chef 16.3.45 → 16.4.35

data/lib/chef/resource/execute.rb

@@ -161,11 +161,11 @@ class Chef
 
         ```ruby
         execute 'test_rule' do
-          command 'command_to_run
+          command "command_to_run
             --option value
             --option value
             --source \#{node[:name_of_node][:ipsec][:local][:subnet]}
-            -j test_rule'
+            -j test_rule"
 
           action :nothing
         end
@@ -509,7 +509,6 @@ class Chef
       def initialize(name, run_context = nil)
         super
         @command = name
-        @backup = 5
         @default_guard_interpreter = :execute
         @is_guard_interpreter = false
       end

data/lib/chef/resource/homebrew_update.rb

@@ -86,7 +86,7 @@ class Chef
       end
 
       action :periodic do
-        return unless mac_os_x?
+        return unless macos?
 
         unless brew_up_to_date?
           converge_by "update new lists of packages" do
@@ -96,7 +96,7 @@ class Chef
       end
 
       action :update do
-        return unless mac_os_x?
+        return unless macos?
 
         converge_by "force update new lists of packages" do
           do_update

data/lib/chef/resource/openssl_dhparam.rb

@@ -23,6 +23,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides(:openssl_dhparam) { true }
 
       description "Use the **openssl_dhparam** resource to generate dhparam.pem files. If a valid dhparam.pem file is found at the specified location, no new file will be created. If a file is found at the specified location but it is not a valid dhparam file, it will be overwritten."

data/lib/chef/resource/openssl_ec_private_key.rb

@@ -24,6 +24,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides :openssl_ec_private_key
 
       description "Use the **openssl_ec_private_key** resource to generate an elliptic curve (EC) private key file. If a valid EC key file can be opened at the specified location, no new file will be created. If the EC key file cannot be opened, either because it does not exist or because the password to the EC key file does not match the password in the recipe, then it will be overwritten."

data/lib/chef/resource/openssl_ec_public_key.rb

@@ -24,6 +24,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides :openssl_ec_public_key
 
       description "Use the **openssl_ec_public_key** resource to generate elliptic curve (EC) public key files from a given EC private key."

data/lib/chef/resource/openssl_rsa_private_key.rb

@@ -23,6 +23,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides(:openssl_rsa_private_key) { true }
       provides(:openssl_rsa_key) { true } # legacy cookbook resource name
 

data/lib/chef/resource/openssl_rsa_public_key.rb

@@ -23,6 +23,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides(:openssl_rsa_public_key) { true }
 
       examples <<~DOC

data/lib/chef/resource/openssl_x509_certificate.rb

@@ -24,6 +24,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides :openssl_x509_certificate
       provides(:openssl_x509) { true } # legacy cookbook name.
 
@@ -161,7 +163,7 @@ class Chef
           content cert.to_pem
         end
 
-        if !new_resource.renew_before_expiry.nil? && cert_need_renewall?(new_resource.path, new_resource.renew_before_expiry)
+        if !new_resource.renew_before_expiry.nil? && cert_need_renewal?(new_resource.path, new_resource.renew_before_expiry)
           file new_resource.path do
             action :create
             owner new_resource.owner unless new_resource.owner.nil?
@@ -173,7 +175,7 @@ class Chef
         end
 
         if new_resource.csr_file.nil?
-          file new_resource.key_file do
+          file key_file do
             action :create_if_missing
             owner new_resource.owner unless new_resource.owner.nil?
             group new_resource.group unless new_resource.group.nil?
@@ -185,24 +187,25 @@ class Chef
       end
 
       action_class do
-        def generate_key_file
-          unless new_resource.key_file
-            path, file = ::File.split(new_resource.path)
-            filename = ::File.basename(file, ::File.extname(file))
-            new_resource.key_file path + "/" + filename + ".key"
-          end
-          new_resource.key_file
+        def key_file
+          @key_file ||=
+            if new_resource.key_file
+              new_resource.key_file
+            else
+              path, file = ::File.split(new_resource.path)
+              filename = ::File.basename(file, ::File.extname(file))
+              path + "/" + filename + ".key"
+            end
         end
 
