chef 17.0.242-universal-mingw32 → 17.4.25-universal-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 41c93beb21c79d39b06a7ae7939e826e5cd3f206993e883ee26ad048ca92d8fc
-  data.tar.gz: bca43e03deba7211b7ac186b970db08d08d1568d4f58a0caf5600c86ffa11384
+  metadata.gz: b16e62ba7d28cff9fe62328af38e23c484ff0f7f4f6e8c8ea24c768fa2da78d4
+  data.tar.gz: 007b4a36cd90ec76ba99b61b1a8dda12687e20787f1e3611d37a81504a831e05
 SHA512:
-  metadata.gz: 0326db2eedf4d75bd23467b9df9cee1eda1ebc5aad091d6d585b311699f64c50f09c7dd38214d0a09ad7467090d2d2b6046108fd8cdb43ce147e11a07212a561
-  data.tar.gz: d91d49ddbb7efffefd6a416f7994a1a14c836478651a0b6a985d7e46b57e05b016ec327d94bf13d9ef886923c07602d2c0a08fb655da790dd4a8ca86e57d0043
+  metadata.gz: 9dd9c1790477e60242859ba4e0e7bed672e04702946aebd965fcc7bb31bf5ecb6e43eb8db6e44d55968760c2f2b8bc4cfc472072eb4f662b2c58eb031d04b651
+  data.tar.gz: 79249489f9347537dffa27bd7b8b152e2ebea6486d54c64a570a638fdf91c17c5e4079a37198ffea8b762bcf3572ff8d80631865cf5a21dfece9106c01dbbf63

data/Gemfile

@@ -1,10 +1,5 @@
 source "https://rubygems.org"
 
-# Note we do not use the gemspec DSL which restricts to the
-# gemspec for the current platform and filters out other platforms
-# during a bundle lock operation. We actually want dependencies from
-# both of our gemspecs. Also note this this mimics gemspec behavior
-# of bundler versions prior to 1.12.0 (https://github.com/bundler/bundler/commit/193a14fe5e0d56294c7b370a0e59f93b2c216eed)
 gem "chef", path: "."
 
 gem "ohai", git: "https://github.com/chef/ohai.git", branch: "master"
@@ -22,8 +17,6 @@ end
 
 gem "cheffish", ">= 17"
 
-gem "chef-telemetry", ">=1.0.8" # 1.0.8 removes the http dep
-
 group(:omnibus_package) do
   gem "appbundler"
   gem "rb-readline"
@@ -32,17 +25,14 @@ group(:omnibus_package) do
 end
 
 group(:omnibus_package, :pry) do
-  gem "pry"
+  # Locked because pry-byebug is broken with 13+.
+  # some work is ongoing? https://github.com/deivid-rodriguez/pry-byebug/issues/343
+  gem "pry", "= 0.13.0"
   # byebug does not install on freebsd on ruby 3.0
-  # gem "pry-byebug"
+  gem "pry-byebug" unless RUBY_PLATFORM =~ /freebsd/i
   gem "pry-stack_explorer"
 end
 
-# Everything except AIX
-group(:ruby_prof) do
-  gem "ruby-prof"
-end
-
 # Everything except AIX and Windows
 group(:ruby_shadow) do
   # if ruby-shadow does a release that supports ruby-3.0 this can be removed

data/Rakefile

@@ -108,8 +108,8 @@ task :update_chef_exec_dll do
 
   sh("hab pkg install chef/chef-powershell-shim")
   sh("hab pkg install chef/chef-powershell-shim-x86")
-  x64 = `hab pkg path chef/chef-powershell-shim`.chomp.tr('\\', "/")
-  x86 = `hab pkg path chef/chef-powershell-shim-x86`.chomp.tr('\\', "/")
+  x64 = `hab pkg path chef/chef-powershell-shim`.chomp.tr("\\", "/")
+  x86 = `hab pkg path chef/chef-powershell-shim-x86`.chomp.tr("\\", "/")
   FileUtils.rm_rf(Dir["distro/ruby_bin_folder/AMD64/*"])
   FileUtils.rm_rf(Dir["distro/ruby_bin_folder/x86/*"])
   puts "Copying #{x64}/bin/* to distro/ruby_bin_folder/AMD64"

