chef 17.4.38-universal-mingw32 → 17.5.22-universal-mingw32

data/lib/chef/compliance/waiver.rb

@@ -0,0 +1,115 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "yaml"
+
+class Chef
+  module Compliance
+    #
+    # Chef object that represents a single waiver file in the compliance
+    # segment of a cookbook
+    #
+    class Waiver
+      # @return [Boolean] if the waiver has been enabled
+      attr_reader :enabled
+
+      # @return [String] The name of the cookbook that the waiver is in
+      attr_reader :cookbook_name
+
+      # @return [String] The full path on the host to the waiver yml file
+      attr_reader :path
+
+      # @return [String] the pathname in the cookbook
+      attr_reader :pathname
+
+      # @api private
+      attr_reader :data
+
+      # Event dispatcher for this run.
+      #
+      # @return [Chef::EventDispatch::Dispatcher]
+      #
+      attr_accessor :events
+
+      def initialize(events, data, path, cookbook_name)
+        @events = events
+        @data = data
+        @cookbook_name = cookbook_name
+        @path = path
+        @pathname = File.basename(path, File.extname(path)) unless path.nil?
+        disable!
+      end
+
+      # @return [Boolean] if the waiver has been enabled
+      #
+      def enabled?
+        !!@enabled
+      end
+
+      # Set the waiver to being enabled
+      #
+      def enable!
+        events.compliance_waiver_enabled(self)
+        @enabled = true
+      end
+
+      # Set the waiver as being disabled
+      #
+      def disable!
+        @enabled = false
+      end
+
+      # Render the waiver in a way that it can be consumed by inspec
+      #
+      def inspec_data
+        data
+      end
+
+      HIDDEN_IVARS = [ :@events ].freeze
+
+      # Omit the event object from error output
+      #
+      def inspect
+        ivar_string = (instance_variables.map(&:to_sym) - HIDDEN_IVARS).map do |ivar|
+          "#{ivar}=#{instance_variable_get(ivar).inspect}"
+        end.join(", ")
+        "#<#{self.class}:#{object_id} #{ivar_string}>"
+      end
+
+      # Helper to construct a waiver object from a hash.  Since the path and
+      # cookbook_name are required this is probably not externally useful.
+      #
+      def self.from_hash(events, hash, path = nil, cookbook_name = nil)
+        new(events, hash, path, cookbook_name)
+      end
+
+      # Helper to construct a waiver object from a yaml string.  Since the path
+      # and cookbook_name are required this is probably not externally useful.
+      #
+      def self.from_yaml(events, string, path = nil, cookbook_name = nil)
+        from_hash(events, YAML.load(string), path, cookbook_name)
+      end
+
+      # @param filename [String] full path to the yml file in the cookbook
+      # @param cookbook_name [String] cookbook that the waiver is in
+      #
+      def self.from_file(events, filename, cookbook_name = nil)
+        from_yaml(events, IO.read(filename), filename, cookbook_name)
+      end
+    end
+  end
+end

