chef 18.1.0-x64-mingw-ucrt → 18.2.7-x64-mingw-ucrt

data/lib/chef/http/authenticator.rb

@@ -102,12 +102,12 @@ class Chef
         self.class.get_cert_password
       end
 
-      def encrypt_pfx_pass
-        self.class.encrypt_pfx_pass
+      def encrypt_pfx_pass_with_vector
+        self.class.encrypt_pfx_pass_with_vector
       end
 
-      def decrypt_pfx_pass
-        self.class.decrypt_pfx_pass
+      def decrypt_pfx_pass_with_vector
+        self.class.decrypt_pfx_pass_with_vector
       end
 
       # Detects if a private key exists in a certificate repository like Keychain (macOS) or Certificate Store (Windows)
@@ -123,9 +123,18 @@ class Chef
         end
       end
 
+      def self.get_cert_user
+        Chef::Config[:auth_key_registry_type] == "user" ? "CurrentUser" : "LocalMachine"
+      end
+
+      def self.get_registry_user
+        Chef::Config[:auth_key_registry_type] == "user" ? "HKEY_CURRENT_USER" : "HKEY_LOCAL_MACHINE"
+      end
+
       def self.check_certstore_for_key(client_name)
+        store = get_cert_user
         powershell_code = <<~CODE
-          $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force  | Where-Object { $_.Subject -Match "chef-#{client_name}" } -ErrorAction Stop
+          $cert = Get-ChildItem -path cert:\\#{store}\\My -Recurse -Force  | Where-Object { $_.Subject -Match "chef-#{client_name}" } -ErrorAction Stop
           if (($cert.HasPrivateKey -eq $true) -and ($cert.PrivateKey.Key.ExportPolicy -ne "NonExportable")) {
             return $true
           }
@@ -164,49 +173,86 @@ class Chef
       end
 
       def self.get_cert_password
+        store = get_registry_user
         @win32registry = Chef::Win32::Registry.new
-        path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+        path = "#{store}\\Software\\Progress\\Authentication"
         # does the registry key even exist?
-        present = @win32registry.get_values(path)
-        if present.nil? || present.empty?
+        # password_blob should be an array of hashes
+        password_blob = @win32registry.get_values(path)
+        if password_blob.nil? || password_blob.empty?
           raise Chef::Exceptions::Win32RegKeyMissing
         end
 
-        present.each do |secret|
-          if secret[:name] == "PfxPass"
-            password = decrypt_pfx_pass(secret[:data])
-            return password
+        # Did someone have just the password stored in the registry?
+        raw_data = password_blob.map { |x| x[:data] }
+        vector = raw_data[2]
+        if !!vector
+          decrypted_password = decrypt_pfx_pass_with_vector(password_blob)
+        else
+          decrypted_password = decrypt_pfx_pass_with_password(password_blob)
+          if !!decrypted_password
+            migrate_pass_to_use_vector(decrypted_password)
+          else
+            Chef::Log.error("Failed to retrieve certificate password")
           end
         end
-
-        raise Chef::Exceptions::Win32RegKeyMissing
-
+        decrypted_password
       rescue Chef::Exceptions::Win32RegKeyMissing
         # if we don't have a password, log that and generate one
-        Chef::Log.warn "Authentication Hive and values not present in registry, creating them now"
-        new_path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+        store = get_registry_user
+        new_path = "#{store}\\Software\\Progress\\Authentication"
         unless @win32registry.key_exists?(new_path)
           @win32registry.create_key(new_path, true)
         end
-        require "securerandom" unless defined?(SecureRandom)
-        size = 14
-        password = SecureRandom.alphanumeric(size)
-        encrypted_pass = encrypt_pfx_pass(password)
-        values = { name: "PfxPass", type: :string, data: encrypted_pass }
-        @win32registry.set_value(new_path, values)
-        password
+        create_and_store_new_password
       end
 
