chef 17.7.29 → 17.8.25

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c14c01fc55c7847b27979c41e01be0dd845b69840fc048e7abeb8787156bae23
-  data.tar.gz: 44676d2fe03cc4306efaa4c33f48a9eb3e2d6d736962bcd441ffc4bd0c371621
+  metadata.gz: ed316b17dc9b7561f86e7eb1200574f7e8946edea8c6e9e48caabe7166b3fff1
+  data.tar.gz: e51295a6e6d7ea03ee3eef0c7f1dcfdc5135567145a9e1317423fe363c5b37d4
 SHA512:
-  metadata.gz: 768707842ce349798c256c91d2202c5c7b7f931d63ca53eb9454ed6b424f3a11b38b2c9b94c4c4177959ff179029831a9cca3d3233afa5d2ba7dcd90afba3c23
-  data.tar.gz: 9a3a715294581c43a663387a3462c745d6bab3a44736ab9bf87e607cfa5cfa7a920de90a918225e05b08a8962b52103c792d97b586d69ef32023afb1e45dc11c
+  metadata.gz: 187833c4a2187663915307d01ca12edfabac952728430a651df5c67329b6f0f3c4271f81b840837b7a4a7ae19b6a1aeadb7ac9e4115f082a992e005d1cb7f683
+  data.tar.gz: d89346312b01e97606e0f0ba1e2b9fed0f447700332bcacbcb2843d460f51c3f7348383c0ee8a247ce98decfd7eec36fecda1a2ee7d91203834c75347dc2911e

data/lib/chef/application/base.rb

@@ -254,7 +254,7 @@ class Chef::Application::Base < Chef::Application
     short: "-K KEY_FILE",
     long: "--validation_key KEY_FILE",
     description: "Set the validation key file location, used for registering new clients.",
-    proc: nil
+    proc: lambda { |argument| File.expand_path(argument) }
 
   option :client_key,
     short: "-k KEY_FILE",

data/lib/chef/compliance/default_attributes.rb

@@ -28,7 +28,7 @@ class Chef
       # Controls what is done with the resulting report after the Chef InSpec run.
       # Accepts a single string value or an array of multiple values.
       # Accepted values: 'chef-server-automate', 'chef-automate', 'json-file', 'audit-enforcer', 'cli'
-      "reporter" => "cli",
+      "reporter" => nil,
 
       # Controls if Chef InSpec profiles should be fetched from Chef Automate or Chef Infra Server
       # in addition to the default fetch locations provided by Chef Inspec.
@@ -94,7 +94,17 @@ class Chef
 
       # Should the built-in compliance phase run. True and false force the behavior. Nil does magic based on if you have
       # profiles defined but do not have the audit cookbook enabled.
-      "compliance_phase" => false
+      "compliance_phase" => false,
+
+      "interval" => {
+        # control how often inspec scans are run, if not on every node converge
+        # notes: false value will result in running inspec scan every converge
+        "enabled" => false,
+
+        # controls how often inspec scans are run (in minutes)
+        # notes: only used if interval is enabled above
+        "time" => 1440,
+      }
     )
   end
 end

data/lib/chef/compliance/runner.rb

@@ -71,7 +71,7 @@ class Chef
 
         logger.debug("#{self.class}##{__method__}: enabling Compliance Phase")
 
-        report
+        report_with_interval
       end
 
       def run_failed(_exception, _run_status)
@@ -82,7 +82,7 @@ class Chef
 
         logger.debug("#{self.class}##{__method__}: enabling Compliance Phase")
 
-        report
+        report_with_interval
       end
 
       ### Below code adapted from audit cookbook's files/default/handler/audit_report.rb
@@ -92,7 +92,6 @@ class Chef
         fail_if_not_present
         inspec_gem_source
         inspec_version
-        interval
         owner
         raise_if_unreachable
       }.freeze
@@ -106,6 +105,15 @@ class Chef
         end
       end
 
+      def report_with_interval
+        if interval_seconds_left <= 0
+          create_timestamp_file if interval_enabled
+          report
+        else
+          logger.info "Skipping Chef Infra Compliance Phase due to interval settings (next run in #{interval_seconds_left / 60.0} mins)"
+        end
+      end
+
       def report(report = nil)
         logger.info "Starting Chef Infra Compliance Phase"
         report ||= generate_report
@@ -118,7 +126,7 @@ class Chef
           return
         end
 
-        Array(node["audit"]["reporter"]).each do |reporter_type|
+        requested_reporters.each do |reporter_type|
           logger.info "Reporting to #{reporter_type}"
           @reporters[reporter_type].send_report(report)
         end
@@ -325,7 +333,7 @@ class Chef
         @reporters = {}
         # Note that the docs don't say you can use an array, but our implementation
         # supports it.
-        Array(node["audit"]["reporter"]).each do |type|
+        requested_reporters.each do |type|
           unless SUPPORTED_REPORTERS.include? type
             raise "CMPL003: '#{type}' found in node['audit']['reporter'] is not a supported reporter for Compliance Phase. Supported reporters are: #{SUPPORTED_REPORTERS.join(", ")}. For more information, see the documentation at https://docs.chef.io/chef_compliance_phase#reporters"
           end
@@ -358,6 +366,44 @@ class Chef
       def safe_input_collection
         run_context&.input_collection
       end
+
+      def requested_reporters
+        (Array(node["audit"]["reporter"]) + ["cli"]).uniq
+      end
+
+      def create_timestamp_file
+        FileUtils.touch report_timing_file
+      end
+
+      def report_timing_file
+        ::File.join(Chef::FileCache.create_cache_path("compliance"), "report_timing.json")
+      end
+
+      def interval_time
+        @interval_time ||= node.read("audit", "interval", "time")
+      end
+
+      def interval_enabled
+        @interval_enabled ||= node.read("audit", "interval", "enabled")
+      end
+
+      def interval_seconds
+        @interval_seconds ||=
+          if interval_enabled
+            logger.debug "Running Chef Infra Compliance Phase every #{interval_time} minutes"
+            interval_time * 60
+          else
+            logger.debug "Running Chef Infra Compliance Phase on every run"
+            0
+          end
+      end
+
+      def interval_seconds_left
+        return 0 unless ::File.exist?(report_timing_file)
+
+        seconds_since_last_run = Time.now - ::File.mtime(report_timing_file)
+        interval_seconds - seconds_since_last_run
+      end
     end
   end
 end

data/lib/chef/mixin/powershell_exec.rb

@@ -104,13 +104,14 @@ class Chef
       #
       # @param script [String] script to run
       # @param interpreter [Symbol] the interpreter type, `:powershell` or `:pwsh`
+      # @param timeout [Integer, nil] timeout in seconds.
       # @return [Chef::PowerShell] output
-      def powershell_exec(script, interpreter = :powershell)
+      def powershell_exec(script, interpreter = :powershell, timeout: -1)
         case interpreter
         when :powershell
-          Chef::PowerShell.new(script)
+          Chef::PowerShell.new(script, timeout: timeout)
         when :pwsh
-          Chef::Pwsh.new(script)
+          Chef::Pwsh.new(script, timeout: timeout)
         else
           raise ArgumentError, "Expected interpreter of :powershell or :pwsh"
         end
@@ -118,8 +119,8 @@ class Chef
 
       # The same as the #powershell_exec method except this will raise
       # Chef::PowerShell::CommandFailed if the command fails
-      def powershell_exec!(script, interpreter = :powershell)
-        cmd = powershell_exec(script, interpreter)
+      def powershell_exec!(script, interpreter = :powershell, **options)
+        cmd = powershell_exec(script, interpreter, **options)
         cmd.error!
         cmd
       end

data/lib/chef/mixin/why_run.rb

@@ -242,8 +242,12 @@ class Chef
           end
         end
 
-        def initialize(resource, run_context)
-          @resource, @run_context = resource, run_context
+        attr_accessor :action
+
+        def initialize(resource, run_context, action)
+          @resource = resource
+          @run_context = run_context
+          @action = action
           @assertions = Hash.new { |h, k| h[k] = [] }
           @blocked_actions = []
         end
@@ -305,6 +309,8 @@ class Chef
         #                       "You don't have sufficient privileges to delete #{@new_resource.path}")
         #   end
         def assert(*actions)
+          return unless actions.include?(action.to_sym) || actions.include?(:all_actions)
+
           assertion = Assertion.new
           yield assertion
           actions.each { |action| @assertions[action] << assertion }

