chef 17.6.18 → 17.9.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 59f5d3f142e80c94be749ef60ee943e69079238f55209a2a10741158c8816bce
-  data.tar.gz: 48a22e1452ab3aa51e69f64144ccccff80790f9890e81c7ea3a781a151080da6
+  metadata.gz: 1886ca1ea538fbe96bf89e02df660eaa7eead201d917e15525e63cb7b3c3f90c
+  data.tar.gz: 2f2807b137aba35aba5ab1fa719ed26d0dd5aaab8ba4989c56c33b62761c3bfc
 SHA512:
-  metadata.gz: 28fb40af64c9a66d6e1d7ab487e88873b0eed7db8fc13f80c7e5fe5c191bbbe1b89da0d5fcf841072a12d1674ce2a5986d243dc41340ddb71508d337e804325e
-  data.tar.gz: 24a4a408695c4c6283bcd7312b7f74c164fe2f4bb9b6eb3adce43c4182d398f86a02cbb2aa1a63df0ff0a1084961cba96f3c7a7b4fefb958b23a61c92f53a3a8
+  metadata.gz: e52940ab6008d9263848045de3be99288298a6b542a94e9fa6832f2e2cdb73369b0055ec1df63237338faf8f0015d65f138985201452e7b64e15ddd8a76d1619
+  data.tar.gz: ea68a2d6a8096d590877bef7b764b8b6283980354401b2f713177b3977ba7338bb2bd012433ae0a203cb42deacf10865a288a4b3fcedcb9d9cd0c423b749c9da

data/Gemfile

@@ -39,6 +39,11 @@ group(:ruby_shadow) do
   gem "ruby-shadow", git: "https://github.com/chef/ruby-shadow", branch: "lcg/ruby-3.0", platforms: :ruby
 end
 
+# deps that cannot be put in the knife gem because they require a compiler and fail on windows nodes
+group(:knife_windows_deps) do
+  gem "ed25519", "~> 1.2" # ed25519 ssh key support
+end
+
 group(:development, :test) do
   gem "rake"
   gem "rspec"

data/chef.gemspec

@@ -52,6 +52,7 @@ Gem::Specification.new do |s|
   s.add_dependency "addressable"
   s.add_dependency "syslog-logger", "~> 1.6"
   s.add_dependency "uuidtools", ">= 2.1.5", "< 3.0" # osx_profile resource
+  s.add_dependency "corefoundation", "~> 0.3.4" # macos_userdefaults resource
 
   s.add_dependency "proxifier", "~> 1.0"
 

data/lib/chef/application/base.rb

@@ -254,7 +254,7 @@ class Chef::Application::Base < Chef::Application
     short: "-K KEY_FILE",
     long: "--validation_key KEY_FILE",
     description: "Set the validation key file location, used for registering new clients.",
-    proc: nil
+    proc: lambda { |argument| File.expand_path(argument) }
 
   option :client_key,
     short: "-k KEY_FILE",

data/lib/chef/chef_fs/file_pattern.rb

@@ -276,7 +276,7 @@ class Chef
               regexp << ".*"
             when "*"
               exact = nil
-              regexp << '[^\/]*'
+              regexp << "[^\\/]*"
             when "?"
               exact = nil
               regexp << "."

data/lib/chef/chef_fs/path_utils.rb

@@ -58,7 +58,7 @@ class Chef
       end
 
       def self.regexp_path_separator
-        ChefUtils.windows? ? '[\/\\\\]' : "/"
+        ChefUtils.windows? ? "[\\/\\\\]" : "/"
       end
 
       # Given a server path, determines if it is absolute.

data/lib/chef/compliance/default_attributes.rb

@@ -28,7 +28,7 @@ class Chef
       # Controls what is done with the resulting report after the Chef InSpec run.
       # Accepts a single string value or an array of multiple values.
       # Accepted values: 'chef-server-automate', 'chef-automate', 'json-file', 'audit-enforcer', 'cli'
-      "reporter" => "cli",
+      "reporter" => nil,
 
