chef 12.18.31 → 12.19.33

data/spec/support/chef_helpers.rb

@@ -53,13 +53,11 @@ end
 # This is a temporary fix to get tests passing on systems that have no `diff`
 # until we can replace shelling out to `diff` with ruby diff-lcs
 def has_diff?
-  begin
-    diff_cmd = Mixlib::ShellOut.new("diff -v")
-    diff_cmd.run_command
-    true
-  rescue Errno::ENOENT
-    false
-  end
+  diff_cmd = Mixlib::ShellOut.new("diff -v")
+  diff_cmd.run_command
+  true
+rescue Errno::ENOENT
+  false
 end
 
 # This is a helper to determine if the ruby in the PATH contains

data/spec/support/platform_helpers.rb

@@ -92,6 +92,12 @@ def windows_nano_server?
   Chef::Platform.windows_nano_server?
 end
 
+def windows_user_right?(right)
+  return false unless windows?
+  require "chef/win32/security"
+  Chef::ReservedNames::Win32::Security.get_account_right(ENV["USERNAME"]).include?(right)
+end
+
 def mac_osx_106?
   if File.exists? "/usr/bin/sw_vers"
     result = ShellHelpers.shell_out("/usr/bin/sw_vers")

data/spec/support/platforms/prof/gc.rb

@@ -35,12 +35,10 @@ module RSpec
         end
 
         def working_set_size
-          begin
-            ::GC.start
-            ::GC::Profiler.result.scan(LINE_PATTERN)[-1][2].to_i if ::GC::Profiler.enabled?
-          ensure
-            ::GC::Profiler.clear
-          end
+          ::GC.start
+          ::GC::Profiler.result.scan(LINE_PATTERN)[-1][2].to_i if ::GC::Profiler.enabled?
+        ensure
+          ::GC::Profiler.clear
         end
 
         def handle_count

data/spec/support/shared/context/client.rb

@@ -95,7 +95,7 @@ shared_context "a client run" do
 
   def stub_for_data_collector_init
     expect(Chef::ServerAPI).to receive(:new).
-      with(Chef::Config[:data_collector][:server_url]).
+      with(Chef::Config[:data_collector][:server_url], validate_utf8: false).
       exactly(:once).
       and_return(http_data_collector)
   end

