chef 17.1.35-universal-mingw32 → 17.4.38-universal-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d814772e55ced10ad9a25572951a3b2a947d99f34d04a8461832f98e9de30c82
-  data.tar.gz: eaffd1bafbb17d03f396b57c2749ba9ab4cdce63167398bdeb73d3d655bb27b5
+  metadata.gz: 84ec7e8ea8d183bc0319fbf78ed7eb5f6ea0830020bde33233f96ca1c26947bc
+  data.tar.gz: e49b65d28c30682629d84258b8352d4076fe650156ef5f314507a9fe0adb2ba8
 SHA512:
-  metadata.gz: b0d2752d08a72f130ef06263783ccb6c62b14edb653a19f9425c7cf7410a26668ebe6c8a8dbb845cc2705b5abe035ea9475b5c4e78eb43a5a5b43b1a4846c017
-  data.tar.gz: 6d77cbb27f1ef920d28af4aeae4a5f39ee5841e523a16b65173c4cf8bff9d740b8e9e54ec66d02b17d73ec968595ffb27909033664415ca23461ac1e8e649125
+  metadata.gz: ad784e028b0347e81dfb3b75dd6c6d58c143d2d87a3bbd746eadbcf4d35f1c3cb242d4c4f1dcd2a2d16d66bb05232eb902ef65b4dd31bbc68f41dd5a81d9e5a1
+  data.tar.gz: f78342cb9b9410cc931f9158388faff31e1a34786e93c4e6892c7c903086b171a363f295adc203c473a3806de987a7a403b3699b105622d87dbe73085b1600f3

data/Gemfile

@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 gem "chef", path: "."
 
-gem "ohai", git: "https://github.com/chef/ohai.git", branch: "master"
+gem "ohai", git: "https://github.com/chef/ohai.git", branch: "main"
 
 gem "chef-utils", path: File.expand_path("chef-utils", __dir__) if File.exist?(File.expand_path("chef-utils", __dir__))
 gem "chef-config", path: File.expand_path("chef-config", __dir__) if File.exist?(File.expand_path("chef-config", __dir__))
@@ -25,9 +25,11 @@ group(:omnibus_package) do
 end
 
 group(:omnibus_package, :pry) do
-  gem "pry"
+  # Locked because pry-byebug is broken with 13+.
+  # some work is ongoing? https://github.com/deivid-rodriguez/pry-byebug/issues/343
+  gem "pry", "= 0.13.0"
   # byebug does not install on freebsd on ruby 3.0
-  # gem "pry-byebug"
+  gem "pry-byebug" unless RUBY_PLATFORM =~ /freebsd/i
   gem "pry-stack_explorer"
 end
 
@@ -46,7 +48,7 @@ end
 
 group(:chefstyle) do
   # for testing new chefstyle rules
-  gem "chefstyle", git: "https://github.com/chef/chefstyle.git", branch: "master"
+  gem "chefstyle", git: "https://github.com/chef/chefstyle.git", branch: "main"
 end
 
 instance_eval(ENV["GEMFILE_MOD"]) if ENV["GEMFILE_MOD"]

data/chef.gemspec

@@ -55,6 +55,7 @@ Gem::Specification.new do |s|
 
   s.add_dependency "proxifier", "~> 1.0"
 
+  s.add_dependency "aws-sdk-secretsmanager", "~> 1.46"
   s.bindir       = "bin"
   s.executables  = %w{ }
 

data/lib/chef/action_collection.rb

@@ -87,13 +87,11 @@ class Chef
     attr_reader :action_records
     attr_reader :pending_updates
     attr_reader :run_context
-    attr_reader :consumers
     attr_reader :events
 
     def initialize(events, run_context = nil, action_records = [])
       @action_records  = action_records
       @pending_updates = []
-      @consumers       = []
       @events          = events
       @run_context     = run_context
     end
@@ -118,17 +116,17 @@ class Chef
       self.class.new(events, run_context, subrecords)
     end
 
+    def resources
+      action_records.map(&:new_resource)
+    end
+
     # This hook gives us the run_context immediately after it is created so that we can wire up this object to it.
     #
-    # This also causes the action_collection_registration event to fire, all consumers that have not yet registered with the
-    # action_collection must register via this callback.  This is the latest point before resources actually start to get
-    # evaluated.
-    #
     # (see EventDispatch::Base#)
     #
     def cookbook_compilation_start(run_context)
       run_context.action_collection = self
-      # fire the action_colleciton_registration hook after cookbook_compilation_start -- last chance for consumers to register
+      # this hook is now poorly named since it is just a callback that lets other consumers snag a reference to the action_collection
       run_context.events.enqueue(:action_collection_registration, self)
       @run_context = run_context
     end
@@ -139,7 +137,7 @@ class Chef
     # @params object [Object] callers should call with `self`
     #
     def register(object)
-      consumers << object
+      Chef::Log.warn "the action collection no longer requires registration at #{caller[0]}"
     end
 
