chef 17.9.52-universal-mingw32 → 17.10.68-universal-mingw32

Sign up to get free protection for your applications and to get access to all the features.
Files changed (55) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile +2 -2
  3. data/Rakefile +2 -2
  4. data/chef-universal-mingw32.gemspec +2 -1
  5. data/chef.gemspec +5 -5
  6. data/lib/chef/api_client.rb +1 -1
  7. data/lib/chef/client.rb +17 -2
  8. data/lib/chef/compliance/input_collection.rb +1 -1
  9. data/lib/chef/compliance/profile_collection.rb +1 -1
  10. data/lib/chef/compliance/waiver_collection.rb +1 -1
  11. data/lib/chef/dsl/secret.rb +113 -5
  12. data/lib/chef/mixin/checksum.rb +6 -0
  13. data/lib/chef/node/attribute.rb +20 -3
  14. data/lib/chef/node/mixin/deep_merge_cache.rb +4 -4
  15. data/lib/chef/policy_builder/expand_node_object.rb +1 -2
  16. data/lib/chef/policy_builder/policyfile.rb +1 -1
  17. data/lib/chef/provider/file.rb +2 -2
  18. data/lib/chef/provider/package/powershell.rb +1 -1
  19. data/lib/chef/provider/package/rubygems.rb +6 -6
  20. data/lib/chef/provider/package/windows.rb +1 -1
  21. data/lib/chef/provider/package/yum/python_helper.rb +14 -1
  22. data/lib/chef/provider/service/windows.rb +4 -4
  23. data/lib/chef/provider/user/windows.rb +2 -2
  24. data/lib/chef/resource/chef_client_config.rb +5 -0
  25. data/lib/chef/resource/locale.rb +1 -1
  26. data/lib/chef/resource/rhsm_register.rb +19 -0
  27. data/lib/chef/resource/support/client.erb +1 -2
  28. data/lib/chef/resource/windows_certificate.rb +54 -43
  29. data/lib/chef/resource/windows_pagefile.rb +28 -21
  30. data/lib/chef/resource/windows_user_privilege.rb +36 -26
  31. data/lib/chef/run_context.rb +16 -0
  32. data/lib/chef/secret_fetcher/hashi_vault.rb +1 -1
  33. data/lib/chef/version.rb +1 -1
  34. data/lib/chef/win32/version.rb +2 -1
  35. data/spec/data/trusted_certs/opscode.pem +33 -54
  36. data/spec/functional/resource/dnf_package_spec.rb +15 -0
  37. data/spec/functional/resource/windows_certificate_spec.rb +41 -13
  38. data/spec/functional/resource/windows_font_spec.rb +1 -1
  39. data/spec/functional/resource/windows_pagefile_spec.rb +31 -4
  40. data/spec/functional/resource/yum_package_spec.rb +15 -0
  41. data/spec/functional/shell_spec.rb +6 -0
  42. data/spec/unit/client_spec.rb +6 -3
  43. data/spec/unit/daemon_spec.rb +1 -5
  44. data/spec/unit/dsl/secret_spec.rb +127 -23
  45. data/spec/unit/mixin/checksum_spec.rb +28 -0
  46. data/spec/unit/provider/package/rubygems_spec.rb +1 -1
  47. data/spec/unit/resource/chef_client_config_spec.rb +8 -0
  48. data/spec/unit/run_context_spec.rb +16 -0
  49. metadata +43 -29
  50. /data/spec/functional/assets/yumrepo/repodata/{4632d67cb92636e7575d911c24f0e04d3505a944e97c483abe0c3e73a7c62d33-filelists.sqlite.bz2 → 01a3b-filelists.sqlite.bz2} +0 -0
  51. /data/spec/functional/assets/yumrepo/repodata/{bdb4f5f1492a3b9532f22c43110a81500dd744f23da0aec5c33b2a41317c737d-filelists.xml.gz → 401dc-filelists.xml.gz} +0 -0
  52. /data/spec/functional/assets/yumrepo/repodata/{a845d418f919d2115ab95a56b2c76f6825ad0d0bede49181a55c04f58995d057-primary.sqlite.bz2 → 5dc1e-primary.sqlite.bz2} +0 -0
  53. /data/spec/functional/assets/yumrepo/repodata/{74599b793e54d877323837d2d81a1c3c594c44e4335f9528234bb490f7b9b439-other.xml.gz → 6bf96-other.xml.gz} +0 -0
  54. /data/spec/functional/assets/yumrepo/repodata/{af9b7cf9ef23bd7b43068d74a460f3b5d06753d638e58e4a0c9edc35bfb9cdc4-other.sqlite.bz2 → 7c365-other.sqlite.bz2} +0 -0
  55. /data/spec/functional/assets/yumrepo/repodata/{c10d1d34ce99e02f12ec96ef68360543ab1bb7c3cb81a4a2bf78df7d8597e9df-primary.xml.gz → dabe2-primary.xml.gz} +0 -0
@@ -29,7 +29,6 @@ require "chef-utils/dist" unless defined?(ChefUtils::Dist)
29
29
  class Chef
30
30
  class Resource
31
31
  class WindowsCertificate < Chef::Resource
32
- unified_mode true
33
32
 
