chef 16.3.45-universal-mingw32 → 16.5.77-universal-mingw32

data/lib/chef/resource/ohai_hint.rb

@@ -26,6 +26,39 @@ class Chef
 
       description "Use the **ohai_hint** resource to aid in configuration detection by passing hint data to Ohai."
       introduced "14.0"
+      examples <<~DOC
+      **Create a hint file**
+
+      ```ruby
+      ohai_hint 'example' do
+        content a: 'test_content'
+      end
+      ```
+
+      **Create a hint file with a name that does not match the resource name**
+
+      ```ruby
+      ohai_hint 'example' do
+        hint_name 'custom'
+      end
+      ```
+
+      **Create a hint file that is not loaded at compile time**
+
+      ```ruby
+      ohai_hint 'example' do
+        compile_time false
+      end
+      ```
+
+      **Delete a hint file**
+
+      ```ruby
+      ohai_hint 'example' do
+        action :delete
+      end
+      ```
+      DOC
 
       property :hint_name, String,
         description: "An optional property to set the hint name if it differs from the resource block's name.",

data/lib/chef/resource/openssl_dhparam.rb

@@ -23,17 +23,41 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides(:openssl_dhparam) { true }
 
-      description "Use the **openssl_dhparam** resource to generate dhparam.pem files. If a valid dhparam.pem file is found at the specified location, no new file will be created. If a file is found at the specified location but it is not a valid dhparam file, it will be overwritten."
+      description "Use the **openssl_dhparam** resource to generate `dhparam.pem` files. If a valid `dhparam.pem` file is found at the specified location, no new file will be created. If a file is found at the specified location but it is not a valid `dhparam.pem` file, it will be overwritten."
       introduced "14.0"
       examples <<~DOC
-        Create a 1024bit dhparam file
+        **Create a dhparam file**
 
         ```ruby
-        openssl_dhparam '/etc/ssl_files/dhparam.pem' do
-          key_length 1024
-          action :create
+        openssl_dhparam '/etc/httpd/ssl/dhparam.pem'
+        ```
+
+        **Create a dhparam file with a specific key length**
+
+        ```ruby
+        openssl_dhparam '/etc/httpd/ssl/dhparam.pem' do
+          key_length 4096
+        end
+        ```
+
+        **Create a dhparam file with specific user/group ownership**
+
+        ```ruby
+        openssl_dhparam '/etc/httpd/ssl/dhparam.pem' do
+          owner 'www-data'
+          group 'www-data'
+        end
+        ```
+
+        **Manually specify the dhparam file path**
+
+        ```ruby
+        openssl_dhparam 'httpd_dhparam' do
+          path '/etc/httpd/ssl/dhparam.pem'
         end
         ```
       DOC

data/lib/chef/resource/openssl_ec_private_key.rb

@@ -24,6 +24,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides :openssl_ec_private_key
 
       description "Use the **openssl_ec_private_key** resource to generate an elliptic curve (EC) private key file. If a valid EC key file can be opened at the specified location, no new file will be created. If the EC key file cannot be opened, either because it does not exist or because the password to the EC key file does not match the password in the recipe, then it will be overwritten."
@@ -64,10 +66,13 @@ class Chef
         description: "The desired passphrase for the key."
 
       property :key_cipher, String,
-        equal_to: OpenSSL::Cipher.ciphers,
-        validation_message: "key_cipher must be a cipher known to openssl. Run `openssl list-cipher-algorithms` to see available options.",
         description: "The designed cipher to use when generating your key. Run `openssl list-cipher-algorithms` to see available options.",
-        default: "des3"
+        default: lazy { "des3" },
+        default_description: "des3",
+        callbacks: {
+          "key_cipher must be a cipher known to openssl. Run `openssl list-cipher-algorithms` to see available options." =>
+            proc { |v| OpenSSL::Cipher.ciphers.include?(v) },
+        }
 
       property :owner, [String, Integer],
         description: "The owner applied to all files created by the resource."

