chef 17.4.38 → 17.7.22

data/lib/chef/secret_fetcher/hashi_vault.rb

@@ -0,0 +1,100 @@
+#
+# Author:: Marc Paradise (<marc@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "base"
+require "aws-sdk-core" # Support for aws instance profile auth
+require "vault"
+class Chef
+  class SecretFetcher
+    # == Chef::SecretFetcher::HashiVault
+    # A fetcher that fetches a secret from Hashi Vault.
+    #
+    # Does not yet support fetching with version when a versioned key store is in use.
+    # In this initial iteration the only supported authentication is IAM role-based
+    #
+    # Required config:
+    # :auth_method - one of :iam_role, :token.  default: :iam_role
+    # :vault_addr - the address of a running Vault instance, eg https://vault.example.com:8200
+    #
+    # For `:token` auth: `:token` - a Vault token valid for authentication.
+    #
+    # For `:iam_role`:  `:role_name` - the name of the role in Vault that was created
+    # to support authentication via IAM.  See the Vault documentation for details[1].
+    # A Terraform example is also available[2]
+    #
+    #
+    # [1] https://www.vaultproject.io/docs/auth/aws#recommended-vault-iam-policy
+    # [2] https://registry.terraform.io/modules/hashicorp/vault/aws/latest/examples/vault-iam-auth
+    #             an IAM principal ARN bound to it.
+    #
+    # Optional config
+    # :namespace - the namespace under which secrets are kept.  Only supported in with Vault Enterprise
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:hashi_vault, { role_name: "testing-role", vault_addr: https://localhost:8200}, run_context )
+    # fetcher.fetch("secretkey1")
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :token, token: "s.1234abcdef", vault_addr: https://localhost:8200}, run_context )
+    # fetcher.fetch("secretkey1")
+    SUPPORTED_AUTH_TYPES = %i{iam_role token}.freeze
+    class HashiVault < Base
+
+      # Validate and authenticate the current session using the configured auth strategy and parameters
+      def validate!
+        if config[:vault_addr].nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the Vault address in the configuration as :vault_addr")
+        end
+
+        Vault.address = config[:vault_addr]
+        Vault.namespace = config[:namespace] unless config[:namespace].nil?
+
+        case config[:auth_method]
+        when :token
+          if config[:token].nil?
+            raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the token in the configuration as :token")
+          end
+
+          Vault.auth.token(config[:token])
+        when :iam_role, nil
+          if config[:role_name].nil?
+            raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name")
+          end
+
+          Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new)
+        else
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("Invalid :auth_method provided.  You gave #{config[:auth_method]}, expected one of :#{SUPPORTED_AUTH_TYPES.join(", :")} ")
+        end
+      end
+
+      # @param identifier [String] Identifier of the secret to be fetched, which should
+      # be the full path of that secret, eg 'secret/example'
+      # @param _version [String] not used in this implementation
+      # @return [Hash] containing key/value pairs stored at the location given in 'identifier'
+      def do_fetch(identifier, _version)
+        result = Vault.logical.read(identifier)
+        raise Chef::Exceptions::Secret::FetchFailed.new("No secret found at #{identifier}. Check to ensure that there is a secrets engine configured for that path") if result.nil?
+
+        result.data
+      end
+    end
+  end
+end
+

data/lib/chef/secret_fetcher.rb

@@ -21,7 +21,7 @@ require_relative "exceptions"
 class Chef
   class SecretFetcher
 
-    SECRET_FETCHERS = %i{example aws_secrets_manager azure_key_vault}.freeze
+    SECRET_FETCHERS = %i{example aws_secrets_manager azure_key_vault hashi_vault akeyless_vault}.freeze
 
