chef 17.10.163 → 18.0.169

data/lib/chef/dsl/rest_resource.rb

@@ -0,0 +1,77 @@
+#
+# Copyright:: Copyright 2008-2016, Chef, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "chef/constants" unless defined?(NOT_PASSED)
+
+class Chef
+  module DSL
+    module RestResource
+      def rest_property_map(rest_property_map = NOT_PASSED)
+        if rest_property_map != NOT_PASSED
+          rest_property_map = rest_property_map.to_h { |k| [k.to_sym, k] } if rest_property_map.is_a? Array
+
+          @rest_property_map = rest_property_map
+        end
+        @rest_property_map
+      end
+
+      # URL to collection
+      def rest_api_collection(rest_api_collection = NOT_PASSED)
+        if rest_api_collection != NOT_PASSED
+          raise ArgumentError, "You must pass an absolute path to rest_api_collection" unless rest_api_collection.start_with? "/"
+
+          @rest_api_collection = rest_api_collection
+        end
+
+        @rest_api_collection
+      end
+
+      # RFC6570-Templated URL to document
+      def rest_api_document(rest_api_document = NOT_PASSED, first_element_only: false)
+        if rest_api_document != NOT_PASSED
+          raise ArgumentError, "You must pass an absolute path to rest_api_document" unless rest_api_document.start_with? "/"
+
+          @rest_api_document = rest_api_document
+          @rest_api_document_first_element_only = first_element_only
+        end
+        @rest_api_document
+      end
+
+      # Explicit REST document identity mapping
+      def rest_identity_map(rest_identity_map = NOT_PASSED)
+        @rest_identity_map = rest_identity_map if rest_identity_map != NOT_PASSED
+        @rest_identity_map
+      end
+
+      # Mark up properties for POST only, not PATCH/PUT
+      def rest_post_only_properties(rest_post_only_properties = NOT_PASSED)
+        if rest_post_only_properties != NOT_PASSED
+          @rest_post_only_properties = Array(rest_post_only_properties).map(&:to_sym)
+        end
+        @rest_post_only_properties || []
+      end
+
+      def rest_api_document_first_element_only(rest_api_document_first_element_only = NOT_PASSED)
+        if rest_api_document_first_element_only != NOT_PASSED
+          @rest_api_document_first_element_only = rest_api_document_first_element_only
+        end
+        @rest_api_document_first_element_only
+      end
+
+    end
+  end
+end

data/lib/chef/event_dispatch/base.rb

@@ -273,6 +273,9 @@ class Chef
       # Called if the converge phase fails
       def converge_failed(exception); end
 
+      # Called when migrating from a pem on disk to a pem stored in Keychain or Windows Certstore
+      def key_migration_status(key_migrated = false); end
+
       # TODO: need events for notification resolve?
       # def notifications_resolved
       # end

data/lib/chef/exceptions.rb

@@ -561,5 +561,13 @@ class Chef
         super "before subscription from #{notification.resource} resource cannot be setup to #{notification.notifying_resource} resource, which has already fired while in unified mode"
       end
     end
+
+    class RestError < RuntimeError; end
+
+    class RestTargetError < RestError; end
+
+    class RestTimeout < RestError; end
+
+    class RestOperationFailed < RestError; end
   end
 end

data/lib/chef/http/authenticator.rb

@@ -16,16 +16,19 @@
 # limitations under the License.
 #
 
+require "chef/mixin/powershell_exec"
 require_relative "auth_credentials"
 require_relative "../exceptions"
+require_relative "../win32/registry"
 autoload :OpenSSL, "openssl"
 
 class Chef
   class HTTP
     class Authenticator
-
       DEFAULT_SERVER_API_VERSION = "2".freeze
 
+      extend Chef::Mixin::PowershellExec
+
       attr_reader :signing_key_filename
       attr_reader :raw_key
       attr_reader :attr_names
@@ -83,13 +86,69 @@ class Chef
         @auth_credentials.client_name
       end
 
