chef 17.10.163 → 18.0.169

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 28b7b51e00a854a7faa87d094e44b46b0ec68a7d0951de058acfcc6bd180ce82
-  data.tar.gz: 06f7cf2a6059778845b765f6f88855334d464002926b69b5303fbfae7162e9e7
+  metadata.gz: a87965b9d23cae217ee13ee9c4944a7558d55bfb6124eed4b09852305a4dc1c2
+  data.tar.gz: dfb528c686c6e0d708e2ce1610ed6e51f2a1b7e078548c472873bb15c942127d
 SHA512:
-  metadata.gz: dadfcf3a6ac945b7b3c901e9ae58e540f439bd62cab6ed229df02a29c0f43cf7a74fdd0411e91168e0455d714783792c6badf0655150d03e6a444a249d178702
-  data.tar.gz: aba33fe20cf50193f1326740170fb80c5989013721d67fdb95138fa4d7831072a672986f69392dfaa04ae008f5b635ad61077720e1f4c1cc9042c798e7aa47bb
+  metadata.gz: 66df75dfd9ed14186747c2f4f4f89abe73b1cd00d798a1e68ad4219a6694ac1aad5d05228c85d9af75b86bd14b30c5222342be69a6503ff44453192e0970e722
+  data.tar.gz: dcda678decee792fc8b144f846b3eb268c4e0aa619afbebd2b67c2ad3a71bb72ea3c0032f349060b461042cacc50eb1e27e5de00722f37e43274e1f89e627246

data/Gemfile

@@ -2,8 +2,12 @@ source "https://rubygems.org"
 
 gem "chef", path: "."
 
-gem "ohai", git: "https://github.com/chef/ohai.git", branch: "17-stable"
+gem "ohai", git: "https://github.com/chef/ohai.git", branch: "main"
 
+# Nwed to file a bug with rest-client. In the meantime, we can use this until they accept the update.
+gem "rest-client", git: "https://github.com/chef/rest-client", branch: "jfm/ucrt_update1"
+
+gem "ffi", ">= 1.15.5"
 gem "chef-utils", path: File.expand_path("chef-utils", __dir__) if File.exist?(File.expand_path("chef-utils", __dir__))
 gem "chef-config", path: File.expand_path("chef-config", __dir__) if File.exist?(File.expand_path("chef-config", __dir__))
 
@@ -15,36 +19,31 @@ else
   gem "chef-bin" # rubocop:disable Bundler/DuplicatedGem
 end
 
-gem "cheffish", "~> 17.0.0"
-
-gem "ast", "~> 2.4.2"
-gem "rubocop-ast", ">= 1.31.0"
-
-gem "rdoc", "~> 6.3.4" # 6.3.4.1 required for CVE-2024-27281, allow patch upgrades
-
-# Verify and macOS bring their own ruby setups are inconsistent with our OpenSSL configurations
-install_if -> { RUBY_PLATFORM !~ /darwin/ && ENV["BUILDKITE_PIPELINE_SLUG"] !~ /verify/ } do
-  gem "openssl", "= 3.2.0"
-end
+gem "cheffish", ">= 17"
 
 group(:omnibus_package) do
   gem "appbundler"
   gem "rb-readline"
-  gem "inspec-core-bin", "~> 5.22.40" # need to provide the binaries for inspec
+  gem "inspec-core-bin", ">= 5" # need to provide the binaries for inspec
   gem "chef-vault"
 end
 
 group(:omnibus_package, :pry) do
-  gem "pry", ">= 0.14.1"
+  # Locked because pry-byebug is broken with 13+.
+  # some work is ongoing? https://github.com/deivid-rodriguez/pry-byebug/issues/343
+  gem "pry", "= 0.13.0"
   # byebug does not install on freebsd on ruby 3.0
   gem "pry-byebug" unless RUBY_PLATFORM.match?(/freebsd/i)
   gem "pry-stack_explorer"
 end
 
