chef 17.6.15 → 17.8.25

data/lib/chef/resource/macos_userdefaults.rb

@@ -17,6 +17,7 @@
 
 require_relative "../resource"
 require "chef-utils/dist" unless defined?(ChefUtils::Dist)
+require "corefoundation" if RUBY_PLATFORM.match?(/darwin/)
 autoload :Plist, "plist"
 
 class Chef
@@ -78,173 +79,82 @@ class Chef
         required: true
 
       property :host, [String, Symbol],
-        description: "Set either :current or a hostname to set the user default at the host level.",
+        description: "Set either :current, :all or a hostname to set the user default at the host level.",
         desired_state: false,
         introduced: "16.3"
 
       property :value, [Integer, Float, String, TrueClass, FalseClass, Hash, Array],
         description: "The value of the key. Note: With the `type` property set to `bool`, `String` forms of Boolean true/false values that Apple accepts in the defaults command will be coerced: 0/1, 'TRUE'/'FALSE,' 'true'/false', 'YES'/'NO', or 'yes'/'no'.",
-        required: [:write],
-        coerce: proc { |v| v.is_a?(Hash) ? v.transform_keys(&:to_s) : v } # make sure keys are all strings for comparison
+        required: [:write]
 
       property :type, String,
         description: "The value type of the preference key.",
         equal_to: %w{bool string int float array dict},
-        desired_state: false
+        desired_state: false,
+        deprecated: true
 
-      property :user, String,
-        description: "The system user that the default will be applied to.",
+      property :user, [String, Symbol],
+        description: "The system user that the default will be applied to. Set :current for current user, :all for all users or pass a valid username",
         desired_state: false
 
       property :sudo, [TrueClass, FalseClass],
         description: "Set to true if the setting you wish to modify requires privileged access. This requires passwordless sudo for the `/usr/bin/defaults` command to be setup for the user running #{ChefUtils::Dist::Infra::PRODUCT}.",
         default: false,
-        desired_state: false
+        desired_state: false,
+        deprecated: true
 
       load_current_value do |new_resource|
-        Chef::Log.debug "#load_current_value: shelling out \"#{defaults_export_cmd(new_resource).join(" ")}\" to determine state"
-        state = shell_out(defaults_export_cmd(new_resource), user: new_resource.user)
-
-        if state.error? || state.stdout.empty?
-          Chef::Log.debug "#load_current_value: #{defaults_export_cmd(new_resource).join(" ")} returned stdout: #{state.stdout} and stderr: #{state.stderr}"
-          current_value_does_not_exist!
-        end
+        Chef::Log.debug "#load_current_value: attempting to read \"#{new_resource.domain}\" value from preferences to determine state"
 
-        plist_data = ::Plist.parse_xml(state.stdout)
+        pref = get_preference(new_resource)
+        current_value_does_not_exist! if pref.nil?
 
-        # handle the situation where the key doesn't exist in the domain
-        if plist_data.key?(new_resource.key)
-          key new_resource.key
-        else
-          current_value_does_not_exist!
-        end
-
-        value plist_data[new_resource.key]
-      end
-
-      #
-      # The defaults command to export a domain
-      #
-      # @return [Array] defaults command
-      #
-      def defaults_export_cmd(resource)
-        state_cmd = ["/usr/bin/defaults"]
-
-        if resource.host == "current"
-          state_cmd.concat(["-currentHost"])
-        elsif resource.host # they specified a non-nil value, which is a hostname
-          state_cmd.concat(["-host", resource.host])
-        end
-
-        state_cmd.concat(["export", resource.domain, "-"])
-        state_cmd
+        key new_resource.key
+        value pref
       end
 
       action :write, description: "Write the value to the specified domain/key." do
         converge_if_changed do
-          cmd = defaults_modify_cmd
-          Chef::Log.debug("Updating defaults value by shelling out: #{cmd.join(" ")}")
-
-          shell_out!(cmd, user: new_resource.user)
+          Chef::Log.debug("Updating defaults value for #{new_resource.key} in #{new_resource.domain}")
+          CF::Preferences.set!(new_resource.key, new_resource.value, new_resource.domain, to_cf_user(new_resource.user), to_cf_host(new_resource.host))
         end
       end
 
       action :delete, description: "Delete a key from a domain." do
         # if it's not there there's nothing to remove
-        return unless current_resource
+        return if current_resource.nil?
 
