chef 17.10.0 → 18.0.185
- checksums.yaml +4 -4
- data/Gemfile +16 -8
- data/README.md +7 -7
- data/Rakefile +5 -24
- data/{chef-universal-mingw32.gemspec → chef-universal-mingw-ucrt.gemspec} +7 -6
- data/chef.gemspec +14 -7
- data/lib/chef/api_client_v1.rb +9 -1
- data/lib/chef/application/exit_code.rb +3 -3
- data/lib/chef/client.rb +167 -0
- data/lib/chef/compliance/input.rb +1 -1
- data/lib/chef/compliance/input_collection.rb +1 -1
- data/lib/chef/compliance/profile.rb +1 -1
- data/lib/chef/compliance/profile_collection.rb +1 -2
- data/lib/chef/compliance/waiver.rb +1 -1
- data/lib/chef/compliance/waiver_collection.rb +1 -1
- data/lib/chef/cookbook/syntax_check.rb +2 -2
- data/lib/chef/dsl/reader_helpers.rb +1 -1
- data/lib/chef/dsl/rest_resource.rb +77 -0
- data/lib/chef/dsl/secret.rb +113 -5
- data/lib/chef/event_dispatch/base.rb +3 -0
- data/lib/chef/exceptions.rb +8 -0
- data/lib/chef/http/authenticator.rb +170 -3
- data/lib/chef/http/ssl_policies.rb +3 -3
- data/lib/chef/mixin/checksum.rb +6 -0
- data/lib/chef/mixin/powershell_exec.rb +5 -28
- data/lib/chef/mixin/properties.rb +6 -0
- data/lib/chef/node/attribute.rb +20 -3
- data/lib/chef/node/mixin/deep_merge_cache.rb +4 -4
- data/lib/chef/node/mixin/immutablize_array.rb +1 -0
- data/lib/chef/property.rb +5 -3
- data/lib/chef/provider/cron.rb +5 -1
- data/lib/chef/provider/file.rb +2 -2
- data/lib/chef/provider/group/windows.rb +1 -1
- data/lib/chef/provider/http_request.rb +11 -9
- data/lib/chef/provider/mount/linux.rb +5 -0
- data/lib/chef/provider/mount/mount.rb +8 -0
- data/lib/chef/provider/mount/windows.rb +1 -1
- data/lib/chef/provider/package/powershell.rb +1 -1
- data/lib/chef/provider/package/rubygems.rb +1 -1
- data/lib/chef/provider/package/snap.rb +1 -1
- data/lib/chef/provider/package/windows/msi.rb +2 -2
- data/lib/chef/provider/package/windows/registry_uninstall_entry.rb +1 -1
- data/lib/chef/provider/package/windows.rb +1 -1
- data/lib/chef/provider/package/zypper/version.rb +60 -0
- data/lib/chef/provider/package/zypper.rb +47 -3
- data/lib/chef/provider/service/windows.rb +1 -1
- data/lib/chef/provider/user/aix.rb +5 -0
- data/lib/chef/provider/user/linux.rb +29 -0
- data/lib/chef/provider/user/mac.rb +1 -1
- data/lib/chef/provider/user.rb +45 -9
- data/lib/chef/provider.rb +1 -1
- data/lib/chef/recipe.rb +1 -1
- data/lib/chef/resource/_rest_resource.rb +389 -0
- data/lib/chef/resource/alternatives.rb +0 -1
- data/lib/chef/resource/apt_package.rb +2 -1
- data/lib/chef/resource/apt_preference.rb +0 -1
- data/lib/chef/resource/apt_repository.rb +0 -1
- data/lib/chef/resource/apt_update.rb +0 -1
- data/lib/chef/resource/archive_file.rb +0 -1
- data/lib/chef/resource/bash.rb +0 -1
- data/lib/chef/resource/batch.rb +0 -1
- data/lib/chef/resource/bff_package.rb +0 -1
- data/lib/chef/resource/breakpoint.rb +0 -1
- data/lib/chef/resource/build_essential.rb +0 -1
- data/lib/chef/resource/cab_package.rb +0 -1
- data/lib/chef/resource/chef_client_config.rb +17 -14
- data/lib/chef/resource/chef_client_cron.rb +1 -2
- data/lib/chef/resource/chef_client_launchd.rb +2 -2
- data/lib/chef/resource/chef_client_scheduled_task.rb +3 -3
- data/lib/chef/resource/chef_client_systemd_timer.rb +0 -1
- data/lib/chef/resource/chef_client_trusted_certificate.rb +0 -1
- data/lib/chef/resource/chef_gem.rb +0 -1
- data/lib/chef/resource/chef_handler.rb +0 -1
- data/lib/chef/resource/chef_sleep.rb +1 -3
- data/lib/chef/resource/chef_vault_secret.rb +0 -1
- data/lib/chef/resource/chocolatey_config.rb +0 -1
- data/lib/chef/resource/chocolatey_feature.rb +0 -1
- data/lib/chef/resource/chocolatey_package.rb +0 -1
- data/lib/chef/resource/chocolatey_source.rb +0 -1
- data/lib/chef/resource/cookbook_file.rb +0 -1
- data/lib/chef/resource/cron/_cron_shared.rb +0 -1
- data/lib/chef/resource/cron/cron.rb +0 -1
- data/lib/chef/resource/cron/cron_d.rb +15 -1
- data/lib/chef/resource/cron_access.rb +0 -1
- data/lib/chef/resource/csh.rb +0 -1
- data/lib/chef/resource/directory.rb +0 -1
- data/lib/chef/resource/dmg_package.rb +2 -1
- data/lib/chef/resource/dnf_package.rb +0 -1
- data/lib/chef/resource/dpkg_package.rb +0 -1
- data/lib/chef/resource/dsc_resource.rb +0 -1
- data/lib/chef/resource/dsc_script.rb +0 -1
- data/lib/chef/resource/execute.rb +0 -1
- data/lib/chef/resource/file.rb +0 -1
- data/lib/chef/resource/freebsd_package.rb +2 -1
- data/lib/chef/resource/gem_package.rb +2 -1
- data/lib/chef/resource/group.rb +25 -2
- data/lib/chef/resource/habitat/habitat_package.rb +0 -1
- data/lib/chef/resource/habitat/habitat_sup.rb +6 -7
- data/lib/chef/resource/habitat/habitat_sup_windows.rb +1 -1
- data/lib/chef/resource/habitat_config.rb +0 -1
- data/lib/chef/resource/habitat_install.rb +0 -1
- data/lib/chef/resource/habitat_service.rb +0 -1
- data/lib/chef/resource/habitat_user_toml.rb +0 -1
- data/lib/chef/resource/homebrew_cask.rb +0 -1
- data/lib/chef/resource/homebrew_package.rb +2 -1
- data/lib/chef/resource/homebrew_tap.rb +0 -1
- data/lib/chef/resource/homebrew_update.rb +0 -2
- data/lib/chef/resource/hostname.rb +0 -1
- data/lib/chef/resource/http_request.rb +0 -1
- data/lib/chef/resource/ifconfig.rb +0 -1
- data/lib/chef/resource/inspec_input.rb +0 -1
- data/lib/chef/resource/inspec_waiver.rb +0 -1
- data/lib/chef/resource/inspec_waiver_file_entry.rb +2 -3
- data/lib/chef/resource/ips_package.rb +0 -1
- data/lib/chef/resource/kernel_module.rb +0 -1
- data/lib/chef/resource/ksh.rb +0 -1
- data/lib/chef/resource/launchd.rb +0 -1
- data/lib/chef/resource/link.rb +0 -1
- data/lib/chef/resource/locale.rb +1 -2
- data/lib/chef/resource/log.rb +0 -1
- data/lib/chef/resource/lwrp_base.rb +0 -4
- data/lib/chef/resource/macos_userdefaults.rb +0 -1
- data/lib/chef/resource/macosx_service.rb +0 -1
- data/lib/chef/resource/macports_package.rb +2 -1
- data/lib/chef/resource/mdadm.rb +0 -1
- data/lib/chef/resource/mount.rb +0 -1
- data/lib/chef/resource/msu_package.rb +0 -1
- data/lib/chef/resource/notify_group.rb +0 -2
- data/lib/chef/resource/ohai.rb +0 -1
- data/lib/chef/resource/ohai_hint.rb +0 -1
- data/lib/chef/resource/openbsd_package.rb +2 -1
- data/lib/chef/resource/openssl_dhparam.rb +0 -2
- data/lib/chef/resource/openssl_ec_private_key.rb +0 -2
- data/lib/chef/resource/openssl_ec_public_key.rb +0 -2
- data/lib/chef/resource/openssl_rsa_private_key.rb +0 -2
- data/lib/chef/resource/openssl_rsa_public_key.rb +0 -2
- data/lib/chef/resource/openssl_x509_certificate.rb +0 -2
- data/lib/chef/resource/openssl_x509_crl.rb +0 -2
- data/lib/chef/resource/openssl_x509_request.rb +0 -2
- data/lib/chef/resource/osx_profile.rb +0 -1
- data/lib/chef/resource/package.rb +0 -1
- data/lib/chef/resource/pacman_package.rb +2 -1
- data/lib/chef/resource/paludis_package.rb +0 -1
- data/lib/chef/resource/perl.rb +0 -1
- data/lib/chef/resource/plist.rb +7 -3
- data/lib/chef/resource/portage_package.rb +2 -1
- data/lib/chef/resource/powershell_package.rb +0 -1
- data/lib/chef/resource/powershell_package_source.rb +0 -1
- data/lib/chef/resource/powershell_script.rb +0 -1
- data/lib/chef/resource/python.rb +0 -1
- data/lib/chef/resource/reboot.rb +0 -1
- data/lib/chef/resource/registry_key.rb +0 -1
- data/lib/chef/resource/remote_directory.rb +0 -1
- data/lib/chef/resource/remote_file.rb +0 -1
- data/lib/chef/resource/rhsm_errata.rb +0 -1
- data/lib/chef/resource/rhsm_errata_level.rb +0 -1
- data/lib/chef/resource/rhsm_register.rb +17 -1
- data/lib/chef/resource/rhsm_repo.rb +0 -1
- data/lib/chef/resource/rhsm_subscription.rb +0 -1
- data/lib/chef/resource/route.rb +0 -1
- data/lib/chef/resource/rpm_package.rb +2 -1
- data/lib/chef/resource/ruby.rb +0 -1
- data/lib/chef/resource/ruby_block.rb +0 -1
- data/lib/chef/resource/scm/_scm.rb +0 -2
- data/lib/chef/resource/scm/git.rb +0 -2
- data/lib/chef/resource/scm/subversion.rb +0 -2
- data/lib/chef/resource/script.rb +0 -1
- data/lib/chef/resource/selinux/common_helpers.rb +47 -0
- data/lib/chef/resource/selinux/selinux_debian.erb +18 -0
- data/lib/chef/resource/selinux/selinux_default.erb +15 -0
- data/lib/chef/resource/selinux_boolean.rb +101 -0
- data/lib/chef/resource/selinux_fcontext.rb +160 -0
- data/lib/chef/resource/selinux_install.rb +107 -0
- data/lib/chef/resource/selinux_module.rb +143 -0
- data/lib/chef/resource/selinux_permissive.rb +64 -0
- data/lib/chef/resource/selinux_port.rb +118 -0
- data/lib/chef/resource/selinux_state.rb +166 -0
- data/lib/chef/resource/service.rb +0 -1
- data/lib/chef/resource/smartos_package.rb +2 -1
- data/lib/chef/resource/snap_package.rb +2 -1
- data/lib/chef/resource/solaris_package.rb +2 -1
- data/lib/chef/resource/ssh_known_hosts_entry.rb +0 -1
- data/lib/chef/resource/sudo.rb +0 -1
- data/lib/chef/resource/support/client.erb +3 -4
- data/lib/chef/resource/swap_file.rb +0 -1
- data/lib/chef/resource/sysctl.rb +1 -2
- data/lib/chef/resource/systemd_unit.rb +0 -1
- data/lib/chef/resource/template.rb +0 -1
- data/lib/chef/resource/timezone.rb +0 -1
- data/lib/chef/resource/user/aix_user.rb +0 -1
- data/lib/chef/resource/user/linux_user.rb +0 -1
- data/lib/chef/resource/user/mac_user.rb +0 -1
- data/lib/chef/resource/user/pw_user.rb +0 -1
- data/lib/chef/resource/user/solaris_user.rb +0 -1
- data/lib/chef/resource/user/windows_user.rb +0 -1
- data/lib/chef/resource/user.rb +10 -1
- data/lib/chef/resource/user_ulimit.rb +0 -1
- data/lib/chef/resource/whyrun_safe_ruby_block.rb +0 -1
- data/lib/chef/resource/windows_ad_join.rb +0 -2
- data/lib/chef/resource/windows_audit_policy.rb +0 -2
- data/lib/chef/resource/windows_auto_run.rb +0 -1
- data/lib/chef/resource/windows_certificate.rb +54 -43
- data/lib/chef/resource/windows_defender.rb +0 -1
- data/lib/chef/resource/windows_defender_exclusion.rb +0 -1
- data/lib/chef/resource/windows_dfs_folder.rb +0 -1
- data/lib/chef/resource/windows_dfs_namespace.rb +0 -1
- data/lib/chef/resource/windows_dfs_server.rb +0 -1
- data/lib/chef/resource/windows_dns_record.rb +0 -1
- data/lib/chef/resource/windows_dns_zone.rb +0 -1
- data/lib/chef/resource/windows_env.rb +0 -1
- data/lib/chef/resource/windows_feature.rb +0 -1
- data/lib/chef/resource/windows_feature_dism.rb +0 -1
- data/lib/chef/resource/windows_feature_powershell.rb +0 -1
- data/lib/chef/resource/windows_firewall_profile.rb +0 -2
- data/lib/chef/resource/windows_firewall_rule.rb +0 -1
- data/lib/chef/resource/windows_font.rb +2 -3
- data/lib/chef/resource/windows_package.rb +3 -4
- data/lib/chef/resource/windows_pagefile.rb +27 -22
- data/lib/chef/resource/windows_path.rb +0 -1
- data/lib/chef/resource/windows_printer.rb +0 -1
- data/lib/chef/resource/windows_printer_port.rb +0 -1
- data/lib/chef/resource/windows_script.rb +0 -2
- data/lib/chef/resource/windows_security_policy.rb +0 -1
- data/lib/chef/resource/windows_service.rb +0 -1
- data/lib/chef/resource/windows_share.rb +0 -1
- data/lib/chef/resource/windows_shortcut.rb +1 -2
- data/lib/chef/resource/windows_task.rb +0 -1
- data/lib/chef/resource/windows_uac.rb +0 -1
- data/lib/chef/resource/windows_update_settings.rb +0 -1
- data/lib/chef/resource/windows_user_privilege.rb +36 -27
- data/lib/chef/resource/windows_workgroup.rb +0 -1
- data/lib/chef/resource/yum_package.rb +2 -1
- data/lib/chef/resource/yum_repository.rb +0 -1
- data/lib/chef/resource/zypper_package.rb +2 -1
- data/lib/chef/resource/zypper_repository.rb +0 -1
- data/lib/chef/resource.rb +13 -5
- data/lib/chef/resources.rb +7 -0
- data/lib/chef/run_context.rb +19 -3
- data/lib/chef/secret_fetcher/azure_key_vault.rb +3 -3
- data/lib/chef/secret_fetcher/hashi_vault.rb +1 -1
- data/lib/chef/version.rb +1 -1
- data/lib/chef/win32/handle.rb +6 -7
- data/lib/chef/win32/registry.rb +7 -3
- data/lib/chef/win32/version.rb +2 -1
- data/spec/data/rubygems.org/sexp_processor-info +2 -1
- data/spec/functional/resource/dsc_script_spec.rb +1 -1
- data/spec/functional/resource/group_spec.rb +10 -6
- data/spec/functional/resource/link_spec.rb +8 -8
- data/spec/functional/resource/plist_spec.rb +25 -0
- data/spec/functional/resource/user/linux_user_spec.rb +127 -0
- data/spec/functional/resource/windows_certificate_spec.rb +15 -12
- data/spec/functional/resource/windows_font_spec.rb +11 -8
- data/spec/functional/resource/windows_pagefile_spec.rb +31 -4
- data/spec/functional/resource/zypper_package_spec.rb +12 -0
- data/spec/functional/shell_spec.rb +7 -2
- data/spec/functional/version_spec.rb +1 -1
- data/spec/integration/client/client_spec.rb +82 -3
- data/spec/integration/client/exit_code_spec.rb +1 -1
- data/spec/integration/client/ipv6_spec.rb +1 -1
- data/spec/integration/compliance/compliance_spec.rb +1 -1
- data/spec/integration/recipes/accumulator_spec.rb +1 -1
- data/spec/integration/recipes/lwrp_inline_resources_spec.rb +1 -1
- data/spec/integration/recipes/lwrp_spec.rb +1 -1
- data/spec/integration/recipes/notifies_spec.rb +1 -1
- data/spec/integration/recipes/notifying_block_spec.rb +1 -1
- data/spec/integration/recipes/remote_directory.rb +1 -1
- data/spec/integration/recipes/unified_mode_spec.rb +1 -1
- data/spec/integration/recipes/use_partial_spec.rb +2 -1
- data/spec/integration/solo/solo_spec.rb +2 -2
- data/spec/spec_helper.rb +1 -0
- data/spec/support/platform_helpers.rb +4 -0
- data/spec/support/ruby_installer.rb +1 -1
- data/spec/support/shared/functional/windows_script.rb +2 -2
- data/spec/unit/application/client_spec.rb +0 -10
- data/spec/unit/client_spec.rb +54 -2
- data/spec/unit/cookbook/syntax_check_spec.rb +3 -0
- data/spec/unit/daemon_spec.rb +1 -5
- data/spec/unit/dsl/secret_spec.rb +127 -23
- data/spec/unit/http/authenticator_spec.rb +68 -0
- data/spec/unit/mixin/checksum_spec.rb +28 -0
- data/spec/unit/mixin/powershell_exec_spec.rb +5 -5
- data/spec/unit/platform/query_helpers_spec.rb +2 -17
- data/spec/unit/provider/cron_spec.rb +36 -0
- data/spec/unit/provider/http_request_spec.rb +60 -72
- data/spec/unit/provider/mount/linux_spec.rb +10 -0
- data/spec/unit/provider/package/rubygems_spec.rb +2 -2
- data/spec/unit/provider/package/zypper_spec.rb +32 -0
- data/spec/unit/provider/user/linux_spec.rb +96 -1
- data/spec/unit/provider/user_spec.rb +24 -6
- data/spec/unit/resource/archive_file_spec.rb +1 -1
- data/spec/unit/resource/chef_client_config_spec.rb +8 -0
- data/spec/unit/resource/chef_client_cron_spec.rb +5 -0
- data/spec/unit/resource/chef_client_launchd_spec.rb +5 -0
- data/spec/unit/resource/chef_client_scheduled_task_spec.rb +5 -0
- data/spec/unit/resource/chef_client_systemd_timer_spec.rb +1 -1
- data/spec/unit/resource/cron_d_spec.rb +37 -1
- data/spec/unit/resource/rest_resource_spec.rb +381 -0
- data/spec/unit/resource/selinux_boolean_spec.rb +92 -0
- data/spec/unit/resource/selinux_fcontext_spec.rb +65 -0
- data/spec/unit/resource/selinux_install_spec.rb +60 -0
- data/spec/unit/resource/selinux_module_spec.rb +55 -0
- data/spec/unit/resource/selinux_permissive_spec.rb +39 -0
- data/spec/unit/resource/selinux_port_spec.rb +42 -0
- data/spec/unit/resource/selinux_state_spec.rb +46 -0
- data/spec/unit/resource/sysctl_spec.rb +2 -2
- data/spec/unit/resource/user/linux_user_spec.rb +42 -0
- data/spec/unit/resource_spec.rb +21 -1
- data/spec/unit/run_context_spec.rb +16 -0
- data/spec/unit/util/dsc/local_configuration_manager_spec.rb +1 -1
- data/tasks/rspec.rb +1 -1
- metadata +87 -27
@@ -0,0 +1,166 @@
|
|
1
|
+
#
|
2
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
3
|
+
# you may not use this file except in compliance with the License.
|
4
|
+
# You may obtain a copy of the License at
|
5
|
+
#
|
6
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
7
|
+
#
|
8
|
+
# Unless required by applicable law or agreed to in writing, software
|
9
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
10
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
11
|
+
# See the License for the specific language governing permissions and
|
12
|
+
# limitations under the License.
|
13
|
+
|
14
|
+
require_relative "../resource"
|
15
|
+
require_relative "selinux/common_helpers"
|
16
|
+
|
17
|
+
class Chef
|
18
|
+
class Resource
|
19
|
+
class SelinuxState < Chef::Resource
|
20
|
+
unified_mode true
|
21
|
+
|
22
|
+
provides :selinux_state
|
23
|
+
|
24
|
+
description "Use **selinux_state** resource to manages the SELinux state on the system. It does this by using the `setenforce` command and rendering the `/etc/selinux/config` file from a template."
|
25
|
+
introduced "18.0"
|
26
|
+
examples <<~DOC
|
27
|
+
**Set SELinux state to permissive**:
|
28
|
+
|
29
|
+
```ruby
|
30
|
+
selinux_state 'permissive' do
|
31
|
+
action :permissive
|
32
|
+
end
|
33
|
+
```
|
34
|
+
|
35
|
+
**Set SELinux state to enforcing**:
|
36
|
+
|
37
|
+
```ruby
|
38
|
+
selinux_state 'enforcing' do
|
39
|
+
action :enforcing
|
40
|
+
end
|
41
|
+
```
|
42
|
+
|
43
|
+
**Set SELinux state to disabled**:
|
44
|
+
```ruby
|
45
|
+
selinux_state 'disabled' do
|
46
|
+
action :disabled
|
47
|
+
end
|
48
|
+
```
|
49
|
+
DOC
|
50
|
+
|
51
|
+
default_action :nothing
|
52
|
+
|
53
|
+
property :config_file, String,
|
54
|
+
default: "/etc/selinux/config",
|
55
|
+
description: "Path to SELinux config file on disk."
|
56
|
+
|
57
|
+
property :persistent, [true, false],
|
58
|
+
default: true,
|
59
|
+
description: "Persist status update to the selinux configuration file."
|
60
|
+
|
61
|
+
property :policy, String,
|
62
|
+
default: lazy { default_policy_platform },
|
63
|
+
equal_to: %w{default minimum mls src strict targeted},
|
64
|
+
description: "SELinux policy type."
|
65
|
+
|
66
|
+
property :automatic_reboot, [true, false, Symbol],
|
67
|
+
default: false,
|
68
|
+
description: "Perform an automatic node reboot if required for state change."
|
69
|
+
|
70
|
+
deprecated_property_alias "temporary", "persistent", "The temporary property was renamed persistent in the 4.0 release of this cookbook. Please update your cookbooks to use the new property name."
|
71
|
+
|
72
|
+
action_class do
|
73
|
+
include Chef::SELinux::CommonHelpers
|
74
|
+
def render_selinux_template(action)
|
75
|
+
Chef::Log.warn("It is advised to set the configuration first to permissive to relabel the filesystem prior to enforcing.") if selinux_disabled? && action == :enforcing
|
76
|
+
|
77
|
+
unless new_resource.automatic_reboot
|
78
|
+
Chef::Log.warn("Changes from disabled require a reboot.") if selinux_disabled? && %i{enforcing permissive}.include?(action)
|
79
|
+
Chef::Log.warn("Disabling selinux requires a reboot.") if (selinux_enforcing? || selinux_permissive?) && action == :disabled
|
80
|
+
end
|
81
|
+
|
82
|
+
template "#{action} selinux config" do
|
83
|
+
path new_resource.config_file
|
84
|
+
source debian? ? ::File.expand_path("selinux/selinux_debian.erb", __dir__) : ::File.expand_path("selinux/selinux_default.erb", __dir__)
|
85
|
+
local true
|
86
|
+
variables(
|
87
|
+
selinux: action.to_s,
|
88
|
+
selinuxtype: new_resource.policy
|
89
|
+
)
|
90
|
+
end
|
91
|
+
end
|
92
|
+
|
93
|
+
def node_selinux_restart
|
94
|
+
unless new_resource.automatic_reboot
|
95
|
+
Chef::Log.warn("SELinux state change to #{action} requires a manual reboot as SELinux is currently #{selinux_state} and automatic reboots are disabled.")
|
96
|
+
return
|
97
|
+
end
|
98
|
+
|
99
|
+
outer_action = action
|
100
|
+
reboot "selinux_state_change" do
|
101
|
+
delay_mins 1
|
102
|
+
reason "SELinux state change to #{outer_action} from #{selinux_state}"
|
103
|
+
|
104
|
+
action new_resource.automatic_reboot.is_a?(Symbol) ? new_resource.automatic_reboot : :reboot_now
|
105
|
+
end
|
106
|
+
end
|
107
|
+
end
|
108
|
+
|
109
|
+
action :enforcing, description: "Set the SELinux state to enforcing." do
|
110
|
+
unless selinux_disabled? || selinux_enforcing?
|
111
|
+
execute "selinux-setenforce-enforcing" do
|
112
|
+
command "/usr/sbin/setenforce 1"
|
113
|
+
end
|
114
|
+
end
|
115
|
+
|
116
|
+
if selinux_activate_required?
|
117
|
+
execute "debian-selinux-activate" do
|
118
|
+
command "/usr/sbin/selinux-activate"
|
119
|
+
end
|
120
|
+
end
|
121
|
+
|
122
|
+
render_selinux_template(action) if new_resource.persistent
|
123
|
+
node_selinux_restart if state_change_reboot_required?
|
124
|
+
end
|
125
|
+
|
126
|
+
action :permissive, description: "Set the SELinux state to permissive." do
|
127
|
+
unless selinux_disabled? || selinux_permissive?
|
128
|
+
execute "selinux-setenforce-permissive" do
|
129
|
+
command "/usr/sbin/setenforce 0"
|
130
|
+
end
|
131
|
+
end
|
132
|
+
|
133
|
+
if selinux_activate_required?
|
134
|
+
execute "debian-selinux-activate" do
|
135
|
+
command "/usr/sbin/selinux-activate"
|
136
|
+
end
|
137
|
+
end
|
138
|
+
|
139
|
+
render_selinux_template(action) if new_resource.persistent
|
140
|
+
node_selinux_restart if state_change_reboot_required?
|
141
|
+
end
|
142
|
+
|
143
|
+
action :disabled, description: "Set the SELinux state to disabled. **NOTE**: Switching to or from disabled requires a reboot!" do
|
144
|
+
raise "A non-persistent change to the disabled SELinux status is not possible." unless new_resource.persistent
|
145
|
+
|
146
|
+
render_selinux_template(action)
|
147
|
+
node_selinux_restart if state_change_reboot_required?
|
148
|
+
end
|
149
|
+
|
150
|
+
private
|
151
|
+
|
152
|
+
#
|
153
|
+
# Decide default policy platform based upon platform_family
|
154
|
+
#
|
155
|
+
# @return [String] Policy platform name
|
156
|
+
def default_policy_platform
|
157
|
+
case node["platform_family"]
|
158
|
+
when "rhel", "fedora", "amazon"
|
159
|
+
"targeted"
|
160
|
+
when "debian"
|
161
|
+
"default"
|
162
|
+
end
|
163
|
+
end
|
164
|
+
end
|
165
|
+
end
|
166
|
+
end
|
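Review bot: The `template "#{action} selinux config"` block in `render_selinux_template` sets only `path`, `source`, `local` and `variables`, so when `/etc/selinux/config` does not yet exist the file is created with whatever the process umask yields rather than an explicitly managed `root:root 0644`; add `owner "root"`, `group "root"` and `mode "0644"` so ownership and permissions of the policy config are under the resource's control. `default_policy_platform` has no `else` branch, so on a platform family other than rhel/fedora/amazon/debian the lazy default for `policy` is nil and `SELINUXTYPE` would presumably render empty; failing early there, e.g. `else raise Chef::Exceptions::ValidationFailed, "selinux_state: no default policy for platform_family #{node["platform_family"]}, set the policy property"`, is clearer than a half-written config. `automatic_reboot` accepts any Symbol but only forwards it as the `reboot` action, so an unsupported symbol fails at converge rather than at validation; a `callbacks:` check against `%i{request_reboot reboot_now}` would surface that earlier. The description string also reads "to manages the SELinux state" and should read "to manage".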
@@ -21,13 +21,14 @@ require_relative "package"
|
|
21
21
|
class Chef
|
22
22
|
class Resource
|
23
23
|
class SmartosPackage < Chef::Resource::Package
|
24
|
-
unified_mode true
|
25
24
|
|
26
25
|
provides :smartos_package
|
27
26
|
provides :package, platform_family: "smartos"
|
28
27
|
|
29
28
|
description "Use the **smartos_package** resource to manage packages for the SmartOS platform."
|
30
29
|
|
30
|
+
allowed_actions :install, :upgrade, :remove
|
31
|
+
|
31
32
|
property :package_name, String,
|
32
33
|
description: "An optional property to set the package name if it differs from the resource block's name.",
|
33
34
|
identity: true
|
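Review bot: `allowed_actions :install, :upgrade, :remove` on `SmartosPackage` most likely does not restrict anything: as far as I recall, `Chef::Resource.allowed_actions` called in a subclass unions the given list with the superclass's, so `Package`'s `:purge`, `:lock` and similar still pass resource validation and only fail later in the provider. If the intent is documentation for the generated resource reference, a short comment saying so would help, e.g. `# Documented subset of the package actions this provider implements; does not narrow the inherited list.`; if the intent is to reject unsupported actions, that needs a different mechanism and should be confirmed against the base class. The same applies to the `SnapPackage` and `SolarisPackage` hunks that follow.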
@@ -21,13 +21,14 @@ require_relative "package"
|
|
21
21
|
class Chef
|
22
22
|
class Resource
|
23
23
|
class SnapPackage < Chef::Resource::Package
|
24
|
-
unified_mode true
|
25
24
|
|
26
25
|
provides :snap_package
|
27
26
|
|
28
27
|
description "Use the **snap_package** resource to manage snap packages on Debian and Ubuntu platforms."
|
29
28
|
introduced "15.0"
|
30
29
|
|
30
|
+
allowed_actions :install, :upgrade, :remove, :purge
|
31
|
+
|
31
32
|
property :channel, String,
|
32
33
|
description: "The default channel. For example: stable.",
|
33
34
|
default: "stable",
|
@@ -22,12 +22,13 @@ require_relative "package"
|
|
22
22
|
class Chef
|
23
23
|
class Resource
|
24
24
|
class SolarisPackage < Chef::Resource::Package
|
25
|
-
unified_mode true
|
26
25
|
|
27
26
|
provides :solaris_package
|
28
27
|
|
29
28
|
description "Use the **solaris_package** resource to manage packages on the Solaris platform."
|
30
29
|
|
30
|
+
allowed_actions :install, :upgrade, :remove
|
31
|
+
|
31
32
|
property :package_name, String,
|
32
33
|
description: "An optional property to set the package name if it differs from the resource block's name.",
|
33
34
|
identity: true
|
data/lib/chef/resource/sudo.rb
CHANGED
@@ -13,11 +13,10 @@
|
|
13
13
|
@minimal_ohai
|
14
14
|
@named_run_list
|
15
15
|
@no_proxy
|
16
|
-
@ohai_disabled_plugins
|
17
|
-
@ohai_optional_plugins
|
18
16
|
@pid_file
|
19
17
|
@policy_group
|
20
18
|
@policy_name
|
19
|
+
@rubygems_url
|
21
20
|
@ssl_verify_mode
|
22
21
|
@policy_persist_run_list).each do |prop| -%>
|
23
22
|
<% next if instance_variable_get(prop).nil? || instance_variable_get(prop).empty? -%>
|
@@ -39,10 +38,10 @@ log_location <%= @log_location.inspect %>
|
|
39
38
|
<% end -%>
|
40
39
|
<%# These data_collector options are special as they have a '.' -%>
|
41
40
|
<% unless @data_collector_server_url.nil? || @data_collector_server_url.empty? %>
|
42
|
-
data_collector.server_url <%= @data_collector_server_url %>
|
41
|
+
data_collector.server_url <%= @data_collector_server_url.inspect %>
|
43
42
|
<% end %>
|
44
43
|
<% unless @data_collector_token.nil? || @data_collector_token.empty? %>
|
45
|
-
data_collector.token <%= @data_collector_token %>
|
44
|
+
data_collector.token <%= @data_collector_token.inspect %>
|
46
45
|
<% end %>
|
47
46
|
<%# The code below is not DRY on purpose to improve readability -%>
|
48
47
|
<% unless @start_handlers.empty? -%>
|
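Review bot: `data_collector.token <%= @data_collector_token.inspect %>` writes the Data Collector token into the rendered client configuration as a quoted Ruby string; quoting via `inspect` fixes the bare-value rendering, but the file this template produces carries a credential, so the resource that writes it (not visible here) should set a restrictive mode and the rendered output should be kept out of any debug logging. `inspect` also presumes both values are Strings; the surrounding `nil? || empty?` guards suggest that is the case, but a non-String value (a URI object, say) would now render as its `#<...>` form. Note that this section is headed `data/lib/chef/resource/sudo.rb`, while its ERB content and the `+3 -4` count match `data/lib/chef/resource/support/client.erb` in the diffstat.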
data/lib/chef/resource/sysctl.rb
CHANGED
@@ -20,7 +20,6 @@ require_relative "../resource"
|
|
20
20
|
class Chef
|
21
21
|
class Resource
|
22
22
|
class Sysctl < Chef::Resource
|
23
|
-
unified_mode true
|
24
23
|
|
25
24
|
provides(:sysctl) { true }
|
26
25
|
provides(:sysctl_param) { true }
|
@@ -188,7 +187,7 @@ class Chef
|
|
188
187
|
|
189
188
|
sysctl_lines << "#{new_resource.key} = #{new_resource.value}"
|
190
189
|
|
191
|
-
sysctl_lines.join("\n")
|
190
|
+
sysctl_lines.join("\n") + "\n"
|
192
191
|
end
|
193
192
|
end
|
194
193
|
|
@@ -34,7 +34,6 @@ class Chef
|
|
34
34
|
# chef-client. This resource includes actions and properties from the file resource. Template files managed by the
|
35
35
|
# template resource follow the same file specificity rules as the remote_file and file resources.
|
36
36
|
class Template < Chef::Resource::File
|
37
|
-
unified_mode true
|
38
37
|
|
39
38
|
provides :template
|
40
39
|
|
@@ -58,7 +58,6 @@ class Chef
|
|
58
58
|
# the 'password' property corresponds to a plaintext password and will
|
59
59
|
# attempt to use it in place of secure_token_password if it not set.
|
60
60
|
class MacUser < Chef::Resource::User
|
61
|
-
unified_mode true
|
62
61
|
|
63
62
|
provides :mac_user
|
64
63
|
provides :user, platform: "mac_os_x"
|
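--- a/data/lib/chef/resource/user.rb
+++ b/data/lib/chef/resource/user.rb
@@ -21,7 +21,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class User < Chef::Resource
-      unified_mode true
 
       description "Use the **user** resource to add users, update existing users, remove users, and to lock/unlock user passwords."
 
@@ -73,6 +72,16 @@ class Chef
         description: "The numeric group identifier."
 
       alias_method :group, :gid
+
+      property :expire_date, [ String, NilClass ],
+        description: "(Linux) The date on which the user account will be disabled. The date is specified in the format YYYY-MM-DD.",
+        introduced: "18.0",
+        desired_state: false
+
+      property :inactive, [ String, Integer, NilClass ],
+        description: "(Linux) The number of days after a password expires until the account is permanently disabled. A value of 0 disables the account as soon as the password has expired, and a value of -1 disables the feature.",
+        introduced: "18.0",
+        desired_state: false
     end
   end
 end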
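Review bot: `expire_date` is documented as `YYYY-MM-DD` but nothing enforces it, and `inactive` accepts any String, so a malformed value is only caught — if at all — when the Linux provider (not in this section) hands it to the user-management command; validate at the property instead, e.g. `regex: /\A\d{4}-\d{2}-\d{2}\z/` on `expire_date` and `callbacks: { "must be an integer >= -1" => ->(v) { v.nil? || (Integer(v, exception: false) || -2) >= -1 } }` on `inactive`. Anchoring with `\A`/`\z` matters here, since `^`/`$` match per line. Both properties are `desired_state: false`, so they are never compared against current state; a one-line comment on why (presumably the provider cannot read them back) would help the next maintainer.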
@@ -29,7 +29,6 @@ require "chef-utils/dist" unless defined?(ChefUtils::Dist)
|
|
29
29
|
class Chef
|
30
30
|
class Resource
|
31
31
|
class WindowsCertificate < Chef::Resource
|
32
|
-
unified_mode true
|
33
32
|
|
34
33
|
provides :windows_certificate
|
35
34
|
|
@@ -129,14 +128,14 @@ class Chef
|
|
129
128
|
end
|
130
129
|
|
131
130
|
action :delete, description: "Deletes a certificate." do
|
132
|
-
|
131
|
+
cert_is_valid = verify_cert
|
133
132
|
|
134
|
-
if
|
133
|
+
if cert_is_valid == true
|
135
134
|
converge_by("Deleting certificate #{new_resource.source} from Store #{new_resource.store_name}") do
|
136
135
|
delete_cert
|
137
136
|
end
|
138
137
|
else
|
139
|
-
Chef::Log.debug("Certificate
|
138
|
+
Chef::Log.debug("Certificate Not Found")
|
140
139
|
end
|
141
140
|
end
|
142
141
|
|
@@ -146,17 +145,25 @@ class Chef
|
|
146
145
|
end
|
147
146
|
|
148
147
|
if ::File.extname(new_resource.output_path) == ".pfx"
|
149
|
-
|
148
|
+
|
149
|
+
validated_thumbprint = validate_thumbprint(new_resource.source)
|
150
|
+
if validated_thumbprint != false # is the thumbprint valid
|
151
|
+
cert_obj = powershell_exec!(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_resource.output_path, password: new_resource.pfx_password ))
|
152
|
+
else
|
153
|
+
message = "While fetching the certificate, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
|
154
|
+
raise Chef::Exceptions::InvalidKeyAttribute, message
|
155
|
+
end
|
156
|
+
|
150
157
|
else
|
151
158
|
cert_obj = fetch_cert
|
152
159
|
end
|
153
160
|
|
154
|
-
if cert_obj
|
161
|
+
if cert_obj != false && cert_obj != "Certificate Not Found"
|
155
162
|
converge_by("Fetching certificate #{new_resource.source} from Store \\#{ps_cert_location}\\#{new_resource.store_name}") do
|
156
163
|
export_cert(cert_obj, output_path: new_resource.output_path, store_name: new_resource.store_name , store_location: ps_cert_location, pfx_password: new_resource.pfx_password)
|
157
164
|
end
|
158
165
|
else
|
159
|
-
Chef::Log.debug("Certificate
|
166
|
+
Chef::Log.debug("Certificate Not Found")
|
160
167
|
end
|
161
168
|
end
|
162
169
|
|
@@ -187,7 +194,7 @@ class Chef
|
|
187
194
|
|
188
195
|
def delete_cert
|
189
196
|
store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
|
190
|
-
store.delete(
|
197
|
+
store.delete(validate_thumbprint(new_resource.source))
|
191
198
|
end
|
192
199
|
|
193
200
|
def fetch_cert
|
@@ -196,17 +203,16 @@ class Chef
|
|
196
203
|
fetch_key
|
197
204
|
|
198
205
|
else
|
199
|
-
store.get(
|
206
|
+
store.get(validate_thumbprint(new_resource.source))
|
200
207
|
end
|
201
208
|
end
|
202
209
|
|
203
210
|
def fetch_key
|
204
211
|
require "openssl" unless defined?(OpenSSL)
|
205
212
|
file_name = ::File.basename(new_resource.output_path, ::File.extname(new_resource.output_path))
|
206
|
-
directory = ::File.dirname(new_resource.output_path)
|
207
213
|
pfx_file = file_name + ".pfx"
|
208
214
|
new_pfx_output_path = ::File.join(Chef::FileCache.create_cache_path("pfx_files"), pfx_file)
|
209
|
-
powershell_exec(pfx_ps_cmd(
|
215
|
+
powershell_exec(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_pfx_output_path, password: new_resource.pfx_password ))
|
210
216
|
pkcs12 = OpenSSL::PKCS12.new(::File.binread(new_pfx_output_path), new_resource.pfx_password)
|
211
217
|
f = ::File.open(new_resource.output_path, "w")
|
212
218
|
f.write(pkcs12.key.to_s)
|
@@ -245,10 +251,6 @@ class Chef
|
|
245
251
|
::File.file?(source)
|
246
252
|
end
|
247
253
|
|
248
|
-
def is_file?(source)
|
249
|
-
::File.file?(source)
|
250
|
-
end
|
251
|
-
|
252
254
|
# Thumbprints should be exactly 40 Hex characters
|
253
255
|
def valid_thumbprint?(string)
|
254
256
|
string.match?(/[0-9A-Fa-f]/) && string.length == 40
|
@@ -261,29 +263,29 @@ class Chef
|
|
261
263
|
GETTHUMBPRINTCODE
|
262
264
|
end
|
263
265
|
|
264
|
-
def
|
265
|
-
return
|
266
|
-
|
267
|
-
|
266
|
+
def validate_thumbprint(thumbprint)
|
267
|
+
# valid_thumbprint can return false under at least 2 conditions:
|
268
|
+
# one is that the thumbprint is in fact busted
|
269
|
+
# the second is that the thumbprint is valid but belongs to an expired certificate already installed
|
270
|
+
results = valid_thumbprint?(thumbprint)
|
271
|
+
results == true ? thumbprint : false
|
268
272
|
end
|
269
273
|
|
270
|
-
# Checks
|
271
|
-
# is
|
272
|
-
# If the certificate is not present, verify_cert returns a String: "Certificate not found"
|
273
|
-
# But if it is present but expired, it returns a Boolean: false
|
274
|
-
# Otherwise, it returns a Boolean: true
|
275
|
-
# updated this method to accept either a subject name or a thumbprint - 1/29/2021
|
276
|
-
|
274
|
+
# Checks to make sure whether the cert is found or not
|
275
|
+
# if it IS found, is it still valid - has it expired?
|
277
276
|
def verify_cert(thumbprint = new_resource.source)
|
278
277
|
store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
|
279
|
-
|
280
|
-
|
278
|
+
validated_thumbprint = validate_thumbprint(thumbprint)
|
279
|
+
if validated_thumbprint != false
|
280
|
+
result = store.valid?(thumbprint)
|
281
|
+
result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
|
281
282
|
else
|
282
|
-
|
283
|
+
message = "While verifying the certificate, was passed the following invalid certificate thumbprint : #{thumbprint}\n"
|
284
|
+
raise Chef::Exceptions::InvalidKeyAttribute, message
|
283
285
|
end
|
284
286
|
end
|
285
287
|
|
286
|
-
# this
|
288
|
+
# this structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores
|
287
289
|
# Secondly, we need to pass the proper constant name for each store to win32-certstore but also pass the short name to powershell scripts used here
|
288
290
|
def ps_cert_location
|
289
291
|
new_resource.user_store ? "CurrentUser" : "LocalMachine"
|
@@ -436,7 +438,7 @@ class Chef
|
|
436
438
|
end
|
437
439
|
|
438
440
|
def export_cert(cert_obj, output_path:, store_name:, store_location:, pfx_password:)
|
439
|
-
# Delete the cert if it exists
|
441
|
+
# Delete the cert if it exists on disk already.
|
440
442
|
# We want to ensure we're not randomly loading an old stinky cert.
|
441
443
|
if ::File.exists?(output_path)
|
442
444
|
::File.delete(output_path)
|
@@ -460,7 +462,20 @@ class Chef
|
|
460
462
|
cert_out = shell_out("openssl x509 -text -inform DER -in #{cert_obj} -outform CRT").stdout
|
461
463
|
out_file.puts(cert_out)
|
462
464
|
when ".pfx"
|
463
|
-
|
465
|
+
validated_thumbprint = validate_thumbprint(new_resource.source)
|
466
|
+
if validated_thumbprint != false # is the thumbprint valid
|
467
|
+
store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
|
468
|
+
result = store.valid?(new_resource.source) # is there a cert in the store matching that thumbprint
|
469
|
+
temp = result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
|
470
|
+
if temp == true
|
471
|
+
pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: store_location, store_name: store_name, output_path: output_path, password: pfx_password )
|
472
|
+
else
|
473
|
+
Chef::Log.debug("The requested certificate is not found or has expired")
|
474
|
+
end
|
475
|
+
else
|
476
|
+
message = "While exporting the pfx, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
|
477
|
+
raise Chef::Exceptions::InvalidKeyAttribute, message
|
478
|
+
end
|
464
479
|
when ".p7b"
|
465
480
|
cert_out = shell_out("openssl pkcs7 -export -nokeys -in #{cert_obj.to_pem} -outform P7B").stdout
|
466
481
|
out_file.puts(cert_out)
|
@@ -481,14 +496,11 @@ class Chef
|
|
481
496
|
#
|
482
497
|
def import_certificates(cert_objs, is_pfx, store_name: new_resource.store_name, store_location: native_cert_location)
|
483
498
|
[cert_objs].flatten.each do |cert_obj|
|
484
|
-
# thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
|
485
|
-
# pkcs = OpenSSL::PKCS12.new(cert_obj, new_resource.pfx_password)
|
486
|
-
# cert = OpenSSL::X509::Certificate.new(pkcs.certificate.to_pem)
|
487
499
|
thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
|
488
|
-
if
|
489
|
-
|
490
|
-
|
491
|
-
|
500
|
+
if verify_cert(thumbprint) == true
|
501
|
+
Chef::Log.debug("Certificate is already present")
|
502
|
+
elsif verify_cert(thumbprint) == false # Not found already in the CertStore
|
503
|
+
if is_pfx
|
492
504
|
if is_file?(new_resource.source)
|
493
505
|
converge_by("Creating a PFX #{new_resource.source} for Store #{new_resource.store_name}") do
|
494
506
|
add_pfx_cert(new_resource.source)
|
@@ -502,15 +514,14 @@ class Chef
|
|
502
514
|
message << exception.message
|
503
515
|
raise Chef::Exceptions::ArgumentError, message
|
504
516
|
end
|
505
|
-
end
|
506
|
-
else
|
507
|
-
if verify_cert(thumbprint) == true
|
508
|
-
Chef::Log.debug("Certificate is already present")
|
509
517
|
else
|
510
518
|
converge_by("Creating a certificate #{new_resource.source} for Store #{new_resource.store_name}") do
|
511
519
|
add_cert(cert_obj)
|
512
520
|
end
|
513
521
|
end
|
522
|
+
else
|
523
|
+
message = "Certificate could not be imported"
|
524
|
+
raise Chef::Exceptions::CertificateNotImportable, message
|
514
525
|
end
|
515
526
|
end
|
516
527
|
end
|