chef 16.1.16 → 16.18.30

data/lib/chef/resource/osx_profile.rb

@@ -17,6 +17,10 @@
 #
 
 require_relative "../resource"
+require_relative "../log"
+require_relative "../resource/file"
+autoload :UUIDTools, "uuidtools"
+autoload :Plist, "plist"
 
 class Chef
   class Resource
@@ -26,11 +30,72 @@ class Chef
       provides :osx_profile
       provides :osx_config_profile
 
-      description "Use the **osx_profile** resource to manage configuration profiles (.mobileconfig files) on the macOS platform. The osx_profile resource installs profiles by using the uuidgen library to generate a unique ProfileUUID, and then using the profiles command to install the profile on the system."
+      description "Use the **osx_profile** resource to manage configuration profiles (`.mobileconfig` files) on the macOS platform. The **osx_profile** resource installs profiles by using the uuidgen library to generate a unique `ProfileUUID`, and then using the `profiles` command to install the profile on the system."
       introduced "12.7"
+      examples <<~DOC
+      **Install a profile from a cookbook file**
 
-      default_action :install
-      allowed_actions :install, :remove
+      ```ruby
+      osx_profile 'com.company.screensaver.mobileconfig'
+      ```
+
+      **Install profile from a hash**
+
+      ```ruby
+      profile_hash = {
+        'PayloadIdentifier' => 'com.company.screensaver',
+        'PayloadRemovalDisallowed' => false,
+        'PayloadScope' => 'System',
+        'PayloadType' => 'Configuration',
+        'PayloadUUID' => '1781fbec-3325-565f-9022-8aa28135c3cc',
+        'PayloadOrganization' => 'Chef',
+        'PayloadVersion' => 1,
+        'PayloadDisplayName' => 'Screensaver Settings',
+        'PayloadContent'=> [
+          {
+            'PayloadType' => 'com.apple.ManagedClient.preferences',
+            'PayloadVersion' => 1,
+            'PayloadIdentifier' => 'com.company.screensaver',
+            'PayloadUUID' => '73fc30e0-1e57-0131-c32d-000c2944c108',
+            'PayloadEnabled' => true,
+            'PayloadDisplayName' => 'com.apple.screensaver',
+            'PayloadContent' => {
+              'com.apple.screensaver' => {
+                'Forced' => [
+                  {
+                    'mcx_preference_settings' => {
+                      'idleTime' => 0,
+                    },
+                  },
+                ],
+              },
+            },
+          },
+        ],
+      }
+
+      osx_profile 'Install screensaver profile' do
+        profile profile_hash
+      end
+      ```
+
+      **Remove profile using identifier in resource name**
+
+      ```ruby
+      osx_profile 'com.company.screensaver' do
+        action :remove
+      end
+      ```
+
+      **Remove profile by identifier and user friendly resource name**
+
+      ```ruby
+      osx_profile 'Remove screensaver profile' do
+        identifier 'com.company.screensaver'
+        action :remove
+      end
+      ```
+      DOC
 
       property :profile_name, String,
         description: "Use to specify the name of the profile, if different from the name of the resource block.",
@@ -40,10 +105,231 @@ class Chef
         description: "Use to specify a profile. This may be the name of a profile contained in a cookbook or a Hash that contains the contents of the profile."
 
