chef 17.10.95 → 18.0.169

data/lib/chef/exceptions.rb

@@ -561,5 +561,13 @@ class Chef
         super "before subscription from #{notification.resource} resource cannot be setup to #{notification.notifying_resource} resource, which has already fired while in unified mode"
       end
     end
+
+    class RestError < RuntimeError; end
+
+    class RestTargetError < RestError; end
+
+    class RestTimeout < RestError; end
+
+    class RestOperationFailed < RestError; end
   end
 end

data/lib/chef/http/authenticator.rb

@@ -16,16 +16,19 @@
 # limitations under the License.
 #
 
+require "chef/mixin/powershell_exec"
 require_relative "auth_credentials"
 require_relative "../exceptions"
+require_relative "../win32/registry"
 autoload :OpenSSL, "openssl"
 
 class Chef
   class HTTP
     class Authenticator
-
       DEFAULT_SERVER_API_VERSION = "2".freeze
 
+      extend Chef::Mixin::PowershellExec
+
       attr_reader :signing_key_filename
       attr_reader :raw_key
       attr_reader :attr_names
@@ -83,13 +86,69 @@ class Chef
         @auth_credentials.client_name
       end
 
+      def detect_certificate_key(client_name)
+        self.class.detect_certificate_key(client_name)
+      end
+
+      def check_certstore_for_key(client_name)
+        self.class.check_certstore_for_key(client_name)
+      end
+
+      def retrieve_certificate_key(client_name)
+        self.class.retrieve_certificate_key(client_name)
+      end
+
+      def get_cert_password
+        self.class.get_cert_password
+      end
+
+      def encrypt_pfx_pass
+        self.class.encrypt_pfx_pass
+      end
+
+      def decrypt_pfx_pass
+        self.class.decrypt_pfx_pass
+      end
+
+      # Detects if a private key exists in a certificate repository like Keychain (macOS) or Certificate Store (Windows)
+      #
+      # @param client_name - we're using the node name to store and retrieve any keys
+      # Returns true if a key is found, false if not. False will trigger a registration event which will lead to a certificate based key being created
+      #
+      def self.detect_certificate_key(client_name)
+        if ChefUtils.windows?
+          check_certstore_for_key(client_name)
+        else # generic return for Mac and LInux clients
+          false
+        end
+      end
+
+      def self.check_certstore_for_key(client_name)
+        powershell_code = <<~CODE
+          $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force  | Where-Object { $_.Subject -Match "chef-#{client_name}" } -ErrorAction Stop
+          if (($cert.HasPrivateKey -eq $true) -and ($cert.PrivateKey.Key.ExportPolicy -ne "NonExportable")) {
+            return $true
+          }
+          else{
+            return $false
+          }
+        CODE
+        powershell_exec!(powershell_code).result
+      end
+
       def load_signing_key(key_file, raw_key = nil)
-        if !!key_file
+        results = retrieve_certificate_key(Chef::Config[:node_name])
+
+        if !!results
+          @raw_key = results
+        elsif key_file == nil? && raw_key == nil?
+          puts "\nNo key detected\n"
+        elsif !!key_file
           @raw_key = IO.read(key_file).strip
         elsif !!raw_key
           @raw_key = raw_key.strip
         else
-          return nil
+          return
         end
         # Pass in '' as the passphrase to avoid OpenSSL prompting on the TTY if
         # given an encrypted key. This also helps if using a single file for
@@ -104,6 +163,114 @@ class Chef
         raise Chef::Exceptions::InvalidPrivateKey, msg
       end
 
+      def self.get_cert_password
+        @win32registry = Chef::Win32::Registry.new
+        path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+        # does the registry key even exist?
+        present = @win32registry.get_values(path)
+        if present.nil? || present.empty?
+          raise Chef::Exceptions::Win32RegKeyMissing
+        end
+
+        present.each do |secret|
+          if secret[:name] == "PfxPass"
+            password = decrypt_pfx_pass(secret[:data])
+            return password
+          end
+        end
+
+        raise Chef::Exceptions::Win32RegKeyMissing
+
+      rescue Chef::Exceptions::Win32RegKeyMissing
+        # if we don't have a password, log that and generate one
+        Chef::Log.warn "Authentication Hive and values not present in registry, creating them now"
+        new_path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+        unless @win32registry.key_exists?(new_path)
+          @win32registry.create_key(new_path, true)
+        end
+        require "securerandom" unless defined?(SecureRandom)
+        size = 14
+        password = SecureRandom.alphanumeric(size)
+        encrypted_pass = encrypt_pfx_pass(password)
+        values = { name: "PfxPass", type: :string, data: encrypted_pass }
+        @win32registry.set_value(new_path, values)
+        password
+      end
+
+      def self.encrypt_pfx_pass(password)
+        powershell_code = <<~CODE
+          $encrypted_string = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+          $secure_string = ConvertFrom-SecureString $encrypted_string
+          return $secure_string
+        CODE
+        powershell_exec!(powershell_code).result
+      end
+
+      def self.decrypt_pfx_pass(password)
+        powershell_code = <<~CODE
+          $secure_string = "#{password}" | ConvertTo-SecureString
+          $string = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((($secure_string))))
+          return $string
+        CODE
+        powershell_exec!(powershell_code).result
+      end
+
+      def self.retrieve_certificate_key(client_name)
+        require "openssl" unless defined?(OpenSSL)
+
+        if ChefUtils.windows?
+          password = get_cert_password
+          return false unless password
+
+          if check_certstore_for_key(client_name)
+            ps_blob = powershell_exec!(get_the_key_ps(client_name, password)).result
+            file_path = ps_blob["PSPath"].split("::")[1]
+            pkcs = OpenSSL::PKCS12.new(File.binread(file_path), password)
+
+            # We check the pfx we just extracted the private key from
+            # if that cert is expiring in 7 days or less we generate a new pfx/p12 object
+            # then we post the new public key from that to the client endpoint on
+            # chef server.
+            File.delete(file_path)
+            key_expiring = is_certificate_expiring?(pkcs)
+            if key_expiring
+              powershell_exec!(delete_old_key_ps(client_name))
+              ::Chef::Client.update_key_and_register(Chef::Config[:client_name], pkcs)
+            end
+
+            return pkcs.key.private_to_pem
+          end
+        end
+
+        false
+      end
+
+      def self.is_certificate_expiring?(pkcs)
+        today = Date.parse(Time.now.utc.iso8601)
+        future = Date.parse(pkcs.certificate.not_after.iso8601)
+        future.mjd - today.mjd <= 7
+      end
+
+      def self.get_the_key_ps(client_name, password)
+        powershell_code = <<~CODE
+            Try {
+              $my_pwd = ConvertTo-SecureString -String "#{password}" -Force -AsPlainText;
+              $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } -ErrorAction Stop;
+              $tempfile = [System.IO.Path]::GetTempPath() + "export_pfx.pfx";
+              Export-PfxCertificate -Cert $cert -Password $my_pwd -FilePath $tempfile;
+            }
+            Catch {
+              return $false
+            }
+        CODE
+      end
+
+      def self.delete_old_key_ps(client_name)
+        powershell_code = <<~CODE
+          Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } | Remove-Item -ErrorAction Stop;
+        CODE
+      end
+
       def authentication_headers(method, url, json_body = nil, headers = nil)
         request_params = {
           http_method: method,

data/lib/chef/http/ssl_policies.rb

@@ -88,10 +88,10 @@ class Chef
           certs = Dir.glob(::File.join(Chef::Util::PathHelper.escape_glob_dir(config.trusted_certs_dir), "*.{crt,pem}"))
           certs.each do |cert_file|
             cert = begin
-              OpenSSL::X509::Certificate.new(::File.binread(cert_file))
+                     OpenSSL::X509::Certificate.new(::File.binread(cert_file))
                    rescue OpenSSL::X509::CertificateError => e
                      raise Chef::Exceptions::ConfigurationError, "Error reading cert file '#{cert_file}', original error '#{e.class}: #{e.message}'"
-            end
+                   end
             add_trusted_cert(cert)
           end
         end
@@ -132,7 +132,7 @@ class Chef
       def add_trusted_cert(cert)
         http_client.cert_store.add_cert(cert)
       rescue OpenSSL::X509::StoreError => e
-        raise e unless e.message == "cert already in hash table"
+        raise e unless e.message =~ /cert already in hash table/
       end
 
     end

data/lib/chef/mixin/checksum.rb

@@ -31,12 +31,6 @@ class Chef
 
         checksum.slice(0, 6)
       end
-
-      def checksum_match?(ref_checksum, diff_checksum)
-        return false if ref_checksum.nil? || diff_checksum.nil?
-
-        ref_checksum.casecmp?(diff_checksum)
-      end
     end
   end
 end