     # End of an unsuccessful converge used to fire off detect_unprocessed_resources.
@@ -147,8 +145,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def converge_failed(exception)
-      return if consumers.empty?
-
       detect_unprocessed_resources
     end
 
@@ -159,8 +155,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_action_start(new_resource, action, notification_type = nil, notifier = nil)
-      return if consumers.empty?
-
       pending_updates << ActionRecord.new(new_resource, action, pending_updates.length)
     end
 
@@ -170,8 +164,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_current_state_loaded(new_resource, action, current_resource)
-      return if consumers.empty?
-
       current_record.current_resource = current_resource
     end
 
@@ -181,8 +173,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_after_state_loaded(new_resource, action, after_resource)
-      return if consumers.empty?
-
       current_record.after_resource = after_resource
     end
 
@@ -191,8 +181,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_up_to_date(new_resource, action)
-      return if consumers.empty?
-
       current_record.status = :up_to_date
     end
 
@@ -201,8 +189,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_skipped(resource, action, conditional)
-      return if consumers.empty?
-
       current_record.status = :skipped
       current_record.conditional = conditional
     end
@@ -212,8 +198,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_updated(new_resource, action)
-      return if consumers.empty?
-
       current_record.status = :updated
     end
 
@@ -222,8 +206,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_failed(new_resource, action, exception)
-      return if consumers.empty?
-
       current_record.status = :failed
       current_record.exception = exception
       current_record.error_description = Formatters::ErrorMapper.resource_failed(new_resource, action, exception).for_json
@@ -234,8 +216,6 @@ class Chef
     # (see EventDispatch::Base#)
     #
     def resource_completed(new_resource)
-      return if consumers.empty?
-
       current_record.elapsed_time = new_resource.elapsed_time
 
       # Verify if the resource has sensitive data and create a new blank resource with only

data/lib/chef/application/base.rb

@@ -297,6 +297,21 @@ class Chef::Application::Base < Chef::Application
     long: "--named-run-list NAMED_RUN_LIST",
     description: "Use a policyfile's named run list instead of the default run list."
 
+  option :slow_report,
+    long: "--[no-]slow-report [COUNT]",
+    description: "List the slowest resources at the end of the run (default: 10).",
+    boolean: true,
+    default: false,
+    proc: lambda { |argument|
+      if argument.nil?
+        true
+      elsif argument == false
+        false
+      else
+        Integer(argument)
+      end
+    }
+
   IMMEDIATE_RUN_SIGNAL = "1".freeze
   RECONFIGURE_SIGNAL = "H".freeze
 

data/lib/chef/application.rb

@@ -310,7 +310,7 @@ class Chef
       logger.info "Forking #{ChefUtils::Dist::Infra::PRODUCT} instance to converge..."
       pid = fork do
         # Want to allow forked processes to finish converging when
-        # TERM singal is received (exit gracefully)
+        # TERM signal is received (exit gracefully)
         trap("TERM") do
           logger.debug("SIGTERM received during converge," +
             " finishing converge to exit normally (send SIGINT to terminate immediately)")
@@ -377,7 +377,9 @@ class Chef
 
         Chef::FileCache.store("#{ChefUtils::Dist::Infra::SHORT}-stacktrace.out", chef_stacktrace_out)
         logger.fatal("Stacktrace dumped to #{Chef::FileCache.load("#{ChefUtils::Dist::Infra::SHORT}-stacktrace.out", false)}")
-        logger.fatal("Please provide the contents of the stacktrace.out file if you file a bug report")
+        logger.fatal("---------------------------------------------------------------------------------------")
+        logger.fatal("PLEASE PROVIDE THE CONTENTS OF THE stacktrace.out FILE (above) IF YOU FILE A BUG REPORT")
+        logger.fatal("---------------------------------------------------------------------------------------")
         if Chef::Config[:always_dump_stacktrace]
           logger.fatal(message)
         else

data/lib/chef/client.rb

@@ -751,7 +751,7 @@ class Chef
     end
 
     # Notification registration
-    class<<self
+    class << self
       #
       # Add a listener for the 'client run started' event.
       #
@@ -863,6 +863,12 @@ class Chef
     end
 
     def start_profiling
+      if Chef::Config[:slow_report]
+        require_relative "handler/slow_report"
+
+        Chef::Config.report_handlers << Chef::Handler::SlowReport.new(Chef::Config[:slow_report])
+      end
+
       return unless Chef::Config[:profile_ruby]
 
       profiling_prereqs!

