chef 17.3.48 → 17.4.25

data/lib/chef/secret_fetcher/azure_key_vault.rb

@@ -8,23 +8,30 @@ class Chef
     # In this initial iteration this authenticates via token obtained from the OAuth2  /token
     # endpoint.
     #
-    # Usage Example:
+    # Validation of required configuration (vault name) is not performed until
+    # `fetch` time, to allow for embedding the vault name in with the secret
+    # name, such as "my_vault/secretkey1".
     #
-    # fetcher = SecretFetcher.for_service(:azure_key_vault)
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:azure_key_vault, { vault: "my_vault" }, run_context )
     # fetcher.fetch("secretkey1", "v1")
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:azure_key_vault, {}, run_context )
+    # fetcher.fetch("my_vault/secretkey1", "v1")
     class AzureKeyVault < Base
-      def validate!
-        @vault = config[:vault]
-        if @vault.nil?
-          raise Chef::Exceptions::Secret::MissingVaultName.new("You must provide a vault name to service options as vault: 'vault_name'")
-        end
-      end
 
       def do_fetch(name, version)
         token = fetch_token
+        vault, name = resolve_vault_and_secret_name(name)
+        if vault.nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide a vault name to fetcher options as vault: 'vault_name' or in the secret name as 'vault_name/secret_name'")
+        end
 
         # Note that `version` is optional after the final `/`. If nil/"", the latest secret version will be fetched.
-        secret_uri = URI.parse("https://#{@vault}.vault.azure.net/secrets/#{name}/#{version}?api-version=7.2")
+        secret_uri = URI.parse("https://#{vault}.vault.azure.net/secrets/#{name}/#{version}?api-version=7.2")
         http = Net::HTTP.new(secret_uri.host, secret_uri.port)
         http.use_ssl = true
 
@@ -41,6 +48,21 @@ class Chef
         end
       end
 
+      # Determine the vault name and secret name from the provided name.
+      # If it is not in the provided name in the form "vault_name/secret_name"
+      # it will determine the vault name from `config[:vault]`.
+      # @param name [String] the secret name or vault and secret name in the form "vault_name/secret_name"
+      # @return Array[String, String] vault and secret name respectively
+      def resolve_vault_and_secret_name(name)
+        # We support a simplified approach where the vault name is not passed i
+        # into configuration, but
+        if name.include?("/")
+          name.split("/", 2)
+        else
+          [config[:vault], name]
+        end
+      end
+
       def fetch_token
         token_uri = URI.parse("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net")
         http = Net::HTTP.new(token_uri.host, token_uri.port)

data/lib/chef/secret_fetcher/base.rb

@@ -25,13 +25,17 @@ class Chef
   class SecretFetcher
     class Base
       attr_reader :config
+      # Note that this is only available in the context of a recipe.
+      # Since that's the only place it's intended to be used, that's probably OK.
+      attr_reader :run_context
 
       # Initialize a new SecretFetcher::Base
       #
       # @param config [Hash] Configuration hash.  Expected configuration keys and values
       # will vary based on implementation, and are validated in `validate!`.
-      def initialize(config)
+      def initialize(config, run_context)
         @config = config
+        @run_context = run_context
       end
 
