chef 17.9.52 → 18.0.169

data/lib/chef/dsl/rest_resource.rb

@@ -0,0 +1,77 @@
+#
+# Copyright:: Copyright 2008-2016, Chef, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "chef/constants" unless defined?(NOT_PASSED)
+
+class Chef
+  module DSL
+    module RestResource
+      def rest_property_map(rest_property_map = NOT_PASSED)
+        if rest_property_map != NOT_PASSED
+          rest_property_map = rest_property_map.to_h { |k| [k.to_sym, k] } if rest_property_map.is_a? Array
+
+          @rest_property_map = rest_property_map
+        end
+        @rest_property_map
+      end
+
+      # URL to collection
+      def rest_api_collection(rest_api_collection = NOT_PASSED)
+        if rest_api_collection != NOT_PASSED
+          raise ArgumentError, "You must pass an absolute path to rest_api_collection" unless rest_api_collection.start_with? "/"
+
+          @rest_api_collection = rest_api_collection
+        end
+
+        @rest_api_collection
+      end
+
+      # RFC6570-Templated URL to document
+      def rest_api_document(rest_api_document = NOT_PASSED, first_element_only: false)
+        if rest_api_document != NOT_PASSED
+          raise ArgumentError, "You must pass an absolute path to rest_api_document" unless rest_api_document.start_with? "/"
+
+          @rest_api_document = rest_api_document
+          @rest_api_document_first_element_only = first_element_only
+        end
+        @rest_api_document
+      end
+
+      # Explicit REST document identity mapping
+      def rest_identity_map(rest_identity_map = NOT_PASSED)
+        @rest_identity_map = rest_identity_map if rest_identity_map != NOT_PASSED
+        @rest_identity_map
+      end
+
+      # Mark up properties for POST only, not PATCH/PUT
+      def rest_post_only_properties(rest_post_only_properties = NOT_PASSED)
+        if rest_post_only_properties != NOT_PASSED
+          @rest_post_only_properties = Array(rest_post_only_properties).map(&:to_sym)
+        end
+        @rest_post_only_properties || []
+      end
+
+      def rest_api_document_first_element_only(rest_api_document_first_element_only = NOT_PASSED)
+        if rest_api_document_first_element_only != NOT_PASSED
+          @rest_api_document_first_element_only = rest_api_document_first_element_only
+        end
+        @rest_api_document_first_element_only
+      end
+
+    end
+  end
+end

