chef 18.1.0 → 18.2.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2116a9a16e93030ed9aa85235426085567d3ef63e0c603bffa3a5a1614bb439e
-  data.tar.gz: cc9dcbc47ddcb72e3fe920f9da13a788a607b66d628331b23a03ea8dbad53c30
+  metadata.gz: ae48a568217d00b159123bf621bdaee21412909ef553f400719f251559c8a4d4
+  data.tar.gz: 553c80d44e9babb553588b0d01beac0a413aec6b0d21fdbaaf754cc1b3fa0928
 SHA512:
-  metadata.gz: d14c879526c8da207c572690f7e5c0a066c8ff89d33412053f6eaf3635ae2231d1f0c2c3478b1ebae30219ac0cbf86ee8c2381239eda50b937f853c2b7a77028
-  data.tar.gz: 1bfb25d57117e4cc93655ab55573cebcffd9854402a59606f79e5a6e05bc8660d18c2ccc85d2a09c007789509dd23abee90a1a3d26a07bc6d93ba8fff12d0b58
+  metadata.gz: 3b2df041625cd266ae86c1a899c69493190f09018714cf281486291958268a669d65103555b63f0104345b5e281248d9bf7a2157a2de3632d92f84b4ed72c99c
+  data.tar.gz: 54b4391ec722faa770d54b7d5c6650285ab3dfdb933eed86938d579fb92b1501ad4bf3848e3f17950316eb5c8d9bc2bc99e044368246940321b10f3ddaaa1e97

data/Gemfile

@@ -37,9 +37,6 @@ group(:omnibus_package, :pry) do
   gem "pry-stack_explorer"
 end
 
-# proxifier gem is busted on ruby 3.1 and seems abandoned so use git fork of gem
-gem "proxifier", git: "https://github.com/chef/ruby-proxifier", branch: "lcg/ruby-3"
-
 # Everything except AIX and Windows
 group(:ruby_shadow) do
   # if ruby-shadow does a release that supports ruby-3.0 this can be removed

data/chef-universal-mingw-ucrt.gemspec

@@ -15,9 +15,9 @@ gemspec.add_dependency "wmi-lite", "~> 1.0"
 gemspec.add_dependency "win32-taskscheduler", "~> 2.0"
 gemspec.add_dependency "iso8601", ">= 0.12.1", "< 0.14" # validate 0.14 when it comes out
 gemspec.add_dependency "win32-certstore", "~> 0.6.15" # 0.5+ required for specifying user vs. system store
-gemspec.add_dependency "chef-powershell", "~> 1.0.12" # The guts of the powershell_exec code have been moved to its own gem, chef-powershell. It's part of the chef-powershell-shim repo.
+gemspec.add_dependency "chef-powershell", "~> 18.0.0" # The guts of the powershell_exec code have been moved to its own gem, chef-powershell. It's part of the chef-powershell-shim repo.
 
 gemspec.extensions << "ext/win32-eventlog/Rakefile"
 gemspec.files += Dir.glob("{distro,ext}/**/*")
 
-gemspec
+gemspec

data/chef.gemspec

@@ -61,7 +61,7 @@ Gem::Specification.new do |s|
   s.add_dependency "unf_ext", ">= 0.0.8.2" # This is ruby31 compatible ucrt gem version
   s.add_dependency "corefoundation", "~> 0.3.4" # macos_userdefaults resource
 
-  s.add_dependency "proxifier", "~> 1.0"
+  s.add_dependency "proxifier2", "~> 1.1"
 
   s.add_dependency "aws-sdk-s3", "~> 1.91" # s3 recipe-url support
   s.add_dependency "aws-sdk-secretsmanager", "~> 1.46"

data/lib/chef/application/base.rb

@@ -386,8 +386,10 @@ class Chef::Application::Base < Chef::Application
     elsif uri.scheme == "s3"
       require "aws-sdk-s3" unless defined?(Aws::S3)
 
