chef 11.6.2 → 11.8.0.rc.1

data/lib/chef/chef_fs/file_system/multiplexed_dir.rb

@@ -17,7 +17,7 @@ class Chef
         end
 
         def children
-          @children ||= begin
+          begin
             result = []
             seen = {}
             # If multiple things have the same name, the first one wins.
@@ -40,6 +40,7 @@ class Chef
         end
 
         def create_child(name, file_contents = nil)
+          @children = nil
           write_dir.create_child(name, file_contents)
         end
       end

data/lib/chef/chef_fs/file_system/nodes_dir.rb

@@ -32,7 +32,7 @@ class Chef
         # Identical to RestListDir.children, except supports environments
         def children
           begin
-            @children ||= Chef::ChefFS::RawRequest.raw_json(rest, env_api_path).keys.sort.map do |key|
+            @children ||= root.get_json(env_api_path).keys.sort.map do |key|
               _make_child_entry("#{key}.json", true)
             end
           rescue Timeout::Error => e

data/lib/chef/chef_fs/file_system/operation_failed_error.rb

@@ -27,6 +27,14 @@ class Chef
           @operation = operation
         end
 
+        def message
+          if cause && cause.is_a?(Net::HTTPExceptions) && cause.response.code == "400"
+            "#{super} cause: #{cause.response.body}"
+          else
+            super
+          end
+        end
+
         attr_reader :operation
       end
     end

data/lib/chef/chef_fs/file_system/rest_list_dir.rb

@@ -45,7 +45,7 @@ class Chef
 
         def children
           begin
-            @children ||= Chef::ChefFS::RawRequest.raw_json(rest, api_path).keys.sort.map do |key|
+            @children ||= root.get_json(api_path).keys.sort.map do |key|
               _make_child_entry("#{key}.json", true)
             end
           rescue Timeout::Error => e
@@ -76,7 +76,7 @@ class Chef
           end
 
           begin
-            rest.post_rest(api_path, object)
+            rest.post(api_path, object)
           rescue Timeout::Error => e
             raise Chef::ChefFS::FileSystem::OperationFailedError.new(:create_child, self, e), "Timeout creating '#{name}': #{e}"
           rescue Net::HTTPServerException => e
@@ -89,6 +89,8 @@ class Chef
             end
           end
 
+          @children = nil
+
           result
         end
 

data/lib/chef/chef_fs/file_system/rest_list_entry.rb

@@ -19,7 +19,6 @@
 require 'chef/chef_fs/file_system/base_fs_object'
 require 'chef/chef_fs/file_system/not_found_error'
 require 'chef/chef_fs/file_system/operation_failed_error'
-require 'chef/chef_fs/raw_request'
 require 'chef/role'
 require 'chef/node'
 
@@ -68,7 +67,7 @@ class Chef
 
         def delete(recurse)
           begin
-            rest.delete_rest(api_path)
+            rest.delete(api_path)
           rescue Timeout::Error => e
             raise Chef::ChefFS::FileSystem::OperationFailedError.new(:delete, self, e), "Timeout deleting: #{e}"
           rescue Net::HTTPServerException => e
@@ -86,7 +85,8 @@ class Chef
 
         def _read_hash
           begin
-            json = Chef::ChefFS::RawRequest.raw_request(rest, api_path)
+            # Minimize the value (get rid of defaults) so the results don't look terrible
+            minimize_value(root.get_json(api_path))
           rescue Timeout::Error => e
             raise Chef::ChefFS::FileSystem::OperationFailedError.new(:read, self, e), "Timeout reading: #{e}"
           rescue Net::HTTPServerException => e
@@ -96,8 +96,6 @@ class Chef
               raise Chef::ChefFS::FileSystem::OperationFailedError.new(:read, self, e), "HTTP error reading: #{e}"
             end
           end
-          # Minimize the value (get rid of defaults) so the results don't look terrible
-          minimize_value(JSON.parse(json, :create_additions => false))
         end
 
         def chef_object
@@ -160,7 +158,7 @@ class Chef
           end
 
           begin
-            rest.put_rest(api_path, object)
+            rest.put(api_path, object)
           rescue Timeout::Error => e
             raise Chef::ChefFS::FileSystem::OperationFailedError.new(:write, self, e), "Timeout writing: #{e}"
           rescue Net::HTTPServerException => e

data/lib/chef/chef_fs/knife.rb

@@ -35,37 +35,40 @@ class Chef
 
       def self.inherited(c)
         super
+
         # Ensure we always get to do our includes, whether subclass calls deps or not
         c.deps do
         end
 