-      def self.encrypt_pfx_pass(password)
+      def self.encrypt_pfx_pass_with_vector(password)
         powershell_code = <<~CODE
-          $encrypted_string = ConvertTo-SecureString "#{password}" -AsPlainText -Force
-          $secure_string = ConvertFrom-SecureString $encrypted_string
-          return $secure_string
+          $AES = [System.Security.Cryptography.Aes]::Create()
+          $key_temp = [System.Convert]::ToBase64String($AES.Key)
+          $iv_temp = [System.Convert]::ToBase64String($AES.IV)
+          $encryptor = $AES.CreateEncryptor()
+          [System.Byte[]]$Bytes =  [System.Text.Encoding]::Unicode.GetBytes("#{password}")
+          $EncryptedBytes = $encryptor.TransformFinalBlock($Bytes,0,$Bytes.Length)
+          $EncryptedBase64String = [System.Convert]::ToBase64String($EncryptedBytes)
+          # create array of encrypted pass, key, iv
+          $password_blob = @($EncryptedBase64String, $key_temp, $iv_temp)
+          return $password_blob
         CODE
         powershell_exec!(powershell_code).result
       end
 
-      def self.decrypt_pfx_pass(password)
+      def self.decrypt_pfx_pass_with_vector(password_blob)
+        raw_data = password_blob.map { |x| x[:data] }
+        password = raw_data[0]
+        key = raw_data[1]
+        vector = raw_data[2]
+
+        powershell_code = <<~CODE
+          $KeyBytes = [System.Convert]::FromBase64String("#{key}")
+          $IVBytes = [System.Convert]::FromBase64String("#{vector}")
+          $aes = [System.Security.Cryptography.Aes]::Create()
+          $aes.Key = $KeyBytes
+          $aes.IV = $IVBytes
+          $EncryptedBytes = [System.Convert]::FromBase64String("#{password}")
+          $Decryptor = $aes.CreateDecryptor()
+          $DecryptedBytes = $Decryptor.TransformFinalBlock($EncryptedBytes,0,$EncryptedBytes.Length)
+          $DecryptedString = [System.Text.Encoding]::Unicode.GetString($DecryptedBytes)
+          return $DecryptedString
+        CODE
+        results = powershell_exec!(powershell_code).result
+      end
+
+      def self.decrypt_pfx_pass_with_password(password_blob)
+        password = ""
+        password_blob.each do |secret|
+          if secret[:name] == "PfxPass"
+            password = secret[:data]
+          else
+            Chef::Log.error("Failed to retrieve a password for the private key")
+          end
+        end
         powershell_code = <<~CODE
           $secure_string = "#{password}" | ConvertTo-SecureString
           $string = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((($secure_string))))
@@ -215,14 +261,49 @@ class Chef
         powershell_exec!(powershell_code).result
       end
 
-      def self.retrieve_certificate_key(client_name)
-        require "openssl" unless defined?(OpenSSL)
+      def self.migrate_pass_to_use_vector(password)
+        store = get_cert_user
+        corrected_store = (store == "CurrentUser" ? "HKCU" : "HKLM")
+        powershell_code = <<~CODE
+          Remove-ItemProperty -Path "#{corrected_store}:\\Software\\Progress\\Authentication" -Name "PfXPass"
+        CODE
+        powershell_exec!(powershell_code)
+        create_and_store_new_password(password)
+      end
 
+      # This method name is a bit of a misnomer. We call it to legit create a new password using the vector format.
+      # But we also call it with a password that needs to be migrated to use the vector format too.
+      def self.create_and_store_new_password(password = nil)
+        @win32registry = Chef::Win32::Registry.new
+        store = get_registry_user
+        path = "#{store}\\Software\\Progress\\Authentication"
+        if password.nil?
+          require "securerandom" unless defined?(SecureRandom)
+          size = 14
+          password = SecureRandom.alphanumeric(size)
+        end
+        encrypted_blob = encrypt_pfx_pass_with_vector(password)
+        encrypted_password = encrypted_blob[0]
+        key = encrypted_blob[1]
+        vector = encrypted_blob[2]
+        values = [
+                  { name: "PfxPass", type: :string, data: encrypted_password },
+                  { name: "PfxKey", type: :string, data: key },
+                  { name: "PfxIV", type: :string, data: vector },
+                ]
+        values.each do |i|
+          @win32registry.set_value(path, i)
+        end
+        password
+      end
+
+      def self.retrieve_certificate_key(client_name)
         if ChefUtils.windows?
+          require "openssl" unless defined?(OpenSSL)
           password = get_cert_password
           return false unless password
 