       # Fetch the named secret by invoking implementation-specific [Chef::SecretFetcher::Base#do_fetch]

data/lib/chef/secret_fetcher.rb

@@ -30,17 +30,18 @@ class Chef
     # @param service [Symbol] the identifier for the service that will support this request. Must be in
     #                         SECRET_FETCHERS
     # @param config [Hash] configuration that the secrets service requires
-    def self.for_service(service, config)
+    # @param run_context [Chef::RunContext] the run context this is being invoked from
+    def self.for_service(service, config, run_context)
       fetcher = case service
                 when :example
                   require_relative "secret_fetcher/example"
-                  Chef::SecretFetcher::Example.new(config)
+                  Chef::SecretFetcher::Example.new(config, run_context)
                 when :aws_secrets_manager
                   require_relative "secret_fetcher/aws_secrets_manager"
-                  Chef::SecretFetcher::AWSSecretsManager.new(config)
+                  Chef::SecretFetcher::AWSSecretsManager.new(config, run_context)
                 when :azure_key_vault
                   require_relative "secret_fetcher/azure_key_vault"
-                  Chef::SecretFetcher::AzureKeyVault.new(config)
+                  Chef::SecretFetcher::AzureKeyVault.new(config, run_context)
                 when nil, ""
                   raise Chef::Exceptions::Secret::MissingFetcher.new(SECRET_FETCHERS)
                 else

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("..", __dir__)
-  VERSION = Chef::VersionString.new("17.3.48")
+  VERSION = Chef::VersionString.new("17.4.25")
 end
 
 #

data/spec/integration/compliance/compliance_spec.rb

@@ -47,6 +47,7 @@ describe "chef-client with compliance phase" do
         {
           "audit": {
             "compliance_phase": true,
+            "reporter": "json-file",
             "json_file": {
               "location": "#{report_file}"
             },

data/spec/integration/recipes/resource_action_spec.rb

@@ -354,8 +354,8 @@ module ResourceActionSpec
         end
 
         it "allows overridden action to have a description separate from the action defined in the base resource" do
-          expect(ActionJackson.action_description(:test1)).to eql "Original description"
-          expect(ActionJackalope.action_description(:test1)).to eql "An old action with a new description"
+          expect(ActionJackson.new("ActionJackson", nil).action_description(:test1)).to eql "Original description"
+          expect(ActionJackalope.new("ActionJackalope", nil).action_description(:test1)).to eql "An old action with a new description"
         end
 
         it "non-overridden actions run and can access overridden and non-overridden variables (but not necessarily new ones)" do

data/spec/unit/compliance/runner_spec.rb

@@ -202,6 +202,16 @@ describe Chef::Compliance::Runner do
       expect { runner.load_and_validate! }.to raise_error(/^CMPL002:/)
     end
 
+    it "raises CMPL004 if both the inputs and attributes node attributes are set" do
+      node.normal["audit"]["attributes"] = {
+        "tacos" => "lunch",
+      }
+      node.normal["audit"]["inputs"] = {
+        "tacos" => "lunch",
+      }
+      expect { runner.load_and_validate! }.to raise_error(/^CMPL011:/)
+    end
+
     it "validates configured reporters" do
       node.normal["audit"]["reporter"] = [ "chef-automate" ]
       reporter_double = double("reporter", validate_config!: nil)
@@ -212,6 +222,40 @@ describe Chef::Compliance::Runner do
   end
 
   describe "#inspec_opts" do
+    it "pulls inputs from the attributes setting" do
+      node.normal["audit"]["attributes"] = {
+        "tacos" => "lunch",
+      }
+
+      inputs = runner.inspec_opts[:inputs]
+
+      expect(inputs["tacos"]).to eq("lunch")
+    end
+
+    it "pulls inputs from the inputs setting" do
+      node.normal["audit"]["inputs"] = {
+        "tacos" => "lunch",
+      }
+
+      inputs = runner.inspec_opts[:inputs]
+
+      expect(inputs["tacos"]).to eq("lunch")
+    end
+
+    it "favors inputs over attributes" do
+      node.normal["audit"]["attributes"] = {
+        "tacos" => "dinner",
+      }
+
+      node.normal["audit"]["inputs"] = {
+        "tacos" => "lunch",
+      }
+
+      inputs = runner.inspec_opts[:inputs]
+
+      expect(inputs["tacos"]).to eq("lunch")
+    end
+
     it "does not include chef_node in inputs by default" do
       node.normal["audit"]["attributes"] = {
         "tacos" => "lunch",
@@ -221,7 +265,7 @@ describe Chef::Compliance::Runner do
       inputs = runner.inspec_opts[:inputs]
 
