chef 18.0.185-x64-mingw-ucrt → 18.1.29-x64-mingw-ucrt

data/lib/chef/resource/bash.rb

@@ -43,6 +43,19 @@ class Chef
       end
       ```
 
+      **Using escape characters in a string of code**
+
+      In the following example, the `find` command uses an escape character (`\`). Use a second escape character (`\\`) to preserve the escape character in the code string:
+
+      ```ruby
+      bash 'delete some archives ' do
+        code <<-EOH
+          find ./ -name "*.tar.Z" -mtime +180 -exec rm -f {} \\;
+        EOH
+        ignore_failure true
+      end
+      ```
+
       **Install a file from a remote location**
 
       The following is an example of how to install the foo123 module for Nginx. This module adds shell-style functionality to an Nginx configuration file and does the following:

data/lib/chef/resource/dsc_script.rb

@@ -34,7 +34,7 @@ class Chef
         resource in #{ChefUtils::Dist::Infra::PRODUCT}, such as the Archive resource, a custom DSC resource, an existing DSC script that performs an important
         task, and so on. Use the dsc_script resource to embed the code that defines a DSC configuration directly within a #{ChefUtils::Dist::Infra::PRODUCT} recipe.
 
-        Warning: The **dsc_script** resource may not be used with the 32 bit Chef Infra client. It must be executed from a 64 bit Chef Infra client.
+        Warning: The **dsc_script** resource is only available on 64-bit Chef Infra Client.
       DESC
 
       default_action :run

data/lib/chef/resource/launchd.rb

@@ -21,7 +21,7 @@ require_relative "../resource"
 class Chef
   class Resource
     class Launchd < Chef::Resource
-      provides :launchd
+      provides :launchd, os: "darwin"
 
       description "Use the **launchd** resource to manage system-wide services (daemons) and per-user services (agents) on the macOS platform."
       introduced "12.8"
@@ -129,6 +129,9 @@ class Chef
       property :abandon_process_group, [ TrueClass, FalseClass ],
         description: "If a job dies, all remaining processes with the same process ID may be kept running. Set to true to kill all remaining processes."
 
+      property :associated_bundle_identifiers, Array,
+        description: "This optional key indicates which bundles the Login Items Added by Apps panel associates with the helper executable."
+
       property :debug, [ TrueClass, FalseClass ],
         description: "Sets the log mask to `LOG_DEBUG` for this job."
 

data/lib/chef/resource/macos_userdefaults.rb

@@ -69,7 +69,7 @@ class Chef
 
       property :global, [TrueClass, FalseClass],
         description: "Determines whether or not the domain is global.",
-        deprecated: true,
+        deprecated: "As of Chef Infra Client 17.8 the `global` property is no longer necessary.",
         default: false,
         desired_state: false
 
@@ -90,7 +90,7 @@ class Chef
         description: "The value type of the preference key.",
         equal_to: %w{bool string int float array dict},
         desired_state: false,
-        deprecated: true
+        deprecated: "As of Chef Infra Client 17.8 the `type` property is no longer necessary."
 
       property :user, [String, Symbol],
         description: "The system user that the default will be applied to. Set :current for current user, :all for all users or pass a valid username",
@@ -100,7 +100,7 @@ class Chef
         description: "Set to true if the setting you wish to modify requires privileged access. This requires passwordless sudo for the `/usr/bin/defaults` command to be setup for the user running #{ChefUtils::Dist::Infra::PRODUCT}.",
         default: false,
         desired_state: false,
-        deprecated: true
+        deprecated: "As of Chef Infra Client 17.8 the `sudo` property is no longer necessary."
 
