chef 15.6.10 → 15.7.30

data/lib/chef/knife/core/bootstrap_context.rb

@@ -158,11 +158,11 @@ class Chef
           end
 
           if encrypted_data_bag_secret
-            client_rb << %Q{encrypted_data_bag_secret "#{Chef::Dist::CONF_DIR}/encrypted_data_bag_secret"\n}
+            client_rb << %Q{encrypted_data_bag_secret "/etc/chef/encrypted_data_bag_secret"\n}
           end
 
           unless trusted_certs.empty?
-            client_rb << %Q{trusted_certs_dir "#{Chef::Dist::CONF_DIR}/trusted_certs"\n}
+            client_rb << %Q{trusted_certs_dir "/etc/chef/trusted_certs"\n}
           end
 
           if Chef::Config[:fips]
@@ -175,7 +175,7 @@ class Chef
         def start_chef
           # If the user doesn't have a client path configure, let bash use the PATH for what it was designed for
           client_path = @chef_config[:chef_client_path] || "#{Chef::Dist::CLIENT}"
-          s = "#{client_path} -j #{Chef::Dist::CONF_DIR}/first-boot.json"
+          s = "#{client_path} -j /etc/chef/first-boot.json"
           if @config[:verbosity] && @config[:verbosity] >= 3
             s << " -l trace"
           elsif @config[:verbosity] && @config[:verbosity] >= 2
@@ -226,7 +226,7 @@ class Chef
           content = ""
           if @chef_config[:trusted_certs_dir]
             Dir.glob(File.join(Chef::Util::PathHelper.escape_glob_dir(@chef_config[:trusted_certs_dir]), "*.{crt,pem}")).each do |cert|
-              content << "cat > #{Chef::Dist::CONF_DIR}/trusted_certs/#{File.basename(cert)} <<'EOP'\n" +
+              content << "cat > /etc/chef/trusted_certs/#{File.basename(cert)} <<'EOP'\n" +
                 IO.read(File.expand_path(cert)) + "\nEOP\n"
             end
           end
@@ -240,7 +240,7 @@ class Chef
             root.find do |f|
               relative = f.relative_path_from(root)
               if f != root
-                file_on_node = "#{Chef::Dist::CONF_DIR}/client.d/#{relative}"
+                file_on_node = "/etc/chef/client.d/#{relative}"
                 if f.directory?
                   content << "mkdir #{file_on_node}\n"
                 else

data/lib/chef/knife/core/windows_bootstrap_context.rb

@@ -158,7 +158,7 @@ class Chef
 
         def start_chef
           bootstrap_environment_option = bootstrap_environment.nil? ? "" : " -E #{bootstrap_environment}"
-          start_chef = "SET \"PATH=%SystemRoot%\\system32;%SystemRoot%;%SystemRoot%\\System32\\Wbem;%SYSTEMROOT%\\System32\\WindowsPowerShell\\v1.0\\;C:\\ruby\\bin;C:\\opscode\\chef\\bin;C:\\opscode\\chef\\embedded\\bin\"\n"
+          start_chef = "SET \"PATH=%SystemRoot%\\system32;%SystemRoot%;%SystemRoot%\\System32\\Wbem;%SYSTEMROOT%\\System32\\WindowsPowerShell\\v1.0\\;C:\\ruby\\bin;C:\\opscode\\chef\\bin;C:\\opscode\\chef\\embedded\\bin\;%PATH%\"\n"
           start_chef << "chef-client -c c:/chef/client.rb -j c:/chef/first-boot.json#{bootstrap_environment_option}\n"
         end
 

data/lib/chef/knife/supermarket_install.rb

@@ -137,7 +137,7 @@ class Chef
       end
 
       def download_cookbook_to(download_path)
-        downloader = Chef::Knife::CookbookSiteDownload.new
+        downloader = Chef::Knife::SupermarketDownload.new
         downloader.config[:file] = download_path
         downloader.config[:supermarket_site] = config[:supermarket_site]
         downloader.name_args = name_args

data/lib/chef/log/winevt.rb

@@ -37,7 +37,7 @@ class Chef
       FATAL_EVENT_ID = 10104
 
       # Since we must install the event logger, this is not really configurable
-      SOURCE = Chef::Dist::PRODUCT.freeze
+      SOURCE = Chef::Dist::SHORT.freeze
 
