chef 17.10.95 → 18.0.169

data/lib/chef/resource/selinux_permissive.rb

@@ -0,0 +1,64 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+
+class Chef
+  class Resource
+    class SelinuxPermissive < Chef::Resource
+      unified_mode true
+
+      provides :selinux_permissive
+
+      description "Use **selinux_permissive** resource to allows some types to misbehave without stopping them. Not as good as specific policies, but better than disabling SELinux entirely."
+      introduced "18.0"
+      examples <<~DOC
+      **Disable enforcement on Apache**:
+
+      ```ruby
+      selinux_permissive 'httpd_t' do
+        notifies :restart, 'service[httpd]'
+      end
+      ```
+      DOC
+
+      property :context, String,
+                name_property: true,
+                description: "The SELinux context to permit."
+
+      action_class do
+        def current_permissives
+          shell_out!("semanage permissive -ln").stdout.split("\n")
+        end
+      end
+
+      # Create if doesn't exist, do not touch if permissive is already registered (even under different type)
+      action :add, description: "Add a permissive, unless already set." do
+        unless current_permissives.include? new_resource.context
+          converge_by "adding permissive context #{new_resource.context}" do
+            shell_out!("semanage permissive -a '#{new_resource.context}'")
+          end
+        end
+      end
+
+      # Delete if exists
+      action :delete, description: "Remove a permissive, if set." do
+        if current_permissives.include? new_resource.context
+          converge_by "deleting permissive context #{new_resource.context}" do
+            shell_out!("semanage permissive -d '#{new_resource.context}'")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/selinux_port.rb

@@ -0,0 +1,118 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+require_relative "selinux/common_helpers"
+
+class Chef
+  class Resource
+    class SelinuxPort < Chef::Resource
+      unified_mode true
+
+      provides :selinux_port
+
+      description "Use **selinux_port** resource to allows assigning a network port to a certain SELinux context, e.g. for running a webserver on a non-standard port."
+      introduced "18.0"
+      examples <<~DOC
+      **Allow nginx/apache to bind to port 5678 by giving it the http_port_t context**:
+
+      ```ruby
+      selinux_port '5678' do
+       protocol 'tcp'
+       secontext 'http_port_t'
+      end
+      ```
+      DOC
+
+      property :port, [Integer, String],
+                name_property: true,
+                regex: /^\d+$/,
+                description: "Port to modify."
+
+      property :protocol, String,
+                equal_to: %w{tcp udp},
+                required: %i{manage add modify},
+                description: "Protocol to modify."
+
+      property :secontext, String,
+                required: %i{manage add modify},
+                description: "SELinux context to assign to the port."
+
+      action_class do
+        include Chef::SELinux::CommonHelpers
+        def current_port_context
+          # use awk to see if the given port is within a reported port range
+          shell_out!(
+            <<~CMD
+              seinfo --portcon=#{new_resource.port} | grep 'portcon #{new_resource.protocol}' | \
+              awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}'
+            CMD
+          ).stdout.split
+        end
+      end
+
+      action :manage, description: "Assign the port to the right context regardless of previous state." do
+        run_action(:add)
+        run_action(:modify)
+      end
+
+      action :addormodify, description: "Assigns the port context if not set. Updates the port context if previously set." do
+        Chef::Log.warn("The :addormodify action for selinux_port is deprecated and will be removed in a future release. Use the :manage action instead.")
+        run_action(:manage)
+      end
+
+      # Create if doesn't exist, do not touch if port is already registered (even under different type)
+      action :add, description: "Assign the port context if not set." do
+        if selinux_disabled?
+          Chef::Log.warn("Unable to add SELinux port #{new_resource.name} as SELinux is disabled")
+          return
+        end
+
+        if current_port_context.empty?
+          converge_by "Adding context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
+            shell_out!("semanage port -a -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
+          end
+        end
+      end
+
+      # Only modify port if it exists & doesn't have the correct context already
+      action :modify, description: "Update the port context if previously set." do
+        if selinux_disabled?
+          Chef::Log.warn("Unable to modify SELinux port #{new_resource.name} as SELinux is disabled")
+          return
+        end
+
+        if !current_port_context.empty? && !current_port_context.include?(new_resource.secontext)
+          converge_by "Modifying context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
+            shell_out!("semanage port -m -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
+          end
+        end
+      end
+
+      # Delete if exists
+      action :delete, description: "Removes the port context if set." do
+        if selinux_disabled?
+          Chef::Log.warn("Unable to delete SELinux port #{new_resource.name} as SELinux is disabled")
+          return
+        end
+
+        unless current_port_context.empty?
+          converge_by "Deleting context from port #{new_resource.port}/#{new_resource.protocol}" do
+            shell_out!("semanage port -d -p #{new_resource.protocol} #{new_resource.port}")
+          end
+        end
+      end
+
+    end
+  end
+end

