chef 18.4.12 → 18.6.2

data/lib/chef/provider/package/homebrew.rb

@@ -18,7 +18,7 @@
 #
 
 require "etc" unless defined?(Etc)
-require_relative "../../mixin/homebrew_user"
+require_relative "../../mixin/homebrew"
 
 class Chef
   class Provider
@@ -30,7 +30,7 @@ class Chef
         provides :package, os: "darwin"
         provides :homebrew_package
 
-        include Chef::Mixin::HomebrewUser
+        include Chef::Mixin::Homebrew
 
         def load_current_resource
           @current_resource = Chef::Resource::HomebrewPackage.new(new_resource.name)
@@ -63,9 +63,8 @@ class Chef
         # and which packages can be upgrades. We do this by checking if brew_info has an entry
         # via the installed_version helper.
         def upgrade_package(names, versions)
-          # @todo when we no longer support Ruby 2.6 this can be simplified to be a .filter_map
-          upgrade_pkgs = names.select { |x| x if installed_version(x) }.compact
-          install_pkgs = names.select { |x| x unless installed_version(x) }.compact
+          upgrade_pkgs = names.filter_map { |x| x if installed_version(x) }
+          install_pkgs = names.filter_map { |x| x unless installed_version(x) }
 
           brew_cmd_output("upgrade", options, upgrade_pkgs) unless upgrade_pkgs.empty?
           brew_cmd_output("install", options, install_pkgs) unless install_pkgs.empty?
@@ -182,7 +181,7 @@ class Chef
           homebrew_uid = find_homebrew_uid(new_resource.respond_to?(:homebrew_user) && new_resource.homebrew_user)
           homebrew_user = Etc.getpwuid(homebrew_uid)
 
-          logger.trace "Executing 'brew #{command.join(" ")}' as user '#{homebrew_user.name}'"
+          logger.trace "Executing '#{homebrew_bin_path} #{command.join(" ")}' as user '#{homebrew_user.name}'"
 
           # allow the calling method to decide if the cmd should raise or not
           # brew_info uses this when querying out available package info since a bad
@@ -190,11 +189,9 @@ class Chef
           # the package provider can magically handle that
           shell_out_cmd = options[:allow_failure] ? :shell_out : :shell_out!
 
-          # FIXME: this 1800 second default timeout should be deprecated
-          output = send(shell_out_cmd, "brew", *command, timeout: 1800, user: homebrew_uid, environment: { "HOME" => homebrew_user.dir, "RUBYOPT" => nil, "TMPDIR" => nil })
+          output = send(shell_out_cmd, homebrew_bin_path, *command, user: homebrew_uid, login: true, environment: { "HOME" => homebrew_user.dir, "RUBYOPT" => nil, "TMPDIR" => nil })
           output.stdout.chomp
         end
-
       end
     end
   end

data/lib/chef/provider/package/powershell.rb

@@ -127,6 +127,7 @@ class Chef
           command.push("-RequiredVersion #{version}") if version
           command.push("-Source #{new_resource.source}") if new_resource.source && cmdlet_name =~ Regexp.union(/Install-Package/, /Find-Package/)
           command.push("-SkipPublisherCheck") if new_resource.skip_publisher_check && cmdlet_name !~ /Find-Package/
+          command.push("-AllowClobber") if new_resource.allow_clobber
           if new_resource.options && cmdlet_name !~ Regexp.union(/Get-Package/, /Find-Package/)
             new_resource.options.each do |arg|
               command.push(arg) unless command.include?(arg)

data/lib/chef/provider/package/rubygems.rb

@@ -136,6 +136,10 @@ class Chef
             if defined?(Gem::Format) && Gem::Package.respond_to?(:open)
               Gem::Format.from_file_by_path(file).spec
             else
+              # Gem::Package is getting defined as an empty class as of bundler 2.5.23
+              # and therefore won't autoload
+              # ["bundler-2.5.23/lib/bundler/rubygems_ext.rb", 457]
+              require "rubygems/package" if Gem::Package.method(:new).source_location.nil?
               Gem::Package.new(file).spec
             end
           end

