chef 16.13.16-universal-mingw32 → 17.0.242-universal-mingw32

data/lib/chef/compliance/reporter/compliance_enforcer.rb

@@ -14,6 +14,10 @@ class Chef
           end
           true
         end
+
+        def validate_config!
+          true
+        end
       end
     end
   end

data/lib/chef/compliance/reporter/json_file.rb

@@ -1,4 +1,5 @@
 require_relative "../../json_compat"
+require_relative "../../log"
 
 class Chef
   module Compliance
@@ -9,10 +10,16 @@ class Chef
         end
 
         def send_report(report)
+          Chef::Log.info "Writing compliance report to #{@path}"
           FileUtils.mkdir_p(File.dirname(@path), mode: 0700)
-
           File.write(@path, Chef::JSONCompat.to_json(report))
         end
+
+        def validate_config!
+          if @path.nil? || @path.class != String || @path.empty?
+            raise "CMPL009: json_file reporter: node['audit']['json_file']['location'] must contain a file path"
+          end
+        end
       end
     end
   end

data/lib/chef/compliance/runner.rb

@@ -1,21 +1,22 @@
 autoload :Inspec, "inspec"
 
 require_relative "default_attributes"
-require_relative "reporter/automate"
-require_relative "reporter/chef_server_automate"
-require_relative "reporter/compliance_enforcer"
-require_relative "reporter/json_file"
 
 class Chef
   module Compliance
     class Runner < EventDispatch::Base
       extend Forwardable
 
+      SUPPORTED_REPORTERS = %w{chef-automate chef-server-automate json-file audit-enforcer cli}.freeze
+      SUPPORTED_FETCHERS = %w{chef-automate chef-server}.freeze
+
       attr_accessor :run_id
       attr_reader :node
       def_delegators :node, :logger
 
       def enabled?
+        return false if @node.nil?
+
         # Did we parse the libraries file from the audit cookbook?  This class dates back to when Chef Automate was
         # renamed from Chef Visibility in 2017, so should capture all modern versions of the audit cookbook.
         audit_cookbook_present = defined?(::Reporter::ChefAutomate)
@@ -44,18 +45,30 @@ class Chef
         self.run_id = run_status.run_id
       end
 
+      def converge_start(run_context)
+        # With all attributes - including cookbook - loaded, we now have enough data to validate
+        # configuration.  Because the converge is best coupled with the associated compliance run, these validations
+        # will raise (and abort the converge) if the compliance phase configuration is incorrect/will
+        # prevent compliance phase from completing and submitting its report to all configured reporters.
+        # can abort the converge if the compliance phase configuration (node attributes and client config)
+        load_and_validate!
+      end
+
       def run_completed(_node, _run_status)
         return unless enabled?
 
-        logger.info("#{self.class}##{__method__}: enabling Compliance Phase")
+        logger.debug("#{self.class}##{__method__}: enabling Compliance Phase")
 
         report
       end
 
       def run_failed(_exception, _run_status)
-        return unless enabled?
+        # If the run has failed because our own validation of compliance
+        # phase configuration has failed, we don't want to submit a report
+        # because we're still not configured correctly.
+        return unless enabled? && @validation_passed
 
-        logger.info("#{self.class}##{__method__}: enabling Compliance Phase")
+        logger.debug("#{self.class}##{__method__}: enabling Compliance Phase")
 
         report
       end
@@ -81,7 +94,11 @@ class Chef
         end
       end
 
-      def report(report = generate_report)
+      def report(report = nil)
+        logger.info "Starting Chef Infra Compliance Phase"
+        report ||= generate_report
+        # This is invoked at report-time instead of with the normal validations at node loaded,
+        # because we want to ensure that it is visible in the output - and not lost in back-scroll.
         warn_for_deprecated_config_values!
 
