-like framework to support multiple backends.
+      #
+      # @since 19.1
+      # @param secrets_config [Hash] Parsed contents of a secret in a profile.
+      # @return [String]
+      def resolve_secret(secrets_config)
+        resolve_secret_hashicorp(secrets_config)
+      end
+
+      # Resolver logic for Hashicorp Vault.
+      #
+      # Local lazy loading of Gems which are not part of chef-config or chef-utils,
+      # but chef itself to be switched by a unified secrets mechanism for credentials
+      # and Chef DSL later. Showstopper mitigation for 19 GA.
+      #
+      # @since 19.1
+      # @param secrets_config [Hash] Parsed contents of a secret in a profile.
+      # @return [String]
+      def resolve_secret_hashicorp(secrets_config)
+        vault_config = secrets_config.transform_keys(&:to_sym)
+        vault_config[:address] = vault_config[:endpoint]
+
+        # Lazy require due to Gem being part of Chef and rarely used functionality
+        require "vault" unless defined? Vault
+        @vault ||= Vault::Client.new(vault_config)
+
+        secret = secrets_config["secret"]
+        engine = vault_config[:engine] || "secret"
+        engine_type = vault_config[:engine_type] || "kv2"
+        secret_value = case engine_type
+                       when "kv", "kv1"
+                         @vault.logical.read("#{engine_type}/#{secret}")
+                       when "kv2"
+                         @vault.kv(engine).read(secret)&.data
+                       else
+                         raise UnsupportedSecretsProvider.new("No support for secrets engine #{engine_type}")
+                       end
+
+        # Always JSON for Hashicorp Vault, but this is future compatible to other providers
+        if secret_value.is_a?(Hash)
+          require "jmespath" unless defined? ::JMESPath
+          ::JMESPath.search(secrets_config["field"], secret_value)
+        else
+          secret_value
+        end
       end
     end
   end

data/lib/chef-config/mixin/dot_d.rb

@@ -1,5 +1,5 @@
 #
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

data/lib/chef-config/mixin/fuzzy_hostname_matcher.rb

@@ -1,5 +1,5 @@
 #
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

data/lib/chef-config/mixin/train_transport.rb

@@ -1,5 +1,5 @@
 # Author:: Bryan McLellan <btm@loftninjas.org>
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -36,15 +36,17 @@ module ChefConfig
       #
       def load_credentials(profile)
         # Tomlrb.load_file returns a hash with keys as strings
-        credentials = parse_credentials_file
-        if contains_split_fqdn?(credentials, profile)
+        credentials_config = parse_credentials_file
+        if contains_split_fqdn?(credentials_config, profile)
           logger.warn("Credentials file #{credentials_file_path} contains target '#{profile}' as a Hash, expected a string.")
           logger.warn("Hostnames must be surrounded by single quotes, e.g. ['host.example.org']")
         end
 
+        resolve_secrets(profile)
+
         # host names must be specified in credentials file as ['foo.example.org'] with quotes
-        if !credentials.nil? && !credentials[profile].nil?
-          credentials[profile].transform_keys(&:to_sym) # return symbolized keys to match Train.options()
+        if !credentials_config.nil? && !credentials_config[profile].nil?
+          credentials_config[profile].transform_keys(&:to_sym) # return symbolized keys to match Train.options()
         else
           nil
         end
@@ -59,6 +61,8 @@ module ChefConfig
       # This will be a common mistake so we should catch it
       #
       def contains_split_fqdn?(hash, fqdn)
+        return unless fqdn.include?(".")
+
         fqdn.split(".").reduce(hash) do |h, k|
           v = h[k]
           if Hash === v
@@ -74,21 +78,25 @@ module ChefConfig
       #
       # Credentials file preference:
       #
-      # 1) target_mode.credentials_file
-      # 2) /etc/chef/TARGET_MODE_HOST/credentials
-      # 3) #credentials_file_path from parent ($HOME/.chef/credentials)
+      # 1) environment variable CHEF_CREDENTIALS_FILE
+      # 2) target_mode.credentials_file
+      # 3) /etc/chef/TARGET_MODE_HOST/credentials
+      # 4) user configuration ($HOME/.chef/target_credentials)
       #
       def credentials_file_path
         tm_config = config.target_mode
         profile = tm_config.host
 
