chef 16.1.0-universal-mingw32 → 16.3.38-universal-mingw32

data/lib/chef/provider/user/aix.rb

@@ -40,7 +40,7 @@ class Chef
           shell_out!("userdel", userdel_options, new_resource.username)
         end
 
-        # Aix does not support -r like other unix, sytem account is created by adding to 'system' group
+        # Aix does not support -r like other unix, system account is created by adding to 'system' group
         def useradd_options
           opts = []
           opts << "-g" << "system" if new_resource.system

data/lib/chef/provider/user/dscl.rb

@@ -215,7 +215,7 @@ in 'password', with the associated 'salt' and 'iterations'.")
           next_uid_guess = base_uid
           users_uids = run_dscl("list", "/Users", "uid")
           while next_uid_guess < search_limit + base_uid
-            if users_uids =~ Regexp.new("#{Regexp.escape(next_uid_guess.to_s)}\n")
+            if users_uids&.match?(Regexp.new("#{Regexp.escape(next_uid_guess.to_s)}\n"))
               next_uid_guess += 1
             else
               uid = next_uid_guess
@@ -291,7 +291,7 @@ in 'password', with the associated 'salt' and 'iterations'.")
         end
 
         def validate_home_dir_specification!
-          unless new_resource.home =~ %r{^/}
+          unless %r{^/}.match?(new_resource.home)
             raise(Chef::Exceptions::InvalidHomeDirectory, "invalid path spec for User: '#{new_resource.username}', home directory: '#{new_resource.home}'")
           end
         end
@@ -382,7 +382,7 @@ in 'password', with the associated 'salt' and 'iterations'.")
               salt,
               iterations,
               128,
-              OpenSSL::Digest::SHA512.new
+              OpenSSL::Digest.new("SHA512")
             )
           end
 
@@ -536,7 +536,7 @@ in 'password', with the associated 'salt' and 'iterations'.")
 
           # We flush the cache here in order to make sure that we read fresh information
           # for the user.
-          shell_out("dscacheutil", "-flushcache") # FIXME: this is MacOS version dependent
+          shell_out("dscacheutil", "-flushcache") # FIXME: this is macOS version dependent
 
           begin
             user_plist_file = "#{USER_PLIST_DIRECTORY}/#{new_resource.username}.plist"
@@ -587,7 +587,7 @@ in 'password', with the associated 'salt' and 'iterations'.")
           result = shell_out("dscl", ".", "-#{args[0]}", args[1..-1])
           return "" if ( args.first =~ /^delete/ ) && ( result.exitstatus != 0 )
           raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") unless result.exitstatus == 0
-          raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") if result.stdout =~ /No such key: /
+          raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") if /No such key: /.match?(result.stdout)
 
           result.stdout
         end
@@ -627,7 +627,7 @@ in 'password', with the associated 'salt' and 'iterations'.")
             salt,
             current_resource.iterations,
             128,
-            OpenSSL::Digest::SHA512.new
+            OpenSSL::Digest.new("SHA512")
           ).unpack("H*").first == current_resource.password
         end
 

data/lib/chef/provider/user/linux.rb

@@ -96,7 +96,7 @@ class Chef
           passwd_s = shell_out("passwd", "-S", new_resource.username, returns: [ 0, 1 ])
 
           # checking "does not exist" has to come before exit code handling since centos and ubuntu differ in exit codes
-          if passwd_s.stderr =~ /does not exist/
+          if /does not exist/.match?(passwd_s.stderr)
             return false if whyrun_mode?
 
             raise Chef::Exceptions::User, "User #{new_resource.username} does not exist when checking lock status for #{new_resource}"
@@ -108,8 +108,8 @@ class Chef
           # now the actual output parsing
           @locked = nil
           status_line = passwd_s.stdout.split(" ")
-          @locked = false if status_line[1] =~ /^[PN]/
-          @locked = true if status_line[1] =~ /^L/
+          @locked = false if /^[PN]/.match?(status_line[1])
+          @locked = true if /^L/.match?(status_line[1])
 
           raise Chef::Exceptions::User, "Cannot determine if user #{new_resource.username} is locked for #{new_resource}" if @locked.nil?
 