-        option :repo_mode,
-          :long => '--repo-mode MODE',
-          :description => "Specifies the local repository layout.  Values: static, everything, hosted_everything.  Default: everything/hosted_everything"
+        c.options.merge!(options)
+      end
 
-        option :chef_repo_path,
-          :long => '--chef-repo-path PATH',
-          :description => 'Overrides the location of chef repo. Default is specified by chef_repo_path in the config'
+      option :repo_mode,
+        :long => '--repo-mode MODE',
+        :description => "Specifies the local repository layout.  Values: static, everything, hosted_everything.  Default: everything/hosted_everything"
 
-        option :concurrency,
-          :long => '--concurrency THREADS',
-          :description => 'Maximum number of simultaneous requests to send (default: 10)'
-      end
+      option :chef_repo_path,
+        :long => '--chef-repo-path PATH',
+        :description => 'Overrides the location of chef repo. Default is specified by chef_repo_path in the config'
+
+      option :concurrency,
+        :long => '--concurrency THREADS',
+        :description => 'Maximum number of simultaneous requests to send (default: 10)'
 
       def configure_chef
         super
         Chef::Config[:repo_mode] = config[:repo_mode] if config[:repo_mode]
         Chef::Config[:concurrency] = config[:concurrency].to_i if config[:concurrency]
 
-        # --chef-repo-path overrides all other paths
+        # --chef-repo-path forcibly overrides all other paths
         if config[:chef_repo_path]
           Chef::Config[:chef_repo_path] = config[:chef_repo_path]
-          Chef::ChefFS::Config::PATH_VARIABLES.each do |variable_name|
-            Chef::Config[variable_name.to_sym] = chef_repo_paths.map { |path| File.join(path, "#{variable_name[0..-6]}s") }
+          %w(acl client cookbook container data_bag environment group node role user).each do |variable_name|
+            Chef::Config.delete("#{variable_name}_path".to_sym)
           end
         end
 
-        @chef_fs_config = Chef::ChefFS::Config.new(Chef::Config)
+        @chef_fs_config = Chef::ChefFS::Config.new(Chef::Config, Dir.pwd, config)
 
         Chef::ChefFS::Parallelizer.threads = (Chef::Config[:concurrency] || 10) - 1
       end
@@ -91,17 +94,18 @@ class Chef
       end
 
       def pattern_args_from(args)
+        args.map { |arg| pattern_arg_from(arg) }
+      end
+
+      def pattern_arg_from(arg)
         # TODO support absolute file paths and not just patterns?  Too much?
         # Could be super useful in a world with multiple repo paths
-        args.map do |arg|
-          if !@chef_fs_config.base_path && !Chef::ChefFS::PathUtils.is_absolute?(arg)
-            # Check if chef repo path is specified to give a better error message
-            @chef_fs_config.require_chef_repo_path
-            ui.error("Attempt to use relative path '#{arg}' when current directory is outside the repository path")
-            exit(1)
-          end
-          Chef::ChefFS::FilePattern.relative_to(@chef_fs_config.base_path, arg)
+        if !@chef_fs_config.base_path && !Chef::ChefFS::PathUtils.is_absolute?(arg)
+          # Check if chef repo path is specified to give a better error message
+          ui.error("Attempt to use relative path '#{arg}' when current directory is outside the repository path")
+          exit(1)
         end
+        Chef::ChefFS::FilePattern.relative_to(@chef_fs_config.base_path, arg)
       end
 
       def format_path(entry)
@@ -111,6 +115,19 @@ class Chef
       def parallelize(inputs, options = {}, &block)
         Chef::ChefFS::Parallelizer.parallelize(inputs, options, &block)
       end
+
+      def discover_repo_dir(dir)
+        %w(.chef cookbooks data_bags environments roles).each do |subdir|
+          return dir if File.directory?(File.join(dir, subdir))
+        end
+        # If this isn't it, check the parent
+        parent = File.dirname(dir)
+        if parent && parent != dir
+          discover_repo_dir(parent)
+        else
+          nil
+        end
+      end
     end
   end
 end

