chef 17.2.29-universal-mingw32 → 17.5.22-universal-mingw32

data/lib/chef/compliance/runner.rb

@@ -12,6 +12,8 @@ class Chef
 
       attr_accessor :run_id
       attr_reader :node
+      attr_reader :run_context
+
       def_delegators :node, :logger
 
       def enabled?
@@ -25,7 +27,9 @@ class Chef
         logger.debug("#{self.class}##{__method__}: audit cookbook? #{audit_cookbook_present}")
         logger.debug("#{self.class}##{__method__}: compliance phase attr? #{node["audit"]["compliance_phase"]}")
 
-        if node["audit"]["compliance_phase"].nil?
+        if safe_profile_collection&.using_profiles?
+          true
+        elsif node["audit"]["compliance_phase"].nil?
           inspec_profiles.any? && !audit_cookbook_present
         else
           node["audit"]["compliance_phase"]
@@ -41,6 +45,14 @@ class Chef
         self.node = node
       end
 
+      # This hook gives us the run_context immediately after it is created so that we can wire up this object to it.
+      #
+      # (see EventDispatch::Base#)
+      #
+      def cookbook_compilation_start(run_context)
+        @run_context = run_context
+      end
+
       def run_started(run_status)
         self.run_id = run_status.run_id
       end
@@ -113,8 +125,25 @@ class Chef
         logger.info "Chef Infra Compliance Phase Complete"
       end
 
+      def inputs_from_attributes
+        if !node["audit"]["inputs"].empty?
+          node["audit"]["inputs"].to_h
+        else
+          node["audit"]["attributes"].to_h
+        end
+      end
+
+      def inputs_from_collection
+        safe_input_collection&.inspec_data || {}
+      end
+
+      def waivers_from_collection
+        safe_waiver_collection&.inspec_data || {}
+      end
+
       def inspec_opts
-        inputs = node["audit"]["attributes"].to_h
+        inputs = inputs_from_attributes.merge(inputs_from_collection).merge(waivers_from_collection)
+
         if node["audit"]["chef_node_attribute_enabled"]
           inputs["chef_node"] = node.to_h
           inputs["chef_node"]["chef_environment"] = node.chef_environment
@@ -124,24 +153,34 @@ class Chef
           backend_cache: node["audit"]["inspec_backend_cache"],
           inputs: inputs,
           logger: logger,
+          # output: STDOUT,
           output: node["audit"]["quiet"] ? ::File::NULL : STDOUT,
           report: true,
           reporter: ["json-automate"],
+          # reporter: ["cli"],
           reporter_backtrace_inclusion: node["audit"]["result_include_backtrace"],
           reporter_message_truncation: node["audit"]["result_message_limit"],
-          waiver_file: Array(node["audit"]["waiver_file"]),
+          waiver_file: waiver_files,
         }
       end
 
+      def waiver_files
+        Array(node["audit"]["waiver_file"])
+      end
+
       def inspec_profiles
         profiles = node["audit"]["profiles"]
         unless profiles.respond_to?(:map) && profiles.all? { |_, p| p.respond_to?(:transform_keys) && p.respond_to?(:update) }
           raise "CMPL010: #{Inspec::Dist::PRODUCT_NAME} profiles specified in an unrecognized format, expected a hash of hashes."
         end
 
-        profiles.map do |name, profile|
+        from_attributes = profiles.map do |name, profile|
           profile.transform_keys(&:to_sym).update(name: name)
-        end
+        end || []
+
+        from_cookbooks = safe_profile_collection&.inspec_data || []
+
+        from_attributes + from_cookbooks
       end
 