+        env_file = ENV["CHEF_CREDENTIALS_FILE"]
         credentials_file =
-          if tm_config.credentials_file && File.exist?(tm_config.credentials_file)
+          if env_file && File.exist?(env_file)
+            env_file
+          elsif tm_config.credentials_file && File.exist?(tm_config.credentials_file)
             tm_config.credentials_file
           elsif File.exist?(config.platform_specific_path("#{ChefConfig::Config.etc_chef_dir}/#{profile}/credentials"))
             config.platform_specific_path("#{ChefConfig::Config.etc_chef_dir}/#{profile}/credentials")
           else
-            super
+            PathHelper.home(ChefUtils::Dist::Infra::USER_CONF_DIR, "target_credentials").freeze
           end
 
         raise ArgumentError, "No credentials file found for target '#{profile}'" unless credentials_file
@@ -112,7 +120,7 @@ module ChefConfig
         # Load the credentials file, and place any valid settings into the train configuration
         credentials = load_credentials(tm_config.host)
 
-        protocol = credentials[:transport_protocol] || tm_config.protocol
+        protocol = credentials&.dig(:transport_protocol) || tm_config.protocol
         train_config = tm_config.to_hash.select { |k| Train.options(protocol).key?(k) }
         logger.trace("Using target mode options from #{ChefUtils::Dist::Infra::PRODUCT} config file: #{train_config.keys.join(", ")}") if train_config
 

data/lib/chef-config/path_helper.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Bryan McLellan <btm@loftninjas.org>
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -57,8 +57,8 @@ module ChefConfig
 
     def self.join(*args, windows: ChefUtils.windows?)
       path_separator_regex = Regexp.escape(windows ? "#{File::SEPARATOR}#{BACKSLASH}" : File::SEPARATOR)
-      trailing_slashes_regex = /[#{path_separator_regex}]+$/.freeze
-      leading_slashes_regex = /^[#{path_separator_regex}]+/.freeze
+      trailing_slashes_regex = /[#{path_separator_regex}]+$/
+      leading_slashes_regex = /^[#{path_separator_regex}]+/
       separator = path_separator(windows: windows)
 
       args.flatten!
@@ -152,11 +152,12 @@ module ChefConfig
       path = Pathname.new(path).cleanpath.to_s
       if windows
         # ensure all forward slashes are backslashes
-        path.gsub(File::SEPARATOR, path_separator(windows: windows))
+        path.gsub!(File::SEPARATOR, path_separator(windows: windows))
       else
         # ensure all backslashes are forward slashes
-        path.gsub(BACKSLASH, File::SEPARATOR)
+        path.gsub!(BACKSLASH, File::SEPARATOR)
       end
+      path
     end
 
     # This is not just escaping for something like use in Regexps, or in globs.  For the former

data/lib/chef-config/version.rb

@@ -1,4 +1,4 @@
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,5 +15,5 @@
 
 module ChefConfig
   CHEFCONFIG_ROOT = File.expand_path("..", __dir__)
-  VERSION = "18.10.17".freeze
+  VERSION = "19.1.164".freeze
 end

data/lib/chef-config/windows.rb

@@ -1,5 +1,5 @@
 #
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

data/lib/chef-config/workstation_config_loader.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Daniel DeLeo (<dan@chef.io>)
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

data/lib/chef-config.rb

@@ -1,5 +1,5 @@
 #
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

data/spec/unit/config_spec.rb

@@ -1,7 +1,7 @@
 #
 # Author:: Adam Jacob (<adam@chef.io>)
 # Author:: Kyle Goodwin (<kgoodwin@primerevenue.com>)
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -22,6 +22,8 @@ require "chef-config/config"
 require "date" unless defined?(Date)
 
 RSpec.describe ChefConfig::Config do
+  let(:target_mode_host) { "fluffy.kittens.org".freeze }
+
   before(:each) do
     ChefConfig::Config.reset
 
@@ -379,8 +381,6 @@ RSpec.describe ChefConfig::Config do
           end
 
           context "when target mode is enabled" do
-            let(:target_mode_host) { "fluffy.kittens.org" }
-
             before do
               ChefConfig::Config.target_mode.enabled = true
               ChefConfig::Config.target_mode.host = target_mode_host
@@ -400,6 +400,25 @@ RSpec.describe ChefConfig::Config do
           end
         end
 
+        describe "ChefConfig::Config[:chef_guid_path]" do
+          it "sets the default path to the chef guid" do
+            expected_path = ChefConfig::PathHelper.join(ChefConfig::Config.config_dir, "chef_guid")
+            expect(ChefConfig::Config.chef_guid_path).to eq(expected_path)
+          end
+
+          context "when target mode is enabled" do
+            before do
+              ChefConfig::Config.target_mode.enabled = true
+              ChefConfig::Config.target_mode.host = target_mode_host
+            end
+
+            it "sets the default path to the chef guid with the target host name" do
+              expected_path = ChefConfig::PathHelper.join(ChefConfig::Config.config_dir, target_mode_host, "chef_guid")
+              expect(ChefConfig::Config.chef_guid_path).to eq(expected_path)
+            end
+          end
+        end
+
         describe "ChefConfig::Config[:fips]" do
           let(:fips_enabled) { false }
 
