chef 17.4.38 → 17.5.22

Files changed (78) hide show
  1. checksums.yaml +4 -4
  2. data/chef.gemspec +2 -0
  3. data/lib/chef/application/base.rb +11 -1
  4. data/lib/chef/client.rb +1 -2
  5. data/lib/chef/compliance/input.rb +115 -0
  6. data/lib/chef/compliance/input_collection.rb +139 -0
  7. data/lib/chef/compliance/profile.rb +122 -0
  8. data/lib/chef/compliance/profile_collection.rb +109 -0
  9. data/lib/chef/compliance/runner.rb +47 -5
  10. data/lib/chef/compliance/waiver.rb +115 -0
  11. data/lib/chef/compliance/waiver_collection.rb +143 -0
  12. data/lib/chef/dsl/compliance.rb +38 -0
  13. data/lib/chef/dsl/reader_helpers.rb +51 -0
  14. data/lib/chef/dsl/recipe.rb +4 -2
  15. data/lib/chef/dsl/secret.rb +2 -4
  16. data/lib/chef/dsl/universal.rb +2 -0
  17. data/lib/chef/event_dispatch/base.rb +44 -2
  18. data/lib/chef/formatters/doc.rb +46 -0
  19. data/lib/chef/http/basic_client.rb +15 -7
  20. data/lib/chef/http.rb +7 -3
  21. data/lib/chef/provider/file.rb +2 -0
  22. data/lib/chef/provider/link.rb +2 -2
  23. data/lib/chef/provider/registry_key.rb +3 -2
  24. data/lib/chef/provider/remote_file/http.rb +1 -1
  25. data/lib/chef/provider/template.rb +1 -1
  26. data/lib/chef/resource/archive_file.rb +17 -14
  27. data/lib/chef/resource/chef_client_scheduled_task.rb +45 -2
  28. data/lib/chef/resource/chocolatey_config.rb +13 -13
  29. data/lib/chef/resource/file/verification/json.rb +50 -0
  30. data/lib/chef/resource/file/verification/yaml.rb +52 -0
  31. data/lib/chef/resource/inspec_input.rb +128 -0
  32. data/lib/chef/resource/inspec_waiver.rb +185 -0
  33. data/lib/chef/resource/mount.rb +1 -1
  34. data/lib/chef/resource/registry_key.rb +36 -48
  35. data/lib/chef/resource/remote_file.rb +98 -2
  36. data/lib/chef/resource/timezone.rb +2 -2
  37. data/lib/chef/resource/user_ulimit.rb +1 -0
  38. data/lib/chef/resource/windows_printer.rb +1 -1
  39. data/lib/chef/resource/windows_uac.rb +3 -1
  40. data/lib/chef/resource/windows_user_privilege.rb +1 -1
  41. data/lib/chef/resources.rb +2 -0
  42. data/lib/chef/run_context/cookbook_compiler.rb +112 -28
  43. data/lib/chef/run_context.rb +31 -1
  44. data/lib/chef/secret_fetcher/akeyless_vault.rb +57 -0
  45. data/lib/chef/secret_fetcher/aws_secrets_manager.rb +1 -1
  46. data/lib/chef/secret_fetcher/azure_key_vault.rb +1 -1
  47. data/lib/chef/secret_fetcher/base.rb +1 -1
  48. data/lib/chef/secret_fetcher/hashi_vault.rb +100 -0
  49. data/lib/chef/secret_fetcher.rb +8 -2
  50. data/lib/chef/version.rb +1 -1
  51. data/spec/data/archive_file/test_archive.tar.gz +0 -0
  52. data/spec/functional/resource/archive_file_spec.rb +87 -0
  53. data/spec/functional/resource/group_spec.rb +5 -1
  54. data/spec/functional/resource/link_spec.rb +8 -0
  55. data/spec/integration/compliance/compliance_spec.rb +60 -0
  56. data/spec/spec_helper.rb +3 -0
  57. data/spec/support/platform_helpers.rb +4 -0
  58. data/spec/support/ruby_installer.rb +51 -0
  59. data/spec/unit/compliance/input_spec.rb +104 -0
  60. data/spec/unit/compliance/profile_spec.rb +120 -0
  61. data/spec/unit/compliance/waiver_spec.rb +104 -0
  62. data/spec/unit/http/basic_client_spec.rb +30 -0
  63. data/spec/unit/http_spec.rb +8 -2
  64. data/spec/unit/provider/link_spec.rb +13 -7
  65. data/spec/unit/provider/remote_file/http_spec.rb +10 -0
  66. data/spec/unit/provider/template_spec.rb +2 -2
  67. data/spec/unit/resource/archive_file_spec.rb +414 -3
  68. data/spec/unit/resource/chef_client_scheduled_task_spec.rb +69 -0
  69. data/spec/unit/resource/file/verification/json_spec.rb +72 -0
  70. data/spec/unit/resource/file/verification/yaml_spec.rb +67 -0
  71. data/spec/unit/resource/inspec_input_spec.rb +300 -0
  72. data/spec/unit/resource/inspec_waiver_spec.rb +312 -0
  73. data/spec/unit/resource/mount_spec.rb +10 -0
  74. data/spec/unit/resource/user_ulimit_spec.rb +14 -1
  75. data/spec/unit/secret_fetcher/akeyless_vault_spec.rb +37 -0
  76. data/spec/unit/secret_fetcher/hashi_vault_spec.rb +80 -0
  77. data/tasks/rspec.rb +2 -1
  78. metadata +60 -6
@@ -0,0 +1,80 @@
1
+ #
2
+ # Author:: Marc Paradise <marc@chef.io>
3
+ # Copyright:: Copyright (c) Chef Software Inc.
4
+ # License:: Apache License, Version 2.0
5
+ #
6
+ # Licensed under the Apache License, Version 2.0 (the "License");
7
+ # you may not use this file except in compliance with the License.
8
+ # You may obtain a copy of the License at
9
+ #
10
+ # http://www.apache.org/licenses/LICENSE-2.0
11
+ #
12
+ # Unless required by applicable law or agreed to in writing, software
13
+ # distributed under the License is distributed on an "AS IS" BASIS,
14
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15
+ # See the License for the specific language governing permissions and
16
+ # limitations under the License.
17
+ #
18
+
19
+ require_relative "../../spec_helper"
20
+ require "chef/secret_fetcher/hashi_vault"
21
+
22
+ describe Chef::SecretFetcher::HashiVault do
23
+ let(:node) { {} }
24
+ let(:run_context) { double("run_context", node: node) }
25
+
26
+ context "when validating provided HashiVault configuration" do
27
+ it "raises ConfigurationInvalid when the :auth_method is not valid" do
28
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :invalid, vault_addr: "https://vault.example.com:8200" }, run_context)
29
+ expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid, /:auth_method/)
30
+ end
31
+
32
+ it "raises ConfigurationInvalid when the vault_addr is not provided" do
33
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, role_name: "example-role" }, run_context)
34
+ expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
35
+ end
36
+
37
+ context "and using auth_method: :iam_role" do
38
+ it "raises ConfigurationInvalid when the role_name is not provided" do
39
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, vault_addr: "https://vault.example.com:8200" }, run_context)
40
+ expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
41
+ end
42
+
43
+ it "obtains a token via AWS IAM auth to allow the gem to do its own validations when all required config is provided" do
44
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, vault_addr: "https://vault.example.com:8200", role_name: "example-role" }, run_context)
45
+ allow(Aws::InstanceProfileCredentials).to receive(:new).and_return instance_double(Aws::InstanceProfileCredentials)
46
+ auth_double = instance_double(Vault::Authenticate)
47
+ expect(auth_double).to receive(:aws_iam)
48
+ allow(Vault).to receive(:auth).and_return(auth_double)
49
+ fetcher.validate!
50
+ end
51
+ end
52
+
53
+ context "and using auth_method: :token" do
54
+ it "raises ConfigurationInvalid when no token is provided" do
55
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :token, vault_addr: "https://vault.example.com:8200" }, run_context)
56
+ expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
57
+ end
58
+
59
+ it "authenticates using the token during validation when all configuration is correct" do
60
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :token, token: "t.1234abcd", vault_addr: "https://vault.example.com:8200" }, run_context)
61
+ auth = instance_double(Vault::Authenticate)
62
+ auth_double = instance_double(Vault::Authenticate)
63
+ expect(auth_double).to receive(:token)
64
+ allow(Vault).to receive(:auth).and_return(auth_double)
65
+ fetcher.validate!
66
+ end
67
+ end
68
+ end
69
+
70
+ context "when fetching a secret from Hashi Vault" do
71
+ it "raises an FetchFailed message when no secret is returned due to invalid engine path" do
72
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :invalid, vault_addr: "https://vault.example.com:8200" }, run_context)
73
+ logical_double = instance_double(Vault::Logical)
74
+ expect(logical_double).to receive(:read).and_return nil
75
+ expect(Vault).to receive(:logical).and_return(logical_double)
76
+ expect { fetcher.do_fetch("anything", nil) }.to raise_error(Chef::Exceptions::Secret::FetchFailed)
77
+ end
78
+ end
79
+ end
80
+
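Review bot: The example at new-side line 72 builds the fetcher with `auth_method: :invalid` and then calls `do_fetch` directly, so it presumably passes only because `do_fetch` never runs `validate!`; construct it with a configuration the validator accepts, e.g. `{ auth_method: :token, token: "t.1234abcd", vault_addr: "https://vault.example.com:8200" }`, so the example keeps working if fetching is ever tightened to validate first. The local `auth = instance_double(Vault::Authenticate)` at line 61 is never used and duplicates `auth_double` on the next line; drop it. Nothing here covers the success path of `do_fetch` (a non-nil `Vault::Logical#read` result), so a regression in how the returned secret is unpacked would not be caught by this spec.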
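--- a/data/tasks/rspec.rb
+++ b/data/tasks/rspec.rb
@@ -30,7 +30,8 @@ begin
  puts "--- Running #{gem} specs"
  Bundler.with_unbundled_env do
  puts "Executing tests in #{Dir.pwd}:"
- sh("bundle install --jobs=3 --retry=3 --path=../vendor/bundle")
+ sh("bundle config set --local path 'vendor/bundle'")
+ sh("bundle install --jobs=3 --retry=3")
  sh("bundle exec rake spec")
  end
  end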
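Review bot: `bundle config set --local path 'vendor/bundle'` at new-side line 33 writes a `.bundle/config` into `Dir.pwd` that outlives the task, and it also moves the install location from the parent directory's `../vendor/bundle` to a `vendor/bundle` inside each directory this loop appears to visit, so the bundle is no longer shared between them. If the relocation is intended, a comment such as `# --path is deprecated in Bundler 2; config set --local persists .bundle/config in the gem dir` would save the next reader the question; otherwise pass `'../vendor/bundle'` to keep the old layout. The enclosing `begin` block and the loop that supplies `gem` start outside the hunk.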
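--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: chef
  version: !ruby/object:Gem::Version
- version: 17.4.38
+ version: 17.5.22
  platform: ruby
  authors:
  - Adam Jacob
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2021-08-27 00:00:00.000000000 Z
+ date: 2021-09-24 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: chef-config
@@ -16,28 +16,28 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 17.4.38
+ version: 17.5.22
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 17.4.38
+ version: 17.5.22
  - !ruby/object:Gem::Dependency
  name: chef-utils
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 17.4.38
+ version: 17.5.22
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 17.4.38
+ version: 17.5.22
  - !ruby/object:Gem::Dependency
  name: train-core
  requirement: !ruby/object:Gem::Requirement
@@ -440,6 +440,20 @@ dependencies:
  - - "~>"
  - !ruby/object:Gem::Version
  version: '1.0'
+ - !ruby/object:Gem::Dependency
+ name: aws-sdk-s3
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - "~>"
+ - !ruby/object:Gem::Version
+ version: '1.91'
+ type: :runtime
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - "~>"
+ - !ruby/object:Gem::Version
+ version: '1.91'
  - !ruby/object:Gem::Dependency
  name: aws-sdk-secretsmanager
  requirement: !ruby/object:Gem::Requirement
@@ -454,6 +468,20 @@ dependencies:
  - - "~>"
  - !ruby/object:Gem::Version
  version: '1.46'
+ - !ruby/object:Gem::Dependency
+ name: vault
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - "~>"
+ - !ruby/object:Gem::Version
+ version: '0.16'
+ type: :runtime
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - "~>"
+ - !ruby/object:Gem::Version
+ version: '0.16'
  description: A systems integration framework, built to bring the benefits of configuration
  management to your entire infrastructure.
  email: adam@chef.io
@@ -587,12 +615,18 @@ files:
  - lib/chef/compliance/default_attributes.rb
  - lib/chef/compliance/fetcher/automate.rb
  - lib/chef/compliance/fetcher/chef_server.rb
+ - lib/chef/compliance/input.rb
+ - lib/chef/compliance/input_collection.rb
+ - lib/chef/compliance/profile.rb
+ - lib/chef/compliance/profile_collection.rb
  - lib/chef/compliance/reporter/automate.rb
  - lib/chef/compliance/reporter/chef_server_automate.rb
  - lib/chef/compliance/reporter/cli.rb
  - lib/chef/compliance/reporter/compliance_enforcer.rb
  - lib/chef/compliance/reporter/json_file.rb
  - lib/chef/compliance/runner.rb
+ - lib/chef/compliance/waiver.rb
+ - lib/chef/compliance/waiver_collection.rb
  - lib/chef/config.rb
  - lib/chef/config_fetcher.rb
  - lib/chef/constants.rb
@@ -632,6 +666,7 @@ files:
  - lib/chef/dsl.rb
  - lib/chef/dsl/chef_vault.rb
  - lib/chef/dsl/cheffish.rb
+ - lib/chef/dsl/compliance.rb
  - lib/chef/dsl/data_query.rb
  - lib/chef/dsl/declare_resource.rb
  - lib/chef/dsl/definitions.rb
@@ -639,6 +674,7 @@ files:
  - lib/chef/dsl/include_recipe.rb
  - lib/chef/dsl/platform_introspection.rb
  - lib/chef/dsl/powershell.rb
+ - lib/chef/dsl/reader_helpers.rb
  - lib/chef/dsl/reboot_pending.rb
  - lib/chef/dsl/recipe.rb
  - lib/chef/dsl/registry_helper.rb
@@ -981,7 +1017,9 @@ files:
  - lib/chef/resource/execute.rb
  - lib/chef/resource/file.rb
  - lib/chef/resource/file/verification.rb
+ - lib/chef/resource/file/verification/json.rb
  - lib/chef/resource/file/verification/systemd_unit.rb
+ - lib/chef/resource/file/verification/yaml.rb
  - lib/chef/resource/freebsd_package.rb
  - lib/chef/resource/gem_package.rb
  - lib/chef/resource/group.rb
@@ -1002,6 +1040,8 @@ files:
  - lib/chef/resource/hostname.rb
  - lib/chef/resource/http_request.rb
  - lib/chef/resource/ifconfig.rb
+ - lib/chef/resource/inspec_input.rb
+ - lib/chef/resource/inspec_waiver.rb
  - lib/chef/resource/inspec_waiver_file_entry.rb
  - lib/chef/resource/ips_package.rb
  - lib/chef/resource/kernel_module.rb
@@ -1149,10 +1189,12 @@ files:
  - lib/chef/scan_access_control.rb
  - lib/chef/search/query.rb
  - lib/chef/secret_fetcher.rb
+ - lib/chef/secret_fetcher/akeyless_vault.rb
  - lib/chef/secret_fetcher/aws_secrets_manager.rb
  - lib/chef/secret_fetcher/azure_key_vault.rb
  - lib/chef/secret_fetcher/base.rb
  - lib/chef/secret_fetcher/example.rb
+ - lib/chef/secret_fetcher/hashi_vault.rb
  - lib/chef/server_api.rb
  - lib/chef/server_api_versions.rb
  - lib/chef/shell.rb
@@ -1281,6 +1323,7 @@ files:
  - spec/data/apt/var/www/apt/dists/sid/main/binary-i386/Packages
  - spec/data/apt/var/www/apt/pool/main/c/chef-integration-test/chef-integration-test_1.0-1_amd64.deb
  - spec/data/apt/var/www/apt/pool/main/c/chef-integration-test/chef-integration-test_1.1-1_amd64.deb
+ - spec/data/archive_file/test_archive.tar.gz
  - spec/data/bad-config.rb
  - spec/data/bootstrap/encrypted_data_bag_secret
  - spec/data/bootstrap/no_proxy.erb
@@ -1665,6 +1708,7 @@ files:
  - spec/functional/resource/aix_service_spec.rb
  - spec/functional/resource/aixinit_service_spec.rb
  - spec/functional/resource/apt_package_spec.rb
+ - spec/functional/resource/archive_file_spec.rb
  - spec/functional/resource/bash_spec.rb
  - spec/functional/resource/batch_spec.rb
  - spec/functional/resource/bff_spec.rb
@@ -1769,6 +1813,7 @@ files:
  - spec/support/platforms/prof/win32.rb
  - spec/support/platforms/win32/spec_service.rb
  - spec/support/recipe_dsl_helper.rb
+ - spec/support/ruby_installer.rb
  - spec/support/shared/context/config.rb
  - spec/support/shared/context/win32.rb
  - spec/support/shared/functional/diff_disabled.rb
@@ -1829,10 +1874,13 @@ files:
  - spec/unit/client_spec.rb
  - spec/unit/compliance/fetcher/automate_spec.rb
  - spec/unit/compliance/fetcher/chef_server_spec.rb
+ - spec/unit/compliance/input_spec.rb
+ - spec/unit/compliance/profile_spec.rb
  - spec/unit/compliance/reporter/automate_spec.rb
  - spec/unit/compliance/reporter/chef_server_automate_spec.rb
  - spec/unit/compliance/reporter/compliance_enforcer_spec.rb
  - spec/unit/compliance/runner_spec.rb
+ - spec/unit/compliance/waiver_spec.rb
  - spec/unit/config_fetcher_spec.rb
  - spec/unit/config_spec.rb
  - spec/unit/cookbook/chefignore_spec.rb
@@ -2119,7 +2167,9 @@ files:
  - spec/unit/resource/dsc_resource_spec.rb
  - spec/unit/resource/dsc_script_spec.rb
  - spec/unit/resource/execute_spec.rb
+ - spec/unit/resource/file/verification/json_spec.rb
  - spec/unit/resource/file/verification/systemd_unit_spec.rb
+ - spec/unit/resource/file/verification/yaml_spec.rb
  - spec/unit/resource/file/verification_spec.rb
  - spec/unit/resource/file_spec.rb
  - spec/unit/resource/freebsd_package_spec.rb
@@ -2133,7 +2183,9 @@ files:
  - spec/unit/resource/hostname_spec.rb
  - spec/unit/resource/http_request_spec.rb
  - spec/unit/resource/ifconfig_spec.rb
+ - spec/unit/resource/inspec_input_spec.rb
  - spec/unit/resource/inspec_waiver_file_entry_spec.rb
+ - spec/unit/resource/inspec_waiver_spec.rb
  - spec/unit/resource/ips_package_spec.rb
  - spec/unit/resource/kernel_module_spec.rb
  - spec/unit/resource/ksh_spec.rb
@@ -2260,8 +2312,10 @@ files:
  - spec/unit/runner_spec.rb
  - spec/unit/scan_access_control_spec.rb
  - spec/unit/search/query_spec.rb
+ - spec/unit/secret_fetcher/akeyless_vault_spec.rb
  - spec/unit/secret_fetcher/aws_secrets_manager_spec.rb
  - spec/unit/secret_fetcher/azure_key_vault_spec.rb
+ - spec/unit/secret_fetcher/hashi_vault_spec.rb
  - spec/unit/secret_fetcher_spec.rb
  - spec/unit/server_api_spec.rb
  - spec/unit/server_api_versions_spec.rb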