+      def detect_certificate_key(client_name)
+        self.class.detect_certificate_key(client_name)
+      end
+
+      def check_certstore_for_key(client_name)
+        self.class.check_certstore_for_key(client_name)
+      end
+
+      def retrieve_certificate_key(client_name)
+        self.class.retrieve_certificate_key(client_name)
+      end
+
+      def get_cert_password
+        self.class.get_cert_password
+      end
+
+      def encrypt_pfx_pass
+        self.class.encrypt_pfx_pass
+      end
+
+      def decrypt_pfx_pass
+        self.class.decrypt_pfx_pass
+      end
+
+      # Detects if a private key exists in a certificate repository like Keychain (macOS) or Certificate Store (Windows)
+      #
+      # @param client_name - we're using the node name to store and retrieve any keys
+      # Returns true if a key is found, false if not. False will trigger a registration event which will lead to a certificate based key being created
+      #
+      def self.detect_certificate_key(client_name)
+        if ChefUtils.windows?
+          check_certstore_for_key(client_name)
+        else # generic return for Mac and LInux clients
+          false
+        end
+      end
+
+      def self.check_certstore_for_key(client_name)
+        powershell_code = <<~CODE
+          $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force  | Where-Object { $_.Subject -Match "chef-#{client_name}" } -ErrorAction Stop
+          if (($cert.HasPrivateKey -eq $true) -and ($cert.PrivateKey.Key.ExportPolicy -ne "NonExportable")) {
+            return $true
+          }
+          else{
+            return $false
+          }
+        CODE
+        powershell_exec!(powershell_code).result
+      end
+
       def load_signing_key(key_file, raw_key = nil)
-        if !!key_file
+        results = retrieve_certificate_key(Chef::Config[:node_name])
+
+        if !!results
+          @raw_key = results
+        elsif key_file == nil? && raw_key == nil?
+          puts "\nNo key detected\n"
+        elsif !!key_file
           @raw_key = IO.read(key_file).strip
         elsif !!raw_key
           @raw_key = raw_key.strip
         else
-          return nil
+          return
         end
         # Pass in '' as the passphrase to avoid OpenSSL prompting on the TTY if
         # given an encrypted key. This also helps if using a single file for
@@ -104,6 +163,114 @@ class Chef
         raise Chef::Exceptions::InvalidPrivateKey, msg
       end
 
