chef 17.9.52-universal-mingw32 → 17.10.68-universal-mingw32
- checksums.yaml +4 -4
- data/Gemfile +2 -2
- data/Rakefile +2 -2
- data/chef-universal-mingw32.gemspec +2 -1
- data/chef.gemspec +5 -5
- data/lib/chef/api_client.rb +1 -1
- data/lib/chef/client.rb +17 -2
- data/lib/chef/compliance/input_collection.rb +1 -1
- data/lib/chef/compliance/profile_collection.rb +1 -1
- data/lib/chef/compliance/waiver_collection.rb +1 -1
- data/lib/chef/dsl/secret.rb +113 -5
- data/lib/chef/mixin/checksum.rb +6 -0
- data/lib/chef/node/attribute.rb +20 -3
- data/lib/chef/node/mixin/deep_merge_cache.rb +4 -4
- data/lib/chef/policy_builder/expand_node_object.rb +1 -2
- data/lib/chef/policy_builder/policyfile.rb +1 -1
- data/lib/chef/provider/file.rb +2 -2
- data/lib/chef/provider/package/powershell.rb +1 -1
- data/lib/chef/provider/package/rubygems.rb +6 -6
- data/lib/chef/provider/package/windows.rb +1 -1
- data/lib/chef/provider/package/yum/python_helper.rb +14 -1
- data/lib/chef/provider/service/windows.rb +4 -4
- data/lib/chef/provider/user/windows.rb +2 -2
- data/lib/chef/resource/chef_client_config.rb +5 -0
- data/lib/chef/resource/locale.rb +1 -1
- data/lib/chef/resource/rhsm_register.rb +19 -0
- data/lib/chef/resource/support/client.erb +1 -2
- data/lib/chef/resource/windows_certificate.rb +54 -43
- data/lib/chef/resource/windows_pagefile.rb +28 -21
- data/lib/chef/resource/windows_user_privilege.rb +36 -26
- data/lib/chef/run_context.rb +16 -0
- data/lib/chef/secret_fetcher/hashi_vault.rb +1 -1
- data/lib/chef/version.rb +1 -1
- data/lib/chef/win32/version.rb +2 -1
- data/spec/data/trusted_certs/opscode.pem +33 -54
- data/spec/functional/resource/dnf_package_spec.rb +15 -0
- data/spec/functional/resource/windows_certificate_spec.rb +41 -13
- data/spec/functional/resource/windows_font_spec.rb +1 -1
- data/spec/functional/resource/windows_pagefile_spec.rb +31 -4
- data/spec/functional/resource/yum_package_spec.rb +15 -0
- data/spec/functional/shell_spec.rb +6 -0
- data/spec/unit/client_spec.rb +6 -3
- data/spec/unit/daemon_spec.rb +1 -5
- data/spec/unit/dsl/secret_spec.rb +127 -23
- data/spec/unit/mixin/checksum_spec.rb +28 -0
- data/spec/unit/provider/package/rubygems_spec.rb +1 -1
- data/spec/unit/resource/chef_client_config_spec.rb +8 -0
- data/spec/unit/run_context_spec.rb +16 -0
- metadata +43 -29
- /data/spec/functional/assets/yumrepo/repodata/{4632d67cb92636e7575d911c24f0e04d3505a944e97c483abe0c3e73a7c62d33-filelists.sqlite.bz2 → 01a3b-filelists.sqlite.bz2} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{bdb4f5f1492a3b9532f22c43110a81500dd744f23da0aec5c33b2a41317c737d-filelists.xml.gz → 401dc-filelists.xml.gz} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{a845d418f919d2115ab95a56b2c76f6825ad0d0bede49181a55c04f58995d057-primary.sqlite.bz2 → 5dc1e-primary.sqlite.bz2} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{74599b793e54d877323837d2d81a1c3c594c44e4335f9528234bb490f7b9b439-other.xml.gz → 6bf96-other.xml.gz} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{af9b7cf9ef23bd7b43068d74a460f3b5d06753d638e58e4a0c9edc35bfb9cdc4-other.sqlite.bz2 → 7c365-other.sqlite.bz2} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{c10d1d34ce99e02f12ec96ef68360543ab1bb7c3cb81a4a2bf78df7d8597e9df-primary.xml.gz → dabe2-primary.xml.gz} +0 -0
@@ -29,7 +29,6 @@ require "chef-utils/dist" unless defined?(ChefUtils::Dist)
|
|
29
29
|
class Chef
|
30
30
|
class Resource
|
31
31
|
class WindowsCertificate < Chef::Resource
|
32
|
-
unified_mode true
|
33
32
|
|
34
33
|
provides :windows_certificate
|
35
34
|
|
@@ -129,14 +128,14 @@ class Chef
|
|
129
128
|
end
|
130
129
|
|
131
130
|
action :delete, description: "Deletes a certificate." do
|
132
|
-
|
131
|
+
cert_is_valid = verify_cert
|
133
132
|
|
134
|
-
if
|
133
|
+
if cert_is_valid == true
|
135
134
|
converge_by("Deleting certificate #{new_resource.source} from Store #{new_resource.store_name}") do
|
136
135
|
delete_cert
|
137
136
|
end
|
138
137
|
else
|
139
|
-
Chef::Log.debug("Certificate
|
138
|
+
Chef::Log.debug("Certificate Not Found")
|
140
139
|
end
|
141
140
|
end
|
142
141
|
|
@@ -146,17 +145,25 @@ class Chef
|
|
146
145
|
end
|
147
146
|
|
148
147
|
if ::File.extname(new_resource.output_path) == ".pfx"
|
149
|
-
|
148
|
+
|
149
|
+
validated_thumbprint = validate_thumbprint(new_resource.source)
|
150
|
+
if validated_thumbprint != false # is the thumbprint valid
|
151
|
+
cert_obj = powershell_exec!(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_resource.output_path, password: new_resource.pfx_password ))
|
152
|
+
else
|
153
|
+
message = "While fetching the certificate, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
|
154
|
+
raise Chef::Exceptions::InvalidKeyAttribute, message
|
155
|
+
end
|
156
|
+
|
150
157
|
else
|
151
158
|
cert_obj = fetch_cert
|
152
159
|
end
|
153
160
|
|
154
|
-
if cert_obj
|
161
|
+
if cert_obj != false && cert_obj != "Certificate Not Found"
|
155
162
|
converge_by("Fetching certificate #{new_resource.source} from Store \\#{ps_cert_location}\\#{new_resource.store_name}") do
|
156
163
|
export_cert(cert_obj, output_path: new_resource.output_path, store_name: new_resource.store_name , store_location: ps_cert_location, pfx_password: new_resource.pfx_password)
|
157
164
|
end
|
158
165
|
else
|
159
|
-
Chef::Log.debug("Certificate
|
166
|
+
Chef::Log.debug("Certificate Not Found")
|
160
167
|
end
|
161
168
|
end
|
162
169
|
|
@@ -187,7 +194,7 @@ class Chef
|
|
187
194
|
|
188
195
|
def delete_cert
|
189
196
|
store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
|
190
|
-
store.delete(
|
197
|
+
store.delete(validate_thumbprint(new_resource.source))
|
191
198
|
end
|
192
199
|
|
193
200
|
def fetch_cert
|
@@ -196,17 +203,16 @@ class Chef
|
|
196
203
|
fetch_key
|
197
204
|
|
198
205
|
else
|
199
|
-
store.get(
|
206
|
+
store.get(validate_thumbprint(new_resource.source))
|
200
207
|
end
|
201
208
|
end
|
202
209
|
|
203
210
|
def fetch_key
|
204
211
|
require "openssl" unless defined?(OpenSSL)
|
205
212
|
file_name = ::File.basename(new_resource.output_path, ::File.extname(new_resource.output_path))
|
206
|
-
directory = ::File.dirname(new_resource.output_path)
|
207
213
|
pfx_file = file_name + ".pfx"
|
208
214
|
new_pfx_output_path = ::File.join(Chef::FileCache.create_cache_path("pfx_files"), pfx_file)
|
209
|
-
powershell_exec(pfx_ps_cmd(
|
215
|
+
powershell_exec(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_pfx_output_path, password: new_resource.pfx_password ))
|
210
216
|
pkcs12 = OpenSSL::PKCS12.new(::File.binread(new_pfx_output_path), new_resource.pfx_password)
|
211
217
|
f = ::File.open(new_resource.output_path, "w")
|
212
218
|
f.write(pkcs12.key.to_s)
|
@@ -245,10 +251,6 @@ class Chef
|
|
245
251
|
::File.file?(source)
|
246
252
|
end
|
247
253
|
|
248
|
-
def is_file?(source)
|
249
|
-
::File.file?(source)
|
250
|
-
end
|
251
|
-
|
252
254
|
# Thumbprints should be exactly 40 Hex characters
|
253
255
|
def valid_thumbprint?(string)
|
254
256
|
string.match?(/[0-9A-Fa-f]/) && string.length == 40
|
@@ -261,29 +263,29 @@ class Chef
|
|
261
263
|
GETTHUMBPRINTCODE
|
262
264
|
end
|
263
265
|
|
264
|
-
def
|
265
|
-
return
|
266
|
-
|
267
|
-
|
266
|
+
def validate_thumbprint(thumbprint)
|
267
|
+
# valid_thumbprint can return false under at least 2 conditions:
|
268
|
+
# one is that the thumbprint is in fact busted
|
269
|
+
# the second is that the thumbprint is valid but belongs to an expired certificate already installed
|
270
|
+
results = valid_thumbprint?(thumbprint)
|
271
|
+
results == true ? thumbprint : false
|
268
272
|
end
|
269
273
|
|
270
|
-
# Checks
|
271
|
-
# is
|
272
|
-
# If the certificate is not present, verify_cert returns a String: "Certificate not found"
|
273
|
-
# But if it is present but expired, it returns a Boolean: false
|
274
|
-
# Otherwise, it returns a Boolean: true
|
275
|
-
# updated this method to accept either a subject name or a thumbprint - 1/29/2021
|
276
|
-
|
274
|
+
# Checks to make sure whether the cert is found or not
|
275
|
+
# if it IS found, is it still valid - has it expired?
|
277
276
|
def verify_cert(thumbprint = new_resource.source)
|
278
277
|
store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
|
279
|
-
|
280
|
-
|
278
|
+
validated_thumbprint = validate_thumbprint(thumbprint)
|
279
|
+
if validated_thumbprint != false
|
280
|
+
result = store.valid?(thumbprint)
|
281
|
+
result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
|
281
282
|
else
|
282
|
-
|
283
|
+
message = "While verifying the certificate, was passed the following invalid certificate thumbprint : #{thumbprint}\n"
|
284
|
+
raise Chef::Exceptions::InvalidKeyAttribute, message
|
283
285
|
end
|
284
286
|
end
|
285
287
|
|
286
|
-
# this
|
288
|
+
# this structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores
|
287
289
|
# Secondly, we need to pass the proper constant name for each store to win32-certstore but also pass the short name to powershell scripts used here
|
288
290
|
def ps_cert_location
|
289
291
|
new_resource.user_store ? "CurrentUser" : "LocalMachine"
|
@@ -436,7 +438,7 @@ class Chef
|
|
436
438
|
end
|
437
439
|
|
438
440
|
def export_cert(cert_obj, output_path:, store_name:, store_location:, pfx_password:)
|
439
|
-
# Delete the cert if it exists
|
441
|
+
# Delete the cert if it exists on disk already.
|
440
442
|
# We want to ensure we're not randomly loading an old stinky cert.
|
441
443
|
if ::File.exists?(output_path)
|
442
444
|
::File.delete(output_path)
|
@@ -460,7 +462,20 @@ class Chef
|
|
460
462
|
cert_out = shell_out("openssl x509 -text -inform DER -in #{cert_obj} -outform CRT").stdout
|
461
463
|
out_file.puts(cert_out)
|
462
464
|
when ".pfx"
|
463
|
-
|
465
|
+
validated_thumbprint = validate_thumbprint(new_resource.source)
|
466
|
+
if validated_thumbprint != false # is the thumbprint valid
|
467
|
+
store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
|
468
|
+
result = store.valid?(new_resource.source) # is there a cert in the store matching that thumbprint
|
469
|
+
temp = result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
|
470
|
+
if temp == true
|
471
|
+
pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: store_location, store_name: store_name, output_path: output_path, password: pfx_password )
|
472
|
+
else
|
473
|
+
Chef::Log.debug("The requested certificate is not found or has expired")
|
474
|
+
end
|
475
|
+
else
|
476
|
+
message = "While exporting the pfx, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
|
477
|
+
raise Chef::Exceptions::InvalidKeyAttribute, message
|
478
|
+
end
|
464
479
|
when ".p7b"
|
465
480
|
cert_out = shell_out("openssl pkcs7 -export -nokeys -in #{cert_obj.to_pem} -outform P7B").stdout
|
466
481
|
out_file.puts(cert_out)
|
@@ -481,14 +496,11 @@ class Chef
|
|
481
496
|
#
|
482
497
|
def import_certificates(cert_objs, is_pfx, store_name: new_resource.store_name, store_location: native_cert_location)
|
483
498
|
[cert_objs].flatten.each do |cert_obj|
|
484
|
-
# thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
|
485
|
-
# pkcs = OpenSSL::PKCS12.new(cert_obj, new_resource.pfx_password)
|
486
|
-
# cert = OpenSSL::X509::Certificate.new(pkcs.certificate.to_pem)
|
487
499
|
thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
|
488
|
-
if
|
489
|
-
|
490
|
-
|
491
|
-
|
500
|
+
if verify_cert(thumbprint) == true
|
501
|
+
Chef::Log.debug("Certificate is already present")
|
502
|
+
elsif verify_cert(thumbprint) == false # Not found already in the CertStore
|
503
|
+
if is_pfx
|
492
504
|
if is_file?(new_resource.source)
|
493
505
|
converge_by("Creating a PFX #{new_resource.source} for Store #{new_resource.store_name}") do
|
494
506
|
add_pfx_cert(new_resource.source)
|
@@ -502,15 +514,14 @@ class Chef
|
|
502
514
|
message << exception.message
|
503
515
|
raise Chef::Exceptions::ArgumentError, message
|
504
516
|
end
|
505
|
-
end
|
506
|
-
else
|
507
|
-
if verify_cert(thumbprint) == true
|
508
|
-
Chef::Log.debug("Certificate is already present")
|
509
517
|
else
|
510
518
|
converge_by("Creating a certificate #{new_resource.source} for Store #{new_resource.store_name}") do
|
511
519
|
add_cert(cert_obj)
|
512
520
|
end
|
513
521
|
end
|
522
|
+
else
|
523
|
+
message = "Certificate could not be imported"
|
524
|
+
raise Chef::Exceptions::CertificateNotImportable, message
|
514
525
|
end
|
515
526
|
end
|
516
527
|
end
|
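Review bot: In `verify_cert` (new line 281) the expression `( "Certificate Not Found" || "Certificate Has Expired" )` evaluates to just `"Certificate Not Found"`, so a `store.valid?` result of `"Certificate Has Expired"` falls through to `true` and an expired certificate is treated as valid; the same expression is repeated in the `.pfx` branch of `export_cert` (new line 469). Compare against both strings explicitly, for example `!["Certificate Not Found", "Certificate Has Expired"].include?(result)`. Separately, the new `validate_thumbprint` relies on `valid_thumbprint?`, whose pattern `/[0-9A-Fa-f]/` is unanchored and only requires one hex character somewhere in a 40-character string; because the value is then passed to `pfx_ps_cmd` (body not shown on this page), `string.match?(/\A[0-9A-Fa-f]{40}\z/)` would be a safer gate.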
@@ -88,7 +88,7 @@ class Chef
|
|
88
88
|
if automatic_managed
|
89
89
|
set_automatic_managed unless automatic_managed?
|
90
90
|
elsif automatic_managed == false
|
91
|
-
unset_automatic_managed
|
91
|
+
unset_automatic_managed
|
92
92
|
else
|
93
93
|
pagefile = clarify_pagefile_name
|
94
94
|
initial_size = new_resource.initial_size
|
@@ -149,10 +149,12 @@ class Chef
|
|
149
149
|
def exists?(pagefile)
|
150
150
|
@exists ||= begin
|
151
151
|
logger.trace("Checking if #{pagefile} exists by running: Get-CimInstance Win32_PagefileSetting | Where-Object { $_.name -eq $($pagefile)} ")
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
152
|
+
powershell_code = <<~CODE
|
153
|
+
$page_file_name = '#{pagefile}';
|
154
|
+
$pagefile = Get-CimInstance Win32_PagefileSetting | Where-Object { $_.name -eq $($page_file_name)}
|
155
|
+
if ([string]::IsNullOrEmpty($pagefile)) { return $false } else { return $true }
|
156
|
+
CODE
|
157
|
+
powershell_exec!(powershell_code).result
|
156
158
|
end
|
157
159
|
end
|
158
160
|
|
@@ -164,13 +166,17 @@ class Chef
|
|
164
166
|
# @return [Boolean]
|
165
167
|
def max_and_min_set?(pagefile, min, max)
|
166
168
|
logger.trace("Checking if #{pagefile} has max and initial disk size values set")
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
171
|
-
|
172
|
-
|
173
|
-
|
169
|
+
|
170
|
+
powershell_code = <<-CODE
|
171
|
+
$page_file = '#{pagefile}';
|
172
|
+
$driveLetter = $page_file.split(':')[0];
|
173
|
+
$page_file_settings = Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -Property * -ErrorAction Stop;
|
174
|
+
if ($page_file_settings.InitialSize -eq #{min} -and $page_file_settings.MaximumSize -eq #{max})
|
175
|
+
{ return $true }
|
176
|
+
else
|
177
|
+
{ return $false }
|
178
|
+
CODE
|
179
|
+
powershell_exec!(powershell_code).result
|
174
180
|
end
|
175
181
|
|
176
182
|
# create a pagefile
|
@@ -225,12 +231,14 @@ class Chef
|
|
225
231
|
|
226
232
|
# turn off automatic management of all pagefiles by Windows
|
227
233
|
def unset_automatic_managed
|
228
|
-
|
229
|
-
|
230
|
-
|
231
|
-
|
232
|
-
|
233
|
-
|
234
|
+
if automatic_managed?
|
235
|
+
converge_by("Turn off Automatically Managed on pagefiles") do
|
236
|
+
logger.trace("Running Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru")
|
237
|
+
powershell_exec! <<~EOH
|
238
|
+
$sys = Get-CimInstance Win32_ComputerSystem -Property *
|
239
|
+
Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru
|
240
|
+
EOH
|
241
|
+
end
|
234
242
|
end
|
235
243
|
end
|
236
244
|
|
@@ -240,14 +248,13 @@ class Chef
|
|
240
248
|
# @param [String] min the minimum size of the pagefile
|
241
249
|
# @param [String] max the minimum size of the pagefile
|
242
250
|
def set_custom_size(pagefile, min, max)
|
251
|
+
unset_automatic_managed
|
243
252
|
converge_by("set #{pagefile} to InitialSize=#{min} & MaximumSize=#{max}") do
|
244
253
|
logger.trace("Set-CimInstance -Property @{InitialSize = #{min} MaximumSize = #{max}")
|
245
254
|
powershell_exec! <<~EOD
|
246
255
|
$page_file = "#{pagefile}"
|
247
256
|
$driveLetter = $page_file.split(':')[0]
|
248
|
-
Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -ErrorAction Stop | Set-CimInstance -Property @{
|
249
|
-
InitialSize = #{min}
|
250
|
-
MaximumSize = #{max}}
|
257
|
+
Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -ErrorAction Stop | Set-CimInstance -Property @{InitialSize = #{min}; MaximumSize = #{max};}
|
251
258
|
EOD
|
252
259
|
end
|
253
260
|
end
|
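Review bot: `exists?` (new line 153) and `max_and_min_set?` (new line 171) interpolate `pagefile` into a single-quoted PowerShell literal, `'#{pagefile}'`, without escaping, so a value containing `'` ends the literal and the rest of the value is parsed as script. Where the value originates is not visible in these hunks (it appears to come from `clarify_pagefile_name`), but doubling the quote is cheap: `$page_file_name = '#{pagefile.gsub("'", "''")}';`. `min` and `max` are interpolated bare at new line 174 and would be safer coerced first, e.g. `Integer(min)` and `Integer(max)`. The two heredocs also differ (`<<~CODE` versus `<<-CODE`); using `<<~CODE` in both keeps the emitted script's indentation consistent.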
@@ -24,7 +24,7 @@ class Chef
|
|
24
24
|
unified_mode true
|
25
25
|
|
26
26
|
provides :windows_user_privilege
|
27
|
-
description "The windows_user_privilege resource allows to add
|
27
|
+
description "The windows_user_privilege resource allows to add a privilege to a principal or (User/Group).\n Ref: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment"
|
28
28
|
|
29
29
|
introduced "16.0"
|
30
30
|
|
@@ -39,23 +39,32 @@ class Chef
|
|
39
39
|
end
|
40
40
|
```
|
41
41
|
|
42
|
-
**
|
42
|
+
**Provide only the Builtin Guests and Administrator Groups with the SeCreatePageFile Privilege**:
|
43
|
+
|
44
|
+
```ruby
|
45
|
+
windows_user_privilege 'Create Pagefile' do
|
46
|
+
privilege 'SeCreatePagefilePrivilege'
|
47
|
+
users ['BUILTIN\\Guests', 'BUILTIN\\Administrators']
|
48
|
+
action :set
|
49
|
+
end
|
50
|
+
```
|
51
|
+
|
52
|
+
**Add the SeDenyRemoteInteractiveLogonRight Privilege to the 'Remote interactive logon' principal**:
|
43
53
|
|
44
54
|
```ruby
|
45
55
|
windows_user_privilege 'Remote interactive logon' do
|
46
56
|
privilege 'SeDenyRemoteInteractiveLogonRight'
|
47
|
-
users ['Builtin\\Guests', 'NT AUTHORITY\\Local Account']
|
48
57
|
action :add
|
49
58
|
end
|
50
59
|
```
|
51
60
|
|
52
|
-
**
|
61
|
+
**Add to the Builtin Guests Group the SeCreatePageFile Privilege**:
|
53
62
|
|
54
63
|
```ruby
|
55
|
-
windows_user_privilege 'Create Pagefile' do
|
64
|
+
windows_user_privilege 'Guests add Create Pagefile' do
|
65
|
+
principal 'BUILTIN\\Guests'
|
56
66
|
privilege 'SeCreatePagefilePrivilege'
|
57
|
-
|
58
|
-
action :set
|
67
|
+
action :add
|
59
68
|
end
|
60
69
|
```
|
61
70
|
|
@@ -90,6 +99,7 @@ class Chef
|
|
90
99
|
SeCreateSymbolicLinkPrivilege
|
91
100
|
SeCreateTokenPrivilege
|
92
101
|
SeDebugPrivilege
|
102
|
+
SeDelegateSessionUserImpersonatePrivilege
|
93
103
|
SeDenyBatchLogonRight
|
94
104
|
SeDenyInteractiveLogonRight
|
95
105
|
SeDenyNetworkLogonRight
|
@@ -126,20 +136,20 @@ class Chef
|
|
126
136
|
}.freeze
|
127
137
|
|
128
138
|
property :principal, String,
|
129
|
-
|
130
|
-
|
139
|
+
description: "An optional property to add the privilege for given principal. Use only with add and remove action. Principal can either be a User/Group or one of special identities found here Ref: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/special-identities",
|
140
|
+
name_property: true
|
131
141
|
|
132
142
|
property :users, [Array, String],
|
133
|
-
|
134
|
-
|
143
|
+
description: "An optional property to set the privilege for given users. Use only with set action.",
|
144
|
+
coerce: proc { |v| Array(v) }
|
135
145
|
|
136
146
|
property :privilege, [Array, String],
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
147
|
+
description: "One or more privileges to set for principal or users/groups. For more information on what each privilege does Ref: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment",
|
148
|
+
required: true,
|
149
|
+
coerce: proc { |v| Array(v) },
|
150
|
+
callbacks: {
|
151
|
+
"Privilege property restricted to the following values: #{PRIVILEGE_OPTS}" => lambda { |n| (n - PRIVILEGE_OPTS).empty? },
|
152
|
+
}, identity: true
|
143
153
|
|
144
154
|
load_current_value do |new_resource|
|
145
155
|
if new_resource.principal && (new_resource.action.include?(:add) || new_resource.action.include?(:remove))
|
@@ -147,15 +157,15 @@ class Chef
|
|
147
157
|
end
|
148
158
|
end
|
149
159
|
|
150
|
-
action :add, description: "Add a
|
151
|
-
([*new_resource.privilege] - [*current_resource.privilege]).each do |
|
152
|
-
converge_by("adding
|
153
|
-
Chef::ReservedNames::Win32::Security.add_account_right(new_resource.principal,
|
160
|
+
action :add, description: "Add a privileges to a principal." do
|
161
|
+
([*new_resource.privilege] - [*current_resource.privilege]).each do |principal_right|
|
162
|
+
converge_by("adding principal '#{new_resource.principal}' privilege #{principal_right}") do
|
163
|
+
Chef::ReservedNames::Win32::Security.add_account_right(new_resource.principal, principal_right)
|
154
164
|
end
|
155
165
|
end
|
156
166
|
end
|
157
167
|
|
158
|
-
action :set, description: "Set the privileges that are listed in the `privilege` property for only the users listed in the `users` property." do
|
168
|
+
action :set, description: "Set the privileges that are listed in the `privilege` property for only the users listed in the `users` property. All other users not listed with given privilege will be have the privilege removed." do
|
159
169
|
if new_resource.users.nil? || new_resource.users.empty?
|
160
170
|
raise Chef::Exceptions::ValidationFailed, "Users are required property with set action."
|
161
171
|
end
|
@@ -204,7 +214,7 @@ class Chef
|
|
204
214
|
end
|
205
215
|
end
|
206
216
|
|
207
|
-
action :remove, description: "Remove a
|
217
|
+
action :remove, description: "Remove a principal privilege" do
|
208
218
|
curr_res_privilege = current_resource.privilege
|
209
219
|
missing_res_privileges = (new_resource.privilege - curr_res_privilege)
|
210
220
|
|
@@ -212,9 +222,9 @@ class Chef
|
|
212
222
|
Chef::Log.info("User \'#{new_resource.principal}\' for Privilege: #{missing_res_privileges.join(", ")} not found. Nothing to remove.")
|
213
223
|
end
|
214
224
|
|
215
|
-
(new_resource.privilege - missing_res_privileges).each do |
|
216
|
-
converge_by("removing
|
217
|
-
Chef::ReservedNames::Win32::Security.remove_account_right(new_resource.principal,
|
225
|
+
(new_resource.privilege - missing_res_privileges).each do |principal_right|
|
226
|
+
converge_by("removing principal #{new_resource.principal} from privilege #{principal_right}") do
|
227
|
+
Chef::ReservedNames::Win32::Security.remove_account_right(new_resource.principal, principal_right)
|
218
228
|
end
|
219
229
|
end
|
220
230
|
end
|
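Review bot: Two of the new action descriptions carry wording errors that will surface in the generated resource docs: `"Add a privileges to a principal."` (new line 160) and `"... will be have the privilege removed."` (new line 168); suggest `"Add privileges to a principal."` and `"... will have the privilege removed."`. The new `:set` example (new lines 45-49) grants `SeCreatePagefilePrivilege` to `BUILTIN\\Guests`, and by the action's own description `:set` removes the right from every account not listed. Examples tend to be copied verbatim, so a one-line caution in the description next to that example, or an example that does not involve Guests, would be safer.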
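--- a/data/lib/chef/run_context.rb
+++ b/data/lib/chef/run_context.rb
@@ -145,6 +145,16 @@ class Chef
 #
 attr_accessor :input_collection
 
+#
+# @return [Symbol, nil]
+#
+attr_accessor :default_secret_service
+
+#
+# @return [Hash<Symbol,Object>]
+#
+attr_accessor :default_secret_config
+
 # Pointer back to the Chef::Runner that created this
 #
 attr_accessor :runner
@@ -222,6 +232,8 @@ class Chef
 @input_collection = Chef::Compliance::InputCollection.new(events)
 @waiver_collection = Chef::Compliance::WaiverCollection.new(events)
 @profile_collection = Chef::Compliance::ProfileCollection.new(events)
+@default_secret_service = nil
+@default_secret_config = {}
 
 initialize_child_state
 end
@@ -693,6 +705,10 @@ class Chef
 cookbook_collection
 cookbook_collection=
 cookbook_compiler
+default_secret_config
+default_secret_config=
+default_secret_service
+default_secret_service=
 definitions
 events
 events=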
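Review bot: The two new accessors (new lines 148-156) are documented with a bare `@return` tag and no description, unlike `runner` just below, which says what it points to. Add one line to each, for example `# Default secret service used for secret lookups in this run, or nil when unset` and `# Default configuration hash handed to the secret fetcher`; that wording is inferred from the names and should be confirmed against `dsl/secret.rb`. If this hash may carry fetcher credentials, the comment should also say that it must not be written to logs.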
@@ -112,7 +112,7 @@ class Chef
|
|
112
112
|
raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name")
|
113
113
|
end
|
114
114
|
|
115
|
-
Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new)
|
115
|
+
Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new, Vault.address)
|
116
116
|
else
|
117
117
|
raise Chef::Exceptions::Secret::ConfigurationInvalid.new("Invalid :auth_method provided. You gave #{config[:auth_method]}, expected one of :#{SUPPORTED_AUTH_TYPES.join(", :")} ")
|
118
118
|
end
|
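Review bot: The third positional argument added on new line 115 needs a comment, because nothing at the call site says what `Vault.address` is for. As I read the vault gem's `aws_iam` signature, that position is the IAM server-ID header value, which ties the signed STS identity request to one Vault server. A suitable comment would be `# third arg = IAM server-ID header value; must match the server's iam_server_id_header_value`. If the server is configured with a bare hostname rather than the full URL, `Vault.address` may not match and login would fail, so reading the value from `config` with `Vault.address` as the fallback may be worth considering. The enclosing method starts and ends outside this hunk.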
data/lib/chef/version.rb
CHANGED
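--- a/data/lib/chef/win32/version.rb
+++ b/data/lib/chef/win32/version.rb
@@ -51,7 +51,8 @@ class Chef
 WIN_VERSIONS = {
 "Windows Server 2022" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number >= 20348 } },
 "Windows Server 2019" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number >= 17763 && build_number < 20348 } },
-"Windows
+"Windows 11" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION && build_number >= 22000 } },
+"Windows 10" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION && build_number >= 19044 && build_number < 22000 } },
 "Windows Server 2016" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number <= 14393 } },
 "Windows 8.1" => { major: 6, minor: 3, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION } },
 "Windows Server 2012 R2" => { major: 6, minor: 3, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION } },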
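Review bot: The new `"Windows 10"` entry (new line 55) only matches workstation builds `>= 19044`, so Windows 10 releases with lower build numbers (17763 or 19041, for example) match no entry in the part of `WIN_VERSIONS` visible here. Unless that is intended, drop the lower bound: `product_type == VER_NT_WORKSTATION && build_number < 22000`. The removed line is truncated on this page, so whether the old entry carried a bound cannot be checked here, and the hash continues outside the hunk.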
@@ -1,57 +1,36 @@
|
|
1
1
|
-----BEGIN CERTIFICATE-----
|
2
|
-
|
2
|
+
MIIGTjCCBTagAwIBAgIQBK55YGZmkBq5xX+mbFvczTANBgkqhkiG9w0BAQsFADBl
|
3
3
|
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
/
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
2XthJLcFgTO+y+1/IKnnpLKDfkx1YngWEBXEBP+MrrpDUKKs053s45/bI9QBPISA
|
37
|
-
tXgnYxMH9Glo6FWWd13TUq++OKGw1p1wazH64XK4MAf5y/lkmWXIWumNuO35ZqtB
|
38
|
-
ME3wJISwVHzHB2CQjlDklt+Mb0APEiIFIZflgu9JNBYzLdvUtxiz15FUZQI7SsYL
|
39
|
-
TfXOD1KBNMWqN8snG2e5gRAzB2D161DFvAZt8OiYUe+3QurNlTYVzeHv1ok6UqgM
|
40
|
-
ZcLzg8m801rRip0D7FCGvMCU/ktdAgMBAAGjggHPMIIByzAfBgNVHSMEGDAWgBQP
|
41
|
-
gGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUwldjw4Pb4HV+wxGZ7MSSRh+d
|
42
|
-
pm4wHQYDVR0RBBYwFIIJKi5jaGVmLmlvggdjaGVmLmlvMA4GA1UdDwEB/wQEAwIF
|
43
|
-
oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAvoC2g
|
44
|
-
K4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nMy5jcmwwL6At
|
45
|
-
oCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLXNoYTItZzMuY3JsMEIG
|
46
|
-
A1UdIAQ7MDkwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
|
47
|
-
LmRpZ2ljZXJ0LmNvbS9DUFMwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhho
|
48
|
-
dHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNl
|
49
|
-
cnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQw
|
50
|
-
DAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAvcTWenNuvvrhX2omm8LQ
|
51
|
-
zWOuu8jqpoflACwD4lOSZ4TgOe4pQGCjXq8aRBD5k+goqQrPVf9lHnelUHFQac0Q
|
52
|
-
5WT4YUmisUbF0S4uY5OGQymM52MvUWG4ODL4gaWhFvN+HAXrDPP/9iitsjV0QOnl
|
53
|
-
CDq7Q4/XYRYW3opu5nLLbfW6v4QvF5yzZagEACGs7Vt32p6l391UcU8f6wiB3uMD
|
54
|
-
eioCvjpv/+2YOUNlDPCM3uBubjUhHOwO817wBxXkzdk1OSRe4jzcw/uX6wL7birt
|
55
|
-
fbaSkpilvVX529pSzB2Lvi9xWOoGMM578dpQ0h3PwhmmvKhhCWP+pI05k3oSkYCP
|
56
|
-
ng==
|
4
|
+
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
|
5
|
+
b3QgQ0EwHhcNMTMxMTA1MTIwMDAwWhcNMjgxMTA1MTIwMDAwWjBlMQswCQYDVQQG
|
6
|
+
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
|
7
|
+
cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ0EwggEi
|
8
|
+
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc+BEjP2q178AneRstBYeiEEMx
|
9
|
+
3w7UFRtPd6Qizj6McPC+B47dJyq8AR22LArK3WlYH0HtagUf2mN4WR4iLCv4un7J
|
10
|
+
NTtW8R98Qn4lsCMZxkU41z1E+SB8YK4csFoYBL6PO/ep8JSapgxjSbZBF1NAMr1P
|
11
|
+
5lB6UB8lRejxia/N/17/UPPwFxH/vcWJ9b1iudj7jkUEhW2ZzcVITf0mqwI2Reo2
|
12
|
+
119q4hqCQQrc6dn1kReOxiGtODwT5h5/ZpzVTdlG2vbPUqd9OyTDtMFRNcab69Tv
|
13
|
+
fuR7A+FEvXoLN+BPy4KKDXEY5KbgiSwb87JzPMGwkp4Yfb2rfcV9CKEswp9zAgMB
|
14
|
+
AAGjggL4MIIC9DASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjA0
|
15
|
+
BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0
|
16
|
+
LmNvbTCBgQYDVR0fBHoweDA6oDigNoY0aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
|
17
|
+
L0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNybDA6oDigNoY0aHR0cDovL2NybDMu
|
18
|
+
ZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNybDAdBgNVHSUE
|
19
|
+
FjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwggGzBgNVHSAEggGqMIIBpjCCAaIGCmCG
|
20
|
+
SAGG/WwAAgQwggGSMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5j
|
21
|
+
b20vQ1BTMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm
|
22
|
+
ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp
|
23
|
+
AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg
|
24
|
+
AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg
|
25
|
+
AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg
|
26
|
+
AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu
|
27
|
+
AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp
|
28
|
+
AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMB0GA1UdDgQWBBTnAiOAAE/Y
|
29
|
+
17yUC9k/dDlJMjyKeTAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzAN
|
30
|
+
BgkqhkiG9w0BAQsFAAOCAQEATtSJJ7n9HYd3fg8oBZDxCi/JOz69k5yQxq/6kVGH
|
31
|
+
MlRr6MrBcVFcmY61+uBiGZmmB5p8Eyfb5QKihBLZFfYKRFfENI9tcx861qABPd7j
|
32
|
+
guRFa7LrJf2AXh05kL5bQvbOkWDj+aBWDEgQzjNoe82Tq/Bqy09YD7l7XRsEgZ6n
|
33
|
+
IuJXSSfukpMIvmkIUwI6Ll3IGfRQgE4C2bBdkbSTh/mWloFVQI5m7YLYuyhf7Uxh
|
34
|
+
7QZYKBlTEUS8RyApsgRs2IlUmTt122d4LB6SeMZVPVgSETJuvUMMTTTbe8ZC2+y+
|
35
|
+
q5thTAaS447fISpQVwTAYKI11SSeZjcJSc/V+GWz4OJuwg==
|
57
36
|
-----END CERTIFICATE-----
|
@@ -709,6 +709,21 @@ describe Chef::Resource::DnfPackage, :requires_root, external: exclude_test do
|
|
709
709
|
action :install
|
710
710
|
end.should_not_be_updated
|
711
711
|
end
|
712
|
+
|
713
|
+
it "works with constraints in the version property" do
|
714
|
+
flush_cache
|
715
|
+
dnf_package "chef_rpm" do
|
716
|
+
version ">= 1.10"
|
717
|
+
options default_options
|
718
|
+
action :install
|
719
|
+
end.should_be_updated
|
720
|
+
expect_matching_installed_version("^chef_rpm-1.10-1.#{pkg_arch}$")
|
721
|
+
dnf_package "chef_rpm" do
|
722
|
+
version ">= 1.10"
|
723
|
+
options default_options
|
724
|
+
action :install
|
725
|
+
end.should_not_be_updated
|
726
|
+
end
|
712
727
|
end
|
713
728
|
|
714
729
|
context "with source arguments" do
|