       # Controls if Chef InSpec profiles should be fetched from Chef Automate or Chef Infra Server
       # in addition to the default fetch locations provided by Chef Inspec.
@@ -94,7 +94,17 @@ class Chef
 
       # Should the built-in compliance phase run. True and false force the behavior. Nil does magic based on if you have
       # profiles defined but do not have the audit cookbook enabled.
-      "compliance_phase" => false
+      "compliance_phase" => false,
+
+      "interval" => {
+        # control how often inspec scans are run, if not on every node converge
+        # notes: false value will result in running inspec scan every converge
+        "enabled" => false,
+
+        # controls how often inspec scans are run (in minutes)
+        # notes: only used if interval is enabled above
+        "time" => 1440,
+      }
     )
   end
 end

data/lib/chef/compliance/runner.rb

@@ -71,7 +71,7 @@ class Chef
 
         logger.debug("#{self.class}##{__method__}: enabling Compliance Phase")
 
-        report
+        report_with_interval
       end
 
       def run_failed(_exception, _run_status)
@@ -82,7 +82,7 @@ class Chef
 
         logger.debug("#{self.class}##{__method__}: enabling Compliance Phase")
 
-        report
+        report_with_interval
       end
 
       ### Below code adapted from audit cookbook's files/default/handler/audit_report.rb
@@ -92,7 +92,6 @@ class Chef
         fail_if_not_present
         inspec_gem_source
         inspec_version
-        interval
         owner
         raise_if_unreachable
       }.freeze
@@ -106,6 +105,15 @@ class Chef
         end
       end
 
+      def report_with_interval
+        if interval_seconds_left <= 0
+          create_timestamp_file if interval_enabled
+          report
+        else
+          logger.info "Skipping Chef Infra Compliance Phase due to interval settings (next run in #{interval_seconds_left / 60.0} mins)"
+        end
+      end
+
       def report(report = nil)
         logger.info "Starting Chef Infra Compliance Phase"
         report ||= generate_report
@@ -118,7 +126,7 @@ class Chef
           return
         end
 
-        Array(node["audit"]["reporter"]).each do |reporter_type|
+        requested_reporters.each do |reporter_type|
           logger.info "Reporting to #{reporter_type}"
           @reporters[reporter_type].send_report(report)
         end
@@ -325,7 +333,7 @@ class Chef
         @reporters = {}
         # Note that the docs don't say you can use an array, but our implementation
         # supports it.
-        Array(node["audit"]["reporter"]).each do |type|
+        requested_reporters.each do |type|
           unless SUPPORTED_REPORTERS.include? type
             raise "CMPL003: '#{type}' found in node['audit']['reporter'] is not a supported reporter for Compliance Phase. Supported reporters are: #{SUPPORTED_REPORTERS.join(", ")}. For more information, see the documentation at https://docs.chef.io/chef_compliance_phase#reporters"
           end
@@ -358,6 +366,44 @@ class Chef
       def safe_input_collection
         run_context&.input_collection
       end
+
+      def requested_reporters
+        (Array(node["audit"]["reporter"]) + ["cli"]).uniq
+      end
+
+      def create_timestamp_file
+        FileUtils.touch report_timing_file
+      end
+
+      def report_timing_file
+        ::File.join(Chef::FileCache.create_cache_path("compliance"), "report_timing.json")
+      end
+
+      def interval_time
+        @interval_time ||= node.read("audit", "interval", "time")
+      end
+
+      def interval_enabled
+        @interval_enabled ||= node.read("audit", "interval", "enabled")
+      end
+
+      def interval_seconds
+        @interval_seconds ||=
+          if interval_enabled
+            logger.debug "Running Chef Infra Compliance Phase every #{interval_time} minutes"
+            interval_time * 60
+          else
+            logger.debug "Running Chef Infra Compliance Phase on every run"
+            0
+          end
+      end
+
+      def interval_seconds_left
+        return 0 unless ::File.exist?(report_timing_file)
+
+        seconds_since_last_run = Time.now - ::File.mtime(report_timing_file)
+        interval_seconds - seconds_since_last_run
+      end
     end
   end
 end

