chef 15.2.20 → 15.3.14

data/lib/chef/providers.rb

@@ -107,6 +107,7 @@ require_relative "provider/service/aix"
 require_relative "provider/user/aix"
 require_relative "provider/user/dscl"
 require_relative "provider/user/linux"
+require_relative "provider/user/mac"
 require_relative "provider/user/pw"
 require_relative "provider/user/solaris"
 require_relative "provider/user/windows"

data/lib/chef/resource.rb

@@ -182,7 +182,7 @@ class Chef
           { action: { kind_of: Symbol, equal_to: allowed_actions } }
         )
         # the resource effectively sends a delayed notification to itself
-        run_context.add_delayed_action(Notification.new(self, action, self))
+        run_context.add_delayed_action(Notification.new(self, action, self, run_context.unified_mode))
       end
     end
 
@@ -453,7 +453,6 @@ class Chef
     #
     attr_reader :elapsed_time
 
-    #
     # @return [Boolean] If the resource was executed by the runner
     #
     attr_accessor :executed_by_runner
@@ -985,6 +984,16 @@ class Chef
       resource_name automatic_name
     end
 
+    # If the resource's action should run in separated compile/converge mode.
+    #
+    # @param flag [Boolean] value to set unified_mode to
+    # @return [Boolean] unified_mode value
+    def self.unified_mode(flag = nil)
+      @unified_mode = Chef::Config[:resource_unified_mode_default] if @unified_mode.nil?
+      @unified_mode = flag unless flag.nil?
+      !!@unified_mode
+    end
+
     #
     # The list of allowed actions for the resource.
     #
@@ -1038,7 +1047,6 @@ class Chef
       default_action action_name
     end
 
-    #
     # Define an action on this resource.
     #
     # The action is defined as a *recipe* block that will be compiled and then
@@ -1076,7 +1084,6 @@ class Chef
       default_action action if Array(default_action) == [:nothing]
     end
 
-    #
     # Define a method to load up this resource's properties with the current
     # actual values.
     #
@@ -1087,7 +1094,6 @@ class Chef
       define_method(:load_current_value!, &load_block)
     end
 
-    #
     # Call this in `load_current_value` to indicate that the value does not
     # exist and that `current_resource` should therefore be `nil`.
     #
@@ -1097,7 +1103,6 @@ class Chef
       raise Chef::Exceptions::CurrentValueDoesNotExist
     end
 
-    #
     # Get the current actual value of this resource.
     #
     # This does not cache--a new value will be returned each time.
@@ -1154,7 +1159,6 @@ class Chef
       end
     end
 
-    #
     # Ensure the action class actually gets created. This is called
     # when the user does `action :x do ... end`.
     #
@@ -1211,22 +1215,27 @@ class Chef
     # @return [Chef::RunContext] The run context for this Resource.  This is
     # where the context for the current Chef run is stored, including the node
     # and the resource collection.
+    #
     attr_accessor :run_context
 
     # @return [Mixlib::Log::Child] The logger for this resources. This is a child
     # of the run context's logger, if one exists.
+    #
     attr_reader :logger
 
     # @return [String] The cookbook this resource was declared in.
+    #
     attr_accessor :cookbook_name
 
     # @return [String] The recipe this resource was declared in.
+    #
     attr_accessor :recipe_name
 
     # @return [Chef::Provider] The provider this resource was declared in (if
     #   it was declared in an LWRP).  When you call methods that do not exist
     #   on this Resource, Chef will try to call the method on the provider
     #   as well before giving up.
+    #
     attr_accessor :enclosing_provider
 
     # @return [String] The source line where this resource was declared.
@@ -1234,6 +1243,7 @@ class Chef
     #   of these formats:
     #     /some/path/to/file.rb:80:in `wombat_tears'
     #     C:/some/path/to/file.rb:80 in 1`wombat_tears'
+    #
     attr_accessor :source_line
 