data/lib/chef/resource/openssl_ec_public_key.rb

@@ -24,12 +24,14 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides :openssl_ec_public_key
 
       description "Use the **openssl_ec_public_key** resource to generate elliptic curve (EC) public key files from a given EC private key."
       introduced "14.4"
       examples <<~DOC
-        Generate new ec public key from a private key on disk
+        **Generate new EC public key from a private key on disk**
 
         ```ruby
         openssl_ec_public_key '/etc/ssl_files/eckey_prime256v1_des3.pub' do
@@ -39,7 +41,7 @@ class Chef
         end
         ```
 
-        Generate new ec public key by passing in a private key
+        **Generate new EC public key by passing in a private key**
 
         ```ruby
         openssl_ec_public_key '/etc/ssl_files/eckey_prime256v1_des3_2.pub' do

data/lib/chef/resource/openssl_rsa_private_key.rb

@@ -23,6 +23,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides(:openssl_rsa_private_key) { true }
       provides(:openssl_rsa_key) { true } # legacy cookbook resource name
 
@@ -63,10 +65,13 @@ class Chef
         description: "The desired passphrase for the key."
 
       property :key_cipher, String,
-        equal_to: OpenSSL::Cipher.ciphers,
-        validation_message: "key_cipher must be a cipher known to openssl. Run `openssl list-cipher-algorithms` to see available options.",
         description: "The designed cipher to use when generating your key. Run `openssl list-cipher-algorithms` to see available options.",
-        default: "des3"
+        default: lazy { "des3" },
+        default_description: "des3",
+        callbacks: {
+          "key_cipher must be a cipher known to openssl. Run `openssl list-cipher-algorithms` to see available options." =>
+            proc { |v| OpenSSL::Cipher.ciphers.include?(v) },
+        }
 
       property :owner, [String, Integer],
         description: "The owner applied to all files created by the resource."

data/lib/chef/resource/openssl_rsa_public_key.rb

@@ -23,6 +23,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides(:openssl_rsa_public_key) { true }
 
       examples <<~DOC

data/lib/chef/resource/openssl_x509_certificate.rb

@@ -24,6 +24,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides :openssl_x509_certificate
       provides(:openssl_x509) { true } # legacy cookbook name.
 
@@ -84,32 +86,32 @@ class Chef
         description: "The permission mode applied to all files created by the resource."
 
       property :country, String,
-        description: "Value for the C certificate field."
+        description: "Value for the `C` certificate field."
 
       property :state, String,
-        description: "Value for the ST certificate field."
+        description: "Value for the `ST` certificate field."
 
       property :city, String,
-        description: "Value for the L certificate field."
+        description: "Value for the `L` certificate field."
 
       property :org, String,
-        description: "Value for the O certificate field."
+        description: "Value for the `O` certificate field."
 
       property :org_unit, String,
-        description: "Value for the OU certificate field."
+        description: "Value for the `OU` certificate field."
 
       property :common_name, String,
-        description: "Value for the CN certificate field."
+        description: "Value for the `CN` certificate field."
 
       property :email, String,
-        description: "Value for the email certificate field."
+        description: "Value for the `email` certificate field."
 
       property :extensions, Hash,
-        description: "Hash of X509 Extensions entries, in format { 'keyUsage' => { 'values' => %w( keyEncipherment digitalSignature), 'critical' => true } }.",
+        description: "Hash of X509 Extensions entries, in format `{ 'keyUsage' => { 'values' => %w( keyEncipherment digitalSignature), 'critical' => true } }`.",
         default: lazy { {} }
 
       property :subject_alt_name, Array,
-        description: "Array of Subject Alternative Name entries, in format DNS:example.com or IP:1.2.3.4.",
+        description: "Array of Subject Alternative Name entries, in format `DNS:example.com` or `IP:1.2.3.4`.",
         default: lazy { [] }
 
       property :key_file, String,
@@ -120,7 +122,7 @@ class Chef
 
       property :key_type, String,
         equal_to: %w{rsa ec},
-        description: "The desired type of the generated key (rsa or ec).",
+        description: "The desired type of the generated key.",
         default: "rsa"
 
       property :key_length, Integer,
@@ -129,18 +131,18 @@ class Chef
         default: 2048
 