data/lib/chef/dsl/secret.rb

@@ -21,6 +21,118 @@ class Chef
   module DSL
     module Secret
 
+      #
+      # This allows you to set the default secret service that is used when
+      # fetching secrets.
+      #
+      # @example
+      #
+      #   default_secret_service :hashi_vault
+      #   val1 = secret(name: "test1", config: { region: "us-west-1" })
+      #
+      # @example
+      #
+      #   default_secret_service #=> nil
+      #   default_secret_service :hashi_vault
+      #   default_secret_service #=> :hashi_vault
+      #
+      # @param [Symbol] service default secret service to use when fetching secrets
+      # @return [Symbol, nil] default secret service to use when fetching secrets
+      #
+      def default_secret_service(service = nil)
+        return run_context.default_secret_service if service.nil?
+        raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: #{service.inspect}", Chef::SecretFetcher::SECRET_FETCHERS) unless Chef::SecretFetcher::SECRET_FETCHERS.include?(service)
+
+        run_context.default_secret_service = service
+      end
+
+      #
+      # This allows you to set the secret service for the scope of the block
+      # passed into this method.
+      #
+      # @example
+      #
+      #   with_secret_service :hashi_vault do
+      #     val1 = secret(name: "test1", config: { region: "us-west-1" })
+      #     val2 = secret(name: "test2", config: { region: "us-west-1" })
+      #   end
+      #
+      # @example Combine with #with_secret_config
+      #
+      #   with_secret_service :hashi_vault do
+      #     with_secret_config region: "us-west-1" do
+      #       val1 = secret(name: "test1")
+      #       val2 = secret(name: "test2")
+      #     end
+      #   end
+      #
+      # @param [Symbol] service The default secret service to use when fetching secrets
+      #
+      def with_secret_service(service)
+        raise ArgumentError, "You must pass a block to #with_secret_service" unless block_given?
+
+        begin
+          old_service = default_secret_service
+          # Use "public" API for input validation
+          default_secret_service(service)
+          yield
+        ensure
+          # Use "private" API so we can set back to nil
+          run_context.default_secret_service = old_service
+        end
+      end
+
+      #
+      # This allows you to set the default secret config that is used when
+      # fetching secrets.
+      #
+      # @example
+      #
+      #   default_secret_config region: "us-west-1"
+      #   val1 = secret(name: "test1", service: :hashi_vault)
+      #
+      # @example
+      #
+      #   default_secret_config #=> {}
+      #   default_secret_service region: "us-west-1"
+      #   default_secret_service #=> { region: "us-west-1" }
+      #
+      # @param [Hash<Symbol,Object>] config The default configuration options to apply when fetching secrets
+      # @return [Hash<Symbol,Object>]
+      #
+      def default_secret_config(**config)
+        return run_context.default_secret_config if config.empty?
+
+        run_context.default_secret_config = config
+      end
+
+      #
+      # This allows you to set the secret config for the scope of the block
+      # passed into this method.
+      #
+      # @example
+      #
+      #   with_secret_config region: "us-west-1" do
+      #     val1 = secret(name: "test1", service: :hashi_vault)
+      #     val2 = secret(name: "test2", service: :hashi_vault)
+      #   end
+      #
+      # @param [Hash<Symbol,Object>] config The default configuration options to use when fetching secrets
+      #
+      def with_secret_config(**config)
+        raise ArgumentError, "You must pass a block to #with_secret_config" unless block_given?
+
+        begin
+          old_config = default_secret_config
+          # Use "public" API for input validation
+          default_secret_config(**config)
+          yield
+        ensure
+          # Use "private" API so we can set back to nil
+          run_context.default_secret_config = old_config
+        end
+      end
+
       # Helper method which looks up a secret using the given service and configuration,
       # and returns the retrieved secret value.
       # This DSL providers a wrapper around [Chef::SecretFetcher]
@@ -49,11 +161,7 @@ class Chef
       #
       #   value = secret(name: "test1", service: :aws_secrets_manager, version: "v1", config: { region: "us-west-1" })
       #   log "My secret is #{value}"
-      def secret(name: nil, version: nil, service: nil, config: {})
-        Chef::Log.warn <<~EOM.gsub("\n", " ")
-          The secrets Chef Infra language helper is currently in beta. If you have feedback or you would
-          like to be part of the future design of this helper e-mail us at secrets_management_beta@progress.com"
-        EOM
+      def secret(name: nil, version: nil, service: default_secret_service, config: default_secret_config)
         sensitive(true) if is_a?(Chef::Resource)
         Chef::SecretFetcher.for_service(service, config, run_context).fetch(name, version)
       end

data/lib/chef/event_dispatch/base.rb

@@ -273,6 +273,9 @@ class Chef
       # Called if the converge phase fails
       def converge_failed(exception); end
 
+      # Called when migrating from a pem on disk to a pem stored in Keychain or Windows Certstore
+      def key_migration_status(key_migrated = false); end
+
       # TODO: need events for notification resolve?
       # def notifications_resolved
       # end

data/lib/chef/exceptions.rb

@@ -561,5 +561,13 @@ class Chef
         super "before subscription from #{notification.resource} resource cannot be setup to #{notification.notifying_resource} resource, which has already fired while in unified mode"
       end
     end
+
+    class RestError < RuntimeError; end
+
+    class RestTargetError < RestError; end
+
+    class RestTimeout < RestError; end
+
+    class RestOperationFailed < RestError; end
   end
 end

data/lib/chef/http/authenticator.rb

@@ -16,16 +16,19 @@
 # limitations under the License.
 #
 
+require "chef/mixin/powershell_exec"
 require_relative "auth_credentials"
 require_relative "../exceptions"
+require_relative "../win32/registry"
 autoload :OpenSSL, "openssl"
 
 class Chef
   class HTTP
     class Authenticator
-
       DEFAULT_SERVER_API_VERSION = "2".freeze
 
+      extend Chef::Mixin::PowershellExec
+
       attr_reader :signing_key_filename
       attr_reader :raw_key
       attr_reader :attr_names
@@ -83,13 +86,69 @@ class Chef
         @auth_credentials.client_name
       end
 
