chef 18.1.29 → 18.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 01fc036d9cbe5a20b0ca17c3d09db60986f92c4759ce2b20212e0b34d9a57535
-  data.tar.gz: 16f9392fddd572bf0d5e58c35d2018a423ee20858038af6bc0d49aa5cdd55626
+  metadata.gz: 3856e8d0d5224634cad3eb9d43ecf3e87cc504ee881474f7698a14eb90e15088
+  data.tar.gz: 7830af2c8acab4e76176876a2aaac1363d9a8ff706a78422ec98d6d522772856
 SHA512:
-  metadata.gz: e7ca0d1982af93db302d882654d42544dee4344ee9c9025c8ea857e2bf6fcb9f6dfdebd7b8eb78dd559e88d4597a6153d3acd04397eb708cc419ca0f782ed380
-  data.tar.gz: 673c088d0f223b34daa9cf14a7598d80d0b5c7276e6478d54a93e64c12550235a05c10d39cba1d9d522a5b42fa654c113d943e618c1e4eea9cf45bae9ec81ae2
+  metadata.gz: 4503271efa5b5e0713e2753056c32f6c9fb044935802571d8ef3a4024788dd23f9b6ca7da74e1210d1eaedf03b2b44ecc6e7a0e28059078e815b78161ca4e502
+  data.tar.gz: 150281399db54afc60e2f910b3dd4322b0d6f287f97d57b9c530fea39d705bbc4dd0b89cb43807f642674c0ae0ce20d40964bba5fe757a76d4af71fa6b7dc7d1

data/chef-universal-mingw-ucrt.gemspec

@@ -15,9 +15,9 @@ gemspec.add_dependency "wmi-lite", "~> 1.0"
 gemspec.add_dependency "win32-taskscheduler", "~> 2.0"
 gemspec.add_dependency "iso8601", ">= 0.12.1", "< 0.14" # validate 0.14 when it comes out
 gemspec.add_dependency "win32-certstore", "~> 0.6.15" # 0.5+ required for specifying user vs. system store
-gemspec.add_dependency "chef-powershell", "~> 1.0.12" # The guts of the powershell_exec code have been moved to its own gem, chef-powershell. It's part of the chef-powershell-shim repo.
+gemspec.add_dependency "chef-powershell", "~> 18.1.0" # The guts of the powershell_exec code have been moved to its own gem, chef-powershell. It's part of the chef-powershell-shim repo.
 
 gemspec.extensions << "ext/win32-eventlog/Rakefile"
 gemspec.files += Dir.glob("{distro,ext}/**/*")
 
-gemspec
+gemspec

data/chef.gemspec

@@ -49,8 +49,7 @@ Gem::Specification.new do |s|
   s.add_dependency "net-ftp" # remote_file resource
   s.add_dependency "erubis", "~> 2.7" # template resource / cookbook syntax check
   s.add_dependency "diff-lcs", ">= 1.2.4", "!= 1.4.0", "< 1.6.0" # 1.4 breaks output. Used in lib/chef/util/diff
-  # s.add_dependency "ffi-libarchive", "~> 1.0", ">= 1.0.3" # archive_file resource
-  s.add_dependency "ffi-libarchive", "~> 1.1", ">= 1.1.3"
+  s.add_dependency "ffi-libarchive", "~> 1.0", ">= 1.0.3" # archive_file resource
   s.add_dependency "chef-zero", ">= 14.0.11"
   s.add_dependency "chef-vault" # chef-vault resources and helpers
 

data/lib/chef/application/base.rb

@@ -24,6 +24,8 @@ require "chef-utils/dist" unless defined?(ChefUtils::Dist)
 require_relative "../daemon"
 require "chef-config/mixin/dot_d"
 require "license_acceptance/cli_flags/mixlib_cli"
+require "chef/monkey_patches/net-http"
+
 module Mixlib
   autoload :Archive, "mixlib/archive"
 end

data/lib/chef/client.rb

@@ -663,7 +663,7 @@ class Chef
           logger.trace("New client keys created in the Certificate Store - skipping registration")
         end
         events.skipping_registration(client_name, config)
-      elsif File.exists?(config[:client_key])
+      elsif File.exist?(config[:client_key])
         events.skipping_registration(client_name, config)
         logger.trace("Client key #{config[:client_key]} is present - skipping registration")
       else
@@ -1069,7 +1069,7 @@ class Chef
     end
 