+# proxifier gem is busted on ruby 3.1 and seems abandoned so use git fork of gem
+gem "proxifier", git: "https://github.com/chef/ruby-proxifier", branch: "lcg/ruby-3"
+
 # Everything except AIX and Windows
 group(:ruby_shadow) do
   # if ruby-shadow does a release that supports ruby-3.0 this can be removed
-  gem "ruby-shadow", git: "https://github.com/chef/ruby-shadow", branch: "lcg/ruby-3.0", platforms: :ruby
+  gem "ruby-shadow", git: "https://github.com/chef/ruby-shadow", branch: "lcg/ruby-3.0", platforms: :ruby unless RUBY_PLATFORM == "x64-mingw-ucrt"
 end
 
 # deps that cannot be put in the knife gem because they require a compiler and fail on windows nodes
@@ -56,14 +55,14 @@ group(:development, :test) do
   gem "rake"
   gem "rspec"
   gem "webmock"
-  gem "crack", "< 0.4.6" # due to https://github.com/jnunemaker/crack/pull/75
   gem "fauxhai-ng" # for chef-utils gem
 end
 
-group(:chefstyle) do
-  # for testing new chefstyle rules
-  gem "chefstyle", git: "https://github.com/chef/chefstyle.git", branch: "main"
-end
+gem "chefstyle"
+# group(:chefstyle) do
+#   # for testing new chefstyle rules
+#   gem "chefstyle", git: "https://github.com/chef/chefstyle.git", branch: "main"
+# end
 
 instance_eval(ENV["GEMFILE_MOD"]) if ENV["GEMFILE_MOD"]
 

data/README.md

@@ -1,16 +1,16 @@
 # Chef Infra
 [![Code Climate](https://codeclimate.com/github/chef/chef.svg)](https://codeclimate.com/github/chef/chef)
-[![Build Status](https://badge.buildkite.com/c82093430ceec7d27af05febb9dcafe3aa331fff9d74c0ab9d.svg?branch=chef-17)](https://buildkite.com/chef-oss/chef-chef-chef-17-verify)
+[![Build Status](https://badge.buildkite.com/c82093430ceec7d27af05febb9dcafe3aa331fff9d74c0ab9d.svg?branch=main)](https://buildkite.com/chef-oss/chef-chef-main-verify)
 [![Gem Version](https://badge.fury.io/rb/chef.svg)](https://badge.fury.io/rb/chef)
-[![](https://img.shields.io/badge/Release%20Policy-Cadence%20Release-brightgreen.svg)](https://github.com/chef/chef/blob/master/docs/dev/design_documents/client_release_cadence.md)
+[![](https://img.shields.io/badge/Release%20Policy-Cadence%20Release-brightgreen.svg)](https://github.com/chef/chef/blob/main/docs/dev/design_documents/client_release_cadence.md)
 
-**Umbrella Project**: [Chef Infra](https://github.com/chef/chef-oss-practices/blob/master/projects/chef-infra.md)
+**Umbrella Project**: [Chef Infra](https://github.com/chef/chef-oss-practices/blob/main/projects/chef-infra.md)
 
-**Project State**: [Active](https://github.com/chef/chef-oss-practices/blob/master/repo-management/repo-states.md#active)
+**Project State**: [Active](https://github.com/chef/chef-oss-practices/blob/main/repo-management/repo-states.md#active)
 
-**Issues [Response Time Maximum](https://github.com/chef/chef-oss-practices/blob/master/repo-management/repo-states.md)**: 14 days
+**Issues [Response Time Maximum](https://github.com/chef/chef-oss-practices/blob/main/repo-management/repo-states.md)**: 14 days
 
-**Pull Request [Response Time Maximum](https://github.com/chef/chef-oss-practices/blob/master/repo-management/repo-states.md)**: 14 days
+**Pull Request [Response Time Maximum](https://github.com/chef/chef-oss-practices/blob/main/repo-management/repo-states.md)**: 14 days
 
 ## Getting Started
 
@@ -23,7 +23,7 @@ For Chef Infra usage, please refer to [Learn Chef](https://learn.chef.io/), our
 Other useful resources for Chef Infra users:
 
