chef 17.2.29 → 17.5.22

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3259221c96da998dc7da695df0488bcfbe781ce3764dcd98309c78c1a46cb56c
-  data.tar.gz: 120938b331b2e96306b91c5a192a73ebbfaeebce9b3febfccae32d7e7918e4a6
+  metadata.gz: bfe0cb34ad720e2647118256d4260f209cd36d73e6ccedf079a67489963901c1
+  data.tar.gz: bc5229775dbb96f3f61cf2d11dfa16de3c0e2de6567169ed11cea54502a18679
 SHA512:
-  metadata.gz: f1191c217a427591d0cdd0b0223249ed83164f53da4edd463258dfe37d084b9e928627eb9020a20aeb87f141d160eb72b64d4c1d37e47b7206f50e120b7738fe
-  data.tar.gz: '0148bdae1adf6ffa4539aab3c8dbc47fc225cb5d6f1e421967be4d53ce7504f9ff10af21cd0410412847b9e99d6308892b32a0ab673bd657ccb6922f191c91a1'
+  metadata.gz: afce77f4964d02364b91be0128053ac2f866a41225308dd68d857d468c660d774450d95926e86615818791a37c9c6930c1ed1fdae4145f483f35dd633413ae1d
+  data.tar.gz: 8db608f6151726772e05ac054fb31d37da4e21e16101f383d70eed9622d88b1362573e56d2eed50b38cd7fd5258631d3b99db7f9f6e26415d9a48a751a4a78a7

data/Gemfile

@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 gem "chef", path: "."
 
-gem "ohai", git: "https://github.com/chef/ohai.git", branch: "master"
+gem "ohai", git: "https://github.com/chef/ohai.git", branch: "main"
 
 gem "chef-utils", path: File.expand_path("chef-utils", __dir__) if File.exist?(File.expand_path("chef-utils", __dir__))
 gem "chef-config", path: File.expand_path("chef-config", __dir__) if File.exist?(File.expand_path("chef-config", __dir__))
@@ -22,13 +22,14 @@ group(:omnibus_package) do
   gem "rb-readline"
   gem "inspec-core-bin", "~> 4.24" # need to provide the binaries for inspec
   gem "chef-vault"
-  gem "ed25519", "~> 1.2" # to make it possible to install knife into chef. Remove this in Chef 18
 end
 
 group(:omnibus_package, :pry) do
-  gem "pry"
+  # Locked because pry-byebug is broken with 13+.
+  # some work is ongoing? https://github.com/deivid-rodriguez/pry-byebug/issues/343
+  gem "pry", "= 0.13.0"
   # byebug does not install on freebsd on ruby 3.0
-  # gem "pry-byebug"
+  gem "pry-byebug" unless RUBY_PLATFORM =~ /freebsd/i
   gem "pry-stack_explorer"
 end
 
@@ -47,7 +48,7 @@ end
 
 group(:chefstyle) do
   # for testing new chefstyle rules
-  gem "chefstyle", git: "https://github.com/chef/chefstyle.git", branch: "master"
+  gem "chefstyle", git: "https://github.com/chef/chefstyle.git", branch: "main"
 end
 
 instance_eval(ENV["GEMFILE_MOD"]) if ENV["GEMFILE_MOD"]

data/chef.gemspec

@@ -55,6 +55,9 @@ Gem::Specification.new do |s|
 
   s.add_dependency "proxifier", "~> 1.0"
 
+  s.add_dependency "aws-sdk-s3", "~> 1.91" # s3 recipe-url support
+  s.add_dependency "aws-sdk-secretsmanager", "~> 1.46"
+  s.add_dependency "vault", "~> 0.16" # hashi vault official client gem
   s.bindir       = "bin"
   s.executables  = %w{ }
 

