chef 17.10.0-universal-mingw32 → 17.10.68-universal-mingw32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (46)
  1. checksums.yaml +4 -4
  2. data/Gemfile +2 -2
  3. data/Rakefile +2 -2
  4. data/chef-universal-mingw32.gemspec +1 -1
  5. data/chef.gemspec +4 -4
  6. data/lib/chef/client.rb +17 -2
  7. data/lib/chef/compliance/input_collection.rb +1 -1
  8. data/lib/chef/compliance/profile_collection.rb +1 -1
  9. data/lib/chef/compliance/waiver_collection.rb +1 -1
  10. data/lib/chef/dsl/secret.rb +113 -5
  11. data/lib/chef/mixin/checksum.rb +6 -0
  12. data/lib/chef/node/attribute.rb +20 -3
  13. data/lib/chef/node/mixin/deep_merge_cache.rb +4 -4
  14. data/lib/chef/provider/file.rb +2 -2
  15. data/lib/chef/provider/package/powershell.rb +1 -1
  16. data/lib/chef/provider/package/windows.rb +1 -1
  17. data/lib/chef/resource/chef_client_config.rb +5 -0
  18. data/lib/chef/resource/locale.rb +1 -1
  19. data/lib/chef/resource/rhsm_register.rb +19 -0
  20. data/lib/chef/resource/support/client.erb +1 -2
  21. data/lib/chef/resource/windows_certificate.rb +54 -43
  22. data/lib/chef/resource/windows_pagefile.rb +28 -21
  23. data/lib/chef/resource/windows_user_privilege.rb +36 -26
  24. data/lib/chef/run_context.rb +16 -0
  25. data/lib/chef/secret_fetcher/hashi_vault.rb +1 -1
  26. data/lib/chef/version.rb +1 -1
  27. data/lib/chef/win32/version.rb +2 -1
  28. data/spec/data/trusted_certs/opscode.pem +33 -54
  29. data/spec/functional/resource/windows_certificate_spec.rb +41 -13
  30. data/spec/functional/resource/windows_font_spec.rb +1 -1
  31. data/spec/functional/resource/windows_pagefile_spec.rb +31 -4
  32. data/spec/functional/shell_spec.rb +6 -0
  33. data/spec/unit/client_spec.rb +6 -3
  34. data/spec/unit/daemon_spec.rb +1 -5
  35. data/spec/unit/dsl/secret_spec.rb +127 -23
  36. data/spec/unit/mixin/checksum_spec.rb +28 -0
  37. data/spec/unit/provider/package/rubygems_spec.rb +1 -1
  38. data/spec/unit/resource/chef_client_config_spec.rb +8 -0
  39. data/spec/unit/run_context_spec.rb +16 -0
  40. metadata +21 -27
  41. /data/spec/functional/assets/yumrepo/repodata/{4632d67cb92636e7575d911c24f0e04d3505a944e97c483abe0c3e73a7c62d33-filelists.sqlite.bz2 → 01a3b-filelists.sqlite.bz2} +0 -0
  42. /data/spec/functional/assets/yumrepo/repodata/{bdb4f5f1492a3b9532f22c43110a81500dd744f23da0aec5c33b2a41317c737d-filelists.xml.gz → 401dc-filelists.xml.gz} +0 -0
  43. /data/spec/functional/assets/yumrepo/repodata/{a845d418f919d2115ab95a56b2c76f6825ad0d0bede49181a55c04f58995d057-primary.sqlite.bz2 → 5dc1e-primary.sqlite.bz2} +0 -0
  44. /data/spec/functional/assets/yumrepo/repodata/{74599b793e54d877323837d2d81a1c3c594c44e4335f9528234bb490f7b9b439-other.xml.gz → 6bf96-other.xml.gz} +0 -0
  45. /data/spec/functional/assets/yumrepo/repodata/{af9b7cf9ef23bd7b43068d74a460f3b5d06753d638e58e4a0c9edc35bfb9cdc4-other.sqlite.bz2 → 7c365-other.sqlite.bz2} +0 -0
  46. /data/spec/functional/assets/yumrepo/repodata/{c10d1d34ce99e02f12ec96ef68360543ab1bb7c3cb81a4a2bf78df7d8597e9df-primary.xml.gz → dabe2-primary.xml.gz} +0 -0
@@ -29,7 +29,6 @@ require "chef-utils/dist" unless defined?(ChefUtils::Dist)
29
29
  class Chef
30
30
  class Resource
31
31
  class WindowsCertificate < Chef::Resource
32
- unified_mode true
33
32
 
34
33
  provides :windows_certificate
35
34
 
@@ -129,14 +128,14 @@ class Chef
129
128
  end
130
129
 
131
130
  action :delete, description: "Deletes a certificate." do
132
- cert_obj = fetch_cert
131
+ cert_is_valid = verify_cert
133
132
 
134
- if cert_obj
133
+ if cert_is_valid == true
135
134
  converge_by("Deleting certificate #{new_resource.source} from Store #{new_resource.store_name}") do
136
135
  delete_cert
137
136
  end
138
137
  else
139
- Chef::Log.debug("Certificate not found")
138
+ Chef::Log.debug("Certificate Not Found")
140
139
  end
141
140
  end
142
141
 
@@ -146,17 +145,25 @@ class Chef
146
145
  end
147
146
 
148
147
  if ::File.extname(new_resource.output_path) == ".pfx"
149
- powershell_exec!(pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_resource.output_path, password: new_resource.pfx_password ))
148
+
149
+ validated_thumbprint = validate_thumbprint(new_resource.source)
150
+ if validated_thumbprint != false # is the thumbprint valid
151
+ cert_obj = powershell_exec!(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_resource.output_path, password: new_resource.pfx_password ))
152
+ else
153
+ message = "While fetching the certificate, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
154
+ raise Chef::Exceptions::InvalidKeyAttribute, message
155
+ end
156
+
150
157
  else
151
158
  cert_obj = fetch_cert
152
159
  end
153
160
 
154
- if cert_obj
161
+ if cert_obj != false && cert_obj != "Certificate Not Found"
155
162
  converge_by("Fetching certificate #{new_resource.source} from Store \\#{ps_cert_location}\\#{new_resource.store_name}") do
156
163
  export_cert(cert_obj, output_path: new_resource.output_path, store_name: new_resource.store_name , store_location: ps_cert_location, pfx_password: new_resource.pfx_password)
157
164
  end
158
165
  else
159
- Chef::Log.debug("Certificate not found")
166
+ Chef::Log.debug("Certificate Not Found")
160
167
  end
161
168
  end
162
169
 
@@ -187,7 +194,7 @@ class Chef
187
194
 
188
195
  def delete_cert
189
196
  store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
190
- store.delete(resolve_thumbprint(new_resource.source))
197
+ store.delete(validate_thumbprint(new_resource.source))
191
198
  end
192
199
 
193
200
  def fetch_cert
@@ -196,17 +203,16 @@ class Chef
196
203
  fetch_key
197
204
 
198
205
  else
199
- store.get(resolve_thumbprint(new_resource.source), store_name: new_resource.store_name, store_location: native_cert_location)
206
+ store.get(validate_thumbprint(new_resource.source))
200
207
  end
201
208
  end
202
209
 
203
210
  def fetch_key
204
211
  require "openssl" unless defined?(OpenSSL)
205
212
  file_name = ::File.basename(new_resource.output_path, ::File.extname(new_resource.output_path))
206
- directory = ::File.dirname(new_resource.output_path)
207
213
  pfx_file = file_name + ".pfx"
208
214
  new_pfx_output_path = ::File.join(Chef::FileCache.create_cache_path("pfx_files"), pfx_file)
209
- powershell_exec(pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_pfx_output_path, password: new_resource.pfx_password ))
215
+ powershell_exec(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_pfx_output_path, password: new_resource.pfx_password ))
210
216
  pkcs12 = OpenSSL::PKCS12.new(::File.binread(new_pfx_output_path), new_resource.pfx_password)
211
217
  f = ::File.open(new_resource.output_path, "w")
212
218
  f.write(pkcs12.key.to_s)
@@ -245,10 +251,6 @@ class Chef
245
251
  ::File.file?(source)
246
252
  end
247
253
 
248
- def is_file?(source)
249
- ::File.file?(source)
250
- end
251
-
252
254
  # Thumbprints should be exactly 40 Hex characters
253
255
  def valid_thumbprint?(string)
254
256
  string.match?(/[0-9A-Fa-f]/) && string.length == 40
@@ -261,29 +263,29 @@ class Chef
261
263
  GETTHUMBPRINTCODE
262
264
  end
263
265
 
264
- def resolve_thumbprint(thumbprint)
265
- return thumbprint if valid_thumbprint?(thumbprint)
266
-
267
- powershell_exec!(get_thumbprint(new_resource.store_name, ps_cert_location, new_resource.source)).result
266
+ def validate_thumbprint(thumbprint)
267
+ # valid_thumbprint can return false under at least 2 conditions:
268
+ # one is that the thumbprint is in fact busted
269
+ # the second is that the thumbprint is valid but belongs to an expired certificate already installed
270
+ results = valid_thumbprint?(thumbprint)
271
+ results == true ? thumbprint : false
268
272
  end
269
273
 
270
- # Checks whether a certificate with the given thumbprint
271
- # is already present and valid in certificate store
272
- # If the certificate is not present, verify_cert returns a String: "Certificate not found"
273
- # But if it is present but expired, it returns a Boolean: false
274
- # Otherwise, it returns a Boolean: true
275
- # updated this method to accept either a subject name or a thumbprint - 1/29/2021
276
-
274
+ # Checks to make sure whether the cert is found or not
275
+ # if it IS found, is it still valid - has it expired?
277
276
  def verify_cert(thumbprint = new_resource.source)
278
277
  store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
279
- if new_resource.pfx_password.nil?
280
- store.valid?(resolve_thumbprint(thumbprint), store_location: native_cert_location, store_name: new_resource.store_name )
278
+ validated_thumbprint = validate_thumbprint(thumbprint)
279
+ if validated_thumbprint != false
280
+ result = store.valid?(thumbprint)
281
+ result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
281
282
  else
282
- store.valid?(resolve_thumbprint(thumbprint), store_location: native_cert_location, store_name: new_resource.store_name)
283
+ message = "While verifying the certificate, was passed the following invalid certificate thumbprint : #{thumbprint}\n"
284
+ raise Chef::Exceptions::InvalidKeyAttribute, message
283
285
  end
284
286
  end
285
287
 
286
- # this array structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores
288
+ # this structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores
287
289
  # Secondly, we need to pass the proper constant name for each store to win32-certstore but also pass the short name to powershell scripts used here
288
290
  def ps_cert_location
289
291
  new_resource.user_store ? "CurrentUser" : "LocalMachine"
@@ -436,7 +438,7 @@ class Chef
436
438
  end
437
439
 
438
440
  def export_cert(cert_obj, output_path:, store_name:, store_location:, pfx_password:)
439
- # Delete the cert if it exists. This is non-destructive in that it only removes the file and not the entire path.
441
+ # Delete the cert if it exists on disk already.
440
442
  # We want to ensure we're not randomly loading an old stinky cert.
441
443
  if ::File.exists?(output_path)
442
444
  ::File.delete(output_path)
@@ -460,7 +462,20 @@ class Chef
460
462
  cert_out = shell_out("openssl x509 -text -inform DER -in #{cert_obj} -outform CRT").stdout
461
463
  out_file.puts(cert_out)
462
464
  when ".pfx"
463
- pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: store_location, store_name: store_name, output_path: output_path, password: pfx_password )
465
+ validated_thumbprint = validate_thumbprint(new_resource.source)
466
+ if validated_thumbprint != false # is the thumbprint valid
467
+ store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
468
+ result = store.valid?(new_resource.source) # is there a cert in the store matching that thumbprint
469
+ temp = result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
470
+ if temp == true
471
+ pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: store_location, store_name: store_name, output_path: output_path, password: pfx_password )
472
+ else
473
+ Chef::Log.debug("The requested certificate is not found or has expired")
474
+ end
475
+ else
476
+ message = "While exporting the pfx, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
477
+ raise Chef::Exceptions::InvalidKeyAttribute, message
478
+ end
464
479
  when ".p7b"
465
480
  cert_out = shell_out("openssl pkcs7 -export -nokeys -in #{cert_obj.to_pem} -outform P7B").stdout
466
481
  out_file.puts(cert_out)
@@ -481,14 +496,11 @@ class Chef
481
496
  #
482
497
  def import_certificates(cert_objs, is_pfx, store_name: new_resource.store_name, store_location: native_cert_location)
483
498
  [cert_objs].flatten.each do |cert_obj|
484
- # thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
485
- # pkcs = OpenSSL::PKCS12.new(cert_obj, new_resource.pfx_password)
486
- # cert = OpenSSL::X509::Certificate.new(pkcs.certificate.to_pem)
487
499
  thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
488
- if is_pfx
489
- if verify_cert(thumbprint) == true
490
- Chef::Log.debug("Certificate is already present")
491
- else
500
+ if verify_cert(thumbprint) == true
501
+ Chef::Log.debug("Certificate is already present")
502
+ elsif verify_cert(thumbprint) == false # Not found already in the CertStore
503
+ if is_pfx
492
504
  if is_file?(new_resource.source)
493
505
  converge_by("Creating a PFX #{new_resource.source} for Store #{new_resource.store_name}") do
494
506
  add_pfx_cert(new_resource.source)
@@ -502,15 +514,14 @@ class Chef
502
514
  message << exception.message
503
515
  raise Chef::Exceptions::ArgumentError, message
504
516
  end
505
- end
506
- else
507
- if verify_cert(thumbprint) == true
508
- Chef::Log.debug("Certificate is already present")
509
517
  else
510
518
  converge_by("Creating a certificate #{new_resource.source} for Store #{new_resource.store_name}") do
511
519
  add_cert(cert_obj)
512
520
  end
513
521
  end
522
+ else
523
+ message = "Certificate could not be imported"
524
+ raise Chef::Exceptions::CertificateNotImportable, message
514
525
  end
515
526
  end
516
527
  end
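Review bot: The validity test at L363 (repeated at L439) compares `result` with `( "Certificate Not Found" || "Certificate Has Expired" )`, which Ruby evaluates to the first string alone, so a `"Certificate Has Expired"` reply from `store.valid?` is never recognised and an expired certificate is reported as valid — `import_certificates` then logs "Certificate is already present" and never installs the replacement, and `export_cert` goes ahead; write it as `!["Certificate Not Found", "Certificate Has Expired"].include?(result)` (and also reject a bare `false` if, as the removed comment at L335 said, `store.valid?` can still return one). Once that is fixed the `:delete` action at L92, which now keys on `verify_cert == true`, will refuse to remove an expired certificate, whereas the old `fetch_cert` check deleted any certificate present; deletion should test presence, not validity. `validate_thumbprint` (L311) is now the only gate before `new_resource.source` is interpolated into the PowerShell command built by `pfx_ps_cmd` (L137, L255, L443), yet `valid_thumbprint?` at L291 only checks that some hex character occurs in a 40-character string — anchor it, `string.match?(/\A[0-9A-Fa-f]{40}\z/)`. Dropping `resolve_thumbprint` also removes the subject-name lookup the old comment at L339 advertised, so a `source` given as a subject name now raises `InvalidKeyAttribute`, which the resource documentation should state. `verify_cert` is also evaluated twice in `import_certificates` (L495 and L499), opening the store twice, and the `else` at L545 is unreachable because `verify_cert` only ever returns true or false or raises.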
@@ -88,7 +88,7 @@ class Chef
88
88
  if automatic_managed
89
89
  set_automatic_managed unless automatic_managed?
90
90
  elsif automatic_managed == false
91
- unset_automatic_managed if automatic_managed?
91
+ unset_automatic_managed
92
92
  else
93
93
  pagefile = clarify_pagefile_name
94
94
  initial_size = new_resource.initial_size
@@ -149,10 +149,12 @@ class Chef
149
149
  def exists?(pagefile)
150
150
  @exists ||= begin
151
151
  logger.trace("Checking if #{pagefile} exists by running: Get-CimInstance Win32_PagefileSetting | Where-Object { $_.name -eq $($pagefile)} ")
152
- cmd = "$page_file_name = '#{pagefile}';"
153
- cmd << "$pagefile = Get-CimInstance Win32_PagefileSetting | Where-Object { $_.name -eq $($page_file_name)};"
154
- cmd << "if ([string]::IsNullOrEmpty($pagefile)) { return $false } else { return $true }"
155
- powershell_exec!(cmd).result
152
+ powershell_code = <<~CODE
153
+ $page_file_name = '#{pagefile}';
154
+ $pagefile = Get-CimInstance Win32_PagefileSetting | Where-Object { $_.name -eq $($page_file_name)}
155
+ if ([string]::IsNullOrEmpty($pagefile)) { return $false } else { return $true }
156
+ CODE
157
+ powershell_exec!(powershell_code).result
156
158
  end
157
159
  end
158
160
 
@@ -164,13 +166,17 @@ class Chef
164
166
  # @return [Boolean]
165
167
  def max_and_min_set?(pagefile, min, max)
166
168
  logger.trace("Checking if #{pagefile} has max and initial disk size values set")
167
- cmd = "$page_file = '#{pagefile}';"
168
- cmd << "$driveLetter = $page_file.split(':')[0];"
169
- cmd << "$page_file_settings = Get-CimInstance -ClassName Win32_PageFileSetting -Filter \"SettingID='pagefile.sys @ $($driveLetter):'\" -Property * -ErrorAction Stop;"
170
- cmd << "if ($page_file_settings.InitialSize -eq #{min} -and $page_file_settings.MaximumSize -eq #{max})"
171
- cmd << "{ return $true }"
172
- cmd << "else { return $false }"
173
- powershell_exec!(cmd).result
169
+
170
+ powershell_code = <<-CODE
171
+ $page_file = '#{pagefile}';
172
+ $driveLetter = $page_file.split(':')[0];
173
+ $page_file_settings = Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -Property * -ErrorAction Stop;
174
+ if ($page_file_settings.InitialSize -eq #{min} -and $page_file_settings.MaximumSize -eq #{max})
175
+ { return $true }
176
+ else
177
+ { return $false }
178
+ CODE
179
+ powershell_exec!(powershell_code).result
174
180
  end
175
181
 
176
182
  # create a pagefile
@@ -225,12 +231,14 @@ class Chef
225
231
 
226
232
  # turn off automatic management of all pagefiles by Windows
227
233
  def unset_automatic_managed
228
- converge_by("Turn off Automatically Managed on pagefiles") do
229
- logger.trace("Running Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru")
230
- powershell_exec! <<~EOH
231
- $sys = Get-CimInstance Win32_ComputerSystem -Property *
232
- Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru
233
- EOH
234
+ if automatic_managed?
235
+ converge_by("Turn off Automatically Managed on pagefiles") do
236
+ logger.trace("Running Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru")
237
+ powershell_exec! <<~EOH
238
+ $sys = Get-CimInstance Win32_ComputerSystem -Property *
239
+ Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru
240
+ EOH
241
+ end
234
242
  end
235
243
  end
236
244
 
@@ -240,14 +248,13 @@ class Chef
240
248
  # @param [String] min the minimum size of the pagefile
241
249
  # @param [String] max the minimum size of the pagefile
242
250
  def set_custom_size(pagefile, min, max)
251
+ unset_automatic_managed
243
252
  converge_by("set #{pagefile} to InitialSize=#{min} & MaximumSize=#{max}") do
244
253
  logger.trace("Set-CimInstance -Property @{InitialSize = #{min} MaximumSize = #{max}")
245
254
  powershell_exec! <<~EOD
246
255
  $page_file = "#{pagefile}"
247
256
  $driveLetter = $page_file.split(':')[0]
248
- Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -ErrorAction Stop | Set-CimInstance -Property @{
249
- InitialSize = #{min}
250
- MaximumSize = #{max}}
257
+ Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -ErrorAction Stop | Set-CimInstance -Property @{InitialSize = #{min}; MaximumSize = #{max};}
251
258
  EOD
252
259
  end
253
260
  end
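Review bot: The heredoc at L648 is `<<-CODE` while the parallel one at L601 is `<<~CODE`; `<<-` keeps the leading indentation in the script handed to `powershell_exec!`, which PowerShell tolerates, but `exists?` and `max_and_min_set?` should use the same form — change L648 to `powershell_code = <<~CODE`. Both scripts still put the resource-supplied name inside single quotes (`$page_file_name = '#{pagefile}';` at L603, `$page_file = '#{pagefile}';` at L650), so a name containing a quote breaks the script; doubling quotes on the way in, `'#{pagefile.gsub("'", "''")}'`, keeps the literal intact (presumably `clarify_pagefile_name` at L578 normalises the name, but that is not visible here). The `@param` tag at L729 describes `max` as "the minimum size"; it should read `# @param [String] max the maximum size of the pagefile`.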
@@ -24,7 +24,7 @@ class Chef
24
24
  unified_mode true
25
25
 
26
26
  provides :windows_user_privilege
27
- description "The windows_user_privilege resource allows to add and set principal (User/Group) to the specified privilege.\n Ref: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment"
27
+ description "The windows_user_privilege resource allows to add a privilege to a principal or (User/Group).\n Ref: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment"
28
28
 
29
29
  introduced "16.0"
30
30
 
@@ -39,23 +39,32 @@ class Chef
39
39
  end
40
40
  ```
41
41
 
42
- **Add the SeDenyRemoteInteractiveLogonRight Privilege to the Builtin Guests and Local Accounts User Groups**:
42
+ **Provide only the Builtin Guests and Administrator Groups with the SeCreatePageFile Privilege**:
43
+
44
+ ```ruby
45
+ windows_user_privilege 'Create Pagefile' do
46
+ privilege 'SeCreatePagefilePrivilege'
47
+ users ['BUILTIN\\Guests', 'BUILTIN\\Administrators']
48
+ action :set
49
+ end
50
+ ```
51
+
52
+ **Add the SeDenyRemoteInteractiveLogonRight Privilege to the 'Remote interactive logon' principal**:
43
53
 
44
54
  ```ruby
45
55
  windows_user_privilege 'Remote interactive logon' do
46
56
  privilege 'SeDenyRemoteInteractiveLogonRight'
47
- users ['Builtin\\Guests', 'NT AUTHORITY\\Local Account']
48
57
  action :add
49
58
  end
50
59
  ```
51
60
 
52
- **Provide only the Builtin Guests and Administrator Groups with the SeCreatePageFile Privilege**:
61
+ **Add to the Builtin Guests Group the SeCreatePageFile Privilege**:
53
62
 
54
63
  ```ruby
55
- windows_user_privilege 'Create Pagefile' do
64
+ windows_user_privilege 'Guests add Create Pagefile' do
65
+ principal 'BUILTIN\\Guests'
56
66
  privilege 'SeCreatePagefilePrivilege'
57
- users ['BUILTIN\\Guests', 'BUILTIN\\Administrators']
58
- action :set
67
+ action :add
59
68
  end
60
69
  ```
61
70
 
@@ -90,6 +99,7 @@ class Chef
90
99
  SeCreateSymbolicLinkPrivilege
91
100
  SeCreateTokenPrivilege
92
101
  SeDebugPrivilege
102
+ SeDelegateSessionUserImpersonatePrivilege
93
103
  SeDenyBatchLogonRight
94
104
  SeDenyInteractiveLogonRight
95
105
  SeDenyNetworkLogonRight
@@ -126,20 +136,20 @@ class Chef
126
136
  }.freeze
127
137
 
128
138
  property :principal, String,
129
- description: "An optional property to add the user to the given privilege. Use only with add and remove action.",
130
- name_property: true
139
+ description: "An optional property to add the privilege for given principal. Use only with add and remove action. Principal can either be a User/Group or one of special identities found here Ref: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/special-identities",
140
+ name_property: true
131
141
 
132
142
  property :users, [Array, String],
133
- description: "An optional property to set the privilege for given users. Use only with set action.",
134
- coerce: proc { |v| Array(v) }
143
+ description: "An optional property to set the privilege for given users. Use only with set action.",
144
+ coerce: proc { |v| Array(v) }
135
145
 
136
146
  property :privilege, [Array, String],
137
- description: "One or more privileges to set for users.",
138
- required: true,
139
- coerce: proc { |v| Array(v) },
140
- callbacks: {
141
- "Privilege property restricted to the following values: #{PRIVILEGE_OPTS}" => lambda { |n| (n - PRIVILEGE_OPTS).empty? },
142
- }, identity: true
147
+ description: "One or more privileges to set for principal or users/groups. For more information on what each privilege does Ref: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment",
148
+ required: true,
149
+ coerce: proc { |v| Array(v) },
150
+ callbacks: {
151
+ "Privilege property restricted to the following values: #{PRIVILEGE_OPTS}" => lambda { |n| (n - PRIVILEGE_OPTS).empty? },
152
+ }, identity: true
143
153
 
144
154
  load_current_value do |new_resource|
145
155
  if new_resource.principal && (new_resource.action.include?(:add) || new_resource.action.include?(:remove))
@@ -147,15 +157,15 @@ class Chef
147
157
  end
148
158
  end
149
159
 
150
- action :add, description: "Add a user privilege." do
151
- ([*new_resource.privilege] - [*current_resource.privilege]).each do |user_right|
152
- converge_by("adding user '#{new_resource.principal}' privilege #{user_right}") do
153
- Chef::ReservedNames::Win32::Security.add_account_right(new_resource.principal, user_right)
160
+ action :add, description: "Add a privileges to a principal." do
161
+ ([*new_resource.privilege] - [*current_resource.privilege]).each do |principal_right|
162
+ converge_by("adding principal '#{new_resource.principal}' privilege #{principal_right}") do
163
+ Chef::ReservedNames::Win32::Security.add_account_right(new_resource.principal, principal_right)
154
164
  end
155
165
  end
156
166
  end
157
167
 
158
- action :set, description: "Set the privileges that are listed in the `privilege` property for only the users listed in the `users` property." do
168
+ action :set, description: "Set the privileges that are listed in the `privilege` property for only the users listed in the `users` property. All other users not listed with given privilege will be have the privilege removed." do
159
169
  if new_resource.users.nil? || new_resource.users.empty?
160
170
  raise Chef::Exceptions::ValidationFailed, "Users are required property with set action."
161
171
  end
@@ -204,7 +214,7 @@ class Chef
204
214
  end
205
215
  end
206
216
 
207
- action :remove, description: "Remove a user privilege" do
217
+ action :remove, description: "Remove a principal privilege" do
208
218
  curr_res_privilege = current_resource.privilege
209
219
  missing_res_privileges = (new_resource.privilege - curr_res_privilege)
210
220
 
@@ -212,9 +222,9 @@ class Chef
212
222
  Chef::Log.info("User \'#{new_resource.principal}\' for Privilege: #{missing_res_privileges.join(", ")} not found. Nothing to remove.")
213
223
  end
214
224
 
215
- (new_resource.privilege - missing_res_privileges).each do |user_right|
216
- converge_by("removing user #{new_resource.principal} from privilege #{user_right}") do
217
- Chef::ReservedNames::Win32::Security.remove_account_right(new_resource.principal, user_right)
225
+ (new_resource.privilege - missing_res_privileges).each do |principal_right|
226
+ converge_by("removing principal #{new_resource.principal} from privilege #{principal_right}") do
227
+ Chef::ReservedNames::Win32::Security.remove_account_right(new_resource.principal, principal_right)
218
228
  end
219
229
  end
220
230
  end
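Review bot: The user-facing description strings added at L995 and L1017 carry grammar slips that will surface in generated resource docs: `action :add, description: "Add a privileges to a principal." do` should read `"Add privileges to a principal."`, and the `:set` description's "All other users not listed with given privilege will be have the privilege removed." should read "All other users holding the privilege but not listed will have it removed." The resource `description` at L780, "allows to add a privilege to a principal or (User/Group)", reads awkwardly; `"The windows_user_privilege resource allows you to add a privilege to a principal (a user, group or special identity)."` says the same thing. The `user_right` → `principal_right` rename in the `:add` and `:remove` blocks is consistent, but the `Chef::Log.info` at L1053 still says `User '...'` where the converge messages now say principal.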
@@ -145,6 +145,16 @@ class Chef
145
145
  #
146
146
  attr_accessor :input_collection
147
147
 
148
+ #
149
+ # @return [Symbol, nil]
150
+ #
151
+ attr_accessor :default_secret_service
152
+
153
+ #
154
+ # @return [Hash<Symbol,Object>]
155
+ #
156
+ attr_accessor :default_secret_config
157
+
148
158
  # Pointer back to the Chef::Runner that created this
149
159
  #
150
160
  attr_accessor :runner
@@ -222,6 +232,8 @@ class Chef
222
232
  @input_collection = Chef::Compliance::InputCollection.new(events)
223
233
  @waiver_collection = Chef::Compliance::WaiverCollection.new(events)
224
234
  @profile_collection = Chef::Compliance::ProfileCollection.new(events)
235
+ @default_secret_service = nil
236
+ @default_secret_config = {}
225
237
 
226
238
  initialize_child_state
227
239
  end
@@ -693,6 +705,10 @@ class Chef
693
705
  cookbook_collection
694
706
  cookbook_collection=
695
707
  cookbook_compiler
708
+ default_secret_config
709
+ default_secret_config=
710
+ default_secret_service
711
+ default_secret_service=
696
712
  definitions
697
713
  events
698
714
  events=
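Review bot: The new accessors at L1098 and L1108 carry only a `@return` tag between empty `#` lines, so a reader cannot tell what `default_secret_service` names or which keys `default_secret_config` holds; give each a one-line description, e.g. `# Secret service used by the secret DSL when a call does not name one (see data/lib/chef/dsl/secret.rb in this diff); presumably a Symbol selecting a Chef::SecretFetcher implementation - confirm`. Because `default_secret_config` is likely to carry fetcher credentials (tokens, role names), the comment on it should also say that its contents must not be written to logs or inspect output. The `@default_secret_config = {}` default at L1133 is a fresh Hash per run context, which is correct, and the four delegate entries at L1154–L1160 keep the list's alphabetical order.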
@@ -112,7 +112,7 @@ class Chef
112
112
  raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name")
113
113
  end
114
114
 
115
- Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new)
115
+ Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new, Vault.address)
116
116
  else
117
117
  raise Chef::Exceptions::Secret::ConfigurationInvalid.new("Invalid :auth_method provided. You gave #{config[:auth_method]}, expected one of :#{SUPPORTED_AUTH_TYPES.join(", :")} ")
118
118
  end
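Review bot: The third argument added at L1183, `Vault.address`, is positional; if this is vault-ruby's `aws_iam(role, credentials_provider, header_value = nil, ...)`, it is sent as the `X-Vault-AWS-IAM-Server-ID` header value, which Vault accepts only when it equals the `iam_server_id_header_value` configured on the AWS auth mount. Hard-wiring it to the client address means authentication is refused for mounts configured with another value; consider reading it from the fetcher configuration (a key named after Vault's `iam_server_id_header_value` setting) with `Vault.address` as the fallback, and add a comment naming the header so the intent of the third argument is clear, e.g. `# third argument is the X-Vault-AWS-IAM-Server-ID header value; must match the auth mount's iam_server_id_header_value`. The enclosing method starts and ends outside the hunk.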
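--- a/data/lib/chef/version.rb
+++ b/data/lib/chef/version.rb
@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
 CHEF_ROOT = File.expand_path("..", __dir__)
-VERSION = Chef::VersionString.new("17.10.0")
+VERSION = Chef::VersionString.new("17.10.68")
 end
 
 #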
@@ -51,7 +51,8 @@ class Chef
51
51
  WIN_VERSIONS = {
52
52
  "Windows Server 2022" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number >= 20348 } },
53
53
  "Windows Server 2019" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number >= 17763 && build_number < 20348 } },
54
- "Windows 10" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION } },
54
+ "Windows 11" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION && build_number >= 22000 } },
55
+ "Windows 10" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION && build_number >= 19044 && build_number < 22000 } },
55
56
  "Windows Server 2016" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number <= 14393 } },
56
57
  "Windows 8.1" => { major: 6, minor: 3, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION } },
57
58
  "Windows Server 2012 R2" => { major: 6, minor: 3, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION } },
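Review bot: The reworked "Windows 10" lambda at L1232 only matches workstation builds with `19044 <= build_number < 22000`, so a workstation on an earlier Windows 10 build — which the removed line at L1228 matched for every `VER_NT_WORKSTATION` at 10.0 — now matches no entry in `WIN_VERSIONS` at all. Unless dropping those builds is intended, the lower bound should go: `"Windows 10" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION && build_number < 22000 } },`. If the cut-off is deliberate, a comment above the entry stating that builds below 19044 are no longer recognised is needed, since the upper bound alone is what separates it from the new "Windows 11" entry. The `WIN_VERSIONS` hash continues past the end of the hunk.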
@@ -1,57 +1,36 @@
1
1
  -----BEGIN CERTIFICATE-----
2
- MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
2
+ MIIGTjCCBTagAwIBAgIQBK55YGZmkBq5xX+mbFvczTANBgkqhkiG9w0BAQsFADBl
3
3
  MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
4
- d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
5
- QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
6
- MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
7
- U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
8
- ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
9
- nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
10
- KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
11
- /ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
12
- kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
13
- /RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
14
- AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
15
- aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
16
- Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
17
- oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
18
- QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
19
- d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
20
- xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
21
- CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
22
- 5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
23
- 8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
24
- 2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
25
- c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
26
- j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
27
- -----END CERTIFICATE-----
28
- -----BEGIN CERTIFICATE-----
29
- MIIFDTCCA/WgAwIBAgIQBZ8R1sZP2Lbc8x554UUQ2DANBgkqhkiG9w0BAQsFADBN
30
- MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
31
- aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTQxMTEwMDAwMDAwWhcN
32
- MTcxMTE0MTIwMDAwWjBlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv
33
- bjEQMA4GA1UEBxMHU2VhdHRsZTEbMBkGA1UEChMSQ2hlZiBTb2Z0d2FyZSwgSW5j
34
- MRIwEAYDVQQDDAkqLmNoZWYuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
35
- AoIBAQC3xCIczkV10O5jTDpbd4YlPLC6kfnVoOkno2N/OOlcLQu3ulj/Lj1j4r6e
36
- 2XthJLcFgTO+y+1/IKnnpLKDfkx1YngWEBXEBP+MrrpDUKKs053s45/bI9QBPISA
37
- tXgnYxMH9Glo6FWWd13TUq++OKGw1p1wazH64XK4MAf5y/lkmWXIWumNuO35ZqtB
38
- ME3wJISwVHzHB2CQjlDklt+Mb0APEiIFIZflgu9JNBYzLdvUtxiz15FUZQI7SsYL
39
- TfXOD1KBNMWqN8snG2e5gRAzB2D161DFvAZt8OiYUe+3QurNlTYVzeHv1ok6UqgM
40
- ZcLzg8m801rRip0D7FCGvMCU/ktdAgMBAAGjggHPMIIByzAfBgNVHSMEGDAWgBQP
41
- gGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUwldjw4Pb4HV+wxGZ7MSSRh+d
42
- pm4wHQYDVR0RBBYwFIIJKi5jaGVmLmlvggdjaGVmLmlvMA4GA1UdDwEB/wQEAwIF
43
- oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAvoC2g
44
- K4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nMy5jcmwwL6At
45
- oCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLXNoYTItZzMuY3JsMEIG
46
- A1UdIAQ7MDkwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
47
- LmRpZ2ljZXJ0LmNvbS9DUFMwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhho
48
- dHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNl
49
- cnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQw
50
- DAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAvcTWenNuvvrhX2omm8LQ
51
- zWOuu8jqpoflACwD4lOSZ4TgOe4pQGCjXq8aRBD5k+goqQrPVf9lHnelUHFQac0Q
52
- 5WT4YUmisUbF0S4uY5OGQymM52MvUWG4ODL4gaWhFvN+HAXrDPP/9iitsjV0QOnl
53
- CDq7Q4/XYRYW3opu5nLLbfW6v4QvF5yzZagEACGs7Vt32p6l391UcU8f6wiB3uMD
54
- eioCvjpv/+2YOUNlDPCM3uBubjUhHOwO817wBxXkzdk1OSRe4jzcw/uX6wL7birt
55
- fbaSkpilvVX529pSzB2Lvi9xWOoGMM578dpQ0h3PwhmmvKhhCWP+pI05k3oSkYCP
56
- ng==
4
+ d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
5
+ b3QgQ0EwHhcNMTMxMTA1MTIwMDAwWhcNMjgxMTA1MTIwMDAwWjBlMQswCQYDVQQG
6
+ EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
7
+ cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ0EwggEi
8
+ MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc+BEjP2q178AneRstBYeiEEMx
9
+ 3w7UFRtPd6Qizj6McPC+B47dJyq8AR22LArK3WlYH0HtagUf2mN4WR4iLCv4un7J
10
+ NTtW8R98Qn4lsCMZxkU41z1E+SB8YK4csFoYBL6PO/ep8JSapgxjSbZBF1NAMr1P
11
+ 5lB6UB8lRejxia/N/17/UPPwFxH/vcWJ9b1iudj7jkUEhW2ZzcVITf0mqwI2Reo2
12
+ 119q4hqCQQrc6dn1kReOxiGtODwT5h5/ZpzVTdlG2vbPUqd9OyTDtMFRNcab69Tv
13
+ fuR7A+FEvXoLN+BPy4KKDXEY5KbgiSwb87JzPMGwkp4Yfb2rfcV9CKEswp9zAgMB
14
+ AAGjggL4MIIC9DASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjA0
15
+ BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0
16
+ LmNvbTCBgQYDVR0fBHoweDA6oDigNoY0aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
17
+ L0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNybDA6oDigNoY0aHR0cDovL2NybDMu
18
+ ZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNybDAdBgNVHSUE
19
+ FjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwggGzBgNVHSAEggGqMIIBpjCCAaIGCmCG
20
+ SAGG/WwAAgQwggGSMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5j
21
+ b20vQ1BTMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm
22
+ ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp
23
+ AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg
24
+ AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg
25
+ AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg
26
+ AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu
27
+ AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp
28
+ AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMB0GA1UdDgQWBBTnAiOAAE/Y
29
+ 17yUC9k/dDlJMjyKeTAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzAN
30
+ BgkqhkiG9w0BAQsFAAOCAQEATtSJJ7n9HYd3fg8oBZDxCi/JOz69k5yQxq/6kVGH
31
+ MlRr6MrBcVFcmY61+uBiGZmmB5p8Eyfb5QKihBLZFfYKRFfENI9tcx861qABPd7j
32
+ guRFa7LrJf2AXh05kL5bQvbOkWDj+aBWDEgQzjNoe82Tq/Bqy09YD7l7XRsEgZ6n
33
+ IuJXSSfukpMIvmkIUwI6Ll3IGfRQgE4C2bBdkbSTh/mWloFVQI5m7YLYuyhf7Uxh
34
+ 7QZYKBlTEUS8RyApsgRs2IlUmTt122d4LB6SeMZVPVgSETJuvUMMTTTbe8ZC2+y+
35
+ q5thTAaS447fISpQVwTAYKI11SSeZjcJSc/V+GWz4OJuwg==
57
36
  -----END CERTIFICATE-----