chef 16.3.38-universal-mingw32 → 16.5.64-universal-mingw32

data/lib/chef/resource/openssl_rsa_public_key.rb

@@ -23,6 +23,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides(:openssl_rsa_public_key) { true }
 
       examples <<~DOC

data/lib/chef/resource/openssl_x509_certificate.rb

@@ -24,6 +24,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides :openssl_x509_certificate
       provides(:openssl_x509) { true } # legacy cookbook name.
 
@@ -84,32 +86,32 @@ class Chef
         description: "The permission mode applied to all files created by the resource."
 
       property :country, String,
-        description: "Value for the C certificate field."
+        description: "Value for the `C` certificate field."
 
       property :state, String,
-        description: "Value for the ST certificate field."
+        description: "Value for the `ST` certificate field."
 
       property :city, String,
-        description: "Value for the L certificate field."
+        description: "Value for the `L` certificate field."
 
       property :org, String,
-        description: "Value for the O certificate field."
+        description: "Value for the `O` certificate field."
 
       property :org_unit, String,
-        description: "Value for the OU certificate field."
+        description: "Value for the `OU` certificate field."
 
       property :common_name, String,
-        description: "Value for the CN certificate field."
+        description: "Value for the `CN` certificate field."
 
       property :email, String,
-        description: "Value for the email certificate field."
+        description: "Value for the `email` certificate field."
 
       property :extensions, Hash,
-        description: "Hash of X509 Extensions entries, in format { 'keyUsage' => { 'values' => %w( keyEncipherment digitalSignature), 'critical' => true } }.",
+        description: "Hash of X509 Extensions entries, in format `{ 'keyUsage' => { 'values' => %w( keyEncipherment digitalSignature), 'critical' => true } }`.",
         default: lazy { {} }
 
       property :subject_alt_name, Array,
-        description: "Array of Subject Alternative Name entries, in format DNS:example.com or IP:1.2.3.4.",
+        description: "Array of Subject Alternative Name entries, in format `DNS:example.com` or `IP:1.2.3.4`.",
         default: lazy { [] }
 
       property :key_file, String,
@@ -120,7 +122,7 @@ class Chef
 
       property :key_type, String,
         equal_to: %w{rsa ec},
-        description: "The desired type of the generated key (rsa or ec).",
+        description: "The desired type of the generated key.",
         default: "rsa"
 
       property :key_length, Integer,
@@ -129,18 +131,18 @@ class Chef
         default: 2048
 
       property :key_curve, String,
-        description: "The desired curve of the generated key (if key_type is equal to 'ec'). Run openssl ecparam -list_curves to see available options.",
+        description: "The desired curve of the generated key (if key_type is equal to 'ec'). Run `openssl ecparam -list_curves` to see available options.",
         equal_to: %w{secp384r1 secp521r1 prime256v1},
         default: "prime256v1"
 
       property :csr_file, String,
-        description: "The path to a X509 Certificate Request (CSR) on the filesystem. If the csr_file property is specified, the resource will attempt to source a CSR from this location. If no CSR file is found, the resource will generate a Self-Signed Certificate and the certificate fields must be specified (common_name at last)."
+        description: "The path to a X509 Certificate Request (CSR) on the filesystem. If the `csr_file` property is specified, the resource will attempt to source a CSR from this location. If no CSR file is found, the resource will generate a Self-Signed Certificate and the certificate fields must be specified (common_name at last)."
 
       property :ca_cert_file, String,
-        description: "The path to the CA X509 Certificate on the filesystem. If the ca_cert_file property is specified, the ca_key_file property must also be specified, the certificate will be signed with them."
+        description: "The path to the CA X509 Certificate on the filesystem. If the `ca_cert_file` property is specified, the `ca_key_file` property must also be specified, the certificate will be signed with them."
 
       property :ca_key_file, String,
-        description: "The path to the CA private key on the filesystem. If the ca_key_file property is specified, the 'ca_cert_file' property must also be specified, the certificate will be signed with them."
+        description: "The path to the CA private key on the filesystem. If the `ca_key_file` property is specified, the `ca_cert_file` property must also be specified, the certificate will be signed with them."
 
       property :ca_key_pass, String,
         description: "The passphrase for CA private key's passphrase."
@@ -161,7 +163,7 @@ class Chef
           content cert.to_pem
         end
 