-      s3 = Aws::S3::Client.new
-      object = s3.get_object(bucket: uri.hostname, key: uri.path[1..-1])
+      bucket_name = uri.hostname
+      s3 = Aws::S3::Client.new(region: s3_bucket_location(bucket_name))
+
+      object = s3.get_object(bucket: bucket_name, key: uri.path[1..-1])
       File.open(path, "wb") do |f|
         f.write(object.body.read)
       end
@@ -403,6 +405,20 @@ class Chef::Application::Base < Chef::Application
     end
   end
 
+  def s3_bucket_location(bucket_name)
+    s3 = Aws::S3::Client.new(region: aws_api_region)
+
+    resp = s3.get_bucket_location(bucket: bucket_name)
+    resp.location_constraint
+  rescue Aws::S3::Errors::AccessDenied => _e
+    Chef::Log.warn("Missing s3:GetBucketLocation privilege, trying currently configured region #{aws_api_region}")
+    aws_api_region
+  end
+
+  def aws_api_region
+    ENV["AWS_REGION"] || Aws.shared_config.region || Aws::EC2Metadata.new.get("/latest/meta-data/placement/region")
+  end
+
   def interval_run_chef_client
     if Chef::Config[:daemonize]
       Chef::Daemon.daemonize(ChefUtils::Dist::Infra::PRODUCT)

data/lib/chef/client.rb

@@ -66,6 +66,15 @@ class Chef
   class Client
     CRYPT_EXPORTABLE = 0x00000001
 
+    # adding these
+    # certstore 65536 == 0x00010000 == CurrentUser
+    # certstore 131072 == 0x00020000 == LocalMachine
+    # Reference: https://github.com/chef/win32-certstore/blob/main/lib/win32/certstore/mixin/crypto.rb#L90
+    CERT_SYSTEM_STORE_LOCAL_MACHINE                     = 0x00020000
+    CERT_SYSTEM_STORE_CURRENT_USER                      = 0x00010000
+    CERT_SYSTEM_STORE_SERVICES                          = 0x00050000
+    CERT_SYSTEM_STORE_USERS                             = 0x00060000
+
     attr_reader :local_context
 
     extend Chef::Mixin::Deprecation
@@ -674,9 +683,15 @@ class Chef
 
     # In the brave new world of No Certs On Disk, we want to put the pem file into Keychain or the Certstore
     # But is it already there?
+    # We're solving the multi-user scenario where both a system/admin user can run on the box but also someone without
+    # admin rights can also run correctly locally.
     def check_certstore_for_key(cert_name)
       require "win32-certstore"
-      win32certstore = ::Win32::Certstore.open("MY")
+      if Chef::Config[:auth_key_registry_type] == "user"
+        win32certstore = ::Win32::Certstore.open("MY", store_location: CERT_SYSTEM_STORE_CURRENT_USER)
+      else
+        win32certstore = ::Win32::Certstore.open("MY")
+      end
       win32certstore.search("#{cert_name}")
     end
 
@@ -783,8 +798,6 @@ class Chef
       require "time" unless defined?(Time)
       autoload :URI, "uri"
 
-      # KeyMigration.instance.key_migrated = true
-
       node = Chef::Config[:node_name]
       d = Time.now
       if d.month == 10 || d.month == 11 || d.month == 12
@@ -818,9 +831,13 @@ class Chef
       require "win32-certstore"
       tempfile = Tempfile.new("#{Chef::Config[:node_name]}.pfx")
       File.open(tempfile, "wb") { |f| f.print new_pfx.to_der }
-
-      store = ::Win32::Certstore.open("MY")
-      store.add_pfx(tempfile, password, CRYPT_EXPORTABLE)
+      # Need to determine where to store the key
+      if Chef::Config[:auth_key_registry_type] == "user"
+        win32certstore = ::Win32::Certstore.open("MY", store_location: CERT_SYSTEM_STORE_CURRENT_USER)
+      else
+        win32certstore = ::Win32::Certstore.open("MY")
+      end
+      win32certstore.add_pfx(tempfile, password, CRYPT_EXPORTABLE)
       tempfile.unlink
     end
 

data/lib/chef/http/authenticator.rb

@@ -102,12 +102,12 @@ class Chef
         self.class.get_cert_password
       end
 
