chef 17.10.0 → 18.0.185

data/lib/chef/resource/selinux_state.rb

@@ -0,0 +1,166 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+require_relative "selinux/common_helpers"
+
+class Chef
+  class Resource
+    class SelinuxState < Chef::Resource
+      unified_mode true
+
+      provides :selinux_state
+
+      description "Use **selinux_state** resource to manages the SELinux state on the system. It does this by using the `setenforce` command and rendering the `/etc/selinux/config` file from a template."
+      introduced "18.0"
+      examples <<~DOC
+      **Set SELinux state to permissive**:
+
+      ```ruby
+      selinux_state 'permissive' do
+        action :permissive
+      end
+      ```
+
+      **Set SELinux state to enforcing**:
+
+      ```ruby
+      selinux_state 'enforcing' do
+        action :enforcing
+      end
+      ```
+
+      **Set SELinux state to disabled**:
+      ```ruby
+      selinux_state 'disabled' do
+        action :disabled
+      end
+      ```
+      DOC
+
+      default_action :nothing
+
+      property :config_file, String,
+                default: "/etc/selinux/config",
+                description: "Path to SELinux config file on disk."
+
+      property :persistent, [true, false],
+                default: true,
+                description: "Persist status update to the selinux configuration file."
+
+      property :policy, String,
+                default: lazy { default_policy_platform },
+                equal_to: %w{default minimum mls src strict targeted},
+                description: "SELinux policy type."
+
+      property :automatic_reboot, [true, false, Symbol],
+                default: false,
+                description: "Perform an automatic node reboot if required for state change."
+
+      deprecated_property_alias "temporary", "persistent", "The temporary property was renamed persistent in the 4.0 release of this cookbook. Please update your cookbooks to use the new property name."
+
+      action_class do
+        include Chef::SELinux::CommonHelpers
+        def render_selinux_template(action)
+          Chef::Log.warn("It is advised to set the configuration first to permissive to relabel the filesystem prior to enforcing.") if selinux_disabled? && action == :enforcing
+
+          unless new_resource.automatic_reboot
+            Chef::Log.warn("Changes from disabled require a reboot.") if selinux_disabled? && %i{enforcing permissive}.include?(action)
+            Chef::Log.warn("Disabling selinux requires a reboot.") if (selinux_enforcing? || selinux_permissive?) && action == :disabled
+          end
+
+          template "#{action} selinux config" do
+            path new_resource.config_file
+            source debian? ? ::File.expand_path("selinux/selinux_debian.erb", __dir__) : ::File.expand_path("selinux/selinux_default.erb", __dir__)
+            local true
+            variables(
+              selinux: action.to_s,
+              selinuxtype: new_resource.policy
+            )
+          end
+        end
+
+        def node_selinux_restart
+          unless new_resource.automatic_reboot
+            Chef::Log.warn("SELinux state change to #{action} requires a manual reboot as SELinux is currently #{selinux_state} and automatic reboots are disabled.")
+            return
+          end
+
+          outer_action = action
+          reboot "selinux_state_change" do
+            delay_mins 1
+            reason "SELinux state change to #{outer_action} from #{selinux_state}"
+
+            action new_resource.automatic_reboot.is_a?(Symbol) ? new_resource.automatic_reboot : :reboot_now
+          end
+        end
+      end
+
+      action :enforcing, description: "Set the SELinux state to enforcing." do
+        unless selinux_disabled? || selinux_enforcing?
+          execute "selinux-setenforce-enforcing" do
+            command "/usr/sbin/setenforce 1"
+          end
+        end
+
+        if selinux_activate_required?
+          execute "debian-selinux-activate" do
+            command "/usr/sbin/selinux-activate"
+          end
+        end
+
+        render_selinux_template(action) if new_resource.persistent
+        node_selinux_restart if state_change_reboot_required?
+      end
+
+      action :permissive, description: "Set the SELinux state to permissive." do
+        unless selinux_disabled? || selinux_permissive?
+          execute "selinux-setenforce-permissive" do
+            command "/usr/sbin/setenforce 0"
+          end
+        end
+
+        if selinux_activate_required?
+          execute "debian-selinux-activate" do
+            command "/usr/sbin/selinux-activate"
+          end
+        end
+
+        render_selinux_template(action) if new_resource.persistent
+        node_selinux_restart if state_change_reboot_required?
+      end
+
+      action :disabled, description: "Set the SELinux state to disabled. **NOTE**: Switching to or from disabled requires a reboot!" do
+        raise "A non-persistent change to the disabled SELinux status is not possible." unless new_resource.persistent
+
+        render_selinux_template(action)
+        node_selinux_restart if state_change_reboot_required?
+      end
+
+      private
+
+      #
+      # Decide default policy platform based upon platform_family
+      #
+      # @return [String] Policy platform name
+      def default_policy_platform
+        case node["platform_family"]
+        when "rhel", "fedora", "amazon"
+          "targeted"
+        when "debian"
+          "default"
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/service.rb