       property :identifier, String,
-        description: "Use to specify the identifier for the profile, such as com.company.screensaver."
+        description: "Use to specify the identifier for the profile, such as `com.company.screensaver`."
+
+      # this is not a property it is necessary for the tempfile this resource uses to work (FIXME: this is terrible)
+      #
+      # @api private
+      #
+      def path(path = nil)
+        @path ||= path
+        @path
+      end
+
+      action_class do
+        def load_current_resource
+          @current_resource = Chef::Resource::OsxProfile.new(new_resource.name)
+          current_resource.profile_name(new_resource.profile_name)
+
+          if new_profile_hash
+            new_profile_hash["PayloadUUID"] = config_uuid(new_profile_hash)
+          end
+
+          current_resource.profile(current_profile)
+        end
+
+        def current_profile
+          all_profiles = get_installed_profiles
+
+          if all_profiles && all_profiles.key?("_computerlevel")
+            return all_profiles["_computerlevel"].find do |item|
+              item["ProfileIdentifier"] == new_profile_identifier
+            end
+          end
+          nil
+        end
+
+        def invalid_profile_name?(name_or_identifier)
+          name_or_identifier.end_with?(".mobileconfig") || !/^\w+(?:(\.| )\w+)+$/.match(name_or_identifier)
+        end
+
+        def check_resource_semantics!
+          if action == :remove
+            if new_profile_identifier
+              if invalid_profile_name?(new_profile_identifier)
+                raise "when removing using the identifier property, it must match the profile identifier"
+              end
+            else
+              if invalid_profile_name?(new_resource.profile_name)
+                raise "When removing by resource name, it must match the profile identifier"
+              end
+            end
+          end
+
+          if action == :install
+            # we only do this check for the install action so that profiles can still be removed on macOS 11+
+            if mac? && node["platform_version"] =~ ">= 11.0"
+              raise "The osx_profile resource is not available on macOS Big Sur or above due to Apple's removal of support for CLI profile installation"
+            end
+
+            if new_profile_hash.is_a?(Hash) && !new_profile_hash.include?("PayloadIdentifier")
+              raise "The specified profile does not seem to be valid"
+            end
+            if new_profile_hash.is_a?(String) && !new_profile_hash.end_with?(".mobileconfig")
+              raise "#{new_profile_hash}' is not a valid profile"
+            end
+          end
+        end
+      end
+
+      action :install do
+        unless profile_installed?
+          converge_by("install profile #{new_profile_identifier}") do
+            profile_path = write_profile_to_disk
+            install_profile(profile_path)
+            get_installed_profiles(true)
+          end
+        end
+      end
+
+      action :remove do
+        # Clean up profile after removing it
+        if profile_installed?
+          converge_by("remove profile #{new_profile_identifier}") do
+            remove_profile
+            get_installed_profiles(true)
+          end
+        end
+      end
+
+      action_class do
+        private
+
+        def profile
+          @profile ||= new_resource.profile || new_resource.profile_name
+        end
+
+        def new_profile_hash
+          @new_profile_hash ||= get_profile_hash(profile)
+        end
+
+        def new_profile_identifier
+          @new_profile_identifier ||= if new_profile_hash
+                                        new_profile_hash["PayloadIdentifier"]
+                                      else
+                                        new_resource.identifier || new_resource.profile_name
+                                      end
+        end
+
+        def load_profile_hash(new_profile)
+          # file must exist in cookbook
+          return nil unless new_profile.end_with?(".mobileconfig")
+
+          unless cookbook_file_available?(new_profile)
+            raise Chef::Exceptions::FileNotFound, "#{self}: '#{new_profile}' not found in cookbook"
+          end
+
+          cookbook_profile = cache_cookbook_profile(new_profile)
+          ::Plist.parse_xml(cookbook_profile)
+        end
+
+        def cookbook_file_available?(cookbook_file)
+          run_context.has_cookbook_file_in_cookbook?(
+            new_resource.cookbook_name, cookbook_file
+          )
+        end
+
+        def get_cache_dir
+          Chef::FileCache.create_cache_path(
+            "profiles/#{new_resource.cookbook_name}"
+          )
+        end
+
+        def cache_cookbook_profile(cookbook_file)
+          Chef::FileCache.create_cache_path(
+            ::File.join(
+              "profiles",
+              new_resource.cookbook_name,
+              ::File.dirname(cookbook_file)
+            )
+          )
+
+          path = ::File.join( get_cache_dir, "#{cookbook_file}.remote")
+
+          cookbook_file path do
+            cookbook_name = new_resource.cookbook_name
+            source(cookbook_file)
+            backup(false)
+            run_action(:create)
+          end
+
+          path
+        end
+
+        def get_profile_hash(new_profile)
+          if new_profile.is_a?(Hash)
+            new_profile
+          elsif new_profile.is_a?(String)
+            load_profile_hash(new_profile)
+          end
+        end
+
+        def config_uuid(profile)
+          # Make a UUID of the profile contents and return as string
+          UUIDTools::UUID.sha1_create(
+            UUIDTools::UUID_DNS_NAMESPACE,
+            profile.to_s
+          ).to_s
+        end
+
+        def write_profile_to_disk
+          # FIXME: this is kind of terrible, the resource needs a tempfile to use and
+          # wants it created similarly to the file providers (with all the magic necessary
+          # for determining if it should go in the cwd or into a tmpdir), but it abuses
+          # the Chef::FileContentManagement::Tempfile API to do that, which requires setting
+          # a `path` method on the resource because of tight-coupling to the file provider
+          # pattern.  We don't just want to use a file here because the point is to get
+          # at the tempfile pattern from the file provider, but to feed that into a shell
+          # command rather than deploying the file to somewhere on disk.  There's some
+          # better API that needs extracting here.
+          new_resource.path(Chef::FileCache.create_cache_path("profiles"))
+          tempfile = Chef::FileContentManagement::Tempfile.new(new_resource).tempfile
+          tempfile.write(new_profile_hash.to_plist)
+          tempfile.close
+          tempfile.path
+        end
+
+        def install_profile(profile_path)
+          cmd = [ "/usr/bin/profiles", "-I", "-F", profile_path ]
+          logger.trace("cmd: #{cmd.join(" ")}")
+          shell_out!(*cmd)
+        end
+
+        def remove_profile
+          cmd = [ "/usr/bin/profiles", "-R", "-p", new_profile_identifier ]
+          logger.trace("cmd: #{cmd.join(" ")}")
+          shell_out!(*cmd)
+        end
+
+        #
+        # FIXME FIXME FIXME
+        # The node object should not be used for caching state like this and this is not a public API and may break.
+        # FIXME FIXME FIXME
+        #
+
+        def get_installed_profiles(update = nil)
+          logger.trace("Saving profile data to node.run_state")
+          if update
+            node.run_state[:config_profiles] = query_installed_profiles
+          else
+            node.run_state[:config_profiles] ||= query_installed_profiles
+          end
+        end
+
+        def query_installed_profiles
+          logger.trace("Running /usr/bin/profiles -P -o stdout-xml to determine profile state")
+          so = shell_out( "/usr/bin/profiles", "-P", "-o", "stdout-xml" )
+          ::Plist.parse_xml(so.stdout)
+        end
+
+        def profile_installed?
+          # Profile Identifier and UUID must match a currently installed profile
+          return false if current_resource.profile.nil? || current_resource.profile.empty?
+          return true if action == :remove
 