         if report.empty?
@@ -89,9 +106,11 @@ class Chef
           return
         end
 
-        Array(node["audit"]["reporter"]).each do |reporter|
-          send_report(reporter, report)
+        Array(node["audit"]["reporter"]).each do |reporter_type|
+          logger.info "Reporting to #{reporter_type}"
+          @reporters[reporter_type].send_report(report)
         end
+        logger.info "Chef Infra Compliance Phase Complete"
       end
 
       def inspec_opts
@@ -116,10 +135,8 @@ class Chef
 
       def inspec_profiles
         profiles = node["audit"]["profiles"]
-
-        # TODO: Custom exception class here?
         unless profiles.respond_to?(:map) && profiles.all? { |_, p| p.respond_to?(:transform_keys) && p.respond_to?(:update) }
-          raise "#{Inspec::Dist::PRODUCT_NAME} profiles specified in an unrecognized format, expected a hash of hashes."
+          raise "CMPL010: #{Inspec::Dist::PRODUCT_NAME} profiles specified in an unrecognized format, expected a hash of hashes."
         end
 
         profiles.map do |name, profile|
@@ -135,8 +152,6 @@ class Chef
           require_relative "fetcher/chef_server"
         when nil
           # intentionally blank
-        else
-          raise "Invalid value specified for Compliance Phase's fetcher: '#{node["audit"]["fetcher"]}'. Valid values are 'chef-automate', 'chef-server', or nil."
         end
       end
 
@@ -209,17 +224,10 @@ class Chef
         }
       end
 
-      def send_report(reporter_type, report)
-        logger.info "Reporting to #{reporter_type}"
-
-        reporter = reporter(reporter_type)
-
-        reporter.send_report(report) if reporter
-      end
-
       def reporter(reporter_type)
         case reporter_type
         when "chef-automate"
+          require_relative "reporter/automate"
           opts = {
             control_results_limit: node["audit"]["control_results_limit"],
             entity_uuid: node["chef_guid"],
@@ -230,6 +238,7 @@ class Chef
           }
           Chef::Compliance::Reporter::Automate.new(opts)
         when "chef-server-automate"
+          require_relative "reporter/chef_server_automate"
           opts = {
             control_results_limit: node["audit"]["control_results_limit"],
             entity_uuid: node["chef_guid"],
@@ -241,13 +250,15 @@ class Chef
           }
           Chef::Compliance::Reporter::ChefServerAutomate.new(opts)
         when "json-file"
-          path = node["audit"]["json_file"]["location"]
-          logger.info "Writing compliance report to #{path}"
+          require_relative "reporter/json_file"
+          path = node.dig("audit", "json_file", "location")
           Chef::Compliance::Reporter::JsonFile.new(file: path)
         when "audit-enforcer"
+          require_relative "reporter/compliance_enforcer"
           Chef::Compliance::Reporter::ComplianceEnforcer.new
-        else
-          raise "'#{reporter_type}' is not a supported reporter for Compliance Phase."
+        when "cli"
+          require_relative "reporter/cli"
+          Chef::Compliance::Reporter::Cli.new
         end
       end
 
@@ -264,6 +275,33 @@ class Chef
         url.path = File.join(url.path, "organizations/#{org}/data-collector")
         url
       end
+
+      # Load the resources required for this runner, and validate configuration
+      # is correct to proceed. Requires node state to be loaded.
+      # Will raise exception if fetcher is not valid, if a reporter is not valid,
+      # or the configuration required by a reporter is not provided.
+      def load_and_validate!
+        return unless enabled?
+
+        @reporters = {}
+        # Note that the docs don't say you can use an array, but our implementation
+        # supports it.
+        Array(node["audit"]["reporter"]).each do |type|
+          unless SUPPORTED_REPORTERS.include? type
+            raise "CMPL003: '#{type}' found in node['audit']['reporter'] is not a supported reporter for Compliance Phase. Supported reporters are: #{SUPPORTED_REPORTERS.join(", ")}. For more information, see the documentation at https://docs.chef.io/chef_compliance_phase/chef_compliance_runners/#reporters"
+          end
+
+          @reporters[type] = reporter(type)
+          @reporters[type].validate_config!
+        end
+
+        unless (fetcher = node["audit"]["fetcher"]).nil?
+          unless SUPPORTED_FETCHERS.include? fetcher
+            raise "CMPL002: Unrecognized Compliance Phase fetcher (node['audit']['fetcher'] = #{fetcher}). Supported fetchers are: #{SUPPORTED_FETCHERS.join(", ")}, or nil. For more information, see the documentation at https://docs.chef.io/chef_compliance_phase/chef_compliance_runners/#fetchers"
+          end
+        end
+        @validation_passed = true
+      end
     end
   end
 end