data/lib/chef/provider/user/mac.rb

@@ -102,7 +102,7 @@ class Chef
           shadow_hash_hex = user_plist[:shadow_hash][0]
           return unless shadow_hash_hex && shadow_hash_hex != ""
 
-          # The password infomation is stored in the ShadowHashData key in the
+          # The password information is stored in the ShadowHashData key in the
           # plist. However, parsing it is a bit tricky as the value is itself
           # another encoded binary plist. We have to extract the encoded plist,
           # decode it from hex to a binary plist and then convert the binary
@@ -116,6 +116,8 @@ class Chef
           #
           #  eg:
           #
+          # spellchecker: disable
+          #
           # <array>
           #   <string>77687920 63616e27 74206170 706c6520 6275696c 6420636f 6e736973 74656e74 20746f6f 6c696e67</string>
           # </array>
@@ -126,6 +128,8 @@ class Chef
           #   <data>AADKAAAKAA4LAA0MAAAAAAAAAAA=</data>
           # </array>
           #
+          # spellchecker: disable
+          #
           begin
             shadow_binary_plist = [shadow_hash_hex.delete(" ")].pack("H*")
             shadow_xml_plist = shell_out("plutil", "-convert", "xml1", "-o", "-", "-", input: shadow_binary_plist).stdout
@@ -159,7 +163,7 @@ class Chef
           # a problem. We'll check stderr and make sure we see that it finished
           # correctly.
           res = run_sysadminctl(cmd)
-          unless res.downcase =~ /creating user/
+          unless /creating user/.match?(res.downcase)
             raise Chef::Exceptions::User, "error when creating user: #{res}"
           end
 
@@ -179,7 +183,7 @@ class Chef
           end
 
           if new_resource.manage_home
-            # "sydadminctl -addUser" will create the home directory if it's
+            # "sysadminctl -addUser" will create the home directory if it's
             # the default /Users/<username>, otherwise it sets it in plist
             # but does not create it. Here we'll ensure that it gets created
             # if we've been given a directory that is not the default.
@@ -305,7 +309,7 @@ class Chef
           # sysadminctl doesn't exit with a non-zero exit code if it encounters
           # a problem. We'll check stderr and make sure we see that it finished
           res = run_sysadminctl(cmd)
-          unless res.downcase =~ /deleting record|not found/
+          unless /deleting record|not found/.match?(res.downcase)
             raise Chef::Exceptions::User, "error deleting user: #{res}"
           end
 
@@ -368,7 +372,7 @@ class Chef
           next_uid_guess = base_uid
           users_uids = run_dscl("list", "/Users", "uid")
           while next_uid_guess < search_limit + base_uid
-            if users_uids =~ Regexp.new("#{Regexp.escape(next_uid_guess.to_s)}\n")
+            if users_uids&.match?(Regexp.new("#{Regexp.escape(next_uid_guess.to_s)}\n"))
               next_uid_guess += 1
             else
               uid = next_uid_guess
@@ -426,7 +430,7 @@ class Chef
           # sysadminctl doesn't exit with a non-zero exit code if it encounters
           # a problem. We'll check stderr and make sure we see that it finished
           res = run_sysadminctl(cmd)
-          unless res.downcase =~ /done/
+          unless /done/.match?(res.downcase)
             raise Chef::Exceptions::User, "error when modifying SecureToken: #{res}"
           end
 
@@ -491,7 +495,7 @@ class Chef
             convert_to_binary(current_resource.salt),
             current_resource.iterations.to_i,
             128,
-            OpenSSL::Digest::SHA512.new
+            OpenSSL::Digest.new("SHA512")
           ).unpack("H*")[0] != current_resource.password
         end
 
