chef 17.4.38-universal-mingw32 → 17.7.22-universal-mingw32

data/lib/chef/resource/inspec_waiver.rb

@@ -0,0 +1,184 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+
+class Chef
+  class Resource
+    class InspecWaiver < Chef::Resource
+      provides :inspec_waiver
+      unified_mode true
+
+      description "Use the **inspec_waiver** resource to add a waiver to the Compliance Phase."
+      introduced "17.5"
+      examples <<~DOC
+      **Activate the default waiver in the openssh cookbook's compliance segment**:
+
+      ```ruby
+        inspec_waiver 'openssh' do
+          action :add
+        end
+      ```
+
+      **Activate all waivers in the openssh cookbook's compliance segment**:
+
+      ```ruby
+        inspec_waiver 'openssh::.*' do
+          action :add
+        end
+      ```
+
+      **Add an InSpec waiver to the Compliance Phase**:
+
+      ```ruby
+        inspec_waiver 'Add waiver entry for control' do
+          control 'my_inspec_control_01'
+          run_test false
+          justification "The subject of this control is not managed by #{ChefUtils::Dist::Infra::PRODUCT} on the systems in policy group \#{node['policy_group']}"
+          expiration '2022-01-01'
+          action :add
+        end
+      ```
+
+      **Add an InSpec waiver to the Compliance Phase using the 'name' property to identify the control**:
+
+      ```ruby
+        inspec_waiver 'my_inspec_control_01' do
+          justification "The subject of this control is not managed by #{ChefUtils::Dist::Infra::PRODUCT} on the systems in policy group \#{node['policy_group']}"
+          action :add
+        end
+      ```
+
+      **Add an InSpec waiver to the Compliance Phase using an arbitrary YAML, JSON, or TOML file**:
+
+      ```ruby
+        # files ending in .yml or .yaml that exist are parsed as YAML
+        inspec_waiver "/path/to/my/waiver.yml"
+
+        inspec_waiver "my-waiver-name" do
+          source "/path/to/my/waiver.yml"
+        end
+
+        # files ending in .json that exist are parsed as JSON
+        inspec_waiver "/path/to/my/waiver.json"
+
+        inspec_waiver "my-waiver-name" do
+          source "/path/to/my/waiver.json"
+        end
+
+        # files ending in .toml that exist are parsed as TOML
+        inspec_waiver "/path/to/my/waiver.toml"
+
+        inspec_waiver "my-waiver-name" do
+          source "/path/to/my/waiver.toml"
+        end
+      ```
+
+      **Add an InSpec waiver to the Compliance Phase using a hash**:
+
+      ```ruby
+        my_hash = { "ssh-01" => {
+          "expiration_date" => "2033-07-31",
+          "run" => false,
+          "justification" => "because"
+        } }
+
+        inspec_waiver "my-waiver-name" do
+          source my_hash
+        end
+      ```
+
+      Note that the **inspec_waiver** resource does not update and will not fire notifications (similar to the log resource). This is done to preserve the ability to use
+      the resource while not causing the updated resource count to be larger than zero. Since the resource does not update the state of the managed node, this behavior
+      is still consistent with the configuration management model. Instead, you should use events to observe configuration changes for the compliance phase. It is
+      possible to use the `notify_group` resource to chain notifications of the two resources, but notifications are the wrong model to use, and you should use pure ruby
+      conditionals instead. Compliance configuration should be independent of other resources and should only be conditional based on state/attributes, not other resources.
+      DOC
+
+      property :control, String,
+        name_property: true,
+        description: "The name of the control being waived"
+
+      property :expiration, String,
+        description: "The expiration date of the waiver - provided in YYYY-MM-DD format",
+        callbacks: {
+          "Expiration date should be a valid calendar date and match the following format: YYYY-MM-DD" => proc { |e|
+            re = Regexp.new("\\d{4}-\\d{2}-\\d{2}$").freeze
+            if re.match?(e)
+              Date.valid_date?(*e.split("-").map(&:to_i))
+            else
+              e.nil?
+            end
+          },
+        }
+
+      property :run_test, [true, false],
+        description: "If present and true, the control will run and be reported, but failures in it won’t make the overall run fail. If absent or false, the control will not be run."
+
+      property :justification, String,
+        description: "Can be any text you want and might include a reason for the waiver as well as who signed off on the waiver."
+
+      property :source, [ Hash, String ]
+
+      action :add, description: "Add a waiver to the compliance phase" do
+        if run_context.waiver_collection.valid?(new_resource.control)
+          include_waiver(new_resource.control)
+        else
+          include_waiver(waiver_hash)
+        end
+      end
+
+      action_class do
+        # If the source is nil and the control / name_property contains a file separator and is a string of a
+        # file that exists, then use that as the file (similar to the package provider automatic source property).  Otherwise
+        # just return the source.
+        #
+        # @api private
+        def source
+          @source ||= build_source
+        end
+
+        def build_source
+          return new_resource.source unless new_resource.source.nil?
+          return nil unless new_resource.control.count(::File::SEPARATOR) > 0 || (::File::ALT_SEPARATOR && new_resource.control.count(::File::ALT_SEPARATOR) > 0 )
+          return nil unless ::File.exist?(new_resource.control)
+
+          new_resource.control
+        end
+
+        def waiver_hash
+          case source
+          when Hash
+            source
+          when String
+            parse_file(source)
+          when nil
+            if new_resource.justification.nil? || new_resource.justification == ""
+              raise Chef::Exceptions::ValidationFailed, "Entries for an InSpec waiver must have a justification given, this parameter must have a value."
+            end
+
+            control_hash = {}
+            control_hash["expiration_date"] = new_resource.expiration.to_s unless new_resource.expiration.nil?
+            control_hash["run"] = new_resource.run_test unless new_resource.run_test.nil?
+            control_hash["justification"] = new_resource.justification.to_s
+
+            { new_resource.control => control_hash }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/inspec_waiver_file_entry.rb

