chef 13.3.42 → 13.4.19

data/lib/chef/version.rb

@@ -14,15 +14,16 @@
 # limitations under the License.
 
 #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-# NOTE: This file is modified via the `.expeditor/update_version.sh` script, which
-# is triggered automatically by Chef Expeditor when a Pull Request is merged.
+# NOTE: This file is generated by running `rake version` in the top level of
+# this repo. Do not edit this manually. Edit the VERSION file and run the rake
+# task instead.
 #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 require "chef/version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("../..", __FILE__)
-  VERSION = Chef::VersionString.new("13.3.42")
+  VERSION = Chef::VersionString.new("13.4.19")
 end
 
 #

data/lib/chef/win32/api/security.rb

@@ -453,6 +453,8 @@ class Chef
         safe_attach_function :SetSecurityDescriptorSacl, [ :pointer, :BOOL, :pointer, :BOOL ], :BOOL
         safe_attach_function :GetTokenInformation, [ :HANDLE, :TOKEN_INFORMATION_CLASS, :pointer, :DWORD, :PDWORD ], :BOOL
         safe_attach_function :LogonUserW, [:LPTSTR, :LPTSTR, :LPTSTR, :DWORD, :DWORD, :PHANDLE], :BOOL
+        safe_attach_function :ImpersonateLoggedOnUser, [:HANDLE], :BOOL
+        safe_attach_function :RevertToSelf, [], :BOOL
 
       end
     end

data/spec/functional/mixin/user_context_spec.rb

@@ -0,0 +1,117 @@
+#
+# Copyright:: Copyright (c) 2015 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+require "chef/win32/api" if Chef::Platform.windows?
+require "chef/win32/api/error" if Chef::Platform.windows?
+require "chef/mixin/user_context"
+
+describe Chef::Mixin::UserContext, windows_only: true do
+  include Chef::Mixin::UserContext
+
+  let(:get_user_name_a) do
+    FFI.ffi_lib "advapi32.dll"
+    FFI.attach_function :GetUserNameA, [ :pointer, :pointer ], :bool
+  end
+
+  let(:process_username) do
+    name_size = FFI::Buffer.new(:long).write_long(0)
+    succeeded = get_user_name_a.call(nil, name_size)
+    last_error = FFI::LastError.error
+    if succeeded || last_error != Chef::ReservedNames::Win32::API::Error::ERROR_INSUFFICIENT_BUFFER
+      raise Chef::Exceptions::Win32APIError, "Expected ERROR_INSUFFICIENT_BUFFER from GetUserNameA but it returned the following error: #{last_error}"
+    end
+    user_name = FFI::MemoryPointer.new :char, (name_size.read_long)
+    succeeded = get_user_name_a.call(user_name, name_size)
+    last_error = FFI::LastError.error
+    if succeeded == 0 || last_error != 0
+      raise Chef::Exceptions::Win32APIError, "GetUserNameA failed with #{lasterror}"
+    end
+    user_name.read_string
+  end
+
+  let(:test_user) { "chefuserctx3" }
+  let(:test_domain) { windows_nonadmin_user_domain }
+  let(:test_password) { "j823jfxK3;2Xe1" }
+
+  let(:username_domain_qualification) { nil }
+  let(:username_with_conditional_domain) { username_domain_qualification.nil? ? username_to_impersonate : "#{username_domain_qualification}\\#{username_to_impersonate}" }
+
+  let(:windows_nonadmin_user) { test_user }
+  let(:windows_nonadmin_user_password) { test_password }
+
+  let(:username_while_impersonating) do
+    username = nil
+    with_user_context(username_with_conditional_domain, username_to_impersonate_password, domain_to_impersonate) do
+      username = process_username
+    end
+    username
+  end
+
+  before do
+    allow_any_instance_of(described_class).to receive(:node).and_return({ "platform_family" => "windows" })
+  end
+
+  shared_examples_for "method that executes the block while impersonating the alternate user" do
+    it "uses different credentials for other network connections" do
+      allow_any_instance_of(Chef::Util::Windows::LogonSession).to receive(:validate_session_open!).and_return(true)
+      expect(username_while_impersonating.downcase).not_to eq(username_to_impersonate.downcase)
+    end
+  end
+
+  describe "#with_user_context" do
+    context "when the user and domain are both nil" do
+      let(:username_to_impersonate) { nil }
+      let(:domain_to_impersonate) { nil }
+      let(:username_to_impersonate_password) { nil }
+
+      it "has the same token and username as the process" do
+        expect(username_while_impersonating.downcase).to eq(ENV["username"].downcase)
+      end
+    end
+
+    context "when a non-nil user is specified" do
+      include_context "a non-admin Windows user"
+      context "when a username different than the process user is specified" do
+        let(:username_to_impersonate) { test_user }
+        let(:username_to_impersonate_password) { test_password }
+        context "when an explicit domain is given with a valid password" do
+          let(:domain_to_impersonate) { test_domain }
+          it "uses different credentials for other network connections" do
+            expect(username_while_impersonating.downcase).not_to eq(username_to_impersonate.downcase)
+          end
+        end
+
+        context "when a valid password and a non-qualified user is given and no domain is specified" do
+          let(:domain_to_impersonate) { "." }
+          it_behaves_like "method that executes the block while impersonating the alternate user"
+        end
+
+        it "raises an error user if specified with the wrong password" do
+          expect { with_user_context(username_to_impersonate, username_to_impersonate_password + "1", nil) }.to raise_error(ArgumentError)
+        end
+      end
+    end
+
+    context "when invalid arguments are passed" do
+      it "raises an ArgumentError exception if the password is not specified but the user is specified" do
+        expect { with_user_context(test_user, nil, nil) }.to raise_error(ArgumentError)
+      end
+    end
+  end
+end

data/spec/functional/resource/remote_file_spec.rb

@@ -123,6 +123,177 @@ describe Chef::Resource::RemoteFile do
 
   end
 
+  context "when running on Windows", :windows_only do
+    describe "when fetching files over SMB" do
+      include Chef::Mixin::ShellOut
+      let(:smb_share_root_directory) { directory = File.join(Dir.tmpdir, make_tmpname("windows_script_test")); Dir.mkdir(directory); directory }
+      let(:smb_file_local_file_name) { "smb_file.txt" }
+      let(:smb_file_local_path) { File.join( smb_share_root_directory, smb_file_local_file_name ) }
+      let(:smb_share_name) { "chef_smb_test" }
+      let(:smb_remote_path) { File.join("//#{ENV['COMPUTERNAME']}", smb_share_name, smb_file_local_file_name).gsub(/\//, "\\") }
+      let(:smb_file_content) { "hellofun" }
+      let(:local_destination_path) { File.join(Dir.tmpdir, make_tmpname("chef_remote_file")) }
+      let(:windows_current_user) { ENV["USERNAME"] }
+      let(:windows_current_user_domain) { ENV["USERDOMAIN"] || ENV["COMPUTERNAME"] }
+      let(:windows_current_user_qualified) { "#{windows_current_user_domain}\\#{windows_current_user}" }
+
+      let(:remote_domain) { nil }
+      let(:remote_user) { nil }
+      let(:remote_password) { nil }
+
+      let(:resource) do
+        node = Chef::Node.new
+        events = Chef::EventDispatch::Dispatcher.new
+        run_context = Chef::RunContext.new(node, {}, events)
+        resource = Chef::Resource::RemoteFile.new(path, run_context)
+      end
+
+      before do
+        shell_out("net.exe share #{smb_share_name} /delete")
+        File.write(smb_file_local_path, smb_file_content )
+        shell_out!("net.exe share #{smb_share_name}=\"#{smb_share_root_directory.gsub(/\//, '\\')}\" /grant:\"authenticated users\",read")
+      end
+
+      after do
+        shell_out("net.exe share #{smb_share_name} /delete")
+        File.delete(smb_file_local_path) if File.exist?(smb_file_local_path)
+        File.delete(local_destination_path) if File.exist?(local_destination_path)
+        Dir.rmdir(smb_share_root_directory)
+      end
+
+      context "when configuring the Windows identity used to access the remote file" do
+        before do
+          resource.path(local_destination_path)
+          resource.source(smb_remote_path)
+          resource.remote_domain(remote_domain)
+          resource.remote_user(remote_user)
+          resource.remote_password(remote_password)
+          resource.node.default["platform_family"] = "windows"
+          allow_any_instance_of(Chef::Provider::RemoteFile::NetworkFile).to receive(:node).and_return({ "platform_family" => "windows" })
+        end
+
+        shared_examples_for "a remote_file resource accessing a remote file to which the specified user has access" do
+          it "has the same content as the original file" do
+            expect { resource.run_action(:create) }.not_to raise_error
+            expect(::File.read(local_destination_path).chomp).to eq smb_file_content
+          end
+        end
+
+        shared_examples_for "a remote_file resource accessing a remote file to which the specified user does not have access" do
+          it "causes an error to be raised" do
+            expect { resource.run_action(:create) }.to raise_error(Errno::EACCES)
+          end
+        end
+
+        shared_examples_for "a remote_file resource accessing a remote file with invalid user" do
+          it "causes an error to be raised" do
+            allow(Chef::Util::Windows::LogonSession).to receive(:validate_session_open!).and_return(true)
+            expect { resource.run_action(:create) }.to raise_error(Chef::Exceptions::Win32APIError)
+          end
+        end
+
+        context "when the file is accessible to non-admin users only as the current identity" do
+          before do
+            shell_out!("icacls #{smb_file_local_path} /grant:r \"authenticated users:(W)\" /grant \"#{windows_current_user_qualified}:(R)\" /inheritance:r")
+          end
+
+          context "when the resource is accessed using the current user's identity" do
+            let(:remote_user) { nil }
+            let(:remote_domain) { nil }
+            let(:remote_password) { nil }
+
+            it_behaves_like "a remote_file resource accessing a remote file to which the specified user has access"
+
+            describe "uses the ::Chef::Provider::RemoteFile::NetworkFile::TRANSFER_CHUNK_SIZE constant to chunk the file" do
+              let(:invalid_chunk_size) { -1 }
+              before do
+                stub_const("::Chef::Provider::RemoteFile::NetworkFile::TRANSFER_CHUNK_SIZE", invalid_chunk_size)
+              end
+
+              it "raises an ArgumentError when the chunk size is negative" do
+                expect(::Chef::Provider::RemoteFile::NetworkFile::TRANSFER_CHUNK_SIZE).to eq(invalid_chunk_size)
+                expect { resource.run_action(:create) }.to raise_error(ArgumentError)
+              end
+            end
+
+            context "when the file must be transferred in more than one chunk" do
+              before do
+                stub_const("::Chef::Provider::RemoteFile::NetworkFile::TRANSFER_CHUNK_SIZE", 3)
+              end
+              it_behaves_like "a remote_file resource accessing a remote file to which the specified user has access"
+            end
+          end
+
+          context "when the resource is accessed using an alternate user's identity with no access to the file" do
+            let (:windows_nonadmin_user) { "chefremfile1" }
+            let (:windows_nonadmin_user_password) { "j82ajfxK3;2Xe1" }
+            include_context "a non-admin Windows user"
+
+            before do
+              shell_out!("icacls #{smb_file_local_path} /grant:r \"authenticated users:(W)\" /deny \"#{windows_current_user_qualified}:(R)\" /inheritance:r")
+            end
+
+            let(:remote_user) { windows_nonadmin_user }
+            let(:remote_domain) { windows_nonadmin_user_domain }
+            let(:remote_password) { windows_nonadmin_user_password }
+
+            it_behaves_like "a remote_file resource accessing a remote file to which the specified user does not have access"
+          end
+        end
+
+        context "when the the file is only accessible as a specific alternate identity" do
+          let (:windows_nonadmin_user) { "chefremfile2" }
+          let (:windows_nonadmin_user_password) { "j82ajfxK3;2Xe2" }
+          include_context "a non-admin Windows user"
+
+          before do
+            shell_out!("icacls #{smb_file_local_path} /grant:r \"authenticated users:(W)\" /grant \"#{windows_current_user_qualified}:(R)\" /inheritance:r")
+          end
+
+          context "when the resource is accessed using the specific non-qualified alternate user identity with access" do
+            let(:remote_user) { windows_nonadmin_user }
+            let(:remote_domain) { "." }
+            let(:remote_password) { windows_nonadmin_user_password }
+
+            it_behaves_like "a remote_file resource accessing a remote file to which the specified user has access"
+          end
+
+          context "when the resource is accessed using the specific alternate user identity with access and the domain is specified" do
+            let(:remote_user) { windows_nonadmin_user }
+            let(:remote_domain) { windows_nonadmin_user_domain }
+            let(:remote_password) { windows_nonadmin_user_password }
+
+            it_behaves_like "a remote_file resource accessing a remote file to which the specified user has access"
+          end
+
+          context "when the resource is accessed using the current user's identity" do
+            before do
+              shell_out!("icacls #{smb_file_local_path} /grant:r \"authenticated users:(W)\" /grant \"#{windows_nonadmin_user_qualified}:(R)\" /deny #{windows_current_user_qualified}:(R) /inheritance:r")
+            end
+
+            it_behaves_like "a remote_file resource accessing a remote file to which the specified user does not have access"
+          end
+
+          context "when the resource is accessed using an alternate user's identity with no access to the file" do
+            let (:windows_nonadmin_user) { "chefremfile3" }
+            let (:windows_nonadmin_user_password) { "j82ajfxK3;2Xe3" }
+            include_context "a non-admin Windows user"
+
+            let(:remote_user) { windows_nonadmin_user_qualified }
+            let(:remote_domain) { nil }
+            let(:remote_password) { windows_nonadmin_user_password }
+
+            before do
+              allow_any_instance_of(Chef::Util::Windows::LogonSession).to receive(:validate_session_open!).and_return(true)
+            end
+
+            it_behaves_like "a remote_file resource accessing a remote file with invalid user"
+          end
+        end
+      end
+    end
+  end
+
   context "when dealing with content length checking" do
     before(:each) do
       start_tiny_server