data/lib/chef/data_collector/run_end_message.rb

@@ -128,7 +128,7 @@ class Chef
 
           if new_resource.cookbook_name
             hash["cookbook_name"]    = new_resource.cookbook_name
-            hash["cookbook_version"] = new_resource.cookbook_version.version
+            hash["cookbook_version"] = new_resource.cookbook_version&.version
             hash["recipe_name"]      = new_resource.recipe_name
           end
 

data/lib/chef/dsl/reboot_pending.rb

@@ -37,7 +37,7 @@ class Chef
           # due to a file being in use (usually a temporary file and a system file)
           # \??\c:\temp\test.sys!\??\c:\winnt\system32\test.sys
           # http://technet.microsoft.com/en-us/library/cc960241.aspx
-          registry_value_exists?('HKLM\SYSTEM\CurrentControlSet\Control\Session Manager', { name: "PendingFileRenameOperations" }) ||
+          registry_value_exists?("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager", { name: "PendingFileRenameOperations" }) ||
 
             # RebootRequired key contains Update IDs with a value of 1 if they require a reboot.
             # The existence of RebootRequired alone is sufficient on my Windows 8.1 workstation in Windows Update

data/lib/chef/exceptions.rb

@@ -308,6 +308,16 @@ class Chef
           super("No secret service provided. Supported services are: :#{fetcher_service_names.join(" :")}")
         end
       end
+
+      class Azure
+        class IdentityNotFound < RuntimeError
+          def initialize
+            super("The managed identity could not be found. This could mean one of the following things:\n\n" \
+                  "  1. The VM has no system or user assigned identities.\n" \
+                  "  2. The managed identity object_id or client_id that was specified is not assigned to the VM.\n")
+          end
+        end
+      end
     end
 
     # Exception class for collecting multiple failures. Used when running

data/lib/chef/mixin/powershell_exec.rb

@@ -104,13 +104,14 @@ class Chef
       #
       # @param script [String] script to run
       # @param interpreter [Symbol] the interpreter type, `:powershell` or `:pwsh`
+      # @param timeout [Integer, nil] timeout in seconds.
       # @return [Chef::PowerShell] output
-      def powershell_exec(script, interpreter = :powershell)
+      def powershell_exec(script, interpreter = :powershell, timeout: -1)
         case interpreter
         when :powershell
-          Chef::PowerShell.new(script)
+          Chef::PowerShell.new(script, timeout: timeout)
         when :pwsh
-          Chef::Pwsh.new(script)
+          Chef::Pwsh.new(script, timeout: timeout)
         else
           raise ArgumentError, "Expected interpreter of :powershell or :pwsh"
         end
@@ -118,8 +119,8 @@ class Chef
 
       # The same as the #powershell_exec method except this will raise
       # Chef::PowerShell::CommandFailed if the command fails
-      def powershell_exec!(script, interpreter = :powershell)
-        cmd = powershell_exec(script, interpreter)
+      def powershell_exec!(script, interpreter = :powershell, **options)
+        cmd = powershell_exec(script, interpreter, **options)
         cmd.error!
         cmd
       end

data/lib/chef/mixin/why_run.rb

@@ -242,8 +242,12 @@ class Chef
           end
         end
 
-        def initialize(resource, run_context)
-          @resource, @run_context = resource, run_context
+        attr_accessor :action
+
+        def initialize(resource, run_context, action)
+          @resource = resource
+          @run_context = run_context
+          @action = action
           @assertions = Hash.new { |h, k| h[k] = [] }
           @blocked_actions = []
         end
@@ -305,6 +309,8 @@ class Chef
         #                       "You don't have sufficient privileges to delete #{@new_resource.path}")
         #   end
         def assert(*actions)
+          return unless actions.include?(action.to_sym) || actions.include?(:all_actions)
+
           assertion = Assertion.new
           yield assertion
           actions.each { |action| @assertions[action] << assertion }