-        if !new_resource.renew_before_expiry.nil? && cert_need_renewall?(new_resource.path, new_resource.renew_before_expiry)
+        if !new_resource.renew_before_expiry.nil? && cert_need_renewal?(new_resource.path, new_resource.renew_before_expiry)
           file new_resource.path do
             action :create
             owner new_resource.owner unless new_resource.owner.nil?
@@ -173,7 +175,7 @@ class Chef
         end
 
         if new_resource.csr_file.nil?
-          file new_resource.key_file do
+          file key_file do
             action :create_if_missing
             owner new_resource.owner unless new_resource.owner.nil?
             group new_resource.group unless new_resource.group.nil?
@@ -185,24 +187,25 @@ class Chef
       end
 
       action_class do
-        def generate_key_file
-          unless new_resource.key_file
-            path, file = ::File.split(new_resource.path)
-            filename = ::File.basename(file, ::File.extname(file))
-            new_resource.key_file path + "/" + filename + ".key"
-          end
-          new_resource.key_file
+        def key_file
+          @key_file ||=
+            if new_resource.key_file
+              new_resource.key_file
+            else
+              path, file = ::File.split(new_resource.path)
+              filename = ::File.basename(file, ::File.extname(file))
+              path + "/" + filename + ".key"
+            end
         end
 
         def key
-          @key ||= if priv_key_file_valid?(generate_key_file, new_resource.key_pass)
-                     OpenSSL::PKey.read ::File.read(generate_key_file), new_resource.key_pass
+          @key ||= if priv_key_file_valid?(key_file, new_resource.key_pass)
+                     OpenSSL::PKey.read ::File.read(key_file), new_resource.key_pass
                    elsif new_resource.key_type == "rsa"
                      gen_rsa_priv_key(new_resource.key_length)
                    else
                      gen_ec_priv_key(new_resource.key_curve)
                    end
-          @key
         end
 
         def request
@@ -214,15 +217,15 @@ class Chef
         end
 
         def subject
-          subject = OpenSSL::X509::Name.new
-          subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
-          subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
-          subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
-          subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
-          subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
-          subject.add_entry("CN", new_resource.common_name)
-          subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
-          subject
+          OpenSSL::X509::Name.new.tap do |csr_subject|
+            csr_subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
+            csr_subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
+            csr_subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
+            csr_subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
+            csr_subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
+            csr_subject.add_entry("CN", new_resource.common_name)
+            csr_subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
+          end
         end
 
         def ca_private_key

data/lib/chef/resource/openssl_x509_crl.rb

@@ -24,20 +24,31 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides :openssl_x509_crl
 
       description "Use the **openssl_x509_crl** resource to generate PEM-formatted x509 certificate revocation list (CRL) files."
       introduced "14.4"
       examples <<~DOC
-        Generate a CRL file given a cert file and key file
+      **Create a certificate revocation file**
 
-        ```ruby
-        openssl_x509_crl '/etc/ssl_files/my_ca2.crl' do
-          ca_cert_file '/etc/ssl_files/my_ca2.crt'
-          ca_key_file '/etc/ssl_files/my_ca2.key'
-          expire 1
-        end
-        ```
+      ```ruby
+      openssl_x509_crl '/etc/ssl_test/my_ca.crl' do
+        ca_cert_file '/etc/ssl_test/my_ca.crt'
+        ca_key_file '/etc/ssl_test/my_ca.key'
+      end
+      ```
+
+      **Create a certificate revocation file for a particular serial**
+
+      ```ruby
+      openssl_x509_crl '/etc/ssl_test/my_ca.crl' do
+        ca_cert_file '/etc/ssl_test/my_ca.crt'
+        ca_key_file '/etc/ssl_test/my_ca.key'
+        serial_to_revoke C7BCB6602A2E4251EF4E2827A228CB52BC0CEA2F
+      end
+      ```
       DOC
 
       property :path, String,
@@ -60,11 +71,11 @@ class Chef
         default: 1
 
       property :ca_cert_file, String,
-        description: "The path to the CA X509 Certificate on the filesystem. If the ca_cert_file property is specified, the ca_key_file property must also be specified, the CRL will be signed with them.",
+        description: "The path to the CA X509 Certificate on the filesystem. If the `ca_cert_file` property is specified, the `ca_key_file` property must also be specified, the CRL will be signed with them.",
         required: true
 