data/lib/chef/compliance/waiver_collection.rb

@@ -0,0 +1,143 @@
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "waiver"
+
+class Chef
+  module Compliance
+    class WaiverCollection < Array
+
+      # Event dispatcher for this run.
+      #
+      # @return [Chef::EventDispatch::Dispatcher]
+      #
+      attr_reader :events
+
+      def initialize(events)
+        @events = events
+      end
+
+      # Add a waiver to the waiver collection.  The cookbook_name needs to be determined by the
+      # caller and is used in the `include_waiver` API to match on.  The path should be the complete
+      # path on the host of the yml file, including the filename.
+      #
+      # @param path [String]
+      # @param cookbook_name [String]
+      #
+      def from_file(filename, cookbook_name)
+        new_waiver = Waiver.from_file(events, filename, cookbook_name)
+        self << new_waiver
+        events.compliance_waiver_loaded(new_waiver)
+      end
+
+      # Add a waiver from a raw hash.  This waiver will be enabled by default.
+      #
+      # @param path [String]
+      # @param cookbook_name [String]
+      #
+      def from_hash(hash)
+        new_waiver = Waiver.from_hash(events, hash)
+        new_waiver.enable!
+        self << new_waiver
+      end
+
+      # @return [Array<Waiver>] inspec waivers which are enabled in a form suitable to pass to inspec
+      #
+      def inspec_data
+        select(&:enabled?).each_with_object({}) { |waiver, hash| hash.merge(waiver.inspec_data) }
+      end
+
+      # DSL method to enable waiver files.  This matches on the filename of the waiver file.
+      # If the specific waiver is omitted then it uses the default waiver. The string
+      # supports regular expression matching.
+      #
+      # @example Specific waiver file in a cookbook
+      #
+      # include_waiver "acme_cookbook::ssh-001"
+      #
+      # @example The compliance/waiver/default.rb waiver file in a cookbook
+      #
+      # include_waiver "acme_cookbook"
+      #
+      # @example Every waiver file in a cookbook
+      #
+      # include_waiver "acme_cookbook::.*"
+      #
+      # @example Matching waivers by regexp in a cookbook
+      #
+      # include_waiver "acme_cookbook::ssh.*"
+      #
+      # @example Matching waivers by regexp in any cookbook in the cookbook collection
+      #
+      # include_waiver ".*::ssh.*"
+      #
+      # @example Adding an arbitrary hash of data (not from any file in a cookbook)
+      #
+      # include_waiver({ "ssh-01" => {
+      #   "expiration_date" => "2033-07-31",
+      #   "run" => false,
+      #   "justification" => "the reason it is waived",
+      # } })
+      #
+      def include_waiver(arg)
+        raise "include_waiver was given a nil value" if arg.nil?
+
+        # if we're given a hash argument just shove it in the collection
+        if arg.is_a?(Hash)
+          from_hash(arg)
+          return
+        end
+
+        matching_waivers!(arg).each(&:enable!)
+      end
+
+      def valid?(arg)
+        !matching_waivers(arg).empty?
+      end
+
+      HIDDEN_IVARS = [ :@events ].freeze
+
+      # Omit the event object from error output
+      #
+      def inspect
+        ivar_string = (instance_variables.map(&:to_sym) - HIDDEN_IVARS).map do |ivar|
+          "#{ivar}=#{instance_variable_get(ivar).inspect}"
+        end.join(", ")
+        "#<#{self.class}:#{object_id} #{ivar_string}>"
+      end
+
+      private
+
+      def matching_waivers(arg, should_raise: false)
+        (cookbook_name, waiver_name) = arg.split("::")
+
+        waiver_name = "default" if waiver_name.nil?
+
+        waivers = select { |waiver| /^#{cookbook_name}$/.match?(waiver.cookbook_name) && /^#{waiver_name}$/.match?(waiver.pathname) }
+
+        if waivers.empty? && should_raise
+          raise "No inspec waivers matching '#{waiver_name}' found in cookbooks matching '#{cookbook_name}'"
+        end
+
+        waivers
+      end
+
+      def matching_waivers!(arg)
+        matching_waivers(arg, should_raise: true)
+      end
+    end
+  end
+end

data/lib/chef/dsl/compliance.rb

@@ -0,0 +1,38 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  module DSL
+    module Compliance
+
+      # @see Chef::Compliance::ProfileCollection#include_profile
+      def include_profile(*args)
+        run_context.profile_collection.include_profile(*args)
+      end
+
+      # @see Chef::Compliance::WaiverCollection#include_waiver
+      def include_waiver(*args)
+        run_context.waiver_collection.include_waiver(*args)
+      end
+
+      # @see Chef::Compliance::inputCollection#include_input
+      def include_input(*args)
+        run_context.input_collection.include_input(*args)
+      end
+    end
+  end
+end

data/lib/chef/dsl/reader_helpers.rb

@@ -0,0 +1,51 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+autoload :TOML, "tomlrb"
+require_relative "../json_compat"
+autoload :YAML, "yaml"
+
+class Chef
+  module DSL
+    module ReaderHelpers
+
+      def parse_file(filename)
+        case File.extname(filename)
+        when ".toml"
+          parse_toml(filename)
+        when ".yaml", ".yml"
+          parse_yaml(filename)
+        when ".json"
+          parse_json(filename)
+        end
+      end
+
+      def parse_json(filename)
+        JSONCompat.parse(IO.read(filename))
+      end
+
+      def parse_toml(filename)
+        Tomlrb.load_file(filename)
+      end
+
+      def parse_yaml(filename)
+        YAML.load(IO.read(filename))
+      end
+
+      extend self
+    end
+  end
+end

data/lib/chef/dsl/recipe.rb

@@ -18,12 +18,13 @@
 #
 
 require_relative "../exceptions"
-require_relative "resources"
+require_relative "compliance"
+require_relative "declare_resource"
 require_relative "definitions"
 require_relative "include_recipe"
 require_relative "reboot_pending"
+require_relative "resources"
 require_relative "universal"
-require_relative "declare_resource"
 require_relative "../mixin/notifying_block"
 require_relative "../mixin/lazy_module_include"
 