data/lib/chef/cookbook/synchronizer.rb

@@ -143,11 +143,9 @@ class Chef
     end
 
     def files_remaining_by_cookbook
-      @files_remaining_by_cookbook ||= begin
-        files_by_cookbook.inject({}) do |memo, (cookbook, files)|
-          memo[cookbook] = files.size
-          memo
-        end
+      @files_remaining_by_cookbook ||= files_by_cookbook.inject({}) do |memo, (cookbook, files)|
+        memo[cookbook] = files.size
+        memo
       end
     end
 

data/lib/chef/cookbook_loader.rb

@@ -195,10 +195,8 @@ class Chef
 
     def all_files_in_repo_paths
       @all_files_in_repo_paths ||=
-        begin
-          repo_paths.inject([]) do |all_children, repo_path|
-            all_children + Dir[File.join(Chef::Util::PathHelper.escape_glob_dir(repo_path), "*")]
-          end
+        repo_paths.inject([]) do |all_children, repo_path|
+          all_children + Dir[File.join(Chef::Util::PathHelper.escape_glob_dir(repo_path), "*")]
         end
     end
 

data/lib/chef/cookbook_uploader.rb

@@ -1,7 +1,6 @@
 
 autoload :Set, "set"
 require_relative "exceptions"
-require_relative "knife/cookbook_metadata"
 require_relative "digester"
 require_relative "cookbook_manifest"
 require_relative "cookbook_version"

data/lib/chef/data_bag_item.rb

@@ -44,8 +44,17 @@ class Chef
       end
     end
 
-    # Define all Hash's instance methods as delegating to @raw_data
-    def_delegators(:@raw_data, *(Hash.instance_methods - Object.instance_methods))
+    # delegate missing methods to the @raw_data Hash
+    def method_missing(method_name, *arguments, &block)
+      @raw_data.send(method_name, *arguments, &block)
+    rescue
+      # throw more sensible errors back at the user
+      super
+    end
+
+    def respond_to_missing?(method_name, include_private = false)
+      @raw_data.respond_to?(method_name, include_private) || super
+    end
 
     attr_reader :raw_data
 

data/lib/chef/delayed_evaluator.rb

@@ -17,5 +17,9 @@
 
 class Chef
   class DelayedEvaluator < Proc
+    def dup
+      # super returns a "Proc" (which seems buggy) so re-wrap it
+      self.class.new(&super) # rubocop:disable Layout/SpaceAroundKeyword
+    end
   end
 end

data/lib/chef/deprecated.rb

@@ -249,6 +249,10 @@ class Chef
       target 32
     end
 
+    class UnifiedMode < Base
+      target 33
+    end
+
     class Generic < Base
       def url
         "https://docs.chef.io/chef_deprecations_client/"

data/lib/chef/dsl/chef_vault.rb

@@ -32,8 +32,8 @@ class Chef
       # actually a Chef Vault item. This is controlled via
       # +node['chef-vault']['databag_fallback']+.
       # @example
-      # item = chef_vault_item('secrets', 'bacon')
-      # log 'Yeah buddy!' if item['_default']['type']
+      #   item = chef_vault_item('secrets', 'bacon')
+      #   log 'Yeah buddy!' if item['_default']['type']
       # @param [String] bag Name of the data bag to load from.
       # @param [String] id Identifier of the data bag item to load.
       def chef_vault_item(bag, id)
@@ -51,8 +51,8 @@ class Chef
       # the items, so this method strips out the keys for users so that they
       # don't have to do it in their recipes.
       # @example
-      # ids = chef_vault('secrets')
-      # log 'Yeah buddy!' if ids[0] == 'bacon'
+      #   ids = chef_vault('secrets')
+      #   log 'Yeah buddy!' if ids[0] == 'bacon'
       # @param [String] bag Name of the data bag to load from.
       # @return [Array]
       def chef_vault(bag)
@@ -68,8 +68,8 @@ class Chef
       # This allows for easy access to current environment secrets inside
       # of an item.
       # @example
-      # item = chef_vault_item_for_environment('secrets', 'bacon')
-      # log 'Yeah buddy!' if item['type'] == 'applewood_smoked'
+      #   item = chef_vault_item_for_environment('secrets', 'bacon')
+      #   log 'Yeah buddy!' if item['type'] == 'applewood_smoked'
       # @param [String] bag Name of the data bag to load from.
       # @param [String] id Identifier of the data bag item to load.
       # @return [Hash]