         def key
-          @key ||= if priv_key_file_valid?(generate_key_file, new_resource.key_pass)
-                     OpenSSL::PKey.read ::File.read(generate_key_file), new_resource.key_pass
+          @key ||= if priv_key_file_valid?(key_file, new_resource.key_pass)
+                     OpenSSL::PKey.read ::File.read(key_file), new_resource.key_pass
                    elsif new_resource.key_type == "rsa"
                      gen_rsa_priv_key(new_resource.key_length)
                    else
                      gen_ec_priv_key(new_resource.key_curve)
                    end
-          @key
         end
 
         def request
@@ -214,15 +217,15 @@ class Chef
         end
 
         def subject
-          subject = OpenSSL::X509::Name.new
-          subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
-          subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
-          subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
-          subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
-          subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
-          subject.add_entry("CN", new_resource.common_name)
-          subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
-          subject
+          OpenSSL::X509::Name.new.tap do |csr_subject|
+            csr_subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
+            csr_subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
+            csr_subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
+            csr_subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
+            csr_subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
+            csr_subject.add_entry("CN", new_resource.common_name)
+            csr_subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
+          end
         end
 
         def ca_private_key

data/lib/chef/resource/openssl_x509_crl.rb

@@ -24,6 +24,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides :openssl_x509_crl
 
       description "Use the **openssl_x509_crl** resource to generate PEM-formatted x509 certificate revocation list (CRL) files."

data/lib/chef/resource/openssl_x509_request.rb

@@ -24,6 +24,8 @@ class Chef
       require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
+      unified_mode true
+
       provides :openssl_x509_request
 
       description "Use the **openssl_x509_request** resource to generate PEM-formatted x509 certificates requests. If no existing key is specified, the resource will automatically generate a passwordless key with the certificate."
@@ -132,7 +134,7 @@ class Chef
               action :create
             end
 
-            file new_resource.key_file do
+            file key_file do
               owner new_resource.owner unless new_resource.owner.nil?
               group new_resource.group unless new_resource.group.nil?
               mode new_resource.mode unless new_resource.mode.nil?
@@ -145,36 +147,37 @@ class Chef
       end
 
       action_class do
-        def generate_key_file
-          unless new_resource.key_file
-            path, file = ::File.split(new_resource.path)
-            filename = ::File.basename(file, ::File.extname(file))
-            new_resource.key_file path + "/" + filename + ".key"
-          end
-          new_resource.key_file
+        def key_file
+          @key_file ||=
+            if new_resource.key_file
+              new_resource.key_file
+            else
+              path, file = ::File.split(new_resource.path)
+              filename = ::File.basename(file, ::File.extname(file))
+              path + "/" + filename + ".key"
+            end
         end
 
         def key
-          @key ||= if priv_key_file_valid?(generate_key_file, new_resource.key_pass)
-                     OpenSSL::PKey.read ::File.read(generate_key_file), new_resource.key_pass
+          @key ||= if priv_key_file_valid?(key_file, new_resource.key_pass)
+                     OpenSSL::PKey.read ::File.read(key_file), new_resource.key_pass
                    elsif new_resource.key_type == "rsa"
                      gen_rsa_priv_key(new_resource.key_length)
                    else
                      gen_ec_priv_key(new_resource.key_curve)
                    end
-          @key
         end
 
         def subject
-          csr_subject = OpenSSL::X509::Name.new
-          csr_subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
-          csr_subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
-          csr_subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
-          csr_subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
-          csr_subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
-          csr_subject.add_entry("CN", new_resource.common_name)
-          csr_subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
-          csr_subject
+          OpenSSL::X509::Name.new.tap do |csr_subject|
+            csr_subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
+            csr_subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
+            csr_subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
+            csr_subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
+            csr_subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
+            csr_subject.add_entry("CN", new_resource.common_name)
+            csr_subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
+          end
         end
 
         def csr

data/lib/chef/resource/osx_profile.rb

@@ -17,6 +17,10 @@
 #
 
 require_relative "../resource"
+require_relative "../log"
+require_relative "../resource/file"
+require "uuidtools"
+require "plist"
 
 class Chef
   class Resource
@@ -29,9 +33,6 @@ class Chef
       description "Use the **osx_profile** resource to manage configuration profiles (.mobileconfig files) on the macOS platform. The osx_profile resource installs profiles by using the uuidgen library to generate a unique ProfileUUID, and then using the profiles command to install the profile on the system."
       introduced "12.7"
 
