chef 14.6.47 → 14.7.17

data/lib/chef/resource/sudo.rb

@@ -37,17 +37,17 @@ class Chef
       # acording to the sudo man pages sudo will ignore files in an include dir that have a `.` or `~`
       # We convert either to `__`
       property :filename, String,
-               description: "The name of the sudoers.d file.",
+               description: "The name of the sudoers.d file, if it differs from the name of the resource block",
                name_property: true,
                coerce: proc { |x| x.gsub(/[\.~]/, "__") }
 
       property :users, [String, Array],
-               description: "User(s) to provide sudo privileges to. This accepts either an array or a comma separated.",
+               description: "User(s) to provide sudo privileges to. This property accepts either an array or a comma separated list.",
                default: lazy { [] },
                coerce: proc { |x| x.is_a?(Array) ? x : x.split(/\s*,\s*/) }
 
       property :groups, [String, Array],
-               description: "Group(s) to provide sudo privileges to. This accepts either an array or a comma separated list. Leading % on group names is optional.",
+               description: "Group(s) to provide sudo privileges to. This property accepts either an array or a comma separated list. Leading % on group names is optional.",
                default: lazy { [] },
                coerce: proc { |x| coerce_groups(x) }
 
@@ -72,10 +72,10 @@ class Chef
                default: false
 
       property :template, String,
-               description: "The name of the erb template in your cookbook if you wish to supply your own template."
+               description: "The name of the erb template in your cookbook, if you wish to supply your own template."
 
       property :variables, [Hash, nil],
-               description: "The variables to pass to the custom template. Ignored if not using a custom template.",
+               description: "The variables to pass to the custom template. This property is ignored if not using a custom template.",
                default: nil
 
       property :defaults, Array,
@@ -99,15 +99,15 @@ class Chef
                default: lazy { [] }
 
       property :visudo_path, String,
-               description: "Deprecated property. Do not use."
+               deprecated: true
 
       property :visudo_binary, String,
                description: "The path to visudo for configuration verification.",
                default: "/usr/sbin/visudo"
 
       property :config_prefix, String,
-               description: "The directory that contains the sudoers configuration file",
-               default: lazy { platform_config_prefix }
+               description: "The directory that contains the sudoers configuration file.",
+               default: lazy { platform_config_prefix }, default_description: "Prefix values based on the node's platform"
 
       # handle legacy cookbook property
       def after_created

data/lib/chef/resource/swap_file.rb

@@ -27,7 +27,7 @@ class Chef
       introduced "14.0"
 
       property :path, String,
-               description: "The path to put the swap file on the system.",
+               description: "The path where the swap file will be created on the system, if it differs from the resource block name.",
                name_property: true
 
       property :size, Integer,

data/lib/chef/resource/sysctl.rb

@@ -24,7 +24,7 @@ class Chef
       provides(:sysctl) { true }
       provides(:sysctl_param) { true }
 
-      description "Use the sysctl resource to set kernel parameters using the sysctl"\
+      description "Use the sysctl resource to set or remove kernel parameters using the sysctl"\
                   " command line tool and configuration files in the system's sysctl.d directory. "\
                   "Configuration files managed by this resource are named 99-chef-KEYNAME.conf. If"\
                   " an existing value was already set for the value it will be backed up to the node"\
@@ -33,7 +33,7 @@ class Chef
       introduced "14.0"
 
       property :key, String,
-               description: "The kernel parameter key in dotted format.",
+               description: "The kernel parameter key in dotted format, if it differs from the resource block name.",
                name_property: true
 
       property :ignore_error, [TrueClass, FalseClass],

data/lib/chef/resource/systemd_unit.rb

@@ -38,22 +38,30 @@ class Chef
                       :reload_or_try_restart
 
       # Internal provider-managed properties
-      property :enabled, [TrueClass, FalseClass]
-      property :active, [TrueClass, FalseClass]
-      property :masked, [TrueClass, FalseClass]
-      property :static, [TrueClass, FalseClass]
+      property :enabled, [TrueClass, FalseClass], skip_docs: true
+      property :active, [TrueClass, FalseClass], skip_docs: true
+      property :masked, [TrueClass, FalseClass], skip_docs: true
+      property :static, [TrueClass, FalseClass], skip_docs: true
 
