chef 17.10.0 → 18.0.169

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6ac04518e7a36c9f65ca1a131832704645b078bf0290708683d6dd5cfeb8975c
-  data.tar.gz: 339602296915ea1c25bd3581db776b7478f109a1a6b0e6b1b887113357ebf0c9
+  metadata.gz: a87965b9d23cae217ee13ee9c4944a7558d55bfb6124eed4b09852305a4dc1c2
+  data.tar.gz: dfb528c686c6e0d708e2ce1610ed6e51f2a1b7e078548c472873bb15c942127d
 SHA512:
-  metadata.gz: 1abbcfb133838d1b902a033589f24529331dea60e4da3c6678c1e1e666c29601175671ca837e23ea7e0a02ed327a1b7a8be0ee9bf73a62cf9a994634bf909ff0
-  data.tar.gz: 4bae17edf6da41be96f21055a3d9d456b57c75e04f4faeb9155af8ee23d5d43a6f3c6952c06131473a3818e461c941ddeb482f92cf46c7e18553bbef1f4ebc9f
+  metadata.gz: 66df75dfd9ed14186747c2f4f4f89abe73b1cd00d798a1e68ad4219a6694ac1aad5d05228c85d9af75b86bd14b30c5222342be69a6503ff44453192e0970e722
+  data.tar.gz: dcda678decee792fc8b144f846b3eb268c4e0aa619afbebd2b67c2ad3a71bb72ea3c0032f349060b461042cacc50eb1e27e5de00722f37e43274e1f89e627246

data/Gemfile

@@ -2,8 +2,12 @@ source "https://rubygems.org"
 
 gem "chef", path: "."
 
-gem "ohai", git: "https://github.com/chef/ohai.git", branch: "17-stable"
+gem "ohai", git: "https://github.com/chef/ohai.git", branch: "main"
 
+# Nwed to file a bug with rest-client. In the meantime, we can use this until they accept the update.
+gem "rest-client", git: "https://github.com/chef/rest-client", branch: "jfm/ucrt_update1"
+
+gem "ffi", ">= 1.15.5"
 gem "chef-utils", path: File.expand_path("chef-utils", __dir__) if File.exist?(File.expand_path("chef-utils", __dir__))
 gem "chef-config", path: File.expand_path("chef-config", __dir__) if File.exist?(File.expand_path("chef-config", __dir__))
 
@@ -15,12 +19,12 @@ else
   gem "chef-bin" # rubocop:disable Bundler/DuplicatedGem
 end
 
-gem "cheffish", "~> 17.0"
+gem "cheffish", ">= 17"
 
 group(:omnibus_package) do
   gem "appbundler"
   gem "rb-readline"
-  gem "inspec-core-bin", "~> 4.24" # need to provide the binaries for inspec
+  gem "inspec-core-bin", ">= 5" # need to provide the binaries for inspec
   gem "chef-vault"
 end
 
@@ -33,10 +37,13 @@ group(:omnibus_package, :pry) do
   gem "pry-stack_explorer"
 end
 
+# proxifier gem is busted on ruby 3.1 and seems abandoned so use git fork of gem
+gem "proxifier", git: "https://github.com/chef/ruby-proxifier", branch: "lcg/ruby-3"
+
 # Everything except AIX and Windows
 group(:ruby_shadow) do
   # if ruby-shadow does a release that supports ruby-3.0 this can be removed
-  gem "ruby-shadow", git: "https://github.com/chef/ruby-shadow", branch: "lcg/ruby-3.0", platforms: :ruby
+  gem "ruby-shadow", git: "https://github.com/chef/ruby-shadow", branch: "lcg/ruby-3.0", platforms: :ruby unless RUBY_PLATFORM == "x64-mingw-ucrt"
 end
 
 # deps that cannot be put in the knife gem because they require a compiler and fail on windows nodes
@@ -51,10 +58,11 @@ group(:development, :test) do
   gem "fauxhai-ng" # for chef-utils gem
 end
 
