chef 17.0.242 → 17.1.35

data/lib/chef/provider/package/yum/yum_helper.py

@@ -2,45 +2,26 @@
 # vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
 
 #
-# NOTE: this actually needs to run under python2.4 and centos 5.x through python3 and centos 7.x
-# please manually test changes on centos5 boxes or you will almost certainly break things.
+# NOTE: this actually needs to run under python2.7 and centos 6.x through python3 and centos 7.x
+# please manually test changes on centos6 boxes or you will almost certainly break things.
 #
 
 import sys
 import yum
 import signal
 import os
-sys.path.append(os.path.join(os.path.dirname(__file__), '..', 'simplejson'))
-try: import json
-except ImportError: import simplejson as json
+import fcntl
+import json
 import re
 from rpmUtils.miscutils import stringToVersion,compareEVR
 from rpmUtils.arch import getBaseArch, getArchList
-
-
-try: from yum.misc import string_to_prco_tuple
-except ImportError:
-    # RHEL5 compat
-    def string_to_prco_tuple(prcoString):
-        prco_split = prcoString.split()
-        n, f, v = prco_split
-        (prco_e, prco_v, prco_r) = stringToVersion(v)
-        return (n, f, (prco_e, prco_v, prco_r))
+from yum.misc import string_to_prco_tuple
 
 # hack to work around https://github.com/chef/chef/issues/7126
 # see https://bugzilla.redhat.com/show_bug.cgi?id=1396248
 if not hasattr(yum.packages.FakeRepository, 'compare_providers_priority'):
     yum.packages.FakeRepository.compare_providers_priority = 99
 
-base = None
-
-def get_base():
-    global base
-    if base is None:
-        base = yum.YumBase()
-    setup_exit_handler()
-    return base
-
 def versioncompare(versions):
     arch_list = getArchList()
     candidate_arch1 = versions[0].split(".")[-1]
@@ -51,9 +32,9 @@ def versioncompare(versions):
     # then we'll chop the arch component (assuming it *is* a valid one) from the first version string
     # so we're only comparing the evr portions.
     if (candidate_arch2 not in arch_list) and (candidate_arch1 in arch_list):
-       final_version1 = versions[0].replace("." + candidate_arch1,"")
+        final_version1 = versions[0].replace("." + candidate_arch1,"")
     else:
-       final_version1 = versions[0]
+        final_version1 = versions[0]
 
     final_version2 = versions[1]
 
@@ -64,37 +45,24 @@ def versioncompare(versions):
     outpipe.write("%(e)s\n" % { 'e': evr_comparison })
     outpipe.flush()
 
-def install_only_packages(name):
-    base = get_base()
+def install_only_packages(base, name):
     if name in base.conf.installonlypkgs:
-      outpipe.write('True')
+        outpipe.write('True\n')
     else:
-      outpipe.write('False')
+        outpipe.write('False\n')
     outpipe.flush()
 
-# python2.4 / centos5 compat
-try:
-    any
-except NameError:
-    def any(s):
-        for v in s:
-            if v:
-                return True
-        return False
-
-def query(command):
-    base = get_base()
-
+def query(base, command):
     enabled_repos = base.repos.listEnabled()
 
     # Handle any repocontrols passed in with our options
 
     if 'repos' in command:
-      for repo in command['repos']:
-        if 'enable' in repo:
-          base.repos.enableRepo(repo['enable'])
+        for repo in command['repos']:
+            if 'enable' in repo:
+                base.repos.enableRepo(repo['enable'])
         if 'disable' in repo:
-          base.repos.disableRepo(repo['disable'])
+            base.repos.disableRepo(repo['disable'])
 
     args = { 'name': command['provides'] }
     do_nevra = False
@@ -136,7 +104,7 @@ def query(command):
         #    returnPackages and searchProvides and then apply the Nevra filters to those results.
         pkgs = obj.searchNevra(**args)
         if (command['action'] == "whatinstalled") and (not pkgs):
-          pkgs = obj.searchNevra(name=args['name'], arch=desired_arch)
+            pkgs = obj.searchNevra(name=args['name'], arch=desired_arch)
     else:
         pats = [command['provides']]
         pkgs = obj.returnPackages(patterns=pats)
@@ -157,13 +125,13 @@ def query(command):
 