-      def encrypt_pfx_pass
-        self.class.encrypt_pfx_pass
+      def encrypt_pfx_pass_with_vector
+        self.class.encrypt_pfx_pass_with_vector
       end
 
-      def decrypt_pfx_pass
-        self.class.decrypt_pfx_pass
+      def decrypt_pfx_pass_with_vector
+        self.class.decrypt_pfx_pass_with_vector
       end
 
       # Detects if a private key exists in a certificate repository like Keychain (macOS) or Certificate Store (Windows)
@@ -123,9 +123,18 @@ class Chef
         end
       end
 
+      def self.get_cert_user
+        Chef::Config[:auth_key_registry_type] == "user" ? "CurrentUser" : "LocalMachine"
+      end
+
+      def self.get_registry_user
+        Chef::Config[:auth_key_registry_type] == "user" ? "HKEY_CURRENT_USER" : "HKEY_LOCAL_MACHINE"
+      end
+
       def self.check_certstore_for_key(client_name)
+        store = get_cert_user
         powershell_code = <<~CODE
-          $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force  | Where-Object { $_.Subject -Match "chef-#{client_name}" } -ErrorAction Stop
+          $cert = Get-ChildItem -path cert:\\#{store}\\My -Recurse -Force  | Where-Object { $_.Subject -Match "chef-#{client_name}" } -ErrorAction Stop
           if (($cert.HasPrivateKey -eq $true) -and ($cert.PrivateKey.Key.ExportPolicy -ne "NonExportable")) {
             return $true
           }
@@ -164,49 +173,86 @@ class Chef
       end
 
       def self.get_cert_password
+        store = get_registry_user
         @win32registry = Chef::Win32::Registry.new
-        path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+        path = "#{store}\\Software\\Progress\\Authentication"
         # does the registry key even exist?
-        present = @win32registry.get_values(path)
-        if present.nil? || present.empty?
+        # password_blob should be an array of hashes
+        password_blob = @win32registry.get_values(path)
+        if password_blob.nil? || password_blob.empty?
           raise Chef::Exceptions::Win32RegKeyMissing
         end
 
-        present.each do |secret|
-          if secret[:name] == "PfxPass"
-            password = decrypt_pfx_pass(secret[:data])
-            return password
+        # Did someone have just the password stored in the registry?
+        raw_data = password_blob.map { |x| x[:data] }
+        vector = raw_data[2]
+        if !!vector
+          decrypted_password = decrypt_pfx_pass_with_vector(password_blob)
+        else
+          decrypted_password = decrypt_pfx_pass_with_password(password_blob)
+          if !!decrypted_password
+            migrate_pass_to_use_vector(decrypted_password)
+          else
+            Chef::Log.error("Failed to retrieve certificate password")
           end
         end
-
-        raise Chef::Exceptions::Win32RegKeyMissing
-
+        decrypted_password
       rescue Chef::Exceptions::Win32RegKeyMissing
         # if we don't have a password, log that and generate one
-        Chef::Log.warn "Authentication Hive and values not present in registry, creating them now"
-        new_path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+        store = get_registry_user
+        new_path = "#{store}\\Software\\Progress\\Authentication"
         unless @win32registry.key_exists?(new_path)
           @win32registry.create_key(new_path, true)
         end
-        require "securerandom" unless defined?(SecureRandom)
-        size = 14
-        password = SecureRandom.alphanumeric(size)
-        encrypted_pass = encrypt_pfx_pass(password)
-        values = { name: "PfxPass", type: :string, data: encrypted_pass }
-        @win32registry.set_value(new_path, values)
-        password
+        create_and_store_new_password
       end
 
