chef 17.10.95 → 18.0.169

data/lib/chef/provider/package/zypper.rb

@@ -20,17 +20,28 @@
 
 require_relative "../package"
 require_relative "../../resource/zypper_package"
+require_relative "zypper/version"
 
 class Chef
   class Provider
     class Package
       class Zypper < Chef::Provider::Package
         use_multipackage_api
+        use_package_name_for_source
         allow_nils
 
         provides :package, platform_family: "suse"
         provides :zypper_package
 
+        def define_resource_requirements
+          super
+          requirements.assert(:install, :upgrade) do |a|
+            a.assertion { source_files_exist? }
+            a.failure_message Chef::Exceptions::Package, "#{new_resource} source file(s) do not exist: #{missing_sources}"
+            a.whyrun "Assuming they would have been previously created."
+          end
+        end
+
         def load_current_resource
           @current_resource = Chef::Resource::ZypperPackage.new(new_resource.name)
           current_resource.package_name(new_resource.package_name)
@@ -70,7 +81,35 @@ class Chef
         end
 
         def candidate_version
-          @candidate_version ||= package_name_array.each_with_index.map { |pkg, i| available_version(i) }
+          package_name_array.each_with_index.map do |pkg, i|
+            available_version(i)
+          end
+        end
+
+        # returns true if all sources exist.  Returns false if any do not, or if no
+        # sources were specified.
+        # @return [Boolean] True if all sources exist
+        def source_files_exist?
+          if !new_resource.source.nil?
+            resolved_source_array.all? { |s| s && ::File.exist?(s) }
+          else
+            true
+          end
+        end
+
+        # Helper to return all the names of the missing sources for error messages.
+        # @return [Array<String>] Array of missing sources
+        def missing_sources
+          resolved_source_array.select { |s| s.nil? || !::File.exist?(s) }
+        end
+
+        def resolve_source_to_version
+          shell_out!("rpm -qp --queryformat '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n' #{new_resource.source}").stdout.each_line do |line|
+            case line
+              when /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$/
+                return Version.new($1, "#{$2 == "(none)" ? "0" : $2}:#{$3}-#{$4}", $5)
+            end
+          end
         end
 
         def resolve_current_version(package_name)
@@ -119,7 +158,12 @@ class Chef
 
         def available_version(index)
           @available_version ||= []
-          @available_version[index] ||= resolve_available_version(package_name_array[index], safe_version_array[index])
+
+          @available_version[index] ||= if new_resource.source
+                                          resolve_source_to_version
+                                        else
+                                          resolve_available_version(package_name_array[index], safe_version_array[index])
+                                        end
           @available_version[index]
         end
 
@@ -141,7 +185,7 @@ class Chef
         end
 
         def zypper_package(command, global_options, *options, names, versions)
-          zipped_names = zip(names, versions)
+          zipped_names = new_resource.source || zip(names, versions)
           if zypper_version < 1.0
             shell_out!("zypper", global_options, gpg_checks, command, *options, "-y", names)
           else

data/lib/chef/provider/service/windows.rb

@@ -20,7 +20,7 @@
 
 require_relative "simple"
 require_relative "../../win32_service_constants"
-if RUBY_PLATFORM.match?(/mswin|mingw32|windows/)
+if RUBY_PLATFORM.match?(/mswin|mingw|windows/)
   require_relative "../../win32/error"
   require "win32/service"
 end

data/lib/chef/provider/user/aix.rb

@@ -23,6 +23,11 @@ class Chef
         provides :user, os: "aix"
         provides :aix_user
 
+        # The ruby-shadow gem is not supported on aix.
+        def supports_ruby_shadow?
+          false
+        end
+
         def create_user
           shell_out!("useradd", universal_options, useradd_options, new_resource.username)
           add_password

data/lib/chef/provider/user/linux.rb

@@ -23,6 +23,27 @@ class Chef
         provides :linux_user
         provides :user, os: "linux"
 