data/lib/chef/dsl/reboot_pending.rb

@@ -45,8 +45,7 @@ class Chef
 
             # Vista + Server 2008 and newer may have reboots pending from CBS
             registry_key_exists?('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
-        elsif platform?("ubuntu")
-          # This should work for Debian as well if update-notifier-common happens to be installed. We need an API for that.
+        elsif platform_family?("debian")
           File.exist?("/var/run/reboot-required")
         else
           false

data/lib/chef/formatters/error_inspectors/resource_failure_inspector.rb

@@ -64,36 +64,34 @@ class Chef
         def recipe_snippet
           return nil if dynamic_resource?
 
-          @snippet ||= begin
-            if (file = parse_source) && (line = parse_line(file))
-              return nil unless ::File.exist?(file)
+          @snippet ||= if (file = parse_source) && (line = parse_line(file))
+                         return nil unless ::File.exist?(file)
 
-              lines = IO.readlines(file)
+                         lines = IO.readlines(file)
 
-              relevant_lines = ["# In #{file}\n\n"]
+                         relevant_lines = ["# In #{file}\n\n"]
 
-              current_line = line - 1
-              current_line = 0 if current_line < 0
-              nesting = 0
+                         current_line = line - 1
+                         current_line = 0 if current_line < 0
+                         nesting = 0
 
-              loop do
+                         loop do
 
-                # low rent parser. try to gracefully handle nested blocks in resources
-                nesting += 1 if /\s+do\s*/.match?(lines[current_line])
-                nesting -= 1 if /end\s*$/.match?(lines[current_line])
+                           # low rent parser. try to gracefully handle nested blocks in resources
+                           nesting += 1 if /\s+do\s*/.match?(lines[current_line])
+                           nesting -= 1 if /end\s*$/.match?(lines[current_line])
 
-                relevant_lines << format_line(current_line, lines[current_line])
+                           relevant_lines << format_line(current_line, lines[current_line])
 
-                break if lines[current_line + 1].nil?
-                break if current_line >= (line + 50)
-                break if nesting <= 0
+                           break if lines[current_line + 1].nil?
+                           break if current_line >= (line + 50)
+                           break if nesting <= 0
 
-                current_line += 1
-              end
-              relevant_lines << format_line(current_line + 1, lines[current_line + 1]) if lines[current_line + 1]
-              relevant_lines.join("")
-            end
-          end
+                           current_line += 1
+                         end
+                         relevant_lines << format_line(current_line + 1, lines[current_line + 1]) if lines[current_line + 1]
+                         relevant_lines.join("")
+                       end
         end
 
         def dynamic_resource?

data/lib/chef/group.rb

@@ -0,0 +1,75 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "org"
+
+class Chef
+  class Group
+
+    def group(groupname)
+      @group ||= {}
+      @group[groupname] ||= chef_rest.get_rest "organizations/#{name}/groups/#{groupname}"
+    end
+
+    def user_member_of_group?(username, groupname)
+      group = group(groupname)
+      group["actors"].include? username
+    end
+
+    def add_user_to_group(groupname, username)
+      group = group(groupname)
+      body_hash = {
+        groupname: "#{groupname}",
+        actors: {
+          "users" => group["actors"].concat([username]),
+          "groups" => group["groups"],
+        },
+      }
+      chef_rest.put_rest "organizations/#{name}/groups/#{groupname}", body_hash
+    end
+
+    def remove_user_from_group(groupname, username)
+      group = group(groupname)
+      group["actors"].delete(username)
+      body_hash = {
+        groupname: "#{groupname}",
+        actors: {
+          "users" => group["actors"],
+          "groups" => group["groups"],
+        },
+      }
+      chef_rest.put_rest "organizations/#{name}/groups/#{groupname}", body_hash
+    end
+
+    def actor_delete_would_leave_admins_empty?
+      admins = group("admins")
+      if admins["groups"].empty?
+        # exclude 'pivotal' but don't mutate the group since we're caching it
+        if admins["actors"].include? "pivotal"
+          admins["actors"].length <= 2
+        else
+          admins["actors"].length <= 1
+        end
+      else
+        # We don't check recursively. If the admins group contains a group,
+        # and the user is the only member of that group,
+        # we'll still turn up a 'safe to delete'.
+        false
+      end
+    end
+  end
+end