@@ -42,6 +43,7 @@ class Chef
     #   - it also pollutes the namespace of nearly every context, watch out.
     #
     module Recipe
+      include Chef::DSL::Compliance
       include Chef::DSL::Universal
       include Chef::DSL::DeclareResource
       include Chef::Mixin::NotifyingBlock

data/lib/chef/dsl/secret.rb

@@ -51,10 +51,8 @@ class Chef
       #   log "My secret is #{value}"
       def secret(name: nil, version: nil, service: nil, config: {})
         Chef::Log.warn <<~EOM.gsub("\n", " ")
-          The secrets Chef Infra language helper is currently in beta.
-          This helper will most likely change over time in potentially breaking ways.
-          If you have feedback or you'd like to be part of the future design of this
-          helper e-mail us at secrets_management_beta@progress.com"
+          The secrets Chef Infra language helper is currently in beta. If you have feedback or you would
+          like to be part of the future design of this helper e-mail us at secrets_management_beta@progress.com"
         EOM
         sensitive(true) if is_a?(Chef::Resource)
         Chef::SecretFetcher.for_service(service, config, run_context).fetch(name, version)

data/lib/chef/dsl/universal.rb

@@ -23,6 +23,7 @@ require_relative "chef_vault"
 require_relative "registry_helper"
 require_relative "powershell"
 require_relative "secret"
+require_relative "reader_helpers"
 require_relative "render_helpers"
 require_relative "toml"
 require_relative "../mixin/powershell_exec"
@@ -50,6 +51,7 @@ class Chef
       include Chef::DSL::ChefVault
       include Chef::DSL::RegistryHelper
       include Chef::DSL::Powershell
+      include Chef::DSL::ReaderHelpers
       include Chef::DSL::RenderHelpers
       include Chef::DSL::Secret
       include Chef::Mixin::PowershellExec

data/lib/chef/event_dispatch/base.rb

@@ -164,7 +164,7 @@ class Chef
       # Called when LWRPs are finished loading
       def lwrp_load_complete; end
 
-      # Called when an ohai plugin file loading starts
+      # Called when ohai plugin file loading starts
       def ohai_plugin_load_start(file_count); end
 
       # Called when an ohai plugin file has been loaded
@@ -173,9 +173,51 @@ class Chef
       # Called when an ohai plugin file has an error on load.
       def ohai_plugin_file_load_failed(path, exception); end
 
-      # Called when an ohai plugin file loading has finished
+      # Called when ohai plugin file loading has finished
       def ohai_plugin_load_complete; end
 
+      # Called when compliance file loading starts
+      def compliance_load_start; end
+
+      # Called when compliance file loading ends
+      def compliance_load_complete; end
+
+      # Called when compliance profile loading starts
+      def profiles_load_start; end
+
+      # Called when compliance profile loading end
+      def profiles_load_complete; end
+
+      # Called when compliance input loading starts
+      def inputs_load_start; end
+
+      # Called when compliance input loading end
+      def inputs_load_complete; end
+
+      # Called when compliance waiver loading starts
+      def waivers_load_start; end
+
+      # Called when compliance waiver loading end
+      def waivers_load_complete; end
+
+      # Called when a compliance profile is found in a cookbook by the cookbook_compiler
+      def compliance_profile_loaded(profile); end
+
+      # Called when a compliance waiver is found in a cookbook by the cookbook_compiler
+      def compliance_waiver_loaded(waiver); end
+
+      # Called when a compliance waiver is found in a cookbook by the cookbook_compiler
+      def compliance_input_loaded(input); end
+
+      # Called when a compliance profile is enabled (by include_profile)
+      def compliance_profile_enabled(profile); end
+
+      # Called when a compliance waiver is enabled (by include_waiver)
+      def compliance_waiver_enabled(waiver); end
+
+      # Called when a compliance input is enabled (by include_input)
+      def compliance_input_enabled(input); end
+
       # Called before attribute files are loaded
       def attribute_load_start(attribute_file_count); end
 