data/lib/chef/powershell.rb

@@ -33,15 +33,16 @@ class Chef
     # Requires: .NET Framework 4.0 or higher on the target machine.
     #
     # @param script [String] script to run
+    # @param timeout [Integer, nil] timeout in seconds.
     # @return [Object] output
-    def initialize(script)
+    def initialize(script, timeout: -1)
       # This Powershell DLL source lives here: https://github.com/chef/chef-powershell-shim
       # Every merge into that repo triggers a Habitat build and promotion. Running
       # the rake :update_chef_exec_dll task in this (chef/chef) repo will pull down
       # the built packages and copy the binaries to distro/ruby_bin_folder. Bundle install
       # ensures that the correct architecture binaries are installed into the path.
       @dll ||= "Chef.PowerShell.Wrapper.dll"
-      exec(script)
+      exec(script, timeout: timeout)
     end
 
     #
@@ -64,12 +65,13 @@ class Chef
       raise Chef::PowerShell::CommandFailed, "Unexpected exit in PowerShell command: #{@errors}" if error?
     end
 
-    protected
+    private
 
-    def exec(script)
+    def exec(script, timeout: -1)
       FFI.ffi_lib @dll
-      FFI.attach_function :execute_powershell, :ExecuteScript, [:string], :pointer
-      execution = FFI.execute_powershell(script).read_utf16string
+      FFI.attach_function :execute_powershell, :ExecuteScript, %i{string int}, :pointer
+      timeout = -1 if timeout == 0 || timeout.nil?
+      execution = FFI.execute_powershell(script, timeout).read_utf16string
       hashed_outcome = Chef::JSONCompat.parse(execution)
       @result = Chef::JSONCompat.parse(hashed_outcome["result"])
       @errors = hashed_outcome["errors"]

data/lib/chef/provider/mount/linux.rb

@@ -29,10 +29,16 @@ class Chef
         # "findmnt" outputs the mount points with volume.
         # Convert the mount_point of the resource to a real path in case it
         # contains symlinks in its parents dirs.
+        def loop_mount_points
+          # get loop_mount_points only if not initialized earlier
+          @loop_mount_points ||= shell_out!("losetup -a").stdout
+
+        rescue Errno::ENOENT
+          @loop_mount_points = ""
+        end
 
         def mounted?
           mounted = false
-
           real_mount_point = if ::File.exists? @new_resource.mount_point
                                ::File.realpath(@new_resource.mount_point)
                              else
@@ -45,6 +51,14 @@ class Chef
             when /\A#{Regexp.escape(real_mount_point)}\s+#{device_mount_regex}\s/
               mounted = true
               logger.trace("Special device #{device_logstring} mounted as #{real_mount_point}")
+            # Permalink for loop type devices mount points https://rubular.com/r/a0bS4p2RvXsGxx
+            when %r{\A#{Regexp.escape(real_mount_point)}\s+\/dev\/loop+[0-9]+\s}
+              loop_mount_points.each_line do |mount_point|
+                if mount_point.include? device_real
+                  mounted = true
+                  break
+                end
+              end
             # Permalink for multiple devices mounted to the same mount point(i.e. '/proc') https://rubular.com/r/a356yzspU7N9TY
             when %r{\A#{Regexp.escape(real_mount_point)}\s+([/\w])+\s}
               mounted = false
@@ -64,4 +78,4 @@ class Chef
       end
     end
   end
-end
+end

data/lib/chef/provider/mount/mount.rb

@@ -279,4 +279,4 @@ class Chef
       end
     end
   end
-end
+end

data/lib/chef/provider/package/dnf.rb

@@ -98,7 +98,7 @@ class Chef
           end
         end
 
-        def magic_version
+        def magic_version_array
           package_name_array.each_with_index.map do |pkg, i|
             magical_version(i).version_with_arch
           end

data/lib/chef/provider/package/powershell.rb

@@ -17,13 +17,13 @@
 
 require_relative "../package"
 require_relative "../../resource/powershell_package"
-require_relative "../../mixin/powershell_out"
+require_relative "../../mixin/powershell_exec"
 
 class Chef
   class Provider
     class Package
       class Powershell < Chef::Provider::Package
-        include Chef::Mixin::PowershellOut
+        include Chef::Mixin::PowershellExec
 