 - Documentation: <https://docs.chef.io/>
-- Source: <https://github.com/chef/chef/tree/master>
+- Source: <https://github.com/chef/chef/tree/main>
 - Tickets/Issues: <https://github.com/chef/chef/issues>
 - Slack: [Chef Community Slack](https://community-slack.chef.io/)
 - Mailing list/Forum: <https://discourse.chef.io>

data/Rakefile

@@ -40,7 +40,7 @@ namespace :pre_install do
     %w{chef-utils chef-config}.each do |gem|
       path = ::File.join(::File.dirname(__FILE__), gem)
       Dir.chdir(path) do
-        sh("rake install")
+        system "rake install"
       end
     end
   end
@@ -61,9 +61,9 @@ end
 
 # hack in all the preinstall tasks to occur before the traditional install task
 task install: "pre_install:all"
-
 # make sure we build the correct gemspec on windows
-gemspec = Gem.win_platform? ? "chef-universal-mingw32" : "chef"
+gemspec = Gem.win_platform? ? "chef-universal-mingw-ucrt" : "chef"
+
 Bundler::GemHelper.install_tasks name: gemspec
 
 # this gets appended to the normal bundler install helper
@@ -99,25 +99,6 @@ task :register_eventlog do
   end
 end
 
-desc "Copies powershell_exec related binaries from the latest built Habitat Packages"
-task :update_chef_exec_dll do
-  raise "This task must be run on Windows since we are installing a Windows targeted package!" unless Gem.win_platform?
-
-  require "mkmf"
-  raise "Unable to locate Habitat cli. Please install Habitat cli before invoking this task!" unless find_executable "hab"
-
-  sh("hab pkg install chef/chef-powershell-shim")
-  sh("hab pkg install chef/chef-powershell-shim-x86")
-  x64 = `hab pkg path chef/chef-powershell-shim`.chomp.tr("\\", "/")
-  x86 = `hab pkg path chef/chef-powershell-shim-x86`.chomp.tr("\\", "/")
-  FileUtils.rm_rf(Dir["distro/ruby_bin_folder/AMD64/*"])
-  FileUtils.rm_rf(Dir["distro/ruby_bin_folder/x86/*"])
-  puts "Copying #{x64}/bin/* to distro/ruby_bin_folder/AMD64"
-  FileUtils.cp_r(Dir["#{x64}/bin/*"], "distro/ruby_bin_folder/AMD64")
-  puts "Copying #{x86}/bin/* to distro/ruby_bin_folder/x86"
-  FileUtils.cp_r(Dir["#{x86}/bin/*"], "distro/ruby_bin_folder/x86")
-end
-
 begin
   require "chefstyle"
   require "rubocop/rake_task"

data/{chef-universal-mingw32.gemspec → chef-universal-mingw-ucrt.gemspec}

@@ -1,8 +1,8 @@
-gemspec = eval(IO.read(File.expand_path("chef.gemspec", __dir__)))
+gemspec = instance_eval(File.read(File.expand_path("chef.gemspec", __dir__)))
 
-gemspec.platform = Gem::Platform.new(%w{universal mingw32})
+gemspec.platform = Gem::Platform.new(%w{x64-mingw-ucrt})
 