@@ -74,7 +74,7 @@ class Chef
         description: "The expiration date of the given waiver - provided in YYYY-MM-DD format",
         callbacks: {
           "Expiration date should be a valid calendar date and match the following format: YYYY-MM-DD" => proc { |e|
-            re = Regexp.new('\d{4}-\d{2}-\d{2}$').freeze
+            re = Regexp.new("\\d{4}-\\d{2}-\\d{2}$").freeze
             if re.match?(e)
               Date.valid_date?(*e.split("-").map(&:to_i))
             else

data/lib/chef/resource/kernel_module.rb

@@ -15,7 +15,7 @@ class Chef
 
       provides :kernel_module
 
-      description "Use the **kernel_module** resource to manage kernel modules on Linux systems. This resource can load, unload, blacklist, disable, install, and uninstall modules."
+      description "Use the **kernel_module** resource to manage kernel modules on Linux systems. This resource can load, unload, blacklist, disable, enable, install, and uninstall modules."
       introduced "14.3"
       examples <<~DOC
         Install and load a kernel module, and ensure it loads on reboot.
@@ -68,13 +68,21 @@ class Chef
         end
         ```
 
-        Disable a kernel module.
+        Disable a kernel module so that it is not installable.
 
         ```ruby
         kernel_module 'loop' do
           action :disable
         end
         ```
+
+        Enable a kernel module so that it is can be installed.  Does not load or install.
+
+        ```ruby
+        kernel_module 'loop' do
+          action :enable
+        end
+        ```
       DOC
 
       property :modname, String,
@@ -101,6 +109,9 @@ class Chef
           end
         end
 
+        # Remove the "disable file" before trying to install
+        action_enable
+
         # create options file before loading the module
         unless new_resource.options.nil?
           file "#{new_resource.unload_dir}/options_#{new_resource.modname}.conf" do
@@ -178,6 +189,20 @@ class Chef
         action_unload
       end
 
+      action :enable, description: "Enable a kernel module.  Reverse :disable actions" do
+        with_run_context :root do
+          find_resource(:execute, "update initramfs") do
+            command initramfs_command
+            action :nothing
+          end
+        end
+
+        file "#{new_resource.unload_dir}/disable_#{new_resource.modname}.conf" do
+          action :delete
+          notifies :run, "execute[update initramfs]", :delayed
+        end
+      end
+
       action :load, description: "Load a kernel module." do
         unless module_loaded?
           converge_by("load kernel module #{new_resource.modname}") do

data/lib/chef/resource/macos_userdefaults.rb

@@ -78,172 +78,87 @@ class Chef
         required: true
 
       property :host, [String, Symbol],
-        description: "Set either :current or a hostname to set the user default at the host level.",
+        description: "Set either :current, :all or a hostname to set the user default at the host level.",
         desired_state: false,
-        introduced: "16.3"
+        introduced: "16.3",
+        coerce: proc { |value| to_cf_host(value) }
 