data/spec/support/shared/functional/execute_resource.rb

@@ -0,0 +1,150 @@
+#
+# Author:: Adam Edwards (<adamed@chef.io>)
+# Copyright:: Copyright (c) 2015 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+shared_context "a non-admin Windows user" do
+  include Chef::Mixin::ShellOut
+
+  let(:windows_nonadmin_user_domain) { ENV["COMPUTERNAME"] }
+  let(:windows_nonadmin_user_qualified) { "#{windows_nonadmin_user_domain}\\#{windows_nonadmin_user}" }
+  let(:temp_profile_path) { "#{ENV['USERPROFILE']}\\..\\cheftesttempuser" }
+  before do
+    shell_out!("net.exe user /delete #{windows_nonadmin_user}", returns: [0, 2])
+
+    # Supply a profile path when creating a user to avoid an apparent Windows bug where deleting
+    # the user actually creates the profile when it did not immediately exist before executing
+    # net user /delete! For some reason, specifying an explicit path ensures that the path
+    # profile doesn't get created at deletion.
+    shell_out!("net.exe user /add #{windows_nonadmin_user} \"#{windows_nonadmin_user_password}\" /profilepath:#{temp_profile_path}")
+  end
+
+  after do
+    shell_out!("net.exe user /delete #{windows_nonadmin_user}", returns: [0, 2])
+  end
+end
+
+shared_context "alternate user identity" do
+  let(:windows_alternate_user) { "chef%02d%02d%02d" % [Time.now.year % 100, Time.now.month, Time.now.day] }
+  let(:windows_alternate_user_password) { "lj28;fx3T!x,2" }
+  let(:windows_alternate_user_qualified) { "#{ENV['COMPUTERNAME']}\\#{windows_alternate_user}" }
+
+  let(:windows_nonadmin_user) { windows_alternate_user }
+  let(:windows_nonadmin_user_password) { windows_alternate_user_password }
+
+  include_context "a non-admin Windows user"
+end
+
+shared_context "a command that can be executed as an alternate user" do
+  include_context "alternate user identity"
+
+  let(:script_output_dir) { Dir.mktmpdir }
+  let(:script_output_path) { File.join(script_output_dir, make_tmpname("chef_execute_identity_test")) }
+  let(:script_output) { File.read(script_output_path) }
+
+  include Chef::Mixin::ShellOut
+
+  before do
+    shell_out!("icacls \"#{script_output_dir.gsub(/\//, '\\')}\" /grant \"authenticated users:(F)\"")
+  end
+
+  after do
+    File.delete(script_output_path) if File.exists?(script_output_path)
+    Dir.rmdir(script_output_dir) if Dir.exists?(script_output_dir)
+  end
+end
+
+shared_examples_for "an execute resource that supports alternate user identity" do
+  context "when running on Windows", :windows_only, :windows_service_requires_assign_token do
+
+    include_context "a command that can be executed as an alternate user"
+
+    let(:windows_current_user) { ENV["USERNAME"] }
+    let(:windows_current_user_qualified) { "#{ENV['USERDOMAIN'] || ENV['COMPUTERNAME']}\\#{windows_current_user}" }
+    let(:resource_identity_command) { "powershell.exe -noprofile -command \"import-module microsoft.powershell.utility;([Security.Principal.WindowsPrincipal]([Security.Principal.WindowsIdentity]::GetCurrent())).identity.name | out-file -encoding ASCII '#{script_output_path}'\"" }
+
+    let(:execute_resource) do
+      resource.user(windows_alternate_user)
+      resource.password(windows_alternate_user_password)
+      resource.send(resource_command_property, resource_identity_command)
+      resource
+    end
+
+    it "executes the process as an alternate user" do
+      expect(windows_current_user.length).to be > 0
+      expect { execute_resource.run_action(:run) }.not_to raise_error
+      expect(script_output.chomp.length).to be > 0
+      expect(script_output.chomp.downcase).to eq(windows_alternate_user_qualified.downcase)
+      expect(script_output.chomp.downcase).not_to eq(windows_current_user.downcase)
+      expect(script_output.chomp.downcase).not_to eq(windows_current_user_qualified.downcase)
+    end
+
+    let(:windows_alternate_user_password_invalid) { "#{windows_alternate_user_password}x" }
+
+    it "raises an exception if the user's password is invalid" do
+      execute_resource.password(windows_alternate_user_password_invalid)
+      expect { execute_resource.run_action(:run) }.to raise_error(SystemCallError)
+    end
+  end
+end
+
+shared_examples_for "a resource with a guard specifying an alternate user identity" do
+  context "when running on Windows", :windows_only, :windows_service_requires_assign_token do
+    include_context "alternate user identity"
+
+    let(:resource_command_property) { :command }
+
+    let(:powershell_equal_to_alternate_user) { "-eq" }
+    let(:powershell_not_equal_to_alternate_user) { "-ne" }
+    let(:guard_identity_command) { "powershell.exe -noprofile -command \"import-module microsoft.powershell.utility;exit @(392,0)[[int32](([Security.Principal.WindowsPrincipal]([Security.Principal.WindowsIdentity]::GetCurrent())).Identity.Name #{comparison_to_alternate_user} '#{windows_alternate_user_qualified}')]\"" }
+
+    before do
+      resource.guard_interpreter(guard_interpreter_resource)
+    end
+
+    context "when the guard expression is true if the user is alternate and false otherwise" do
+      let(:comparison_to_alternate_user) { powershell_equal_to_alternate_user }
+
+      it "causes the resource to be updated for only_if" do
+        resource.only_if(guard_identity_command, { user: windows_alternate_user, password: windows_alternate_user_password })
+        resource.run_action(:run)
+        expect(resource).to be_updated_by_last_action
+      end
+
+      it "causes the resource to not be updated for not_if" do
+        resource.not_if(guard_identity_command, { user: windows_alternate_user, password: windows_alternate_user_password })
+        resource.run_action(:run)
+        expect(resource).not_to be_updated_by_last_action
+      end
+    end
+
+    context "when the guard expression is false if the user is alternate and true otherwise" do
+      let(:comparison_to_alternate_user) { powershell_not_equal_to_alternate_user }
+
+      it "causes the resource not to be updated for only_if" do
+        resource.only_if(guard_identity_command, { user: windows_alternate_user, password: windows_alternate_user_password })
+        resource.run_action(:run)
+        expect(resource).not_to be_updated_by_last_action
+      end
+
+      it "causes the resource to be updated for not_if" do
+        resource.not_if(guard_identity_command, { user: windows_alternate_user, password: windows_alternate_user_password })
+        resource.run_action(:run)
+        expect(resource).to be_updated_by_last_action
+      end
+    end
+  end
+end

data/spec/support/shared/functional/windows_script.rb

@@ -46,10 +46,6 @@ shared_context Chef::Resource::WindowsScript do
     File.delete(script_output_path) if File.exists?(script_output_path)
   end
 
-  let!(:resource) do
-    Chef::Resource::WindowsScript::Batch.new("Batch resource functional test", @run_context)
-  end
-
   shared_examples_for "a script resource with architecture attribute" do
     context "with the given architecture attribute value" do
       let(:expected_architecture) do
@@ -125,6 +121,55 @@ shared_context Chef::Resource::WindowsScript do
   end
 
   shared_examples_for "a Windows script running on Windows" do
+    shared_examples_for "a script that cannot be accessed by other users if they are not administrators" do
+      include Chef::Mixin::ShellOut
+
+      let(:script_provider) { resource.provider_for_action(:run) }
+      let(:script_file) { script_provider.script_file }
+      let(:script_file_path) { script_file.to_path }
+
+      let(:read_access_denied_command) { "::File.read('#{script_file_path}')" }
+      let(:modify_access_denied_command) { "::File.write('#{script_file_path}', 'stuff')" }
+      let(:delete_access_denied_command) { "::File.delete('#{script_file_path}')" }
+      let(:access_denied_sentinel) { 7334 }
+      let(:access_allowed_sentinel) { 1586 }
+      let(:access_command_invalid) { 0 }
+
+      let(:ruby_interpreter_path) { RbConfig.ruby }
+      let(:ruby_command_template) { "require 'FileUtils';status = 0;begin; #{ruby_access_command};rescue Exception => e; puts e; status = e.class == Errno::EACCES ? #{access_denied_sentinel} : #{access_allowed_sentinel};end;exit status" }
+      let(:command_template) { "set BUNDLE_GEMFILE=&#{ruby_interpreter_path} -e \"#{ruby_command_template}\"" }
+      let(:access_command) { command_template }
+
+      before do
+        expect(script_provider).to receive(:unlink_script_file)
+        resource.code("echo hi")
+        script_provider.action_run
+      end
+
+      after do
+        script_file.close! if script_file
+        ::File.delete(script_file.to_path) if script_file && ::File.exists?(script_file.to_path)
+      end
+
+      include_context "alternate user identity"
+
+      shared_examples_for "a script whose file system location cannot be accessed by other non-admin users" do
+        let(:ruby_access_command) { file_access_command }
+        it "generates a script in the local file system that prevents read access to other non-admin users" do
+          shell_out!(access_command, { user: windows_nonadmin_user, password: windows_nonadmin_user_password, returns: [access_denied_sentinel] })
+        end
+      end
+
+      context "when a different non-admin user attempts write (modify) to access the script" do
+        let(:file_access_command) { modify_access_denied_command }
+        it_behaves_like "a script whose file system location cannot be accessed by other non-admin users"
+      end
+
+      context "when a different non-admin user attempts write (delete) to access the script" do
+        let(:file_access_command) { delete_access_denied_command }
+        it_behaves_like "a script whose file system location cannot be accessed by other non-admin users"
+      end
+    end
 
