chef 17.10.0 → 18.0.169

data/spec/integration/client/client_spec.rb

@@ -4,6 +4,10 @@ require "chef/mixin/shell_out"
 require "tiny_server"
 require "tmpdir"
 require "chef-utils/dist"
+require "chef/mixin/powershell_exec"
+
+# cspell:disable-next-line
+SOME_CHARS = "~!@#%^&*_-+=`|\\(){}[<]:;'>,.?/0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz".each_char.to_a.freeze
 
 describe "chef-client" do
 
@@ -31,8 +35,56 @@ describe "chef-client" do
     @server = @api = nil
   end
 
+  def install_certificate_in_store(client_name)
+    if ChefUtils.windows?
+      powershell_exec! <<~EOH
+        if (-not (($PSVersionTable.PSVersion.Major -ge 5) -and ($PSVersionTable.PSVersion.Build -ge 22000)) ) {
+          New-SelfSignedCertificate -CertStoreLocation Cert:\\LocalMachine\\My -DnsName "#{client_name}"
+        }
+        else {
+          New-SelfSignedCertificate -CertStoreLocation Cert:\\LocalMachine\\My -Subject "#{client_name}" -FriendlyName "#{client_name}" -KeyExportPolicy Exportable
+        }
+      EOH
+    end
+  end
+
+  def create_registry_key
+    ::Chef::HTTP::Authenticator.get_cert_password
+    # @win32registry = Chef::Win32::Registry.new
+    # path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+    # unless @win32registry.key_exists?(path)
+    #   @win32registry.create_key(path, true)
+    # end
+    # password = SOME_CHARS.sample(1 + rand(SOME_CHARS.count)).join[0...14]
+    # values = { name: "PfxPass", type: :string, data: password }
+    # @win32registry.set_value(path, values)
+  end
+
+  def remove_certificate_from_store
+    powershell_exec! <<~EOH
+      Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force  | Where-Object { $_.Subject -Match "#{client_name}" } -ErrorAction Stop | Remove-Item
+    EOH
+  end
+
+  def remove_registry_key
+    powershell_exec!("Remove-ItemProperty -Path HKLM:\\SOFTWARE\\Progress\\Authentication -Name 'PfxPass' ")
+  end
+
+  def verify_export_password_exists
+    powershell_exec! <<~EOH
+    Try {
+      $response = Get-ItemProperty -Path "HKLM:\\Software\\Progress\\Authentication" -Name "PfxPass" -ErrorAction Stop
+      if ($response) {return $true}
+      }
+    Catch {
+        return $false
+    }
+    EOH
+  end
+
   include IntegrationSupport
   include Chef::Mixin::ShellOut
+  include Chef::Mixin::PowershellExec
 
   let(:chef_dir) { File.join(__dir__, "..", "..", "..") }
 
@@ -45,8 +97,10 @@ describe "chef-client" do
   # machine that has omnibus chef installed. In that case we need to ensure
   # we're running `chef-client` from the source tree and not the external one.
   # cf. CHEF-4914
-  let(:chef_client) { "bundle exec #{ChefUtils::Dist::Infra::CLIENT} --minimal-ohai" }
-  let(:chef_solo) { "bundle exec #{ChefUtils::Dist::Solo::EXEC} --legacy-mode --minimal-ohai" }
+  let(:chef_client) { "bundle exec #{ChefUtils::Dist::Infra::CLIENT} --minimal-ohai --always-dump-stacktrace" }
+  let(:chef_solo) { "bundle exec #{ChefUtils::Dist::Solo::EXEC} --legacy-mode --minimal-ohai --always-dump-stacktrace" }
+  let(:client_name) { "chef-973334" }
+  let(:hostname) { "973334" }
 
   context "when validation.pem in current Directory" do
     let(:validation_path) { "" }
@@ -133,7 +187,6 @@ describe "chef-client" do
         # FATAL: Configuration error NoMethodError: undefined method `xxx' for nil:NilClass
         expect(result.stdout).to include("xxx")
       end
-
     end
 
     it "should complete with success" do
@@ -146,6 +199,32 @@ describe "chef-client" do
       result.error!
     end
 
