chef 18.1.0-x64-mingw-ucrt → 18.1.29-x64-mingw-ucrt

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 448a7d27ab27f9a0c39566270e5d99dfa5717ba32bd893505fd3f1d9d50ad339
-  data.tar.gz: be60df259d416a70dc1c6447edab19ec1d4b9fb32f1429a4fc09c62c4cb8e022
+  metadata.gz: 937611f440a583a253b01525212c4d6214da8f25aee63891ab928b9a3d53de67
+  data.tar.gz: 7d69aeb9e4df6f13d76b464c08178f9935bc9be01eed136539d5d123315f0fea
 SHA512:
-  metadata.gz: 833f265e523ce7924016ee802f599548361c94ec5e837f85b1263a39935f5a8443953b06d9b753fe2cbc154d0d9a6f1d5fd363caaaf2a14ccab08f6d952344ee
-  data.tar.gz: 25c72dc0a3d5e6e4a6c414ecea9260a363b033a657d1626cdf1cdd6be683a8f51968655715b5b693e643bbf44b605c99d27d98d6cdf6a58d0d1481f43e687300
+  metadata.gz: 2bc789e6367a7ba5277f905d460f7b5390854f62c98f0ba07270e6659e7e70bb92b2d4fc64c8d87e524a972da75657f64022d3f01305558e00f90348f8d6811a
+  data.tar.gz: dea177b817a903ef86d7b8bacef0aca894ca778c26615339a041186276da976eb23abede8c47c1a3b9ee459a392961ff75fbc8532475186a1d21d77a1a528fde

data/Gemfile

@@ -37,9 +37,6 @@ group(:omnibus_package, :pry) do
   gem "pry-stack_explorer"
 end
 
-# proxifier gem is busted on ruby 3.1 and seems abandoned so use git fork of gem
-gem "proxifier", git: "https://github.com/chef/ruby-proxifier", branch: "lcg/ruby-3"
-
 # Everything except AIX and Windows
 group(:ruby_shadow) do
   # if ruby-shadow does a release that supports ruby-3.0 this can be removed

data/chef.gemspec

@@ -49,7 +49,8 @@ Gem::Specification.new do |s|
   s.add_dependency "net-ftp" # remote_file resource
   s.add_dependency "erubis", "~> 2.7" # template resource / cookbook syntax check
   s.add_dependency "diff-lcs", ">= 1.2.4", "!= 1.4.0", "< 1.6.0" # 1.4 breaks output. Used in lib/chef/util/diff
-  s.add_dependency "ffi-libarchive", "~> 1.0", ">= 1.0.3" # archive_file resource
+  # s.add_dependency "ffi-libarchive", "~> 1.0", ">= 1.0.3" # archive_file resource
+  s.add_dependency "ffi-libarchive", "~> 1.1", ">= 1.1.3"
   s.add_dependency "chef-zero", ">= 14.0.11"
   s.add_dependency "chef-vault" # chef-vault resources and helpers
 
@@ -61,7 +62,7 @@ Gem::Specification.new do |s|
   s.add_dependency "unf_ext", ">= 0.0.8.2" # This is ruby31 compatible ucrt gem version
   s.add_dependency "corefoundation", "~> 0.3.4" # macos_userdefaults resource
 
-  s.add_dependency "proxifier", "~> 1.0"
+  s.add_dependency "proxifier2", "~> 1.1"
 
   s.add_dependency "aws-sdk-s3", "~> 1.91" # s3 recipe-url support
   s.add_dependency "aws-sdk-secretsmanager", "~> 1.46"

data/lib/chef/application/base.rb

@@ -386,8 +386,10 @@ class Chef::Application::Base < Chef::Application
     elsif uri.scheme == "s3"
       require "aws-sdk-s3" unless defined?(Aws::S3)
 
-      s3 = Aws::S3::Client.new
-      object = s3.get_object(bucket: uri.hostname, key: uri.path[1..-1])
+      bucket_name = uri.hostname
+      s3 = Aws::S3::Client.new(region: s3_bucket_location(bucket_name))
+
+      object = s3.get_object(bucket: bucket_name, key: uri.path[1..-1])
       File.open(path, "wb") do |f|
         f.write(object.body.read)
       end
@@ -403,6 +405,20 @@ class Chef::Application::Base < Chef::Application
     end
   end
 
+  def s3_bucket_location(bucket_name)
+    s3 = Aws::S3::Client.new(region: aws_api_region)
+
+    resp = s3.get_bucket_location(bucket: bucket_name)
+    resp.location_constraint
+  rescue Aws::S3::Errors::AccessDenied => _e
+    Chef::Log.warn("Missing s3:GetBucketLocation privilege, trying currently configured region #{aws_api_region}")
+    aws_api_region
+  end
+
+  def aws_api_region
+    ENV["AWS_REGION"] || Aws.shared_config.region || Aws::EC2Metadata.new.get("/latest/meta-data/placement/region")
+  end
+
   def interval_run_chef_client
     if Chef::Config[:daemonize]
       Chef::Daemon.daemonize(ChefUtils::Dist::Infra::PRODUCT)

data/lib/chef/client.rb

@@ -66,6 +66,15 @@ class Chef
   class Client
     CRYPT_EXPORTABLE = 0x00000001
 
+    # adding these
+    # certstore 65536 == 0x00010000 == CurrentUser
+    # certstore 131072 == 0x00020000 == LocalMachine
+    # Reference: https://github.com/chef/win32-certstore/blob/main/lib/win32/certstore/mixin/crypto.rb#L90
+    CERT_SYSTEM_STORE_LOCAL_MACHINE                     = 0x00020000
+    CERT_SYSTEM_STORE_CURRENT_USER                      = 0x00010000
+    CERT_SYSTEM_STORE_SERVICES                          = 0x00050000
+    CERT_SYSTEM_STORE_USERS                             = 0x00060000
+
     attr_reader :local_context
 