-      default_action :install
-      allowed_actions :install, :remove
-
       property :profile_name, String,
         description: "Use to specify the name of the profile, if different from the name of the resource block.",
         name_property: true
@@ -42,8 +43,229 @@ class Chef
       property :identifier, String,
         description: "Use to specify the identifier for the profile, such as com.company.screensaver."
 
-      property :path, String,
-        description: "The path to write the profile to disk before loading it."
+      # this is not a property it is necessary for the tempfile this resource uses to work (FIXME: this is terrible)
+      #
+      # @api private
+      #
+      def path(path = nil)
+        @path ||= path
+        @path
+      end
+
+      action_class do
+        def load_current_resource
+          @current_resource = Chef::Resource::OsxProfile.new(new_resource.name)
+          current_resource.profile_name(new_resource.profile_name)
+
+          if new_profile_hash
+            new_profile_hash["PayloadUUID"] = config_uuid(new_profile_hash)
+          end
+
+          current_resource.profile(current_profile)
+        end
+
+        def current_profile
+          all_profiles = get_installed_profiles
+
+          if all_profiles && all_profiles.key?("_computerlevel")
+            return all_profiles["_computerlevel"].find do |item|
+              item["ProfileIdentifier"] == new_profile_identifier
+            end
+          end
+          nil
+        end
+
+        def invalid_profile_name?(name_or_identifier)
+          name_or_identifier.end_with?(".mobileconfig") || !/^\w+(?:(\.| )\w+)+$/.match(name_or_identifier)
+        end
+
+        def check_resource_semantics!
+          if mac? && node["platform_version"] =~ "> 10.15"
+            raise "The osx_profile resource is not available on macOS Bug Sur or above due to the removal of apple support for CLI installation of profiles"
+          end
+
+          if action == :remove
+            if new_profile_identifier
+              if invalid_profile_name?(new_profile_identifier)
+                raise "when removing using the identifier property, it must match the profile identifier"
+              end
+            else
+              if invalid_profile_name?(new_resource.profile_name)
+                raise "When removing by resource name, it must match the profile identifier"
+              end
+            end
+          end
+
+          if action == :install
+            if new_profile_hash.is_a?(Hash) && !new_profile_hash.include?("PayloadIdentifier")
+              raise "The specified profile does not seem to be valid"
+            end
+            if new_profile_hash.is_a?(String) && !new_profile_hash.end_with?(".mobileconfig")
+              raise "#{new_profile_hash}' is not a valid profile"
+            end
+          end
+        end
+      end
+
+      action :install do
+        unless profile_installed?
+          converge_by("install profile #{new_profile_identifier}") do
+            profile_path = write_profile_to_disk
+            install_profile(profile_path)
+            get_installed_profiles(true)
+          end
+        end
+      end
+
+      action :remove do
+        # Clean up profile after removing it
+        if profile_installed?
+          converge_by("remove profile #{new_profile_identifier}") do
+            remove_profile
+            get_installed_profiles(true)
+          end
+        end
+      end
+
+      action_class do
+        private
+
+        def profile
+          @profile ||= new_resource.profile || new_resource.profile_name
+        end
+
+        def new_profile_hash
+          @new_profile_hash ||= get_profile_hash(profile)
+        end
+
+        def new_profile_identifier
+          @new_profile_identifier ||= if new_profile_hash
+                                        new_profile_hash["PayloadIdentifier"]
+                                      else
+                                        new_resource.identifier || new_resource.profile_name
+                                      end
+        end
+
+        def load_profile_hash(new_profile)
+          # file must exist in cookbook
+          return nil unless new_profile.end_with?(".mobileconfig")
+