data/chef.gemspec

@@ -40,38 +40,28 @@ Gem::Specification.new do |s|
 
   s.add_dependency "ffi", ">= 1.5.0"
   s.add_dependency "ffi-yajl", "~> 2.2"
-  s.add_dependency "net-ssh", ">= 5.1", "< 7"
-  s.add_dependency "net-ssh-multi", "~> 1.2", ">= 1.2.1"
-  s.add_dependency "net-sftp", ">= 2.1.2", "< 4.0"
-  s.add_dependency "ed25519", "~> 1.2" # ed25519 ssh key support
-  s.add_dependency "bcrypt_pbkdf", "~> 1.1" # ed25519 ssh key support
-  s.add_dependency "highline", ">= 1.6.9", "< 3"
-  s.add_dependency "tty-prompt", "~> 0.21" # knife ui.ask prompt
-  s.add_dependency "tty-screen", "~> 0.6" # knife list
-  s.add_dependency "tty-table", "~> 0.11" # knife render table output.
-  s.add_dependency "pastel" # knife ui.color
-  s.add_dependency "erubis", "~> 2.7"
-  s.add_dependency "diff-lcs", ">= 1.2.4", "< 1.4.0" # 1.4 breaks output
-  s.add_dependency "ffi-libarchive", "~> 1.0", ">= 1.0.3"
+  s.add_dependency "net-sftp", ">= 2.1.2", "< 4.0" # remote_file resource
+  s.add_dependency "erubis", "~> 2.7" # template resource / cookbook syntax check
+  s.add_dependency "diff-lcs", ">= 1.2.4", "< 1.4.0" # 1.4 breaks output. Used in lib/chef/util/diff
+  s.add_dependency "ffi-libarchive", "~> 1.0", ">= 1.0.3" # archive_file resource
   s.add_dependency "chef-zero", ">= 14.0.11"
-  s.add_dependency "chef-vault"
+  s.add_dependency "chef-vault" # chef-vault resources and helpers
 
-  s.add_dependency "plist", "~> 3.2"
-  s.add_dependency "iniparse", "~> 1.4"
+  s.add_dependency "plist", "~> 3.2" # launchd, dscl/mac user, macos_userdefaults, osx_profile and plist resources
+  s.add_dependency "iniparse", "~> 1.4" # systemd_unit resource
   s.add_dependency "addressable"
   s.add_dependency "syslog-logger", "~> 1.6"
-  s.add_dependency "uuidtools", ">= 2.1.5", "< 3.0"
+  s.add_dependency "uuidtools", ">= 2.1.5", "< 3.0" # osx_profile resource
 
   s.add_dependency "proxifier", "~> 1.0"
 
+  s.add_dependency "aws-sdk-secretsmanager", "~> 1.46"
   s.bindir       = "bin"
   s.executables  = %w{ }
 
   s.require_paths = %w{ lib }
   s.files = %w{Gemfile Rakefile LICENSE README.md} +
-    Dir.glob("{lib,spec}/**/*", File::FNM_DOTMATCH).reject do |f|
-      File.directory?(f) || File.path(f).match(/knife*/)
-    end +
+    Dir.glob("{lib,spec}/**/*", File::FNM_DOTMATCH).reject { |f| File.directory?(f) } +
     Dir.glob("*.gemspec") +
     Dir.glob("tasks/rspec.rb")
 

data/lib/chef/action_collection.rb

@@ -87,13 +87,11 @@ class Chef
     attr_reader :action_records
     attr_reader :pending_updates
     attr_reader :run_context
-    attr_reader :consumers
     attr_reader :events
 
     def initialize(events, run_context = nil, action_records = [])
       @action_records  = action_records
       @pending_updates = []
-      @consumers       = []
       @events          = events
       @run_context     = run_context
     end
@@ -118,17 +116,17 @@ class Chef
       self.class.new(events, run_context, subrecords)
     end
 