       expect(inputs["tacos"]).to eq("lunch")
-      expect(inputs.key?("chef_node")).to eq(false)
+      expect(inputs.key?("chef_node")).to eq(true)
     end
 
     it "includes chef_node in inputs with chef_node_attribute_enabled set" do
@@ -234,7 +278,7 @@ describe Chef::Compliance::Runner do
       inputs = runner.inspec_opts[:inputs]
 
       expect(inputs["tacos"]).to eq("lunch")
-      expect(inputs["chef_node"]["audit"]["reporter"]).to eq(%w{json-file cli})
+      expect(inputs["chef_node"]["audit"]["reporter"]).to eq("cli")
       expect(inputs["chef_node"]["chef_environment"]).to eq("_default")
     end
   end

data/spec/unit/dsl/secret_spec.rb

@@ -21,6 +21,12 @@ require "chef/dsl/secret"
 require "chef/secret_fetcher/base"
 class SecretDSLTester
   include Chef::DSL::Secret
+  # Because DSL is invoked in the context of a recipe,
+  # we expect run_context to always be available when SecretFetcher::Base
+  # requests it - making it safe to mock here
+  def run_context
+    nil
+  end
 end
 
 class SecretFetcherImpl < Chef::SecretFetcher::Base
@@ -36,8 +42,8 @@ describe Chef::DSL::Secret do
   end
 
   it "uses SecretFetcher.for_service to find the fetcher" do
-    substitute_fetcher = SecretFetcherImpl.new({})
-    expect(Chef::SecretFetcher).to receive(:for_service).with(:example, {}).and_return(substitute_fetcher)
+    substitute_fetcher = SecretFetcherImpl.new({}, nil)
+    expect(Chef::SecretFetcher).to receive(:for_service).with(:example, {}, nil).and_return(substitute_fetcher)
     expect(substitute_fetcher).to receive(:fetch).with("key1", nil)
     dsl.secret(name: "key1", service: :example, config: {})
   end

data/spec/unit/provider_spec.rb

@@ -32,6 +32,21 @@ class NoWhyrunDemonstrator < Chef::Provider
   end
 end
 
+class ActionDescriptionDemonstrator < Chef::Provider
+  def load_current_resource; end
+
+  action :foo, description: "foo described" do
+    true
+  end
+
+  action :foo2 do
+    true
+  end
+
+end
+
+context "blah" do
+end
 class ConvergeActionDemonstrator < Chef::Provider
   attr_reader :system_state_altered
 
@@ -98,6 +113,14 @@ describe Chef::Provider do
     expect(@provider.action_nothing).to eql(true)
   end
 
+  it "should return an action description for action_description when one is available" do
+    expect(ActionDescriptionDemonstrator.action_description(:foo)).to eq "foo described"
+  end
+
+  it "should return nil for action_description when no description is available" do
+    expect(ActionDescriptionDemonstrator.action_description(:none)).to eq nil
+  end
+
   it "evals embedded recipes with a pristine resource collection" do
     @provider.run_context.instance_variable_set(:@resource_collection, "doesn't matter what this is")
     temporary_collection = nil

data/spec/unit/resource/homebrew_cask_spec.rb

@@ -19,22 +19,40 @@ require "spec_helper"
 
 describe Chef::Resource::HomebrewCask do
 
-  let(:resource) { Chef::Resource::HomebrewCask.new("fakey_fakerton") }
+  context "name with under bar" do
+    let(:resource) { Chef::Resource::HomebrewCask.new("fakey_fakerton") }
 
-  it "has a resource name of :homebrew_cask" do
-    expect(resource.resource_name).to eql(:homebrew_cask)
-  end
+    it "has a resource name of :homebrew_cask" do
+      expect(resource.resource_name).to eql(:homebrew_cask)
+    end
+
+    it "the cask_name property is the name_property" do
+      expect(resource.cask_name).to eql("fakey_fakerton")
+    end
+
+    it "sets the default action as :install" do
+      expect(resource.action).to eql([:install])
+    end
 