-group(:chefstyle) do
-  # for testing new chefstyle rules
-  gem "chefstyle", git: "https://github.com/chef/chefstyle.git", branch: "main"
-end
+gem "chefstyle"
+# group(:chefstyle) do
+#   # for testing new chefstyle rules
+#   gem "chefstyle", git: "https://github.com/chef/chefstyle.git", branch: "main"
+# end
 
 instance_eval(ENV["GEMFILE_MOD"]) if ENV["GEMFILE_MOD"]
 

data/README.md

@@ -1,16 +1,16 @@
 # Chef Infra
 [![Code Climate](https://codeclimate.com/github/chef/chef.svg)](https://codeclimate.com/github/chef/chef)
-[![Build Status](https://badge.buildkite.com/c82093430ceec7d27af05febb9dcafe3aa331fff9d74c0ab9d.svg?branch=chef-17)](https://buildkite.com/chef-oss/chef-chef-chef-17-verify)
+[![Build Status](https://badge.buildkite.com/c82093430ceec7d27af05febb9dcafe3aa331fff9d74c0ab9d.svg?branch=main)](https://buildkite.com/chef-oss/chef-chef-main-verify)
 [![Gem Version](https://badge.fury.io/rb/chef.svg)](https://badge.fury.io/rb/chef)
-[![](https://img.shields.io/badge/Release%20Policy-Cadence%20Release-brightgreen.svg)](https://github.com/chef/chef/blob/master/docs/dev/design_documents/client_release_cadence.md)
+[![](https://img.shields.io/badge/Release%20Policy-Cadence%20Release-brightgreen.svg)](https://github.com/chef/chef/blob/main/docs/dev/design_documents/client_release_cadence.md)
 
-**Umbrella Project**: [Chef Infra](https://github.com/chef/chef-oss-practices/blob/master/projects/chef-infra.md)
+**Umbrella Project**: [Chef Infra](https://github.com/chef/chef-oss-practices/blob/main/projects/chef-infra.md)
 
-**Project State**: [Active](https://github.com/chef/chef-oss-practices/blob/master/repo-management/repo-states.md#active)
+**Project State**: [Active](https://github.com/chef/chef-oss-practices/blob/main/repo-management/repo-states.md#active)
 
-**Issues [Response Time Maximum](https://github.com/chef/chef-oss-practices/blob/master/repo-management/repo-states.md)**: 14 days
+**Issues [Response Time Maximum](https://github.com/chef/chef-oss-practices/blob/main/repo-management/repo-states.md)**: 14 days
 
-**Pull Request [Response Time Maximum](https://github.com/chef/chef-oss-practices/blob/master/repo-management/repo-states.md)**: 14 days
+**Pull Request [Response Time Maximum](https://github.com/chef/chef-oss-practices/blob/main/repo-management/repo-states.md)**: 14 days
 
 ## Getting Started
 
@@ -23,7 +23,7 @@ For Chef Infra usage, please refer to [Learn Chef](https://learn.chef.io/), our
 Other useful resources for Chef Infra users:
 
 - Documentation: <https://docs.chef.io/>
-- Source: <https://github.com/chef/chef/tree/master>
+- Source: <https://github.com/chef/chef/tree/main>
 - Tickets/Issues: <https://github.com/chef/chef/issues>
 - Slack: [Chef Community Slack](https://community-slack.chef.io/)
 - Mailing list/Forum: <https://discourse.chef.io>

data/Rakefile

@@ -40,7 +40,7 @@ namespace :pre_install do
     %w{chef-utils chef-config}.each do |gem|
       path = ::File.join(::File.dirname(__FILE__), gem)
       Dir.chdir(path) do
-        sh("rake install")
+        system "rake install"
       end
     end
   end
@@ -61,16 +61,16 @@ end
 
 # hack in all the preinstall tasks to occur before the traditional install task
 task install: "pre_install:all"
-
 # make sure we build the correct gemspec on windows
-gemspec = Gem.win_platform? ? "chef-universal-mingw32" : "chef"
+gemspec = Gem.win_platform? ? "chef-universal-mingw-ucrt" : "chef"
+
 Bundler::GemHelper.install_tasks name: gemspec
 