         converge_by("delete domain:#{new_resource.domain} key:#{new_resource.key}") do
-
-          cmd = defaults_modify_cmd
-          Chef::Log.debug("Removing defaults key by shelling out: #{cmd.join(" ")}")
-
-          shell_out!(cmd, user: new_resource.user)
+          Chef::Log.debug("Removing defaults key: #{new_resource.key}")
+          CF::Preferences.set!(new_resource.key, nil, new_resource.domain, to_cf_user(new_resource.user), to_cf_host(new_resource.host))
         end
       end
 
-      action_class do
-        #
-        # The command used to write or delete delete values from domains
-        #
-        # @return [Array] Array representation of defaults command to run
-        #
-        def defaults_modify_cmd
-          cmd = ["/usr/bin/defaults"]
-
-          if new_resource.host == :current
-            cmd.concat(["-currentHost"])
-          elsif new_resource.host # they specified a non-nil value, which is a hostname
-            cmd.concat(["-host", new_resource.host])
-          end
-
-          cmd.concat([action.to_s, new_resource.domain, new_resource.key])
-          cmd.concat(processed_value) if action == :write
-          cmd.prepend("sudo") if new_resource.sudo
-          cmd
-        end
-
-        #
-        # convert the provided value into the format defaults expects
-        #
-        # @return [array] array of values starting with the type if applicable
-        #
-        def processed_value
-          type = new_resource.type || value_type(new_resource.value)
-
-          # when dict this creates an array of values ["Key1", "Value1", "Key2", "Value2" ...]
-          cmd_values = ["-#{type}"]
-
-          case type
-          when "dict"
-            cmd_values.concat(new_resource.value.flatten)
-          when "array"
-            cmd_values.concat(new_resource.value)
-          when "bool"
-            cmd_values.concat(bool_to_defaults_bool(new_resource.value))
-          else
-            cmd_values.concat([new_resource.value])
-          end
-
-          cmd_values
-        end
+      def get_preference(new_resource)
+        CF::Preferences.get(new_resource.key, new_resource.domain, to_cf_user(new_resource.user), to_cf_host(new_resource.host))
+      end
 
-        #
-        # defaults booleans on the CLI must be 'TRUE' or 'FALSE' so convert various inputs to that
-        #
-        # @param [String, Integer, Boolean] input <description>
-        #
-        # @return [String] TRUE or FALSE
-        #
-        def bool_to_defaults_bool(input)
-          return ["TRUE"] if [true, "TRUE", "1", "true", "YES", "yes"].include?(input)
-          return ["FALSE"] if [false, "FALSE", "0", "false", "NO", "no"].include?(input)
-
-          # make sure it's very clear bad input was given
-          raise ArgumentError, "#{input} cannot be converted to a boolean value for use with Apple's defaults command. Acceptable values are: 'TRUE', 'YES', 'true, 'yes', '0', true, 'FALSE', 'false', 'NO', 'no', '1', or false."
+      # Return valid hostname based on the input from host property
+      def to_cf_host(value)
+        case value
+        when :all
+          CF::Preferences::ALL_HOSTS
+        when :current
+          CF::Preferences::CURRENT_HOST
+        else
+          value
         end
+      end
 
