chef 17.5.22 → 17.7.29

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bfe0cb34ad720e2647118256d4260f209cd36d73e6ccedf079a67489963901c1
-  data.tar.gz: bc5229775dbb96f3f61cf2d11dfa16de3c0e2de6567169ed11cea54502a18679
+  metadata.gz: c14c01fc55c7847b27979c41e01be0dd845b69840fc048e7abeb8787156bae23
+  data.tar.gz: 44676d2fe03cc4306efaa4c33f48a9eb3e2d6d736962bcd441ffc4bd0c371621
 SHA512:
-  metadata.gz: afce77f4964d02364b91be0128053ac2f866a41225308dd68d857d468c660d774450d95926e86615818791a37c9c6930c1ed1fdae4145f483f35dd633413ae1d
-  data.tar.gz: 8db608f6151726772e05ac054fb31d37da4e21e16101f383d70eed9622d88b1362573e56d2eed50b38cd7fd5258631d3b99db7f9f6e26415d9a48a751a4a78a7
+  metadata.gz: 768707842ce349798c256c91d2202c5c7b7f931d63ca53eb9454ed6b424f3a11b38b2c9b94c4c4177959ff179029831a9cca3d3233afa5d2ba7dcd90afba3c23
+  data.tar.gz: 9a3a715294581c43a663387a3462c745d6bab3a44736ab9bf87e607cfa5cfa7a920de90a918225e05b08a8962b52103c792d97b586d69ef32023afb1e45dc11c

data/Gemfile

@@ -39,6 +39,11 @@ group(:ruby_shadow) do
   gem "ruby-shadow", git: "https://github.com/chef/ruby-shadow", branch: "lcg/ruby-3.0", platforms: :ruby
 end
 
+# deps that cannot be put in the knife gem because they require a compiler and fail on windows nodes
+group(:knife_windows_deps) do
+  gem "ed25519", "~> 1.2" # ed25519 ssh key support
+end
+
 group(:development, :test) do
   gem "rake"
   gem "rspec"

data/chef.gemspec

@@ -52,6 +52,7 @@ Gem::Specification.new do |s|
   s.add_dependency "addressable"
   s.add_dependency "syslog-logger", "~> 1.6"
   s.add_dependency "uuidtools", ">= 2.1.5", "< 3.0" # osx_profile resource
+  s.add_dependency "corefoundation", "~> 0.3.4" # macos_userdefaults resource
 
   s.add_dependency "proxifier", "~> 1.0"
 

data/lib/chef/chef_fs/file_pattern.rb

@@ -276,7 +276,7 @@ class Chef
               regexp << ".*"
             when "*"
               exact = nil
-              regexp << '[^\/]*'
+              regexp << "[^\\/]*"
             when "?"
               exact = nil
               regexp << "."

data/lib/chef/chef_fs/path_utils.rb

@@ -58,7 +58,7 @@ class Chef
       end
 
       def self.regexp_path_separator
-        ChefUtils.windows? ? '[\/\\\\]' : "/"
+        ChefUtils.windows? ? "[\\/\\\\]" : "/"
       end
 
       # Given a server path, determines if it is absolute.

data/lib/chef/data_collector/run_end_message.rb

@@ -128,7 +128,7 @@ class Chef
 
           if new_resource.cookbook_name
             hash["cookbook_name"]    = new_resource.cookbook_name
-            hash["cookbook_version"] = new_resource.cookbook_version.version
+            hash["cookbook_version"] = new_resource.cookbook_version&.version
             hash["recipe_name"]      = new_resource.recipe_name
           end
 

data/lib/chef/dsl/reboot_pending.rb

@@ -37,7 +37,7 @@ class Chef
           # due to a file being in use (usually a temporary file and a system file)
           # \??\c:\temp\test.sys!\??\c:\winnt\system32\test.sys
           # http://technet.microsoft.com/en-us/library/cc960241.aspx
-          registry_value_exists?('HKLM\SYSTEM\CurrentControlSet\Control\Session Manager', { name: "PendingFileRenameOperations" }) ||
+          registry_value_exists?("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager", { name: "PendingFileRenameOperations" }) ||
 
             # RebootRequired key contains Update IDs with a value of 1 if they require a reboot.
             # The existence of RebootRequired alone is sufficient on my Windows 8.1 workstation in Windows Update

data/lib/chef/exceptions.rb

@@ -308,6 +308,16 @@ class Chef
           super("No secret service provided. Supported services are: :#{fetcher_service_names.join(" :")}")
         end
       end
+
+      class Azure
+        class IdentityNotFound < RuntimeError
+          def initialize
+            super("The managed identity could not be found. This could mean one of the following things:\n\n" \
+                  "  1. The VM has no system or user assigned identities.\n" \
+                  "  2. The managed identity object_id or client_id that was specified is not assigned to the VM.\n")
+          end
+        end
+      end
     end
 
