chef 16.9.20-universal-mingw32 → 16.11.7-universal-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1e49964142ed39fe2e90e47037534dc91d8275d187ad5060cda25adb12db2d36
-  data.tar.gz: fb7706304ec584e1d18eba6737cb32103d67c3fe3ef134c5db2b0cef85f81a37
+  metadata.gz: 1ff4cbdb2ed3ab0adba5e92095f8ba416211c2a8fccab691ad89655487dc6f71
+  data.tar.gz: a605de0ed32367778265e601fc8737819910b264a90675040f20e10733c4e1d6
 SHA512:
-  metadata.gz: 50b3f89e0fa321467fa078dd3b7c51fa7fe764473d70d2dd3e92ff85f33e6bad72c84ad47139492a8f986f7c15e128256431768ec9426dab299f822147d054bd
-  data.tar.gz: c3dbc6b9d27d0abaa1164d97108e741b41c87e60fa96cebeb97f2c5d97915c42608ed3db4dc2dc63af6c339197143d0e3c30113cdcf4c705910cc46aa82b2d72
+  metadata.gz: 281d36ebbd20f5d6cc2c7bfbf0e4c93217c7fd4830222a1e494f2b8eba3c8e70897fca8c55bec8912f490b6ee93363a8f0b8769a0f83ead58857be8a1e4ff9ed
+  data.tar.gz: ba9da1ff38d23204d7de940462987f9ed5899bcfbae0e4c5c56fe5ff95124d39420cf555d556d6440c19140941e896a49d424f98115c3225ad89c90f27277108

data/Gemfile

@@ -1,5 +1,8 @@
 source "https://rubygems.org"
 
+# 1.15+ is required for M1 mac builds
+gem "ffi", ">=1.15"
+
 # Note we do not use the gemspec DSL which restricts to the
 # gemspec for the current platform and filters out other platforms
 # during a bundle lock operation. We actually want dependencies from

data/chef-universal-mingw32.gemspec

@@ -14,7 +14,7 @@ gemspec.add_dependency "win32-service", ">= 2.1.5", "< 3.0"
 gemspec.add_dependency "wmi-lite", "~> 1.0"
 gemspec.add_dependency "win32-taskscheduler", "~> 2.0"
 gemspec.add_dependency "iso8601", ">= 0.12.1", "< 0.14" # validate 0.14 when it comes out
-gemspec.add_dependency "win32-certstore", "~> 0.3"
+gemspec.add_dependency "win32-certstore", "~> 0.5.0" # 0.5+ required for specifying user vs. system store
 gemspec.extensions << "ext/win32-eventlog/Rakefile"
 gemspec.files += Dir.glob("{distro,ext}/**/*")
 

data/chef.gemspec

@@ -1,4 +1,13 @@
 $:.unshift(File.dirname(__FILE__) + "/lib")
+vs_path = File.expand_path("chef-utils/lib/chef-utils/version_string.rb", __dir__)
+
+if File.exist?(vs_path)
+  # this is the moral equivalent of a require_relative since bundler makes require_relative here fail hard
+  eval(IO.read(vs_path))
+else
+  # if the path doesn't exist then we're just in the wild gem and not in the git repo
+  require "chef-utils/version_string"
+end
 require "chef/version"
 
 Gem::Specification.new do |s|
@@ -35,7 +44,7 @@ Gem::Specification.new do |s|
   s.add_dependency "net-ssh-multi", "~> 1.2", ">= 1.2.1"
   s.add_dependency "net-sftp", ">= 2.1.2", "< 4.0"
   s.add_dependency "ed25519", "~> 1.2" # ed25519 ssh key support
-  s.add_dependency "bcrypt_pbkdf", "= 1.1.0.rc2" # ed25519 ssh key support
+  s.add_dependency "bcrypt_pbkdf", "~> 1.1" # ed25519 ssh key support
   s.add_dependency "highline", ">= 1.6.9", "< 3"
   s.add_dependency "tty-prompt", "~> 0.21" # knife ui.ask prompt
   s.add_dependency "tty-screen", "~> 0.6" # knife list
@@ -51,7 +60,7 @@ Gem::Specification.new do |s|
   s.add_dependency "iniparse", "~> 1.4"
   s.add_dependency "addressable"
   s.add_dependency "syslog-logger", "~> 1.6"
-  s.add_dependency "uuidtools", "~> 2.1.5"
+  s.add_dependency "uuidtools", ">= 2.1.5", "< 3.0"
 
