chef 17.1.35 → 17.4.38

data/lib/chef/resource/windows_user_privilege.rb

@@ -147,7 +147,7 @@ class Chef
         end
       end
 
-      action :add, description: "Add a user privilege" do
+      action :add, description: "Add a user privilege." do
         ([*new_resource.privilege] - [*current_resource.privilege]).each do |user_right|
           converge_by("adding user '#{new_resource.principal}' privilege #{user_right}") do
             Chef::ReservedNames::Win32::Security.add_account_right(new_resource.principal, user_right)
@@ -155,7 +155,7 @@ class Chef
         end
       end
 
-      action :set, description: "Set the privileges that are listed in the `privilege` property for only the users listed in the `users` property" do
+      action :set, description: "Set the privileges that are listed in the `privilege` property for only the users listed in the `users` property." do
         if new_resource.users.nil? || new_resource.users.empty?
           raise Chef::Exceptions::ValidationFailed, "Users are required property with set action."
         end

data/lib/chef/resource/windows_workgroup.rb

@@ -30,13 +30,13 @@ class Chef
       examples <<~DOC
       **Join a workgroup**:
 
-      ``` ruby
+      ```ruby
       windows_workgroup 'myworkgroup'
       ```
 
       **Join a workgroup using a specific user**:
 
-      ``` ruby
+      ```ruby
       windows_workgroup 'myworkgroup' do
         user 'Administrator'
         password 'passw0rd'

data/lib/chef/resource/yum_package.rb

@@ -27,40 +27,36 @@ class Chef
       provides :yum_package
       provides :package, platform_family: "fedora_derived"
 
-      description "Use the **yum_package** resource to install, upgrade, and remove packages with Yum"\
-                  " for the Red Hat and CentOS platforms. The yum_package resource is able to resolve"\
-                  " `provides` data for packages much like Yum can do when it is run from the command line."\
-                  " This allows a variety of options for installing packages, like minimum versions,"\
-                  " virtual provides, and library names."
+      description "Use the **yum_package** resource to install, upgrade, and remove packages with Yum for the Red Hat and CentOS platforms. The yum_package resource is able to resolve `provides` data for packages much like Yum can do when it is run from the command line. This allows a variety of options for installing packages, like minimum versions, virtual provides, and library names. Note: Support for using file names to install packages (as in `yum_package '/bin/sh'`) is not available because the volume of data required to parse for this is excessive."
       examples <<~DOC
         **Install an exact version**:
 
-        ``` ruby
+        ```ruby
         yum_package 'netpbm = 10.35.58-8.el8'
         ```
 
         **Install a minimum version**:
 
-        ``` ruby
+        ```ruby
         yum_package 'netpbm >= 10.35.58-8.el8'
         ```
 
         **Install a minimum version using the default action**:
 
-        ``` ruby
+        ```ruby
         yum_package 'netpbm'
         ```
 
         **Install a version without worrying about the exact release**:
 
-        ``` ruby
+        ```ruby
         yum_package 'netpbm-10.35*'
         ```
 
 
         **To install a package**:
 
-        ``` ruby
+        ```ruby
         yum_package 'netpbm' do
           action :install
         end
@@ -68,13 +64,13 @@ class Chef
 
         **To install a partial minimum version**:
 
-        ``` ruby
+        ```ruby
         yum_package 'netpbm >= 10'
         ```
 
         **To install a specific architecture**:
 
-        ``` ruby
+        ```ruby
         yum_package 'netpbm' do
           arch 'i386'
         end
@@ -82,13 +78,13 @@ class Chef
 
         or:
 
-        ``` ruby
+        ```ruby
         yum_package 'netpbm.x86_64'
         ```
 
         **To install a specific version-release**
 
-        ``` ruby
+        ```ruby
         yum_package 'netpbm' do
           version '10.35.58-8.el8'
         end
@@ -101,7 +97,7 @@ class Chef
         to dump the in-memory Yum cache, and then use the repository immediately
         to ensure that the correct package is installed:
 
-        ``` ruby
+        ```ruby
         cookbook_file '/etc/yum.repos.d/custom.repo' do
           source 'custom'
           mode '0755'

data/lib/chef/resource/zypper_package.rb

@@ -30,7 +30,7 @@ class Chef
       examples <<~DOC
         **Install a package using package manager:**
 
-        ``` ruby
+        ```ruby
         zypper_package 'name of package' do
           action :install
         end
@@ -38,7 +38,7 @@ class Chef
 