       def load_fetchers!
@@ -171,7 +210,7 @@ class Chef
         logger.info "Running profiles from: #{profiles.inspect}"
         runner.run
         runner.report.tap do |r|
-          logger.debug "Compliance Report #{r}"
+          logger.debug "Compliance Phase report #{r}"
         end
       rescue Inspec::FetcherFailure => e
         failed_report("Cannot fetch all profiles: #{profiles}. Please make sure you're authenticated and the server is reachable. #{e.message}")
@@ -300,8 +339,25 @@ class Chef
             raise "CMPL002: Unrecognized Compliance Phase fetcher (node['audit']['fetcher'] = #{fetcher}). Supported fetchers are: #{SUPPORTED_FETCHERS.join(", ")}, or nil. For more information, see the documentation at https://docs.chef.io/chef_compliance_phase#fetch-profiles"
           end
         end
+
+        if !node["audit"]["attributes"].empty? && !node["audit"]["inputs"].empty?
+          raise "CMPL011: both node['audit']['inputs'] and node['audit']['attributes'] are set.  The node['audit']['attributes'] setting is deprecated and should not be used."
+        end
+
         @validation_passed = true
       end
+
+      def safe_profile_collection
+        run_context&.profile_collection
+      end
+
+      def safe_waiver_collection
+        run_context&.waiver_collection
+      end
+
+      def safe_input_collection
+        run_context&.input_collection
+      end
     end
   end
 end

data/lib/chef/compliance/waiver.rb

@@ -0,0 +1,115 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "yaml"
+
+class Chef
+  module Compliance
+    #
+    # Chef object that represents a single waiver file in the compliance
+    # segment of a cookbook
+    #
+    class Waiver
+      # @return [Boolean] if the waiver has been enabled
+      attr_reader :enabled
+
+      # @return [String] The name of the cookbook that the waiver is in
+      attr_reader :cookbook_name
+
+      # @return [String] The full path on the host to the waiver yml file
+      attr_reader :path
+
+      # @return [String] the pathname in the cookbook
+      attr_reader :pathname
+
+      # @api private
+      attr_reader :data
+
+      # Event dispatcher for this run.
+      #
+      # @return [Chef::EventDispatch::Dispatcher]
+      #
+      attr_accessor :events
+
+      def initialize(events, data, path, cookbook_name)
+        @events = events
+        @data = data
+        @cookbook_name = cookbook_name
+        @path = path
+        @pathname = File.basename(path, File.extname(path)) unless path.nil?
+        disable!
+      end
+
+      # @return [Boolean] if the waiver has been enabled
+      #
+      def enabled?
+        !!@enabled
+      end
+
+      # Set the waiver to being enabled
+      #
+      def enable!
+        events.compliance_waiver_enabled(self)
+        @enabled = true
+      end
+
+      # Set the waiver as being disabled
+      #
+      def disable!
+        @enabled = false
+      end
+
+      # Render the waiver in a way that it can be consumed by inspec
+      #
+      def inspec_data
+        data
+      end
+
+      HIDDEN_IVARS = [ :@events ].freeze
+
+      # Omit the event object from error output
+      #
+      def inspect
+        ivar_string = (instance_variables.map(&:to_sym) - HIDDEN_IVARS).map do |ivar|
+          "#{ivar}=#{instance_variable_get(ivar).inspect}"
+        end.join(", ")
+        "#<#{self.class}:#{object_id} #{ivar_string}>"
+      end
+
+      # Helper to construct a waiver object from a hash.  Since the path and
+      # cookbook_name are required this is probably not externally useful.
+      #
+      def self.from_hash(events, hash, path = nil, cookbook_name = nil)
+        new(events, hash, path, cookbook_name)
+      end
+
+      # Helper to construct a waiver object from a yaml string.  Since the path
+      # and cookbook_name are required this is probably not externally useful.
+      #
+      def self.from_yaml(events, string, path = nil, cookbook_name = nil)
+        from_hash(events, YAML.load(string), path, cookbook_name)
+      end
+
+      # @param filename [String] full path to the yml file in the cookbook
+      # @param cookbook_name [String] cookbook that the waiver is in
+      #
+      def self.from_file(events, filename, cookbook_name = nil)
+        from_yaml(events, IO.read(filename), filename, cookbook_name)
+      end
+    end
+  end
+end