-gemspec.add_dependency "win32-api", "~> 1.5.3"
+gemspec.add_dependency "win32-api", "~> 1.10.0"
 gemspec.add_dependency "win32-event", "~> 0.6.1"
 # TODO: Relax this pin and make the necessary updaets. The issue originally
 # leading to this pin has been fixed in 0.6.5.
@@ -11,12 +11,13 @@ gemspec.add_dependency "win32-mmap", "~> 0.4.1"
 gemspec.add_dependency "win32-mutex", "~> 0.4.2"
 gemspec.add_dependency "win32-process", "~> 0.9"
 gemspec.add_dependency "win32-service", ">= 2.1.5", "< 3.0"
-gemspec.add_dependency "win32-taskscheduler", "~> 2.0"
-gemspec.add_dependency "win32-certstore", "~> 0.6.15"
 gemspec.add_dependency "wmi-lite", "~> 1.0"
+gemspec.add_dependency "win32-taskscheduler", "~> 2.0"
 gemspec.add_dependency "iso8601", ">= 0.12.1", "< 0.14" # validate 0.14 when it comes out
-gemspec.add_dependency "chef-powershell" , "~> 18.1.0"
+gemspec.add_dependency "win32-certstore", "~> 0.6.15" # 0.5+ required for specifying user vs. system store
+gemspec.add_dependency "chef-powershell", "~> 1.0.12" # The guts of the powershell_exec code have been moved to its own gem, chef-powershell. It's part of the chef-powershell-shim repo.
+
 gemspec.extensions << "ext/win32-eventlog/Rakefile"
 gemspec.files += Dir.glob("{distro,ext}/**/*")
 
-gemspec
+gemspec

data/chef.gemspec

@@ -22,12 +22,17 @@ Gem::Specification.new do |s|
   s.email = "adam@chef.io"
   s.homepage = "https://www.chef.io"
 
-  s.required_ruby_version = ">= 3.0.0"
+  if RUBY_PLATFORM =~ /aix/
+    s.required_ruby_version = ">= 3.0.3"
+  else
+    s.required_ruby_version = ">= 3.1.0"
+  end
 
   s.add_dependency "chef-config", "= #{Chef::VERSION}"
   s.add_dependency "chef-utils", "= #{Chef::VERSION}"
-  s.add_dependency "train-core", "~> 3.10", "< 3.12.5"
+  s.add_dependency "train-core", "~> 3.10", ">= 3.2.28" # 3.2.28 fixes sudo prompts. See https://github.com/chef/chef/pull/9635
   s.add_dependency "train-winrm", ">= 0.2.5"
+  s.add_dependency "train-rest", ">= 0.4.1" # target mode with rest APIs
 
   s.add_dependency "license-acceptance", ">= 1.0.5", "< 3"
   s.add_dependency "mixlib-cli", ">= 2.1.1", "< 3.0"
@@ -35,12 +40,13 @@ Gem::Specification.new do |s|
   s.add_dependency "mixlib-authentication", ">= 2.1", "< 4"
   s.add_dependency "mixlib-shellout", ">= 3.1.1", "< 4.0"
   s.add_dependency "mixlib-archive", ">= 0.4", "< 2.0"
-  s.add_dependency "ohai", "~> 17.9"
-  s.add_dependency "inspec-core", "~> 5.22.40"
+  s.add_dependency "ohai", "~> 18.0"
+  s.add_dependency "inspec-core", ">= 5"
 
-  s.add_dependency "ffi", "~> 1.15.5"
-  s.add_dependency "ffi-yajl", ">= 2.2", "< 4.0"
-  s.add_dependency "net-sftp", ">= 2.1.2", "< 5.0" # remote_file resource
+  s.add_dependency "ffi", ">= 1.15.5"
+  s.add_dependency "ffi-yajl", "~> 2.2"
+  s.add_dependency "net-sftp", ">= 2.1.2", "< 4.0" # remote_file resource
+  s.add_dependency "net-ftp" # remote_file resource
   s.add_dependency "erubis", "~> 2.7" # template resource / cookbook syntax check
   s.add_dependency "diff-lcs", ">= 1.2.4", "!= 1.4.0", "< 1.6.0" # 1.4 breaks output. Used in lib/chef/util/diff
   s.add_dependency "ffi-libarchive", "~> 1.0", ">= 1.0.3" # archive_file resource
@@ -52,21 +58,17 @@ Gem::Specification.new do |s|
   s.add_dependency "addressable"
   s.add_dependency "syslog-logger", "~> 1.6"
   s.add_dependency "uuidtools", ">= 2.1.5", "< 3.0" # osx_profile resource
+  s.add_dependency "unf_ext", ">= 0.0.8.2" # This is ruby31 compatible ucrt gem version
   s.add_dependency "corefoundation", "~> 0.3.4" # macos_userdefaults resource
 
