chef 16.4.35 → 16.6.14

data/lib/chef/resource/macos_userdefaults.rb

@@ -16,8 +16,8 @@
 #
 
 require_relative "../resource"
-require_relative "../dist"
-require "plist"
+require "chef-utils/dist" unless defined?(ChefUtils::Dist)
+autoload :Plist, "plist"
 
 class Chef
   class Resource
@@ -97,7 +97,7 @@ class Chef
         desired_state: false
 
       property :sudo, [TrueClass, FalseClass],
-        description: "Set to true if the setting you wish to modify requires privileged access. This requires passwordless sudo for the '/usr/bin/defaults' command to be setup for the user running #{Chef::Dist::PRODUCT}.",
+        description: "Set to true if the setting you wish to modify requires privileged access. This requires passwordless sudo for the '/usr/bin/defaults' command to be setup for the user running #{ChefUtils::Dist::Infra::PRODUCT}.",
         default: false,
         desired_state: false
 

data/lib/chef/resource/mount.rb

@@ -84,7 +84,7 @@ class Chef
         description: "Windows only: Use to specify the user name."
 
       property :domain, String,
-        description: "Windows only: Use to specify the domain in which the username and password are located."
+        description: "Windows only: Use to specify the domain in which the `username` and `password` are located."
 
       private
 

data/lib/chef/resource/notify_group.rb

@@ -15,7 +15,6 @@
 #
 
 require_relative "../resource"
-require_relative "../dist"
 
 class Chef
   class Resource

data/lib/chef/resource/ohai.rb

@@ -19,7 +19,7 @@
 #
 
 require_relative "../resource"
-require_relative "../dist"
+require "chef-utils/dist" unless defined?(ChefUtils::Dist)
 require "ohai" unless defined?(Ohai::System)
 
 class Chef
@@ -29,10 +29,53 @@ class Chef
 
       provides :ohai
 
-      description "Use the **ohai** resource to reload the Ohai configuration on a node. This allows recipes that change system attributes (like a recipe that adds a user) to refer to those attributes later on during the #{Chef::Dist::CLIENT} run."
+      description "Use the **ohai** resource to reload the Ohai configuration on a node. This allows recipes that change system attributes (like a recipe that adds a user) to refer to those attributes later on during the #{ChefUtils::Dist::Infra::PRODUCT} run."
+
+      examples <<~DOC
+      Reload All Ohai Plugins
+
+      ```ruby
+      ohai 'reload' do
+        action :reload
+      end
+      ```
+
+      Reload A Single Ohai Plugin
+
+      ```ruby
+      ohai 'reload' do
+        plugin 'ipaddress'
+        action :reload
+      end
+      ```
+
+      Reload Ohai after a new user is created
+
+      ```ruby
+      ohai 'reload_passwd' do
+        action :nothing
+        plugin 'etc'
+      end
+
+      user 'daemon_user' do
+        home '/dev/null'
+        shell '/sbin/nologin'
+        system true
+        notifies :reload, 'ohai[reload_passwd]', :immediately
+      end
+
+      ruby_block 'just an example' do
+        block do
+          # These variables will now have the new values
+          puts node['etc']['passwd']['daemon_user']['uid']
+          puts node['etc']['passwd']['daemon_user']['gid']
+        end
+      end
+      ```
+      DOC
 
       property :plugin, String,
-        description: "The name of an Ohai plugin to be reloaded. If this property is not specified, #{Chef::Dist::PRODUCT} will reload all plugins."
+        description: "Specific Ohai attribute data to reload. This property behaves similar to specifying attributes when running Ohai on the command line and takes the attribute that you wish to reload instead of the actual plugin name. For instance, you can pass `ipaddress` to reload `node['ipaddress']` even though that data comes from the `Network` plugin. If this property is not specified, #{ChefUtils::Dist::Infra::PRODUCT} will reload all plugins."
 
