chef 17.10.0-universal-mingw32 → 17.10.95-universal-mingw32
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile +2 -2
- data/Rakefile +2 -2
- data/chef-universal-mingw32.gemspec +2 -2
- data/chef.gemspec +5 -5
- data/lib/chef/client.rb +17 -2
- data/lib/chef/compliance/input_collection.rb +1 -1
- data/lib/chef/compliance/profile_collection.rb +1 -1
- data/lib/chef/compliance/waiver_collection.rb +1 -1
- data/lib/chef/dsl/secret.rb +113 -5
- data/lib/chef/mixin/checksum.rb +6 -0
- data/lib/chef/mixin/properties.rb +6 -0
- data/lib/chef/node/attribute.rb +20 -3
- data/lib/chef/node/mixin/deep_merge_cache.rb +4 -4
- data/lib/chef/provider/file.rb +2 -2
- data/lib/chef/provider/package/chocolatey.rb +18 -1
- data/lib/chef/provider/package/powershell.rb +1 -1
- data/lib/chef/provider/package/windows.rb +1 -1
- data/lib/chef/provider/user.rb +5 -1
- data/lib/chef/resource/chef_client_config.rb +5 -0
- data/lib/chef/resource/locale.rb +5 -2
- data/lib/chef/resource/macos_userdefaults.rb +9 -5
- data/lib/chef/resource/rhsm_register.rb +19 -0
- data/lib/chef/resource/support/client.erb +1 -2
- data/lib/chef/resource/windows_certificate.rb +54 -43
- data/lib/chef/resource/windows_pagefile.rb +28 -21
- data/lib/chef/resource/windows_user_privilege.rb +36 -26
- data/lib/chef/resource.rb +2 -1
- data/lib/chef/run_context.rb +16 -0
- data/lib/chef/secret_fetcher/hashi_vault.rb +1 -1
- data/lib/chef/version.rb +1 -1
- data/lib/chef/win32/version.rb +2 -1
- data/spec/data/trusted_certs/example.crt +29 -20
- data/spec/data/trusted_certs/example_no_cn.crt +30 -34
- data/spec/data/trusted_certs/opscode.pem +33 -54
- data/spec/functional/resource/chocolatey_package_spec.rb +32 -20
- data/spec/functional/resource/macos_userdefaults_spec.rb +4 -4
- data/spec/functional/resource/windows_certificate_spec.rb +41 -13
- data/spec/functional/resource/windows_font_spec.rb +1 -1
- data/spec/functional/resource/windows_pagefile_spec.rb +31 -4
- data/spec/functional/resource/yum_package_spec.rb +1 -1
- data/spec/functional/shell_spec.rb +6 -0
- data/spec/unit/client_spec.rb +6 -3
- data/spec/unit/compliance/reporter/chef_server_automate_spec.rb +1 -1
- data/spec/unit/daemon_spec.rb +1 -5
- data/spec/unit/dsl/secret_spec.rb +127 -23
- data/spec/unit/mixin/checksum_spec.rb +28 -0
- data/spec/unit/provider/package/chocolatey_spec.rb +19 -3
- data/spec/unit/provider/package/rubygems_spec.rb +1 -1
- data/spec/unit/provider/user/linux_spec.rb +55 -0
- data/spec/unit/resource/chef_client_config_spec.rb +8 -0
- data/spec/unit/resource/macos_user_defaults_spec.rb +4 -4
- data/spec/unit/resource_spec.rb +22 -1
- data/spec/unit/run_context_spec.rb +16 -0
- metadata +48 -54
- /data/spec/functional/assets/chocolatey_feed/{test-A.1.0.nupkg → test-A.1.0.0.nupkg} +0 -0
- /data/spec/functional/assets/chocolatey_feed/{test-A.1.5.nupkg → test-A.1.5.0.nupkg} +0 -0
- /data/spec/functional/assets/chocolatey_feed/{test-A.2.0.nupkg → test-A.2.0.0.nupkg} +0 -0
- /data/spec/functional/assets/chocolatey_feed/{test-B.1.0.nupkg → test-B.1.0.0.nupkg} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{4632d67cb92636e7575d911c24f0e04d3505a944e97c483abe0c3e73a7c62d33-filelists.sqlite.bz2 → 01a3b-filelists.sqlite.bz2} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{bdb4f5f1492a3b9532f22c43110a81500dd744f23da0aec5c33b2a41317c737d-filelists.xml.gz → 401dc-filelists.xml.gz} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{a845d418f919d2115ab95a56b2c76f6825ad0d0bede49181a55c04f58995d057-primary.sqlite.bz2 → 5dc1e-primary.sqlite.bz2} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{74599b793e54d877323837d2d81a1c3c594c44e4335f9528234bb490f7b9b439-other.xml.gz → 6bf96-other.xml.gz} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{af9b7cf9ef23bd7b43068d74a460f3b5d06753d638e58e4a0c9edc35bfb9cdc4-other.sqlite.bz2 → 7c365-other.sqlite.bz2} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{c10d1d34ce99e02f12ec96ef68360543ab1bb7c3cb81a4a2bf78df7d8597e9df-primary.xml.gz → dabe2-primary.xml.gz} +0 -0
@@ -29,7 +29,6 @@ require "chef-utils/dist" unless defined?(ChefUtils::Dist)
|
|
29
29
|
class Chef
|
30
30