-  s.add_dependency "proxifier2", "~> 1.1"
+  s.add_dependency "proxifier", "~> 1.0"
 
   s.add_dependency "aws-sdk-s3", "~> 1.91" # s3 recipe-url support
   s.add_dependency "aws-sdk-secretsmanager", "~> 1.46"
-  s.add_dependency "vault", "~> 0.18.2" # hashi vault official client gem
+  s.add_dependency "vault", "~> 0.16" # hashi vault official client gem
   s.bindir       = "bin"
   s.executables  = %w{ }
 
-  if RUBY_VERSION.match?("3.0.0")
-    # Ruby 3.0.0 on Fedora specifically makes trouble
-    s.add_dependency "uri", "= 0.10.1"
-  end
-
   s.require_paths = %w{ lib }
   s.files = %w{Gemfile Rakefile LICENSE README.md} +
     Dir.glob("{lib,spec}/**/*", File::FNM_DOTMATCH).reject { |f| File.directory?(f) } +
@@ -75,7 +77,7 @@ Gem::Specification.new do |s|
 
   s.metadata = {
     "bug_tracker_uri"   => "https://github.com/chef/chef/issues",
-    "changelog_uri"     => "https://github.com/chef/chef/blob/master/CHANGELOG.md",
+    "changelog_uri"     => "https://github.com/chef/chef/blob/main/CHANGELOG.md",
     "documentation_uri" => "https://docs.chef.io/",
     "homepage_uri"      => "https://www.chef.io",
     "mailing_list_uri"  => "https://discourse.chef.io/",

data/lib/chef/api_client_v1.rb

@@ -64,6 +64,10 @@ class Chef
       @chef_rest_v1 ||= Chef::ServerAPI.new(Chef::Config[:chef_server_url], { api_version: "1", inflate_json_class: false })
     end
 
+    def chef_rest_v1_with_validator
+      @chef_rest_v1_with_validator ||= Chef::ServerAPI.new(Chef::Config[:chef_server_url], { client_name: Chef::Config[:validation_client_name], signing_key_filename: Chef::Config[:validation_key], api_version: "1", inflate_json_class: false })
+    end
+
     def self.http_api
       Chef::ServerAPI.new(Chef::Config[:chef_server_url], { api_version: "1", inflate_json_class: false })
     end
@@ -293,7 +297,11 @@ class Chef
         payload[:public_key] = public_key unless public_key.nil?
         payload[:create_key] = create_key unless create_key.nil?
 
-        new_client = chef_rest_v1.post("clients", payload)
+        new_client = if Chef::Config[:migrate_key_to_keystore] == true
+                       chef_rest_v1_with_validator.post("clients", payload)
+                     else
+                       chef_rest_v1.post("clients", payload)
+                     end
 
         # get the private_key out of the chef_key hash if it exists
         if new_client["chef_key"]

data/lib/chef/application/exit_code.rb

@@ -19,8 +19,8 @@
 class Chef
   class Application
 
-    # These are the exit codes defined in Chef RFC 062
-    # https://github.com/chef/chef-rfc/blob/master/rfc062-exit-status.md
+    # These are the exit codes defined in the exit codes design document
+    # https://github.com/chef/chef/blob/main/docs/dev/design_documents/client_exit_codes.md
     class ExitCode
       require "chef-utils/dist" unless defined?(ChefUtils::Dist)
 