     # Returns a configured and validated instance
     # of a [Chef::SecretFetcher::Base]  for the given
@@ -42,14 +42,19 @@ class Chef
                 when :azure_key_vault
                   require_relative "secret_fetcher/azure_key_vault"
                   Chef::SecretFetcher::AzureKeyVault.new(config, run_context)
+                when :hashi_vault
+                  require_relative "secret_fetcher/hashi_vault"
+                  Chef::SecretFetcher::HashiVault.new(config, run_context)
+                when :akeyless_vault
+                  require_relative "secret_fetcher/akeyless_vault"
+                  Chef::SecretFetcher::AKeylessVault.new(config, run_context)
                 when nil, ""
                   raise Chef::Exceptions::Secret::MissingFetcher.new(SECRET_FETCHERS)
                 else
-                  raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: #{service}", SECRET_FETCHERS)
+                  raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: '#{service}'", SECRET_FETCHERS)
                 end
       fetcher.validate!
       fetcher
     end
   end
 end
-

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("..", __dir__)
-  VERSION = Chef::VersionString.new("17.4.38")
+  VERSION = Chef::VersionString.new("17.7.22")
 end
 
 #

data/lib/chef/win32/version.rb

@@ -49,7 +49,8 @@ class Chef
       private_class_method :method_name_from_marketing_name
 
       WIN_VERSIONS = {
-        "Windows Server 2019" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number >= 17763 } },
+        "Windows Server 2022" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number >= 20348 } },
+        "Windows Server 2019" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number >= 17763 && build_number < 20348 } },
         "Windows 10" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION } },
         "Windows Server 2016" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number <= 14393 } },
         "Windows 8.1" => { major: 6, minor: 3, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION } },

data/spec/functional/dsl/reboot_pending_spec.rb

@@ -39,8 +39,8 @@ describe Chef::DSL::RebootPending, :windows_only do
     let(:reg_key) { nil }
     let(:original_set) { false }
 
-    describe 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations' do
-      let(:reg_key) { 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager' }
+    describe "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations" do
+      let(:reg_key) { "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" }
       let(:original_set) { registry.value_exists?(reg_key, { name: "PendingFileRenameOperations" }) }
 
       it "returns true if the registry value exists" do
@@ -78,7 +78,7 @@ describe Chef::DSL::RebootPending, :windows_only do
 
     describe "when there is nothing to indicate a reboot is pending" do
       it "should return false" do
-        skip "reboot pending" if registry_value_exists?('HKLM\SYSTEM\CurrentControlSet\Control\Session Manager', { name: "PendingFileRenameOperations" }) ||
+        skip "reboot pending" if registry_value_exists?("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager", { name: "PendingFileRenameOperations" }) ||
           registry_key_exists?('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') ||
           registry_key_exists?('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
         expect(recipe.reboot_pending?).to be_falsey

data/spec/functional/dsl/registry_helper_spec.rb

@@ -24,7 +24,7 @@ describe Chef::Resource::RegistryKey, :windows_only do
   before(:all) do
     ::Win32::Registry::HKEY_CURRENT_USER.create "Software\\Root"
     ::Win32::Registry::HKEY_CURRENT_USER.create "Software\\Root\\Branch"
-    ::Win32::Registry::HKEY_CURRENT_USER.open('Software\\Root', Win32::Registry::KEY_ALL_ACCESS) do |reg|
+    ::Win32::Registry::HKEY_CURRENT_USER.open("Software\\Root", Win32::Registry::KEY_ALL_ACCESS) do |reg|
       reg["RootType1", Win32::Registry::REG_SZ] = "fibrous"
       reg.write("Roots", Win32::Registry::REG_MULTI_SZ, ["strong roots", "healthy tree"])
     end