     def empty_directory?(path)
-      !File.exists?(path) || (Dir.entries(path).size <= 2)
+      !File.exist?(path) || (Dir.entries(path).size <= 2)
     end
 
     def is_last_element?(index, object)

data/lib/chef/cookbook/synchronizer.rb

@@ -18,6 +18,7 @@ require_relative "../util/threaded_job_queue"
 require_relative "../server_api"
 require "singleton" unless defined?(Singleton)
 require "chef-utils/dist" unless defined?(ChefUtils::Dist)
+require "set" unless defined?(Set)
 
 class Chef
 
@@ -219,14 +220,31 @@ class Chef
 
     # remove deleted files in cookbooks that are being used on the node
     def remove_deleted_files
+      cache_file_hash = {}
+      @cookbooks_by_name.each_key do |k|
+        cache_file_hash[k] = {}
+      end
+
+      # First populate files from cache
       cache.find(File.join(%w{cookbooks ** {*,.*}})).each do |cache_file|
         md = cache_file.match(%r{^cookbooks/([^/]+)/([^/]+)/(.*)})
         next unless md
 
-        ( cookbook_name, segment, file ) = md[1..3]
+        (cookbook_name, segment, file) = md[1..3]
         if have_cookbook?(cookbook_name)
+          cache_file_hash[cookbook_name][segment] ||= {}
+          cache_file_hash[cookbook_name][segment]["#{segment}/#{file}"] = cache_file
+        end
+      end
+      # Determine which files don't match manifest
+      @cookbooks_by_name.each_key do |cookbook_name|
+        cache_file_hash[cookbook_name].each_key do |segment|
           manifest_segment = cookbook_segment(cookbook_name, segment)
-          if manifest_segment.select { |manifest_record| manifest_record["path"] == "#{segment}/#{file}" }.empty?
+          manifest_record_paths = manifest_segment.map { |manifest_record| manifest_record["path"] }.to_set
+          to_be_removed = cache_file_hash[cookbook_name][segment].keys.to_set - manifest_record_paths
+          to_be_removed.each do |path|
+            cache_file = cache_file_hash[cookbook_name][segment][path]
+
             Chef::Log.info("Removing #{cache_file} from the cache; its is no longer in the cookbook manifest.")
             cache.delete(cache_file)
             @events.removed_cookbook_file(cache_file)

data/lib/chef/cookbook_version.rb

@@ -474,7 +474,7 @@ class Chef
     end
 
     def reload_metadata!
-      if File.exists?(metadata_json_file)
+      if File.exist?(metadata_json_file)
         metadata.from_json(IO.read(metadata_json_file))
       end
     end

data/lib/chef/http/authenticator.rb

@@ -124,11 +124,11 @@ class Chef
       end
 
       def self.get_cert_user
-        Chef::Config[:auth_key_registry_type] == "user" ? store = "CurrentUser" : store = "LocalMachine"
+        Chef::Config[:auth_key_registry_type] == "user" ? "CurrentUser" : "LocalMachine"
       end
 
       def self.get_registry_user
-        Chef::Config[:auth_key_registry_type] == "user" ? store = "HKEY_CURRENT_USER" : store = "HKEY_LOCAL_MACHINE"
+        Chef::Config[:auth_key_registry_type] == "user" ? "HKEY_CURRENT_USER" : "HKEY_LOCAL_MACHINE"
       end
 
       def self.check_certstore_for_key(client_name)

data/lib/chef/http/ssl_policies.rb

@@ -103,10 +103,10 @@ class Chef
         unless config[:ssl_client_cert] && config[:ssl_client_key]
           raise Chef::Exceptions::ConfigurationError, "You must configure ssl_client_cert and ssl_client_key together"
         end
-        unless ::File.exists?(config[:ssl_client_cert])
+        unless ::File.exist?(config[:ssl_client_cert])
           raise Chef::Exceptions::ConfigurationError, "The configured ssl_client_cert #{config[:ssl_client_cert]} does not exist"
         end
-        unless ::File.exists?(config[:ssl_client_key])
+        unless ::File.exist?(config[:ssl_client_key])
           raise Chef::Exceptions::ConfigurationError, "The configured ssl_client_key #{config[:ssl_client_key]} does not exist"
         end
 