data/lib/chef/provider/package/snap.rb

@@ -218,6 +218,7 @@ class Chef
           waiting = true
           while waiting
             result = get_change_id(id)
+
             case result["result"]["status"]
             when "Do", "Doing", "Undoing", "Undo"
               # Continue

data/lib/chef/provider/package/zypper.rb

@@ -146,7 +146,6 @@ class Chef
             if md = line.match(/^(\S*)\s+\|\s+(\S+)\s+\|\s+(\S+)\s+\|\s+(\S+)\s+\|\s+(\S+)\s+\|\s+(.*)$/)
               (status, name, type, version, arch, repo) = [ md[1], md[2], md[3], md[4], md[5], md[6] ]
               next if version == "Version" # header
-              next if name != package_name
 
               # sometimes even though we request a specific version in the search string above and have match exact, we wind up
               # with other versions in the output, particularly getting the installed version when downgrading.

data/lib/chef/provider/service/windows.rb

@@ -74,7 +74,6 @@ class Chef::Provider::Service::Windows < Chef::Provider::Service
       current_resource.run_as_user(config_info.service_start_name)    if config_info.service_start_name
       current_resource.display_name(config_info.display_name)         if config_info.display_name
       current_resource.delayed_start(current_delayed_start)           if current_delayed_start
-      current_resource.description(config_info.description)           if new_resource.description
     end
 
     current_resource

data/lib/chef/provider/user/windows.rb

@@ -85,7 +85,12 @@ class Chef
           @net_user.update(**set_options)
         end
 
+        def clear_account_rights(name)
+          Chef::ReservedNames::Win32::Security.clear_account_rights(name)
+        end
+
         def remove_user
+          clear_account_rights(new_resource.username)
           @net_user.delete
         end
 

data/lib/chef/resource/chef_client_config.rb

@@ -195,10 +195,12 @@ class Chef
 
       property :policy_persist_run_list, [true, false],
         description: "Override run lists defined in a Policyfile with the `run_list` defined on the #{ChefUtils::Dist::Server::PRODUCT}.",
-        introduced: "17.3"
+        introduced: "17.3",
+        default: false
 
       property :minimal_ohai, [true, false],
-        description: "Run a minimal set of Ohai plugins providing data necessary for the execution of #{ChefUtils::Dist::Infra::PRODUCT}'s built-in resources. Setting this to true will skip many large and time consuming data sets such as `cloud` or `packages`. Setting this this to true may break cookbooks that assume all Ohai data will be present."
+        description: "Run a minimal set of Ohai plugins providing data necessary for the execution of #{ChefUtils::Dist::Infra::PRODUCT}'s built-in resources. Setting this to true will skip many large and time consuming data sets such as `cloud` or `packages`. Setting this to true may break cookbooks that assume all Ohai data will be present.",
+        default: false
 
       property :start_handlers, Array,
         description: %q(An array of hashes that contain a report handler class and the arguments to pass to that class on initialization. The hash should include `class` and `argument` keys where `class` is a String and `argument` is an array of quoted String values. For example: `[{'class' => 'MyHandler', %w('"argument1"', '"argument2"')}]`),

data/lib/chef/resource/chef_client_systemd_timer.rb

@@ -103,6 +103,10 @@ class Chef
         coerce: proc { |x| Integer(x) },
         callbacks: { "should be a positive Integer" => proc { |v| v > 0 } }
 
+      property :service_umask, [Integer, String],
+        description: "Fix umask for hardened systems that have a changed default umask. This changes the chef-client umask so any files or folders are created with new umask. Recommend setting to stand install default of 0022.",
+        introduced: "18.5"
+
       action :add, description: "Add a systemd timer that runs #{ChefUtils::Dist::Infra::PRODUCT}." do
         systemd_unit "#{new_resource.job_name}.service" do
           content service_content
@@ -175,6 +179,7 @@ class Chef
             "Install" => { "WantedBy" => "multi-user.target" },
           }
 