@@ -495,7 +514,6 @@ RSpec.describe ChefConfig::Config do
         end
 
         describe "ChefConfig::Config[:cache_path]" do
-          let(:target_mode_host) { "fluffy.kittens.org" }
           let(:target_mode_primary_cache_path) { ChefUtils.windows? ? "#{primary_cache_path}\\#{target_mode_host}" : "#{primary_cache_path}/#{target_mode_host}" }
           let(:target_mode_secondary_cache_path) { ChefUtils.windows? ? "#{secondary_cache_path}\\#{target_mode_host}" : "#{secondary_cache_path}/#{target_mode_host}" }
 

data/spec/unit/credentials_spec.rb

@@ -0,0 +1,181 @@
+#
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+require "chef-config/config"
+require "chef-config/mixin/credentials"
+
+module Vault
+  class Client; end
+end
+
+RSpec.describe ChefConfig::Mixin::Credentials do
+
+  let(:test_class) { Class.new { include ChefConfig::Mixin::Credentials } }
+  subject(:test_obj) { test_class.new }
+
+  describe "#credentials_profile" do
+    context "when an explicit profile is given" do
+      it "passes it through" do
+        expect(test_obj.credentials_profile("webserver")).to eq("webserver")
+      end
+    end
+
+    context "when an environment variable is set" do
+      before(:all) do
+        @original_env = ENV.to_hash
+      end
+
+      after(:all) do
+        ENV.clear
+        ENV.update(@original_env)
+      end
+
+      before(:each) do
+        ENV["CHEF_PROFILE"] = "acme-server"
+      end
+
+      it "picks the profile correctly" do
+        expect(test_obj.credentials_profile).to eq("acme-server")
+      end
+    end
+
+    context "when no profile is given" do
+      it "picks the default one" do
+        expect(test_obj.credentials_profile).to eq("default")
+      end
+    end
+  end
+
+  describe "#resolve_secrets" do
+    context "when no credentials were loaded" do
+      it "returns" do
+        allow(test_obj).to receive(:credentials_config).and_return(nil)
+        expect(test_obj.resolve_secrets("dummy")).to eq(nil)
+      end
+    end
+
+    context "when credentials do not contain specified profile" do
+      it "raises an error" do
+        allow(test_obj).to receive(:credentials_config).and_return({ "webserver" => {} })
+        expect { test_obj.resolve_secrets("dummy") }.to raise_error(ChefConfig::NoCredentialsFound, /No credentials found for profile/)
+      end
+    end
+
+    context "when no secrets were referenced in profile" do
+      it "returns" do
+        allow(test_obj).to receive(:credentials_config).and_return({ "webserver2" => {} })
+        expect(test_obj.resolve_secrets("webserver2")).to eq(nil)
+      end
+    end
+  end
+
+  describe "#valid_secrets_provider?" do
+    context "when global, valid configuration was provided" do
+      let(:global_options) { { "default_secrets_provider" => { "name" => "hashicorp-vault", "endpoint" => "https://198.51.100.5:8200", "token" => "hvs.1234567890" } } }
+      let(:secrets_config) { { "secret" => "/chef/sudo_password", "field" => "password" } }
+
+      it "returns true" do
+        allow(test_obj).to receive(:global_options).and_return(global_options)
+        expect(test_obj.valid_secrets_provider?(secrets_config)).to be(true)
+      end
+    end
+
+    context "when global, invalid configuration was provided" do
+      let(:global_options) { { "default_secrets_provider" => { "name" => "hashicorp-consul" } } }
+      let(:secrets_config) { { "secret" => "/chef/sudo_password", "field" => "password" } }
+
+      it "returns false" do
+        allow(test_obj).to receive(:global_options).and_return(global_options)
+        expect(test_obj.valid_secrets_provider?(secrets_config)).to be(false)
+      end
+    end
+
+    context "when global, invalid configuration is overridden with a correct value" do
+      let(:global_options) { { "default_secrets_provider" => { "name" => "hashicorp-consul" } } }
+      let(:secrets_config) { { "secrets_provider" => { "name" => "hashicorp-vault" }, "secret" => "/chef/sudo_password", "field" => "password" } }
+
+      it "returns false" do
+        allow(test_obj).to receive(:global_options).and_return(global_options)
+        expect(test_obj.valid_secrets_provider?(secrets_config)).to be(true)
+      end
+    end
+  end
+
+  describe "#resolve_secret" do
+    before do
+      allow(test_obj).to receive(:global_options).and_return(global_options)
+
+      # Simulate "vault" gem
+      allow(test_obj).to receive(:require).with("vault")
+      vault_double = double("Vault::Client")
+      allow(vault_double).to receive_message_chain("logical.read") { secrets_result }
+      allow(vault_double).to receive_message_chain("kv.read.data") { secrets_result }
+      test_obj.instance_variable_set(:@vault, vault_double)
+
+      # Simulate "jmespath" gem
+      allow(test_obj).to receive(:require).with("jmespath")
+      jmespath_double = double("JMESPath")
+      allow(jmespath_double).to receive_message_chain("search") { search_for = secrets_config["field"]; secrets_result[search_for] }
+      stub_const("::JMESPath", jmespath_double)
+    end
+
+    context "without default secrets provider being set" do
+      let(:global_options) {}
+
+      context "for a secret of type string" do
+        let(:secrets_result) { "secret" }
+        let(:secrets_config) { { "secrets_provider" => { "name" => "hashicorp-vault" }, "secret" => "/chef/sudo_password" } }
+
+        it "returns the complete value" do
+          expect(test_obj.resolve_secret(secrets_config)).to eq("secret")
+        end
+      end
+
+      context "for a secret of type hash" do
+        let(:secrets_result) { { "password" => "secret" } }
+        let(:secrets_config) { { "secrets_provider" => { "name" => "hashicorp-vault", "endpoint" => "https://198.51.100.5:8200", "token" => "hvs.1234567890" }, "secret" => "/chef/sudo_password", "field" => "password" } }
+
+        it "returns the correct subkey" do
+          expect(test_obj.resolve_secret(secrets_config)).to eq("secret")
+        end
+      end
+    end
+
+    context "with default secrets provider being set" do
+      let(:global_options) { { "default_secrets_provider" => { "name" => "hashicorp-vault", "endpoint" => "https://198.51.100.5:8200", "token" => "hvs.1234567890" } } }
+
+      context "for a secret of type string" do
+        let(:secrets_result) { "secret" }
+        let(:secrets_config) { { "secret" => "/chef/sudo_password" } }
+
+        it "returns the complete value" do
+          expect(test_obj.resolve_secret(secrets_config)).to eq("secret")
+        end
+      end
+
+      context "for a secret of type hash" do
+        let(:secrets_result) { { "password" => "secret" } }
+        let(:secrets_config) { { "secret" => "/chef/sudo_password", "field" => "password" } }
+
+        it "returns the correct subkey" do
+          expect(test_obj.resolve_secret(secrets_config)).to eq("secret")
+        end
+      end
+    end
+  end
+end