-        #
-        # convert ruby type to defaults type
-        #
-        # @param [Integer, Float, String, TrueClass, FalseClass, Hash, Array] value The value being set
-        #
-        # @return [string, nil] the type value used by defaults or nil if not applicable
-        #
-        def value_type(value)
-          case value
-          when true, false
-            "bool"
-          when Integer
-            "int"
-          when Float
-            "float"
-          when Hash
-            "dict"
-          when Array
-            "array"
-          when String
-            "string"
-          end
+      # Return valid username based on the input from user property
+      def to_cf_user(value)
+        case value
+        when :all
+          CF::Preferences::ALL_USERS
+        when :current
+          CF::Preferences::CURRENT_USER
+        else
+          value
         end
       end
     end

data/lib/chef/resource/rhsm_register.rb

@@ -79,6 +79,23 @@ class Chef
         default: false, desired_state: false,
         introduced: "15.9"
 
+      property :server_url, String,
+        description: "The hostname of the subscription service to use. The default is for Customer Portal Subscription Management, subscription.rhn.redhat.com. If this option is not used, the system is registered with Customer Portal Subscription Management.",
+          introduced: "17.8"
+
+      property :base_url, String,
+        description: "The hostname of the content delivery server to use to receive updates. Both Customer Portal Subscription Management and Subscription Asset Manager use Red Hat's hosted content delivery services, with the URL https://cdn.redhat.com. Since Satellite 6 hosts its own content, the URL must be used for systems registered with Satellite 6.",
+        introduced: "17.8"
+
+      property :service_level, String,
+        description: "Sets the service level to use for subscriptions on the registering machine. This is only used with the auto_attach option.",
+        introduced: "17.8"
+
+      property :release,
+        [Float, String],
+        description: "Sets the operating system minor release to use for subscriptions for the system. Products and updates are limited to the specified minor release version. This is used only used with the auto_attach option.  For example, `release '6.4'` will append `--release=6.4` to the register command.",
+        introduced: "17.8"
+
       action :register, description: "Register the node with RHSM." do
         package "subscription-manager"
 
@@ -170,6 +187,8 @@ class Chef
               command << new_resource.activation_key.map { |key| "--activationkey=#{Shellwords.shellescape(key)}" }
               command << "--org=#{Shellwords.shellescape(new_resource.organization)}"
               command << "--name=#{Shellwords.shellescape(new_resource.system_name)}" if new_resource.system_name
+              command << "--serverurl=#{Shellwords.shellescape(new_resource.server_url)}" if new_resource.server_url
+              command << "--baseurl=#{Shellwords.shellescape(new_resource.base_url)}" if new_resource.base_url
               command << "--force" if new_resource.force
 
               return command.join(" ")
@@ -179,11 +198,23 @@ class Chef
           if new_resource.username && new_resource.password
             raise "Unable to register - you must specify environment when using username/password" if new_resource.environment.nil? && using_satellite_host?
 
+            if new_resource.service_level
+              raise "Unable to register - 'auto_attach' must be enabled when using property `service_level`." unless new_resource.auto_attach
+            end
+
+            if new_resource.release
+              raise "Unable to register - `auto_attach` must be enabled when using property `release`." unless new_resource.auto_attach
+            end
+
             command << "--username=#{Shellwords.shellescape(new_resource.username)}"
             command << "--password=#{Shellwords.shellescape(new_resource.password)}"
             command << "--environment=#{Shellwords.shellescape(new_resource.environment)}" if using_satellite_host?
             command << "--name=#{Shellwords.shellescape(new_resource.system_name)}" if new_resource.system_name
+            command << "--serverurl=#{Shellwords.shellescape(new_resource.server_url)}" if new_resource.server_url
+            command << "--baseurl=#{Shellwords.shellescape(new_resource.base_url)}" if new_resource.base_url
             command << "--auto-attach" if new_resource.auto_attach
+            command << "--servicelevel=#{Shellwords.shellescape(new_resource.service_level)}" if new_resource.service_level
+            command << "--release=#{Shellwords.shellescape(new_resource.release)}" if new_resource.release
             command << "--force" if new_resource.force
 
             return command.join(" ")