       property :ca_key_file, String,
-        description: "The path to the CA private key on the filesystem. If the ca_key_file property is specified, the ca_cert_file property must also be specified, the CRL will be signed with them.",
+        description: "The path to the CA private key on the filesystem. If the `ca_key_file` property is specified, the `ca_cert_file` property must also be specified, the CRL will be signed with them.",
         required: true
 
       property :ca_key_pass, String,

data/lib/chef/resource/openssl_x509_request.rb

@@ -24,12 +24,14 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides :openssl_x509_request
 
       description "Use the **openssl_x509_request** resource to generate PEM-formatted x509 certificates requests. If no existing key is specified, the resource will automatically generate a passwordless key with the certificate."
       introduced "14.4"
       examples <<~DOC
-        Generate new ec key and csr file
+        **Generate new EC key and CSR file**
 
         ```ruby
         openssl_x509_request '/etc/ssl_files/my_ec_request.csr' do
@@ -40,7 +42,7 @@ class Chef
         end
         ```
 
-        Generate a new csr file from an existing ec key
+        **Generate a new CSR file from an existing EC key**
 
         ```ruby
         openssl_x509_request '/etc/ssl_files/my_ec_request2.csr' do
@@ -52,7 +54,7 @@ class Chef
         end
         ```
 
-        Generate new rsa key and csr file
+        **Generate new RSA key and CSR file**
 
         ```ruby
         openssl_x509_request '/etc/ssl_files/my_rsa_request.csr' do
@@ -78,46 +80,44 @@ class Chef
         description: "The permission mode applied to all files created by the resource."
 
       property :country, String,
-        description: "Value for the C certificate field."
+        description: "Value for the `C` certificate field."
 
       property :state, String,
-        description: "Value for the ST certificate field."
+        description: "Value for the `ST` certificate field."
 
       property :city, String,
-        description: "Value for the L certificate field."
+        description: "Value for the `L` certificate field."
 
       property :org, String,
-        description: "Value for the O certificate field."
+        description: "Value for the `O` certificate field."
 
       property :org_unit, String,
-        description: "Value for the OU certificate field."
+        description: "Value for the `OU` certificate field."
 
       property :common_name, String,
         required: true,
-        description: "Value for the CN certificate field."
+        description: "Value for the `CN` certificate field."
 
       property :email, String,
-        description: "Value for the email certificate field."
+        description: "Value for the `email` certificate field."
 
       property :key_file, String,
-        description: "The path to a certificate key file on the filesystem. If the key_file property is specified, the resource will attempt to source a key from this location. If no key file is found, the resource will generate a new key file at this location. If the key_file property is not specified, the resource will generate a key file in the same directory as the generated certificate, with the same name as the generated certificate."
+        description: "The path to a certificate key file on the filesystem. If the `key_file` property is specified, the resource will attempt to source a key from this location. If no key file is found, the resource will generate a new key file at this location. If the `key_file` property is not specified, the resource will generate a key file in the same directory as the generated certificate, with the same name as the generated certificate."
 
       property :key_pass, String,
         description: "The passphrase for an existing key's passphrase."
 
       property :key_type, String,
         equal_to: %w{rsa ec}, default: "ec",
-        description: "The desired type of the generated key (rsa or ec)."
+        description: "The desired type of the generated key."
 
       property :key_length, Integer,
         equal_to: [1024, 2048, 4096, 8192], default: 2048,
-        description: "The desired bit length of the generated key (if key_type is equal to 'rsa')."
+        description: "The desired bit length of the generated key (if key_type is equal to `rsa`)."
 
       property :key_curve, String,
         equal_to: %w{secp384r1 secp521r1 prime256v1}, default: "prime256v1",
-        description: "The desired curve of the generated key (if key_type is equal to 'ec'). Run openssl ecparam -list_curves to see available options."
-
-      default_action :create
+        description: "The desired curve of the generated key (if key_type is equal to `ec`). Run `openssl ecparam -list_curves` to see available options."
 
       action :create do
         description "Generate a certificate request."
@@ -132,7 +132,7 @@ class Chef
               action :create
             end
 