       load_current_value do |new_resource|
         Chef::Log.debug "#load_current_value: attempting to read \"#{new_resource.domain}\" value from preferences to determine state"

data/lib/chef/resource/rhsm_register.rb

@@ -92,7 +92,7 @@ class Chef
 
       property :release,
         [Float, String],
-        description: "Sets the operating system minor release to use for subscriptions for the system. Products and updates are limited to the specified minor release version. This is used only used with the `auto_attach` option.  For example, `release '6.4'` will append `--release=6.4` to the register command.",
+        description: "Sets the operating system minor release to use for subscriptions for the system. Products and updates are limited to the specified minor release version. This is used with the `auto_attach` or `activation_key` options.  For example, `release '6.4'` will append `--release=6.4` to the register command.",
         introduced: "17.8"
 
       action :register, description: "Register the node with RHSM." do
@@ -205,6 +205,7 @@ class Chef
               command << "--name=#{Shellwords.shellescape(new_resource.system_name)}" if new_resource.system_name
               command << "--serverurl=#{Shellwords.shellescape(new_resource.server_url)}" if new_resource.server_url
               command << "--baseurl=#{Shellwords.shellescape(new_resource.base_url)}" if new_resource.base_url
+              command << "--release=#{Shellwords.shellescape(new_resource.release)}" if new_resource.release
               command << "--force" if new_resource.force
 
               return command.join(" ")

data/lib/chef/resource/selinux_fcontext.rb

@@ -22,7 +22,7 @@ class Chef
 
       provides :selinux_fcontext
 
-      description "Use **selinux_fcontext** resource to set the SELinux context of files with semanage fcontext."
+      description "Use the **selinux_fcontext** resource to set the SELinux context of files using the `semanage fcontext` command."
       introduced "18.0"
       examples <<~DOC
       **Allow http servers (e.g. nginx/apache) to modify moodle files**:

data/lib/chef/resource/selinux_permissive.rb

@@ -20,7 +20,7 @@ class Chef
 
       provides :selinux_permissive
 
-      description "Use **selinux_permissive** resource to allows some types to misbehave without stopping them. Not as good as specific policies, but better than disabling SELinux entirely."
+      description "Use the **selinux_permissive** resource to allow some domains to misbehave without stopping them. This is not as good as setting specific policies, but better than disabling SELinux entirely."
       introduced "18.0"
       examples <<~DOC
       **Disable enforcement on Apache**:

data/lib/chef/resource/selinux_port.rb

@@ -21,7 +21,7 @@ class Chef
 
       provides :selinux_port
 
-      description "Use **selinux_port** resource to allows assigning a network port to a certain SELinux context, e.g. for running a webserver on a non-standard port."
+      description "Use the **selinux_port** resource to assign a network port to a specific SELinux context. For example, running a web server on a non-standard port."
       introduced "18.0"
       examples <<~DOC
       **Allow nginx/apache to bind to port 5678 by giving it the http_port_t context**:

data/lib/chef/resource/selinux_state.rb

@@ -56,7 +56,7 @@ class Chef
 
       property :persistent, [true, false],
                 default: true,
-                description: "Persist status update to the selinux configuration file."
+                description: "Set the status update in the SELinux configuration file."
 
       property :policy, String,
                 default: lazy { default_policy_platform },

data/lib/chef/resource/service.rb

@@ -81,7 +81,7 @@ class Chef
       # specify overrides for the start_command, stop_command and
       # restart_command properties.
       property :init_command, String,
-        description: "The path to the init script that is associated with the service. Use init_command to prevent the need to specify overrides for the start_command, stop_command, and restart_command properties. When this property is not specified, the #{ChefUtils::Dist::Infra::PRODUCT} will use the default init command for the service provider being used.",
+        description: "The path to the init script that is associated with the service. Use `init_command` to prevent the need to specify overrides for the `start_command`, `stop_command`, and `restart_command` properties. When this property is not specified, the #{ChefUtils::Dist::Infra::PRODUCT} will use the default init command for the service provider being used.",
         desired_state: false
 