@@ -517,7 +521,7 @@ class Chef
                 salt.string,
                 new_resource.iterations,
                 128,
-                OpenSSL::Digest::SHA512.new
+                OpenSSL::Digest.new("SHA512")
               )
             )
           end
@@ -554,7 +558,7 @@ class Chef
           # 0x0A                                    End of record denoted by \n
           # 0x5C                                    Escaping is denoted by \
           # 0x3A                                    Fields are separated by :
-          # 0x2C                                    Values are seperated by ,
+          # 0x2C                                    Values are separated by ,
           # dsRecTypeStandard:Users                 The record type we're configuring
           # 2                                       How many properties we're going to set
           # dsAttrTypeStandard:RecordName           Property 1: our users record name
@@ -598,7 +602,7 @@ class Chef
 
         def run_sysadminctl(args)
           # sysadminctl doesn't exit with a non-zero code when errors are encountered
-          # and ouputs everything to STDERR instead of STDOUT and STDERR. Therefore we'll
+          # and outputs everything to STDERR instead of STDOUT and STDERR. Therefore we'll
           # return the STDERR and let the caller handle it.
           shell_out!("sysadminctl", args).stderr
         end
@@ -607,7 +611,7 @@ class Chef
           result = shell_out("dscl", "-plist", ".", "-#{args[0]}", args[1..-1])
           return "" if ( args.first =~ /^delete/ ) && ( result.exitstatus != 0 )
           raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") unless result.exitstatus == 0
-          raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") if result.stdout =~ /No such key: /
+          raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") if /No such key: /.match?(result.stdout)
 
           result.stdout
         end

data/lib/chef/provider/windows_script.rb

@@ -18,57 +18,119 @@
 
 require_relative "script"
 require_relative "../mixin/windows_architecture_helper"
+require_relative "../win32/security" if ChefUtils.windows?
+require "tempfile" unless defined?(Tempfile)
 
 class Chef
   class Provider
     class WindowsScript < Chef::Provider::Script
 
-      attr_reader :is_forced_32bit
-
       protected
 
-      include Chef::Mixin::WindowsArchitectureHelper
-
-      def initialize( new_resource, run_context, script_extension = "")
-        super( new_resource, run_context )
-        @script_extension = script_extension
+      attr_accessor :script_file_path
 
-        target_architecture = if new_resource.architecture.nil?
-                                node_windows_architecture(run_context.node)
-                              else
-                                new_resource.architecture
-                              end
-
-        @is_wow64 = wow64_architecture_override_required?(run_context.node, target_architecture)
+      include Chef::Mixin::WindowsArchitectureHelper
 
-        @is_forced_32bit = forced_32bit_override_required?(run_context.node, target_architecture)
+      def target_architecture
+        @target_architecture ||= if new_resource.architecture.nil?
+                                   node_windows_architecture(run_context.node)
+                                 else
+                                   new_resource.architecture
+                                 end
       end
 
-      public
+      def basepath
+        if forced_32bit_override_required?(run_context.node, target_architecture)
+          wow64_directory
+        else
+          run_context.node["kernel"]["os_info"]["system_directory"]
+        end
+      end
 
-      action :run do
+      def with_wow64_redirection_disabled
         wow64_redirection_state = nil
 
-        if @is_wow64
-          wow64_redirection_state = disable_wow64_file_redirection(@run_context.node)
+        if wow64_architecture_override_required?(run_context.node, target_architecture)
+          wow64_redirection_state = disable_wow64_file_redirection(run_context.node)
         end
 
         begin
-          super()
+          yield
         rescue
           raise
         ensure
           unless wow64_redirection_state.nil?
-            restore_wow64_file_redirection(@run_context.node, wow64_redirection_state)
+            restore_wow64_file_redirection(run_context.node, wow64_redirection_state)
           end
         end
       end
 