34
33
  provides :windows_certificate
35
34
 
@@ -129,14 +128,14 @@ class Chef
129
128
  end
130
129
 
131
130
  action :delete, description: "Deletes a certificate." do
132
- cert_obj = fetch_cert
131
+ cert_is_valid = verify_cert
133
132
 
134
- if cert_obj
133
+ if cert_is_valid == true
135
134
  converge_by("Deleting certificate #{new_resource.source} from Store #{new_resource.store_name}") do
136
135
  delete_cert
137
136
  end
138
137
  else
139
- Chef::Log.debug("Certificate not found")
138
+ Chef::Log.debug("Certificate Not Found")
140
139
  end
141
140
  end
142
141
 
@@ -146,17 +145,25 @@ class Chef
146
145
  end
147
146
 
148
147
  if ::File.extname(new_resource.output_path) == ".pfx"
149
- powershell_exec!(pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_resource.output_path, password: new_resource.pfx_password ))
148
+
149
+ validated_thumbprint = validate_thumbprint(new_resource.source)
150
+ if validated_thumbprint != false # is the thumbprint valid
151
+ cert_obj = powershell_exec!(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_resource.output_path, password: new_resource.pfx_password ))
152
+ else
153
+ message = "While fetching the certificate, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
154
+ raise Chef::Exceptions::InvalidKeyAttribute, message
155
+ end
156
+
150
157
  else
151
158
  cert_obj = fetch_cert
152
159
  end
153
160
 
154
- if cert_obj
161
+ if cert_obj != false && cert_obj != "Certificate Not Found"
155
162
  converge_by("Fetching certificate #{new_resource.source} from Store \\#{ps_cert_location}\\#{new_resource.store_name}") do
156
163
  export_cert(cert_obj, output_path: new_resource.output_path, store_name: new_resource.store_name , store_location: ps_cert_location, pfx_password: new_resource.pfx_password)
157
164
  end
158
165
  else
159
- Chef::Log.debug("Certificate not found")
166
+ Chef::Log.debug("Certificate Not Found")
160
167
  end
161
168
  end
162
169
 
@@ -187,7 +194,7 @@ class Chef
187
194
 
188
195
  def delete_cert
189
196
  store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
190
- store.delete(resolve_thumbprint(new_resource.source))
197
+ store.delete(validate_thumbprint(new_resource.source))
191
198
  end
192
199
 
193
200
  def fetch_cert
@@ -196,17 +203,16 @@ class Chef
196
203
  fetch_key
197
204
 
198
205
  else
199
- store.get(resolve_thumbprint(new_resource.source), store_name: new_resource.store_name, store_location: native_cert_location)
206
+ store.get(validate_thumbprint(new_resource.source))
200
207
  end
201
208
  end
202
209
 
203
210
  def fetch_key
204
211
  require "openssl" unless defined?(OpenSSL)
205
212
  file_name = ::File.basename(new_resource.output_path, ::File.extname(new_resource.output_path))
206
- directory = ::File.dirname(new_resource.output_path)
207
213
  pfx_file = file_name + ".pfx"
208
214
  new_pfx_output_path = ::File.join(Chef::FileCache.create_cache_path("pfx_files"), pfx_file)
209
- powershell_exec(pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_pfx_output_path, password: new_resource.pfx_password ))
215
+ powershell_exec(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_pfx_output_path, password: new_resource.pfx_password ))
210
216
  pkcs12 = OpenSSL::PKCS12.new(::File.binread(new_pfx_output_path), new_resource.pfx_password)
211
217
  f = ::File.open(new_resource.output_path, "w")
212
218
  f.write(pkcs12.key.to_s)
@@ -245,10 +251,6 @@ class Chef
245
251
  ::File.file?(source)
246
252
  end
247
253
 
248
- def is_file?(source)
249
- ::File.file?(source)
250
- end
251
-
252
254
  # Thumbprints should be exactly 40 Hex characters
253
255
  def valid_thumbprint?(string)
254
256
  string.match?(/[0-9A-Fa-f]/) && string.length == 40
@@ -261,29 +263,29 @@ class Chef
261
263
  GETTHUMBPRINTCODE
262
264
  end
263
265
 