data/lib/chef/powershell.rb

@@ -33,15 +33,16 @@ class Chef
     # Requires: .NET Framework 4.0 or higher on the target machine.
     #
     # @param script [String] script to run
+    # @param timeout [Integer, nil] timeout in seconds.
     # @return [Object] output
-    def initialize(script)
+    def initialize(script, timeout: -1)
       # This Powershell DLL source lives here: https://github.com/chef/chef-powershell-shim
       # Every merge into that repo triggers a Habitat build and promotion. Running
       # the rake :update_chef_exec_dll task in this (chef/chef) repo will pull down
       # the built packages and copy the binaries to distro/ruby_bin_folder. Bundle install
       # ensures that the correct architecture binaries are installed into the path.
       @dll ||= "Chef.PowerShell.Wrapper.dll"
-      exec(script)
+      exec(script, timeout: timeout)
     end
 
     #
@@ -64,12 +65,13 @@ class Chef
       raise Chef::PowerShell::CommandFailed, "Unexpected exit in PowerShell command: #{@errors}" if error?
     end
 
-    protected
+    private
 
-    def exec(script)
+    def exec(script, timeout: -1)
       FFI.ffi_lib @dll
-      FFI.attach_function :execute_powershell, :ExecuteScript, [:string], :pointer
-      execution = FFI.execute_powershell(script).read_utf16string
+      FFI.attach_function :execute_powershell, :ExecuteScript, %i{string int}, :pointer
+      timeout = -1 if timeout == 0 || timeout.nil?
+      execution = FFI.execute_powershell(script, timeout).read_utf16string
       hashed_outcome = Chef::JSONCompat.parse(execution)
       @result = Chef::JSONCompat.parse(hashed_outcome["result"])
       @errors = hashed_outcome["errors"]

data/lib/chef/provider/cron.rb

@@ -92,7 +92,7 @@ class Chef
         end
       end
 
-      action :create do
+      action :create, description: "Create an entry in a cron table file (crontab). If an entry already exists (but does not match), update that entry to match." do
         crontab = ""
         newcron = ""
         cron_found = false
@@ -100,7 +100,10 @@ class Chef
         newcron = get_crontab_entry
 
         if @cron_exists
-          unless cron_different?
+          # Only compare the crontab if the current resource has a set command.
+          # This may not be set in cases where the Chef comment exists but the
+          # crontab command was commented out.
+          if current_resource.property_is_set?(:command) && !cron_different?
             logger.debug("#{new_resource}: Skipping existing cron entry")
             return
           end
@@ -146,7 +149,7 @@ class Chef
         end
       end
 
-      action :delete do
+      action :delete, description: "Delete an entry from a cron table file (crontab)." do
         if @cron_exists
           crontab = ""
           cron_found = false

data/lib/chef/provider/directory.rb

@@ -121,7 +121,7 @@ class Chef
         end
       end
 
-      action :create do
+      action :create, description: "Create a directory. If a directory already exists (but does not match), update that directory to match." do
         unless ::File.exist?(new_resource.path)
           converge_by("create new directory #{new_resource.path}") do
             if new_resource.recursive == true
@@ -137,7 +137,7 @@ class Chef
         load_resource_attributes_from_file(new_resource) unless Chef::Config[:why_run]
       end
 
-      action :delete do
+      action :delete, description: "Delete a directory." do
         if ::File.exist?(new_resource.path)
           converge_by("delete existing directory #{new_resource.path}") do
             if new_resource.recursive == true

data/lib/chef/provider/git.rb

@@ -28,7 +28,7 @@ class Chef
       extend Forwardable
       provides :git
 
-      GIT_VERSION_PATTERN = Regexp.compile('git version (\d+\.\d+.\d+)')
+      GIT_VERSION_PATTERN = Regexp.compile("git version (\\d+\\.\\d+.\\d+)")
 
       def_delegator :new_resource, :destination, :cwd
 

data/lib/chef/provider/ifconfig/debian.rb

@@ -87,7 +87,7 @@ iface <%= new_resource.device %> <%= new_resource.family %> static
           directory INTERFACES_DOT_D_DIR
 
