chef 17.2.29 → 17.3.48

data/lib/chef/resources.rb

@@ -58,6 +58,14 @@ require_relative "resource/ips_package"
 require_relative "resource/gem_package"
 require_relative "resource/scm/git"
 require_relative "resource/group"
+require_relative "resource/habitat/habitat_package"
+require_relative "resource/habitat/habitat_sup"
+require_relative "resource/habitat/habitat_sup_systemd"
+require_relative "resource/habitat/habitat_sup_windows"
+require_relative "resource/habitat_config"
+require_relative "resource/habitat_install"
+require_relative "resource/habitat_service"
+require_relative "resource/habitat_user_toml"
 require_relative "resource/http_request"
 require_relative "resource/hostname"
 require_relative "resource/homebrew_cask"
@@ -148,6 +156,8 @@ require_relative "resource/windows_ad_join"
 require_relative "resource/windows_audit_policy"
 require_relative "resource/windows_auto_run"
 require_relative "resource/windows_certificate"
+require_relative "resource/windows_defender"
+require_relative "resource/windows_defender_exclusion"
 require_relative "resource/windows_dfs_folder"
 require_relative "resource/windows_dfs_namespace"
 require_relative "resource/windows_dfs_server"
@@ -167,7 +177,8 @@ require_relative "resource/windows_share"
 require_relative "resource/windows_shortcut"
 require_relative "resource/windows_task"
 require_relative "resource/windows_uac"
+require_relative "resource/windows_update_settings"
 require_relative "resource/windows_workgroup"
 require_relative "resource/timezone"
 require_relative "resource/windows_user_privilege"
-require_relative "resource/windows_security_policy"
+require_relative "resource/windows_security_policy"

data/lib/chef/secret_fetcher.rb

@@ -0,0 +1,54 @@
+#
+# Author:: Marc Paradise (<marc@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "exceptions"
+
+class Chef
+  class SecretFetcher
+
+    SECRET_FETCHERS = %i{example aws_secrets_manager azure_key_vault}.freeze
+
+    # Returns a configured and validated instance
+    # of a [Chef::SecretFetcher::Base]  for the given
+    # service and configuration.
+    #
+    # @param service [Symbol] the identifier for the service that will support this request. Must be in
+    #                         SECRET_FETCHERS
+    # @param config [Hash] configuration that the secrets service requires
+    def self.for_service(service, config)
+      fetcher = case service
+                when :example
+                  require_relative "secret_fetcher/example"
+                  Chef::SecretFetcher::Example.new(config)
+                when :aws_secrets_manager
+                  require_relative "secret_fetcher/aws_secrets_manager"
+                  Chef::SecretFetcher::AWSSecretsManager.new(config)
+                when :azure_key_vault
+                  require_relative "secret_fetcher/azure_key_vault"
+                  Chef::SecretFetcher::AzureKeyVault.new(config)
+                when nil, ""
+                  raise Chef::Exceptions::Secret::MissingFetcher.new(SECRET_FETCHERS)
+                else
+                  raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: #{service}", SECRET_FETCHERS)
+                end
+      fetcher.validate!
+      fetcher
+    end
+  end
+end
+

data/lib/chef/secret_fetcher/aws_secrets_manager.rb

@@ -0,0 +1,53 @@
+#
+# Author:: Marc Paradise (<marc@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "base"
+require "aws-sdk-secretsmanager"
+
+class Chef
+  # == Chef::SecretFetcher::AWSSecretsManager
+  # A fetcher that fetches a secret from AWS Secrets Manager
+  # In this initial iteration it defaults to authentication via instance profile.
+  # It is possible to pass options that configure it to use alternative credentials.
+  # This implementation supports fetching with version.
+  #
+  # NOTE: This does not yet support automatic retries, which the AWS client does by default.
+  #
+  # For configuration options see https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/SecretsManager/Client.html#initialize-instance_method
+  #
+  # Note that ~/.aws default and environment-based configurations are supported by default in the
+  # ruby SDK.
+  #
+  # Usage Example:
+  #
+  # fetcher = SecretFetcher.for_service(:aws_secrets_manager, { region: "us-east-1" })
+  # fetcher.fetch("secretkey1", "v1")
+  class SecretFetcher
+    class AWSSecretsManager < Base
+      # @param identifier [String] the secret_id
+      # @param version [String] the secret version. Not usd at this time
+      # @return Aws::SecretsManager::Types::GetSecretValueResponse
+      def do_fetch(identifier, version)
+        client = Aws::SecretsManager::Client.new(config)
+        result = client.get_secret_value(secret_id: identifier, version_stage: version)
+        # These fields are mutually exclusive
+        result.secret_string || result.secret_binary
+      end
+    end
+  end
+end