data/lib/chef/chef_fs/path_utils.rb

@@ -82,6 +82,11 @@ class Chef
         end
       end
 
+      def self.descendant_of?(path, ancestor)
+        path[0,ancestor.length] == ancestor &&
+          (ancestor.length == path.length || path[ancestor.length,1] =~ /#{PathUtils.regexp_path_separator}/)
+      end
+
       def self.is_absolute?(path)
         path =~ /^#{regexp_path_separator}/
       end

data/lib/chef/client.rb

@@ -198,6 +198,7 @@ class Chef
             Chef::Log.debug "Forked instance now converging"
             do_run
           rescue Exception
+            Chef::Log.error $!
             exit 1
           else
             exit 0
@@ -206,7 +207,7 @@ class Chef
         Chef::Log.debug "Fork successful. Waiting for new chef pid: #{pid}"
         result = Process.waitpid2(pid)
         handle_child_exit(result)
-        Chef::Log.debug "Forked child successfully reaped (pid: #{pid})"
+        Chef::Log.debug "Forked instance successfully reaped (pid: #{pid})"
         true
       else
         do_run
@@ -367,7 +368,10 @@ class Chef
     # === Returns
     # rest<Chef::REST>:: returns Chef::REST connection object
     def register(client_name=node_name, config=Chef::Config)
-      if File.exists?(config[:client_key])
+      if !config[:client_key]
+        @events.skipping_registration(client_name, config)
+        Chef::Log.debug("Client key is unspecified - skipping registration")
+      elsif File.exists?(config[:client_key])
         @events.skipping_registration(client_name, config)
         Chef::Log.debug("Client key #{config[:client_key]} is present - skipping registration")
       else
@@ -467,13 +471,15 @@ class Chef
     # === Returns
     # true:: Always returns true.
     def do_run
-      runlock = RunLock.new(Chef::Config)
+      runlock = RunLock.new(Chef::Config.lockfile)
       runlock.acquire
       # don't add code that may fail before entering this section to be sure to release lock
       begin
+        runlock.save_pid
         run_context = nil
         @events.run_start(Chef::VERSION)
         Chef::Log.info("*** Chef #{Chef::VERSION} ***")
+        Chef::Log.info "Chef-client pid: #{Process.pid}"
         enforce_path_sanity
         run_ohai
         @events.ohai_completed(node)

data/lib/chef/config.rb

@@ -23,12 +23,20 @@ require 'chef/log'
 require 'chef/exceptions'
 require 'mixlib/config'
 require 'chef/util/selinux'
+require 'pathname'
 
 class Chef
   class Config
 
     extend Mixlib::Config
 
+    # Evaluates the given string as config.
+    #
+    # +filename+ is used for context in stacktraces, but doesn't need to be the name of an actual file.
+    def self.from_string(string, filename)
+      self.instance_eval(string, filename, 1)
+    end
+
     # Manages the chef secret session key
     # === Returns
     # <newkey>:: A new or retrieved session key
@@ -50,8 +58,32 @@ class Chef
       configuration.inspect
     end
 
+    def self.on_windows?
+      RUBY_PLATFORM =~ /mswin|mingw|windows/
+    end
+
+    BACKSLASH = '\\'.freeze
+
+    def self.platform_path_separator
+      if on_windows?
+        File::ALT_SEPARATOR || BACKSLASH
+      else
+        File::SEPARATOR
+      end
+    end
+
+    def self.path_join(*args)
+      args = args.flatten
+      args.inject do |joined_path, component|
+        unless joined_path[-1,1] == platform_path_separator
+          joined_path += platform_path_separator
+        end
+        joined_path += component
+      end
+    end
+
     def self.platform_specific_path(path)
-      if RUBY_PLATFORM =~ /mswin|mingw|windows/
+      if on_windows?
         # turns /etc/chef/client.rb into C:/chef/client.rb
         system_drive = ENV['SYSTEMDRIVE'] ? ENV['SYSTEMDRIVE'] : ""
         path = File.join(system_drive, path.split('/')[2..-1])
@@ -65,32 +97,35 @@ class Chef
       formatters << [name, file_path]
     end
 