|
class Resource
|
31
31
|
class WindowsCertificate < Chef::Resource
|
32
|
-
unified_mode true
|
33
32
|
|
34
33
|
provides :windows_certificate
|
35
34
|
|
@@ -129,14 +128,14 @@ class Chef
|
|
129
128
|
end
|
130
129
|
|
131
130
|
action :delete, description: "Deletes a certificate." do
|
132
|
-
|
131
|
+
cert_is_valid = verify_cert
|
133
132
|
|
134
|
-
if
|
133
|
+
if cert_is_valid == true
|
135
134
|
converge_by("Deleting certificate #{new_resource.source} from Store #{new_resource.store_name}") do
|
136
135
|
delete_cert
|
137
136
|
end
|
138
137
|
else
|
139
|
-
Chef::Log.debug("Certificate
|
138
|
+
Chef::Log.debug("Certificate Not Found")
|
140
139
|
end
|
141
140
|
end
|
142
141
|
|
@@ -146,17 +145,25 @@ class Chef
|
|
146
145
|
end
|
147
146
|
|
148
147
|
if ::File.extname(new_resource.output_path) == ".pfx"
|
149
|
-
|
148
|
+
|
149
|
+
validated_thumbprint = validate_thumbprint(new_resource.source)
|
150
|
+
if validated_thumbprint != false # is the thumbprint valid
|
151
|
+
cert_obj = powershell_exec!(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_resource.output_path, password: new_resource.pfx_password ))
|
152
|
+
else
|
153
|
+
message = "While fetching the certificate, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
|
154
|
+
raise Chef::Exceptions::InvalidKeyAttribute, message
|
155
|
+
end
|
156
|
+
|
150
157
|
else
|
151
158
|
cert_obj = fetch_cert
|
152
159
|
end
|
153
160
|
|
154
|
-
if cert_obj
|
161
|
+
if cert_obj != false && cert_obj != "Certificate Not Found"
|
155
162
|
converge_by("Fetching certificate #{new_resource.source} from Store \\#{ps_cert_location}\\#{new_resource.store_name}") do
|
156
163
|
export_cert(cert_obj, output_path: new_resource.output_path, store_name: new_resource.store_name , store_location: ps_cert_location, pfx_password: new_resource.pfx_password)
|
157
164
|
end
|
158
165
|
else
|
159
|
-
Chef::Log.debug("Certificate
|
166
|
+
Chef::Log.debug("Certificate Not Found")
|
160
167
|
end
|
161
168
|
end
|
162
169
|
|
@@ -187,7 +194,7 @@ class Chef
|
|
187
194
|
|
188
195
|
def delete_cert
|
189
196
|
store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
|
190
|
-
store.delete(
|
197
|
+
store.delete(validate_thumbprint(new_resource.source))
|
191
198
|
end
|
192
199
|
|
193
200
|
def fetch_cert
|
@@ -196,17 +203,16 @@ class Chef
|
|
196
203
|
fetch_key
|
197
204
|
|
198
205
|
else
|
199
|
-
store.get(
|
206
|
+
store.get(validate_thumbprint(new_resource.source))
|
200
207
|
end
|
201
208
|
end
|
202
209
|
|
203
210
|
def fetch_key
|
204
211
|
require "openssl" unless defined?(OpenSSL)
|
205
212
|
file_name = ::File.basename(new_resource.output_path, ::File.extname(new_resource.output_path))
|
206
|
-
directory = ::File.dirname(new_resource.output_path)
|
207
213
|
pfx_file = file_name + ".pfx"
|
208
214
|
new_pfx_output_path = ::File.join(Chef::FileCache.create_cache_path("pfx_files"), pfx_file)
|
209
|
-
powershell_exec(pfx_ps_cmd(
|
215
|
+
powershell_exec(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_pfx_output_path, password: new_resource.pfx_password ))
|
210
216
|
pkcs12 = OpenSSL::PKCS12.new(::File.binread(new_pfx_output_path), new_resource.pfx_password)
|
211
217
|
f = ::File.open(new_resource.output_path, "w")
|
212
218
|
f.write(pkcs12.key.to_s)
|
@@ -245,10 +251,6 @@ class Chef
|
|
245
251
|
::File.file?(source)
|
246
252
|
end
|
247
253
|
|
248
|
-
def is_file?(source)
|
249
|
-
::File.file?(source)
|
250
|
-
end
|
251
|
-
|
252
254
|
# Thumbprints should be exactly 40 Hex characters
|
253
255
|
def valid_thumbprint?(string)
|
254
256
|
string.match?(/[0-9A-Fa-f]/) && string.length == 40
|
@@ -261,29 +263,29 @@ class Chef
|
|
261
263
|
GETTHUMBPRINTCODE
|
262
264
|
end
|
263
265
|
|
264
|
-
def
|
265
|
-
return
|
266
|
-
|
267
|
-
|
266
|
+
def validate_thumbprint(thumbprint)
|
267
|
+
# valid_thumbprint can return false under at least 2 conditions:
|
268
|
+
# one is that the thumbprint is in fact busted
|
269
|
+
# the second is that the thumbprint is valid but belongs to an expired certificate already installed
|
270
|
+
results = valid_thumbprint?(thumbprint)