+          unit["Service"]["UMask"] = new_resource.service_umask if new_resource.service_umask
           unit["Service"]["ConditionACPower"] = "true" unless new_resource.run_on_battery
           unit["Service"]["CPUQuota"] = "#{new_resource.cpu_quota}%" if new_resource.cpu_quota
           unit["Service"]["Environment"] = new_resource.environment.collect { |k, v| "\"#{k}=#{v}\"" } unless new_resource.environment.empty?

data/lib/chef/resource/chef_gem.rb

@@ -62,7 +62,7 @@ class Chef
         end
         ```
 
-        **Install MySQL gem into #{ChefUtils::Dist::Infra::PRODUCT}***
+        **Install MySQL gem into #{ChefUtils::Dist::Infra::PRODUCT}**
         ```ruby
         apt_update
 

data/lib/chef/resource/execute.rb

@@ -442,14 +442,14 @@ class Chef
         NetworkService have this right when running as a service. This is necessary
         even if the user is an Administrator.
 
-        This right can be added and checked in a recipe using this example:
+        This right can be added and checked in a recipe using this example (will not take effect in the same Chef run):
 
         ```ruby
-        # Add 'SeAssignPrimaryTokenPrivilege' for the user
-        Chef::ReservedNames::Win32::Security.add_account_right('<user>', 'SeAssignPrimaryTokenPrivilege')
-
-        # Check if the user has 'SeAssignPrimaryTokenPrivilege' rights
-        Chef::ReservedNames::Win32::Security.get_account_right('<user>').include?('SeAssignPrimaryTokenPrivilege')
+        windows_user_privilege 'add assign token privilege' do
+          principal '<user>'
+          privilege 'SeAssignPrimaryTokenPrivilege'
+          action :add
+        end
         ```
 
         The following example shows how to run `mkdir test_dir` from a Chef Infra Client
@@ -492,9 +492,11 @@ class Chef
 
         **Run a command with an external input file**:
 
+        ```ruby
         execute 'md5sum' do
           input File.read(__FILE__)
         end
+        ```
       EXAMPLES
 
       # The ResourceGuardInterpreter wraps a resource's guards in another resource.  That inner resource

data/lib/chef/resource/habitat_install.rb

@@ -127,6 +127,7 @@ class Chef
           remote_file ::File.join(Chef::Config[:file_cache_path], "hab-install.sh") do
             source new_resource.install_url
             sensitive true
+            mode 0755
           end
 
           execute "installing with hab-install.sh" do
@@ -235,7 +236,7 @@ class Chef
         end
 
         def hab_command
-          cmd = "bash #{Chef::Config[:file_cache_path]}/hab-install.sh"
+          cmd = "#{Chef::Config[:file_cache_path]}/hab-install.sh"
           cmd << " -v #{new_resource.hab_version} " if new_resource.hab_version
           cmd << " -t x86_64-linux-kernel2" if node["kernel"]["release"].to_i < 3
           cmd

data/lib/chef/resource/homebrew_cask.rb

@@ -18,7 +18,7 @@
 #
 
 require_relative "../resource"
-require_relative "../mixin/homebrew_user"
+require_relative "../mixin/homebrew"
 
 class Chef
   class Resource
@@ -29,7 +29,7 @@ class Chef
       description "Use the **homebrew_cask** resource to install binaries distributed via the Homebrew package manager."
       introduced "14.0"
 
-      include Chef::Mixin::HomebrewUser
+      include Chef::Mixin::Homebrew
 
       property :cask_name, String,
         description: "An optional property to set the cask name if it differs from the resource block's name.",
@@ -40,10 +40,6 @@ class Chef
       property :options, String,
         description: "Options to pass to the brew command during installation."
 
-      property :install_cask, [TrueClass, FalseClass],
-        description: "Automatically install the Homebrew cask tap, if necessary.",
-        default: true
-
       property :homebrew_path, String,
         description: "The path to the Homebrew binary."
 
