chef 18.4.2-x64-mingw-ucrt → 18.5.0-x64-mingw-ucrt

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 23f3f81c3dc1cd6817825ebb13a87bb9c4c8e2c332d39846d0291925aff183af
-  data.tar.gz: dd5df36c878f693a329ee770bbb54a0332178e41f17f718027e860c8e289dc64
+  metadata.gz: 77d916c27d4f54717bf1b19c187381d22af18afd8c342e9a991021f79da84710
+  data.tar.gz: 3d3c421530c1d1be2b4dfb6977a36e5442678af9a7bf9ab9a536ed0d4d89acab
 SHA512:
-  metadata.gz: b9e455ca1a2f875d08dea3beba4c9bb029889aedfc3d17344caea7061cde332e3d834f8eda0edd21ee083890e720e670048bdaa62d81206ee4b1670ef577689c
-  data.tar.gz: 0b189fca63d31b90c20755137bfa2ca13c430e924f5b7e0d600fdd82ae4b77570d6f5a2fa6bfce0159404cbbe9d3d172c4f694d424ddf29d930a7437e1c9025c
+  metadata.gz: eefdb38b46958cc9df3c528b48aff78b289b4185411c272868c3e4b79cc3c4b68bb046aaa534a282dbb0936228dce9ce8045d39a0a2ee23d270cc8f10398b212
+  data.tar.gz: 066de3ee0964e8632c8644b7f685c2d8a7d0f512e094b0825585afc514493f0560235c8c8e1ac1b3b37b6a2f26ef78162e58f30f02c6ffcfdf2aa17e3fd6efe5

data/Gemfile

@@ -7,9 +7,11 @@ gem "ohai", git: "https://github.com/chef/ohai.git", branch: "main"
 # Nwed to file a bug with rest-client. In the meantime, we can use this until they accept the update.
 gem "rest-client", git: "https://github.com/chef/rest-client", branch: "jfm/ucrt_update1"
 
-gem "ffi", "~> 1.15.5"
+gem "ffi", ">= 1.15.5"
 gem "chef-utils", path: File.expand_path("chef-utils", __dir__) if File.exist?(File.expand_path("chef-utils", __dir__))
 gem "chef-config", path: File.expand_path("chef-config", __dir__) if File.exist?(File.expand_path("chef-config", __dir__))
+# required for FIPS or bundler will pick up default openssl
+gem "openssl", "= 3.2.0" unless Gem.platforms.any? { |platform| !platform.is_a?(String) && platform.os == "darwin" }
 
 if File.exist?(File.expand_path("chef-bin", __dir__))
   # bundling in a git checkout
@@ -52,6 +54,7 @@ group(:development, :test) do
   gem "rake"
   gem "rspec"
   gem "webmock"
+  gem "crack", "< 0.4.6" # due to https://github.com/jnunemaker/crack/pull/75
   gem "fauxhai-ng" # for chef-utils gem
 end
 

data/chef.gemspec

@@ -2,12 +2,12 @@ $:.unshift(File.dirname(__FILE__) + "/lib")
 vs_path = File.expand_path("chef-utils/lib/chef-utils/version_string.rb", __dir__)
 
 if File.exist?(vs_path)
-  # this is the moral equivalent of a require_relative since bundler makes require_relative here fail hard
-  eval(IO.read(vs_path))
-else
-  # if the path doesn't exist then we're just in the wild gem and not in the git repo
-  require "chef-utils/version_string"
+  # include chef-utils/lib in the path if we're inside of chef vs. chef-utils gem
+  # but add it to the end of the search path
+  $: << (File.dirname(__FILE__) + "/chef-utils/lib")
 end
+# if the path doesn't exist then we're just in the wild gem and not in the git repo
+require "chef-utils/version_string"
 require "chef/version"
 
 Gem::Specification.new do |s|
@@ -43,7 +43,7 @@ Gem::Specification.new do |s|
   s.add_dependency "ohai", "~> 18.0"
   s.add_dependency "inspec-core", ">= 5", "< 6"
 
-  s.add_dependency "ffi", "~> 1.15.5"
+  s.add_dependency "ffi", ">= 1.15.5"
   s.add_dependency "ffi-yajl", "~> 2.2"
   s.add_dependency "net-sftp", ">= 2.1.2", "< 5.0" # remote_file resource
   s.add_dependency "net-ftp" # remote_file resource
@@ -65,7 +65,7 @@ Gem::Specification.new do |s|
 
   s.add_dependency "aws-sdk-s3", "~> 1.91" # s3 recipe-url support
   s.add_dependency "aws-sdk-secretsmanager", "~> 1.46"
-  s.add_dependency "vault", "~> 0.16" # hashi vault official client gem
+  s.add_dependency "vault", "~> 0.18.2" # hashi vault official client gem
   s.bindir       = "bin"
   s.executables  = %w{ }
 

data/lib/chef/client.rb

@@ -305,8 +305,6 @@ class Chef
         # keep this inside the main loop to get exception backtraces
         end_profiling
 
-        warn_if_eol
-
         # rebooting has to be the last thing we do, no exceptions.
         Chef::Platform::Rebooter.reboot_if_needed!(node)
       rescue Exception => run_error
@@ -335,19 +333,6 @@ class Chef
     # @todo make this stuff protected or private
     #
 
-    # @api private
-    def warn_if_eol
-      require_relative "version"
-
-      # We make a release every year so take the version you're on + 2006 and you get
-      # the year it goes EOL
-      eol_year = 2006 + Gem::Version.new(Chef::VERSION).segments.first
-
-      if Time.now > Time.new(eol_year, 5, 01)
-        logger.warn("This release of #{ChefUtils::Dist::Infra::PRODUCT} became end of life (EOL) on May 1st #{eol_year}. Please update to a supported release to receive new features, bug fixes, and security updates.")
-      end
-    end
-
     # @api private
     def configure_formatters
       formatters_for_run.map do |formatter_name, output_path|

data/lib/chef/cookbook/chefignore.rb

@@ -50,7 +50,10 @@ class Chef
         ignore_globs = []
         if @ignore_file && readable_file_or_symlink?(@ignore_file)
           File.foreach(@ignore_file) do |line|
-            ignore_globs << line.strip unless COMMENTS_AND_WHITESPACE.match?(line)
+            unless COMMENTS_AND_WHITESPACE.match?(line)
+              line.strip!
+              ignore_globs << line
+            end
           end
         else
           Chef::Log.debug("No chefignore file found. No files will be ignored!")