       # User-provided properties
-      property :user, String, desired_state: false
-      property :content, [String, Hash]
+      property :user, String, desired_state: false,
+               description: "The user account that the systemd unit process is run under. The path to the unit for that user would be something like '/etc/systemd/user/sshd.service'. If no user account is specified, the systemd unit will run under a 'system' account, with the path to the unit being something like '/etc/systemd/system/sshd.service'."
+
+      property :content, [String, Hash],
+                description: "A string or hash that contains a systemd `unit file <https://www.freedesktop.org/software/systemd/man/systemd.unit.html>`_ definition that describes the properties of systemd-managed entities, such as services, sockets, devices, and so on. In Chef 14.4 or later, repeatable options can be implemented with an array."
+
       property :triggers_reload, [TrueClass, FalseClass],
-                                 default: true, desired_state: false
+               description: "Specifies whether to trigger a daemon reload when creating or deleting a unit.",
+               default: true, desired_state: false
+
       property :verify, [TrueClass, FalseClass],
-                        default: true, desired_state: false
+               default: true, desired_state: false,
+               description: "Specifies if the unit will be verified before installation. Systemd can be overly strict when verifying units, so in certain cases it is preferable not to verify the unit."
+
       property :unit_name, String, desired_state: false,
-                                   identity: true,
-                                   name_property: true,
-                                   introduced: "13.7"
+               identity: true, name_property: true,
+               description: "The name of the unit file if it differs from the resource block name.",
+               introduced: "13.7"
 
       def to_ini
         case content

data/lib/chef/resource/timezone.rb

@@ -25,7 +25,7 @@ class Chef
       preview_resource true
       resource_name :timezone
 
-      description "Use the timezone resource to change the system timezone."
+      description "Use the timezone resource to change the system timezone on Linux and macOS hosts. Timezones are specified in tz database format, with a complete list of available TZ values here https://en.wikipedia.org/wiki/List_of_tz_database_time_zones."
       introduced "14.6"
 
       property :timezone, String,
@@ -35,12 +35,15 @@ class Chef
       action :set do
         description "Set the timezone."
 
-        package "tzdata" do
-          package_name platform_family?("suse") ? "timezone" : "tzdata"
+        # some linux systems may be missing the timezone data
+        if node["os"] == "linux"
+          package "tzdata" do
+            package_name platform_family?("suse") ? "timezone" : "tzdata"
+          end
         end
 
+        # Modern Amazon, Fedora, RHEL, Ubuntu & Debian
         if node["init_package"] == "systemd"
-          # Modern Amazon, Fedora, CentOS, RHEL, Ubuntu & Debian
           cmd_set_tz = "/usr/bin/timedatectl --no-ask-password set-timezone #{new_resource.timezone}"
 
           cmd_check_if_set = "/usr/bin/timedatectl status"
@@ -51,38 +54,63 @@ class Chef
             action :run
             not_if cmd_check_if_set
           end
-        elsif platform_family?("rhel", "amazon")
-          # Old version of RHEL & CentOS
-          file "/etc/sysconfig/clock" do
-            owner "root"
-            group "root"
-            mode "0644"
-            action :create
-            content %{ZONE="#{new_resource.timezone}"\nUTC="true"\n}
-          end
+        else
+          case node["platform_family"]
+          # Old version of RHEL < 7 and Amazon 201X
+          when "rhel", "amazon"
+            file "/etc/sysconfig/clock" do
+              owner "root"
+              group "root"
+              mode "0644"
+              action :create
+              content %{ZONE="#{new_resource.timezone}"\nUTC="true"\n}
+            end
 
-          execute "tzdata-update" do
-            command "/usr/sbin/tzdata-update"
-            action :nothing
-            only_if { ::File.executable?("/usr/sbin/tzdata-update") }
-            subscribes :run, "file[/etc/sysconfig/clock]", :immediately
-          end
+            execute "tzdata-update" do
+              command "/usr/sbin/tzdata-update"
+              action :nothing
+              only_if { ::File.executable?("/usr/sbin/tzdata-update") }
+              subscribes :run, "file[/etc/sysconfig/clock]", :immediately
+            end
 
