chef 16.7.61 → 16.8.9

data/spec/unit/compliance/reporter/compliance_enforcer_spec.rb

@@ -0,0 +1,48 @@
+require "spec_helper"
+
+describe Chef::Compliance::Reporter::AuditEnforcer do
+  let(:reporter) { Chef::Compliance::Reporter::AuditEnforcer.new }
+
+  it "does not raise error for a successful InSpec report" do
+    report = {
+      "profiles": [
+        {
+          "controls": [
+            { "id": "c1", "results": [{ "status": "passed" }] },
+            { "id": "c2", "results": [{ "status": "passed" }] },
+          ],
+        },
+      ],
+    }
+
+    expect(reporter.send_report(report)).to eq(true)
+  end
+
+  it "does not raise error for an InSpec report with no controls" do
+    report = { "profiles": [{ "name": "empty" }] }
+
+    expect(reporter.send_report(report)).to eq(true)
+  end
+
+  it "does not raise error for an InSpec report with controls but no results" do
+    report = { "profiles": [{ "controls": [{ "id": "empty" }] }] }
+    expect(reporter.send_report(report)).to eq(true)
+  end
+
+  it "raises an error for a failed InSpec report" do
+    report = {
+      "profiles": [
+        {
+          "controls": [
+            { "id": "c1", "results": [{ "status": "passed" }] },
+            { "id": "c2", "results": [{ "status": "failed" }] },
+          ],
+        },
+      ],
+    }
+
+    expect {
+      reporter.send_report(report)
+    }.to raise_error(Chef::Compliance::Reporter::AuditEnforcer::ControlFailure, "Audit c2 has failed. Aborting chef-client run.")
+  end
+end

data/spec/unit/compliance/runner_spec.rb

@@ -0,0 +1,113 @@
+require "spec_helper"
+
+describe Chef::Compliance::Runner do
+  let(:logger) { double(:logger).as_null_object }
+  let(:node) { Chef::Node.new(logger: logger) }
+
+  let(:runner) do
+    described_class.new.tap do |r|
+      r.node = node
+      r.run_id = "my_run_id"
+      r.recipes = []
+    end
+  end
+
+  describe "#enabled?" do
+    it "is true if the node attributes have audit profiles and the audit cookbook is not present" do
+      node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" }
+      runner.recipes = %w{ fancy_cookbook::fanciness tacobell::nachos }
+
+      expect(runner).to be_enabled
+    end
+
+    it "is false if the node attributes have audit profiles and the audit cookbook is present" do
+      node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" }
+      runner.recipes = %w{ audit::default fancy_cookbook::fanciness tacobell::nachos }
+
+      expect(runner).not_to be_enabled
+    end
+
+    it "is false if the node attributes do not have audit profiles and the audit cookbook is not present" do
+      node.normal["audit"]["profiles"] = {}
+      runner.recipes = %w{ fancy_cookbook::fanciness tacobell::nachos }
+
+      expect(runner).not_to be_enabled
+    end
+
+    it "is false if the node attributes do not have audit profiles and the audit cookbook is present" do
+      node.normal["audit"]["profiles"] = {}
+      runner.recipes = %w{ audit::default fancy_cookbook::fanciness tacobell::nachos }
+
+      expect(runner).not_to be_enabled
+    end
+
+    it "is false if the node attributes do not have audit attributes and the audit cookbook is not present" do
+      runner.recipes = %w{ fancy_cookbook::fanciness tacobell::nachos }
+      expect(runner).not_to be_enabled
+    end
+  end
+
+  describe "#inspec_profiles" do
+    it "returns an empty list with no profiles defined" do
+      expect(runner.inspec_profiles).to eq([])
+    end
+
+    it "converts from the attribute format to the format Inspec expects" do
+      node.normal["audit"]["profiles"]["linux-baseline"] = {
+        'compliance': "user/linux-baseline",
+        'version': "2.1.0",
+      }
+
+      node.normal["audit"]["profiles"]["ssh"] = {
+        'supermarket': "hardening/ssh-hardening",
+      }
+
+      expected = [
+        {
+          compliance: "user/linux-baseline",
+          name: "linux-baseline",
+          version: "2.1.0",
+        },
+        {
+          name: "ssh",
+          supermarket: "hardening/ssh-hardening",
+        },
+      ]
+
+      expect(runner.inspec_profiles).to eq(expected)
+    end
+
+    it "raises an error when the profiles are in the old audit-cookbook format" do
+      node.normal["audit"]["profiles"] = [
+        {
+          name: "Windows 2019 Baseline",
+          compliance: "admin/windows-2019-baseline",
+        },
+      ]
+
+      expect { runner.inspec_profiles }.to raise_error(/profiles specified in an unrecognized format, expected a hash of hashes./)
+    end
+  end
+
+  describe "#warn_for_deprecated_config_values!" do
+    it "logs a warning when deprecated config values are present" do
+      node.normal["audit"]["owner"] = "my_org"
+      node.normal["audit"]["inspec_version"] = "90210"
+
+      expect(logger).to receive(:warn).with(/config values 'inspec_version', 'owner' are not supported/)
+
+      runner.warn_for_deprecated_config_values!
+    end
+
+    it "does not log a warning with no deprecated config values" do
+      node.normal["audit"]["profiles"]["linux-baseline"] = {
+        'compliance': "user/linux-baseline",
+        'version': "2.1.0",
+      }
+
+      expect(logger).not_to receive(:warn)
+
+      runner.warn_for_deprecated_config_values!
+    end
+  end
+end