       property :key_curve, String,
-        description: "The desired curve of the generated key (if key_type is equal to 'ec'). Run openssl ecparam -list_curves to see available options.",
+        description: "The desired curve of the generated key (if key_type is equal to 'ec'). Run `openssl ecparam -list_curves` to see available options.",
         equal_to: %w{secp384r1 secp521r1 prime256v1},
         default: "prime256v1"
 
       property :csr_file, String,
-        description: "The path to a X509 Certificate Request (CSR) on the filesystem. If the csr_file property is specified, the resource will attempt to source a CSR from this location. If no CSR file is found, the resource will generate a Self-Signed Certificate and the certificate fields must be specified (common_name at last)."
+        description: "The path to a X509 Certificate Request (CSR) on the filesystem. If the `csr_file` property is specified, the resource will attempt to source a CSR from this location. If no CSR file is found, the resource will generate a Self-Signed Certificate and the certificate fields must be specified (common_name at last)."
 
       property :ca_cert_file, String,
-        description: "The path to the CA X509 Certificate on the filesystem. If the ca_cert_file property is specified, the ca_key_file property must also be specified, the certificate will be signed with them."
+        description: "The path to the CA X509 Certificate on the filesystem. If the `ca_cert_file` property is specified, the `ca_key_file` property must also be specified, the certificate will be signed with them."
 
       property :ca_key_file, String,
-        description: "The path to the CA private key on the filesystem. If the ca_key_file property is specified, the 'ca_cert_file' property must also be specified, the certificate will be signed with them."
+        description: "The path to the CA private key on the filesystem. If the `ca_key_file` property is specified, the `ca_cert_file` property must also be specified, the certificate will be signed with them."
 
       property :ca_key_pass, String,
         description: "The passphrase for CA private key's passphrase."
@@ -161,7 +163,7 @@ class Chef
           content cert.to_pem
         end
 
-        if !new_resource.renew_before_expiry.nil? && cert_need_renewall?(new_resource.path, new_resource.renew_before_expiry)
+        if !new_resource.renew_before_expiry.nil? && cert_need_renewal?(new_resource.path, new_resource.renew_before_expiry)
           file new_resource.path do
             action :create
             owner new_resource.owner unless new_resource.owner.nil?
@@ -173,7 +175,7 @@ class Chef
         end
 
         if new_resource.csr_file.nil?
-          file new_resource.key_file do
+          file key_file do
             action :create_if_missing
             owner new_resource.owner unless new_resource.owner.nil?
             group new_resource.group unless new_resource.group.nil?
@@ -185,24 +187,25 @@ class Chef
       end
 
       action_class do
-        def generate_key_file
-          unless new_resource.key_file
-            path, file = ::File.split(new_resource.path)
-            filename = ::File.basename(file, ::File.extname(file))
-            new_resource.key_file path + "/" + filename + ".key"
-          end
-          new_resource.key_file
+        def key_file
+          @key_file ||=
+            if new_resource.key_file
+              new_resource.key_file
+            else
+              path, file = ::File.split(new_resource.path)
+              filename = ::File.basename(file, ::File.extname(file))
+              path + "/" + filename + ".key"
+            end
         end
 
         def key
-          @key ||= if priv_key_file_valid?(generate_key_file, new_resource.key_pass)
-                     OpenSSL::PKey.read ::File.read(generate_key_file), new_resource.key_pass
+          @key ||= if priv_key_file_valid?(key_file, new_resource.key_pass)
+                     OpenSSL::PKey.read ::File.read(key_file), new_resource.key_pass
                    elsif new_resource.key_type == "rsa"
                      gen_rsa_priv_key(new_resource.key_length)
                    else
                      gen_ec_priv_key(new_resource.key_curve)
                    end
-          @key
         end
 
         def request
@@ -214,15 +217,15 @@ class Chef
         end
 
         def subject
-          subject = OpenSSL::X509::Name.new
-          subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
-          subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
-          subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
-          subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
-          subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
-          subject.add_entry("CN", new_resource.common_name)
-          subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
-          subject
+          OpenSSL::X509::Name.new.tap do |csr_subject|
+            csr_subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
+            csr_subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
+            csr_subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
+            csr_subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
+            csr_subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
+            csr_subject.add_entry("CN", new_resource.common_name)
+            csr_subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
+          end
         end
 