-      def self.encrypt_pfx_pass(password)
+      def self.encrypt_pfx_pass_with_vector(password)
         powershell_code = <<~CODE
-          $encrypted_string = ConvertTo-SecureString "#{password}" -AsPlainText -Force
-          $secure_string = ConvertFrom-SecureString $encrypted_string
-          return $secure_string
+          $AES = [System.Security.Cryptography.Aes]::Create()
+          $key_temp = [System.Convert]::ToBase64String($AES.Key)
+          $iv_temp = [System.Convert]::ToBase64String($AES.IV)
+          $encryptor = $AES.CreateEncryptor()
+          [System.Byte[]]$Bytes =  [System.Text.Encoding]::Unicode.GetBytes("#{password}")
+          $EncryptedBytes = $encryptor.TransformFinalBlock($Bytes,0,$Bytes.Length)
+          $EncryptedBase64String = [System.Convert]::ToBase64String($EncryptedBytes)
+          # create array of encrypted pass, key, iv
+          $password_blob = @($EncryptedBase64String, $key_temp, $iv_temp)
+          return $password_blob
         CODE
         powershell_exec!(powershell_code).result
       end
 
-      def self.decrypt_pfx_pass(password)
+      def self.decrypt_pfx_pass_with_vector(password_blob)
+        raw_data = password_blob.map { |x| x[:data] }
+        password = raw_data[0]
+        key = raw_data[1]
+        vector = raw_data[2]
+
+        powershell_code = <<~CODE
+          $KeyBytes = [System.Convert]::FromBase64String("#{key}")
+          $IVBytes = [System.Convert]::FromBase64String("#{vector}")
+          $aes = [System.Security.Cryptography.Aes]::Create()
+          $aes.Key = $KeyBytes
+          $aes.IV = $IVBytes
+          $EncryptedBytes = [System.Convert]::FromBase64String("#{password}")
+          $Decryptor = $aes.CreateDecryptor()
+          $DecryptedBytes = $Decryptor.TransformFinalBlock($EncryptedBytes,0,$EncryptedBytes.Length)
+          $DecryptedString = [System.Text.Encoding]::Unicode.GetString($DecryptedBytes)
+          return $DecryptedString
+        CODE
+        results = powershell_exec!(powershell_code).result
+      end
+
+      def self.decrypt_pfx_pass_with_password(password_blob)
+        password = ""
+        password_blob.each do |secret|
+          if secret[:name] == "PfxPass"
+            password = secret[:data]
+          else
+            Chef::Log.error("Failed to retrieve a password for the private key")
+          end
+        end
         powershell_code = <<~CODE
           $secure_string = "#{password}" | ConvertTo-SecureString
           $string = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((($secure_string))))
@@ -215,14 +261,49 @@ class Chef
         powershell_exec!(powershell_code).result
       end
 
-      def self.retrieve_certificate_key(client_name)
-        require "openssl" unless defined?(OpenSSL)
+      def self.migrate_pass_to_use_vector(password)
+        store = get_cert_user
+        corrected_store = (store == "CurrentUser" ? "HKCU" : "HKLM")
+        powershell_code = <<~CODE
+          Remove-ItemProperty -Path "#{corrected_store}:\\Software\\Progress\\Authentication" -Name "PfXPass"
+        CODE
+        powershell_exec!(powershell_code)
+        create_and_store_new_password(password)
+      end
 
+      # This method name is a bit of a misnomer. We call it to legit create a new password using the vector format.
+      # But we also call it with a password that needs to be migrated to use the vector format too.
+      def self.create_and_store_new_password(password = nil)
+        @win32registry = Chef::Win32::Registry.new
+        store = get_registry_user
+        path = "#{store}\\Software\\Progress\\Authentication"
+        if password.nil?
+          require "securerandom" unless defined?(SecureRandom)
+          size = 14
+          password = SecureRandom.alphanumeric(size)
+        end
+        encrypted_blob = encrypt_pfx_pass_with_vector(password)
+        encrypted_password = encrypted_blob[0]
+        key = encrypted_blob[1]
+        vector = encrypted_blob[2]
+        values = [
+                  { name: "PfxPass", type: :string, data: encrypted_password },
+                  { name: "PfxKey", type: :string, data: key },
+                  { name: "PfxIV", type: :string, data: vector },
+                ]
+        values.each do |i|
+          @win32registry.set_value(path, i)
+        end
+        password
+      end
+
+      def self.retrieve_certificate_key(client_name)
         if ChefUtils.windows?
+          require "openssl" unless defined?(OpenSSL)
           password = get_cert_password
           return false unless password
 