 # this gets appended to the normal bundler install helper
 task :install do
   chef_bin_path = ::File.join(::File.dirname(__FILE__), "chef-bin")
   Dir.chdir(chef_bin_path) do
-    sh("rake install:force")
+    system "rake install:force"
   end
 end
 
@@ -80,7 +80,7 @@ namespace :install do
   task :local do
     chef_bin_path = ::File.join(::File.dirname(__FILE__), "chef-bin")
     Dir.chdir(chef_bin_path) do
-      sh("rake install:local")
+      system "rake install:local"
     end
   end
 end
@@ -99,25 +99,6 @@ task :register_eventlog do
   end
 end
 
-desc "Copies powershell_exec related binaries from the latest built Habitat Packages"
-task :update_chef_exec_dll do
-  raise "This task must be run on Windows since we are installing a Windows targeted package!" unless Gem.win_platform?
-
-  require "mkmf"
-  raise "Unable to locate Habitat cli. Please install Habitat cli before invoking this task!" unless find_executable "hab"
-
-  sh("hab pkg install chef/chef-powershell-shim")
-  sh("hab pkg install chef/chef-powershell-shim-x86")
-  x64 = `hab pkg path chef/chef-powershell-shim`.chomp.tr("\\", "/")
-  x86 = `hab pkg path chef/chef-powershell-shim-x86`.chomp.tr("\\", "/")
-  FileUtils.rm_rf(Dir["distro/ruby_bin_folder/AMD64/*"])
-  FileUtils.rm_rf(Dir["distro/ruby_bin_folder/x86/*"])
-  puts "Copying #{x64}/bin/* to distro/ruby_bin_folder/AMD64"
-  FileUtils.cp_r(Dir["#{x64}/bin/*"], "distro/ruby_bin_folder/AMD64")
-  puts "Copying #{x86}/bin/* to distro/ruby_bin_folder/x86"
-  FileUtils.cp_r(Dir["#{x86}/bin/*"], "distro/ruby_bin_folder/x86")
-end
-
 begin
   require "chefstyle"
   require "rubocop/rake_task"

data/{chef-universal-mingw32.gemspec → chef-universal-mingw-ucrt.gemspec}

@@ -1,8 +1,8 @@
-gemspec = eval(IO.read(File.expand_path("chef.gemspec", __dir__)))
+gemspec = instance_eval(File.read(File.expand_path("chef.gemspec", __dir__)))
 
-gemspec.platform = Gem::Platform.new(%w{universal mingw32})
+gemspec.platform = Gem::Platform.new(%w{x64-mingw-ucrt})
 
-gemspec.add_dependency "win32-api", "~> 1.5.3"
+gemspec.add_dependency "win32-api", "~> 1.10.0"
 gemspec.add_dependency "win32-event", "~> 0.6.1"
 # TODO: Relax this pin and make the necessary updaets. The issue originally
 # leading to this pin has been fixed in 0.6.5.
@@ -14,9 +14,10 @@ gemspec.add_dependency "win32-service", ">= 2.1.5", "< 3.0"
 gemspec.add_dependency "wmi-lite", "~> 1.0"
 gemspec.add_dependency "win32-taskscheduler", "~> 2.0"
 gemspec.add_dependency "iso8601", ">= 0.12.1", "< 0.14" # validate 0.14 when it comes out
-gemspec.add_dependency "win32-certstore", "~> 0.6.2"
-gemspec.add_dependency "chef-powershell", "~> 1.0.12" # 0.5+ required for specifying user vs. system store
+gemspec.add_dependency "win32-certstore", "~> 0.6.15" # 0.5+ required for specifying user vs. system store
+gemspec.add_dependency "chef-powershell", "~> 1.0.12" # The guts of the powershell_exec code have been moved to its own gem, chef-powershell. It's part of the chef-powershell-shim repo.
+
 gemspec.extensions << "ext/win32-eventlog/Rakefile"
 gemspec.files += Dir.glob("{distro,ext}/**/*")
 
-gemspec
+gemspec

data/chef.gemspec

@@ -22,12 +22,17 @@ Gem::Specification.new do |s|
   s.email = "adam@chef.io"
   s.homepage = "https://www.chef.io"
 