         provides :powershell_package
 
@@ -54,9 +54,9 @@ class Chef
         # Installs the package specified with the version passed else latest version will be installed
         def install_package(names, versions)
           names.each_with_index do |name, index|
-            cmd = powershell_out(build_powershell_package_command("Install-Package '#{name}'", versions[index]), timeout: new_resource.timeout)
+            cmd = powershell_exec(build_powershell_package_command("Install-Package '#{name}'", versions[index]), timeout: new_resource.timeout)
             next if cmd.nil?
-            raise Chef::Exceptions::PowershellCmdletException, "Failed to install package due to catalog signing error, use skip_publisher_check to force install" if /SkipPublisherCheck/.match?(cmd.stderr)
+            raise Chef::Exceptions::PowershellCmdletException, "Failed to install package due to catalog signing error, use skip_publisher_check to force install" if /SkipPublisherCheck/.match?(cmd.error)
           end
         end
 
@@ -64,11 +64,12 @@ class Chef
         def remove_package(names, versions)
           names.each_with_index do |name, index|
             if versions && !versions[index].nil?
-              powershell_out(build_powershell_package_command("Uninstall-Package '#{name}'", versions[index]), timeout: new_resource.timeout)
+              powershell_exec(build_powershell_package_command("Uninstall-Package '#{name}'", versions[index]), timeout: new_resource.timeout)
             else
               version = "0"
               until version.empty?
-                version = powershell_out(build_powershell_package_command("Uninstall-Package '#{name}'"), timeout: new_resource.timeout).stdout.strip
+                version = powershell_exec(build_powershell_package_command("Uninstall-Package '#{name}'"), timeout: new_resource.timeout).result
+                version = version.strip if version.respond_to?(:strip)
                 unless version.empty?
                   logger.info("Removed package '#{name}' with version #{version}")
                 end
@@ -82,13 +83,14 @@ class Chef
           versions = []
           new_resource.package_name.each_with_index do |name, index|
             version = if new_resource.version && !new_resource.version[index].nil?
-                        powershell_out(build_powershell_package_command("Find-Package '#{name}'", new_resource.version[index]), timeout: new_resource.timeout).stdout.strip
+                        powershell_exec(build_powershell_package_command("Find-Package '#{name}'", new_resource.version[index]), timeout: new_resource.timeout).result
                       else
-                        powershell_out(build_powershell_package_command("Find-Package '#{name}'"), timeout: new_resource.timeout).stdout.strip
+                        powershell_exec(build_powershell_package_command("Find-Package '#{name}'"), timeout: new_resource.timeout).result
                       end
             if version.empty?
               version = nil
             end
+            version = version.strip if version.respond_to?(:strip)
             versions.push(version)
           end
           versions
@@ -99,13 +101,14 @@ class Chef
           version_list = []
           new_resource.package_name.each_with_index do |name, index|
             version = if new_resource.version && !new_resource.version[index].nil?
-                        powershell_out(build_powershell_package_command("Get-Package '#{name}'", new_resource.version[index]), timeout: new_resource.timeout).stdout.strip
+                        powershell_exec(build_powershell_package_command("Get-Package '#{name}'", new_resource.version[index]), timeout: new_resource.timeout).result
                       else
-                        powershell_out(build_powershell_package_command("Get-Package '#{name}'"), timeout: new_resource.timeout).stdout.strip
+                        powershell_exec(build_powershell_package_command("Get-Package '#{name}'"), timeout: new_resource.timeout).result
                       end
             if version.empty?
               version = nil
             end
+            version = version.strip if version.respond_to?(:strip)
             version_list.push(version)
           end
           version_list

data/lib/chef/provider/package/zypper.rb

@@ -113,6 +113,8 @@ class Chef
             end
           end
           nil
+        rescue
+          nil
         end
 
         def available_version(index)

