chef 15.17.4-universal-mingw32 → 16.0.257-universal-mingw32

data/lib/chef/resource/action_class.rb

@@ -29,42 +29,44 @@ class Chef
         "#{new_resource || "<no resource>"} action #{action ? action.inspect : "<no action>"}"
       end
 
-      #
-      # If load_current_value! is defined on the resource, use that.
-      #
-      def load_current_resource
+      def return_load_current_value
+        resource = nil
         if new_resource.respond_to?(:load_current_value!)
-          # dup the resource and then reset desired-state properties.
-          current_resource = new_resource.dup
+          resource = new_resource.class.new(new_resource.name, new_resource.run_context)
 
-          # We clear desired state in the copy, because it is supposed to be actual state.
-          # We keep identity properties and non-desired-state, which are assumed to be
-          # "control" values like `recurse: true`
-          current_resource.class.properties.each_value do |property|
-            if property.desired_state? && !property.identity? && !property.name_property?
-              property.reset(current_resource)
+          # copy the non-desired state, the identity properties and name property to the new resource
+          # (the desired state values must be loaded by load_current_value)
+          resource.class.properties.each_value do |property|
+            if !property.desired_state? || property.identity? || property.name_property?
+              property.set(resource, new_resource.send(property.name)) if new_resource.class.properties[property.name].is_set?(new_resource)
             end
           end
 
-          # Call the actual load_current_value! method. If it raises
-          # CurrentValueDoesNotExist, set current_resource to `nil`.
+          # we support optionally passing the new_resource as an arg to load_current_value and
+          # load_current_value can raise in order to clear the current_resource to nil
           begin
-            # If the user specifies load_current_value do |desired_resource|, we
-            # pass in the desired resource as well as the current one.
-            if current_resource.method(:load_current_value!).arity > 0
-              current_resource.load_current_value!(new_resource)
+            if resource.method(:load_current_value!).arity > 0
+              resource.load_current_value!(new_resource)
             else
-              current_resource.load_current_value!
+              resource.load_current_value!
             end
           rescue Chef::Exceptions::CurrentValueDoesNotExist
-            current_resource = nil
+            resource = nil
           end
         end
+        resource
+      end
+
+      # build the before state (current_resource)
+      def load_current_resource
+        @current_resource = return_load_current_value
+      end
 
-        @current_resource = current_resource
+      # build the after state (after_resource)
+      def load_after_resource
+        @after_resource = return_load_current_value
       end
 
-      # @todo: remove in Chef-15
       def self.include_resource_dsl?
         true
       end