     # Exception class for collecting multiple failures. Used when running

data/lib/chef/provider/cron.rb

@@ -100,7 +100,10 @@ class Chef
         newcron = get_crontab_entry
 
         if @cron_exists
-          unless cron_different?
+          # Only compare the crontab if the current resource has a set command.
+          # This may not be set in cases where the Chef comment exists but the
+          # crontab command was commented out.
+          if current_resource.property_is_set?(:command) && !cron_different?
             logger.debug("#{new_resource}: Skipping existing cron entry")
             return
           end

data/lib/chef/provider/git.rb

@@ -28,7 +28,7 @@ class Chef
       extend Forwardable
       provides :git
 
-      GIT_VERSION_PATTERN = Regexp.compile('git version (\d+\.\d+.\d+)')
+      GIT_VERSION_PATTERN = Regexp.compile("git version (\\d+\\.\\d+.\\d+)")
 
       def_delegator :new_resource, :destination, :cwd
 

data/lib/chef/provider/ifconfig/debian.rb

@@ -87,7 +87,7 @@ iface <%= new_resource.device %> <%= new_resource.family %> static
           directory INTERFACES_DOT_D_DIR
 
           # roll our own file_edit resource, this will not get reported until we have a file_edit resource
-          interfaces_dot_d_for_regexp = INTERFACES_DOT_D_DIR.gsub(/\./, '\.') # escape dots for the regexp
+          interfaces_dot_d_for_regexp = INTERFACES_DOT_D_DIR.gsub(/\./, "\\.") # escape dots for the regexp
           regexp = %r{^\s*source\s+#{interfaces_dot_d_for_regexp}/\*\s*$}
 
           return if ::File.exist?(INTERFACES_FILE) && regexp.match(IO.read(INTERFACES_FILE))

data/lib/chef/provider/package/habitat.rb

@@ -108,7 +108,7 @@ class Chef
               headers["Authorization"] = "Bearer #{new_resource.auth_token}" if new_resource.auth_token
 
               Chef::JSONCompat.parse(http.get(url, headers))
-            rescue Net::HTTPServerException
+            rescue Net::HTTPClientException
               nil
             end
         end

data/lib/chef/provider/subversion.rb

@@ -58,7 +58,7 @@ class Chef
       action :checkout, description: "Clone or check out the source. When a checkout is available, this provider does nothing." do
         if target_dir_non_existent_or_empty?
           converge_by("perform checkout of #{new_resource.repository} into #{new_resource.destination}") do
-            shell_out!(checkout_command, run_options)
+            shell_out!(checkout_command, **run_options)
           end
         else
           logger.debug "#{new_resource} checkout destination #{new_resource.destination} already exists or is a non-empty directory - nothing to do"
@@ -75,7 +75,7 @@ class Chef
 
       action :force_export, description: "Export the source, excluding or removing any version control artifacts and force an export of the source that is overwriting the existing copy (if it exists)." do
         converge_by("export #{new_resource.repository} into #{new_resource.destination}") do
-          shell_out!(export_command, run_options)
+          shell_out!(export_command, **run_options)
         end
       end
 
@@ -86,7 +86,7 @@ class Chef
           logger.trace "#{new_resource} current revision: #{current_rev} target revision: #{revision_int}"
           unless current_revision_matches_target_revision?
             converge_by("sync #{new_resource.destination} from #{new_resource.repository}") do
-              shell_out!(sync_command, run_options)
+              shell_out!(sync_command, **run_options)
               logger.info "#{new_resource} updated to revision: #{revision_int}"
             end
           end
@@ -125,7 +125,7 @@ class Chef
                             new_resource.revision
                           else
                             command = scm(:info, new_resource.repository, new_resource.svn_info_args, authentication, "-r#{new_resource.revision}")
-                            svn_info = shell_out!(command, run_options(cwd: cwd, returns: [0, 1])).stdout
+                            svn_info = shell_out!(command, **run_options(cwd: cwd, returns: [0, 1])).stdout
 
