chef 17.10.0-universal-mingw32 → 17.10.68-universal-mingw32
- checksums.yaml +4 -4
- data/Gemfile +2 -2
- data/Rakefile +2 -2
- data/chef-universal-mingw32.gemspec +1 -1
- data/chef.gemspec +4 -4
- data/lib/chef/client.rb +17 -2
- data/lib/chef/compliance/input_collection.rb +1 -1
- data/lib/chef/compliance/profile_collection.rb +1 -1
- data/lib/chef/compliance/waiver_collection.rb +1 -1
- data/lib/chef/dsl/secret.rb +113 -5
- data/lib/chef/mixin/checksum.rb +6 -0
- data/lib/chef/node/attribute.rb +20 -3
- data/lib/chef/node/mixin/deep_merge_cache.rb +4 -4
- data/lib/chef/provider/file.rb +2 -2
- data/lib/chef/provider/package/powershell.rb +1 -1
- data/lib/chef/provider/package/windows.rb +1 -1
- data/lib/chef/resource/chef_client_config.rb +5 -0
- data/lib/chef/resource/locale.rb +1 -1
- data/lib/chef/resource/rhsm_register.rb +19 -0
- data/lib/chef/resource/support/client.erb +1 -2
- data/lib/chef/resource/windows_certificate.rb +54 -43
- data/lib/chef/resource/windows_pagefile.rb +28 -21
- data/lib/chef/resource/windows_user_privilege.rb +36 -26
- data/lib/chef/run_context.rb +16 -0
- data/lib/chef/secret_fetcher/hashi_vault.rb +1 -1
- data/lib/chef/version.rb +1 -1
- data/lib/chef/win32/version.rb +2 -1
- data/spec/data/trusted_certs/opscode.pem +33 -54
- data/spec/functional/resource/windows_certificate_spec.rb +41 -13
- data/spec/functional/resource/windows_font_spec.rb +1 -1
- data/spec/functional/resource/windows_pagefile_spec.rb +31 -4
- data/spec/functional/shell_spec.rb +6 -0
- data/spec/unit/client_spec.rb +6 -3
- data/spec/unit/daemon_spec.rb +1 -5
- data/spec/unit/dsl/secret_spec.rb +127 -23
- data/spec/unit/mixin/checksum_spec.rb +28 -0
- data/spec/unit/provider/package/rubygems_spec.rb +1 -1
- data/spec/unit/resource/chef_client_config_spec.rb +8 -0
- data/spec/unit/run_context_spec.rb +16 -0
- metadata +21 -27
- /data/spec/functional/assets/yumrepo/repodata/{4632d67cb92636e7575d911c24f0e04d3505a944e97c483abe0c3e73a7c62d33-filelists.sqlite.bz2 → 01a3b-filelists.sqlite.bz2} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{bdb4f5f1492a3b9532f22c43110a81500dd744f23da0aec5c33b2a41317c737d-filelists.xml.gz → 401dc-filelists.xml.gz} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{a845d418f919d2115ab95a56b2c76f6825ad0d0bede49181a55c04f58995d057-primary.sqlite.bz2 → 5dc1e-primary.sqlite.bz2} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{74599b793e54d877323837d2d81a1c3c594c44e4335f9528234bb490f7b9b439-other.xml.gz → 6bf96-other.xml.gz} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{af9b7cf9ef23bd7b43068d74a460f3b5d06753d638e58e4a0c9edc35bfb9cdc4-other.sqlite.bz2 → 7c365-other.sqlite.bz2} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{c10d1d34ce99e02f12ec96ef68360543ab1bb7c3cb81a4a2bf78df7d8597e9df-primary.xml.gz → dabe2-primary.xml.gz} +0 -0
@@ -29,7 +29,6 @@ require "chef-utils/dist" unless defined?(ChefUtils::Dist)
|
|
29
29
|
class Chef
|
30
30
|
class Resource
|
31
31
|
class WindowsCertificate < Chef::Resource
|
32
|
-
unified_mode true
|
33
32
|
|
34
33
|
provides :windows_certificate
|
35
34
|
|
@@ -129,14 +128,14 @@ class Chef
|
|
129
128
|
end
|
130
129
|
|
131
130
|
action :delete, description: "Deletes a certificate." do
|
132
|
-
|
131
|
+
cert_is_valid = verify_cert
|
133
132
|
|
134
|
-
if
|
133
|
+
if cert_is_valid == true
|
135
134
|
converge_by("Deleting certificate #{new_resource.source} from Store #{new_resource.store_name}") do
|
136
135
|
delete_cert
|
137
136
|
end
|
138
137
|
else
|
139
|
-
Chef::Log.debug("Certificate
|
138
|
+
Chef::Log.debug("Certificate Not Found")
|
140
139
|
end
|
141
140
|
end
|
142
141
|
|
@@ -146,17 +145,25 @@ class Chef
|
|
146
145
|
end
|
147
146
|
|
148
147
|
if ::File.extname(new_resource.output_path) == ".pfx"
|
149
|
-
|
148
|
+
|
149
|
+
validated_thumbprint = validate_thumbprint(new_resource.source)
|
150
|
+
if validated_thumbprint != false # is the thumbprint valid
|
151
|
+
cert_obj = powershell_exec!(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_resource.output_path, password: new_resource.pfx_password ))
|
152
|
+
else
|
153
|
+
message = "While fetching the certificate, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
|
154
|
+
raise Chef::Exceptions::InvalidKeyAttribute, message
|
155
|
+
end
|
156
|
+
|
150
157
|
else
|
151
158
|
cert_obj = fetch_cert
|
152
159
|
end
|
153
160
|
|
154
|
-
if cert_obj
|
161
|
+
if cert_obj != false && cert_obj != "Certificate Not Found"
|
155
162
|
converge_by("Fetching certificate #{new_resource.source} from Store \\#{ps_cert_location}\\#{new_resource.store_name}") do
|
156
163
|
export_cert(cert_obj, output_path: new_resource.output_path, store_name: new_resource.store_name , store_location: ps_cert_location, pfx_password: new_resource.pfx_password)
|
157
164
|
end
|
158
165
|
else
|
159
|
-
Chef::Log.debug("Certificate
|
166
|
+
Chef::Log.debug("Certificate Not Found")
|
160
167
|
end
|
161
168
|
end
|
162
169
|
|
@@ -187,7 +194,7 @@ class Chef
|
|
187
194
|
|
188
195
|
def delete_cert
|
189
196
|
store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
|
190
|
-
store.delete(
|
197
|
+
store.delete(validate_thumbprint(new_resource.source))
|
191
198
|
end
|
192
199
|
|
193
200
|
def fetch_cert
|
@@ -196,17 +203,16 @@ class Chef
|
|
196
203
|
fetch_key
|
197
204
|
|
198
205
|
else
|
199
|
-
store.get(
|
206
|
+
store.get(validate_thumbprint(new_resource.source))
|
200
207
|
end
|
201
208
|
end
|
202
209
|
|
203
210
|
def fetch_key
|
204
211
|
require "openssl" unless defined?(OpenSSL)
|
205
212
|
file_name = ::File.basename(new_resource.output_path, ::File.extname(new_resource.output_path))
|
206
|
-
directory = ::File.dirname(new_resource.output_path)
|
207
213
|
pfx_file = file_name + ".pfx"
|
208
214
|
new_pfx_output_path = ::File.join(Chef::FileCache.create_cache_path("pfx_files"), pfx_file)
|
209
|
-
powershell_exec(pfx_ps_cmd(
|
215
|
+
powershell_exec(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_pfx_output_path, password: new_resource.pfx_password ))
|
210
216
|
pkcs12 = OpenSSL::PKCS12.new(::File.binread(new_pfx_output_path), new_resource.pfx_password)
|
211
217
|
f = ::File.open(new_resource.output_path, "w")
|
212
218
|
f.write(pkcs12.key.to_s)
|
@@ -245,10 +251,6 @@ class Chef
|
|
245
251
|
::File.file?(source)
|
246
252
|
end
|
247
253
|
|
248
|
-
def is_file?(source)
|
249
|
-
::File.file?(source)
|
250
|
-
end
|
251
|
-
|
252
254
|
# Thumbprints should be exactly 40 Hex characters
|
253
255
|
def valid_thumbprint?(string)
|
254
256
|
string.match?(/[0-9A-Fa-f]/) && string.length == 40
|
@@ -261,29 +263,29 @@ class Chef
|
|
261
263
|
GETTHUMBPRINTCODE
|
262
264
|
end
|
263
265
|
|
264
|
-
def
|
265
|
-
return
|
266
|
-
|
267
|
-
|
266
|
+
def validate_thumbprint(thumbprint)
|
267
|
+
# valid_thumbprint can return false under at least 2 conditions:
|
268
|
+
# one is that the thumbprint is in fact busted
|
269
|
+
# the second is that the thumbprint is valid but belongs to an expired certificate already installed
|
270
|
+
results = valid_thumbprint?(thumbprint)
|
271
|
+
results == true ? thumbprint : false
|
268
272
|
end
|
269
273
|
|
270
|
-
# Checks
|
271
|
-
# is
|
272
|
-
# If the certificate is not present, verify_cert returns a String: "Certificate not found"
|
273
|
-
# But if it is present but expired, it returns a Boolean: false
|
274
|
-
# Otherwise, it returns a Boolean: true
|
275
|
-
# updated this method to accept either a subject name or a thumbprint - 1/29/2021
|
276
|
-
|
274
|
+
# Checks to make sure whether the cert is found or not
|
275
|
+
# if it IS found, is it still valid - has it expired?
|
277
276
|
def verify_cert(thumbprint = new_resource.source)
|
278
277
|
store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
|
279
|
-
|
280
|
-
|
278
|
+
validated_thumbprint = validate_thumbprint(thumbprint)
|
279
|
+
if validated_thumbprint != false
|
280
|
+
result = store.valid?(thumbprint)
|
281
|
+
result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
|
281
282
|
else
|
282
|
-
|
283
|
+
message = "While verifying the certificate, was passed the following invalid certificate thumbprint : #{thumbprint}\n"
|
284
|
+
raise Chef::Exceptions::InvalidKeyAttribute, message
|
283
285
|
end
|
284
286
|
end
|
285
287
|
|
286
|
-
# this
|
288
|
+
# this structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores
|
287
289
|
# Secondly, we need to pass the proper constant name for each store to win32-certstore but also pass the short name to powershell scripts used here
|
288
290
|
def ps_cert_location
|
289
291
|
new_resource.user_store ? "CurrentUser" : "LocalMachine"
|
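Review bot: `result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true` in verify_cert never detects an expired certificate: `"Certificate Not Found" || "Certificate Has Expired"` evaluates to its left operand, so only the not-found string is compared and an expired certificate is reported as valid. The same expression is repeated in export_cert's `.pfx` branch (later hunk, `temp = result == ( ... ) ? false : true`), where it would let an expired certificate be exported; replace both with `!["Certificate Not Found", "Certificate Has Expired"].include?(result)`, ideally via one shared `cert_valid?(result)` helper. The `if validated_thumbprint != false` guard is also only as strong as valid_thumbprint? (visible unchanged in the earlier hunk: `string.match?(/[0-9A-Fa-f]/) && string.length == 40`), which accepts any 40-character string containing at least one hex digit before the value is interpolated into pfx_ps_cmd; anchoring it as `string.match?(/\A[0-9A-Fa-f]{40}\z/)` makes the check meaningful. `results == true ? thumbprint : false` can simply be `valid_thumbprint?(thumbprint) ? thumbprint : false`.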
@@ -436,7 +438,7 @@ class Chef
|
|
436
438
|
end
|
437
439
|
|
438
440
|
def export_cert(cert_obj, output_path:, store_name:, store_location:, pfx_password:)
|
439
|
-
# Delete the cert if it exists
|
441
|
+
# Delete the cert if it exists on disk already.
|
440
442
|
# We want to ensure we're not randomly loading an old stinky cert.
|
441
443
|
if ::File.exists?(output_path)
|
442
444
|
::File.delete(output_path)
|
@@ -460,7 +462,20 @@ class Chef
|
|
460
462
|
cert_out = shell_out("openssl x509 -text -inform DER -in #{cert_obj} -outform CRT").stdout
|
461
463
|
out_file.puts(cert_out)
|
462
464
|
when ".pfx"
|
463
|
-
|
465
|
+
validated_thumbprint = validate_thumbprint(new_resource.source)
|
466
|
+
if validated_thumbprint != false # is the thumbprint valid
|
467
|
+
store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
|
468
|
+
result = store.valid?(new_resource.source) # is there a cert in the store matching that thumbprint
|
469
|
+
temp = result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
|
470
|
+
if temp == true
|
471
|
+
pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: store_location, store_name: store_name, output_path: output_path, password: pfx_password )
|
472
|
+
else
|
473
|
+
Chef::Log.debug("The requested certificate is not found or has expired")
|
474
|
+
end
|
475
|
+
else
|
476
|
+
message = "While exporting the pfx, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
|
477
|
+
raise Chef::Exceptions::InvalidKeyAttribute, message
|
478
|
+
end
|
464
479
|
when ".p7b"
|
465
480
|
cert_out = shell_out("openssl pkcs7 -export -nokeys -in #{cert_obj.to_pem} -outform P7B").stdout
|
466
481
|
out_file.puts(cert_out)
|
@@ -481,14 +496,11 @@ class Chef
|
|
481
496
|
#
|
482
497
|
def import_certificates(cert_objs, is_pfx, store_name: new_resource.store_name, store_location: native_cert_location)
|
483
498
|
[cert_objs].flatten.each do |cert_obj|
|
484
|
-
# thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
|
485
|
-
# pkcs = OpenSSL::PKCS12.new(cert_obj, new_resource.pfx_password)
|
486
|
-
# cert = OpenSSL::X509::Certificate.new(pkcs.certificate.to_pem)
|
487
499
|
thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
|
488
|
-
if
|
489
|
-
|
490
|
-
|
491
|
-
|
500
|
+
if verify_cert(thumbprint) == true
|
501
|
+
Chef::Log.debug("Certificate is already present")
|
502
|
+
elsif verify_cert(thumbprint) == false # Not found already in the CertStore
|
503
|
+
if is_pfx
|
492
504
|
if is_file?(new_resource.source)
|
493
505
|
converge_by("Creating a PFX #{new_resource.source} for Store #{new_resource.store_name}") do
|
494
506
|
add_pfx_cert(new_resource.source)
|
@@ -502,15 +514,14 @@ class Chef
|
|
502
514
|
message << exception.message
|
503
515
|
raise Chef::Exceptions::ArgumentError, message
|
504
516
|
end
|
505
|
-
end
|
506
|
-
else
|
507
|
-
if verify_cert(thumbprint) == true
|
508
|
-
Chef::Log.debug("Certificate is already present")
|
509
517
|
else
|
510
518
|
converge_by("Creating a certificate #{new_resource.source} for Store #{new_resource.store_name}") do
|
511
519
|
add_cert(cert_obj)
|
512
520
|
end
|
513
521
|
end
|
522
|
+
else
|
523
|
+
message = "Certificate could not be imported"
|
524
|
+
raise Chef::Exceptions::CertificateNotImportable, message
|
514
525
|
end
|
515
526
|
end
|
516
527
|
end
|
@@ -88,7 +88,7 @@ class Chef
|
|
88
88
|
if automatic_managed
|
89
89
|
set_automatic_managed unless automatic_managed?
|
90
90
|
elsif automatic_managed == false
|
91
|
-
unset_automatic_managed
|
91
|
+
unset_automatic_managed
|
92
92
|
else
|
93
93
|
pagefile = clarify_pagefile_name
|
94
94
|
initial_size = new_resource.initial_size
|
@@ -149,10 +149,12 @@ class Chef
|
|
149
149
|
def exists?(pagefile)
|
150
150
|
@exists ||= begin
|
151
151
|
logger.trace("Checking if #{pagefile} exists by running: Get-CimInstance Win32_PagefileSetting | Where-Object { $_.name -eq $($pagefile)} ")
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
152
|
+
powershell_code = <<~CODE
|
153
|
+
$page_file_name = '#{pagefile}';
|
154
|
+
$pagefile = Get-CimInstance Win32_PagefileSetting | Where-Object { $_.name -eq $($page_file_name)}
|
155
|
+
if ([string]::IsNullOrEmpty($pagefile)) { return $false } else { return $true }
|
156
|
+
CODE
|
157
|
+
powershell_exec!(powershell_code).result
|
156
158
|
end
|
157
159
|
end
|
158
160
|
|
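Review bot: `$page_file_name = '#{pagefile}';` in exists? interpolates the resource's pagefile path into a single-quoted PowerShell literal without escaping, so a `'` in the value terminates the literal and the remainder is parsed as script; max_and_min_set? (next hunk, `$page_file = '#{pagefile}';`) does the same. The value comes from the resource property rather than an external input, so the practical effect is a confusing parse failure rather than an attack, but PowerShell single-quoted strings escape `'` by doubling it, so `'#{pagefile.gsub("'", "''")}'` (or a small quoting helper shared by both methods) closes the gap. The trace message on the line above still names the old inline `Get-CimInstance ... Where-Object` command rather than the heredoc now executed; logging the heredoc, or simply `"Checking if #{pagefile} exists"`, keeps the log honest. Note also that `@exists ||=` re-runs the PowerShell query on every call when the answer is `$false`, because `||=` does not memoize a false value — pre-existing, but the new body inherits it.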
@@ -164,13 +166,17 @@ class Chef
|
|
164
166
|
# @return [Boolean]
|
165
167
|
def max_and_min_set?(pagefile, min, max)
|
166
168
|
logger.trace("Checking if #{pagefile} has max and initial disk size values set")
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
171
|
-
|
172
|
-
|
173
|
-
|
169
|
+
|
170
|
+
powershell_code = <<-CODE
|
171
|
+
$page_file = '#{pagefile}';
|
172
|
+
$driveLetter = $page_file.split(':')[0];
|
173
|
+
$page_file_settings = Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -Property * -ErrorAction Stop;
|
174
|
+
if ($page_file_settings.InitialSize -eq #{min} -and $page_file_settings.MaximumSize -eq #{max})
|
175
|
+
{ return $true }
|
176
|
+
else
|
177
|
+
{ return $false }
|
178
|
+
CODE
|
179
|
+
powershell_exec!(powershell_code).result
|
174
180
|
end
|
175
181
|
|
176
182
|
# create a pagefile
|
@@ -225,12 +231,14 @@ class Chef
|
|
225
231
|
|
226
232
|
# turn off automatic management of all pagefiles by Windows
|
227
233
|
def unset_automatic_managed
|
228
|
-
|
229
|
-
|
230
|
-
|
231
|
-
|
232
|
-
|
233
|
-
|
234
|
+
if automatic_managed?
|
235
|
+
converge_by("Turn off Automatically Managed on pagefiles") do
|
236
|
+
logger.trace("Running Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru")
|
237
|
+
powershell_exec! <<~EOH
|
238
|
+
$sys = Get-CimInstance Win32_ComputerSystem -Property *
|
239
|
+
Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru
|
240
|
+
EOH
|
241
|
+
end
|
234
242
|
end
|
235
243
|
end
|
236
244
|
|
@@ -240,14 +248,13 @@ class Chef
|
|
240
248
|
# @param [String] min the minimum size of the pagefile
|
241
249
|
# @param [String] max the minimum size of the pagefile
|
242
250
|
def set_custom_size(pagefile, min, max)
|
251
|
+
unset_automatic_managed
|
243
252
|
converge_by("set #{pagefile} to InitialSize=#{min} & MaximumSize=#{max}") do
|
244
253
|
logger.trace("Set-CimInstance -Property @{InitialSize = #{min} MaximumSize = #{max}")
|
245
254
|
powershell_exec! <<~EOD
|
246
255
|
$page_file = "#{pagefile}"
|
247
256
|
$driveLetter = $page_file.split(':')[0]
|
248
|
-
Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -ErrorAction Stop | Set-CimInstance -Property @{
|
249
|
-
InitialSize = #{min}
|
250
|
-
MaximumSize = #{max}}
|
257
|
+
Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -ErrorAction Stop | Set-CimInstance -Property @{InitialSize = #{min}; MaximumSize = #{max};}
|
251
258
|
EOD
|
252
259
|
end
|
253
260
|
end
|
@@ -24,7 +24,7 @@ class Chef
|
|
24
24
|
unified_mode true
|
25
25
|
|
26
26
|
provides :windows_user_privilege
|
27
|
-
description "The windows_user_privilege resource allows to add
|
27
|
+
description "The windows_user_privilege resource allows to add a privilege to a principal or (User/Group).\n Ref: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment"
|
28
28
|
|
29
29
|
introduced "16.0"
|
30
30
|
|
@@ -39,23 +39,32 @@ class Chef
|
|
39
39
|
end
|
40
40
|
```
|
41
41
|
|
42
|
-
**
|
42
|
+
**Provide only the Builtin Guests and Administrator Groups with the SeCreatePageFile Privilege**:
|
43
|
+
|
44
|
+
```ruby
|
45
|
+
windows_user_privilege 'Create Pagefile' do
|
46
|
+
privilege 'SeCreatePagefilePrivilege'
|
47
|
+
users ['BUILTIN\\Guests', 'BUILTIN\\Administrators']
|
48
|
+
action :set
|
49
|
+
end
|
50
|
+
```
|
51
|
+
|
52
|
+
**Add the SeDenyRemoteInteractiveLogonRight Privilege to the 'Remote interactive logon' principal**:
|
43
53
|
|
44
54
|
```ruby
|
45
55
|
windows_user_privilege 'Remote interactive logon' do
|
46
56
|
privilege 'SeDenyRemoteInteractiveLogonRight'
|
47
|
-
users ['Builtin\\Guests', 'NT AUTHORITY\\Local Account']
|
48
57
|
action :add
|
49
58
|
end
|
50
59
|
```
|
51
60
|
|
52
|
-
**
|
61
|
+
**Add to the Builtin Guests Group the SeCreatePageFile Privilege**:
|
53
62
|
|
54
63
|
```ruby
|
55
|
-
windows_user_privilege 'Create Pagefile' do
|
64
|
+
windows_user_privilege 'Guests add Create Pagefile' do
|
65
|
+
principal 'BUILTIN\\Guests'
|
56
66
|
privilege 'SeCreatePagefilePrivilege'
|
57
|
-
|
58
|
-
action :set
|
67
|
+
action :add
|
59
68
|
end
|
60
69
|
```
|
61
70
|
|
@@ -90,6 +99,7 @@ class Chef
|
|
90
99
|
SeCreateSymbolicLinkPrivilege
|
91
100
|
SeCreateTokenPrivilege
|
92
101
|
SeDebugPrivilege
|
102
|
+
SeDelegateSessionUserImpersonatePrivilege
|
93
103
|
SeDenyBatchLogonRight
|
94
104
|
SeDenyInteractiveLogonRight
|
95
105
|
SeDenyNetworkLogonRight
|
@@ -126,20 +136,20 @@ class Chef
|
|
126
136
|
}.freeze
|
127
137
|
|
128
138
|
property :principal, String,
|
129
|
-
|
130
|
-
|
139
|
+
description: "An optional property to add the privilege for given principal. Use only with add and remove action. Principal can either be a User/Group or one of special identities found here Ref: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/special-identities",
|
140
|
+
name_property: true
|
131
141
|
|
132
142
|
property :users, [Array, String],
|
133
|
-
|
134
|
-
|
143
|
+
description: "An optional property to set the privilege for given users. Use only with set action.",
|
144
|
+
coerce: proc { |v| Array(v) }
|
135
145
|
|
136
146
|
property :privilege, [Array, String],
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
147
|
+
description: "One or more privileges to set for principal or users/groups. For more information on what each privilege does Ref: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment",
|
148
|
+
required: true,
|
149
|
+
coerce: proc { |v| Array(v) },
|
150
|
+
callbacks: {
|
151
|
+
"Privilege property restricted to the following values: #{PRIVILEGE_OPTS}" => lambda { |n| (n - PRIVILEGE_OPTS).empty? },
|
152
|
+
}, identity: true
|
143
153
|
|
144
154
|
load_current_value do |new_resource|
|
145
155
|
if new_resource.principal && (new_resource.action.include?(:add) || new_resource.action.include?(:remove))
|
@@ -147,15 +157,15 @@ class Chef
|
|
147
157
|
end
|
148
158
|
end
|
149
159
|
|
150
|
-
action :add, description: "Add a
|
151
|
-
([*new_resource.privilege] - [*current_resource.privilege]).each do |
|
152
|
-
converge_by("adding
|
153
|
-
Chef::ReservedNames::Win32::Security.add_account_right(new_resource.principal,
|
160
|
+
action :add, description: "Add a privileges to a principal." do
|
161
|
+
([*new_resource.privilege] - [*current_resource.privilege]).each do |principal_right|
|
162
|
+
converge_by("adding principal '#{new_resource.principal}' privilege #{principal_right}") do
|
163
|
+
Chef::ReservedNames::Win32::Security.add_account_right(new_resource.principal, principal_right)
|
154
164
|
end
|
155
165
|
end
|
156
166
|
end
|
157
167
|
|
158
|
-
action :set, description: "Set the privileges that are listed in the `privilege` property for only the users listed in the `users` property." do
|
168
|
+
action :set, description: "Set the privileges that are listed in the `privilege` property for only the users listed in the `users` property. All other users not listed with given privilege will be have the privilege removed." do
|
159
169
|
if new_resource.users.nil? || new_resource.users.empty?
|
160
170
|
raise Chef::Exceptions::ValidationFailed, "Users are required property with set action."
|
161
171
|
end
|
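Review bot: The new action description strings carry grammar slips that will appear verbatim in generated resource documentation: `description: "Add a privileges to a principal."` should read `"Add a privilege to a principal."`, and the `:set` description's `"will be have the privilege removed"` should be `"will have the privilege removed"`. The `:remove` description in the later hunk (`"Remove a principal privilege"`) also lacks the trailing period the other two use; `"Remove a privilege from a principal."` would match. Since `:set` strips the listed privileges from every account not named in `users`, the description is the only place a cookbook author learns that, so keeping it precise matters more than usual. The `:set` action body continues past the end of the hunk.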
@@ -204,7 +214,7 @@ class Chef
|
|
204
214
|
end
|
205
215
|
end
|
206
216
|
|
207
|
-
action :remove, description: "Remove a
|
217
|
+
action :remove, description: "Remove a principal privilege" do
|
208
218
|
curr_res_privilege = current_resource.privilege
|
209
219
|
missing_res_privileges = (new_resource.privilege - curr_res_privilege)
|
210
220
|
|
@@ -212,9 +222,9 @@ class Chef
|
|
212
222
|
Chef::Log.info("User \'#{new_resource.principal}\' for Privilege: #{missing_res_privileges.join(", ")} not found. Nothing to remove.")
|
213
223
|
end
|
214
224
|
|
215
|
-
(new_resource.privilege - missing_res_privileges).each do |
|
216
|
-
converge_by("removing
|
217
|
-
Chef::ReservedNames::Win32::Security.remove_account_right(new_resource.principal,
|
225
|
+
(new_resource.privilege - missing_res_privileges).each do |principal_right|
|
226
|
+
converge_by("removing principal #{new_resource.principal} from privilege #{principal_right}") do
|
227
|
+
Chef::ReservedNames::Win32::Security.remove_account_right(new_resource.principal, principal_right)
|
218
228
|
end
|
219
229
|
end
|
220
230
|
end
|
data/lib/chef/run_context.rb
CHANGED
@@ -145,6 +145,16 @@ class Chef
|
|
145
145
|
#
|
146
146
|
attr_accessor :input_collection
|
147
147
|
|
148
|
+
#
|
149
|
+
# @return [Symbol, nil]
|
150
|
+
#
|
151
|
+
attr_accessor :default_secret_service
|
152
|
+
|
153
|
+
#
|
154
|
+
# @return [Hash<Symbol,Object>]
|
155
|
+
#
|
156
|
+
attr_accessor :default_secret_config
|
157
|
+
|
148
158
|
# Pointer back to the Chef::Runner that created this
|
149
159
|
#
|
150
160
|
attr_accessor :runner
|
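Review bot: The YARD blocks added above `attr_accessor :default_secret_service` and `attr_accessor :default_secret_config` contain only a `@return` tag between empty `#` lines, so a reader gets no sentence saying what the values are for or who sets them; presumably they are the defaults consumed by the secret DSL (dsl/secret.rb is part of this diff) — confirm. Suggest `# Fetcher service used by the secret DSL when a call does not name one.` and `# Options handed to that fetcher when a call does not supply its own.`, each with a pointer to where the value is assigned. Because `default_secret_config` is a Hash that may hold fetcher credentials (the hashi_vault change in this diff reads `config[:role_name]`), it is worth confirming it is excluded from any `inspect`/`to_hash`/log output of the run context; the later hunk adds both accessors to a delegated-method list, which widens where the hash is reachable. The second hunk initializes a fresh `{}` per run context, which is good; a one-line note there on whether callers should replace or mutate it would settle the contract.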
@@ -222,6 +232,8 @@ class Chef
|
|
222
232
|
@input_collection = Chef::Compliance::InputCollection.new(events)
|
223
233
|
@waiver_collection = Chef::Compliance::WaiverCollection.new(events)
|
224
234
|
@profile_collection = Chef::Compliance::ProfileCollection.new(events)
|
235
|
+
@default_secret_service = nil
|
236
|
+
@default_secret_config = {}
|
225
237
|
|
226
238
|
initialize_child_state
|
227
239
|
end
|
@@ -693,6 +705,10 @@ class Chef
|
|
693
705
|
cookbook_collection
|
694
706
|
cookbook_collection=
|
695
707
|
cookbook_compiler
|
708
|
+
default_secret_config
|
709
|
+
default_secret_config=
|
710
|
+
default_secret_service
|
711
|
+
default_secret_service=
|
696
712
|
definitions
|
697
713
|
events
|
698
714
|
events=
|
@@ -112,7 +112,7 @@ class Chef
|
|
112
112
|
raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name")
|
113
113
|
end
|
114
114
|
|
115
|
-
Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new)
|
115
|
+
Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new, Vault.address)
|
116
116
|
else
|
117
117
|
raise Chef::Exceptions::Secret::ConfigurationInvalid.new("Invalid :auth_method provided. You gave #{config[:auth_method]}, expected one of :#{SUPPORTED_AUTH_TYPES.join(", :")} ")
|
118
118
|
end
|
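Review bot: `Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new, Vault.address)` passes the Vault address as the third positional argument, which in the vault gem's `aws_iam` is, as far as I recall, the value sent in the `X-Vault-AWS-IAM-Server-ID` header rather than a connection address; a comment saying so would stop the next reader from assuming it selects the server. That header is only enforced when the Vault AWS auth mount is configured with `iam_server_id_header_value`, and then the value must match exactly, so hard-wiring `Vault.address` works only for mounts configured with that string and a mismatch fails authentication with a non-obvious error. Consider making it configurable — if `config` is a plain Hash, `config.fetch(:iam_server_id, Vault.address)` — and documenting the requirement alongside the other `:auth_method` options. The enclosing method continues outside the hunk.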
data/lib/chef/version.rb
CHANGED
data/lib/chef/win32/version.rb
CHANGED
@@ -51,7 +51,8 @@ class Chef
|
|
51
51
|
WIN_VERSIONS = {
|
52
52
|
"Windows Server 2022" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number >= 20348 } },
|
53
53
|
"Windows Server 2019" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number >= 17763 && build_number < 20348 } },
|
54
|
-
"Windows
|
54
|
+
"Windows 11" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION && build_number >= 22000 } },
|
55
|
+
"Windows 10" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION && build_number >= 19044 && build_number < 22000 } },
|
55
56
|
"Windows Server 2016" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number <= 14393 } },
|
56
57
|
"Windows 8.1" => { major: 6, minor: 3, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION } },
|
57
58
|
"Windows Server 2012 R2" => { major: 6, minor: 3, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION } },
|
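Review bot: The new `"Windows 10"` entry requires `build_number >= 19044`, so workstation builds below that (earlier Windows 10 releases, e.g. 19041 or the 17763 LTSC build) no longer match any entry at major 10; the removed line is truncated here, but it appears the previous `"Windows 10"` entry covered every workstation build at 10.0 — confirm. The upper bound is what separates it from Windows 11, so the lower bound can simply be dropped: `product_type == VER_NT_WORKSTATION && build_number < 22000`. A short comment above the two lines recording the 22000 cut-over would help the next person who bumps these. The `WIN_VERSIONS` hash continues outside the hunk.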
@@ -1,57 +1,36 @@
|
|
1
1
|
-----BEGIN CERTIFICATE-----
|
2
|
-
|
2
|
+
MIIGTjCCBTagAwIBAgIQBK55YGZmkBq5xX+mbFvczTANBgkqhkiG9w0BAQsFADBl
|
3
3
|
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
/
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
2XthJLcFgTO+y+1/IKnnpLKDfkx1YngWEBXEBP+MrrpDUKKs053s45/bI9QBPISA
|
37
|
-
tXgnYxMH9Glo6FWWd13TUq++OKGw1p1wazH64XK4MAf5y/lkmWXIWumNuO35ZqtB
|
38
|
-
ME3wJISwVHzHB2CQjlDklt+Mb0APEiIFIZflgu9JNBYzLdvUtxiz15FUZQI7SsYL
|
39
|
-
TfXOD1KBNMWqN8snG2e5gRAzB2D161DFvAZt8OiYUe+3QurNlTYVzeHv1ok6UqgM
|
40
|
-
ZcLzg8m801rRip0D7FCGvMCU/ktdAgMBAAGjggHPMIIByzAfBgNVHSMEGDAWgBQP
|
41
|
-
gGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUwldjw4Pb4HV+wxGZ7MSSRh+d
|
42
|
-
pm4wHQYDVR0RBBYwFIIJKi5jaGVmLmlvggdjaGVmLmlvMA4GA1UdDwEB/wQEAwIF
|
43
|
-
oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAvoC2g
|
44
|
-
K4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nMy5jcmwwL6At
|
45
|
-
oCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLXNoYTItZzMuY3JsMEIG
|
46
|
-
A1UdIAQ7MDkwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
|
47
|
-
LmRpZ2ljZXJ0LmNvbS9DUFMwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhho
|
48
|
-
dHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNl
|
49
|
-
cnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQw
|
50
|
-
DAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAvcTWenNuvvrhX2omm8LQ
|
51
|
-
zWOuu8jqpoflACwD4lOSZ4TgOe4pQGCjXq8aRBD5k+goqQrPVf9lHnelUHFQac0Q
|
52
|
-
5WT4YUmisUbF0S4uY5OGQymM52MvUWG4ODL4gaWhFvN+HAXrDPP/9iitsjV0QOnl
|
53
|
-
CDq7Q4/XYRYW3opu5nLLbfW6v4QvF5yzZagEACGs7Vt32p6l391UcU8f6wiB3uMD
|
54
|
-
eioCvjpv/+2YOUNlDPCM3uBubjUhHOwO817wBxXkzdk1OSRe4jzcw/uX6wL7birt
|
55
|
-
fbaSkpilvVX529pSzB2Lvi9xWOoGMM578dpQ0h3PwhmmvKhhCWP+pI05k3oSkYCP
|
56
|
-
ng==
|
4
|
+
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
|
5
|
+
b3QgQ0EwHhcNMTMxMTA1MTIwMDAwWhcNMjgxMTA1MTIwMDAwWjBlMQswCQYDVQQG
|
6
|
+
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
|
7
|
+
cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ0EwggEi
|
8
|
+
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc+BEjP2q178AneRstBYeiEEMx
|
9
|
+
3w7UFRtPd6Qizj6McPC+B47dJyq8AR22LArK3WlYH0HtagUf2mN4WR4iLCv4un7J
|
10
|
+
NTtW8R98Qn4lsCMZxkU41z1E+SB8YK4csFoYBL6PO/ep8JSapgxjSbZBF1NAMr1P
|
11
|
+
5lB6UB8lRejxia/N/17/UPPwFxH/vcWJ9b1iudj7jkUEhW2ZzcVITf0mqwI2Reo2
|
12
|
+
119q4hqCQQrc6dn1kReOxiGtODwT5h5/ZpzVTdlG2vbPUqd9OyTDtMFRNcab69Tv
|
13
|
+
fuR7A+FEvXoLN+BPy4KKDXEY5KbgiSwb87JzPMGwkp4Yfb2rfcV9CKEswp9zAgMB
|
14
|
+
AAGjggL4MIIC9DASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjA0
|
15
|
+
BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0
|
16
|
+
LmNvbTCBgQYDVR0fBHoweDA6oDigNoY0aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
|
17
|
+
L0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNybDA6oDigNoY0aHR0cDovL2NybDMu
|
18
|
+
ZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNybDAdBgNVHSUE
|
19
|
+
FjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwggGzBgNVHSAEggGqMIIBpjCCAaIGCmCG
|
20
|
+
SAGG/WwAAgQwggGSMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5j
|
21
|
+
b20vQ1BTMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm
|
22
|
+
ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp
|
23
|
+
AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg
|
24
|
+
AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg
|
25
|
+
AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg
|
26
|
+
AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu
|
27
|
+
AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp
|
28
|
+
AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMB0GA1UdDgQWBBTnAiOAAE/Y
|
29
|
+
17yUC9k/dDlJMjyKeTAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzAN
|
30
|
+
BgkqhkiG9w0BAQsFAAOCAQEATtSJJ7n9HYd3fg8oBZDxCi/JOz69k5yQxq/6kVGH
|
31
|
+
MlRr6MrBcVFcmY61+uBiGZmmB5p8Eyfb5QKihBLZFfYKRFfENI9tcx861qABPd7j
|
32
|
+
guRFa7LrJf2AXh05kL5bQvbOkWDj+aBWDEgQzjNoe82Tq/Bqy09YD7l7XRsEgZ6n
|
33
|
+
IuJXSSfukpMIvmkIUwI6Ll3IGfRQgE4C2bBdkbSTh/mWloFVQI5m7YLYuyhf7Uxh
|
34
|
+
7QZYKBlTEUS8RyApsgRs2IlUmTt122d4LB6SeMZVPVgSETJuvUMMTTTbe8ZC2+y+
|
35
|
+
q5thTAaS447fISpQVwTAYKI11SSeZjcJSc/V+GWz4OJuwg==
|
57
36
|
-----END CERTIFICATE-----
|