data/lib/chef/resource/support/client.erb

@@ -37,6 +37,13 @@ log_location <%= @log_location %>
 log_location <%= @log_location.inspect %>
   <% end -%>
 <% end -%>
+<%# These data_collector options are special as they have a '.' -%>
+<% unless @data_collector_server_url.nil? || @data_collector_server_url.empty? %>
+data_collector.server_url <%= @data_collector_server_url %>
+<% end %>
+<% unless @data_collector_token.nil? || @data_collector_token.empty? %>
+data_collector.token <%= @data_collector_token %>
+<% end %>
 <%# The code below is not DRY on purpose to improve readability -%>
 <% unless @start_handlers.empty? -%>
   # Do not crash if a start handler is missing / not installed yet

data/lib/chef/resource/windows_auto_run.rb

@@ -88,7 +88,7 @@ class Chef
         # @return [String]
         def registry_path
           { machine: "HKLM", user: "HKCU" }[new_resource.root] + \
-            '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'
+            "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
         end
       end
     end

data/lib/chef/resource/windows_dfs_namespace.rb

@@ -38,7 +38,7 @@ class Chef
 
       property :full_users, Array,
         description: "Determines which users should have full access to the share.",
-        default: ['BUILTIN\\administrators']
+        default: ["BUILTIN\\administrators"]
 
       property :change_users, Array,
         description: "Determines which users should have change access to the share.",
@@ -50,7 +50,7 @@ class Chef
 
       property :root, String,
         description: "The root from which to create the DFS tree. Defaults to C:\\DFSRoots.",
-        default: 'C:\\DFSRoots'
+        default: "C:\\DFSRoots"
 
       action :create, description: "Creates the dfs namespace on the server." do
         directory file_path do

data/lib/chef/resource/windows_feature_powershell.rb

@@ -100,8 +100,8 @@ class Chef
             install_command << " -Source \"#{new_resource.source}\"" if new_resource.source
             install_command << " -IncludeManagementTools" if new_resource.management_tools
 
-            cmd = powershell_out!(install_command, timeout: new_resource.timeout)
-            Chef::Log.info(cmd.stdout)
+            cmd = powershell_exec!(install_command, timeout: new_resource.timeout)
+            Chef::Log.info(cmd.result)
 
             reload_cached_powershell_data # Reload cached powershell feature state
           end
@@ -115,8 +115,8 @@ class Chef
 
         unless features_to_remove.empty?
           converge_by("remove Windows feature#{"s" if features_to_remove.count > 1} #{features_to_remove.join(",")}") do
-            cmd = powershell_out!("Uninstall-WindowsFeature #{features_to_remove.join(",")}", timeout: new_resource.timeout)
-            Chef::Log.info(cmd.stdout)
+            cmd = powershell_exec!("Uninstall-WindowsFeature #{features_to_remove.join(",")}", timeout: new_resource.timeout)
+            Chef::Log.info(cmd.result)
 
             reload_cached_powershell_data # Reload cached powershell feature state
           end
@@ -132,8 +132,8 @@ class Chef
 
         unless features_to_delete.empty?
           converge_by("delete Windows feature#{"s" if features_to_delete.count > 1} #{features_to_delete.join(",")} from the image") do
-            cmd = powershell_out!("Uninstall-WindowsFeature #{features_to_delete.join(",")} -Remove", timeout: new_resource.timeout)
-            Chef::Log.info(cmd.stdout)
+            cmd = powershell_exec!("Uninstall-WindowsFeature #{features_to_delete.join(",")} -Remove", timeout: new_resource.timeout)
+            Chef::Log.info(cmd.result)
 
             reload_cached_powershell_data # Reload cached powershell feature state
           end
@@ -215,7 +215,7 @@ class Chef
         # fetch the list of available feature names and state in JSON and parse the JSON
         def parsed_feature_list
           # Grab raw feature information from WindowsFeature
-          raw_list_of_features = powershell_out!("Get-WindowsFeature | Select-Object -Property Name,InstallState | ConvertTo-Json -Compress", timeout: new_resource.timeout).stdout
+          raw_list_of_features = powershell_exec!("Get-WindowsFeature | Select-Object -Property Name,InstallState", timeout: new_resource.timeout).result
 
           Chef::JSONCompat.from_json(raw_list_of_features)
         end

data/lib/chef/resource/windows_update_settings.rb

@@ -145,7 +145,7 @@ class Chef
       action :set, description: "Set Windows Update settings." do
         actual_day = convert_day(new_resource.scheduled_install_day)
 
-        registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate' do
+        registry_key "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate" do
           recursive true
           values [{
             name: "DisableOSUpgrade",
@@ -180,7 +180,7 @@ class Chef
           action :create
         end
 
-        registry_key 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer' do
+        registry_key "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" do
           recursive true
           values [{
             name: "NoWindowsUpdate",
@@ -190,7 +190,7 @@ class Chef
           action :create
         end
 
-        registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU' do
+        registry_key "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU" do
           recursive true
           values [{
             name: "AUOptions",

data/lib/chef/resource.rb

@@ -454,7 +454,7 @@ class Chef
     # @param arg [String] The umask to apply while converging the resource.
     # @return [Boolean] The umask to apply while converging the resource.
     #
-    property :umask, String,
+    property :umask, [String, Integer],
       desired_state: false,
       introduced: "16.2",
       description: "Set a umask to be used for the duration of converging the resource. Defaults to `nil`, which means to use the system umask. Unsupported on Windows because Windows lacks a direct equivalent to UNIX's umask."
@@ -1508,7 +1508,7 @@ class Chef
     # @return Chef::CookbookVersion The cookbook in which this Resource was defined.
     #
     def cookbook_version
-      if cookbook_name
+      if cookbook_name && cookbook_name != "@recipe_files"
         run_context.cookbook_collection[cookbook_name]
       end
     end

data/lib/chef/resource_reporter.rb

@@ -41,7 +41,7 @@ class Chef
       as_hash["result"] = action_record.action.to_s
       if new_resource.cookbook_name
         as_hash["cookbook_name"] = new_resource.cookbook_name
-        as_hash["cookbook_version"] = new_resource.cookbook_version.version
+        as_hash["cookbook_version"] = new_resource.cookbook_version&.version
       end
 
       as_hash

data/lib/chef/secret_fetcher/azure_key_vault.rb

@@ -1,4 +1,6 @@
 require_relative "base"
+require_relative "../exceptions"
+require "uri" unless defined?(URI)
 
 class Chef
   class SecretFetcher
@@ -14,13 +16,19 @@ class Chef
     #
     # @example
     #
-    # fetcher = SecretFetcher.for_service(:azure_key_vault, { vault: "my_vault" }, run_context )
+    # fetcher = SecretFetcher.for_service(:azure_key_vault, { vault: "my_vault" }, run_context)
     # fetcher.fetch("secretkey1", "v1")
     #
     # @example
     #
-    # fetcher = SecretFetcher.for_service(:azure_key_vault, {}, run_context )
+    # fetcher = SecretFetcher.for_service(:azure_key_vault, {}, run_context)
     # fetcher.fetch("my_vault/secretkey1", "v1")
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:azure_key_vault, { client_id: "540d76b6-7f76-456c-b68b-ccae4dc9d99d" }, run_context)
+    # fetcher.fetch("my_vault/secretkey1", "v1")
+    #
     class AzureKeyVault < Base
 
       def do_fetch(name, version)
@@ -48,6 +56,12 @@ class Chef
         end
       end
 
+      def validate!
+        raise Chef::Exceptions::Secret::ConfigurationInvalid, "You may only specify one (these are mutually exclusive): :object_id, :client_id, or :mi_res_id" if [object_id, client_id, mi_res_id].select { |x| !x.nil? }.length > 1
+      end
+
+      private
+
       # Determine the vault name and secret name from the provided name.
       # If it is not in the provided name in the form "vault_name/secret_name"
       # it will determine the vault name from `config[:vault]`.
@@ -63,16 +77,56 @@ class Chef
         end
       end
 