data/spec/unit/http/ssl_policies_spec.rb

@@ -26,6 +26,7 @@ describe "HTTP SSL Policy" do
     Chef::Config[:ssl_client_key]  = nil
     Chef::Config[:ssl_ca_path]     = nil
     Chef::Config[:ssl_ca_file]     = nil
+    ENV["SSL_CERT_FILE"]           = nil
   end
 
   let(:unconfigured_http_client) { Net::HTTP.new("example.com", 443) }
@@ -71,6 +72,16 @@ describe "HTTP SSL Policy" do
         Chef::Config[:ssl_ca_file] = CHEF_SPEC_DATA + "/ssl/5e707473.0"
         expect(http_client.ca_file).to eq(CHEF_SPEC_DATA + "/ssl/5e707473.0")
       end
+
+      it "should set the custom CA file if SSL_CERT_FILE environment variable is set" do
+        ENV["SSL_CERT_FILE"] = CHEF_SPEC_DATA + "/trusted_certs/intermediate.pem"
+        expect(http_client.ca_file).to eq(CHEF_SPEC_DATA + "/trusted_certs/intermediate.pem")
+      end
+
+      it "raises a ConfigurationError if SSL_CERT_FILE environment variable is set to a file that does not exist" do
+        ENV["SSL_CERT_FILE"] = "/dev/null/nothing_here"
+        expect { http_client }.to raise_error(Chef::Exceptions::ConfigurationError)
+      end
     end
 
     describe "when configured with :ssl_verify_mode set to :verify peer" do

data/spec/unit/knife/core/node_editor_spec.rb

@@ -74,7 +74,7 @@ describe Chef::Knife::NodeEditor do
 
         expect(ui).to have_received(:warn)
           .with "Changing the name of a node results in a new node being " +
-          "created, test_node will not be modified or removed."
+            "created, test_node will not be modified or removed."
 
         expect(ui).to have_received(:confirm)
           .with("Proceed with creation of new node")

data/spec/unit/mixin/powershell_exec_spec.rb

@@ -66,7 +66,7 @@ describe Chef::Mixin::PowershellExec, :windows_only do
       execution = object.powershell_exec("this-should-error")
       expect(execution.errors).to be_a_kind_of(Array)
       expect(execution.errors[0]).to be_a_kind_of(String)
-      expect(execution.errors[0]).to include("Runtime exception: this-should-error")
+      expect(execution.errors[0]).to include("The term 'this-should-error' is not recognized")
     end
 
     it "raises an error if the interpreter is invalid" do

data/spec/unit/platform/query_helpers_spec.rb

@@ -41,24 +41,23 @@ end
 
 describe "Chef::Platform#dsc_refresh_mode_disabled?" do
   let(:node) { instance_double("Chef::Node") }
-  let(:cmdlet) { instance_double("Chef::Util::Powershell::Cmdlet") }
-  let(:cmdlet_result) { instance_double("Chef::Util::Powershell::CmdletResult") }
+  let(:powershell) { instance_double("Chef::PowerShell") }
 