@@ -53,37 +49,27 @@ class Chef
         default_description: "Calculated default username"\
 
       action :install, description: "Install an application that is packaged as a Homebrew cask." do
-        if new_resource.install_cask
-          homebrew_tap "homebrew/cask" do
-            homebrew_path homebrew_bin_path(new_resource.homebrew_path)
-            owner new_resource.owner
-          end
-        end
-
         unless casked?
           converge_by("install cask #{new_resource.cask_name} #{new_resource.options}") do
-            shell_out!("#{homebrew_bin_path(new_resource.homebrew_path)} install --cask #{new_resource.cask_name} #{new_resource.options}",
-              user: new_resource.owner,
-              env:  { "HOME" => ::Dir.home(new_resource.owner), "USER" => new_resource.owner },
-              cwd: ::Dir.home(new_resource.owner))
+            execute "install cask #{new_resource.cask_name}" do
+              command "#{homebrew_bin_path(new_resource.homebrew_path)} install --cask #{new_resource.cask_name} #{new_resource.options}"
+              user new_resource.owner
+              cwd ::Dir.home(new_resource.owner)
+              login true
+            end
           end
         end
       end
 
       action :remove, description: "Remove an application that is packaged as a Homebrew cask." do
-        if new_resource.install_cask
-          homebrew_tap "homebrew/cask" do
-            homebrew_path homebrew_bin_path(new_resource.homebrew_path)
-            owner new_resource.owner
-          end
-        end
-
         if casked?
           converge_by("uninstall cask #{new_resource.cask_name}") do
-            shell_out!("#{homebrew_bin_path(new_resource.homebrew_path)} uninstall --cask #{new_resource.cask_name}",
-              user: new_resource.owner,
-              env:  { "HOME" => ::Dir.home(new_resource.owner), "USER" => new_resource.owner },
-              cwd: ::Dir.home(new_resource.owner))
+            execute "uninstall cask #{new_resource.cask_name}" do
+              command "#{homebrew_bin_path(new_resource.homebrew_path)} uninstall --cask #{new_resource.cask_name}"
+              user new_resource.owner
+              cwd ::Dir.home(new_resource.owner)
+              login true
+            end
           end
         end
       end
@@ -98,10 +84,13 @@ class Chef
         # @return [Boolean]
         def casked?
           unscoped_name = new_resource.cask_name.split("/").last
-          shell_out!("#{homebrew_bin_path(new_resource.homebrew_path)} list --cask 2>/dev/null",
+          shell_out!(
+            "#{homebrew_bin_path(new_resource.homebrew_path)} list --cask 2>/dev/null",
             user: new_resource.owner,
             env:  { "HOME" => ::Dir.home(new_resource.owner), "USER" => new_resource.owner },
-            cwd: ::Dir.home(new_resource.owner)).stdout.split.include?(unscoped_name)
+            cwd: ::Dir.home(new_resource.owner),
+            login: true
+          ).stdout.split.include?(unscoped_name)
         end
       end
     end

data/lib/chef/resource/homebrew_tap.rb

@@ -18,7 +18,7 @@
 #
 
 require_relative "../resource"
-require_relative "../mixin/homebrew_user"
+require_relative "../mixin/homebrew"
 
 class Chef
   class Resource
@@ -29,7 +29,7 @@ class Chef
       description "Use the **homebrew_tap** resource to add additional formula repositories to the Homebrew package manager."
       introduced "14.0"
 