         **Install a package using local file:**
 
-        ``` ruby
+        ```ruby
         zypper_package 'jwhois' do
           action :install
           source '/path/to/jwhois.rpm'
@@ -47,10 +47,10 @@ class Chef
 
         **Install without using recommend packages as a dependency:**
 
-        ``` ruby
+        ```ruby
         package 'apache2' do
           options '--no-recommends'
-          end
+        end
         ```
       DOC
 

data/lib/chef/resource/zypper_repository.rb

@@ -24,21 +24,37 @@ class Chef
       unified_mode true
 
       provides(:zypper_repository) { true }
-      provides(:zypper_repo) { true }
+      provides(:zypper_repo) { true } # legacy cookbook compatibility
 
       description "Use the **zypper_repository** resource to create Zypper package repositories on SUSE Enterprise Linux and openSUSE systems. This resource maintains full compatibility with the **zypper_repository** resource in the existing **zypper** cookbook."
       introduced "13.3"
       examples <<~DOC
         **Add the Apache repo on openSUSE Leap 15**:
 
-        ``` ruby
+        ```ruby
         zypper_repository 'apache' do
           baseurl 'http://download.opensuse.org/repositories/Apache'
-          path '/openSUSE_Leap_15.0'
-            type 'rpm-md'
+          path '/openSUSE_Leap_15.2'
+          type 'rpm-md'
           priority '100'
         end
         ```
+
+        **Remove the repo named 'apache'**:
+
+        ```ruby
+        zypper_repository 'apache' do
+          action :delete
+        end
+        ```
+
+        **Refresh the repo named 'apache'**:
+
+        ```ruby
+        zypper_repository 'apache' do
+          action :refresh
+        end
+        ```
       DOC
 
       property :repo_name, String,
@@ -66,8 +82,10 @@ class Chef
         description: "Determines whether or not to perform a GPG signature check on the repository.",
         default: true
 
-      property :gpgkey, String,
-        description: "The location of the repository key to be imported."
+      property :gpgkey, [String, Array],
+        description: "The location of the repository key(s) to be imported.",
+        coerce: proc { |v| Array(v) },
+        default: []
 
       property :baseurl, String,
         description: "The base URL for the Zypper repository, such as `http://download.opensuse.org`."
@@ -95,10 +113,12 @@ class Chef
         default: true
 
       property :source, String,
-        description: "The name of the template for the repository file. Only necessary if you're not using the built in template."
+        description: "The name of the template for the repository file. Only necessary if you're using a custom template for the repository file."
 
       property :cookbook, String,
-        description: "The cookbook to source the repository template file from. Only necessary if you're not using the built in template.",
+        description: "The cookbook to source the repository template file from. Only necessary if you're using a custom template for the repository file.",
+        default: lazy { cookbook_name },
+        default_description: "The cookbook containing the resource",
         desired_state: false
 
       property :gpgautoimportkeys, [TrueClass, FalseClass],

data/lib/chef/resource.rb

@@ -1063,7 +1063,8 @@ class Chef
     # action for the resource.
     #
     # @param name [Symbol] The action name to define.
-    # @param description [String] optional description for the action
+    # @param description [String] optional description for the action. Used for
+    #   documentation generation.
     # @param recipe_block The recipe to run when the action is taken. This block
     #   takes no parameters, and will be evaluated in a new context containing:
     #
@@ -1076,11 +1077,8 @@ class Chef
     def self.action(action, description: nil, &recipe_block)
       action = action.to_sym
       declare_action_class
-      action_class.action(action, &recipe_block)
+      action_class.action(action, description: description, &recipe_block)
       self.allowed_actions += [ action ]
-      # Accept any non-nil description, which will correctly override
-      # any specific inherited description.
-      action_descriptions[action] = description unless description.nil?
       default_action action if Array(default_action) == [:nothing]
     end
 