-  s.required_ruby_version = ">= 2.6.0"
+  if RUBY_PLATFORM =~ /aix/
+    s.required_ruby_version = ">= 3.0.3"
+  else
+    s.required_ruby_version = ">= 3.1.0"
+  end
 
   s.add_dependency "chef-config", "= #{Chef::VERSION}"
   s.add_dependency "chef-utils", "= #{Chef::VERSION}"
-  s.add_dependency "train-core", "~> 3.2", ">= 3.2.28" # 3.2.28 fixes sudo prompts. See https://github.com/chef/chef/pull/9635
+  s.add_dependency "train-core", "~> 3.10", ">= 3.2.28" # 3.2.28 fixes sudo prompts. See https://github.com/chef/chef/pull/9635
   s.add_dependency "train-winrm", ">= 0.2.5"
+  s.add_dependency "train-rest", ">= 0.4.1" # target mode with rest APIs
 
   s.add_dependency "license-acceptance", ">= 1.0.5", "< 3"
   s.add_dependency "mixlib-cli", ">= 2.1.1", "< 3.0"
@@ -35,12 +40,13 @@ Gem::Specification.new do |s|
   s.add_dependency "mixlib-authentication", ">= 2.1", "< 4"
   s.add_dependency "mixlib-shellout", ">= 3.1.1", "< 4.0"
   s.add_dependency "mixlib-archive", ">= 0.4", "< 2.0"
-  s.add_dependency "ohai", "~> 17.0"
-  s.add_dependency "inspec-core", "~> 4.23"
+  s.add_dependency "ohai", "~> 18.0"
+  s.add_dependency "inspec-core", ">= 5"
 
-  s.add_dependency "ffi", ">= 1.5.0"
+  s.add_dependency "ffi", ">= 1.15.5"
   s.add_dependency "ffi-yajl", "~> 2.2"
   s.add_dependency "net-sftp", ">= 2.1.2", "< 4.0" # remote_file resource
+  s.add_dependency "net-ftp" # remote_file resource
   s.add_dependency "erubis", "~> 2.7" # template resource / cookbook syntax check
   s.add_dependency "diff-lcs", ">= 1.2.4", "!= 1.4.0", "< 1.6.0" # 1.4 breaks output. Used in lib/chef/util/diff
   s.add_dependency "ffi-libarchive", "~> 1.0", ">= 1.0.3" # archive_file resource
@@ -52,6 +58,7 @@ Gem::Specification.new do |s|
   s.add_dependency "addressable"
   s.add_dependency "syslog-logger", "~> 1.6"
   s.add_dependency "uuidtools", ">= 2.1.5", "< 3.0" # osx_profile resource
+  s.add_dependency "unf_ext", ">= 0.0.8.2" # This is ruby31 compatible ucrt gem version
   s.add_dependency "corefoundation", "~> 0.3.4" # macos_userdefaults resource
 
   s.add_dependency "proxifier", "~> 1.0"
@@ -70,7 +77,7 @@ Gem::Specification.new do |s|
 
   s.metadata = {
     "bug_tracker_uri"   => "https://github.com/chef/chef/issues",
-    "changelog_uri"     => "https://github.com/chef/chef/blob/master/CHANGELOG.md",
+    "changelog_uri"     => "https://github.com/chef/chef/blob/main/CHANGELOG.md",
     "documentation_uri" => "https://docs.chef.io/",
     "homepage_uri"      => "https://www.chef.io",
     "mailing_list_uri"  => "https://discourse.chef.io/",

data/lib/chef/api_client_v1.rb

@@ -64,6 +64,10 @@ class Chef
       @chef_rest_v1 ||= Chef::ServerAPI.new(Chef::Config[:chef_server_url], { api_version: "1", inflate_json_class: false })
     end
 
+    def chef_rest_v1_with_validator
+      @chef_rest_v1_with_validator ||= Chef::ServerAPI.new(Chef::Config[:chef_server_url], { client_name: Chef::Config[:validation_client_name], signing_key_filename: Chef::Config[:validation_key], api_version: "1", inflate_json_class: false })
+    end
+
     def self.http_api
       Chef::ServerAPI.new(Chef::Config[:chef_server_url], { api_version: "1", inflate_json_class: false })
     end
@@ -293,7 +297,11 @@ class Chef
         payload[:public_key] = public_key unless public_key.nil?
         payload[:create_key] = create_key unless create_key.nil?
 