+      def detect_certificate_key(client_name)
+        self.class.detect_certificate_key(client_name)
+      end
+
+      def check_certstore_for_key(client_name)
+        self.class.check_certstore_for_key(client_name)
+      end
+
+      def retrieve_certificate_key(client_name)
+        self.class.retrieve_certificate_key(client_name)
+      end
+
+      def get_cert_password
+        self.class.get_cert_password
+      end
+
+      def encrypt_pfx_pass
+        self.class.encrypt_pfx_pass
+      end
+
+      def decrypt_pfx_pass
+        self.class.decrypt_pfx_pass
+      end
+
+      # Detects if a private key exists in a certificate repository like Keychain (macOS) or Certificate Store (Windows)
+      #
+      # @param client_name - we're using the node name to store and retrieve any keys
+      # Returns true if a key is found, false if not. False will trigger a registration event which will lead to a certificate based key being created
+      #
+      def self.detect_certificate_key(client_name)
+        if ChefUtils.windows?
+          check_certstore_for_key(client_name)
+        else # generic return for Mac and LInux clients
+          false
+        end
+      end
+
+      def self.check_certstore_for_key(client_name)
+        powershell_code = <<~CODE
+          $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force  | Where-Object { $_.Subject -Match "chef-#{client_name}" } -ErrorAction Stop
+          if (($cert.HasPrivateKey -eq $true) -and ($cert.PrivateKey.Key.ExportPolicy -ne "NonExportable")) {
+            return $true
+          }
+          else{
+            return $false
+          }
+        CODE
+        powershell_exec!(powershell_code).result
+      end
+
       def load_signing_key(key_file, raw_key = nil)
-        if !!key_file
+        results = retrieve_certificate_key(Chef::Config[:node_name])
+
+        if !!results
+          @raw_key = results
+        elsif key_file == nil? && raw_key == nil?
+          puts "\nNo key detected\n"
+        elsif !!key_file
           @raw_key = IO.read(key_file).strip
         elsif !!raw_key
           @raw_key = raw_key.strip
         else
-          return nil
+          return
         end
         # Pass in '' as the passphrase to avoid OpenSSL prompting on the TTY if
         # given an encrypted key. This also helps if using a single file for
@@ -104,6 +163,114 @@ class Chef
         raise Chef::Exceptions::InvalidPrivateKey, msg
       end
 
+      def self.get_cert_password
+        @win32registry = Chef::Win32::Registry.new
+        path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+        # does the registry key even exist?
+        present = @win32registry.get_values(path)
+        if present.nil? || present.empty?
+          raise Chef::Exceptions::Win32RegKeyMissing
+        end
+
+        present.each do |secret|
+          if secret[:name] == "PfxPass"
+            password = decrypt_pfx_pass(secret[:data])
+            return password
+          end
+        end
+
+        raise Chef::Exceptions::Win32RegKeyMissing
+
+      rescue Chef::Exceptions::Win32RegKeyMissing
+        # if we don't have a password, log that and generate one
+        Chef::Log.warn "Authentication Hive and values not present in registry, creating them now"
+        new_path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+        unless @win32registry.key_exists?(new_path)
+          @win32registry.create_key(new_path, true)
+        end
+        require "securerandom" unless defined?(SecureRandom)
+        size = 14
+        password = SecureRandom.alphanumeric(size)
+        encrypted_pass = encrypt_pfx_pass(password)
+        values = { name: "PfxPass", type: :string, data: encrypted_pass }
+        @win32registry.set_value(new_path, values)
+        password
+      end
+
+      def self.encrypt_pfx_pass(password)
+        powershell_code = <<~CODE
+          $encrypted_string = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+          $secure_string = ConvertFrom-SecureString $encrypted_string
+          return $secure_string
+        CODE
+        powershell_exec!(powershell_code).result
+      end
+
+      def self.decrypt_pfx_pass(password)
+        powershell_code = <<~CODE
+          $secure_string = "#{password}" | ConvertTo-SecureString
+          $string = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((($secure_string))))
+          return $string
+        CODE
+        powershell_exec!(powershell_code).result
+      end
+
+      def self.retrieve_certificate_key(client_name)
+        require "openssl" unless defined?(OpenSSL)
+
+        if ChefUtils.windows?
+          password = get_cert_password
+          return false unless password
+
+          if check_certstore_for_key(client_name)
+            ps_blob = powershell_exec!(get_the_key_ps(client_name, password)).result
+            file_path = ps_blob["PSPath"].split("::")[1]
+            pkcs = OpenSSL::PKCS12.new(File.binread(file_path), password)
+
+            # We check the pfx we just extracted the private key from
+            # if that cert is expiring in 7 days or less we generate a new pfx/p12 object
+            # then we post the new public key from that to the client endpoint on
+            # chef server.
+            File.delete(file_path)
+            key_expiring = is_certificate_expiring?(pkcs)
+            if key_expiring
+              powershell_exec!(delete_old_key_ps(client_name))
+              ::Chef::Client.update_key_and_register(Chef::Config[:client_name], pkcs)
+            end
+
+            return pkcs.key.private_to_pem
+          end
+        end
+
+        false
+      end
+
+      def self.is_certificate_expiring?(pkcs)
+        today = Date.parse(Time.now.utc.iso8601)
+        future = Date.parse(pkcs.certificate.not_after.iso8601)
+        future.mjd - today.mjd <= 7
+      end
+
+      def self.get_the_key_ps(client_name, password)
+        powershell_code = <<~CODE
+            Try {
+              $my_pwd = ConvertTo-SecureString -String "#{password}" -Force -AsPlainText;
+              $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } -ErrorAction Stop;
+              $tempfile = [System.IO.Path]::GetTempPath() + "export_pfx.pfx";
+              Export-PfxCertificate -Cert $cert -Password $my_pwd -FilePath $tempfile;
+            }
+            Catch {
+              return $false
+            }
+        CODE
+      end
+
+      def self.delete_old_key_ps(client_name)
+        powershell_code = <<~CODE
+          Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } | Remove-Item -ErrorAction Stop;
+        CODE
+      end
+
       def authentication_headers(method, url, json_body = nil, headers = nil)
         request_params = {
           http_method: method,