data/lib/chef/provider/package.rb

@@ -438,47 +438,81 @@ class Chef
         @target_version_array ||=
           begin
             target_version_array = []
-            each_package do |package_name, new_version, current_version, candidate_version|
+            each_package do |package_name, new_version, current_version, candidate_version, magic_version|
               case action
               when :upgrade
-                if current_version.nil?
-                  # with use_magic_version there may be a package installed, but it fails the user's
-                  # requested new_resource.version constraints
+                if version_equals?(current_version, new_version)
+                  # This is a short-circuit (mostly for the rubygems provider) to avoid needing to
+                  # expensively query the candidate_version which must come later.  This only checks
+                  # exact matching, the check for fuzzy matching is later.
+                  logger.trace("#{new_resource} #{package_name} #{new_version} is already installed")
+                  target_version_array.push(nil)
+                elsif current_version.nil?
+                  # This is a simple check to see if we have any currently installed version at all, this is
+                  # safe to do before the allow_downgrade check so we check this before.
                   logger.trace("#{new_resource} has no existing installed version. Installing install #{candidate_version}")
                   target_version_array.push(candidate_version)
-                elsif !use_magic_version? && version_equals?(current_version, new_version)
-                  # this is a short-circuit (mostly for the rubygems provider) to avoid needing to expensively query the candidate_version which must come later
-                  logger.trace("#{new_resource} #{package_name} #{new_version} is already installed")
+                elsif !allow_downgrade && version_compare(current_version, candidate_version) == 1
+                  # This check for downgrading when allow_downgrade is false uses the current_version rather
+                  # than the magic_version since we never want to downgrade even if the constraints are not met
+                  # if the version is higher.  This check does use the candidate_version and unlazies this so
+                  # there will a perf hit on idempotent use when allow_downgrade is false which is unavoidable.
+                  logger.trace("#{new_resource} #{package_name} has installed version #{current_version}, which is newer than available version #{candidate_version}. Skipping...)")
                   target_version_array.push(nil)
+                elsif magic_version.nil?
+                  # This is the check for fuzzy matching of the installed_version, where if the installed version
+                  # does not match the desired version constraints (but is not an exact match) then we need to
+                  # install the candidate_version (this must come after the allow_downgrade check)
+                  logger.trace("#{new_resource} has an installed version that does not match the version constraint. Installing install #{candidate_version}")
+                  target_version_array.push(candidate_version)
                 elsif candidate_version.nil?
+                  # This check necessarily unlazies the candidate_version and may be expensive (connecting to
+                  # rubygems.org or whatever).  It comes as late as possible.
                   logger.trace("#{new_resource} #{package_name} has no candidate_version to upgrade to")
                   target_version_array.push(nil)
                 elsif version_equals?(current_version, candidate_version)
+                  # This check sees if the candidate_version is already installed or if we should upgrade/update the
+                  # package.  This is the normal idempotent behavior of :upgrade and is inherently expensive due to
+                  # unlazying the candidate_version.  To prevent the perf hit the version may be specified with a full
+                  # version constraint.  Then the cookbook can roll the version forward and use :upgrade to force version
+                  # pinning.
                   logger.trace("#{new_resource} #{package_name} #{candidate_version} is already installed")
                   target_version_array.push(nil)
-                elsif !allow_downgrade && version_compare(current_version, candidate_version) == 1
-                  logger.trace("#{new_resource} #{package_name} has installed version #{current_version}, which is newer than available version #{candidate_version}. Skipping...)")
-                  target_version_array.push(nil)
                 else
-                  logger.trace("#{new_resource} #{package_name} is out of date, will upgrade to #{candidate_version}")
+                  logger.trace("#{new_resource} #{package_name} is out of date, will update to #{candidate_version}")
                   target_version_array.push(candidate_version)
                 end
 