-        new_client = chef_rest_v1.post("clients", payload)
+        new_client = if Chef::Config[:migrate_key_to_keystore] == true
+                       chef_rest_v1_with_validator.post("clients", payload)
+                     else
+                       chef_rest_v1.post("clients", payload)
+                     end
 
         # get the private_key out of the chef_key hash if it exists
         if new_client["chef_key"]

data/lib/chef/application/exit_code.rb

@@ -19,8 +19,8 @@
 class Chef
   class Application
 
-    # These are the exit codes defined in Chef RFC 062
-    # https://github.com/chef/chef-rfc/blob/master/rfc062-exit-status.md
+    # These are the exit codes defined in the exit codes design document
+    # https://github.com/chef/chef/blob/main/docs/dev/design_documents/client_exit_codes.md
     class ExitCode
       require "chef-utils/dist" unless defined?(ChefUtils::Dist)
 
@@ -140,7 +140,7 @@ class Chef
 
         def non_standard_exit_code_warning(exit_code)
           "#{ChefUtils::Dist::Infra::CLIENT} attempted to exit with a non-standard exit code of #{exit_code}." \
-          " The #{ChefUtils::Dist::Infra::PRODUCT} Exit Codes design document (https://github.com/chef/chef-rfc/blob/master/rfc062-exit-status.md)" \
+          " The #{ChefUtils::Dist::Infra::PRODUCT} Exit Codes design document (https://github.com/chef/chef/blob/main/docs/dev/design_documents/client_exit_codes.md)" \
           " defines the exit codes that should be used with #{ChefUtils::Dist::Infra::CLIENT}. Chef::Application::ExitCode defines"  \
           " valid exit codes Non-standard exit codes are redefined as GENERIC_FAILURE."
         end

data/lib/chef/client.rb

@@ -64,6 +64,10 @@ class Chef
   # The main object in a Chef run. Preps a Chef::Node and Chef::RunContext,
   # syncs cookbooks if necessary, and triggers convergence.
   class Client
+    CRYPT_EXPORTABLE = 0x00000001
+
+    attr_reader :local_context
+
     extend Chef::Mixin::Deprecation
 
     extend Forwardable
@@ -640,6 +644,16 @@ class Chef
       if !config[:client_key]
         events.skipping_registration(client_name, config)
         logger.trace("Client key is unspecified - skipping registration")
+      elsif ::Chef::Config[:migrate_key_to_keystore] == true && ChefUtils.windows?
+        cert_name = "chef-#{client_name}"
+        result = check_certstore_for_key(cert_name)
+        if result.rassoc("#{cert_name}")
+          logger.trace("Client key #{config[:client_key]} is present in Certificate Store - skipping registration")
+        else
+          create_new_key_and_register(cert_name)
+          logger.trace("New client keys created in the Certificate Store - skipping registration")
+        end
+        events.skipping_registration(client_name, config)
       elsif File.exists?(config[:client_key])
         events.skipping_registration(client_name, config)
         logger.trace("Client key #{config[:client_key]} is present - skipping registration")
@@ -658,6 +672,158 @@ class Chef
       raise
     end
 