data/spec/unit/fips_spec.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Matt Wrock (<matt@mattwrock.com>)
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

data/spec/unit/path_helper_spec.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Bryan McLellan <btm@loftninjas.org>
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

data/spec/unit/workstation_config_loader_spec.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Daniel DeLeo (<dan@chef.io>)
-# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: Copyright (c) 2009-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: chef-config
 version: !ruby/object:Gem::Version
-  version: 18.10.17
+  version: 19.1.164
 platform: ruby
 authors:
 - Adam Jacob
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2026-02-25 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-utils
@@ -16,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 18.10.17
+        version: 19.1.164
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 18.10.17
+        version: 19.1.164
 - !ruby/object:Gem::Dependency
   name: mixlib-shellout
   requirement: !ruby/object:Gem::Requirement
@@ -106,7 +105,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
-description: 
+- !ruby/object:Gem::Dependency
+  name: racc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 email:
 - adam@chef.io
 executables: []
@@ -131,6 +143,7 @@ files:
 - lib/chef-config/workstation_config_loader.rb
 - spec/spec_helper.rb
 - spec/unit/config_spec.rb
+- spec/unit/credentials_spec.rb
 - spec/unit/fips_spec.rb
 - spec/unit/path_helper_spec.rb
 - spec/unit/workstation_config_loader_spec.rb
@@ -143,7 +156,6 @@ metadata:
   documentation_uri: https://github.com/chef/chef/tree/main/chef-config/README.md
   homepage_uri: https://github.com/chef/chef/tree/main/chef-config
   source_code_uri: https://github.com/chef/chef/tree/main/chef-config
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -158,8 +170,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.27
-signing_key: 
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Chef Infra's default configuration and config loading library
 test_files: []