chef 16.0.275-universal-mingw32 → 16.2.50-universal-mingw32

data/lib/chef/provider/windows_script.rb

@@ -18,57 +18,119 @@
 
 require_relative "script"
 require_relative "../mixin/windows_architecture_helper"
+require_relative "../win32/security" if ChefUtils.windows?
+require "tempfile" unless defined?(Tempfile)
 
 class Chef
   class Provider
     class WindowsScript < Chef::Provider::Script
 
-      attr_reader :is_forced_32bit
-
       protected
 
-      include Chef::Mixin::WindowsArchitectureHelper
-
-      def initialize( new_resource, run_context, script_extension = "")
-        super( new_resource, run_context )
-        @script_extension = script_extension
+      attr_accessor :script_file_path
 
-        target_architecture = if new_resource.architecture.nil?
-                                node_windows_architecture(run_context.node)
-                              else
-                                new_resource.architecture
-                              end
-
-        @is_wow64 = wow64_architecture_override_required?(run_context.node, target_architecture)
+      include Chef::Mixin::WindowsArchitectureHelper
 
-        @is_forced_32bit = forced_32bit_override_required?(run_context.node, target_architecture)
+      def target_architecture
+        @target_architecture ||= if new_resource.architecture.nil?
+                                   node_windows_architecture(run_context.node)
+                                 else
+                                   new_resource.architecture
+                                 end
       end
 
-      public
+      def basepath
+        if forced_32bit_override_required?(run_context.node, target_architecture)
+          wow64_directory
+        else
+          run_context.node["kernel"]["os_info"]["system_directory"]
+        end
+      end
 
-      action :run do
+      def with_wow64_redirection_disabled
         wow64_redirection_state = nil
 
-        if @is_wow64
-          wow64_redirection_state = disable_wow64_file_redirection(@run_context.node)
+        if wow64_architecture_override_required?(run_context.node, target_architecture)
+          wow64_redirection_state = disable_wow64_file_redirection(run_context.node)
         end
 
         begin
-          super()
+          yield
         rescue
           raise
         ensure
           unless wow64_redirection_state.nil?
-            restore_wow64_file_redirection(@run_context.node, wow64_redirection_state)
+            restore_wow64_file_redirection(run_context.node, wow64_redirection_state)
           end
         end
       end
 
-      def script_file
-        base_script_name = "chef-script"
-        temp_file_arguments = [ base_script_name, @script_extension ]
+      def command
+        "\"#{interpreter}\" #{flags} \"#{script_file_path}\""
+      end
+
+      def grant_alternate_user_read_access(file_path)
+        # Do nothing if an alternate user isn't specified -- the file
+        # will already have the correct permissions for the user as part
+        # of the default ACL behavior on Windows.
+        return if new_resource.user.nil?
+
+        # Duplicate the script file's existing DACL
+        # so we can add an ACE later
+        securable_object = Chef::ReservedNames::Win32::Security::SecurableObject.new(file_path)
+        aces = securable_object.security_descriptor.dacl.reduce([]) { |result, current| result.push(current) }
+
+        username = new_resource.user
+
+        if new_resource.domain
+          username = new_resource.domain + '\\' + new_resource.user
+        end
+
+        # Create an ACE that allows the alternate user read access to the script
+        # file so it can be read and executed.
+        user_sid = Chef::ReservedNames::Win32::Security::SID.from_account(username)
+        read_ace = Chef::ReservedNames::Win32::Security::ACE.access_allowed(user_sid, Chef::ReservedNames::Win32::API::Security::GENERIC_READ | Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE, 0)
+        aces.push(read_ace)
+        acl = Chef::ReservedNames::Win32::Security::ACL.create(aces)
+
+        # This actually applies the modified DACL to the file
+        # Use parentheses to bypass RuboCop / ChefStyle warning
+        # about useless setter
+        (securable_object.dacl = acl)
+      end
+
+      def with_temp_script_file
+        Tempfile.open(["chef-script", script_extension]) do |script_file|
+          script_file.puts(code)
+          script_file.close
+
+          grant_alternate_user_read_access(script_file.path)
+
+          # This needs to be set here so that the call to #command in Execute works.
+          self.script_file_path = script_file.path
+
+          yield
+
+          self.script_file_path = nil
+        end
+      end
+
+      def input
+        nil
+      end
+
+      public
+
+      action :run do
+        with_wow64_redirection_disabled do
+          with_temp_script_file do
+            super()
+          end
+        end
+      end
 