264
- def resolve_thumbprint(thumbprint)
265
- return thumbprint if valid_thumbprint?(thumbprint)
266
-
267
- powershell_exec!(get_thumbprint(new_resource.store_name, ps_cert_location, new_resource.source)).result
266
+ def validate_thumbprint(thumbprint)
267
+ # valid_thumbprint can return false under at least 2 conditions:
268
+ # one is that the thumbprint is in fact busted
269
+ # the second is that the thumbprint is valid but belongs to an expired certificate already installed
270
+ results = valid_thumbprint?(thumbprint)
271
+ results == true ? thumbprint : false
268
272
  end
269
273
 
270
- # Checks whether a certificate with the given thumbprint
271
- # is already present and valid in certificate store
272
- # If the certificate is not present, verify_cert returns a String: "Certificate not found"
273
- # But if it is present but expired, it returns a Boolean: false
274
- # Otherwise, it returns a Boolean: true
275
- # updated this method to accept either a subject name or a thumbprint - 1/29/2021
276
-
274
+ # Checks to make sure whether the cert is found or not
275
+ # if it IS found, is it still valid - has it expired?
277
276
  def verify_cert(thumbprint = new_resource.source)
278
277
  store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
279
- if new_resource.pfx_password.nil?
280
- store.valid?(resolve_thumbprint(thumbprint), store_location: native_cert_location, store_name: new_resource.store_name )
278
+ validated_thumbprint = validate_thumbprint(thumbprint)
279
+ if validated_thumbprint != false
280
+ result = store.valid?(thumbprint)
281
+ result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
281
282
  else
282
- store.valid?(resolve_thumbprint(thumbprint), store_location: native_cert_location, store_name: new_resource.store_name)
283
+ message = "While verifying the certificate, was passed the following invalid certificate thumbprint : #{thumbprint}\n"
284
+ raise Chef::Exceptions::InvalidKeyAttribute, message
283
285
  end
284
286
  end
285
287
 
286
- # this array structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores
288
+ # this structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores
287
289
  # Secondly, we need to pass the proper constant name for each store to win32-certstore but also pass the short name to powershell scripts used here
288
290
  def ps_cert_location
289
291
  new_resource.user_store ? "CurrentUser" : "LocalMachine"
@@ -436,7 +438,7 @@ class Chef
436
438
  end
437
439
 