+          unless cookbook_file_available?(new_profile)
+            raise Chef::Exceptions::FileNotFound, "#{self}: '#{new_profile}' not found in cookbook"
+          end
+
+          cookbook_profile = cache_cookbook_profile(new_profile)
+          ::Plist.parse_xml(cookbook_profile)
+        end
+
+        def cookbook_file_available?(cookbook_file)
+          run_context.has_cookbook_file_in_cookbook?(
+            new_resource.cookbook_name, cookbook_file
+          )
+        end
+
+        def get_cache_dir
+          Chef::FileCache.create_cache_path(
+            "profiles/#{new_resource.cookbook_name}"
+          )
+        end
+
+        def cache_cookbook_profile(cookbook_file)
+          Chef::FileCache.create_cache_path(
+            ::File.join(
+              "profiles",
+              new_resource.cookbook_name,
+              ::File.dirname(cookbook_file)
+            )
+          )
+
+          path = ::File.join( get_cache_dir, "#{cookbook_file}.remote")
+
+          cookbook_file path do
+            cookbook_name = new_resource.cookbook_name
+            source(cookbook_file)
+            backup(false)
+            run_action(:create)
+          end
+
+          path
+        end
+
+        def get_profile_hash(new_profile)
+          if new_profile.is_a?(Hash)
+            new_profile
+          elsif new_profile.is_a?(String)
+            load_profile_hash(new_profile)
+          end
+        end
+
+        def config_uuid(profile)
+          # Make a UUID of the profile contents and return as string
+          UUIDTools::UUID.sha1_create(
+            UUIDTools::UUID_DNS_NAMESPACE,
+            profile.to_s
+          ).to_s
+        end
+
+        def write_profile_to_disk
+          # FIXME: this is kind of terrible, the resource needs a tempfile to use and
+          # wants it created similarly to the file providers (with all the magic necessary
+          # for determining if it should go in the cwd or into a tmpdir), but it abuses
+          # the Chef::FileContentManagement::Tempfile API to do that, which requires setting
+          # a `path` method on the resource because of tight-coupling to the file provider
+          # pattern.  We don't just want to use a file here because the point is to get
+          # at the tempfile pattern from the file provider, but to feed that into a shell
+          # command rather than deploying the file to somewhere on disk.  There's some
+          # better API that needs extracting here.
+          new_resource.path(Chef::FileCache.create_cache_path("profiles"))
+          tempfile = Chef::FileContentManagement::Tempfile.new(new_resource).tempfile
+          tempfile.write(new_profile_hash.to_plist)
+          tempfile.close
+          tempfile.path
+        end
+
+        def install_profile(profile_path)
+          cmd = [ "/usr/bin/profiles", "-I", "-F", profile_path ]
+          logger.trace("cmd: #{cmd.join(" ")}")
+          shell_out!(*cmd)
+        end
+
+        def remove_profile
+          cmd = [ "/usr/bin/profiles", "-R", "-p", new_profile_identifier ]
+          logger.trace("cmd: #{cmd.join(" ")}")
+          shell_out!(*cmd)
+        end
+
+        #
+        # FIXME FIXME FIXME
+        # The node object should not be used for caching state like this and this is not a public API and may break.
+        # FIXME FIXME FIXME
+        #
+
+        def get_installed_profiles(update = nil)
+          if update
+            node.run_state[:config_profiles] = query_installed_profiles
+          else
+            node.run_state[:config_profiles] ||= query_installed_profiles
+          end
+          logger.trace("Saved profiles to run_state")
+        end
+
+        def query_installed_profiles
+          Tempfile.open("allprofiles.plist") do |tempfile|
+            shell_out!( "/usr/bin/profiles", "-P", "-o", tempfile.path )
+            ::Plist.parse_xml(tempfile)
+          end
+        end
+
+        def profile_installed?
+          # Profile Identifier and UUID must match a currently installed profile
+          return false if current_resource.profile.nil? || current_resource.profile.empty?
+          return true if action == :remove
+
+          current_resource.profile["ProfileUUID"] == new_profile_hash["PayloadUUID"]
+        end
+      end
     end
   end
 end