+      def api_version
+        "2018-02-01"
+      end
+
+      def resource
+        "https://vault.azure.net"
+      end
+
+      def object_id
+        config[:object_id]
+      end
+
+      def client_id
+        config[:client_id]
+      end
+
+      def mi_res_id
+        config[:mi_res_id]
+      end
+
+      def token_query
+        @token_query ||= begin
+          p = {}
+          p["api-version"] = api_version
+          p["resource"] = resource
+          p["object_id"] = object_id if object_id
+          p["client_id"] = client_id if client_id
+          p["mi_res_id"] = mi_res_id if mi_res_id
+          URI.encode_www_form(p)
+        end
+      end
+
       def fetch_token
-        token_uri = URI.parse("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net")
+        token_uri = URI.parse("http://169.254.169.254/metadata/identity/oauth2/token")
+        token_uri.query = token_query
         http = Net::HTTP.new(token_uri.host, token_uri.port)
         response = http.get(token_uri, { "Metadata" => "true" })
-        body = JSON.parse(response.body)
-        body["access_token"]
+
+        case response
+        when Net::HTTPSuccess
+          body = JSON.parse(response.body)
+          body["access_token"]
+        when Net::HTTPBadRequest
+          body = JSON.parse(response.body)
+          raise Chef::Exceptions::Secret::Azure::IdentityNotFound if body["error_description"] =~ /identity not found/i
+        else
+          body = JSON.parse(response.body)
+          body["access_token"]
+        end
       end
     end
   end
 end
-
-
-

data/lib/chef/secret_fetcher.rb

@@ -58,4 +58,3 @@ class Chef
     end
   end
 end
-

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("..", __dir__)
-  VERSION = Chef::VersionString.new("17.6.15")
+  VERSION = Chef::VersionString.new("17.8.25")
 end
 
 #

data/spec/functional/dsl/reboot_pending_spec.rb

@@ -39,8 +39,8 @@ describe Chef::DSL::RebootPending, :windows_only do
     let(:reg_key) { nil }
     let(:original_set) { false }
 
-    describe 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations' do
-      let(:reg_key) { 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager' }
+    describe "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations" do
+      let(:reg_key) { "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" }
       let(:original_set) { registry.value_exists?(reg_key, { name: "PendingFileRenameOperations" }) }
 
       it "returns true if the registry value exists" do
@@ -78,7 +78,7 @@ describe Chef::DSL::RebootPending, :windows_only do
 
     describe "when there is nothing to indicate a reboot is pending" do
       it "should return false" do
-        skip "reboot pending" if registry_value_exists?('HKLM\SYSTEM\CurrentControlSet\Control\Session Manager', { name: "PendingFileRenameOperations" }) ||
+        skip "reboot pending" if registry_value_exists?("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager", { name: "PendingFileRenameOperations" }) ||
           registry_key_exists?('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') ||
           registry_key_exists?('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
         expect(recipe.reboot_pending?).to be_falsey

data/spec/functional/dsl/registry_helper_spec.rb

@@ -24,7 +24,7 @@ describe Chef::Resource::RegistryKey, :windows_only do
   before(:all) do
     ::Win32::Registry::HKEY_CURRENT_USER.create "Software\\Root"
     ::Win32::Registry::HKEY_CURRENT_USER.create "Software\\Root\\Branch"
-    ::Win32::Registry::HKEY_CURRENT_USER.open('Software\\Root', Win32::Registry::KEY_ALL_ACCESS) do |reg|
+    ::Win32::Registry::HKEY_CURRENT_USER.open("Software\\Root", Win32::Registry::KEY_ALL_ACCESS) do |reg|
       reg["RootType1", Win32::Registry::REG_SZ] = "fibrous"
       reg.write("Roots", Win32::Registry::REG_MULTI_SZ, ["strong roots", "healthy tree"])
     end

data/spec/functional/resource/dnf_package_spec.rb

@@ -455,7 +455,7 @@ describe Chef::Resource::DnfPackage, :requires_root, external: exclude_test do
     end
 