+        def load_current_resource
+          super
+          load_shadow_options
+        end
+
+        def compare_user
+          user_changed = super
+
+          @change_desc ||= []
+
+          %i{expire_date inactive}.each do |user_attrib|
+            new_val = new_resource.send(user_attrib)
+            cur_val = current_resource.send(user_attrib)
+            if !new_val.nil? && new_val.to_s != cur_val.to_s
+              @change_desc << "change #{user_attrib} from #{cur_val} to #{new_val}"
+            end
+          end
+
+          user_changed || !@change_desc.empty?
+        end
+
         def create_user
           shell_out!("useradd", universal_options, useradd_options, new_resource.username)
         end
@@ -52,7 +73,9 @@ class Chef
         def universal_options
           opts = []
           opts << "-c" << new_resource.comment if should_set?(:comment)
+          opts << "-e" << new_resource.expire_date if prop_is_set?(:expire_date)
           opts << "-g" << new_resource.gid if should_set?(:gid)
+          opts << "-f" << new_resource.inactive if prop_is_set?(:inactive)
           opts << "-p" << new_resource.password if should_set?(:password)
           opts << "-s" << new_resource.shell if should_set?(:shell)
           opts << "-u" << new_resource.uid if should_set?(:uid)
@@ -116,6 +139,12 @@ class Chef
           # FIXME: should probably go on the current_resource
           @locked
         end
+
+        def prop_is_set?(prop)
+          v = new_resource.send(prop.to_sym)
+
+          !v.nil? && v != ""
+        end
       end
     end
   end

data/lib/chef/provider/user/mac.rb

@@ -48,7 +48,7 @@ class Chef
           if user_plist
             current_resource.uid(user_plist[:uid][0])
             current_resource.gid(user_plist[:gid][0])
-            current_resource.home(user_plist[:home][0])
+            current_resource.home(user_plist[:home]&.first) # use &.first since home can be nil
             current_resource.shell(user_plist[:shell]&.first) # use &.first since shell can be nil
             current_resource.comment(user_plist[:comment][0])
 

data/lib/chef/provider/user.rb

@@ -66,14 +66,23 @@ class Chef
           end
           current_resource.comment(user_info.gecos)
 
-          if new_resource.password && current_resource.password == "x"
-            begin
-              require "shadow"
-            rescue LoadError
-              @shadow_lib_ok = false
-            else
-              shadow_info = Shadow::Passwd.getspnam(new_resource.username)
-              current_resource.password(shadow_info.sp_pwdp)
+          begin
+            require "shadow"
+          rescue LoadError
+            @shadow_lib_ok = false
+          else
+            @shadow_info = Shadow::Passwd.getspnam(new_resource.username)
+            # This conditional remains in place until we can sort out whether we need it.
+            # Currently removing it causes tests to fail, but that /seems/ to be mocking/setup issues.
+            # Some notes for context:
+            # 1. Ruby's ETC.getpwnam makes use of /etc/passwd file (https://github.com/ruby/etc/blob/master/ext/etc/etc.c),
+            #    which returns "x" for a nil password. on AIX it returns a "*"
+            #    (https://www.ibm.com/docs/bg/aix/7.2?topic=passwords-using-etcpasswd-file)
+            # 2. On AIX platforms ruby_shadow does not work as it does not
+            #    store encrypted passwords in the /etc/passwd file but in /etc/security/passwd file.
+            #    The AIX provider for user currently declares it does not support ruby-shadow.
+            if new_resource.password && current_resource.password == "x"
+              current_resource.password(@shadow_info.sp_pwdp)
             end
           end
 
@@ -83,6 +92,27 @@ class Chef
         current_resource
       end
 
+      # An overridable for platforms that do not support ruby shadow. This way we
+      # can verify that the platform supports ruby shadow before requiring that
+      # it be available.
+      def supports_ruby_shadow?
+        true
+      end
+
+      def load_shadow_options
+        unless @shadow_info.nil?
+          current_resource.inactive(@shadow_info.sp_inact&.to_i)
+          # sp_expire gives time since epoch in days till expiration. Need to convert that
+          # to time in seconds since epoch and output date format for comparison
+          expire_date = if @shadow_info.sp_expire.nil?
+                          @shadow_info.sp_expire
+                        else
+                          Time.at(@shadow_info.sp_expire * 60 * 60 * 24).strftime("%Y-%m-%d")
+                        end
+          current_resource.expire_date(expire_date)
+        end
+      end
+
       def define_resource_requirements
         requirements.assert(:create, :modify, :manage, :lock, :unlock) do |a|
           a.assertion { @group_name_resolved }
@@ -90,11 +120,17 @@ class Chef
           a.whyrun "group name #{new_resource.gid} does not exist.  This will cause group assignment to fail.  Assuming this group will have been created previously."
         end
         requirements.assert(:all_actions) do |a|
-          a.assertion { @shadow_lib_ok }
+          a.assertion { !supports_ruby_shadow? || @shadow_lib_ok }
           a.failure_message Chef::Exceptions::MissingLibrary, "You must have ruby-shadow installed for password support!"
           a.whyrun "ruby-shadow is not installed. Attempts to set user password will cause failure.  Assuming that this gem will have been previously installed." \
             "Note that user update converge may report false-positive on the basis of mismatched password. "
         end
+        requirements.assert(:all_actions) do |a|
+          # either neither linux-only value is set, or we need to be on Linux.
+          a.assertion { (!new_resource.expire_date && !new_resource.inactive) || linux? }
+          a.failure_message Chef::Exceptions::User, "Properties expire_date and inactive are not supported by this OS or have not been implemented for this OS yet."
+          a.whyrun "Properties expire_date and inactive are ignored as they are not supported by this OS or have not been implemented yet for this OS"
+        end
         requirements.assert(:modify, :lock, :unlock) do |a|
           a.assertion { @user_exists }
           a.failure_message(Chef::Exceptions::User, "Cannot modify user #{new_resource.username} - does not exist!")
@@ -117,11 +153,7 @@ class Chef
           new_val = new_resource.send(user_attrib)
           cur_val = current_resource.send(user_attrib)
           if !new_val.nil? && new_val.to_s != cur_val.to_s
-            if user_attrib.to_s == "password" && new_resource.sensitive
-              @change_desc << "change #{user_attrib} from ******** to ********"
-            else
-              @change_desc << "change #{user_attrib} from #{cur_val} to #{new_val}"
-            end
+            @change_desc << "change #{user_attrib} from #{cur_val} to #{new_val}"
           end
         end
 