data/lib/chef/cookbook/cookbook_version_loader.rb

@@ -215,7 +215,7 @@ class Chef
         Dir.entries(cookbook_path).each do |top_filename|
           # Skip top-level directories starting with "."
           top_path = File.join(cookbook_path, top_filename)
-          next if File.directory?(top_path) && top_filename.start_with?(".")
+          next if top_filename.start_with?(".") && File.directory?(top_path)
 
           # Use Find.find because it:
           # (a) returns any children, recursively

data/lib/chef/cookbook/synchronizer.rb

@@ -280,8 +280,9 @@ class Chef
     end
 
     def ensure_cookbook_paths
+      cookbook_path = File.join(Chef::Config[:file_cache_path], "cookbooks")
       cookbooks.each do |cookbook|
-        cb_dir = File.join(Chef::Config[:file_cache_path], "cookbooks", cookbook.name)
+        cb_dir = File.join(cookbook_path, cookbook.name)
         cookbook.root_paths = Array(cb_dir)
       end
     end

data/lib/chef/cookbook_manifest.rb

@@ -173,9 +173,9 @@ class Chef
     def files_for(part)
       return root_files if part.to_s == "root_files"
 
+      part_match = "#{part}/"
       manifest[:all_files].select do |file|
-        seg = file[:name].split("/")[0]
-        part.to_s == seg
+        file[:name].start_with?(part_match)
       end
     end
 

data/lib/chef/file_cache.rb

@@ -159,9 +159,24 @@ class Chef
       # [String] - An array of file cache keys matching the glob
       def find(glob_pattern)
         keys = []
-        Dir[File.join(Chef::Util::PathHelper.escape_glob_dir(file_cache_path), glob_pattern)].each do |f|
+        file_cache_dir = Chef::Util::PathHelper.escape_glob_dir(file_cache_path)
+        first_filename = Dir[file_cache_dir].first # directory of the cache
+        return keys unless first_filename
+
+        # TODO: The usage of Regexp.escape and the match here is likely
+        # vestigial, but since it's only getting called once per method, the
+        # effort needed to confirm that its removal won't break something else
+        # isn't worth it. A task for a brave soul ;-)
+        regexp_pattern = /^(#{Regexp.escape(first_filename) + File::Separator}).+/
+
+        files = Dir[File.join(file_cache_dir, glob_pattern)]
+        until files.empty?
+          f = files.shift
           if File.file?(f)
-            keys << f[/^#{Regexp.escape(Dir[Chef::Util::PathHelper.escape_glob_dir(file_cache_path)].first) + File::Separator}(.+)/, 1]
+            # We remove the cache directory from the string of each entry
+            path_to_remove ||= f[regexp_pattern, 1]
+            f.delete_prefix!(path_to_remove)
+            keys << f
           end
         end
         keys

data/lib/chef/formatters/doc.rb

@@ -57,7 +57,7 @@ class Chef
         # Print out deprecations.
         unless deprecations.empty?
           puts_line ""
-          puts_line "Deprecation warnings that must be addressed before upgrading to Chef Infra #{Chef::VERSION.to_i + 1}:"
+          puts_line "Deprecation warnings that must be addressed before upgrading to #{ChefUtils::Dist::Infra::PRODUCT} #{Chef::VERSION.to_i + 1}:"
           puts_line ""
           deprecations.each do |message, details|
             locations = details[:locations]

data/lib/chef/mixin/openssl_helper.rb

@@ -157,7 +157,7 @@ class Chef
         raise TypeError, "curve must be a string" unless curve.is_a?(String)
         raise ArgumentError, "Specified curve is not available on this system" unless %w{prime256v1 secp384r1 secp521r1}.include?(curve)
 
-        ::OpenSSL::PKey::EC.new(curve).generate_key
+        ::OpenSSL::PKey::EC.generate(curve)
       end
 
       # generate pem format of the public key given a private key

data/lib/chef/node/attribute.rb

@@ -570,7 +570,7 @@ class Chef
         ]
 
         ret = components.inject(NIL) do |merged, component|
-          hash_only_merge!(merged, component)
+          component == NIL ? merged : hash_only_merge!(merged, component)
         end
         ret == NIL ? nil : ret
       end
@@ -584,7 +584,7 @@ class Chef
       def merge_defaults(path)
         DEFAULT_COMPONENTS.inject(NIL) do |merged, component_ivar|
           component_value = apply_path(instance_variable_get(component_ivar), path)
-          deep_merge!(merged, component_value)
+          component_value == NIL ? merged : deep_merge!(merged, component_value)
         end
       end
 
@@ -597,7 +597,7 @@ class Chef
       def merge_overrides(path)
         OVERRIDE_COMPONENTS.inject(NIL) do |merged, component_ivar|
           component_value = apply_path(instance_variable_get(component_ivar), path)
-          deep_merge!(merged, component_value)
+          component_value == NIL ? merged : deep_merge!(merged, component_value)
         end
       end
 
@@ -628,10 +628,6 @@ class Chef
         elsif merge_onto.is_a?(Array) && merge_with.is_a?(Array)
           merge_onto |= merge_with
 
-        # If merge_with is NIL, don't replace merge_onto
-        elsif merge_with == NIL
-          merge_onto
-
         # In all other cases, replace merge_onto with merge_with
         else
           if merge_with.is_a?(Hash)
@@ -661,10 +657,6 @@ class Chef
           end
           merge_onto
 
-        # If merge_with is NIL, don't replace merge_onto
-        elsif merge_with == NIL
-          merge_onto
-
         # In all other cases, replace merge_onto with merge_with
         else
           if merge_with.is_a?(Hash)

data/lib/chef/node/immutable_collections.rb

@@ -33,18 +33,25 @@ class Chef
       end
 
       def convert_value(value)
-        # The order in this case statement is *important*.
-        # ImmutableMash and ImmutableArray should be tested first,
-        # as this saves unnecessary creation of intermediate objects
         case value
-        when ImmutableMash, ImmutableArray
-          value
         when Hash
-          ImmutableMash.new(value, __root__, __node__, __precedence__)
+          if ImmutableMash === value
+            # Save an object creation
+            value
+          else
+            ImmutableMash.new(value, __root__, __node__, __precedence__)
+          end
         when Array
-          ImmutableArray.new(value, __root__, __node__, __precedence__)
+          if ImmutableArray === value
+            # Save an object creation
+            value
+          else
+            ImmutableArray.new(value, __root__, __node__, __precedence__)
+          end
         else
-          safe_dup(value).freeze
+          # We return any already frozen strings, since that's common over the course of a run.
+          # Check `frozen?` first since that's faster than a Class comparison
+          value.frozen? && String === value ? value : safe_dup(value).freeze
         end
       end
 

data/lib/chef/node/mixin/state_tracking.rb

@@ -37,7 +37,8 @@ class Chef
         def [](*args)
           ret = super
           key = args.first
-          next_path = [ __path__, convert_key(key) ].flatten.compact
+          next_path = [ __path__, convert_key(key) ].flatten
+          next_path.compact!
           copy_state_to(ret, next_path)
         end
 
