chef 11.12.0.alpha.1 → 11.12.0.rc.1

data/lib/chef/knife/ssl_fetch.rb

@@ -0,0 +1,145 @@
+#
+# Author:: Daniel DeLeo (<dan@getchef.com>)
+# Copyright:: Copyright (c) 2014 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/knife/ssl_fetch'
+require 'chef/config'
+
+class Chef
+  class Knife
+    class SslFetch < Chef::Knife
+
+      deps do
+        require 'pp'
+        require 'socket'
+        require 'uri'
+        require 'openssl'
+      end
+
+      banner "knife ssl fetch [URL] (options)"
+
+      def initialize(*args)
+        super
+        @uri = nil
+      end
+
+      def uri
+        @uri ||= begin
+          Chef::Log.debug("Checking SSL cert on #{given_uri}")
+          URI.parse(given_uri)
+        end
+      end
+
+      def given_uri
+        (name_args[0] or Chef::Config.chef_server_url)
+      end
+
+      def host
+        uri.host
+      end
+
+      def port
+        uri.port
+      end
+
+      def validate_uri
+        unless host && port
+          invalid_uri!
+        end
+      rescue URI::Error
+        invalid_uri!
+      end
+
+      def invalid_uri!
+        ui.error("Given URI: `#{given_uri}' is invalid")
+        show_usage
+        exit 1
+      end
+
+      def remote_cert_chain
+        tcp_connection = TCPSocket.new(host, port)
+        shady_ssl_connection = OpenSSL::SSL::SSLSocket.new(tcp_connection, noverify_peer_ssl_context)
+        shady_ssl_connection.connect
+        shady_ssl_connection.peer_cert_chain
+      end
+
+      def noverify_peer_ssl_context
+        @noverify_peer_ssl_context ||= begin
+          noverify_peer_context = OpenSSL::SSL::SSLContext.new
+          noverify_peer_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          noverify_peer_context
+        end
+      end
+
+
+      def cn_of(certificate)
+        subject = certificate.subject
+        cn_field_tuple = subject.to_a.find {|field| field[0] == "CN" }
+        cn_field_tuple[1]
+      end
+
+      # Convert the CN of a certificate into something that will work well as a
+      # filename. To do so, all `*` characters are converted to the string
+      # "wildcard" and then all characters other than alphanumeric and hypen
+      # characters are converted to underscores.
+      # NOTE: There is some confustion about what the CN will contain when
+      # using internationalized domain names. RFC 6125 mandates that the ascii
+      # representation be used, but it is not clear whether this is followed in
+      # practice.
+      # https://tools.ietf.org/html/rfc6125#section-6.4.2
+      def normalize_cn(cn)
+        cn.gsub("*", "wildcard").gsub(/[^[:alnum:]\-]/, '_')
+      end
+
+      def configuration
+        Chef::Config
+      end
+
+      def trusted_certs_dir
+        configuration.trusted_certs_dir
+      end
+
+      def write_cert(cert)
+        FileUtils.mkdir_p(trusted_certs_dir)
+        cn = cn_of(cert)
+        filename = File.join(trusted_certs_dir, "#{normalize_cn(cn)}.crt")
+        ui.msg("Adding certificate for #{cn} in #{filename}")
+        File.open(filename, File::CREAT|File::TRUNC|File::RDWR, 0644) do |f|
+          f.print(cert.to_s)
+        end
+      end
+
+      def run
+        validate_uri
+        ui.warn(<<-TRUST_TRUST)
+Certificates from #{host} will be fetched and placed in your trusted_cert
+directory (#{trusted_certs_dir}).
+
+Knife has no means to verify these are the correct certificates. You should
+verify the authenticity of these certificates after downloading.
+
+TRUST_TRUST
+        remote_cert_chain.each do |cert|
+          write_cert(cert)
+        end
+      end
+
+
+    end
+  end
+end
+

data/lib/chef/mixin/deep_merge.rb

@@ -111,7 +111,13 @@ class Chef
       end # deep_merge!
 
       def hash_only_merge(merge_onto, merge_with)
-        hash_only_merge!(merge_onto.dup, merge_with.dup)
+        hash_only_merge!(safe_dup(merge_onto), safe_dup(merge_with))
+      end
+
+      def safe_dup(thing)
+        thing.dup
+      rescue TypeError
+        thing
       end
 
       # Deep merge without Array merge.
@@ -122,7 +128,11 @@ class Chef
         # If there are two Hashes, recursively merge.
         if merge_onto.kind_of?(Hash) && merge_with.kind_of?(Hash)
           merge_with.each do |key, merge_with_value|
-            merge_onto[key] = hash_only_merge!(merge_onto[key], merge_with_value)
+            merge_onto[key] = if merge_onto.has_key?(key)
+                                hash_only_merge(merge_onto[key], merge_with_value)
+                              else
+                                merge_with_value
+                              end
           end
           merge_onto
 