-        @script_file ||= Tempfile.open(temp_file_arguments)
+      def script_extension
+        raise Chef::Exceptions::Override, "You must override #{__method__} in #{self}"
       end
     end
   end

data/lib/chef/provider/windows_task.rb

@@ -72,6 +72,7 @@ class Chef
           6 => TaskScheduler::TASK_SIXTH,
           7 => TaskScheduler::TASK_SEVENTH,
           8 => TaskScheduler::TASK_EIGHTH,
+          # cspell:disable-next-line
           9 => TaskScheduler::TASK_NINETH,
           10 => TaskScheduler::TASK_TENTH,
           11 => TaskScheduler::TASK_ELEVENTH,
@@ -93,6 +94,7 @@ class Chef
           27 => TaskScheduler::TASK_TWENTY_SEVENTH,
           28 => TaskScheduler::TASK_TWENTY_EIGHTH,
           29 => TaskScheduler::TASK_TWENTY_NINTH,
+          # cspell:disable-next-line
           30 => TaskScheduler::TASK_THIRTYETH,
           31 => TaskScheduler::TASK_THIRTY_FIRST,
         }.freeze
@@ -229,7 +231,7 @@ class Chef
 
         private
 
-        # seprated command arguments from :command property
+        # separated command arguments from :command property
         def set_command_and_arguments
           cmd, *args = Chef::Util::PathHelper.split_args(new_resource.command)
           new_resource.command = cmd
@@ -424,7 +426,7 @@ class Chef
             when TaskScheduler::AT_LOGON
               # TODO: handle option for this trigger
             when TaskScheduler::AT_SYSTEMSTART
-              # TODO: handle option for this trigger
+            # TODO: handle option for this trigger
           end
         end
 
@@ -577,7 +579,7 @@ class Chef
 
         def logon_type
           # Ref: https://msdn.microsoft.com/en-us/library/windows/desktop/aa383566(v=vs.85).aspx
-          # if nothing is passed as logon_type the TASK_LOGON_SERVICE_ACCOUNT is getting set as default so using that for comparision.
+          # if nothing is passed as logon_type the TASK_LOGON_SERVICE_ACCOUNT is getting set as default so using that for comparison.
           user_id = new_resource.user.to_s
           password = new_resource.password.to_s
           if Chef::ReservedNames::Win32::Security::SID.service_account_user?(user_id)

data/lib/chef/provider/zypper_repository.rb

@@ -115,28 +115,48 @@ class Chef
         end
       end
 
+      # the version of gpg installed on the system
+      #
+      # @return [Gem::Version] the version of GPG
+      def gpg_version
+        so = shell_out!("gpg --version")
+        # matches 2.0 and 2.2 versions from SLES 12 and 15: https://rubular.com/r/e6D0WfGK6SXvUp
+        version = /gpg \(GnuPG\)\s*(.*)/.match(so.stdout)[1]
+        logger.trace("GPG package version is #{version}")
+        Gem::Version.new(version)
+      end
+
       # is the provided key already installed
       # @param [String] key_path the path to the key on the local filesystem
       #
       # @return [boolean] is the key already known by rpm
       def key_installed?(key_path)
-        so = shell_out("rpm -qa gpg-pubkey*")
+        so = shell_out("/bin/rpm -qa gpg-pubkey*")
         # expected output & match: http://rubular.com/r/RdF7EcXEtb
-        status = /gpg-pubkey-#{key_fingerprint(key_path)}/.match(so.stdout)
+        status = /gpg-pubkey-#{short_key_id(key_path)}/.match(so.stdout)
         logger.trace("GPG key at #{key_path} is known by rpm? #{status ? "true" : "false"}")
         status
       end
 