data/lib/chef/compliance/default_attributes.rb

@@ -28,7 +28,7 @@ class Chef
       # Controls what is done with the resulting report after the Chef InSpec run.
       # Accepts a single string value or an array of multiple values.
       # Accepted values: 'chef-server-automate', 'chef-automate', 'json-file', 'audit-enforcer', 'cli'
-      "reporter" => %w{json-file cli},
+      "reporter" => "cli",
 
       # Controls if Chef InSpec profiles should be fetched from Chef Automate or Chef Infra Server
       # in addition to the default fetch locations provided by Chef Inspec.
@@ -47,8 +47,10 @@ class Chef
       "profiles" => {},
 
       # Extra inputs passed to Chef InSpec to allow finer-grained control over behavior.
-      # These are mapped to Chef InSpec's inputs, but are named attributes here for legacy reasons.
       # See Chef Inspec's documentation for more information: https://docs.chef.io/inspec/inputs/
+      "inputs" => {},
+
+      # Legacy alias for inputs
       "attributes" => {},
 
       # A string path or an array of paths to Chef InSpec waiver files.
@@ -88,7 +90,7 @@ class Chef
 
       # If enabled, a hash representation of the Chef Infra node object will be sent to Chef InSpec in an input
       # named `chef_node`.
-      "chef_node_attribute_enabled" => false,
+      "chef_node_attribute_enabled" => true,
 
       # Should the built-in compliance phase run. True and false force the behavior. Nil does magic based on if you have
       # profiles defined but do not have the audit cookbook enabled.

data/lib/chef/compliance/reporter/automate.rb

@@ -76,7 +76,7 @@ class Chef
 
           begin
             Chef::Log.info "Report to #{ChefUtils::Dist::Automate::PRODUCT}: #{@url}"
-            Chef::Log.debug "Compliance Report: #{json_report}"
+            Chef::Log.debug "Compliance Phase report: #{json_report}"
             http_client.post(nil, json_report, headers)
             true
           rescue => e

data/lib/chef/compliance/runner.rb

@@ -113,8 +113,17 @@ class Chef
         logger.info "Chef Infra Compliance Phase Complete"
       end
 
+      def inputs_from_attributes
+        if !node["audit"]["inputs"].empty?
+          node["audit"]["inputs"].to_h
+        else
+          node["audit"]["attributes"].to_h
+        end
+      end
+
       def inspec_opts
-        inputs = node["audit"]["attributes"].to_h
+        inputs = inputs_from_attributes
+
         if node["audit"]["chef_node_attribute_enabled"]
           inputs["chef_node"] = node.to_h
           inputs["chef_node"]["chef_environment"] = node.chef_environment
@@ -171,7 +180,7 @@ class Chef
         logger.info "Running profiles from: #{profiles.inspect}"
         runner.run
         runner.report.tap do |r|
-          logger.debug "Compliance Report #{r}"
+          logger.debug "Compliance Phase report #{r}"
         end
       rescue Inspec::FetcherFailure => e
         failed_report("Cannot fetch all profiles: #{profiles}. Please make sure you're authenticated and the server is reachable. #{e.message}")
@@ -300,6 +309,11 @@ class Chef
             raise "CMPL002: Unrecognized Compliance Phase fetcher (node['audit']['fetcher'] = #{fetcher}). Supported fetchers are: #{SUPPORTED_FETCHERS.join(", ")}, or nil. For more information, see the documentation at https://docs.chef.io/chef_compliance_phase#fetch-profiles"
           end
         end
+
+        if !node["audit"]["attributes"].empty? && !node["audit"]["inputs"].empty?
+          raise "CMPL011: both node['audit']['inputs'] and node['audit']['attributes'] are set.  The node['audit']['attributes'] setting is deprecated and should not be used."
+        end
+
         @validation_passed = true
       end
     end

data/lib/chef/cookbook_version.rb

@@ -138,11 +138,14 @@ class Chef
     end
 
     def recipe_yml_filenames_by_name
-      @recipe_ym_filenames_by_name ||= begin
+      @recipe_yml_filenames_by_name ||= begin
         name_map = yml_filenames_by_name(files_for("recipes"))
-        root_alias = cookbook_manifest.root_files.find { |record| record[:name] == "root_files/recipe.yml" }
+        root_alias = cookbook_manifest.root_files.find { |record|
+          record[:name] == "root_files/recipe.yml" ||
+            record[:name] == "root_files/recipe.yaml"
+        }
         if root_alias
-          Chef::Log.error("Cookbook #{name} contains both recipe.yml and and recipes/default.yml, ignoring recipes/default.yml") if name_map["default"]
+          Chef::Log.error("Cookbook #{name} contains both recipe.yml and recipes/default.yml, ignoring recipes/default.yml") if name_map["default"]
           name_map["default"] = root_alias[:full_path]
         end
         name_map
@@ -582,8 +585,27 @@ class Chef
       records.select { |record| record[:name] =~ /\.rb$/ }.inject({}) { |memo, record| memo[File.basename(record[:name], ".rb")] = record[:full_path]; memo }
     end
 