+    # In the brave new world of No Certs On Disk, we want to put the pem file into Keychain or the Certstore
+    # But is it already there?
+    def check_certstore_for_key(cert_name)
+      require "win32-certstore"
+      win32certstore = ::Win32::Certstore.open("MY")
+      win32certstore.search("#{cert_name}")
+    end
+
+    def generate_pfx_package(cert_name, date)
+      self.class.generate_pfx_package(cert_name, date)
+    end
+
+    def self.generate_pfx_package(cert_name, date)
+      require "openssl" unless defined?(OpenSSL)
+
+      key = OpenSSL::PKey::RSA.new(2048)
+      public_key = key.public_key
+
+      subject = "CN=#{cert_name}"
+
+      cert = OpenSSL::X509::Certificate.new
+      cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
+      cert.not_before = Time.now
+      cert.not_after = Time.parse(date)
+      cert.public_key = public_key
+      cert.serial = 0x0
+      cert.version = 2
+
+      ef = OpenSSL::X509::ExtensionFactory.new
+      ef.subject_certificate = cert
+      ef.issuer_certificate = cert
+      cert.extensions = [
+        ef.create_extension("subjectKeyIdentifier", "hash"),
+        ef.create_extension("keyUsage", "digitalSignature,keyEncipherment", true),
+      ]
+      cert.add_extension(ef.create_ext_from_string("extendedKeyUsage=critical,serverAuth,clientAuth"))
+
+      cert.sign key, OpenSSL::Digest.new("SHA256")
+      password = ::Chef::HTTP::Authenticator.get_cert_password
+      pfx = OpenSSL::PKCS12.create(password, subject, key, cert)
+      pfx
+    end
+
+    def update_key_and_register(cert_name)
+      self.class.update_key_and_register(cert_name)
+    end
+
+    def self.update_key_and_register(cert_name, expiring_cert = nil)
+      # Chef client and node objects exist on Chef Server already
+      # Create a new public/private keypair in secure storage
+      # and register the new public cert with Chef Server
+      require "time" unless defined?(Time)
+      autoload :URI, "uri"
+
+      node = Chef::Config[:node_name]
+      end_date = Time.new + (3600 * 24 * 90)
+      end_date = end_date.utc.iso8601
+
+      new_cert_name = Time.now.utc.iso8601
+      payload = {
+        name: new_cert_name,
+        clientname: node,
+        public_key: "",
+        expiration_date: end_date,
+      }
+
+      new_pfx = generate_pfx_package(cert_name, end_date)
+      payload[:public_key] = new_pfx.certificate.public_key.to_pem
+      base_url = "#{Chef::Config[:chef_server_url]}"
+
+      @tmpdir = Dir.mktmpdir
+      file_path = File.join(@tmpdir, "#{node}.pem")
+
+      # The pfx files expire every 90 days.
+      # We check them in /http/authenticator to see if they are expiring when we extract the private key
+      # If they are, we come here to update Chef Server with a new public key
+      if expiring_cert
+        File.open(file_path, "w") { |f| f.write expiring_cert.key.to_pem }
+        signing_cert = file_path
+        client = Chef::ServerAPI.new(base_url, client_name: Chef::Config[:node_name], signing_key_filename: signing_cert )
+        File.delete(file_path)
+      else
+        client = Chef::ServerAPI.new(base_url, client_name: Chef::Config[:node_name], signing_key_filename: Chef::Config[:client_key] )
+      end
+
+      # Get the list of keys for this client
+      # Then add the new key we just created
+      # Then we delete the old one.
+      cert_list = client.get(base_url + "/clients/#{node}/keys")
+      client.post(base_url + "/clients/#{node}/keys", payload)
+
+      # We want to remove the old key for various reasons
+      # In the case where more than 1 certificate is returned we assume
+      # there is some special condition applied to the client so we won't delete the old
+      # certificates
+      if cert_list.count < 2
+        cert_hash = cert_list.reduce({}, :merge!)
+        old_cert_name = cert_hash["name"]
+        new_key = new_pfx.key.to_pem
+        File.open(file_path, "w") { |f| f.write new_key }
+        client = Chef::ServerAPI.new(base_url, client_name: Chef::Config[:node_name], signing_key_filename: file_path)
+        client.delete(base_url + "/clients/#{node}/keys/#{old_cert_name}")
+        File.delete(file_path)
+      end
+      import_pfx_to_store(new_pfx)
+    end
+
+    def create_new_key_and_register(cert_name)
+      require "time" unless defined?(Time)
+      autoload :URI, "uri"
+
+      # KeyMigration.instance.key_migrated = true
+
+      node = Chef::Config[:node_name]
+      d = Time.now
+      if d.month == 10 || d.month == 11 || d.month == 12
+        end_date = Time.new(d.year + 1, d.month - 9, d.day, d.hour, d.min, d.sec).utc.iso8601
+      else
+        end_date = Time.new(d.year, d.month + 3, d.day, d.hour, d.min, d.sec).utc.iso8601
+      end
+
+      payload = {
+        name: node,
+        clientname: node,
+        public_key: "",
+        expiration_date: end_date,
+      }
+
+      new_pfx = generate_pfx_package(cert_name, end_date)
+      payload[:public_key] = new_pfx.certificate.public_key.to_pem
+      base_url = "#{Chef::Config[:chef_server_url]}"
+      client = Chef::ServerAPI.new(base_url, client_name: Chef::Config[:validation_client_name], signing_key_filename: Chef::Config[:validation_key])
+      client.post(base_url + "/clients", payload)
+      Chef::Log.trace("Updated client data: #{client.inspect}")
+      import_pfx_to_store(new_pfx)
+    end
+
+    def import_pfx_to_store(new_pfx)
+      self.class.import_pfx_to_store(new_pfx)
+    end
+
+    def self.import_pfx_to_store(new_pfx)
+      password = ::Chef::HTTP::Authenticator.get_cert_password
+      require "win32-certstore"
+      tempfile = Tempfile.new("#{Chef::Config[:node_name]}.pfx")
+      File.open(tempfile, "wb") { |f| f.print new_pfx.to_der }
+
+      store = ::Win32::Certstore.open("MY")
+      store.add_pfx(tempfile, password, CRYPT_EXPORTABLE)
+      tempfile.unlink
+    end
+
     #
     # Converges all compiled resources.
     #
@@ -922,3 +1088,4 @@ end
 require_relative "cookbook_loader"
 require_relative "cookbook_version"
 require_relative "cookbook/synchronizer"
+