-            file new_resource.key_file do
+            file key_file do
               owner new_resource.owner unless new_resource.owner.nil?
               group new_resource.group unless new_resource.group.nil?
               mode new_resource.mode unless new_resource.mode.nil?
@@ -145,36 +145,37 @@ class Chef
       end
 
       action_class do
-        def generate_key_file
-          unless new_resource.key_file
-            path, file = ::File.split(new_resource.path)
-            filename = ::File.basename(file, ::File.extname(file))
-            new_resource.key_file path + "/" + filename + ".key"
-          end
-          new_resource.key_file
+        def key_file
+          @key_file ||=
+            if new_resource.key_file
+              new_resource.key_file
+            else
+              path, file = ::File.split(new_resource.path)
+              filename = ::File.basename(file, ::File.extname(file))
+              path + "/" + filename + ".key"
+            end
         end
 
         def key
-          @key ||= if priv_key_file_valid?(generate_key_file, new_resource.key_pass)
-                     OpenSSL::PKey.read ::File.read(generate_key_file), new_resource.key_pass
+          @key ||= if priv_key_file_valid?(key_file, new_resource.key_pass)
+                     OpenSSL::PKey.read ::File.read(key_file), new_resource.key_pass
                    elsif new_resource.key_type == "rsa"
                      gen_rsa_priv_key(new_resource.key_length)
                    else
                      gen_ec_priv_key(new_resource.key_curve)
                    end
-          @key
         end
 
         def subject
-          csr_subject = OpenSSL::X509::Name.new
-          csr_subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
-          csr_subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
-          csr_subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
-          csr_subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
-          csr_subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
-          csr_subject.add_entry("CN", new_resource.common_name)
-          csr_subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
-          csr_subject
+          OpenSSL::X509::Name.new.tap do |csr_subject|
+            csr_subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
+            csr_subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
+            csr_subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
+            csr_subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
+            csr_subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
+            csr_subject.add_entry("CN", new_resource.common_name)
+            csr_subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
+          end
         end
 
         def csr

data/lib/chef/resource/osx_profile.rb

@@ -17,6 +17,10 @@
 #
 
 require_relative "../resource"
+require_relative "../log"
+require_relative "../resource/file"
+autoload :UUIDTools, "uuidtools"
+autoload :Plist, "plist"
 
 class Chef
   class Resource
@@ -26,11 +30,72 @@ class Chef
       provides :osx_profile
       provides :osx_config_profile
 
-      description "Use the **osx_profile** resource to manage configuration profiles (.mobileconfig files) on the macOS platform. The osx_profile resource installs profiles by using the uuidgen library to generate a unique ProfileUUID, and then using the profiles command to install the profile on the system."
+      description "Use the **osx_profile** resource to manage configuration profiles (`.mobileconfig` files) on the macOS platform. The **osx_profile** resource installs profiles by using the uuidgen library to generate a unique `ProfileUUID`, and then using the `profiles` command to install the profile on the system."
       introduced "12.7"
+      examples <<~DOC
+      **Install a profile from a cookbook file**
 
-      default_action :install
-      allowed_actions :install, :remove
+      ```ruby
+      osx_profile 'com.company.screensaver.mobileconfig'
+      ```
+
+      **Install profile from a hash**
+
+      ```ruby
+      profile_hash = {
+        'PayloadIdentifier' => 'com.company.screensaver',
+        'PayloadRemovalDisallowed' => false,
+        'PayloadScope' => 'System',
+        'PayloadType' => 'Configuration',
+        'PayloadUUID' => '1781fbec-3325-565f-9022-8aa28135c3cc',
+        'PayloadOrganization' => 'Chef',
+        'PayloadVersion' => 1,
+        'PayloadDisplayName' => 'Screensaver Settings',
+        'PayloadContent'=> [
+          {
+            'PayloadType' => 'com.apple.ManagedClient.preferences',
+            'PayloadVersion' => 1,
+            'PayloadIdentifier' => 'com.company.screensaver',
+            'PayloadUUID' => '73fc30e0-1e57-0131-c32d-000c2944c108',
+            'PayloadEnabled' => true,
+            'PayloadDisplayName' => 'com.apple.screensaver',
+            'PayloadContent' => {
+              'com.apple.screensaver' => {
+                'Forced' => [
+                  {
+                    'mcx_preference_settings' => {
+                      'idleTime' => 0,
+                    }
+                  }
+                ]
+              }
+            }
+          }
+        ]
+      }
+
+      osx_profile 'Install screensaver profile' do
+        profile profile_hash
+      end
+      ```
+
+      **Remove profile using identifier in resource name**
+
+      ```ruby
+      osx_profile 'com.company.screensaver' do
+        action :remove
+      end
+      ```
+
+      **Remove profile by identifier and user friendly resource name**
+
+      ```ruby
+      osx_profile 'Remove screensaver profile' do
+        identifier 'com.company.screensaver'
+        action :remove
+      end
+      ```
+      DOC
 