-      property :path, String,
-        description: "The path to write the profile to disk before loading it."
+          current_resource.profile["ProfileUUID"] == new_profile_hash["PayloadUUID"]
+        end
+      end
     end
   end
 end

data/lib/chef/resource/perl.rb

@@ -17,7 +17,6 @@
 #
 
 require_relative "script"
-require_relative "../provider/script"
 
 class Chef
   class Resource
@@ -33,9 +32,9 @@ class Chef
 
       description "Use the **perl** resource to execute scripts using the Perl interpreter."\
                   " This resource may also use any of the actions and properties that are"\
-                  " available to the execute resource. Commands that are executed with this"\
+                  " available to the **execute** resource. Commands that are executed with this"\
                   " resource are (by their nature) not idempotent, as they are typically"\
-                  " unique to the environment in which they are run. Use not_if and only_if"\
+                  " unique to the environment in which they are run. Use `not_if` and `only_if`"\
                   " to guard this resource for idempotence."
     end
   end

data/lib/chef/resource/plist.rb

@@ -16,7 +16,7 @@
 # limitations under the License.
 #
 require_relative "../resource"
-require "plist"
+autoload :Plist, "plist"
 
 class Chef
   class Resource
@@ -28,14 +28,33 @@ class Chef
 
       description "Use the **plist** resource to set config values in plist files on macOS systems."
       introduced "16.0"
+      examples <<~DOC
+        **Show hidden files in finder**:
+
+        ```ruby
+        plist 'show hidden files' do
+          path '/Users/vagrant/Library/Preferences/com.apple.finder.plist'
+          entry 'AppleShowAllFiles'
+          value true
+        end
+        ```
+      DOC
+
+      property :path, String, name_property: true,
+        description: "The path on disk to the plist file."
 
