chef 17.6.18 → 17.9.18

data/lib/chef/resource/rhsm_register.rb

@@ -79,6 +79,23 @@ class Chef
         default: false, desired_state: false,
         introduced: "15.9"
 
+      property :server_url, String,
+        description: "The hostname of the subscription service to use. The default is Customer Portal Subscription Management, subscription.rhn.redhat.com. If you do not use this option, the system registers with Customer Portal Subscription Management.",
+          introduced: "17.8"
+
+      property :base_url, String,
+        description: "The hostname of the content delivery server to use to receive updates. Both Customer Portal Subscription Management and Subscription Asset Manager use Red Hat's hosted content delivery services, with the URL https://cdn.redhat.com. Since Satellite 6 hosts its own content, the URL must be used for systems registered with Satellite 6.",
+        introduced: "17.8"
+
+      property :service_level, String,
+        description: "Sets the service level to use for subscriptions on the registering machine. This is only used with the `auto_attach` option.",
+        introduced: "17.8"
+
+      property :release,
+        [Float, String],
+        description: "Sets the operating system minor release to use for subscriptions for the system. Products and updates are limited to the specified minor release version. This is used only used with the `auto_attach` option.  For example, `release '6.4'` will append `--release=6.4` to the register command.",
+        introduced: "17.8"
+
       action :register, description: "Register the node with RHSM." do
         package "subscription-manager"
 
@@ -170,6 +187,8 @@ class Chef
               command << new_resource.activation_key.map { |key| "--activationkey=#{Shellwords.shellescape(key)}" }
               command << "--org=#{Shellwords.shellescape(new_resource.organization)}"
               command << "--name=#{Shellwords.shellescape(new_resource.system_name)}" if new_resource.system_name
+              command << "--serverurl=#{Shellwords.shellescape(new_resource.server_url)}" if new_resource.server_url
+              command << "--baseurl=#{Shellwords.shellescape(new_resource.base_url)}" if new_resource.base_url
               command << "--force" if new_resource.force
 
               return command.join(" ")
@@ -179,11 +198,23 @@ class Chef
           if new_resource.username && new_resource.password
             raise "Unable to register - you must specify environment when using username/password" if new_resource.environment.nil? && using_satellite_host?
 
+            if new_resource.service_level
+              raise "Unable to register - 'auto_attach' must be enabled when using property `service_level`." unless new_resource.auto_attach
+            end
+
+            if new_resource.release
+              raise "Unable to register - `auto_attach` must be enabled when using property `release`." unless new_resource.auto_attach
+            end
+
             command << "--username=#{Shellwords.shellescape(new_resource.username)}"
             command << "--password=#{Shellwords.shellescape(new_resource.password)}"
             command << "--environment=#{Shellwords.shellescape(new_resource.environment)}" if using_satellite_host?
             command << "--name=#{Shellwords.shellescape(new_resource.system_name)}" if new_resource.system_name
+            command << "--serverurl=#{Shellwords.shellescape(new_resource.server_url)}" if new_resource.server_url
+            command << "--baseurl=#{Shellwords.shellescape(new_resource.base_url)}" if new_resource.base_url
             command << "--auto-attach" if new_resource.auto_attach
+            command << "--servicelevel=#{Shellwords.shellescape(new_resource.service_level)}" if new_resource.service_level
+            command << "--release=#{Shellwords.shellescape(new_resource.release)}" if new_resource.release
             command << "--force" if new_resource.force
 
             return command.join(" ")

data/lib/chef/resource/support/client.erb

@@ -37,6 +37,13 @@ log_location <%= @log_location %>
 log_location <%= @log_location.inspect %>
   <% end -%>
 <% end -%>
+<%# These data_collector options are special as they have a '.' -%>
+<% unless @data_collector_server_url.nil? || @data_collector_server_url.empty? %>
+data_collector.server_url <%= @data_collector_server_url %>
+<% end %>
+<% unless @data_collector_token.nil? || @data_collector_token.empty? %>
+data_collector.token <%= @data_collector_token %>
+<% end %>
 <%# The code below is not DRY on purpose to improve readability -%>
 <% unless @start_handlers.empty? -%>
   # Do not crash if a start handler is missing / not installed yet