     extend Chef::Mixin::Deprecation
@@ -674,9 +683,15 @@ class Chef
 
     # In the brave new world of No Certs On Disk, we want to put the pem file into Keychain or the Certstore
     # But is it already there?
+    # We're solving the multi-user scenario where both a system/admin user can run on the box but also someone without
+    # admin rights can also run correctly locally.
     def check_certstore_for_key(cert_name)
       require "win32-certstore"
-      win32certstore = ::Win32::Certstore.open("MY")
+      if Chef::Config[:auth_key_registry_type] == "user"
+        win32certstore = ::Win32::Certstore.open("MY", store_location: CERT_SYSTEM_STORE_CURRENT_USER)
+      else
+        win32certstore = ::Win32::Certstore.open("MY")
+      end
       win32certstore.search("#{cert_name}")
     end
 
@@ -783,8 +798,6 @@ class Chef
       require "time" unless defined?(Time)
       autoload :URI, "uri"
 
-      # KeyMigration.instance.key_migrated = true
-
       node = Chef::Config[:node_name]
       d = Time.now
       if d.month == 10 || d.month == 11 || d.month == 12
@@ -818,9 +831,13 @@ class Chef
       require "win32-certstore"
       tempfile = Tempfile.new("#{Chef::Config[:node_name]}.pfx")
       File.open(tempfile, "wb") { |f| f.print new_pfx.to_der }
-
-      store = ::Win32::Certstore.open("MY")
-      store.add_pfx(tempfile, password, CRYPT_EXPORTABLE)
+      # Need to determine where to store the key
+      if Chef::Config[:auth_key_registry_type] == "user"
+        win32certstore = ::Win32::Certstore.open("MY", store_location: CERT_SYSTEM_STORE_CURRENT_USER)
+      else
+        win32certstore = ::Win32::Certstore.open("MY")
+      end
+      win32certstore.add_pfx(tempfile, password, CRYPT_EXPORTABLE)
       tempfile.unlink
     end
 

data/lib/chef/http/authenticator.rb

@@ -102,12 +102,12 @@ class Chef
         self.class.get_cert_password
       end
 
-      def encrypt_pfx_pass
-        self.class.encrypt_pfx_pass
+      def encrypt_pfx_pass_with_vector
+        self.class.encrypt_pfx_pass_with_vector
       end
 
-      def decrypt_pfx_pass
-        self.class.decrypt_pfx_pass
+      def decrypt_pfx_pass_with_vector
+        self.class.decrypt_pfx_pass_with_vector
       end
 
       # Detects if a private key exists in a certificate repository like Keychain (macOS) or Certificate Store (Windows)
@@ -123,9 +123,18 @@ class Chef
         end
       end
 
+      def self.get_cert_user
+        Chef::Config[:auth_key_registry_type] == "user" ? store = "CurrentUser" : store = "LocalMachine"
+      end
+
+      def self.get_registry_user
+        Chef::Config[:auth_key_registry_type] == "user" ? store = "HKEY_CURRENT_USER" : store = "HKEY_LOCAL_MACHINE"
+      end
+
       def self.check_certstore_for_key(client_name)
+        store = get_cert_user
         powershell_code = <<~CODE
-          $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force  | Where-Object { $_.Subject -Match "chef-#{client_name}" } -ErrorAction Stop
+          $cert = Get-ChildItem -path cert:\\#{store}\\My -Recurse -Force  | Where-Object { $_.Subject -Match "chef-#{client_name}" } -ErrorAction Stop
           if (($cert.HasPrivateKey -eq $true) -and ($cert.PrivateKey.Key.ExportPolicy -ne "NonExportable")) {
             return $true
           }
@@ -164,49 +173,86 @@ class Chef
       end
 
       def self.get_cert_password
+        store = get_registry_user
         @win32registry = Chef::Win32::Registry.new
-        path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+        path = "#{store}\\Software\\Progress\\Authentication"
         # does the registry key even exist?
-        present = @win32registry.get_values(path)
-        if present.nil? || present.empty?
+        # password_blob should be an array of hashes
+        password_blob = @win32registry.get_values(path)
+        if password_blob.nil? || password_blob.empty?
           raise Chef::Exceptions::Win32RegKeyMissing
         end
 
-        present.each do |secret|
-          if secret[:name] == "PfxPass"
-            password = decrypt_pfx_pass(secret[:data])
-            return password
+        # Did someone have just the password stored in the registry?
+        raw_data = password_blob.map { |x| x[:data] }
+        vector = raw_data[2]
+        if !!vector
+          decrypted_password = decrypt_pfx_pass_with_vector(password_blob)
+        else
+          decrypted_password = decrypt_pfx_pass_with_password(password_blob)
+          if !!decrypted_password
+            migrate_pass_to_use_vector(decrypted_password)
+          else
+            Chef::Log.error("Failed to retrieve certificate password")
           end
         end
-
-        raise Chef::Exceptions::Win32RegKeyMissing
-
+        decrypted_password
       rescue Chef::Exceptions::Win32RegKeyMissing
         # if we don't have a password, log that and generate one
-        Chef::Log.warn "Authentication Hive and values not present in registry, creating them now"
-        new_path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+        store = get_registry_user
+        new_path = "#{store}\\Software\\Progress\\Authentication"
         unless @win32registry.key_exists?(new_path)
           @win32registry.create_key(new_path, true)
         end
-        require "securerandom" unless defined?(SecureRandom)
-        size = 14
-        password = SecureRandom.alphanumeric(size)
-        encrypted_pass = encrypt_pfx_pass(password)
-        values = { name: "PfxPass", type: :string, data: encrypted_pass }
-        @win32registry.set_value(new_path, values)
-        password
+        create_and_store_new_password
       end
 