data/spec/functional/resource/windows_path_spec.rb

@@ -0,0 +1,64 @@
+#
+# Author:: Nimisha Sharad (<nimisha.sharad@msystechnologies.com>)
+# Copyright:: Copyright (c) 2017 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::WindowsPath, :windows_only do
+  let(:path) { "test_path" }
+
+  before(:all) do
+    @old_path = ENV["PATH"].dup
+  end
+
+  after(:all) do
+    ENV["PATH"] = @old_path
+  end
+
+  subject do
+    new_resource = Chef::Resource::WindowsPath.new(path, run_context)
+    new_resource
+  end
+
+  describe "adding path" do
+    after { remove_path }
+
+    it "appends the user given path in the Environment variable Path" do
+      subject.run_action(:add)
+      expect(ENV["PATH"]).to include(path)
+    end
+  end
+
+  describe "removing path" do
+    before { add_path }
+
+    it "removes the user given path from the Environment variable Path" do
+      subject.run_action(:remove)
+      expect(ENV["PATH"]).not_to include(path)
+    end
+  end
+
+  def remove_path
+    new_resource = Chef::Resource::WindowsPath.new(path, run_context)
+    new_resource.run_action(:remove)
+  end
+
+  def add_path
+    new_resource = Chef::Resource::WindowsPath.new(path, run_context)
+    new_resource.run_action(:add)
+  end
+end