+    def resources
+      action_records.map(&:new_resource)
+    end
+
     # This hook gives us the run_context immediately after it is created so that we can wire up this object to it.
     #
-    # This also causes the action_collection_registration event to fire, all consumers that have not yet registered with the
-    # action_collection must register via this callback.  This is the latest point before resources actually start to get
-    # evaluated.
-    #
     # (see EventDispatch::Base#)
     #
     def cookbook_compilation_start(run_context)
       run_context.action_collection = self
-      # fire the action_colleciton_registration hook after cookbook_compilation_start -- last chance for consumers to register
+      # this hook is now poorly named since it is just a callback that lets other consumers snag a reference to the action_collection
       run_context.events.enqueue(:action_collection_registration, self)
       @run_context = run_context
     end
@@ -139,7 +137,7 @@ class Chef
     # @params object [Object] callers should call with `self`
     #
     def register(object)
-      consumers << object
+      Chef::Log.warn "the action collection no longer requires registration at #{caller[0]}"
     end
 
     # End of an unsuccessful converge used to fire off detect_unprocessed_resources.
@@ -147,8 +145,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def converge_failed(exception)
-      return if consumers.empty?
-
       detect_unprocessed_resources
     end
 
@@ -159,8 +155,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_action_start(new_resource, action, notification_type = nil, notifier = nil)
-      return if consumers.empty?
-
       pending_updates << ActionRecord.new(new_resource, action, pending_updates.length)
     end
 
@@ -170,8 +164,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_current_state_loaded(new_resource, action, current_resource)
-      return if consumers.empty?
-
       current_record.current_resource = current_resource
     end
 
@@ -181,8 +173,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_after_state_loaded(new_resource, action, after_resource)
-      return if consumers.empty?
-
       current_record.after_resource = after_resource
     end
 
@@ -191,8 +181,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_up_to_date(new_resource, action)
-      return if consumers.empty?
-
       current_record.status = :up_to_date
     end
 
@@ -201,8 +189,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_skipped(resource, action, conditional)
-      return if consumers.empty?
-
       current_record.status = :skipped
       current_record.conditional = conditional
     end
@@ -212,8 +198,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_updated(new_resource, action)
-      return if consumers.empty?
-
       current_record.status = :updated
     end
 
@@ -222,8 +206,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_failed(new_resource, action, exception)
-      return if consumers.empty?
-
       current_record.status = :failed
       current_record.exception = exception
       current_record.error_description = Formatters::ErrorMapper.resource_failed(new_resource, action, exception).for_json
@@ -234,8 +216,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_completed(new_resource)
-      return if consumers.empty?
-
       current_record.elapsed_time = new_resource.elapsed_time
 
       # Verify if the resource has sensitive data and create a new blank resource with only

data/lib/chef/application/base.rb

@@ -297,6 +297,21 @@ class Chef::Application::Base < Chef::Application
     long: "--named-run-list NAMED_RUN_LIST",
     description: "Use a policyfile's named run list instead of the default run list."
 
+  option :slow_report,
+    long: "--[no-]slow-report [COUNT]",
+    description: "List the slowest resources at the end of the run (default: 10).",
+    boolean: true,
+    default: false,
+    proc: lambda { |argument|
+      if argument.nil?
+        true
+      elsif argument == false
+        false
+      else
+        Integer(argument)
+      end
+    }
+
   IMMEDIATE_RUN_SIGNAL = "1".freeze
   RECONFIGURE_SIGNAL = "H".freeze
 

data/lib/chef/application.rb

@@ -310,7 +310,7 @@ class Chef
       logger.info "Forking #{ChefUtils::Dist::Infra::PRODUCT} instance to converge..."
       pid = fork do
         # Want to allow forked processes to finish converging when
-        # TERM singal is received (exit gracefully)
+        # TERM signal is received (exit gracefully)
         trap("TERM") do
           logger.debug("SIGTERM received during converge," +
             " finishing converge to exit normally (send SIGINT to terminate immediately)")
@@ -377,7 +377,9 @@ class Chef
 