data/lib/chef/mixin/homebrew_user.rb

@@ -57,18 +57,25 @@ class Chef
         @homebrew_owner_username
       end
 
+      def homebrew_bin_path(brew_bin_path = nil)
+        if brew_bin_path && ::File.exist?(brew_bin_path)
+          brew_bin_path
+        else
+          brew_bin_path = [which("brew"), "/opt/homebrew/bin/brew", "/usr/local/bin/brew", "/home/linuxbrew/.linuxbrew/bin/brew"].uniq.select { |x| ::File.exist?(x) && ::File.executable?(x) }.first
+          brew_bin_path || nil
+        end
+      end
+
       private
 
       def calculate_owner
-        default_brew_path = "/usr/local/bin/brew"
-        if ::File.exist?(default_brew_path)
+        brew_path = homebrew_bin_path
+        if brew_path
           # By default, this follows symlinks which is what we want
-          owner = ::File.stat(default_brew_path).uid
-        elsif (brew_path = shell_out("which brew").stdout.strip) && !brew_path.empty?
           owner = ::File.stat(brew_path).uid
         else
           raise Chef::Exceptions::CannotDetermineHomebrewOwner,
-            'Could not find the "brew" executable in /usr/local/bin or anywhere on the path.'
+            'Could not find the "brew" executable anywhere on the path.'
         end
 
         Chef::Log.debug "Found Homebrew owner #{Etc.getpwuid(owner).name}; executing `brew` commands as them"

data/lib/chef/mixin/proxified_socket.rb

@@ -15,7 +15,7 @@
 # limitations under the License.
 #
 
-require "proxifier2"
+require "proxifier"
 require "chef-config/mixin/fuzzy_hostname_matcher"
 