-    def self.formatters
-      @formatters ||= []
+    # Config file to load (client.rb, knife.rb, etc. defaults set differently in knife, chef-client, etc.)
+    configurable(:config_file)
+
+    default(:config_dir) do
+      if local_mode
+        path_join(user_home, ".chef#{platform_path_separator}")
+      else
+        config_file && ::File.dirname(config_file)
+      end
     end
 
+    # No config file (client.rb / knife.rb / etc.) will be loaded outside this path.
+    # Major use case is tests, where we don't want to load the user's config files.
+    configurable(:config_file_jail)
+
+    default :formatters, []
+
     # Override the config dispatch to set the value of multiple server options simultaneously
     #
     # === Parameters
     # url<String>:: String to be set for all of the chef-server-api URL's
     #
-    config_attr_writer :chef_server_url do |url|
-      url = url.strip
-      configure do |c|
-        c[:chef_server_url] = url
-      end
-      url
-    end
+    configurable(:chef_server_url).writes_value { |url| url.strip }
 
     # When you are using ActiveSupport, they monkey-patch 'daemonize' into Kernel.
     # So while this is basically identical to what method_missing would do, we pull
     # it up here and get a real method written so that things get dispatched
     # properly.
-    config_attr_writer :daemonize do |v|
-      configure do |c|
-        c[:daemonize] = v
-      end
-    end
+    configurable(:daemonize).writes_value { |v| v }
 
     # Override the config dispatch to set the value of log_location configuration option
     #
@@ -108,50 +143,148 @@ class Chef
         rescue Errno::ENOENT
           raise Chef::Exceptions::ConfigurationError, "Failed to open or create log file at #{location.to_str}"
         end
-          f
+        f
+      end
+    end
+
+    # The root where all local chef object data is stored.  cookbooks, data bags,
+    # environments are all assumed to be in separate directories under this.
+    # chef-solo uses these directories for input data.  knife commands
+    # that upload or download files (such as knife upload, knife role from file,
+    # etc.) work.
+    default :chef_repo_path do
+      if self.configuration[:cookbook_path]
+        if self.configuration[:cookbook_path].kind_of?(String)
+          File.expand_path('..', self.configuration[:cookbook_path])
+        else
+          self.configuration[:cookbook_path].map do |path|
+            File.expand_path('..', path)
+          end
+        end
+      else
+        platform_specific_path("/var/chef")
+      end
+    end
+
+    def self.find_chef_repo_path(cwd)
+      # In local mode, we auto-discover the repo root by looking for a path with "cookbooks" under it.
+      # This allows us to run config-free.
+      path = cwd
+      until File.directory?(path_join(path, "cookbooks"))
+        new_path = File.expand_path('..', path)
+        if new_path == path
+          Chef::Log.warn("No cookbooks directory found at or above current directory.  Assuming #{Dir.pwd}.")
+          return Dir.pwd
+        end
+        path = new_path
+      end
+      Chef::Log.info("Auto-discovered chef repository at #{path}")
+      path
+    end
+
+    def self.derive_path_from_chef_repo_path(child_path)
+      if chef_repo_path.kind_of?(String)
+        path_join(chef_repo_path, child_path)
+      else
+        chef_repo_path.map { |path| path_join(path, child_path)}
+      end
+    end
+
+    # Location of acls on disk. String or array of strings.
+    # Defaults to <chef_repo_path>/acls.
+    # Only applies to Enterprise Chef commands.
+    default(:acl_path) { derive_path_from_chef_repo_path('acls') }
+
+    # Location of clients on disk. String or array of strings.
+    # Defaults to <chef_repo_path>/acls.
+    default(:client_path) { derive_path_from_chef_repo_path('clients') }
+
+    # Location of cookbooks on disk. String or array of strings.
+    # Defaults to <chef_repo_path>/cookbooks.  If chef_repo_path
+    # is not specified, this is set to [/var/chef/cookbooks, /var/chef/site-cookbooks]).
+    default(:cookbook_path) do
+      if self.configuration[:chef_repo_path]
+        derive_path_from_chef_repo_path('cookbooks')
+      else
+        Array(derive_path_from_chef_repo_path('cookbooks')).flatten +
+          Array(derive_path_from_chef_repo_path('site-cookbooks')).flatten
       end
     end
 