|
271
|
+
results == true ? thumbprint : false
|
268
272
|
end
|
269
273
|
|
270
|
-
# Checks
|
271
|
-
# is
|
272
|
-
# If the certificate is not present, verify_cert returns a String: "Certificate not found"
|
273
|
-
# But if it is present but expired, it returns a Boolean: false
|
274
|
-
# Otherwise, it returns a Boolean: true
|
275
|
-
# updated this method to accept either a subject name or a thumbprint - 1/29/2021
|
276
|
-
|
274
|
+
# Checks to make sure whether the cert is found or not
|
275
|
+
# if it IS found, is it still valid - has it expired?
|
277
276
|
def verify_cert(thumbprint = new_resource.source)
|
278
277
|
store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
|
279
|
-
|
280
|
-
|
278
|
+
validated_thumbprint = validate_thumbprint(thumbprint)
|
279
|
+
if validated_thumbprint != false
|
280
|
+
result = store.valid?(thumbprint)
|
281
|
+
result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
|
281
282
|
else
|
282
|
-
|
283
|
+
message = "While verifying the certificate, was passed the following invalid certificate thumbprint : #{thumbprint}\n"
|
284
|
+
raise Chef::Exceptions::InvalidKeyAttribute, message
|
283
285
|
end
|
284
286
|
end
|
285
287
|
|
286
|
-
# this
|
288
|
+
# this structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores
|
287
289
|
# Secondly, we need to pass the proper constant name for each store to win32-certstore but also pass the short name to powershell scripts used here
|
288
290
|
def ps_cert_location
|
289
291
|
new_resource.user_store ? "CurrentUser" : "LocalMachine"
|
@@ -436,7 +438,7 @@ class Chef
|
|
436
438
|
end
|
437
439
|
|
438
440
|
def export_cert(cert_obj, output_path:, store_name:, store_location:, pfx_password:)
|
439
|
-
# Delete the cert if it exists
|
441
|
+
# Delete the cert if it exists on disk already.
|
440
442
|
# We want to ensure we're not randomly loading an old stinky cert.
|
441
443
|
if ::File.exists?(output_path)
|
442
444
|
::File.delete(output_path)
|
@@ -460,7 +462,20 @@ class Chef
|
|
460
462
|
cert_out = shell_out("openssl x509 -text -inform DER -in #{cert_obj} -outform CRT").stdout
|
461
463
|
out_file.puts(cert_out)
|
462
464
|
when ".pfx"
|
463
|
-
|
465
|
+
validated_thumbprint = validate_thumbprint(new_resource.source)
|
466
|
+
if validated_thumbprint != false # is the thumbprint valid
|
467
|
+
store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
|
468
|
+
result = store.valid?(new_resource.source) # is there a cert in the store matching that thumbprint
|
469
|
+
temp = result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
|
470
|
+
if temp == true
|
471
|
+
pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: store_location, store_name: store_name, output_path: output_path, password: pfx_password )
|
472
|
+
else
|
473
|
+
Chef::Log.debug("The requested certificate is not found or has expired")
|
474
|
+
end
|
475
|
+
else
|
476
|
+
message = "While exporting the pfx, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
|
477
|
+
raise Chef::Exceptions::InvalidKeyAttribute, message
|
478
|
+
end
|
464
479
|
when ".p7b"
|
465
480
|
cert_out = shell_out("openssl pkcs7 -export -nokeys -in #{cert_obj.to_pem} -outform P7B").stdout
|
466
481
|
out_file.puts(cert_out)
|
@@ -481,14 +496,11 @@ class Chef
|
|
481
496
|
#
|
482
497
|
def import_certificates(cert_objs, is_pfx, store_name: new_resource.store_name, store_location: native_cert_location)
|
483
498
|
[cert_objs].flatten.each do |cert_obj|
|
484
|
-
# thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
|
485
|
-
# pkcs = OpenSSL::PKCS12.new(cert_obj, new_resource.pfx_password)
|
486
|
-
# cert = OpenSSL::X509::Certificate.new(pkcs.certificate.to_pem)
|
487
499
|
thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
|
488
|
-
if
|
489
|
-
|
490
|
-
|
491
|
-
|
500
|
+
if verify_cert(thumbprint) == true
|
501
|
+
Chef::Log.debug("Certificate is already present")
|
502
|
+
elsif verify_cert(thumbprint) == false # Not found already in the CertStore
|
503
|
+
if is_pfx
|
492
504
|
if is_file?(new_resource.source)
|
493
505
|
converge_by("Creating a PFX #{new_resource.source} for Store #{new_resource.store_name}") do
|
494
506
|
add_pfx_cert(new_resource.source)
|
@@ -502,15 +514,14 @@ class Chef
|
|
502
514
|
message << exception.message
|
503
515
|
raise Chef::Exceptions::ArgumentError, message
|
504
516
|
end
|
505
|
-
end
|
506
|
-
else
|
507
|
-
if verify_cert(thumbprint) == true
|
508
|
-
Chef::Log.debug("Certificate is already present")
|
509
517
|
else
|
510
518
|
converge_by("Creating a certificate #{new_resource.source} for Store #{new_resource.store_name}") do
|
511
519
|
add_cert(cert_obj)
|
512
520
|
end
|
513
521
|
end
|
522
|
+
else
|
523
|
+
message = "Certificate could not be imported"
|
524
|
+
raise Chef::Exceptions::CertificateNotImportable, message
|
514
525
|
end
|
515
526
|
end
|
516
527
|
end
|
@@ -88,7 +88,7 @@ class Chef
|
|
88
88
|
if automatic_managed
|
89
89
|
set_automatic_managed unless automatic_managed?