@@ -158,11 +168,9 @@ class Chef
       end
 
       def deep_merge(source, dest)
-        deep_merge!(source.dup, dest.dup)
+        deep_merge!(safe_dup(source), safe_dup(dest))
       end
 
     end
   end
 end
-
-

data/lib/chef/mixin/shell_out.rb

@@ -33,9 +33,7 @@ class Chef
 
       def shell_out(*command_args)
         cmd = Mixlib::ShellOut.new(*run_command_compatible_options(command_args))
-        if STDOUT.tty? && !Chef::Config[:daemon] && Chef::Log.debug?
-          cmd.live_stream = STDOUT
-        end
+        cmd.live_stream = io_for_live_stream
         cmd.run_command
         cmd
       end
@@ -73,6 +71,14 @@ class Chef
       def deprecate_option(old_option, new_option)
         Chef::Log.logger.warn "DEPRECATION: Chef::Mixin::ShellOut option :#{old_option} is deprecated. Use :#{new_option}"
       end
+
+      def io_for_live_stream
+        if STDOUT.tty? && !Chef::Config[:daemon] && Chef::Log.debug?
+          STDOUT
+        else
+          nil
+        end
+      end
     end
   end
 end

data/lib/chef/node.rb

@@ -42,7 +42,7 @@ class Chef
 
     def_delegators :attributes, :keys, :each_key, :each_value, :key?, :has_key?
 
-    attr_accessor :recipe_list, :run_state, :run_list
+    attr_accessor :recipe_list, :run_state, :override_runlist
 
     # RunContext will set itself as run_context via this setter when
     # initialized. This is needed so DSL::IncludeAttribute (in particular,
@@ -63,7 +63,8 @@ class Chef
       @name = nil
 
       @chef_environment = '_default'
-      @run_list = Chef::RunList.new
+      @primary_runlist = Chef::RunList.new
+      @override_runlist = Chef::RunList.new
 
       @attributes = Chef::Node::Attribute.new({}, {}, {}, {})
 
@@ -259,10 +260,28 @@ class Chef
       run_list.include?("role[#{role_name}]")
     end
 
+    def primary_runlist
+      @primary_runlist
+    end
+
+    def override_runlist(*args)
+      args.length > 0 ? @override_runlist.reset!(args) : @override_runlist
+    end
+
+    def select_run_list
+      @override_runlist.empty? ? @primary_runlist : @override_runlist
+    end
+
     # Returns an Array of roles and recipes, in the order they will be applied.
     # If you call it with arguments, they will become the new list of roles and recipes.
     def run_list(*args)
-      args.length > 0 ? @run_list.reset!(args) : @run_list
+      rl = select_run_list
+      args.length > 0 ? rl.reset!(args) : rl
+    end
+
+    def run_list=(list)
+      rl = select_run_list
+      rl = list
     end
 
     # Returns true if this Node expects a given role, false if not.
@@ -410,7 +429,7 @@ class Chef
         "default" => attributes.combined_default,
         "override" => attributes.combined_override,
         #Render correctly for run_list items so malformed json does not result
-        "run_list" => run_list.run_list.map { |item| item.to_s }
+        "run_list" => @primary_runlist.run_list.map { |item| item.to_s }
       }
       result
     end

data/lib/chef/node/immutable_collections.rb

@@ -96,6 +96,22 @@ class Chef
         Array.new(map {|e| safe_dup(e)})
       end
 
+      def to_a
+        a = Array.new
+        each do |v|
+          a <<
+            case v
+            when ImmutableArray
+              v.to_a
+            when ImmutableMash
+              v.to_hash
+            else
+              v
+            end
+        end
+        a
+      end
+
     end
 
     # == ImmutableMash
@@ -187,6 +203,22 @@ class Chef
         Mash.new(self)
       end
 
+      def to_hash
+        h = Hash.new
+        each_pair do |k, v|
+          h[k] =
+            case v
+            when ImmutableMash
+              v.to_hash
+            when ImmutableArray
+              v.to_a
+            else
+              v
+            end
+        end
+        h
+      end
+
     end
 