     # @return [String] The actual name that was used to create this resource.
@@ -1242,37 +1252,40 @@ class Chef
     #   user will expect to see the thing they wrote, not the type that was
     #   returned.  May be `nil`, in which case callers should read #resource_name.
     #   See #declared_key.
+    #
     attr_accessor :declared_type
 
-    #
     # Iterates over all immediate and delayed notifications, calling
     # resolve_resource_reference on each in turn, causing them to
     # resolve lazy/forward references.
-    def resolve_notification_references
+    #
+    def resolve_notification_references(always_raise = false)
       run_context.before_notifications(self).each do |n|
-        n.resolve_resource_reference(run_context.resource_collection)
+        n.resolve_resource_reference(run_context.resource_collection, true)
       end
+
       run_context.immediate_notifications(self).each do |n|
-        n.resolve_resource_reference(run_context.resource_collection)
+        n.resolve_resource_reference(run_context.resource_collection, always_raise)
       end
+
       run_context.delayed_notifications(self).each do |n|
-        n.resolve_resource_reference(run_context.resource_collection)
+        n.resolve_resource_reference(run_context.resource_collection, always_raise)
       end
     end
 
     # Helper for #notifies
     def notifies_before(action, resource_spec)
-      run_context.notifies_before(Notification.new(resource_spec, action, self))
+      run_context.notifies_before(Notification.new(resource_spec, action, self, run_context.unified_mode))
     end
 
     # Helper for #notifies
     def notifies_immediately(action, resource_spec)
-      run_context.notifies_immediately(Notification.new(resource_spec, action, self))
+      run_context.notifies_immediately(Notification.new(resource_spec, action, self, run_context.unified_mode))
     end
 
     # Helper for #notifies
     def notifies_delayed(action, resource_spec)
-      run_context.notifies_delayed(Notification.new(resource_spec, action, self))
+      run_context.notifies_delayed(Notification.new(resource_spec, action, self, run_context.unified_mode))
     end
 
     class << self
@@ -1321,7 +1334,6 @@ class Chef
       end
     end
 
-    #
     # This API can be used for backcompat to do:
     #
     # chef_version_for_provides "< 14.0" if defined?(:chef_version_for_provides)
@@ -1343,7 +1355,6 @@ class Chef
       @chef_version_for_provides = constraint
     end
 
-    #
     # Mark this resource as providing particular DSL.
     #
     # Resources have an automatic DSL based on their resource_name, equivalent to
@@ -1472,7 +1483,6 @@ class Chef
       @default_description
     end
 
-    #
     # The cookbook in which this Resource was defined (if any).
     #
     # @return Chef::CookbookVersion The cookbook in which this Resource was defined.
@@ -1498,7 +1508,6 @@ class Chef
       provider
     end
 
-    #
     # Preface an exception message with generic Resource information.
     #
     # @param e [StandardError] An exception with `e.message`
@@ -1554,7 +1563,6 @@ class Chef
       klass
     end
 
-    #
     # Returns the class with the given resource_name.
     #
     # NOTE: Chef::Resource.resource_matching_short_name(:package) returns

data/lib/chef/resource/chocolatey_feature.rb

@@ -25,7 +25,7 @@ class Chef
       property :feature_name, String, name_property: true,
                description: "The name of the Chocolatey feature to enable or disable."
 
-      property :feature_state, [TrueClass, FalseClass], default: false
+      property :feature_state, [TrueClass, FalseClass], default: false, skip_docs: true
 
       load_current_value do
         current_state = fetch_feature_element(feature_name)

data/lib/chef/resource/chocolatey_package.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Adam Jacob (<adam@chef.io>)
-# Copyright:: Copyright 2008-2017, Chef Software Inc.
+# Copyright:: Copyright 2008-2019, Chef Software Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -30,7 +30,7 @@ class Chef
       allowed_actions :install, :upgrade, :remove, :purge, :reconfig
 