|
90
90
|
elsif automatic_managed == false
|
91
|
-
unset_automatic_managed
|
91
|
+
unset_automatic_managed
|
92
92
|
else
|
93
93
|
pagefile = clarify_pagefile_name
|
94
94
|
initial_size = new_resource.initial_size
|
@@ -149,10 +149,12 @@ class Chef
|
|
149
149
|
def exists?(pagefile)
|
150
150
|
@exists ||= begin
|
151
151
|
logger.trace("Checking if #{pagefile} exists by running: Get-CimInstance Win32_PagefileSetting | Where-Object { $_.name -eq $($pagefile)} ")
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
152
|
+
powershell_code = <<~CODE
|
153
|
+
$page_file_name = '#{pagefile}';
|
154
|
+
$pagefile = Get-CimInstance Win32_PagefileSetting | Where-Object { $_.name -eq $($page_file_name)}
|
155
|
+
if ([string]::IsNullOrEmpty($pagefile)) { return $false } else { return $true }
|
156
|
+
CODE
|
157
|
+
powershell_exec!(powershell_code).result
|
156
158
|
end
|
157
159
|
end
|
158
160
|
|
@@ -164,13 +166,17 @@ class Chef
|
|
164
166
|
# @return [Boolean]
|
165
167
|
def max_and_min_set?(pagefile, min, max)
|
166
168
|
logger.trace("Checking if #{pagefile} has max and initial disk size values set")
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
171
|
-
|
172
|
-
|
173
|
-
|
169
|
+
|
170
|
+
powershell_code = <<-CODE
|
171
|
+
$page_file = '#{pagefile}';
|
172
|
+
$driveLetter = $page_file.split(':')[0];
|
173
|
+
$page_file_settings = Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -Property * -ErrorAction Stop;
|
174
|
+
if ($page_file_settings.InitialSize -eq #{min} -and $page_file_settings.MaximumSize -eq #{max})
|
175
|
+
{ return $true }
|
176
|
+
else
|
177
|
+
{ return $false }
|
178
|
+
CODE
|
179
|
+
powershell_exec!(powershell_code).result
|
174
180
|
end
|
175
181
|
|
176
182
|
# create a pagefile
|
@@ -225,12 +231,14 @@ class Chef
|
|
225
231
|
|
226
232
|
# turn off automatic management of all pagefiles by Windows
|
227
233
|
def unset_automatic_managed
|
228
|
-
|
229
|
-
|
230
|
-
|
231
|
-
|
232
|
-
|
233
|
-
|
234
|
+
if automatic_managed?
|
235
|
+
converge_by("Turn off Automatically Managed on pagefiles") do
|
236
|
+
logger.trace("Running Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru")
|
237
|
+
powershell_exec! <<~EOH
|
238
|
+
$sys = Get-CimInstance Win32_ComputerSystem -Property *
|
239
|
+
Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru
|
240
|
+
EOH
|
241
|
+
end
|
234
242
|
end
|
235
243
|
end
|
236
244
|
|
@@ -240,14 +248,13 @@ class Chef
|
|
240
248
|
# @param [String] min the minimum size of the pagefile
|
241
249
|
# @param [String] max the minimum size of the pagefile
|
242
250
|
def set_custom_size(pagefile, min, max)
|
251
|
+
unset_automatic_managed
|
243
252
|
converge_by("set #{pagefile} to InitialSize=#{min} & MaximumSize=#{max}") do
|
244
253
|
logger.trace("Set-CimInstance -Property @{InitialSize = #{min} MaximumSize = #{max}")
|
245
254
|
powershell_exec! <<~EOD
|
246
255
|
$page_file = "#{pagefile}"
|
247
256
|
$driveLetter = $page_file.split(':')[0]
|
248
|
-
Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -ErrorAction Stop | Set-CimInstance -Property @{
|
249
|
-
InitialSize = #{min}
|
250
|
-
MaximumSize = #{max}}
|
257
|
+
Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -ErrorAction Stop | Set-CimInstance -Property @{InitialSize = #{min}; MaximumSize = #{max};}
|
251
258
|
EOD
|
252
259
|
end
|
253
260
|
end
|
@@ -24,7 +24,7 @@ class Chef
|
|
24
24
|
unified_mode true
|
25
25
|
|
26
26
|
provides :windows_user_privilege
|
27
|
-
description "The windows_user_privilege resource allows to add
|
27
|
+
description "The windows_user_privilege resource allows to add a privilege to a principal or (User/Group).\n Ref: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment"
|
28
28
|
|
29
29
|
introduced "16.0"
|
30
30
|
|
@@ -39,23 +39,32 @@ class Chef
|
|
39
39
|
end
|
40
40
|
```
|
41
41
|
|
42
|
-
**
|
42
|
+
**Provide only the Builtin Guests and Administrator Groups with the SeCreatePageFile Privilege**:
|
43
|
+
|
44
|
+
```ruby
|
45
|
+
windows_user_privilege 'Create Pagefile' do
|
46
|
+
privilege 'SeCreatePagefilePrivilege'
|
47
|
+
users ['BUILTIN\\Guests', 'BUILTIN\\Administrators']
|
48
|
+
action :set
|
49
|
+
end
|
50
|
+
```
|
51
|
+
|
52
|
+
**Add the SeDenyRemoteInteractiveLogonRight Privilege to the 'Remote interactive logon' principal**:
|