-      def self.encrypt_pfx_pass(password)
+      def self.encrypt_pfx_pass_with_vector(password)
         powershell_code = <<~CODE
-          $encrypted_string = ConvertTo-SecureString "#{password}" -AsPlainText -Force
-          $secure_string = ConvertFrom-SecureString $encrypted_string
-          return $secure_string
+          $AES = [System.Security.Cryptography.Aes]::Create()
+          $key_temp = [System.Convert]::ToBase64String($AES.Key)
+          $iv_temp = [System.Convert]::ToBase64String($AES.IV)
+          $encryptor = $AES.CreateEncryptor()
+          [System.Byte[]]$Bytes =  [System.Text.Encoding]::Unicode.GetBytes("#{password}")
+          $EncryptedBytes = $encryptor.TransformFinalBlock($Bytes,0,$Bytes.Length)
+          $EncryptedBase64String = [System.Convert]::ToBase64String($EncryptedBytes)
+          # create array of encrypted pass, key, iv
+          $password_blob = @($EncryptedBase64String, $key_temp, $iv_temp)
+          return $password_blob
         CODE
         powershell_exec!(powershell_code).result
       end
 
-      def self.decrypt_pfx_pass(password)
+      def self.decrypt_pfx_pass_with_vector(password_blob)
+        raw_data = password_blob.map { |x| x[:data] }
+        password = raw_data[0]
+        key = raw_data[1]
+        vector = raw_data[2]
+
+        powershell_code = <<~CODE
+          $KeyBytes = [System.Convert]::FromBase64String("#{key}")
+          $IVBytes = [System.Convert]::FromBase64String("#{vector}")
+          $aes = [System.Security.Cryptography.Aes]::Create()
+          $aes.Key = $KeyBytes
+          $aes.IV = $IVBytes
+          $EncryptedBytes = [System.Convert]::FromBase64String("#{password}")
+          $Decryptor = $aes.CreateDecryptor()
+          $DecryptedBytes = $Decryptor.TransformFinalBlock($EncryptedBytes,0,$EncryptedBytes.Length)
+          $DecryptedString = [System.Text.Encoding]::Unicode.GetString($DecryptedBytes)
+          return $DecryptedString
+        CODE
+        results = powershell_exec!(powershell_code).result
+      end
+
+      def self.decrypt_pfx_pass_with_password(password_blob)
+        password = ""
+        password_blob.each do |secret|
+          if secret[:name] == "PfxPass"
+            password = secret[:data]
+          else
+            Chef::Log.error("Failed to retrieve a password for the private key")
+          end
+        end
         powershell_code = <<~CODE
           $secure_string = "#{password}" | ConvertTo-SecureString
           $string = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((($secure_string))))
@@ -215,14 +261,49 @@ class Chef
         powershell_exec!(powershell_code).result
       end
 
-      def self.retrieve_certificate_key(client_name)
-        require "openssl" unless defined?(OpenSSL)
+      def self.migrate_pass_to_use_vector(password)
+        store = get_cert_user
+        corrected_store = (store == "CurrentUser" ? "HKCU" : "HKLM")
+        powershell_code = <<~CODE
+          Remove-ItemProperty -Path "#{corrected_store}:\\Software\\Progress\\Authentication" -Name "PfXPass"
+        CODE
+        powershell_exec!(powershell_code)
+        create_and_store_new_password(password)
+      end
 
+      # This method name is a bit of a misnomer. We call it to legit create a new password using the vector format.
+      # But we also call it with a password that needs to be migrated to use the vector format too.
+      def self.create_and_store_new_password(password = nil)
+        @win32registry = Chef::Win32::Registry.new
+        store = get_registry_user
+        path = "#{store}\\Software\\Progress\\Authentication"
+        if password.nil?
+          require "securerandom" unless defined?(SecureRandom)
+          size = 14
+          password = SecureRandom.alphanumeric(size)
+        end
+        encrypted_blob = encrypt_pfx_pass_with_vector(password)
+        encrypted_password = encrypted_blob[0]
+        key = encrypted_blob[1]
+        vector = encrypted_blob[2]
+        values = [
+                  { name: "PfxPass", type: :string, data: encrypted_password },
+                  { name: "PfxKey", type: :string, data: key },
+                  { name: "PfxIV", type: :string, data: vector },
+                ]
+        values.each do |i|
+          @win32registry.set_value(path, i)
+        end
+        password
+      end
+
+      def self.retrieve_certificate_key(client_name)
         if ChefUtils.windows?
+          require "openssl" unless defined?(OpenSSL)
           password = get_cert_password
           return false unless password
 
-          if check_certstore_for_key(client_name)
+          if !!check_certstore_for_key(client_name)
             ps_blob = powershell_exec!(get_the_key_ps(client_name, password)).result
             file_path = ps_blob["PSPath"].split("::")[1]
             pkcs = OpenSSL::PKCS12.new(File.binread(file_path), password)
@@ -252,10 +333,11 @@ class Chef
       end
 
       def self.get_the_key_ps(client_name, password)
+        store = get_cert_user
         powershell_code = <<~CODE
             Try {
               $my_pwd = ConvertTo-SecureString -String "#{password}" -Force -AsPlainText;
-              $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } -ErrorAction Stop;
+              $cert = Get-ChildItem -path cert:\\#{store}\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } -ErrorAction Stop;
               $tempfile = [System.IO.Path]::GetTempPath() + "export_pfx.pfx";
               Export-PfxCertificate -Cert $cert -Password $my_pwd -FilePath $tempfile;
             }
@@ -266,8 +348,9 @@ class Chef
       end
 
       def self.delete_old_key_ps(client_name)
+        store = get_cert_user
         powershell_code = <<~CODE
-          Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } | Remove-Item -ErrorAction Stop;
+          Get-ChildItem -path cert:\\#{store}\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } | Remove-Item -ErrorAction Stop;
         CODE
       end
 