+    # Location of containers on disk. String or array of strings.
+    # Defaults to <chef_repo_path>/containers.
+    # Only applies to Enterprise Chef commands.
+    default(:container_path) { derive_path_from_chef_repo_path('containers') }
+
+    # Location of data bags on disk. String or array of strings.
+    # Defaults to <chef_repo_path>/data_bags.
+    default(:data_bag_path) { derive_path_from_chef_repo_path('data_bags') }
+
+    # Location of environments on disk. String or array of strings.
+    # Defaults to <chef_repo_path>/environments.
+    default(:environment_path) { derive_path_from_chef_repo_path('environments') }
+
+    # Location of groups on disk. String or array of strings.
+    # Defaults to <chef_repo_path>/groups.
+    # Only applies to Enterprise Chef commands.
+    default(:group_path) { derive_path_from_chef_repo_path('groups') }
+
+    # Location of nodes on disk. String or array of strings.
+    # Defaults to <chef_repo_path>/nodes.
+    default(:node_path) { derive_path_from_chef_repo_path('nodes') }
+
+    # Location of roles on disk. String or array of strings.
+    # Defaults to <chef_repo_path>/roles.
+    default(:role_path) { derive_path_from_chef_repo_path('roles') }
+
+    # Location of users on disk. String or array of strings.
+    # Defaults to <chef_repo_path>/users.
+    # Does not apply to Enterprise Chef commands.
+    default(:user_path) { derive_path_from_chef_repo_path('users') }
+
     # Turn on "path sanity" by default. See also: http://wiki.opscode.com/display/chef/User+Environment+PATH+Sanity
-    enforce_path_sanity(true)
+    default :enforce_path_sanity, true
 
     # Formatted Chef Client output is a beta feature, disabled by default:
-    formatter "null"
+    default :formatter, "null"
 
     # The number of times the client should retry when registering with the server
-    client_registration_retries 5
-
-    # Where the cookbooks are located. Meaning is somewhat context dependent between
-    # knife, chef-client, and chef-solo.
-    cookbook_path [ platform_specific_path("/var/chef/cookbooks"),
-                    platform_specific_path("/var/chef/site-cookbooks") ]
+    default :client_registration_retries, 5
 
     # An array of paths to search for knife exec scripts if they aren't in the current directory
-    script_path []
+    default :script_path, []
+
+    # The root of all caches (checksums, cache and backup).  If local mode is on,
+    # this is under the user's home directory.
+    default(:cache_path) do
+      if local_mode
+        "#{config_dir}local-mode-cache"
+      else
+        platform_specific_path("/var/chef")
+      end
+    end
 
     # Where cookbook files are stored on the server (by content checksum)
-    checksum_path "/var/chef/checksums"
+    default(:checksum_path) { path_join(cache_path, "checksums") }
 
     # Where chef's cache files should be stored
-    file_cache_path platform_specific_path("/var/chef/cache")
+    default(:file_cache_path) { path_join(cache_path, "cache") }
 
-    # By default, chef-client (or solo) creates a lockfile in
-    # `file_cache_path`/chef-client-running.pid
-    # If `lockfile` is explicitly set, this path will be used instead.
+    # Where backups of chef-managed files should go
+    default(:file_backup_path) { path_join(cache_path, "backup") }
+
+    # The chef-client (or solo) lockfile.
     #
     # If your `file_cache_path` resides on a NFS (or non-flock()-supporting
     # fs), it's recommended to set this to something like
     # '/tmp/chef-client-running.pid'
-    lockfile nil
-
-    # Where backups of chef-managed files should go
-    file_backup_path platform_specific_path("/var/chef/backup")
+    default(:lockfile) { path_join(file_cache_path, "chef-client-running.pid") }
 
     ## Daemonization Settings ##
     # What user should Chef run as?
-    user nil
-    group nil
-    umask 0022
+    default :user, nil
+    default :group, nil
+    default :umask, 0022
 