data/lib/chef/compliance/waiver_collection.rb

@@ -0,0 +1,143 @@
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "waiver"
+
+class Chef
+  module Compliance
+    class WaiverCollection < Array
+
+      # Event dispatcher for this run.
+      #
+      # @return [Chef::EventDispatch::Dispatcher]
+      #
+      attr_reader :events
+
+      def initialize(events)
+        @events = events
+      end
+
+      # Add a waiver to the waiver collection.  The cookbook_name needs to be determined by the
+      # caller and is used in the `include_waiver` API to match on.  The path should be the complete
+      # path on the host of the yml file, including the filename.
+      #
+      # @param path [String]
+      # @param cookbook_name [String]
+      #
+      def from_file(filename, cookbook_name)
+        new_waiver = Waiver.from_file(events, filename, cookbook_name)
+        self << new_waiver
+        events.compliance_waiver_loaded(new_waiver)
+      end
+
+      # Add a waiver from a raw hash.  This waiver will be enabled by default.
+      #
+      # @param path [String]
+      # @param cookbook_name [String]
+      #
+      def from_hash(hash)
+        new_waiver = Waiver.from_hash(events, hash)
+        new_waiver.enable!
+        self << new_waiver
+      end
+
+      # @return [Array<Waiver>] inspec waivers which are enabled in a form suitable to pass to inspec
+      #
+      def inspec_data
+        select(&:enabled?).each_with_object({}) { |waiver, hash| hash.merge(waiver.inspec_data) }
+      end
+
+      # DSL method to enable waiver files.  This matches on the filename of the waiver file.
+      # If the specific waiver is omitted then it uses the default waiver. The string
+      # supports regular expression matching.
+      #
+      # @example Specific waiver file in a cookbook
+      #
+      # include_waiver "acme_cookbook::ssh-001"
+      #
+      # @example The compliance/waiver/default.rb waiver file in a cookbook
+      #
+      # include_waiver "acme_cookbook"
+      #
+      # @example Every waiver file in a cookbook
+      #
+      # include_waiver "acme_cookbook::.*"
+      #
+      # @example Matching waivers by regexp in a cookbook
+      #
+      # include_waiver "acme_cookbook::ssh.*"
+      #
+      # @example Matching waivers by regexp in any cookbook in the cookbook collection
+      #
+      # include_waiver ".*::ssh.*"
+      #
+      # @example Adding an arbitrary hash of data (not from any file in a cookbook)
+      #
+      # include_waiver({ "ssh-01" => {
+      #   "expiration_date" => "2033-07-31",
+      #   "run" => false,
+      #   "justification" => "the reason it is waived",
+      # } })
+      #
+      def include_waiver(arg)
+        raise "include_waiver was given a nil value" if arg.nil?
+
+        # if we're given a hash argument just shove it in the collection
+        if arg.is_a?(Hash)
+          from_hash(arg)
+          return
+        end
+
+        matching_waivers!(arg).each(&:enable!)
+      end
+
+      def valid?(arg)
+        !matching_waivers(arg).empty?
+      end
+
+      HIDDEN_IVARS = [ :@events ].freeze
+
+      # Omit the event object from error output
+      #
+      def inspect
+        ivar_string = (instance_variables.map(&:to_sym) - HIDDEN_IVARS).map do |ivar|
+          "#{ivar}=#{instance_variable_get(ivar).inspect}"
+        end.join(", ")
+        "#<#{self.class}:#{object_id} #{ivar_string}>"
+      end
+
+      private
+
+      def matching_waivers(arg, should_raise: false)
+        (cookbook_name, waiver_name) = arg.split("::")
+
+        waiver_name = "default" if waiver_name.nil?
+
+        waivers = select { |waiver| /^#{cookbook_name}$/.match?(waiver.cookbook_name) && /^#{waiver_name}$/.match?(waiver.pathname) }
+
+        if waivers.empty? && should_raise
+          raise "No inspec waivers matching '#{waiver_name}' found in cookbooks matching '#{cookbook_name}'"
+        end
+
+        waivers
+      end
+
+      def matching_waivers!(arg)
+        matching_waivers(arg, should_raise: true)
+      end
+    end
+  end
+end

data/lib/chef/data_bag.rb

@@ -32,8 +32,7 @@ class Chef
     include Chef::Mixin::FromFile
     include Chef::Mixin::ParamsValidate
 