+    # Filters YAML files from the superset of provided files.
+    # Checks for duplicate basenames with differing extensions (eg yaml v yml)
+    # and raises error if any are detected.
+    # This prevents us from arbitrarily the ".yaml" or ".yml" version when both are present,
+    # because we don't know which is correct.
+    # This method runs in O(n^2) where N = number of yml files present. This number should be consistently
+    # low enough that there's no noticeable perf impact.
     def yml_filenames_by_name(records)
-      records.select { |record| record[:name] =~ /\.yml$/ }.inject({}) { |memo, record| memo[File.basename(record[:name], ".yml")] = record[:full_path]; memo }
+      yml_files = records.select { |record| record[:name] =~ /\.(y[a]?ml)$/ }
+      result = yml_files.inject({}) do |acc, record|
+        filename = record[:name]
+        base_dup_name = File.join(File.dirname(filename), File.basename(filename, File.extname(filename)))
+        yml_files.each do |other|
+          if other[:name] =~ /#{(File.extname(filename) == ".yml") ? "#{base_dup_name}.yaml" : "#{base_dup_name}.yml"}$/
+            raise Chef::Exceptions::AmbiguousYAMLFile.new("Cookbook #{name}@#{version} contains ambiguous files: #{filename} and #{other[:name]}. Please update the cookbook to remove the incorrect file.")
+          end
+        end
+        acc[File.basename(record[:name], File.extname(record[:name]))] = record[:full_path]
+        acc
+      end
+      result
     end
 
     def file_vendor

data/lib/chef/data_collector/run_end_message.rb

@@ -51,7 +51,7 @@ class Chef
             "id" => run_status&.run_id,
             "message_version" => "1.1.0",
             "message_type" => "run_converge",
-            "node" => node || {},
+            "node" => node&.data_for_save || {},
             "node_name" => node&.name || data_collector.node_name,
             "organization_name" => organization,
             "resources" => all_action_records(action_collection),

data/lib/chef/data_collector.rb

@@ -104,7 +104,6 @@ class Chef
       #
       def action_collection_registration(action_collection)
         @action_collection = action_collection
-        action_collection.register(self)
       end
 
       # - Creates and writes our NodeUUID back to the node object

data/lib/chef/deprecated.rb

@@ -79,10 +79,12 @@ class Chef
         return true if location =~ /^(.*?):(\d+):in/ && begin
           # Don't buffer the whole file in memory, so read it one line at a time.
           line_no = $2.to_i
-          location_file = ::File.open($1)
-          (line_no - 1).times { location_file.readline } # Read all the lines we don't care about.
-          relevant_line = location_file.readline
-          relevant_line.match?(/#.*chef:silence_deprecation($|[^:]|:#{self.class.deprecation_key})/)
+          if File.exist?($1) # some stacktraces come from `eval` and not a file
+            location_file = ::File.open($1)
+            (line_no - 1).times { location_file.readline } # Read all the lines we don't care about.
+            relevant_line = location_file.readline
+            relevant_line.match?(/#.*chef:silence_deprecation($|[^:]|:#{self.class.deprecation_key})/)
+          end
         end
 
         false
@@ -253,6 +255,14 @@ class Chef
       target 33
     end
 
+    class AttributeWhitelistConfiguration < Base
+      target 34
+    end
+
+    class PolicyfileCompatMode < Base
+      target 35
+    end
+
     class Generic < Base
       def url
         "https://docs.chef.io/chef_deprecations_client/"

data/lib/chef/dsl/render_helpers.rb

@@ -0,0 +1,44 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+require_relative "toml"
+require_relative "../json_compat"
+autoload :YAML, "yaml"
+
+class Chef
+  module DSL
+    module RenderHelpers
+
+      # pretty-print a hash as a JSON string
+      def render_json(hash)
+        JSON.pretty_generate(hash) + "\n"
+      end
+
+      # pretty-print a hash as a TOML string
+      def render_toml(hash)
+        Chef::DSL::Toml::Dumper.new(hash).toml_str
+      end
+
+      # pretty-print a hash as a YAML string
+      def render_yaml(hash)
+        yaml_content = hash.transform_keys(&:to_s).to_yaml
+        # above replaces first-level keys with strings, below the rest
+        yaml_content.gsub!(" :", " ")
+      end
+
+      extend self
+    end
+  end
+end