@@ -45,7 +46,8 @@ class Chef
           ret = super
           key = args.first
           value = args.last
-          next_path = [ __path__, convert_key(key) ].flatten.compact
+          next_path = [ __path__, convert_key(key) ].flatten
+          next_path.compact!
           send_attribute_changed_event(next_path, value)
           copy_state_to(ret, next_path)
         end
@@ -77,7 +79,8 @@ class Chef
         end
 
         def send_reset_cache(path = nil, key = nil)
-          next_path = [ path, key ].flatten.compact
+          next_path = [ path, key ].flatten
+          next_path.compact!
           __root__.reset_cache(next_path.first) if !__root__.nil? && __root__.respond_to?(:reset_cache)
         end
 

data/lib/chef/node.rb

@@ -285,7 +285,7 @@ class Chef
     def loaded_recipe(cookbook, recipe)
       fully_qualified_recipe = "#{cookbook}::#{recipe}"
 
-      automatic_attrs[:recipes] << fully_qualified_recipe unless Array(self[:recipes]).include?(fully_qualified_recipe)
+      automatic_attrs[:recipes] << fully_qualified_recipe unless Array(automatic_attrs[:recipes]).include?(fully_qualified_recipe)
     end
 
     # Returns true if this Node expects a given role, false if not.

data/lib/chef/policy_builder/policyfile.rb

@@ -132,6 +132,9 @@ class Chef
 
         node.consume_external_attrs(ohai_data, json_attribs)
 
+        # Preserve the fall back to loading an unencrypted data bag item if the item we're trying to load isn't actually a vault item.
+        set_databag_fallback
+
         setup_run_list_override
 
         expand_run_list
@@ -191,6 +194,11 @@ class Chef
         run_context
       end
 
+      # Preserve the fall back to loading an unencrypted data bag item if the item we're trying to load isn't actually a vault item.
+      def set_databag_fallback
+        node.default["chef-vault"]["databag_fallback"] = ChefUtils.kitchen?(node)
+      end
+
       # Sets `run_list` on the node from the policy, sets `roles` and `recipes`
       # attributes on the node accordingly.
       #

data/lib/chef/provider/package/chocolatey.rb

@@ -144,7 +144,11 @@ class Chef
         def check_resource_semantics!; end
 
         def get_choco_version
-          @get_choco_version ||= powershell_exec!("#{choco_exe} --version").result
+          # We need a different way to get the version than by simply calling "choco --version".
+          # If the license file is installed (for business customers) but not the Chocolatey.Extension (because you're using the choco resource to install it)
+          # then you get a license error. This method bypasses that by getting the version from the exe directly instead of invoking it.
+          # deprecated: @get_choco_version ||= powershell_exec!("#{choco_exe} --version").result
+          @get_choco_version ||= powershell_exec!("Get-ItemProperty #{choco_exe} | select-object -expandproperty versioninfo | select-object -expandproperty productversion").result
         end
 
         # Choco V2 uses 'Search' for remote repositories and 'List' for local packages
@@ -167,22 +171,34 @@ class Chef
           true
         end
 
-        # walk the collection to find peer resources to ensure that
-        # we get as much of the cache this run as possible.  Unified mode
-        # sub-resources will, of course, be incremental with this, since we can't
-        # grab them in advance, but even in that case we're still way, way
-        # more efficient with our queries...
+        # Find the set of packages to ask the chocolatey server about
+        #
+        # if walk_resource_tree is true, this finds _all_ of the packages that
+        # we have referenced anywhere in our recipes - this is so we can
+        # attempt to query them all in a single transaction.  However,
+        # currently we don't do that - see the comment on available_packages
+        # for details of the why, but the TL;DR is that the public chocolatey
+        # servers do not support `or` type queries properly.
+        #
+        # If walk_resource_tree is false, we don't do any of that - we just filter
+        # the package list based on cache data.  This is the default due to reasons
+        # explained in the comment on available_packages - the goal is to eventually
+        # turn this back on, hence the default false parameter here.
         #
         # @return [Array] List of chocolatey packages referenced in the run list
-        def collect_package_requests(ignore_list: [])
+        def collect_package_requests(ignore_list: [], walk_resource_tree: false)
           return ["*"] if new_resource.bulk_query || Chef::Config[:always_use_bulk_chocolatey_package_list]
 
-          # Get to the root of the resource collection
-          rc = run_context.parent_run_context || run_context
-          rc = rc.parent_run_context while rc.parent_run_context
+          if walk_resource_tree
+            # Get to the root of the resource collection
+            rc = run_context.parent_run_context || run_context
+            rc = rc.parent_run_context while rc.parent_run_context
 
-          package_collection = package_name_array
-          package_collection += nested_package_resources(rc.resource_collection)
+            package_collection = package_name_array
+            package_collection += nested_package_resources(rc.resource_collection)
+          else
+            package_collection = package_name_array
+          end
           # downcase the array and uniq.  sorted for easier testing...
           package_collection.uniq.sort.filter { |pkg| !ignore_list.include?(pkg) }
         end
@@ -339,22 +355,33 @@ class Chef
             @@choco_available_packages[new_resource.list_options] = {}
           end
 
-          # Attempt to get everything we need in a single query.
-          # Grab 25 packages at a time at most, to avoid hurting servers too badly
+          # This would previously grab 25 packages at a time, which previously worked - however,
+          # upstream changed and it turns out this was only working by accident - see
+          # https://github.com/chocolatey/choco/issues/2116 for this.  So the TL;DR ends up
+          # being that this can be re-enabled when the chocolatey server actually supports an
+          # or operator.  So it makes sense to leave the logic here for this split, while we
+          # work with upstream to get this to be a working feature there
+          #
+          # Foot guns: there is a --id-starts-with for chocolatey, which you'd think would work,
+          # but that actually fails on public chocolatey as well, because it seems to do the filtering
+          # locally. Which means it too will omit a lot of results (this is also corroborated by
+          # the 2116 issue above).
           #
-          # For v1 we actually used to grab the entire list of packages, but we found
-          # that it could cause undue load on really large package lists
+          # collect_package_requests, however, continues to be useful here because it filters
+          # the already cached things from the list.  However, for now it will no longer walk the
+          # resource tree until 2116 can be sorted out.  When we regain that ability, we should
+          # re-evaluate this, since it does save a LOT of API requests!
           collect_package_requests(
             ignore_list: @@choco_available_packages[new_resource.list_options].keys
-          ).each_slice(25) do |pkg_set|
+          ).each do |pkg_set|
             available_versions =
               begin
               cmd = [ query_command, "-r" ]
 