data/lib/chef/formatters/doc.rb

@@ -363,6 +363,52 @@ class Chef
         end
       end
 
+      # Called when compliance profile loading starts
+      def profiles_load_start
+        puts_line("Loading #{Inspec::Dist::PRODUCT_NAME} profile files:")
+      end
+
+      # Called when compliance input loading starts
+      def inputs_load_start
+        puts_line("Loading #{Inspec::Dist::PRODUCT_NAME} input files:")
+      end
+
+      # Called when compliance waiver loading starts
+      def waivers_load_start
+        puts_line("Loading #{Inspec::Dist::PRODUCT_NAME} waiver files:")
+      end
+
+      # Called when a compliance profile is found in a cookbook by the cookbook_compiler
+      def compliance_profile_loaded(profile)
+        start_line("  - #{profile.cookbook_name}::#{profile.pathname}", :cyan)
+        puts " (#{profile.version})", :cyan if profile.version
+      end
+
+      # Called when a compliance waiver is found in a cookbook by the cookbook_compiler
+      def compliance_input_loaded(input)
+        puts_line("  - #{input.cookbook_name}::#{input.pathname}", :cyan)
+      end
+
+      # Called when a compliance waiver is found in a cookbook by the cookbook_compiler
+      def compliance_waiver_loaded(waiver)
+        puts_line("  - #{waiver.cookbook_name}::#{waiver.pathname}", :cyan)
+      end
+
+      # Called when a compliance profile is enabled (by include_profile)
+      def compliance_profile_enabled(profile)
+        # puts_line("  * FIXME", :cyan)
+      end
+
+      # Called when a compliance waiver is enabled (by include_waiver)
+      def compliance_waiver_enabled(waiver)
+        # puts_line("  * FIXME", :cyan)
+      end
+
+      # Called when a compliance input is enabled (by include_input)
+      def compliance_input_enabled(input)
+        # puts_line("  * FIXME", :cyan)
+      end
+
       # (see Base#deprecation)
       def deprecation(deprecation, _location = nil)
         if Chef::Config[:treat_deprecation_warnings_as_errors]

data/lib/chef/http/basic_client.rb

@@ -36,16 +36,18 @@ class Chef
       attr_reader :url
       attr_reader :ssl_policy
       attr_reader :keepalives
+      attr_reader :nethttp_opts
 
       # Instantiate a BasicClient.
       # === Arguments:
       # url:: An URI for the remote server.
       # === Options:
       # ssl_policy:: The SSL Policy to use, defaults to DefaultSSLPolicy
-      def initialize(url, opts = {})
+      def initialize(url, ssl_policy: DefaultSSLPolicy, keepalives: false, nethttp_opts: {})
         @url = url
-        @ssl_policy = opts[:ssl_policy] || DefaultSSLPolicy
-        @keepalives = opts[:keepalives] || false
+        @ssl_policy = ssl_policy
+        @keepalives = keepalives
+        @nethttp_opts = ChefUtils::Mash.new(nethttp_opts)
       end
 
       def http_client
@@ -118,8 +120,14 @@ class Chef
           configure_ssl(http_client)
         end
 
-        http_client.read_timeout = config[:rest_timeout]
-        http_client.open_timeout = config[:rest_timeout]
+        opts = nethttp_opts.dup
+        opts["read_timeout"] ||= config[:rest_timeout]
+        opts["open_timeout"] ||= config[:rest_timeout]
+
+        opts.each do |key, value|
+          http_client.send(:"#{key}=", value)
+        end
+
         if keepalives
           http_client.start
         else
@@ -142,11 +150,11 @@ class Chef
       end
 
       def http_proxy_user(proxy_uri)
-        proxy_uri.user || Chef::Config["#{proxy_uri.scheme}_proxy_user"]
+        proxy_uri.user || config["#{proxy_uri.scheme}_proxy_user"]
       end
 
       def http_proxy_pass(proxy_uri)
-        proxy_uri.password || Chef::Config["#{proxy_uri.scheme}_proxy_pass"]
+        proxy_uri.password || config["#{proxy_uri.scheme}_proxy_pass"]
       end
 
       def configure_ssl(http_client)

data/lib/chef/http.rb

@@ -82,6 +82,9 @@ class Chef
     # [Boolean] if we're doing keepalives or not
     attr_reader :keepalives
 