                             extract_revision_info(svn_info)
                           end
@@ -137,7 +137,7 @@ class Chef
         return nil unless ::File.exist?(::File.join(new_resource.destination, ".svn"))
 
         command = scm(:info)
-        svn_info = shell_out!(command, run_options(cwd: cwd, returns: [0, 1])).stdout
+        svn_info = shell_out!(command, **run_options(cwd: cwd, returns: [0, 1])).stdout
 
         extract_revision_info(svn_info)
       end

data/lib/chef/resource/archive_file.rb

@@ -82,7 +82,7 @@ class Chef
         default: false
 
       property :strip_components, Integer,
-        description: "Remove the specified number of leading path elements.  Pathnames with fewer elements will be silently skipped. This behaves similarly to tar's --strip-components command line argument.",
+        description: "Remove the specified number of leading path elements. Pathnames with fewer elements will be silently skipped. This behaves similarly to tar's --strip-components command line argument.",
         introduced: "17.5",
         default: 0
 

data/lib/chef/resource/chef_client_trusted_certificate.rb

@@ -75,6 +75,7 @@ class Chef
         file cert_path do
           content new_resource.certificate
           mode "0640"
+          sensitive new_resource.sensitive
         end
       end
 

data/lib/chef/resource/chocolatey_config.rb

@@ -21,7 +21,7 @@ class Chef
 
       provides :chocolatey_config
 
-      description "Use the **chocolatey_config** resource to add or remove Chocolatey configuration keys."
+      description "Use the **chocolatey_config** resource to add or remove Chocolatey configuration keys. Note: The Chocolatey package manager is not installed on Windows by default. You will need to install it prior to using this resource by adding the [Chocolatey cookbook](https://supermarket.chef.io/cookbooks/chocolatey/) to your node's run list."
       introduced "14.3"
       examples <<~DOC
       **Set the Chocolatey cacheLocation config**:

data/lib/chef/resource/chocolatey_feature.rb

@@ -20,7 +20,7 @@ class Chef
       unified_mode true
       provides :chocolatey_feature
 
-      description "Use the **chocolatey_feature** resource to enable and disable Chocolatey features."
+      description "Use the **chocolatey_feature** resource to enable and disable Chocolatey features. Note: The Chocolatey package manager is not installed on Windows by default. You will need to install it prior to using this resource by adding the [Chocolatey cookbook](https://supermarket.chef.io/cookbooks/chocolatey/) to your node's run list."
       introduced "15.1"
       examples <<~DOC
         **Enable the checksumFiles Chocolatey feature**

data/lib/chef/resource/chocolatey_source.rb

@@ -20,7 +20,7 @@ class Chef
       unified_mode true
       provides :chocolatey_source
 
-      description "Use the **chocolatey_source** resource to add, remove, enable, or disable Chocolatey sources."
+      description "Use the **chocolatey_source** resource to add, remove, enable, or disable Chocolatey sources. Note: The Chocolatey package manager is not installed on Windows by default. You will need to install it prior to using this resource by adding the [Chocolatey cookbook](https://supermarket.chef.io/cookbooks/chocolatey/) to your node's run list."
       introduced "14.3"
       examples <<~DOC
         **Add a Chocolatey source**
@@ -63,6 +63,22 @@ class Chef
 
       property :disabled, [TrueClass, FalseClass], default: false, desired_state: false, skip_docs: true
 
+      property :username, String,
+               description: "The username to use when authenticating against the source",
+               introduced: "17.7"
+
+      property :password, String, sensitive: true, desired_state: false,
+               description: "The password to use when authenticating against the source",
+               introduced: "17.7"
+
+      property :cert, String,
+               description: "The certificate to use when authenticating against the source",
+               introduced: "17.7"
+
+      property :cert_password, String, sensitive: true, desired_state: false,
+               description: "The password for the certificate to use when authenticating against the source",
+               introduced: "17.7"
+
       load_current_value do
         element = fetch_source_element(source_name)
         current_value_does_not_exist! if element.nil?
@@ -74,6 +90,8 @@ class Chef
         allow_self_service element["selfService"] == "true"
         priority element["priority"].to_i
         disabled element["disabled"] == "true"
+        username element["user"]
+        cert element["certificate"]
       end
 