@@ -27,7 +27,6 @@ class Chef
     class Service < Chef::Resource
       include Chef::Platform::ServiceHelpers
       extend Chef::Platform::ServiceHelpers
-      unified_mode true
 
       provides :service, target_mode: true
 

data/lib/chef/resource/smartos_package.rb

@@ -21,13 +21,14 @@ require_relative "package"
 class Chef
   class Resource
     class SmartosPackage < Chef::Resource::Package
-      unified_mode true
 
       provides :smartos_package
       provides :package, platform_family: "smartos"
 
       description "Use the **smartos_package** resource to manage packages for the SmartOS platform."
 
+      allowed_actions :install, :upgrade, :remove
+
       property :package_name, String,
         description: "An optional property to set the package name if it differs from the resource block's name.",
         identity: true

data/lib/chef/resource/snap_package.rb

@@ -21,13 +21,14 @@ require_relative "package"
 class Chef
   class Resource
     class SnapPackage < Chef::Resource::Package
-      unified_mode true
 
       provides :snap_package
 
       description "Use the **snap_package** resource to manage snap packages on Debian and Ubuntu platforms."
       introduced "15.0"
 
+      allowed_actions :install, :upgrade, :remove, :purge
+
       property :channel, String,
         description: "The default channel. For example: stable.",
         default: "stable",

data/lib/chef/resource/solaris_package.rb

@@ -22,12 +22,13 @@ require_relative "package"
 class Chef
   class Resource
     class SolarisPackage < Chef::Resource::Package
-      unified_mode true
 
       provides :solaris_package
 
       description "Use the **solaris_package** resource to manage packages on the Solaris platform."
 
+      allowed_actions :install, :upgrade, :remove
+
       property :package_name, String,
         description: "An optional property to set the package name if it differs from the resource block's name.",
         identity: true

data/lib/chef/resource/ssh_known_hosts_entry.rb

@@ -23,7 +23,6 @@ require "chef-utils/dist" unless defined?(ChefUtils::Dist)
 class Chef
   class Resource
     class SshKnownHostsEntry < Chef::Resource
-      unified_mode true
 
       provides :ssh_known_hosts_entry
 

data/lib/chef/resource/sudo.rb

@@ -24,7 +24,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class Sudo < Chef::Resource
-      unified_mode true
 
       provides(:sudo) { true }
 

data/lib/chef/resource/support/client.erb

@@ -13,11 +13,10 @@
       @minimal_ohai
       @named_run_list
       @no_proxy
-      @ohai_disabled_plugins
-      @ohai_optional_plugins
       @pid_file
       @policy_group
       @policy_name
+      @rubygems_url
       @ssl_verify_mode
       @policy_persist_run_list).each do |prop| -%>
 <% next if instance_variable_get(prop).nil? || instance_variable_get(prop).empty? -%>
@@ -39,10 +38,10 @@ log_location <%= @log_location.inspect %>
 <% end -%>
 <%# These data_collector options are special as they have a '.' -%>
 <% unless @data_collector_server_url.nil? || @data_collector_server_url.empty? %>
-data_collector.server_url <%= @data_collector_server_url %>
+data_collector.server_url <%= @data_collector_server_url.inspect %>
 <% end %>
 <% unless @data_collector_token.nil? || @data_collector_token.empty? %>
-data_collector.token <%= @data_collector_token %>
+data_collector.token <%= @data_collector_token.inspect %>
 <% end %>
 <%# The code below is not DRY on purpose to improve readability -%>
 <% unless @start_handlers.empty? -%>

data/lib/chef/resource/swap_file.rb

@@ -20,7 +20,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class SwapFile < Chef::Resource
-      unified_mode true
 
       provides(:swap_file) { true }
 

data/lib/chef/resource/sysctl.rb

@@ -20,7 +20,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class Sysctl < Chef::Resource
-      unified_mode true
 
       provides(:sysctl) { true }
       provides(:sysctl_param) { true }
@@ -188,7 +187,7 @@ class Chef
 
           sysctl_lines << "#{new_resource.key} = #{new_resource.value}"
 