-          if check_certstore_for_key(client_name)
+          if !!check_certstore_for_key(client_name)
             ps_blob = powershell_exec!(get_the_key_ps(client_name, password)).result
             file_path = ps_blob["PSPath"].split("::")[1]
             pkcs = OpenSSL::PKCS12.new(File.binread(file_path), password)
@@ -252,10 +333,11 @@ class Chef
       end
 
       def self.get_the_key_ps(client_name, password)
+        store = get_cert_user
         powershell_code = <<~CODE
             Try {
               $my_pwd = ConvertTo-SecureString -String "#{password}" -Force -AsPlainText;
-              $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } -ErrorAction Stop;
+              $cert = Get-ChildItem -path cert:\\#{store}\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } -ErrorAction Stop;
               $tempfile = [System.IO.Path]::GetTempPath() + "export_pfx.pfx";
               Export-PfxCertificate -Cert $cert -Password $my_pwd -FilePath $tempfile;
             }
@@ -266,8 +348,9 @@ class Chef
       end
 
       def self.delete_old_key_ps(client_name)
+        store = get_cert_user
         powershell_code = <<~CODE
-          Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } | Remove-Item -ErrorAction Stop;
+          Get-ChildItem -path cert:\\#{store}\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } | Remove-Item -ErrorAction Stop;
         CODE
       end
 

data/lib/chef/platform/query_helpers.rb

@@ -17,11 +17,14 @@
 #
 
 require "chef-utils" unless defined?(ChefUtils::CANARY)
+require_relative "../mixin/powershell_exec"
 
 class Chef
   class Platform
 
     class << self
+      include Chef::Mixin::PowershellExec
+
       def windows?
         ChefUtils.windows?
       end
@@ -58,8 +61,7 @@ class Chef
       end
 
       def dsc_refresh_mode_disabled?(node)
-        require_relative "../powershell"
-        exec = Chef::PowerShell.new("Get-DscLocalConfigurationManager")
+        exec = powershell_exec!("Get-DscLocalConfigurationManager")
         exec.error!
         exec.result["RefreshMode"] == "Disabled"
       end

data/lib/chef/resource/apt_repository.rb

@@ -187,6 +187,24 @@ class Chef
           end.compact
         end
 
+        # run the specified command and extract the public key ids
+        # accepts the command so it can be used to extract both the current keys
+        # and the new keys
+        # @param [Array<String>] cmd the command to run
+        #
+        # @return [Array] an array of key ids
+        def extract_public_keys_from_cmd(*cmd)
+          so = shell_out(*cmd)
+          # Sample output
+          # pub:-:4096:1:D94AA3F0EFE21092:1336774248:::-:::scSC::::::23::0:
+          so.stdout.split(/\n/).map do |t|
+            if t.match(/^pub:/)
+              f = t.split(":")
+              f.slice(0, 6).join(":")
+            end
+          end.compact
+        end
+
         # validate the key against the apt keystore to see if that version is expired
         # @param [String] key
         #
@@ -222,8 +240,8 @@ class Chef
         def no_new_keys?(file)
           # Now we are using the option --with-colons that works across old os versions
           # as well as the latest (16.10). This for both `apt-key` and `gpg` commands
-          installed_keys = extract_fingerprints_from_cmd(*LIST_APT_KEY_FINGERPRINTS)
-          proposed_keys = extract_fingerprints_from_cmd("gpg", "--with-fingerprint", "--with-colons", file)
+          installed_keys = extract_public_keys_from_cmd(*LIST_APT_KEY_FINGERPRINTS)
+          proposed_keys = extract_public_keys_from_cmd("gpg", "--with-fingerprint", "--with-colons", file)
           (installed_keys & proposed_keys).sort == proposed_keys.sort
         end
 

data/lib/chef/resource/bash.rb

@@ -43,6 +43,19 @@ class Chef
       end
       ```
 
+      **Using escape characters in a string of code**
+
+      In the following example, the `find` command uses an escape character (`\`). Use a second escape character (`\\`) to preserve the escape character in the code string:
+
+      ```ruby
+      bash 'delete some archives ' do
+        code <<-EOH
+          find ./ -name "*.tar.Z" -mtime +180 -exec rm -f {} \\;
+        EOH
+        ignore_failure true
+      end
+      ```
+
       **Install a file from a remote location**
 
       The following is an example of how to install the foo123 module for Nginx. This module adds shell-style functionality to an Nginx configuration file and does the following:

data/lib/chef/resource/dsc_script.rb

@@ -34,7 +34,7 @@ class Chef
         resource in #{ChefUtils::Dist::Infra::PRODUCT}, such as the Archive resource, a custom DSC resource, an existing DSC script that performs an important
         task, and so on. Use the dsc_script resource to embed the code that defines a DSC configuration directly within a #{ChefUtils::Dist::Infra::PRODUCT} recipe.
 