   it "returns true when RefreshMode is Disabled" do
-    expect(Chef::Util::Powershell::Cmdlet).to receive(:new)
-      .with(node, "Get-DscLocalConfigurationManager", :object)
-      .and_return(cmdlet)
-    expect(cmdlet).to receive(:run!).and_return(cmdlet_result)
-    expect(cmdlet_result).to receive(:return_value).and_return({ "RefreshMode" => "Disabled" })
+    expect(Chef::PowerShell).to receive(:new)
+      .with("Get-DscLocalConfigurationManager")
+      .and_return(powershell)
+    expect(powershell).to receive(:error!)
+    expect(powershell).to receive(:result).and_return({ "RefreshMode" => "Disabled" })
     expect(Chef::Platform.dsc_refresh_mode_disabled?(node)).to be true
   end
 
   it "returns false when RefreshMode is not Disabled" do
-    expect(Chef::Util::Powershell::Cmdlet).to receive(:new)
-      .with(node, "Get-DscLocalConfigurationManager", :object)
-      .and_return(cmdlet)
-    expect(cmdlet).to receive(:run!).and_return(cmdlet_result)
-    expect(cmdlet_result).to receive(:return_value).and_return({ "RefreshMode" => "LaLaLa" })
+    expect(Chef::PowerShell).to receive(:new)
+      .with("Get-DscLocalConfigurationManager")
+      .and_return(powershell)
+    expect(powershell).to receive(:error!)
+    expect(powershell).to receive(:result).and_return({ "RefreshMode" => "LaLaLa" })
     expect(Chef::Platform.dsc_refresh_mode_disabled?(node)).to be false
   end
 end

data/spec/unit/provider/dsc_resource_spec.rb

@@ -85,14 +85,13 @@ describe Chef::Provider::DscResource do
       node.automatic[:languages][:powershell][:version] = "5.0.10018.0"
       node
     end
-    let(:resource_result) { double("CmdletResult", return_value: { "InDesiredState" => true }, stream: "description") }
-    let(:invoke_dsc_resource) { double("cmdlet", run!: resource_result) }
+    let(:resource_result) { double("PowerShell", result: { "InDesiredState" => true }, verbose: ["description"]) }
     let(:store) { double("ResourceStore", find: resource_records) }
     let(:resource_records) { [] }
 
     before do
       allow(Chef::Util::DSC::ResourceStore).to receive(:instance).and_return(store)
-      allow(Chef::Util::Powershell::Cmdlet).to receive(:new).and_return(invoke_dsc_resource)
+      allow(provider).to receive(:powershell_exec!).and_return(resource_result)
       allow(provider).to receive(:dsc_refresh_mode_disabled?).and_return(true)
     end
 
@@ -112,9 +111,8 @@ describe Chef::Provider::DscResource do
     it "flags the resource as reboot required when required" do
       expect(provider).to receive(:test_resource).and_return(false)
       expect(provider).to receive(:invoke_resource)
-        .and_return(double(stdout: "", return_value: nil))
+        .and_return(double(result: { "RebootRequired" => true }))
       expect(provider).to receive(:add_dsc_verbose_log)
-      expect(provider).to receive(:return_dsc_resource_result).and_return(true)
       expect(provider).to receive(:create_reboot_resource)
       provider.run_action(:run)
     end
@@ -122,9 +120,8 @@ describe Chef::Provider::DscResource do
     it "does not flag the resource as reboot required when not required" do
       expect(provider).to receive(:test_resource).and_return(false)
       expect(provider).to receive(:invoke_resource)
-        .and_return(double(stdout: "", return_value: nil))
+        .and_return(double(stdout: "", result: {}))
       expect(provider).to receive(:add_dsc_verbose_log)
-      expect(provider).to receive(:return_dsc_resource_result).and_return(false)
       expect(provider).to_not receive(:create_reboot_resource)
       provider.run_action(:run)
     end
@@ -142,9 +139,7 @@ describe Chef::Provider::DscResource do
         let(:resource_records) { [{}] }
 