data/lib/chef/resource/alternatives.rb

@@ -0,0 +1,149 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# Copyright:: 2016-2020, Virender Khatri
+#
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+
+class Chef
+  class Resource
+    class Alternatives < Chef::Resource
+      unified_mode true
+
+      provides(:alternatives) { true }
+
+      description "The alternatives resource allows for configuration of command alternatives in Linux using the alternatives or update-alternatives packages."
+      introduced "16.0"
+
+      property :link_name, String, name_property: true
+      property :link, String, default: lazy { |n| "/usr/bin/#{n.link_name}" }
+      property :path, String
+      property :priority, [String, Integer], coerce: proc { |n| n.to_i }
+
+      def define_resource_requirements
+        requirements.assert(:install) do |a|
+          a.assertion do
+            !new_resource.priority.nil?
+          end
+
+          a.failure_message("Could not set alternatives for #{new_resource.link_name}, you must provide the :priority property")
+        end
+
+        requirements.assert(:install, :set, :remove) do |a|
+          a.assertion do
+            !new_resource.path.nil?
+          end
+
+          a.failure_message("Could not set alternatives for #{new_resource.link_name}, you must provide the :path property")
+        end
+
+        requirements.assert(:install, :set, :remove) do |a|
+          a.assertion do
+            ::File.exist?(new_resource.path)
+          end
+
+          a.whyrun("Assuming file #{new_resource.path} already exists or was created already")
+          a.failure_message("Could not set alternatives for #{new_resource.link_name}, missing #{new_resource.path}")
+        end
+      end
+
+      action :install do
+        if path_priority != new_resource.priority
+          converge_by("adding alternative #{new_resource.link} #{new_resource.link_name} #{new_resource.path} #{new_resource.priority}") do
+            output = shell_out(alternatives_cmd, "--install", new_resource.link, new_resource.link_name, new_resource.path, new_resource.priority)
+            unless output.exitstatus == 0
+              raise "failed to add alternative #{new_resource.link} #{new_resource.link_name} #{new_resource.path} #{new_resource.priority}"
+            end
+          end
+        end
+      end
+
+      action :set do
+        if current_path != new_resource.path
+          converge_by("setting alternative #{new_resource.link_name} #{new_resource.path}") do
+            output = shell_out(alternatives_cmd, "--set", new_resource.link_name, new_resource.path)
+            unless output.exitstatus == 0
+              raise "failed to set alternative #{new_resource.link_name} #{new_resource.path} \n #{output.stdout.strip}"
+            end
+          end
+        end
+      end
+
+      action :remove do
+        if path_exists?
+          converge_by("removing alternative #{new_resource.link_name} #{new_resource.path}") do
+            shell_out(alternatives_cmd, "--remove", new_resource.link_name, new_resource.path)
+          end
+        end
+      end
+
+      action :auto do
+        converge_by("setting auto alternative #{new_resource.link_name}") do
+          shell_out(alternatives_cmd, "--auto", new_resource.link_name)
+        end
+      end
+
+      action :refresh do
+        converge_by("refreshing alternative #{new_resource.link_name}") do
+          shell_out(alternatives_cmd, "--refresh", new_resource.link_name)
+        end
+      end
+
+      action_class do
+        #
+        # @return [String] The appropriate alternatives command based on the platform
+        #
+        def alternatives_cmd
+          if debian?
+            "update-alternatives"
+          else
+            "alternatives"
+          end
+        end
+
+        #
+        # @return [Integer] The current path priority for the link_name alternative
+        #
+        def path_priority
+          # https://rubular.com/r/IcUlEU0mSNaMm3
+          escaped_path = Regexp.new(Regexp.escape("#{new_resource.path} - priority ") + "(.*)")
+          match = shell_out(alternatives_cmd, "--display", new_resource.link_name).stdout.match(escaped_path)
+
+          match.nil? ? nil : match[1].to_i
+        end
+
+        #
+        # @return [String] The current path for the link_name alternative
+        #
+        def current_path
+          # https://rubular.com/r/ylsuvzUtquRPqc
+          match = shell_out(alternatives_cmd, "--display", new_resource.link_name).stdout.match(/link currently points to (.*)/)
+          match[1]
+        end
+
+        #
+        # @return [Boolean] does the path exist for the link_name alternative
+        #
+        def path_exists?
+          # https://rubular.com/r/ogvDdq8h2IKRff
+          escaped_path = Regexp.new(Regexp.escape("#{new_resource.path} - priority"))
+          shell_out(alternatives_cmd, "--display", new_resource.link_name).stdout.match?(escaped_path)
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/apt_package.rb

@@ -21,7 +21,8 @@ require_relative "package"
 class Chef
   class Resource
     class AptPackage < Chef::Resource::Package
-      resource_name :apt_package
+      unified_mode true
+
       provides :apt_package, target_mode: true
       provides :package, platform_family: "debian", target_mode: true
 

data/lib/chef/resource/apt_preference.rb

@@ -22,7 +22,8 @@ class Chef
   class Resource
     # @since 13.3
     class AptPreference < Chef::Resource
-      resource_name :apt_preference
+      unified_mode true
+
       provides(:apt_preference) { true }
 
       description "The apt_preference resource allows for the creation of APT preference files. Preference files are used to control which package versions and sources are prioritized during installation."
@@ -42,11 +43,77 @@ class Chef
         required: true
 
       property :pin_priority, [String, Integer],
-        description: "Sets the Pin-Priority for a package.",
+        description: "Sets the Pin-Priority for a package. See <https://wiki.debian.org/AptPreferences> for more details.",
         required: true
 