       # @param [String] id the source name
@@ -129,10 +147,14 @@ class Chef
         def choco_cmd(action)
           cmd = "#{ENV["ALLUSERSPROFILE"]}\\chocolatey\\bin\\choco source #{action} -n \"#{new_resource.source_name}\""
           if action == "add"
-            cmd << " -s #{new_resource.source} --priority=#{new_resource.priority}"
+            cmd << " --source=\"#{new_resource.source}\" --priority=#{new_resource.priority}"
             cmd << " --bypassproxy" if new_resource.bypass_proxy
             cmd << " --allowselfservice" if new_resource.allow_self_service
             cmd << " --adminonly" if new_resource.admin_only
+            cmd << " --user=\"#{new_resource.username}\"" if new_resource.username
+            cmd << " --password=\"#{new_resource.password}\"" if new_resource.password
+            cmd << " --cert=\"#{new_resource.cert}\"" if new_resource.cert
+            cmd << " --certpassword=\"#{new_resource.cert_password}\"" if new_resource.cert_password
           end
           cmd
         end

data/lib/chef/resource/directory.rb

@@ -46,7 +46,7 @@ class Chef
                description: "The path to the directory. Using a fully qualified path is recommended, but is not always required."
 
       property :recursive, [ TrueClass, FalseClass ],
-        description: "Create or delete parent directories recursively. For the owner, group, and mode properties, the value of this property applies only to the leaf directory.",
+        description: "Create parent directories recursively, or delete directory and all children recursively. For the owner, group, and mode properties, the value of this property applies only to the leaf directory.",
         default: false
     end
   end

data/lib/chef/resource/habitat_install.rb

@@ -52,8 +52,8 @@ class Chef
       property :name, String, default: "install habitat",
         description: "Name of the resource block. This has no impact other than logging."
 
-      property :install_url, String, default: "https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh",
-        description: "URL to the install script, default is from the [habitat repo](https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh) ."
+      property :install_url, String, default: "https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.sh",
+        description: "URL to the install script, default is from the [habitat repo](https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.sh) ."
 
       property :bldr_url, String,
         description: "Optional URL to an alternate Habitat Builder."
@@ -95,10 +95,10 @@ class Chef
             path habfile
             destination "#{Chef::Config[:file_cache_path]}/habitat"
             action :extract
-            not_if { ::Dir.exist?('c:\habitat') }
+            not_if { ::Dir.exist?("c:\\habitat") }
           end
 
-          directory 'c:\habitat' do
+          directory "c:\\habitat" do
             notifies :run, "powershell_script[installing from archive]", :immediately
           end
 
@@ -110,7 +110,7 @@ class Chef
           end
 
           # TODO: This won't self heal if missing until the next upgrade
-          windows_path 'C:\habitat' do
+          windows_path "C:\\habitat" do
             action :add
           end
         else

data/lib/chef/resource/inspec_input.rb

@@ -56,13 +56,13 @@ class Chef
         end
       ```
 
-      **Add an InSpec input to the Compliance Phase using a TOML, JSON or YAML file**:
+      **Add an InSpec input to the Compliance Phase using a TOML, JSON, or YAML file**:
 
       ```ruby
         inspec_input "/path/to/my/input.yml"
       ```
 
-      **Add an InSpec input to the Compliance Phase using a TOML, JSON or YAML file, using the 'name' property**:
+      **Add an InSpec input to the Compliance Phase using a TOML, JSON, or YAML file, using the 'name' property**:
 
       ```ruby
         inspec_input "setting my input" do
@@ -70,12 +70,11 @@ class Chef
         end
       ```
 
-      Note that the inspec_input resource does not update and will not fire notifications (similar to the log resource).  This is done to preserve the ability to use
-      the resource while not causing the updated resource count to be larger than zero.  Since the resource does not update the state of the node being managed this
-      behavior is still consistent with the configuration management model.  Events should be used to observe configuration changes for the compliance phase.  It is
-      possible to use the `notify_group` resource to chain notifications of the two resources, but notifications are the wrong model to use and pure ruby conditionals
-      should be used instead.  Compliance configuration should be independent of other resources and should only be made conditional based on state/attributes not
-      on other resources.
+      Note that the **inspec_input** resource does not update and will not fire notifications (similar to the log resource). This is done to preserve the ability to use
+      the resource while not causing the updated resource count to be larger than zero. Since the resource does not update the state of the managed node, this behavior
+      is still consistent with the configuration management model. Instead, you should use events to observe configuration changes for the compliance phase. It is
+      possible to use the `notify_group` resource to chain notifications of the two resources, but notifications are the wrong model to use, and you should use pure ruby
+      conditionals instead. Compliance configuration should be independent of other resources and should only be conditional based on state/attributes, not other resources.
       DOC
 
       property :name, [ Hash, String ]

data/lib/chef/resource/inspec_waiver.rb

@@ -62,7 +62,7 @@ class Chef
         end
       ```
 
-      **Add an InSpec waiver to the Compliance Phase using an arbitrary YAML, JSON or TOML file**:
+      **Add an InSpec waiver to the Compliance Phase using an arbitrary YAML, JSON, or TOML file**:
 