data/spec/functional/resource/archive_file_spec.rb

@@ -0,0 +1,87 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+require "tmpdir"
+
+# Exclude this test on platforms where ffi-libarchive loading is broken
+describe Chef::Resource::ArchiveFile, :libarchive_loading_broken do
+  include RecipeDSLHelper
+
+  let(:tmp_path) { Dir.mktmpdir }
+  let(:extract_destination) { "#{tmp_path}/extract_here" }
+  let(:test_archive_path) { File.expand_path("archive_file/test_archive.tar.gz", CHEF_SPEC_DATA) }
+
+  after do
+    FileUtils.remove_entry_secure(extract_destination) if File.exist?(extract_destination)
+  end
+
+  context "when strip_components is 0" do
+    it "extracts archive to destination" do
+      af = archive_file test_archive_path do
+        destination extract_destination
+      end
+      af.should_be_updated
+
+      expect(af.strip_components).to eq(0) # Validate defaults haven't changed here
+      expect(Dir.glob("#{extract_destination}/**/*").length).to eq(4)
+      expect(Dir.exist?("#{extract_destination}/folder-1")).to eq(true)
+      expect(File.exist?("#{extract_destination}/folder-1/file-1.txt")).to eq(true)
+      expect(Dir.exist?("#{extract_destination}/folder-1/folder-2")).to eq(true)
+      expect(File.exist?("#{extract_destination}/folder-1/folder-2/file-2.txt")).to eq(true)
+    end
+  end
+
+  context "when strip_components is 1" do
+    it "extracts archive to destination, with 1 component stripped" do
+      archive_file test_archive_path do
+        destination extract_destination
+        strip_components 1
+      end.should_be_updated
+
+      expect(Dir.exist?("#{extract_destination}/folder-1")).to eq(false)
+      expect(File.exist?("#{extract_destination}/folder-1/file-1.txt")).to eq(false)
+      expect(Dir.exist?("#{extract_destination}/folder-1/folder-2")).to eq(false)
+      expect(File.exist?("#{extract_destination}/folder-1/folder-2/file-2.txt")).to eq(false)
+
+      expect(Dir.glob("#{extract_destination}/**/*").length).to eq(3)
+      expect(File.exist?("#{extract_destination}/file-1.txt")).to eq(true)
+      expect(Dir.exist?("#{extract_destination}/folder-2")).to eq(true)
+      expect(File.exist?("#{extract_destination}/folder-2/file-2.txt")).to eq(true)
+    end
+  end
+
+  context "when strip_components is 2" do
+    it "extracts archive to destination, with 2 components stripped" do
+      archive_file test_archive_path do
+        destination extract_destination
+        strip_components 2
+      end.should_be_updated
+
+      expect(Dir.exist?("#{extract_destination}/folder-1")).to eq(false)
+      expect(File.exist?("#{extract_destination}/folder-1/file-1.txt")).to eq(false)
+      expect(Dir.exist?("#{extract_destination}/folder-1/folder-2")).to eq(false)
+      expect(File.exist?("#{extract_destination}/folder-1/folder-2/file-2.txt")).to eq(false)
+      expect(File.exist?("#{extract_destination}/file-1.txt")).to eq(false)
+      expect(Dir.exist?("#{extract_destination}/folder-2")).to eq(false)
+      expect(File.exist?("#{extract_destination}/folder-2/file-2.txt")).to eq(false)
+
+      expect(Dir.glob("#{extract_destination}/**/*").length).to eq(1)
+      expect(File.exist?("#{extract_destination}/file-2.txt")).to eq(true)
+    end
+  end
+end

data/spec/functional/resource/dsc_script_spec.rb

@@ -85,7 +85,7 @@ describe Chef::Resource::DscScript, :windows_powershell_dsc_only, :ruby64_only d
   let(:dsc_test_resource_base) do
     Chef::Resource::DscScript.new(dsc_test_resource_name, dsc_test_run_context)
   end
-  let(:test_registry_key) { 'HKEY_LOCAL_MACHINE\Software\Chef\Spec\Functional\Resource\dsc_script_spec' }
+  let(:test_registry_key) { "HKEY_LOCAL_MACHINE\\Software\\Chef\\Spec\\Functional\\Resource\\dsc_script_spec" }
   let(:test_registry_value) { "Registration" }
   let(:test_registry_data1) { "LL927" }
   let(:test_registry_data2) { "LL928" }
@@ -394,7 +394,7 @@ describe Chef::Resource::DscScript, :windows_powershell_dsc_only, :ruby64_only d
       dsc_test_run_context.node.consume_external_attrs(OHAI_SYSTEM.data, {})
     end
 