43
53
|
|
44
54
|
```ruby
|
45
55
|
windows_user_privilege 'Remote interactive logon' do
|
46
56
|
privilege 'SeDenyRemoteInteractiveLogonRight'
|
47
|
-
users ['Builtin\\Guests', 'NT AUTHORITY\\Local Account']
|
48
57
|
action :add
|
49
58
|
end
|
50
59
|
```
|
51
60
|
|
52
|
-
**
|
61
|
+
**Add to the Builtin Guests Group the SeCreatePageFile Privilege**:
|
53
62
|
|
54
63
|
```ruby
|
55
|
-
windows_user_privilege 'Create Pagefile' do
|
64
|
+
windows_user_privilege 'Guests add Create Pagefile' do
|
65
|
+
principal 'BUILTIN\\Guests'
|
56
66
|
privilege 'SeCreatePagefilePrivilege'
|
57
|
-
|
58
|
-
action :set
|
67
|
+
action :add
|
59
68
|
end
|
60
69
|
```
|
61
70
|
|
@@ -90,6 +99,7 @@ class Chef
|
|
90
99
|
SeCreateSymbolicLinkPrivilege
|
91
100
|
SeCreateTokenPrivilege
|
92
101
|
SeDebugPrivilege
|
102
|
+
SeDelegateSessionUserImpersonatePrivilege
|
93
103
|
SeDenyBatchLogonRight
|
94
104
|
SeDenyInteractiveLogonRight
|
95
105
|
SeDenyNetworkLogonRight
|
@@ -126,20 +136,20 @@ class Chef
|
|
126
136
|
}.freeze
|
127
137
|
|
128
138
|
property :principal, String,
|
129
|
-
|
130
|
-
|
139
|
+
description: "An optional property to add the privilege for given principal. Use only with add and remove action. Principal can either be a User/Group or one of special identities found here Ref: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/special-identities",
|
140
|
+
name_property: true
|
131
141
|
|
132
142
|
property :users, [Array, String],
|
133
|
-
|
134
|
-
|
143
|
+
description: "An optional property to set the privilege for given users. Use only with set action.",
|
144
|
+
coerce: proc { |v| Array(v) }
|
135
145
|
|
136
146
|
property :privilege, [Array, String],
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
147
|
+
description: "One or more privileges to set for principal or users/groups. For more information on what each privilege does Ref: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment",
|
148
|
+
required: true,
|
149
|
+
coerce: proc { |v| Array(v) },
|
150
|
+
callbacks: {
|
151
|
+
"Privilege property restricted to the following values: #{PRIVILEGE_OPTS}" => lambda { |n| (n - PRIVILEGE_OPTS).empty? },
|
152
|
+
}, identity: true
|
143
153
|
|
144
154
|
load_current_value do |new_resource|
|
145
155
|
if new_resource.principal && (new_resource.action.include?(:add) || new_resource.action.include?(:remove))
|
@@ -147,15 +157,15 @@ class Chef
|
|
147
157
|
end
|
148
158
|
end
|
149
159
|
|
150
|
-
action :add, description: "Add a
|
151
|
-
([*new_resource.privilege] - [*current_resource.privilege]).each do |
|
152
|
-
converge_by("adding
|
153
|
-
Chef::ReservedNames::Win32::Security.add_account_right(new_resource.principal,
|
160
|
+
action :add, description: "Add a privileges to a principal." do
|
161
|
+
([*new_resource.privilege] - [*current_resource.privilege]).each do |principal_right|
|
162
|
+
converge_by("adding principal '#{new_resource.principal}' privilege #{principal_right}") do
|
163
|
+
Chef::ReservedNames::Win32::Security.add_account_right(new_resource.principal, principal_right)
|
154
164
|
end
|
155
165
|
end
|
156
166
|
end
|
157
167
|
|
158
|
-
action :set, description: "Set the privileges that are listed in the `privilege` property for only the users listed in the `users` property." do
|
168
|
+
action :set, description: "Set the privileges that are listed in the `privilege` property for only the users listed in the `users` property. All other users not listed with given privilege will be have the privilege removed." do
|
159
169
|
if new_resource.users.nil? || new_resource.users.empty?
|
160
170
|
raise Chef::Exceptions::ValidationFailed, "Users are required property with set action."
|
161
171
|
end
|
@@ -204,7 +214,7 @@ class Chef
|
|
204
214
|
end
|
205
215
|
end
|
206
216
|
|
207
|
-
action :remove, description: "Remove a
|
217
|
+
action :remove, description: "Remove a principal privilege" do
|
208
218
|
curr_res_privilege = current_resource.privilege
|
209
219
|
missing_res_privileges = (new_resource.privilege - curr_res_privilege)
|
210
220
|
|
@@ -212,9 +222,9 @@ class Chef
|
|
212
222
|
Chef::Log.info("User \'#{new_resource.principal}\' for Privilege: #{missing_res_privileges.join(", ")} not found. Nothing to remove.")