       def load_current_resource
         true

data/lib/chef/resource/ohai_hint.rb

@@ -26,6 +26,39 @@ class Chef
 
       description "Use the **ohai_hint** resource to aid in configuration detection by passing hint data to Ohai."
       introduced "14.0"
+      examples <<~DOC
+      **Create a hint file**
+
+      ```ruby
+      ohai_hint 'example' do
+        content a: 'test_content'
+      end
+      ```
+
+      **Create a hint file with a name that does not match the resource name**
+
+      ```ruby
+      ohai_hint 'example' do
+        hint_name 'custom'
+      end
+      ```
+
+      **Create a hint file that is not loaded at compile time**
+
+      ```ruby
+      ohai_hint 'example' do
+        compile_time false
+      end
+      ```
+
+      **Delete a hint file**
+
+      ```ruby
+      ohai_hint 'example' do
+        action :delete
+      end
+      ```
+      DOC
 
       property :hint_name, String,
         description: "An optional property to set the hint name if it differs from the resource block's name.",

data/lib/chef/resource/openssl_dhparam.rb

@@ -27,15 +27,37 @@ class Chef
 
       provides(:openssl_dhparam) { true }
 
-      description "Use the **openssl_dhparam** resource to generate dhparam.pem files. If a valid dhparam.pem file is found at the specified location, no new file will be created. If a file is found at the specified location but it is not a valid dhparam file, it will be overwritten."
+      description "Use the **openssl_dhparam** resource to generate `dhparam.pem` files. If a valid `dhparam.pem` file is found at the specified location, no new file will be created. If a file is found at the specified location but it is not a valid `dhparam.pem` file, it will be overwritten."
       introduced "14.0"
       examples <<~DOC
-        Create a 1024bit dhparam file
+        **Create a dhparam file**
 
         ```ruby
-        openssl_dhparam '/etc/ssl_files/dhparam.pem' do
-          key_length 1024
-          action :create
+        openssl_dhparam '/etc/httpd/ssl/dhparam.pem'
+        ```
+
+        **Create a dhparam file with a specific key length**
+
+        ```ruby
+        openssl_dhparam '/etc/httpd/ssl/dhparam.pem' do
+          key_length 4096
+        end
+        ```
+
+        **Create a dhparam file with specific user/group ownership**
+
+        ```ruby
+        openssl_dhparam '/etc/httpd/ssl/dhparam.pem' do
+          owner 'www-data'
+          group 'www-data'
+        end
+        ```
+
+        **Manually specify the dhparam file path**
+
+        ```ruby
+        openssl_dhparam 'httpd_dhparam' do
+          path '/etc/httpd/ssl/dhparam.pem'
         end
         ```
       DOC

data/lib/chef/resource/openssl_ec_private_key.rb

@@ -66,10 +66,13 @@ class Chef
         description: "The desired passphrase for the key."
 
       property :key_cipher, String,
-        equal_to: OpenSSL::Cipher.ciphers,
-        validation_message: "key_cipher must be a cipher known to openssl. Run `openssl list-cipher-algorithms` to see available options.",
         description: "The designed cipher to use when generating your key. Run `openssl list-cipher-algorithms` to see available options.",
-        default: "des3"
+        default: lazy { "des3" },
+        default_description: "des3",
+        callbacks: {
+          "key_cipher must be a cipher known to openssl. Run `openssl list-cipher-algorithms` to see available options." =>
+            proc { |v| OpenSSL::Cipher.ciphers.include?(v) },
+        }
 
       property :owner, [String, Integer],
         description: "The owner applied to all files created by the resource."

data/lib/chef/resource/openssl_ec_public_key.rb

@@ -31,7 +31,7 @@ class Chef
       description "Use the **openssl_ec_public_key** resource to generate elliptic curve (EC) public key files from a given EC private key."
       introduced "14.4"
       examples <<~DOC
-        Generate new ec public key from a private key on disk
+        **Generate new EC public key from a private key on disk**
 
         ```ruby
         openssl_ec_public_key '/etc/ssl_files/eckey_prime256v1_des3.pub' do
@@ -41,7 +41,7 @@ class Chef
         end
         ```
 