data/lib/chef/mixin/powershell_exec.rb

@@ -15,9 +15,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require_relative "../powershell"
-require_relative "../pwsh"
-
 # The powershell_exec mixin provides in-process access to the PowerShell engine.
 #
 # powershell_exec is initialized with a string that should be set to the script
@@ -94,35 +91,15 @@ require_relative "../pwsh"
 # - It is not possible to impersonate another user running powershell, the
 #   credentials of the user running Chef Client are used.
 #
+if ChefUtils.windows?
+  require "chef-powershell"
+end
 
 class Chef
   module Mixin
     module PowershellExec
-      # Run a command under PowerShell via a managed (.NET) API.
-      #
-      # Requires: .NET Framework 4.0 or higher on the target machine.
-      #
-      # @param script [String] script to run
-      # @param interpreter [Symbol] the interpreter type, `:powershell` or `:pwsh`
-      # @param timeout [Integer, nil] timeout in seconds.
-      # @return [Chef::PowerShell] output
-      def powershell_exec(script, interpreter = :powershell, timeout: -1)
-        case interpreter
-        when :powershell
-          Chef::PowerShell.new(script, timeout: timeout)
-        when :pwsh
-          Chef::Pwsh.new(script, timeout: timeout)
-        else
-          raise ArgumentError, "Expected interpreter of :powershell or :pwsh"
-        end
-      end
-
-      # The same as the #powershell_exec method except this will raise
-      # Chef::PowerShell::CommandFailed if the command fails
-      def powershell_exec!(script, interpreter = :powershell, **options)
-        cmd = powershell_exec(script, interpreter, **options)
-        cmd.error!
-        cmd
+      if ChefUtils.windows?
+        include ChefPowerShell::ChefPowerShellModule::PowerShellExec
       end
     end
   end

data/lib/chef/node/mixin/immutablize_array.rb

@@ -73,6 +73,7 @@ class Chef
           include?
           index
           inject
+          intersect?
           intersection
           join
           last

data/lib/chef/property.rb

@@ -113,9 +113,11 @@ class Chef
     #     and the transformed value returned as output. Lazy values will *not*
     #     be passed to this method until after they are evaluated. Called in the
     #     context of the resource (meaning you can access other properties).
-    #   @option options [Boolean] :required `true` if this property
-    #     must be present; `false` otherwise. This is checked after the resource
-    #     is fully initialized.
+    #   @option options [Boolean, Array<Symbol>] :required `true` if this property
+    #     must be present for *all* actions; `false` otherwise. Alternatively
+    #     you may specify a list of actions the property is required for, when
+    #     the property is only required for a subset of actions. This is checked
+    #     after the resource is fully initialized.
     #   @option options [String] :deprecated If set, this property is deprecated and
     #     will create a deprecation warning.
     #

data/lib/chef/provider/file.rb

@@ -336,7 +336,7 @@ class Chef
       end
 
       def do_validate_content
-        if new_resource.checksum && tempfile && !checksum_match?(new_resource.checksum, tempfile_checksum)
+        if new_resource.checksum && tempfile && ( new_resource.checksum != tempfile_checksum )
           raise Chef::Exceptions::ChecksumMismatch.new(short_cksum(new_resource.checksum), short_cksum(tempfile_checksum))
         end
 
@@ -450,7 +450,7 @@ class Chef
 
       def contents_changed?
         logger.trace "calculating checksum of #{tempfile.path} to compare with #{current_resource.checksum}"
-        !checksum_match?(tempfile_checksum, current_resource.checksum)
+        tempfile_checksum != current_resource.checksum
       end
 
       def tempfile

data/lib/chef/provider/group/windows.rb

@@ -17,7 +17,7 @@
 #
 
 require_relative "../user"
-if RUBY_PLATFORM.match?(/mswin|mingw32|windows/)
+if RUBY_PLATFORM.match?(/mswin|mingw|windows/)
   require_relative "../../util/windows/net_group"
 end
 

data/lib/chef/provider/http_request.rb

@@ -25,18 +25,20 @@ class Chef
 
       provides :http_request
 
-      attr_accessor :http
+      attr_writer :http
 
-      def load_current_resource
-        @http = Chef::HTTP::Simple.new(new_resource.url)
+      def http
+        @http ||= Chef::HTTP::Simple.new(new_resource.url)
       end
 