     describe "when the run action is invoked on Windows" do
       it "executes the script code" do
@@ -132,6 +177,21 @@ shared_context Chef::Resource::WindowsScript do
         resource.returns(0)
         resource.run_action(:run)
       end
+
+      context "the script is executed with the identity of the current user", :windows_service_requires_assign_token do
+        it_behaves_like "a script that cannot be accessed by other users if they are not administrators"
+      end
+
+      context "the script is executed with an alternate non-admin identity", :windows_service_requires_assign_token do
+        include_context "alternate user identity"
+
+        before do
+          resource.user(windows_alternate_user)
+          resource.password(windows_alternate_user_password)
+        end
+
+        it_behaves_like "a script that cannot be accessed by other users if they are not administrators"
+      end
     end
 
     context "when $env:TMP has a space" do
@@ -165,6 +225,11 @@ shared_context Chef::Resource::WindowsScript do
         expect(resource.class).to receive(:new).and_call_original
         expect(resource.should_skip?(:run)).to be_falsey
       end
+
+      context "when this resource is used as a guard and it is specified with an alternate user identity" do
+        let(:guard_interpreter_resource) { resource.resource_name }
+        it_behaves_like "a resource with a guard specifying an alternate user identity"
+      end
     end
 
     context "when the architecture attribute is not set" do
@@ -181,6 +246,11 @@ shared_context Chef::Resource::WindowsScript do
       let(:resource_architecture) { :x86_64 }
       it_behaves_like "a script resource with architecture attribute"
     end
+
+    describe "when running with an alternate user identity" do
+      let(:resource_command_property) { :code }
+      it_behaves_like "an execute resource that supports alternate user identity"
+    end
   end
 
   def get_windows_script_output(suffix = "")

data/spec/support/shared/unit/execute_resource.rb

@@ -106,6 +106,16 @@ shared_examples_for "an execute resource" do
     expect(@resource.user).to eql(1)
   end
 
+  it "should accept a string for the domain" do
+    @resource.domain "mothership"
+    expect(@resource.domain).to eql("mothership")
+  end
+
+  it "should accept a string for the password" do
+    @resource.password "we.funk!"
+    expect(@resource.password).to eql("we.funk!")
+  end
+
   it "should accept a string for creates" do
     @resource.creates "something"
     expect(@resource.creates).to eql("something")
@@ -116,6 +126,33 @@ shared_examples_for "an execute resource" do
     expect(@resource.live_stream).to be true
   end
 
+  describe "the resource's sensitive attribute" do
+    it "should be false by default" do
+      expect(@resource.sensitive).to eq(false)
+    end
+
+    it "should be true if set to true" do
+      expect(@resource.sensitive).to eq(false)
+      @resource.sensitive true
+      expect(@resource.sensitive).to eq(true)
+    end
+
+    it "should be true if the password is non-nil" do
+      expect(@resource.sensitive).to eq(false)
+      @resource.password("we.funk!")
+      expect(@resource.sensitive).to eq(true)
+    end
+
+    it "should be true if the password is non-nil but the value is explicitly set to false" do
+      expect(@resource.sensitive).to eq(false)
+      @resource.password("we.funk!")
+      expect(@resource.sensitive).to eq(true)
+      @resource.sensitive false
+      expect(@resource.sensitive).to eq(true)
+    end
+
+  end
+
   describe "when it has cwd, environment, group, path, return value, and a user" do
     before do
       @resource.command("grep")

data/spec/support/shared/unit/provider/file.rb

@@ -683,6 +683,16 @@ shared_examples_for Chef::Provider::File do
       end
     end
 
+    context "in why run mode" do
+      before { Chef::Config[:why_run] = true }
+      after { Chef::Config[:why_run] = false }
+
+      it "does not modify new_resource" do
+        setup_missing_file
+        expect(provider).not_to receive(:load_resource_attributes_from_file).with(provider.new_resource)
+        provider.run_action(:create)
+      end
+    end
   end
 
   context "action delete" do

data/spec/unit/cookbook/cookbook_version_loader_spec.rb

@@ -104,6 +104,15 @@ describe Chef::Cookbook::CookbookVersionLoader do
 
     end
 
+    context "when a cookbook's metadata.rb does not parse but the compiled metadata.json is present" do
+      let(:cookbook_path) { File.join(CHEF_SPEC_DATA, "prefer_metadata_json") }
+
+      it "reads the cookbook" do
+        expect(loaded_cookbook.metadata.name.to_s).to eq("prefer_metadata_json")
+        expect(loaded_cookbook.metadata.version.to_s).to eq("1.2.3")
+      end
+    end
+
     context "when the given path is not actually a cookbook" do
 