-        Generate new ec public key by passing in a private key
+        **Generate new EC public key by passing in a private key**
 
         ```ruby
         openssl_ec_public_key '/etc/ssl_files/eckey_prime256v1_des3_2.pub' do

data/lib/chef/resource/openssl_rsa_private_key.rb

@@ -65,10 +65,13 @@ class Chef
         description: "The desired passphrase for the key."
 
       property :key_cipher, String,
-        equal_to: OpenSSL::Cipher.ciphers,
-        validation_message: "key_cipher must be a cipher known to openssl. Run `openssl list-cipher-algorithms` to see available options.",
         description: "The designed cipher to use when generating your key. Run `openssl list-cipher-algorithms` to see available options.",
-        default: "des3"
+        default: lazy { "des3" },
+        default_description: "des3",
+        callbacks: {
+          "key_cipher must be a cipher known to openssl. Run `openssl list-cipher-algorithms` to see available options." =>
+            proc { |v| OpenSSL::Cipher.ciphers.include?(v) },
+        }
 
       property :owner, [String, Integer],
         description: "The owner applied to all files created by the resource."

data/lib/chef/resource/openssl_x509_certificate.rb

@@ -86,32 +86,32 @@ class Chef
         description: "The permission mode applied to all files created by the resource."
 
       property :country, String,
-        description: "Value for the C certificate field."
+        description: "Value for the `C` certificate field."
 
       property :state, String,
-        description: "Value for the ST certificate field."
+        description: "Value for the `ST` certificate field."
 
       property :city, String,
-        description: "Value for the L certificate field."
+        description: "Value for the `L` certificate field."
 
       property :org, String,
-        description: "Value for the O certificate field."
+        description: "Value for the `O` certificate field."
 
       property :org_unit, String,
-        description: "Value for the OU certificate field."
+        description: "Value for the `OU` certificate field."
 
       property :common_name, String,
-        description: "Value for the CN certificate field."
+        description: "Value for the `CN` certificate field."
 
       property :email, String,
-        description: "Value for the email certificate field."
+        description: "Value for the `email` certificate field."
 
       property :extensions, Hash,
-        description: "Hash of X509 Extensions entries, in format { 'keyUsage' => { 'values' => %w( keyEncipherment digitalSignature), 'critical' => true } }.",
+        description: "Hash of X509 Extensions entries, in format `{ 'keyUsage' => { 'values' => %w( keyEncipherment digitalSignature), 'critical' => true } }`.",
         default: lazy { {} }
 
       property :subject_alt_name, Array,
-        description: "Array of Subject Alternative Name entries, in format DNS:example.com or IP:1.2.3.4.",
+        description: "Array of Subject Alternative Name entries, in format `DNS:example.com` or `IP:1.2.3.4`.",
         default: lazy { [] }
 
       property :key_file, String,
@@ -122,7 +122,7 @@ class Chef
 
       property :key_type, String,
         equal_to: %w{rsa ec},
-        description: "The desired type of the generated key (rsa or ec).",
+        description: "The desired type of the generated key.",
         default: "rsa"
 
       property :key_length, Integer,
@@ -131,18 +131,18 @@ class Chef
         default: 2048
 
       property :key_curve, String,
-        description: "The desired curve of the generated key (if key_type is equal to 'ec'). Run openssl ecparam -list_curves to see available options.",
+        description: "The desired curve of the generated key (if key_type is equal to 'ec'). Run `openssl ecparam -list_curves` to see available options.",
         equal_to: %w{secp384r1 secp521r1 prime256v1},
         default: "prime256v1"
 
       property :csr_file, String,
-        description: "The path to a X509 Certificate Request (CSR) on the filesystem. If the csr_file property is specified, the resource will attempt to source a CSR from this location. If no CSR file is found, the resource will generate a Self-Signed Certificate and the certificate fields must be specified (common_name at last)."
+        description: "The path to a X509 Certificate Request (CSR) on the filesystem. If the `csr_file` property is specified, the resource will attempt to source a CSR from this location. If no CSR file is found, the resource will generate a Self-Signed Certificate and the certificate fields must be specified (common_name at last)."
 
