chef 17.4.38-universal-mingw32 → 17.5.22-universal-mingw32

Files changed (78)
  1. checksums.yaml +4 -4
  2. data/chef.gemspec +2 -0
  3. data/lib/chef/application/base.rb +11 -1
  4. data/lib/chef/client.rb +1 -2
  5. data/lib/chef/compliance/input.rb +115 -0
  6. data/lib/chef/compliance/input_collection.rb +139 -0
  7. data/lib/chef/compliance/profile.rb +122 -0
  8. data/lib/chef/compliance/profile_collection.rb +109 -0
  9. data/lib/chef/compliance/runner.rb +47 -5
  10. data/lib/chef/compliance/waiver.rb +115 -0
  11. data/lib/chef/compliance/waiver_collection.rb +143 -0
  12. data/lib/chef/dsl/compliance.rb +38 -0
  13. data/lib/chef/dsl/reader_helpers.rb +51 -0
  14. data/lib/chef/dsl/recipe.rb +4 -2
  15. data/lib/chef/dsl/secret.rb +2 -4
  16. data/lib/chef/dsl/universal.rb +2 -0
  17. data/lib/chef/event_dispatch/base.rb +44 -2
  18. data/lib/chef/formatters/doc.rb +46 -0
  19. data/lib/chef/http/basic_client.rb +15 -7
  20. data/lib/chef/http.rb +7 -3
  21. data/lib/chef/provider/file.rb +2 -0
  22. data/lib/chef/provider/link.rb +2 -2
  23. data/lib/chef/provider/registry_key.rb +3 -2
  24. data/lib/chef/provider/remote_file/http.rb +1 -1
  25. data/lib/chef/provider/template.rb +1 -1
  26. data/lib/chef/resource/archive_file.rb +17 -14
  27. data/lib/chef/resource/chef_client_scheduled_task.rb +45 -2
  28. data/lib/chef/resource/chocolatey_config.rb +13 -13
  29. data/lib/chef/resource/file/verification/json.rb +50 -0
  30. data/lib/chef/resource/file/verification/yaml.rb +52 -0
  31. data/lib/chef/resource/inspec_input.rb +128 -0
  32. data/lib/chef/resource/inspec_waiver.rb +185 -0
  33. data/lib/chef/resource/mount.rb +1 -1
  34. data/lib/chef/resource/registry_key.rb +36 -48
  35. data/lib/chef/resource/remote_file.rb +98 -2
  36. data/lib/chef/resource/timezone.rb +2 -2
  37. data/lib/chef/resource/user_ulimit.rb +1 -0
  38. data/lib/chef/resource/windows_printer.rb +1 -1
  39. data/lib/chef/resource/windows_uac.rb +3 -1
  40. data/lib/chef/resource/windows_user_privilege.rb +1 -1
  41. data/lib/chef/resources.rb +2 -0
  42. data/lib/chef/run_context/cookbook_compiler.rb +112 -28
  43. data/lib/chef/run_context.rb +31 -1
  44. data/lib/chef/secret_fetcher/akeyless_vault.rb +57 -0
  45. data/lib/chef/secret_fetcher/aws_secrets_manager.rb +1 -1
  46. data/lib/chef/secret_fetcher/azure_key_vault.rb +1 -1
  47. data/lib/chef/secret_fetcher/base.rb +1 -1
  48. data/lib/chef/secret_fetcher/hashi_vault.rb +100 -0
  49. data/lib/chef/secret_fetcher.rb +8 -2
  50. data/lib/chef/version.rb +1 -1
  51. data/spec/data/archive_file/test_archive.tar.gz +0 -0
  52. data/spec/functional/resource/archive_file_spec.rb +87 -0
  53. data/spec/functional/resource/group_spec.rb +5 -1
  54. data/spec/functional/resource/link_spec.rb +8 -0
  55. data/spec/integration/compliance/compliance_spec.rb +60 -0
  56. data/spec/spec_helper.rb +3 -0
  57. data/spec/support/platform_helpers.rb +4 -0
  58. data/spec/support/ruby_installer.rb +51 -0
  59. data/spec/unit/compliance/input_spec.rb +104 -0
  60. data/spec/unit/compliance/profile_spec.rb +120 -0
  61. data/spec/unit/compliance/waiver_spec.rb +104 -0
  62. data/spec/unit/http/basic_client_spec.rb +30 -0
  63. data/spec/unit/http_spec.rb +8 -2
  64. data/spec/unit/provider/link_spec.rb +13 -7
  65. data/spec/unit/provider/remote_file/http_spec.rb +10 -0
  66. data/spec/unit/provider/template_spec.rb +2 -2
  67. data/spec/unit/resource/archive_file_spec.rb +414 -3
  68. data/spec/unit/resource/chef_client_scheduled_task_spec.rb +69 -0
  69. data/spec/unit/resource/file/verification/json_spec.rb +72 -0
  70. data/spec/unit/resource/file/verification/yaml_spec.rb +67 -0
  71. data/spec/unit/resource/inspec_input_spec.rb +300 -0
  72. data/spec/unit/resource/inspec_waiver_spec.rb +312 -0
  73. data/spec/unit/resource/mount_spec.rb +10 -0
  74. data/spec/unit/resource/user_ulimit_spec.rb +14 -1
  75. data/spec/unit/secret_fetcher/akeyless_vault_spec.rb +37 -0
  76. data/spec/unit/secret_fetcher/hashi_vault_spec.rb +80 -0
  77. data/tasks/rspec.rb +2 -1
  78. metadata +60 -6
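--- /dev/null
+++ b/data/spec/unit/compliance/profile_spec.rb
@@ -0,0 +1,120 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+require "tempfile"
+
+describe Chef::Compliance::Profile do
+let(:events) { Chef::EventDispatch::Dispatcher.new }
+let(:data) { { "copyright" => "DevSec Hardening Framework Team", "copyright_email" => "hello@dev-sec.io", "license" => "Apache-2.0", "maintainer" => "DevSec Hardening Framework Team", "name" => "ssh-baseline", "summary" => "Test-suite for best-practice SSH hardening", "supports" => [{ "os-family" => "unix" }], "title" => "DevSec SSH Baseline", "version" => "2.6.4" } }
+let(:path) { "/var/chef/cache/cookbooks/acme_compliance/compliance/profiles/thisdirectoryisnotthename/inspec.yml" }
+let(:cookbook_name) { "acme_compliance" }
+let(:profile) { Chef::Compliance::Profile.new(events, data, path, cookbook_name) }
+
+it "has a cookbook_name" do
+expect(profile.cookbook_name).to eql(cookbook_name)
+end
+
+it "has a path" do
+expect(profile.path).to eql(path)
+end
+
+it "has a name based on the yml" do
+expect(profile.name).to eql("ssh-baseline")
+end
+
+it "has a pathname based on the path" do
+expect(profile.pathname).to eql("thisdirectoryisnotthename")
+end
+
+it "is disabled" do
+expect(profile.enabled).to eql(false)
+expect(profile.enabled?).to eql(false)
+end
+
+it "has an event handler" do
+expect(profile.events).to eql(events)
+end
+
+it "can be enabled by enable!" do
+profile.enable!
+expect(profile.enabled).to eql(true)
+expect(profile.enabled?).to eql(true)
+end
+
+it "enabling sends an event" do
+expect(events).to receive(:compliance_profile_enabled).with(profile)
+profile.enable!
+end
+
+it "can be disabled by disable!" do
+profile.enable!
+profile.disable!
+expect(profile.enabled).to eql(false)
+expect(profile.enabled?).to eql(false)
+end
+
+it "has a #inspec_data method that renders the path" do
+expect(profile.inspec_data).to eql( { name: "ssh-baseline", path: "/var/chef/cache/cookbooks/acme_compliance/compliance/profiles/thisdirectoryisnotthename" } )
+end
+
+it "doesn't render the events in the inspect output" do
+expect(profile.inspect).not_to include("events")
+end
+
+it "inflates objects from YAML" do
+string = <<~EOH
+name: ssh-baseline#{" "}
+title: DevSec SSH Baseline#{" "}
+maintainer: DevSec Hardening Framework Team#{" "}
+copyright: DevSec Hardening Framework Team#{" "}
+copyright_email: hello@dev-sec.io#{" "}
+license: Apache-2.0#{" "}
+summary: Test-suite for best-practice SSH hardening#{" "}
+version: 2.6.4#{" "}
+supports:#{" "}
+- os-family: unix
+EOH
+newprofile = Chef::Compliance::Profile.from_yaml(events, string, path, cookbook_name)
+expect(newprofile.data).to eql(data)
+end
+
+it "inflates objects from files" do
+string = <<~EOH
+name: ssh-baseline#{" "}
+title: DevSec SSH Baseline#{" "}
+maintainer: DevSec Hardening Framework Team#{" "}
+copyright: DevSec Hardening Framework Team#{" "}
+copyright_email: hello@dev-sec.io#{" "}
+license: Apache-2.0#{" "}
+summary: Test-suite for best-practice SSH hardening#{" "}
+version: 2.6.4#{" "}
+supports:#{" "}
+- os-family: unix
+EOH
+tempfile = Tempfile.new("chef-compliance-test")
+tempfile.write string
+tempfile.close
+newprofile = Chef::Compliance::Profile.from_file(events, tempfile.path, cookbook_name)
+expect(newprofile.data).to eql(data)
+end
+
+it "inflates objects from hashes" do
+newprofile = Chef::Compliance::Profile.from_hash(events, data, path, cookbook_name)
+expect(newprofile.data).to eql(data)
+end
+end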
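Review bot: Neither the "inflates objects from YAML" nor the "inflates objects from files" case feeds `from_yaml`/`from_file` anything hostile, so the spec never pins which Psych loader `Chef::Compliance::Profile` uses; an `inspec.yml` is cookbook content and should be parsed with `YAML.safe_load` semantics that refuse object tags. Add a case such as `expect { Chef::Compliance::Profile.from_yaml(events, "--- !ruby/object:Object {}\n", path, cookbook_name) }.to raise_error(Psych::DisallowedClass)` — I cannot see profile.rb here, so if the implementation returns an object instead, that is the finding. A non-Hash document (`"--- 42\n"`) and a document without a `name` key are likewise untested, and `name` is what `inspec_data` reports. The "from files" case also leaks its `Tempfile`; `Tempfile.create("chef-compliance-test") { |f| ... }` or a `tempfile.unlink` in `ensure` would clean it up.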
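--- /dev/null
+++ b/data/spec/unit/compliance/waiver_spec.rb
@@ -0,0 +1,104 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+require "tempfile"
+
+describe Chef::Compliance::Waiver do
+let(:events) { Chef::EventDispatch::Dispatcher.new }
+let(:data) { { "ssh-01" => { "expiration_date" => Date.jd(2463810), "justification" => "waived, yo", "run" => false } } }
+let(:path) { "/var/chef/cache/cookbooks/acme_compliance/compliance/waivers/default.yml" }
+let(:cookbook_name) { "acme_compliance" }
+let(:waiver) { Chef::Compliance::Waiver.new(events, data, path, cookbook_name) }
+
+it "has a cookbook_name" do
+expect(waiver.cookbook_name).to eql(cookbook_name)
+end
+
+it "has a path" do
+expect(waiver.path).to eql(path)
+end
+
+it "has a pathname based on the path" do
+expect(waiver.pathname).to eql("default")
+end
+
+it "is disabled" do
+expect(waiver.enabled).to eql(false)
+expect(waiver.enabled?).to eql(false)
+end
+
+it "has an event handler" do
+expect(waiver.events).to eql(events)
+end
+
+it "can be enabled by enable!" do
+waiver.enable!
+expect(waiver.enabled).to eql(true)
+expect(waiver.enabled?).to eql(true)
+end
+
+it "enabling sends an event" do
+expect(events).to receive(:compliance_waiver_enabled).with(waiver)
+waiver.enable!
+end
+
+it "can be disabled by disable!" do
+waiver.enable!
+waiver.disable!
+expect(waiver.enabled).to eql(false)
+expect(waiver.enabled?).to eql(false)
+end
+
+it "has a #inspec_data method that renders the data" do
+expect(waiver.inspec_data).to eql(data)
+end
+
+it "doesn't render the events in the inspect output" do
+expect(waiver.inspect).not_to include("events")
+end
+
+it "inflates objects from YAML" do
+string = <<~EOH
+ssh-01:
+expiration_date: 2033-07-31
+run: false
+justification: "waived, yo"
+EOH
+newwaiver = Chef::Compliance::Waiver.from_yaml(events, string, path, cookbook_name)
+expect(newwaiver.data).to eql(data)
+end
+
+it "inflates objects from files" do
+string = <<~EOH
+ssh-01:
+expiration_date: 2033-07-31
+run: false
+justification: "waived, yo"
+EOH
+tempfile = Tempfile.new("chef-compliance-test")
+tempfile.write string
+tempfile.close
+newwaiver = Chef::Compliance::Waiver.from_file(events, tempfile.path, cookbook_name)
+expect(newwaiver.data).to eql(data)
+end
+
+it "inflates objects from hashes" do
+newwaiver = Chef::Compliance::Waiver.from_hash(events, data, path, cookbook_name)
+expect(newwaiver.data).to eql(data)
+end
+end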
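Review bot: The fixture `Date.jd(2463810)` in `data` silently pins that the loader materialises the bare scalar `2033-07-31` as a `Date`, which `YAML.safe_load` only does with `permitted_classes: [Date]`; the spec thereby constrains the loader without saying so, and never checks that nothing beyond `Date` is admitted from a waiver file that is, after all, cookbook content. Write the fixture as `Date.new(2033, 7, 31)` (by my count the same Julian day, and it matches the YAML fixtures) and add a negative case such as `expect { Chef::Compliance::Waiver.from_yaml(events, "ssh-01: !ruby/object:Object {}\n", path, cookbook_name) }.to raise_error(Psych::DisallowedClass)` — waiver.rb is not visible here, so if a different error or an object comes back, the loader choice needs revisiting. Because a waiver suppresses a control, a quoted or past `expiration_date` also deserves a case, even if only to document that this class carries the value and enforcement happens elsewhere. The "inflates objects from files" case leaks its `Tempfile`, as in profile_spec; `Tempfile.create` with a block avoids that.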
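--- a/data/spec/unit/http/basic_client_spec.rb
+++ b/data/spec/unit/http/basic_client_spec.rb
@@ -47,6 +47,36 @@ describe "HTTP Connection" do
 expect(Net::HTTP).to receive(:new).and_return(net_http_mock)
 expect(basic_client.http_client).to eql(net_http_mock)
 end
+
+it "allows setting net-http accessor options" do
+basic_client = Chef::HTTP::BasicClient.new(uri, nethttp_opts: {
+"continue_timeout" => 5,
+"max_retries" => 5,
+"read_timeout" => 5,
+"write_timeout" => 5,
+"ssl_timeout" => 5,
+})
+expect(basic_client.http_client.continue_timeout).to eql(5)
+expect(basic_client.http_client.max_retries).to eql(5)
+expect(basic_client.http_client.read_timeout).to eql(5)
+expect(basic_client.http_client.write_timeout).to eql(5)
+expect(basic_client.http_client.ssl_timeout).to eql(5)
+end
+
+it "allows setting net-http accssor options as symbols" do
+basic_client = Chef::HTTP::BasicClient.new(uri, nethttp_opts: {
+continue_timeout: 5,
+max_retries: 5,
+read_timeout: 5,
+write_timeout: 5,
+ssl_timeout: 5,
+})
+expect(basic_client.http_client.continue_timeout).to eql(5)
+expect(basic_client.http_client.max_retries).to eql(5)
+expect(basic_client.http_client.read_timeout).to eql(5)
+expect(basic_client.http_client.write_timeout).to eql(5)
+expect(basic_client.http_client.ssl_timeout).to eql(5)
+end
 end
 
 describe "#build_http_client" do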
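Review bot: Both new cases only prove that timeout-style keys reach Net::HTTP; nothing asserts what happens with a key Net::HTTP has no writer for, nor with keys that overlap what `ssl_policy` configures (`verify_mode`, `ca_file`, `cert_store`, `use_ssl`). If `nethttp_opts` is applied generically (something like `public_send("#{key}=", value)` — basic_client.rb is not in this view) a config-supplied `verify_mode` would quietly override certificate verification, so add a precedence case: `basic_client = Chef::HTTP::BasicClient.new(uri, nethttp_opts: { "verify_mode" => OpenSSL::SSL::VERIFY_NONE })` followed by `expect(basic_client.http_client.verify_mode).not_to eql(OpenSSL::SSL::VERIFY_NONE)`, or a `raise_error` expectation if such keys are meant to be refused outright. An unknown key (`{ "no_such_option" => 1 }`) should likewise get an explicit expectation instead of whatever `NoMethodError` falls out. Minor: "accssor" in the second description.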
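--- a/data/spec/unit/http_spec.rb
+++ b/data/spec/unit/http_spec.rb
@@ -46,13 +46,19 @@ describe Chef::HTTP do
 describe "#initialize" do
 it "accepts a keepalive option and passes it to the http_client" do
 http = Chef::HTTP.new(uri, keepalives: true)
-expect(Chef::HTTP::BasicClient).to receive(:new).with(uri, ssl_policy: Chef::HTTP::APISSLPolicy, keepalives: true).and_call_original
+expect(Chef::HTTP::BasicClient).to receive(:new).with(uri, ssl_policy: Chef::HTTP::APISSLPolicy, nethttp_opts: {}, keepalives: true).and_call_original
 expect(http.http_client).to be_a_kind_of(Chef::HTTP::BasicClient)
 end
 
 it "the default is not to use keepalives" do
 http = Chef::HTTP.new(uri)
-expect(Chef::HTTP::BasicClient).to receive(:new).with(uri, ssl_policy: Chef::HTTP::APISSLPolicy, keepalives: false).and_call_original
+expect(Chef::HTTP::BasicClient).to receive(:new).with(uri, ssl_policy: Chef::HTTP::APISSLPolicy, nethttp_opts: {}, keepalives: false).and_call_original
+expect(http.http_client).to be_a_kind_of(Chef::HTTP::BasicClient)
+end
+
+it "allows setting the nethttp options hash" do
+http = Chef::HTTP.new(uri, { nethttp: { "continue_timeout" => 5 } })
+expect(Chef::HTTP::BasicClient).to receive(:new).with(uri, ssl_policy: Chef::HTTP::APISSLPolicy, nethttp_opts: { "continue_timeout" => 5 }, keepalives: false).and_call_original
 expect(http.http_client).to be_a_kind_of(Chef::HTTP::BasicClient)
 end
 end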
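--- a/data/spec/unit/provider/link_spec.rb
+++ b/data/spec/unit/provider/link_spec.rb
@@ -125,7 +125,7 @@ describe Chef::Resource::Link do
 
 describe "when the target doesn't exist" do
 before do
-allow(File).to receive(:exists?).with("#{CHEF_SPEC_DATA}/fofile-link").and_return(false)
+allow(File).to receive(:exist?).with("#{CHEF_SPEC_DATA}/fofile-link").and_return(false)
 allow(provider.file_class).to receive(:symlink?).with("#{CHEF_SPEC_DATA}/fofile-link").and_return(false)
 provider.load_current_resource
 end
@@ -152,13 +152,16 @@ describe Chef::Resource::Link do
 allow(stat).to receive(:mode).and_return(0755)
 allow(provider.file_class).to receive(:stat).with("#{CHEF_SPEC_DATA}/fofile-link").and_return(stat)
 
-allow(File).to receive(:exists?).with("#{CHEF_SPEC_DATA}/fofile-link").and_return(true)
+# XXX: this might be broken? it preserves prior behavior in the specs caused by File.exist?/exists? interactions
+allow(Chef::ScanAccessControl).to receive(:new).and_return(instance_double(Chef::ScanAccessControl, set_all!: nil))
+
+allow(File).to receive(:exist?).with("#{CHEF_SPEC_DATA}/fofile-link").and_return(true)
 allow(provider.file_class).to receive(:symlink?).with("#{CHEF_SPEC_DATA}/fofile-link").and_return(false)
 end
 
 describe "and the source does not exist" do
 before do
-allow(File).to receive(:exists?).with("#{CHEF_SPEC_DATA}/fofile").and_return(false)
+expect(File).to receive(:exist?).with("#{CHEF_SPEC_DATA}/fofile").and_return(false)
 provider.load_current_resource
 end
 
@@ -185,7 +188,7 @@ describe Chef::Resource::Link do
 
 allow(provider.file_class).to receive(:stat).with("#{CHEF_SPEC_DATA}/fofile").and_return(stat)
 
-allow(File).to receive(:exists?).with("#{CHEF_SPEC_DATA}/fofile").and_return(true)
+allow(File).to receive(:exist?).with("#{CHEF_SPEC_DATA}/fofile").and_return(true)
 provider.load_current_resource
 end
 
@@ -212,7 +215,7 @@ describe Chef::Resource::Link do
 
 allow(provider.file_class).to receive(:stat).with("#{CHEF_SPEC_DATA}/fofile").and_return(stat)
 
-allow(File).to receive(:exists?).with("#{CHEF_SPEC_DATA}/fofile").and_return(true)
+allow(File).to receive(:exist?).with("#{CHEF_SPEC_DATA}/fofile").and_return(true)
 provider.load_current_resource
 end
 
@@ -262,6 +265,9 @@ describe Chef::Resource::Link do
 "#{CHEF_SPEC_DATA}/fofile-link"
 ).and_return(stat)
 
+# XXX: this might be broken? it preserves prior behavior in the specs caused by File.exist?/exists? interactions
+allow(Chef::ScanAccessControl).to receive(:new).and_return(instance_double(Chef::ScanAccessControl, set_all!: nil))
+
 provider.load_current_resource
 end
 
@@ -336,10 +342,10 @@ describe Chef::Resource::Link do
 "#{CHEF_SPEC_DATA}/fofile-link"
 ).and_return(false)
 
-allow(File).to receive(:exists?).with(
+allow(File).to receive(:exist?).with(
 "#{CHEF_SPEC_DATA}/fofile-link"
 ).and_return(true)
-allow(File).to receive(:exists?).with(
+allow(File).to receive(:exist?).with(
 "#{CHEF_SPEC_DATA}/fofile"
 ).and_return(true)
 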
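Review bot: The two new `allow(Chef::ScanAccessControl).to receive(:new).and_return(instance_double(Chef::ScanAccessControl, set_all!: nil))` stubs (hunks `@@ -152,13` and `@@ -262,6`) neutralise the part of `load_current_resource` that goes through `ScanAccessControl` — presumably the owner/group/mode scan of the existing link, judging by the name — so those contexts can no longer catch a regression there, and the attached `XXX: this might be broken?` comment admits nobody has confirmed that is acceptable. Either resolve the XXX before shipping or narrow the stub so the spec still asserts the scan happens: `scan = instance_double(Chef::ScanAccessControl)`, `expect(scan).to receive(:set_all!)`, `allow(Chef::ScanAccessControl).to receive(:new).and_return(scan)`. The switch from `allow` to `expect(File).to receive(:exist?)` in "and the source does not exist" is a strengthening, but the sibling contexts keep `allow`, so the intent should be stated or made consistent. The enclosing `describe`/`before` blocks start and end outside these hunks.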
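--- a/data/spec/unit/provider/remote_file/http_spec.rb
+++ b/data/spec/unit/provider/remote_file/http_spec.rb
@@ -321,4 +321,14 @@ describe Chef::Provider::RemoteFile::HTTP do
 
 end
 
+describe "#http_client_opts" do
+before do
+new_resource.http_options({ retries: 2, retry_delay: 3 })
+end
+
+it "should set http client options" do
+expect(fetcher.send(:http_client_opts)).to eq({ retries: 2, retry_delay: 3 })
+end
+end
+
 end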
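Review bot: The new `#http_client_opts` case only shows that `http_options` is echoed back unchanged; it never says which keys a recipe is allowed to set. On this same release `Chef::HTTP.new` accepts a `nethttp:` hash that is applied to Net::HTTP accessors (see the http_spec.rb and basic_client_spec.rb changes in this diff), so if `http_client_opts` forwards the property unfiltered a `remote_file` in a cookbook could reach TLS-affecting settings; a case such as `new_resource.http_options({ nethttp: { "verify_mode" => 0 } })` with an explicit expectation — rejected, or the key dropped — would pin the intended boundary. I cannot see `http_client_opts` here, so it may already be filtered; the spec should say so either way. `fetcher.send(:http_client_opts)` also reaches into a private method, which suggests the behaviour would be better asserted through the public fetch path.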
@@ -50,7 +50,7 @@ describe Chef::Provider::Template do
50
50
 
51
51
  let(:content) do
52
52
  content = double("Chef::Provider::File::Content::Template", template_location: "/foo/bar/baz")
53
- allow(File).to receive(:exists?).with("/foo/bar/baz").and_return(true)
53
+ allow(File).to receive(:exist?).with("/foo/bar/baz").and_return(true)
54
54
  content
55
55
  end
56
56
 
@@ -76,7 +76,7 @@ describe Chef::Provider::Template do
76
76
  it "stops executing when the local template source can't be found" do
77
77
  setup_normal_file
78
78
  allow(content).to receive(:template_location).and_return("/baz/bar/foo")
79
- allow(File).to receive(:exists?).with("/baz/bar/foo").and_return(false)
79
+ allow(File).to receive(:exist?).with("/baz/bar/foo").and_return(false)
80
80
  expect { provider.run_action(:create) }.to raise_error Chef::Mixin::WhyRun::ResourceRequirements::Assertion::AssertionFailure
81
81
  end
82
82