       # windows can't take Array options yet
-      property :options, String,
+      property :options, [String, Array],
         description: "One (or more) additional options that are passed to the command."
 
       property :package_name, [String, Array],

data/lib/chef/resource/cron_d.rb

@@ -111,7 +111,7 @@ class Chef
         }
 
       property :hour, [Integer, String],
-        description: "The hour at which the cron entry should run (0 - 23).",
+        description: "The hour at which the cron entry is to run (0 - 23).",
         default: "*", callbacks: {
           "should be a valid hour spec" => ->(spec) { validate_numeric(spec, 0, 23) },
         }

data/lib/chef/resource/ohai.rb

@@ -29,7 +29,7 @@ class Chef
       description "Use the ohai resource to reload the Ohai configuration on a node. This allows recipes that change system attributes (like a recipe that adds a user) to refer to those attributes later on during the #{Chef::Dist::CLIENT} run."
 
       property :plugin, String,
-        description: "The name of an Ohai plugin to be reloaded. If this property is not specified, the #{Chef::Dist::CLIENT} will reload all plugins."
+        description: "The name of an Ohai plugin to be reloaded. If this property is not specified, #{Chef::Dist::PRODUCT} will reload all plugins."
 
       default_action :reload
       allowed_actions :reload

data/lib/chef/resource/resource_notification.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Tyler Ball (<tball@chef.io>)
-# Copyright:: Copyright 2014-2016, Chef Software, Inc.
+# Copyright:: Copyright 2014-2019, Chef Software Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -26,12 +26,13 @@ class Chef
     # @attr [Resource] notifying_resource the Chef resource performing the notification
     class Notification
 
-      attr_accessor :resource, :action, :notifying_resource
+      attr_accessor :resource, :action, :notifying_resource, :unified_mode
 
-      def initialize(resource, action, notifying_resource)
+      def initialize(resource, action, notifying_resource, unified_mode = false)
         @resource = resource
         @action = action&.to_sym
         @notifying_resource = notifying_resource
+        @unified_mode = unified_mode
       end
 
       # Is the current notification a duplicate of another notification
@@ -52,11 +53,11 @@ class Chef
       # @param [ResourceCollection] resource_collection
       #
       # @return [void]
-      def resolve_resource_reference(resource_collection)
+      def resolve_resource_reference(resource_collection, always_raise = false)
         return resource if resource.is_a?(Chef::Resource) && notifying_resource.is_a?(Chef::Resource)
 
         unless resource.is_a?(Chef::Resource)
-          fix_resource_reference(resource_collection)
+          fix_resource_reference(resource_collection, always_raise)
         end
 
         unless notifying_resource.is_a?(Chef::Resource)
@@ -69,7 +70,7 @@ class Chef
       # @param [ResourceCollection] resource_collection
       #
       # @return [void]
-      def fix_resource_reference(resource_collection)
+      def fix_resource_reference(resource_collection, always_raise = false)
         matching_resource = resource_collection.find(resource)
         if Array(matching_resource).size > 1
           msg = "Notification #{self} from #{notifying_resource} was created with a reference to multiple resources, "\
@@ -79,13 +80,16 @@ class Chef
         self.resource = matching_resource
 
       rescue Chef::Exceptions::ResourceNotFound => e
-        err = Chef::Exceptions::ResourceNotFound.new(<<~FAIL)
-          resource #{notifying_resource} is configured to notify resource #{resource} with action #{action}, \
-          but #{resource} cannot be found in the resource collection. #{notifying_resource} is defined in \
-          #{notifying_resource.source_line}
-        FAIL
-        err.set_backtrace(e.backtrace)
-        raise err
+        # in unified mode we allow lazy notifications to resources not yet declared
+        if !unified_mode || always_raise
+          err = Chef::Exceptions::ResourceNotFound.new(<<~FAIL)
+            resource #{notifying_resource} is configured to notify resource #{resource} with action #{action}, \
+            but #{resource} cannot be found in the resource collection. #{notifying_resource} is defined in \
+            #{notifying_resource.source_line}
+          FAIL
+          err.set_backtrace(e.backtrace)
+          raise err
+        end
       rescue Chef::Exceptions::InvalidResourceSpecification => e
         err = Chef::Exceptions::InvalidResourceSpecification.new(<<~F)
           Resource #{notifying_resource} is configured to notify resource #{resource} with action #{action}, \

data/lib/chef/resource/ruby_block.rb

@@ -26,7 +26,7 @@ class Chef
     class RubyBlock < Chef::Resource
       provides :ruby_block, target_mode: true
 