+      def load_current_resource; end
+
       # Send a HEAD request to new_resource.url
       action :head do
         message = check_message(new_resource.message)
         # CHEF-4762: we expect a nil return value from Chef::HTTP for a "200 Success" response
         # and false for a "304 Not Modified" response
-        modified = @http.head(
+        modified = http.head(
           (new_resource.url).to_s,
           new_resource.headers
         )
@@ -53,7 +55,7 @@ class Chef
         converge_by("#{new_resource} GET to #{new_resource.url}") do
 
           message = check_message(new_resource.message)
-          body = @http.get(
+          body = http.get(
             (new_resource.url).to_s,
             new_resource.headers
           )
@@ -66,7 +68,7 @@ class Chef
       action :patch do
         converge_by("#{new_resource} PATCH to #{new_resource.url}") do
           message = check_message(new_resource.message)
-          body = @http.patch(
+          body = http.patch(
             (new_resource.url).to_s,
             message,
             new_resource.headers
@@ -80,7 +82,7 @@ class Chef
       action :put do
         converge_by("#{new_resource} PUT to #{new_resource.url}") do
           message = check_message(new_resource.message)
-          body = @http.put(
+          body = http.put(
             (new_resource.url).to_s,
             message,
             new_resource.headers
@@ -94,7 +96,7 @@ class Chef
       action :post do
         converge_by("#{new_resource} POST to #{new_resource.url}") do
           message = check_message(new_resource.message)
-          body = @http.post(
+          body = http.post(
             (new_resource.url).to_s,
             message,
             new_resource.headers
@@ -107,7 +109,7 @@ class Chef
       # Send a DELETE request to new_resource.url
       action :delete do
         converge_by("#{new_resource} DELETE to #{new_resource.url}") do
-          body = @http.delete(
+          body = http.delete(
             (new_resource.url).to_s,
             new_resource.headers
           )

data/lib/chef/provider/mount/linux.rb

@@ -71,6 +71,11 @@ class Chef
             when /\A#{Regexp.escape(real_mount_point)}\s+#{device_mount_regex}\[/
               mounted = true
               logger.trace("Network device #{device_logstring} mounted as #{real_mount_point}")
+            # Permalink for network device mounted with a space in device name https://rubular.com/r/CK5zWWms96CRES
+            # See the comment in "device_with_space_escape" for an explanation what's going here.
+            when /\A#{Regexp.escape(real_mount_point)}\s+#{device_with_space_escape}\s/
+              mounted = true
+              logger.trace("Network device #{device_logstring} mounted as #{real_mount_point}")
             end
           end
           @current_resource.mounted(mounted)

data/lib/chef/provider/mount/mount.rb

@@ -217,6 +217,14 @@ class Chef
           end
         end
 
+        def device_with_space_escape
+          # For CIFS (and perhaps other remote network mounts) when a space is in the "device name"
+          # It will appear with the space substituted with a special character. However, when mounting,
+          # The mount needs to be done with an actual space. This function provides the device name with
+          # The special character to determine if the device is mounted.
+          device_mount_regex.gsub(" ", "\\x20")
+        end
+
         def device_mount_regex
           if network_device?
             # ignore trailing slash

data/lib/chef/provider/mount/windows.rb

@@ -17,7 +17,7 @@
 #
 
 require_relative "../mount"
-if RUBY_PLATFORM.match?(/mswin|mingw32|windows/)
+if RUBY_PLATFORM.match?(/mswin|mingw|windows/)
   require_relative "../../util/windows/net_use"
   require_relative "../../util/windows/volume"
 end

data/lib/chef/provider/package/chocolatey.rb

@@ -130,21 +130,6 @@ class Chef
         # install from, but like the rubygem provider's sources which are more like repos.
         def check_resource_semantics!; end
 
-        def self.get_choco_version
-          @get_choco_version ||= powershell_exec!("choco --version").result
-        end
-
-        # Choco V2 uses 'Search' for remote repositories and 'List' for local packages
-        def self.query_command
-          return "list" if get_choco_version.match?(/^1/)
-
-          "search"
-        end
-
-        def query_command
-          self.class.query_command
-        end
-
         private
 
         def version_compare(v1, v2)
@@ -240,7 +225,7 @@ class Chef
           package_name_array.each do |pkg|
             available_versions =
               begin
-                cmd = [ query_command, "-r", pkg ]
+                cmd = [ "list", "-r", pkg ]
                 cmd += common_options
                 cmd.push( new_resource.list_options ) if new_resource.list_options
 