data/lib/chef/mixin/proxified_socket.rb

@@ -15,7 +15,7 @@
 # limitations under the License.
 #
 
-require "proxifier"
+require "proxifier2"
 require "chef-config/mixin/fuzzy_hostname_matcher"
 
 class Chef

data/lib/chef/resource/apt_repository.rb

@@ -187,6 +187,24 @@ class Chef
           end.compact
         end
 
+        # run the specified command and extract the public key ids
+        # accepts the command so it can be used to extract both the current keys
+        # and the new keys
+        # @param [Array<String>] cmd the command to run
+        #
+        # @return [Array] an array of key ids
+        def extract_public_keys_from_cmd(*cmd)
+          so = shell_out(*cmd)
+          # Sample output
+          # pub:-:4096:1:D94AA3F0EFE21092:1336774248:::-:::scSC::::::23::0:
+          so.stdout.split(/\n/).map do |t|
+            if t.match(/^pub:/)
+              f = t.split(":")
+              f.slice(0, 6).join(":")
+            end
+          end.compact
+        end
+
         # validate the key against the apt keystore to see if that version is expired
         # @param [String] key
         #
@@ -222,8 +240,8 @@ class Chef
         def no_new_keys?(file)
           # Now we are using the option --with-colons that works across old os versions
           # as well as the latest (16.10). This for both `apt-key` and `gpg` commands
-          installed_keys = extract_fingerprints_from_cmd(*LIST_APT_KEY_FINGERPRINTS)
-          proposed_keys = extract_fingerprints_from_cmd("gpg", "--with-fingerprint", "--with-colons", file)
+          installed_keys = extract_public_keys_from_cmd(*LIST_APT_KEY_FINGERPRINTS)
+          proposed_keys = extract_public_keys_from_cmd("gpg", "--with-fingerprint", "--with-colons", file)
           (installed_keys & proposed_keys).sort == proposed_keys.sort
         end
 

data/lib/chef/resource/bash.rb

@@ -43,6 +43,19 @@ class Chef
       end
       ```
 
+      **Using escape characters in a string of code**
+
+      In the following example, the `find` command uses an escape character (`\`). Use a second escape character (`\\`) to preserve the escape character in the code string:
+
+      ```ruby
+      bash 'delete some archives ' do
+        code <<-EOH
+          find ./ -name "*.tar.Z" -mtime +180 -exec rm -f {} \\;
+        EOH
+        ignore_failure true
+      end
+      ```
+
       **Install a file from a remote location**
 
       The following is an example of how to install the foo123 module for Nginx. This module adds shell-style functionality to an Nginx configuration file and does the following:

data/lib/chef/resource/dsc_script.rb

@@ -34,7 +34,7 @@ class Chef
         resource in #{ChefUtils::Dist::Infra::PRODUCT}, such as the Archive resource, a custom DSC resource, an existing DSC script that performs an important
         task, and so on. Use the dsc_script resource to embed the code that defines a DSC configuration directly within a #{ChefUtils::Dist::Infra::PRODUCT} recipe.
 
-        Warning: The **dsc_script** resource may not be used with the 32 bit Chef Infra client. It must be executed from a 64 bit Chef Infra client.
+        Warning: The **dsc_script** resource is only available on 64-bit Chef Infra Client.
       DESC
 
       default_action :run

data/lib/chef/resource/launchd.rb

@@ -21,7 +21,7 @@ require_relative "../resource"
 class Chef
   class Resource
     class Launchd < Chef::Resource
-      provides :launchd
+      provides :launchd, os: "darwin"
 
       description "Use the **launchd** resource to manage system-wide services (daemons) and per-user services (agents) on the macOS platform."
       introduced "12.8"
@@ -129,7 +129,7 @@ class Chef
       property :abandon_process_group, [ TrueClass, FalseClass ],
         description: "If a job dies, all remaining processes with the same process ID may be kept running. Set to true to kill all remaining processes."
 
-      property :associated_bundle_identifiers, Hash,
+      property :associated_bundle_identifiers, Array,
         description: "This optional key indicates which bundles the Login Items Added by Apps panel associates with the helper executable."
 
       property :debug, [ TrueClass, FalseClass ],

data/lib/chef/resource/rhsm_register.rb

@@ -92,7 +92,7 @@ class Chef
 
       property :release,
         [Float, String],
-        description: "Sets the operating system minor release to use for subscriptions for the system. Products and updates are limited to the specified minor release version. This is used with the `auto_attach` option, it may also be used with activation keys.  For example, `release '6.4'` will append `--release=6.4` to the register command.",
+        description: "Sets the operating system minor release to use for subscriptions for the system. Products and updates are limited to the specified minor release version. This is used with the `auto_attach` or `activation_key` options.  For example, `release '6.4'` will append `--release=6.4` to the register command.",
         introduced: "17.8"
 
       action :register, description: "Register the node with RHSM." do

data/lib/chef/resource/selinux_fcontext.rb

@@ -22,7 +22,7 @@ class Chef
 
       provides :selinux_fcontext
 
-      description "Use **selinux_fcontext** resource to set the SELinux context of files with semanage fcontext."
+      description "Use the **selinux_fcontext** resource to set the SELinux context of files using the `semanage fcontext` command."
       introduced "18.0"
       examples <<~DOC
       **Allow http servers (e.g. nginx/apache) to modify moodle files**:

data/lib/chef/resource/selinux_permissive.rb

@@ -20,7 +20,7 @@ class Chef
 
       provides :selinux_permissive
 
-      description "Use **selinux_permissive** resource to allows some types to misbehave without stopping them. Not as good as specific policies, but better than disabling SELinux entirely."
+      description "Use the **selinux_permissive** resource to allow some domains to misbehave without stopping them. This is not as good as setting specific policies, but better than disabling SELinux entirely."
       introduced "18.0"
       examples <<~DOC
       **Disable enforcement on Apache**:

data/lib/chef/resource/selinux_port.rb

@@ -21,7 +21,7 @@ class Chef
 
       provides :selinux_port
 
-      description "Use **selinux_port** resource to allows assigning a network port to a certain SELinux context, e.g. for running a webserver on a non-standard port."
+      description "Use the **selinux_port** resource to assign a network port to a specific SELinux context. For example, running a web server on a non-standard port."
       introduced "18.0"
       examples <<~DOC
       **Allow nginx/apache to bind to port 5678 by giving it the http_port_t context**:

data/lib/chef/resource/selinux_state.rb

@@ -56,7 +56,7 @@ class Chef
 
       property :persistent, [true, false],
                 default: true,
-                description: "Persist status update to the selinux configuration file."
+                description: "Set the status update in the SELinux configuration file."
 
       property :policy, String,
                 default: lazy { default_policy_platform },

data/lib/chef/resource/service.rb

@@ -81,7 +81,7 @@ class Chef
       # specify overrides for the start_command, stop_command and
       # restart_command properties.
       property :init_command, String,
-        description: "The path to the init script that is associated with the service. Use init_command to prevent the need to specify overrides for the start_command, stop_command, and restart_command properties. When this property is not specified, the #{ChefUtils::Dist::Infra::PRODUCT} will use the default init command for the service provider being used.",
+        description: "The path to the init script that is associated with the service. Use `init_command` to prevent the need to specify overrides for the `start_command`, `stop_command`, and `restart_command` properties. When this property is not specified, the #{ChefUtils::Dist::Infra::PRODUCT} will use the default init command for the service provider being used.",
         desired_state: false
 
       # if the service is enabled or not

data/lib/chef/resource/user.rb

@@ -74,12 +74,12 @@ class Chef
       alias_method :group, :gid
 
       property :expire_date, [ String, NilClass ],
-               description: "(Linux) The date on which the user account will be disabled. The date is specified in the format YYYY-MM-DD.",
+               description: "(Linux) The date on which the user account will be disabled. The date is specified in YYYY-MM-DD format.",
                introduced: "18.0",
                desired_state: false
 
       property :inactive, [ String, Integer, NilClass ],
-               description: "(Linux) The number of days after a password expires until the account is permanently disabled. A value of 0 disables the account as soon as the password has expired, and a value of -1 disables the feature.",
+               description: "(Linux) The number of days after a password expires until the account is permanently disabled. A value of `0` disables the account as soon as the password has expired, and a value of `-1` disables the feature.",
                introduced: "18.0",
                desired_state: false
     end

data/lib/chef/resource/windows_user_privilege.rb

@@ -23,12 +23,14 @@ class Chef
     class WindowsUserPrivilege < Chef::Resource
 
       provides :windows_user_privilege
-      description "The windows_user_privilege resource allows to add a privilege to a principal or (User/Group).\n Ref: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment"
+      description "Use the **windows_user_privilege** resource to set privileges for a principal, user, or group.\n See [Microsoft's user rights assignment documentation](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment) for more information."
 
       introduced "16.0"
 
       examples <<~DOC
-      **Set the SeNetworkLogonRight Privilege for the Builtin Administrators Group and Authenticated Users**:
+      **Set the SeNetworkLogonRight privilege for the Builtin Administrators and Authenticated Users groups**:
+
+      The `:set` action will add this privilege for these two groups and remove this privilege from all other groups or users.
 
       ```ruby
       windows_user_privilege 'Network Logon Rights' do
@@ -38,7 +40,9 @@ class Chef
       end
       ```
 
-      **Provide only the Builtin Guests and Administrator Groups with the SeCreatePageFile Privilege**:
+      **Set the SeCreatePagefilePrivilege privilege for the Builtin Guests and Administrator groups**:
+
+      The `:set` action will add this privilege for these two groups and remove this privilege from all other groups or users.
 
       ```ruby
       windows_user_privilege 'Create Pagefile' do
@@ -48,7 +52,7 @@ class Chef
       end
       ```
 
-      **Add the SeDenyRemoteInteractiveLogonRight Privilege to the 'Remote interactive logon' principal**:
+      **Add the SeDenyRemoteInteractiveLogonRight privilege to the 'Remote interactive logon' principal**:
 
       ```ruby
       windows_user_privilege 'Remote interactive logon' do
@@ -57,7 +61,7 @@ class Chef
       end
       ```
 
-      **Add to the Builtin Guests Group the SeCreatePageFile Privilege**:
+      **Add the SeCreatePageFilePrivilege privilege to the Builtin Guests group**:
 
       ```ruby
       windows_user_privilege 'Guests add Create Pagefile' do
@@ -67,7 +71,7 @@ class Chef
       end
       ```
 
-      **Remove the SeCreatePageFile Privilege from the Builtin Guests Group**:
+      **Remove the SeCreatePageFilePrivilege privilege from the Builtin Guests group**:
 
       ```ruby
       windows_user_privilege 'Create Pagefile' do
@@ -77,7 +81,7 @@ class Chef
       end
       ```
 
-      **Clear all users from the SeDenyNetworkLogonRight Privilege**:
+      **Clear the SeDenyNetworkLogonRight privilege from all users**:
 