         def ca_private_key

data/lib/chef/resource/openssl_x509_crl.rb

@@ -24,20 +24,31 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides :openssl_x509_crl
 
       description "Use the **openssl_x509_crl** resource to generate PEM-formatted x509 certificate revocation list (CRL) files."
       introduced "14.4"
       examples <<~DOC
-        Generate a CRL file given a cert file and key file
+      **Create a certificate revocation file**
 
-        ```ruby
-        openssl_x509_crl '/etc/ssl_files/my_ca2.crl' do
-          ca_cert_file '/etc/ssl_files/my_ca2.crt'
-          ca_key_file '/etc/ssl_files/my_ca2.key'
-          expire 1
-        end
-        ```
+      ```ruby
+      openssl_x509_crl '/etc/ssl_test/my_ca.crl' do
+        ca_cert_file '/etc/ssl_test/my_ca.crt'
+        ca_key_file '/etc/ssl_test/my_ca.key'
+      end
+      ```
+
+      **Create a certificate revocation file for a particular serial**
+
+      ```ruby
+      openssl_x509_crl '/etc/ssl_test/my_ca.crl' do
+        ca_cert_file '/etc/ssl_test/my_ca.crt'
+        ca_key_file '/etc/ssl_test/my_ca.key'
+        serial_to_revoke C7BCB6602A2E4251EF4E2827A228CB52BC0CEA2F
+      end
+      ```
       DOC
 
       property :path, String,
@@ -60,11 +71,11 @@ class Chef
         default: 1
 
       property :ca_cert_file, String,
-        description: "The path to the CA X509 Certificate on the filesystem. If the ca_cert_file property is specified, the ca_key_file property must also be specified, the CRL will be signed with them.",
+        description: "The path to the CA X509 Certificate on the filesystem. If the `ca_cert_file` property is specified, the `ca_key_file` property must also be specified, the CRL will be signed with them.",
         required: true
 
       property :ca_key_file, String,
-        description: "The path to the CA private key on the filesystem. If the ca_key_file property is specified, the ca_cert_file property must also be specified, the CRL will be signed with them.",
+        description: "The path to the CA private key on the filesystem. If the `ca_key_file` property is specified, the `ca_cert_file` property must also be specified, the CRL will be signed with them.",
         required: true
 
       property :ca_key_pass, String,

data/lib/chef/resource/openssl_x509_request.rb

@@ -24,12 +24,14 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides :openssl_x509_request
 
       description "Use the **openssl_x509_request** resource to generate PEM-formatted x509 certificates requests. If no existing key is specified, the resource will automatically generate a passwordless key with the certificate."
       introduced "14.4"
       examples <<~DOC
-        Generate new ec key and csr file
+        **Generate new EC key and CSR file**
 
         ```ruby
         openssl_x509_request '/etc/ssl_files/my_ec_request.csr' do
@@ -40,7 +42,7 @@ class Chef
         end
         ```
 
-        Generate a new csr file from an existing ec key
+        **Generate a new CSR file from an existing EC key**
 
         ```ruby
         openssl_x509_request '/etc/ssl_files/my_ec_request2.csr' do
@@ -52,7 +54,7 @@ class Chef
         end
         ```
 
-        Generate new rsa key and csr file
+        **Generate new RSA key and CSR file**
 
         ```ruby
         openssl_x509_request '/etc/ssl_files/my_rsa_request.csr' do
@@ -78,46 +80,44 @@ class Chef
         description: "The permission mode applied to all files created by the resource."
 
       property :country, String,
-        description: "Value for the C certificate field."
+        description: "Value for the `C` certificate field."
 
       property :state, String,
-        description: "Value for the ST certificate field."
+        description: "Value for the `ST` certificate field."
 
       property :city, String,
-        description: "Value for the L certificate field."
+        description: "Value for the `L` certificate field."
 
       property :org, String,
-        description: "Value for the O certificate field."
+        description: "Value for the `O` certificate field."
 