-      def script_file
-        base_script_name = "chef-script"
-        temp_file_arguments = [ base_script_name, @script_extension ]
+      def command
+        "\"#{interpreter}\" #{flags} \"#{script_file_path}\""
+      end
+
+      def grant_alternate_user_read_access(file_path)
+        # Do nothing if an alternate user isn't specified -- the file
+        # will already have the correct permissions for the user as part
+        # of the default ACL behavior on Windows.
+        return if new_resource.user.nil?
+
+        # Duplicate the script file's existing DACL
+        # so we can add an ACE later
+        securable_object = Chef::ReservedNames::Win32::Security::SecurableObject.new(file_path)
+        aces = securable_object.security_descriptor.dacl.reduce([]) { |result, current| result.push(current) }
+
+        username = new_resource.user
+
+        if new_resource.domain
+          username = new_resource.domain + '\\' + new_resource.user
+        end
+
+        # Create an ACE that allows the alternate user read access to the script
+        # file so it can be read and executed.
+        user_sid = Chef::ReservedNames::Win32::Security::SID.from_account(username)
+        read_ace = Chef::ReservedNames::Win32::Security::ACE.access_allowed(user_sid, Chef::ReservedNames::Win32::API::Security::GENERIC_READ | Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE, 0)
+        aces.push(read_ace)
+        acl = Chef::ReservedNames::Win32::Security::ACL.create(aces)
+
+        # This actually applies the modified DACL to the file
+        # Use parentheses to bypass RuboCop / ChefStyle warning
+        # about useless setter
+        (securable_object.dacl = acl)
+      end
+
+      def with_temp_script_file
+        Tempfile.open(["chef-script", script_extension]) do |script_file|
+          script_file.puts(code)
+          script_file.close
+
+          grant_alternate_user_read_access(script_file.path)
+
+          # This needs to be set here so that the call to #command in Execute works.
+          self.script_file_path = script_file.path
+
+          yield
+
+          self.script_file_path = nil
+        end
+      end
+
+      def input
+        nil
+      end
+
+      public
+
+      action :run do
+        with_wow64_redirection_disabled do
+          with_temp_script_file do
+            super()
+          end
+        end
+      end
 
-        @script_file ||= Tempfile.open(temp_file_arguments)
+      def script_extension
+        raise Chef::Exceptions::Override, "You must override #{__method__} in #{self}"
       end
     end
   end

data/lib/chef/provider/windows_task.rb

@@ -72,6 +72,7 @@ class Chef
           6 => TaskScheduler::TASK_SIXTH,
           7 => TaskScheduler::TASK_SEVENTH,
           8 => TaskScheduler::TASK_EIGHTH,
+          # cspell:disable-next-line
           9 => TaskScheduler::TASK_NINETH,
           10 => TaskScheduler::TASK_TENTH,
           11 => TaskScheduler::TASK_ELEVENTH,
@@ -93,6 +94,7 @@ class Chef
           27 => TaskScheduler::TASK_TWENTY_SEVENTH,
           28 => TaskScheduler::TASK_TWENTY_EIGHTH,
           29 => TaskScheduler::TASK_TWENTY_NINTH,
+          # cspell:disable-next-line
           30 => TaskScheduler::TASK_THIRTYETH,
           31 => TaskScheduler::TASK_THIRTY_FIRST,
         }.freeze
@@ -229,7 +231,7 @@ class Chef
 
         private
 
-        # seprated command arguments from :command property
+        # separated command arguments from :command property
         def set_command_and_arguments
           cmd, *args = Chef::Util::PathHelper.split_args(new_resource.command)
           new_resource.command = cmd
@@ -577,7 +579,7 @@ class Chef
 
         def logon_type
           # Ref: https://msdn.microsoft.com/en-us/library/windows/desktop/aa383566(v=vs.85).aspx
-          # if nothing is passed as logon_type the TASK_LOGON_SERVICE_ACCOUNT is getting set as default so using that for comparision.
+          # if nothing is passed as logon_type the TASK_LOGON_SERVICE_ACCOUNT is getting set as default so using that for comparison.
           user_id = new_resource.user.to_s
           password = new_resource.password.to_s
           if Chef::ReservedNames::Win32::Security::SID.service_account_user?(user_id)