data/lib/chef/resource/selinux_state.rb

@@ -0,0 +1,166 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+require_relative "selinux/common_helpers"
+
+class Chef
+  class Resource
+    class SelinuxState < Chef::Resource
+      unified_mode true
+
+      provides :selinux_state
+
+      description "Use **selinux_state** resource to manages the SELinux state on the system. It does this by using the `setenforce` command and rendering the `/etc/selinux/config` file from a template."
+      introduced "18.0"
+      examples <<~DOC
+      **Set SELinux state to permissive**:
+
+      ```ruby
+      selinux_state 'permissive' do
+        action :permissive
+      end
+      ```
+
+      **Set SELinux state to enforcing**:
+
+      ```ruby
+      selinux_state 'enforcing' do
+        action :enforcing
+      end
+      ```
+
+      **Set SELinux state to disabled**:
+      ```ruby
+      selinux_state 'disabled' do
+        action :disabled
+      end
+      ```
+      DOC
+
+      default_action :nothing
+
+      property :config_file, String,
+                default: "/etc/selinux/config",
+                description: "Path to SELinux config file on disk."
+
+      property :persistent, [true, false],
+                default: true,
+                description: "Persist status update to the selinux configuration file."
+
+      property :policy, String,
+                default: lazy { default_policy_platform },
+                equal_to: %w{default minimum mls src strict targeted},
+                description: "SELinux policy type."
+
+      property :automatic_reboot, [true, false, Symbol],
+                default: false,
+                description: "Perform an automatic node reboot if required for state change."
+
+      deprecated_property_alias "temporary", "persistent", "The temporary property was renamed persistent in the 4.0 release of this cookbook. Please update your cookbooks to use the new property name."
+
+      action_class do
+        include Chef::SELinux::CommonHelpers
+        def render_selinux_template(action)
+          Chef::Log.warn("It is advised to set the configuration first to permissive to relabel the filesystem prior to enforcing.") if selinux_disabled? && action == :enforcing
+
+          unless new_resource.automatic_reboot
+            Chef::Log.warn("Changes from disabled require a reboot.") if selinux_disabled? && %i{enforcing permissive}.include?(action)
+            Chef::Log.warn("Disabling selinux requires a reboot.") if (selinux_enforcing? || selinux_permissive?) && action == :disabled
+          end
+
+          template "#{action} selinux config" do
+            path new_resource.config_file
+            source debian? ? ::File.expand_path("selinux/selinux_debian.erb", __dir__) : ::File.expand_path("selinux/selinux_default.erb", __dir__)
+            local true
+            variables(
+              selinux: action.to_s,
+              selinuxtype: new_resource.policy
+            )
+          end
+        end
+
+        def node_selinux_restart
+          unless new_resource.automatic_reboot
+            Chef::Log.warn("SELinux state change to #{action} requires a manual reboot as SELinux is currently #{selinux_state} and automatic reboots are disabled.")
+            return
+          end
+
+          outer_action = action
+          reboot "selinux_state_change" do
+            delay_mins 1
+            reason "SELinux state change to #{outer_action} from #{selinux_state}"
+
+            action new_resource.automatic_reboot.is_a?(Symbol) ? new_resource.automatic_reboot : :reboot_now
+          end
+        end
+      end
+
+      action :enforcing, description: "Set the SELinux state to enforcing." do
+        unless selinux_disabled? || selinux_enforcing?
+          execute "selinux-setenforce-enforcing" do
+            command "/usr/sbin/setenforce 1"
+          end
+        end
+
+        if selinux_activate_required?
+          execute "debian-selinux-activate" do
+            command "/usr/sbin/selinux-activate"
+          end
+        end
+
+        render_selinux_template(action) if new_resource.persistent
+        node_selinux_restart if state_change_reboot_required?
+      end
+
+      action :permissive, description: "Set the SELinux state to permissive." do
+        unless selinux_disabled? || selinux_permissive?
+          execute "selinux-setenforce-permissive" do
+            command "/usr/sbin/setenforce 0"
+          end
+        end
+
+        if selinux_activate_required?
+          execute "debian-selinux-activate" do
+            command "/usr/sbin/selinux-activate"
+          end
+        end
+
+        render_selinux_template(action) if new_resource.persistent
+        node_selinux_restart if state_change_reboot_required?
+      end
+
+      action :disabled, description: "Set the SELinux state to disabled. **NOTE**: Switching to or from disabled requires a reboot!" do
+        raise "A non-persistent change to the disabled SELinux status is not possible." unless new_resource.persistent
+
+        render_selinux_template(action)
+        node_selinux_restart if state_change_reboot_required?
+      end
+
+      private
+
+      #
+      # Decide default policy platform based upon platform_family
+      #
+      # @return [String] Policy platform name
+      def default_policy_platform
+        case node["platform_family"]
+        when "rhel", "fedora", "amazon"
+          "targeted"
+        when "debian"
+          "default"
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/service.rb

