chef 18.1.0-x64-mingw-ucrt → 18.2.7-x64-mingw-ucrt

data/spec/unit/http/authenticator_spec.rb

@@ -18,6 +18,9 @@
 
 require "spec_helper"
 require "chef/http/authenticator"
+require "chef/mixin/powershell_exec"
+
+require_relative "../../../lib/chef/win32/registry"
 
 describe Chef::HTTP::Authenticator, :windows_only do
   let(:class_instance) { Chef::HTTP::Authenticator.new(client_name: "test") }
@@ -28,7 +31,7 @@ describe Chef::HTTP::Authenticator, :windows_only do
   let(:node_name) { "test" }
   let(:passwrd) { "some_insecure_password" }
 
-  before do
+  before(:each) do
     Chef::Config[:node_name] = node_name
     cert_name = "chef-#{node_name}"
     d = Time.now
@@ -36,6 +39,7 @@ describe Chef::HTTP::Authenticator, :windows_only do
     end_date = end_date.utc.iso8601
 
     my_client = Chef::Client.new
+    class_instance.get_cert_password
     pfx = my_client.generate_pfx_package(cert_name, end_date)
     my_client.import_pfx_to_store(pfx)
   end
@@ -47,10 +51,21 @@ describe Chef::HTTP::Authenticator, :windows_only do
     delete_certificate(cert_name)
   end
 
-  context "when retrieving a certificate from the certificate store" do
+  context "when retrieving a certificate from the certificate store it" do
+    it "properly creates the password hive in the registry when it doesn't exist" do
+      delete_registry_hive
+      class_instance.get_cert_password
+      win32registry = Chef::Win32::Registry.new
+      expected_path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+      path_created = win32registry.key_exists?(expected_path)
+      expect(path_created).to be(true)
+    end
+
     it "retrieves a certificate password from the registry when the hive does not already exist" do
       delete_registry_hive
+      password = class_instance.get_cert_password
       expect { class_instance.get_cert_password }.not_to raise_error
+      expect(password).not_to be(nil)
     end
 
     it "should return a password of at least 14 characters in length" do
@@ -58,7 +73,27 @@ describe Chef::HTTP::Authenticator, :windows_only do
       expect(password.length).to eql(14)
     end
 
-    it "correctly retrieves a valid certificate in pem format from the certstore" do
+    it "will retrieve a password from a partial registry hive and upgrades it while using the old decryptor" do
+      delete_registry_hive
+      load_partial_registry_hive
+      password = class_instance.get_cert_password
+      expect(password).to eql(passwrd)
+    end
+
+    it "verifies that the new password is now using a vector" do
+      win32registry = Chef::Win32::Registry.new
+      path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+      password_blob = win32registry.get_values(path)
+      if password_blob.nil? || password_blob.empty?
+        raise Chef::Exceptions::Win32RegKeyMissing
+      end
+
+      raw_data = password_blob.map { |x| x[:data] }
+      vector = raw_data[2]
+      expect(vector).not_to be(nil)
+    end
+
+    it "correctly retrieves a valid certificate in pem format from the LocalMachine certstore" do
       require "openssl"
       certificate = class_instance.retrieve_certificate_key(node_name)
       cert_object = OpenSSL::PKey::RSA.new(certificate)
@@ -66,21 +101,39 @@ describe Chef::HTTP::Authenticator, :windows_only do
     end
   end
 
-  def delete_certificate(cert_name)
+  def load_partial_registry_hive
+    extend Chef::Mixin::PowershellExec
+    password = "some_insecure_password"
     powershell_code = <<~CODE
-      Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force  | Where-Object { $_.Subject -Match "#{cert_name}" } | Remove-item
+      $encrypted_string = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+      $secure_string = ConvertFrom-SecureString $encrypted_string
+      return $secure_string
     CODE
-    powershell_exec!(powershell_code)
+    encrypted_pass = powershell_exec!(powershell_code).result
+    Chef::Config[:auth_key_registry_type] == "user" ? store = "HKEY_CURRENT_USER" : store = "HKEY_LOCAL_MACHINE"
+    hive_path = "#{store}\\Software\\Progress\\Authentication"
+    win32registry = Chef::Win32::Registry.new
+    unless win32registry.key_exists?(hive_path)
+      win32registry.create_key(hive_path, true)
+    end
+    values = { name: "PfxPass", type: :string, data: encrypted_pass }
+    win32registry.set_value(hive_path, values)
   end
 