data/lib/chef/secret_fetcher/azure_key_vault.rb

@@ -0,0 +1,56 @@
+require_relative "base"
+
+class Chef
+  class SecretFetcher
+    # == Chef::SecretFetcher::AWSSecretsManager
+    # A fetcher that fetches a secret from Azure Key Vault. Supports fetching with version.
+    #
+    # In this initial iteration this authenticates via token obtained from the OAuth2  /token
+    # endpoint.
+    #
+    # Usage Example:
+    #
+    # fetcher = SecretFetcher.for_service(:azure_key_vault)
+    # fetcher.fetch("secretkey1", "v1")
+    class AzureKeyVault < Base
+      def validate!
+        @vault = config[:vault]
+        if @vault.nil?
+          raise Chef::Exceptions::Secret::MissingVaultName.new("You must provide a vault name to service options as vault: 'vault_name'")
+        end
+      end
+
+      def do_fetch(name, version)
+        token = fetch_token
+
+        # Note that `version` is optional after the final `/`. If nil/"", the latest secret version will be fetched.
+        secret_uri = URI.parse("https://#{@vault}.vault.azure.net/secrets/#{name}/#{version}?api-version=7.2")
+        http = Net::HTTP.new(secret_uri.host, secret_uri.port)
+        http.use_ssl = true
+
+        response = http.get(secret_uri, { "Authorization" => "Bearer #{token}",
+                                          "Content-Type" => "application/json" })
+
+        # If an exception is not raised, we can be reasonably confident of the
+        # shape of the result.
+        result = JSON.parse(response.body)
+        if result.key? "value"
+          result["value"]
+        else
+          raise Chef::Exceptions::Secret::FetchFailed.new("#{result["error"]["code"]}: #{result["error"]["message"]}")
+        end
+      end
+
+      def fetch_token
+        token_uri = URI.parse("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net")
+        http = Net::HTTP.new(token_uri.host, token_uri.port)
+        response = http.get(token_uri, { "Metadata" => "true" })
+        body = JSON.parse(response.body)
+        body["access_token"]
+      end
+    end
+  end
+end
+
+
+

data/lib/chef/secret_fetcher/base.rb

@@ -0,0 +1,72 @@
+#
+# Author:: Marc Paradise (<marc@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../exceptions"
+
+class Chef
+  # == Chef::SecretFetcher
+  # An abstract base class that defines the methods required to implement
+  # a Secret Fetcher.
+  class SecretFetcher
+    class Base
+      attr_reader :config
+
+      # Initialize a new SecretFetcher::Base
+      #
+      # @param config [Hash] Configuration hash.  Expected configuration keys and values
+      # will vary based on implementation, and are validated in `validate!`.
+      def initialize(config)
+        @config = config
+      end
+
+      # Fetch the named secret by invoking implementation-specific [Chef::SecretFetcher::Base#do_fetch]
+      #
+      # @param name [Object] the name or identifier of the secret.
+      # @param version [Object] Optional version of the secret to fetch.
+      # @note - the name parameter will probably see a narrowing of type as we learn more about different integrations.
+      # @return [Object] the fetched secret
+      # @raise [Chef::Exceptions::Secret::MissingSecretName] when secret name is not provided
+      # @raise [Chef::Exceptions::Secret::FetchFailed] when the underlying attempt to fetch the secret fails.
+      def fetch(name, version = nil)
+        raise Chef::Exceptions::Secret::MissingSecretName.new if name.to_s == ""
+
+        do_fetch(name, version)
+      end
+
+      # Validate that the instance is correctly configured.
+      # @raise [Chef::Exceptions::Secret::ConfigurationInvalid] if it is not.
+      def validate!; end
+
+      # Called to fetch the secret identified by 'identifer'.  Implementations
+      # should expect that `validate!` has been invoked before `do_fetch`.
+      #
+      # @param identifier [Object] Unique identifier of the secret to be retrieved.
+      # When invoked via DSL, this is pre-verified to be not nil/not empty string.
+      # The expected data type and form can vary by implementation.
+      # @param version [Object] Optional version of the secret to be retrieved.  If not
+      # provided, implementations are expected to fetch the most recent version of the
+      # secret by default.
+      #
+      # @return [Object] The secret as returned from the implementation.  The data type
+      # will vary implementation.
+      #
+      # @raise [Chef::Exceptions::Secret::FetchFailed] if the secret could not be fetched
+      def do_fetch(identifier, version); raise NotImplementedError.new; end
+    end
+  end
+end

