chef 17.7.22 → 17.9.26

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 830ef86569d7fc3510b6428198eaf8f6befb9473f808af1f77ae7d1e95171fb7
-  data.tar.gz: 58d92cc9852026920805cb37699360c2f13edf4f8404839c8ab0ba5de1e54f21
+  metadata.gz: 36dbce2fafed93ea8c76e98161ac43fd4e11dfece0cfaffb37de8ccc0e6d3635
+  data.tar.gz: 0bf1c93e247430baf36b78eb3b942ba1037f9c23429efc5f05fa9e5ff3ed4bfa
 SHA512:
-  metadata.gz: f07a07a8726c05f0b967e65f391388b7206b6590d598360b2aac3d26e48c773573366153d58dcf1392cbffc4552ed1756096d243ed2d076820d10394999abdb3
-  data.tar.gz: 8c6a775624f533de9112b3c77cae54ba033e94faca6a87fd0c44c7772a64e2f4f981c550813f2deb6c8bf1326adc33877fc15e4fb1d16a65ab98ec6f20297bde
+  metadata.gz: d8054644c9e4cf9ead5fc960de3f4561d78afd86cb5b43cfb9893cfc772726a4a6c262dfd9bcff44bfea6a047515f93b78dec98d52afa7d0d764beee2fa68380
+  data.tar.gz: 7e57743c2142e7d979a679593d035916c46fb85290c49f059f49830d075dbd343c122dd0b8546912482b6f4ef7108cd780a36836c1b6005cca9f269351318917

data/Gemfile

@@ -29,7 +29,7 @@ group(:omnibus_package, :pry) do
   # some work is ongoing? https://github.com/deivid-rodriguez/pry-byebug/issues/343
   gem "pry", "= 0.13.0"
   # byebug does not install on freebsd on ruby 3.0
-  gem "pry-byebug" unless RUBY_PLATFORM =~ /freebsd/i
+  gem "pry-byebug" unless RUBY_PLATFORM.match?(/freebsd/i)
   gem "pry-stack_explorer"
 end
 

data/lib/chef/application/base.rb

@@ -254,7 +254,7 @@ class Chef::Application::Base < Chef::Application
     short: "-K KEY_FILE",
     long: "--validation_key KEY_FILE",
     description: "Set the validation key file location, used for registering new clients.",
-    proc: nil
+    proc: lambda { |argument| File.expand_path(argument) }
 
   option :client_key,
     short: "-k KEY_FILE",

data/lib/chef/application/exit_code.rb

@@ -90,45 +90,31 @@ class Chef
         end
 
         def reboot_scheduled?(exception)
-          resolve_exception_array(exception).any? do |e|
-            e.is_a? Chef::Exceptions::Reboot
-          end
+          resolve_exception_array(exception).any?(Chef::Exceptions::Reboot)
         end
 
         def reboot_needed?(exception)
-          resolve_exception_array(exception).any? do |e|
-            e.is_a? Chef::Exceptions::RebootPending
-          end
+          resolve_exception_array(exception).any?(Chef::Exceptions::RebootPending)
         end
 
         def reboot_failed?(exception)
-          resolve_exception_array(exception).any? do |e|
-            e.is_a? Chef::Exceptions::RebootFailed
-          end
+          resolve_exception_array(exception).any?(Chef::Exceptions::RebootFailed)
         end
 
         def configuration_failure?(exception)
-          resolve_exception_array(exception).any? do |e|
-            e.is_a? Chef::Exceptions::ConfigurationError
-          end
+          resolve_exception_array(exception).any?(Chef::Exceptions::ConfigurationError)
         end
 
         def client_upgraded?(exception)
-          resolve_exception_array(exception).any? do |e|
-            e.is_a? Chef::Exceptions::ClientUpgraded
-          end
+          resolve_exception_array(exception).any?(Chef::Exceptions::ClientUpgraded)
         end
 