       include Chef::Mixin::Unformatter
 

data/lib/chef/mixin/openssl_helper.rb

@@ -401,6 +401,27 @@ class Chef
         crl.sign(ca_private_key, ::OpenSSL::Digest::SHA256.new)
         crl
       end
+
+      # Return true if a certificate need to be renewed (or doesn't exist) according to the number
+      # of days before expiration given
+      # @param [string] cert_file path of the cert file or cert content
+      # @param [integer] renew_before_expiry number of days before expiration
+      # @return [true, false]
+      def cert_need_renewall?(cert_file, renew_before_expiry)
+        resp = true
+        cert_content = ::File.exist?(cert_file) ? File.read(cert_file) : cert_file
+        begin
+          cert = OpenSSL::X509::Certificate.new cert_content
+        rescue ::OpenSSL::X509::CertificateError
+          return resp
+        end
+
+        unless cert.not_after <= Time.now + 3600 * 24 * renew_before_expiry
+          resp = false
+        end
+
+        resp
+      end
     end
   end
 end

data/lib/chef/monkey_patches/net_http.rb

@@ -24,41 +24,3 @@ module Net
     include ChefNetHTTPExceptionExtensions
   end
 end
-
-if Net::HTTP.instance_methods.map(&:to_s).include?("proxy_uri")
-  begin
-    # Ruby 2.0 changes the way proxy support is implemented in Net::HTTP.
-    # The implementation does not work correctly with IPv6 literals because it
-    # concatenates the address into a URI without adding square brackets for
-    # IPv6 addresses.
-    #
-    # If the bug is present, a call to Net::HTTP#proxy_uri when the host is an
-    # IPv6 address will fail by creating an invalid URI, like so:
-    #
-    #    ruby -r'net/http' -e 'Net::HTTP.new("::1", 80).proxy_uri'
-    #    /Users/ddeleo/.rbenv/versions/2.0.0-p247/lib/ruby/2.0.0/uri/generic.rb:214:in `initialize': the scheme http does not accept registry part: ::1:80 (or bad hostname?) (URI::InvalidURIError)
-    #      from /Users/ddeleo/.rbenv/versions/2.0.0-p247/lib/ruby/2.0.0/uri/http.rb:84:in `initialize'
-    #      from /Users/ddeleo/.rbenv/versions/2.0.0-p247/lib/ruby/2.0.0/uri/common.rb:214:in `new'
-    #      from /Users/ddeleo/.rbenv/versions/2.0.0-p247/lib/ruby/2.0.0/uri/common.rb:214:in `parse'
-    #      from /Users/ddeleo/.rbenv/versions/2.0.0-p247/lib/ruby/2.0.0/uri/common.rb:747:in `parse'
-    #      from /Users/ddeleo/.rbenv/versions/2.0.0-p247/lib/ruby/2.0.0/uri/common.rb:994:in `URI'
-    #      from /Users/ddeleo/.rbenv/versions/2.0.0-p247/lib/ruby/2.0.0/net/http.rb:1027:in `proxy_uri'
-    #      from -e:1:in `<main>'
-    #
-    # https://bugs.ruby-lang.org/issues/9129
-    #
-    # NOTE: This should be fixed in Ruby 2.2.0, and backported to Ruby 2.0 and
-    # 2.1 (not yet released so the version/patchlevel required isn't known
-    # yet).
-    Net::HTTP.new("::1", 80).proxy_uri
-  rescue URI::InvalidURIError
-    class Net::HTTP
-
-      def proxy_uri # :nodoc:
-        ipv6_safe_addr = address.to_s.include?(":") ? "[#{address}]" : address
-        @proxy_uri ||= URI("http://#{ipv6_safe_addr}:#{port}").find_proxy
-      end
-
-    end
-  end
-end

data/lib/chef/provider/cron.rb

@@ -216,11 +216,13 @@ class Chef
         raise Chef::Exceptions::Cron, "Error updating state of #{new_resource.name}, error: #{e}"
       end
 