438
440
  def export_cert(cert_obj, output_path:, store_name:, store_location:, pfx_password:)
439
- # Delete the cert if it exists. This is non-destructive in that it only removes the file and not the entire path.
441
+ # Delete the cert if it exists on disk already.
440
442
  # We want to ensure we're not randomly loading an old stinky cert.
441
443
  if ::File.exists?(output_path)
442
444
  ::File.delete(output_path)
@@ -460,7 +462,20 @@ class Chef
460
462
  cert_out = shell_out("openssl x509 -text -inform DER -in #{cert_obj} -outform CRT").stdout
461
463
  out_file.puts(cert_out)
462
464
  when ".pfx"
463
- pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: store_location, store_name: store_name, output_path: output_path, password: pfx_password )
465
+ validated_thumbprint = validate_thumbprint(new_resource.source)
466
+ if validated_thumbprint != false # is the thumbprint valid
467
+ store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
468
+ result = store.valid?(new_resource.source) # is there a cert in the store matching that thumbprint
469
+ temp = result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
470
+ if temp == true
471
+ pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: store_location, store_name: store_name, output_path: output_path, password: pfx_password )
472
+ else
473
+ Chef::Log.debug("The requested certificate is not found or has expired")
474
+ end
475
+ else
476
+ message = "While exporting the pfx, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
477
+ raise Chef::Exceptions::InvalidKeyAttribute, message
478
+ end
464
479
  when ".p7b"
465
480
  cert_out = shell_out("openssl pkcs7 -export -nokeys -in #{cert_obj.to_pem} -outform P7B").stdout
466
481
  out_file.puts(cert_out)
@@ -481,14 +496,11 @@ class Chef
481
496
  #
482
497
  def import_certificates(cert_objs, is_pfx, store_name: new_resource.store_name, store_location: native_cert_location)
483
498
  [cert_objs].flatten.each do |cert_obj|
484
- # thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
485
- # pkcs = OpenSSL::PKCS12.new(cert_obj, new_resource.pfx_password)
486
- # cert = OpenSSL::X509::Certificate.new(pkcs.certificate.to_pem)
487
499
  thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
488
- if is_pfx
489
- if verify_cert(thumbprint) == true
490
- Chef::Log.debug("Certificate is already present")
491
- else
500
+ if verify_cert(thumbprint) == true
501
+ Chef::Log.debug("Certificate is already present")
502
+ elsif verify_cert(thumbprint) == false # Not found already in the CertStore
503
+ if is_pfx
492
504
  if is_file?(new_resource.source)
493
505
  converge_by("Creating a PFX #{new_resource.source} for Store #{new_resource.store_name}") do
494
506
  add_pfx_cert(new_resource.source)
@@ -502,15 +514,14 @@ class Chef
502
514
  message << exception.message
503
515
  raise Chef::Exceptions::ArgumentError, message
504
516
  end
505
- end
506
- else
507
- if verify_cert(thumbprint) == true
508
- Chef::Log.debug("Certificate is already present")
509
517
  else
510
518
  converge_by("Creating a certificate #{new_resource.source} for Store #{new_resource.store_name}") do
511
519
  add_cert(cert_obj)
512
520
  end
513
521
  end
522
+ else
523
+ message = "Certificate could not be imported"
524
+ raise Chef::Exceptions::CertificateNotImportable, message
514
525
  end
515
526
  end
516
527
  end
@@ -88,7 +88,7 @@ class Chef
88
88
  if automatic_managed
89
89
  set_automatic_managed unless automatic_managed?
90
90
  elsif automatic_managed == false
91
- unset_automatic_managed if automatic_managed?
91
+ unset_automatic_managed
92
92
  else
93
93
  pagefile = clarify_pagefile_name
94
94
  initial_size = new_resource.initial_size
@@ -149,10 +149,12 @@ class Chef
149
149
  def exists?(pagefile)
150
150
  @exists ||= begin
151
151
  logger.trace("Checking if #{pagefile} exists by running: Get-CimInstance Win32_PagefileSetting | Where-Object { $_.name -eq $($pagefile)} ")
152
- cmd = "$page_file_name = '#{pagefile}';"
153
- cmd << "$pagefile = Get-CimInstance Win32_PagefileSetting | Where-Object { $_.name -eq $($page_file_name)};"
154
- cmd << "if ([string]::IsNullOrEmpty($pagefile)) { return $false } else { return $true }"
155
- powershell_exec!(cmd).result
152
+ powershell_code = <<~CODE
153
+ $page_file_name = '#{pagefile}';
154
+ $pagefile = Get-CimInstance Win32_PagefileSetting | Where-Object { $_.name -eq $($page_file_name)}
155
+ if ([string]::IsNullOrEmpty($pagefile)) { return $false } else { return $true }
156
+ CODE
157
+ powershell_exec!(powershell_code).result
156
158
  end
157
159
  end
158
160
 
@@ -164,13 +166,17 @@ class Chef
164
166
  # @return [Boolean]
165
167
  def max_and_min_set?(pagefile, min, max)
166
168
  logger.trace("Checking if #{pagefile} has max and initial disk size values set")
167
- cmd = "$page_file = '#{pagefile}';"
168
- cmd << "$driveLetter = $page_file.split(':')[0];"
169
- cmd << "$page_file_settings = Get-CimInstance -ClassName Win32_PageFileSetting -Filter \"SettingID='pagefile.sys @ $($driveLetter):'\" -Property * -ErrorAction Stop;"
170
- cmd << "if ($page_file_settings.InitialSize -eq #{min} -and $page_file_settings.MaximumSize -eq #{max})"
171
- cmd << "{ return $true }"
172
- cmd << "else { return $false }"
173
- powershell_exec!(cmd).result
169
+
170
+ powershell_code = <<-CODE
171
+ $page_file = '#{pagefile}';
172
+ $driveLetter = $page_file.split(':')[0];
173
+ $page_file_settings = Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -Property * -ErrorAction Stop;
174
+ if ($page_file_settings.InitialSize -eq #{min} -and $page_file_settings.MaximumSize -eq #{max})
175
+ { return $true }
176
+ else
177
+ { return $false }
178
+ CODE
179
+ powershell_exec!(powershell_code).result
174
180
  end
175
181
 
176
182
  # create a pagefile
@@ -225,12 +231,14 @@ class Chef
225
231
 
226
232
  # turn off automatic management of all pagefiles by Windows
227
233
  def unset_automatic_managed
228
- converge_by("Turn off Automatically Managed on pagefiles") do
229
- logger.trace("Running Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru")
230
- powershell_exec! <<~EOH
231
- $sys = Get-CimInstance Win32_ComputerSystem -Property *
232
- Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru
233
- EOH
234
+ if automatic_managed?
235
+ converge_by("Turn off Automatically Managed on pagefiles") do
236
+ logger.trace("Running Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru")
237
+ powershell_exec! <<~EOH
238
+ $sys = Get-CimInstance Win32_ComputerSystem -Property *
239
+ Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru
240
+ EOH
241
+ end
234
242
  end
235
243
  end
236
244
 