       property :value, [Integer, Float, String, TrueClass, FalseClass, Hash, Array],
         description: "The value of the key. Note: With the `type` property set to `bool`, `String` forms of Boolean true/false values that Apple accepts in the defaults command will be coerced: 0/1, 'TRUE'/'FALSE,' 'true'/false', 'YES'/'NO', or 'yes'/'no'.",
-        required: [:write],
-        coerce: proc { |v| v.is_a?(Hash) ? v.transform_keys(&:to_s) : v } # make sure keys are all strings for comparison
+        required: [:write]
 
       property :type, String,
         description: "The value type of the preference key.",
         equal_to: %w{bool string int float array dict},
-        desired_state: false
+        desired_state: false,
+        deprecated: true
 
-      property :user, String,
-        description: "The system user that the default will be applied to.",
-        desired_state: false
+      property :user, [String, Symbol],
+        description: "The system user that the default will be applied to. Set :current for current user, :all for all users or pass a valid username",
+        desired_state: false,
+        coerce: proc { |value| to_cf_user(value) }
 
       property :sudo, [TrueClass, FalseClass],
         description: "Set to true if the setting you wish to modify requires privileged access. This requires passwordless sudo for the `/usr/bin/defaults` command to be setup for the user running #{ChefUtils::Dist::Infra::PRODUCT}.",
         default: false,
-        desired_state: false
+        desired_state: false,
+        deprecated: true
 
       load_current_value do |new_resource|
-        Chef::Log.debug "#load_current_value: shelling out \"#{defaults_export_cmd(new_resource).join(" ")}\" to determine state"
-        state = shell_out(defaults_export_cmd(new_resource), user: new_resource.user)
-
-        if state.error? || state.stdout.empty?
-          Chef::Log.debug "#load_current_value: #{defaults_export_cmd(new_resource).join(" ")} returned stdout: #{state.stdout} and stderr: #{state.stderr}"
-          current_value_does_not_exist!
-        end
-
-        plist_data = ::Plist.parse_xml(state.stdout)
-
-        # handle the situation where the key doesn't exist in the domain
-        if plist_data.key?(new_resource.key)
-          key new_resource.key
-        else
-          current_value_does_not_exist!
-        end
+        Chef::Log.debug "#load_current_value: attempting to read \"#{new_resource.domain}\" value from preferences to determine state"
 
-        value plist_data[new_resource.key]
-      end
-
-      #
-      # The defaults command to export a domain
-      #
-      # @return [Array] defaults command
-      #
-      def defaults_export_cmd(resource)
-        state_cmd = ["/usr/bin/defaults"]
-
-        if resource.host == "current"
-          state_cmd.concat(["-currentHost"])
-        elsif resource.host # they specified a non-nil value, which is a hostname
-          state_cmd.concat(["-host", resource.host])
-        end
+        pref = get_preference(new_resource)
+        current_value_does_not_exist! if pref.nil?
 
-        state_cmd.concat(["export", resource.domain, "-"])
-        state_cmd
+        key new_resource.key
+        value pref
       end
 
       action :write, description: "Write the value to the specified domain/key." do
         converge_if_changed do
-          cmd = defaults_modify_cmd
-          Chef::Log.debug("Updating defaults value by shelling out: #{cmd.join(" ")}")
-
-          shell_out!(cmd, user: new_resource.user)
+          Chef::Log.debug("Updating defaults value for #{new_resource.key} in #{new_resource.domain}")
+          CF::Preferences.set!(new_resource.key, new_resource.value, new_resource.domain, new_resource.user, new_resource.host)
         end
       end
 
       action :delete, description: "Delete a key from a domain." do
         # if it's not there there's nothing to remove
-        return unless current_resource
+        return if current_resource.nil?
 
         converge_by("delete domain:#{new_resource.domain} key:#{new_resource.key}") do
-
-          cmd = defaults_modify_cmd
-          Chef::Log.debug("Removing defaults key by shelling out: #{cmd.join(" ")}")
-
-          shell_out!(cmd, user: new_resource.user)
+          Chef::Log.debug("Removing defaults key: #{new_resource.key}")
+          CF::Preferences.set!(new_resource.key, nil, new_resource.domain, new_resource.user, new_resource.host)
         end
       end
 