     # Valid log_levels are:
     # * :debug
@@ -164,57 +297,83 @@ class Chef
     # in a console), the log level is set to :warn, and output formatters are
     # used as the primary mode of output. When a tty is not available, the
     # logger is the primary mode of output, and the log level is set to :info
-    log_level :auto
+    default :log_level, :auto
 
     # Using `force_formatter` causes chef to default to formatter output when STDOUT is not a tty
-    force_formatter false
+    default :force_formatter, false
 
     # Using `force_logger` causes chef to default to logger output when STDOUT is a tty
-    force_logger false
-
-    http_retry_count 5
-    http_retry_delay 5
-    interval nil
-    json_attribs nil
-    log_location STDOUT
+    default :force_logger, false
+
+    default :http_retry_count, 5
+    default :http_retry_delay, 5
+    default :interval, nil
+    default :once, nil
+    default :json_attribs, nil
+    default :log_location, STDOUT
     # toggle info level log items that can create a lot of output
-    verbose_logging true
-    node_name nil
-    diff_disabled           false
-    diff_filesize_threshold 10000000
-    diff_output_threshold   1000000
-
-    pid_file nil
-
-    chef_server_url   "https://localhost:443"
-
-    rest_timeout 300
-    yum_timeout 900
-    solo  false
-    splay nil
-    why_run false
-    color false
-    client_fork true
-    enable_reporting true
-    enable_reporting_url_fatals false
+    default :verbose_logging, true
+    default :node_name, nil
+    default :diff_disabled,           false
+    default :diff_filesize_threshold, 10000000
+    default :diff_output_threshold,   1000000
+    default :local_mode, false
+
+    default :pid_file, nil
+
+    config_context :chef_zero do
+      config_strict_mode true
+      default(:enabled) { Chef::Config.local_mode }
+      default :port, 8889
+    end
+    default :chef_server_url,   "https://localhost:443"
+
+    default :rest_timeout, 300
+    default :yum_timeout, 900
+    default :solo,  false
+    default :splay, nil
+    default :why_run, false
+    default :color, false
+    default :client_fork, true
+    default :enable_reporting, true
+    default :enable_reporting_url_fatals, false
 
     # Set these to enable SSL authentication / mutual-authentication
     # with the server
-    ssl_client_cert nil
-    ssl_client_key nil
-    ssl_verify_mode :verify_none
-    ssl_ca_path nil
-    ssl_ca_file nil
-
-    # Where should chef-solo look for role files?
-    role_path platform_specific_path("/var/chef/roles")
 
-    data_bag_path platform_specific_path("/var/chef/data_bags")
+    # Client side SSL cert/key for mutual auth
+    default :ssl_client_cert, nil
+    default :ssl_client_key, nil
+
+    # Whether or not to verify the SSL cert for all HTTPS requests. If set to
+    # :verify_peer, all HTTPS requests will be validated regardless of other
+    # SSL verification settings.
+    default :ssl_verify_mode, :verify_none
+
+    # Whether or not to verify the SSL cert for HTTPS requests to the Chef
+    # server API. If set to `true`, the server's cert will be validated
+    # regardless of the :ssl_verify_mode setting.
+    default :verify_api_cert, false
+
+    # Path to the default CA bundle files.
+    default :ssl_ca_path, nil
+    default(:ssl_ca_file) do
+      if on_windows? and embedded_path = embedded_dir
+        cacert_path = File.join(embedded_path, "ssl/certs/cacert.pem")
+        cacert_path if File.exist?(cacert_path)
+      else
+        nil
+      end
+    end
 
-    environment_path platform_specific_path("/var/chef/environments")
+    # A directory that contains additional SSL certificates to trust. Any
+    # certificates in this directory will be added to whatever CA bundle ruby
+    # is using. Use this to add self-signed certs for your Chef Server or local
+    # HTTP file servers.
+    default(:trusted_certs_dir) { config_dir && path_join(config_dir, "trusted_certs") }
 
     # Where should chef-solo download recipes from?
-    recipe_url nil
+    default :recipe_url, nil
 
     # Sets the version of the signed header authentication protocol to use (see
     # the 'mixlib-authorization' project for more detail). Currently, versions
@@ -230,7 +389,7 @@ class Chef
     #
     # In the future, this configuration option may be replaced with an
     # automatic negotiation scheme.
-    authentication_protocol_version "1.0"
+    default :authentication_protocol_version, "1.0"
 