               # Chocolatey doesn't actually take a wildcard for this query, however
               # it will return all packages when using '*' as a query
-              unless pkg_set == ["*"]
-                cmd += pkg_set
+              unless pkg_set == "*"
+                cmd << pkg_set
               end
               cmd += common_options
               cmd.push( new_resource.list_options ) if new_resource.list_options
@@ -383,10 +410,12 @@ class Chef
         #
         # @return [Hash] name-to-version mapping of installed packages
         def installed_packages
-          if new_resource.use_choco_list == false || !Chef::Config[:always_use_choco_list]
-            installed_packages_via_choco
-          else
+          # Logic here must be either use_choco_list is false _and_ always_use_choco_list is
+          # falsy, since the global overrides the local
+          if new_resource.use_choco_list == false && !Chef::Config[:always_use_choco_list]
             installed_packages_via_disk
+          else
+            installed_packages_via_choco
           end
         end
 
@@ -413,8 +442,8 @@ class Chef
             # that contains all possible package folders, and so we push our
             # guess to the front as an optimization.
             target_dirs << targets.first.downcase if targets.length == 1
-            if targets.downcase is_a?(String)
-              target_dirs << targets
+            if targets.is_a?(String)
+              target_dirs << targets.downcase
             end
             target_dirs += get_local_pkg_dirs(choco_lib_path)
             fetch_package_versions(choco_lib_path, target_dirs, targets)
@@ -465,6 +494,7 @@ class Chef
         # Fetch the local package versions from chocolatey
         def fetch_package_versions(base_dir, target_dirs, targets)
           pkg_versions = {}
+          targets = [targets] if targets.is_a?(String)
           target_dirs.each do |dir|
             pkg_versions.merge!(get_pkg_data(::File.join(base_dir, dir)))
             # return early if we found the single package version we were looking for

data/lib/chef/provider/package/powershell.rb

@@ -127,6 +127,7 @@ class Chef
           command.push("-RequiredVersion #{version}") if version
           command.push("-Source #{new_resource.source}") if new_resource.source && cmdlet_name =~ Regexp.union(/Install-Package/, /Find-Package/)
           command.push("-SkipPublisherCheck") if new_resource.skip_publisher_check && cmdlet_name !~ /Find-Package/
+          command.push("-AllowClobber") if new_resource.allow_clobber
           if new_resource.options && cmdlet_name !~ Regexp.union(/Get-Package/, /Find-Package/)
             new_resource.options.each do |arg|
               command.push(arg) unless command.include?(arg)

data/lib/chef/provider/package/snap.rb

@@ -218,6 +218,7 @@ class Chef
           waiting = true
           while waiting
             result = get_change_id(id)
+
             case result["result"]["status"]
             when "Do", "Doing", "Undoing", "Undo"
               # Continue

data/lib/chef/provider/package/zypper.rb

@@ -146,7 +146,6 @@ class Chef
             if md = line.match(/^(\S*)\s+\|\s+(\S+)\s+\|\s+(\S+)\s+\|\s+(\S+)\s+\|\s+(\S+)\s+\|\s+(.*)$/)
               (status, name, type, version, arch, repo) = [ md[1], md[2], md[3], md[4], md[5], md[6] ]
               next if version == "Version" # header
-              next if name != package_name
 
               # sometimes even though we request a specific version in the search string above and have match exact, we wind up
               # with other versions in the output, particularly getting the installed version when downgrading.

data/lib/chef/provider/service/windows.rb

@@ -74,7 +74,6 @@ class Chef::Provider::Service::Windows < Chef::Provider::Service
       current_resource.run_as_user(config_info.service_start_name)    if config_info.service_start_name
       current_resource.display_name(config_info.display_name)         if config_info.display_name
       current_resource.delayed_start(current_delayed_start)           if current_delayed_start
-      current_resource.description(config_info.description)           if new_resource.description
     end
 
     current_resource

data/lib/chef/resource/chef_client_config.rb

@@ -198,7 +198,8 @@ class Chef
         introduced: "17.3"
 
       property :minimal_ohai, [true, false],
-        description: "Run a minimal set of Ohai plugins providing data necessary for the execution of #{ChefUtils::Dist::Infra::PRODUCT}'s built-in resources. Setting this to true will skip many large and time consuming data sets such as `cloud` or `packages`. Setting this this to true may break cookbooks that assume all Ohai data will be present."
+        description: "Run a minimal set of Ohai plugins providing data necessary for the execution of #{ChefUtils::Dist::Infra::PRODUCT}'s built-in resources. Setting this to true will skip many large and time consuming data sets such as `cloud` or `packages`. Setting this to true may break cookbooks that assume all Ohai data will be present.",
+        default: false
 
       property :start_handlers, Array,
         description: %q(An array of hashes that contain a report handler class and the arguments to pass to that class on initialization. The hash should include `class` and `argument` keys where `class` is a String and `argument` is an array of quoted String values. For example: `[{'class' => 'MyHandler', %w('"argument1"', '"argument2"')}]`),

data/lib/chef/resource/chef_client_systemd_timer.rb

@@ -103,6 +103,10 @@ class Chef
         coerce: proc { |x| Integer(x) },
         callbacks: { "should be a positive Integer" => proc { |v| v > 0 } }
 
+      property :service_umask, [Integer, String],
+        description: "Fix umask for hardened systems that have a changed default umask. This changes the chef-client umask so any files or folders are created with new umask. Recommend setting to stand install default of 0022.",
+        introduced: "18.5"
+
       action :add, description: "Add a systemd timer that runs #{ChefUtils::Dist::Infra::PRODUCT}." do
         systemd_unit "#{new_resource.job_name}.service" do
           content service_content
@@ -175,6 +179,7 @@ class Chef
             "Install" => { "WantedBy" => "multi-user.target" },
           }
 
+          unit["Service"]["UMask"] = new_resource.service_umask if new_resource.service_umask
           unit["Service"]["ConditionACPower"] = "true" unless new_resource.run_on_battery
           unit["Service"]["CPUQuota"] = "#{new_resource.cpu_quota}%" if new_resource.cpu_quota
           unit["Service"]["Environment"] = new_resource.environment.collect { |k, v| "\"#{k}=#{v}\"" } unless new_resource.environment.empty?

data/lib/chef/resource/chef_gem.rb

@@ -62,7 +62,7 @@ class Chef
         end
         ```
 
-        **Install MySQL gem into #{ChefUtils::Dist::Infra::PRODUCT}***
+        **Install MySQL gem into #{ChefUtils::Dist::Infra::PRODUCT}**
         ```ruby
         apt_update
 

data/lib/chef/resource/execute.rb

@@ -442,14 +442,14 @@ class Chef
         NetworkService have this right when running as a service. This is necessary
         even if the user is an Administrator.
 