       let(:cookbook_path) { File.join(CHEF_SPEC_DATA, "cookbooks/NOTHING_HERE_FOLKS") }

data/spec/unit/cookbook/syntax_check_spec.rb

@@ -25,6 +25,7 @@ describe Chef::Cookbook::SyntaxCheck do
   end
 
   let(:cookbook_path) { File.join(CHEF_SPEC_DATA, "cookbooks", "openldap") }
+  let(:unsafe_cookbook_path) { 'C:\AGENT-HOME\xml-data\build-dir\76808194-76906499\artifact\cookbooks/java' }
   let(:syntax_check) { Chef::Cookbook::SyntaxCheck.new(cookbook_path) }
 
   let(:open_ldap_cookbook_files) do
@@ -53,7 +54,7 @@ describe Chef::Cookbook::SyntaxCheck do
     @recipes = %w{default.rb gigantor.rb one.rb return.rb}.map { |f| File.join(cookbook_path, "recipes", f) }
     @spec_files = [ File.join(cookbook_path, "spec", "spec_helper.rb") ]
     @ruby_files = @attr_files + @libr_files + @defn_files + @recipes + @spec_files + [File.join(cookbook_path, "metadata.rb")]
-    basenames = %w{ helpers_via_partial_test.erb
+    @basenames = %w{ helpers_via_partial_test.erb
                     helper_test.erb
                     helpers.erb
                     openldap_stuff.conf.erb
@@ -64,7 +65,7 @@ describe Chef::Cookbook::SyntaxCheck do
                     some_windows_line_endings.erb
                     all_windows_line_endings.erb
                     no_windows_line_endings.erb }
-    @template_files = basenames.map { |f| File.join(cookbook_path, "templates", "default", f) }
+    @template_files = @basenames.map { |f| File.join(cookbook_path, "templates", "default", f) }
   end
 
   after do
@@ -94,6 +95,11 @@ describe Chef::Cookbook::SyntaxCheck do
     end
   end
 
+  it "safely handles a path containing control characters" do
+    syntax_check = Chef::Cookbook::SyntaxCheck.new(unsafe_cookbook_path)
+    expect { syntax_check.remove_uninteresting_ruby_files(@basenames) }.not_to raise_error
+  end
+
   describe "when first created" do
     it "has the path to the cookbook to syntax check" do
       expect(syntax_check.cookbook_path).to eq(cookbook_path)

data/spec/unit/http/api_versions_spec.rb

@@ -0,0 +1,69 @@
+#
+# Copyright:: Copyright 2017, Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::HTTP::APIVersions do
+  class TestVersionClient < Chef::HTTP
+    use Chef::HTTP::APIVersions
+  end
+
+  before do
+    Chef::ServerAPIVersions.instance.reset!
+  end
+
+  let(:method) { "GET" }
+  let(:url) { "http://dummy.com" }
+  let(:headers) { {} }
+  let(:data) { false }
+
+  let(:request) {}
+  let(:return_value) { "200" }
+
+  # Test Variables
+  let(:response_body) { "Thanks for checking in." }
+  let(:response_headers) do
+    {
+      "x-ops-server-api-version" => { "min_version" => 0, "max_version" => 2 },
+    }
+  end
+
+  let(:response) do
+    m = double("HttpResponse", :body => response_body)
+    allow(m).to receive(:key?).with("x-ops-server-api-version").and_return(true)
+    allow(m).to receive(:[]) do |key|
+      response_headers[key]
+    end
+
+    m
+  end
+
+  let(:middleware) do
+    client = TestVersionClient.new(url)
+    client.middlewares[0]
+  end
+
+  def run_api_version_handler
+    middleware.handle_request(method, url, headers, data)
+    middleware.handle_response(response, request, return_value)
+  end
+
+  it "correctly stores server api versions" do
+    run_api_version_handler
+    expect(Chef::ServerAPIVersions.instance.min_server_version).to eq(0)
+  end
+end