@@ -140,7 +140,7 @@ class Chef
 
         def non_standard_exit_code_warning(exit_code)
           "#{ChefUtils::Dist::Infra::CLIENT} attempted to exit with a non-standard exit code of #{exit_code}." \
-          " The #{ChefUtils::Dist::Infra::PRODUCT} Exit Codes design document (https://github.com/chef/chef-rfc/blob/master/rfc062-exit-status.md)" \
+          " The #{ChefUtils::Dist::Infra::PRODUCT} Exit Codes design document (https://github.com/chef/chef/blob/main/docs/dev/design_documents/client_exit_codes.md)" \
           " defines the exit codes that should be used with #{ChefUtils::Dist::Infra::CLIENT}. Chef::Application::ExitCode defines"  \
           " valid exit codes Non-standard exit codes are redefined as GENERIC_FAILURE."
         end

data/lib/chef/client.rb

@@ -64,6 +64,10 @@ class Chef
   # The main object in a Chef run. Preps a Chef::Node and Chef::RunContext,
   # syncs cookbooks if necessary, and triggers convergence.
   class Client
+    CRYPT_EXPORTABLE = 0x00000001
+
+    attr_reader :local_context
+
     extend Chef::Mixin::Deprecation
 
     extend Forwardable
@@ -292,6 +296,8 @@ class Chef
         # keep this inside the main loop to get exception backtraces
         end_profiling
 
+        warn_if_eol
+
         # rebooting has to be the last thing we do, no exceptions.
         Chef::Platform::Rebooter.reboot_if_needed!(node)
       rescue Exception => run_error
@@ -320,6 +326,19 @@ class Chef
     # @todo make this stuff protected or private
     #
 
+    # @api private
+    def warn_if_eol
+      require_relative "version"
+
+      # We make a release every year so take the version you're on + 2006 and you get
+      # the year it goes EOL
+      eol_year = 2006 + Gem::Version.new(Chef::VERSION).segments.first
+
+      if Time.now > Time.new(eol_year, 5, 01)
+        logger.warn("This release of #{ChefUtils::Dist::Infra::PRODUCT} became end of life (EOL) on May 1st #{eol_year}. Please update to a supported release to receive new features, bug fixes, and security updates.")
+      end
+    end
+
     # @api private
     def configure_formatters
       formatters_for_run.map do |formatter_name, output_path|
@@ -625,6 +644,16 @@ class Chef
       if !config[:client_key]
         events.skipping_registration(client_name, config)
         logger.trace("Client key is unspecified - skipping registration")
+      elsif ::Chef::Config[:migrate_key_to_keystore] == true && ChefUtils.windows?
+        cert_name = "chef-#{client_name}"
+        result = check_certstore_for_key(cert_name)
+        if result.rassoc("#{cert_name}")
+          logger.trace("Client key #{config[:client_key]} is present in Certificate Store - skipping registration")
+        else
+          create_new_key_and_register(cert_name)
+          logger.trace("New client keys created in the Certificate Store - skipping registration")
+        end
+        events.skipping_registration(client_name, config)
       elsif File.exists?(config[:client_key])
         events.skipping_registration(client_name, config)
         logger.trace("Client key #{config[:client_key]} is present - skipping registration")
@@ -643,6 +672,158 @@ class Chef
       raise
     end
 