     # Reset any repos we were passed in enablerepo/disablerepo to the original state in enabled_repos
     if 'repos' in command:
-      for repo in command['repos']:
-        if 'enable' in repo:
-          if base.repos.getRepo(repo['enable']) not in enabled_repos:
-            base.repos.disableRepo(repo['enable'])
+        for repo in command['repos']:
+            if 'enable' in repo:
+                if base.repos.getRepo(repo['enable']) not in enabled_repos:
+                    base.repos.disableRepo(repo['enable'])
         if 'disable' in repo:
-          if base.repos.getRepo(repo['disable']) in enabled_repos:
-            base.repos.enableRepo(repo['disable'])
+            if base.repos.getRepo(repo['disable']) in enabled_repos:
+                base.repos.enableRepo(repo['disable'])
 
 # the design of this helper is that it should try to be 'brittle' and fail hard and exit in order
 # to keep process tables clean.  additional error handling should probably be added to the retry loop
@@ -179,21 +147,29 @@ def setup_exit_handler():
     signal.signal(signal.SIGPIPE, exit_handler)
     signal.signal(signal.SIGQUIT, exit_handler)
 
+def set_blocking(fd):
+    old_flags = fcntl.fcntl(fd, fcntl.F_GETFL)
+    fcntl.fcntl(fd, fcntl.F_SETFL, old_flags & ~os.O_NONBLOCK)
+
+base = None
+
 if len(sys.argv) < 3:
-  inpipe = sys.stdin
-  outpipe = sys.stdout
+    inpipe = sys.stdin
+    outpipe = sys.stdout
 else:
-  inpipe = os.fdopen(int(sys.argv[1]), "r")
-  outpipe = os.fdopen(int(sys.argv[2]), "w")
+    set_blocking(int(sys.argv[1]))
+    set_blocking(int(sys.argv[2]))
+    inpipe = os.fdopen(int(sys.argv[1]), "r")
+    outpipe = os.fdopen(int(sys.argv[2]), "w")
 
 try:
+    setup_exit_handler()
     while 1:
         # stop the process if the parent proc goes away
         ppid = os.getppid()
         if ppid == 1:
             raise RuntimeError("orphaned")
 
-        setup_exit_handler()
         line = inpipe.readline()
 
         # only way to detect EOF in python
@@ -205,14 +181,22 @@ try:
         except ValueError, e:
             raise RuntimeError("bad json parse")
 
+        if base is None:
+            base = yum.YumBase()
+
         if command['action'] == "whatinstalled":
-            query(command)
+            query(base, command)
         elif command['action'] == "whatavailable":
-            query(command)
+            query(base, command)
         elif command['action'] == "versioncompare":
             versioncompare(command['versions'])
         elif command['action'] == "installonlypkgs":
-             install_only_packages(command['package'])
+            install_only_packages(base, command['package'])
+        elif command['action'] == "close_rpmdb":
+            base.closeRpmDB()
+            base = None
+            outpipe.write('nil nil nil\n')
+            outpipe.flush()
         else:
             raise RuntimeError("bad command")
 finally:

data/lib/chef/provider/registry_key.rb

@@ -78,7 +78,7 @@ class Chef
       def define_resource_requirements
         requirements.assert(:create, :create_if_missing, :delete, :delete_key) do |a|
           a.assertion { registry.hive_exists?(new_resource.key) }
-          a.failure_message(Chef::Exceptions::Win32RegHiveMissing, "Hive #{new_resource.key.split('\\').shift} does not exist")
+          a.failure_message(Chef::Exceptions::Win32RegHiveMissing, "Hive #{new_resource.key.split("\\").shift} does not exist")
         end
 
         requirements.assert(:create) do |a|

data/lib/chef/provider/service/systemd.rb

@@ -80,7 +80,7 @@ class Chef::Provider::Service::Systemd < Chef::Provider::Service::Simple
     @systemd_service_status ||= begin
       # Collect all the status information for a service and returns it at once
       options, args = get_systemctl_options_args
-      s = shell_out!(systemctl_path, args, "show", "-p", "UnitFileState", "-p", "ActiveState", new_resource.service_name, options)
+      s = shell_out!(systemctl_path, args, "show", "-p", "UnitFileState", "-p", "ActiveState", new_resource.service_name, **options)
       # e.g. /bin/systemctl --system show  -p UnitFileState -p ActiveState sshd.service
       # Returns something like:
       # ActiveState=active

data/lib/chef/provider/systemd_unit.rb

@@ -60,7 +60,7 @@ class Chef
           # Collect all the status information for a unit and return it at once
           # This may fail if we are managing a template unit (e.g. with '@'), in which case
           # we just ignore the error because unit status is irrelevant in that case
-          s = shell_out(*systemctl_cmd, "show", "-p", "UnitFileState", "-p", "ActiveState", new_resource.unit_name, systemctl_opts)
+          s = shell_out(*systemctl_cmd, "show", "-p", "UnitFileState", "-p", "ActiveState", new_resource.unit_name, **systemctl_opts)
           # e.g. /bin/systemctl --system show -p UnitFileState -p ActiveState syslog.socket
           # Returns something like:
           # ActiveState=inactive

data/lib/chef/provider/template/content.rb

@@ -63,7 +63,7 @@ class Chef
           context[:template_finder] = template_finder
 