               when :install
-                if new_version && !use_magic_version?
+                if current_version && new_version && !allow_downgrade && version_compare(current_version, new_version) == 1
+                  # This is the idempotency guard for downgrades when downgrades are not allowed.  This should perhaps raise
+                  # an exception since we were told to install an exact package version but we are silently refusing to do so
+                  # because a higher version is already installed.  Maybe we need a flag for users to apply their preferred
+                  # declarative philosophy?  This has to come early and outside of the two code paths below.
+                  logger.warn("#{new_resource} #{package_name} has installed version #{current_version}, which is newer than available version #{new_version}. Skipping...)")
+                  target_version_array.push(nil)
+                elsif new_version && !use_magic_version?
+                  # This is for "non magic version using" subclasses to do comparisons between the current_version and the
+                  # desired new_version.  XXX: If we converted this to current_version_requirement_satisfied? and made it specific
+                  # to the current version check and then eliminated the magic_version, we might be able to eliminate separate codepaths
+                  # here, and eliminate the semantic confusion around the magic_version?
                   if version_requirement_satisfied?(current_version, new_version)
                     logger.trace("#{new_resource} #{package_name} #{current_version} satisfies #{new_version} requirement")
                     target_version_array.push(nil)
-                  elsif current_version && !allow_downgrade && version_compare(current_version, new_version) == 1
-                    logger.warn("#{new_resource} #{package_name} has installed version #{current_version}, which is newer than available version #{new_version}. Skipping...)")
-                    target_version_array.push(nil)
                   else
+                    # XXX: some subclasses seem to depend on this behavior where the new_version can be different from the
+                    # candidate_version and we install the new_version, it seems like the candidate_version should be fixed to
+                    # be resolved correctly to the new_version for those providers.  although it may just be unit test bugs.
+                    # it would be more correct to use the candidate_version here, but then it needs to be the correctly resolved
+                    # candidate_version against the new_version constraint.
                     logger.trace("#{new_resource} #{package_name} #{current_version} needs updating to #{new_version}")
                     target_version_array.push(new_version)
                   end
-                elsif current_version.nil?
-                  # with use_magic_version there may be a package installed, but it fails the user's
-                  # requested new_resource.version constraints
+                elsif magic_version.nil?
+                  # This is for when we have a "magic version using" subclass and where the installed version does not match the
+                  # constraint specified in the new_version, so we need to upgrade to the candidate_version.  This is the only
+                  # codepath in the :install branch which references the candidate_version so it is slow, but it is the path where
+                  # we need to do work anyway.  XXX: should we check for candidate_version.nil? somewhere around here?
                   logger.trace("#{new_resource} #{package_name} not installed, installing #{candidate_version}")
                   target_version_array.push(candidate_version)
                 else
@@ -512,8 +546,8 @@ class Chef
         @packages_missing_candidates ||=
           begin
             missing = []
-            each_package do |package_name, new_version, current_version, candidate_version|
-              missing.push(package_name) if current_version.nil? && candidate_version.nil?
+            each_package do |package_name, new_version, current_version, candidate_version, magic_version|
+              missing.push(package_name) if magic_version.nil? && candidate_version.nil?
             end
             missing
           end
@@ -536,7 +570,7 @@ class Chef
         @forced_packages_missing_candidates ||=
           begin
             missing = []
-            each_package do |package_name, new_version, current_version, candidate_version|
+            each_package do |package_name, new_version, current_version, candidate_version, magic_version|
               next if new_version.nil? || current_version.nil?
 
               if use_magic_version?
@@ -559,9 +593,10 @@ class Chef
       def each_package
         package_name_array.each_with_index do |package_name, i|
           candidate_version = candidate_version_array[i]
-          current_version = use_magic_version? ? magic_version[i] : current_version_array[i]
+          current_version = current_version_array[i]
+          magic_version = use_magic_version? ? magic_version_array[i] : current_version_array[i]
           new_version = new_version_array[i]
-          yield package_name, new_version, current_version, candidate_version
+          yield package_name, new_version, current_version, candidate_version, magic_version
         end
       end
 

data/lib/chef/provider.rb

@@ -269,7 +269,7 @@ class Chef
     end
 
     def requirements
-      @requirements ||= ResourceRequirements.new(@new_resource, run_context)
+      @requirements ||= ResourceRequirements.new(@new_resource, run_context, action || new_resource.action)
     end
 
     def description(description = "NOT_PASSED")

data/lib/chef/pwsh.rb

@@ -24,15 +24,16 @@ class Chef
     # bindir directory.
     #
     # @param script [String] script to run
+    # @param timeout [Integer, nil] timeout in seconds.
     # @return [Object] output
-    def initialize(script)
+    def initialize(script, timeout: -1)
       @dll = Pwsh.dll
       super
     end
 
     protected
 
-    def exec(script)
+    def exec(script, timeout: -1)
       # Note that we need to override the location of the shared dotnet core library
       # location. With most .net core applications, you can simply publish them as a
       # "self-contained" application allowing consumers of the application to run them

data/lib/chef/resource/chef_client_config.rb

@@ -87,6 +87,17 @@ class Chef
         ]
       end
       ```
+
+      **Report directly to the [Chef Automate data collector endpoint](/automate/data_collection/#configure-chef-infra-client-to-use-the-data-collector-endpoint-in-chef-automate).**
+
+      ```ruby
+      chef_client_config 'Create client.rb' do
+        chef_server_url 'https://chef.example.dmz'
+        data_collector_server_url 'https://automate.example.dmz'
+        data_collector_token 'TEST_TOKEN_TEST'
+      end
+      ```
+
       DOC
 