       # if the service is enabled or not

data/lib/chef/resource/user.rb

@@ -74,12 +74,12 @@ class Chef
       alias_method :group, :gid
 
       property :expire_date, [ String, NilClass ],
-               description: "(Linux) The date on which the user account will be disabled. The date is specified in the format YYYY-MM-DD.",
+               description: "(Linux) The date on which the user account will be disabled. The date is specified in YYYY-MM-DD format.",
                introduced: "18.0",
                desired_state: false
 
       property :inactive, [ String, Integer, NilClass ],
-               description: "(Linux) The number of days after a password expires until the account is permanently disabled. A value of 0 disables the account as soon as the password has expired, and a value of -1 disables the feature.",
+               description: "(Linux) The number of days after a password expires until the account is permanently disabled. A value of `0` disables the account as soon as the password has expired, and a value of `-1` disables the feature.",
                introduced: "18.0",
                desired_state: false
     end

data/lib/chef/resource/windows_user_privilege.rb

@@ -23,12 +23,14 @@ class Chef
     class WindowsUserPrivilege < Chef::Resource
 
       provides :windows_user_privilege
-      description "The windows_user_privilege resource allows to add a privilege to a principal or (User/Group).\n Ref: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment"
+      description "Use the **windows_user_privilege** resource to set privileges for a principal, user, or group.\n See [Microsoft's user rights assignment documentation](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment) for more information."
 
       introduced "16.0"
 
       examples <<~DOC
-      **Set the SeNetworkLogonRight Privilege for the Builtin Administrators Group and Authenticated Users**:
+      **Set the SeNetworkLogonRight privilege for the Builtin Administrators and Authenticated Users groups**:
+
+      The `:set` action will add this privilege for these two groups and remove this privilege from all other groups or users.
 
       ```ruby
       windows_user_privilege 'Network Logon Rights' do
@@ -38,7 +40,9 @@ class Chef
       end
       ```
 
-      **Provide only the Builtin Guests and Administrator Groups with the SeCreatePageFile Privilege**:
+      **Set the SeCreatePagefilePrivilege privilege for the Builtin Guests and Administrator groups**:
+
+      The `:set` action will add this privilege for these two groups and remove this privilege from all other groups or users.
 
       ```ruby
       windows_user_privilege 'Create Pagefile' do
@@ -48,7 +52,7 @@ class Chef
       end
       ```
 
-      **Add the SeDenyRemoteInteractiveLogonRight Privilege to the 'Remote interactive logon' principal**:
+      **Add the SeDenyRemoteInteractiveLogonRight privilege to the 'Remote interactive logon' principal**:
 
       ```ruby
       windows_user_privilege 'Remote interactive logon' do
@@ -57,7 +61,7 @@ class Chef
       end
       ```
 
-      **Add to the Builtin Guests Group the SeCreatePageFile Privilege**:
+      **Add the SeCreatePageFilePrivilege privilege to the Builtin Guests group**:
 
       ```ruby
       windows_user_privilege 'Guests add Create Pagefile' do
@@ -67,7 +71,7 @@ class Chef
       end
       ```
 
-      **Remove the SeCreatePageFile Privilege from the Builtin Guests Group**:
+      **Remove the SeCreatePageFilePrivilege privilege from the Builtin Guests group**:
 
       ```ruby
       windows_user_privilege 'Create Pagefile' do
@@ -77,7 +81,7 @@ class Chef
       end
       ```
 
-      **Clear all users from the SeDenyNetworkLogonRight Privilege**:
+      **Clear the SeDenyNetworkLogonRight privilege from all users**:
 