       property :profile_name, String,
         description: "Use to specify the name of the profile, if different from the name of the resource block.",
@@ -40,10 +105,231 @@ class Chef
         description: "Use to specify a profile. This may be the name of a profile contained in a cookbook or a Hash that contains the contents of the profile."
 
       property :identifier, String,
-        description: "Use to specify the identifier for the profile, such as com.company.screensaver."
+        description: "Use to specify the identifier for the profile, such as `com.company.screensaver`."
+
+      # this is not a property it is necessary for the tempfile this resource uses to work (FIXME: this is terrible)
+      #
+      # @api private
+      #
+      def path(path = nil)
+        @path ||= path
+        @path
+      end
+
+      action_class do
+        def load_current_resource
+          @current_resource = Chef::Resource::OsxProfile.new(new_resource.name)
+          current_resource.profile_name(new_resource.profile_name)
+
+          if new_profile_hash
+            new_profile_hash["PayloadUUID"] = config_uuid(new_profile_hash)
+          end
+
+          current_resource.profile(current_profile)
+        end
+
+        def current_profile
+          all_profiles = get_installed_profiles
+
+          if all_profiles && all_profiles.key?("_computerlevel")
+            return all_profiles["_computerlevel"].find do |item|
+              item["ProfileIdentifier"] == new_profile_identifier
+            end
+          end
+          nil
+        end
+
+        def invalid_profile_name?(name_or_identifier)
+          name_or_identifier.end_with?(".mobileconfig") || !/^\w+(?:(\.| )\w+)+$/.match(name_or_identifier)
+        end
+
+        def check_resource_semantics!
+          if action == :remove
+            if new_profile_identifier
+              if invalid_profile_name?(new_profile_identifier)
+                raise "when removing using the identifier property, it must match the profile identifier"
+              end
+            else
+              if invalid_profile_name?(new_resource.profile_name)
+                raise "When removing by resource name, it must match the profile identifier"
+              end
+            end
+          end
+
+          if action == :install
+            # we only do this check for the install action so that profiles can still be removed on macOS 11+
+            if mac? && node["platform_version"] =~ ">= 11.0"
+              raise "The osx_profile resource is not available on macOS Big Sur or above due to Apple's removal of support for CLI profile installation"
+            end
+
+            if new_profile_hash.is_a?(Hash) && !new_profile_hash.include?("PayloadIdentifier")
+              raise "The specified profile does not seem to be valid"
+            end
+            if new_profile_hash.is_a?(String) && !new_profile_hash.end_with?(".mobileconfig")
+              raise "#{new_profile_hash}' is not a valid profile"
+            end
+          end
+        end
+      end
+
+      action :install do
+        unless profile_installed?
+          converge_by("install profile #{new_profile_identifier}") do
+            profile_path = write_profile_to_disk
+            install_profile(profile_path)
+            get_installed_profiles(true)
+          end
+        end
+      end
+
+      action :remove do
+        # Clean up profile after removing it
+        if profile_installed?
+          converge_by("remove profile #{new_profile_identifier}") do
+            remove_profile
+            get_installed_profiles(true)
+          end
+        end
+      end
+
+      action_class do
+        private
+
+        def profile
+          @profile ||= new_resource.profile || new_resource.profile_name
+        end
+
+        def new_profile_hash
+          @new_profile_hash ||= get_profile_hash(profile)
+        end
+
+        def new_profile_identifier
+          @new_profile_identifier ||= if new_profile_hash
+                                        new_profile_hash["PayloadIdentifier"]
+                                      else
+                                        new_resource.identifier || new_resource.profile_name
+                                      end
+        end
+
+        def load_profile_hash(new_profile)
+          # file must exist in cookbook
+          return nil unless new_profile.end_with?(".mobileconfig")
+