data/lib/chef/application/base.rb

@@ -378,9 +378,19 @@ class Chef::Application::Base < Chef::Application
 
   def fetch_recipe_tarball(url, path)
     require "open-uri" unless defined?(OpenURI)
+    uri = URI.parse(url)
+
     Chef::Log.trace("Download recipes tarball from #{url} to #{path}")
     if File.exist?(url)
       FileUtils.cp(url, path)
+    elsif uri.scheme == "s3"
+      require "aws-sdk-s3" unless defined?(Aws::S3)
+
+      s3 = Aws::S3::Client.new
+      object = s3.get_object(bucket: uri.hostname, key: uri.path[1..-1])
+      File.open(path, "wb") do |f|
+        f.write(object.body.read)
+      end
     elsif URI::DEFAULT_PARSER.make_regexp.match?(url)
       File.open(path, "wb") do |f|
         URI.open(url) do |r|
@@ -388,7 +398,7 @@ class Chef::Application::Base < Chef::Application
         end
       end
     else
-      Chef::Application.fatal! "You specified --recipe-url but the value is neither a valid URL nor a path to a file that exists on disk." +
+      Chef::Application.fatal! "You specified --recipe-url but the value is neither a valid URL, an S3 bucket nor a path to a file that exists on disk." +
         "Please confirm the location of the tarball and try again."
     end
   end

data/lib/chef/application.rb

@@ -377,7 +377,9 @@ class Chef
 
         Chef::FileCache.store("#{ChefUtils::Dist::Infra::SHORT}-stacktrace.out", chef_stacktrace_out)
         logger.fatal("Stacktrace dumped to #{Chef::FileCache.load("#{ChefUtils::Dist::Infra::SHORT}-stacktrace.out", false)}")
-        logger.fatal("Please provide the contents of the stacktrace.out file if you file a bug report")
+        logger.fatal("---------------------------------------------------------------------------------------")
+        logger.fatal("PLEASE PROVIDE THE CONTENTS OF THE stacktrace.out FILE (above) IF YOU FILE A BUG REPORT")
+        logger.fatal("---------------------------------------------------------------------------------------")
         if Chef::Config[:always_dump_stacktrace]
           logger.fatal(message)
         else

data/lib/chef/client.rb

@@ -241,8 +241,7 @@ class Chef
 
         run_status.run_id = request_id = Chef::RequestID.instance.request_id
 
-        @run_context = Chef::RunContext.new
-        run_context.events = events
+        @run_context = Chef::RunContext.new(nil, nil, events)
         run_status.run_context = run_context
 
         events.run_start(Chef::VERSION, run_status)
@@ -751,7 +750,7 @@ class Chef
     end
 
     # Notification registration
-    class<<self
+    class << self
       #
       # Add a listener for the 'client run started' event.
       #

data/lib/chef/compliance/default_attributes.rb

@@ -28,7 +28,7 @@ class Chef
       # Controls what is done with the resulting report after the Chef InSpec run.
       # Accepts a single string value or an array of multiple values.
       # Accepted values: 'chef-server-automate', 'chef-automate', 'json-file', 'audit-enforcer', 'cli'
-      "reporter" => %w{json-file cli},
+      "reporter" => "cli",
 
       # Controls if Chef InSpec profiles should be fetched from Chef Automate or Chef Infra Server
       # in addition to the default fetch locations provided by Chef Inspec.
@@ -47,8 +47,10 @@ class Chef
       "profiles" => {},
 
       # Extra inputs passed to Chef InSpec to allow finer-grained control over behavior.
-      # These are mapped to Chef InSpec's inputs, but are named attributes here for legacy reasons.
       # See Chef Inspec's documentation for more information: https://docs.chef.io/inspec/inputs/
+      "inputs" => {},
+
+      # Legacy alias for inputs
       "attributes" => {},
 
       # A string path or an array of paths to Chef InSpec waiver files.
@@ -88,7 +90,7 @@ class Chef
 
       # If enabled, a hash representation of the Chef Infra node object will be sent to Chef InSpec in an input
       # named `chef_node`.
-      "chef_node_attribute_enabled" => false,
+      "chef_node_attribute_enabled" => true,
 
       # Should the built-in compliance phase run. True and false force the behavior. Nil does magic based on if you have
       # profiles defined but do not have the audit cookbook enabled.

