chef 17.7.22 → 17.9.26

data/lib/chef/resource.rb

@@ -311,7 +311,7 @@ class Chef
     #   file '/foo.txt' do
     #     content 'hi'
     #     action :nothing
-    #     subscribes :create, '/bar.txt'
+    #     subscribes :create, bar
     #   end
     # @example Multiple resources by string
     #   file '/foo.txt' do
@@ -454,7 +454,7 @@ class Chef
     # @param arg [String] The umask to apply while converging the resource.
     # @return [Boolean] The umask to apply while converging the resource.
     #
-    property :umask, String,
+    property :umask, [String, Integer],
       desired_state: false,
       introduced: "16.2",
       description: "Set a umask to be used for the duration of converging the resource. Defaults to `nil`, which means to use the system umask. Unsupported on Windows because Windows lacks a direct equivalent to UNIX's umask."
@@ -1096,7 +1096,7 @@ class Chef
     rescue NameError => e
       # This can happen when attempting to load a provider in a platform-specific
       # environment where we have not required the necessary files yet
-      raise unless e.message =~ /uninitialized constant/
+      raise unless /uninitialized constant/.match?(e.message)
     end
 
     # Define a method to load up this resource's properties with the current

data/lib/chef/resource_reporter.rb

@@ -34,7 +34,7 @@ class Chef
       as_hash["after"]    = new_resource.state_for_resource_reporter
       as_hash["before"]   = current_resource ? current_resource.state_for_resource_reporter : {}
       as_hash["duration"] = ( action_record.elapsed_time * 1000 ).to_i.to_s
-      as_hash["delta"]    = new_resource.diff if new_resource.respond_to?("diff")
+      as_hash["delta"]    = new_resource.diff if new_resource.respond_to?(:diff)
       as_hash["delta"]    = "" if as_hash["delta"].nil?
 
       # TODO: rename as "action"

data/lib/chef/run_lock.rb

@@ -144,7 +144,7 @@ class Chef
         # If we support FD_CLOEXEC, then use it.
         # NB: ruby-2.0.0-p195 sets FD_CLOEXEC by default, but not
         # ruby-1.8.7/1.9.3
-        if Fcntl.const_defined?("F_SETFD") && Fcntl.const_defined?("FD_CLOEXEC")
+        if Fcntl.const_defined?(:F_SETFD) && Fcntl.const_defined?(:FD_CLOEXEC)
           runlock.fcntl(Fcntl::F_SETFD, runlock.fcntl(Fcntl::F_GETFD, 0) | Fcntl::FD_CLOEXEC)
         end
         # Flock will return 0 if it can acquire the lock otherwise it

data/lib/chef/secret_fetcher/azure_key_vault.rb

@@ -1,5 +1,7 @@
 require_relative "base"
 require_relative "../exceptions"
+require "json" unless defined?(JSON)
+require "net/http" unless defined?(Net::HTTP)
 require "uri" unless defined?(URI)
 
 class Chef
@@ -57,7 +59,7 @@ class Chef
       end
 
       def validate!
-        raise Chef::Exceptions::Secret::ConfigurationInvalid, "You may only specify one (these are mutually exclusive): :object_id, :client_id, or :mi_res_id" if [object_id, client_id, mi_res_id].select { |x| !x.nil? }.length > 1
+        raise Chef::Exceptions::Secret::ConfigurationInvalid, "You may only specify one (these are mutually exclusive): :object_id, :client_id, or :mi_res_id" if [object_id, client_id, mi_res_id].count { |x| !x.nil? } > 1
       end
 
       private
@@ -121,7 +123,7 @@ class Chef
           body["access_token"]
         when Net::HTTPBadRequest
           body = JSON.parse(response.body)
-          raise Chef::Exceptions::Secret::Azure::IdentityNotFound if body["error_description"] =~ /identity not found/i
+          raise Chef::Exceptions::Secret::Azure::IdentityNotFound if /identity not found/i.match?(body["error_description"])
         else
           body = JSON.parse(response.body)
           body["access_token"]

data/lib/chef/secret_fetcher/hashi_vault.rb

@@ -31,6 +31,10 @@ class Chef
     # :auth_method - one of :iam_role, :token.  default: :iam_role
     # :vault_addr - the address of a running Vault instance, eg https://vault.example.com:8200
     #
+    # For `:approle`: one of `:approle_name` or `:approle_id`
+    #     `:approle_name`: The name of the approle to use for authentication.  When specified, associated `:approle_id` will be found via query to Vault instance.
+    #     `:approle_id`: The ID of the approle to use for authentication, requires `:approle_secret_id`
+    #     `:approle_secret_id`: The Vault `secret_id` associated with the provided `:approle_name` or `:approle_id`.  When specified, prevents need to create `:secret_id` with `:approle_name`.
     # For `:token` auth: `:token` - a Vault token valid for authentication.
     #
     # For `:iam_role`:  `:role_name` - the name of the role in Vault that was created
@@ -47,14 +51,25 @@ class Chef
     #
     # @example
     #
-    # fetcher = SecretFetcher.for_service(:hashi_vault, { role_name: "testing-role", vault_addr: https://localhost:8200}, run_context )
+    # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :iam_role, role_name: "testing-role", vault_addr: https://localhost:8200}, run_context )
     # fetcher.fetch("secretkey1")
     #
     # @example
     #
-    # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :token, token: "s.1234abcdef", vault_addr: https://localhost:8200}, run_context )
+    # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :token, token: "s.1234abcdef", vault_addr: https://localhost:8200}, approle: 'approle_name', run_context )
     # fetcher.fetch("secretkey1")
-    SUPPORTED_AUTH_TYPES = %i{iam_role token}.freeze
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :approle, approle_id: "11111111-abcd-1111-abcd-111111111111", approle_secret_id: "22222222-abcd-2222-abcd-222222222222", vault_addr: https://localhost:8200}, run_context )
+    # fetcher.fetch("secretkey1")
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :approle, approle_name: "testing-role", token: "s.1234abcdef", vault_addr: https://localhost:8200}, run_context )
+    # fetcher.fetch("secretkey1")
+    #
+    SUPPORTED_AUTH_TYPES = %i{approle iam_role token}.freeze
     class HashiVault < Base
 
       # Validate and authenticate the current session using the configured auth strategy and parameters
@@ -67,6 +82,25 @@ class Chef
         Vault.namespace = config[:namespace] unless config[:namespace].nil?
 
         case config[:auth_method]
+        when :approle
+          unless config[:approle_name] || config[:approle_id]
+            raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the :approle_name or :approle_id in the configuration with :auth_method set to :approle")
+          end
+
+          # When :approle_id and :approle_secret_id are both specified, all pieces are present which are needed to authenticate using an approle.
+          #  If either is missing, we need to authenticate to Vault to get the missing pieces with the :approle_name and optionally :token.
+          unless config[:approle_id] && config[:approle_secret_id]
+            if config[:approle_name].nil?
+              raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the :approle_name in the configuration when :approle_id and :approle_secret_id are not both present with :auth_method set to :approle")
+            end
+
+            Vault.token = config[:token] unless config[:token].nil?
+          end
+
+          approle_id = config[:approle_id] || Vault.approle.role_id(config[:approle_name])
+          approle_secret_id = config[:approle_secret_id] || Vault.approle.create_secret_id(config[:approle_name]).data[:secret_id]
+
+          Vault.auth.approle(approle_id, approle_secret_id)
         when :token
           if config[:token].nil?
             raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the token in the configuration as :token")

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("..", __dir__)
-  VERSION = Chef::VersionString.new("17.7.22")
+  VERSION = Chef::VersionString.new("17.9.26")
 end
 
 #