           # helper variables
-          context[:cookbook_name] = new_resource.cookbook_name unless context.keys.include?(:coookbook_name)
+          context[:cookbook_name] = new_resource.cookbook_name unless context.keys.include?(:cookbook_name)
           context[:recipe_name] = new_resource.recipe_name unless context.keys.include?(:recipe_name)
           context[:recipe_line_string] = new_resource.source_line unless context.keys.include?(:recipe_line_string)
           context[:recipe_path] = new_resource.source_line_file unless context.keys.include?(:recipe_path)

data/lib/chef/provider/windows_script.rb

@@ -83,7 +83,7 @@ class Chef
         username = new_resource.user
 
         if new_resource.domain
-          username = new_resource.domain + '\\' + new_resource.user
+          username = new_resource.domain + "\\" + new_resource.user
         end
 
         # Create an ACE that allows the alternate user read access to the script

data/lib/chef/resource.rb

@@ -42,6 +42,7 @@ require_relative "mixin/deprecation"
 require_relative "mixin/properties"
 require_relative "mixin/provides"
 require_relative "dsl/universal"
+require_relative "constants"
 
 class Chef
   class Resource
@@ -1362,8 +1363,9 @@ class Chef
     #
     # @param arg [String] version constraint to match against (e.g. "> 14")
     #
-    def self.chef_version_for_provides(constraint)
-      @chef_version_for_provides = constraint
+    def self.chef_version_for_provides(constraint = NOT_PASSED)
+      @chef_version_for_provides = constraint unless constraint == NOT_PASSED
+      @chef_version_for_provides ||= nil
     end
 
     # Mark this resource as providing particular DSL.
@@ -1376,14 +1378,11 @@ class Chef
     def self.provides(name, **options, &block)
       name = name.to_sym
 
-      # quell warnings
-      @chef_version_for_provides = nil unless defined?(@chef_version_for_provides)
-
       # deliberately do not go through the accessor here
       @resource_name = name if resource_name.nil?
 
-      if @chef_version_for_provides && !options.include?(:chef_version)
-        options[:chef_version] = @chef_version_for_provides
+      if chef_version_for_provides && !options.include?(:chef_version)
+        options[:chef_version] = chef_version_for_provides
       end
 
       result = Chef.resource_handler_map.set(name, self, **options, &block)

data/lib/chef/resource/execute.rb

@@ -633,13 +633,13 @@ class Chef
         end
 
         # if domain is provided in both username and domain
-        if specified_user.is_a?(String) && ((specified_user.include? '\\') || (specified_user.include? "@")) && specified_domain
+        if specified_user.is_a?(String) && ((specified_user.include? "\\") || (specified_user.include? "@")) && specified_domain
           raise ArgumentError, "The domain is provided twice. Username: `#{specified_user}`, Domain: `#{specified_domain}`. Please specify domain only once."
         end
 
         if specified_user.is_a?(String) && specified_domain.nil?
           # Splitting username of format: Domain\Username
-          domain_and_user = user.split('\\')
+          domain_and_user = user.split("\\")
 
           if domain_and_user.length == 2
             domain = domain_and_user[0]