     # This key will be used to sign requests to the Chef server. This location
     # must be writable by Chef during initial setup when generating a client
@@ -238,17 +397,21 @@ class Chef
     #
     # The chef-server will look up the public key for the client using the
     # `node_name` of the client.
-    client_key platform_specific_path("/etc/chef/client.pem")
+    #
+    # If chef-zero is enabled, this defaults to nil (no authentication).
+    default(:client_key) { chef_zero.enabled ? nil : platform_specific_path("/etc/chef/client.pem") }
 
     # This secret is used to decrypt encrypted data bag items.
-    encrypted_data_bag_secret platform_specific_path("/etc/chef/encrypted_data_bag_secret")
-
-    # We have to check for the existence of the default file before setting it
-    # since +Chef::Config[:encrypted_data_bag_secret]+ is read by older
-    # bootstrap templates to determine if the local secret should be uploaded to
-    # node being bootstrapped. This should be removed in Chef 12.
-    unless File.exist?(platform_specific_path("/etc/chef/encrypted_data_bag_secret"))
-      encrypted_data_bag_secret(nil)
+    default(:encrypted_data_bag_secret) do
+      # We have to check for the existence of the default file before setting it
+      # since +Chef::Config[:encrypted_data_bag_secret]+ is read by older
+      # bootstrap templates to determine if the local secret should be uploaded to
+      # node being bootstrapped. This should be removed in Chef 12.
+      if File.exist?(platform_specific_path("/etc/chef/encrypted_data_bag_secret"))
+        platform_specific_path("/etc/chef/encrypted_data_bag_secret")
+      else
+        nil
+      end
     end
 
     # As of Chef 11.0, version "1" is the default encrypted data bag item
@@ -256,7 +419,7 @@ class Chef
     # To maintain compatibility, versions other than 1 must be opt-in.
     #
     # Set this to `2` if you have chef-client 11.6.0+ in your infrastructure:
-    data_bag_encrypt_version 1
+    default :data_bag_encrypt_version, 1
 
     # When reading data bag items, any supported version is accepted. However,
     # if all encrypted data bags have been generated with the version 2 format,
@@ -264,7 +427,7 @@ class Chef
     # security. For example, the version 2 format is identical to version 1
     # except for the addition of an HMAC, so an attacker with MITM capability
     # could downgrade an encrypted data bag to version 1 as part of an attack.
-    data_bag_decrypt_minimum_version 0
+    default :data_bag_decrypt_minimum_version, 0
 
     # If there is no file in the location given by `client_key`, chef-client
     # will temporarily use the "validator" identity to generate one. If the
@@ -272,43 +435,53 @@ class Chef
     # chef-client will not be able to authenticate to the server.
     #
     # The `validation_key` is never used if the `client_key` exists.
-    validation_key platform_specific_path("/etc/chef/validation.pem")
-    validation_client_name "chef-validator"
+    #
+    # If chef-zero is enabled, this defaults to nil (no authentication).
+    default(:validation_key) { chef_zero.enabled ? nil : platform_specific_path("/etc/chef/validation.pem") }
+    default :validation_client_name, "chef-validator"
 
     # Zypper package provider gpg checks. Set to true to enable package
     # gpg signature checking. This will be default in the
     # future. Setting to false disables the warnings.
     # Leaving this set to nil or false is a security hazard!
-    zypper_check_gpg nil
+    default :zypper_check_gpg, nil
 
     # Report Handlers
-    report_handlers []
+    default :report_handlers, []
 
     # Exception Handlers
-    exception_handlers []
+    default :exception_handlers, []
 
     # Start handlers
-    start_handlers []
+    default :start_handlers, []
 
     # Syntax Check Cache. Knife keeps track of files that is has already syntax
     # checked by storing files in this directory. `syntax_check_cache_path` is
     # the new (and preferred) configuration setting. If not set, knife will
-    # fall back to using cache_options[:path].
-    #
-    # Because many users will have knife configs with cache_options (generated
-    # by `knife configure`), the default for now is to *not* set
-    # syntax_check_cache_path, and thus fallback to cache_options[:path]. We
-    # leave that value to the same default as was previously set.
-    syntax_check_cache_path nil
+    # fall back to using cache_options[:path], which is deprecated but exists in
+    # many client configs generated by pre-Chef-11 bootstrappers.
+    default(:syntax_check_cache_path) { cache_options[:path] }
 