-      include Chef::Mixin::HomebrewUser
+      include Chef::Mixin::Homebrew
 
       property :tap_name, String,
         description: "An optional property to set the tap name if it differs from the resource block's name.",
@@ -51,10 +51,13 @@ class Chef
       action :tap, description: "Add a Homebrew tap." do
         unless tapped?(new_resource.tap_name)
           converge_by("tap #{new_resource.tap_name}") do
-            shell_out!("#{homebrew_bin_path(new_resource.homebrew_path)} tap #{new_resource.tap_name} #{new_resource.url || ""}",
-              user: new_resource.owner,
-              env:  { "HOME" => ::Dir.home(new_resource.owner), "USER" => new_resource.owner },
-              cwd: ::Dir.home(new_resource.owner))
+            execute "tap #{new_resource.tap_name}" do
+              command "#{homebrew_bin_path(new_resource.homebrew_path)} tap #{new_resource.tap_name} #{new_resource.url || ""}"
+              user new_resource.owner
+              default_env true
+              cwd ::Dir.home(new_resource.owner)
+              login true
+            end
           end
         end
       end
@@ -62,21 +65,33 @@ class Chef
       action :untap, description: "Remove a Homebrew tap." do
         if tapped?(new_resource.tap_name)
           converge_by("untap #{new_resource.tap_name}") do
-            shell_out!("#{homebrew_bin_path(new_resource.homebrew_path)} untap #{new_resource.tap_name}",
-              user: new_resource.owner,
-              env:  { "HOME" => ::Dir.home(new_resource.owner), "USER" => new_resource.owner },
-              cwd: ::Dir.home(new_resource.owner))
+            execute "untap #{new_resource.tap_name}" do
+              command "#{homebrew_bin_path(new_resource.homebrew_path)} untap #{new_resource.tap_name}"
+              user new_resource.owner
+              default_env true
+              cwd ::Dir.home(new_resource.owner)
+              login true
+            end
           end
         end
       end
 
-      # Is the passed tap already tapped
-      #
-      # @return [Boolean]
-      def tapped?(name)
-        base_path = ["#{::File.dirname(which("brew"))}/../homebrew", "#{::File.dirname(which("brew"))}/../Homebrew", "/opt/homebrew", "/usr/local/Homebrew", "/home/linuxbrew/.linuxbrew"].uniq.select { |x| Dir.exist?(x) }.first
-        tap_dir = name.gsub("/", "/homebrew-")
-        ::File.directory?("#{base_path}/Library/Taps/#{tap_dir}")
+      action_class do
+        # Is the passed tap already tapped
+        #
+        # @return [Boolean]
+        def tapped?(name)
+          brew_path = ::File.dirname(homebrew_bin_path(new_resource.homebrew_path))
+          base_path = [
+            "#{brew_path}/../homebrew",
+            "#{brew_path}/../Homebrew",
+            "/opt/homebrew",
+            "/usr/local/Homebrew",
+            "/home/linuxbrew/.linuxbrew",
+          ].filter_map { |x| x if Dir.exist?(x) }.first
+          tap_dir = name.gsub("/", "/homebrew-")
+          ::File.directory?("#{base_path}/Library/Taps/#{tap_dir}")
+        end
       end
     end
   end

data/lib/chef/resource/homebrew_update.rb

@@ -19,13 +19,13 @@
 #
 
 require_relative "../resource"
-require_relative "../mixin/homebrew_user"
+require_relative "../mixin/homebrew"
 require "chef-utils/dist" unless defined?(ChefUtils::Dist)
 
 class Chef
   class Resource
     class HomebrewUpdate < Chef::Resource
-      include Chef::Mixin::HomebrewUser
+      include Chef::Mixin::Homebrew
 
       provides(:homebrew_update) { true }
 
@@ -78,9 +78,9 @@ class Chef
           end
 
           execute "brew update" do
-            command %w{brew update}
-            default_env true
+            command "#{homebrew_bin_path} update"
             user find_homebrew_uid
+            login true
             notifies :touch, "file[#{BREW_STAMP}]", :immediately
           end
         end

data/lib/chef/resource/powershell_package.rb

@@ -44,6 +44,10 @@ class Chef
         description: "Skip validating module author.",
         default: false, introduced: "14.3", desired_state: false
 
+      property :allow_clobber,  [TrueClass, FalseClass],
+        description: "Overrides warning messages about installation conflicts about existing commands on a computer.",
+        default: false, introduced: "18.5"
+
     end
   end
 end

data/lib/chef/resource/snap_package.rb

@@ -26,6 +26,29 @@ class Chef
 
       description "Use the **snap_package** resource to manage snap packages on Debian and Ubuntu platforms."
       introduced "15.0"
+      examples <<~DOC
+      **Install a package**
+
+      ```ruby
+      snap_package 'hello'
+      ```
+
+      **Upgrade a package**
+
+      ```ruby
+      snap_package 'hello' do
+        action :upgrade
+      end
+      ```
+
+      **Install a package with classic confinement**
+
+      ```ruby
+      snap_package 'hello' do
+        options 'classic'
+      end
+      ```
+      DOC
 
       allowed_actions :install, :upgrade, :remove, :purge
 

data/lib/chef/resource/support/client.erb

@@ -10,18 +10,19 @@
       @https_proxy
       @ftp_proxy
       @log_level
-      @minimal_ohai
       @named_run_list
       @no_proxy
       @pid_file
       @policy_group
       @policy_name
       @rubygems_url
-      @ssl_verify_mode
-      @policy_persist_run_list).each do |prop| -%>
+      @ssl_verify_mode).each do |prop| -%>
 <% next if instance_variable_get(prop).nil? || instance_variable_get(prop).empty? -%>
 <%=prop.delete_prefix("@") %> <%= instance_variable_get(prop).inspect %>
 <% end -%>
+<%# boolean properties are neither .nil? nor respond to .empty? so they are included below %>
+minimal_ohai <%= @minimal_ohai.inspect %>
+policy_persist_run_list <%= @policy_persist_run_list.inspect %>
 <%# ohai_disabled_plugins and ohai_optional_plugins properties don't match the config value perfectly-%>
 <% %w(@ohai_disabled_plugins
       @ohai_optional_plugins).each do |prop| -%>

data/lib/chef/resource/sysctl.rb

@@ -103,6 +103,7 @@ class Chef
       property :comment, [Array, String],
         description: "Comments, placed above the resource setting in the generated file. For multi-line comments, use an array of strings, one per line.",
         default: [],
+        desired_state: false,
         introduced: "15.8"
 
       property :conf_dir, String,

data/lib/chef/resource_inspector.rb

@@ -79,19 +79,37 @@ class Chef
       Array(equal_to).map(&:inspect)
     end
 
+    def self.load_from_resources(resources, complete)
+      resources.each_with_object({}) do |r, res|
+        pth = r["full_path"]
+        # Here we do some magic to extract resources from files where there are multiple resources
+        # in a file - to do this, we load the file, and take the delta of which resources
+        # exist in object space
+        existing_classes = []
+        ObjectSpace.each_object(Class).select { |k| k < Chef::Resource }.each { |klass| existing_classes << klass }
+        # Load the set of resources from this file
+        Chef::Resource::LWRPBase.build_from_file(name, pth, Chef::RunContext.new(Chef::Node.new, nil, nil))
+        # Finally, process every new class added to the object space by that
+        ObjectSpace.each_object(Class).select { |k| k < Chef::Resource }.each do |klass|
+          unless existing_classes.include?(klass)
+            # Skip over anything which creates resources that start with exactly this - that happens
+            # because if there is no non-classed resource in here, LWRPBase.build_from_file builds a
+            # dummy object from it - we don't need that polluting out output!
+            next if klass.resource_name.start_with?("Chef__ResourceInspector")
+
+            res[klass.resource_name] = extract_resource(klass, complete)
+          end
+        end
+      end
+    end
+
     def self.extract_cookbook(path, complete)
       path = File.expand_path(path)
       dir, name = File.split(path)
       Chef::Cookbook::FileVendor.fetch_from_disk(path)
       loader = Chef::CookbookLoader.new(dir)
       cookbook = loader.load_cookbook(name)
-      resources = cookbook.files_for(:resources)
-
-      resources.each_with_object({}) do |r, res|
-        pth = r["full_path"]
-        cur = Chef::Resource::LWRPBase.build_from_file(name, pth, Chef::RunContext.new(Chef::Node.new, nil, nil))
-        res[cur.resource_name] = extract_resource(cur, complete)
-      end
+      load_from_resources(cookbook.files_for(:resources), complete)
     end
 
     # If we're given no resources, dump all of Chef's built ins

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("..", __dir__)
-  VERSION = Chef::VersionString.new("18.4.12")
+  VERSION = Chef::VersionString.new("18.6.2")
 end
 