+    # In the brave new world of No Certs On Disk, we want to put the pem file into Keychain or the Certstore
+    # But is it already there?
+    def check_certstore_for_key(cert_name)
+      require "win32-certstore"
+      win32certstore = ::Win32::Certstore.open("MY")
+      win32certstore.search("#{cert_name}")
+    end
+
+    def generate_pfx_package(cert_name, date)
+      self.class.generate_pfx_package(cert_name, date)
+    end
+
+    def self.generate_pfx_package(cert_name, date)
+      require "openssl" unless defined?(OpenSSL)
+
+      key = OpenSSL::PKey::RSA.new(2048)
+      public_key = key.public_key
+
+      subject = "CN=#{cert_name}"
+
+      cert = OpenSSL::X509::Certificate.new
+      cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
+      cert.not_before = Time.now
+      cert.not_after = Time.parse(date)
+      cert.public_key = public_key
+      cert.serial = 0x0
+      cert.version = 2
+
+      ef = OpenSSL::X509::ExtensionFactory.new
+      ef.subject_certificate = cert
+      ef.issuer_certificate = cert
+      cert.extensions = [
+        ef.create_extension("subjectKeyIdentifier", "hash"),
+        ef.create_extension("keyUsage", "digitalSignature,keyEncipherment", true),
+      ]
+      cert.add_extension(ef.create_ext_from_string("extendedKeyUsage=critical,serverAuth,clientAuth"))
+
+      cert.sign key, OpenSSL::Digest.new("SHA256")
+      password = ::Chef::HTTP::Authenticator.get_cert_password
+      pfx = OpenSSL::PKCS12.create(password, subject, key, cert)
+      pfx
+    end
+
+    def update_key_and_register(cert_name)
+      self.class.update_key_and_register(cert_name)
+    end
+
+    def self.update_key_and_register(cert_name, expiring_cert = nil)
+      # Chef client and node objects exist on Chef Server already
+      # Create a new public/private keypair in secure storage
+      # and register the new public cert with Chef Server
+      require "time" unless defined?(Time)
+      autoload :URI, "uri"
+
+      node = Chef::Config[:node_name]
+      end_date = Time.new + (3600 * 24 * 90)
+      end_date = end_date.utc.iso8601
+
+      new_cert_name = Time.now.utc.iso8601
+      payload = {
+        name: new_cert_name,
+        clientname: node,
+        public_key: "",
+        expiration_date: end_date,
+      }
+
+      new_pfx = generate_pfx_package(cert_name, end_date)
+      payload[:public_key] = new_pfx.certificate.public_key.to_pem
+      base_url = "#{Chef::Config[:chef_server_url]}"
+
+      @tmpdir = Dir.mktmpdir
+      file_path = File.join(@tmpdir, "#{node}.pem")
+
+      # The pfx files expire every 90 days.
+      # We check them in /http/authenticator to see if they are expiring when we extract the private key
+      # If they are, we come here to update Chef Server with a new public key
+      if expiring_cert
+        File.open(file_path, "w") { |f| f.write expiring_cert.key.to_pem }
+        signing_cert = file_path
+        client = Chef::ServerAPI.new(base_url, client_name: Chef::Config[:node_name], signing_key_filename: signing_cert )
+        File.delete(file_path)
+      else
+        client = Chef::ServerAPI.new(base_url, client_name: Chef::Config[:node_name], signing_key_filename: Chef::Config[:client_key] )
+      end
+
+      # Get the list of keys for this client
+      # Then add the new key we just created
+      # Then we delete the old one.
+      cert_list = client.get(base_url + "/clients/#{node}/keys")
+      client.post(base_url + "/clients/#{node}/keys", payload)
+
+      # We want to remove the old key for various reasons
+      # In the case where more than 1 certificate is returned we assume
+      # there is some special condition applied to the client so we won't delete the old
+      # certificates
+      if cert_list.count < 2
+        cert_hash = cert_list.reduce({}, :merge!)
+        old_cert_name = cert_hash["name"]
+        new_key = new_pfx.key.to_pem
+        File.open(file_path, "w") { |f| f.write new_key }
+        client = Chef::ServerAPI.new(base_url, client_name: Chef::Config[:node_name], signing_key_filename: file_path)
+        client.delete(base_url + "/clients/#{node}/keys/#{old_cert_name}")
+        File.delete(file_path)
+      end
+      import_pfx_to_store(new_pfx)
+    end
+
+    def create_new_key_and_register(cert_name)
+      require "time" unless defined?(Time)
+      autoload :URI, "uri"
+
+      # KeyMigration.instance.key_migrated = true
+
+      node = Chef::Config[:node_name]
+      d = Time.now
+      if d.month == 10 || d.month == 11 || d.month == 12
+        end_date = Time.new(d.year + 1, d.month - 9, d.day, d.hour, d.min, d.sec).utc.iso8601
+      else
+        end_date = Time.new(d.year, d.month + 3, d.day, d.hour, d.min, d.sec).utc.iso8601
+      end
+
+      payload = {
+        name: node,
+        clientname: node,
+        public_key: "",
+        expiration_date: end_date,
+      }
+
+      new_pfx = generate_pfx_package(cert_name, end_date)
+      payload[:public_key] = new_pfx.certificate.public_key.to_pem
+      base_url = "#{Chef::Config[:chef_server_url]}"
+      client = Chef::ServerAPI.new(base_url, client_name: Chef::Config[:validation_client_name], signing_key_filename: Chef::Config[:validation_key])
+      client.post(base_url + "/clients", payload)
+      Chef::Log.trace("Updated client data: #{client.inspect}")
+      import_pfx_to_store(new_pfx)
+    end
+
+    def import_pfx_to_store(new_pfx)
+      self.class.import_pfx_to_store(new_pfx)
+    end
+
+    def self.import_pfx_to_store(new_pfx)
+      password = ::Chef::HTTP::Authenticator.get_cert_password
+      require "win32-certstore"
+      tempfile = Tempfile.new("#{Chef::Config[:node_name]}.pfx")
+      File.open(tempfile, "wb") { |f| f.print new_pfx.to_der }
+
+      store = ::Win32::Certstore.open("MY")
+      store.add_pfx(tempfile, password, CRYPT_EXPORTABLE)
+      tempfile.unlink
+    end
+
     #
     # Converges all compiled resources.
     #
@@ -907,3 +1088,4 @@ end
 require_relative "cookbook_loader"
 require_relative "cookbook_version"
 require_relative "cookbook/synchronizer"
+