@@ -1090,18 +1088,15 @@ class Chef
     # @param action [Symbol,String] the action name
     # @return the description of the action provided, or nil if no description
     # was defined
-    def self.action_description(action)
-      action_descriptions[action.to_sym]
-    end
-
-    # @api private
-    #
-    # @return existing action description hash, or newly-initialized
-    # hash containing action descriptions inherited from parent Resource,
-    # if any.
-    def self.action_descriptions
-      @action_descriptions ||=
-        superclass.respond_to?(:action_descriptions) ? superclass.action_descriptions.dup : { nothing: nil }
+    def action_description(action)
+      provider_for_action(action).class.action_description(action)
+    rescue Chef::Exceptions::ProviderNotFound
+      # If a provider can't be found, there can be no description defined on the provider.
+      nil
+    rescue NameError => e
+      # This can happen when attempting to load a provider in a platform-specific
+      # environment where we have not required the necessary files yet
+      raise unless e.message =~ /uninitialized constant/
     end
 
     # Define a method to load up this resource's properties with the current
@@ -1191,6 +1186,7 @@ class Chef
             if superclass.custom_resource?
               superclass.action_class
             else
+
               ActionClass
             end
 

data/lib/chef/resource_inspector.rb

@@ -23,6 +23,11 @@ require_relative "node"
 require_relative "resources"
 require_relative "json_compat"
 
+# We need to require providers  so that we can resolve
+# action documentation that may have been defined on the providers
+# instead of the resources.
+require_relative "providers"
+
 class Chef
   module ResourceInspector
     def self.get_default(default)
@@ -39,11 +44,10 @@ class Chef
     def self.extract_resource(resource, complete = false)
       data = {}
       data[:description] = resource.description
-      # data[:deprecated] = resource.deprecated || false
       data[:default_action] = resource.default_action
       data[:actions] = {}
       resource.allowed_actions.each do |action|
-        data[:actions][action] = resource.action_description(action)
+        data[:actions][action] = resource.new(resource.to_s, nil).action_description(action)
       end
 
       data[:examples] = resource.examples

data/lib/chef/resource_reporter.rb

@@ -135,7 +135,6 @@ class Chef
 
     def action_collection_registration(action_collection)
       @action_collection = action_collection
-      action_collection.register(self) if reporting_enabled?
     end
 
     def post_reporting_data

data/lib/chef/resources.rb

@@ -58,6 +58,14 @@ require_relative "resource/ips_package"
 require_relative "resource/gem_package"
 require_relative "resource/scm/git"
 require_relative "resource/group"
+require_relative "resource/habitat/habitat_package"
+require_relative "resource/habitat/habitat_sup"
+require_relative "resource/habitat/habitat_sup_systemd"
+require_relative "resource/habitat/habitat_sup_windows"
+require_relative "resource/habitat_config"
+require_relative "resource/habitat_install"
+require_relative "resource/habitat_service"
+require_relative "resource/habitat_user_toml"
 require_relative "resource/http_request"
 require_relative "resource/hostname"
 require_relative "resource/homebrew_cask"
@@ -148,6 +156,8 @@ require_relative "resource/windows_ad_join"
 require_relative "resource/windows_audit_policy"
 require_relative "resource/windows_auto_run"
 require_relative "resource/windows_certificate"
+require_relative "resource/windows_defender"
+require_relative "resource/windows_defender_exclusion"
 require_relative "resource/windows_dfs_folder"
 require_relative "resource/windows_dfs_namespace"
 require_relative "resource/windows_dfs_server"
@@ -167,7 +177,8 @@ require_relative "resource/windows_share"
 require_relative "resource/windows_shortcut"
 require_relative "resource/windows_task"
 require_relative "resource/windows_uac"
+require_relative "resource/windows_update_settings"
 require_relative "resource/windows_workgroup"
 require_relative "resource/timezone"
 require_relative "resource/windows_user_privilege"
-require_relative "resource/windows_security_policy"
+require_relative "resource/windows_security_policy"