-      # extract the gpg key fingerprint from a local file
+      # extract the gpg key's short key id from a local file. Learning moment: This 8 hex value ID
+      # is sometimes incorrectly called the fingerprint. The fingerprint is the full length value
+      # and googling for that will just result in sad times.
+      #
       # @param [String] key_path the path to the key on the local filesystem
       #
-      # @return [String] the fingerprint of the key
-      def key_fingerprint(key_path)
-        so = shell_out!("gpg --with-fingerprint #{key_path}")
-        # expected output and match: http://rubular.com/r/BpfMjxySQM
-        fingerprint = %r{pub\s*\S*/(\S*)}.match(so.stdout)[1].downcase
-        logger.trace("GPG fingerprint of key at #{key_path} is #{fingerprint}")
-        fingerprint
+      # @return [String] the short key id of the key
+      def short_key_id(key_path)
+        if gpg_version >= Gem::Version.new("2.2") # SLES 15+
+          so = shell_out!("gpg --import-options import-show --dry-run --import --with-colons #{key_path}")
+          # expected output and match: https://rubular.com/r/uXWJo3yfkli1qA
+          short_key_id = /fpr:*\h*(\h{8}):/.match(so.stdout)[1].downcase
+        else # SLES 12 and earlier
+          so = shell_out!("gpg --with-fingerprint #{key_path}")
+          # expected output and match: http://rubular.com/r/BpfMjxySQM
+          short_key_id = %r{pub\s*\S*/(\S*)}.match(so.stdout)[1].downcase
+        end
+        logger.trace("GPG short key ID of key at #{key_path} is #{short_key_id}")
+        short_key_id
       end
 
       # install the provided gpg key

data/lib/chef/resource.rb

@@ -451,6 +451,17 @@ class Chef
       description: "Determines whether or not the resource is executed during the compile time phase.",
       default: false, desired_state: false
 
+    # Set a umask to be used for the duration of converging the resource.
+    # Defaults to `nil`, which means to use the system umask.
+    #
+    # @param arg [String] The umask to apply while converging the resource.
+    # @return [Boolean] The umask to apply while converging the resource.
+    #
+    property :umask, String,
+      desired_state: false,
+      introduced: "16.2",
+      description: "Set a umask to be used for the duration of converging the resource. Defaults to `nil`, which means to use the system umask."
+
     # The time it took (in seconds) to run the most recently-run action.  Not
     # cumulative across actions.  This is set to 0 as soon as a new action starts
     # running, and set to the elapsed time at the end of the action.
@@ -588,7 +599,9 @@ class Chef
       begin
         return if should_skip?(action)
 
-        provider_for_action(action).run_action
+        with_umask do
+          provider_for_action(action).run_action
+        end
       rescue StandardError => e
         if ignore_failure
           logger.error("#{custom_exception_message(e)}; ignore_failure is set, continuing")
@@ -612,6 +625,13 @@ class Chef
       events.resource_completed(self)
     end
 
+    def with_umask
+      old_value = ::File.umask(umask.oct) if umask
+      yield
+    ensure
+      ::File.umask(old_value) if umask
+    end
+
     #
     # If we are currently initializing the resource, this will be true.
     #
@@ -930,7 +950,7 @@ class Chef
     end
 
     #
-    # A hook called after a resource is created.  Meant to be overriden by
+    # A hook called after a resource is created.  Meant to be overridden by
     # subclasses.
     #
     def after_created
@@ -950,16 +970,7 @@ class Chef
     def self.resource_name(name = NOT_PASSED)
       # Setter
       if name != NOT_PASSED
-        if name
-          @resource_name = name.to_sym
-          name = name.to_sym
-          # FIXME: determine a way to deprecate this magic behavior
-          unless Chef::ResourceResolver.includes_handler?(name, self)
-            provides name
-          end
-        else
-          @resource_name = nil
-        end
+        @resource_name = name.to_sym rescue nil
       end
 
       @resource_name = nil unless defined?(@resource_name)
@@ -1114,7 +1125,7 @@ class Chef
     # `action_class` method, the presence of either indicates that this is
     # going to be a Chef-12.5 custom resource.  If we never see one of these
     # directives then we are constructing an old-style Resource+Provider or
-    # LWRP or whatevs.
+    # LWRP or whatever.
     #
     # If a block is passed, the action_class is always created and the block is
     # run inside it.
@@ -1327,7 +1338,7 @@ class Chef
     # Once we no longer care about supporting chef < 14.4 then we can deprecate
     # this API.
     #
-    # @param arg [String] version constrant to match against (e.g. "> 14")
+    # @param arg [String] version constraint to match against (e.g. "> 14")
     #
     def self.chef_version_for_provides(constraint)
       @chef_version_for_provides = constraint

data/lib/chef/resource/alternatives.rb

@@ -89,7 +89,7 @@ class Chef
         description: "The path to the alternatives link."
 