       ```ruby
       windows_user_privilege 'Allow any user the Network Logon right' do
@@ -135,15 +139,15 @@ class Chef
                           }.freeze
 
       property :principal, String,
-               description: "An optional property to add the privilege for given principal. Use only with add and remove action. Principal can either be a User/Group or one of special identities found here Ref: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/special-identities",
+               description: "An optional property to add the privilege for given principal. Use only with add and remove action. Principal can either be a user, group, or [special identity](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/special-identities).",
                name_property: true
 
       property :users, [Array, String],
-               description: "An optional property to set the privilege for given users. Use only with set action.",
+               description: "An optional property to set the privilege for the specified users. Use only with `:set` action",
                coerce: proc { |v| Array(v) }
 
       property :privilege, [Array, String],
-               description: "One or more privileges to set for principal or users/groups. For more information on what each privilege does Ref: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment",
+               description: "One or more privileges to set for principal or users/groups. For more information, see [Microsoft's documentation on what each privilege does](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment).",
                required: true,
                coerce: proc { |v| Array(v) },
                callbacks: {

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("..", __dir__)
-  VERSION = Chef::VersionString.new("18.1.0")
+  VERSION = Chef::VersionString.new("18.1.29")
 end
 
 #

data/spec/integration/client/client_spec.rb

@@ -35,14 +35,14 @@ describe "chef-client" do
     @server = @api = nil
   end
 
-  def install_certificate_in_store(client_name)
+  def install_certificate_in_store(client_name, store_location)
     if ChefUtils.windows?
       powershell_exec! <<~EOH
         if (-not (($PSVersionTable.PSVersion.Major -ge 5) -and ($PSVersionTable.PSVersion.Build -ge 22000)) ) {
-          New-SelfSignedCertificate -CertStoreLocation Cert:\\LocalMachine\\My -DnsName "#{client_name}"
+          New-SelfSignedCertificate -CertStoreLocation Cert:\\#{store_location}\\My -DnsName "#{client_name}"
         }
         else {
-          New-SelfSignedCertificate -CertStoreLocation Cert:\\LocalMachine\\My -Subject "#{client_name}" -FriendlyName "#{client_name}" -KeyExportPolicy Exportable
+          New-SelfSignedCertificate -CertStoreLocation Cert:\\#{store_location}\\My -Subject "#{client_name}" -FriendlyName "#{client_name}" -KeyExportPolicy Exportable
         }
       EOH
     end
@@ -50,14 +50,6 @@ describe "chef-client" do
 
   def create_registry_key
     ::Chef::HTTP::Authenticator.get_cert_password
-    # @win32registry = Chef::Win32::Registry.new
-    # path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
-    # unless @win32registry.key_exists?(path)
-    #   @win32registry.create_key(path, true)
-    # end
-    # password = SOME_CHARS.sample(1 + rand(SOME_CHARS.count)).join[0...14]
-    # values = { name: "PfxPass", type: :string, data: password }
-    # @win32registry.set_value(path, values)
   end
 
   def remove_certificate_from_store
@@ -111,6 +103,9 @@ describe "chef-client" do
       tempfile.close
       @path = tempfile.path
       Chef::Config.validation_key = @path
+      if ChefUtils.windows?
+        create_registry_key
+      end
 
       file "config/client.rb", <<~EOM
        local_mode true
@@ -201,17 +196,27 @@ describe "chef-client" do
 
     if ChefUtils.windows?
       context "and the private key is in the Windows CertStore" do
-        before do
-          install_certificate_in_store(client_name)
+
+        it "should verify that the cert is loaded in the \\LocalMachine\\My store" do
+          Chef::Config[:auth_key_registry_type] = "machine"
+          install_certificate_in_store(client_name, "LocalMachine")
           create_registry_key
+          expect(Chef::HTTP::Authenticator.check_certstore_for_key(hostname)).to eq(true)
         end
 
-        after do
+        it "should verify that the export password for the pfx is loaded in the Registry" do
+          expect(verify_export_password_exists.result).to eq(true)
+        end
+
+        it "should verify that a private key is returned to me" do
+          expect(Chef::HTTP::Authenticator.retrieve_certificate_key(client_name)).not_to be nil
           remove_certificate_from_store
-          remove_registry_key
         end
 
-        it "should verify that the cert is loaded in the LocalMachine\\My" do
+        it "should verify that the cert is loaded in the \\CurrentUser\\My store" do
+          Chef::Config[:auth_key_registry_type] = "user"
+          install_certificate_in_store(client_name, "CurrentUser")
+          create_registry_key
           expect(Chef::HTTP::Authenticator.check_certstore_for_key(hostname)).to eq(true)
         end
 
@@ -221,6 +226,7 @@ describe "chef-client" do
 
         it "should verify that a private key is returned to me" do
           expect(Chef::HTTP::Authenticator.retrieve_certificate_key(client_name)).not_to be nil
+          remove_certificate_from_store
         end
       end
     end

data/spec/spec_helper.rb

@@ -138,9 +138,9 @@ RSpec.configure do |config|
 
   config.filter_run_excluding skip_buildkite: true if ENV["BUILDKITE"]
 
-  config.filter_run_excluding fips_mode: !fips_mode_build? unless opensuse?
-  # RubyDistros OpenSUSE docker images have a broken fips
-  config.filter_run_excluding :fips_mode if opensuse?
+  config.filter_run_excluding fips_mode: !fips_mode_build?
+  # Skip fips on windows
+  # config.filter_run_excluding :fips_mode if windows?
 
   config.filter_run_excluding windows_only: true unless windows?
   config.filter_run_excluding not_supported_on_windows: true if windows?