-      def get_crontab_entry
-        newcron = ""
-        newcron << "# Chef Name: #{new_resource.name}\n"
+      #
+      # @return [String] The string of Env Variables containing line breaks.
+      #
+      def env_var_str
+        str = []
         %i{mailto path shell home}.each do |v|
-          newcron << "#{v.to_s.upcase}=\"#{new_resource.send(v)}\"\n" if new_resource.send(v)
+          str << "#{v.to_s.upcase}=\"#{new_resource.send(v)}\"" if new_resource.send(v)
         end
         new_resource.environment.each do |name, value|
           if ENVIRONMENT_PROPERTIES.include?(name)
@@ -228,20 +230,63 @@ class Chef
               logger.warn("#{new_resource.name}: the environment property contains the '#{name}' variable, which should be set separately as a property.")
               new_resource.send(name.downcase.to_sym, value.gsub(/^"|"$/, ""))
               new_resource.environment.delete(name)
-              newcron << "#{name.to_s.upcase}=\"#{value}\"\n"
+              str << "#{name.to_s.upcase}=\"#{value}\""
             else
               raise Chef::Exceptions::Cron, "#{new_resource.name}: the '#{name}' property is set and environment property also contains the '#{name}' variable. Remove the variable from the environment property."
             end
           else
-            newcron << "#{name}=#{value}\n"
+            str << "#{name}=#{value}"
           end
         end
+        str.join("\n")
+      end
+
+      #
+      # @return [String] The Cron time string consisting five fields that Cron converts into a time interval.
+      #
+      def duration_str
         if new_resource.time
-          newcron << "@#{new_resource.time} #{new_resource.command}\n"
+          "@#{new_resource.time}"
         else
-          newcron << "#{new_resource.minute} #{new_resource.hour} #{new_resource.day} #{new_resource.month} #{new_resource.weekday} #{new_resource.command}\n"
+          "#{new_resource.minute} #{new_resource.hour} #{new_resource.day} #{new_resource.month} #{new_resource.weekday}"
         end
-        newcron
+      end
+
+      #
+      # @return [String] The timeout command string formed as per time_out property.
+      #
+      def time_out_str
+        return "" if new_resource.time_out.empty?
+
+        str = " timeout"
+        str << " --preserve-status" if new_resource.time_out["preserve-status"].to_s.downcase == "true"
+        str << " --foreground" if new_resource.time_out["foreground"].to_s.downcase == "true"
+        str << " --kill-after #{new_resource.time_out["kill-after"]}" if new_resource.time_out["kill-after"]
+        str << " --signal #{new_resource.time_out["signal"]}" if new_resource.time_out["signal"]
+        str << " #{new_resource.time_out["duration"]};"
+        str
+      end
+
+      #
+      # @return [String] The command to be executed. The new line at the end has been added purposefully.
+      #
+      def cmd_str
+        " #{new_resource.command}\n"
+      end
+
+      # Concatenates various information and formulates a complete string that
+      # could be written in the crontab
+      #
+      # @return [String] A crontab string formed as per the user inputs.
+      #
+      def get_crontab_entry
+        # Initialize
+        newcron = []
+        newcron << "# Chef Name: #{new_resource.name}"
+        newcron << env_var_str unless env_var_str.empty?
+        newcron << duration_str + time_out_str + cmd_str
+
+        newcron.join("\n")
       end
 
       def weekday_in_crontab

data/lib/chef/provider/cron/aix.rb

@@ -33,8 +33,11 @@ class Chef
             raise Chef::Exceptions::Cron, "Aix cron entry does not support environment variables. Please set them in script and use script in cron."
           end
 
-          newcron = ""
-          newcron << "# Chef Name: #{new_resource.name}\n"
+          if time_out_set?
+            raise Chef::Exceptions::Cron, "Aix cron entry does not support timeout."
+          end
+
+          newcron = "# Chef Name: #{new_resource.name}\n"
           newcron << "#{@new_resource.minute} #{@new_resource.hour} #{@new_resource.day} #{@new_resource.month} #{@new_resource.weekday}"
 
           newcron << " #{@new_resource.command}\n"
@@ -44,6 +47,10 @@ class Chef
         def env_vars_are_set?
           @new_resource.environment.length > 0 || !@new_resource.mailto.nil? || !@new_resource.path.nil? || !@new_resource.shell.nil? || !@new_resource.home.nil?
         end
+
+        def time_out_set?
+          !@new_resource.time_out.empty?
+        end
       end
     end
   end

data/lib/chef/provider/launchd.rb

@@ -194,7 +194,7 @@ class Chef
           "environment_variables" => "EnvironmentVariables",
           "exit_timeout" => "ExitTimeout",
           "ld_group" => "GroupName",
-          "hard_resource_limits" => "HardreSourceLimits",
+          "hard_resource_limits" => "HardResourceLimits",
           "inetd_compatibility" => "inetdCompatibility",
           "init_groups" => "InitGroups",
           "keep_alive" => "KeepAlive",

data/lib/chef/provider/user/aix.rb

@@ -110,7 +110,7 @@ class Chef
           return unless current_resource.password != new_resource.password && new_resource.password
 
           logger.trace("#{new_resource.username} setting password to #{new_resource.password}")
-          command = "echo '#{new_resource.username}:#{new_resource.password}' | chpasswd -e"
+          command = "echo '#{new_resource.username}:#{new_resource.password}' | chpasswd -c -e"
           shell_out!(command)
         end
 

data/lib/chef/provider/user/mac.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Ryan Cragun (<ryan@chef.io>)
-# Copyright:: Copyright (c) 2019, Chef Software Inc.
+# Copyright:: Copyright (c) 2019-2019, Chef Software Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -92,6 +92,8 @@ class Chef
 