         Chef::FileCache.store("#{ChefUtils::Dist::Infra::SHORT}-stacktrace.out", chef_stacktrace_out)
         logger.fatal("Stacktrace dumped to #{Chef::FileCache.load("#{ChefUtils::Dist::Infra::SHORT}-stacktrace.out", false)}")
-        logger.fatal("Please provide the contents of the stacktrace.out file if you file a bug report")
+        logger.fatal("---------------------------------------------------------------------------------------")
+        logger.fatal("PLEASE PROVIDE THE CONTENTS OF THE stacktrace.out FILE (above) IF YOU FILE A BUG REPORT")
+        logger.fatal("---------------------------------------------------------------------------------------")
         if Chef::Config[:always_dump_stacktrace]
           logger.fatal(message)
         else

data/lib/chef/chef_fs/file_pattern.rb

@@ -255,7 +255,7 @@ class Chef
       end
 
       def self.regexp_escape_characters
-        [ "[", '\\', "^", "$", ".", "|", "?", "*", "+", "(", ")", "{", "}" ]
+        [ "[", "\\", "^", "$", ".", "|", "?", "*", "+", "(", ")", "{", "}" ]
       end
 
       def self.pattern_to_regexp(pattern)
@@ -281,7 +281,7 @@ class Chef
               exact = nil
               regexp << "."
             else
-              if part[0, 1] == '\\' && part.length == 2
+              if part[0, 1] == "\\" && part.length == 2
                 # backslash escapes are only supported on Unix, and are handled here by leaving the escape on (it means the same thing in a regex)
                 exact << part[1, 1] unless exact.nil?
                 if regexp_escape_characters.include?(part[1, 1])

data/lib/chef/client.rb

@@ -751,7 +751,7 @@ class Chef
     end
 
     # Notification registration
-    class<<self
+    class << self
       #
       # Add a listener for the 'client run started' event.
       #
@@ -863,6 +863,12 @@ class Chef
     end
 
     def start_profiling
+      if Chef::Config[:slow_report]
+        require_relative "handler/slow_report"
+
+        Chef::Config.report_handlers << Chef::Handler::SlowReport.new(Chef::Config[:slow_report])
+      end
+
       return unless Chef::Config[:profile_ruby]
 
       profiling_prereqs!

data/lib/chef/compliance/default_attributes.rb

@@ -28,7 +28,7 @@ class Chef
       # Controls what is done with the resulting report after the Chef InSpec run.
       # Accepts a single string value or an array of multiple values.
       # Accepted values: 'chef-server-automate', 'chef-automate', 'json-file', 'audit-enforcer', 'cli'
-      "reporter" => "json-file",
+      "reporter" => "cli",
 
       # Controls if Chef InSpec profiles should be fetched from Chef Automate or Chef Infra Server
       # in addition to the default fetch locations provided by Chef Inspec.
@@ -47,8 +47,10 @@ class Chef
       "profiles" => {},
 
       # Extra inputs passed to Chef InSpec to allow finer-grained control over behavior.
-      # These are mapped to Chef InSpec's inputs, but are named attributes here for legacy reasons.
       # See Chef Inspec's documentation for more information: https://docs.chef.io/inspec/inputs/
+      "inputs" => {},
+
+      # Legacy alias for inputs
       "attributes" => {},
 
       # A string path or an array of paths to Chef InSpec waiver files.
@@ -88,7 +90,7 @@ class Chef
 
       # If enabled, a hash representation of the Chef Infra node object will be sent to Chef InSpec in an input
       # named `chef_node`.
-      "chef_node_attribute_enabled" => false,
+      "chef_node_attribute_enabled" => true,
 
       # Should the built-in compliance phase run. True and false force the behavior. Nil does magic based on if you have
       # profiles defined but do not have the audit cookbook enabled.