-          if check_certstore_for_key(client_name)
+          if !!check_certstore_for_key(client_name)
             ps_blob = powershell_exec!(get_the_key_ps(client_name, password)).result
             file_path = ps_blob["PSPath"].split("::")[1]
             pkcs = OpenSSL::PKCS12.new(File.binread(file_path), password)
@@ -252,10 +333,11 @@ class Chef
       end
 
       def self.get_the_key_ps(client_name, password)
+        store = get_cert_user
         powershell_code = <<~CODE
             Try {
               $my_pwd = ConvertTo-SecureString -String "#{password}" -Force -AsPlainText;
-              $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } -ErrorAction Stop;
+              $cert = Get-ChildItem -path cert:\\#{store}\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } -ErrorAction Stop;
               $tempfile = [System.IO.Path]::GetTempPath() + "export_pfx.pfx";
               Export-PfxCertificate -Cert $cert -Password $my_pwd -FilePath $tempfile;
             }
@@ -266,8 +348,9 @@ class Chef
       end
 
       def self.delete_old_key_ps(client_name)
+        store = get_cert_user
         powershell_code = <<~CODE
-          Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } | Remove-Item -ErrorAction Stop;
+          Get-ChildItem -path cert:\\#{store}\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } | Remove-Item -ErrorAction Stop;
         CODE
       end
 

data/lib/chef/platform/query_helpers.rb

@@ -17,11 +17,14 @@
 #
 
 require "chef-utils" unless defined?(ChefUtils::CANARY)
+require_relative "../mixin/powershell_exec"
 
 class Chef
   class Platform
 
     class << self
+      include Chef::Mixin::PowershellExec
+
       def windows?
         ChefUtils.windows?
       end
@@ -58,8 +61,7 @@ class Chef
       end
 
       def dsc_refresh_mode_disabled?(node)
-        require_relative "../powershell"
-        exec = Chef::PowerShell.new("Get-DscLocalConfigurationManager")
+        exec = powershell_exec!("Get-DscLocalConfigurationManager")
         exec.error!
         exec.result["RefreshMode"] == "Disabled"
       end

data/lib/chef/resource/apt_repository.rb

@@ -187,6 +187,24 @@ class Chef
           end.compact
         end
 
+        # run the specified command and extract the public key ids
+        # accepts the command so it can be used to extract both the current keys
+        # and the new keys
+        # @param [Array<String>] cmd the command to run
+        #
+        # @return [Array] an array of key ids
+        def extract_public_keys_from_cmd(*cmd)
+          so = shell_out(*cmd)
+          # Sample output
+          # pub:-:4096:1:D94AA3F0EFE21092:1336774248:::-:::scSC::::::23::0:
+          so.stdout.split(/\n/).map do |t|
+            if t.match(/^pub:/)
+              f = t.split(":")
+              f.slice(0, 6).join(":")
+            end
+          end.compact
+        end
+
         # validate the key against the apt keystore to see if that version is expired
         # @param [String] key
         #
@@ -222,8 +240,8 @@ class Chef
         def no_new_keys?(file)
           # Now we are using the option --with-colons that works across old os versions
           # as well as the latest (16.10). This for both `apt-key` and `gpg` commands
-          installed_keys = extract_fingerprints_from_cmd(*LIST_APT_KEY_FINGERPRINTS)
-          proposed_keys = extract_fingerprints_from_cmd("gpg", "--with-fingerprint", "--with-colons", file)
+          installed_keys = extract_public_keys_from_cmd(*LIST_APT_KEY_FINGERPRINTS)
+          proposed_keys = extract_public_keys_from_cmd("gpg", "--with-fingerprint", "--with-colons", file)
           (installed_keys & proposed_keys).sort == proposed_keys.sort
         end
 

data/lib/chef/resource/bash.rb

@@ -43,6 +43,19 @@ class Chef
       end
       ```
 
+      **Using escape characters in a string of code**
+
+      In the following example, the `find` command uses an escape character (`\`). Use a second escape character (`\\`) to preserve the escape character in the code string:
+
+      ```ruby
+      bash 'delete some archives ' do
+        code <<-EOH
+          find ./ -name "*.tar.Z" -mtime +180 -exec rm -f {} \\;
+        EOH
+        ignore_failure true
+      end
+      ```
+
       **Install a file from a remote location**
 