+    if ChefUtils.windows?
+      context "and the private key is in the Windows CertStore" do
+        before do
+          install_certificate_in_store(client_name)
+          create_registry_key
+        end
+
+        after do
+          remove_certificate_from_store
+          remove_registry_key
+        end
+
+        it "should verify that the cert is loaded in the LocalMachine\\My" do
+          expect(Chef::HTTP::Authenticator.check_certstore_for_key(hostname)).to eq(true)
+        end
+
+        it "should verify that the export password for the pfx is loaded in the Registry" do
+          expect(verify_export_password_exists.result).to eq(true)
+        end
+
+        it "should verify that a private key is returned to me" do
+          expect(Chef::HTTP::Authenticator.retrieve_certificate_key(client_name)).not_to be nil
+        end
+      end
+    end
+
     context "and a private key" do
       before do
         file "mykey.pem", <<~EOM

data/spec/integration/client/exit_code_spec.rb

@@ -23,7 +23,7 @@ describe "chef-client" do
   # machine that has omnibus chef installed. In that case we need to ensure
   # we're running `chef-client` from the source tree and not the external one.
   # cf. CHEF-4914
-  let(:chef_client) { "bundle exec #{ChefUtils::Dist::Infra::CLIENT} --no-fork --minimal-ohai" }
+  let(:chef_client) { "bundle exec #{ChefUtils::Dist::Infra::CLIENT} --no-fork --minimal-ohai --always-dump-stacktrace" }
 
   let(:critical_env_vars) { %w{PATH RUBYOPT BUNDLE_GEMFILE GEM_PATH}.map { |o| "#{o}=#{ENV[o]}" } .join(" ") }
 

data/spec/integration/client/ipv6_spec.rb

@@ -76,7 +76,7 @@ describe "chef-client" do
 
   let(:chef_dir) { File.join(__dir__, "..", "..", "..") }
 
-  let(:chef_client_cmd) { %Q{bundle exec chef-client --minimal-ohai -c "#{path_to("config/client.rb")}" -lwarn} }
+  let(:chef_client_cmd) { %Q{bundle exec #{ChefUtils::Dist::Infra::CLIENT} --minimal-ohai -c "#{path_to("config/client.rb")}" -lwarn --always-dump-stacktrace} }
 
   after do
     FileUtils.rm_rf(cache_path)

data/spec/integration/compliance/compliance_spec.rb

@@ -20,7 +20,7 @@ describe "chef-client with compliance phase" do
   # machine that has omnibus chef installed. In that case we need to ensure
   # we're running `chef-client` from the source tree and not the external one.
   # cf. CHEF-4914
-  let(:chef_client) { "bundle exec #{ChefUtils::Dist::Infra::CLIENT} --minimal-ohai" }
+  let(:chef_client) { "bundle exec #{ChefUtils::Dist::Infra::CLIENT} --minimal-ohai --always-dump-stacktrace" }
 
   when_the_repository "has a custom profile" do
     let(:report_file) { path_to("report_file.json") }

data/spec/integration/recipes/accumulator_spec.rb

@@ -17,7 +17,7 @@ describe "Accumulators" do
   # machine that has omnibus chef installed. In that case we need to ensure
   # we're running `chef-client` from the source tree and not the external one.
   # cf. CHEF-4914
-  let(:chef_client) { "bundle exec chef-client --minimal-ohai" }
+  let(:chef_client) { "bundle exec #{ChefUtils::Dist::Infra::CLIENT} --minimal-ohai --always-dump-stacktrace" }
 
   let(:aliases_temppath) do
     t = Tempfile.new("chef_accumulator_test")

data/spec/integration/recipes/lwrp_inline_resources_spec.rb

@@ -17,7 +17,7 @@ describe "LWRPs with inline resources" do
   # machine that has omnibus chef installed. In that case we need to ensure
   # we're running `chef-client` from the source tree and not the external one.
   # cf. CHEF-4914
-  let(:chef_client) { "bundle exec chef-client --minimal-ohai" }
+  let(:chef_client) { "bundle exec #{ChefUtils::Dist::Infra::CLIENT} --minimal-ohai --always-dump-stacktrace" }
 