data/lib/chef/resource/windows_auto_run.rb

@@ -88,7 +88,7 @@ class Chef
         # @return [String]
         def registry_path
           { machine: "HKLM", user: "HKCU" }[new_resource.root] + \
-            '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'
+            "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
         end
       end
     end

data/lib/chef/resource/windows_dfs_namespace.rb

@@ -38,7 +38,7 @@ class Chef
 
       property :full_users, Array,
         description: "Determines which users should have full access to the share.",
-        default: ['BUILTIN\\administrators']
+        default: ["BUILTIN\\administrators"]
 
       property :change_users, Array,
         description: "Determines which users should have change access to the share.",
@@ -50,7 +50,7 @@ class Chef
 
       property :root, String,
         description: "The root from which to create the DFS tree. Defaults to C:\\DFSRoots.",
-        default: 'C:\\DFSRoots'
+        default: "C:\\DFSRoots"
 
       action :create, description: "Creates the dfs namespace on the server." do
         directory file_path do

data/lib/chef/resource/windows_feature_powershell.rb

@@ -100,8 +100,8 @@ class Chef
             install_command << " -Source \"#{new_resource.source}\"" if new_resource.source
             install_command << " -IncludeManagementTools" if new_resource.management_tools
 
-            cmd = powershell_out!(install_command, timeout: new_resource.timeout)
-            Chef::Log.info(cmd.stdout)
+            cmd = powershell_exec!(install_command, timeout: new_resource.timeout)
+            Chef::Log.info(cmd.result)
 
             reload_cached_powershell_data # Reload cached powershell feature state
           end
@@ -115,8 +115,8 @@ class Chef
 
         unless features_to_remove.empty?
           converge_by("remove Windows feature#{"s" if features_to_remove.count > 1} #{features_to_remove.join(",")}") do
-            cmd = powershell_out!("Uninstall-WindowsFeature #{features_to_remove.join(",")}", timeout: new_resource.timeout)
-            Chef::Log.info(cmd.stdout)
+            cmd = powershell_exec!("Uninstall-WindowsFeature #{features_to_remove.join(",")}", timeout: new_resource.timeout)
+            Chef::Log.info(cmd.result)
 
             reload_cached_powershell_data # Reload cached powershell feature state
           end
@@ -132,8 +132,8 @@ class Chef
 
         unless features_to_delete.empty?
           converge_by("delete Windows feature#{"s" if features_to_delete.count > 1} #{features_to_delete.join(",")} from the image") do
-            cmd = powershell_out!("Uninstall-WindowsFeature #{features_to_delete.join(",")} -Remove", timeout: new_resource.timeout)
-            Chef::Log.info(cmd.stdout)
+            cmd = powershell_exec!("Uninstall-WindowsFeature #{features_to_delete.join(",")} -Remove", timeout: new_resource.timeout)
+            Chef::Log.info(cmd.result)
 
             reload_cached_powershell_data # Reload cached powershell feature state
           end
@@ -215,9 +215,8 @@ class Chef
         # fetch the list of available feature names and state in JSON and parse the JSON
         def parsed_feature_list
           # Grab raw feature information from WindowsFeature
-          raw_list_of_features = powershell_out!("Get-WindowsFeature | Select-Object -Property Name,InstallState | ConvertTo-Json -Compress", timeout: new_resource.timeout).stdout
-
-          Chef::JSONCompat.from_json(raw_list_of_features)
+          raw_list_of_features = powershell_exec!("Get-WindowsFeature | Select-Object -Property Name,InstallState", timeout: new_resource.timeout).result
+          raw_list_of_features || []
         end
 