+          unless cookbook_file_available?(new_profile)
+            raise Chef::Exceptions::FileNotFound, "#{self}: '#{new_profile}' not found in cookbook"
+          end
+
+          cookbook_profile = cache_cookbook_profile(new_profile)
+          ::Plist.parse_xml(cookbook_profile)
+        end
+
+        def cookbook_file_available?(cookbook_file)
+          run_context.has_cookbook_file_in_cookbook?(
+            new_resource.cookbook_name, cookbook_file
+          )
+        end
+
+        def get_cache_dir
+          Chef::FileCache.create_cache_path(
+            "profiles/#{new_resource.cookbook_name}"
+          )
+        end
+
+        def cache_cookbook_profile(cookbook_file)
+          Chef::FileCache.create_cache_path(
+            ::File.join(
+              "profiles",
+              new_resource.cookbook_name,
+              ::File.dirname(cookbook_file)
+            )
+          )
+
+          path = ::File.join( get_cache_dir, "#{cookbook_file}.remote")
+
+          cookbook_file path do
+            cookbook_name = new_resource.cookbook_name
+            source(cookbook_file)
+            backup(false)
+            run_action(:create)
+          end
+
+          path
+        end
+
+        def get_profile_hash(new_profile)
+          if new_profile.is_a?(Hash)
+            new_profile
+          elsif new_profile.is_a?(String)
+            load_profile_hash(new_profile)
+          end
+        end
+
+        def config_uuid(profile)
+          # Make a UUID of the profile contents and return as string
+          UUIDTools::UUID.sha1_create(
+            UUIDTools::UUID_DNS_NAMESPACE,
+            profile.to_s
+          ).to_s
+        end
+
+        def write_profile_to_disk
+          # FIXME: this is kind of terrible, the resource needs a tempfile to use and
+          # wants it created similarly to the file providers (with all the magic necessary
+          # for determining if it should go in the cwd or into a tmpdir), but it abuses
+          # the Chef::FileContentManagement::Tempfile API to do that, which requires setting
+          # a `path` method on the resource because of tight-coupling to the file provider
+          # pattern.  We don't just want to use a file here because the point is to get
+          # at the tempfile pattern from the file provider, but to feed that into a shell
+          # command rather than deploying the file to somewhere on disk.  There's some
+          # better API that needs extracting here.
+          new_resource.path(Chef::FileCache.create_cache_path("profiles"))
+          tempfile = Chef::FileContentManagement::Tempfile.new(new_resource).tempfile
+          tempfile.write(new_profile_hash.to_plist)
+          tempfile.close
+          tempfile.path
+        end
+
+        def install_profile(profile_path)
+          cmd = [ "/usr/bin/profiles", "-I", "-F", profile_path ]
+          logger.trace("cmd: #{cmd.join(" ")}")
+          shell_out!(*cmd)
+        end
+
+        def remove_profile
+          cmd = [ "/usr/bin/profiles", "-R", "-p", new_profile_identifier ]
+          logger.trace("cmd: #{cmd.join(" ")}")
+          shell_out!(*cmd)
+        end
+
+        #
+        # FIXME FIXME FIXME
+        # The node object should not be used for caching state like this and this is not a public API and may break.
+        # FIXME FIXME FIXME
+        #
+
+        def get_installed_profiles(update = nil)
+          logger.trace("Saving profile data to node.run_state")
+          if update
+            node.run_state[:config_profiles] = query_installed_profiles
+          else
+            node.run_state[:config_profiles] ||= query_installed_profiles
+          end
+        end
+
+        def query_installed_profiles
+          logger.trace("Running /usr/bin/profiles -P -o stdout-xml to determine profile state")
+          so = shell_out( "/usr/bin/profiles", "-P", "-o", "stdout-xml" )
+          ::Plist.parse_xml(so.stdout)
+        end
+
+        def profile_installed?
+          # Profile Identifier and UUID must match a currently installed profile
+          return false if current_resource.profile.nil? || current_resource.profile.empty?
+          return true if action == :remove
 
-      property :path, String,
-        description: "The path to write the profile to disk before loading it."
+          current_resource.profile["ProfileUUID"] == new_profile_hash["PayloadUUID"]
+        end
+      end
     end
   end
 end