chef 16.2.50-universal-mingw32 → 16.4.38-universal-mingw32

data/lib/chef/resource/openssl_x509_crl.rb

@@ -24,6 +24,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides :openssl_x509_crl
 
       description "Use the **openssl_x509_crl** resource to generate PEM-formatted x509 certificate revocation list (CRL) files."
@@ -113,8 +115,7 @@ class Chef
         end
 
         def ca_private_key
-          ca_private_key = ::OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
-          ca_private_key
+          ::OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
         end
 
         def crl

data/lib/chef/resource/openssl_x509_request.rb

@@ -24,6 +24,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides :openssl_x509_request
 
       description "Use the **openssl_x509_request** resource to generate PEM-formatted x509 certificates requests. If no existing key is specified, the resource will automatically generate a passwordless key with the certificate."
@@ -132,7 +134,7 @@ class Chef
               action :create
             end
 
-            file new_resource.key_file do
+            file key_file do
               owner new_resource.owner unless new_resource.owner.nil?
               group new_resource.group unless new_resource.group.nil?
               mode new_resource.mode unless new_resource.mode.nil?
@@ -145,36 +147,37 @@ class Chef
       end
 
       action_class do
-        def generate_key_file
-          unless new_resource.key_file
-            path, file = ::File.split(new_resource.path)
-            filename = ::File.basename(file, ::File.extname(file))
-            new_resource.key_file path + "/" + filename + ".key"
-          end
-          new_resource.key_file
+        def key_file
+          @key_file ||=
+            if new_resource.key_file
+              new_resource.key_file
+            else
+              path, file = ::File.split(new_resource.path)
+              filename = ::File.basename(file, ::File.extname(file))
+              path + "/" + filename + ".key"
+            end
         end
 
         def key
-          @key ||= if priv_key_file_valid?(generate_key_file, new_resource.key_pass)
-                     OpenSSL::PKey.read ::File.read(generate_key_file), new_resource.key_pass
+          @key ||= if priv_key_file_valid?(key_file, new_resource.key_pass)
+                     OpenSSL::PKey.read ::File.read(key_file), new_resource.key_pass
                    elsif new_resource.key_type == "rsa"
                      gen_rsa_priv_key(new_resource.key_length)
                    else
                      gen_ec_priv_key(new_resource.key_curve)
                    end
-          @key
         end
 
         def subject
-          csr_subject = OpenSSL::X509::Name.new
-          csr_subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
-          csr_subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
-          csr_subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
-          csr_subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
-          csr_subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
-          csr_subject.add_entry("CN", new_resource.common_name)
-          csr_subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
-          csr_subject
+          OpenSSL::X509::Name.new.tap do |csr_subject|
+            csr_subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
+            csr_subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
+            csr_subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
+            csr_subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
+            csr_subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
+            csr_subject.add_entry("CN", new_resource.common_name)
+            csr_subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
+          end
         end
 
         def csr

data/lib/chef/resource/osx_profile.rb

@@ -17,6 +17,10 @@
 #
 
 require_relative "../resource"
+require_relative "../log"
+require_relative "../resource/file"
+require "uuidtools"
+require "plist"
 
 class Chef
   class Resource
@@ -29,9 +33,6 @@ class Chef
       description "Use the **osx_profile** resource to manage configuration profiles (.mobileconfig files) on the macOS platform. The osx_profile resource installs profiles by using the uuidgen library to generate a unique ProfileUUID, and then using the profiles command to install the profile on the system."
       introduced "12.7"
 
-      default_action :install
-      allowed_actions :install, :remove
-
       property :profile_name, String,
         description: "Use to specify the name of the profile, if different from the name of the resource block.",
         name_property: true
@@ -42,8 +43,229 @@ class Chef
       property :identifier, String,
         description: "Use to specify the identifier for the profile, such as com.company.screensaver."
 