         # add the features values to the appropriate array

data/lib/chef/resource/windows_task.rb

@@ -149,7 +149,6 @@ class Chef
       DOC
 
       allowed_actions :create, :delete, :run, :end, :enable, :disable, :change
-      default_action :create
 
       property :task_name, String, regex: [%r{\A[^/\:\*\?\<\>\|]+\z}],
         description: "An optional property to set the task name if it differs from the resource block's name. Example: `Task Name` or `/Task Name`",
@@ -182,10 +181,19 @@ class Chef
         default: false
 
       property :frequency_modifier, [Integer, String],
-        default: 1
+        default: 1,
+        description: <<~DOCS
+          * For frequency `:minute` valid values are 1 to 1439
+          * For frequency `:hourly` valid values are 1 to 23
+          * For frequency `:daily` valid values are 1 to 365
+          * For frequency `:weekly` valid values are 1 to 52
+          * For frequency `:monthly` valid values are `('FIRST', 'SECOND', 'THIRD', 'FOURTH', 'LAST')` OR `1-12`.
+            * e.g. If user want to run the task on `second week of the month` use `frequency_modifier` value as `SECOND`. Multiple values for weeks of the month should be comma separated e.g. `"FIRST, THIRD, LAST"`.
+            * To run task every (n) months use values 1 to 12.
+        DOCS
 
       property :frequency, Symbol, equal_to: %i{minute hourly daily weekly monthly once on_logon onstart on_idle none},
-        description: "The frequency with which to run the task."
+        description: "The frequency with which to run the task. Note: This property is required in Chef Infra Client 14.1 or later. Note: The `:once` value requires the `start_time` property to be set."
 
       property :start_day, String,
         description: "Specifies the first date on which the task runs in **MM/DD/YYYY** format.",
@@ -195,7 +203,14 @@ class Chef
         description: "Specifies the start time to run the task, in **HH:mm** format."
 
       property :day, [String, Integer],
-        description: "The day(s) on which the task runs."
+        description:  <<~DOCS
+        The day(s) on which the task runs.
+          * Use this property when setting `frequency` to `:monthly` or `:weekly`.
+          * Valid values with frequency `:weekly` are `MON`-`SUN` or `*`.
+          * Valid values with frequency `:monthly` are `1-31`, `MON`-`SUN`, and `LASTDAY`.
+          * Use `MON`-`SUN` or `LASTDAY` if you are setting `frequency_modifier` as "FIRST, SECOND, THIRD etc." else use 1-31.
+          * Multiple days should be comma separated. e.g `1, 2, 3` or `MON, WED, FRI`.
+        DOCS
 
       property :months, String,
         description: "The Months of the year on which the task runs, such as: `JAN, FEB` or `*`. Multiple months should be comma delimited. e.g. `Jan, Feb, Mar, Dec`."
@@ -961,7 +976,7 @@ class Chef
         end
       end
 
-      action :create do
+      action :create, description: "Creates a scheduled task, or updates an existing task if any property has changed." do
         set_command_and_arguments if new_resource.command
 
         if current_resource.exists
@@ -998,7 +1013,7 @@ class Chef
         end
       end
 
-      action :run do
+      action :run, description: "Runs a scheduled task." do
         if current_resource.exists
           logger.trace "#{new_resource} task exists"
           if current_resource.task.status == "running"
@@ -1013,7 +1028,7 @@ class Chef
         end
       end
 
-      action :delete do
+      action :delete, description: "Deletes a scheduled task." do
         if current_resource.exists
           logger.trace "#{new_resource} task exists"
           converge_by("delete scheduled task #{new_resource}") do
@@ -1026,7 +1041,7 @@ class Chef
         end
       end
 
-      action :end do
+      action :end, description: "Ends a scheduled task." do
         if current_resource.exists
           logger.trace "#{new_resource} task exists"
           if current_resource.task.status != "running"
@@ -1041,7 +1056,7 @@ class Chef
         end
       end
 