@@ -240,14 +248,13 @@ class Chef
240
248
  # @param [String] min the minimum size of the pagefile
241
249
  # @param [String] max the minimum size of the pagefile
242
250
  def set_custom_size(pagefile, min, max)
251
+ unset_automatic_managed
243
252
  converge_by("set #{pagefile} to InitialSize=#{min} & MaximumSize=#{max}") do
244
253
  logger.trace("Set-CimInstance -Property @{InitialSize = #{min} MaximumSize = #{max}")
245
254
  powershell_exec! <<~EOD
246
255
  $page_file = "#{pagefile}"
247
256
  $driveLetter = $page_file.split(':')[0]
248
- Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -ErrorAction Stop | Set-CimInstance -Property @{
249
- InitialSize = #{min}
250
- MaximumSize = #{max}}
257
+ Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -ErrorAction Stop | Set-CimInstance -Property @{InitialSize = #{min}; MaximumSize = #{max};}
251
258
  EOD
252
259
  end
253
260
  end
@@ -24,7 +24,7 @@ class Chef
24
24
  unified_mode true
25
25
 
26
26
  provides :windows_user_privilege
27
- description "The windows_user_privilege resource allows to add and set principal (User/Group) to the specified privilege.\n Ref: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment"
27
+ description "The windows_user_privilege resource allows to add a privilege to a principal or (User/Group).\n Ref: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment"
28
28
 