|
213
223
|
end
|
214
224
|
|
215
|
-
(new_resource.privilege - missing_res_privileges).each do |
|
216
|
-
converge_by("removing
|
217
|
-
Chef::ReservedNames::Win32::Security.remove_account_right(new_resource.principal,
|
225
|
+
(new_resource.privilege - missing_res_privileges).each do |principal_right|
|
226
|
+
converge_by("removing principal #{new_resource.principal} from privilege #{principal_right}") do
|
227
|
+
Chef::ReservedNames::Win32::Security.remove_account_right(new_resource.principal, principal_right)
|
218
228
|
end
|
219
229
|
end
|
220
230
|
end
|
data/lib/chef/resource.rb
CHANGED
@@ -660,7 +660,8 @@ class Chef
|
|
660
660
|
text << "#{resource_name}(\"#{name}\") do\n"
|
661
661
|
|
662
662
|
all_props = {}
|
663
|
-
|
663
|
+
|
664
|
+
self.class.sensitive_properties.map do |p|
|
664
665
|
|
665
666
|
all_props[p.name.to_s] = p.sensitive? ? '"*sensitive value suppressed*"' : value_to_text(p.get(self))
|
666
667
|
rescue Chef::Exceptions::ValidationFailed
|
data/lib/chef/run_context.rb
CHANGED
@@ -145,6 +145,16 @@ class Chef
|
|
145
145
|
#
|
146
146
|
attr_accessor :input_collection
|
147
147
|
|
148
|
+
#
|
149
|
+
# @return [Symbol, nil]
|
150
|
+
#
|
151
|
+
attr_accessor :default_secret_service
|
152
|
+
|
153
|
+
#
|
154
|
+
# @return [Hash<Symbol,Object>]
|
155
|
+
#
|
156
|
+
attr_accessor :default_secret_config
|
157
|
+
|
148
158
|
# Pointer back to the Chef::Runner that created this
|
149
159
|
#
|
150
160
|
attr_accessor :runner
|
@@ -222,6 +232,8 @@ class Chef
|
|
222
232
|
@input_collection = Chef::Compliance::InputCollection.new(events)
|
223
233
|
@waiver_collection = Chef::Compliance::WaiverCollection.new(events)
|
224
234
|
@profile_collection = Chef::Compliance::ProfileCollection.new(events)
|
235
|
+
@default_secret_service = nil
|
236
|
+
@default_secret_config = {}
|
225
237
|
|
226
238
|
initialize_child_state
|
227
239
|
end
|
@@ -693,6 +705,10 @@ class Chef
|
|
693
705
|
cookbook_collection
|
694
706
|
cookbook_collection=
|
695
707
|
cookbook_compiler
|
708
|
+
default_secret_config
|
709
|
+
default_secret_config=
|
710
|
+
default_secret_service
|
711
|
+
default_secret_service=
|
696
712
|
definitions
|
697
713
|
events
|
698
714
|
events=
|
@@ -112,7 +112,7 @@ class Chef
|
|
112
112
|
raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name")
|
113
113
|
end
|
114
114
|
|
115
|
-
Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new)
|
115
|
+
Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new, Vault.address)
|
116
116
|
else
|
117
117
|
raise Chef::Exceptions::Secret::ConfigurationInvalid.new("Invalid :auth_method provided. You gave #{config[:auth_method]}, expected one of :#{SUPPORTED_AUTH_TYPES.join(", :")} ")
|
118
118
|
end
|
data/lib/chef/version.rb
CHANGED
data/lib/chef/win32/version.rb
CHANGED
@@ -51,7 +51,8 @@ class Chef
|
|
51
51
|
WIN_VERSIONS = {
|
52
52
|
