chef 17.7.22 → 17.9.26
- checksums.yaml +4 -4
- data/Gemfile +1 -1
- data/lib/chef/application/base.rb +1 -1
- data/lib/chef/application/exit_code.rb +7 -21
- data/lib/chef/compliance/default_attributes.rb +12 -2
- data/lib/chef/compliance/runner.rb +51 -5
- data/lib/chef/cookbook/syntax_check.rb +1 -1
- data/lib/chef/cookbook_version.rb +1 -1
- data/lib/chef/mixin/powershell_exec.rb +6 -5
- data/lib/chef/mixin/why_run.rb +8 -2
- data/lib/chef/powershell.rb +8 -6
- data/lib/chef/provider/cron.rb +2 -2
- data/lib/chef/provider/directory.rb +2 -2
- data/lib/chef/provider/ifconfig.rb +5 -5
- data/lib/chef/provider/mount/linux.rb +16 -2
- data/lib/chef/provider/mount/mount.rb +1 -1
- data/lib/chef/provider/package/dnf.rb +1 -1
- data/lib/chef/provider/package/habitat.rb +1 -1
- data/lib/chef/provider/package/powershell.rb +13 -10
- data/lib/chef/provider/package/yum/python_helper.rb +81 -25
- data/lib/chef/provider/package/yum.rb +39 -12
- data/lib/chef/provider/package/zypper.rb +2 -0
- data/lib/chef/provider/package.rb +63 -28
- data/lib/chef/provider/user/mac.rb +3 -3
- data/lib/chef/provider.rb +5 -2
- data/lib/chef/providers.rb +0 -1
- data/lib/chef/pwsh.rb +3 -2
- data/lib/chef/resource/apt_package.rb +2 -2
- data/lib/chef/resource/chef_client_config.rb +21 -1
- data/lib/chef/resource/chef_client_launchd.rb +1 -1
- data/lib/chef/resource/chef_client_trusted_certificate.rb +1 -0
- data/lib/chef/resource/chocolatey_package.rb +3 -3
- data/lib/chef/resource/cron/cron.rb +75 -1
- data/lib/chef/resource/cron/cron_d.rb +2 -1
- data/lib/chef/resource/dnf_package.rb +4 -6
- data/lib/chef/resource/dpkg_package.rb +5 -0
- data/lib/chef/resource/execute.rb +1 -4
- data/lib/chef/resource/habitat/habitat_sup.rb +1 -1
- data/lib/chef/resource/habitat/habitat_sup_windows.rb +1 -1
- data/lib/chef/resource/habitat_install.rb +2 -2
- data/lib/chef/resource/homebrew_tap.rb +1 -5
- data/lib/chef/resource/inspec_waiver_file_entry.rb +1 -1
- data/lib/chef/resource/launchd.rb +2 -5
- data/lib/chef/resource/macos_userdefaults.rb +25 -30
- data/lib/chef/resource/powershell_package_source.rb +8 -8
- data/lib/chef/resource/remote_file.rb +1 -1
- data/lib/chef/resource/rhsm_register.rb +31 -0
- data/lib/chef/resource/support/client.erb +7 -0
- data/lib/chef/resource/windows_feature_powershell.rb +8 -9
- data/lib/chef/resource/windows_task.rb +25 -10
- data/lib/chef/resource.rb +3 -3
- data/lib/chef/resource_reporter.rb +1 -1
- data/lib/chef/run_lock.rb +1 -1
- data/lib/chef/secret_fetcher/azure_key_vault.rb +4 -2
- data/lib/chef/secret_fetcher/hashi_vault.rb +37 -3
- data/lib/chef/version.rb +1 -1
- data/spec/functional/resource/dnf_package_spec.rb +138 -124
- data/spec/functional/resource/dpkg_package_spec.rb +16 -0
- data/spec/functional/resource/macos_userdefaults_spec.rb +21 -1
- data/spec/functional/resource/yum_package_spec.rb +789 -129
- data/spec/functional/resource/zypper_package_spec.rb +7 -0
- data/spec/integration/client/client_spec.rb +31 -0
- data/spec/spec_helper.rb +3 -3
- data/spec/support/platform_helpers.rb +1 -1
- data/spec/support/ruby_installer.rb +1 -1
- data/spec/support/shared/functional/file_resource.rb +1 -1
- data/spec/support/shared/unit/provider/useradd_based_user_provider.rb +1 -1
- data/spec/unit/application/base_spec.rb +40 -0
- data/spec/unit/compliance/runner_spec.rb +62 -1
- data/spec/unit/dsl/registry_helper_spec.rb +6 -6
- data/spec/unit/file_access_control_spec.rb +1 -1
- data/spec/unit/guard_interpreter/resource_guard_interpreter_spec.rb +1 -1
- data/spec/unit/lwrp_spec.rb +2 -2
- data/spec/unit/mixin/why_run_spec.rb +53 -0
- data/spec/unit/provider/dsc_script_spec.rb +8 -8
- data/spec/unit/provider/group/groupadd_spec.rb +1 -0
- data/spec/unit/provider/group/usermod_spec.rb +4 -4
- data/spec/unit/provider/ifconfig/aix_spec.rb +14 -14
- data/spec/unit/provider/ifconfig/debian_spec.rb +1 -1
- data/spec/unit/provider/ifconfig/redhat_spec.rb +1 -1
- data/spec/unit/provider/ifconfig_spec.rb +5 -3
- data/spec/unit/provider/mount/linux_spec.rb +16 -3
- data/spec/unit/provider/package/bff_spec.rb +1 -0
- data/spec/unit/provider/package/powershell_spec.rb +114 -114
- data/spec/unit/provider/package/rubygems_spec.rb +3 -0
- data/spec/unit/provider/package/solaris_spec.rb +1 -0
- data/spec/unit/provider/remote_file/cache_control_data_spec.rb +3 -3
- data/spec/unit/provider/service/arch_service_spec.rb +2 -2
- data/spec/unit/provider/service/debian_service_spec.rb +1 -0
- data/spec/unit/provider/service/gentoo_service_spec.rb +3 -2
- data/spec/unit/provider/service/macosx_spec.rb +1 -0
- data/spec/unit/provider/service/redhat_spec.rb +4 -1
- data/spec/unit/provider/service/simple_service_spec.rb +6 -4
- data/spec/unit/provider/service/upstart_service_spec.rb +3 -3
- data/spec/unit/provider/user_spec.rb +2 -0
- data/spec/unit/resource/chef_client_trusted_certificate_spec.rb +14 -0
- data/spec/unit/resource/conditional_spec.rb +4 -4
- data/spec/unit/resource/dpkg_package_spec.rb +12 -0
- data/spec/unit/resource/macos_user_defaults_spec.rb +1 -1
- data/spec/unit/resource/rhsm_register_spec.rb +42 -0
- data/spec/unit/resource_spec.rb +2 -2
- data/spec/unit/secret_fetcher/hashi_vault_spec.rb +46 -0
- metadata +9 -9
- data/lib/chef/provider/group/suse.rb +0 -82
- data/spec/unit/provider/group/suse_spec.rb +0 -90
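--- a/data/lib/chef/resource.rb
+++ b/data/lib/chef/resource.rb
@@ -311,7 +311,7 @@ class Chef
 # file '/foo.txt' do
 # content 'hi'
 # action :nothing
-# subscribes :create,
+# subscribes :create, bar
 # end
 # @example Multiple resources by string
 # file '/foo.txt' do
@@ -454,7 +454,7 @@ class Chef
 # @param arg [String] The umask to apply while converging the resource.
 # @return [Boolean] The umask to apply while converging the resource.
 #
-property :umask, String,
+property :umask, [String, Integer],
 desired_state: false,
 introduced: "16.2",
 description: "Set a umask to be used for the duration of converging the resource. Defaults to `nil`, which means to use the system umask. Unsupported on Windows because Windows lacks a direct equivalent to UNIX's umask."
@@ -1096,7 +1096,7 @@ class Chef
 rescue NameError => e
 # This can happen when attempting to load a provider in a platform-specific
 # environment where we have not required the necessary files yet
-raise unless
+raise unless /uninitialized constant/.match?(e.message)
 end
 
 # Define a method to load up this resource's properties with the current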
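Review bot: Widening `umask` to `[String, Integer]` on the property line leaves the description silent on how an Integer is interpreted, and Ruby integer literals make that a trap: `umask 022` is the octal literal 18, but `umask 22` is decimal 22 (octal 026), whereas a String value presumably goes through an octal parse. The coercion itself is not in this hunk (why_run.rb is touched elsewhere in this release), so I cannot confirm which form the mixin expects, but the property docs should say. I would extend the description with `Accepts an octal String such as "022" or an Integer written as an octal literal (0o22); a decimal Integer is used as-is and is almost certainly not what you want.`, and the `@param arg [String]` / `@return [Boolean]` tags just above the property should become `[String, Integer]` and `[String, Integer, nil]` to match.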
@@ -34,7 +34,7 @@ class Chef
|
|
34
34
|
as_hash["after"] = new_resource.state_for_resource_reporter
|
35
35
|
as_hash["before"] = current_resource ? current_resource.state_for_resource_reporter : {}
|
36
36
|
as_hash["duration"] = ( action_record.elapsed_time * 1000 ).to_i.to_s
|
37
|
-
as_hash["delta"] = new_resource.diff if new_resource.respond_to?(
|
37
|
+
as_hash["delta"] = new_resource.diff if new_resource.respond_to?(:diff)
|
38
38
|
as_hash["delta"] = "" if as_hash["delta"].nil?
|
39
39
|
|
40
40
|
# TODO: rename as "action"
|
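--- a/data/lib/chef/run_lock.rb
+++ b/data/lib/chef/run_lock.rb
@@ -144,7 +144,7 @@ class Chef
 # If we support FD_CLOEXEC, then use it.
 # NB: ruby-2.0.0-p195 sets FD_CLOEXEC by default, but not
 # ruby-1.8.7/1.9.3
-if Fcntl.const_defined?(
+if Fcntl.const_defined?(:F_SETFD) && Fcntl.const_defined?(:FD_CLOEXEC)
 runlock.fcntl(Fcntl::F_SETFD, runlock.fcntl(Fcntl::F_GETFD, 0) | Fcntl::FD_CLOEXEC)
 end
 # Flock will return 0 if it can acquire the lock otherwise it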
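Review bot: The guard on the new `if` line is only ever load-bearing on the interpreters the NB comment above it names; as that comment itself notes, Ruby 2.0 and later open files close-on-exec by default, so on any Ruby this gem still supports the fcntl is a no-op and the surrounding comment now reads as if it were the primary protection. The set-after-open pattern is also not atomic with respect to a fork between the open (outside this hunk) and the fcntl, which passing `File::CLOEXEC` at open avoids. I would replace the three comment lines with `# Ruby >= 2.0 opens files close-on-exec already; this fcntl is a belt-and-braces guard for older interpreters and is not atomic against a concurrent fork — prefer File::CLOEXEC at open.`. The enclosing method starts and ends outside this hunk.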
@@ -1,5 +1,7 @@
|
|
1
1
|
require_relative "base"
|
2
2
|
require_relative "../exceptions"
|
3
|
+
require "json" unless defined?(JSON)
|
4
|
+
require "net/http" unless defined?(Net::HTTP)
|
3
5
|
require "uri" unless defined?(URI)
|
4
6
|
|
5
7
|
class Chef
|
@@ -57,7 +59,7 @@ class Chef
|
|
57
59
|
end
|
58
60
|
|
59
61
|
def validate!
|
60
|
-
raise Chef::Exceptions::Secret::ConfigurationInvalid, "You may only specify one (these are mutually exclusive): :object_id, :client_id, or :mi_res_id" if [object_id, client_id, mi_res_id].
|
62
|
+
raise Chef::Exceptions::Secret::ConfigurationInvalid, "You may only specify one (these are mutually exclusive): :object_id, :client_id, or :mi_res_id" if [object_id, client_id, mi_res_id].count { |x| !x.nil? } > 1
|
61
63
|
end
|
62
64
|
|
63
65
|
private
|
@@ -121,7 +123,7 @@ class Chef
|
|
121
123
|
body["access_token"]
|
122
124
|
when Net::HTTPBadRequest
|
123
125
|
body = JSON.parse(response.body)
|
124
|
-
raise Chef::Exceptions::Secret::Azure::IdentityNotFound if
|
126
|
+
raise Chef::Exceptions::Secret::Azure::IdentityNotFound if /identity not found/i.match?(body["error_description"])
|
125
127
|
else
|
126
128
|
body = JSON.parse(response.body)
|
127
129
|
body["access_token"]
|
@@ -31,6 +31,10 @@ class Chef
|
|
31
31
|
# :auth_method - one of :iam_role, :token. default: :iam_role
|
32
32
|
# :vault_addr - the address of a running Vault instance, eg https://vault.example.com:8200
|
33
33
|
#
|
34
|
+
# For `:approle`: one of `:approle_name` or `:approle_id`
|
35
|
+
# `:approle_name`: The name of the approle to use for authentication. When specified, associated `:approle_id` will be found via query to Vault instance.
|
36
|
+
# `:approle_id`: The ID of the approle to use for authentication, requires `:approle_secret_id`
|
37
|
+
# `:approle_secret_id`: The Vault `secret_id` associated with the provided `:approle_name` or `:approle_id`. When specified, prevents need to create `:secret_id` with `:approle_name`.
|
34
38
|
# For `:token` auth: `:token` - a Vault token valid for authentication.
|
35
39
|
#
|
36
40
|
# For `:iam_role`: `:role_name` - the name of the role in Vault that was created
|
@@ -47,14 +51,25 @@ class Chef
|
|
47
51
|
#
|
48
52
|
# @example
|
49
53
|
#
|
50
|
-
# fetcher = SecretFetcher.for_service(:hashi_vault, { role_name: "testing-role", vault_addr: https://localhost:8200}, run_context )
|
54
|
+
# fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :iam_role, role_name: "testing-role", vault_addr: https://localhost:8200}, run_context )
|
51
55
|
# fetcher.fetch("secretkey1")
|
52
56
|
#
|
53
57
|
# @example
|
54
58
|
#
|
55
|
-
# fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :token, token: "s.1234abcdef", vault_addr: https://localhost:8200}, run_context )
|
59
|
+
# fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :token, token: "s.1234abcdef", vault_addr: https://localhost:8200}, approle: 'approle_name', run_context )
|
56
60
|
# fetcher.fetch("secretkey1")
|
57
|
-
|
61
|
+
#
|
62
|
+
# @example
|
63
|
+
#
|
64
|
+
# fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :approle, approle_id: "11111111-abcd-1111-abcd-111111111111", approle_secret_id: "22222222-abcd-2222-abcd-222222222222", vault_addr: https://localhost:8200}, run_context )
|
65
|
+
# fetcher.fetch("secretkey1")
|
66
|
+
#
|
67
|
+
# @example
|
68
|
+
#
|
69
|
+
# fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :approle, approle_name: "testing-role", token: "s.1234abcdef", vault_addr: https://localhost:8200}, run_context )
|
70
|
+
# fetcher.fetch("secretkey1")
|
71
|
+
#
|
72
|
+
SUPPORTED_AUTH_TYPES = %i{approle iam_role token}.freeze
|
58
73
|
class HashiVault < Base
|
59
74
|
|
60
75
|
# Validate and authenticate the current session using the configured auth strategy and parameters
|
@@ -67,6 +82,25 @@ class Chef
|
|
67
82
|
Vault.namespace = config[:namespace] unless config[:namespace].nil?
|
68
83
|
|
69
84
|
case config[:auth_method]
|
85
|
+
when :approle
|
86
|
+
unless config[:approle_name] || config[:approle_id]
|
87
|
+
raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the :approle_name or :approle_id in the configuration with :auth_method set to :approle")
|
88
|
+
end
|
89
|
+
|
90
|
+
# When :approle_id and :approle_secret_id are both specified, all pieces are present which are needed to authenticate using an approle.
|
91
|
+
# If either is missing, we need to authenticate to Vault to get the missing pieces with the :approle_name and optionally :token.
|
92
|
+
unless config[:approle_id] && config[:approle_secret_id]
|
93
|
+
if config[:approle_name].nil?
|
94
|
+
raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the :approle_name in the configuration when :approle_id and :approle_secret_id are not both present with :auth_method set to :approle")
|
95
|
+
end
|
96
|
+
|
97
|
+
Vault.token = config[:token] unless config[:token].nil?
|
98
|
+
end
|
99
|
+
|
100
|
+
approle_id = config[:approle_id] || Vault.approle.role_id(config[:approle_name])
|
101
|
+
approle_secret_id = config[:approle_secret_id] || Vault.approle.create_secret_id(config[:approle_name]).data[:secret_id]
|
102
|
+
|
103
|
+
Vault.auth.approle(approle_id, approle_secret_id)
|
70
104
|
when :token
|
71
105
|
if config[:token].nil?
|
72
106
|
raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the token in the configuration as :token")
|