data/lib/chef/compliance/reporter/automate.rb

@@ -44,7 +44,7 @@ class Chef
           end
 
           unless @url && @token
-            raise "CMPL006: data_collector.token and data_collector.server_url must be configured in client.rb! Further information: https://docs.chef.io/chef_compliance_phase/#direct-reporting-to-chef-automate"
+            raise "CMPL006: data_collector.token and data_collector.server_url must be configured in client.rb! Further information: https://docs.chef.io/automate/data_collection/#configure-your-chef-infra-client-to-send-data-to-chef-automate-without-chef-infra-server"
           end
         end
 

data/lib/chef/compliance/runner.rb

@@ -113,8 +113,17 @@ class Chef
         logger.info "Chef Infra Compliance Phase Complete"
       end
 
+      def inputs_from_attributes
+        if !node["audit"]["inputs"].empty?
+          node["audit"]["inputs"].to_h
+        else
+          node["audit"]["attributes"].to_h
+        end
+      end
+
       def inspec_opts
-        inputs = node["audit"]["attributes"].to_h
+        inputs = inputs_from_attributes
+
         if node["audit"]["chef_node_attribute_enabled"]
           inputs["chef_node"] = node.to_h
           inputs["chef_node"]["chef_environment"] = node.chef_environment
@@ -288,7 +297,7 @@ class Chef
         # supports it.
         Array(node["audit"]["reporter"]).each do |type|
           unless SUPPORTED_REPORTERS.include? type
-            raise "CMPL003: '#{type}' found in node['audit']['reporter'] is not a supported reporter for Compliance Phase. Supported reporters are: #{SUPPORTED_REPORTERS.join(", ")}. For more information, see the documentation at https://docs.chef.io/chef_compliance_phase/chef_compliance_runners/#reporters"
+            raise "CMPL003: '#{type}' found in node['audit']['reporter'] is not a supported reporter for Compliance Phase. Supported reporters are: #{SUPPORTED_REPORTERS.join(", ")}. For more information, see the documentation at https://docs.chef.io/chef_compliance_phase#reporters"
           end
 
           @reporters[type] = reporter(type)
@@ -297,9 +306,14 @@ class Chef
 
         unless (fetcher = node["audit"]["fetcher"]).nil?
           unless SUPPORTED_FETCHERS.include? fetcher
-            raise "CMPL002: Unrecognized Compliance Phase fetcher (node['audit']['fetcher'] = #{fetcher}). Supported fetchers are: #{SUPPORTED_FETCHERS.join(", ")}, or nil. For more information, see the documentation at https://docs.chef.io/chef_compliance_phase/chef_compliance_runners/#fetchers"
+            raise "CMPL002: Unrecognized Compliance Phase fetcher (node['audit']['fetcher'] = #{fetcher}). Supported fetchers are: #{SUPPORTED_FETCHERS.join(", ")}, or nil. For more information, see the documentation at https://docs.chef.io/chef_compliance_phase#fetch-profiles"
           end
         end
+
+        if !node["audit"]["attributes"].empty? && !node["audit"]["inputs"].empty?
+          raise "CMPL011: both node['audit']['inputs'] and node['audit']['attributes'] are set.  The node['audit']['attributes'] setting is deprecated and should not be used."
+        end
+
         @validation_passed = true
       end
     end

data/lib/chef/cookbook/cookbook_version_loader.rb

@@ -160,13 +160,13 @@ class Chef
       def metadata_filenames
         return @metadata_filenames unless @metadata_filenames.empty?
 