       property :ca_cert_file, String,
-        description: "The path to the CA X509 Certificate on the filesystem. If the ca_cert_file property is specified, the ca_key_file property must also be specified, the certificate will be signed with them."
+        description: "The path to the CA X509 Certificate on the filesystem. If the `ca_cert_file` property is specified, the `ca_key_file` property must also be specified, the certificate will be signed with them."
 
       property :ca_key_file, String,
-        description: "The path to the CA private key on the filesystem. If the ca_key_file property is specified, the 'ca_cert_file' property must also be specified, the certificate will be signed with them."
+        description: "The path to the CA private key on the filesystem. If the `ca_key_file` property is specified, the `ca_cert_file` property must also be specified, the certificate will be signed with them."
 
       property :ca_key_pass, String,
         description: "The passphrase for CA private key's passphrase."

data/lib/chef/resource/openssl_x509_crl.rb

@@ -31,15 +31,24 @@ class Chef
       description "Use the **openssl_x509_crl** resource to generate PEM-formatted x509 certificate revocation list (CRL) files."
       introduced "14.4"
       examples <<~DOC
-        Generate a CRL file given a cert file and key file
+      **Create a certificate revocation file**
 
-        ```ruby
-        openssl_x509_crl '/etc/ssl_files/my_ca2.crl' do
-          ca_cert_file '/etc/ssl_files/my_ca2.crt'
-          ca_key_file '/etc/ssl_files/my_ca2.key'
-          expire 1
-        end
-        ```
+      ```ruby
+      openssl_x509_crl '/etc/ssl_test/my_ca.crl' do
+        ca_cert_file '/etc/ssl_test/my_ca.crt'
+        ca_key_file '/etc/ssl_test/my_ca.key'
+      end
+      ```
+
+      **Create a certificate revocation file for a particular serial**
+
+      ```ruby
+      openssl_x509_crl '/etc/ssl_test/my_ca.crl' do
+        ca_cert_file '/etc/ssl_test/my_ca.crt'
+        ca_key_file '/etc/ssl_test/my_ca.key'
+        serial_to_revoke C7BCB6602A2E4251EF4E2827A228CB52BC0CEA2F
+      end
+      ```
       DOC
 
       property :path, String,
@@ -62,11 +71,11 @@ class Chef
         default: 1
 
       property :ca_cert_file, String,
-        description: "The path to the CA X509 Certificate on the filesystem. If the ca_cert_file property is specified, the ca_key_file property must also be specified, the CRL will be signed with them.",
+        description: "The path to the CA X509 Certificate on the filesystem. If the `ca_cert_file` property is specified, the `ca_key_file` property must also be specified, the CRL will be signed with them.",
         required: true
 
       property :ca_key_file, String,
-        description: "The path to the CA private key on the filesystem. If the ca_key_file property is specified, the ca_cert_file property must also be specified, the CRL will be signed with them.",
+        description: "The path to the CA private key on the filesystem. If the `ca_key_file` property is specified, the `ca_cert_file` property must also be specified, the CRL will be signed with them.",
         required: true
 
       property :ca_key_pass, String,

data/lib/chef/resource/openssl_x509_request.rb

@@ -31,7 +31,7 @@ class Chef
       description "Use the **openssl_x509_request** resource to generate PEM-formatted x509 certificates requests. If no existing key is specified, the resource will automatically generate a passwordless key with the certificate."
       introduced "14.4"
       examples <<~DOC
-        Generate new ec key and csr file
+        **Generate new EC key and CSR file**
 
         ```ruby
         openssl_x509_request '/etc/ssl_files/my_ec_request.csr' do
@@ -42,7 +42,7 @@ class Chef
         end
         ```
 
-        Generate a new csr file from an existing ec key
+        **Generate a new CSR file from an existing EC key**
 
         ```ruby
         openssl_x509_request '/etc/ssl_files/my_ec_request2.csr' do
@@ -54,7 +54,7 @@ class Chef
         end
         ```
 