       The following is an example of how to install the foo123 module for Nginx. This module adds shell-style functionality to an Nginx configuration file and does the following:

data/lib/chef/resource/dsc_script.rb

@@ -34,7 +34,7 @@ class Chef
         resource in #{ChefUtils::Dist::Infra::PRODUCT}, such as the Archive resource, a custom DSC resource, an existing DSC script that performs an important
         task, and so on. Use the dsc_script resource to embed the code that defines a DSC configuration directly within a #{ChefUtils::Dist::Infra::PRODUCT} recipe.
 
-        Warning: The **dsc_script** resource may not be used with the 32 bit Chef Infra client. It must be executed from a 64 bit Chef Infra client.
+        Warning: The **dsc_script** resource is only available on 64-bit Chef Infra Client.
       DESC
 
       default_action :run

data/lib/chef/resource/launchd.rb

@@ -21,7 +21,7 @@ require_relative "../resource"
 class Chef
   class Resource
     class Launchd < Chef::Resource
-      provides :launchd
+      provides :launchd, os: "darwin"
 
       description "Use the **launchd** resource to manage system-wide services (daemons) and per-user services (agents) on the macOS platform."
       introduced "12.8"
@@ -129,7 +129,7 @@ class Chef
       property :abandon_process_group, [ TrueClass, FalseClass ],
         description: "If a job dies, all remaining processes with the same process ID may be kept running. Set to true to kill all remaining processes."
 
-      property :associated_bundle_identifiers, Hash,
+      property :associated_bundle_identifiers, Array,
         description: "This optional key indicates which bundles the Login Items Added by Apps panel associates with the helper executable."
 
       property :debug, [ TrueClass, FalseClass ],

data/lib/chef/resource/macos_userdefaults.rb

@@ -50,15 +50,17 @@ class Chef
         end
         ```
 
-        **Specifying the type of a key to skip automatic type detection**
+        **Setting a value for specific user and hosts**
 
         ```ruby
-        macos_userdefaults 'Finder expanded save dialogs' do
-          key 'NSNavPanelExpandedStateForSaveMode'
-          value 'TRUE'
-          type 'bool'
+        macos_userdefaults 'Enable macOS firewall' do
+          key 'globalstate'
+          value 1
+          user 'jane'
+          host :current
         end
         ```
+
       DOC
 
       property :domain, String,
@@ -79,6 +81,7 @@ class Chef
 
       property :host, [String, Symbol],
         description: "Set either :current, :all or a hostname to set the user default at the host level.",
+        default: :all,
         desired_state: false,
         introduced: "16.3"
 
@@ -94,6 +97,7 @@ class Chef
 
       property :user, [String, Symbol],
         description: "The system user that the default will be applied to. Set :current for current user, :all for all users or pass a valid username",
+        default: :current,
         desired_state: false
 
       property :sudo, [TrueClass, FalseClass],

data/lib/chef/resource/rhsm_register.rb

@@ -92,7 +92,7 @@ class Chef
 
       property :release,
         [Float, String],
-        description: "Sets the operating system minor release to use for subscriptions for the system. Products and updates are limited to the specified minor release version. This is used with the `auto_attach` option, it may also be used with activation keys.  For example, `release '6.4'` will append `--release=6.4` to the register command.",
+        description: "Sets the operating system minor release to use for subscriptions for the system. Products and updates are limited to the specified minor release version. This is used with the `auto_attach` or `activation_key` options.  For example, `release '6.4'` will append `--release=6.4` to the register command.",
         introduced: "17.8"
 