+      def self.get_cert_password
+        @win32registry = Chef::Win32::Registry.new
+        path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+        # does the registry key even exist?
+        present = @win32registry.get_values(path)
+        if present.nil? || present.empty?
+          raise Chef::Exceptions::Win32RegKeyMissing
+        end
+
+        present.each do |secret|
+          if secret[:name] == "PfxPass"
+            password = decrypt_pfx_pass(secret[:data])
+            return password
+          end
+        end
+
+        raise Chef::Exceptions::Win32RegKeyMissing
+
+      rescue Chef::Exceptions::Win32RegKeyMissing
+        # if we don't have a password, log that and generate one
+        Chef::Log.warn "Authentication Hive and values not present in registry, creating them now"
+        new_path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+        unless @win32registry.key_exists?(new_path)
+          @win32registry.create_key(new_path, true)
+        end
+        require "securerandom" unless defined?(SecureRandom)
+        size = 14
+        password = SecureRandom.alphanumeric(size)
+        encrypted_pass = encrypt_pfx_pass(password)
+        values = { name: "PfxPass", type: :string, data: encrypted_pass }
+        @win32registry.set_value(new_path, values)
+        password
+      end
+
+      def self.encrypt_pfx_pass(password)
+        powershell_code = <<~CODE
+          $encrypted_string = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+          $secure_string = ConvertFrom-SecureString $encrypted_string
+          return $secure_string
+        CODE
+        powershell_exec!(powershell_code).result
+      end
+
+      def self.decrypt_pfx_pass(password)
+        powershell_code = <<~CODE
+          $secure_string = "#{password}" | ConvertTo-SecureString
+          $string = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((($secure_string))))
+          return $string
+        CODE
+        powershell_exec!(powershell_code).result
+      end
+
+      def self.retrieve_certificate_key(client_name)
+        require "openssl" unless defined?(OpenSSL)
+
+        if ChefUtils.windows?
+          password = get_cert_password
+          return false unless password
+
+          if check_certstore_for_key(client_name)
+            ps_blob = powershell_exec!(get_the_key_ps(client_name, password)).result
+            file_path = ps_blob["PSPath"].split("::")[1]
+            pkcs = OpenSSL::PKCS12.new(File.binread(file_path), password)
+
+            # We check the pfx we just extracted the private key from
+            # if that cert is expiring in 7 days or less we generate a new pfx/p12 object
+            # then we post the new public key from that to the client endpoint on
+            # chef server.
+            File.delete(file_path)
+            key_expiring = is_certificate_expiring?(pkcs)
+            if key_expiring
+              powershell_exec!(delete_old_key_ps(client_name))
+              ::Chef::Client.update_key_and_register(Chef::Config[:client_name], pkcs)
+            end
+
+            return pkcs.key.private_to_pem
+          end
+        end
+
+        false
+      end
+
+      def self.is_certificate_expiring?(pkcs)
+        today = Date.parse(Time.now.utc.iso8601)
+        future = Date.parse(pkcs.certificate.not_after.iso8601)
+        future.mjd - today.mjd <= 7
+      end
+
+      def self.get_the_key_ps(client_name, password)
+        powershell_code = <<~CODE
+            Try {
+              $my_pwd = ConvertTo-SecureString -String "#{password}" -Force -AsPlainText;
+              $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } -ErrorAction Stop;
+              $tempfile = [System.IO.Path]::GetTempPath() + "export_pfx.pfx";
+              Export-PfxCertificate -Cert $cert -Password $my_pwd -FilePath $tempfile;
+            }
+            Catch {
+              return $false
+            }
+        CODE
+      end
+
+      def self.delete_old_key_ps(client_name)
+        powershell_code = <<~CODE
+          Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } | Remove-Item -ErrorAction Stop;
+        CODE
+      end
+
       def authentication_headers(method, url, json_body = nil, headers = nil)
         request_params = {
           http_method: method,

data/lib/chef/http/ssl_policies.rb

@@ -88,10 +88,10 @@ class Chef
           certs = Dir.glob(::File.join(Chef::Util::PathHelper.escape_glob_dir(config.trusted_certs_dir), "*.{crt,pem}"))
           certs.each do |cert_file|
             cert = begin
-              OpenSSL::X509::Certificate.new(::File.binread(cert_file))
+                     OpenSSL::X509::Certificate.new(::File.binread(cert_file))
                    rescue OpenSSL::X509::CertificateError => e
                      raise Chef::Exceptions::ConfigurationError, "Error reading cert file '#{cert_file}', original error '#{e.class}: #{e.message}'"
-            end
+                   end
             add_trusted_cert(cert)
           end
         end
@@ -103,10 +103,10 @@ class Chef
         unless config[:ssl_client_cert] && config[:ssl_client_key]
           raise Chef::Exceptions::ConfigurationError, "You must configure ssl_client_cert and ssl_client_key together"
         end
-        unless ::File.exist?(config[:ssl_client_cert])
+        unless ::File.exists?(config[:ssl_client_cert])
           raise Chef::Exceptions::ConfigurationError, "The configured ssl_client_cert #{config[:ssl_client_cert]} does not exist"
         end
-        unless ::File.exist?(config[:ssl_client_key])
+        unless ::File.exists?(config[:ssl_client_key])
           raise Chef::Exceptions::ConfigurationError, "The configured ssl_client_key #{config[:ssl_client_key]} does not exist"
         end
 