-        This right can be added and checked in a recipe using this example:
+        This right can be added and checked in a recipe using this example (will not take effect in the same Chef run):
 
         ```ruby
-        # Add 'SeAssignPrimaryTokenPrivilege' for the user
-        Chef::ReservedNames::Win32::Security.add_account_right('<user>', 'SeAssignPrimaryTokenPrivilege')
-
-        # Check if the user has 'SeAssignPrimaryTokenPrivilege' rights
-        Chef::ReservedNames::Win32::Security.get_account_right('<user>').include?('SeAssignPrimaryTokenPrivilege')
+        windows_user_privilege 'add assign token privilege' do
+          principal '<user>'
+          privilege 'SeAssignPrimaryTokenPrivilege'
+          action :add
+        end
         ```
 
         The following example shows how to run `mkdir test_dir` from a Chef Infra Client
@@ -492,9 +492,11 @@ class Chef
 
         **Run a command with an external input file**:
 
+        ```ruby
         execute 'md5sum' do
           input File.read(__FILE__)
         end
+        ```
       EXAMPLES
 
       # The ResourceGuardInterpreter wraps a resource's guards in another resource.  That inner resource

data/lib/chef/resource/habitat_install.rb

@@ -127,6 +127,7 @@ class Chef
           remote_file ::File.join(Chef::Config[:file_cache_path], "hab-install.sh") do
             source new_resource.install_url
             sensitive true
+            mode 0755
           end
 
           execute "installing with hab-install.sh" do
@@ -235,7 +236,7 @@ class Chef
         end
 
         def hab_command
-          cmd = "bash #{Chef::Config[:file_cache_path]}/hab-install.sh"
+          cmd = "#{Chef::Config[:file_cache_path]}/hab-install.sh"
           cmd << " -v #{new_resource.hab_version} " if new_resource.hab_version
           cmd << " -t x86_64-linux-kernel2" if node["kernel"]["release"].to_i < 3
           cmd

data/lib/chef/resource/powershell_package.rb

@@ -44,6 +44,10 @@ class Chef
         description: "Skip validating module author.",
         default: false, introduced: "14.3", desired_state: false
 
+      property :allow_clobber,  [TrueClass, FalseClass],
+        description: "Overrides warning messages about installation conflicts about existing commands on a computer.",
+        default: false, introduced: "18.5"
+
     end
   end
 end

data/lib/chef/resource/snap_package.rb

@@ -26,6 +26,29 @@ class Chef
 
       description "Use the **snap_package** resource to manage snap packages on Debian and Ubuntu platforms."
       introduced "15.0"
+      examples <<~DOC
+      **Install a package**
+
+      ```ruby
+      snap_package 'hello'
+      ```
+
+      **Upgrade a package**
+
+      ```ruby
+      snap_package 'hello' do
+        action :upgrade
+      end
+      ```
+
+      **Install a package with classic confinement**
+
+      ```ruby
+      snap_package 'hello' do
+        options 'classic'
+      end
+      ```
+      DOC
 
       allowed_actions :install, :upgrade, :remove, :purge
 

data/lib/chef/resource/support/client.erb

@@ -10,7 +10,6 @@
       @https_proxy
       @ftp_proxy
       @log_level
-      @minimal_ohai
       @named_run_list
       @no_proxy
       @pid_file
@@ -22,6 +21,7 @@
 <% next if instance_variable_get(prop).nil? || instance_variable_get(prop).empty? -%>
 <%=prop.delete_prefix("@") %> <%= instance_variable_get(prop).inspect %>
 <% end -%>
+minimal_ohai <%= @minimal_ohai.inspect %>
 <%# ohai_disabled_plugins and ohai_optional_plugins properties don't match the config value perfectly-%>
 <% %w(@ohai_disabled_plugins
       @ohai_optional_plugins).each do |prop| -%>

data/lib/chef/resource/sysctl.rb

@@ -103,6 +103,7 @@ class Chef
       property :comment, [Array, String],
         description: "Comments, placed above the resource setting in the generated file. For multi-line comments, use an array of strings, one per line.",
         default: [],
+        desired_state: false,
         introduced: "15.8"
 
       property :conf_dir, String,

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("..", __dir__)
-  VERSION = Chef::VersionString.new("18.4.2")
+  VERSION = Chef::VersionString.new("18.5.0")
 end
 
 #

data/spec/functional/resource/remote_file_spec.rb

@@ -245,7 +245,7 @@ describe Chef::Resource::RemoteFile do
           end
         end
 
-        context "when the the file is only accessible as a specific alternate identity" do
+        context "when the file is only accessible as a specific alternate identity" do
           let(:windows_nonadmin_user) { "chefremfile2" }
           let(:windows_nonadmin_user_password) { "j82ajfxK3;2Xe2" }
           include_context "a non-admin Windows user"

data/spec/integration/client/fips_spec.rb

@@ -9,12 +9,21 @@ describe "chef-client fips" do
   after { OpenSSL.fips_mode = false }
 
   # For non-FIPS OSes/builds of Ruby, enabling FIPS should error
-  example "Error enabling fips_mode if FIPS not linked", fips_mode: false do
+  example "Error enabling fips_mode if FIPS not linked", :fips_mode_negative_test do
     expect { enable_fips }.to raise_error(OpenSSL::OpenSSLError)
   end
 