         def sigint_received?(exception)
-          resolve_exception_array(exception).any? do |e|
-            e.is_a? Chef::Exceptions::SigInt
-          end
+          resolve_exception_array(exception).any?(Chef::Exceptions::SigInt)
         end
 
         def sigterm_received?(exception)
-          resolve_exception_array(exception).any? do |e|
-            e.is_a? Chef::Exceptions::SigTerm
-          end
+          resolve_exception_array(exception).any?(Chef::Exceptions::SigTerm)
         end
 
         def resolve_exception_array(exception)

data/lib/chef/compliance/default_attributes.rb

@@ -28,7 +28,7 @@ class Chef
       # Controls what is done with the resulting report after the Chef InSpec run.
       # Accepts a single string value or an array of multiple values.
       # Accepted values: 'chef-server-automate', 'chef-automate', 'json-file', 'audit-enforcer', 'cli'
-      "reporter" => "cli",
+      "reporter" => nil,
 
       # Controls if Chef InSpec profiles should be fetched from Chef Automate or Chef Infra Server
       # in addition to the default fetch locations provided by Chef Inspec.
@@ -94,7 +94,17 @@ class Chef
 
       # Should the built-in compliance phase run. True and false force the behavior. Nil does magic based on if you have
       # profiles defined but do not have the audit cookbook enabled.
-      "compliance_phase" => false
+      "compliance_phase" => false,
+
+      "interval" => {
+        # control how often inspec scans are run, if not on every node converge
+        # notes: false value will result in running inspec scan every converge
+        "enabled" => false,
+
+        # controls how often inspec scans are run (in minutes)
+        # notes: only used if interval is enabled above
+        "time" => 1440,
+      }
     )
   end
 end

data/lib/chef/compliance/runner.rb

@@ -71,7 +71,7 @@ class Chef
 
         logger.debug("#{self.class}##{__method__}: enabling Compliance Phase")
 
-        report
+        report_with_interval
       end
 
       def run_failed(_exception, _run_status)
@@ -82,7 +82,7 @@ class Chef
 
         logger.debug("#{self.class}##{__method__}: enabling Compliance Phase")
 
-        report
+        report_with_interval
       end
 
       ### Below code adapted from audit cookbook's files/default/handler/audit_report.rb
@@ -92,7 +92,6 @@ class Chef
         fail_if_not_present
         inspec_gem_source
         inspec_version
-        interval
         owner
         raise_if_unreachable
       }.freeze
@@ -106,6 +105,15 @@ class Chef
         end
       end
 
+      def report_with_interval
+        if interval_seconds_left <= 0
+          create_timestamp_file if interval_enabled
+          report
+        else
+          logger.info "Skipping Chef Infra Compliance Phase due to interval settings (next run in #{interval_seconds_left / 60.0} mins)"
+        end
+      end
+
       def report(report = nil)
         logger.info "Starting Chef Infra Compliance Phase"
         report ||= generate_report
@@ -118,7 +126,7 @@ class Chef
           return
         end
 