-          link "/etc/localtime" do
-            to "/usr/share/zoneinfo/#{new_resource.timezone}"
-            not_if { ::File.executable?("/usr/sbin/tzdata-update") }
-          end
-        elsif platform_family?("debian")
-          file "/etc/timezone" do
-            action :create
-            content "#{new_resource.timezone}\n"
+            link "/etc/localtime" do
+              to "/usr/share/zoneinfo/#{new_resource.timezone}"
+              not_if { ::File.executable?("/usr/sbin/tzdata-update") }
+            end
+          # debian < 8 and Ubuntu < 16.04
+          when "debian"
+            file "/etc/timezone" do
+              action :create
+              content "#{new_resource.timezone}\n"
+            end
+
+            bash "dpkg-reconfigure tzdata" do
+              user "root"
+              code "/usr/sbin/dpkg-reconfigure -f noninteractive tzdata"
+              action :nothing
+              subscribes :run, "file[/etc/timezone]", :immediately
+            end
+          when "mac_os_x"
+            unless current_darwin_tz == new_resource.timezone
+              converge_by("set timezone to #{new_resource.timezone}") do
+                shell_out!("sudo systemsetup -settimezone #{new_resource.timezone}")
+              end
+            end
           end
+        end
+      end
 
-          bash "dpkg-reconfigure tzdata" do
-            user "root"
-            code "/usr/sbin/dpkg-reconfigure -f noninteractive tzdata"
-            action :nothing
-            subscribes :run, "file[/etc/timezone]", :immediately
+      action_class do
+        # detect the current TZ on darwin hosts
+        #
+        # @since 14.7
+        # @return [String] TZ database value
+        def current_darwin_tz
+          tz_shellout = shell_out!("systemsetup -gettimezone")
+          if /You need administrator access/.match?(tz_shellout.stdout)
+            raise "The timezone resource requires adminstrative priveleges to run on macOS hosts!"
+          else
+            /Time Zone: (.*)/.match(tz_shellout.stdout)[1]
           end
         end
       end

data/lib/chef/resource/windows_ad_join.rb

@@ -58,7 +58,7 @@ class Chef
 
       # define this again so we can default it to true. Otherwise failures print the password
       property :sensitive, [TrueClass, FalseClass],
-               default: true
+               default: true, desired_state: false
 
       action :join do
         description "Join the Active Directory domain."

data/lib/chef/resource/windows_auto_run.rb

@@ -28,7 +28,7 @@ class Chef
       introduced "14.0"
 
       property :program_name, String,
-               description: "The name of the program to run at login if different from the resource name.",
+               description: "The name of the program to run at login, if it differs from the resource block name.",
                name_property: true
 