data/lib/chef/provider.rb

@@ -113,7 +113,7 @@ class Chef
       dirname = ::File.dirname(partial)
       basename = ::File.basename(partial, ".rb")
       basename = basename[1..] if basename.start_with?("_")
-      class_eval IO.read(::File.expand_path("#{dirname}/_#{basename}.rb", ::File.dirname(caller_locations.first.absolute_path)))
+      class_eval IO.read(::File.expand_path("#{dirname}/_#{basename}.rb", ::File.dirname(caller_locations.first.path)))
     end
 
     # delegate to the resource

data/lib/chef/recipe.rb

@@ -101,7 +101,7 @@ class Chef
     end
 
     def from_yaml(string)
-      res = ::YAML.safe_load(string)
+      res = ::YAML.safe_load(string, permitted_classes: [Date])
       unless res.is_a?(Hash) && res.key?("resources")
         raise ArgumentError, "YAML recipe '#{source_file}' must contain a top-level 'resources' hash (YAML sequence), i.e. 'resources:'"
       end

data/lib/chef/resource/_rest_resource.rb

@@ -0,0 +1,389 @@
+#
+# Copyright:: Copyright 2008-2016, Chef, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "addressable/template" unless defined?(Addressable::Template)
+require "rest-client" unless defined?(RestClient)
+require "jmespath" unless defined?(JMESPath)
+require "chef/dsl/rest_resource" unless defined?(Chef::DSL::RestResource)
+
+extend Chef::DSL::RestResource
+
+action_class do
+  def load_current_resource
+    @current_resource = new_resource.class.new(new_resource.name)
+
+    required_properties.each do |name|
+      requested = new_resource.send(name)
+      current_resource.send(name, requested)
+    end
+
+    return @current_resource if rest_get_all.data.empty?
+
+    resource_data = rest_get.data rescue nil
+    return @current_resource if resource_data.nil? || resource_data.empty?
+
+    @resource_exists = true
+
+    # Map JSON contents to defined properties
+    current_resource.class.rest_property_map.each do |property, match_instruction|
+      property_value = json_to_property(match_instruction, property, resource_data)
+      current_resource.send(property, property_value) unless property_value.nil?
+    end
+
+    current_resource
+  end
+end
+
+action :configure do
+  if resource_exists?
+    converge_if_changed do
+      data = {}
+
+      new_resource.class.rest_property_map.each do |property, match_instruction|
+        # Skip "creation-only" properties on modifications
+        next if new_resource.class.rest_post_only_properties.include?(property)
+
+        deep_merge! data, property_to_json(property, match_instruction)
+      end
+
+      deep_compact!(data)
+
+      rest_patch(data)
+    end
+  else
+    converge_by "creating resource" do
+      data = {}
+
+      new_resource.class.rest_property_map.each do |property, match_instruction|
+        deep_merge! data, property_to_json(property, match_instruction)
+      end
+
+      deep_compact!(data)
+
+      rest_post(data)
+    end
+  end
+end
+
+action :delete do
+  if resource_exists?
+    converge_by "deleting resource" do
+      rest_delete
+    end
+  else
+    logger.debug format("REST resource %<name>s of type %<type>s does not exist. Skipping.",
+                        type: new_resource.name, name: id_property)
+  end
+end
+
+action_class do
+  # Override this for postprocessing device-specifics (paging, data conversion)
+  def rest_postprocess(response)
+    response
+  end
+
+  # Override this for error handling of device-specifics (readable error messages)
+  def rest_errorhandler(error_obj)
+    error_obj
+  end
+
+  private
+
+  def resource_exists?
+    @resource_exists
+  end
+
+  def required_properties
+    current_resource.class.properties.select { |_, v| v.required? }.except(:name).keys
+  end
+
+  # Return changed value or nil for delta current->new
+  def changed_value(property)
+    new_value = new_resource.send(property)
+    return new_value if current_resource.nil?
+
+    current_value = current_resource.send(property)
+
+    return current_value if required_properties.include? property
+
+    new_value == current_value ? nil : new_value
+  end
+
+  def id_property
+    current_resource.class.identity_attr