-      action :enable do
+      action :enable, description: "Enables a scheduled task." do
         if current_resource.exists
           logger.trace "#{new_resource} task exists"
           if current_resource.task.status == "not scheduled"
@@ -1058,7 +1073,7 @@ class Chef
         end
       end
 
-      action :disable do
+      action :disable, description: "Disables a scheduled task." do
         if current_resource.exists
           logger.info "#{new_resource} task exists"
           if %w{ready running}.include?(current_resource.task.status)

data/lib/chef/resource/windows_update_settings.rb

@@ -145,7 +145,7 @@ class Chef
       action :set, description: "Set Windows Update settings." do
         actual_day = convert_day(new_resource.scheduled_install_day)
 
-        registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate' do
+        registry_key "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate" do
           recursive true
           values [{
             name: "DisableOSUpgrade",
@@ -180,7 +180,7 @@ class Chef
           action :create
         end
 
-        registry_key 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer' do
+        registry_key "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" do
           recursive true
           values [{
             name: "NoWindowsUpdate",
@@ -190,7 +190,7 @@ class Chef
           action :create
         end
 
-        registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU' do
+        registry_key "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU" do
           recursive true
           values [{
             name: "AUOptions",

data/lib/chef/resource.rb

@@ -454,7 +454,7 @@ class Chef
     # @param arg [String] The umask to apply while converging the resource.
     # @return [Boolean] The umask to apply while converging the resource.
     #
-    property :umask, String,
+    property :umask, [String, Integer],
       desired_state: false,
       introduced: "16.2",
       description: "Set a umask to be used for the duration of converging the resource. Defaults to `nil`, which means to use the system umask. Unsupported on Windows because Windows lacks a direct equivalent to UNIX's umask."
@@ -1508,7 +1508,7 @@ class Chef
     # @return Chef::CookbookVersion The cookbook in which this Resource was defined.
     #
     def cookbook_version
-      if cookbook_name
+      if cookbook_name && cookbook_name != "@recipe_files"
         run_context.cookbook_collection[cookbook_name]
       end
     end

data/lib/chef/resource_reporter.rb

@@ -41,7 +41,7 @@ class Chef
       as_hash["result"] = action_record.action.to_s
       if new_resource.cookbook_name
         as_hash["cookbook_name"] = new_resource.cookbook_name
-        as_hash["cookbook_version"] = new_resource.cookbook_version.version
+        as_hash["cookbook_version"] = new_resource.cookbook_version&.version
       end
 
       as_hash

data/lib/chef/secret_fetcher/azure_key_vault.rb

@@ -1,4 +1,8 @@
 require_relative "base"
+require_relative "../exceptions"
+require "json" unless defined?(JSON)
+require "net/http" unless defined?(Net::HTTP)
+require "uri" unless defined?(URI)
 
 class Chef
   class SecretFetcher
@@ -14,13 +18,19 @@ class Chef
     #
     # @example
     #
-    # fetcher = SecretFetcher.for_service(:azure_key_vault, { vault: "my_vault" }, run_context )
+    # fetcher = SecretFetcher.for_service(:azure_key_vault, { vault: "my_vault" }, run_context)
     # fetcher.fetch("secretkey1", "v1")
     #
     # @example
     #
-    # fetcher = SecretFetcher.for_service(:azure_key_vault, {}, run_context )
+    # fetcher = SecretFetcher.for_service(:azure_key_vault, {}, run_context)
     # fetcher.fetch("my_vault/secretkey1", "v1")
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:azure_key_vault, { client_id: "540d76b6-7f76-456c-b68b-ccae4dc9d99d" }, run_context)
+    # fetcher.fetch("my_vault/secretkey1", "v1")
+    #
     class AzureKeyVault < Base
 
       def do_fetch(name, version)
@@ -48,6 +58,12 @@ class Chef
         end
       end
 