-      description "Use the ruby_block resource to execute Ruby code during a #{Chef::Dist::CLIENT} run."\
+      description "Use the ruby_block resource to execute Ruby code during a #{Chef::Dist::PRODUCT} run."\
                   " Ruby code in the ruby_block resource is evaluated with other resources during"\
                   " convergence, whereas Ruby code outside of a ruby_block resource is evaluated"\
                   " before other resources, as the recipe is compiled."

data/lib/chef/resource/service.rb

@@ -35,7 +35,7 @@ class Chef
 
       # this is a poor API please do not re-use this pattern
       property :supports, Hash, default: { restart: nil, reload: nil, status: nil },
-               description: "A list of properties that controls how the #{Chef::Dist::CLIENT} is to attempt to manage a service: :restart, :reload, :status. For :restart, the init script or other service provider can use a restart command; if :restart is not specified, the #{Chef::Dist::CLIENT} attempts to stop and then start a service. For :reload, the init script or other service provider can use a reload command. For :status, the init script or other service provider can use a status command to determine if the service is running; if :status is not specified, the #{Chef::Dist::CLIENT} attempts to match the service_name against the process table as a regular expression, unless a pattern is specified as a parameter property. Default value: { restart: false, reload: false, status: false } for all platforms (except for the Red Hat platform family, which defaults to { restart: false, reload: false, status: true }.)",
+               description: "A list of properties that controls how #{Chef::Dist::PRODUCT} is to attempt to manage a service: :restart, :reload, :status. For :restart, the init script or other service provider can use a restart command; if :restart is not specified, the #{Chef::Dist::CLIENT} attempts to stop and then start a service. For :reload, the init script or other service provider can use a reload command. For :status, the init script or other service provider can use a status command to determine if the service is running; if :status is not specified, the #{Chef::Dist::CLIENT} attempts to match the service_name against the process table as a regular expression, unless a pattern is specified as a parameter property. Default value: { restart: false, reload: false, status: false } for all platforms (except for the Red Hat platform family, which defaults to { restart: false, reload: false, status: true }.)",
                coerce: proc { |x| x.is_a?(Array) ? x.each_with_object({}) { |i, m| m[i] = true } : x }
 
       property :service_name, String,

data/lib/chef/resource/user.rb

@@ -47,6 +47,7 @@ class Chef
 
       property :password, String,
         description: "The password shadow hash",
+        sensitive: true,
         desired_state: false
 
       property :non_unique, [ TrueClass, FalseClass ],

data/lib/chef/resource/user/dscl_user.rb

@@ -24,7 +24,7 @@ class Chef
         resource_name :dscl_user
 
         provides :dscl_user
-        provides :user, os: "darwin"
+        provides :user, platform: "mac_os_x", platform_version: "< 10.14"
 
         property :iterations, Integer,
           description: "macOS platform only. The number of iterations for a password with a SALTED-SHA512-PBKDF2 shadow hash.",