-  it "the cask_name property is the name_property" do
-    expect(resource.cask_name).to eql("fakey_fakerton")
+    it "supports :install, :remove actions" do
+      expect { resource.action :install }.not_to raise_error
+      expect { resource.action :remove }.not_to raise_error
+    end
   end
 
-  it "sets the default action as :install" do
-    expect(resource.action).to eql([:install])
+  context "name with high fun" do
+    let(:resource) { Chef::Resource::HomebrewCask.new("fakey-fakerton") }
+
+    it "the cask_name property is the name_property" do
+      expect(resource.cask_name).to eql("fakey-fakerton")
+    end
   end
 
-  it "supports :install, :remove actions" do
-    expect { resource.action :install }.not_to raise_error
-    expect { resource.action :remove }.not_to raise_error
+  context "name with at mark" do
+    let(:resource) { Chef::Resource::HomebrewCask.new("fakey-fakerton@10") }
+
+    it "the cask_name property is the name_property" do
+      expect(resource.cask_name).to eql("fakey-fakerton@10")
+    end
   end
 end

data/spec/unit/resource/rhsm_subscription_spec.rb

@@ -18,15 +18,24 @@
 require "spec_helper"
 
 describe Chef::Resource::RhsmSubscription do
-  let(:resource) { Chef::Resource::RhsmSubscription.new("fakey_fakerton") }
-  let(:provider) { resource.provider_for_action(:attach) }
+  let(:event_dispatch) { Chef::EventDispatch::Dispatcher.new }
+  let(:node) { Chef::Node.new }
+  let(:run_context) { Chef::RunContext.new(node, {}, event_dispatch) }
+
+  let(:pool_id) { "8a8dd78c766232550226b46e59404aba" }
+  let(:resource) { Chef::Resource::RhsmSubscription.new(pool_id, run_context) }
+  let(:provider) { resource.provider_for_action(Array(resource.action).first) }
+
+  before do
+    allow(resource).to receive(:provider_for_action).with(:attach).and_return(provider)
+  end
 
   it "has a resource name of :rhsm_subscription" do
     expect(resource.resource_name).to eql(:rhsm_subscription)
   end
 
   it "the pool_id property is the name_property" do
-    expect(resource.pool_id).to eql("fakey_fakerton")
+    expect(resource.pool_id).to eql(pool_id)
   end
 
   it "sets the default action as :attach" do
@@ -38,6 +47,44 @@ describe Chef::Resource::RhsmSubscription do
     expect { resource.action :remove }.not_to raise_error
   end
 
+  describe "#action_attach" do
+    let(:yum_package_double) { instance_double("Chef::Resource::YumPackage") }
+    let(:so_double) { instance_double("Mixlib::ShellOut", stdout: "Successfully attached a subscription for: My Subscription", exitstatus: 0, error?: false) }
+
+    before do
+      allow(provider).to receive(:shell_out!).with("subscription-manager attach --pool=#{resource.pool_id}").and_return(so_double)
+      allow(provider).to receive(:build_resource).with(:package, "rhsm_subscription-#{pool_id}-flush_cache").and_return(yum_package_double)
+      allow(yum_package_double).to receive(:run_action).with(:flush_cache)
+    end
+
+    context "when already attached to pool" do
+      before do
+        allow(provider).to receive(:subscription_attached?).with(resource.pool_id).and_return(true)
+      end
+
+      it "does not attach to pool" do
+        expect(provider).not_to receive(:shell_out!)
+        resource.run_action(:attach)
+      end
+    end
+
+    context "when not attached to pool" do
+      before do
+        allow(provider).to receive(:subscription_attached?).with(resource.pool_id).and_return(false)
+      end
+
+      it "attaches to pool" do
+        expect(provider).to receive(:shell_out!).with("subscription-manager attach --pool=#{resource.pool_id}")
+        resource.run_action(:attach)
+      end
+
+      it "flushes package provider cache" do
+        expect(yum_package_double).to receive(:run_action).with(:flush_cache)
+        resource.run_action(:attach)
+      end
+    end
+  end
+
   describe "#subscription_attached?" do
     let(:cmd)    { double("cmd") }
     let(:output) { "Pool ID:    pool123" }