         it "returns the default dsc resource module" do
-          expect(Chef::Util::Powershell::Cmdlet).to receive(:new) do |node, cmdlet, format|
-            expect(cmdlet).to match(/Module PSDesiredStateConfiguration /)
-          end.and_return(invoke_dsc_resource)
+          expect(provider).to receive(:powershell_exec!).with(/Module PSDesiredStateConfiguration /).and_return(resource_result)
           provider.run_action(:run)
         end
       end
@@ -153,9 +148,7 @@ describe Chef::Provider::DscResource do
         let(:resource_records) { [{ "Module" => { "Name" => "ModuleName" } }] }
 
         it "returns the default dsc resource module" do
-          expect(Chef::Util::Powershell::Cmdlet).to receive(:new) do |node, cmdlet, format|
-            expect(cmdlet).to match(/Module ModuleName /)
-          end.and_return(invoke_dsc_resource)
+          expect(provider).to receive(:powershell_exec!).with(/Module ModuleName /).and_return(resource_result)
           provider.run_action(:run)
         end
       end
@@ -286,8 +279,6 @@ describe Chef::Provider::DscResource do
   end
 
   describe "invoke_resource" do
-    let(:cmdlet) { double(run!: nil) }
-
     before(:each) do
       allow(provider).to receive(:translate_type).and_return("my_properties")
       provider.instance_variable_set(:@new_resource, double(
@@ -301,12 +292,8 @@ describe Chef::Provider::DscResource do
       end
 
       it "invokes Invoke-DscResource command with module name" do
-        expect(Chef::Util::Powershell::Cmdlet).to receive(:new).with(
-          node,
-          "Invoke-DscResource -Method my_method -Name my_resource -Property my_properties -Module my_module -Verbose",
-          "my_output_format"
-        ).and_return(cmdlet)
-        provider.send(:invoke_resource, "my_method", "my_output_format")
+        expect(provider).to receive(:powershell_exec!).with("Invoke-DscResource -Method my_method -Name my_resource -Property my_properties -Module my_module -Verbose").and_return(nil)
+        provider.send(:invoke_resource, "my_method")
       end
     end
 
@@ -318,12 +305,8 @@ describe Chef::Provider::DscResource do
       end
 
       it "invokes Invoke-DscResource command with module info object" do
-        expect(Chef::Util::Powershell::Cmdlet).to receive(:new).with(
-          node,
-          "Invoke-DscResource -Method my_method -Name my_resource -Property my_properties -Module @{ModuleName='my_module';ModuleVersion='my_module_version'} -Verbose",
-          "my_output_format"
-        ).and_return(cmdlet)
-        provider.send(:invoke_resource, "my_method", "my_output_format")
+        expect(provider).to receive(:powershell_exec!).with("Invoke-DscResource -Method my_method -Name my_resource -Property my_properties -Module @{ModuleName='my_module';ModuleVersion='my_module_version'} -Verbose").and_return(nil)
+        provider.send(:invoke_resource, "my_method")
       end
     end
   end

data/spec/unit/provider/dsc_script_spec.rb

@@ -99,7 +99,7 @@ describe Chef::Provider::DscScript do
       it "should noop if neither code or command are provided" do
         allow(provider).to receive(:load_current_resource)
         generator = double("Chef::Util::DSC::ConfigurationGenerator")
-        expect(generator).to receive(:configuration_document_from_script_code).with("", anything, anything, anything)
+        expect(generator).to receive(:configuration_document_from_script_code).with("", anything, anything)
         allow(Chef::Util::DSC::ConfigurationGenerator).to receive(:new).and_return(generator)
         provider.send(:generate_configuration_document, "tmp", nil)
       end

data/spec/unit/provider/mount/windows_spec.rb

@@ -23,6 +23,7 @@ class Chef
     class Windows
       class NetUse
       end
+
       class Volume
       end
     end

data/spec/unit/provider/systemd_unit_spec.rb

@@ -18,7 +18,7 @@
 
 require "spec_helper"
 