-        Warning: The **dsc_script** resource may not be used with the 32 bit Chef Infra client. It must be executed from a 64 bit Chef Infra client.
+        Warning: The **dsc_script** resource is only available on 64-bit Chef Infra Client.
       DESC
 
       default_action :run

data/lib/chef/resource/launchd.rb

@@ -21,7 +21,7 @@ require_relative "../resource"
 class Chef
   class Resource
     class Launchd < Chef::Resource
-      provides :launchd
+      provides :launchd, os: "darwin"
 
       description "Use the **launchd** resource to manage system-wide services (daemons) and per-user services (agents) on the macOS platform."
       introduced "12.8"
@@ -129,7 +129,7 @@ class Chef
       property :abandon_process_group, [ TrueClass, FalseClass ],
         description: "If a job dies, all remaining processes with the same process ID may be kept running. Set to true to kill all remaining processes."
 
-      property :associated_bundle_identifiers, Hash,
+      property :associated_bundle_identifiers, Array,
         description: "This optional key indicates which bundles the Login Items Added by Apps panel associates with the helper executable."
 
       property :debug, [ TrueClass, FalseClass ],

data/lib/chef/resource/macos_userdefaults.rb

@@ -50,15 +50,17 @@ class Chef
         end
         ```
 
-        **Specifying the type of a key to skip automatic type detection**
+        **Setting a value for specific user and hosts**
 
         ```ruby
-        macos_userdefaults 'Finder expanded save dialogs' do
-          key 'NSNavPanelExpandedStateForSaveMode'
-          value 'TRUE'
-          type 'bool'
+        macos_userdefaults 'Enable macOS firewall' do
+          key 'globalstate'
+          value 1
+          user 'jane'
+          host :current
         end
         ```
+
       DOC
 
       property :domain, String,
@@ -79,6 +81,7 @@ class Chef
 
       property :host, [String, Symbol],
         description: "Set either :current, :all or a hostname to set the user default at the host level.",
+        default: :all,
         desired_state: false,
         introduced: "16.3"
 
@@ -94,6 +97,7 @@ class Chef
 
       property :user, [String, Symbol],
         description: "The system user that the default will be applied to. Set :current for current user, :all for all users or pass a valid username",
+        default: :current,
         desired_state: false
 
       property :sudo, [TrueClass, FalseClass],

data/lib/chef/resource/rhsm_register.rb

@@ -92,7 +92,7 @@ class Chef
 
       property :release,
         [Float, String],
-        description: "Sets the operating system minor release to use for subscriptions for the system. Products and updates are limited to the specified minor release version. This is used with the `auto_attach` option, it may also be used with activation keys.  For example, `release '6.4'` will append `--release=6.4` to the register command.",
+        description: "Sets the operating system minor release to use for subscriptions for the system. Products and updates are limited to the specified minor release version. This is used with the `auto_attach` or `activation_key` options.  For example, `release '6.4'` will append `--release=6.4` to the register command.",
         introduced: "17.8"
 
       action :register, description: "Register the node with RHSM." do

data/lib/chef/resource/selinux_fcontext.rb

@@ -22,7 +22,7 @@ class Chef
 
       provides :selinux_fcontext
 
-      description "Use **selinux_fcontext** resource to set the SELinux context of files with semanage fcontext."
+      description "Use the **selinux_fcontext** resource to set the SELinux context of files using the `semanage fcontext` command."
       introduced "18.0"
       examples <<~DOC
       **Allow http servers (e.g. nginx/apache) to modify moodle files**:

data/lib/chef/resource/selinux_login.rb

@@ -0,0 +1,129 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+require_relative "selinux/common_helpers"
+
+class Chef
+  class Resource
+    class SelinuxLogin < Chef::Resource
+      unified_mode true
+
+      provides :selinux_login
+
+      description "Use the **selinux_login** resource to add, update, or remove SELinux user to OS login mappings."
+      introduced "18.1"
+      examples <<~DOC
+      **Manage test OS user mapping with a range of s0 and associated SELinux user test_u**:
+
+      ```ruby
+      selinux_login 'test' do
+        user 'test_u'
+        range 's0'
+      end
+      ```
+      DOC
+
+      property :login, String,
+                name_property: true,
+                description: "An optional property to set the OS user login value if it differs from the resource block's name."
+
+      property :user, String,
+                description: "SELinux user to be mapped."
+
+      property :range, String,
+                description: "MLS/MCS security range for the SELinux user."
+
+      load_current_value do |new_resource|
+        logins = shell_out!("semanage login -l").stdout.split("\n")
+
+        current_login = logins.grep(/^#{Regexp.escape(new_resource.login)}\s+/) do |l|
+          l.match(/^(?<login>[^\s]+)\s+(?<user>[^\s]+)\s+(?<range>[^\s]+)/)
+          # match returns [<Match 'data'>] or [], shift converts that to <Match 'data'> or nil
+        end.shift
+
+        current_value_does_not_exist! unless current_login
+
+        # Existing resources should maintain their current configuration unless otherwise specified
+        new_resource.user ||= current_login[:user]
+        new_resource.range ||= current_login[:range]
+
+        user current_login[:user]
+        range current_login[:range]
+      end
+
+      action_class do
+        include Chef::SELinux::CommonHelpers
+
+        def semanage_login_args
+          # Generate arguments for semanage login -a or -m
+          args = ""
+
+          args += " -s #{new_resource.user}" if new_resource.user
+          args += " -r #{new_resource.range}" if new_resource.range
+
+          args
+        end
+      end
+
+      action :manage, description: "Sets the SELinux login mapping to the desired settings regardless of previous state." do
+        run_action(:add)
+        run_action(:modify)
+      end
+
+      # Create if doesn't exist, do not touch if user already exists
+      action :add, description: "Creates the SELinux login mapping if not previously created." do
+        raise "The user property must be populated to create a new SELinux login" if new_resource.user.to_s.empty?
+
+        if selinux_disabled?
+          Chef::Log.warn("Unable to add SELinux login #{new_resource.login} as SELinux is disabled")
+          return
+        end
+
+        unless current_resource
+          converge_if_changed do
+            shell_out!("semanage login -a#{semanage_login_args} #{new_resource.login}")
+          end
+        end
+      end
+
+      # Only modify port if it exists & doesn't have the correct context already
+      action :modify, description: "Updates the SELinux login mapping if previously created." do
+        if selinux_disabled?
+          Chef::Log.warn("Unable to modify SELinux login #{new_resource.login} as SELinux is disabled")
+          return
+        end
+
+        if current_resource
+          converge_if_changed do
+            shell_out!("semanage login -m#{semanage_login_args} #{new_resource.login}")
+          end
+        end
+      end
+
+      # Delete if exists
+      action :delete, description: "Removes the SELinux login mapping if previously created." do
+        if selinux_disabled?
+          Chef::Log.warn("Unable to delete SELinux login #{new_resource.login} as SELinux is disabled")
+          return
+        end
+
+        if current_resource
+          converge_by "deleting SELinux login #{new_resource.login}" do
+            shell_out!("semanage login -d #{new_resource.login}")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/selinux_permissive.rb

@@ -20,7 +20,7 @@ class Chef
 
       provides :selinux_permissive
 
-      description "Use **selinux_permissive** resource to allows some types to misbehave without stopping them. Not as good as specific policies, but better than disabling SELinux entirely."
+      description "Use the **selinux_permissive** resource to allow some domains to misbehave without stopping them. This is not as good as setting specific policies, but better than disabling SELinux entirely."
       introduced "18.0"
       examples <<~DOC
       **Disable enforcement on Apache**:

data/lib/chef/resource/selinux_port.rb

@@ -21,7 +21,7 @@ class Chef
 
       provides :selinux_port
 
-      description "Use **selinux_port** resource to allows assigning a network port to a certain SELinux context, e.g. for running a webserver on a non-standard port."
+      description "Use the **selinux_port** resource to assign a network port to a specific SELinux context. For example, running a web server on a non-standard port."
       introduced "18.0"
       examples <<~DOC
       **Allow nginx/apache to bind to port 5678 by giving it the http_port_t context**:

data/lib/chef/resource/selinux_state.rb

@@ -56,7 +56,7 @@ class Chef
 
       property :persistent, [true, false],
                 default: true,
-                description: "Persist status update to the selinux configuration file."
+                description: "Set the status update in the SELinux configuration file."
 
       property :policy, String,
                 default: lazy { default_policy_platform },