data/lib/chef/compliance/input.rb

@@ -0,0 +1,115 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "yaml"
+
+class Chef
+  module Compliance
+    #
+    # Chef object that represents a single input file in the compliance segment
+    # of a cookbook.
+    #
+    class Input
+      # @return [Boolean] if the input has been enabled
+      attr_reader :enabled
+
+      # @return [String] The name of the cookbook that the input is in
+      attr_reader :cookbook_name
+
+      # @return [String] The full path on the host to the input yml file
+      attr_reader :path
+
+      # @return [String] the pathname in the cookbook
+      attr_reader :pathname
+
+      # Event dispatcher for this run.
+      #
+      # @return [Chef::EventDispatch::Dispatcher]
+      #
+      attr_reader :events
+
+      # @api private
+      attr_reader :data
+
+      def initialize(events, data, path, cookbook_name)
+        @events = events
+        @data = data
+        @cookbook_name = cookbook_name
+        @path = path
+        @pathname = File.basename(path, File.extname(path)) unless path.nil?
+        disable!
+      end
+
+      # @return [Boolean] if the input has been enabled
+      #
+      def enabled?
+        !!@enabled
+      end
+
+      # Set the input to being enabled
+      #
+      def enable!
+        events.compliance_input_enabled(self)
+        @enabled = true
+      end
+
+      # Set the input as being disabled
+      #
+      def disable!
+        @enabled = false
+      end
+
+      # Render the input in a way that it can be consumed by inspec
+      #
+      def inspec_data
+        data
+      end
+
+      HIDDEN_IVARS = [ :@events ].freeze
+
+      # Omit the event object from error output
+      #
+      def inspect
+        ivar_string = (instance_variables.map(&:to_sym) - HIDDEN_IVARS).map do |ivar|
+          "#{ivar}=#{instance_variable_get(ivar).inspect}"
+        end.join(", ")
+        "#<#{self.class}:#{object_id} #{ivar_string}>"
+      end
+
+      # Helper to construct a input object from a hash.  Since the path and
+      # cookbook_name are required this is probably not externally useful.
+      #
+      def self.from_hash(events, hash, path = nil, cookbook_name = nil)
+        new(events, hash, path, cookbook_name)
+      end
+
+      # Helper to construct a input object from a yaml string.  Since the path
+      # and cookbook_name are required this is probably not externally useful.
+      #
+      def self.from_yaml(events, string, path = nil, cookbook_name = nil)
+        from_hash(events, YAML.load(string), path, cookbook_name)
+      end
+
+      # @param filename [String] full path to the yml file in the cookbook
+      # @param cookbook_name [String] cookbook that the input is in
+      #
+      def self.from_file(events, filename, cookbook_name = nil)
+        from_yaml(events, IO.read(filename), filename, cookbook_name)
+      end
+    end
+  end
+end