data/lib/chef/secret_fetcher/aws_secrets_manager.rb

@@ -0,0 +1,65 @@
+#
+# Author:: Marc Paradise (<marc@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "base"
+require "aws-sdk-core"
+require "aws-sdk-secretsmanager"
+
+class Chef
+  # == Chef::SecretFetcher::AWSSecretsManager
+  # A fetcher that fetches a secret from AWS Secrets Manager
+  # In this initial iteration it defaults to authentication via instance profile.
+  # It is possible to pass options that configure it to use alternative credentials.
+  # This implementation supports fetching with version.
+  #
+  # @note ':region' is required configuration.  If it is not explicitly provided,
+  # and it is not available via global AWS config, we will pull it from node ohai data by default.
+  # If this isn't correct, you will need to explicitly override it.
+  # If it is not available via ohai data either (such as if you have the AWS plugin disabled)
+  # then the converge will fail with an error.
+  #
+  # @note: This does not yet support automatic retries, which the AWS client does by default.
+  #
+  # For configuration options see https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/SecretsManager/Client.html#initialize-instance_method
+  #
+  #
+  # Usage Example:
+  #
+  # fetcher = SecretFetcher.for_service(:aws_secrets_manager)
+  # fetcher.fetch("secretkey1", "v1")
+  class SecretFetcher
+    class AWSSecretsManager < Base
+      def validate!
+        config[:region] = config[:region] || Aws.config[:region] || run_context.node.dig("ec2", "region")
+        if config[:region].nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("Missing required config for AWS secret fetcher: :region")
+        end
+      end
+
+      # @param identifier [String] the secret_id
+      # @param version [String] the secret version. Not usd at this time
+      # @return Aws::SecretsManager::Types::GetSecretValueResponse
+      def do_fetch(identifier, version)
+        client = Aws::SecretsManager::Client.new(config)
+        result = client.get_secret_value(secret_id: identifier, version_stage: version)
+        # These fields are mutually exclusive
+        result.secret_string || result.secret_binary
+      end
+    end
+  end
+end

data/lib/chef/secret_fetcher/azure_key_vault.rb

@@ -0,0 +1,78 @@
+require_relative "base"
+
+class Chef
+  class SecretFetcher
+    # == Chef::SecretFetcher::AWSSecretsManager
+    # A fetcher that fetches a secret from Azure Key Vault. Supports fetching with version.
+    #
+    # In this initial iteration this authenticates via token obtained from the OAuth2  /token
+    # endpoint.
+    #
+    # Validation of required configuration (vault name) is not performed until
+    # `fetch` time, to allow for embedding the vault name in with the secret
+    # name, such as "my_vault/secretkey1".
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:azure_key_vault, { vault: "my_vault" }, run_context )
+    # fetcher.fetch("secretkey1", "v1")
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:azure_key_vault, {}, run_context )
+    # fetcher.fetch("my_vault/secretkey1", "v1")
+    class AzureKeyVault < Base
+
+      def do_fetch(name, version)
+        token = fetch_token
+        vault, name = resolve_vault_and_secret_name(name)
+        if vault.nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide a vault name to fetcher options as vault: 'vault_name' or in the secret name as 'vault_name/secret_name'")
+        end
+
+        # Note that `version` is optional after the final `/`. If nil/"", the latest secret version will be fetched.
+        secret_uri = URI.parse("https://#{vault}.vault.azure.net/secrets/#{name}/#{version}?api-version=7.2")
+        http = Net::HTTP.new(secret_uri.host, secret_uri.port)
+        http.use_ssl = true
+
+        response = http.get(secret_uri, { "Authorization" => "Bearer #{token}",
+                                          "Content-Type" => "application/json" })
+
+        # If an exception is not raised, we can be reasonably confident of the
+        # shape of the result.
+        result = JSON.parse(response.body)
+        if result.key? "value"
+          result["value"]
+        else
+          raise Chef::Exceptions::Secret::FetchFailed.new("#{result["error"]["code"]}: #{result["error"]["message"]}")
+        end
+      end
+
+      # Determine the vault name and secret name from the provided name.
+      # If it is not in the provided name in the form "vault_name/secret_name"
+      # it will determine the vault name from `config[:vault]`.
+      # @param name [String] the secret name or vault and secret name in the form "vault_name/secret_name"
+      # @return Array[String, String] vault and secret name respectively
+      def resolve_vault_and_secret_name(name)
+        # We support a simplified approach where the vault name is not passed i
+        # into configuration, but
+        if name.include?("/")
+          name.split("/", 2)
+        else
+          [config[:vault], name]
+        end
+      end
+
+      def fetch_token
+        token_uri = URI.parse("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net")
+        http = Net::HTTP.new(token_uri.host, token_uri.port)
+        response = http.get(token_uri, { "Metadata" => "true" })
+        body = JSON.parse(response.body)
+        body["access_token"]
+      end
+    end
+  end
+end
+
+
+