       # @todo policy_file or policy_group being set requires the other to be set so enforce that.
@@ -231,6 +242,14 @@ class Chef
       property :additional_config, String,
         description: "Additional text to add at the bottom of the client.rb config. This can be used to run custom Ruby or to add less common config options"
 
+      property :data_collector_server_url, String,
+        description: "The data collector url (typically automate) to send node, converge and compliance data. Note: Data collection reporting to Automate should be performed directly by Chef Infra Server if possible, as this removes the need to distribute tokens to individual nodes.",
+        introduced: "17.8"
+
+      property :data_collector_token, String,
+        description: "The data collector token to interact with the data collector server url (Automate). Note: Data collection reporting to Automate should be performed directly by Chef Infra Server if possible, as this removes the need to distribute tokens to individual nodes.",
+        introduced: "17.8"
+
       action :create, description: "Create a client.rb config file for configuring #{ChefUtils::Dist::Infra::PRODUCT}." do
         unless ::Dir.exist?(new_resource.config_directory)
           directory new_resource.config_directory do
@@ -282,7 +301,9 @@ class Chef
             ssl_verify_mode: new_resource.ssl_verify_mode,
             start_handlers: format_handler(new_resource.start_handlers),
             additional_config: new_resource.additional_config,
-            policy_persist_run_list: new_resource.policy_persist_run_list
+            policy_persist_run_list: new_resource.policy_persist_run_list,
+            data_collector_server_url: new_resource.data_collector_server_url,
+            data_collector_token: new_resource.data_collector_token
           )
           mode "0640"
           action :create

data/lib/chef/resource/chef_client_launchd.rb

@@ -134,7 +134,7 @@ class Chef
           standard_error_path ::File.join(new_resource.log_directory, new_resource.log_file_name)
           program_arguments ["/bin/bash",
                              "-c",
-                             "echo; echo #{ChefUtils::Dist::Infra::PRODUCT} launchd daemon config has been updated. Manually unloading and reloading the daemon; echo Now unloading the daemon; /bin/launchctl unload /Library/LaunchDaemons/com.#{ChefUtils::Dist::Infra::SHORT}.#{ChefUtils::Dist::Infra::CLIENT}.plist; sleep 2; echo Now loading the daemon; /bin/launchctl load /Library/LaunchDaemons/com.#{ChefUtils::Dist::Infra::SHORT}.#{ChefUtils::Dist::Infra::CLIENT}.plist"]
+                             "echo; echo #{ChefUtils::Dist::Infra::PRODUCT} launchd daemon config has been updated. Manually unloading and reloading the daemon; echo Now unloading the daemon; sudo /bin/launchctl unload /Library/LaunchDaemons/com.#{ChefUtils::Dist::Infra::SHORT}.#{ChefUtils::Dist::Infra::CLIENT}.plist; sleep 2; echo Now loading the daemon; sudo /bin/launchctl load /Library/LaunchDaemons/com.#{ChefUtils::Dist::Infra::SHORT}.#{ChefUtils::Dist::Infra::CLIENT}.plist"]
           action :enable # enable creates the plist & triggers service restarts on change
         end
 

data/lib/chef/resource/dnf_package.rb

@@ -68,12 +68,10 @@ class Chef
           end
         }
 
-      def allow_downgrade(arg = nil)
-        unless arg.nil?
-          Chef.deprecated(:dnf_package_allow_downgrade, "the allow_downgrade property on the dnf_package provider is not used, DNF supports downgrades by default.")
-        end
-        true
-      end
+      property :allow_downgrade, [ TrueClass, FalseClass ],
+        description: "Allow downgrading a package to satisfy requested version requirements.",
+        default: true,
+        desired_state: false
     end
   end
 end

data/lib/chef/resource/dpkg_package.rb

@@ -37,6 +37,11 @@ class Chef
       property :response_file_variables, Hash,
         description: "A Hash of response file variables in the form of {'VARIABLE' => 'VALUE'}.",
         default: {}, desired_state: false
+
+      property :allow_downgrade, [ TrueClass, FalseClass ],
+              description: "Allow downgrading a package to satisfy requested version requirements.",
+              default: true,
+              desired_state: false
     end
   end
 end