+      def validate!
+        raise Chef::Exceptions::Secret::ConfigurationInvalid, "You may only specify one (these are mutually exclusive): :object_id, :client_id, or :mi_res_id" if [object_id, client_id, mi_res_id].select { |x| !x.nil? }.length > 1
+      end
+
+      private
+
       # Determine the vault name and secret name from the provided name.
       # If it is not in the provided name in the form "vault_name/secret_name"
       # it will determine the vault name from `config[:vault]`.
@@ -63,16 +79,56 @@ class Chef
         end
       end
 
+      def api_version
+        "2018-02-01"
+      end
+
+      def resource
+        "https://vault.azure.net"
+      end
+
+      def object_id
+        config[:object_id]
+      end
+
+      def client_id
+        config[:client_id]
+      end
+
+      def mi_res_id
+        config[:mi_res_id]
+      end
+
+      def token_query
+        @token_query ||= begin
+          p = {}
+          p["api-version"] = api_version
+          p["resource"] = resource
+          p["object_id"] = object_id if object_id
+          p["client_id"] = client_id if client_id
+          p["mi_res_id"] = mi_res_id if mi_res_id
+          URI.encode_www_form(p)
+        end
+      end
+
       def fetch_token
-        token_uri = URI.parse("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net")
+        token_uri = URI.parse("http://169.254.169.254/metadata/identity/oauth2/token")
+        token_uri.query = token_query
         http = Net::HTTP.new(token_uri.host, token_uri.port)
         response = http.get(token_uri, { "Metadata" => "true" })
-        body = JSON.parse(response.body)
-        body["access_token"]
+
+        case response
+        when Net::HTTPSuccess
+          body = JSON.parse(response.body)
+          body["access_token"]
+        when Net::HTTPBadRequest
+          body = JSON.parse(response.body)
+          raise Chef::Exceptions::Secret::Azure::IdentityNotFound if body["error_description"] =~ /identity not found/i
+        else
+          body = JSON.parse(response.body)
+          body["access_token"]
+        end
       end
     end
   end
 end
-
-
-

data/lib/chef/secret_fetcher/hashi_vault.rb

@@ -31,6 +31,10 @@ class Chef
     # :auth_method - one of :iam_role, :token.  default: :iam_role
     # :vault_addr - the address of a running Vault instance, eg https://vault.example.com:8200
     #
+    # For `:approle`: one of `:approle_name` or `:approle_id`
+    #     `:approle_name`: The name of the approle to use for authentication.  When specified, associated `:approle_id` will be found via query to Vault instance.
+    #     `:approle_id`: The ID of the approle to use for authentication, requires `:approle_secret_id`
+    #     `:approle_secret_id`: The Vault `secret_id` associated with the provided `:approle_name` or `:approle_id`.  When specified, prevents need to create `:secret_id` with `:approle_name`.
     # For `:token` auth: `:token` - a Vault token valid for authentication.
     #
     # For `:iam_role`:  `:role_name` - the name of the role in Vault that was created
@@ -47,14 +51,25 @@ class Chef
     #
     # @example
     #
-    # fetcher = SecretFetcher.for_service(:hashi_vault, { role_name: "testing-role", vault_addr: https://localhost:8200}, run_context )
+    # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :iam_role, role_name: "testing-role", vault_addr: https://localhost:8200}, run_context )
     # fetcher.fetch("secretkey1")
     #
     # @example
     #
-    # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :token, token: "s.1234abcdef", vault_addr: https://localhost:8200}, run_context )
+    # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :token, token: "s.1234abcdef", vault_addr: https://localhost:8200}, approle: 'approle_name', run_context )
     # fetcher.fetch("secretkey1")
-    SUPPORTED_AUTH_TYPES = %i{iam_role token}.freeze
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :approle, approle_id: "11111111-abcd-1111-abcd-111111111111", approle_secret_id: "22222222-abcd-2222-abcd-222222222222", vault_addr: https://localhost:8200}, run_context )
+    # fetcher.fetch("secretkey1")
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :approle, approle_name: "testing-role", token: "s.1234abcdef", vault_addr: https://localhost:8200}, run_context )
+    # fetcher.fetch("secretkey1")
+    #
+    SUPPORTED_AUTH_TYPES = %i{approle iam_role token}.freeze
     class HashiVault < Base
 