data/spec/unit/client_spec.rb

@@ -310,25 +310,49 @@ describe Chef::Client, :windows_only do
   end
 
   context "when the client intially boots the first time" do
-    it "verfies that a certificate was correctly created and exists in the Cert Store" do
+    it "verfies that a certificate was correctly created and exists in the LocalMachine Cert Store" do
+      Chef::Config[:node_name] = "test"
       new_pfx = my_client.generate_pfx_package(cert_name, end_date)
       my_client.import_pfx_to_store(new_pfx)
       expect(my_client.check_certstore_for_key(cert_name)).not_to be false
+      delete_certificate(cert_name)
     end
 
     it "correctly returns a new Publc Key" do
       new_pfx = my_client.generate_pfx_package(cert_name, end_date)
       cert_object = new_pfx.certificate.public_key.to_pem
       expect(cert_object.to_s).to match(/PUBLIC KEY/)
+      delete_certificate(cert_name)
+    end
+
+  end
+
+  context "when the client intially boots the first time and auth_key_registry_type is set to 'user' " do
+    it "verfies that a certificate was correctly created and exists in the CurrentUser Cert Store" do
+      Chef::Config[:node_name] = "test"
+      Chef::Config[:auth_key_registry_type] = "user"
+      new_pfx = my_client.generate_pfx_package(cert_name, end_date)
+      my_client.import_pfx_to_store(new_pfx)
+      expect(my_client.check_certstore_for_key(cert_name)).not_to be false
+      delete_certificate(cert_name)
+    end
+
+    it "correctly returns a new Publc Key" do
+      Chef::Config[:auth_key_registry_type] = "user"
+      new_pfx = my_client.generate_pfx_package(cert_name, end_date)
+      cert_object = new_pfx.certificate.public_key.to_pem
+      expect(cert_object.to_s).to match(/PUBLIC KEY/)
+      delete_certificate(cert_name)
     end
 
   end
 
   def delete_certificate(cert_name)
+    Chef::Config[:auth_key_registry_type] == "user" ? store = "CurrentUser" : store = "LocalMachine"
     require "chef/mixin/powershell_exec"
     extend Chef::Mixin::PowershellExec
     powershell_code = <<~CODE
-      Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force  | Where-Object { $_.Subject -Match "#{cert_name}" } | Remove-item
+      Get-ChildItem -path cert:\\#{store}\\My -Recurse -Force  | Where-Object { $_.Subject -Match "#{cert_name}" } | Remove-item
     CODE
     powershell_exec!(powershell_code)
   end

data/spec/unit/compliance/runner_spec.rb

@@ -49,6 +49,14 @@ describe Chef::Compliance::Runner do
       expect(runner).not_to be_enabled
     end
 
+    it "is false if the node attributes have audit profiles and the audit cookbook is present, and the complince mode attribute is false" do
+      stub_const("::Reporter::ChefAutomate", true)
+      node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" }
+      node.normal["audit"]["compliance_phase"] = false
+
+      expect(runner).not_to be_enabled
+    end
+
     it "is true if the node attributes have audit profiles and the audit cookbook is present, and the complince mode attribute is true" do
       stub_const("::Reporter::ChefAutomate", true)
       node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" }

data/spec/unit/http/authenticator_spec.rb

@@ -18,6 +18,9 @@
 
 require "spec_helper"
 require "chef/http/authenticator"
+require "chef/mixin/powershell_exec"
+
+require_relative "../../../lib/chef/win32/registry"
 
 describe Chef::HTTP::Authenticator, :windows_only do
   let(:class_instance) { Chef::HTTP::Authenticator.new(client_name: "test") }
@@ -28,7 +31,7 @@ describe Chef::HTTP::Authenticator, :windows_only do
   let(:node_name) { "test" }
   let(:passwrd) { "some_insecure_password" }
 
-  before do
+  before(:each) do
     Chef::Config[:node_name] = node_name
     cert_name = "chef-#{node_name}"
     d = Time.now
@@ -36,6 +39,7 @@ describe Chef::HTTP::Authenticator, :windows_only do
     end_date = end_date.utc.iso8601
 
     my_client = Chef::Client.new
+    class_instance.get_cert_password
     pfx = my_client.generate_pfx_package(cert_name, end_date)
     my_client.import_pfx_to_store(pfx)
   end
@@ -47,10 +51,21 @@ describe Chef::HTTP::Authenticator, :windows_only do
     delete_certificate(cert_name)
   end
 
-  context "when retrieving a certificate from the certificate store" do
+  context "when retrieving a certificate from the certificate store it" do
+    it "properly creates the password hive in the registry when it doesn't exist" do
+      delete_registry_hive
+      class_instance.get_cert_password
+      win32registry = Chef::Win32::Registry.new
+      expected_path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+      path_created = win32registry.key_exists?(expected_path)
+      expect(path_created).to be(true)
+    end
+
     it "retrieves a certificate password from the registry when the hive does not already exist" do
       delete_registry_hive
+      password = class_instance.get_cert_password
       expect { class_instance.get_cert_password }.not_to raise_error
+      expect(password).not_to be(nil)
     end
 
     it "should return a password of at least 14 characters in length" do
@@ -58,7 +73,27 @@ describe Chef::HTTP::Authenticator, :windows_only do
       expect(password.length).to eql(14)
     end
 
-    it "correctly retrieves a valid certificate in pem format from the certstore" do
+    it "will retrieve a password from a partial registry hive and upgrades it while using the old decryptor" do
+      delete_registry_hive
+      load_partial_registry_hive
+      password = class_instance.get_cert_password
+      expect(password).to eql(passwrd)
+    end
+
+    it "verifies that the new password is now using a vector" do
+      win32registry = Chef::Win32::Registry.new
+      path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+      password_blob = win32registry.get_values(path)
+      if password_blob.nil? || password_blob.empty?
+        raise Chef::Exceptions::Win32RegKeyMissing
+      end
+
+      raw_data = password_blob.map { |x| x[:data] }
+      vector = raw_data[2]
+      expect(vector).not_to be(nil)
+    end
+
+    it "correctly retrieves a valid certificate in pem format from the LocalMachine certstore" do
       require "openssl"
       certificate = class_instance.retrieve_certificate_key(node_name)
       cert_object = OpenSSL::PKey::RSA.new(certificate)
@@ -66,21 +101,39 @@ describe Chef::HTTP::Authenticator, :windows_only do
     end
   end
 