@@ -27,7 +27,6 @@ class Chef
     class Service < Chef::Resource
       include Chef::Platform::ServiceHelpers
       extend Chef::Platform::ServiceHelpers
-      unified_mode true
 
       provides :service, target_mode: true
 

data/lib/chef/resource/smartos_package.rb

@@ -21,7 +21,6 @@ require_relative "package"
 class Chef
   class Resource
     class SmartosPackage < Chef::Resource::Package
-      unified_mode true
 
       provides :smartos_package
       provides :package, platform_family: "smartos"

data/lib/chef/resource/snap_package.rb

@@ -21,7 +21,6 @@ require_relative "package"
 class Chef
   class Resource
     class SnapPackage < Chef::Resource::Package
-      unified_mode true
 
       provides :snap_package
 

data/lib/chef/resource/solaris_package.rb

@@ -22,7 +22,6 @@ require_relative "package"
 class Chef
   class Resource
     class SolarisPackage < Chef::Resource::Package
-      unified_mode true
 
       provides :solaris_package
 

data/lib/chef/resource/ssh_known_hosts_entry.rb

@@ -23,7 +23,6 @@ require "chef-utils/dist" unless defined?(ChefUtils::Dist)
 class Chef
   class Resource
     class SshKnownHostsEntry < Chef::Resource
-      unified_mode true
 
       provides :ssh_known_hosts_entry
 

data/lib/chef/resource/sudo.rb

@@ -24,7 +24,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class Sudo < Chef::Resource
-      unified_mode true
 
       provides(:sudo) { true }
 

data/lib/chef/resource/support/client.erb

@@ -38,10 +38,10 @@ log_location <%= @log_location.inspect %>
 <% end -%>
 <%# These data_collector options are special as they have a '.' -%>
 <% unless @data_collector_server_url.nil? || @data_collector_server_url.empty? %>
-data_collector.server_url <%= @data_collector_server_url %>
+data_collector.server_url <%= @data_collector_server_url.inspect %>
 <% end %>
 <% unless @data_collector_token.nil? || @data_collector_token.empty? %>
-data_collector.token <%= @data_collector_token %>
+data_collector.token <%= @data_collector_token.inspect %>
 <% end %>
 <%# The code below is not DRY on purpose to improve readability -%>
 <% unless @start_handlers.empty? -%>

data/lib/chef/resource/swap_file.rb

@@ -20,7 +20,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class SwapFile < Chef::Resource
-      unified_mode true
 
       provides(:swap_file) { true }
 

data/lib/chef/resource/sysctl.rb

@@ -20,7 +20,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class Sysctl < Chef::Resource
-      unified_mode true
 
       provides(:sysctl) { true }
       provides(:sysctl_param) { true }
@@ -188,7 +187,7 @@ class Chef
 
           sysctl_lines << "#{new_resource.key} = #{new_resource.value}"
 
-          sysctl_lines.join("\n")
+          sysctl_lines.join("\n") + "\n"
         end
       end
 

data/lib/chef/resource/systemd_unit.rb

@@ -23,7 +23,6 @@ require "iniparse"
 class Chef
   class Resource
     class SystemdUnit < Chef::Resource
-      unified_mode true
 
       provides(:systemd_unit) { true }
 

data/lib/chef/resource/template.rb

@@ -34,7 +34,6 @@ class Chef
     # chef-client. This resource includes actions and properties from the file resource. Template files managed by the
     # template resource follow the same file specificity rules as the remote_file and file resources.
     class Template < Chef::Resource::File
-      unified_mode true
 
       provides :template
 

data/lib/chef/resource/timezone.rb

@@ -22,7 +22,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class Timezone < Chef::Resource
-      unified_mode true
 
       provides :timezone
 

data/lib/chef/resource/user/aix_user.rb

@@ -21,7 +21,6 @@ class Chef
   class Resource
     class User
       class AixUser < Chef::Resource::User
-        unified_mode true
 
         provides :aix_user
         provides :user, os: "aix"

data/lib/chef/resource/user/linux_user.rb

@@ -21,7 +21,6 @@ class Chef
   class Resource
     class User
       class LinuxUser < Chef::Resource::User
-        unified_mode true
 
         provides :linux_user
         provides :user, os: "linux"

data/lib/chef/resource/user/mac_user.rb

@@ -58,7 +58,6 @@ class Chef
       #   the 'password' property corresponds to a plaintext password and will
       #   attempt to use it in place of secure_token_password if it not set.
       class MacUser < Chef::Resource::User
-        unified_mode true
 