"Windows Server 2022" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number >= 20348 } },
|
53
53
|
"Windows Server 2019" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number >= 17763 && build_number < 20348 } },
|
54
|
-
"Windows
|
54
|
+
"Windows 11" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION && build_number >= 22000 } },
|
55
|
+
"Windows 10" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION && build_number >= 19044 && build_number < 22000 } },
|
55
56
|
"Windows Server 2016" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number <= 14393 } },
|
56
57
|
"Windows 8.1" => { major: 6, minor: 3, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION } },
|
57
58
|
"Windows Server 2012 R2" => { major: 6, minor: 3, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION } },
|
@@ -1,22 +1,31 @@
|
|
1
1
|
-----BEGIN CERTIFICATE-----
|
2
|
-
|
3
|
-
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
/
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
2
|
+
MIIFPTCCAyWgAwIBAgIUPv2sKSZA+KW0a4LxgUhiZG48AkswDQYJKoZIhvcNAQEL
|
3
|
+
BQAwFzEVMBMGA1UEAwwMZXhhbXBsZS4uY29tMB4XDTIzMTAxNjE2MzM1M1oXDTMz
|
4
|
+
MTAxMzE2MzM1M1owFzEVMBMGA1UEAwwMZXhhbXBsZS4uY29tMIICIjANBgkqhkiG
|
5
|
+
9w0BAQEFAAOCAg8AMIICCgKCAgEA1NKZJQY7B8xGnaERMX4laepq3u00q1nSDS6j
|
6
|
+
03qd1zZkW+ofMFlH5plBvULNO1jdAH9WwyMAwLu87R1QOx9fEz06J81Wtu7jheOU
|
7
|
+
EHzn6NwWkUaX+j1oaIHIXrYnrUn5sW8w2wFEky82gPEG5SiZ6otKV2whX1ckSa3W
|
8
|
+
ReFihEO/2/zxOEA0QzfIxFDW92wyAMDNM2/O/AMQB2jVxtWhYiqePXVUfQrIrLW1
|
9
|
+
ytNmIWl7hoIHfVPgEoGLRe7kbT/QMTCd/lNrzF/rxUo+Aohq3WmVOdUCL4KdDnKS
|
10
|
+
tlQFf8L4+9t19KiM9xX4GRMk9WWONk8rHln842ziv00bgD0rB3yZHlHJfGpkLdKv
|
11
|
+
VZgcMHp31ZqVFzHapqHmXBVyEqxRIZSkZX4PN5bEdigz3Exf/vys+NAZKyJw35tn
|
12
|
+
kF0+V/+vLlbvqZz98DDj+/KGgy7vaF3tBYBAC4px5yvnicDlBZS0GlrF1fufWQRQ
|
13
|
+
94n8LVcG47XjaEOufpzj5Xm6ZzTYDyiqO1+mszU6BQH8W8N+sZ+q7hPBkgRZ/WJF
|
14
|
+
gXzNh5KPeDv47oXadYXOqNzXR7wkC11H5hmgQFrDCjuc0zTi/y7Iq+NxpkuQJIDD
|
15
|
+
/4yNVTHM6GZSeBDH7rpkjL6coShU6fu2QxSofltpz4QxNtbquRtt3A2Se7obhC9g
|
16
|
+
OeZfIqsCAwEAAaOBgDB+MB0GA1UdDgQWBBQ8JrC+u1bsL4QTJuIkH4MyZ2+ZWzAf
|
17
|
+
BgNVHSMEGDAWgBQ8JrC+u1bsL4QTJuIkH4MyZ2+ZWzAPBgNVHRMBAf8EBTADAQH/
|
18
|
+
MCsGA1UdEQQkMCKCC2V4YW1wbGUuY29tgg0qLmV4YW1wbGUuY29thwQKAAABMA0G
|
19
|
+
CSqGSIb3DQEBCwUAA4ICAQAVFkQdpfoxzNu2VyhCtrCT8a1PA7Ko+ziPR0GWBxag
|
20
|
+
kB3NRGzCVXENuX8OjLAsBRrYDTeUwIZJD2MWLqkhqs+8Bw08c9jdyezeWmgAL0I8
|
21
|
+
aTiPET3CwVME78JPvxAJjmdayYFanniAbE3GMk+Bf2pvFTdPI8etY6Brv+uqBbyb
|
22
|
+
9pFspp2U05KRqTukVW2YJnWKfMR4VIBzOEA1maGwVMgnC3YPm3qsYqxXqr/jLDCg
|
23
|
+
/EFoozne5/mNmvhSKWOUB1gsuv+3wiUOL6aZETY7RJPQADpHhJntCSeapb5DWhyr
|
24
|
+
ZzUPGHbAyWqbfwmt7b9Pga4fQOihxi4Nf2ZnnMy32HQVqz2sOU7Fo/5rfejEQfGP
|
25
|
+
jxt9b69Hydc3MQJF+eQVYS+NzaZyCX05kLqcGmIP4WKhjx3BkMaZVwjmYfE9WgKR
|
26
|
+
Lcwq0aoz4Guh7Q0yICUc0PvxWLAkiXYFhthg05ZplTd+HgY3XCdO4DyG7lgL4b9t
|
27
|
+
T6oqZv/7ivJbwTrvQXr6gGPhVq+120/mEw2qsdaQAp8v1ac5UgdCTViDkT45Ivox