-      property :path, String, name_property: true
       property :entry, String
       property :value, [TrueClass, FalseClass, String, Integer, Float, Hash]
       property :encoding, String, default: "binary"
-      property :owner, String, default: "root"
-      property :group, String, default: "wheel"
-      property :mode, [String, Integer]
+
+      property :owner, String, default: "root",
+        description: "The owner of the plist file."
+
+      property :group, String, default: "wheel",
+        description: "The group of the plist file."
+
+      property :mode, [String, Integer],
+        description: "The file mode of the plist file. Ex: '644'"
 
       PLISTBUDDY_EXECUTABLE = "/usr/libexec/PlistBuddy".freeze
       DEFAULTS_EXECUTABLE = "/usr/bin/defaults".freeze
@@ -132,9 +151,7 @@ class Chef
           value.to_i
         when "float"
           value.to_f
-        when "string"
-          value
-        when "dictionary"
+        when "string", "dictionary"
           value
         when nil
           ""
@@ -149,9 +166,7 @@ class Chef
           "array"
         when Integer
           "integer"
-        when FalseClass
-          "bool"
-        when TrueClass
+        when FalseClass, TrueClass
           "bool"
         when Hash
           "dict"

data/lib/chef/resource/powershell_package_source.rb

@@ -16,7 +16,6 @@
 #
 
 require_relative "../resource"
-require_relative "../json_compat"
 
 class Chef
   class Resource
@@ -33,8 +32,8 @@ class Chef
         name_property: true
 
       property :url, String,
-        description: "The url to the package source.",
-        required: true
+        description: "The URL to the package source.",
+        required: [:register]
 
       property :trusted, [TrueClass, FalseClass],
         description: "Whether or not to trust packages from this source.",
@@ -43,25 +42,25 @@ class Chef
       property :provider_name, String,
         equal_to: %w{ Programs msi NuGet msu PowerShellGet psl chocolatey },
         validation_message: "The following providers are supported: 'Programs', 'msi', 'NuGet', 'msu', 'PowerShellGet', 'psl' or 'chocolatey'",
-        description: "The package management provider for the source. It supports the following providers: 'Programs', 'msi', 'NuGet', 'msu', 'PowerShellGet', 'psl' and 'chocolatey'.",
+        description: "The package management provider for the source.",
         default: "NuGet"
 
       property :publish_location, String,
-        description: "The url where modules will be published to for this source. Only valid if the provider is 'PowerShellGet'."
+        description: "The URL where modules will be published to for this source. Only valid if the provider is `PowerShellGet`."
 
       property :script_source_location, String,
-        description: "The url where scripts are located for this source. Only valid if the provider is 'PowerShellGet'."
+        description: "The URL where scripts are located for this source. Only valid if the provider is `PowerShellGet`."
 
       property :script_publish_location, String,
-        description: "The location where scripts will be published to for this source. Only valid if the provider is 'PowerShellGet'."
+        description: "The location where scripts will be published to for this source. Only valid if the provider is `PowerShellGet`."
 
       load_current_value do
         cmd = load_resource_state_script(source_name)
-        repo = powershell_out!(cmd)
-        if repo.stdout.empty?
+        repo = powershell_exec!(cmd)
+        if repo.result.empty?
           current_value_does_not_exist!
         else
-          status = Chef::JSONCompat.from_json(repo.stdout)
+          status = repo.result
         end
         url status["url"]
         trusted status["trusted"]
@@ -78,28 +77,28 @@ class Chef
           if package_source_exists?
             converge_if_changed :url, :trusted, :publish_location, :script_source_location, :script_publish_location do
               update_cmd = build_ps_repository_command("Set", new_resource)
-              res = powershell_out(update_cmd)
-              raise "Failed to update #{new_resource.source_name}: #{res.stderr}" unless res.stderr.empty?
+              res = powershell_exec(update_cmd)
+              raise "Failed to update #{new_resource.source_name}: #{res.errors}" if res.error?
             end
           else
             converge_by("register source: #{new_resource.source_name}") do
               register_cmd = build_ps_repository_command("Register", new_resource)
-              res = powershell_out(register_cmd)
-              raise "Failed to register #{new_resource.source_name}: #{res.stderr}" unless res.stderr.empty?
+              res = powershell_exec(register_cmd)
+              raise "Failed to register #{new_resource.source_name}: #{res.errors}" if res.error?
             end
           end
         else
           if package_source_exists?
             converge_if_changed :url, :trusted, :provider_name do
               update_cmd = build_package_source_command("Set", new_resource)
-              res = powershell_out(update_cmd)
-              raise "Failed to update #{new_resource.source_name}: #{res.stderr}" unless res.stderr.empty?
+              res = powershell_exec(update_cmd)
+              raise "Failed to update #{new_resource.source_name}: #{res.errors}" if res.error?
             end
           else
             converge_by("register source: #{new_resource.source_name}") do
               register_cmd = build_package_source_command("Register", new_resource)
-              res = powershell_out(register_cmd)
-              raise "Failed to register #{new_resource.source_name}: #{res.stderr}" unless res.stderr.empty?
+              res = powershell_exec(register_cmd)
+              raise "Failed to register #{new_resource.source_name}: #{res.errors}" if res.error?
             end
           end
         end
@@ -110,16 +109,16 @@ class Chef
         if package_source_exists?
           unregister_cmd = "Get-PackageSource -Name '#{new_resource.source_name}' | Unregister-PackageSource"
           converge_by("unregister source: #{new_resource.source_name}") do
-            res = powershell_out(unregister_cmd)
-            raise "Failed to unregister #{new_resource.source_name}: #{res.stderr}" unless res.stderr.empty?
+            res = powershell_exec(unregister_cmd)
+            raise "Failed to unregister #{new_resource.source_name}: #{res.errors}" if res.error?
           end
         end
       end
 