-        Array(node["audit"]["reporter"]).each do |reporter_type|
+        requested_reporters.each do |reporter_type|
           logger.info "Reporting to #{reporter_type}"
           @reporters[reporter_type].send_report(report)
         end
@@ -325,7 +333,7 @@ class Chef
         @reporters = {}
         # Note that the docs don't say you can use an array, but our implementation
         # supports it.
-        Array(node["audit"]["reporter"]).each do |type|
+        requested_reporters.each do |type|
           unless SUPPORTED_REPORTERS.include? type
             raise "CMPL003: '#{type}' found in node['audit']['reporter'] is not a supported reporter for Compliance Phase. Supported reporters are: #{SUPPORTED_REPORTERS.join(", ")}. For more information, see the documentation at https://docs.chef.io/chef_compliance_phase#reporters"
           end
@@ -358,6 +366,44 @@ class Chef
       def safe_input_collection
         run_context&.input_collection
       end
+
+      def requested_reporters
+        (Array(node["audit"]["reporter"]) + ["cli"]).uniq
+      end
+
+      def create_timestamp_file
+        FileUtils.touch report_timing_file
+      end
+
+      def report_timing_file
+        ::File.join(Chef::FileCache.create_cache_path("compliance"), "report_timing.json")
+      end
+
+      def interval_time
+        @interval_time ||= node.read("audit", "interval", "time")
+      end
+
+      def interval_enabled
+        @interval_enabled ||= node.read("audit", "interval", "enabled")
+      end
+
+      def interval_seconds
+        @interval_seconds ||=
+          if interval_enabled
+            logger.debug "Running Chef Infra Compliance Phase every #{interval_time} minutes"
+            interval_time * 60
+          else
+            logger.debug "Running Chef Infra Compliance Phase on every run"
+            0
+          end
+      end
+
+      def interval_seconds_left
+        return 0 unless ::File.exist?(report_timing_file)
+
+        seconds_since_last_run = Time.now - ::File.mtime(report_timing_file)
+        interval_seconds - seconds_since_last_run
+      end
     end
   end
 end

data/lib/chef/cookbook/syntax_check.rb

@@ -113,7 +113,7 @@ class Chef
       end
 
       def remove_uninteresting_ruby_files(file_list)
-        file_list.reject { |f| f =~ %r{#{Regexp.quote(cookbook_path)}/(files|templates)/} }
+        file_list.grep_v(%r{#{Regexp.quote(cookbook_path)}/(files|templates)/})
       end
 
       def ruby_files

data/lib/chef/cookbook_version.rb

@@ -598,7 +598,7 @@ class Chef
         filename = record[:name]
         base_dup_name = File.join(File.dirname(filename), File.basename(filename, File.extname(filename)))
         yml_files.each do |other|
-          if other[:name] =~ /#{(File.extname(filename) == ".yml") ? "#{base_dup_name}.yaml" : "#{base_dup_name}.yml"}$/
+          if /#{(File.extname(filename) == ".yml") ? "#{base_dup_name}.yaml" : "#{base_dup_name}.yml"}$/.match?(other[:name])
             raise Chef::Exceptions::AmbiguousYAMLFile.new("Cookbook #{name}@#{version} contains ambiguous files: #{filename} and #{other[:name]}. Please update the cookbook to remove the incorrect file.")
           end
         end

data/lib/chef/mixin/powershell_exec.rb

@@ -104,13 +104,14 @@ class Chef
       #
       # @param script [String] script to run
       # @param interpreter [Symbol] the interpreter type, `:powershell` or `:pwsh`
+      # @param timeout [Integer, nil] timeout in seconds.
       # @return [Chef::PowerShell] output
-      def powershell_exec(script, interpreter = :powershell)
+      def powershell_exec(script, interpreter = :powershell, timeout: -1)
         case interpreter
         when :powershell
-          Chef::PowerShell.new(script)
+          Chef::PowerShell.new(script, timeout: timeout)
         when :pwsh
-          Chef::Pwsh.new(script)
+          Chef::Pwsh.new(script, timeout: timeout)
         else
           raise ArgumentError, "Expected interpreter of :powershell or :pwsh"
         end
@@ -118,8 +119,8 @@ class Chef
 
       # The same as the #powershell_exec method except this will raise
       # Chef::PowerShell::CommandFailed if the command fails
-      def powershell_exec!(script, interpreter = :powershell)
-        cmd = powershell_exec(script, interpreter)
+      def powershell_exec!(script, interpreter = :powershell, **options)
+        cmd = powershell_exec(script, interpreter, **options)
         cmd.error!
         cmd
       end