data/lib/chef/resource/inspec_waiver_file_entry.rb

@@ -0,0 +1,155 @@
+#
+# Author:: Davin Taddeo (<davin@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+require "yaml"
+require "date"
+
+class Chef
+  class Resource
+    class InspecWaiverFileEntry < Chef::Resource
+      provides :inspec_waiver_file_entry
+      unified_mode true
+
+      description "Use the **inspec_waiver_file_entry** resource to add or remove entries from an InSpec waiver file. This can be used in conjunction with the Compliance Phase."
+      introduced "17.1"
+      examples <<~DOC
+      **Add an InSpec waiver entry to a given waiver file**:
+
+      ```ruby
+        inspec_waiver_file_entry 'Add waiver entry for control' do
+          file_path 'C:\\chef\\inspec_waiver_file.yml'
+          control 'my_inspec_control_01'
+          run_test false
+          justification "The subject of this control is not managed by Chef on the systems in policy group \#{node['policy_group']}"
+          expiration '2022-01-01'
+          action :add
+        end
+      ```
+
+      **Add an InSpec waiver entry to a given waiver file using the 'name' property to identify the control**:
+
+      ```ruby
+        inspec_waiver_file_entry 'my_inspec_control_01' do
+          justification "The subject of this control is not managed by Chef on the systems in policy group \#{node['policy_group']}"
+          action :add
+        end
+      ```
+
+      **Remove an InSpec waiver entry to a given waiver file**:
+
+      ```ruby
+        inspec_waiver_file_entry "my_inspec_control_01" do
+          action :remove
+        end
+      ```
+      DOC
+
+      property :control, String,
+        name_property: true,
+        description: "The name of the control being added or removed to the waiver file"
+
+      property :file_path, String,
+        required: true,
+        description: "The path to the waiver file being modified",
+        default: "#{ChefConfig::Config.etc_chef_dir}/inspec_waivers.yml",
+        default_description: "`/etc/chef/inspec_waivers.yml` on Linux/Unix and `C:\\chef\\inspec_waivers.yml` on Windows"
+
+      property :expiration, String,
+        description: "The expiration date of the given waiver - provided in YYYY-MM-DD format",
+        callbacks: {
+          "Expiration date should be a valid calendar date and match the following format: YYYY-MM-DD" => proc { |e|
+            re = Regexp.new('\d{4}-\d{2}-\d{2}$').freeze
+            if re.match?(e)
+              Date.valid_date?(*e.split("-").map(&:to_i))
+            else
+              e.nil?
+            end
+          },
+        }
+
+      property :run_test, [true, false],
+        description: "If present and true, the control will run and be reported, but failures in it won’t make the overall run fail. If absent or false, the control will not be run."
+
+      property :justification, String,
+        description: "Can be any text you want and might include a reason for the waiver as well as who signed off on the waiver."
+
+      property :backup, [false, Integer],
+        description: "The number of backups to be kept in /var/chef/backup (for UNIX- and Linux-based platforms) or C:/chef/backup (for the Microsoft Windows platform). Set to false to prevent backups from being kept.",
+        default: false
+
+      action :add do
+        if new_resource.justification.nil? || new_resource.justification == ""
+          raise Chef::Exceptions::ValidationFailed, "Entries in the InSpec waiver file must have a justification given, this parameter must have a value."
+        end
+
+        filename = new_resource.file_path
+        waiver_hash = load_waiver_file_to_hash(filename)
+        control_hash = {}
+        control_hash["expiration_date"] = new_resource.expiration.to_s unless new_resource.expiration.nil?
+        control_hash["run"] = new_resource.run_test unless new_resource.run_test.nil?
+        control_hash["justification"] = new_resource.justification.to_s
+
+        unless waiver_hash[new_resource.control] == control_hash
+          waiver_hash[new_resource.control] = control_hash
+          waiver_hash = waiver_hash.sort.to_h
+
+          file "Update Waiver File #{new_resource.file_path} to update waiver for control #{new_resource.control}" do
+            path new_resource.file_path
+            content waiver_hash.to_yaml
+            backup new_resource.backup
+            action :create
+          end
+        end
+      end
+
+      action :remove do
+        filename = new_resource.file_path
+        waiver_hash = load_waiver_file_to_hash(filename)
+        if waiver_hash.key?(new_resource.control)
+          waiver_hash.delete(new_resource.control)
+          waiver_hash = waiver_hash.sort.to_h
+          file "Update Waiver File #{new_resource.file_path} to remove waiver for control #{new_resource.control}" do
+            path new_resource.file_path
+            content waiver_hash.to_yaml
+            backup new_resource.backup
+            action :create
+          end
+        end
+      end
+
+      action_class do
+        def load_waiver_file_to_hash(file_name)
+          if file_name =~ %r{(/|C:\\).*(.yaml|.yml)}i
+            if ::File.exist?(file_name)
+              hash = ::YAML.load_file(file_name)
+              if hash == false || hash.nil? || hash == ""
+                {}
+              else
+                ::YAML.load_file(file_name)
+              end
+            else
+              {}
+            end
+          else
+            raise "Waiver files needs to be a YAML file which should have a .yaml or .yml extension -\"#{file_name}\" does not have an appropriate extension"
+          end
+        end
+      end
+    end
+  end
+end