   s.add_dependency "proxifier", "~> 1.0"
 

data/lib/chef/compliance/default_attributes.rb

@@ -1,5 +1,5 @@
 # Author:: Stephan Renatus <srenatus@chef.io>
-# Copyright:: (c) 2016-2019, Chef Software Inc. <legal@chef.io>
+# Copyright:: Copyright (c) Chef Software Inc. <legal@chef.io>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -87,7 +87,11 @@ class Chef
 
       # If enabled, a hash representation of the Chef Infra node object will be sent to Chef InSpec in an input
       # named `chef_node`.
-      "chef_node_attribute_enabled" => false
+      "chef_node_attribute_enabled" => false,
+
+      # Should the built-in compliance phase run. True and false force the behavior. Nil does magic based on if you have
+      # profiles defined but do not have the audit cookbook enabled.
+      "compliance_phase" => false
     )
   end
 end

data/lib/chef/compliance/fetcher/automate.rb

@@ -32,12 +32,12 @@ class Chef
             profile_fetch_url = target[:url]
           else
             # verifies that the target e.g base/ssh exists
-            base_path = "/compliance/profiles/#{uri.host}#{uri.path}"
-
+            profile = sanitize_profile_name(uri)
+            owner, id = profile.split("/")
             profile_path = if target.respond_to?(:key?) && target.key?(:version)
-                             "#{base_path}/version/#{target[:version]}/tar"
+                             "/compliance/profiles/#{owner}/#{id}/version/#{target[:version]}/tar"
                            else
-                             "#{base_path}/tar"
+                             "/compliance/profiles/#{owner}/#{id}/tar"
                            end
 
             url = URI(Chef::Config[:data_collector][:server_url])
@@ -60,6 +60,17 @@ class Chef
           nil
         end
 
+        # returns a parsed url for `admin/profile` or `compliance://admin/profile`
+        # TODO: remove in future, copied from inspec to support older versions of inspec
+        def self.sanitize_profile_name(profile)
+          uri = if URI(profile).scheme == "compliance"
+                  URI(profile)
+                else
+                  URI("compliance://#{profile}")
+                end
+          uri.to_s.sub(%r{^compliance:\/\/}, "")
+        end
+
         def to_s
           "#{ChefUtils::Dist::Automate::PRODUCT} for #{ChefUtils::Dist::Solo::PRODUCT} Fetcher"
         end

data/lib/chef/compliance/runner.rb

@@ -16,12 +16,19 @@ class Chef
       def_delegators :node, :logger
 
       def enabled?
-        audit_cookbook_present = node["recipes"].include?("audit::default")
+        # Did we parse the libraries file from the audit cookbook?  This class dates back to when Chef Automate was
+        # renamed from Chef Visibility in 2017, so should capture all modern versions of the audit cookbook.
+        audit_cookbook_present = defined?(::Reporter::ChefAutomate)
 
-        logger.info("#{self.class}##{__method__}: #{Inspec::Dist::PRODUCT_NAME} profiles? #{inspec_profiles.any?}")
-        logger.info("#{self.class}##{__method__}: audit cookbook? #{audit_cookbook_present}")
+        logger.debug("#{self.class}##{__method__}: #{Inspec::Dist::PRODUCT_NAME} profiles? #{inspec_profiles.any?}")
+        logger.debug("#{self.class}##{__method__}: audit cookbook? #{audit_cookbook_present}")
+        logger.debug("#{self.class}##{__method__}: compliance phase attr? #{node["audit"]["compliance_phase"]}")
 