-      property :path, String,
-        description: "The path to write the profile to disk before loading it."
+      # this is not a property it is necessary for the tempfile this resource uses to work (FIXME: this is terrible)
+      #
+      # @api private
+      #
+      def path(path = nil)
+        @path ||= path
+        @path
+      end
+
+      action_class do
+        def load_current_resource
+          @current_resource = Chef::Resource::OsxProfile.new(new_resource.name)
+          current_resource.profile_name(new_resource.profile_name)
+
+          if new_profile_hash
+            new_profile_hash["PayloadUUID"] = config_uuid(new_profile_hash)
+          end
+
+          current_resource.profile(current_profile)
+        end
+
+        def current_profile
+          all_profiles = get_installed_profiles
+
+          if all_profiles && all_profiles.key?("_computerlevel")
+            return all_profiles["_computerlevel"].find do |item|
+              item["ProfileIdentifier"] == new_profile_identifier
+            end
+          end
+          nil
+        end
+
+        def invalid_profile_name?(name_or_identifier)
+          name_or_identifier.end_with?(".mobileconfig") || !/^\w+(?:(\.| )\w+)+$/.match(name_or_identifier)
+        end
+
+        def check_resource_semantics!
+          if mac? && node["platform_version"] =~ ">= 11.0"
+            raise "The osx_profile resource is not available on macOS Big Sur or above due to Apple's removal of support for CLI profile installation"
+          end
+
+          if action == :remove
+            if new_profile_identifier
+              if invalid_profile_name?(new_profile_identifier)
+                raise "when removing using the identifier property, it must match the profile identifier"
+              end
+            else
+              if invalid_profile_name?(new_resource.profile_name)
+                raise "When removing by resource name, it must match the profile identifier"
+              end
+            end
+          end
+
+          if action == :install
+            if new_profile_hash.is_a?(Hash) && !new_profile_hash.include?("PayloadIdentifier")
+              raise "The specified profile does not seem to be valid"
+            end
+            if new_profile_hash.is_a?(String) && !new_profile_hash.end_with?(".mobileconfig")
+              raise "#{new_profile_hash}' is not a valid profile"
+            end
+          end
+        end
+      end
+
+      action :install do
+        unless profile_installed?
+          converge_by("install profile #{new_profile_identifier}") do
+            profile_path = write_profile_to_disk
+            install_profile(profile_path)
+            get_installed_profiles(true)
+          end
+        end
+      end
+
+      action :remove do
+        # Clean up profile after removing it
+        if profile_installed?
+          converge_by("remove profile #{new_profile_identifier}") do
+            remove_profile
+            get_installed_profiles(true)
+          end
+        end
+      end
+
+      action_class do
+        private
+
+        def profile
+          @profile ||= new_resource.profile || new_resource.profile_name
+        end
+
+        def new_profile_hash
+          @new_profile_hash ||= get_profile_hash(profile)
+        end
+
+        def new_profile_identifier
+          @new_profile_identifier ||= if new_profile_hash
+                                        new_profile_hash["PayloadIdentifier"]
+                                      else
+                                        new_resource.identifier || new_resource.profile_name
+                                      end
+        end
+
+        def load_profile_hash(new_profile)
+          # file must exist in cookbook
+          return nil unless new_profile.end_with?(".mobileconfig")
+
+          unless cookbook_file_available?(new_profile)
+            raise Chef::Exceptions::FileNotFound, "#{self}: '#{new_profile}' not found in cookbook"
+          end
+
+          cookbook_profile = cache_cookbook_profile(new_profile)
+          ::Plist.parse_xml(cookbook_profile)
+        end
+
+        def cookbook_file_available?(cookbook_file)
+          run_context.has_cookbook_file_in_cookbook?(
+            new_resource.cookbook_name, cookbook_file
+          )
+        end
+
+        def get_cache_dir
+          Chef::FileCache.create_cache_path(
+            "profiles/#{new_resource.cookbook_name}"
+          )
+        end
+
+        def cache_cookbook_profile(cookbook_file)
+          Chef::FileCache.create_cache_path(
+            ::File.join(
+              "profiles",
+              new_resource.cookbook_name,
+              ::File.dirname(cookbook_file)
+            )
+          )
+
+          path = ::File.join( get_cache_dir, "#{cookbook_file}.remote")
+
+          cookbook_file path do
+            cookbook_name = new_resource.cookbook_name
+            source(cookbook_file)
+            backup(false)
+            run_action(:create)
+          end
+
+          path
+        end
+
+        def get_profile_hash(new_profile)
+          if new_profile.is_a?(Hash)
+            new_profile
+          elsif new_profile.is_a?(String)
+            load_profile_hash(new_profile)
+          end
+        end
+
+        def config_uuid(profile)
+          # Make a UUID of the profile contents and return as string
+          UUIDTools::UUID.sha1_create(
+            UUIDTools::UUID_DNS_NAMESPACE,
+            profile.to_s
+          ).to_s
+        end
+
+        def write_profile_to_disk
+          # FIXME: this is kind of terrible, the resource needs a tempfile to use and
+          # wants it created similarly to the file providers (with all the magic necessary
+          # for determining if it should go in the cwd or into a tmpdir), but it abuses
+          # the Chef::FileContentManagement::Tempfile API to do that, which requires setting
+          # a `path` method on the resource because of tight-coupling to the file provider
+          # pattern.  We don't just want to use a file here because the point is to get
+          # at the tempfile pattern from the file provider, but to feed that into a shell
+          # command rather than deploying the file to somewhere on disk.  There's some
+          # better API that needs extracting here.
+          new_resource.path(Chef::FileCache.create_cache_path("profiles"))
+          tempfile = Chef::FileContentManagement::Tempfile.new(new_resource).tempfile
+          tempfile.write(new_profile_hash.to_plist)
+          tempfile.close
+          tempfile.path
+        end
+
+        def install_profile(profile_path)
+          cmd = [ "/usr/bin/profiles", "-I", "-F", profile_path ]
+          logger.trace("cmd: #{cmd.join(" ")}")
+          shell_out!(*cmd)
+        end
+
+        def remove_profile
+          cmd = [ "/usr/bin/profiles", "-R", "-p", new_profile_identifier ]
+          logger.trace("cmd: #{cmd.join(" ")}")
+          shell_out!(*cmd)
+        end
+
+        #
+        # FIXME FIXME FIXME
+        # The node object should not be used for caching state like this and this is not a public API and may break.
+        # FIXME FIXME FIXME
+        #
+
+        def get_installed_profiles(update = nil)
+          if update
+            node.run_state[:config_profiles] = query_installed_profiles
+          else
+            node.run_state[:config_profiles] ||= query_installed_profiles
+          end
+          logger.trace("Saved profiles to run_state")
+        end
+
+        def query_installed_profiles
+          Tempfile.open("allprofiles.plist") do |tempfile|
+            shell_out( "/usr/bin/profiles", "-P", "-o", tempfile.path )
+            ::Plist.parse_xml(tempfile)
+          end
+        end
+
+        def profile_installed?
+          # Profile Identifier and UUID must match a currently installed profile
+          return false if current_resource.profile.nil? || current_resource.profile.empty?
+          return true if action == :remove
+
+          current_resource.profile["ProfileUUID"] == new_profile_hash["PayloadUUID"]
+        end
+      end
     end
   end
 end