           @user_plist = Plist.new(::Plist.parse_xml(user_xml))
 
+          return unless user_plist[:shadow_hash]
+
           shadow_hash_hex = user_plist[:shadow_hash][0]
           return unless shadow_hash_hex && shadow_hash_hex != ""
 
@@ -148,14 +150,12 @@ class Chef
             cmd += ["-adminPassword", new_resource.admin_password]
           end
 
-          converge_by "create user" do
-            # sysadminctl doesn't exit with a non-zero exit code if it encounters
-            # a problem. We'll check stderr and make sure we see that it finished
-            # correctly.
-            res = run_sysadminctl(cmd)
-            unless res.downcase =~ /creating user/
-              raise Chef::Exceptions::User, "error when creating user: #{res}"
-            end
+          # sysadminctl doesn't exit with a non-zero exit code if it encounters
+          # a problem. We'll check stderr and make sure we see that it finished
+          # correctly.
+          res = run_sysadminctl(cmd)
+          unless res.downcase =~ /creating user/
+            raise Chef::Exceptions::User, "error when creating user: #{res}"
           end
 
           # Wait for the user to show up in the ds cache
@@ -289,11 +289,9 @@ class Chef
 
           # sysadminctl doesn't exit with a non-zero exit code if it encounters
           # a problem. We'll check stderr and make sure we see that it finished
-          converge_by "remove user" do
-            res = run_sysadminctl(cmd)
-            unless res.downcase =~ /deleting record|not found/
-              raise Chef::Exceptions::User, "error deleting user: #{res}"
-            end
+          res = run_sysadminctl(cmd)
+          unless res.downcase =~ /deleting record|not found/
+            raise Chef::Exceptions::User, "error deleting user: #{res}"
           end
 
           reload_user_plist
@@ -301,18 +299,15 @@ class Chef
         end
 
         def lock_user
-          converge_by "lock user" do
-            run_dscl("append", "/Users/#{new_resource.username}", "AuthenticationAuthority", ";DisabledUser;")
-          end
+          run_dscl("append", "/Users/#{new_resource.username}", "AuthenticationAuthority", ";DisabledUser;")
 
           reload_user_plist
         end
 
         def unlock_user
           auth_string = user_plist[:auth_authority].reject! { |tag| tag == ";DisabledUser;" }.join.strip
-          converge_by "unlock user" do
-            run_dscl("create", "/Users/#{new_resource.username}", "AuthenticationAuthority", auth_string)
-          end
+
+          run_dscl("create", "/Users/#{new_resource.username}", "AuthenticationAuthority", auth_string)
 
           reload_user_plist
         end
@@ -483,7 +478,7 @@ class Chef
             )
           end
 
-          shadow_hash = user_plist[:shadow_hash][0]
+          shadow_hash = user_plist[:shadow_hash] ? user_plist[:shadow_hash][0] : {}
           shadow_hash["SALTED-SHA512-PBKDF2"] = {
             "entropy" => entropy,
             "salt" => salt,
@@ -533,7 +528,7 @@ class Chef
           run_dsimport(import_file, "/Local/Default", "M")
           run_dscl("create", "/Users/#{new_resource.username}", "Password", "********")
         ensure
-          ::File.delete(import_file) if defined?(import_file) && ::File.exist?(import_file)
+          ::File.delete(import_file) if import_file && ::File.exist?(import_file)
         end
 
         def wait_for_user

data/lib/chef/provider/windows_task.rb

@@ -328,7 +328,7 @@ class Chef
         def task_needs_update?(task)
           flag = false
           if new_resource.frequency == :none
-            flag = (task.account_information != new_resource.user ||
+            flag = (task.author != new_resource.user ||
             task.application_name != new_resource.command ||
             description_needs_update?(task) ||
             task.parameters != new_resource.command_arguments.to_s ||
@@ -352,7 +352,7 @@ class Chef
                 current_task_trigger[:type] != new_task_trigger[:type] ||
                 current_task_trigger[:random_minutes_interval].to_i != new_task_trigger[:random_minutes_interval].to_i ||
                 current_task_trigger[:minutes_interval].to_i != new_task_trigger[:minutes_interval].to_i ||
-                task.account_information.to_s.casecmp(new_resource.user.to_s) != 0 ||
+                task.author.to_s.casecmp(new_resource.user.to_s) != 0 ||
                 task.application_name != new_resource.command ||
                 description_needs_update?(task) ||
                 task.parameters != new_resource.command_arguments.to_s ||