-        if File.exists?(File.join(cookbook_path, UPLOADED_COOKBOOK_VERSION_FILE))
+        if File.exist?(File.join(cookbook_path, UPLOADED_COOKBOOK_VERSION_FILE))
           @uploaded_cookbook_version_file = File.join(cookbook_path, UPLOADED_COOKBOOK_VERSION_FILE)
         end
 
-        if File.exists?(File.join(cookbook_path, "metadata.json"))
+        if File.exist?(File.join(cookbook_path, "metadata.json"))
           @metadata_filenames << File.join(cookbook_path, "metadata.json")
-        elsif File.exists?(File.join(cookbook_path, "metadata.rb"))
+        elsif File.exist?(File.join(cookbook_path, "metadata.rb"))
           @metadata_filenames << File.join(cookbook_path, "metadata.rb")
         elsif uploaded_cookbook_version_file
           @metadata_filenames << uploaded_cookbook_version_file

data/lib/chef/cookbook/gem_installer.rb

@@ -70,7 +70,11 @@ class Chef
                 unless Chef::Config[:skip_gem_metadata_installation]
                   # Add additional options to bundle install
                   cmd = [ "bundle", "install", Chef::Config[:gem_installer_bundler_options] ]
-                  so = shell_out!(cmd, cwd: dir, env: { "PATH" => path_with_prepended_ruby_bin })
+                  env = {
+                    "PATH" => path_with_prepended_ruby_bin,
+                    "BUNDLE_SILENCE_ROOT_WARNING" => "1",
+                  }
+                  so = shell_out!(cmd, cwd: dir, env: env)
                   Chef::Log.info(so.stdout)
                 end
               end

data/lib/chef/cookbook_version.rb

@@ -138,11 +138,14 @@ class Chef
     end
 
     def recipe_yml_filenames_by_name
-      @recipe_ym_filenames_by_name ||= begin
+      @recipe_yml_filenames_by_name ||= begin
         name_map = yml_filenames_by_name(files_for("recipes"))
-        root_alias = cookbook_manifest.root_files.find { |record| record[:name] == "root_files/recipe.yml" }
+        root_alias = cookbook_manifest.root_files.find { |record|
+          record[:name] == "root_files/recipe.yml" ||
+            record[:name] == "root_files/recipe.yaml"
+        }
         if root_alias
-          Chef::Log.error("Cookbook #{name} contains both recipe.yml and and recipes/default.yml, ignoring recipes/default.yml") if name_map["default"]
+          Chef::Log.error("Cookbook #{name} contains both recipe.yml and recipes/default.yml, ignoring recipes/default.yml") if name_map["default"]
           name_map["default"] = root_alias[:full_path]
         end
         name_map
@@ -582,8 +585,27 @@ class Chef
       records.select { |record| record[:name] =~ /\.rb$/ }.inject({}) { |memo, record| memo[File.basename(record[:name], ".rb")] = record[:full_path]; memo }
     end
 
+    # Filters YAML files from the superset of provided files.
+    # Checks for duplicate basenames with differing extensions (eg yaml v yml)
+    # and raises error if any are detected.
+    # This prevents us from arbitrarily the ".yaml" or ".yml" version when both are present,
+    # because we don't know which is correct.
+    # This method runs in O(n^2) where N = number of yml files present. This number should be consistently
+    # low enough that there's no noticeable perf impact.
     def yml_filenames_by_name(records)
-      records.select { |record| record[:name] =~ /\.yml$/ }.inject({}) { |memo, record| memo[File.basename(record[:name], ".yml")] = record[:full_path]; memo }
+      yml_files = records.select { |record| record[:name] =~ /\.(y[a]?ml)$/ }
+      result = yml_files.inject({}) do |acc, record|
+        filename = record[:name]
+        base_dup_name = File.join(File.dirname(filename), File.basename(filename, File.extname(filename)))
+        yml_files.each do |other|
+          if other[:name] =~ /#{(File.extname(filename) == ".yml") ? "#{base_dup_name}.yaml" : "#{base_dup_name}.yml"}$/
+            raise Chef::Exceptions::AmbiguousYAMLFile.new("Cookbook #{name}@#{version} contains ambiguous files: #{filename} and #{other[:name]}. Please update the cookbook to remove the incorrect file.")
+          end
+        end
+        acc[File.basename(record[:name], File.extname(record[:name]))] = record[:full_path]
+        acc
+      end
+      result
     end
 
     def file_vendor