29
29
  introduced "16.0"
30
30
 
@@ -39,23 +39,32 @@ class Chef
39
39
  end
40
40
  ```
41
41
 
42
- **Add the SeDenyRemoteInteractiveLogonRight Privilege to the Builtin Guests and Local Accounts User Groups**:
42
+ **Provide only the Builtin Guests and Administrator Groups with the SeCreatePageFile Privilege**:
43
+
44
+ ```ruby
45
+ windows_user_privilege 'Create Pagefile' do
46
+ privilege 'SeCreatePagefilePrivilege'
47
+ users ['BUILTIN\\Guests', 'BUILTIN\\Administrators']
48
+ action :set
49
+ end
50
+ ```
51
+
52
+ **Add the SeDenyRemoteInteractiveLogonRight Privilege to the 'Remote interactive logon' principal**:
43
53
 
44
54
  ```ruby
45
55
  windows_user_privilege 'Remote interactive logon' do
46
56
  privilege 'SeDenyRemoteInteractiveLogonRight'
47
- users ['Builtin\\Guests', 'NT AUTHORITY\\Local Account']
48
57
  action :add
49
58
  end
50
59
  ```
51
60
 
52
- **Provide only the Builtin Guests and Administrator Groups with the SeCreatePageFile Privilege**:
61
+ **Add to the Builtin Guests Group the SeCreatePageFile Privilege**:
53
62
 
54
63
  ```ruby
55
- windows_user_privilege 'Create Pagefile' do
64
+ windows_user_privilege 'Guests add Create Pagefile' do
65
+ principal 'BUILTIN\\Guests'
56
66
  privilege 'SeCreatePagefilePrivilege'
57
- users ['BUILTIN\\Guests', 'BUILTIN\\Administrators']
58
- action :set
67
+ action :add
59
68
  end
60
69
  ```
61
70
 
@@ -90,6 +99,7 @@ class Chef
90
99
  SeCreateSymbolicLinkPrivilege
91
100
  SeCreateTokenPrivilege
92
101
  SeDebugPrivilege
102
+ SeDelegateSessionUserImpersonatePrivilege
93
103
  SeDenyBatchLogonRight
94
104
  SeDenyInteractiveLogonRight
95
105
  SeDenyNetworkLogonRight
@@ -126,20 +136,20 @@ class Chef
126
136
  }.freeze
127
137
 
128
138
  property :principal, String,
129
- description: "An optional property to add the user to the given privilege. Use only with add and remove action.",
130
- name_property: true
139
+ description: "An optional property to add the privilege for given principal. Use only with add and remove action. Principal can either be a User/Group or one of special identities found here Ref: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/special-identities",
140
+ name_property: true
131
141
 
132
142
  property :users, [Array, String],
133
- description: "An optional property to set the privilege for given users. Use only with set action.",
134
- coerce: proc { |v| Array(v) }
143
+ description: "An optional property to set the privilege for given users. Use only with set action.",
144
+ coerce: proc { |v| Array(v) }
135
145
 
136
146
  property :privilege, [Array, String],
137
- description: "One or more privileges to set for users.",
138
- required: true,
139
- coerce: proc { |v| Array(v) },
140
- callbacks: {
141
- "Privilege property restricted to the following values: #{PRIVILEGE_OPTS}" => lambda { |n| (n - PRIVILEGE_OPTS).empty? },
142
- }, identity: true
147
+ description: "One or more privileges to set for principal or users/groups. For more information on what each privilege does Ref: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment",
148
+ required: true,
149
+ coerce: proc { |v| Array(v) },
150
+ callbacks: {
151
+ "Privilege property restricted to the following values: #{PRIVILEGE_OPTS}" => lambda { |n| (n - PRIVILEGE_OPTS).empty? },
152
+ }, identity: true
143
153
 
144
154
  load_current_value do |new_resource|
145
155
  if new_resource.principal && (new_resource.action.include?(:add) || new_resource.action.include?(:remove))
@@ -147,15 +157,15 @@ class Chef
147
157
  end
148
158
  end
149
159
 
150
- action :add, description: "Add a user privilege." do
151
- ([*new_resource.privilege] - [*current_resource.privilege]).each do |user_right|
152
- converge_by("adding user '#{new_resource.principal}' privilege #{user_right}") do
153
- Chef::ReservedNames::Win32::Security.add_account_right(new_resource.principal, user_right)
160
+ action :add, description: "Add a privileges to a principal." do
161
+ ([*new_resource.privilege] - [*current_resource.privilege]).each do |principal_right|
162
+ converge_by("adding principal '#{new_resource.principal}' privilege #{principal_right}") do
163
+ Chef::ReservedNames::Win32::Security.add_account_right(new_resource.principal, principal_right)
154
164
  end
155
165
  end
156
166
  end
157
167
 
158
- action :set, description: "Set the privileges that are listed in the `privilege` property for only the users listed in the `users` property." do
168
+ action :set, description: "Set the privileges that are listed in the `privilege` property for only the users listed in the `users` property. All other users not listed with given privilege will be have the privilege removed." do
159
169
  if new_resource.users.nil? || new_resource.users.empty?
160
170
  raise Chef::Exceptions::ValidationFailed, "Users are required property with set action."
161
171
  end
@@ -204,7 +214,7 @@ class Chef
204
214
  end
205
215
  end
206
216
 
207
- action :remove, description: "Remove a user privilege" do
217
+ action :remove, description: "Remove a principal privilege" do
208
218
  curr_res_privilege = current_resource.privilege
209