data/spec/unit/knife/client_delete_spec.rb

@@ -35,7 +35,7 @@ describe Chef::Knife::ClientDelete do
     end
 
     context "receives multiple clients" do
-      let(:clients) { %w{ "adam", "ben", "charlie" } }
+      let(:clients) { %w{ adam ben charlie } }
 
       before(:each) do
         @knife.name_args = clients

data/spec/unit/mixin/user_context_spec.rb

@@ -0,0 +1,109 @@
+#
+# Author:: Adam Edwards (<adamed@chef.io>)
+# Copyright:: Copyright (c) 2015 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+require "chef/mixin/user_context"
+require "chef/util/windows/logon_session"
+
+describe "a class that mixes in user_context" do
+  let(:instance_with_user_context) do
+    class UserContextConsumer
+      include ::Chef::Mixin::UserContext
+      def with_context(user, domain, password, &block)
+        with_user_context(user, password, domain, &block)
+      end
+    end
+    UserContextConsumer.new
+  end
+
+  shared_examples_for "a method that requires a block" do
+    it "raises an ArgumentError exception if a block is not supplied" do
+      expect { instance_with_user_context.with_context(nil, nil, nil) }.to raise_error(ArgumentError)
+    end
+  end
+
+  context "when running on Windows" do
+    before do
+      allow(::Chef::Platform).to receive(:windows?).and_return(true)
+      allow(::Chef::Util::Windows::LogonSession).to receive(:new).and_return(logon_session)
+      allow(instance_with_user_context).to receive(:node).and_return({ "platform_family" => "windows" })
+    end
+
+    let(:logon_session) { instance_double("::Chef::Util::Windows::LogonSession", :set_user_context => nil, :open => nil, :close => nil) }
+
+    it "does not raise an exception when the user and all parameters are nil" do
+      expect { instance_with_user_context.with_context(nil, nil, nil) {} }.not_to raise_error
+    end
+
+    context "when given valid user credentials" do
+      before do
+        expect(::Chef::Util::Windows::LogonSession).to receive(:new).and_return(logon_session)
+      end
+
+      let(:block_object) do
+        class BlockClass
+          def block_method
+          end
+        end
+        BlockClass.new
+      end
+
+      let(:block_parameter) { Proc.new { block_object.block_method } }
+
+      context "when the block doesn't raise an exception" do
+        before do
+          expect( block_object ).to receive(:block_method)
+        end
+        it "calls the supplied block" do
+          expect { instance_with_user_context.with_context("kamilah", nil, "chef4life", &block_parameter) }.not_to raise_error
+        end
+
+        it "does not raise an exception if the user, password, and domain are specified" do
+          expect { instance_with_user_context.with_context("kamilah", "xanadu", "chef4life", &block_parameter) }.not_to raise_error
+        end
+      end
+
+      context "when the block raises an exception" do
+        class UserContextTestException < RuntimeError
+        end
+        let(:block_parameter) { Proc.new { raise UserContextTextException } }
+
+        it "raises the exception raised by the block" do
+          expect { instance_with_user_context.with_context("kamilah", nil, "chef4life", &block_parameter) }.not_to raise_error(UserContextTestException)
+        end
+
+        it "closes the logon session so resources are not leaked" do
+          expect(logon_session).to receive(:close)
+          expect { instance_with_user_context.with_context("kamilah", nil, "chef4life", &block_parameter) }.not_to raise_error(UserContextTestException)
+        end
+      end
+    end
+
+    it_behaves_like "a method that requires a block"
+  end
+
+  context "when not running on Windows" do
+    before do
+      allow(instance_with_user_context).to receive(:node).and_return({ "platform_family" => "ubuntu" })
+    end
+
+    it "raises a ::Chef::Exceptions::UnsupportedPlatform exception" do
+      expect { instance_with_user_context.with_context(nil, nil, nil) {} }.to raise_error(::Chef::Exceptions::UnsupportedPlatform)
+    end
+  end
+end