       ```ruby
       windows_user_privilege 'Allow any user the Network Logon right' do
@@ -135,15 +139,15 @@ class Chef
                           }.freeze
 
       property :principal, String,
-               description: "An optional property to add the privilege for given principal. Use only with add and remove action. Principal can either be a User/Group or one of special identities found here Ref: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/special-identities",
+               description: "An optional property to add the privilege for given principal. Use only with add and remove action. Principal can either be a user, group, or [special identity](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/special-identities).",
                name_property: true
 
       property :users, [Array, String],
-               description: "An optional property to set the privilege for given users. Use only with set action.",
+               description: "An optional property to set the privilege for the specified users. Use only with `:set` action",
                coerce: proc { |v| Array(v) }
 
       property :privilege, [Array, String],
-               description: "One or more privileges to set for principal or users/groups. For more information on what each privilege does Ref: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment",
+               description: "One or more privileges to set for principal or users/groups. For more information, see [Microsoft's documentation on what each privilege does](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment).",
                required: true,
                coerce: proc { |v| Array(v) },
                callbacks: {

data/lib/chef/resource/yum_repository.rb

@@ -114,6 +114,10 @@ class Chef
         description: "Determines whether package files downloaded by Yum stay in cache directories. By using cached data, you can carry out certain operations without a network connection.",
         default: true
 
+      property :makecache_fast, [TrueClass, FalseClass],
+        description: "if make_cache is true, uses `yum makecache fast`, which downloads only the minimum amount of data required. Useful over slower connections and when disk space is at a premium.",
+        default: false
+
       property :max_retries, [String, Integer],
         description: "Number of times any attempt to retrieve a file should retry before returning an error. Setting this to `0` makes Yum try forever."
 

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("..", __dir__)
-  VERSION = Chef::VersionString.new("18.0.185")
+  VERSION = Chef::VersionString.new("18.1.29")
 end
 
 #

data/spec/functional/assets/yumrepo-empty/repodata/repomd.xml

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
+ <revision>1667508211</revision>
+<data type="filelists">
+  <checksum type="sha256">401dc19bda88c82c403423fb835844d64345f7e95f5b9835888189c03834cc93</checksum>
+  <open-checksum type="sha256">bf9808b81cb2dbc54b4b8e35adc584ddcaa73bd81f7088d73bf7dbbada961310</open-checksum>
+  <location href="repodata/401dc19bda88c82c403423fb835844d64345f7e95f5b9835888189c03834cc93-filelists.xml.gz"/>
+  <timestamp>1667508211</timestamp>
+  <size>123</size>
+  <open-size>125</open-size>
+</data>
+<data type="primary">
+  <checksum type="sha256">dabe2ce5481d23de1f4f52bdcfee0f9af98316c9e0de2ce8123adeefa0dd08b9</checksum>
+  <open-checksum type="sha256">e1e2ffd2fb1ee76f87b70750d00ca5677a252b397ab6c2389137a0c33e7b359f</open-checksum>
+  <location href="repodata/dabe2ce5481d23de1f4f52bdcfee0f9af98316c9e0de2ce8123adeefa0dd08b9-primary.xml.gz"/>
+  <timestamp>1667508211</timestamp>
+  <size>134</size>
+  <open-size>167</open-size>
+</data>
+<data type="primary_db">
+  <checksum type="sha256">5dc1e6e73c84803f059bb3065e684e56adfc289a7e398946574d79dac6643945</checksum>
+  <open-checksum type="sha256">f0d550414e8f2e960e82e704549364299ca9e3e8664ad4faffd208262c3b6d12</open-checksum>
+  <location href="repodata/5dc1e6e73c84803f059bb3065e684e56adfc289a7e398946574d79dac6643945-primary.sqlite.bz2"/>
+  <timestamp>1667508211</timestamp>
+  <database_version>10</database_version>
+  <size>1131</size>
+  <open-size>21504</open-size>
+</data>
+<data type="other_db">
+  <checksum type="sha256">7c36572015e075add2b38b900837bcdbb8a504130ddff49b2351a7fc0affa3d4</checksum>
+  <open-checksum type="sha256">4de0fe7c5dd2674849a7c63c326e42f33af0a0f46219bc6dd59f51dfa2ac8c68</open-checksum>
+  <location href="repodata/7c36572015e075add2b38b900837bcdbb8a504130ddff49b2351a7fc0affa3d4-other.sqlite.bz2"/>
+  <timestamp>1667508211</timestamp>
+  <database_version>10</database_version>
+  <size>575</size>
+  <open-size>6144</open-size>
+</data>
+<data type="other">
+  <checksum type="sha256">6bf9672d0862e8ef8b8ff05a2fd0208a922b1f5978e6589d87944c88259cb670</checksum>
+  <open-checksum type="sha256">e0ed5e0054194df036cf09c1a911e15bf2a4e7f26f2a788b6f47d53e80717ccc</open-checksum>
+  <location href="repodata/6bf9672d0862e8ef8b8ff05a2fd0208a922b1f5978e6589d87944c88259cb670-other.xml.gz"/>
+  <timestamp>1667508211</timestamp>
+  <size>123</size>
+  <open-size>121</open-size>
+</data>
+<data type="filelists_db">
+  <checksum type="sha256">01a3b489a465bcac22a43492163df43451dc6ce47d27f66de289756b91635523</checksum>
+  <open-checksum type="sha256">c4211f57bdcbb142c9f93a6d32401539f775eb6a670ab7a423e13f435ce94689</open-checksum>
+  <location href="repodata/01a3b489a465bcac22a43492163df43451dc6ce47d27f66de289756b91635523-filelists.sqlite.bz2"/>
+  <timestamp>1667508211</timestamp>
+  <database_version>10</database_version>
+  <size>586</size>
+  <open-size>7168</open-size>
+</data>
+</repomd>