   context "with a use_inline_resources provider with 'def action_a' instead of action :a" do
     class LwrpInlineResourcesTest < Chef::Resource

data/spec/integration/recipes/lwrp_spec.rb

@@ -17,7 +17,7 @@ describe "LWRPs" do
   # machine that has omnibus chef installed. In that case we need to ensure
   # we're running `chef-client` from the source tree and not the external one.
   # cf. CHEF-4914
-  let(:chef_client) { "bundle exec chef-client --minimal-ohai" }
+  let(:chef_client) { "bundle exec #{ChefUtils::Dist::Infra::CLIENT} --minimal-ohai --always-dump-stacktrace" }
 
   when_the_repository "has a cookbook named l-w-r-p" do
     before do

data/spec/integration/recipes/notifies_spec.rb

@@ -23,7 +23,7 @@ describe "notifications" do
   include Chef::Mixin::ShellOut
 
   let(:chef_dir) { File.expand_path("../../..", __dir__) }
-  let(:chef_client) { "bundle exec chef-client --minimal-ohai" }
+  let(:chef_client) { "bundle exec #{ChefUtils::Dist::Infra::CLIENT} --minimal-ohai --always-dump-stacktrace" }
 
   when_the_repository "notifies a nameless resource" do
     before do

data/spec/integration/recipes/notifying_block_spec.rb

@@ -24,7 +24,7 @@ describe "notifying_block" do
   include Chef::Mixin::ShellOut
 
   let(:chef_dir) { File.expand_path("../../..", __dir__) }
-  let(:chef_client) { "bundle exec chef-client --minimal-ohai" }
+  let(:chef_client) { "bundle exec #{ChefUtils::Dist::Infra::CLIENT} --minimal-ohai --always-dump-stacktrace" }
 
   when_the_repository "notifying_block test one" do
     before do

data/spec/integration/recipes/remote_directory.rb

@@ -16,7 +16,7 @@ describe Chef::Resource::RemoteDirectory do
   # machine that has omnibus chef installed. In that case we need to ensure
   # we're running `chef-client` from the source tree and not the external one.
   # cf. CHEF-4914
-  let(:chef_client) { "bundle exec chef-client --minimal-ohai" }
+  let(:chef_client) { "bundle exec #{ChefUtils::Dist::Infra::CLIENT} --minimal-ohai --always-dump-stacktrace" }
 
   when_the_repository "has a cookbook with a source_dir with two subdirectories, each with one file and subdir in a different alphabetical order" do
     before do

data/spec/integration/recipes/unified_mode_spec.rb

@@ -8,7 +8,7 @@ describe "Unified Mode" do
 
   let(:chef_dir) { File.expand_path("../../..", __dir__) }
 
-  let(:chef_client) { "bundle exec chef-client --minimal-ohai" }
+  let(:chef_client) { "bundle exec #{ChefUtils::Dist::Infra::CLIENT} --minimal-ohai --always-dump-stacktrace" }
 
   when_the_repository "has a cookbook with a unified_mode resource with a delayed notification from the second block to the first block" do
     before do

data/spec/integration/recipes/use_partial_spec.rb

@@ -23,10 +23,11 @@ describe "notifying_block" do
   include Chef::Mixin::ShellOut
 
   let(:chef_dir) { File.expand_path("../../..", __dir__) }
-  let(:chef_client) { "bundle exec chef-client --minimal-ohai" }
+  let(:chef_client) { "bundle exec #{ChefUtils::Dist::Infra::CLIENT} --minimal-ohai --always-dump-stacktrace" }
 
   when_the_repository "has a cookbook with partial resources" do
     before do
+      ::Chef::HTTP::Authenticator.get_cert_password if windows?
       directory "cookbooks/x" do
         file "resources/_shared_properties.rb", <<-EOM
           property :content, String