-        inspec_profiles.any? && !audit_cookbook_present
+        if node["audit"]["compliance_phase"].nil?
+          inspec_profiles.any? && !audit_cookbook_present
+        else
+          node["audit"]["compliance_phase"]
+        end
       end
 
       def node=(node)

data/lib/chef/dsl/reboot_pending.rb

@@ -47,7 +47,7 @@ class Chef
             registry_key_exists?('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
         elsif platform?("ubuntu")
           # This should work for Debian as well if update-notifier-common happens to be installed. We need an API for that.
-          File.exists?("/var/run/reboot-required")
+          File.exist?("/var/run/reboot-required")
         else
           false
         end

data/lib/chef/file_access_control/windows.rb

@@ -33,7 +33,7 @@ class Chef
       module ClassMethods
         # We want to mix these in as class methods
         def writable?(path)
-          ::File.exists?(path) && Chef::ReservedNames::Win32::File.file_access_check(
+          ::File.exist?(path) && Chef::ReservedNames::Win32::File.file_access_check(
             path, Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_WRITE
           )
         end
@@ -136,7 +136,7 @@ class Chef
       end
 
       def should_update_dacl?
-        return true unless ::File.exists?(file) || ::File.symlink?(file)
+        return true unless ::File.exist?(file) || ::File.symlink?(file)
 
         dacl = target_dacl
         existing_dacl = existing_descriptor.dacl
@@ -170,7 +170,7 @@ class Chef
       end
 
       def should_update_group?
-        return true unless ::File.exists?(file) || ::File.symlink?(file)
+        return true unless ::File.exist?(file) || ::File.symlink?(file)
 
         (group = target_group) && (group != existing_descriptor.group)
       end
@@ -190,7 +190,7 @@ class Chef
       end
 
       def should_update_owner?
-        return true unless ::File.exists?(file) || ::File.symlink?(file)
+        return true unless ::File.exist?(file) || ::File.symlink?(file)
 
         (owner = target_owner) && (owner != existing_descriptor.owner)
       end

data/lib/chef/file_cache.rb

@@ -79,7 +79,7 @@ class Chef
 
         file_path_array = File.split(path)
         file_name = file_path_array.pop
-        if File.exists?(file) && File.writable?(file)
+        if File.exist?(file) && File.writable?(file)
           FileUtils.mv(
             file,
             File.join(create_cache_path(File.join(file_path_array), true), file_name)
@@ -112,7 +112,7 @@ class Chef
           }
         )
         cache_path = create_cache_path(path, false)
-        raise Chef::Exceptions::FileNotFound, "Cannot find #{cache_path} for #{path}!" unless File.exists?(cache_path)
+        raise Chef::Exceptions::FileNotFound, "Cannot find #{cache_path} for #{path}!" unless File.exist?(cache_path)
 
         if read
           File.read(cache_path)
@@ -139,7 +139,7 @@ class Chef
           }
         )
         cache_path = create_cache_path(path, false)
-        if File.exists?(cache_path)
+        if File.exist?(cache_path)
           File.unlink(cache_path)
         end
         true
@@ -186,7 +186,7 @@ class Chef
           }
         )
         full_path = create_cache_path(path, false)
-        if File.exists?(full_path)
+        if File.exist?(full_path)
           true
         else
           false

data/lib/chef/formatters/error_inspectors/resource_failure_inspector.rb

@@ -66,7 +66,7 @@ class Chef
 
           @snippet ||= begin
             if (file = parse_source) && (line = parse_line(file))
-              return nil unless ::File.exists?(file)
+              return nil unless ::File.exist?(file)
 
               lines = IO.readlines(file)
 

data/lib/chef/handler/json_file.rb

@@ -51,7 +51,7 @@ class Chef
       end
 
       def build_report_dir
-        unless File.exists?(config[:path])
+        unless File.exist?(config[:path])
           FileUtils.mkdir_p(config[:path])
           File.chmod(00700, config[:path])
         end

data/lib/chef/knife/bootstrap.rb

@@ -217,6 +217,16 @@ class Chef
         description: "Execute the bootstrap via sudo with password.",
         boolean: false
 