+  example "Do not error on MD5 if not fips_mode", :fips_mode_negative_test do
+    expect { OpenSSL::Digest.new("MD5", "test string for digesting") }.not_to raise_error
+  end
+
   # For FIPS OSes/builds of Ruby, enabling FIPS should not error
-  example "Do not error enabling fips_mode if FIPS linked", fips_mode: true do
+  example "Do not error enabling fips_mode if FIPS linked", :fips_mode_test do
     expect { enable_fips }.not_to raise_error
   end
+
+  example "Error on MD5 if fips_mode", :fips_mode_test do
+    enable_fips
+    expect { OpenSSL::Digest.new("MD5", "test string for digesting") }.to raise_error(OpenSSL::Digest::DigestError)
+  end
 end

data/spec/integration/client/open_ssl_spec.rb

@@ -0,0 +1,20 @@
+require "spec_helper"
+
+describe "openssl checks" do
+  let(:openssl_version_default) do
+    if windows?
+      "1.0.2zi"
+    elsif macos?
+      "1.1.1m"
+    else
+      "3.0.9"
+    end
+  end
+
+  %w{version library_version}.each do |method|
+    # macOS just picks up its own for some reason, maybe it circumvents a build step
+    example "check #{method}", not_supported_on_macos: true do
+      expect(OpenSSL.const_get("OPENSSL_#{method.upcase}")).to match(openssl_version_default), "OpenSSL doesn't match omnibus_overrides.rb"
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -138,7 +138,8 @@ RSpec.configure do |config|
 
   config.filter_run_excluding skip_buildkite: true if ENV["BUILDKITE"]
 
-  config.filter_run_excluding fips_mode: !fips_mode_build?
+  config.filter_run_excluding fips_mode_test: true unless fips_mode_build?
+  config.filter_run_excluding fips_mode_negative_test: true # disable all fips_mode negative tests
   # Skip fips on windows
   # config.filter_run_excluding :fips_mode if windows?
 
@@ -180,6 +181,7 @@ RSpec.configure do |config|
   config.filter_run_excluding aes_256_gcm_only: true unless aes_256_gcm?
   config.filter_run_excluding broken: true
   config.filter_run_excluding not_wpar: true unless wpar?
+  config.filter_run_excluding not_supported_on_s390x: true unless s390x?
   config.filter_run_excluding not_supported_under_fips: true if fips?
   config.filter_run_excluding rhel: true unless rhel?
   config.filter_run_excluding rhel6: true unless rhel6?

data/spec/support/platform_helpers.rb

@@ -67,10 +67,10 @@ end
 
 def win32_os_version
   @win32_os_version ||= begin
-    wmi = WmiLite::Wmi.new
-    host = wmi.first_of("Win32_OperatingSystem")
-    host["version"]
-  end
+                          wmi = WmiLite::Wmi.new
+                          host = wmi.first_of("Win32_OperatingSystem")
+                          host["version"]
+                        end
 end
 
 def windows_powershell_dsc?
@@ -80,7 +80,7 @@ def windows_powershell_dsc?
   begin
     wmi = WmiLite::Wmi.new("root/microsoft/windows/desiredstateconfiguration")
     lcm = wmi.query("SELECT * FROM meta_class WHERE __this ISA 'MSFT_DSCLocalConfigurationManager'")
-    supports_dsc = !! lcm
+    supports_dsc = !!lcm
   rescue WmiLite::WmiException
   end
   supports_dsc
@@ -95,7 +95,7 @@ end
 
 # detects if the hardware is 64-bit (evaluates to true in "WOW64" mode in a 32-bit app on a 64-bit system)
 def windows64?
-  windows? && ( ENV["PROCESSOR_ARCHITECTURE"] == "AMD64" || ENV["PROCESSOR_ARCHITEW6432"] == "AMD64" )
+  windows? && (ENV["PROCESSOR_ARCHITECTURE"] == "AMD64" || ENV["PROCESSOR_ARCHITEW6432"] == "AMD64")
 end
 
 # detects if the hardware is 32-bit
@@ -175,6 +175,10 @@ def wpar?
   !((ohai[:virtualization] || {})[:wpar_no].nil?)
 end
 
+def s390x?
+  RUBY_PLATFORM.include?("s390x")
+end
+
 def supports_cloexec?
   Fcntl.const_defined?(:F_SETFD) && Fcntl.const_defined?(:FD_CLOEXEC)
 end
@@ -224,7 +228,15 @@ def aes_256_gcm?
 end
 
 def fips_mode_build?
-  OpenSSL::OPENSSL_FIPS
+  if ENV.include?("BUILDKITE_LABEL") # try keying directly off Buildkite environments
+    # regex version of chef/chef-foundation:.expeditor/release.omnibus.yml:fips-platforms
+    [/el-.*-x86_64/, /el-.*-ppc64/, /el-.*aarch/, /ubuntu-/, /windows-/, /amazon-2/].any? do |os_arch|
+      ENV["BUILDKITE_LABEL"].match?(os_arch)
+    end
+  else
+    # if you're testing your local build
+    OpenSSL::OPENSSL_FIPS
+  end
 end
 
 def fips?
@@ -233,6 +245,7 @@ end
 
 class HttpHelper
   extend Ohai::Mixin::HttpHelper
+
   def self.logger
     Chef::Log
   end

data/spec/unit/client_spec.rb

@@ -384,22 +384,6 @@ describe Chef::Client do
     end
   end
 
-  describe "eol release warning" do
-    it "warns when running an EOL release" do
-      stub_const("Chef::VERSION", 15)
-      allow(Time).to receive(:now).and_return(Time.new(2021, 5, 1, 5))
-      expect(logger).to receive(:warn).with(/This release of.*became end of life \(EOL\) on May 1st 2021/)
-      client.warn_if_eol
-    end
-
-    it "does not warn when running an non-EOL release" do
-      stub_const("Chef::VERSION", 15)
-      allow(Time).to receive(:now).and_return(Time.new(2021, 4, 31))
-      expect(logger).to_not receive(:warn).with(/became end of life/)
-      client.warn_if_eol
-    end
-  end
-
   describe "authentication protocol selection" do
     context "when FIPS is disabled" do
       before do