data/spec/integration/solo/solo_spec.rb

@@ -18,7 +18,7 @@ describe ChefUtils::Dist::Solo::EXEC do
 
   let(:cookbook_ancient_100_metadata_rb) { cb_metadata("ancient", "1.0.0") }
 
-  let(:chef_solo) { "bundle exec #{ChefUtils::Dist::Solo::EXEC} --legacy-mode --minimal-ohai" }
+  let(:chef_solo) { "bundle exec #{ChefUtils::Dist::Solo::EXEC} --legacy-mode --minimal-ohai --always-dump-stacktrace" }
 
   when_the_repository "creates nodes" do
     let(:nodes_dir) { File.join(@repository_dir, "nodes") }
@@ -28,7 +28,7 @@ describe ChefUtils::Dist::Solo::EXEC do
       file "config/solo.rb", <<~EOM
         chef_repo_path "#{@repository_dir}"
       EOM
-      result = shell_out("bundle exec chef-solo -c \"#{path_to("config/solo.rb")}\" -l debug", cwd: chef_dir)
+      result = shell_out("bundle exec #{ChefUtils::Dist::Solo::EXEC} --minimal-ohai --always-dump-stacktrace -c \"#{path_to("config/solo.rb")}\" -l debug", cwd: chef_dir)
       result.error!
     end
 

data/spec/spec_helper.rb

@@ -144,6 +144,7 @@ RSpec.configure do |config|
   config.filter_run_excluding macos_only: true unless macos?
   config.filter_run_excluding not_macos_gte_11: true if macos_gte_11?
   config.filter_run_excluding not_supported_on_aix: true if aix?
+  config.filter_run_excluding not_supported_on_freebsd_gte_12_3: true if freebsd_gte_12_3?
   config.filter_run_excluding not_supported_on_solaris: true if solaris?
   config.filter_run_excluding not_supported_on_gce: true if gce?
   config.filter_run_excluding win2012r2_only: true unless windows_2012r2?

data/spec/support/platform_helpers.rb

@@ -127,6 +127,10 @@ def freebsd?
   RUBY_PLATFORM.include?("freebsd")
 end
 
+def freebsd_gte_12_3?
+  RUBY_PLATFORM.include?("freebsd") && !!(ohai[:platform_version].to_f >= 12.3)
+end
+
 def intel_64bit?
   !!(ohai[:kernel][:machine] == "x86_64")
 end

data/spec/support/ruby_installer.rb

@@ -48,4 +48,4 @@ rescue LoadError
   $stderr.puts "Failed to load ruby_installer. Assuming Ruby Installer is not being used."
 end
 
-add_libarchive_dll_directory if RUBY_PLATFORM.match?(/mswin|mingw32|windows/)
+add_libarchive_dll_directory if RUBY_PLATFORM.match?(/mswin|mingw|windows/)

data/spec/support/shared/functional/windows_script.rb

@@ -163,7 +163,7 @@ shared_context Chef::Resource::WindowsScript do
 
     describe "when the run action is invoked on Windows" do
       it "executes the script code" do
-        resource.code("whoami > \"#{script_output_path}\"")
+        resource.code("chcp > \"#{script_output_path}\"")
         resource.returns(0)
         resource.run_action(:run)
       end
@@ -199,7 +199,7 @@ shared_context Chef::Resource::WindowsScript do
       end
 
       it "executes the script code" do
-        resource.code("whoami > \"#{script_output_path}\"")
+        resource.code("chcp > \"#{script_output_path}\"")
         resource.returns(0)
         resource.run_action(:run)
       end

data/spec/unit/application/client_spec.rb

@@ -564,16 +564,6 @@ describe Chef::Application::Client, "run_application", :unix_only do
         expect(IO.select([@pipe[0]], nil, nil, 0)).not_to be_nil
         expect(@pipe[0].gets).to eq("finished\n")
       end
-
-      it "should exit hard when sent before converge" do
-        pid = fork do
-          sleep 3
-          @app.run_application
-        end
-        Process.kill("TERM", pid)
-        _pid, result = Process.waitpid2(pid)
-        expect(result.exitstatus).to eq(3)
-      end
     end
   end
 

data/spec/unit/client_spec.rb

@@ -23,6 +23,11 @@ require "chef/run_context"
 require "chef/server_api"
 require "rbconfig"
 