     context "downgrades" do
-      it "downgrades the package when allow_downgrade" do
+      it "downgrades the package when allow_downgrade is true" do
         flush_cache
         preinstall("chef_rpm-1.10-1.#{pkg_arch}.rpm")
         dnf_package "chef_rpm" do
@@ -470,6 +470,18 @@ describe Chef::Resource::DnfPackage, :requires_root, external: exclude_test do
           action :install
         end.should_not_be_updated
       end
+
+      it "does not downgrade the package when allow_downgrade is false" do
+        flush_cache
+        preinstall("chef_rpm-1.10-1.#{pkg_arch}.rpm")
+        dnf_package "chef_rpm" do
+          options default_options
+          allow_downgrade false
+          version "1.2-1"
+          action :install
+        end.should_not_be_updated
+        expect(shell_out("rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' chef_rpm").stdout.chomp).to match("^chef_rpm-1.10-1.#{pkg_arch}$")
+      end
     end
 
     context "with arches", :intel_64bit do
@@ -763,6 +775,17 @@ describe Chef::Resource::DnfPackage, :requires_root, external: exclude_test do
         end.should_not_be_updated
       end
 
+      it "downgrade on a local file with allow_downgrade false does not downgrade" do
+        preinstall("chef_rpm-1.10-1.#{pkg_arch}.rpm")
+        dnf_package "#{CHEF_SPEC_ASSETS}/yumrepo/chef_rpm-1.2-1.#{pkg_arch}.rpm" do
+          options default_options
+          allow_downgrade false
+          version "1.2-1"
+          action :install
+        end.should_not_be_updated
+        expect(shell_out("rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' chef_rpm").stdout.chomp).to match("^chef_rpm-1.10-1.#{pkg_arch}$")
+      end
+
       it "does not downgrade the package with :install" do
         preinstall("chef_rpm-1.10-1.#{pkg_arch}.rpm")
         dnf_package "#{CHEF_SPEC_ASSETS}/yumrepo/chef_rpm-1.2-1.#{pkg_arch}.rpm" do
@@ -1027,25 +1050,6 @@ describe Chef::Resource::DnfPackage, :requires_root, external: exclude_test do
           action :install
         end.should_not_be_updated
       end
-
-      it "throws a deprecation warning with allow_downgrade" do
-        Chef::Config[:treat_deprecation_warnings_as_errors] = false
-        expect(Chef).to receive(:deprecated).at_least(:once).with(:dnf_package_allow_downgrade, /^the allow_downgrade property on the dnf_package provider is not used/)
-        preinstall("chef_rpm-1.10-1.#{pkg_arch}.rpm")
-        dnf_package "chef_rpm" do
-          options default_options
-          version "1.2"
-          allow_downgrade true
-          action :install
-        end.should_be_updated
-        expect(shell_out("rpm -q chef_rpm").stdout.chomp).to match("^chef_rpm-1.2-1.#{pkg_arch}")
-        dnf_package "chef_rpm" do
-          options default_options
-          version "1.2"
-          allow_downgrade true
-          action :install
-        end.should_not_be_updated
-      end
     end
 
     context "with source arguments" do
@@ -1092,6 +1096,16 @@ describe Chef::Resource::DnfPackage, :requires_root, external: exclude_test do
         end.should_not_be_updated
       end
 
+      it "does not downgrade the package when allow_downgrade is false" do
+        preinstall("chef_rpm-1.10-1.#{pkg_arch}.rpm")
+        dnf_package "#{CHEF_SPEC_ASSETS}/yumrepo/chef_rpm-1.2-1.#{pkg_arch}.rpm" do
+          options default_options
+          allow_downgrade false
+          action :upgrade
+        end.should_not_be_updated
+        expect(shell_out("rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' chef_rpm").stdout.chomp).to match("^chef_rpm-1.10-1.#{pkg_arch}$")
+      end
+
       it "upgrades the package" do
         preinstall("chef_rpm-1.2-1.#{pkg_arch}.rpm")
         dnf_package "#{CHEF_SPEC_ASSETS}/yumrepo/chef_rpm-1.10-1.#{pkg_arch}.rpm" do