 class Chef

data/lib/chef/monkey_patches/net-http.rb

@@ -0,0 +1,127 @@
+if RUBY_VERSION.split(".")[0..1].join(".") == "3.1"
+  require "net/http" unless defined?(Net::HTTP)
+  # This is monkey-patch for ruby 3.1.x
+  # Due to change https://github.com/ruby/net-http/pull/10, when making net/http requests to a url which supports only IPv6 and not IPv4,
+  # ruby waits for IPv4 request to timeout first, then makes IPv6 request. This increased response time.
+  # NOTE 1: This is already reverted https://github.com/ruby/ruby/commit/f88bff770578583a708093f4a0d8b1483a1d2039 but under ruby 3.2.2
+  # NOTE 2: We are patching action `connect` from here https://github.com/ruby/ruby/blob/f88bff770578583a708093f4a0d8b1483a1d2039/lib/net/http.rb#L1000
+
+  module Net
+    class HTTP
+      def connect
+        if use_ssl?
+          # reference early to load OpenSSL before connecting,
+          # as OpenSSL may take time to load.
+          @ssl_context = OpenSSL::SSL::SSLContext.new
+        end
+
+        if proxy?
+          conn_addr = proxy_address
+          conn_port = proxy_port
+        else
+          conn_addr = conn_address
+          conn_port = port
+        end
+
+        puts "opening connection to #{conn_addr}:#{conn_port}..."
+        s = Timeout.timeout(@open_timeout, Net::OpenTimeout) {
+          begin
+            TCPSocket.open(conn_addr, conn_port, @local_host, @local_port)
+          rescue => e
+            raise e, "Failed to open TCP connection to " +
+              "#{conn_addr}:#{conn_port} (#{e.message})"
+          end
+        }
+        s.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
+        puts "opened"
+        if use_ssl?
+          if proxy?
+            plain_sock = BufferedIO.new(s, read_timeout: @read_timeout,
+                                        write_timeout: @write_timeout,
+                                        continue_timeout: @continue_timeout,
+                                        debug_output: @debug_output)
+            buf = "CONNECT #{conn_address}:#{@port} HTTP/#{HTTPVersion}\r\n"
+            buf << "Host: #{@address}:#{@port}\r\n"
+            if proxy_user
+              credential = ["#{proxy_user}:#{proxy_pass}"].pack("m0")
+              buf << "Proxy-Authorization: Basic #{credential}\r\n"
+            end
+            buf << "\r\n"
+            plain_sock.write(buf)
+            HTTPResponse.read_new(plain_sock).value
+            # assuming nothing left in buffers after successful CONNECT response
+          end
+
+          ssl_parameters = {}
+          iv_list = instance_variables
+          SSL_IVNAMES.each_with_index do |ivname, i|
+            if iv_list.include?(ivname)
+              value = instance_variable_get(ivname)
+              unless value.nil?
+                ssl_parameters[SSL_ATTRIBUTES[i]] = value
+              end
+            end
+          end
+          @ssl_context.set_params(ssl_parameters)
+          unless @ssl_context.session_cache_mode.nil? # a dummy method on JRuby
+            @ssl_context.session_cache_mode =
+                OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT |
+                OpenSSL::SSL::SSLContext::SESSION_CACHE_NO_INTERNAL_STORE
+          end
+          if @ssl_context.respond_to?(:session_new_cb) # not implemented under JRuby
+            @ssl_context.session_new_cb = proc { |sock, sess| @ssl_session = sess }
+          end
+
+          # Still do the post_connection_check below even if connecting
+          # to IP address
+          verify_hostname = @ssl_context.verify_hostname
+
+          # requiring 'resolv' near the top of the file causes registry.rb monkey patch to fail
+          # Windows 2012 R2 somehow fails to have Resolv defined unless we require it manually
+          require "resolv" unless defined?(Resolv)
+
+          # Server Name Indication (SNI) RFC 3546/6066
+          case @address
+          when ::Resolv::IPv4::Regex, ::Resolv::IPv6::Regex
+            # don't set SNI, as IP addresses in SNI is not valid
+            # per RFC 6066, section 3.
+
+            # Avoid openssl warning
+            @ssl_context.verify_hostname = false
+          else
+            ssl_host_address = @address
+          end
+
+          puts "starting SSL for #{conn_addr}:#{conn_port}..."
+          s = OpenSSL::SSL::SSLSocket.new(s, @ssl_context)
+          s.sync_close = true
+          s.hostname = ssl_host_address if s.respond_to?(:hostname=) && ssl_host_address
+
+          if @ssl_session &&
+              (Process.clock_gettime(Process::CLOCK_REALTIME) < @ssl_session.time.to_f + @ssl_session.timeout)
+            s.session = @ssl_session
+          end
+          ssl_socket_connect(s, @open_timeout)
+          if (@ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE) && verify_hostname
+            s.post_connection_check(@address)
+          end
+          puts "SSL established, protocol: #{s.ssl_version}, cipher: #{s.cipher[0]}"
+        end
+        @socket = BufferedIO.new(s, read_timeout: @read_timeout,
+                                write_timeout: @write_timeout,
+                                continue_timeout: @continue_timeout,
+                                debug_output: @debug_output)
+        @last_communicated = nil
+        on_connect
+      rescue => exception
+        if s
+          puts "Conn close because of connect error #{exception}"
+          s.close
+        end
+        raise
+      end
+    end
+  end
+else
+  warn "Not applying net/http monkey patch needed for ruby 3.1"
+end

data/lib/chef/node/attribute_collections.rb

@@ -39,11 +39,19 @@ class Chef
       MUTATOR_METHODS.each do |mutator|
         define_method(mutator) do |*args, &block|
           ret = super(*args, &block)
+          # TODO: use `send_reset_cache(__path__)` for all mutator methods?
           send_reset_cache
           ret
         end
       end
 
+      def <<(obj)
+        ret = super(obj)
+        # NOTE: Expecting __path__ to be top-level attribute only
+        send_reset_cache(__path__)
+        ret
+      end
+
       def delete(key, &block)
         send_reset_cache(__path__, key)
         super

data/lib/chef/node/immutable_collections.rb

@@ -32,13 +32,16 @@ class Chef
       end
 
       def convert_value(value)
+        # The order in this case statement is *important*.
+        # ImmutableMash and ImmutableArray should be tested first,
+        # as this saves unnecessary creation of intermediate objects
         case value
+        when ImmutableMash, ImmutableArray
+          value
         when Hash
           ImmutableMash.new(value, __root__, __node__, __precedence__)
         when Array
           ImmutableArray.new(value, __root__, __node__, __precedence__)
-        when ImmutableMash, ImmutableArray
-          value
         else
           safe_dup(value).freeze
         end

data/lib/chef/node/mixin/state_tracking.rb

@@ -78,7 +78,7 @@ class Chef
 
         def send_reset_cache(path = nil, key = nil)
           next_path = [ path, key ].flatten.compact
-          __root__.reset_cache(next_path.first) if !__root__.nil? && __root__.respond_to?(:reset_cache) && !next_path.nil?
+          __root__.reset_cache(next_path.first) if !__root__.nil? && __root__.respond_to?(:reset_cache)
         end
 