@@ -257,8 +242,6 @@ class Chef
         # Installed packages in chocolatey as a Hash of names mapped to versions
         # (names are downcased for case-insensitive matching)
         #
-        # Beginning with Choco 2.0, "list" returns local packages only while "search" returns packages from external package sources
-        #
         # @return [Hash] name-to-version mapping of installed packages
         def installed_packages
           @installed_packages ||= Hash[*parse_list_output("list", "-l", "-r").flatten]

data/lib/chef/provider/package/rubygems.rb

@@ -92,7 +92,7 @@ class Chef
           #
           def installed_versions(gem_dep)
             rubygems_version = Gem::Version.new(Gem::VERSION)
-            if rubygems_version >= Gem::Version.new("2.7")
+            if rubygems_version >= Gem::Version.new("3.1")
               # In newer Rubygems, bundler is now a "default gem" which means
               # even with AlternateGemEnvironment when you try to get the
               # installed versions, you get the one from Chef's Ruby's default

data/lib/chef/provider/package/windows/msi.rb

@@ -18,7 +18,7 @@
 
 # TODO: Allow new_resource.source to be a Product Code as a GUID for uninstall / network install
 
-require_relative "../../../win32/api/installer" if RUBY_PLATFORM.match?(/mswin|mingw32|windows/)
+require_relative "../../../win32/api/installer" if RUBY_PLATFORM.match?(/mswin|mingw|windows/)
 require_relative "../../../mixin/shell_out"
 
 class Chef
@@ -26,7 +26,7 @@ class Chef
     class Package
       class Windows
         class MSI
-          include Chef::ReservedNames::Win32::API::Installer if RUBY_PLATFORM.match?(/mswin|mingw32|windows/)
+          include Chef::ReservedNames::Win32::API::Installer if RUBY_PLATFORM.match?(/mswin|mingw|windows/)
           include Chef::Mixin::ShellOut
 
           def initialize(resource, uninstall_entries)

data/lib/chef/provider/package/windows/registry_uninstall_entry.rb

@@ -18,7 +18,7 @@
 #
 
 module Win32
-  autoload :Registry, File.expand_path("../../../monkey_patches/win32/registry", __dir__) if RUBY_PLATFORM.match?(/mswin|mingw32|windows/)
+  autoload :Registry, File.expand_path("../../../monkey_patches/win32/registry", __dir__) if RUBY_PLATFORM.match?(/mswin|mingw|windows/)
 end
 
 class Chef

data/lib/chef/provider/package/windows.rb

@@ -38,7 +38,7 @@ class Chef
         def define_resource_requirements
           if new_resource.checksum
             requirements.assert(:install) do |a|
-              a.assertion { checksum_match?(new_resource.checksum, checksum(source_location)) }
+              a.assertion { new_resource.checksum == checksum(source_location) }
               a.failure_message Chef::Exceptions::Package, "Checksum on resource (#{short_cksum(new_resource.checksum)}) does not match checksum on content (#{short_cksum(source_location)})"
             end
           end

data/lib/chef/provider/package/zypper/version.rb

@@ -0,0 +1,60 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  class Provider
+    class Package
+      class Zypper < Chef::Provider::Package
+
+        # helper class to assist in passing around name/version/arch triples
+        class Version
+          attr_accessor :name
+          attr_accessor :version
+          attr_accessor :arch
+
+          def initialize(name, version, arch)
+            @name    = name
+            @version = version
+            @arch    = arch
+          end
+
+          def to_s
+            "#{name}-#{version}.#{arch}" unless version.nil?
+          end
+
+          def version_with_arch
+            "#{version}.#{arch}" unless version.nil?
+          end
+
+          def name_with_arch
+            "#{name}.#{arch}" unless name.nil?
+          end
+
+          def matches_name_and_arch?(other)
+            other.version == version && other.arch == arch
+          end
+
+          def ==(other)
+            name == other.name && version == other.version && arch == other.arch
+          end
+
+          alias eql? ==
+        end
+      end
+    end
+  end
+end