       action :register, description: "Register the node with RHSM." do

data/lib/chef/resource/selinux_fcontext.rb

@@ -22,7 +22,7 @@ class Chef
 
       provides :selinux_fcontext
 
-      description "Use **selinux_fcontext** resource to set the SELinux context of files with semanage fcontext."
+      description "Use the **selinux_fcontext** resource to set the SELinux context of files using the `semanage fcontext` command."
       introduced "18.0"
       examples <<~DOC
       **Allow http servers (e.g. nginx/apache) to modify moodle files**:

data/lib/chef/resource/selinux_login.rb

@@ -0,0 +1,129 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+require_relative "selinux/common_helpers"
+
+class Chef
+  class Resource
+    class SelinuxLogin < Chef::Resource
+      unified_mode true
+
+      provides :selinux_login
+
+      description "Use the **selinux_login** resource to add, update, or remove SELinux user to OS login mappings."
+      introduced "18.1"
+      examples <<~DOC
+      **Manage test OS user mapping with a range of s0 and associated SELinux user test_u**:
+
+      ```ruby
+      selinux_login 'test' do
+        user 'test_u'
+        range 's0'
+      end
+      ```
+      DOC
+
+      property :login, String,
+                name_property: true,
+                description: "An optional property to set the OS user login value if it differs from the resource block's name."
+
+      property :user, String,
+                description: "SELinux user to be mapped."
+
+      property :range, String,
+                description: "MLS/MCS security range for the SELinux user."
+
+      load_current_value do |new_resource|
+        logins = shell_out!("semanage login -l").stdout.split("\n")
+
+        current_login = logins.grep(/^#{Regexp.escape(new_resource.login)}\s+/) do |l|
+          l.match(/^(?<login>[^\s]+)\s+(?<user>[^\s]+)\s+(?<range>[^\s]+)/)
+          # match returns [<Match 'data'>] or [], shift converts that to <Match 'data'> or nil
+        end.shift
+
+        current_value_does_not_exist! unless current_login
+
+        # Existing resources should maintain their current configuration unless otherwise specified
+        new_resource.user ||= current_login[:user]
+        new_resource.range ||= current_login[:range]
+
+        user current_login[:user]
+        range current_login[:range]
+      end
+
+      action_class do
+        include Chef::SELinux::CommonHelpers
+
+        def semanage_login_args
+          # Generate arguments for semanage login -a or -m
+          args = ""
+
+          args += " -s #{new_resource.user}" if new_resource.user
+          args += " -r #{new_resource.range}" if new_resource.range
+
+          args
+        end
+      end
+
+      action :manage, description: "Sets the SELinux login mapping to the desired settings regardless of previous state." do
+        run_action(:add)
+        run_action(:modify)
+      end
+
+      # Create if doesn't exist, do not touch if user already exists
+      action :add, description: "Creates the SELinux login mapping if not previously created." do
+        raise "The user property must be populated to create a new SELinux login" if new_resource.user.to_s.empty?
+
+        if selinux_disabled?
+          Chef::Log.warn("Unable to add SELinux login #{new_resource.login} as SELinux is disabled")
+          return
+        end
+
+        unless current_resource
+          converge_if_changed do
+            shell_out!("semanage login -a#{semanage_login_args} #{new_resource.login}")
+          end
+        end
+      end
+
+      # Only modify port if it exists & doesn't have the correct context already
+      action :modify, description: "Updates the SELinux login mapping if previously created." do
+        if selinux_disabled?
+          Chef::Log.warn("Unable to modify SELinux login #{new_resource.login} as SELinux is disabled")
+          return
+        end
+
+        if current_resource
+          converge_if_changed do
+            shell_out!("semanage login -m#{semanage_login_args} #{new_resource.login}")
+          end
+        end
+      end
+
+      # Delete if exists
+      action :delete, description: "Removes the SELinux login mapping if previously created." do
+        if selinux_disabled?
+          Chef::Log.warn("Unable to delete SELinux login #{new_resource.login} as SELinux is disabled")
+          return
+        end
+
+        if current_resource
+          converge_by "deleting SELinux login #{new_resource.login}" do
+            shell_out!("semanage login -d #{new_resource.login}")
+          end
+        end
+      end
+    end
+  end
+end