+      # runtime - su user
+      option :su_user,
+        long: "--su-user NAME",
+        description: "The su - USER name to perform bootstrap command using a non-root user."
+
+      # runtime - su user password
+      option :su_password,
+        long: "--su-password PASSWORD",
+        description: "The su USER password for authentication."
+
       # runtime - client_builder
       option :chef_node_name,
         short: "-N NAME",
@@ -591,13 +601,31 @@ class Chef
       def perform_bootstrap(remote_bootstrap_script_path)
         ui.info("Bootstrapping #{ui.color(server_name, :bold)}")
         cmd = bootstrap_command(remote_bootstrap_script_path)
-        r = connection.run_command(cmd) do |data|
+        bootstrap_run_command(cmd)
+      end
+
+      # Actual bootstrap command to be run on the node.
+      # Handles recursive calls if su USER failed to authenticate.
+      def bootstrap_run_command(cmd)
+        r = connection.run_command(cmd) do |data, channel|
           ui.msg("#{ui.color(" [#{connection.hostname}]", :cyan)} #{data}")
+          channel.send_data("#{config[:su_password] || config[:connection_password]}\n") if data.match?("Password:")
         end
+
         if r.exit_status != 0
           ui.error("The following error occurred on #{server_name}:")
-          ui.error(r.stderr)
-          exit 1
+          ui.error("#{r.stdout} #{r.stderr}".strip)
+          exit(r.exit_status)
+        end
+      rescue Train::UserError => e
+        limit ||= 0
+        if e.reason == :bad_su_user_password && limit < 3
+          limit += 1
+          ui.warn("Failed to authenticate su - #{config[:su_user]} to #{server_name}")
+          config[:su_password] = ui.ask("Enter password for su - #{config[:su_user]}@#{server_name}:", echo: false)
+          retry
+        else
+          raise
         end
       end
 
@@ -1082,7 +1110,17 @@ class Chef
         if connection.windows?
           "cmd.exe /C #{remote_path}"
         else
-          "sh #{remote_path}"
+          cmd = "sh #{remote_path}"
+
+          if config[:su_user]
+            # su - USER is subject to required an interactive console
+            # Otherwise, it will raise: su: must be run from a terminal
+            set_transport_options(pty: true)
+            cmd = "su - #{config[:su_user]} -c '#{cmd}'"
+            cmd = "sudo " << cmd if config[:use_sudo]
+          end
+
+          cmd
         end
       end
 
@@ -1137,6 +1175,18 @@ class Chef
 
         timeout.to_i
       end
+
+      # Train::Transports::SSH::Connection#transport_options
+      # Append the options to connection transport_options
+      #
+      # @param opts [Hash] the opts to be added to connection transport_options.
+      # @return [Hash] transport_options if the opts contains any option to be set.
+      #
+      def set_transport_options(opts)
+        return unless opts.is_a?(Hash) || !opts.empty?
+
+        connection&.connection&.transport_options&.merge! opts
+      end
     end
   end
 end

data/lib/chef/provider/mount/mount.rb

@@ -203,7 +203,7 @@ class Chef
             end
           end
           # Removed "/" from the end of str, because it was causing idempotency issue.
-          @real_device == "/" ? @real_device : @real_device.chomp("/")
+          (@real_device == "/" || @real_device.match?(":/$")) ? @real_device : @real_device.chomp("/")
         end
 
         def device_logstring

data/lib/chef/provider/package.rb

@@ -446,8 +446,8 @@ class Chef
                   # requested new_resource.version constraints
                   logger.trace("#{new_resource} has no existing installed version. Installing install #{candidate_version}")
                   target_version_array.push(candidate_version)
-                elsif version_equals?(current_version, new_version)
-                  # this is a short-circuit to avoid needing to (expensively) query the candidate_version which must come later
+                elsif !use_magic_version? && version_equals?(current_version, new_version)
+                  # this is a short-circuit (mostly for the rubygems provider) to avoid needing to expensively query the candidate_version which must come later
                   logger.trace("#{new_resource} #{package_name} #{new_version} is already installed")
                   target_version_array.push(nil)
                 elsif candidate_version.nil?