     # Deprecated:
-    cache_options({ :path => platform_specific_path("/var/chef/cache/checksums") })
+    default(:cache_options) { { :path => path_join(file_cache_path, "checksums") } }
 
     # Set to false to silence Chef 11 deprecation warnings:
-    chef11_deprecation_warnings true
-
-    # Arbitrary knife configuration data
-    knife Hash.new
+    default :chef11_deprecation_warnings, true
+
+    # knife configuration data
+    config_context :knife do
+      default :ssh_port, nil
+      default :ssh_user, nil
+      default :ssh_attribute, nil
+      default :ssh_gateway, nil
+      default :bootstrap_version, nil
+      default :bootstrap_proxy, nil
+      default :identity_file, nil
+      default :host_key_verify, nil
+      default :forward_agent, nil
+      default :sort_status_reverse, nil
+      default :hints, {}
+    end
 
     # Those lists of regular expressions define what chef considers a
     # valid user and group name
@@ -316,31 +489,49 @@ class Chef
       # From http://technet.microsoft.com/en-us/library/cc776019(WS.10).aspx
 
       principal_valid_regex_part = '[^"\/\\\\\[\]\:;|=,+*?<>]+'
-      user_valid_regex [ /^(#{principal_valid_regex_part}\\)?#{principal_valid_regex_part}$/ ]
-      group_valid_regex [ /^(#{principal_valid_regex_part}\\)?#{principal_valid_regex_part}$/ ]
+      default :user_valid_regex, [ /^(#{principal_valid_regex_part}\\)?#{principal_valid_regex_part}$/ ]
+      default :group_valid_regex, [ /^(#{principal_valid_regex_part}\\)?#{principal_valid_regex_part}$/ ]
 
-      fatal_windows_admin_check false
+      default :fatal_windows_admin_check, false
     else
-      user_valid_regex [ /^([-a-zA-Z0-9_.]+[\\@]?[-a-zA-Z0-9_.]+)$/, /^\d+$/ ]
-      group_valid_regex [ /^([-a-zA-Z0-9_.\\@^ ]+)$/, /^\d+$/ ]
+      default :user_valid_regex, [ /^([-a-zA-Z0-9_.]+[\\@]?[-a-zA-Z0-9_.]+)$/, /^\d+$/ ]
+      default :group_valid_regex, [ /^([-a-zA-Z0-9_.\\@^ ]+)$/, /^\d+$/ ]
     end
 
     # returns a platform specific path to the user home dir
     windows_home_path = ENV['SYSTEMDRIVE'] + ENV['HOMEPATH'] if ENV['SYSTEMDRIVE'] && ENV['HOMEPATH']
-    user_home(ENV['HOME'] || windows_home_path || ENV['USERPROFILE'])
+    default :user_home, (ENV['HOME'] || windows_home_path || ENV['USERPROFILE'])
 
     # Enable file permission fixup for selinux. Fixup will be done
     # only if selinux is enabled in the system.
-    enable_selinux_file_permission_fixup true
+    default :enable_selinux_file_permission_fixup, true
 
     # Use atomic updates (i.e. move operation) while updating contents
     # of the files resources. When set to false copy operation is
     # used to update files.
-    file_atomic_update true
+    default :file_atomic_update, true
 
     # If false file staging is will be done via tempfiles that are
     # created under ENV['TMP'] otherwise tempfiles will be created in
     # the directory that files are going to reside.
-    file_staging_uses_destdir false
+    default :file_staging_uses_destdir, false
+
+    # If installed via an omnibus installer, this gives the path to the
+    # "embedded" directory which contains all of the software packaged with
+    # omnibus. This is used to locate the cacert.pem file on windows.
+    def self.embedded_dir
+      Pathname.new(_this_file).ascend do |path|
+        if path.basename.to_s == "embedded"
+          return path.to_s
+        end
+      end
+
+      nil
+    end
+
+    # Path to this file in the current install.
+    def self._this_file
+      File.expand_path(__FILE__)
+    end
   end
 end