-describe Chef::Provider::SystemdUnit do
+describe Chef::Provider::SystemdUnit, :linux_only do
 
   let(:node) { Chef::Node.new }
   let(:events) { Chef::EventDispatch::Dispatcher.new }

data/spec/unit/resource/windows_certificate_spec.rb

@@ -80,4 +80,16 @@ describe Chef::Resource::WindowsCertificate do
     resource.store_name "MY"
     expect { resource.action :create }.not_to raise_error
   end
+
+  it "the exportable property defaults to false" do
+    expect(resource.exportable).to be false
+  end
+
+  it "doesn't raise error if exportable option is passed" do
+    resource.pfx_password "chef$123"
+    resource.source "C:\\certs\\test-cert.pfx"
+    resource.store_name "MY"
+    resource.exportable true
+    expect { resource.action :create }.not_to raise_error
+  end
 end

data/spec/unit/util/dsc/configuration_generator_spec.rb

@@ -25,6 +25,85 @@ describe Chef::Util::DSC::ConfigurationGenerator do
     Chef::Util::DSC::ConfigurationGenerator.new(node, "tmp")
   end
 
+  describe "#validate_switch_name!" do
+    it "should not raise an error if a name contains all upper case letters" do
+      conf_man.send(:validate_switch_name!, "HELLO")
+    end
+
+    it "should not raise an error if the name contains all lower case letters" do
+      conf_man.send(:validate_switch_name!, "hello")
+    end
+
+    it "should not raise an error if no special characters are used except _" do
+      conf_man.send(:validate_switch_name!, "hello_world")
+    end
+
+    %w{! @ # $ % ^ & * & * ( ) - = + \{ \} . ? < > \\ /}.each do |sym|
+      it "raises an ArgumentError if configuration name contains #{sym}" do
+        expect do
+          conf_man.send(:validate_switch_name!, "Hello#{sym}")
+        end.to raise_error(ArgumentError)
+      end
+    end
+  end
+
+  describe "#escape_parameter_value" do
+    # Is this list really complete?
+    %w{` " # '}.each do |c|
+      it "escapes #{c}" do
+        expect(conf_man.send(:escape_parameter_value, "stuff #{c}")).to eql("stuff `#{c}")
+      end
+    end
+
+    it "does not do anything to a string without special characters" do
+      expect(conf_man.send(:escape_parameter_value, "stuff")).to eql("stuff")
+    end
+  end
+
+  describe "#escape_string_parameter_value" do
+    it "surrounds a string with ''" do
+      expect(conf_man.send(:escape_string_parameter_value, "stuff")).to eql("'stuff'")
+    end
+  end
+
+  describe "#command_switches_string" do
+    it "raises an ArgumentError if the key is not a symbol" do
+      expect do
+        conf_man.send(:command_switches_string, { "foo" => "bar" })
+      end.to raise_error(ArgumentError)
+    end
+
+    it "does not allow invalid switch names" do
+      expect do
+        conf_man.send(:command_switches_string, { foo!: "bar" })
+      end.to raise_error(ArgumentError)
+    end
+
+    it "ignores switches with a false value" do
+      expect(conf_man.send(:command_switches_string, { foo: false })).to eql("")
+    end
+
+    it "should correctly handle a value type of string" do
+      expect(conf_man.send(:command_switches_string, { foo: "bar" })).to eql("-foo 'bar'")
+    end
+
+    it "should correctly handle a value type of string even when it is 0 length" do
+      expect(conf_man.send(:command_switches_string, { foo: "" })).to eql("-foo ''")
+    end
+
+    it "should not quote integers" do
+      expect(conf_man.send(:command_switches_string, { foo: 1 })).to eql("-foo 1")
+    end
+
+    it "should not quote floats" do
+      expect(conf_man.send(:command_switches_string, { foo: 1.0 })).to eql("-foo 1.0")
+    end
+
+    it "has just the switch when the value is true" do
+      expect(conf_man.send(:command_switches_string, { foo: true })).to eql("-foo")
+    end
+  end
+
   describe "#validate_configuration_name!" do
     it "should not raise an error if a name contains all upper case letters" do
       conf_man.send(:validate_configuration_name!, "HELLO")