data/lib/chef/provider/yum_repository.rb

@@ -37,7 +37,7 @@ class Chef
           if template_available?(new_resource.source)
             source new_resource.source
           else
-            source ::File.expand_path("../support/yum_repo.erb", __FILE__)
+            source ::File.expand_path("support/yum_repo.erb", __dir__)
             local true
           end
           sensitive new_resource.sensitive

data/lib/chef/provider/zypper_repository.rb

@@ -41,7 +41,7 @@ class Chef
           if template_available?(new_resource.source)
             source new_resource.source
           else
-            source ::File.expand_path("../support/zypper_repo.erb", __FILE__)
+            source ::File.expand_path("support/zypper_repo.erb", __dir__)
             local true
           end
           sensitive new_resource.sensitive
@@ -115,28 +115,48 @@ class Chef
         end
       end
 
+      # the version of gpg installed on the system
+      #
+      # @return [Gem::Version] the version of GPG
+      def gpg_version
+        so = shell_out!("gpg --version")
+        # matches 2.0 and 2.2 versions from SLES 12 and 15: https://rubular.com/r/e6D0WfGK6SXvUp
+        version = /gpg \(GnuPG\)\s*(.*)/.match(so.stdout)[1]
+        logger.trace("GPG package version is #{version}")
+        Gem::Version.new(version)
+      end
+
       # is the provided key already installed
       # @param [String] key_path the path to the key on the local filesystem
       #
       # @return [boolean] is the key already known by rpm
       def key_installed?(key_path)
-        so = shell_out("rpm -qa gpg-pubkey*")
+        so = shell_out("/bin/rpm -qa gpg-pubkey*")
         # expected output & match: http://rubular.com/r/RdF7EcXEtb
-        status = /gpg-pubkey-#{key_fingerprint(key_path)}/.match(so.stdout)
+        status = /gpg-pubkey-#{short_key_id(key_path)}/.match(so.stdout)
         logger.trace("GPG key at #{key_path} is known by rpm? #{status ? "true" : "false"}")
         status
       end
 
-      # extract the gpg key fingerprint from a local file
+      # extract the gpg key's short key id from a local file. Learning moment: This 8 hex value ID
+      # is sometimes incorrectly called the fingerprint. The fingerprint is the full length value
+      # and googling for that will just result in sad times.
+      #
       # @param [String] key_path the path to the key on the local filesystem
       #
-      # @return [String] the fingerprint of the key
-      def key_fingerprint(key_path)
-        so = shell_out!("gpg --with-fingerprint #{key_path}")
-        # expected output and match: http://rubular.com/r/BpfMjxySQM
-        fingerprint = %r{pub\s*\S*/(\S*)}.match(so.stdout)[1].downcase
-        logger.trace("GPG fingerprint of key at #{key_path} is #{fingerprint}")
-        fingerprint
+      # @return [String] the short key id of the key
+      def short_key_id(key_path)
+        if gpg_version >= Gem::Version.new("2.2") # SLES 15+
+          so = shell_out!("gpg --import-options import-show --dry-run --import --with-colons #{key_path}")
+          # expected output and match: https://rubular.com/r/uXWJo3yfkli1qA
+          short_key_id = /fpr:*\h*(\h{8}):/.match(so.stdout)[1].downcase
+        else # SLES 12 and earlier
+          so = shell_out!("gpg --with-fingerprint #{key_path}")
+          # expected output and match: http://rubular.com/r/BpfMjxySQM
+          short_key_id = %r{pub\s*\S*/(\S*)}.match(so.stdout)[1].downcase
+        end
+        logger.trace("GPG short key ID of key at #{key_path} is #{short_key_id}")
+        short_key_id
       end
 
       # install the provided gpg key