data/lib/chef/mixin/checksum.rb

@@ -31,12 +31,6 @@ class Chef
 
         checksum.slice(0, 6)
       end
-
-      def checksum_match?(ref_checksum, diff_checksum)
-        return false if ref_checksum.nil? || diff_checksum.nil?
-
-        ref_checksum.casecmp?(diff_checksum)
-      end
     end
   end
 end

data/lib/chef/mixin/homebrew_user.rb

@@ -57,28 +57,18 @@ class Chef
         @homebrew_owner_username
       end
 
-      def homebrew_bin_path(brew_bin_path = nil)
-        if brew_bin_path && ::File.exist?(brew_bin_path)
-          brew_bin_path
-        else
-          [which("brew"), "/opt/homebrew/bin/brew", "/usr/local/bin/brew", "/home/linuxbrew/.linuxbrew/bin/brew"].uniq.select do |x|
-            next if x == false
-
-            ::File.exist?(x) && ::File.executable?(x)
-          end.first || nil
-        end
-      end
-
       private
 
       def calculate_owner
-        brew_path = homebrew_bin_path
-        if brew_path
+        default_brew_path = "/usr/local/bin/brew"
+        if ::File.exist?(default_brew_path)
           # By default, this follows symlinks which is what we want
+          owner = ::File.stat(default_brew_path).uid
+        elsif (brew_path = shell_out("which brew").stdout.strip) && !brew_path.empty?
           owner = ::File.stat(brew_path).uid
         else
           raise Chef::Exceptions::CannotDetermineHomebrewOwner,
-            'Could not find the "brew" executable anywhere on the path.'
+            'Could not find the "brew" executable in /usr/local/bin or anywhere on the path.'
         end
 
         Chef::Log.debug "Found Homebrew owner #{Etc.getpwuid(owner).name}; executing `brew` commands as them"

data/lib/chef/mixin/openssl_helper.rb

@@ -157,7 +157,7 @@ class Chef
         raise TypeError, "curve must be a string" unless curve.is_a?(String)
         raise ArgumentError, "Specified curve is not available on this system" unless %w{prime256v1 secp384r1 secp521r1}.include?(curve)
 
-        ::OpenSSL::PKey::EC.generate(curve)
+        ::OpenSSL::PKey::EC.new(curve).generate_key
       end
 
       # generate pem format of the public key given a private key
@@ -170,22 +170,18 @@ class Chef
         key_content = ::File.exist?(priv_key) ? File.read(priv_key) : priv_key
         key = ::OpenSSL::PKey::EC.new key_content, priv_key_password
 
-        if windows? || macos? || aix?
-          # Get curve type (prime256v1...)
-          group = ::OpenSSL::PKey::EC::Group.new(key.group.curve_name)
-          # Get Generator point & public point (priv * generator)
-          generator = group.generator
-          pub_point = generator.mul(key.private_key)
-          key.public_key = pub_point
-
-          # Public Key in pem
-          public_key = ::OpenSSL::PKey::EC.new
-          public_key.group = group
-          public_key.public_key = pub_point
-          public_key.to_pem
-        else
-          key.public_to_pem
-        end
+        # Get curve type (prime256v1...)
+        group = ::OpenSSL::PKey::EC::Group.new(key.group.curve_name)
+        # Get Generator point & public point (priv * generator)
+        generator = group.generator
+        pub_point = generator.mul(key.private_key)
+        key.public_key = pub_point
+
+        # Public Key in pem
+        public_key = ::OpenSSL::PKey::EC.new
+        public_key.group = group
+        public_key.public_key = pub_point
+        public_key.to_pem
       end
 