+begin
+  require "chef-powershell"
+rescue LoadError
+end
+
 class FooError < RuntimeError
 end
 
@@ -113,6 +118,7 @@ shared_context "a client run" do
     # --Client.register
     #   Make sure Client#register thinks the client key doesn't
     #   exist, so it tries to register and create one.
+    allow(Chef::HTTP::Authenticator).to receive(:detect_certificate_key).with(fqdn).and_return(false)
     allow(File).to receive(:exists?).and_call_original
     expect(File).to receive(:exists?)
       .with(Chef::Config[:client_key])
@@ -201,7 +207,6 @@ shared_context "a client run" do
 
     # Post conditions: check that node has been filled in correctly
     expect(client).to receive(:run_started)
-
     stub_for_run
   end
 end
@@ -262,7 +267,7 @@ end
 
 # requires platform and platform_version be defined
 shared_examples "a completed run" do
-  include_context "run completed"
+  include_context "run completed" # should receive run_completed_successfully
 
   it "runs ohai, sets up authentication, loads node state, synchronizes policy, converges" do
     # This is what we're testing.
@@ -282,6 +287,53 @@ shared_examples "a failed run" do
   end
 end
 
+describe Chef::Client, :windows_only do
+  let(:hostname) { "test" }
+  let(:my_client) { Chef::Client.new }
+  let(:cert_name) { "chef-#{hostname}" }
+  let(:node_name) { "#{hostname}" }
+  let(:end_date) do
+    d = Time.now
+    if d.month == 10 || d.month == 11 || d.month == 12
+      end_date = Time.new(d.year + 1, d.month - 9, d.day, d.hour, d.min, d.sec).utc.iso8601
+    else
+      end_date = Time.new(d.year, d.month + 3, d.day, d.hour, d.min, d.sec).utc.iso8601
+    end
+  end
+  # include_context "client"
+  before(:each) do
+    Chef::Config[:migrate_key_to_keystore] = true
+  end
+
+  after(:each) do
+    delete_certificate(cert_name)
+  end
+
+  context "when the client intially boots the first time" do
+    it "verfies that a certificate was correctly created and exists in the Cert Store" do
+      new_pfx = my_client.generate_pfx_package(cert_name, end_date)
+      my_client.import_pfx_to_store(new_pfx)
+      expect(my_client.check_certstore_for_key(cert_name)).not_to be false
+    end
+
+    it "correctly returns a new Publc Key" do
+      new_pfx = my_client.generate_pfx_package(cert_name, end_date)
+      cert_object = new_pfx.certificate.public_key.to_pem
+      expect(cert_object.to_s).to match(/PUBLIC KEY/)
+    end
+
+  end
+
+  def delete_certificate(cert_name)
+    require "chef/mixin/powershell_exec"
+    extend Chef::Mixin::PowershellExec
+    powershell_code = <<~CODE
+      Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force  | Where-Object { $_.Subject -Match "#{cert_name}" } | Remove-item
+    CODE
+    powershell_exec!(powershell_code)
+  end
+end
+
 describe Chef::Client do
   include_context "client"
 

data/spec/unit/cookbook/syntax_check_spec.rb

@@ -159,12 +159,15 @@ describe Chef::Cookbook::SyntaxCheck do
       end
 
       describe "and a file has a syntax error" do
+
         before do
           cookbook_path = File.join(CHEF_SPEC_DATA, "cookbooks", "borken")
           syntax_check.cookbook_path.replace(cookbook_path)
         end
 
         it "it indicates that a ruby file has a syntax error" do
+          expect(Chef::Log).to receive(:fatal).with("Cookbook file borken/recipes/default.rb has a ruby syntax error.")
+          allow(Chef::Log).to receive(:fatal)
           expect(syntax_check.validate_ruby_files).to be_falsey
         end
 