   end

data/lib/chef/platform/provider_mapping.rb

@@ -180,6 +180,7 @@ class Chef
               :package => Chef::Provider::Package::Zypper,
               :group => Chef::Provider::Group::Suse
             },
+            # Only OpenSuSE 12.3+ should use the Usermod group provider:
             ">= 12.3" => {
               :group => Chef::Provider::Group::Usermod
             }
@@ -190,19 +191,6 @@ class Chef
               :cron => Chef::Provider::Cron,
               :package => Chef::Provider::Package::Zypper,
               :group => Chef::Provider::Group::Suse
-            },
-            ###############################################
-            # TODO: Remove this after ohai update is released.
-            # Only OpenSuSE 12.3+ should use the Usermod group provider:
-            # Ohai before OHAI-339 is applied reports both OpenSuSE and SuSE
-            # Enterprise as "suse", Ohai after OHAI-339 will report OpenSuSE as
-            # "opensuse".
-            #
-            # In order to support OpenSuSE both before and after the Ohai
-            # change, I'm leaving this here. It needs to get removed before
-            # SuSE enterprise 12.3 ships.
-            ">= 12.3" => {
-              :group => Chef::Provider::Group::Usermod
             }
           },
           :oracle  => {
@@ -222,6 +210,15 @@ class Chef
               :ifconfig => Chef::Provider::Ifconfig::Redhat
             }
           },
+          :ibm_powerkvm   => {
+            :default => {
+              :service => Chef::Provider::Service::Redhat,
+              :cron => Chef::Provider::Cron,
+              :package => Chef::Provider::Package::Yum,
+              :mdadm => Chef::Provider::Mdadm,
+              :ifconfig => Chef::Provider::Ifconfig::Redhat
+            }
+          },
           :gentoo   => {
             :default => {
               :package => Chef::Provider::Package::Portage,
@@ -233,7 +230,7 @@ class Chef
           :arch   => {
             :default => {
               :package => Chef::Provider::Package::Pacman,
-              :service => Chef::Provider::Service::Arch,
+              :service => Chef::Provider::Service::Systemd,
               :cron => Chef::Provider::Cron,
               :mdadm => Chef::Provider::Mdadm
             }
@@ -244,7 +241,9 @@ class Chef
               :service => Chef::Provider::Service::Windows,
               :user => Chef::Provider::User::Windows,
               :group => Chef::Provider::Group::Windows,
-              :mount => Chef::Provider::Mount::Windows
+              :mount => Chef::Provider::Mount::Windows,
+              :batch => Chef::Provider::Batch,
+              :powershell_script => Chef::Provider::PowershellScript
             }
           },
           :mingw32 => {
@@ -253,7 +252,9 @@ class Chef
               :service => Chef::Provider::Service::Windows,
               :user => Chef::Provider::User::Windows,
               :group => Chef::Provider::Group::Windows,
-              :mount => Chef::Provider::Mount::Windows
+              :mount => Chef::Provider::Mount::Windows,
+              :batch => Chef::Provider::Batch,
+              :powershell_script => Chef::Provider::PowershellScript
             }
           },
           :windows => {
@@ -262,7 +263,9 @@ class Chef
               :service => Chef::Provider::Service::Windows,
               :user => Chef::Provider::User::Windows,
               :group => Chef::Provider::Group::Windows,
-              :mount => Chef::Provider::Mount::Windows
+              :mount => Chef::Provider::Mount::Windows,
+              :batch => Chef::Provider::Batch,
+              :powershell_script => Chef::Provider::PowershellScript
             }
           },
           :solaris  => {},
@@ -307,7 +310,7 @@ class Chef
               :group => Chef::Provider::Group::Usermod,
               :user => Chef::Provider::User::Solaris,
             },
-            ">= 5.9" => {
+            "< 5.11" => {
               :service => Chef::Provider::Service::Solaris,
               :package => Chef::Provider::Package::Solaris,
               :cron => Chef::Provider::Cron::Solaris,

data/lib/chef/platform/query_helpers.rb

@@ -30,11 +30,19 @@ class Chef
 
       def windows_server_2003?
         return false unless windows?
-
         require 'ruby-wmi'
 
+        # CHEF-4888: Work around ruby #2618, expected to be fixed in Ruby 2.1.0
+        # https://github.com/ruby/ruby/commit/588504b20f5cc880ad51827b93e571e32446e5db
+        # https://github.com/ruby/ruby/commit/27ed294c7134c0de582007af3c915a635a6506cd
+        WIN32OLE.ole_initialize
+
         host = WMI::Win32_OperatingSystem.find(:first)
-        (host.version && host.version.start_with?("5.2"))
+        is_server_2003 = (host.version && host.version.start_with?("5.2"))
+
+        WIN32OLE.ole_uninitialize
+
+        is_server_2003
       end
     end
 

data/lib/chef/policy_builder/expand_node_object.rb

@@ -40,7 +40,6 @@ class Chef
       attr_reader :ohai_data
       attr_reader :json_attribs
       attr_reader :override_runlist
-      attr_reader :original_runlist
       attr_reader :run_context
       attr_reader :run_list_expansion
 
@@ -52,7 +51,6 @@ class Chef
         @events = events
 
         @node = nil
-        @original_runlist = nil
         @run_list_expansion = nil
       end
 
@@ -190,7 +188,7 @@ class Chef
       # override_runlist was provided. Chef::Client uses this to decide whether
       # to do the final node save at the end of the run or not.
       def temporary_policy?
-        !!@original_runlist
+        !node.override_runlist.empty?
       end
 
       ########################################
@@ -200,10 +198,9 @@ class Chef
       def setup_run_list_override
         runlist_override_sanity_check!
         unless(override_runlist.empty?)
-          @original_runlist = node.run_list.run_list_items.dup
-          node.run_list(*override_runlist)
+          node.override_runlist(*override_runlist)
           Chef::Log.warn "Run List override has been provided."
-          Chef::Log.warn "Original Run List: [#{original_runlist.join(', ')}]"
+          Chef::Log.warn "Original Run List: [#{node.primary_runlist}]"
           Chef::Log.warn "Overridden Run List: [#{node.run_list}]"
         end
       end