-    let(:configuration_data_path) { 'C:\\configurationdata.psd1' }
+    let(:configuration_data_path) { "C:\\configurationdata.psd1" }
 
     let(:self_signed_cert_path) do
       File.join(CHEF_SPEC_DATA, "dsc_lcm.pfx")

data/spec/functional/resource/group_spec.rb

@@ -44,6 +44,10 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
       members.shift # Get rid of GroupMembership: string
       members.include?(user)
     else
+      # TODO For some reason our temporary AIX 7.2 system does not correctly report group membership immediately after changes have been made.
+      # Adding a 2 second delay for this platform is enough to get correct results.
+      # We hope to remove this delay after we get more permanent AIX 7.2 systems in our CI pipeline. reference: https://github.com/chef/release-engineering/issues/1617
+      sleep 2 if aix? && (ohai[:platform_version] == "7.2")
       Etc.getgrnam(group_name).mem.include?(user)
     end
   end
@@ -181,7 +185,7 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
 
     describe "when the users exist" do
       before do
-        high_uid = 30000
+        high_uid = 40000
         (spec_members).each do |member|
           remove_user(member)
           create_user(member, high_uid)

data/spec/functional/resource/link_spec.rb

@@ -345,9 +345,17 @@ describe Chef::Resource::Link do
             let(:test_user) { "test-link-user" }
             before do
               user(test_user).run_action(:create)
+              # TODO For some reason our temporary AIX 7.2 system does not correctly report user existence immediately after changes have been made.
+              # Adding a 2 second delay for this platform is enough to get correct results.
+              # We hope to remove this delay after we get more permanent AIX 7.2 systems in our CI pipeline. reference: https://github.com/chef/release-engineering/issues/1617
+              sleep 2 if aix? && (ohai[:platform_version] == "7.2")
             end
             after do
               user(test_user).run_action(:remove)
+              # TODO For some reason our temporary AIX 7.2 system does not correctly report user existence immediately after changes have been made.
+              # Adding a 2 second delay for this platform is enough to get correct results.
+              # We hope to remove this delay after we get more permanent AIX 7.2 systems in our CI pipeline. reference: https://github.com/chef/release-engineering/issues/1617
+              sleep 2 if aix? && (ohai[:platform_version] == "7.2")
             end
             before(:each) do
               resource.owner(test_user)