data/lib/chef/resource/powershell_package_source.rb

@@ -34,7 +34,7 @@ class Chef
 
       property :url, String,
         description: "The url to the package source.",
-        required: true
+        required: [:register]
 
       property :trusted, [TrueClass, FalseClass],
         description: "Whether or not to trust packages from this source.",

data/lib/chef/resource/powershell_script.rb

@@ -25,19 +25,31 @@ class Chef
       provides :powershell_script, os: "windows"
 
       property :flags, String,
-        description: "A string that is passed to the Windows PowerShell command",
-        default: lazy { default_flags },
-        coerce: proc { |input|
-          if input == default_flags
-            # Means there was no input provided,
-            # and should use defaults in this case
-            input
-          else
-            # The last occurrence of a flag would override its
-            # previous one at the time of command execution.
-            [default_flags, input].join(" ")
+        description: "A string that is passed to the Windows PowerShell command"
+
+      property :convert_boolean_return, [true, false],
+        default: false,
+        description: <<~DESC
+          Return `0` if the last line of a command is evaluated to be true or to return `1` if the last line is evaluated to be false.
+
+          When the `guard_interpreter` common attribute is set to `:powershell_script`, a string command will be evaluated as if this value were set to `true`. This is because the behavior of this attribute is similar to the value of the `"$?"` expression common in UNIX interpreters. For example, this:
+
+          ```ruby
+          powershell_script 'make_safe_backup' do
+            guard_interpreter :powershell_script
+            code 'cp ~/data/nodes.json ~/data/nodes.bak'
+            not_if 'test-path ~/data/nodes.bak'
+          end
+          ```
+
+          is similar to:
+          ```ruby
+          bash 'make_safe_backup' do
+            code 'cp ~/data/nodes.json ~/data/nodes.bak'
+            not_if 'test -e ~/data/nodes.bak'
           end
-        }
+          ```
+        DESC
 
       description "Use the **powershell_script** resource to execute a script using the Windows PowerShell"\
                   " interpreter, much like how the script and script-based resources—bash, csh, perl, python,"\
@@ -52,15 +64,6 @@ class Chef
         super
         @interpreter = "powershell.exe"
         @default_guard_interpreter = resource_name
-        @convert_boolean_return = false
-      end
-
-      def convert_boolean_return(arg = nil)
-        set_or_return(
-          :convert_boolean_return,
-          arg,
-          kind_of: [ FalseClass, TrueClass ]
-        )
       end
 
       # Allow callers evaluating guards to request default
@@ -73,15 +76,6 @@ class Chef
       def self.get_default_attributes(opts)
         { convert_boolean_return: true }
       end
-
-      # Options that will be passed to Windows PowerShell command
-      #
-      # @returns [String]
-      def default_flags
-        # Set InputFormat to None as PowerShell will hang if STDIN is redirected
-        # http://connect.microsoft.com/PowerShell/feedback/details/572313/powershell-exe-can-hang-if-stdin-is-redirected
-        "-NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None"
-      end
     end
   end
 end

data/lib/chef/resource/service.rb

@@ -25,8 +25,8 @@ require_relative "../dist"
 class Chef
   class Resource
     class Service < Chef::Resource
-      include ChefUtils::DSL::Service
-      extend ChefUtils::DSL::Service
+      include Chef::Platform::ServiceHelpers
+      extend Chef::Platform::ServiceHelpers
       unified_mode true
 
       provides :service, target_mode: true

data/lib/chef/resource/ssh_known_hosts_entry.rb

@@ -106,7 +106,7 @@ class Chef
 
         r = with_run_context :root do
           find_resource(:template, "update ssh known hosts file #{new_resource.file_location}") do
-            source ::File.expand_path("../support/ssh_known_hosts.erb", __FILE__)
+            source ::File.expand_path("support/ssh_known_hosts.erb", __dir__)
             local true
             path new_resource.file_location
             owner new_resource.owner