         def copy_state_to(ret, next_path)

data/lib/chef/platform/query_helpers.rb

@@ -17,11 +17,14 @@
 #
 
 require "chef-utils" unless defined?(ChefUtils::CANARY)
+require_relative "../mixin/powershell_exec"
 
 class Chef
   class Platform
 
     class << self
+      include Chef::Mixin::PowershellExec
+
       def windows?
         ChefUtils.windows?
       end
@@ -58,8 +61,7 @@ class Chef
       end
 
       def dsc_refresh_mode_disabled?(node)
-        require_relative "../powershell"
-        exec = Chef::PowerShell.new("Get-DscLocalConfigurationManager")
+        exec = powershell_exec!("Get-DscLocalConfigurationManager")
         exec.error!
         exec.result["RefreshMode"] == "Disabled"
       end

data/lib/chef/provider/launchd.rb

@@ -52,7 +52,7 @@ class Chef
       end
 
       action :delete, description: "Delete a launchd property list. This will unload a daemon or agent, if loaded." do
-        if ::File.exists?(path)
+        if ::File.exist?(path)
           manage_service(:disable)
         end
         manage_plist(:delete)

data/lib/chef/provider/mount/linux.rb

@@ -39,7 +39,7 @@ class Chef
 
         def mounted?
           mounted = false
-          real_mount_point = if ::File.exists? @new_resource.mount_point
+          real_mount_point = if ::File.exist? @new_resource.mount_point
                                ::File.realpath(@new_resource.mount_point)
                              else
                                @new_resource.mount_point

data/lib/chef/provider/mount/mount.rb

@@ -42,9 +42,9 @@ class Chef
 
         def mountable?
           # only check for existence of non-remote devices
-          if device_should_exist? && !::File.exists?(device_real)
+          if device_should_exist? && !::File.exist?(device_real)
             raise Chef::Exceptions::Mount, "Device #{@new_resource.device} does not exist"
-          elsif @new_resource.mount_point != "none" && !::File.exists?(@new_resource.mount_point)
+          elsif @new_resource.mount_point != "none" && !::File.exist?(@new_resource.mount_point)
             raise Chef::Exceptions::Mount, "Mount point #{@new_resource.mount_point} does not exist"
           end
 
@@ -81,7 +81,7 @@ class Chef
           # "mount" outputs the mount points as real paths. Convert
           # the mount_point of the resource to a real path in case it
           # contains symlinks in its parents dirs.
-          real_mount_point = if ::File.exists? @new_resource.mount_point
+          real_mount_point = if ::File.exist? @new_resource.mount_point
                                ::File.realpath(@new_resource.mount_point)
                              else
                                @new_resource.mount_point
@@ -186,7 +186,7 @@ class Chef
         def device_should_exist?
           ( @new_resource.device != "none" ) &&
             ( not network_device? ) &&
-            ( not %w{ cgroup tmpfs fuse vboxsf zfs }.include? @new_resource.fstype )
+            ( not %w{ cgroup tmpfs fuse vboxsf zfs efivarfs }.include? @new_resource.fstype )
         end
 
         private
@@ -287,4 +287,4 @@ class Chef
       end
     end
   end
-end
+end

data/lib/chef/provider/package/chocolatey.rb

@@ -130,6 +130,21 @@ class Chef
         # install from, but like the rubygem provider's sources which are more like repos.
         def check_resource_semantics!; end
 
+        def self.get_choco_version
+          @get_choco_version ||= powershell_exec!("choco --version").result
+        end
+
+        # Choco V2 uses 'Search' for remote repositories and 'List' for local packages
+        def self.query_command
+          return "list" if get_choco_version.match?(/^1/)
+
+          "search"
+        end
+
+        def query_command
+          self.class.query_command
+        end
+
         private
 
         def version_compare(v1, v2)
@@ -225,7 +240,7 @@ class Chef
           package_name_array.each do |pkg|
             available_versions =
               begin
-                cmd = [ "list", "-r", pkg ]
+                cmd = [ query_command, "-r", pkg ]
                 cmd += common_options
                 cmd.push( new_resource.list_options ) if new_resource.list_options
 