data/lib/chef/compliance/input.rb

@@ -101,7 +101,7 @@ class Chef
       # and cookbook_name are required this is probably not externally useful.
       #
       def self.from_yaml(events, string, path = nil, cookbook_name = nil)
-        from_hash(events, YAML.load(string), path, cookbook_name)
+        from_hash(events, YAML.safe_load(string, permitted_classes: [Date]), path, cookbook_name)
       end
 
       # @param filename [String] full path to the yml file in the cookbook

data/lib/chef/compliance/profile.rb

@@ -108,7 +108,7 @@ class Chef
       # and cookbook_name are required this is probably not externally useful.
       #
       def self.from_yaml(events, string, path, cookbook_name)
-        from_hash(events, YAML.load(string), path, cookbook_name)
+        from_hash(events, YAML.safe_load(string, permitted_classes: [Date]), path, cookbook_name)
       end
 
       # @param filename [String] full path to the inspec.yml file in the cookbook

data/lib/chef/compliance/profile_collection.rb

@@ -45,7 +45,6 @@ class Chef
       end
 
       # @return [Boolean] if any of the profiles are enabled
-      #
       def using_profiles?
         any?(&:enabled?)
       end

data/lib/chef/compliance/waiver.rb

@@ -101,7 +101,7 @@ class Chef
       # and cookbook_name are required this is probably not externally useful.
       #
       def self.from_yaml(events, string, path = nil, cookbook_name = nil)
-        from_hash(events, YAML.load(string), path, cookbook_name)
+        from_hash(events, YAML.safe_load(string, permitted_classes: [Date]), path, cookbook_name)
       end
 
       # @param filename [String] full path to the yml file in the cookbook

data/lib/chef/cookbook/syntax_check.rb

@@ -248,8 +248,8 @@ class Chef
       # Debugs ruby syntax errors by printing the path to the file and any
       # diagnostic info given in +error_message+
       def invalid_ruby_file(ruby_file, error_message)
-        file_relative_path = ruby_file[/^#{Regexp.escape(cookbook_path + File::Separator)}(.*)/, 1]
-        Chef::Log.fatal("Cookbook file #{file_relative_path} has a ruby syntax error:")
+        file_relative_path = ruby_file[ruby_file.index(cookbook_path.split("/").last), ruby_file.length]
+        Chef::Log.fatal("Cookbook file #{file_relative_path} has a ruby syntax error.")
         error_message.each_line { |l| Chef::Log.fatal(l.chomp) }
         false
       end

data/lib/chef/dsl/reader_helpers.rb

@@ -42,7 +42,7 @@ class Chef
       end
 
       def parse_yaml(filename)
-        YAML.load(IO.read(filename))
+        YAML.safe_load_file(filename, permitted_classes: [Date])
       end
 
       extend self