data/spec/functional/resource/macos_userdefaults_spec.rb

@@ -0,0 +1,119 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+require "spec_helper"
+
+describe Chef::Resource::MacosUserDefaults, :macos_only, requires_root: true do
+  def create_resource
+    node = Chef::Node.new
+    events = Chef::EventDispatch::Dispatcher.new
+    run_context = Chef::RunContext.new(node, {}, events)
+    resource = Chef::Resource::MacosUserDefaults.new("test", run_context)
+    resource
+  end
+
+  let(:resource) do
+    create_resource
+  end
+
+  context "has a default value" do
+    it ":macos_userdefaults for resource name" do
+      expect(resource.name).to eq("test")
+    end
+
+    it "NSGlobalDomain for the domain property" do
+      expect(resource.domain).to eq("NSGlobalDomain")
+    end
+
+    it "nil for the host property" do
+      expect(resource.host).to be_nil
+    end
+
+    it "nil for the user property" do
+      expect(resource.user).to be_nil
+    end
+
+    it ":write for resource action" do
+      expect(resource.action).to eq([:write])
+    end
+  end
+
+  it "supports :write, :delete actions" do
+    expect { resource.action :write }.not_to raise_error
+    expect { resource.action :delete }.not_to raise_error
+  end
+
+  context "can process expected data" do
+    it "set array values" do
+      resource.domain "/Library/Preferences/ManagedInstalls"
+      resource.key "TestArrayValues"
+      resource.value [ "/Library/Managed Installs/fake.log", "/Library/Managed Installs/also_fake.log"]
+      resource.run_action(:write)
+      expect(resource.get_preference resource).to eq([ "/Library/Managed Installs/fake.log", "/Library/Managed Installs/also_fake.log"])
+    end
+
+    it "set dictionary value" do
+      resource.domain "/Library/Preferences/ManagedInstalls"
+      resource.key "TestDictionaryValues"
+      resource.value "User": "/Library/Managed Installs/way_fake.log"
+      resource.run_action(:write)
+      expect(resource.get_preference resource).to eq("User" => "/Library/Managed Installs/way_fake.log")
+    end
+
+    it "set array of dictionaries" do
+      resource.domain "/Library/Preferences/ManagedInstalls"
+      resource.key "TestArrayWithDictionary"
+      resource.value [ { "User": "/Library/Managed Installs/way_fake.log" } ]
+      resource.run_action(:write)
+      expect(resource.get_preference resource).to eq([ { "User" => "/Library/Managed Installs/way_fake.log" } ])
+    end
+
+    it "set boolean for preference value" do
+      resource.domain "/Library/Preferences/ManagedInstalls"
+      resource.key "TestBooleanValue"
+      resource.value true
+      resource.run_action(:write)
+      expect(resource.get_preference resource).to eq(true)
+    end
+
+    it "sets value to global domain when domain is not passed" do
+      resource.key "TestKey"
+      resource.value 1
+      resource.run_action(:write)
+      expect(resource.get_preference resource).to eq(1)
+    end
+
+    it "short domain names" do
+      resource.domain "com.apple.dock"
+      resource.key "titlesize"
+      resource.value "20"
+      resource.run_action(:write)
+      expect(resource.get_preference resource).to eq("20")
+    end
+  end
+
+  it "we can delete a preference with full path" do
+    resource.domain "/Library/Preferences/ManagedInstalls"
+    resource.key "TestKey"
+    expect { resource.run_action(:delete) }. to_not raise_error
+  end
+
+  it "we can delete a preference with short name" do
+    resource.domain "com.apple.dock"
+    resource.key "titlesize"
+    expect { resource.run_action(:delete) }. to_not raise_error
+  end
+end

data/spec/functional/resource/powershell_package_source_spec.rb

@@ -22,7 +22,7 @@ describe Chef::Resource::PowershellPackageSource, :windows_gte_10 do
   include Chef::Mixin::PowershellExec
 
   let(:source_name) { "fake" }
-  let(:url) { "https://www.nuget.org/api/v2" }
+  let(:source_location) { "https://www.nuget.org/api/v2" }
   let(:trusted) { true }
 
   let(:run_context) do
@@ -32,7 +32,7 @@ describe Chef::Resource::PowershellPackageSource, :windows_gte_10 do
   subject do
     new_resource = Chef::Resource::PowershellPackageSource.new("test powershell package source", run_context)
     new_resource.source_name source_name
-    new_resource.url url
+    new_resource.source_location source_location
     new_resource.trusted trusted
     new_resource.provider_name provider_name
     new_resource
@@ -61,7 +61,7 @@ describe Chef::Resource::PowershellPackageSource, :windows_gte_10 do
       it "updates an existing package source if changed" do
         subject.run_action(:register)
         subject.trusted !trusted
-        subject.run_action(:register)
+        subject.run_action(:set)
         expect(subject).to be_updated_by_last_action
       end
     end
@@ -73,9 +73,8 @@ describe Chef::Resource::PowershellPackageSource, :windows_gte_10 do
         expect(get_installed_package_source_name).to be_empty
       end
 
-      it "does not unregister the package source if not already installed" do
-        subject.run_action(:unregister)
-        expect(subject).not_to be_updated_by_last_action
+      it "does not unregister the package source if not installed" do
+        expect { subject.run_action(:unregister) }.to_not raise_error
       end
     end
   end