-      action_class do
-        #
-        # The command used to write or delete delete values from domains
-        #
-        # @return [Array] Array representation of defaults command to run
-        #
-        def defaults_modify_cmd
-          cmd = ["/usr/bin/defaults"]
-
-          if new_resource.host == :current
-            cmd.concat(["-currentHost"])
-          elsif new_resource.host # they specified a non-nil value, which is a hostname
-            cmd.concat(["-host", new_resource.host])
-          end
+      def get_preference(new_resource)
+        CF::Preferences.get(new_resource.key, new_resource.domain, new_resource.user, new_resource.host)
+      end
 
-          cmd.concat([action.to_s, new_resource.domain, new_resource.key])
-          cmd.concat(processed_value) if action == :write
-          cmd.prepend("sudo") if new_resource.sudo
-          cmd
-        end
+      action_class do
+        require "corefoundation" if RUBY_PLATFORM.match?(/darwin/)
 
-        #
-        # convert the provided value into the format defaults expects
-        #
-        # @return [array] array of values starting with the type if applicable
-        #
-        def processed_value
-          type = new_resource.type || value_type(new_resource.value)
-
-          # when dict this creates an array of values ["Key1", "Value1", "Key2", "Value2" ...]
-          cmd_values = ["-#{type}"]
-
-          case type
-          when "dict"
-            cmd_values.concat(new_resource.value.flatten)
-          when "array"
-            cmd_values.concat(new_resource.value)
-          when "bool"
-            cmd_values.concat(bool_to_defaults_bool(new_resource.value))
+        # Return valid hostname based on the input from host property
+        def to_cf_host(value)
+          case value
+          when :all
+            CF::Preferences::ALL_HOSTS
+          when :current
+            CF::Preferences::CURRENT_HOST
           else
-            cmd_values.concat([new_resource.value])
+            value
           end
-
-          cmd_values
         end
 
-        #
-        # defaults booleans on the CLI must be 'TRUE' or 'FALSE' so convert various inputs to that
-        #
-        # @param [String, Integer, Boolean] input <description>
-        #
-        # @return [String] TRUE or FALSE
-        #
-        def bool_to_defaults_bool(input)
-          return ["TRUE"] if [true, "TRUE", "1", "true", "YES", "yes"].include?(input)
-          return ["FALSE"] if [false, "FALSE", "0", "false", "NO", "no"].include?(input)
-
-          # make sure it's very clear bad input was given
-          raise ArgumentError, "#{input} cannot be converted to a boolean value for use with Apple's defaults command. Acceptable values are: 'TRUE', 'YES', 'true, 'yes', '0', true, 'FALSE', 'false', 'NO', 'no', '1', or false."
-        end
-
-        #
-        # convert ruby type to defaults type
-        #
-        # @param [Integer, Float, String, TrueClass, FalseClass, Hash, Array] value The value being set
-        #
-        # @return [string, nil] the type value used by defaults or nil if not applicable
-        #
-        def value_type(value)
+        # Return valid username based on the input from user property
+        def to_cf_user(value)
           case value
-          when true, false
-            "bool"
-          when Integer
-            "int"
-          when Float
-            "float"
-          when Hash
-            "dict"
-          when Array
-            "array"
-          when String
-            "string"
+          when :all
+            CF::Preferences::ALL_USERS
+          when :current
+            CF::Preferences::CURRENT_USER
+          else
+            value
           end
         end
       end

data/lib/chef/resource/mount.rb

@@ -42,7 +42,7 @@ class Chef
         sensitive: true
 
       property :mount_point, String, name_property: true,
-               coerce: proc { |arg| arg.chomp("/") }, # Removed "/" from the end of str, because it was causing idempotency issue.
+               coerce: proc { |arg| (arg == "/" || arg.match?(":/$")) ? arg : arg.chomp("/") }, # Removed "/" from the end of str, because it was causing idempotency issue.
                description: "The directory (or path) in which the device is to be mounted. Defaults to the name of the resource block if not provided."
 
       property :device, String, identity: true,

data/lib/chef/resource/openssl_x509_certificate.rb

@@ -226,7 +226,7 @@ class Chef
         end
 
         def ca_private_key
-          if new_resource.csr_file.nil?
+          if new_resource.ca_key_file.nil?
             key
           else
             OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass