chef 17.4.38-universal-mingw32 → 17.7.22-universal-mingw32

data/lib/chef/resource/windows_auto_run.rb

@@ -88,7 +88,7 @@ class Chef
         # @return [String]
         def registry_path
           { machine: "HKLM", user: "HKCU" }[new_resource.root] + \
-            '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'
+            "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
         end
       end
     end

data/lib/chef/resource/windows_dfs_namespace.rb

@@ -38,7 +38,7 @@ class Chef
 
       property :full_users, Array,
         description: "Determines which users should have full access to the share.",
-        default: ['BUILTIN\\administrators']
+        default: ["BUILTIN\\administrators"]
 
       property :change_users, Array,
         description: "Determines which users should have change access to the share.",
@@ -50,7 +50,7 @@ class Chef
 
       property :root, String,
         description: "The root from which to create the DFS tree. Defaults to C:\\DFSRoots.",
-        default: 'C:\\DFSRoots'
+        default: "C:\\DFSRoots"
 
       action :create, description: "Creates the dfs namespace on the server." do
         directory file_path do

data/lib/chef/resource/windows_printer.rb

@@ -33,7 +33,7 @@ class Chef
 
       provides(:windows_printer) { true }
 
-      description "Use the **windows_printer** resource to setup Windows printers. This resource will automatically install the driver specified in the `driver_name` property and will automatically create a printer port using either the `ipv4_address` property or the `port_name property."
+      description "Use the **windows_printer** resource to setup Windows printers. This resource will automatically install the driver specified in the `driver_name` property and will automatically create a printer port using either the `ipv4_address` property or the `port_name` property."
       introduced "14.0"
       examples <<~DOC
       **Create a printer**:

data/lib/chef/resource/windows_uac.rb

@@ -104,7 +104,9 @@ class Chef
         #
         # @return [Integer]
         def consent_behavior_users_symbol_to_reg(sym)
-          %i{auto_deny secure_prompt_for_creds prompt_for_creds}.index(sym)
+          # Since 2 isn't a valid value for ConsentPromptBehaviorUser, assign the value at index as nil.
+          # https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#registry-key-settings
+          [:auto_deny, :secure_prompt_for_creds, nil, :prompt_for_creds].index(sym)
         end
       end
     end

data/lib/chef/resource/windows_update_settings.rb

@@ -145,7 +145,7 @@ class Chef
       action :set, description: "Set Windows Update settings." do
         actual_day = convert_day(new_resource.scheduled_install_day)
 
-        registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate' do
+        registry_key "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate" do
           recursive true
           values [{
             name: "DisableOSUpgrade",
@@ -180,7 +180,7 @@ class Chef
           action :create
         end
 
-        registry_key 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer' do
+        registry_key "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" do
           recursive true
           values [{
             name: "NoWindowsUpdate",
@@ -190,7 +190,7 @@ class Chef
           action :create
         end
 
-        registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU' do
+        registry_key "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU" do
           recursive true
           values [{
             name: "AUOptions",

data/lib/chef/resource/windows_user_privilege.rb

@@ -139,7 +139,7 @@ class Chef
         coerce: proc { |v| Array(v) },
         callbacks: {
           "Privilege property restricted to the following values: #{PRIVILEGE_OPTS}" => lambda { |n| (n - PRIVILEGE_OPTS).empty? },
-        }
+        }, identity: true
 
       load_current_value do |new_resource|
         if new_resource.principal && (new_resource.action.include?(:add) || new_resource.action.include?(:remove))

data/lib/chef/resource.rb

@@ -1508,7 +1508,7 @@ class Chef
     # @return Chef::CookbookVersion The cookbook in which this Resource was defined.
     #
     def cookbook_version
-      if cookbook_name
+      if cookbook_name && cookbook_name != "@recipe_files"
         run_context.cookbook_collection[cookbook_name]
       end
     end

data/lib/chef/resource_reporter.rb

@@ -41,7 +41,7 @@ class Chef
       as_hash["result"] = action_record.action.to_s
       if new_resource.cookbook_name
         as_hash["cookbook_name"] = new_resource.cookbook_name
-        as_hash["cookbook_version"] = new_resource.cookbook_version.version
+        as_hash["cookbook_version"] = new_resource.cookbook_version&.version
       end
 
       as_hash

data/lib/chef/resources.rb

@@ -73,6 +73,8 @@ require_relative "resource/homebrew_package"
 require_relative "resource/homebrew_tap"
 require_relative "resource/homebrew_update"
 require_relative "resource/ifconfig"
+require_relative "resource/inspec_input"
+require_relative "resource/inspec_waiver"
 require_relative "resource/inspec_waiver_file_entry"
 require_relative "resource/kernel_module"
 require_relative "resource/ksh"

data/lib/chef/run_context/cookbook_compiler.rb

@@ -32,6 +32,7 @@ class Chef
       attr_reader :events
       attr_reader :run_list_expansion
       attr_reader :logger
+      attr_reader :run_context
 
       def initialize(run_context, run_list_expansion, events)
         @run_context = run_context
@@ -43,23 +44,51 @@ class Chef
 
       # Chef::Node object for the current run.
       def node
-        @run_context.node
+        run_context.node
       end
 
       # Chef::CookbookCollection object for the current run
       def cookbook_collection
-        @run_context.cookbook_collection
+        run_context.cookbook_collection
       end
 
       # Resource Definitions from the compiled cookbooks. This is populated by
       # calling #compile_resource_definitions (which is called by #compile)
       def definitions
-        @run_context.definitions
+        run_context.definitions
+      end
+
+      # The global waiver_collection hanging off of the run_context, used by
+      # compile_compliance and the compliance phase that runs inspec
+      #
+      # @returns [Chef::Compliance::WaiverCollection]
+      #
+      def waiver_collection
+        run_context.waiver_collection
+      end
+
+      # The global input_collection hanging off of the run_context, used by
+      # compile_compliance and the compliance phase that runs inspec
+      #
+      # @returns [Chef::Compliance::inputCollection]
+      #
+      def input_collection
+        run_context.input_collection
+      end
+
+      # The global profile_collection hanging off of the run_context, used by
+      # compile_compliance and the compliance phase that runs inspec
+      #
+      # @returns [Chef::Compliance::ProfileCollection]
+      #
+      def profile_collection
+        run_context.profile_collection
       end
 
       # Run the compile phase of the chef run. Loads files in the following order:
       # * Libraries
       # * Ohai
+      # * Compliance Profiles/Waivers
       # * Attributes
       # * LWRPs
       # * Resource Definitions
@@ -73,6 +102,7 @@ class Chef
       def compile
         compile_libraries
         compile_ohai_plugins
+        compile_compliance
         compile_attributes
         compile_lwrps
         compile_resource_definitions
@@ -98,7 +128,7 @@ class Chef
 
       # Loads library files from cookbooks according to #cookbook_order.
       def compile_libraries
-        @events.library_load_start(count_files_by_segment(:libraries))
+        events.library_load_start(count_files_by_segment(:libraries))
         cookbook_order.each do |cookbook|
           eager_load_libraries = cookbook_collection[cookbook].metadata.eager_load_libraries
           if eager_load_libraries == true # actually true, not truthy
@@ -110,14 +140,14 @@ class Chef
             end
           end
         end
-        @events.library_load_complete
+        events.library_load_complete
       end
 
       # Loads Ohai Plugins from cookbooks, and ensure any old ones are
       # properly cleaned out
       def compile_ohai_plugins
         ohai_plugin_count = count_files_by_segment(:ohai)
-        @events.ohai_plugin_load_start(ohai_plugin_count)
+        events.ohai_plugin_load_start(ohai_plugin_count)
         FileUtils.rm_rf(Chef::Config[:ohai_segment_plugin_path])
 
         cookbook_order.each do |cookbook|
@@ -131,57 +161,81 @@ class Chef
           node.consume_ohai_data(ohai)
         end
 
-        @events.ohai_plugin_load_complete
+        events.ohai_plugin_load_complete
+      end
+
+      # Loads the compliance segment files from the cookbook into the collections
+      # hanging off of the run_context, for later use in the compliance phase
+      # inspec run.
+      #
+      def compile_compliance
+        events.compliance_load_start
+        events.profiles_load_start
+        cookbook_order.each do |cookbook|
+          load_profiles_from_cookbook(cookbook)
+        end
+        events.profiles_load_complete
+        events.inputs_load_start
+        cookbook_order.each do |cookbook|
+          load_inputs_from_cookbook(cookbook)
+        end
+        events.inputs_load_complete
+        events.waivers_load_start
+        cookbook_order.each do |cookbook|
+          load_waivers_from_cookbook(cookbook)
+        end
+        events.waivers_load_complete
+        events.compliance_load_complete
       end
 
       # Loads attributes files from cookbooks. Attributes files are loaded
       # according to #cookbook_order; within a cookbook, +default.rb+ is loaded
       # first, then the remaining attributes files in lexical sort order.
       def compile_attributes
-        @events.attribute_load_start(count_files_by_segment(:attributes, "attributes.rb"))
+        events.attribute_load_start(count_files_by_segment(:attributes, "attributes.rb"))
         cookbook_order.each do |cookbook|
           load_attributes_from_cookbook(cookbook)
         end
-        @events.attribute_load_complete
+        events.attribute_load_complete
       end
 
       # Loads LWRPs according to #cookbook_order. Providers are loaded before
       # resources on a cookbook-wise basis.
       def compile_lwrps
         lwrp_file_count = count_files_by_segment(:providers) + count_files_by_segment(:resources)
-        @events.lwrp_load_start(lwrp_file_count)
+        events.lwrp_load_start(lwrp_file_count)
         cookbook_order.each do |cookbook|
           load_lwrps_from_cookbook(cookbook)
         end
-        @events.lwrp_load_complete
+        events.lwrp_load_complete
       end
 
       # Loads resource definitions according to #cookbook_order
       def compile_resource_definitions
-        @events.definition_load_start(count_files_by_segment(:definitions))
+        events.definition_load_start(count_files_by_segment(:definitions))
         cookbook_order.each do |cookbook|
           load_resource_definitions_from_cookbook(cookbook)
         end
-        @events.definition_load_complete
+        events.definition_load_complete
       end
 
       # Iterates over the expanded run_list, loading each recipe in turn.
       def compile_recipes
-        @events.recipe_load_start(run_list_expansion.recipes.size)
+        events.recipe_load_start(run_list_expansion.recipes.size)
         run_list_expansion.recipes.each do |recipe|
 
           path = resolve_recipe(recipe)
-          @run_context.load_recipe(recipe)
-          @events.recipe_file_loaded(path, recipe)
+          run_context.load_recipe(recipe)
+          events.recipe_file_loaded(path, recipe)
         rescue Chef::Exceptions::RecipeNotFound => e
-          @events.recipe_not_found(e)
+          events.recipe_not_found(e)
           raise
         rescue Exception => e
-          @events.recipe_file_load_failed(path, e, recipe)
+          events.recipe_file_load_failed(path, e, recipe)
           raise
 
         end
-        @events.recipe_load_complete
+        events.recipe_load_complete
       end
 
       # Whether or not a cookbook is reachable from the set of cookbook given
@@ -225,7 +279,7 @@ class Chef
         attr_file_basename = ::File.basename(filename, ".rb")
         node.include_attribute("#{cookbook_name}::#{attr_file_basename}")
       rescue Exception => e
-        @events.attribute_file_load_failed(filename, e)
+        events.attribute_file_load_failed(filename, e)
         raise
       end
 
@@ -234,9 +288,9 @@ class Chef
 
           logger.trace("Loading cookbook #{cookbook_name}'s library file: #{filename}")
           Kernel.require(filename)
-          @events.library_file_loaded(filename)
+          events.library_file_loaded(filename)
         rescue Exception => e
-          @events.library_file_load_failed(filename, e)
+          events.library_file_load_failed(filename, e)
           raise
 
         end
@@ -260,18 +314,18 @@ class Chef
       def load_lwrp_provider(cookbook_name, filename)
         logger.trace("Loading cookbook #{cookbook_name}'s providers from #{filename}")
         Chef::Provider::LWRPBase.build_from_file(cookbook_name, filename, self)
-        @events.lwrp_file_loaded(filename)
+        events.lwrp_file_loaded(filename)
       rescue Exception => e
-        @events.lwrp_file_load_failed(filename, e)
+        events.lwrp_file_load_failed(filename, e)
         raise
       end
 
       def load_lwrp_resource(cookbook_name, filename)
         logger.trace("Loading cookbook #{cookbook_name}'s resources from #{filename}")
         Chef::Resource::LWRPBase.build_from_file(cookbook_name, filename, self)
-        @events.lwrp_file_loaded(filename)
+        events.lwrp_file_loaded(filename)
       rescue Exception => e
-        @events.lwrp_file_load_failed(filename, e)
+        events.lwrp_file_load_failed(filename, e)
         raise
       end
 
@@ -288,6 +342,36 @@ class Chef
         end
       end
 
+      # Load the compliance segment files from a single cookbook
+      #
+      def load_profiles_from_cookbook(cookbook_name)
+        # This identifies profiles by their inspec.yml file, we recurse into subdirs so the profiles may be deeply
+        # nested in a subdir structure for organization.  You could have profiles inside of profiles but
+        # since that is not coherently defined, you should not.
+        #
+        each_file_in_cookbook_by_segment(cookbook_name, :compliance, [ "profiles/**/inspec.{yml,yaml}" ]) do |filename|
+          profile_collection.from_file(filename, cookbook_name)
+        end
+      end
+
+      def load_waivers_from_cookbook(cookbook_name)
+        # This identifies waiver files as any yaml files under the waivers subdir.  We recurse into subdirs as well
+        # so that waivers may be nested in subdirs for organization.  Any other files are ignored.
+        #
+        each_file_in_cookbook_by_segment(cookbook_name, :compliance, [ "waivers/**/*.{yml,yaml}" ]) do |filename|
+          waiver_collection.from_file(filename, cookbook_name)
+        end
+      end
+
+      def load_inputs_from_cookbook(cookbook_name)
+        # This identifies input files as any yaml files under the inputs subdir.  We recurse into subdirs as well
+        # so that inputs may be nested in subdirs for organization.  Any other files are ignored.
+        #
+        each_file_in_cookbook_by_segment(cookbook_name, :compliance, [ "inputs/**/*.{yml,yaml}" ]) do |filename|
+          input_collection.from_file(filename, cookbook_name)
+        end
+      end
+
       def load_resource_definitions_from_cookbook(cookbook_name)
         files_in_cookbook_by_segment(cookbook_name, :definitions).each do |filename|
           next unless File.extname(filename) == ".rb"
@@ -300,9 +384,9 @@ class Chef
               logger.info("Overriding duplicate definition #{key}, new definition found in #{filename}")
               newval
             end
-            @events.definition_file_loaded(filename)
+            events.definition_file_loaded(filename)
           rescue Exception => e
-            @events.definition_file_load_failed(filename, e)
+            events.definition_file_load_failed(filename, e)
             raise
           end
         end

data/lib/chef/run_context.rb

@@ -25,6 +25,9 @@ require_relative "log"
 require_relative "recipe"
 require_relative "run_context/cookbook_compiler"
 require_relative "event_dispatch/events_output_stream"
+require_relative "compliance/input_collection"
+require_relative "compliance/waiver_collection"
+require_relative "compliance/profile_collection"
 require_relative "train_transport"
 require_relative "exceptions"
 require "forwardable" unless defined?(Forwardable)
@@ -120,10 +123,28 @@ class Chef
 
     # Handle to the global action_collection of executed actions for reporting / data_collector /etc
     #
-    # @return [Chef::ActionCollection
+    # @return [Chef::ActionCollection]
     #
     attr_accessor :action_collection
 
+    # Handle to the global profile_collection of inspec profiles for the compliance phase
+    #
+    # @return [Chef::Compliance::ProfileCollection]
+    #
+    attr_accessor :profile_collection
+
+    # Handle to the global waiver_collection of inspec waiver files for the compliance phase
+    #
+    # @return [Chef::Compliance::WaiverCollection]
+    #
+    attr_accessor :waiver_collection
+
+    # Handle to the global input_collection of inspec input files for the compliance phase
+    #
+    # @return [Chef::Compliance::inputCollection]
+    #
+    attr_accessor :input_collection
+
     # Pointer back to the Chef::Runner that created this
     #
     attr_accessor :runner
@@ -198,6 +219,9 @@ class Chef
       @loaded_attributes_hash = {}
       @reboot_info = {}
       @cookbook_compiler = nil
+      @input_collection = Chef::Compliance::InputCollection.new(events)
+      @waiver_collection = Chef::Compliance::WaiverCollection.new(events)
+      @profile_collection = Chef::Compliance::ProfileCollection.new(events)
 
       initialize_child_state
     end
@@ -674,6 +698,8 @@ class Chef
         events=
         has_cookbook_file_in_cookbook?
         has_template_in_cookbook?
+        input_collection
+        input_collection=
         load
         loaded_attribute
         loaded_attributes
@@ -688,6 +714,8 @@ class Chef
         node
         node=
         open_stream
+        profile_collection
+        profile_collection=
         reboot_info
         reboot_info=
         reboot_requested?
@@ -700,6 +728,8 @@ class Chef
         transport
         transport_connection
         unreachable_cookbook?
+        waiver_collection
+        waiver_collection=
       }
 
       def initialize(parent_run_context)

data/lib/chef/secret_fetcher/akeyless_vault.rb

@@ -0,0 +1,57 @@
+#
+# Author:: Marc Paradise (<marc@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "base"
+require_relative "hashi_vault"
+
+class Chef
+  class SecretFetcher
+    # == Chef::SecretFetcher::AKeylessVault
+    # A fetcher that fetches a secret from AKeyless Vault.  Initial implementation is
+    # based on HashiVault , because AKeyless provides a compatibility layer that makes this possible.
+    # Future revisions will use native akeyless authentication.
+    #
+    # Required config:
+    # :access_id - the access id of the API key
+    # :access_key - the access key of the API key
+    #
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:akeyless_vault, { access_id: "my-access-id", access_key: "my-access-key"  }, run_context )
+    # fetcher.fetch("/secret/data/secretkey1")
+    #
+    AKEYLESS_VAULT_PROXY_ADDR = "https://hvp.akeyless.io".freeze
+    class AKeylessVault < HashiVault
+      def validate!
+        if config[:access_key].nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the secret access key in the configuration as :secret_access_key")
+        end
+        if config[:access_id].nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the access key id in the configuration as :access_key_id")
+        end
+
+        config[:vault_addr] ||= AKEYLESS_VAULT_PROXY_ADDR
+        config[:auth_method] = :token
+        config[:token] = "#{config[:access_id]}..#{config[:access_key]}"
+        super
+      end
+    end
+  end
+end
+

data/lib/chef/secret_fetcher/aws_secrets_manager.rb

@@ -52,7 +52,7 @@ class Chef
       end
 
       # @param identifier [String] the secret_id
-      # @param version [String] the secret version. Not usd at this time
+      # @param version [String] the secret version.
       # @return Aws::SecretsManager::Types::GetSecretValueResponse
       def do_fetch(identifier, version)
         client = Aws::SecretsManager::Client.new(config)

data/lib/chef/secret_fetcher/azure_key_vault.rb

@@ -1,8 +1,10 @@
 require_relative "base"
+require_relative "../exceptions"
+require "uri" unless defined?(URI)
 
 class Chef
   class SecretFetcher
-    # == Chef::SecretFetcher::AWSSecretsManager
+    # == Chef::SecretFetcher::AzureKeyVault
     # A fetcher that fetches a secret from Azure Key Vault. Supports fetching with version.
     #
     # In this initial iteration this authenticates via token obtained from the OAuth2  /token
@@ -14,13 +16,19 @@ class Chef
     #
     # @example
     #
-    # fetcher = SecretFetcher.for_service(:azure_key_vault, { vault: "my_vault" }, run_context )
+    # fetcher = SecretFetcher.for_service(:azure_key_vault, { vault: "my_vault" }, run_context)
     # fetcher.fetch("secretkey1", "v1")
     #
     # @example
     #
-    # fetcher = SecretFetcher.for_service(:azure_key_vault, {}, run_context )
+    # fetcher = SecretFetcher.for_service(:azure_key_vault, {}, run_context)
     # fetcher.fetch("my_vault/secretkey1", "v1")
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:azure_key_vault, { client_id: "540d76b6-7f76-456c-b68b-ccae4dc9d99d" }, run_context)
+    # fetcher.fetch("my_vault/secretkey1", "v1")
+    #
     class AzureKeyVault < Base
 
       def do_fetch(name, version)
@@ -48,6 +56,12 @@ class Chef
         end
       end
 
+      def validate!
+        raise Chef::Exceptions::Secret::ConfigurationInvalid, "You may only specify one (these are mutually exclusive): :object_id, :client_id, or :mi_res_id" if [object_id, client_id, mi_res_id].select { |x| !x.nil? }.length > 1
+      end
+
+      private
+
       # Determine the vault name and secret name from the provided name.
       # If it is not in the provided name in the form "vault_name/secret_name"
       # it will determine the vault name from `config[:vault]`.
@@ -63,16 +77,56 @@ class Chef
         end
       end
 
+      def api_version
+        "2018-02-01"
+      end
+
+      def resource
+        "https://vault.azure.net"
+      end
+
+      def object_id
+        config[:object_id]
+      end
+
+      def client_id
+        config[:client_id]
+      end
+
+      def mi_res_id
+        config[:mi_res_id]
+      end
+
+      def token_query
+        @token_query ||= begin
+          p = {}
+          p["api-version"] = api_version
+          p["resource"] = resource
+          p["object_id"] = object_id if object_id
+          p["client_id"] = client_id if client_id
+          p["mi_res_id"] = mi_res_id if mi_res_id
+          URI.encode_www_form(p)
+        end
+      end
+
       def fetch_token
-        token_uri = URI.parse("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net")
+        token_uri = URI.parse("http://169.254.169.254/metadata/identity/oauth2/token")
+        token_uri.query = token_query
         http = Net::HTTP.new(token_uri.host, token_uri.port)
         response = http.get(token_uri, { "Metadata" => "true" })
-        body = JSON.parse(response.body)
-        body["access_token"]
+
+        case response
+        when Net::HTTPSuccess
+          body = JSON.parse(response.body)
+          body["access_token"]
+        when Net::HTTPBadRequest
+          body = JSON.parse(response.body)
+          raise Chef::Exceptions::Secret::Azure::IdentityNotFound if body["error_description"] =~ /identity not found/i
+        else
+          body = JSON.parse(response.body)
+          body["access_token"]
+        end
       end
     end
   end
 end
-
-
-

data/lib/chef/secret_fetcher/base.rb

@@ -56,7 +56,7 @@ class Chef
       # @raise [Chef::Exceptions::Secret::ConfigurationInvalid] if it is not.
       def validate!; end
 
-      # Called to fetch the secret identified by 'identifer'.  Implementations
+      # Called to fetch the secret identified by 'identifier'.  Implementations
       # should expect that `validate!` has been invoked before `do_fetch`.
       #
       # @param identifier [Object] Unique identifier of the secret to be retrieved.