       default_action :add
       allowed_actions :add, :remove
+
+      APT_PREFERENCE_DIR = "/etc/apt/preferences.d".freeze
+
+      action_class do
+        # Build preferences.d file contents
+        def build_pref(package_name, pin, pin_priority)
+          "Package: #{package_name}\nPin: #{pin}\nPin-Priority: #{pin_priority}\n"
+        end
+
+        def safe_name(name)
+          name.tr(".", "_").gsub("*", "wildcard")
+        end
+      end
+
+      action :add do
+        return unless debian?
+
+        preference = build_pref(
+          new_resource.glob || new_resource.package_name,
+          new_resource.pin,
+          new_resource.pin_priority
+        )
+
+        directory APT_PREFERENCE_DIR do
+          mode "0755"
+          action :create
+        end
+
+        sanitized_prefname = safe_name(new_resource.package_name)
+
+        # cleanup any existing pref files w/o the sanitized name (created by old apt cookbook)
+        if (sanitized_prefname != new_resource.package_name) && ::File.exist?("#{APT_PREFERENCE_DIR}/#{new_resource.package_name}.pref")
+          logger.warn "Replacing legacy #{new_resource.package_name}.pref with #{sanitized_prefname}.pref in #{APT_PREFERENCE_DIR}"
+          file "#{APT_PREFERENCE_DIR}/#{new_resource.package_name}.pref" do
+            action :delete
+          end
+        end
+
+        # cleanup any existing pref files without the .pref extension (created by old apt cookbook)
+        if ::File.exist?("#{APT_PREFERENCE_DIR}/#{new_resource.package_name}")
+          logger.warn "Replacing legacy #{new_resource.package_name} with #{sanitized_prefname}.pref in #{APT_PREFERENCE_DIR}"
+          file "#{APT_PREFERENCE_DIR}/#{new_resource.package_name}" do
+            action :delete
+          end
+        end
+
+        file "#{APT_PREFERENCE_DIR}/#{sanitized_prefname}.pref" do
+          mode "0644"
+          content preference
+          action :create
+        end
+      end
+
+      action :remove do
+        return unless debian?
+
+        sanitized_prefname = safe_name(new_resource.package_name)
+
+        if ::File.exist?("#{APT_PREFERENCE_DIR}/#{sanitized_prefname}.pref")
+          logger.info "Un-pinning #{sanitized_prefname} from #{APT_PREFERENCE_DIR}"
+          file "#{APT_PREFERENCE_DIR}/#{sanitized_prefname}.pref" do
+            action :delete
+          end
+        end
+      end
+
     end
   end
 end

data/lib/chef/resource/apt_repository.rb

@@ -17,11 +17,15 @@
 #
 
 require_relative "../resource"
+require_relative "../http/simple"
+require "tmpdir" unless defined?(Dir.mktmpdir)
+require "addressable" unless defined?(Addressable)
 
 class Chef
   class Resource
     class AptRepository < Chef::Resource
-      resource_name :apt_repository
+      unified_mode true
+
       provides(:apt_repository) { true }
 
       description "Use the apt_repository resource to specify additional APT repositories. Adding a new repository will update the APT package cache immediately."
@@ -111,12 +115,12 @@ class Chef
         description: "The base of the Debian distribution."
 
       property :distribution, [ String, nil, FalseClass ],
-        description: "Usually a distribution's codename, such as trusty, xenial or bionic. Default value: the codename of the node's distro.",
-        default: lazy { node["lsb"]["codename"] }, default_description: "The LSB codename of the host such as 'bionic'."
+        description: "Usually a distribution's codename, such as xenial, bionic, or focal.",
+        default: lazy { node["lsb"]["codename"] }, default_description: "The LSB codename of the node such as 'focal'."
 
       property :components, Array,
         description: "Package groupings, such as 'main' and 'stable'.",
-        default: lazy { [] }
+        default: lazy { [] }, default_description: "'main' if using a PPA repository."
 
       property :arch, [String, nil, FalseClass],
         description: "Constrain packages to a particular CPU architecture such as 'i386' or 'amd64'."
@@ -138,7 +142,7 @@ class Chef
         default: lazy { [] }, coerce: proc { |x| x ? Array(x) : x }
 
       property :key_proxy, [String, nil, FalseClass],
-        description: "If set, a specified proxy is passed to GPG via http-proxy=."
+        description: "If set, a specified proxy is passed to GPG via `http-proxy=`."
 
       property :cookbook, [String, nil, FalseClass],
         description: "If key should be a cookbook_file, specify a cookbook where the key is located for files/default. Default value is nil, so it will use the cookbook where the resource is used.",
@@ -150,6 +154,334 @@ class Chef
 
       default_action :add
       allowed_actions :add, :remove
+
+      action_class do
+        LIST_APT_KEY_FINGERPRINTS = %w{apt-key adv --list-public-keys --with-fingerprint --with-colons}.freeze
+
+        # is the provided ID a key ID from a keyserver. Looks at length and HEX only values
+        # @param [String] id the key value passed by the user that *may* be an ID
+        def is_key_id?(id)
+          id = id[2..-1] if id.start_with?("0x")
+          id =~ /^\h+$/ && [8, 16, 40].include?(id.length)
+        end
+
+        # run the specified command and extract the fingerprints from the output
+        # accepts a command so it can be used to extract both the current key's fingerprints
+        # and the fingerprint of the new key
+        # @param [Array<String>] cmd the command to run
+        #
+        # @return [Array] an array of fingerprints
+        def extract_fingerprints_from_cmd(*cmd)
+          so = shell_out(*cmd)
+          so.stdout.split(/\n/).map do |t|
+            if z = t.match(/^fpr:+([0-9A-F]+):/)
+              z[1].split.join
+            end
+          end.compact
+        end
+
+        # validate the key against the apt keystore to see if that version is expired
+        # @param [String] key
+        #
+        # @return [Boolean] is the key valid or not
+        def key_is_valid?(key)
+          valid = true
+
+          so = shell_out("apt-key", "list")
+          so.stdout.split(/\n/).map do |t|
+            if t =~ %r{^\/#{key}.*\[expired: .*\]$}
+              logger.debug "Found expired key: #{t}"
+              valid = false
+              break
+            end
+          end
+
+          logger.debug "key #{key} #{valid ? "is valid" : "is not valid"}"
+          valid
+        end
+
+        # return the specified cookbook name or the cookbook containing the
+        # resource.
+        #
+        # @return [String] name of the cookbook
+        def cookbook_name
+          new_resource.cookbook || new_resource.cookbook_name
+        end
+
+        # determine if a cookbook file is available in the run
+        # @param [String] fn the path to the cookbook file
+        #
+        # @return [Boolean] cookbook file exists or doesn't
+        def has_cookbook_file?(fn)
+          run_context.has_cookbook_file_in_cookbook?(cookbook_name, fn)
+        end
+
+        # determine if there are any new keys by comparing the fingerprints of installed
+        # keys to those of the passed file
+        # @param [String] file the keyfile of the new repository
+        #
+        # @return [Boolean] true: no new keys in the file. false: there are new keys
+        def no_new_keys?(file)
+          # Now we are using the option --with-colons that works across old os versions
+          # as well as the latest (16.10). This for both `apt-key` and `gpg` commands
+          installed_keys = extract_fingerprints_from_cmd(*LIST_APT_KEY_FINGERPRINTS)
+          proposed_keys = extract_fingerprints_from_cmd("gpg", "--with-fingerprint", "--with-colons", file)
+          (installed_keys & proposed_keys).sort == proposed_keys.sort
+        end
+
+        # Given the provided key URI determine what kind of chef resource we need
+        # to fetch the key
+        # @param [String] uri the uri of the gpg key (local path or http URL)
+        #
+        # @raise [Chef::Exceptions::FileNotFound] Key isn't remote or found in the current run
+        #
+        # @return [Symbol] :remote_file or :cookbook_file
+        def key_type(uri)
+          if uri.start_with?("http")
+            :remote_file
+          elsif has_cookbook_file?(uri)
+            :cookbook_file
+          else
+            raise Chef::Exceptions::FileNotFound, "Cannot locate key file: #{uri}"
+          end
+        end
+
+        # Fetch the key using either cookbook_file or remote_file, validate it,
+        # and install it with apt-key add
+        # @param [String] key the key to install
+        #
+        # @raise [RuntimeError] Invalid key which can't verify the apt repository
+        #
+        # @return [void]
+        def install_key_from_uri(key)
+          key_name = key.gsub(/[^0-9A-Za-z\-]/, "_")
+          cached_keyfile = ::File.join(Chef::Config[:file_cache_path], key_name)
+          tmp_dir = Dir.mktmpdir(".gpg")
+          at_exit { FileUtils.remove_entry(tmp_dir) }
+
+          declare_resource(key_type(key), cached_keyfile) do
+            source key
+            mode "0644"
+            sensitive new_resource.sensitive
+            action :create
+            verify "gpg --homedir #{tmp_dir} %{path}"
+          end
+
+          execute "apt-key add #{cached_keyfile}" do
+            command [ "apt-key", "add", cached_keyfile ]
+            default_env true
+            sensitive new_resource.sensitive
+            action :run
+            not_if { no_new_keys?(cached_keyfile) }
+            notifies :run, "execute[apt-cache gencaches]", :immediately
+          end
+        end
+
+        # build the apt-key command to install the keyserver
+        # @param [String] key the key to install
+        # @param [String] keyserver the key server to use
+        #
+        # @return [String] the full apt-key command to run
+        def keyserver_install_cmd(key, keyserver)
+          cmd = "apt-key adv --no-tty --recv"
+          cmd << " --keyserver-options http-proxy=#{new_resource.key_proxy}" if new_resource.key_proxy
+          cmd << " --keyserver "
+          cmd << if keyserver.start_with?("hkp://")
+                   keyserver
+                 else
+                   "hkp://#{keyserver}:80"
+                 end
+
+          cmd << " #{key}"
+          cmd
+        end
+
+        # @param [String] key
+        # @param [String] keyserver
+        #
+        # @raise [RuntimeError] Invalid key which can't verify the apt repository
+        #
+        # @return [void]
+        def install_key_from_keyserver(key, keyserver = new_resource.keyserver)
+          execute "install-key #{key}" do
+            command keyserver_install_cmd(key, keyserver)
+            default_env true
+            sensitive new_resource.sensitive
+            not_if do
+              present = extract_fingerprints_from_cmd(*LIST_APT_KEY_FINGERPRINTS).any? do |fp|
+                fp.end_with? key.upcase
+              end
+              present && key_is_valid?(key.upcase)
+            end
+            notifies :run, "execute[apt-cache gencaches]", :immediately
+          end
+
+          raise "The key #{key} is invalid and cannot be used to verify an apt repository." unless key_is_valid?(key.upcase)
+        end
+
+        # @param [String] owner
+        # @param [String] repo
+        #
+        # @raise [RuntimeError] Could not access the Launchpad PPA API
+        #
+        # @return [void]
+        def install_ppa_key(owner, repo)
+          url = "https://launchpad.net/api/1.0/~#{owner}/+archive/#{repo}"
+          key_id = Chef::HTTP::Simple.new(url).get("signing_key_fingerprint").delete('"')
+          install_key_from_keyserver(key_id, "keyserver.ubuntu.com")
+        rescue Net::HTTPClientException => e
+          raise "Could not access Launchpad ppa API: #{e.message}"
+        end
+
+        # determine if the repository URL is a PPA
+        # @param [String] url the url of the repository
+        #
+        # @return [Boolean] is the repo URL a PPA
+        def is_ppa_url?(url)
+          url.start_with?("ppa:")
+        end
+
+        # determine the repository's components:
+        #  - "components" property if defined
+        #  - "main" if "components" not defined and the repo is a PPA URL
+        #  - otherwise nothing
+        #
+        # @return [String] the repository component
+        def repo_components
+          if is_ppa_url?(new_resource.uri) && new_resource.components.empty?
+            "main"
+          else
+            new_resource.components
+          end
+        end
+
+        # given a PPA return a PPA URL in http://ppa.launchpad.net format