data/lib/chef/resource/user/mac_user.rb

@@ -0,0 +1,119 @@
+#
+# Author:: Ryan Cragun (<ryan@chef.io>)
+# Copyright:: Copyright 2019, Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../user"
+
+class Chef
+  class Resource
+    class User
+      # Provide a user resource that is compatible with default TCC restrictions
+      # that were introduced in macOS 10.14.
+      #
+      # Changes:
+      #
+      # * This resource and the corresponding provider have been modified to
+      #   work with default macOS TCC policies. Direct access to user binary
+      #   plists are no longer permitted by default, thus we've chosen to use
+      #   a combination of newer utilities for managing user lifecycles and older
+      #   utilities for managing passwords.
+      #
+      # * Due to tooling changes that were necessitated by the new policy
+      #   restrictions the mac_user resource is only suitable for use on macOS
+      #   >= 10.14. Support for older platforms has been removed.
+      #
+      # New Features:
+      #
+      # * Primary group management is now included.
+      #
+      # * 'admin' is now a boolean property that configures a user to an admin.
+      #
+      # * 'admin_username' and 'admin_password' are new properties that define the
+      #   admin user credentials required for toggling SecureToken for a user.
+      #
+      #   The value of 'admin_username' must correspond to a system user that
+      #   is part of the 'admin' with SecureToken enabled in order to toggle
+      #   SecureToken.
+      #
+      # * 'secure_token' is a boolean property that sets the desired state
+      #   for SecureToken. SecureToken token is required for FileVault full
+      #   disk encryption.
+      #
+      # * 'secure_token_password' is the plaintext password required to enable
+      #   or disable secure_token for a user. If no salt is specified we assume
+      #   the 'password' property corresponds to a plaintext password and will
+      #   attempt to use it in place of secure_token_password if it not set.
+      class MacUser < Chef::Resource::User
+        resource_name :mac_user
+
+        provides :mac_user
+        provides :user, platform: "mac_os_x", platform_version: ">= 10.14"
+
+        introduced "15.3"
+
+        property :iterations, Integer,
+          description: "The number of iterations for a password with a SALTED-SHA512-PBKDF2 shadow hash.",
+          default: 57803, desired_state: false
+
+        # Overload gid to set our default gid to 20, the macOS "staff" group.
+        # We also allow a string group name here which we'll attempt to resolve
+        # or create in the provider.
+        property :gid, [Integer, String], description: "The numeric group identifier.", default: 20, coerce: ->(gid) do
+          begin
+            Integer(gid) # Try and coerce a group id string into an integer
+          rescue
+            gid # assume we have a group name
+          end
+        end
+
+        # Overload the password so we can set a length requirements and update the
+        # description.
+        property :password, String, description: "The plain text user password", sensitive: true, coerce: ->(password) {
+          # It would be nice if this could be in callbacks but we need the context
+          # of the resource to get the salt property so we have to do it in coerce.
+          if salt && password !~ /^[[:xdigit:]]{256}$/
+            raise Chef::Exceptions::User, "Password must be a SALTED-SHA512-PBKDF2 shadow hash entropy when a shadow hash salt is given"
+          end
+
+          password
+        },
+        callbacks: {
+          "Password length must be >= 4" => ->(password) { password.size >= 4 },
+        }
+
+        # Overload home so we set our default.
+        property :home, String, description: "The user home directory", default: lazy { "/Users/#{name}" }
+
+        property :admin, [TrueClass, FalseClass], description: "Create the user as an admin", default: false
+
+        # TCC on macOS >= 10.14 requires admin credentials of an Admin user that
+        # has SecureToken enabled in order to toggle SecureToken.
+        property :admin_username, String, description: "Admin username for superuser actions"
+        property :admin_password, String, description: "Admin password for superuser actions", sensitive: true
+
+        property :secure_token, [TrueClass, FalseClass], description: "Enable SecureToken for the user", default: false
+        # In order to enable SecureToken for a user we require the plaintext password.
+        property :secure_token_password, String, description: "The plaintext password for enabling SecureToken", sensitive: true, default: lazy {
+          # In some cases the user can pass the plaintext value to "password" instead of
+          # SALTED-SHA512-PBKDF2 entropy. In those cases we'll default to the
+          # same value.
+          (salt.nil? && password) ? password : nil
+        }
+      end
+    end
+  end
+end