-        Generate new rsa key and csr file
+        **Generate new RSA key and CSR file**
 
         ```ruby
         openssl_x509_request '/etc/ssl_files/my_rsa_request.csr' do
@@ -80,46 +80,44 @@ class Chef
         description: "The permission mode applied to all files created by the resource."
 
       property :country, String,
-        description: "Value for the C certificate field."
+        description: "Value for the `C` certificate field."
 
       property :state, String,
-        description: "Value for the ST certificate field."
+        description: "Value for the `ST` certificate field."
 
       property :city, String,
-        description: "Value for the L certificate field."
+        description: "Value for the `L` certificate field."
 
       property :org, String,
-        description: "Value for the O certificate field."
+        description: "Value for the `O` certificate field."
 
       property :org_unit, String,
-        description: "Value for the OU certificate field."
+        description: "Value for the `OU` certificate field."
 
       property :common_name, String,
         required: true,
-        description: "Value for the CN certificate field."
+        description: "Value for the `CN` certificate field."
 
       property :email, String,
-        description: "Value for the email certificate field."
+        description: "Value for the `email` certificate field."
 
       property :key_file, String,
-        description: "The path to a certificate key file on the filesystem. If the key_file property is specified, the resource will attempt to source a key from this location. If no key file is found, the resource will generate a new key file at this location. If the key_file property is not specified, the resource will generate a key file in the same directory as the generated certificate, with the same name as the generated certificate."
+        description: "The path to a certificate key file on the filesystem. If the `key_file` property is specified, the resource will attempt to source a key from this location. If no key file is found, the resource will generate a new key file at this location. If the `key_file` property is not specified, the resource will generate a key file in the same directory as the generated certificate, with the same name as the generated certificate."
 
       property :key_pass, String,
         description: "The passphrase for an existing key's passphrase."
 
       property :key_type, String,
         equal_to: %w{rsa ec}, default: "ec",
-        description: "The desired type of the generated key (rsa or ec)."
+        description: "The desired type of the generated key."
 
       property :key_length, Integer,
         equal_to: [1024, 2048, 4096, 8192], default: 2048,
-        description: "The desired bit length of the generated key (if key_type is equal to 'rsa')."
+        description: "The desired bit length of the generated key (if key_type is equal to `rsa`)."
 
       property :key_curve, String,
         equal_to: %w{secp384r1 secp521r1 prime256v1}, default: "prime256v1",
-        description: "The desired curve of the generated key (if key_type is equal to 'ec'). Run openssl ecparam -list_curves to see available options."
-
-      default_action :create
+        description: "The desired curve of the generated key (if key_type is equal to `ec`). Run `openssl ecparam -list_curves` to see available options."
 
       action :create do
         description "Generate a certificate request."

data/lib/chef/resource/osx_profile.rb

@@ -19,8 +19,8 @@
 require_relative "../resource"
 require_relative "../log"
 require_relative "../resource/file"
-require "uuidtools"
-require "plist"
+autoload :UUIDTools, "uuidtools"
+autoload :Plist, "plist"
 
 class Chef
   class Resource
@@ -30,8 +30,72 @@ class Chef
       provides :osx_profile
       provides :osx_config_profile
 