+    # @returns [Hash] options for Net::HTTP to be sent to setters on the object
+    attr_reader :nethttp_opts
+
     # Create a HTTP client object. The supplied +url+ is used as the base for
     # all subsequent requests. For example, when initialized with a base url
     # http://localhost:4000, a call to +get+ with 'nodes' will make an
@@ -94,6 +97,7 @@ class Chef
       @redirect_limit = 10
       @keepalives = options[:keepalives] || false
       @options = options
+      @nethttp_opts = options[:nethttp] || {}
 
       @middlewares = []
       self.class.middlewares.each do |middleware_class|
@@ -311,7 +315,7 @@ class Chef
 
         SocketlessChefZeroClient.new(base_url)
       else
-        BasicClient.new(base_url, ssl_policy: ssl_policy, keepalives: keepalives)
+        BasicClient.new(base_url, ssl_policy: ssl_policy, keepalives: keepalives, nethttp_opts: nethttp_opts)
       end
     end
 
@@ -468,12 +472,12 @@ class Chef
 
     # @api private
     def http_retry_delay
-      config[:http_retry_delay]
+      options[:http_retry_delay] || config[:http_retry_delay]
     end
 
     # @api private
     def http_retry_count
-      config[:http_retry_count]
+      options[:http_retry_count] || config[:http_retry_count]
     end
 
     # @api private

data/lib/chef/provider/file.rb

@@ -27,6 +27,8 @@ require_relative "../scan_access_control"
 require_relative "../mixin/checksum"
 require_relative "../mixin/file_class"
 require_relative "../mixin/enforce_ownership_and_permissions"
+require_relative "../resource/file/verification/json"
+require_relative "../resource/file/verification/yaml"
 require_relative "../util/backup"
 require_relative "../util/diff"
 require_relative "../util/selinux"

data/lib/chef/provider/link.rb

@@ -43,8 +43,8 @@ class Chef
           )
         else
           current_resource.link_type(:hard)
-          if ::File.exists?(current_resource.target_file)
-            if ::File.exists?(new_resource.to) &&
+          if ::File.exist?(current_resource.target_file)
+            if ::File.exist?(new_resource.to) &&
                 file_class.stat(current_resource.target_file).ino ==
                     file_class.stat(new_resource.to).ino
               current_resource.to(canonicalize(new_resource.to))

data/lib/chef/provider/registry_key.rb

@@ -19,7 +19,7 @@
 
 require_relative "../config"
 require_relative "../log"
-require_relative "../resource/file"
+require_relative "../resource/registry_key"
 require_relative "../mixin/checksum"
 require_relative "../provider"
 require "etc" unless defined?(Etc)
@@ -50,7 +50,8 @@ class Chef
         current_resource.architecture(new_resource.architecture)
         current_resource.recursive(new_resource.recursive)
         if registry.key_exists?(new_resource.key)
-          current_resource.values(registry.get_values(new_resource.key))
+          current_registry_values = registry.get_values(new_resource.key) || []
+          current_resource.values(current_registry_values)
         end
         values_to_hash(current_resource.unscrubbed_values)
         current_resource

data/lib/chef/provider/remote_file/http.rb

@@ -137,7 +137,7 @@ class Chef
           if new_resource.ssl_verify_mode
             opts[:ssl_verify_mode] = new_resource.ssl_verify_mode
           end
-          opts
+          opts.merge(new_resource.http_options)
         end
 
       end

data/lib/chef/provider/template.rb

@@ -39,7 +39,7 @@ class Chef
         super
 
         requirements.assert(:create, :create_if_missing) do |a|
-          a.assertion { ::File.exists?(content.template_location) }
+          a.assertion { ::File.exist?(content.template_location) }
           a.failure_message "Template source #{content.template_location} could not be found."
           a.whyrun "Template source #{content.template_location} does not exist. Assuming it would have been created."
           a.block_action!