data/lib/chef/mixin/why_run.rb

@@ -242,8 +242,12 @@ class Chef
           end
         end
 
-        def initialize(resource, run_context)
-          @resource, @run_context = resource, run_context
+        attr_accessor :action
+
+        def initialize(resource, run_context, action)
+          @resource = resource
+          @run_context = run_context
+          @action = action
           @assertions = Hash.new { |h, k| h[k] = [] }
           @blocked_actions = []
         end
@@ -305,6 +309,8 @@ class Chef
         #                       "You don't have sufficient privileges to delete #{@new_resource.path}")
         #   end
         def assert(*actions)
+          return unless actions.include?(action.to_sym) || actions.include?(:all_actions)
+
           assertion = Assertion.new
           yield assertion
           actions.each { |action| @assertions[action] << assertion }

data/lib/chef/powershell.rb

@@ -33,15 +33,16 @@ class Chef
     # Requires: .NET Framework 4.0 or higher on the target machine.
     #
     # @param script [String] script to run
+    # @param timeout [Integer, nil] timeout in seconds.
     # @return [Object] output
-    def initialize(script)
+    def initialize(script, timeout: -1)
       # This Powershell DLL source lives here: https://github.com/chef/chef-powershell-shim
       # Every merge into that repo triggers a Habitat build and promotion. Running
       # the rake :update_chef_exec_dll task in this (chef/chef) repo will pull down
       # the built packages and copy the binaries to distro/ruby_bin_folder. Bundle install
       # ensures that the correct architecture binaries are installed into the path.
       @dll ||= "Chef.PowerShell.Wrapper.dll"
-      exec(script)
+      exec(script, timeout: timeout)
     end
 
     #
@@ -64,12 +65,13 @@ class Chef
       raise Chef::PowerShell::CommandFailed, "Unexpected exit in PowerShell command: #{@errors}" if error?
     end
 
-    protected
+    private
 
-    def exec(script)
+    def exec(script, timeout: -1)
       FFI.ffi_lib @dll
-      FFI.attach_function :execute_powershell, :ExecuteScript, [:string], :pointer
-      execution = FFI.execute_powershell(script).read_utf16string
+      FFI.attach_function :execute_powershell, :ExecuteScript, %i{string int}, :pointer
+      timeout = -1 if timeout == 0 || timeout.nil?
+      execution = FFI.execute_powershell(script, timeout).read_utf16string
       hashed_outcome = Chef::JSONCompat.parse(execution)
       @result = Chef::JSONCompat.parse(hashed_outcome["result"])
       @errors = hashed_outcome["errors"]

data/lib/chef/provider/cron.rb

@@ -92,7 +92,7 @@ class Chef
         end
       end
 
-      action :create do
+      action :create, description: "Create an entry in a cron table file (crontab). If an entry already exists (but does not match), update that entry to match." do
         crontab = ""
         newcron = ""
         cron_found = false
@@ -149,7 +149,7 @@ class Chef
         end
       end
 
-      action :delete do
+      action :delete, description: "Delete an entry from a cron table file (crontab)." do
         if @cron_exists
           crontab = ""
           cron_found = false

data/lib/chef/provider/directory.rb

@@ -121,7 +121,7 @@ class Chef
         end
       end
 
-      action :create do
+      action :create, description: "Create a directory. If a directory already exists (but does not match), update that directory to match." do
         unless ::File.exist?(new_resource.path)
           converge_by("create new directory #{new_resource.path}") do
             if new_resource.recursive == true
@@ -137,7 +137,7 @@ class Chef
         load_resource_attributes_from_file(new_resource) unless Chef::Config[:why_run]
       end
 
-      action :delete do
+      action :delete, description: "Delete a directory." do
         if ::File.exist?(new_resource.path)
           converge_by("delete existing directory #{new_resource.path}") do
             if new_resource.recursive == true

data/lib/chef/provider/ifconfig.rb

@@ -120,7 +120,7 @@ class Chef
           @status = shell_out("ifconfig")
           @status.stdout.each_line do |line|
             addr_regex = /^((\w|-)+):?(\d*):?\ .+$/
-            if line =~ addr_regex
+            if line&.match?(addr_regex)
               if line.match(addr_regex).nil?
                 @int_name = "nil"
               elsif line.match(addr_regex)[3] == ""
@@ -168,7 +168,7 @@ class Chef
         end
       end
 