data/lib/chef/compliance/input_collection.rb

@@ -0,0 +1,139 @@
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "input"
+
+class Chef
+  module Compliance
+    class InputCollection < Array
+
+      # Event dispatcher for this run.
+      #
+      # @return [Chef::EventDispatch::Dispatcher]
+      #
+      attr_reader :events
+
+      def initialize(events)
+        @events = events
+      end
+
+      # Add a input to the input collection.  The cookbook_name needs to be determined by the
+      # caller and is used in the `include_input` API to match on.  The path should be the complete
+      # path on the host of the yml file, including the filename.
+      #
+      # @param path [String]
+      # @param cookbook_name [String]
+      #
+      def from_file(filename, cookbook_name)
+        new_input = Input.from_file(events, filename, cookbook_name)
+        self << new_input
+        events.compliance_input_loaded(new_input)
+      end
+
+      # Add a input from a raw hash.  This input will be enabled by default.
+      #
+      # @param path [String]
+      # @param cookbook_name [String]
+      #
+      def from_hash(hash)
+        new_input = Input.from_hash(events, hash)
+        new_input.enable!
+        self << new_input
+      end
+
+      # @return [Array<Input>] inspec inputs which are enabled in a form suitable to pass to inspec
+      #
+      def inspec_data
+        select(&:enabled?).each_with_object({}) { |input, hash| hash.merge(input.inspec_data) }
+      end
+
+      # DSL method to enable input files.  This matches on the filename of the input file.
+      # If the specific input is omitted then it uses the default input. The string
+      # supports regular expression matching.
+      #
+      # @example Specific input file in a cookbook
+      #
+      # include_input "acme_cookbook::ssh-001"
+      #
+      # @example The compliance/inputs/default.yml input in a cookbook
+      #
+      # include_input "acme_cookbook"
+      #
+      # @example Every input file in a cookbook
+      #
+      # include_input "acme_cookbook::.*"
+      #
+      # @example Matching inputs by regexp in a cookbook
+      #
+      # include_input "acme_cookbook::ssh.*"
+      #
+      # @example Matching inputs by regexp in any cookbook in the cookbook collection
+      #
+      # include_input ".*::ssh.*"
+      #
+      # @example Adding an arbitrary hash of data (not from any file in a cookbook)
+      #
+      # include_input({ "ssh_custom_path": "/usr/local/bin" })
+      #
+      def include_input(arg)
+        raise "include_input was given a nil value" if arg.nil?
+
+        # if we're given a hash argument just shove it in the raw_hash
+        if arg.is_a?(Hash)
+          from_hash(arg)
+          return
+        end
+
+        matching_inputs(arg).each(&:enable!)
+      end
+
+      def valid?(arg)
+        !matching_inputs(arg).empty?
+      end
+
+      HIDDEN_IVARS = [ :@events ].freeze
+
+      # Omit the event object from error output
+      #
+      def inspect
+        ivar_string = (instance_variables.map(&:to_sym) - HIDDEN_IVARS).map do |ivar|
+          "#{ivar}=#{instance_variable_get(ivar).inspect}"
+        end.join(", ")
+        "#<#{self.class}:#{object_id} #{ivar_string}>"
+      end
+
+      private
+
+      def matching_inputs(arg, should_raise: false)
+        (cookbook_name, input_name) = arg.split("::")
+
+        input_name = "default" if input_name.nil?
+
+        inputs = select { |input| /^#{cookbook_name}$/.match?(input.cookbook_name) && /^#{input_name}$/.match?(input.pathname) }
+
+        if inputs.empty? && should_raise
+          raise "No inspec inputs matching '#{input_name}' found in cookbooks matching '#{cookbook_name}'"
+        end
+
+        inputs
+      end
+
+      def matching_inputs!(arg)
+        matching_inputs(arg, should_raise: true)
+      end
+    end
+  end
+end

data/lib/chef/compliance/profile.rb

@@ -0,0 +1,122 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  module Compliance
+    class Profile
+      # @return [Boolean] if the profile has been enabled
+      attr_accessor :enabled
+
+      # @return [String] The full path on the host to the profile inspec.yml
+      attr_reader :path
+
+      # @return [String] The name of the cookbook that the profile is in
+      attr_reader :cookbook_name
+
+      # @return [String] the pathname in the cookbook
+      attr_accessor :pathname
+
+      # @return [Chef::EventDispatch::Dispatcher] Event dispatcher for this run.
+      attr_reader :events
+
+      # @api private
+      attr_reader :data
+
+      def initialize(events, data, path, cookbook_name)
+        @events = events
+        @data = data
+        @path = path
+        @cookbook_name = cookbook_name
+        @pathname = File.basename(File.dirname(path))
+        disable!
+        validate!
+      end
+
+      # @return [String] name of the inspec profile from parsing the inspec.yml
+      def name
+        @data["name"]
+      end
+
+      # @return [String] version of the inspec profile from parsing the inspec.yml
+      def version
+        @data["version"]
+      end
+
+      # Raises if the inspec profile is not valid.
+      #
+      def validate!
+        raise "Inspec profile at #{path} has no name" unless name
+      end
+
+      # @return [Boolean] if the profile has been enabled
+      def enabled?
+        !!@enabled
+      end
+
+      # Set the profile to being enabled
+      #
+      def enable!
+        events.compliance_profile_enabled(self)
+        @enabled = true
+      end
+
+      # Set the profile as being disabled
+      #
+      def disable!
+        @enabled = false
+      end
+
+      # Render the profile in a way that it can be consumed by inspec
+      #
+      def inspec_data
+        { name: name, path: File.dirname(path) }
+      end
+
+      HIDDEN_IVARS = [ :@events ].freeze
+
+      # Omit the event object from error output
+      #
+      def inspect
+        ivar_string = (instance_variables.map(&:to_sym) - HIDDEN_IVARS).map do |ivar|
+          "#{ivar}=#{instance_variable_get(ivar).inspect}"
+        end.join(", ")
+        "#<#{self.class}:#{object_id} #{ivar_string}>"
+      end
+
+      # Helper to construct a profile object from a hash.  Since the path and
+      # cookbook_name are required this is probably not externally useful.
+      #
+      def self.from_hash(events, hash, path, cookbook_name)
+        new(events, hash, path, cookbook_name)
+      end
+
+      # Helper to construct a profile object from a yaml string.  Since the path
+      # and cookbook_name are required this is probably not externally useful.
+      #
+      def self.from_yaml(events, string, path, cookbook_name)
+        from_hash(events, YAML.load(string), path, cookbook_name)
+      end
+
+      # @param filename [String] full path to the inspec.yml file in the cookbook
+      # @param cookbook_name [String] cookbook that the profile is in
+      #
+      def self.from_file(events, filename, cookbook_name)
+        from_yaml(events, IO.read(filename), filename, cookbook_name)
+      end
+    end
+  end
+end