       property :path, String,

data/lib/chef/resource/windows_certificate.rb

@@ -0,0 +1,269 @@
+#
+# Author:: Richard Lavey (richard.lavey@calastone.com)
+#
+# Copyright:: 2015-2017, Calastone Ltd.
+# Copyright:: 2018, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "chef/resource"
+require "win32-certstore" if Chef::Platform.windows?
+require "openssl"
+
+class Chef
+  class Resource
+    class WindowsCertificate < Chef::Resource
+      preview_resource true
+      resource_name :windows_certificate
+
+      description "Use the windows_certificate resource to install a certificate into the Windows certificate store from a file. The resource grants read-only access to the private key for designated accounts. Due to current limitations in WinRM, installing certificates remotely may not work if the operation requires a user profile. Operations on the local machine store should still work."
+      introduced "14.7"
+
+      property :source, String,
+               description: "The source file (for create and acl_add), thumbprint (for delete and acl_add) or subject (for delete).",
+               name_property: true
+
+      property :pfx_password, String,
+               description: "The password to access the source if it is a pfx file."
+
+      property :private_key_acl, Array,
+               description: "An array of 'domain\account' entries to be granted read-only access to the certificate's private key. Not idempotent."
+
+      property :store_name, String,
+               description: "The certificate store to manipulate.",
+               default: "MY", equal_to: ["TRUSTEDPUBLISHER", "TrustedPublisher", "CLIENTAUTHISSUER", "REMOTE DESKTOP", "ROOT", "TRUSTEDDEVICES", "WEBHOSTING", "CA", "AUTHROOT", "TRUSTEDPEOPLE", "MY", "SMARTCARDROOT", "TRUST", "DISALLOWED"]
+
+      property :user_store, [TrueClass, FalseClass],
+               description: "Use the user store of the local machine store if set to false.",
+               default: false
+
+      property :cert_path, String,
+               description: ""
+
+      # lazy used to set default value of sensitive to true if password is set
+      property :sensitive, [ TrueClass, FalseClass ],
+               description: "Ensure that sensitive resource data is not logged by the chef-client.",
+               default: lazy { |r| r.pfx_password ? true : false }, skip_docs: true
+
+      action :create do
+        description "Creates or updates a certificate."
+
+        add_cert(OpenSSL::X509::Certificate.new(raw_source))
+      end
+
+      # acl_add is a modify-if-exists operation : not idempotent
+      action :acl_add do
+        description "Adds read-only entries to a certificate's private key ACL."
+
+        if ::File.exist?(new_resource.source)
+          hash = "$cert.GetCertHashString()"
+          code_script = cert_script(false)
+          guard_script = cert_script(false)
+        else
+          # make sure we have no spaces in the hash string
+          hash = "\"#{new_resource.source.gsub(/\s/, '')}\""
+          code_script = ""
+          guard_script = ""
+        end
+        code_script << acl_script(hash)
+        guard_script << cert_exists_script(hash)
+
+        powershell_script "setting the acls on #{new_resource.source} in #{cert_location}\\#{new_resource.store_name}" do
+          guard_interpreter :powershell_script
+          convert_boolean_return true
+          code code_script
+          only_if guard_script
+          sensitive if new_resource.sensitive
+        end
+      end
+
+      action :delete do
+        description "Deletes a certificate."
+
+        delete_cert
+      end
+
+      action :fetch do
+        description "Fetches a certificate."
+
+        cert_obj = fetch_cert
+        if cert_obj
+          show_or_store_cert(cert_obj)
+        else
+          Chef::Log.info("Certificate not found")
+        end
+      end
+
+      action :verify do
+        description ""
+
+        out = verify_cert
+        if !!out == out
+          out = out ? "Certificate is valid" : "Certificate not valid"
+        end
+        Chef::Log.info(out.to_s)
+      end
+
+      action_class do
+        def add_cert(cert_obj)
+          store = ::Win32::Certstore.open(new_resource.store_name)
+          store.add(cert_obj)
+        end
+
+        def delete_cert
+          store = ::Win32::Certstore.open(new_resource.store_name)
+          store.delete(new_resource.source)
+        end
+
+        def fetch_cert
+          store = ::Win32::Certstore.open(new_resource.store_name)
+          store.get(new_resource.source)
+        end
+
+        def verify_cert
+          store = ::Win32::Certstore.open(new_resource.store_name)
+          store.valid?(new_resource.source)
+        end
+
+        def show_or_store_cert(cert_obj)
+          if new_resource.cert_path
+            export_cert(cert_obj, new_resource.cert_path)
+            if ::File.size(new_resource.cert_path) > 0
+              Chef::Log.info("Certificate export in #{new_resource.cert_path}")
+            else
+              ::File.delete(new_resource.cert_path)
+            end