-  def delete_certificate(cert_name)
+  def load_partial_registry_hive
+    extend Chef::Mixin::PowershellExec
+    password = "some_insecure_password"
     powershell_code = <<~CODE
-      Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force  | Where-Object { $_.Subject -Match "#{cert_name}" } | Remove-item
+      $encrypted_string = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+      $secure_string = ConvertFrom-SecureString $encrypted_string
+      return $secure_string
     CODE
-    powershell_exec!(powershell_code)
+    encrypted_pass = powershell_exec!(powershell_code).result
+    Chef::Config[:auth_key_registry_type] == "user" ? store = "HKEY_CURRENT_USER" : store = "HKEY_LOCAL_MACHINE"
+    hive_path = "#{store}\\Software\\Progress\\Authentication"
+    win32registry = Chef::Win32::Registry.new
+    unless win32registry.key_exists?(hive_path)
+      win32registry.create_key(hive_path, true)
+    end
+    values = { name: "PfxPass", type: :string, data: encrypted_pass }
+    win32registry.set_value(hive_path, values)
   end
 
   def delete_registry_hive
-    @win32registry = Chef::Win32::Registry.new
-    path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
-    present = @win32registry.get_values(path)
-    unless present.nil? || present.empty?
-      @win32registry.delete_key(path, true)
+    win32registry = Chef::Win32::Registry.new
+    hive_path = "HKEY_LOCAL_MACHINE\\Software\\Progress"
+    if win32registry.key_exists?(hive_path)
+      win32registry.delete_key(hive_path, true)
     end
   end
+
+  def delete_certificate(cert_name)
+    powershell_code = <<~CODE
+      Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force  | Where-Object { $_.Subject -Match "#{cert_name}" } | Remove-item
+    CODE
+    powershell_exec!(powershell_code)
+  end
 end
 
 describe Chef::HTTP::Authenticator do

data/spec/unit/provider/apt_repository_spec.rb

@@ -82,6 +82,15 @@ C5986B4F1257FFA86632CBA746181433FBB75451
 843938DF228D22F7B3742BC0D94AA3F0EFE21092}
   end
 
+  let(:apt_public_keys) do
+    %w{
+      pub:-:1024:17:40976EAF437D05B5:2004-09-12
+      pub:-:1024:17:46181433FBB75451:2004-12-30
+      pub:-:4096:1:3B4FE6ACC0B21F32:2012-05-11
+      pub:-:4096:1:D94AA3F0EFE21092:2012-05-11
+    }
+  end
+
   it "responds to load_current_resource" do
     expect(provider).to respond_to(:load_current_resource)
   end
@@ -113,6 +122,18 @@ C5986B4F1257FFA86632CBA746181433FBB75451
     end
   end
 
+  describe "#extract_public_keys_from_cmd" do
+    it "runs the desired command" do
+      expect(provider).to receive(:shell_out).and_return(apt_key_finger)
+      provider.extract_public_keys_from_cmd(*apt_key_finger_cmd)
+    end
+
+    it "returns a list of key fingerprints" do
+      expect(provider).to receive(:shell_out).and_return(apt_key_finger)
+      expect(provider.extract_public_keys_from_cmd(*apt_key_finger_cmd)).to eql(apt_public_keys)
+    end
+  end
+
   describe "#cookbook_name" do
     it "returns 'test' when the cookbook property is set" do
       new_resource.cookbook("test")
@@ -122,22 +143,22 @@ C5986B4F1257FFA86632CBA746181433FBB75451
 
   describe "#no_new_keys?" do
     before do
-      allow(provider).to receive(:extract_fingerprints_from_cmd).with(*apt_key_finger_cmd).and_return(apt_fingerprints)
+      allow(provider).to receive(:extract_public_keys_from_cmd).with(*apt_key_finger_cmd).and_return(apt_public_keys)
     end
 
     let(:file) { "/tmp/remote-gpg-keyfile" }
 
     it "matches a set of keys" do
-      allow(provider).to receive(:extract_fingerprints_from_cmd)
+      allow(provider).to receive(:extract_public_keys_from_cmd)
         .with("gpg", "--with-fingerprint", "--with-colons", file)
-        .and_return(Array(apt_fingerprints.first))
+        .and_return([apt_public_keys.first])
       expect(provider.no_new_keys?(file)).to be_truthy
     end
 
     it "notices missing keys" do
-      allow(provider).to receive(:extract_fingerprints_from_cmd)
+      allow(provider).to receive(:extract_public_keys_from_cmd)
         .with("gpg", "--with-fingerprint", "--with-colons", file)
-        .and_return(%w{ F36A89E33CC1BD0F71079007327574EE02A818DD })
+        .and_return(%w{pub:-:4096:1:871920D1991BC93C:1537196506})
       expect(provider.no_new_keys?(file)).to be_falsey
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chef
 version: !ruby/object:Gem::Version
-  version: 18.1.0
+  version: 18.1.29
 platform: x64-mingw-ucrt
 authors:
 - Adam Jacob
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-01-05 00:00:00.000000000 Z
+date: 2023-03-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-config
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 18.1.0
+        version: 18.1.29
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 18.1.0
+        version: 18.1.29
 - !ruby/object:Gem::Dependency
   name: chef-utils
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 18.1.0
+        version: 18.1.29
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 18.1.0
+        version: 18.1.29
 - !ruby/object:Gem::Dependency
   name: train-core
   requirement: !ruby/object:Gem::Requirement
@@ -336,20 +336,20 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.3
+        version: 1.1.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.3
+        version: 1.1.3
 - !ruby/object:Gem::Dependency
   name: chef-zero
   requirement: !ruby/object:Gem::Requirement
@@ -483,19 +483,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 0.3.4
 - !ruby/object:Gem::Dependency
-  name: proxifier
+  name: proxifier2
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: aws-sdk-s3
   requirement: !ruby/object:Gem::Requirement