+  end
+
+  # Map properties to their current values
+  def property_map
+    map = {}
+
+    current_resource.class.state_properties.each do |property|
+      name = property.options[:name]
+
+      map[name] = current_resource.send(name)
+    end
+
+    map[id_property] = current_resource.send(id_property)
+
+    map
+  end
+
+  # Map part of a JSON (Hash) to resource property via JMESPath or user-supplied function
+  def json_to_property(match_instruction, property, resource_data)
+    case match_instruction
+    when String
+      JMESPath.search(match_instruction, resource_data)
+    when Symbol
+      function = "#{property}_from_json".to_sym
+      raise "#{new_resource.name} missing #{function} method" unless self.class.protected_method_defined?(function)
+
+      send(function, resource_data) || {}
+    else
+      raise TypeError, "Did not expect match type #{match_instruction.class}"
+    end
+  end
+
+  # Map resource contents into a JSON (Hash) via JMESPath-like syntax or user-supplied function
+  def property_to_json(property, match_instruction)
+    case match_instruction
+    when String
+      bury(match_instruction, changed_value(property))
+    when Symbol
+      function = "#{property}_to_json".to_sym
+      raise "#{new_resource.name} missing #{function} method" unless self.class.protected_method_defined?(function)
+
+      value = new_resource.send(property)
+      changed_value(property).nil? ? {} : send(function, value)
+    else
+      raise TypeError, "Did not expect match type #{match_instruction.class}"
+    end
+  end
+
+  def rest_url_collection
+    current_resource.class.rest_api_collection
+  end
+
+  # Resource document URL after RFC 6570 template evaluation via properties substitution
+  def rest_url_document
+    template = ::Addressable::Template.new(current_resource.class.rest_api_document)
+    template.expand(property_map).to_s
+  end
+
+  # Convenience method for conditional requires
+  def conditionally_require_on_setting(property, dependent_properties)
+    dependent_properties = Array(dependent_properties)
+
+    requirements.assert(:configure) do |a|
+      a.assertion do
+        # Needs to be set and truthy to require dependent properties
+        if new_resource.send(property)
+          dependent_properties.all? { |dep_prop| new_resource.property_is_set?(dep_prop) }
+        else
+          true
+        end
+      end
+
+      message = format("Setting property :%<property>s requires properties :%<properties>s to be set as well on resource %<resource_name>s",
+                       property: property,
+                       properties: dependent_properties.join(", :"),
+                       resource_name: current_resource.to_s)
+
+      a.failure_message message
+    end
+  end
+
+  # Generic REST helpers
+
+  def rest_get_all
+    response = api_connection.get(rest_url_collection)
+
+    rest_postprocess(response)
+  rescue RestClient::Exception => e
+    rest_errorhandler(e)
+  end
+
+  def rest_get
+    response = api_connection.get(rest_url_document)
+
+    response = rest_postprocess(response)
+
+    first_only = current_resource.class.rest_api_document_first_element_only
+    response.data = response.data.first if first_only && response.data.is_a?(Array)
+
+    response
+  rescue RestClient::Exception => e
+    rest_errorhandler(e)
+  end
+
+  def rest_post(data)
+    data.merge! rest_identity_values
+
+    response = api_connection.post(rest_url_collection, data: data)
+
+    rest_postprocess(response)
+  rescue RestClient::Exception => e
+    rest_errorhandler(e)
+  end
+
+  def rest_put(data)
+    data.merge! rest_identity_values
+
+    response = api_connection.put(rest_url_collection, data: data)
+
+    rest_postprocess(response)
+  rescue RestClient::Exception => e
+    rest_errorhandler(e)
+  end
+
+  def rest_patch(data)
+    response = api_connection.patch(rest_url_document, data: data)
+
+    rest_postprocess(response)
+  rescue RestClient::Exception => e
+    rest_errorhandler(e)
+  end
+
+  def rest_delete
+    response = api_connection.delete(rest_url_document)