data/spec/unit/file_cache_spec.rb

@@ -94,7 +94,71 @@ describe Chef::FileCache do
     it "searches for cached files by globbing" do
       expect(Chef::FileCache.find("snappy/**/*")).to eq(%w{snappy/patter})
     end
+  end
+
+  describe "#find handles regex-unsafe unix paths" do
+    before(:each) do
+      # Dir.mktmpdir doesn't allow regex unsafe characters (the nerve!), so we'll have to fake file lookups
+      @file_cache_path = "/tmp/[foo* ^bar]"
+      escaped_file_cache_path = '/tmp/\[foo\* ^bar\]'
+      Chef::Config[:file_cache_path] = @file_cache_path
+      allow(Chef::Util::PathHelper).to receive(:escape_glob_dir).and_return(escaped_file_cache_path)
+      allow(Dir).to receive(:[]).with(File.join(escaped_file_cache_path, "snappy/**/*")).and_return([
+        File.join(@file_cache_path, "snappy"),
+        File.join(@file_cache_path, "snappy", "patter"),
+      ])
+      allow(Dir).to receive(:[]).with(escaped_file_cache_path).and_return([
+        @file_cache_path,
+      ])
+      [
+        File.join(@file_cache_path, "snappy", "patter"),
+        File.join(@file_cache_path, "whiz", "bang"),
+      ].each do |f|
+        allow(File).to receive(:file?).with(f).and_return(true)
+      end
+      [
+        File.join(@file_cache_path, "snappy"),
+        File.join(@file_cache_path, "whiz"),
+      ].each do |f|
+        allow(File).to receive(:file?).with(f).and_return(false)
+      end
+    end
+
+    it "searches for cached files by globbing" do
+      expect(Chef::FileCache.find("snappy/**/*")).to eq(%w{snappy/patter})
+    end
+  end
 
+  describe "#find handles Windows paths" do
+    before(:each) do
+      allow(ChefUtils).to receive(:windows?).and_return(true)
+      @file_cache_path = 'C:\tmp\fakecache'
+      escaped_file_cache_path = "C:\\tmp\\fakecache"
+      Chef::Config[:file_cache_path] = @file_cache_path
+      allow(Chef::Util::PathHelper).to receive(:escape_glob_dir).and_return(escaped_file_cache_path)
+      allow(Dir).to receive(:[]).with(File.join(escaped_file_cache_path, "snappy/**/*")).and_return([
+        File.join(@file_cache_path, "snappy"),
+        File.join(@file_cache_path, "snappy", "patter"),
+      ])
+      allow(Dir).to receive(:[]).with(escaped_file_cache_path).and_return([
+        @file_cache_path,
+      ])
+      [
+        File.join(@file_cache_path, "snappy", "patter"),
+        File.join(@file_cache_path, "whiz", "bang"),
+      ].each do |f|
+        allow(File).to receive(:file?).with(f).and_return(true)
+      end
+      [
+        File.join(@file_cache_path, "snappy"),
+        File.join(@file_cache_path, "whiz"),
+      ].each do |f|
+        allow(File).to receive(:file?).with(f).and_return(false)
+      end
+    end
+    it "searches for cached files by globbing" do
+      expect(Chef::FileCache.find("snappy/**/*")).to eq(%w{snappy/patter})
+    end
   end
 
   describe "when checking for the existence of a file" do

data/spec/unit/mixin/openssl_helper_spec.rb

@@ -92,7 +92,12 @@ describe Chef::Mixin::OpenSSLHelper do
 
     context "When the dhparam.pem file does exist, and does contain a vaild dhparam key" do
       it "returns true" do
-        @dhparam_file.puts(::OpenSSL::PKey::DH.new(256).to_pem) # this is 256 to speed up specs
+        # bumped this from 256 to 1024 because OpenSSL 3.x will enforce
+        # size
+        #      OpenSSL::PKey::PKeyError:
+        #       EVP_PKEY_paramgen: modulus too small
+        # need to double check that the mixin itself doesn't allow smaller
+        @dhparam_file.puts(::OpenSSL::PKey::DH.new(1024).to_pem)
         @dhparam_file.close
         expect(instance.dhparam_pem_valid?(@dhparam_file.path)).to be_truthy
       end

data/spec/unit/provider/package/chocolatey_spec.rb

@@ -36,9 +36,9 @@ describe Chef::Provider::Package::Chocolatey, :windows_only do
   # installed packages (ConEmu is upgradable)
   let(:local_list_stdout) do
     <<~EOF
-      Chocolatey v0.9.9.11
-      chocolatey|0.9.9.11
-      ConEmu|15.10.25.0
+      Chocolatey v0.9.9.10
+      chocolatey|0.9.9.12
+      ConEmu|15.10.25.2
     EOF
   end
 
@@ -47,10 +47,10 @@ describe Chef::Provider::Package::Chocolatey, :windows_only do
     allow(provider).to receive(:choco_exe).and_return(choco_exe)
     local_list_obj = double(stdout: local_list_stdout)
     allow(provider).to receive(:shell_out_compacted!).with(choco_exe, "list", "-l", "-r", { returns: [0, 2], timeout: timeout }).and_return(local_list_obj)
-    allow(provider).to receive(:powershell_exec!).with("#{choco_exe} --version").and_return(double(result: "2.1.0"))
+    allow(provider).to receive(:powershell_exec!).with("Get-ItemProperty #{choco_exe} | select-object -expandproperty versioninfo | select-object -expandproperty productversion").and_return(double(result: "2.1.0"))
     # Mock the local file system choco queries
     allow(provider).to receive(:get_local_pkg_dirs).and_return(%w{chocolatey ConEmu})
-    allow(provider).to receive(:fetch_package_versions_local).and_return({ "chocolatey" => "0.9.9.11", "conemu" => "15.10.25.0" })
+    allow(provider).to receive(:fetch_package_versions).and_return({ "chocolatey" => "0.9.9.11", "conemu" => "15.10.25.0" })
   end
 
   after(:each) do
@@ -70,10 +70,13 @@ describe Chef::Provider::Package::Chocolatey, :windows_only do
       munin-node|1.6.1.20130823
     EOF
     remote_list_obj = double(stdout: remote_list_stdout)
-    if args
-      allow(provider).to receive(:shell_out_compacted!).with(choco_exe, provider.query_command, "-r", *(package_names.sort + args), { returns: [0, 2], timeout: timeout }).and_return(remote_list_obj)
-    else
-      allow(provider).to receive(:shell_out_compacted!).with(choco_exe, provider.query_command, "-r", *(package_names.sort), { returns: [0, 2], timeout: timeout }).and_return(remote_list_obj)
+
+    package_names.each do |pkg|
+      if args
+        allow(provider).to receive(:shell_out_compacted!).with(choco_exe, provider.query_command, "-r", *([pkg] + args), { returns: [0, 2], timeout: timeout }).and_return(remote_list_obj)
+      else
+        allow(provider).to receive(:shell_out_compacted!).with(choco_exe, provider.query_command, "-r", pkg, { returns: [0, 2], timeout: timeout }).and_return(remote_list_obj)
+      end
     end
   end
 