-    # Regex reference: https://rubular.com/r/oIMySIO4USPm5x
-    VALID_NAME = /^[\-[:alnum:]_]+$/.freeze
+    VALID_NAME = /^[\.\-[:alnum:]_]+$/.freeze
     RESERVED_NAMES = /^(node|role|environment|client)$/.freeze
 
     def self.validate_name!(name)

data/lib/chef/data_bag_item.rb

@@ -36,8 +36,7 @@ class Chef
     include Chef::Mixin::FromFile
     include Chef::Mixin::ParamsValidate
 
-    # Regex reference: https://rubular.com/r/oIMySIO4USPm5x
-    VALID_ID = /^[\-[:alnum:]_]+$/.freeze
+    VALID_ID = /^[\.\-[:alnum:]_]+$/.freeze
 
     def self.validate_id!(id_str)
       if id_str.nil? || ( id_str !~ VALID_ID )

data/lib/chef/deprecated.rb

@@ -79,10 +79,12 @@ class Chef
         return true if location =~ /^(.*?):(\d+):in/ && begin
           # Don't buffer the whole file in memory, so read it one line at a time.
           line_no = $2.to_i
-          location_file = ::File.open($1)
-          (line_no - 1).times { location_file.readline } # Read all the lines we don't care about.
-          relevant_line = location_file.readline
-          relevant_line.match?(/#.*chef:silence_deprecation($|[^:]|:#{self.class.deprecation_key})/)
+          if File.exist?($1) # some stacktraces come from `eval` and not a file
+            location_file = ::File.open($1)
+            (line_no - 1).times { location_file.readline } # Read all the lines we don't care about.
+            relevant_line = location_file.readline
+            relevant_line.match?(/#.*chef:silence_deprecation($|[^:]|:#{self.class.deprecation_key})/)
+          end
         end
 
         false
@@ -257,6 +259,10 @@ class Chef
       target 34
     end
 
+    class PolicyfileCompatMode < Base
+      target 35
+    end
+
     class Generic < Base
       def url
         "https://docs.chef.io/chef_deprecations_client/"

data/lib/chef/dsl/compliance.rb

@@ -0,0 +1,38 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  module DSL
+    module Compliance
+
+      # @see Chef::Compliance::ProfileCollection#include_profile
+      def include_profile(*args)
+        run_context.profile_collection.include_profile(*args)
+      end
+
+      # @see Chef::Compliance::WaiverCollection#include_waiver
+      def include_waiver(*args)
+        run_context.waiver_collection.include_waiver(*args)
+      end
+
+      # @see Chef::Compliance::inputCollection#include_input
+      def include_input(*args)
+        run_context.input_collection.include_input(*args)
+      end
+    end
+  end
+end

data/lib/chef/dsl/reader_helpers.rb

@@ -0,0 +1,51 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+autoload :TOML, "tomlrb"
+require_relative "../json_compat"
+autoload :YAML, "yaml"
+
+class Chef
+  module DSL
+    module ReaderHelpers
+
+      def parse_file(filename)
+        case File.extname(filename)
+        when ".toml"
+          parse_toml(filename)
+        when ".yaml", ".yml"
+          parse_yaml(filename)
+        when ".json"
+          parse_json(filename)
+        end
+      end
+
+      def parse_json(filename)
+        JSONCompat.parse(IO.read(filename))
+      end
+
+      def parse_toml(filename)
+        Tomlrb.load_file(filename)
+      end
+
+      def parse_yaml(filename)
+        YAML.load(IO.read(filename))
+      end
+
+      extend self
+    end
+  end
+end