-      action :add do
+      action :add, description: "Run ifconfig to configure a network interface and (on some platforms) write a configuration file for that network interface." do
         # check to see if load_current_resource found interface in ifconfig
         unless current_resource.inet_addr
           unless new_resource.device == loopback_device
@@ -183,7 +183,7 @@ class Chef
         generate_config
       end
 
-      action :enable do
+      action :enable, description: "Run ifconfig to enable a network interface." do
         # check to see if load_current_resource found ifconfig
         # enables, but does not manage config files
         return if current_resource.inet_addr
@@ -196,7 +196,7 @@ class Chef
         end
       end
 
-      action :delete do
+      action :delete, description: "Run ifconfig to disable a network interface and (on some platforms) delete that network interface’s configuration file." do
         # check to see if load_current_resource found the interface
         if current_resource.device
           command = delete_command
@@ -210,7 +210,7 @@ class Chef
         delete_config
       end
 
-      action :disable do
+      action :disable, description: "Run ifconfig to disable a network interface." do
         # check to see if load_current_resource found the interface
         # disables, but leaves config files in place.
         if current_resource.device

data/lib/chef/provider/mount/linux.rb

@@ -29,10 +29,16 @@ class Chef
         # "findmnt" outputs the mount points with volume.
         # Convert the mount_point of the resource to a real path in case it
         # contains symlinks in its parents dirs.
+        def loop_mount_points
+          # get loop_mount_points only if not initialized earlier
+          @loop_mount_points ||= shell_out!("losetup -a").stdout
+
+        rescue Errno::ENOENT
+          @loop_mount_points = ""
+        end
 
         def mounted?
           mounted = false
-
           real_mount_point = if ::File.exists? @new_resource.mount_point
                                ::File.realpath(@new_resource.mount_point)
                              else
@@ -45,6 +51,14 @@ class Chef
             when /\A#{Regexp.escape(real_mount_point)}\s+#{device_mount_regex}\s/
               mounted = true
               logger.trace("Special device #{device_logstring} mounted as #{real_mount_point}")
+            # Permalink for loop type devices mount points https://rubular.com/r/a0bS4p2RvXsGxx
+            when %r{\A#{Regexp.escape(real_mount_point)}\s+\/dev\/loop+[0-9]+\s}
+              loop_mount_points.each_line do |mount_point|
+                if mount_point.include? device_real
+                  mounted = true
+                  break
+                end
+              end
             # Permalink for multiple devices mounted to the same mount point(i.e. '/proc') https://rubular.com/r/a356yzspU7N9TY
             when %r{\A#{Regexp.escape(real_mount_point)}\s+([/\w])+\s}
               mounted = false
@@ -64,4 +78,4 @@ class Chef
       end
     end
   end
-end
+end

data/lib/chef/provider/mount/mount.rb

@@ -279,4 +279,4 @@ class Chef
       end
     end
   end
-end
+end

data/lib/chef/provider/package/dnf.rb

@@ -98,7 +98,7 @@ class Chef
           end
         end
 
-        def magic_version
+        def magic_version_array
           package_name_array.each_with_index.map do |pkg, i|
             magical_version(i).version_with_arch
           end

data/lib/chef/provider/package/habitat.rb

@@ -108,7 +108,7 @@ class Chef
               headers["Authorization"] = "Bearer #{new_resource.auth_token}" if new_resource.auth_token
 