|
28
|
+
dS8VaqlVymvnLWAXtN92kQeb7bAhRmMZMNpFicFm8VS+alfijQDwhW5kOGpqtCrO
|
29
|
+
f3QWYOehrqmHIuKw4ZhCYIy/OWkHR2j5iiZl8RFN2KhHZwLcmQTyxLaBk3SX1kCl
|
30
|
+
qA==
|
22
31
|
-----END CERTIFICATE-----
|
@@ -1,36 +1,32 @@
|
|
1
1
|
-----BEGIN CERTIFICATE-----
|
2
|
-
|
3
|
-
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
wRSvwk/VHifYPxJ54RRB51ebYjmD1j41tRseHdFq21qpXSvr9DFLUJBvdN9zA/6t
|
33
|
-
xCBlXAdYxD0n0/bruUYNoXBeMhLp+WKSAQvTlVIyqoNQCo1OBBzBVNg9otl3jw5d
|
34
|
-
1QOhodRqmS5UQAJptuXtk8WN8OZqMCCeogIfdpa5tJG+/fxFML9EvqedS4c05Wf/
|
35
|
-
oYdVLVWSjyoA2l4Xb4LdexAgCg==
|
2
|
+
MIIFkzCCA3ugAwIBAgIUFwXNNBdNYJ9+hvGdKqTqEF+XwiMwDQYJKoZIhvcNAQEL
|
3
|
+
BQAwQjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkZMMRQwEgYDVQQKDAtFeGFtcGxl
|
4
|
+
IENvbTEQMA4GA1UECwwHVW5rbm93bjAeFw0yMzEwMTYxNjQ1NTlaFw0zMzEwMTMx
|
5
|
+
NjQ1NTlaMEIxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJGTDEUMBIGA1UECgwLRXhh
|
6
|
+
bXBsZSBDb20xEDAOBgNVBAsMB1Vua25vd24wggIiMA0GCSqGSIb3DQEBAQUAA4IC
|
7
|
+
DwAwggIKAoICAQC+Hzs1xpvg7sPFIry6LO0IIvERaP2ncmQd3lPhQ1nRHqAv2Tkq
|
8
|
+
dSNxJ0kadXw015Ze6n7+L5o8PXqPwFooaFLHqJv/iBWQvEBBCoaRoKF1mNMaaQ7c
|
9
|
+
dD22bSeG5R01Silnewzt6fG2TdQ3hVjLMsApLEzYCUpqWXvYy/+Aqixfg9nTN+sH
|
10
|
+
3xHTibNS69LDD+xDQ3q1IDAqLxvF7zBir5UQ7XbK2D2QrgEQ+OM5rXbkcM3KFIh0
|
11
|
+
bGKN7NyP202drGwcTy3DDq5ojfyC9fIRT2YuAAAZO6UFRmc9Dr59F1ukGe6m4lxq
|
12
|
+
4u4Pj0LlLdB8ufbCb5wr7bRXuGCWfwGAQrK9z5YlTxoCb9wmA80spM7xSQRewAb6
|
13
|
+
ibJB9FwdjItwZf2YkMmSy3lt63HunN62DvlfvHzQBd5sfNSOX09i/VCxuy2xget2
|
14
|
+
F2ToOyWpjLt/+Vqni8S8ZiD9M8X0lWApwtkDWDxFMFPSAPlerqCcQANhGN3PKSMj
|
15
|
+
jHxU20oNxs6LkxQJPLJZCkBz2Y2ND6dXY0B9UuxM5HsFQb6CdYhsdWUPYUXMf1Jy
|
16
|
+
zlXHb6j6XCFvrx9Wf5WVw1ubEWMVBZEqHpLsR4p0gnHwcZFGa0PcQj2LncevRglt
|
17
|
+
qTWfHnupxlzAjkZefahG9Lp0WJgG3y2kMiTIL2sSsJGvybbatAvw83RBrwIDAQAB
|
18
|
+
o4GAMH4wHQYDVR0OBBYEFEhnFG/xXEKQa/jFbs4EZKh2r1vCMB8GA1UdIwQYMBaA
|
19
|
+
FEhnFG/xXEKQa/jFbs4EZKh2r1vCMA8GA1UdEwEB/wQFMAMBAf8wKwYDVR0RBCQw
|
20
|
+
IoILZXhhbXBsZS5jb22CDSouZXhhbXBsZS5jb22HBAoAAAEwDQYJKoZIhvcNAQEL
|
21
|
+
BQADggIBAFItDIIoQLS377pgmAcTMADW4b4T5SL7cqhukgvg81l0hAJLzE5cCdqu
|
22
|
+
8UTR3N+uvwVq0SnP5fuNoyBfcL52NeCaQZMO8N4IEd1VDjwu1XXxav+AbWwaT4Yo
|
23
|
+
OPDWIGGjkCtf2xZsXWFQ0xW+68bZvD6hN9yKp+W2bu1UFqcKCiY/Klhol+2t3eLX
|
24
|
+
xP/fM4nMo6iMZhY4FQCWI/NKbuFPwzHLtrrBURCoX50+fvekOdfRHq771mJvzZKE
|
25
|
+
AAIKAvYoYdFfeuaX5N9/UNjMhZ92mw1IIsdbmsCxvHrWsrczmXeP3u1lvxQnkjWL
|
26
|
+
vg3Zpdv2a0vpYx6nSunko0XA7qnoE+0gdP/uRhMaGiE9QCu3KdZji62gKHuxgc+u
|
27
|
+
/i23kmyqOTC36o/a725eb6fMnGFVSxQ0DXlPSPQnJ2tsGMAM37fxoPfF9IamrmdD
|
28
|
+
Q0Usia+XzBckD0sSG8j50x2of9NS3vFFgWM1Cas55XWzlkDGbIJMlrKOj01bUYNq
|
29
|
+
ltmMfavmpMPA86p8QHRmWlQhtgu+OK/8RxmGtQdtBi8Gdk3mNMkokSQCVcDWvNhX
|
30
|
+
pVFCGya51orBgbWqxbAsIeiv7Pl85edXm8KolJ389xkXqFvX31hme5KnyBhCcRrv
|
31
|
+
EZbXRhY3O58t7SlKWVCnx/JmEkJcRJtZaEReF1LbBayExYNnj/sD
|
36
32
|
-----END CERTIFICATE-----
|