-          sysctl_lines.join("\n")
+          sysctl_lines.join("\n") + "\n"
         end
       end
 

data/lib/chef/resource/systemd_unit.rb

@@ -23,7 +23,6 @@ require "iniparse"
 class Chef
   class Resource
     class SystemdUnit < Chef::Resource
-      unified_mode true
 
       provides(:systemd_unit) { true }
 

data/lib/chef/resource/template.rb

@@ -34,7 +34,6 @@ class Chef
     # chef-client. This resource includes actions and properties from the file resource. Template files managed by the
     # template resource follow the same file specificity rules as the remote_file and file resources.
     class Template < Chef::Resource::File
-      unified_mode true
 
       provides :template
 

data/lib/chef/resource/timezone.rb

@@ -22,7 +22,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class Timezone < Chef::Resource
-      unified_mode true
 
       provides :timezone
 

data/lib/chef/resource/user/aix_user.rb

@@ -21,7 +21,6 @@ class Chef
   class Resource
     class User
       class AixUser < Chef::Resource::User
-        unified_mode true
 
         provides :aix_user
         provides :user, os: "aix"

data/lib/chef/resource/user/linux_user.rb

@@ -21,7 +21,6 @@ class Chef
   class Resource
     class User
       class LinuxUser < Chef::Resource::User
-        unified_mode true
 
         provides :linux_user
         provides :user, os: "linux"

data/lib/chef/resource/user/mac_user.rb

@@ -58,7 +58,6 @@ class Chef
       #   the 'password' property corresponds to a plaintext password and will
       #   attempt to use it in place of secure_token_password if it not set.
       class MacUser < Chef::Resource::User
-        unified_mode true
 
         provides :mac_user
         provides :user, platform: "mac_os_x"

data/lib/chef/resource/user/pw_user.rb

@@ -21,7 +21,6 @@ class Chef
   class Resource
     class User
       class PwUser < Chef::Resource::User
-        unified_mode true
 
         provides :pw_user
         provides :user, os: "freebsd"

data/lib/chef/resource/user/solaris_user.rb

@@ -21,7 +21,6 @@ class Chef
   class Resource
     class User
       class SolarisUser < Chef::Resource::User
-        unified_mode true
 
         provides :solaris_user
         provides :user, os: %w{omnios solaris2}

data/lib/chef/resource/user/windows_user.rb

@@ -21,7 +21,6 @@ class Chef
   class Resource
     class User
       class WindowsUser < Chef::Resource::User
-        unified_mode true
 
         provides :windows_user
         provides :user, os: "windows"

data/lib/chef/resource/user.rb

@@ -21,7 +21,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class User < Chef::Resource
-      unified_mode true
 
       description "Use the **user** resource to add users, update existing users, remove users, and to lock/unlock user passwords."
 
@@ -73,6 +72,16 @@ class Chef
         description: "The numeric group identifier."
 
       alias_method :group, :gid
+
+      property :expire_date, [ String, NilClass ],
+               description: "(Linux) The date on which the user account will be disabled. The date is specified in the format YYYY-MM-DD.",
+               introduced: "18.0",
+               desired_state: false
+
+      property :inactive, [ String, Integer, NilClass ],
+               description: "(Linux) The number of days after a password expires until the account is permanently disabled. A value of 0 disables the account as soon as the password has expired, and a value of -1 disables the feature.",
+               introduced: "18.0",
+               desired_state: false
     end
   end
 end

data/lib/chef/resource/user_ulimit.rb

@@ -22,7 +22,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class UserUlimit < Chef::Resource
-      unified_mode true
 
       provides :user_ulimit
 

data/lib/chef/resource/whyrun_safe_ruby_block.rb

@@ -20,7 +20,6 @@ class Chef
   class Resource
     class WhyrunSafeRubyBlock < Chef::Resource::RubyBlock
       provides :whyrun_safe_ruby_block
-      unified_mode true
     end
   end
 end

data/lib/chef/resource/windows_ad_join.rb

@@ -23,8 +23,6 @@ class Chef
     class WindowsAdJoin < Chef::Resource
       provides :windows_ad_join
 
-      unified_mode true
-
       description "Use the **windows_ad_join** resource to join a Windows Active Directory domain."
       introduced "14.0"
       examples <<~DOC

data/lib/chef/resource/windows_audit_policy.rb

@@ -83,8 +83,6 @@ class Chef
                                  "User Account Management",
                                 ].freeze
 
-      unified_mode true
-
       provides :windows_audit_policy
 
       description "Use the **windows_audit_policy** resource to configure system level and per-user Windows advanced audit policy settings."