219
  missing_res_privileges = (new_resource.privilege - curr_res_privilege)
210
220
 
@@ -212,9 +222,9 @@ class Chef
212
222
  Chef::Log.info("User \'#{new_resource.principal}\' for Privilege: #{missing_res_privileges.join(", ")} not found. Nothing to remove.")
213
223
  end
214
224
 
215
- (new_resource.privilege - missing_res_privileges).each do |user_right|
216
- converge_by("removing user #{new_resource.principal} from privilege #{user_right}") do
217
- Chef::ReservedNames::Win32::Security.remove_account_right(new_resource.principal, user_right)
225
+ (new_resource.privilege - missing_res_privileges).each do |principal_right|
226
+ converge_by("removing principal #{new_resource.principal} from privilege #{principal_right}") do
227
+ Chef::ReservedNames::Win32::Security.remove_account_right(new_resource.principal, principal_right)
218
228
  end
219
229
  end
220
230
  end
@@ -145,6 +145,16 @@ class Chef
145
145
  #
146
146
  attr_accessor :input_collection
147
147
 
148
+ #
149
+ # @return [Symbol, nil]
150
+ #
151
+ attr_accessor :default_secret_service
152
+
153
+ #
154
+ # @return [Hash<Symbol,Object>]
155
+ #
156
+ attr_accessor :default_secret_config
157
+
148
158
  # Pointer back to the Chef::Runner that created this
149
159
  #
150
160
  attr_accessor :runner
@@ -222,6 +232,8 @@ class Chef
222
232
  @input_collection = Chef::Compliance::InputCollection.new(events)
223
233
  @waiver_collection = Chef::Compliance::WaiverCollection.new(events)
224
234
  @profile_collection = Chef::Compliance::ProfileCollection.new(events)
235
+ @default_secret_service = nil
236
+ @default_secret_config = {}
225
237
 
226
238
  initialize_child_state
227
239
  end
@@ -693,6 +705,10 @@ class Chef
693
705
  cookbook_collection
694
706
  cookbook_collection=
695
707
  cookbook_compiler
708
+ default_secret_config
709
+ default_secret_config=
710
+ default_secret_service
711
+ default_secret_service=
696
712
  definitions
697
713
  events
698
714
  events=
@@ -112,7 +112,7 @@ class Chef
112
112
  raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name")
113
113
  end
114
114
 
115
- Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new)
115
+ Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new, Vault.address)
116
116
  else
117
117
  raise Chef::Exceptions::Secret::ConfigurationInvalid.new("Invalid :auth_method provided. You gave #{config[:auth_method]}, expected one of :#{SUPPORTED_AUTH_TYPES.join(", :")} ")
118
118
  end
data/lib/chef/version.rb CHANGED
@@ -23,7 +23,7 @@ require_relative "version_string"
23
23
 
24
24
  class Chef
25
25
  CHEF_ROOT = File.expand_path("..", __dir__)
26
- VERSION = Chef::VersionString.new("17.9.52")
26
+ VERSION = Chef::VersionString.new("17.10.68")
27
27
  end
28
28
 
29
29
  #
@@ -51,7 +51,8 @@ class Chef
51
51
  WIN_VERSIONS = {
52
52
  "Windows Server 2022" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number >= 20348 } },
53
53
  "Windows Server 2019" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number >= 17763 && build_number < 20348 } },
54
- "Windows 10" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION } },
54
+ "Windows 11" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION && build_number >= 22000 } },
55
+ "Windows 10" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION && build_number >= 19044 && build_number < 22000 } },
55
56
  "Windows Server 2016" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number <= 14393 } },
56
57
  "Windows 8.1" => { major: 6, minor: 3, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION } },
57
58
  "Windows Server 2012 R2" => { major: 6, minor: 3, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION } },
@@ -1,57 +1,36 @@
1
1
  -----BEGIN CERTIFICATE-----
2
- MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
2
+ MIIGTjCCBTagAwIBAgIQBK55YGZmkBq5xX+mbFvczTANBgkqhkiG9w0BAQsFADBl
3
3
  MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
4
- d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
5
- QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
6
- MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
7
- U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
8
- ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
9
- nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
10
- KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
11
- /ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
12
- kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
13
- /RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
14
- AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
15
- aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
16
- Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
17
- oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
18
- QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
19
- d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
20
- xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
21
- CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
22
- 5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
23
- 8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
24
- 2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