@@ -89,12 +92,12 @@ describe Chef::Provider::Package::Chocolatey, :windows_only do
 
   describe "choco searches change with the version" do
     it "Choco V1 uses List" do
-      allow(provider).to receive(:powershell_exec!).with("#{choco_exe} --version").and_return(double(result: "1.4.0"))
+      allow(provider).to receive(:powershell_exec!).with("Get-ItemProperty #{choco_exe} | select-object -expandproperty versioninfo | select-object -expandproperty productversion").and_return(double(result: "1.4.0"))
       expect(provider.query_command).to eql("list")
     end
 
     it "Choco V2 uses Search" do
-      allow(provider).to receive(:powershell_exec!).with("#{choco_exe} --version").and_return(double(result: "2.1.0"))
+      allow(provider).to receive(:powershell_exec!).with("Get-ItemProperty #{choco_exe} | select-object -expandproperty versioninfo | select-object -expandproperty productversion").and_return(double(result: "2.1.0"))
       expect(provider.query_command).to eql("search")
     end
   end
@@ -168,6 +171,7 @@ describe Chef::Provider::Package::Chocolatey, :windows_only do
 
     it "should load and downcase names in the installed_packages hash (with disk provider)" do
       new_resource.use_choco_list(false)
+      provider.invalidate_cache
       provider.load_current_resource
       expect(provider.send(:installed_packages)).to eql(
         { "chocolatey" => "0.9.9.11", "conemu" => "15.10.25.0" }
@@ -176,9 +180,10 @@ describe Chef::Provider::Package::Chocolatey, :windows_only do
 
     it "should load and downcase names in the installed_packages hash (with choco list provider)" do
       new_resource.use_choco_list(true)
+      provider.invalidate_cache
       provider.load_current_resource
       expect(provider.send(:installed_packages)).to eql(
-        { "chocolatey" => "0.9.9.11", "conemu" => "15.10.25.0" }
+        { "chocolatey" => "0.9.9.12", "conemu" => "15.10.25.2" }
       )
     end
 

data/spec/unit/provider/package/windows_spec.rb

@@ -106,27 +106,27 @@ describe Chef::Provider::Package::Windows, :windows_only do
         provider.package_provider
       end
 
-      it "sets the package provider to MSI if the the installer type is :msi" do
+      it "sets the package provider to MSI if the installer type is :msi" do
         allow(provider).to receive(:installer_type).and_return(:msi)
         expect(provider.package_provider).to be_a(Chef::Provider::Package::Windows::MSI)
       end
 
-      it "sets the package provider to Exe if the the installer type is :inno" do
+      it "sets the package provider to Exe if the installer type is :inno" do
         allow(provider).to receive(:installer_type).and_return(:inno)
         expect(provider.package_provider).to be_a(Chef::Provider::Package::Windows::Exe)
       end
 
-      it "sets the package provider to Exe if the the installer type is :nsis" do
+      it "sets the package provider to Exe if the installer type is :nsis" do
         allow(provider).to receive(:installer_type).and_return(:nsis)
         expect(provider.package_provider).to be_a(Chef::Provider::Package::Windows::Exe)
       end
 
-      it "sets the package provider to Exe if the the installer type is :wise" do
+      it "sets the package provider to Exe if the installer type is :wise" do
         allow(provider).to receive(:installer_type).and_return(:wise)
         expect(provider.package_provider).to be_a(Chef::Provider::Package::Windows::Exe)
       end
 
-      it "sets the package provider to Exe if the the installer type is :installshield" do
+      it "sets the package provider to Exe if the installer type is :installshield" do
         allow(provider).to receive(:installer_type).and_return(:installshield)
         expect(provider.package_provider).to be_a(Chef::Provider::Package::Windows::Exe)
       end

data/spec/unit/provider/package/zypper_spec.rb

@@ -491,14 +491,4 @@ describe Chef::Provider::Package::Zypper do
       provider.remove_package(%w{emacs vim}, ["1.0", "2.0"])
     end
   end
-
-  describe "resolve_available_version" do
-    it "should return correct version if multiple packages are shown" do
-      status = double(stdout: "S  | Name                     | Type    | Version             | Arch   | Repository\n---+--------------------------+---------+---------------------+--------+-------------------------------------------------------------\n   | apache2-mod_wsgi         | package | 4.7.1-150400.3.3.1  | x86_64 | Update repository with updates from SUSE Linux Enterprise 15\n   | apache2-mod_wsgi         | package | 4.7.1-150400.1.52   | x86_64 | Main Repository\ni+ | apache2-mod_wsgi-python3 | package | 4.5.18-150000.4.6.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15\nv  | apache2-mod_wsgi-python3 | package | 4.5.18-4.3.1        | x86_64 | Main Repository\n", exitstatus: 0)
-
-      allow(provider).to receive(:shell_out_compacted!).and_return(status)
-      result = provider.send(:resolve_available_version, "apache2-mod_wsgi-python3", nil)
-      expect(result).to eq("4.5.18-150000.4.6.1")
-    end
-  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chef
 version: !ruby/object:Gem::Version
-  version: 18.4.2
+  version: 18.5.0
 platform: x64-mingw-ucrt
 authors:
 - Adam Jacob
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-01-18 00:00:00.000000000 Z
+date: 2024-06-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-config
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 18.4.2
+        version: 18.5.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 18.4.2
+        version: 18.5.0
 - !ruby/object:Gem::Dependency
   name: chef-utils
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 18.4.2
+        version: 18.5.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 18.4.2
+        version: 18.5.0
 - !ruby/object:Gem::Dependency
   name: train-core
   requirement: !ruby/object:Gem::Requirement
@@ -238,14 +238,14 @@ dependencies:
   name: ffi
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.15.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.15.5
 - !ruby/object:Gem::Dependency
@@ -536,14 +536,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.16'
+        version: 0.18.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.16'
+        version: 0.18.2
 - !ruby/object:Gem::Dependency
   name: win32-api
   requirement: !ruby/object:Gem::Requirement
@@ -2655,6 +2655,7 @@ files:
 - spec/integration/client/exit_code_spec.rb
 - spec/integration/client/fips_spec.rb
 - spec/integration/client/ipv6_spec.rb
+- spec/integration/client/open_ssl_spec.rb
 - spec/integration/compliance/compliance_spec.rb
 - spec/integration/ohai/ohai_spec.rb
 - spec/integration/recipes/accumulator_spec.rb
@@ -3271,7 +3272,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.26
 signing_key: 
 specification_version: 4
 summary: A systems integration framework, built to bring the benefits of configuration