data/lib/chef/resource/windows_auto_run.rb

@@ -21,7 +21,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsAutorun < Chef::Resource
-      unified_mode true
 
       provides(:windows_auto_run) { true }
 

data/lib/chef/resource/windows_certificate.rb

@@ -29,7 +29,6 @@ require "chef-utils/dist" unless defined?(ChefUtils::Dist)
 class Chef
   class Resource
     class WindowsCertificate < Chef::Resource
-      unified_mode true
 
       provides :windows_certificate
 
@@ -129,14 +128,14 @@ class Chef
       end
 
       action :delete, description: "Deletes a certificate." do
-        cert_obj = fetch_cert
+        cert_is_valid = verify_cert
 
-        if cert_obj
+        if cert_is_valid == true
           converge_by("Deleting certificate #{new_resource.source} from Store #{new_resource.store_name}") do
             delete_cert
           end
         else
-          Chef::Log.debug("Certificate not found")
+          Chef::Log.debug("Certificate Not Found")
         end
       end
 
@@ -146,17 +145,25 @@ class Chef
         end
 
         if ::File.extname(new_resource.output_path) == ".pfx"
-          powershell_exec!(pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_resource.output_path, password: new_resource.pfx_password ))
+
+          validated_thumbprint = validate_thumbprint(new_resource.source)
+          if validated_thumbprint != false # is the thumbprint valid
+            cert_obj = powershell_exec!(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_resource.output_path, password: new_resource.pfx_password ))
+          else
+            message = "While fetching the certificate, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
+            raise Chef::Exceptions::InvalidKeyAttribute, message
+          end
+
         else
           cert_obj = fetch_cert
         end
 
-        if cert_obj
+        if cert_obj != false && cert_obj != "Certificate Not Found"
           converge_by("Fetching certificate #{new_resource.source} from Store \\#{ps_cert_location}\\#{new_resource.store_name}") do
             export_cert(cert_obj, output_path: new_resource.output_path, store_name: new_resource.store_name , store_location: ps_cert_location, pfx_password: new_resource.pfx_password)
           end
         else
-          Chef::Log.debug("Certificate not found")
+          Chef::Log.debug("Certificate Not Found")
         end
       end
 
@@ -187,7 +194,7 @@ class Chef
 
         def delete_cert
           store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
-          store.delete(resolve_thumbprint(new_resource.source))
+          store.delete(validate_thumbprint(new_resource.source))
         end
 
         def fetch_cert
@@ -196,17 +203,16 @@ class Chef
             fetch_key
 
           else
-            store.get(resolve_thumbprint(new_resource.source), store_name: new_resource.store_name, store_location: native_cert_location)
+            store.get(validate_thumbprint(new_resource.source))
           end
         end
 
         def fetch_key
           require "openssl" unless defined?(OpenSSL)
           file_name = ::File.basename(new_resource.output_path, ::File.extname(new_resource.output_path))
-          directory = ::File.dirname(new_resource.output_path)
           pfx_file = file_name + ".pfx"
           new_pfx_output_path = ::File.join(Chef::FileCache.create_cache_path("pfx_files"), pfx_file)
-          powershell_exec(pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_pfx_output_path, password: new_resource.pfx_password ))
+          powershell_exec(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_pfx_output_path, password: new_resource.pfx_password ))
           pkcs12 = OpenSSL::PKCS12.new(::File.binread(new_pfx_output_path), new_resource.pfx_password)
           f = ::File.open(new_resource.output_path, "w")
           f.write(pkcs12.key.to_s)
@@ -245,10 +251,6 @@ class Chef
           ::File.file?(source)
         end
 
-        def is_file?(source)
-          ::File.file?(source)
-        end
-
         # Thumbprints should be exactly 40 Hex characters
         def valid_thumbprint?(string)
           string.match?(/[0-9A-Fa-f]/) && string.length == 40
@@ -261,29 +263,29 @@ class Chef
           GETTHUMBPRINTCODE
         end
 
-        def resolve_thumbprint(thumbprint)
-          return thumbprint if valid_thumbprint?(thumbprint)
-
-          powershell_exec!(get_thumbprint(new_resource.store_name, ps_cert_location, new_resource.source)).result
+        def validate_thumbprint(thumbprint)
+          # valid_thumbprint can return false under at least 2 conditions:
+          # one is that the thumbprint is in fact busted
+          # the second is that the thumbprint is valid but belongs to an expired certificate already installed
+          results = valid_thumbprint?(thumbprint)
+          results == true ? thumbprint : false
         end
 