data/lib/chef/resource/archive_file.rb

@@ -102,8 +102,11 @@ class Chef
         end
 
         if new_resource.owner || new_resource.group
-          converge_by("set owner of #{new_resource.destination} to #{new_resource.owner}:#{new_resource.group}") do
-            FileUtils.chown_R(new_resource.owner, new_resource.group, new_resource.destination)
+          converge_by("set owner of files extracted in #{new_resource.destination} to #{new_resource.owner}:#{new_resource.group}") do
+            archive = Archive::Reader.open_filename(new_resource.path)
+            archive.each_entry do |e|
+              FileUtils.chown(new_resource.owner, new_resource.group, "#{new_resource.destination}/#{e.pathname}")
+            end
           end
         end
       end

data/lib/chef/resource/cron.rb

@@ -162,6 +162,35 @@ class Chef
         description: "A Hash of environment variables in the form of ({'ENV_VARIABLE' => 'VALUE'}).",
         default: lazy { {} }
 
+      TIMEOUT_OPTS = %w{duration preserve-status foreground kill-after signal}.freeze
+      TIMEOUT_REGEX = /\A\S+/.freeze
+
+      property :time_out, Hash,
+        description: "A Hash of timeouts in the form of ({'OPTION' => 'VALUE'}).
+        Accepted valid options are:
+        preserve-status (BOOL, default: 'false'),
+        foreground (BOOL, default: 'false'),
+        kill-after (in seconds),
+        signal (a name like 'HUP' or a number)",
+        default: lazy { {} },
+        introduced: "15.7",
+        coerce: proc { |h|
+          if h.is_a?(Hash)
+            invalid_keys = h.keys - TIMEOUT_OPTS
+            unless invalid_keys.empty?
+              error_msg = "Key of option time_out must be equal to one of: \"#{TIMEOUT_OPTS.join('", "')}\"!  You passed \"#{invalid_keys.join(", ")}\"."
+              raise Chef::Exceptions::ValidationFailed, error_msg
+            end
+            unless h.values.all? { |x| x =~ TIMEOUT_REGEX }
+              error_msg = "Values of option time_out should be non-empty string without any leading whitespaces."
+              raise Chef::Exceptions::ValidationFailed, error_msg
+            end
+            h
+          elsif h.is_a?(Integer) || h.is_a?(String)
+            { "duration" => h }
+          end
+        }
+
       private
 
       def integerize(integerish)

data/lib/chef/resource/cron_d.rb

@@ -206,6 +206,35 @@ class Chef
         description: "A Hash containing additional arbitrary environment variables under which the cron job will be run in the form of ``({'ENV_VARIABLE' => 'VALUE'})``.",
         default: lazy { {} }
 
+      TIMEOUT_OPTS = %w{duration preserve-status foreground kill-after signal}.freeze
+      TIMEOUT_REGEX = /\A\S+/.freeze
+
+      property :time_out, Hash,
+        description: "A Hash of timeouts in the form of ({'OPTION' => 'VALUE'}).
+        Accepted valid options are:
+        preserve-status (BOOL, default: 'false'),
+        foreground (BOOL, default: 'false'),
+        kill-after (in seconds),
+        signal (a name like 'HUP' or a number)",
+        default: lazy { {} },
+        introduced: "15.7",
+        coerce: proc { |h|
+          if h.is_a?(Hash)
+            invalid_keys = h.keys - TIMEOUT_OPTS
+            unless invalid_keys.empty?
+              error_msg = "Key of option time_out must be equal to one of: \"#{TIMEOUT_OPTS.join('", "')}\"!  You passed \"#{invalid_keys.join(", ")}\"."
+              raise Chef::Exceptions::ValidationFailed, error_msg
+            end
+            unless h.values.all? { |x| x =~ TIMEOUT_REGEX }
+              error_msg = "Values of option time_out should be non-empty string without any leading whitespaces."
+              raise Chef::Exceptions::ValidationFailed, error_msg
+            end
+            h
+          elsif h.is_a?(Integer) || h.is_a?(String)
+            { "duration" => h }
+          end
+        }
+
       property :mode, [String, Integer],
         description: "The octal mode of the generated crontab file.",
         default: "0600"