   def delete_registry_hive
-    @win32registry = Chef::Win32::Registry.new
-    path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
-    present = @win32registry.get_values(path)
-    unless present.nil? || present.empty?
-      @win32registry.delete_key(path, true)
+    win32registry = Chef::Win32::Registry.new
+    hive_path = "HKEY_LOCAL_MACHINE\\Software\\Progress"
+    if win32registry.key_exists?(hive_path)
+      win32registry.delete_key(hive_path, true)
     end
   end
+
+  def delete_certificate(cert_name)
+    powershell_code = <<~CODE
+      Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force  | Where-Object { $_.Subject -Match "#{cert_name}" } | Remove-item
+    CODE
+    powershell_exec!(powershell_code)
+  end
 end
 
 describe Chef::HTTP::Authenticator do

data/spec/unit/provider/apt_repository_spec.rb

@@ -82,6 +82,15 @@ C5986B4F1257FFA86632CBA746181433FBB75451
 843938DF228D22F7B3742BC0D94AA3F0EFE21092}
   end
 
+  let(:apt_public_keys) do
+    %w{
+      pub:-:1024:17:40976EAF437D05B5:2004-09-12
+      pub:-:1024:17:46181433FBB75451:2004-12-30
+      pub:-:4096:1:3B4FE6ACC0B21F32:2012-05-11
+      pub:-:4096:1:D94AA3F0EFE21092:2012-05-11
+    }
+  end
+
   it "responds to load_current_resource" do
     expect(provider).to respond_to(:load_current_resource)
   end
@@ -113,6 +122,18 @@ C5986B4F1257FFA86632CBA746181433FBB75451
     end
   end
 
+  describe "#extract_public_keys_from_cmd" do
+    it "runs the desired command" do
+      expect(provider).to receive(:shell_out).and_return(apt_key_finger)
+      provider.extract_public_keys_from_cmd(*apt_key_finger_cmd)
+    end
+
+    it "returns a list of key fingerprints" do
+      expect(provider).to receive(:shell_out).and_return(apt_key_finger)
+      expect(provider.extract_public_keys_from_cmd(*apt_key_finger_cmd)).to eql(apt_public_keys)
+    end
+  end
+
   describe "#cookbook_name" do
     it "returns 'test' when the cookbook property is set" do
       new_resource.cookbook("test")
@@ -122,22 +143,22 @@ C5986B4F1257FFA86632CBA746181433FBB75451
 
   describe "#no_new_keys?" do
     before do
-      allow(provider).to receive(:extract_fingerprints_from_cmd).with(*apt_key_finger_cmd).and_return(apt_fingerprints)
+      allow(provider).to receive(:extract_public_keys_from_cmd).with(*apt_key_finger_cmd).and_return(apt_public_keys)
     end
 
     let(:file) { "/tmp/remote-gpg-keyfile" }
 
     it "matches a set of keys" do
-      allow(provider).to receive(:extract_fingerprints_from_cmd)
+      allow(provider).to receive(:extract_public_keys_from_cmd)
         .with("gpg", "--with-fingerprint", "--with-colons", file)
-        .and_return(Array(apt_fingerprints.first))
+        .and_return([apt_public_keys.first])
       expect(provider.no_new_keys?(file)).to be_truthy
     end
 
     it "notices missing keys" do
-      allow(provider).to receive(:extract_fingerprints_from_cmd)
+      allow(provider).to receive(:extract_public_keys_from_cmd)
         .with("gpg", "--with-fingerprint", "--with-colons", file)
-        .and_return(%w{ F36A89E33CC1BD0F71079007327574EE02A818DD })
+        .and_return(%w{pub:-:4096:1:871920D1991BC93C:1537196506})
       expect(provider.no_new_keys?(file)).to be_falsey
     end
   end

data/spec/unit/resource/macos_user_defaults_spec.rb

@@ -39,12 +39,12 @@ describe Chef::Resource::MacosUserDefaults, :macos_only do
       expect(resource.domain).to eq("NSGlobalDomain")
     end
 
-    it "nil for the host property" do
-      expect(resource.host).to be_nil
+    it ":all for the host property" do
+      expect(resource.host).to eq(:all)
     end
 
-    it "nil for the user property" do
-      expect(resource.user).to be_nil
+    it ":current for the user property" do
+      expect(resource.user).to eq(:current)
     end
 