data/lib/chef/secret_fetcher/example.rb

@@ -0,0 +1,46 @@
+#
+# Author:: Marc Paradise (<marc@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "base"
+
+class Chef
+  # == Chef::SecretFetcher::Example
+  # A simple implementation of a secrets fetcher.
+  # It expects to be initialized with a hash of
+  # keys and secret values.
+  #
+  # Usage Example:
+  #
+  # fetcher = SecretFetcher.for_service(:example, "secretkey1" => { "secret" => "lives here" })
+  # fetcher.fetch("secretkey1")
+  class SecretFetcher
+    class Example < Base
+      def validate!
+        if config.class != Hash
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("The Example fetcher requires a hash of secrets")
+        end
+      end
+
+      def do_fetch(identifier, version)
+        raise Chef::Exceptions::Secret::FetchFailed.new("Secret #{identifier}) not found.") unless config.key?(identifier)
+
+        config[identifier]
+      end
+    end
+  end
+end

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("..", __dir__)
-  VERSION = Chef::VersionString.new("17.2.29")
+  VERSION = Chef::VersionString.new("17.3.48")
 end
 
 #

data/spec/functional/mixin/from_file_spec.rb

@@ -33,7 +33,7 @@ describe Chef::Mixin::FromFile do
   end
 
   class ClassTestData
-    class <<self
+    class << self
       include Chef::Mixin::FromFile
 
       def a(a = nil)

data/spec/integration/recipes/recipe_dsl_spec.rb

@@ -19,7 +19,7 @@ describe "Recipe DSL methods" do
         provides :base_thingy
         default_action :create
 
-        class<<self
+        class << self
           attr_accessor :created_name
           attr_accessor :created_resource
           attr_accessor :created_provider

data/spec/integration/recipes/resource_action_spec.rb

@@ -9,7 +9,7 @@ class NoActionJackson < Chef::Resource
     @foo
   end
 
-  class <<self
+  class << self
     attr_accessor :action_was
   end
 end
@@ -17,7 +17,7 @@ end
 class WeirdActionJackson < Chef::Resource
   provides :weird_action_jackson
 
-  class <<self
+  class << self
     attr_accessor :action_was
   end
 
@@ -176,7 +176,7 @@ module ResourceActionSpec
           @blarghle
         end
 
-        class <<self
+        class << self
           attr_accessor :ran_action
           attr_accessor :succeeded
           attr_accessor :ruby_block_converged
@@ -284,7 +284,7 @@ module ResourceActionSpec
             @bar = "#{value}alope" if value
             @bar
           end
-          class <<self
+          class << self
             attr_accessor :load_current_resource_ran
             attr_accessor :jackalope_ran
           end