data/spec/functional/resource/yum_package_spec.rb

@@ -57,6 +57,12 @@ describe Chef::Resource::YumPackage, :requires_root, external: exclude_test do
         baseurl=file://#{CHEF_SPEC_ASSETS}/yumrepo
         enable=1
         gpgcheck=0
+        [chef-yum-empty]
+        name=Chef DNF spec empty repo
+        baseurl=file://#{CHEF_SPEC_ASSETS}/yumrepo-empty
+        enable=1
+        gpgcheck=0
+
       EOF
     end
     # ensure we don't have any stray chef_rpms installed
@@ -1095,6 +1101,16 @@ describe Chef::Resource::YumPackage, :requires_root, external: exclude_test do
         end.should_not_be_updated
       end
 
+      it "should work to disable a repo" do
+        flush_cache
+        expect {
+          yum_package "chef_rpm" do
+            options "--disablerepo=chef-yum-localtesting --enablerepo=chef-yum-empty"
+            action :install
+          end
+        }.to raise_error(Chef::Exceptions::Package, /No candidate version available/)
+      end
+
       it "when an idempotent install action is run, does not leave repos disabled" do
         flush_cache
         # this is a bit tricky -- we need this action to be idempotent, so that it doesn't recycle any

data/spec/integration/client/client_spec.rb

@@ -35,14 +35,14 @@ describe "chef-client" do
     @server = @api = nil
   end
 
-  def install_certificate_in_store(client_name)
+  def install_certificate_in_store(client_name, store_location)
     if ChefUtils.windows?
       powershell_exec! <<~EOH
         if (-not (($PSVersionTable.PSVersion.Major -ge 5) -and ($PSVersionTable.PSVersion.Build -ge 22000)) ) {
-          New-SelfSignedCertificate -CertStoreLocation Cert:\\LocalMachine\\My -DnsName "#{client_name}"
+          New-SelfSignedCertificate -CertStoreLocation Cert:\\#{store_location}\\My -DnsName "#{client_name}"
         }
         else {
-          New-SelfSignedCertificate -CertStoreLocation Cert:\\LocalMachine\\My -Subject "#{client_name}" -FriendlyName "#{client_name}" -KeyExportPolicy Exportable
+          New-SelfSignedCertificate -CertStoreLocation Cert:\\#{store_location}\\My -Subject "#{client_name}" -FriendlyName "#{client_name}" -KeyExportPolicy Exportable
         }
       EOH
     end
@@ -50,14 +50,6 @@ describe "chef-client" do
 