-        # Checks whether a certificate with the given thumbprint
-        # is already present and valid in certificate store
-        # If the certificate is not present, verify_cert returns a String: "Certificate not found"
-        # But if it is present but expired, it returns a Boolean: false
-        # Otherwise, it returns a Boolean: true
-        # updated this method to accept either a subject name or a thumbprint - 1/29/2021
-
+        # Checks to make sure whether the cert is found or not
+        # if it IS found, is it still valid - has it expired?
         def verify_cert(thumbprint = new_resource.source)
           store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
-          if new_resource.pfx_password.nil?
-            store.valid?(resolve_thumbprint(thumbprint), store_location: native_cert_location, store_name: new_resource.store_name )
+          validated_thumbprint = validate_thumbprint(thumbprint)
+          if validated_thumbprint != false
+            result = store.valid?(thumbprint)
+            result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
           else
-            store.valid?(resolve_thumbprint(thumbprint), store_location: native_cert_location, store_name: new_resource.store_name)
+            message = "While verifying the certificate, was passed the following invalid certificate thumbprint : #{thumbprint}\n"
+            raise Chef::Exceptions::InvalidKeyAttribute, message
           end
         end
 
-        # this array structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores
+        # this structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores
         # Secondly, we need to pass the proper constant name for each store to win32-certstore but also pass the short name to powershell scripts used here
         def ps_cert_location
           new_resource.user_store ? "CurrentUser" : "LocalMachine"
@@ -436,7 +438,7 @@ class Chef
         end
 
         def export_cert(cert_obj, output_path:, store_name:, store_location:, pfx_password:)
-          # Delete the cert if it exists. This is non-destructive in that it only removes the file and not the entire path.
+          # Delete the cert if it exists on disk already.
           # We want to ensure we're not randomly loading an old stinky cert.
           if ::File.exists?(output_path)
             ::File.delete(output_path)
@@ -460,7 +462,20 @@ class Chef
             cert_out = shell_out("openssl x509 -text -inform DER -in #{cert_obj} -outform CRT").stdout
             out_file.puts(cert_out)
           when ".pfx"
-            pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: store_location, store_name: store_name, output_path: output_path, password: pfx_password )
+            validated_thumbprint = validate_thumbprint(new_resource.source)
+            if validated_thumbprint != false # is the thumbprint valid
+              store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
+              result = store.valid?(new_resource.source) # is there a cert in the store matching that thumbprint
+              temp = result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
+              if temp == true
+                pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: store_location, store_name: store_name, output_path: output_path, password: pfx_password )
+              else
+                Chef::Log.debug("The requested certificate is not found or has expired")
+              end
+            else
+              message = "While exporting the pfx, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
+              raise Chef::Exceptions::InvalidKeyAttribute, message
+            end
           when ".p7b"
             cert_out = shell_out("openssl pkcs7 -export -nokeys -in #{cert_obj.to_pem} -outform P7B").stdout
             out_file.puts(cert_out)
@@ -481,14 +496,11 @@ class Chef
         #
         def import_certificates(cert_objs, is_pfx, store_name: new_resource.store_name, store_location: native_cert_location)
           [cert_objs].flatten.each do |cert_obj|
-            # thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
-            # pkcs = OpenSSL::PKCS12.new(cert_obj, new_resource.pfx_password)
-            # cert = OpenSSL::X509::Certificate.new(pkcs.certificate.to_pem)
             thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
-            if is_pfx
-              if verify_cert(thumbprint) == true
-                Chef::Log.debug("Certificate is already present")
-              else
+            if verify_cert(thumbprint) == true
+              Chef::Log.debug("Certificate is already present")
+            elsif verify_cert(thumbprint) == false # Not found already in the CertStore
+              if is_pfx
                 if is_file?(new_resource.source)
                   converge_by("Creating a PFX #{new_resource.source} for Store #{new_resource.store_name}") do
                     add_pfx_cert(new_resource.source)
@@ -502,15 +514,14 @@ class Chef
                   message << exception.message
                   raise Chef::Exceptions::ArgumentError, message
                 end
-              end
-            else
-              if verify_cert(thumbprint) == true
-                Chef::Log.debug("Certificate is already present")
               else
                 converge_by("Creating a certificate #{new_resource.source} for Store #{new_resource.store_name}") do
                   add_cert(cert_obj)
                 end
               end
+            else
+              message = "Certificate could not be imported"
+              raise Chef::Exceptions::CertificateNotImportable, message
             end
           end
         end