@@ -242,6 +257,8 @@ class Chef
         # Installed packages in chocolatey as a Hash of names mapped to versions
         # (names are downcased for case-insensitive matching)
         #
+        # Beginning with Choco 2.0, "list" returns local packages only while "search" returns packages from external package sources
+        #
         # @return [Hash] name-to-version mapping of installed packages
         def installed_packages
           @installed_packages ||= Hash[*parse_list_output("list", "-l", "-r").flatten]

data/lib/chef/provider/package/zypper.rb

@@ -141,6 +141,7 @@ class Chef
             if md = line.match(/^(\S*)\s+\|\s+(\S+)\s+\|\s+(\S+)\s+\|\s+(\S+)\s+\|\s+(\S+)\s+\|\s+(.*)$/)
               (status, name, type, version, arch, repo) = [ md[1], md[2], md[3], md[4], md[5], md[6] ]
               next if version == "Version" # header
+              next if name != package_name
 
               # sometimes even though we request a specific version in the search string above and have match exact, we wind up
               # with other versions in the output, particularly getting the installed version when downgrading.

data/lib/chef/provider/remote_file/http.rb

@@ -113,7 +113,7 @@ class Chef
         end
 
         def last_modified_time_from(response)
-          response["last_modified"] || response["date"]
+          response["last-modified"] || response["date"]
         end
 
         def etag_from(response)

data/lib/chef/provider/yum_repository.rb

@@ -45,7 +45,7 @@ class Chef
           if new_resource.make_cache
             notifies :run, "execute[yum clean metadata #{new_resource.repositoryid}]", :immediately if new_resource.clean_metadata || new_resource.clean_headers
             # makecache fast only works on non-dnf systems.
-            if !which "dnf" && new_resource.makecache_fast
+            if !which("dnf") && new_resource.makecache_fast
               notifies :run, "execute[yum-makecache-fast-#{new_resource.repositoryid}]", :immediately
             else
               notifies :run, "execute[yum-makecache-#{new_resource.repositoryid}]", :immediately

data/lib/chef/resource/apt_repository.rb

@@ -98,6 +98,18 @@ class Chef
         end
         ```
 
+        **Add repository that needs custom options**:
+        ```ruby
+        apt_repository 'corretto' do
+          uri          'https://apt.corretto.aws'
+          arch         'amd64'
+          distribution 'stable'
+          components   ['main']
+          options      ['target-=Contents-deb']
+          key          'https://apt.corretto.aws/corretto.key'
+        end
+        ```
+
         **Remove a repository from the list**:
 
         ```ruby
@@ -159,6 +171,10 @@ class Chef
         description: "Determines whether to rebuild the APT package cache.",
         default: true, desired_state: false
 
+      property :options, [String, Array],
+        description: "Additional options to set for the repository",
+        default: [], coerce: proc { |x| Array(x) }
+
       default_action :add
       allowed_actions :add, :remove
 
@@ -388,19 +404,21 @@ class Chef
         # @param [Array] components
         # @param [Boolean] trusted
         # @param [String] arch
+        # @param [Array] options
         # @param [Boolean] add_src
         #
         # @return [String] complete repo config text
-        def build_repo(uri, distribution, components, trusted, arch, add_src = false)
+        def build_repo(uri, distribution, components, trusted, arch, options, add_src = false)
           uri = make_ppa_url(uri) if is_ppa_url?(uri)
 
           uri = Addressable::URI.parse(uri)
           components = Array(components).join(" ")
-          options = []
-          options << "arch=#{arch}" if arch
-          options << "trusted=yes" if trusted
-          optstr = unless options.empty?
-                     "[" + options.join(" ") + "]"
+          options_list = []
+          options_list << "arch=#{arch}" if arch
+          options_list << "trusted=yes" if trusted
+          options_list += options
+          optstr = unless options_list.empty?
+                     "[" + options_list.join(" ") + "]"
                    end
           info = [ optstr, uri.normalize.to_s, distribution, components ].compact.join(" ")
           repo =  "deb      #{info}\n"
@@ -461,6 +479,7 @@ class Chef
           repo_components,
           new_resource.trusted,
           new_resource.arch,
+          new_resource.options,
           new_resource.deb_src
         )
 

data/lib/chef/resource/homebrew_cask.rb

@@ -45,8 +45,7 @@ class Chef
         default: true
 
       property :homebrew_path, String,
-        description: "The path to the homebrew binary.",
-        default: "/usr/local/bin/brew"
+        description: "The path to the Homebrew binary."
 