data/lib/chef/compliance/profile_collection.rb

@@ -0,0 +1,109 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "profile"
+
+class Chef
+  module Compliance
+    class ProfileCollection < Array
+
+      # Event dispatcher for this run.
+      #
+      # @return [Chef::EventDispatch::Dispatcher]
+      #
+      attr_reader :events
+
+      def initialize(events)
+        @events = events
+      end
+
+      # Add a profile to the profile collection.  The cookbook_name needs to be determined by the
+      # caller and is used in the `include_profile` API to match on.  The path should be the complete
+      # path on the host of the inspec.yml file, including the filename.
+      #
+      # @param path [String]
+      # @param cookbook_name [String]
+      #
+      def from_file(path, cookbook_name)
+        new_profile = Profile.from_file(events, path, cookbook_name)
+        self << new_profile
+        events.compliance_profile_loaded(new_profile)
+      end
+
+      # @return [Boolean] if any of the profiles are enabled
+      #
+      def using_profiles?
+        any?(&:enabled?)
+      end
+
+      # @return [Array<Profile>] inspec profiles which are enabled in a form suitable to pass to inspec
+      #
+      def inspec_data
+        select(&:enabled?).each_with_object([]) { |profile, arry| arry << profile.inspec_data }
+      end
+
+      # DSL method to enable profile files.  This matches on the name of the profile being included it
+      # does not match on the filename of the input file.  If the specific profile is omitted then
+      # it uses the default profile. The string supports regular expression matching.
+      #
+      # @example Specific profile in a cookbook
+      #
+      # include_profile "acme_cookbook::ssh-001"
+      #
+      # @example The profile named "default" in a cookbook
+      #
+      # include_profile "acme_cookbook"
+      #
+      # @example Every profile in a cookbook
+      #
+      # include_profile "acme_cookbook::.*"
+      #
+      # @example Matching profiles by regexp in a cookbook
+      #
+      # include_profile "acme_cookbook::ssh.*"
+      #
+      # @example Matching profiles by regexp in any cookbook in the cookbook collection
+      #
+      # include_profile ".*::ssh.*"
+      #
+      def include_profile(arg)
+        (cookbook_name, profile_name) = arg.split("::")
+
+        profile_name = "default" if profile_name.nil?
+
+        profiles = select { |profile| /^#{cookbook_name}$/.match?(profile.cookbook_name) && /^#{profile_name}$/.match?(profile.pathname) }
+
+        if profiles.empty?
+          raise "No inspec profiles matching '#{profile_name}' found in cookbooks matching '#{cookbook_name}'"
+        end
+
+        profiles.each(&:enable!)
+      end
+
+      HIDDEN_IVARS = [ :@events ].freeze
+
+      # Omit the event object from error output
+      #
+      def inspect
+        ivar_string = (instance_variables.map(&:to_sym) - HIDDEN_IVARS).map do |ivar|
+          "#{ivar}=#{instance_variable_get(ivar).inspect}"
+        end.join(", ")
+        "#<#{self.class}:#{object_id} #{ivar_string}>"
+      end
+    end
+  end
+end

data/lib/chef/compliance/reporter/automate.rb

@@ -76,7 +76,7 @@ class Chef
 
           begin
             Chef::Log.info "Report to #{ChefUtils::Dist::Automate::PRODUCT}: #{@url}"
-            Chef::Log.debug "Compliance Report: #{json_report}"
+            Chef::Log.debug "Compliance Phase report: #{json_report}"
             http_client.post(nil, json_report, headers)
             true
           rescue => e