data/lib/chef/http/ssl_policies.rb

@@ -88,10 +88,10 @@ class Chef
           certs = Dir.glob(::File.join(Chef::Util::PathHelper.escape_glob_dir(config.trusted_certs_dir), "*.{crt,pem}"))
           certs.each do |cert_file|
             cert = begin
-              OpenSSL::X509::Certificate.new(::File.binread(cert_file))
+                     OpenSSL::X509::Certificate.new(::File.binread(cert_file))
                    rescue OpenSSL::X509::CertificateError => e
                      raise Chef::Exceptions::ConfigurationError, "Error reading cert file '#{cert_file}', original error '#{e.class}: #{e.message}'"
-            end
+                   end
             add_trusted_cert(cert)
           end
         end
@@ -132,7 +132,7 @@ class Chef
       def add_trusted_cert(cert)
         http_client.cert_store.add_cert(cert)
       rescue OpenSSL::X509::StoreError => e
-        raise e unless e.message == "cert already in hash table"
+        raise e unless e.message =~ /cert already in hash table/
       end
 
     end

data/lib/chef/mixin/powershell_exec.rb

@@ -15,9 +15,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require_relative "../powershell"
-require_relative "../pwsh"
-
 # The powershell_exec mixin provides in-process access to the PowerShell engine.
 #
 # powershell_exec is initialized with a string that should be set to the script
@@ -94,35 +91,15 @@ require_relative "../pwsh"
 # - It is not possible to impersonate another user running powershell, the
 #   credentials of the user running Chef Client are used.
 #
+if ChefUtils.windows?
+  require "chef-powershell"
+end
 
 class Chef
   module Mixin
     module PowershellExec
-      # Run a command under PowerShell via a managed (.NET) API.
-      #
-      # Requires: .NET Framework 4.0 or higher on the target machine.
-      #
-      # @param script [String] script to run
-      # @param interpreter [Symbol] the interpreter type, `:powershell` or `:pwsh`
-      # @param timeout [Integer, nil] timeout in seconds.
-      # @return [Chef::PowerShell] output
-      def powershell_exec(script, interpreter = :powershell, timeout: -1)
-        case interpreter
-        when :powershell
-          Chef::PowerShell.new(script, timeout: timeout)
-        when :pwsh
-          Chef::Pwsh.new(script, timeout: timeout)
-        else
-          raise ArgumentError, "Expected interpreter of :powershell or :pwsh"
-        end
-      end
-
-      # The same as the #powershell_exec method except this will raise
-      # Chef::PowerShell::CommandFailed if the command fails
-      def powershell_exec!(script, interpreter = :powershell, **options)
-        cmd = powershell_exec(script, interpreter, **options)
-        cmd.error!
-        cmd
+      if ChefUtils.windows?
+        include ChefPowerShell::ChefPowerShellModule::PowerShellExec
       end
     end
   end

data/lib/chef/mixin/properties.rb

@@ -274,6 +274,12 @@ class Chef
           result
         end
 
+        # This method returns list of sensitive properties
+        # @return [Array<Property>] All sensitive properties.
+        def sensitive_properties
+          properties.values.empty? ? [] : properties.values.select(&:sensitive?)
+        end
+
         # Returns the name of the name property.  Returns nil if there is no name property.
         #
         # @return [Symbol] the name property for this resource

data/lib/chef/node/attribute.rb

@@ -452,17 +452,34 @@ class Chef
       # method-style access to attributes (has to come after the prepended ImmutablizeHash)
 