         provides :mac_user
         provides :user, platform: "mac_os_x"

data/lib/chef/resource/user/pw_user.rb

@@ -21,7 +21,6 @@ class Chef
   class Resource
     class User
       class PwUser < Chef::Resource::User
-        unified_mode true
 
         provides :pw_user
         provides :user, os: "freebsd"

data/lib/chef/resource/user/solaris_user.rb

@@ -21,7 +21,6 @@ class Chef
   class Resource
     class User
       class SolarisUser < Chef::Resource::User
-        unified_mode true
 
         provides :solaris_user
         provides :user, os: %w{omnios solaris2}

data/lib/chef/resource/user/windows_user.rb

@@ -21,7 +21,6 @@ class Chef
   class Resource
     class User
       class WindowsUser < Chef::Resource::User
-        unified_mode true
 
         provides :windows_user
         provides :user, os: "windows"

data/lib/chef/resource/user.rb

@@ -21,7 +21,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class User < Chef::Resource
-      unified_mode true
 
       description "Use the **user** resource to add users, update existing users, remove users, and to lock/unlock user passwords."
 
@@ -73,6 +72,16 @@ class Chef
         description: "The numeric group identifier."
 
       alias_method :group, :gid
+
+      property :expire_date, [ String, NilClass ],
+               description: "(Linux) The date on which the user account will be disabled. The date is specified in the format YYYY-MM-DD.",
+               introduced: "18.0",
+               desired_state: false
+
+      property :inactive, [ String, Integer, NilClass ],
+               description: "(Linux) The number of days after a password expires until the account is permanently disabled. A value of 0 disables the account as soon as the password has expired, and a value of -1 disables the feature.",
+               introduced: "18.0",
+               desired_state: false
     end
   end
 end

data/lib/chef/resource/user_ulimit.rb

@@ -22,7 +22,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class UserUlimit < Chef::Resource
-      unified_mode true
 
       provides :user_ulimit
 

data/lib/chef/resource/whyrun_safe_ruby_block.rb

@@ -20,7 +20,6 @@ class Chef
   class Resource
     class WhyrunSafeRubyBlock < Chef::Resource::RubyBlock
       provides :whyrun_safe_ruby_block
-      unified_mode true
     end
   end
 end

data/lib/chef/resource/windows_ad_join.rb

@@ -23,8 +23,6 @@ class Chef
     class WindowsAdJoin < Chef::Resource
       provides :windows_ad_join
 
-      unified_mode true
-
       description "Use the **windows_ad_join** resource to join a Windows Active Directory domain."
       introduced "14.0"
       examples <<~DOC

data/lib/chef/resource/windows_audit_policy.rb

@@ -83,8 +83,6 @@ class Chef
                                  "User Account Management",
                                 ].freeze
 
-      unified_mode true
-
       provides :windows_audit_policy
 
       description "Use the **windows_audit_policy** resource to configure system level and per-user Windows advanced audit policy settings."

data/lib/chef/resource/windows_auto_run.rb

@@ -21,7 +21,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsAutorun < Chef::Resource
-      unified_mode true
 
       provides(:windows_auto_run) { true }
 

data/lib/chef/resource/windows_defender.rb

@@ -19,7 +19,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsDefender < Chef::Resource
-      unified_mode true
       provides :windows_defender
 
       description "Use the **windows_defender** resource to enable or disable the Microsoft Windows Defender service."

data/lib/chef/resource/windows_defender_exclusion.rb

@@ -45,7 +45,6 @@ class Chef
       end
       ```
       DOC
-      unified_mode true
 
       property :paths, [String, Array], default: [],
         coerce: proc { |x| to_consistent_path_array(x) },

data/lib/chef/resource/windows_dfs_folder.rb

@@ -21,7 +21,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsDfsFolder < Chef::Resource
-      unified_mode true
 
       provides :windows_dfs_folder
 

data/lib/chef/resource/windows_dfs_namespace.rb

@@ -21,7 +21,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsDfsNamespace < Chef::Resource
-      unified_mode true
 
       provides :windows_dfs_namespace
 

data/lib/chef/resource/windows_dfs_server.rb

@@ -21,7 +21,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsDfsServer < Chef::Resource
-      unified_mode true
 
       provides :windows_dfs_server
 

data/lib/chef/resource/windows_dns_record.rb

@@ -21,7 +21,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsDnsRecord < Chef::Resource
-      unified_mode true
 
       provides :windows_dns_record
 

data/lib/chef/resource/windows_dns_zone.rb

@@ -21,7 +21,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsDnsZone < Chef::Resource
-      unified_mode true
 
       provides :windows_dns_zone