data/lib/chef/compliance/input.rb

@@ -101,7 +101,7 @@ class Chef
       # and cookbook_name are required this is probably not externally useful.
       #
       def self.from_yaml(events, string, path = nil, cookbook_name = nil)
-        from_hash(events, YAML.load(string), path, cookbook_name)
+        from_hash(events, YAML.safe_load(string, permitted_classes: [Date]), path, cookbook_name)
       end
 
       # @param filename [String] full path to the yml file in the cookbook

data/lib/chef/compliance/input_collection.rb

@@ -40,7 +40,7 @@ class Chef
       def from_file(filename, cookbook_name)
         new_input = Input.from_file(events, filename, cookbook_name)
         self << new_input
-        events.compliance_input_loaded(new_input)
+        events&.compliance_input_loaded(new_input)
       end
 
       # Add a input from a raw hash.  This input will be enabled by default.

data/lib/chef/compliance/profile.rb

@@ -108,7 +108,7 @@ class Chef
       # and cookbook_name are required this is probably not externally useful.
       #
       def self.from_yaml(events, string, path, cookbook_name)
-        from_hash(events, YAML.load(string), path, cookbook_name)
+        from_hash(events, YAML.safe_load(string, permitted_classes: [Date]), path, cookbook_name)
       end
 
       # @param filename [String] full path to the inspec.yml file in the cookbook

data/lib/chef/compliance/profile_collection.rb

@@ -41,11 +41,10 @@ class Chef
       def from_file(path, cookbook_name)
         new_profile = Profile.from_file(events, path, cookbook_name)
         self << new_profile
-        events.compliance_profile_loaded(new_profile)
+        events&.compliance_profile_loaded(new_profile)
       end
 
       # @return [Boolean] if any of the profiles are enabled
-      #
       def using_profiles?
         any?(&:enabled?)
       end

data/lib/chef/compliance/waiver.rb

@@ -101,7 +101,7 @@ class Chef
       # and cookbook_name are required this is probably not externally useful.
       #
       def self.from_yaml(events, string, path = nil, cookbook_name = nil)
-        from_hash(events, YAML.load(string), path, cookbook_name)
+        from_hash(events, YAML.safe_load(string, permitted_classes: [Date]), path, cookbook_name)
       end
 