       # generate a pem file given a cipher, key, an optional key_password

data/lib/chef/mixin/powershell_exec.rb

@@ -15,9 +15,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require_relative "../powershell"
-require_relative "../pwsh"
-
 # The powershell_exec mixin provides in-process access to the PowerShell engine.
 #
 # powershell_exec is initialized with a string that should be set to the script
@@ -94,35 +91,15 @@ require_relative "../pwsh"
 # - It is not possible to impersonate another user running powershell, the
 #   credentials of the user running Chef Client are used.
 #
+if ChefUtils.windows?
+  require "chef-powershell"
+end
 
 class Chef
   module Mixin
     module PowershellExec
-      # Run a command under PowerShell via a managed (.NET) API.
-      #
-      # Requires: .NET Framework 4.0 or higher on the target machine.
-      #
-      # @param script [String] script to run
-      # @param interpreter [Symbol] the interpreter type, `:powershell` or `:pwsh`
-      # @param timeout [Integer, nil] timeout in seconds.
-      # @return [Chef::PowerShell] output
-      def powershell_exec(script, interpreter = :powershell, timeout: -1)
-        case interpreter
-        when :powershell
-          Chef::PowerShell.new(script, timeout: timeout)
-        when :pwsh
-          Chef::Pwsh.new(script, timeout: timeout)
-        else
-          raise ArgumentError, "Expected interpreter of :powershell or :pwsh"
-        end
-      end
-
-      # The same as the #powershell_exec method except this will raise
-      # Chef::PowerShell::CommandFailed if the command fails
-      def powershell_exec!(script, interpreter = :powershell, **options)
-        cmd = powershell_exec(script, interpreter, **options)
-        cmd.error!
-        cmd
+      if ChefUtils.windows?
+        include ChefPowerShell::ChefPowerShellModule::PowerShellExec
       end
     end
   end

data/lib/chef/node/mixin/immutablize_array.rb

@@ -73,6 +73,7 @@ class Chef
           include?
           index
           inject
+          intersect?
           intersection
           join
           last

data/lib/chef/property.rb

@@ -113,9 +113,11 @@ class Chef
     #     and the transformed value returned as output. Lazy values will *not*
     #     be passed to this method until after they are evaluated. Called in the
     #     context of the resource (meaning you can access other properties).
-    #   @option options [Boolean] :required `true` if this property
-    #     must be present; `false` otherwise. This is checked after the resource
-    #     is fully initialized.
+    #   @option options [Boolean, Array<Symbol>] :required `true` if this property
+    #     must be present for *all* actions; `false` otherwise. Alternatively
+    #     you may specify a list of actions the property is required for, when
+    #     the property is only required for a subset of actions. This is checked
+    #     after the resource is fully initialized.
     #   @option options [String] :deprecated If set, this property is deprecated and
     #     will create a deprecation warning.
     #

data/lib/chef/provider/cron.rb

@@ -88,11 +88,7 @@ class Chef
 
       def cron_different?
         CRON_ATTRIBUTES.any? do |cron_var|
-          if new_resource.send(cron_var).class == current_resource.send(cron_var).class
-            new_resource.send(cron_var) != current_resource.send(cron_var)
-          else
-            new_resource.send(cron_var).to_s != current_resource.send(cron_var).to_s
-          end
+          new_resource.send(cron_var) != current_resource.send(cron_var)
         end
       end
 

data/lib/chef/provider/file.rb

@@ -336,7 +336,7 @@ class Chef
       end
 
       def do_validate_content
-        if new_resource.checksum && tempfile && !checksum_match?(new_resource.checksum, tempfile_checksum)
+        if new_resource.checksum && tempfile && ( new_resource.checksum != tempfile_checksum )
           raise Chef::Exceptions::ChecksumMismatch.new(short_cksum(new_resource.checksum), short_cksum(tempfile_checksum))
         end
 
@@ -450,7 +450,7 @@ class Chef
 
       def contents_changed?
         logger.trace "calculating checksum of #{tempfile.path} to compare with #{current_resource.checksum}"
-        !checksum_match?(tempfile_checksum, current_resource.checksum)
+        tempfile_checksum != current_resource.checksum
       end
 
       def tempfile

data/lib/chef/provider/group/windows.rb

@@ -17,7 +17,7 @@
 #
 
 require_relative "../user"
-if RUBY_PLATFORM.match?(/mswin|mingw32|windows/)
+if RUBY_PLATFORM.match?(/mswin|mingw|windows/)
   require_relative "../../util/windows/net_group"
 end
 

data/lib/chef/provider/http_request.rb

@@ -25,18 +25,20 @@ class Chef
 
       provides :http_request
 
-      attr_accessor :http
+      attr_writer :http
 
-      def load_current_resource
-        @http = Chef::HTTP::Simple.new(new_resource.url)
+      def http
+        @http ||= Chef::HTTP::Simple.new(new_resource.url)
       end
 