       property :owner, [String, Integer],
         description: "The owner of the Homebrew installation.",
@@ -56,14 +55,14 @@ class Chef
       action :install, description: "Install an application that is packaged as a Homebrew cask." do
         if new_resource.install_cask
           homebrew_tap "homebrew/cask" do
-            homebrew_path new_resource.homebrew_path
+            homebrew_path homebrew_bin_path(new_resource.homebrew_path)
             owner new_resource.owner
           end
         end
 
         unless casked?
           converge_by("install cask #{new_resource.cask_name} #{new_resource.options}") do
-            shell_out!("#{new_resource.homebrew_path} install --cask #{new_resource.cask_name} #{new_resource.options}",
+            shell_out!("#{homebrew_bin_path(new_resource.homebrew_path)} install --cask #{new_resource.cask_name} #{new_resource.options}",
               user: new_resource.owner,
               env:  { "HOME" => ::Dir.home(new_resource.owner), "USER" => new_resource.owner },
               cwd: ::Dir.home(new_resource.owner))
@@ -74,14 +73,14 @@ class Chef
       action :remove, description: "Remove an application that is packaged as a Homebrew cask." do
         if new_resource.install_cask
           homebrew_tap "homebrew/cask" do
-            homebrew_path new_resource.homebrew_path
+            homebrew_path homebrew_bin_path(new_resource.homebrew_path)
             owner new_resource.owner
           end
         end
 
         if casked?
           converge_by("uninstall cask #{new_resource.cask_name}") do
-            shell_out!("#{new_resource.homebrew_path} uninstall --cask #{new_resource.cask_name}",
+            shell_out!("#{homebrew_bin_path(new_resource.homebrew_path)} uninstall --cask #{new_resource.cask_name}",
               user: new_resource.owner,
               env:  { "HOME" => ::Dir.home(new_resource.owner), "USER" => new_resource.owner },
               cwd: ::Dir.home(new_resource.owner))
@@ -99,7 +98,7 @@ class Chef
         # @return [Boolean]
         def casked?
           unscoped_name = new_resource.cask_name.split("/").last
-          shell_out!("#{new_resource.homebrew_path} list --cask 2>/dev/null",
+          shell_out!("#{homebrew_bin_path(new_resource.homebrew_path)} list --cask 2>/dev/null",
             user: new_resource.owner,
             env:  { "HOME" => ::Dir.home(new_resource.owner), "USER" => new_resource.owner },
             cwd: ::Dir.home(new_resource.owner)).stdout.split.include?(unscoped_name)

data/lib/chef/resource/homebrew_package.rb

@@ -63,7 +63,7 @@ class Chef
       allowed_actions :install, :upgrade, :remove, :purge
 
       property :homebrew_user, [ String, Integer ],
-        description: "The name or uid of the Homebrew owner to be used by #{ChefUtils::Dist::Infra::PRODUCT} when executing a command.\n\n#{ChefUtils::Dist::Infra::PRODUCT}, by default, will attempt to execute a Homebrew command as the owner of the `/usr/local/bin/brew` executable. If that executable does not exist, #{ChefUtils::Dist::Infra::PRODUCT} will attempt to find the user by executing `which brew`. If that executable cannot be found, #{ChefUtils::Dist::Infra::PRODUCT} will print an error message: `Could not find the 'brew' executable in /usr/local/bin or anywhere on the path.`.\n\nSet this property to specify the Homebrew owner for situations where Chef Infra Client cannot automatically detect the correct owner.'"
+        description: "The name or uid of the Homebrew owner to be used by #{ChefUtils::Dist::Infra::PRODUCT} when executing a command.\n\n#{ChefUtils::Dist::Infra::PRODUCT}, by default, will attempt to execute a Homebrew command as the owner of the `/usr/local/bin/brew` executable on x86_64 machines or `/opt/homebrew/bin/brew` executable on arm64 machines. If that executable does not exist, #{ChefUtils::Dist::Infra::PRODUCT} will attempt to find the user by executing `which brew`. If that executable cannot be found, #{ChefUtils::Dist::Infra::PRODUCT} will print an error message: `Could not find the 'brew' executable in /usr/local/bin, /opt/homebrew/bin, or anywhere on the path.`.\n\nSet this property to specify the Homebrew owner for situations where Chef Infra Client cannot automatically detect the correct owner.'"
 
     end
   end