           # roll our own file_edit resource, this will not get reported until we have a file_edit resource
-          interfaces_dot_d_for_regexp = INTERFACES_DOT_D_DIR.gsub(/\./, '\.') # escape dots for the regexp
+          interfaces_dot_d_for_regexp = INTERFACES_DOT_D_DIR.gsub(/\./, "\\.") # escape dots for the regexp
           regexp = %r{^\s*source\s+#{interfaces_dot_d_for_regexp}/\*\s*$}
 
           return if ::File.exist?(INTERFACES_FILE) && regexp.match(IO.read(INTERFACES_FILE))

data/lib/chef/provider/ifconfig.rb

@@ -168,7 +168,7 @@ class Chef
         end
       end
 
-      action :add do
+      action :add, description: "Run ifconfig to configure a network interface and (on some platforms) write a configuration file for that network interface." do
         # check to see if load_current_resource found interface in ifconfig
         unless current_resource.inet_addr
           unless new_resource.device == loopback_device
@@ -183,7 +183,7 @@ class Chef
         generate_config
       end
 
-      action :enable do
+      action :enable, description: "Run ifconfig to enable a network interface." do
         # check to see if load_current_resource found ifconfig
         # enables, but does not manage config files
         return if current_resource.inet_addr
@@ -196,7 +196,7 @@ class Chef
         end
       end
 
-      action :delete do
+      action :delete, description: "Run ifconfig to disable a network interface and (on some platforms) delete that network interface’s configuration file." do
         # check to see if load_current_resource found the interface
         if current_resource.device
           command = delete_command
@@ -210,7 +210,7 @@ class Chef
         delete_config
       end
 
-      action :disable do
+      action :disable, description: "Run ifconfig to disable a network interface." do
         # check to see if load_current_resource found the interface
         # disables, but leaves config files in place.
         if current_resource.device

data/lib/chef/provider/mount/linux.rb

@@ -29,10 +29,16 @@ class Chef
         # "findmnt" outputs the mount points with volume.
         # Convert the mount_point of the resource to a real path in case it
         # contains symlinks in its parents dirs.
+        def loop_mount_points
+          # get loop_mount_points only if not initialized earlier
+          @loop_mount_points ||= shell_out!("losetup -a").stdout
+
+        rescue Errno::ENOENT
+          @loop_mount_points = ""
+        end
 
         def mounted?
           mounted = false
-
           real_mount_point = if ::File.exists? @new_resource.mount_point
                                ::File.realpath(@new_resource.mount_point)
                              else
@@ -45,6 +51,14 @@ class Chef
             when /\A#{Regexp.escape(real_mount_point)}\s+#{device_mount_regex}\s/
               mounted = true
               logger.trace("Special device #{device_logstring} mounted as #{real_mount_point}")
+            # Permalink for loop type devices mount points https://rubular.com/r/a0bS4p2RvXsGxx
+            when %r{\A#{Regexp.escape(real_mount_point)}\s+\/dev\/loop+[0-9]+\s}
+              loop_mount_points.each_line do |mount_point|
+                if mount_point.include? device_real
+                  mounted = true
+                  break
+                end
+              end
             # Permalink for multiple devices mounted to the same mount point(i.e. '/proc') https://rubular.com/r/a356yzspU7N9TY
             when %r{\A#{Regexp.escape(real_mount_point)}\s+([/\w])+\s}
               mounted = false
@@ -64,4 +78,4 @@ class Chef
       end
     end
   end
-end
+end

data/lib/chef/provider/mount/mount.rb

@@ -279,4 +279,4 @@ class Chef
       end
     end
   end
-end
+end

data/lib/chef/provider/package/dnf.rb

@@ -98,7 +98,7 @@ class Chef
           end
         end
 
-        def magic_version
+        def magic_version_array
           package_name_array.each_with_index.map do |pkg, i|
             magical_version(i).version_with_arch
           end

data/lib/chef/provider/package/habitat.rb

@@ -108,7 +108,7 @@ class Chef
               headers["Authorization"] = "Bearer #{new_resource.auth_token}" if new_resource.auth_token
 