 #

data/lib/chef/win32/registry.rb

@@ -26,6 +26,11 @@ if RUBY_PLATFORM.match?(/mswin|mingw|windows/)
     autoload :Registry, File.expand_path("../monkey_patches/win32/registry", __dir__)
   end
   require_relative "api/registry"
+
+  require "win32/resolv"
+  ::Win32::Registry.define_method :export_string do |str, enc = (Encoding.default_internal || "utf-8")|
+    str.encode(enc)
+  end
 end
 
 class Chef

data/lib/chef/win32/security.rb

@@ -130,6 +130,15 @@ class Chef
         end
       end
 
+      def self.clear_account_rights(name)
+        return if get_account_right(name) == []
+
+        with_lsa_policy(name) do |policy_handle, sid|
+          result = LsaRemoveAccountRights(policy_handle.read_pointer, sid, true, nil, 1)
+          test_and_raise_lsa_nt_status(result)
+        end
+      end
+
       def self.adjust_token_privileges(token, privileges)
         token = token.handle if token.respond_to?(:handle)
         old_privileges_size = FFI::Buffer.new(:long).write_long(privileges.size_with_privileges)

data/spec/functional/resource/cookbook_file_spec.rb

@@ -57,7 +57,7 @@ describe Chef::Resource::CookbookFile do
     create_resource
   end
 
-  it_behaves_like "a file resource"
+  it_behaves_like "a file resource", :not_supported_on_windows_11
 
   # These examples cover CHEF-3467 where unexpected and incorrect
   # permissions can result on Windows because CookbookFile's

data/spec/functional/resource/remote_file_spec.rb

@@ -245,7 +245,7 @@ describe Chef::Resource::RemoteFile do
           end
         end
 
-        context "when the the file is only accessible as a specific alternate identity" do
+        context "when the file is only accessible as a specific alternate identity" do
           let(:windows_nonadmin_user) { "chefremfile2" }
           let(:windows_nonadmin_user_password) { "j82ajfxK3;2Xe2" }
           include_context "a non-admin Windows user"

data/spec/integration/client/fips_spec.rb

@@ -9,12 +9,21 @@ describe "chef-client fips" do
   after { OpenSSL.fips_mode = false }
 
   # For non-FIPS OSes/builds of Ruby, enabling FIPS should error
-  example "Error enabling fips_mode if FIPS not linked", fips_mode: false do
+  example "Error enabling fips_mode if FIPS not linked", :fips_mode_negative_test do
     expect { enable_fips }.to raise_error(OpenSSL::OpenSSLError)
   end
 
+  example "Do not error on MD5 if not fips_mode", :fips_mode_negative_test do
+    expect { OpenSSL::Digest.new("MD5", "test string for digesting") }.not_to raise_error
+  end
+
   # For FIPS OSes/builds of Ruby, enabling FIPS should not error
-  example "Do not error enabling fips_mode if FIPS linked", fips_mode: true do
+  example "Do not error enabling fips_mode if FIPS linked", :fips_mode_test do
     expect { enable_fips }.not_to raise_error
   end
+
+  example "Error on MD5 if fips_mode", :fips_mode_test do
+    enable_fips
+    expect { OpenSSL::Digest.new("MD5", "test string for digesting") }.to raise_error(OpenSSL::Digest::DigestError)
+  end
 end

data/spec/integration/client/open_ssl_spec.rb

@@ -0,0 +1,20 @@
+require "spec_helper"
+
+describe "openssl checks" do
+  let(:openssl_version_default) do
+    if windows?
+      "3.0.9"
+    elsif macos?
+      "1.1.1m"
+    else
+      "3.0.9"
+    end
+  end
+
+  %w{version library_version}.each do |method|
+    # macOS just picks up its own for some reason, maybe it circumvents a build step
+    example "check #{method}", not_supported_on_macos: true do
+      expect(OpenSSL.const_get("OPENSSL_#{method.upcase}")).to match(openssl_version_default), "OpenSSL doesn't match omnibus_overrides.rb"
+    end
+  end
+end