+
+    rest_postprocess(response)
+  rescue RestClient::Exception => e
+    rest_errorhandler(e)
+  end
+
+  # REST parameter mapping
+
+  # Return number of parameters needed to identify a resource (pre- and post-creation)
+  def rest_arity
+    rest_identity_map.keys.count
+  end
+
+  # Return mapping of template placeholders to property value of identity parameters
+  def rest_identity_values
+    data = {}
+
+    rest_identity_map.each do |rfc_template, property|
+      property_value = new_resource.send(property)
+      data.merge! bury(rfc_template, property_value)
+    end
+
+    data
+  end
+
+  def rest_identity_map
+    rest_identity_explicit || rest_identity_implicit
+  end
+
+  # Accept direct mapping like { "svm.name" => :name } for specifying the x-ary identity of a resource
+  def rest_identity_explicit
+    current_resource.class.rest_identity_map
+  end
+
+  # Parse document URL for RFC 6570 templates and map them to resource properties.
+  #
+  # Examples:
+  #   Query based: "/api/protocols/san/igroups?name={name}&svm.name={svm}": { "name" => :name, "svm.name" => :svm }
+  #   Path based:  "/api/v1/{address}": { "address" => :address }
+  #
+  def rest_identity_implicit
+    template_url = current_resource.class.rest_api_document
+
+    rfc_template = ::Addressable::Template.new(template_url)
+    rfc_template_vars = rfc_template.variables
+
+    # Shortcut for 0-ary resources
+    return {} if rfc_template_vars.empty?
+
+    if query_based_selection?
+      uri_query = URI.parse(template_url).query
+
+      if CGI.parse(uri_query).values.any?(&:empty?)
+        raise "Need explicit identity mapping, as URL does not contain query parameters for all templates"
+      end
+
+      path_variables = CGI.parse(uri_query).keys
+    elsif path_based_selection?
+      path_variables = rfc_template_vars
+    else
+      # There is also
+      raise "Unknown type of resource selection. Document URL does not seem to be path- or query-based?"
+    end
+
+    identity_map = {}
+    path_variables.each_with_index do |v, i|
+      next if rfc_template_vars[i].nil? # Not mapped to property, assume metaparameter
+
+      identity_map[v] = rfc_template_vars[i].to_sym
+    end
+
+    identity_map
+  end
+
+  def query_based_selection?
+    template_url = current_resource.class.rest_api_document
+
+    # Will throw exception on presence of RFC 6570 templates
+    URI.parse(template_url)
+    true
+  rescue URI::InvalidURIError => _e
+    false
+  end
+
+  def path_based_selection?
+    !query_based_selection?
+  end
+
+  def api_connection
+    Chef.run_context.transport.connection
+  end
+
+  # Remove all empty keys (recusively) from Hash.
+  # @see https://stackoverflow.com/questions/56457020/#answer-56458673
+  def deep_compact!(hsh)
+    raise TypeError unless hsh.is_a? Hash
+
+    hsh.each do |_, v|
+      deep_compact!(v) if v.is_a? Hash
+    end.reject! { |_, v| v.nil? || (v.respond_to?(:empty?) && v.empty?) }
+  end
+
+  # Deep merge two hashes
+  # @see https://stackoverflow.com/questions/41109599#answer-41109737
+  def deep_merge!(hsh1, hsh2)
+    raise TypeError unless hsh1.is_a?(Hash) && hsh2.is_a?(Hash)
+
+    hsh1.merge!(hsh2) { |_, v1, v2| deep_merge!(v1, v2) }
+  end
+
+  # Create nested hashes from JMESPath syntax.
+  def bury(path, value)
+    raise TypeError unless path.is_a?(String)
+
+    arr = path.split(".")
+    ret = {}
+
+    if arr.count == 1
+      ret[arr.first] = value
+
+      ret
+    else
+      partial_path = arr[0..-2].join(".")
+
+      bury(partial_path, bury(arr.last, value))
+    end
+  end
+end

data/lib/chef/resource/alternatives.rb

@@ -22,7 +22,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class Alternatives < Chef::Resource
-      unified_mode true
 
       provides(:alternatives) { true }
 

data/lib/chef/resource/apt_package.rb

@@ -21,7 +21,6 @@ require_relative "package"
 class Chef
   class Resource
     class AptPackage < Chef::Resource::Package
-      unified_mode true
 
       provides :apt_package, target_mode: true
       provides :package, platform_family: "debian", target_mode: true