   def create_registry_key
     ::Chef::HTTP::Authenticator.get_cert_password
-    # @win32registry = Chef::Win32::Registry.new
-    # path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
-    # unless @win32registry.key_exists?(path)
-    #   @win32registry.create_key(path, true)
-    # end
-    # password = SOME_CHARS.sample(1 + rand(SOME_CHARS.count)).join[0...14]
-    # values = { name: "PfxPass", type: :string, data: password }
-    # @win32registry.set_value(path, values)
   end
 
   def remove_certificate_from_store
@@ -111,6 +103,9 @@ describe "chef-client" do
       tempfile.close
       @path = tempfile.path
       Chef::Config.validation_key = @path
+      if ChefUtils.windows?
+        create_registry_key
+      end
 
       file "config/client.rb", <<~EOM
        local_mode true
@@ -201,17 +196,27 @@ describe "chef-client" do
 
     if ChefUtils.windows?
       context "and the private key is in the Windows CertStore" do
-        before do
-          install_certificate_in_store(client_name)
+
+        it "should verify that the cert is loaded in the \\LocalMachine\\My store" do
+          Chef::Config[:auth_key_registry_type] = "machine"
+          install_certificate_in_store(client_name, "LocalMachine")
           create_registry_key
+          expect(Chef::HTTP::Authenticator.check_certstore_for_key(hostname)).to eq(true)
         end
 
-        after do
+        it "should verify that the export password for the pfx is loaded in the Registry" do
+          expect(verify_export_password_exists.result).to eq(true)
+        end
+
+        it "should verify that a private key is returned to me" do
+          expect(Chef::HTTP::Authenticator.retrieve_certificate_key(client_name)).not_to be nil
           remove_certificate_from_store
-          remove_registry_key
         end
 
-        it "should verify that the cert is loaded in the LocalMachine\\My" do
+        it "should verify that the cert is loaded in the \\CurrentUser\\My store" do
+          Chef::Config[:auth_key_registry_type] = "user"
+          install_certificate_in_store(client_name, "CurrentUser")
+          create_registry_key
           expect(Chef::HTTP::Authenticator.check_certstore_for_key(hostname)).to eq(true)
         end
 
@@ -221,6 +226,7 @@ describe "chef-client" do
 
         it "should verify that a private key is returned to me" do
           expect(Chef::HTTP::Authenticator.retrieve_certificate_key(client_name)).not_to be nil
+          remove_certificate_from_store
         end
       end
     end

data/spec/integration/client/fips_spec.rb

@@ -0,0 +1,20 @@
+require "spec_helper"
+
+describe "chef-client fips" do
+  def enable_fips
+    OpenSSL.fips_mode = true
+  end
+
+  # All tests assume fips mode is off at present
+  after { OpenSSL.fips_mode = false }
+
+  # For non-FIPS OSes/builds of Ruby, enabling FIPS should error
+  example "Error enabling fips_mode if FIPS not linked", fips_mode: false do
+    expect { enable_fips }.to raise_error(OpenSSL::OpenSSLError)
+  end
+
+  # For FIPS OSes/builds of Ruby, enabling FIPS should not error
+  example "Do not error enabling fips_mode if FIPS linked", fips_mode: true do
+    expect { enable_fips }.not_to raise_error
+  end
+end

data/spec/spec_helper.rb

@@ -138,6 +138,10 @@ RSpec.configure do |config|
 
   config.filter_run_excluding skip_buildkite: true if ENV["BUILDKITE"]
 
+  config.filter_run_excluding fips_mode: !fips_mode_build?
+  # Skip fips on windows
+  # config.filter_run_excluding :fips_mode if windows?
+
   config.filter_run_excluding windows_only: true unless windows?
   config.filter_run_excluding not_supported_on_windows: true if windows?
   config.filter_run_excluding not_supported_on_macos: true if macos?