data/lib/chef/provider/package/dnf/dnf_helper.py

@@ -64,7 +64,7 @@ def version_tuple(versionstr):
         tmp = versionstr[colon_index + 1:dash_index]
         if tmp != '':
             v = tmp
-        arch_index = versionstr.find('.', dash_index)
+        arch_index = versionstr.rfind('.', dash_index)
         if arch_index > 0:
             r = versionstr[dash_index + 1:arch_index]
         else:
@@ -168,6 +168,10 @@ try:
         setup_exit_handler()
         line = inpipe.readline()
 
+        # only way to detect EOF in python
+        if line == "":
+            break
+
         try:
             command = json.loads(line)
         except ValueError:

data/lib/chef/provider/package/yum/yum_helper.py

@@ -196,6 +196,10 @@ try:
         setup_exit_handler()
         line = inpipe.readline()
 
+        # only way to detect EOF in python
+        if line == "":
+            break
+
         try:
             command = json.loads(line)
         except ValueError, e:

data/lib/chef/resource.rb

@@ -1062,6 +1062,7 @@ class Chef
     # action for the resource.
     #
     # @param name [Symbol] The action name to define.
+    # @param description [String] optional description for the action
     # @param recipe_block The recipe to run when the action is taken. This block
     #   takes no parameters, and will be evaluated in a new context containing:
     #
@@ -1071,14 +1072,37 @@ class Chef
     #
     # @return The Action class implementing the action
     #
-    def self.action(action, &recipe_block)
+    def self.action(action, description: nil, &recipe_block)
       action = action.to_sym
       declare_action_class
       action_class.action(action, &recipe_block)
       self.allowed_actions += [ action ]
+      # Accept any non-nil description, which will correctly override
+      # any specific inherited description.
+      action_descriptions[action] = description unless description.nil?
       default_action action if Array(default_action) == [:nothing]
     end
 
+    # Retrieve the description for a resource's action, if
+    # any description has been included in the definition.
+    #
+    # @param action [Symbol,String] the action name
+    # @return the description of the action provided, or nil if no description
+    # was defined
+    def self.action_description(action)
+      action_descriptions[action.to_sym]
+    end
+
+    # @api private
+    #
+    # @return existing action description hash, or newly-initialized
+    # hash containing action descriptions inherited from parent Resource,
+    # if any.
+    def self.action_descriptions
+      @action_descriptions ||=
+        superclass.respond_to?(:action_descriptions) ? superclass.action_descriptions.dup : { nothing: nil }
+    end
+
     # Define a method to load up this resource's properties with the current
     # actual values.
     #
@@ -1196,9 +1220,9 @@ class Chef
     #
 
     # FORBIDDEN_IVARS do not show up when the resource is converted to JSON (ie. hidden from data_collector and sending to the chef server via #to_json/to_h/as_json/inspect)
-    FORBIDDEN_IVARS = %i{@run_context @logger @not_if @only_if @enclosing_provider @description @introduced @examples @validation_message @deprecated @default_description @skip_docs @executed_by_runner}.freeze
+    FORBIDDEN_IVARS = %i{@run_context @logger @not_if @only_if @enclosing_provider @description @introduced @examples @validation_message @deprecated @default_description @skip_docs @executed_by_runner @action_descriptions}.freeze
     # HIDDEN_IVARS do not show up when the resource is displayed to the user as text (ie. in the error inspector output via #to_text)
-    HIDDEN_IVARS = %i{@allowed_actions @resource_name @source_line @run_context @logger @name @not_if @only_if @elapsed_time @enclosing_provider @description @introduced @examples @validation_message @deprecated @default_description @skip_docs @executed_by_runner}.freeze
+    HIDDEN_IVARS = %i{@allowed_actions @resource_name @source_line @run_context @logger @name @not_if @only_if @elapsed_time @enclosing_provider @description @introduced @examples @validation_message @deprecated @default_description @skip_docs @executed_by_runner @action_descriptions}.freeze
 
     include Chef::Mixin::ConvertToClassName
     extend Chef::Mixin::ConvertToClassName