data/spec/support/shared/unit/provider/file.rb

@@ -43,7 +43,6 @@ end
 def setup_normal_file
   [ resource_path, normalized_path, windows_path].each do |path|
     allow(File).to receive(:file?).with(path).and_return(true)
-    allow(File).to receive(:exists?).with(path).and_return(true)
     allow(File).to receive(:exist?).with(path).and_return(true)
     allow(File).to receive(:directory?).with(path).and_return(false)
     allow(File).to receive(:writable?).with(path).and_return(true)
@@ -57,7 +56,6 @@ def setup_missing_file
   [ resource_path, normalized_path, windows_path].each do |path|
     allow(File).to receive(:file?).with(path).and_return(false)
     allow(File).to receive(:realpath?).with(path).and_return(resource_path)
-    allow(File).to receive(:exists?).with(path).and_return(false)
     allow(File).to receive(:exist?).with(path).and_return(false)
     allow(File).to receive(:directory?).with(path).and_return(false)
     allow(File).to receive(:writable?).with(path).and_return(false)
@@ -70,7 +68,6 @@ def setup_symlink
   [ resource_path, normalized_path, windows_path].each do |path|
     allow(File).to receive(:file?).with(path).and_return(true)
     allow(File).to receive(:realpath?).with(path).and_return(normalized_path)
-    allow(File).to receive(:exists?).with(path).and_return(true)
     allow(File).to receive(:exist?).with(path).and_return(true)
     allow(File).to receive(:directory?).with(path).and_return(false)
     allow(File).to receive(:writable?).with(path).and_return(true)
@@ -84,7 +81,6 @@ def setup_unwritable_file
   [ resource_path, normalized_path, windows_path].each do |path|
     allow(File).to receive(:file?).with(path).and_return(false)
     allow(File).to receive(:realpath?).with(path).and_raise(Errno::ENOENT)
-    allow(File).to receive(:exists?).with(path).and_return(true)
     allow(File).to receive(:exist?).with(path).and_return(true)
     allow(File).to receive(:directory?).with(path).and_return(false)
     allow(File).to receive(:writable?).with(path).and_return(false)
@@ -97,7 +93,6 @@ def setup_missing_enclosing_directory
   [ resource_path, normalized_path, windows_path].each do |path|
     allow(File).to receive(:file?).with(path).and_return(false)
     allow(File).to receive(:realpath?).with(path).and_raise(Errno::ENOENT)
-    allow(File).to receive(:exists?).with(path).and_return(false)
     allow(File).to receive(:exist?).with(path).and_return(false)
     allow(File).to receive(:directory?).with(path).and_return(false)
     allow(File).to receive(:writable?).with(path).and_return(false)
@@ -138,7 +133,6 @@ shared_examples_for Chef::Provider::File do
   before(:each) do
     allow(content).to receive(:tempfile).and_return(tempfile)
     allow(File).to receive(:exist?).with(tempfile.path).and_call_original
-    allow(File).to receive(:exists?).with(tempfile.path).and_call_original
   end
 
   after do
@@ -547,7 +541,7 @@ shared_examples_for Chef::Provider::File do
           provider.load_current_resource
           tempfile = double("Tempfile", path: "/tmp/foo-bar-baz")
           allow(content).to receive(:tempfile).and_return(tempfile)
-          expect(File).to receive(:exists?).with("/tmp/foo-bar-baz").and_return(true)
+          expect(File).to receive(:exist?).with("/tmp/foo-bar-baz").and_return(true)
           expect(tempfile).to receive(:close).once
           expect(tempfile).to receive(:unlink).once
         end
@@ -630,7 +624,7 @@ shared_examples_for Chef::Provider::File do
       it "raises an exception when the content object returns a tempfile that does not exist" do
         tempfile = double("Tempfile", path: "/tmp/foo-bar-baz")
         expect(provider.send(:content)).to receive(:tempfile).at_least(:once).and_return(tempfile)
-        expect(File).to receive(:exists?).with("/tmp/foo-bar-baz").and_return(false)
+        expect(File).to receive(:exist?).with("/tmp/foo-bar-baz").and_return(false)
         expect { provider.send(:do_contents_changes) }.to raise_error(RuntimeError)
       end
     end