               Chef::JSONCompat.parse(http.get(url, headers))
-            rescue Net::HTTPServerException
+            rescue Net::HTTPClientException
               nil
             end
         end

data/lib/chef/provider/package/powershell.rb

@@ -17,13 +17,13 @@
 
 require_relative "../package"
 require_relative "../../resource/powershell_package"
-require_relative "../../mixin/powershell_out"
+require_relative "../../mixin/powershell_exec"
 
 class Chef
   class Provider
     class Package
       class Powershell < Chef::Provider::Package
-        include Chef::Mixin::PowershellOut
+        include Chef::Mixin::PowershellExec
 
         provides :powershell_package
 
@@ -54,9 +54,9 @@ class Chef
         # Installs the package specified with the version passed else latest version will be installed
         def install_package(names, versions)
           names.each_with_index do |name, index|
-            cmd = powershell_out(build_powershell_package_command("Install-Package '#{name}'", versions[index]), timeout: new_resource.timeout)
+            cmd = powershell_exec(build_powershell_package_command("Install-Package '#{name}'", versions[index]), timeout: new_resource.timeout)
             next if cmd.nil?
-            raise Chef::Exceptions::PowershellCmdletException, "Failed to install package due to catalog signing error, use skip_publisher_check to force install" if /SkipPublisherCheck/.match?(cmd.stderr)
+            raise Chef::Exceptions::PowershellCmdletException, "Failed to install package due to catalog signing error, use skip_publisher_check to force install" if /SkipPublisherCheck/.match?(cmd.error)
           end
         end
 
@@ -64,11 +64,12 @@ class Chef
         def remove_package(names, versions)
           names.each_with_index do |name, index|
             if versions && !versions[index].nil?
-              powershell_out(build_powershell_package_command("Uninstall-Package '#{name}'", versions[index]), timeout: new_resource.timeout)
+              powershell_exec(build_powershell_package_command("Uninstall-Package '#{name}'", versions[index]), timeout: new_resource.timeout)
             else
               version = "0"
               until version.empty?
-                version = powershell_out(build_powershell_package_command("Uninstall-Package '#{name}'"), timeout: new_resource.timeout).stdout.strip
+                version = powershell_exec(build_powershell_package_command("Uninstall-Package '#{name}'"), timeout: new_resource.timeout).result
+                version = version.strip if version.respond_to?(:strip)
                 unless version.empty?
                   logger.info("Removed package '#{name}' with version #{version}")
                 end
@@ -82,13 +83,14 @@ class Chef
           versions = []
           new_resource.package_name.each_with_index do |name, index|
             version = if new_resource.version && !new_resource.version[index].nil?
-                        powershell_out(build_powershell_package_command("Find-Package '#{name}'", new_resource.version[index]), timeout: new_resource.timeout).stdout.strip
+                        powershell_exec(build_powershell_package_command("Find-Package '#{name}'", new_resource.version[index]), timeout: new_resource.timeout).result
                       else
-                        powershell_out(build_powershell_package_command("Find-Package '#{name}'"), timeout: new_resource.timeout).stdout.strip
+                        powershell_exec(build_powershell_package_command("Find-Package '#{name}'"), timeout: new_resource.timeout).result
                       end
             if version.empty?
               version = nil
             end
+            version = version.strip if version.respond_to?(:strip)
             versions.push(version)
           end
           versions
@@ -99,13 +101,14 @@ class Chef
           version_list = []
           new_resource.package_name.each_with_index do |name, index|
             version = if new_resource.version && !new_resource.version[index].nil?
-                        powershell_out(build_powershell_package_command("Get-Package '#{name}'", new_resource.version[index]), timeout: new_resource.timeout).stdout.strip
+                        powershell_exec(build_powershell_package_command("Get-Package '#{name}'", new_resource.version[index]), timeout: new_resource.timeout).result
                       else
-                        powershell_out(build_powershell_package_command("Get-Package '#{name}'"), timeout: new_resource.timeout).stdout.strip
+                        powershell_exec(build_powershell_package_command("Get-Package '#{name}'"), timeout: new_resource.timeout).result
                       end
             if version.empty?
               version = nil
             end
+            version = version.strip if version.respond_to?(:strip)
             version_list.push(version)
           end
           version_list