     it ":write for resource action" do

data/spec/unit/resource/selinux_login_spec.rb

@@ -0,0 +1,73 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxLogin do
+  let(:node) { Chef::Node.new }
+  let(:events) { Chef::EventDispatch::Dispatcher.new }
+  let(:run_context) { Chef::RunContext.new(node, {}, events) }
+  let(:resource) { Chef::Resource::SelinuxLogin.new("fakey_fakerton", run_context) }
+  let(:provider) { resource.provider_for_action(:manage) }
+
+  it "sets login property as name_property" do
+    expect(resource.login).to eql("fakey_fakerton")
+  end
+
+  it "sets the default action as :manage" do
+    expect(resource.action).to eql([:manage])
+  end
+
+  it "supports :manage, :add, :modify, :delete actions" do
+    expect { resource.action :manage }.not_to raise_error
+    expect { resource.action :add }.not_to raise_error
+    expect { resource.action :modify }.not_to raise_error
+    expect { resource.action :delete }.not_to raise_error
+  end
+
+  describe "#semanage_login_args" do
+    let(:provider) { resource.provider_for_action(:modify) }
+
+    context "when no parameters are provided" do
+      it "returns an empty string" do
+        expect(provider.semanage_login_args).to eq("")
+      end
+    end
+
+    context "when all parameters are provided" do
+      it "returns all params" do
+        resource.user "user_u"
+        resource.range "s0"
+        expect(provider.semanage_login_args).to eq(" -s user_u -r s0")
+      end
+    end
+
+    context "when no user is provided" do
+      it "returns range param" do
+        resource.range "s0"
+        expect(provider.semanage_login_args).to eq(" -r s0")
+      end
+    end
+
+    context "when no range is provided" do
+      it "returns user param" do
+        resource.user "user_u"
+        expect(provider.semanage_login_args).to eq(" -s user_u")
+      end
+    end
+  end
+end

data/spec/unit/resource/selinux_user_spec.rb

@@ -0,0 +1,92 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxUser do
+  let(:node) { Chef::Node.new }
+  let(:events) { Chef::EventDispatch::Dispatcher.new }
+  let(:run_context) { Chef::RunContext.new(node, {}, events) }
+  let(:resource) { Chef::Resource::SelinuxUser.new("fakey_fakerton", run_context) }
+  let(:provider) { resource.provider_for_action(:manage) }
+  let(:semanage_list) { double("shellout", stdout: "") }
+
+  it "sets user property as name_property" do
+    expect(resource.user).to eql("fakey_fakerton")
+  end
+
+  it "sets the default action as :manage" do
+    expect(resource.action).to eql([:manage])
+  end
+
+  it "supports :manage, :add, :modify, :delete actions" do
+    expect { resource.action :manage }.not_to raise_error
+    expect { resource.action :add }.not_to raise_error
+    expect { resource.action :modify }.not_to raise_error
+    expect { resource.action :delete }.not_to raise_error
+  end
+
+  it "sorts roles property values" do
+    expect { resource.roles %w{c a b} }.not_to raise_error
+    expect(resource.roles).to eq(%w{a b c})
+  end
+
+  describe "#semanage_user_args" do
+    let(:provider) { resource.provider_for_action(:modify) }
+
+    context "when no parameters are provided" do
+      it "returns an empty string" do
+        expect(provider.semanage_user_args).to eq("")
+      end
+    end
+
+    context "when all parameters are provided" do
+      it "returns all params" do
+        resource.level "s0"
+        resource.range "s0"
+        resource.roles %w{sysadm_r staff_r}
+        expect(provider.semanage_user_args).to eq(" -L s0 -r s0 -R 'staff_r sysadm_r'")
+      end
+    end
+
+    context "when no roles are provided" do
+      it "returns level and range params" do
+        resource.level "s0"
+        resource.range "s0"
+        resource.roles []
+
+        expect(provider.semanage_user_args).to eq(" -L s0 -r s0")
+      end
+    end
+
+    context "when no range is provided" do
+      it "returns level and roles params" do
+        resource.level "s0"
+        resource.roles %w{sysadm_r staff_r}
+        expect(provider.semanage_user_args).to eq(" -L s0 -R 'staff_r sysadm_r'")
+      end
+    end
+
+    context "when no level is provided" do
+      it "returns range and roles params" do
+        resource.range "s0"
+        resource.roles %w{sysadm_r staff_r}
+        expect(provider.semanage_user_args).to eq(" -r s0 -R 'staff_r sysadm_r'")
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chef
 version: !ruby/object:Gem::Version
-  version: 18.1.0
+  version: 18.2.7
 platform: x64-mingw-ucrt
 authors:
 - Adam Jacob
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-01-05 00:00:00.000000000 Z
+date: 2023-04-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-config
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 18.1.0
+        version: 18.2.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 18.1.0
+        version: 18.2.7
 - !ruby/object:Gem::Dependency
   name: chef-utils
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 18.1.0
+        version: 18.2.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 18.1.0
+        version: 18.2.7
 - !ruby/object:Gem::Dependency
   name: train-core
   requirement: !ruby/object:Gem::Requirement
@@ -483,19 +483,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 0.3.4
 - !ruby/object:Gem::Dependency
-  name: proxifier
+  name: proxifier2
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: aws-sdk-s3
   requirement: !ruby/object:Gem::Requirement
@@ -710,14 +710,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.12
+        version: 18.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.12
+        version: 18.0.0
 description: A systems integration framework, built to bring the benefits of configuration
   management to your entire infrastructure.
 email: adam@chef.io
@@ -734,6 +734,7 @@ files:
 - Rakefile
 - chef-universal-mingw-ucrt.gemspec
 - chef.gemspec
+- distro/powershell/chef/chef.psm1
 - distro/ruby_bin_folder/AMD64/Chef.PowerShell.Wrapper.dll
 - distro/ruby_bin_folder/AMD64/Chef.PowerShell.dll
 - distro/ruby_bin_folder/AMD64/Ijwhost.dll
@@ -1679,7 +1680,6 @@ files:
 - lib/chef/policy_builder/dynamic.rb
 - lib/chef/policy_builder/expand_node_object.rb
 - lib/chef/policy_builder/policyfile.rb
-- lib/chef/powershell.rb
 - lib/chef/property.rb
 - lib/chef/provider.rb
 - lib/chef/provider/batch.rb
@@ -1954,10 +1954,12 @@ files:
 - lib/chef/resource/selinux_boolean.rb
 - lib/chef/resource/selinux_fcontext.rb
 - lib/chef/resource/selinux_install.rb
+- lib/chef/resource/selinux_login.rb
 - lib/chef/resource/selinux_module.rb
 - lib/chef/resource/selinux_permissive.rb
 - lib/chef/resource/selinux_port.rb
 - lib/chef/resource/selinux_state.rb
+- lib/chef/resource/selinux_user.rb
 - lib/chef/resource/service.rb
 - lib/chef/resource/smartos_package.rb
 - lib/chef/resource/snap_package.rb
@@ -3116,10 +3118,12 @@ files:
 - spec/unit/resource/selinux_boolean_spec.rb
 - spec/unit/resource/selinux_fcontext_spec.rb
 - spec/unit/resource/selinux_install_spec.rb
+- spec/unit/resource/selinux_login_spec.rb
 - spec/unit/resource/selinux_module_spec.rb
 - spec/unit/resource/selinux_permissive_spec.rb
 - spec/unit/resource/selinux_port_spec.rb
 - spec/unit/resource/selinux_state_spec.rb
+- spec/unit/resource/selinux_user_spec.rb
 - spec/unit/resource/service_spec.rb
 - spec/unit/resource/smartos_package_spec.rb
 - spec/unit/resource/snap_package_spec.rb