       property :path, String,
-        description: "The full path to the original application binary such as `/usr/bin/ruby27`."
+        description: "The absolute path to the original application binary such as `/usr/bin/ruby27`."
 
       property :priority, [String, Integer],
         coerce: proc { |n| n.to_i },

data/lib/chef/resource/apt_package.rb

@@ -46,7 +46,7 @@ class Chef
       apt_package %(package1 package2 package3)
       ```
 
-      **Install without using recommend packages as a dependency**
+      **Install without using recommend packages as a dependency**:
 
       ```ruby
       package 'apache2' do

data/lib/chef/resource/archive_file.rb

@@ -19,6 +19,7 @@
 #
 
 require_relative "../resource"
+require "fileutils" unless defined?(FileUtils)
 
 class Chef
   class Resource
@@ -39,6 +40,18 @@ class Chef
           destination '/srv/files'
         end
         ```
+
+        **Set specific permissions on the extracted files**:
+
+        ```ruby
+        archive_file 'Precompiled.zip' do
+          owner 'tsmith'
+          group 'staff'
+          mode '700'
+          path '/tmp/Precompiled.zip'
+          destination '/srv/files'
+        end
+        ```
       DOC
 
       property :path, String,
@@ -53,7 +66,7 @@ class Chef
         description: "The group of the extracted files."
 
       property :mode, [String, Integer],
-        description: "The mode of the extracted files.",
+        description: "The mode of the extracted files. Integer values are deprecated as octal values (ex. 0755) would not be interpreted correctly.",
         default: "755"
 
       property :destination, String,
@@ -72,11 +85,11 @@ class Chef
       alias_method :extract_options, :options
       alias_method :extract_to, :destination
 
-      require "fileutils" unless defined?(FileUtils)
-
       action :extract do
         description "Extract and archive file."
 
+        require_libarchive
+
         unless ::File.exist?(new_resource.path)
           raise Errno::ENOENT, "No archive found at #{new_resource.path}! Cannot continue."
         end
@@ -85,7 +98,8 @@ class Chef
           Chef::Log.trace("File or directory does not exist at destination path: #{new_resource.destination}")
 
           converge_by("create directory #{new_resource.destination}") do
-            FileUtils.mkdir_p(new_resource.destination, mode: new_resource.mode.to_i)
+            # @todo when we remove the ability for mode to be an int we can remove the .to_s below
+            FileUtils.mkdir_p(new_resource.destination, mode: new_resource.mode.to_s.to_i(8))
           end
 
           extract(new_resource.path, new_resource.destination, Array(new_resource.options))
@@ -113,6 +127,16 @@ class Chef
       end
 
       action_class do
+        def require_libarchive
+          require "ffi-libarchive"
+        end
+
+        def define_resource_requirements
+          if new_resource.mode.is_a?(Integer)
+            Chef.deprecated(:archive_file_integer_file_mode, "The mode property should be passed to archive_file resources as a String and not an Integer to ensure the value is properly interpreted.")
+          end
+        end
+
         # This can't be a constant since we might not have required 'ffi-libarchive' yet.
         def extract_option_map
           {
@@ -136,8 +160,6 @@ class Chef
         #
         # @return [Boolean]
         def archive_differs_from_disk?(src, dest)
-          require "ffi-libarchive"
-
           modified = false
           Dir.chdir(dest) do
             archive = Archive::Reader.open_filename(src)
@@ -164,8 +186,6 @@ class Chef
         #
         # @return [void]
         def extract(src, dest, options = [])
-          require "ffi-libarchive"
-
           converge_by("extract #{src} to #{dest}") do
             flags = [options].flatten.map { |option| extract_option_map[option] }.compact.reduce(:|)
 

data/lib/chef/resource/bash.rb

@@ -17,7 +17,6 @@
 #
 
 require_relative "script"
-require_relative "../provider/script"
 
 class Chef
   class Resource