               Chef::JSONCompat.parse(http.get(url, headers))
-            rescue Net::HTTPServerException
+            rescue Net::HTTPClientException
               nil
             end
         end

data/lib/chef/provider/package/powershell.rb

@@ -17,13 +17,13 @@
 
 require_relative "../package"
 require_relative "../../resource/powershell_package"
-require_relative "../../mixin/powershell_out"
+require_relative "../../mixin/powershell_exec"
 
 class Chef
   class Provider
     class Package
       class Powershell < Chef::Provider::Package
-        include Chef::Mixin::PowershellOut
+        include Chef::Mixin::PowershellExec
 
         provides :powershell_package
 
@@ -54,9 +54,9 @@ class Chef
         # Installs the package specified with the version passed else latest version will be installed
         def install_package(names, versions)
           names.each_with_index do |name, index|
-            cmd = powershell_out(build_powershell_package_command("Install-Package '#{name}'", versions[index]), timeout: new_resource.timeout)
+            cmd = powershell_exec(build_powershell_package_command("Install-Package '#{name}'", versions[index]), timeout: new_resource.timeout)
             next if cmd.nil?
-            raise Chef::Exceptions::PowershellCmdletException, "Failed to install package due to catalog signing error, use skip_publisher_check to force install" if /SkipPublisherCheck/.match?(cmd.stderr)
+            raise Chef::Exceptions::PowershellCmdletException, "Failed to install package due to catalog signing error, use skip_publisher_check to force install" if /SkipPublisherCheck/.match?(cmd.error)
           end
         end
 
@@ -64,11 +64,12 @@ class Chef
         def remove_package(names, versions)
           names.each_with_index do |name, index|
             if versions && !versions[index].nil?
-              powershell_out(build_powershell_package_command("Uninstall-Package '#{name}'", versions[index]), timeout: new_resource.timeout)
+              powershell_exec(build_powershell_package_command("Uninstall-Package '#{name}'", versions[index]), timeout: new_resource.timeout)
             else
               version = "0"
               until version.empty?
-                version = powershell_out(build_powershell_package_command("Uninstall-Package '#{name}'"), timeout: new_resource.timeout).stdout.strip
+                version = powershell_exec(build_powershell_package_command("Uninstall-Package '#{name}'"), timeout: new_resource.timeout).result
+                version = version.strip if version.respond_to?(:strip)
                 unless version.empty?
                   logger.info("Removed package '#{name}' with version #{version}")
                 end
@@ -82,13 +83,14 @@ class Chef
           versions = []
           new_resource.package_name.each_with_index do |name, index|
             version = if new_resource.version && !new_resource.version[index].nil?
-                        powershell_out(build_powershell_package_command("Find-Package '#{name}'", new_resource.version[index]), timeout: new_resource.timeout).stdout.strip
+                        powershell_exec(build_powershell_package_command("Find-Package '#{name}'", new_resource.version[index]), timeout: new_resource.timeout).result
                       else
-                        powershell_out(build_powershell_package_command("Find-Package '#{name}'"), timeout: new_resource.timeout).stdout.strip
+                        powershell_exec(build_powershell_package_command("Find-Package '#{name}'"), timeout: new_resource.timeout).result
                       end
             if version.empty?
               version = nil
             end
+            version = version.strip if version.respond_to?(:strip)
             versions.push(version)
           end
           versions
@@ -99,13 +101,14 @@ class Chef
           version_list = []
           new_resource.package_name.each_with_index do |name, index|
             version = if new_resource.version && !new_resource.version[index].nil?
-                        powershell_out(build_powershell_package_command("Get-Package '#{name}'", new_resource.version[index]), timeout: new_resource.timeout).stdout.strip
+                        powershell_exec(build_powershell_package_command("Get-Package '#{name}'", new_resource.version[index]), timeout: new_resource.timeout).result
                       else
-                        powershell_out(build_powershell_package_command("Get-Package '#{name}'"), timeout: new_resource.timeout).stdout.strip
+                        powershell_exec(build_powershell_package_command("Get-Package '#{name}'"), timeout: new_resource.timeout).result
                       end
             if version.empty?
               version = nil
             end
+            version = version.strip if version.respond_to?(:strip)
             version_list.push(version)
           end
           version_list