data/spec/unit/daemon_spec.rb

@@ -170,11 +170,7 @@ describe Chef::Daemon do
 
       it "should log an appropriate error message and fail miserably" do
         allow(Process).to receive(:initgroups).and_raise(Errno::EPERM)
-        error = "Operation not permitted"
-        if RUBY_PLATFORM.match("solaris2") || RUBY_PLATFORM.match("aix")
-          error = "Not owner"
-        end
-        expect(Chef::Application).to receive(:fatal!).with("Permission denied when trying to change 999:999 to 501:20. #{error}")
+        expect(Chef::Application).to receive(:fatal!).with(/Permission denied when trying to change 999:999 to 501:20/)
         Chef::Daemon._change_privilege(testuser)
       end
     end

data/spec/unit/dsl/secret_spec.rb

@@ -17,11 +17,14 @@
 #
 
 require "spec_helper"
+require "chef/exceptions"
 require "chef/dsl/secret"
 require "chef/secret_fetcher/base"
+
 class SecretDSLTester
   include Chef::DSL::Secret
-  # Because DSL is invoked in the context of a recipe,
+
+  # Because DSL is invoked in the context of a recipe or attribute file
   # we expect run_context to always be available when SecretFetcher::Base
   # requests it - making it safe to mock here
   def run_context
@@ -37,35 +40,136 @@ end
 
 describe Chef::DSL::Secret do
   let(:dsl) { SecretDSLTester.new }
-  it "responds to 'secret'" do
-    expect(dsl.respond_to?(:secret)).to eq true
+  let(:run_context) { Chef::RunContext.new(Chef::Node.new, {}, Chef::EventDispatch::Dispatcher.new) }
+
+  before do
+    allow(dsl).to receive(:run_context).and_return(run_context)
   end
 
-  it "uses SecretFetcher.for_service to find the fetcher" do
-    substitute_fetcher = SecretFetcherImpl.new({}, nil)
-    expect(Chef::SecretFetcher).to receive(:for_service).with(:example, {}, nil).and_return(substitute_fetcher)
-    expect(substitute_fetcher).to receive(:fetch).with("key1", nil)
-    dsl.secret(name: "key1", service: :example, config: {})
+  %w{
+      secret
+      default_secret_service
+      default_secret_config
+      with_secret_service
+      with_secret_config
+    }.each do |m|
+      it "responds to ##{m}" do
+        expect(dsl.respond_to?(m)).to eq true
+      end
+    end
+
+  describe "#default_secret_service" do
+    let(:service) { :hashi_vault }
+
+    it "persists the service passed in as an argument" do
+      expect(dsl.default_secret_service).to eq(nil)
+      dsl.default_secret_service(service)
+      expect(dsl.default_secret_service).to eq(service)
+    end
+
+    it "returns run_context.default_secret_service value when no argument is given" do
+      run_context.default_secret_service = :my_thing
+      expect(dsl.default_secret_service).to eq(:my_thing)
+    end
+
+    it "raises exception when service given is not valid" do
+      stub_const("Chef::SecretFetcher::SECRET_FETCHERS", %i{service_a service_b})
+      expect { dsl.default_secret_service(:unknown_service) }.to raise_error(Chef::Exceptions::Secret::InvalidFetcherService)
+    end
   end
 
-  it "resolves a secret when using the example fetcher" do
-    secret_value = dsl.secret(name: "test1", service: :example, config: { "test1" => "secret value" })
-    expect(secret_value).to eq "secret value"
+  describe "#with_secret_config" do
+    let(:service) { :hashi_vault }
+
+    it "sets the service for the scope of the block only" do
+      expect(dsl.default_secret_service).to eq(nil)
+      dsl.with_secret_service(service) do
+        expect(dsl.default_secret_service).to eq(service)
+      end
+      expect(dsl.default_secret_service).to eq(nil)
+    end
+
+    it "raises exception when block is not given" do
+      expect { dsl.with_secret_service(service) }.to raise_error(ArgumentError)
+    end
   end
 