+          else
+            Chef::Log.info(cert_obj.display)
+          end
+        end
+
+        def export_cert(cert_obj, cert_path)
+          out_file = ::File.new(cert_path, "w+")
+          case ::File.extname(cert_path)
+          when ".pem"
+            out_file.puts(cert_obj.to_pem)
+          when ".der"
+            out_file.puts(cert_obj.to_der)
+          when ".cer"
+            cert_out = powershell_out("openssl x509 -text -inform DER -in #{cert_obj.to_pem} -outform CER").stdout
+            out_file.puts(cert_out)
+          when ".crt"
+            cert_out = powershell_out("openssl x509 -text -inform DER -in #{cert_obj.to_pem} -outform CRT").stdout
+            out_file.puts(cert_out)
+          when ".pfx"
+            cert_out = powershell_out("openssl pkcs12 -export -nokeys -in #{cert_obj.to_pem} -outform PFX").stdout
+            out_file.puts(cert_out)
+          when ".p7b"
+            cert_out = powershell_out("openssl pkcs7 -export -nokeys -in #{cert_obj.to_pem} -outform P7B").stdout
+            out_file.puts(cert_out)
+          else
+            Chef::Log.info("Supported certificate format .pem, .der, .cer, .crt, .pfx and .p7b")
+          end
+          out_file.close
+        end
+
+        def cert_location
+          @location ||= new_resource.user_store ? "CurrentUser" : "LocalMachine"
+        end
+
+        def cert_script(persist)
+          cert_script = "$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2"
+          file = win_friendly_path(new_resource.source)
+          cert_script << " \"#{file}\""
+          if ::File.extname(file.downcase) == ".pfx"
+            cert_script << ", \"#{new_resource.pfx_password}\""
+            if persist && new_resource.user_store
+              cert_script << ", ([System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet)"
+            elsif persist
+              cert_script << ", ([System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeyset)"
+            end
+          end
+          cert_script << "\n"
+        end
+
+        def cert_exists_script(hash)
+          <<-EOH
+  $hash = #{hash}
+  Test-Path "Cert:\\#{cert_location}\\#{new_resource.store_name}\\$hash"
+        EOH
+        end
+
+        def within_store_script
+          inner_script = yield "$store"
+          <<-EOH
+  $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "#{new_resource.store_name}", ([System.Security.Cryptography.X509Certificates.StoreLocation]::#{cert_location})
+  $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
+  #{inner_script}
+  $store.Close()
+        EOH
+        end
+
+        def acl_script(hash)
+          return "" if new_resource.private_key_acl.nil? || new_resource.private_key_acl.empty?
+          # this PS came from http://blogs.technet.com/b/operationsguy/archive/2010/11/29/provide-access-to-private-keys-commandline-vs-powershell.aspx
+          # and from https://msdn.microsoft.com/en-us/library/windows/desktop/bb204778(v=vs.85).aspx
+          set_acl_script = <<-EOH
+  $hash = #{hash}
+  $storeCert = Get-ChildItem "cert:\\#{cert_location}\\#{new_resource.store_name}\\$hash"
+  if ($storeCert -eq $null) { throw 'no key exists.' }
+  $keyname = $storeCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
+  if ($keyname -eq $null) { throw 'no private key exists.' }
+  if ($storeCert.PrivateKey.CspKeyContainerInfo.MachineKeyStore)
+  {
+    $fullpath = "$Env:ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\$keyname"
+  }
+  else
+  {
+    $currentUser = New-Object System.Security.Principal.NTAccount($Env:UserDomain, $Env:UserName)
+    $userSID = $currentUser.Translate([System.Security.Principal.SecurityIdentifier]).Value
+    $fullpath = "$Env:ProgramData\\Microsoft\\Crypto\\RSA\\$userSID\\$keyname"
+  }
+        EOH
+          new_resource.private_key_acl.each do |name|
+            set_acl_script << "$uname='#{name}'; icacls $fullpath /grant $uname`:RX\n"
+          end
+          set_acl_script
+        end
+
+        def raw_source
+          ext = ::File.extname(new_resource.source)
+          convert_pem(ext, new_resource.source)
+        end
+
+        def convert_pem(ext, source)
+          out = case ext
+                when ".crt", ".der"
+                  powershell_out("openssl x509 -text -inform DER -in #{source} -outform PEM").stdout
+                when ".cer"
+                  powershell_out("openssl x509 -text -inform DER -in #{source} -outform PEM").stdout
+                when ".pfx"
+                  powershell_out("openssl pkcs12 -in #{source} -nodes -passin pass:#{new_resource.pfx_password}").stdout
+                when ".p7b"
+                  powershell_out("openssl pkcs7 -print_certs -in #{source} -outform PEM").stdout
+                end
+          out = ::File.read(source) if out.nil? || out.empty?
+          format_raw_out(out)
+        end
+
+        def format_raw_out(out)
+          begin_cert = "-----BEGIN CERTIFICATE-----"
+          end_cert = "-----END CERTIFICATE-----"
+          begin_cert + out[/#{begin_cert}(.*?)#{end_cert}/m, 1] + end_cert
+        end
+      end
+
+    end
+  end
+end