+      def load_current_resource; end
+
       # Send a HEAD request to new_resource.url
       action :head do
         message = check_message(new_resource.message)
         # CHEF-4762: we expect a nil return value from Chef::HTTP for a "200 Success" response
         # and false for a "304 Not Modified" response
-        modified = @http.head(
+        modified = http.head(
           (new_resource.url).to_s,
           new_resource.headers
         )
@@ -53,7 +55,7 @@ class Chef
         converge_by("#{new_resource} GET to #{new_resource.url}") do
 
           message = check_message(new_resource.message)
-          body = @http.get(
+          body = http.get(
             (new_resource.url).to_s,
             new_resource.headers
           )
@@ -66,7 +68,7 @@ class Chef
       action :patch do
         converge_by("#{new_resource} PATCH to #{new_resource.url}") do
           message = check_message(new_resource.message)
-          body = @http.patch(
+          body = http.patch(
             (new_resource.url).to_s,
             message,
             new_resource.headers
@@ -80,7 +82,7 @@ class Chef
       action :put do
         converge_by("#{new_resource} PUT to #{new_resource.url}") do
           message = check_message(new_resource.message)
-          body = @http.put(
+          body = http.put(
             (new_resource.url).to_s,
             message,
             new_resource.headers
@@ -94,7 +96,7 @@ class Chef
       action :post do
         converge_by("#{new_resource} POST to #{new_resource.url}") do
           message = check_message(new_resource.message)
-          body = @http.post(
+          body = http.post(
             (new_resource.url).to_s,
             message,
             new_resource.headers
@@ -107,7 +109,7 @@ class Chef
       # Send a DELETE request to new_resource.url
       action :delete do
         converge_by("#{new_resource} DELETE to #{new_resource.url}") do
-          body = @http.delete(
+          body = http.delete(
             (new_resource.url).to_s,
             new_resource.headers
           )

data/lib/chef/provider/mount/linux.rb

@@ -71,6 +71,11 @@ class Chef
             when /\A#{Regexp.escape(real_mount_point)}\s+#{device_mount_regex}\[/
               mounted = true
               logger.trace("Network device #{device_logstring} mounted as #{real_mount_point}")
+            # Permalink for network device mounted with a space in device name https://rubular.com/r/CK5zWWms96CRES
+            # See the comment in "device_with_space_escape" for an explanation what's going here.
+            when /\A#{Regexp.escape(real_mount_point)}\s+#{device_with_space_escape}\s/
+              mounted = true
+              logger.trace("Network device #{device_logstring} mounted as #{real_mount_point}")
             end
           end
           @current_resource.mounted(mounted)

data/lib/chef/provider/mount/mount.rb

@@ -217,6 +217,14 @@ class Chef
           end
         end
 
+        def device_with_space_escape
+          # For CIFS (and perhaps other remote network mounts) when a space is in the "device name"
+          # It will appear with the space substituted with a special character. However, when mounting,
+          # The mount needs to be done with an actual space. This function provides the device name with
+          # The special character to determine if the device is mounted.
+          device_mount_regex.gsub(" ", "\\x20")
+        end
+
         def device_mount_regex
           if network_device?
             # ignore trailing slash

data/lib/chef/provider/mount/windows.rb

@@ -17,7 +17,7 @@
 #
 
 require_relative "../mount"
-if RUBY_PLATFORM.match?(/mswin|mingw32|windows/)
+if RUBY_PLATFORM.match?(/mswin|mingw|windows/)
   require_relative "../../util/windows/net_use"
   require_relative "../../util/windows/volume"
 end