       ```ruby
         # files ending in .yml or .yaml that exist are parsed as YAML
@@ -101,12 +101,11 @@ class Chef
         end
       ```
 
-      Note that the inspec_waiver resource does not update and will not fire notifications (similar to the log resource).  This is done to preserve the ability to use
-      the resource while not causing the updated resource count to be larger than zero.  Since the resource does not update the state of the node being managed this
-      behavior is still consistent with the configuration management model.  Events should be used to observe configuration changes for the compliance phase.  It is
-      possible to use the `notify_group` resource to chain notifications of the two resources, but notifications are the wrong model to use and pure ruby conditionals
-      should be used instead.  Compliance configuration should be independent of other resources and should only be made conditional based on state/attributes not
-      on other resources.
+      Note that the **inspec_waiver** resource does not update and will not fire notifications (similar to the log resource). This is done to preserve the ability to use
+      the resource while not causing the updated resource count to be larger than zero. Since the resource does not update the state of the managed node, this behavior
+      is still consistent with the configuration management model. Instead, you should use events to observe configuration changes for the compliance phase. It is
+      possible to use the `notify_group` resource to chain notifications of the two resources, but notifications are the wrong model to use, and you should use pure ruby
+      conditionals instead. Compliance configuration should be independent of other resources and should only be conditional based on state/attributes, not other resources.
       DOC
 
       property :control, String,
@@ -117,7 +116,7 @@ class Chef
         description: "The expiration date of the waiver - provided in YYYY-MM-DD format",
         callbacks: {
           "Expiration date should be a valid calendar date and match the following format: YYYY-MM-DD" => proc { |e|
-            re = Regexp.new('\d{4}-\d{2}-\d{2}$').freeze
+            re = Regexp.new("\\d{4}-\\d{2}-\\d{2}$").freeze
             if re.match?(e)
               Date.valid_date?(*e.split("-").map(&:to_i))
             else

data/lib/chef/resource/inspec_waiver_file_entry.rb

@@ -74,7 +74,7 @@ class Chef
         description: "The expiration date of the given waiver - provided in YYYY-MM-DD format",
         callbacks: {
           "Expiration date should be a valid calendar date and match the following format: YYYY-MM-DD" => proc { |e|
-            re = Regexp.new('\d{4}-\d{2}-\d{2}$').freeze
+            re = Regexp.new("\\d{4}-\\d{2}-\\d{2}$").freeze
             if re.match?(e)
               Date.valid_date?(*e.split("-").map(&:to_i))
             else

data/lib/chef/resource/kernel_module.rb

@@ -15,7 +15,7 @@ class Chef
 
       provides :kernel_module
 
-      description "Use the **kernel_module** resource to manage kernel modules on Linux systems. This resource can load, unload, blacklist, disable, install, and uninstall modules."
+      description "Use the **kernel_module** resource to manage kernel modules on Linux systems. This resource can load, unload, blacklist, disable, enable, install, and uninstall modules."
       introduced "14.3"
       examples <<~DOC
         Install and load a kernel module, and ensure it loads on reboot.
@@ -68,13 +68,21 @@ class Chef
         end
         ```
 
-        Disable a kernel module.
+        Disable a kernel module so that it is not installable.
 
         ```ruby
         kernel_module 'loop' do
           action :disable
         end
         ```
+
+        Enable a kernel module so that it is can be installed.  Does not load or install.
+
+        ```ruby
+        kernel_module 'loop' do
+          action :enable
+        end
+        ```
       DOC
 
       property :modname, String,
@@ -101,6 +109,9 @@ class Chef
           end
         end
 
+        # Remove the "disable file" before trying to install
+        action_enable
+
         # create options file before loading the module
         unless new_resource.options.nil?
           file "#{new_resource.unload_dir}/options_#{new_resource.modname}.conf" do
@@ -178,6 +189,20 @@ class Chef
         action_unload
       end
 
+      action :enable, description: "Enable a kernel module.  Reverse :disable actions" do
+        with_run_context :root do
+          find_resource(:execute, "update initramfs") do
+            command initramfs_command
+            action :nothing
+          end
+        end
+
+        file "#{new_resource.unload_dir}/disable_#{new_resource.modname}.conf" do
+          action :delete
+          notifies :run, "execute[update initramfs]", :delayed
+        end
+      end
+
       action :load, description: "Load a kernel module." do
         unless module_loaded?
           converge_by("load kernel module #{new_resource.modname}") do