25
- c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
26
- j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
27
- -----END CERTIFICATE-----
28
- -----BEGIN CERTIFICATE-----
29
- MIIFDTCCA/WgAwIBAgIQBZ8R1sZP2Lbc8x554UUQ2DANBgkqhkiG9w0BAQsFADBN
30
- MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
31
- aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTQxMTEwMDAwMDAwWhcN
32
- MTcxMTE0MTIwMDAwWjBlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv
33
- bjEQMA4GA1UEBxMHU2VhdHRsZTEbMBkGA1UEChMSQ2hlZiBTb2Z0d2FyZSwgSW5j
34
- MRIwEAYDVQQDDAkqLmNoZWYuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
35
- AoIBAQC3xCIczkV10O5jTDpbd4YlPLC6kfnVoOkno2N/OOlcLQu3ulj/Lj1j4r6e
36
- 2XthJLcFgTO+y+1/IKnnpLKDfkx1YngWEBXEBP+MrrpDUKKs053s45/bI9QBPISA
37
- tXgnYxMH9Glo6FWWd13TUq++OKGw1p1wazH64XK4MAf5y/lkmWXIWumNuO35ZqtB
38
- ME3wJISwVHzHB2CQjlDklt+Mb0APEiIFIZflgu9JNBYzLdvUtxiz15FUZQI7SsYL
39
- TfXOD1KBNMWqN8snG2e5gRAzB2D161DFvAZt8OiYUe+3QurNlTYVzeHv1ok6UqgM
40
- ZcLzg8m801rRip0D7FCGvMCU/ktdAgMBAAGjggHPMIIByzAfBgNVHSMEGDAWgBQP
41
- gGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUwldjw4Pb4HV+wxGZ7MSSRh+d
42
- pm4wHQYDVR0RBBYwFIIJKi5jaGVmLmlvggdjaGVmLmlvMA4GA1UdDwEB/wQEAwIF
43
- oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAvoC2g
44
- K4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nMy5jcmwwL6At
45
- oCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLXNoYTItZzMuY3JsMEIG
46
- A1UdIAQ7MDkwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
47
- LmRpZ2ljZXJ0LmNvbS9DUFMwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhho
48
- dHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNl
49
- cnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQw
50
- DAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAvcTWenNuvvrhX2omm8LQ
51
- zWOuu8jqpoflACwD4lOSZ4TgOe4pQGCjXq8aRBD5k+goqQrPVf9lHnelUHFQac0Q
52
- 5WT4YUmisUbF0S4uY5OGQymM52MvUWG4ODL4gaWhFvN+HAXrDPP/9iitsjV0QOnl
53
- CDq7Q4/XYRYW3opu5nLLbfW6v4QvF5yzZagEACGs7Vt32p6l391UcU8f6wiB3uMD
54
- eioCvjpv/+2YOUNlDPCM3uBubjUhHOwO817wBxXkzdk1OSRe4jzcw/uX6wL7birt
55
- fbaSkpilvVX529pSzB2Lvi9xWOoGMM578dpQ0h3PwhmmvKhhCWP+pI05k3oSkYCP
56
- ng==
4
+ d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
5
+ b3QgQ0EwHhcNMTMxMTA1MTIwMDAwWhcNMjgxMTA1MTIwMDAwWjBlMQswCQYDVQQG
6
+ EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
7
+ cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ0EwggEi
8
+ MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc+BEjP2q178AneRstBYeiEEMx
9
+ 3w7UFRtPd6Qizj6McPC+B47dJyq8AR22LArK3WlYH0HtagUf2mN4WR4iLCv4un7J
10
+ NTtW8R98Qn4lsCMZxkU41z1E+SB8YK4csFoYBL6PO/ep8JSapgxjSbZBF1NAMr1P
11
+ 5lB6UB8lRejxia/N/17/UPPwFxH/vcWJ9b1iudj7jkUEhW2ZzcVITf0mqwI2Reo2
12
+ 119q4hqCQQrc6dn1kReOxiGtODwT5h5/ZpzVTdlG2vbPUqd9OyTDtMFRNcab69Tv
13
+ fuR7A+FEvXoLN+BPy4KKDXEY5KbgiSwb87JzPMGwkp4Yfb2rfcV9CKEswp9zAgMB
14
+ AAGjggL4MIIC9DASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjA0
15
+ BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0
16
+ LmNvbTCBgQYDVR0fBHoweDA6oDigNoY0aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
17
+ L0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNybDA6oDigNoY0aHR0cDovL2NybDMu
18
+ ZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNybDAdBgNVHSUE
19
+ FjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwggGzBgNVHSAEggGqMIIBpjCCAaIGCmCG
20
+ SAGG/WwAAgQwggGSMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5j
21
+ b20vQ1BTMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm
22
+ ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp
23
+ AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg
24
+ AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg
25
+ AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg
26
+ AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu
27
+ AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp
28
+ AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMB0GA1UdDgQWBBTnAiOAAE/Y
29
+ 17yUC9k/dDlJMjyKeTAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzAN
30
+ BgkqhkiG9w0BAQsFAAOCAQEATtSJJ7n9HYd3fg8oBZDxCi/JOz69k5yQxq/6kVGH
31
+ MlRr6MrBcVFcmY61+uBiGZmmB5p8Eyfb5QKihBLZFfYKRFfENI9tcx861qABPd7j
32
+ guRFa7LrJf2AXh05kL5bQvbOkWDj+aBWDEgQzjNoe82Tq/Bqy09YD7l7XRsEgZ6n
33
+ IuJXSSfukpMIvmkIUwI6Ll3IGfRQgE4C2bBdkbSTh/mWloFVQI5m7YLYuyhf7Uxh
34
+ 7QZYKBlTEUS8RyApsgRs2IlUmTt122d4LB6SeMZVPVgSETJuvUMMTTTbe8ZC2+y+
35
+ q5thTAaS447fISpQVwTAYKI11SSeZjcJSc/V+GWz4OJuwg==
57
36
  -----END CERTIFICATE-----
@@ -709,6 +709,21 @@ describe Chef::Resource::DnfPackage, :requires_root, external: exclude_test do
709
709
  action :install
710
710
  end.should_not_be_updated
711
711
  end
712
+
713
+ it "works with constraints in the version property" do
714
+ flush_cache
715
+ dnf_package "chef_rpm" do
716
+ version ">= 1.10"
717
+ options default_options
718
+ action :install
719
+ end.should_be_updated
720
+ expect_matching_installed_version("^chef_rpm-1.10-1.#{pkg_arch}$")
721
+ dnf_package "chef_rpm" do
722
+ version ">= 1.10"
723
+ options default_options
724
+ action :install
725
+ end.should_not_be_updated
726
+ end
712
727
  end
713
728
 
714
729
  context "with source arguments" do