       # @param filename [String] full path to the yml file in the cookbook

data/lib/chef/compliance/waiver_collection.rb

@@ -40,7 +40,7 @@ class Chef
       def from_file(filename, cookbook_name)
         new_waiver = Waiver.from_file(events, filename, cookbook_name)
         self << new_waiver
-        events.compliance_waiver_loaded(new_waiver)
+        events&.compliance_waiver_loaded(new_waiver)
       end
 
       # Add a waiver from a raw hash.  This waiver will be enabled by default.

data/lib/chef/cookbook/syntax_check.rb

@@ -248,8 +248,8 @@ class Chef
       # Debugs ruby syntax errors by printing the path to the file and any
       # diagnostic info given in +error_message+
       def invalid_ruby_file(ruby_file, error_message)
-        file_relative_path = ruby_file[/^#{Regexp.escape(cookbook_path + File::Separator)}(.*)/, 1]
-        Chef::Log.fatal("Cookbook file #{file_relative_path} has a ruby syntax error:")
+        file_relative_path = ruby_file[ruby_file.index(cookbook_path.split("/").last), ruby_file.length]
+        Chef::Log.fatal("Cookbook file #{file_relative_path} has a ruby syntax error.")
         error_message.each_line { |l| Chef::Log.fatal(l.chomp) }
         false
       end

data/lib/chef/dsl/reader_helpers.rb

@@ -42,7 +42,7 @@ class Chef
       end
 
       def parse_yaml(filename)
-        YAML.load(IO.read(filename))
+        YAML.safe_load_file(filename, permitted_classes: [Date])
       end
 
       extend self

data/lib/chef/dsl/rest_resource.rb

@@ -0,0 +1,77 @@
+#
+# Copyright:: Copyright 2008-2016, Chef, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "chef/constants" unless defined?(NOT_PASSED)
+
+class Chef
+  module DSL
+    module RestResource
+      def rest_property_map(rest_property_map = NOT_PASSED)
+        if rest_property_map != NOT_PASSED
+          rest_property_map = rest_property_map.to_h { |k| [k.to_sym, k] } if rest_property_map.is_a? Array
+
+          @rest_property_map = rest_property_map
+        end
+        @rest_property_map
+      end
+
+      # URL to collection
+      def rest_api_collection(rest_api_collection = NOT_PASSED)
+        if rest_api_collection != NOT_PASSED
+          raise ArgumentError, "You must pass an absolute path to rest_api_collection" unless rest_api_collection.start_with? "/"
+
+          @rest_api_collection = rest_api_collection
+        end
+
+        @rest_api_collection
+      end
+
+      # RFC6570-Templated URL to document
+      def rest_api_document(rest_api_document = NOT_PASSED, first_element_only: false)
+        if rest_api_document != NOT_PASSED
+          raise ArgumentError, "You must pass an absolute path to rest_api_document" unless rest_api_document.start_with? "/"
+
+          @rest_api_document = rest_api_document
+          @rest_api_document_first_element_only = first_element_only
+        end
+        @rest_api_document
+      end
+
+      # Explicit REST document identity mapping
+      def rest_identity_map(rest_identity_map = NOT_PASSED)
+        @rest_identity_map = rest_identity_map if rest_identity_map != NOT_PASSED
+        @rest_identity_map
+      end
+
+      # Mark up properties for POST only, not PATCH/PUT
+      def rest_post_only_properties(rest_post_only_properties = NOT_PASSED)
+        if rest_post_only_properties != NOT_PASSED
+          @rest_post_only_properties = Array(rest_post_only_properties).map(&:to_sym)
+        end
+        @rest_post_only_properties || []
+      end
+
+      def rest_api_document_first_element_only(rest_api_document_first_element_only = NOT_PASSED)
+        if rest_api_document_first_element_only != NOT_PASSED
+          @rest_api_document_first_element_only = rest_api_document_first_element_only
+        end
+        @rest_api_document_first_element_only
+      end
+
+    end
+  end
+end