+        # @param [String] ppa the ppa URL
+        #
+        # @return [String] full PPA URL
+        def make_ppa_url(ppa)
+          owner, repo = ppa[4..-1].split("/")
+          repo ||= "ppa"
+
+          install_ppa_key(owner, repo)
+          "http://ppa.launchpad.net/#{owner}/#{repo}/ubuntu"
+        end
+
+        # build complete repo text that will be written to the config
+        # @param [String] uri
+        # @param [Array] components
+        # @param [Boolean] trusted
+        # @param [String] arch
+        # @param [Boolean] add_src
+        #
+        # @return [String] complete repo config text
+        def build_repo(uri, distribution, components, trusted, arch, add_src = false)
+          uri = make_ppa_url(uri) if is_ppa_url?(uri)
+
+          uri = Addressable::URI.parse(uri)
+          components = Array(components).join(" ")
+          options = []
+          options << "arch=#{arch}" if arch
+          options << "trusted=yes" if trusted
+          optstr = unless options.empty?
+                     "[" + options.join(" ") + "]"
+                   end
+          info = [ optstr, uri.normalize.to_s, distribution, components ].compact.join(" ")
+          repo =  "deb      #{info}\n"
+          repo << "deb-src  #{info}\n" if add_src
+          repo
+        end
+
+        # clean up a potentially legacy file from before we fixed the usage of
+        # new_resource.name vs. new_resource.repo_name. We might have the
+        # name.list file hanging around and need to clean it up.
+        #
+        # @return [void]
+        def cleanup_legacy_file!
+          legacy_path = "/etc/apt/sources.list.d/#{new_resource.name}.list"
+          if new_resource.name != new_resource.repo_name && ::File.exist?(legacy_path)
+            converge_by "Cleaning up legacy #{legacy_path} repo file" do
+              file legacy_path do
+                action :delete
+                # Not triggering an update since it isn't super likely to be needed.
+              end
+            end
+          end
+        end
+      end
+
+      action :add do
+        return unless debian?
+
+        execute "apt-cache gencaches" do
+          command %w{apt-cache gencaches}
+          default_env true
+          ignore_failure true
+          action :nothing
+        end
+
+        apt_update new_resource.name do
+          ignore_failure true
+          action :nothing
+        end
+
+        if new_resource.key.nil?
+          logger.debug "No 'key' property specified skipping key import"
+        else
+          new_resource.key.each do |k|
+            if is_key_id?(k) && !has_cookbook_file?(k)
+              install_key_from_keyserver(k)
+            else
+              install_key_from_uri(k)
+            end
+          end
+        end
+
+        cleanup_legacy_file!
+
+        repo = build_repo(
+          new_resource.uri,
+          new_resource.distribution,
+          repo_components,
+          new_resource.trusted,
+          new_resource.arch,
+          new_resource.deb_src
+        )
+
+        file "/etc/apt/sources.list.d/#{new_resource.repo_name}.list" do
+          owner "root"
+          group "root"
+          mode "0644"
+          content repo
+          sensitive new_resource.sensitive
+          action :create
+          notifies :run, "execute[apt-cache gencaches]", :immediately
+          notifies :update, "apt_update[#{new_resource.name}]", :immediately if new_resource.cache_rebuild
+        end
+      end
+
+      action :remove do
+        return unless debian?
+
+        cleanup_legacy_file!
+        if ::File.exist?("/etc/apt/sources.list.d/#{new_resource.repo_name}.list")
+          converge_by "Removing #{new_resource.repo_name} repository from /etc/apt/sources.list.d/" do
+            apt_update new_resource.name do
+              ignore_failure true
+              action :nothing
+            end
+
+            file "/etc/apt/sources.list.d/#{new_resource.repo_name}.list" do
+              sensitive new_resource.sensitive
+              action :delete
+              notifies :update, "apt_update[#{new_resource.name}]", :immediately if new_resource.cache_rebuild
+            end
+          end
+        else
+          logger.trace("/etc/apt/sources.list.d/#{new_resource.repo_name}.list does not exist. Nothing to do")
+        end
+      end
+
     end
   end
 end