       def read(*path)
-        merged_attributes.read(*path)
+        if path[0].nil?
+          Chef::Log.warn "Calling node.read() without any path argument is very slow, probably a bug, and should be avoided"
+          merged_attributes.read(*path) # re-merges everything, slow edge case
+        else
+          self[path[0]] unless path[0].nil? # force deep_merge_cache key construction if necessary
+          deep_merge_cache.read(*path)
+        end
       end
 
       alias :dig :read
 
       def read!(*path)
-        merged_attributes.read!(*path)
+        if path[0].nil?
+          Chef::Log.warn "Calling node.read!() without any path argument is very slow, probably a bug, and should be avoided"
+          merged_attributes.read!(*path) # re-merges everything, slow edge case
+        else
+          self[path[0]] unless path[0].nil? # force deep_merge_cache key construction if necessary
+          deep_merge_cache.read!(*path)
+        end
       end
 
       def exist?(*path)
-        merged_attributes.exist?(*path)
+        if path[0].nil?
+          true
+        else
+          self[path[0]] unless path[0].nil? # force deep_merge_cache key construction if necessary
+          deep_merge_cache.exist?(*path)
+        end
       end
 
       def write(level, *args, &block)

data/lib/chef/node/mixin/deep_merge_cache.rb

@@ -30,7 +30,7 @@ class Chef
           @merged_attributes = nil
           @combined_override = nil
           @combined_default = nil
-          @deep_merge_cache = {}
+          @deep_merge_cache = Chef::Node::ImmutableMash.new
         end
 
         # Invalidate a key in the deep_merge_cache.  If called with nil, or no arg, this will invalidate
@@ -39,9 +39,9 @@ class Chef
         # must invalidate the entire cache and re-deep-merge the entire node object.
         def reset_cache(path = nil)
           if path.nil?
-            deep_merge_cache.clear
+            deep_merge_cache.regular_clear
           else
-            deep_merge_cache.delete(path.to_s)
+            deep_merge_cache.regular_delete(path.to_s)
           end
         end
 
@@ -53,7 +53,7 @@ class Chef
                   deep_merge_cache[key.to_s]
                 else
                   # save all the work of computing node[key]
-                  deep_merge_cache[key.to_s] = merged_attributes(key)
+                  deep_merge_cache.internal_set(key.to_s, merged_attributes(key))
                 end
           ret = ret.call while ret.is_a?(::Chef::DelayedEvaluator)
           ret

data/lib/chef/node/mixin/immutablize_array.rb

@@ -73,6 +73,7 @@ class Chef
           include?
           index
           inject
+          intersect?
           intersection
           join
           last

data/lib/chef/policy_builder/expand_node_object.rb

@@ -248,8 +248,7 @@ class Chef
       end
 
       def api_service
-        @api_service ||= Chef::ServerAPI.new(config[:chef_server_url],
-          { version_class: Chef::CookbookManifestVersions })
+        @api_service ||= Chef::ServerAPI.new(config[:chef_server_url], version_class: Chef::CookbookManifestVersions )
       end
 
       def config

data/lib/chef/policy_builder/policyfile.rb

@@ -507,7 +507,7 @@ class Chef
       # @api private
       def api_service
         @api_service ||= Chef::ServerAPI.new(config[:chef_server_url],
-          { version_class: Chef::CookbookManifestVersions })
+          version_class: Chef::CookbookManifestVersions)
       end
 
       # @api private

data/lib/chef/property.rb

@@ -113,9 +113,11 @@ class Chef
     #     and the transformed value returned as output. Lazy values will *not*
     #     be passed to this method until after they are evaluated. Called in the
     #     context of the resource (meaning you can access other properties).
-    #   @option options [Boolean] :required `true` if this property
-    #     must be present; `false` otherwise. This is checked after the resource
-    #     is fully initialized.
+    #   @option options [Boolean, Array<Symbol>] :required `true` if this property
+    #     must be present for *all* actions; `false` otherwise. Alternatively
+    #     you may specify a list of actions the property is required for, when
+    #     the property is only required for a subset of actions. This is checked
+    #     after the resource is fully initialized.
     #   @option options [String] :deprecated If set, this property is deprecated and
     #     will create a deprecation warning.
     #

data/lib/chef/provider/group/windows.rb

@@ -17,7 +17,7 @@
 #
 
 require_relative "../user"
-if RUBY_PLATFORM.match?(/mswin|mingw32|windows/)
+if RUBY_PLATFORM.match?(/mswin|mingw|windows/)
   require_relative "../../util/windows/net_group"
 end