data/spec/unit/resource/systemd_unit_spec.rb

@@ -20,7 +20,7 @@ require "spec_helper"
 
 describe Chef::Resource::SystemdUnit do
   let(:resource) { Chef::Resource::SystemdUnit.new("sysstat-collect.timer") }
-  let(:unit_content_string) { "[Unit]\nDescription = Run system activity accounting tool every 10 minutes\nDocumentation = foo\nDocumentation = bar\n\n[Timer]\nOnCalendar = *:00/10\n\n[Install]\nWantedBy = sysstat.service\n" }
+  let(:unit_content_string) { "[Unit]\nDescription=Run system activity accounting tool every 10 minutes\nDocumentation=foo\nDocumentation=bar\n\n[Timer]\nOnCalendar=*:00/10\n\n[Install]\nWantedBy=sysstat.service\n" }
   let(:unit_content_hash) do
     {
       "Unit" => {

data/spec/unit/resource_spec.rb

@@ -1172,21 +1172,23 @@ describe Chef::Resource do
       action :base_action3, description: "unmodified base action 3 desc" do; end
     end
 
+    let(:resource_inst) { TestResource.new("TestResource", nil) }
+
     it "returns nil when no description was provided for the action" do
-      expect(TestResource.action_description(:base_action0)).to eql(nil)
+      expect(resource_inst.action_description(:base_action0)).to eql(nil)
     end
 
     context "when action definition is a string" do
       it "returns the description whether a symbol or string is used to look it up" do
-        expect(TestResource.action_description("string_action")).to eql("a string test")
-        expect(TestResource.action_description(:string_action)).to eql("a string test")
+        expect(resource_inst.action_description("string_action")).to eql("a string test")
+        expect(resource_inst.action_description(:string_action)).to eql("a string test")
       end
     end
 
     context "when action definition is a symbol" do
       it "returns the description whether a symbol or string is used to look up" do
-        expect(TestResource.action_description("symbol_action")).to eql("a symbol test")
-        expect(TestResource.action_description(:symbol_action)).to eql("a symbol test")
+        expect(resource_inst.action_description("symbol_action")).to eql("a symbol test")
+        expect(resource_inst.action_description(:symbol_action)).to eql("a symbol test")
       end
     end
 
@@ -1196,14 +1198,23 @@ describe Chef::Resource do
         action :base_action3 do; end
       end
 
+      class TestResourceChild2 < TestResource
+        # We should never see this description
+        action :base_action2, description: "if you see this in an error, TestResourceChild was polluted with this description" do; end
+      end
+      let(:resource_inst) { TestResourceChild.new("TestResource", nil) }
+
       it "returns original description when a described action is not overridden in child resource" do
-        expect(TestResourceChild.action_description(:base_action1)).to eq "unmodified base action 1 desc"
+        expect(resource_inst.action_description(:base_action1)).to eq "unmodified base action 1 desc"
       end
       it "returns original description when the child resource overrides an inherited action but NOT its description" do
-        expect(TestResourceChild.action_description(:base_action3)).to eq "unmodified base action 3 desc"
+        expect(resource_inst.action_description(:base_action3)).to eq "unmodified base action 3 desc"
+      end
+      it "returns new description when the child resource overrides an inherited action and its description" do
+        expect(resource_inst.action_description(:base_action2)).to eq "modified base action 2 desc"
       end
       it "returns new description when the child resource overrides an inherited action and its description" do
-        expect(TestResourceChild.action_description(:base_action2)).to eq "modified base action 2 desc"
+        expect(resource_inst.action_description(:base_action2)).to eq "modified base action 2 desc"
       end
     end
   end