data/spec/support/platform_helpers.rb

@@ -223,6 +223,10 @@ def aes_256_gcm?
   OpenSSL::Cipher.ciphers.include?("aes-256-gcm")
 end
 
+def fips_mode_build?
+  OpenSSL::OPENSSL_FIPS
+end
+
 def fips?
   ENV["CHEF_FIPS"] == "1"
 end

data/spec/unit/chef_fs/file_system_spec.rb

@@ -145,4 +145,6 @@ describe Chef::ChefFS::FileSystem, ruby: ">= 3.0" do
       end
     end
   end
+
+  # Need to add the test case for copy_to method - not able to do the implimentation with Dir.mktmpdir
 end

data/spec/unit/client_spec.rb

@@ -310,25 +310,49 @@ describe Chef::Client, :windows_only do
   end
 
   context "when the client intially boots the first time" do
-    it "verfies that a certificate was correctly created and exists in the Cert Store" do
+    it "verfies that a certificate was correctly created and exists in the LocalMachine Cert Store" do
+      Chef::Config[:node_name] = "test"
       new_pfx = my_client.generate_pfx_package(cert_name, end_date)
       my_client.import_pfx_to_store(new_pfx)
       expect(my_client.check_certstore_for_key(cert_name)).not_to be false
+      delete_certificate(cert_name)
     end
 
     it "correctly returns a new Publc Key" do
       new_pfx = my_client.generate_pfx_package(cert_name, end_date)
       cert_object = new_pfx.certificate.public_key.to_pem
       expect(cert_object.to_s).to match(/PUBLIC KEY/)
+      delete_certificate(cert_name)
+    end
+
+  end
+
+  context "when the client intially boots the first time and auth_key_registry_type is set to 'user' " do
+    it "verfies that a certificate was correctly created and exists in the CurrentUser Cert Store" do
+      Chef::Config[:node_name] = "test"
+      Chef::Config[:auth_key_registry_type] = "user"
+      new_pfx = my_client.generate_pfx_package(cert_name, end_date)
+      my_client.import_pfx_to_store(new_pfx)
+      expect(my_client.check_certstore_for_key(cert_name)).not_to be false
+      delete_certificate(cert_name)
+    end
+
+    it "correctly returns a new Publc Key" do
+      Chef::Config[:auth_key_registry_type] = "user"
+      new_pfx = my_client.generate_pfx_package(cert_name, end_date)
+      cert_object = new_pfx.certificate.public_key.to_pem
+      expect(cert_object.to_s).to match(/PUBLIC KEY/)
+      delete_certificate(cert_name)
     end
 
   end
 
   def delete_certificate(cert_name)
+    Chef::Config[:auth_key_registry_type] == "user" ? store = "CurrentUser" : store = "LocalMachine"
     require "chef/mixin/powershell_exec"
     extend Chef::Mixin::PowershellExec
     powershell_code = <<~CODE
-      Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force  | Where-Object { $_.Subject -Match "#{cert_name}" } | Remove-item
+      Get-ChildItem -path cert:\\#{store}\\My -Recurse -Force  | Where-Object { $_.Subject -Match "#{cert_name}" } | Remove-item
     CODE
     powershell_exec!(powershell_code)
   end

data/spec/unit/compliance/runner_spec.rb

@@ -49,6 +49,14 @@ describe Chef::Compliance::Runner do
       expect(runner).not_to be_enabled
     end
 
+    it "is false if the node attributes have audit profiles and the audit cookbook is present, and the complince mode attribute is false" do
+      stub_const("::Reporter::ChefAutomate", true)
+      node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" }
+      node.normal["audit"]["compliance_phase"] = false
+
+      expect(runner).not_to be_enabled
+    end
+
     it "is true if the node attributes have audit profiles and the audit cookbook is present, and the complince mode attribute is true" do
       stub_const("::Reporter::ChefAutomate", true)
       node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" }