data/lib/chef/dsl/recipe.rb

@@ -18,12 +18,13 @@
 #
 
 require_relative "../exceptions"
-require_relative "resources"
+require_relative "compliance"
+require_relative "declare_resource"
 require_relative "definitions"
 require_relative "include_recipe"
 require_relative "reboot_pending"
+require_relative "resources"
 require_relative "universal"
-require_relative "declare_resource"
 require_relative "../mixin/notifying_block"
 require_relative "../mixin/lazy_module_include"
 
@@ -42,6 +43,7 @@ class Chef
     #   - it also pollutes the namespace of nearly every context, watch out.
     #
     module Recipe
+      include Chef::DSL::Compliance
       include Chef::DSL::Universal
       include Chef::DSL::DeclareResource
       include Chef::Mixin::NotifyingBlock

data/lib/chef/dsl/render_helpers.rb

@@ -0,0 +1,44 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+require_relative "toml"
+require_relative "../json_compat"
+autoload :YAML, "yaml"
+
+class Chef
+  module DSL
+    module RenderHelpers
+
+      # pretty-print a hash as a JSON string
+      def render_json(hash)
+        JSON.pretty_generate(hash) + "\n"
+      end
+
+      # pretty-print a hash as a TOML string
+      def render_toml(hash)
+        Chef::DSL::Toml::Dumper.new(hash).toml_str
+      end
+
+      # pretty-print a hash as a YAML string
+      def render_yaml(hash)
+        yaml_content = hash.transform_keys(&:to_s).to_yaml
+        # above replaces first-level keys with strings, below the rest
+        yaml_content.gsub!(" :", " ")
+      end
+
+      extend self
+    end
+  end
+end

data/lib/chef/dsl/secret.rb

@@ -0,0 +1,62 @@
+#
+# Author:: Marc Paradise (<marc@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+require_relative "../secret_fetcher"
+
+class Chef
+  module DSL
+    module Secret
+
+      # Helper method which looks up a secret using the given service and configuration,
+      # and returns the retrieved secret value.
+      # This DSL providers a wrapper around [Chef::SecretFetcher]
+      #
+      # Use of the secret helper in the context of a resource block will automatically mark
+      # that resource as 'sensitive', preventing resource data from being logged.  See [Chef::Resource#sensitive].
+      #
+      # @option name [Object] The identifier or name for this secret
+      # @option version [Object] The secret version. If a service supports versions
+      #                          and no version is provided, the latest version will be fetched.
+      # @option service [Symbol] The service identifier for the service that will
+      #                         perform the secret lookup. See
+      #                         [Chef::SecretFetcher::SECRET_FETCHERS]
+      # @option config [Hash] The configuration that the named service expects
+      #
+      # @return result [Object] The response object type is determined by the fetcher but will usually be a string or a hash.
+      # See individual fetcher documentation to know what to expect for a given service.
+      #
+      # @example
+      #
+      # This example uses the built-in :example secret manager service, which
+      # accepts a hash of secrets.
+      #
+      #   value = secret(name: "test1", service: :example, config: { "test1" => "value1" })
+      #   log "My secret is #{value}"
+      #
+      #   value = secret(name: "test1", service: :aws_secrets_manager, version: "v1", config: { region: "us-west-1" })
+      #   log "My secret is #{value}"
+      def secret(name: nil, version: nil, service: nil, config: {})
+        Chef::Log.warn <<~EOM.gsub("\n", " ")
+          The secrets Chef Infra language helper is currently in beta. If you have feedback or you would
+          like to be part of the future design of this helper e-mail us at secrets_management_beta@progress.com"
+        EOM
+        sensitive(true) if is_a?(Chef::Resource)
+        Chef::SecretFetcher.for_service(service, config, run_context).fetch(name, version)
+      end
+    end
+  end
+end