       action_class do
         def package_source_exists?
-          cmd = powershell_out!("(Get-PackageSource -Name '#{new_resource.source_name}' -WarningAction SilentlyContinue).Name")
-          cmd.stdout.downcase.strip == new_resource.source_name.downcase
+          cmd = powershell_exec!("(Get-PackageSource -Name '#{new_resource.source_name}' -ErrorAction SilentlyContinue).Name")
+          !cmd.result.empty? && cmd.result.to_s.downcase.strip == new_resource.source_name.downcase
         end
 
         def psrepository_cmdlet_appropriate?
@@ -133,6 +132,7 @@ class Chef
           cmd << " -PublishLocation '#{new_resource.publish_location}'" if new_resource.publish_location
           cmd << " -ScriptSourceLocation '#{new_resource.script_source_location}'" if new_resource.script_source_location
           cmd << " -ScriptPublishLocation '#{new_resource.script_publish_location}'" if new_resource.script_publish_location
+          cmd << " | Out-Null"
           cmd
         end
 
@@ -141,6 +141,7 @@ class Chef
           cmd << " -Location '#{new_resource.url}'" if new_resource.url
           cmd << " -Trusted:#{new_resource.trusted ? "$true" : "$false"}"
           cmd << " -ProviderName '#{new_resource.provider_name}'" if new_resource.provider_name
+          cmd << " | Out-Null"
           cmd
         end
       end
@@ -157,11 +158,11 @@ class Chef
             if ((Get-PackageSource -Name '#{name}').ProviderName -eq 'PowerShellGet') {
                 (Get-PSRepository -Name '#{name}') | Select @{n='source_name';e={$_.Name}}, @{n='url';e={$_.SourceLocation}},
                 @{n='trusted';e={$_.Trusted}}, @{n='provider_name';e={$_.PackageManagementProvider}}, @{n='publish_location';e={$_.PublishLocation}},
-                @{n='script_source_location';e={$_.ScriptSourceLocation}}, @{n='script_publish_location';e={$_.ScriptPublishLocation}} | ConvertTo-Json
+                @{n='script_source_location';e={$_.ScriptSourceLocation}}, @{n='script_publish_location';e={$_.ScriptPublishLocation}}
             }
             else {
                 (Get-PackageSource -Name '#{name}') | Select @{n='source_name';e={$_.Name}}, @{n='url';e={$_.Location}},
-                @{n='provider_name';e={$_.ProviderName}}, @{n='trusted';e={$_.IsTrusted}} | ConvertTo-Json
+                @{n='provider_name';e={$_.ProviderName}}, @{n='trusted';e={$_.IsTrusted}}
             }
         }
       EOH

data/lib/chef/resource/powershell_script.rb

@@ -22,43 +22,51 @@ class Chef
     class PowershellScript < Chef::Resource::WindowsScript
       unified_mode true
 
+      set_guard_inherited_attributes(:interpreter)
+
       provides :powershell_script, os: "windows"
 
+      description <<~DESC
+        Use the **powershell_script** resource to execute a script using the Windows PowerShell interpreter, much like how the script and script-based resources **bash**, **csh**, **perl**, **python**, and **ruby** are used. The **powershell_script** resource is specific to the Microsoft Windows platform, but may use both the the Windows PowerShell interpreter or the PowerShell Core (pwsh) interpreter as of Chef Infra Client 16.6 and later.
+
+        The **powershell_script** resource creates and executes a temporary file rather than running the command inline. Commands that are executed with this resource are (by their nature) not idempotent, as they are typically unique to the environment in which they are run. Use `not_if` and `only_if` conditionals to guard this resource for idempotence.
+      DESC
+
       property :flags, String,
-        description: "A string that is passed to the Windows PowerShell command",
-        default: lazy { default_flags },
-        coerce: proc { |input|
-          if input == default_flags
-            # Means there was no input provided,
-            # and should use defaults in this case
-            input
-          else
-            # The last occurrence of a flag would override its
-            # previous one at the time of command execution.
-            [default_flags, input].join(" ")
-          end
-        }
+        description: "A string that is passed to the Windows PowerShell command"
 
-      description "Use the **powershell_script** resource to execute a script using the Windows PowerShell"\
-                  " interpreter, much like how the script and script-based resources—bash, csh, perl, python,"\
-                  " and ruby—are used. The powershell_script is specific to the Microsoft Windows platform"\
-                  " and the Windows PowerShell interpreter.\n\n The powershell_script resource creates and"\
-                  " executes a temporary file (similar to how the script resource behaves), rather than running"\
-                  " the command inline. Commands that are executed with this resource are (by their nature) not"\
-                  " idempotent, as they are typically unique to the environment in which they are run. Use not_if"\
-                  " and only_if to guard this resource for idempotence."
+      property :interpreter, String,
+        default: "powershell",
+        equal_to: %w{powershell pwsh},
+        description: "The interpreter type, `powershell` or `pwsh` (PowerShell Core)"
 
-      def initialize(name, run_context = nil)
-        super(name, run_context, :powershell_script, "powershell.exe")
-        @convert_boolean_return = false
-      end
+      property :convert_boolean_return, [true, false],
+        default: false,
+        description: <<~DESC
+          Return `0` if the last line of a command is evaluated to be true or to return `1` if the last line is evaluated to be false.
+
+          When the `guard_interpreter` common attribute is set to `:powershell_script`, a string command will be evaluated as if this value were set to `true`. This is because the behavior of this attribute is similar to the value of the `"$?"` expression common in UNIX interpreters. For example, this:
 
-      def convert_boolean_return(arg = nil)
-        set_or_return(
-          :convert_boolean_return,
-          arg,
-          kind_of: [ FalseClass, TrueClass ]
-        )
+          ```ruby
+          powershell_script 'make_safe_backup' do
+            guard_interpreter :powershell_script
+            code 'cp ~/data/nodes.json ~/data/nodes.bak'
+            not_if 'test-path ~/data/nodes.bak'
+          end
+          ```
+
+          is similar to:
+          ```ruby
+          bash 'make_safe_backup' do
+            code 'cp ~/data/nodes.json ~/data/nodes.bak'
+            not_if 'test -e ~/data/nodes.bak'
+          end
+          ```
+        DESC
+
+      def initialize(*args)
+        super
+        @default_guard_interpreter = resource_name
       end
 
       # Allow callers evaluating guards to request default
@@ -68,18 +76,9 @@ class Chef
       # default for this resource, this method can be removed since
       # guard context and recipe resource context will have the
       # same behavior.
-      def self.get_default_attributes(opts)
+      def self.get_default_attributes
         { convert_boolean_return: true }
       end
-
-      # Options that will be passed to Windows PowerShell command
-      #
-      # @returns [String]
-      def default_flags
-        # Set InputFormat to None as PowerShell will hang if STDIN is redirected
-        # http://connect.microsoft.com/PowerShell/feedback/details/572313/powershell-exe-can-hang-if-stdin-is-redirected
-        "-NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None"
-      end
     end
   end
 end

data/lib/chef/resource/python.rb

@@ -16,7 +16,6 @@
 #
 
 require_relative "script"
-require_relative "../provider/script"
 
 class Chef
   class Resource
@@ -32,9 +31,9 @@ class Chef
 
       description "Use the **python** resource to execute scripts using the Python interpreter."\
                   " This resource may also use any of the actions and properties that are available"\
-                  " to the execute resource. Commands that are executed with this resource are (by"\
+                  " to the **execute** resource. Commands that are executed with this resource are (by"\
                   " their nature) not idempotent, as they are typically unique to the environment in"\
-                  " which they are run. Use not_if and only_if to guard this resource for idempotence."
+                  " which they are run. Use `not_if` and `only_if` to guard this resource for idempotence."
     end
   end
 end