       property :org_unit, String,
-        description: "Value for the OU certificate field."
+        description: "Value for the `OU` certificate field."
 
       property :common_name, String,
         required: true,
-        description: "Value for the CN certificate field."
+        description: "Value for the `CN` certificate field."
 
       property :email, String,
-        description: "Value for the email certificate field."
+        description: "Value for the `email` certificate field."
 
       property :key_file, String,
-        description: "The path to a certificate key file on the filesystem. If the key_file property is specified, the resource will attempt to source a key from this location. If no key file is found, the resource will generate a new key file at this location. If the key_file property is not specified, the resource will generate a key file in the same directory as the generated certificate, with the same name as the generated certificate."
+        description: "The path to a certificate key file on the filesystem. If the `key_file` property is specified, the resource will attempt to source a key from this location. If no key file is found, the resource will generate a new key file at this location. If the `key_file` property is not specified, the resource will generate a key file in the same directory as the generated certificate, with the same name as the generated certificate."
 
       property :key_pass, String,
         description: "The passphrase for an existing key's passphrase."
 
       property :key_type, String,
         equal_to: %w{rsa ec}, default: "ec",
-        description: "The desired type of the generated key (rsa or ec)."
+        description: "The desired type of the generated key."
 
       property :key_length, Integer,
         equal_to: [1024, 2048, 4096, 8192], default: 2048,
-        description: "The desired bit length of the generated key (if key_type is equal to 'rsa')."
+        description: "The desired bit length of the generated key (if key_type is equal to `rsa`)."
 
       property :key_curve, String,
         equal_to: %w{secp384r1 secp521r1 prime256v1}, default: "prime256v1",
-        description: "The desired curve of the generated key (if key_type is equal to 'ec'). Run openssl ecparam -list_curves to see available options."
-
-      default_action :create
+        description: "The desired curve of the generated key (if key_type is equal to `ec`). Run `openssl ecparam -list_curves` to see available options."
 
       action :create do
         description "Generate a certificate request."
@@ -132,7 +132,7 @@ class Chef
               action :create
             end
 
-            file new_resource.key_file do
+            file key_file do
               owner new_resource.owner unless new_resource.owner.nil?
               group new_resource.group unless new_resource.group.nil?
               mode new_resource.mode unless new_resource.mode.nil?
@@ -145,36 +145,37 @@ class Chef
       end
 
       action_class do
-        def generate_key_file
-          unless new_resource.key_file
-            path, file = ::File.split(new_resource.path)
-            filename = ::File.basename(file, ::File.extname(file))
-            new_resource.key_file path + "/" + filename + ".key"
-          end
-          new_resource.key_file
+        def key_file
+          @key_file ||=
+            if new_resource.key_file
+              new_resource.key_file
+            else
+              path, file = ::File.split(new_resource.path)
+              filename = ::File.basename(file, ::File.extname(file))
+              path + "/" + filename + ".key"
+            end
         end
 
         def key
-          @key ||= if priv_key_file_valid?(generate_key_file, new_resource.key_pass)
-                     OpenSSL::PKey.read ::File.read(generate_key_file), new_resource.key_pass
+          @key ||= if priv_key_file_valid?(key_file, new_resource.key_pass)
+                     OpenSSL::PKey.read ::File.read(key_file), new_resource.key_pass
                    elsif new_resource.key_type == "rsa"
                      gen_rsa_priv_key(new_resource.key_length)
                    else
                      gen_ec_priv_key(new_resource.key_curve)
                    end
-          @key
         end
 
         def subject
-          csr_subject = OpenSSL::X509::Name.new
-          csr_subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
-          csr_subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
-          csr_subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
-          csr_subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
-          csr_subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
-          csr_subject.add_entry("CN", new_resource.common_name)
-          csr_subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
-          csr_subject
+          OpenSSL::X509::Name.new.tap do |csr_subject|
+            csr_subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
+            csr_subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
+            csr_subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
+            csr_subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
+            csr_subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
+            csr_subject.add_entry("CN", new_resource.common_name)
+            csr_subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
+          end
         end
 
         def csr