data/lib/chef/powershell.rb

@@ -1,81 +0,0 @@
-#
-# Author:: Stuart Preston (<stuart@chef.io>)
-# Copyright:: Copyright (c) Chef Software Inc.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require "ffi" unless defined?(FFI)
-require_relative "json_compat"
-
-class Chef
-  class PowerShell
-    extend FFI::Library
-
-    attr_reader :result
-    attr_reader :errors
-    attr_reader :verbose
-
-    # Run a command under PowerShell via FFI
-    # This implementation requires the managed dll and native wrapper to be in the library search
-    # path on Windows (i.e. c:\windows\system32 or in the same location as ruby.exe).
-    #
-    # Requires: .NET Framework 4.0 or higher on the target machine.
-    #
-    # @param script [String] script to run
-    # @param timeout [Integer, nil] timeout in seconds.
-    # @return [Object] output
-    def initialize(script, timeout: -1)
-      # This Powershell DLL source lives here: https://github.com/chef/chef-powershell-shim
-      # Every merge into that repo triggers a Habitat build and promotion. Running
-      # the rake :update_chef_exec_dll task in this (chef/chef) repo will pull down
-      # the built packages and copy the binaries to distro/ruby_bin_folder. Bundle install
-      # ensures that the correct architecture binaries are installed into the path.
-      @dll ||= "Chef.PowerShell.Wrapper.dll"
-      exec(script, timeout: timeout)
-    end
-
-    #
-    # Was there an error running the command
-    #
-    # @return [Boolean]
-    #
-    def error?
-      return true if errors.count > 0
-
-      false
-    end
-
-    class CommandFailed < RuntimeError; end
-
-    #
-    # @raise [Chef::PowerShell::CommandFailed] raise if the command failed
-    #
-    def error!
-      raise Chef::PowerShell::CommandFailed, "Unexpected exit in PowerShell command: #{@errors}" if error?
-    end
-
-    private
-
-    def exec(script, timeout: -1)
-      FFI.ffi_lib @dll
-      FFI.attach_function :execute_powershell, :ExecuteScript, %i{string int}, :pointer
-      timeout = -1 if timeout == 0 || timeout.nil?
-      execution = FFI.execute_powershell(script, timeout).read_utf16string
-      hashed_outcome = Chef::JSONCompat.parse(execution)
-      @result = Chef::JSONCompat.parse(hashed_outcome["result"])
-      @errors = hashed_outcome["errors"]
-      @verbose = hashed_outcome["verbose"]
-    end
-  end
-end