-      description "Use the **osx_profile** resource to manage configuration profiles (.mobileconfig files) on the macOS platform. The osx_profile resource installs profiles by using the uuidgen library to generate a unique ProfileUUID, and then using the profiles command to install the profile on the system."
+      description "Use the **osx_profile** resource to manage configuration profiles (`.mobileconfig` files) on the macOS platform. The **osx_profile** resource installs profiles by using the uuidgen library to generate a unique `ProfileUUID`, and then using the `profiles` command to install the profile on the system."
       introduced "12.7"
+      examples <<~DOC
+      **Install a profile from a cookbook file**
+
+      ```ruby
+      osx_profile 'com.company.screensaver.mobileconfig'
+      ```
+
+      **Install profile from a hash**
+
+      ```ruby
+      profile_hash = {
+        'PayloadIdentifier' => 'com.company.screensaver',
+        'PayloadRemovalDisallowed' => false,
+        'PayloadScope' => 'System',
+        'PayloadType' => 'Configuration',
+        'PayloadUUID' => '1781fbec-3325-565f-9022-8aa28135c3cc',
+        'PayloadOrganization' => 'Chef',
+        'PayloadVersion' => 1,
+        'PayloadDisplayName' => 'Screensaver Settings',
+        'PayloadContent'=> [
+          {
+            'PayloadType' => 'com.apple.ManagedClient.preferences',
+            'PayloadVersion' => 1,
+            'PayloadIdentifier' => 'com.company.screensaver',
+            'PayloadUUID' => '73fc30e0-1e57-0131-c32d-000c2944c108',
+            'PayloadEnabled' => true,
+            'PayloadDisplayName' => 'com.apple.screensaver',
+            'PayloadContent' => {
+              'com.apple.screensaver' => {
+                'Forced' => [
+                  {
+                    'mcx_preference_settings' => {
+                      'idleTime' => 0,
+                    }
+                  }
+                ]
+              }
+            }
+          }
+        ]
+      }
+
+      osx_profile 'Install screensaver profile' do
+        profile profile_hash
+      end
+      ```
+
+      **Remove profile using identifier in resource name**
+
+      ```ruby
+      osx_profile 'com.company.screensaver' do
+        action :remove
+      end
+      ```
+
+      **Remove profile by identifier and user friendly resource name**
+
+      ```ruby
+      osx_profile 'Remove screensaver profile' do
+        identifier 'com.company.screensaver'
+        action :remove
+      end
+      ```
+      DOC
 
       property :profile_name, String,
         description: "Use to specify the name of the profile, if different from the name of the resource block.",
@@ -41,7 +105,7 @@ class Chef
         description: "Use to specify a profile. This may be the name of a profile contained in a cookbook or a Hash that contains the contents of the profile."
 
       property :identifier, String,
-        description: "Use to specify the identifier for the profile, such as com.company.screensaver."
+        description: "Use to specify the identifier for the profile, such as `com.company.screensaver`."
 
       # this is not a property it is necessary for the tempfile this resource uses to work (FIXME: this is terrible)
       #
@@ -80,10 +144,6 @@ class Chef
         end
 
         def check_resource_semantics!
-          if mac? && node["platform_version"] =~ "> 10.15"
-            raise "The osx_profile resource is not available on macOS Bug Sur or above due to the removal of apple support for CLI installation of profiles"
-          end
-
           if action == :remove
             if new_profile_identifier
               if invalid_profile_name?(new_profile_identifier)
@@ -97,6 +157,11 @@ class Chef
           end
 
           if action == :install
+            # we only do this check for the install action so that profiles can still be removed on macOS 11+
+            if mac? && node["platform_version"] =~ ">= 11.0"
+              raise "The osx_profile resource is not available on macOS Big Sur or above due to Apple's removal of support for CLI profile installation"
+            end
+
             if new_profile_hash.is_a?(Hash) && !new_profile_hash.include?("PayloadIdentifier")
               raise "The specified profile does not seem to be valid"
             end
@@ -243,19 +308,18 @@ class Chef
         #
 
         def get_installed_profiles(update = nil)
+          logger.trace("Saving profile data to node.run_state")
           if update
             node.run_state[:config_profiles] = query_installed_profiles
           else
             node.run_state[:config_profiles] ||= query_installed_profiles
           end
-          logger.trace("Saved profiles to run_state")
         end
 
         def query_installed_profiles
-          Tempfile.open("allprofiles.plist") do |tempfile|
-            shell_out!( "/usr/bin/profiles", "-P", "-o", tempfile.path )
-            ::Plist.parse_xml(tempfile)
-          end
+          logger.trace("Running /usr/bin/profiles -P -o stdout-xml to determine profile state")
+          so = shell_out( "/usr/bin/profiles", "-P", "-o", "stdout-xml" )
+          ::Plist.parse_xml(so.stdout)
         end
 
         def profile_installed?