       # Validate and authenticate the current session using the configured auth strategy and parameters
@@ -67,6 +82,25 @@ class Chef
         Vault.namespace = config[:namespace] unless config[:namespace].nil?
 
         case config[:auth_method]
+        when :approle
+          unless config[:approle_name] || config[:approle_id]
+            raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the :approle_name or :approle_id in the configuration with :auth_method set to :approle")
+          end
+
+          # When :approle_id and :approle_secret_id are both specified, all pieces are present which are needed to authenticate using an approle.
+          #  If either is missing, we need to authenticate to Vault to get the missing pieces with the :approle_name and optionally :token.
+          unless config[:approle_id] && config[:approle_secret_id]
+            if config[:approle_name].nil?
+              raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the :approle_name in the configuration when :approle_id and :approle_secret_id are not both present with :auth_method set to :approle")
+            end
+
+            Vault.token = config[:token] unless config[:token].nil?
+          end
+
+          approle_id = config[:approle_id] || Vault.approle.role_id(config[:approle_name])
+          approle_secret_id = config[:approle_secret_id] || Vault.approle.create_secret_id(config[:approle_name]).data[:secret_id]
+
+          Vault.auth.approle(approle_id, approle_secret_id)
         when :token
           if config[:token].nil?
             raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the token in the configuration as :token")

data/lib/chef/secret_fetcher.rb

@@ -58,4 +58,3 @@ class Chef
     end
   end
 end
-

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("..", __dir__)
-  VERSION = Chef::VersionString.new("17.6.18")
+  VERSION = Chef::VersionString.new("17.9.18")
 end
 
 #

data/spec/functional/dsl/reboot_pending_spec.rb

@@ -39,8 +39,8 @@ describe Chef::DSL::RebootPending, :windows_only do
     let(:reg_key) { nil }
     let(:original_set) { false }
 
-    describe 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations' do
-      let(:reg_key) { 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager' }
+    describe "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations" do
+      let(:reg_key) { "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" }
       let(:original_set) { registry.value_exists?(reg_key, { name: "PendingFileRenameOperations" }) }
 
       it "returns true if the registry value exists" do
@@ -78,7 +78,7 @@ describe Chef::DSL::RebootPending, :windows_only do
 
     describe "when there is nothing to indicate a reboot is pending" do
       it "should return false" do
-        skip "reboot pending" if registry_value_exists?('HKLM\SYSTEM\CurrentControlSet\Control\Session Manager', { name: "PendingFileRenameOperations" }) ||
+        skip "reboot pending" if registry_value_exists?("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager", { name: "PendingFileRenameOperations" }) ||
           registry_key_exists?('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') ||
           registry_key_exists?('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
         expect(recipe.reboot_pending?).to be_falsey

data/spec/functional/dsl/registry_helper_spec.rb

@@ -24,7 +24,7 @@ describe Chef::Resource::RegistryKey, :windows_only do
   before(:all) do
     ::Win32::Registry::HKEY_CURRENT_USER.create "Software\\Root"
     ::Win32::Registry::HKEY_CURRENT_USER.create "Software\\Root\\Branch"
-    ::Win32::Registry::HKEY_CURRENT_USER.open('Software\\Root', Win32::Registry::KEY_ALL_ACCESS) do |reg|
+    ::Win32::Registry::HKEY_CURRENT_USER.open("Software\\Root", Win32::Registry::KEY_ALL_ACCESS) do |reg|
       reg["RootType1", Win32::Registry::REG_SZ] = "fibrous"
       reg.write("Roots", Win32::Registry::REG_MULTI_SZ, ["strong roots", "healthy tree"])
     end