-  context "when used within a resource" do
-    let(:run_context) {
-      Chef::RunContext.new(Chef::Node.new,
-                           Chef::CookbookCollection.new(Chef::CookbookLoader.new(File.join(CHEF_SPEC_DATA, "cookbooks"))),
-                           Chef::EventDispatch::Dispatcher.new)
-    }
-
-    it "marks that resource as 'sensitive'" do
-      recipe = Chef::Recipe.new("secrets", "test", run_context)
-      recipe.zen_master "secret_test" do
-        peace secret(name: "test1", service: :example, config: { "test1" => true })
+  describe "#default_secret_config" do
+    let(:config) { { my_key: "value" } }
+
+    it "persists the config passed in as argument" do
+      expect(dsl.default_secret_config).to eq({})
+      dsl.default_secret_config(**config)
+      expect(dsl.default_secret_config).to eq(config)
+    end
+
+    it "returns run_context.default_secret_config value when no argument is given" do
+      run_context.default_secret_config = { my_thing: "that" }
+      expect(dsl.default_secret_config).to eq({ my_thing: "that" })
+    end
+  end
+
+  describe "#with_secret_config" do
+    let(:config) { { my_key: "value" } }
+
+    it "sets the config for the scope of the block only" do
+      expect(dsl.default_secret_config).to eq({})
+      dsl.with_secret_config(**config) do
+        expect(dsl.default_secret_config).to eq(config)
       end
-      expect(run_context.resource_collection.lookup("zen_master[secret_test]").sensitive).to eql(true)
+      expect(dsl.default_secret_config).to eq({})
+    end
+
+    it "raises exception when block is not given" do
+      expect { dsl.with_secret_config(**config) }.to raise_error(ArgumentError)
+    end
+  end
+
+  describe "#secret" do
+    it "uses SecretFetcher.for_service to find the fetcher" do
+      substitute_fetcher = SecretFetcherImpl.new({}, nil)
+      expect(Chef::SecretFetcher).to receive(:for_service).with(:example, {}, run_context).and_return(substitute_fetcher)
+      expect(substitute_fetcher).to receive(:fetch).with("key1", nil)
+      dsl.secret(name: "key1", service: :example, config: {})
+    end
+
+    it "resolves a secret when using the example fetcher" do
+      secret_value = dsl.secret(name: "test1", service: :example, config: { "test1" => "secret value" })
+      expect(secret_value).to eq "secret value"
+    end
+
+    context "when used within a resource" do
+      let(:run_context) {
+        Chef::RunContext.new(Chef::Node.new,
+                             Chef::CookbookCollection.new(Chef::CookbookLoader.new(File.join(CHEF_SPEC_DATA, "cookbooks"))),
+                             Chef::EventDispatch::Dispatcher.new)
+      }
+
+      it "marks that resource as 'sensitive'" do
+        recipe = Chef::Recipe.new("secrets", "test", run_context)
+        recipe.zen_master "secret_test" do
+          peace secret(name: "test1", service: :example, config: { "test1" => true })
+        end
+        expect(run_context.resource_collection.lookup("zen_master[secret_test]").sensitive).to eql(true)
+      end
+    end
+
+    it "passes default service to SecretFetcher.for_service" do
+      service = :example
+      dsl.default_secret_service(service)
+      substitute_fetcher = SecretFetcherImpl.new({}, nil)
+      expect(Chef::SecretFetcher).to receive(:for_service).with(service, {}, run_context).and_return(substitute_fetcher)
+      allow(substitute_fetcher).to receive(:fetch).with("key1", nil)
+      dsl.secret(name: "key1")
+    end
+
+    it "passes default config to SecretFetcher.for_service" do
+      config = { my_config: "value" }
+      dsl.default_secret_config(**config)
+      substitute_fetcher = SecretFetcherImpl.new({}, nil)
+      expect(Chef::SecretFetcher).to receive(:for_service).with(:example, config, run_context).and_return(substitute_fetcher)
+      allow(substitute_fetcher).to receive(:fetch).with("key1", nil)
+      dsl.secret(name: "key1", service: :example)
     end
   end
 end