chef 18.4.2 → 18.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1b0abf8303fae83df7a99b7731d5e3eedd3dcb5f533cbc9c784527682b3daaa6
-  data.tar.gz: a0fa3f6ee5de4413da2bc2a8e7f41d6d50d320f7c7d2cc080cbda5c9c7bf4604
+  metadata.gz: 6aeb4e21d11cdf70486e7d5c78992d1248331091782075950ed11103f16313eb
+  data.tar.gz: 0d0732e253f1ff220fa4460a98befd22879d206f09e3053527b0996c0a84c268
 SHA512:
-  metadata.gz: 961231927046fcc8965d79b9138e76d7659c666d3afaafe99b4cd1816169e888cb0f87cb57bb394c1d5a81e1f7d54f69f2dad7c9f51ff573c868429449aae808
-  data.tar.gz: '024394b552768952422587e0c0cd68bb617c51c1baa01ee7a5421952b3d1822ad6a553e0ad549047d53f3339c2483bb54f76f556a5a180d0999bb7fd1553a7ec'
+  metadata.gz: '067286ca73d5381ce8ffca9e20694d03b8b5032769ebec6805fdf51c03aadf5d7f2c55c6b1b27d32b81085b378b4e917410fa6dffb9532cae2130f3c6da8160f'
+  data.tar.gz: 1e35e9df95757159af9ab8a22b1d59cbbf8c0e916fdc8ec032c8383921e7de9a9a05d5f6aaba138b3d53af9e4e8359c39bba0f64fb42e90201c704e8ce3bcfe4

data/Gemfile

@@ -7,9 +7,11 @@ gem "ohai", git: "https://github.com/chef/ohai.git", branch: "main"
 # Nwed to file a bug with rest-client. In the meantime, we can use this until they accept the update.
 gem "rest-client", git: "https://github.com/chef/rest-client", branch: "jfm/ucrt_update1"
 
-gem "ffi", "~> 1.15.5"
+gem "ffi", ">= 1.15.5"
 gem "chef-utils", path: File.expand_path("chef-utils", __dir__) if File.exist?(File.expand_path("chef-utils", __dir__))
 gem "chef-config", path: File.expand_path("chef-config", __dir__) if File.exist?(File.expand_path("chef-config", __dir__))
+# required for FIPS or bundler will pick up default openssl
+gem "openssl", "= 3.2.0" unless Gem.platforms.any? { |platform| !platform.is_a?(String) && platform.os == "darwin" }
 
 if File.exist?(File.expand_path("chef-bin", __dir__))
   # bundling in a git checkout
@@ -52,6 +54,7 @@ group(:development, :test) do
   gem "rake"
   gem "rspec"
   gem "webmock"
+  gem "crack", "< 0.4.6" # due to https://github.com/jnunemaker/crack/pull/75
   gem "fauxhai-ng" # for chef-utils gem
 end
 

data/chef.gemspec

@@ -2,12 +2,12 @@ $:.unshift(File.dirname(__FILE__) + "/lib")
 vs_path = File.expand_path("chef-utils/lib/chef-utils/version_string.rb", __dir__)
 
 if File.exist?(vs_path)
-  # this is the moral equivalent of a require_relative since bundler makes require_relative here fail hard
-  eval(IO.read(vs_path))
-else
-  # if the path doesn't exist then we're just in the wild gem and not in the git repo
-  require "chef-utils/version_string"
+  # include chef-utils/lib in the path if we're inside of chef vs. chef-utils gem
+  # but add it to the end of the search path
+  $: << (File.dirname(__FILE__) + "/chef-utils/lib")
 end
+# if the path doesn't exist then we're just in the wild gem and not in the git repo
+require "chef-utils/version_string"
 require "chef/version"
 
 Gem::Specification.new do |s|
@@ -43,7 +43,7 @@ Gem::Specification.new do |s|
   s.add_dependency "ohai", "~> 18.0"
   s.add_dependency "inspec-core", ">= 5", "< 6"
 
-  s.add_dependency "ffi", "~> 1.15.5"
+  s.add_dependency "ffi", ">= 1.15.5"
   s.add_dependency "ffi-yajl", "~> 2.2"
   s.add_dependency "net-sftp", ">= 2.1.2", "< 5.0" # remote_file resource
   s.add_dependency "net-ftp" # remote_file resource
@@ -65,7 +65,7 @@ Gem::Specification.new do |s|
 
   s.add_dependency "aws-sdk-s3", "~> 1.91" # s3 recipe-url support
   s.add_dependency "aws-sdk-secretsmanager", "~> 1.46"
-  s.add_dependency "vault", "~> 0.16" # hashi vault official client gem
+  s.add_dependency "vault", "~> 0.18.2" # hashi vault official client gem
   s.bindir       = "bin"
   s.executables  = %w{ }
 

data/lib/chef/application/client.rb

@@ -40,6 +40,10 @@ class Chef::Application::Client < Chef::Application::Base
     long: "--config CONFIG",
     description: "The configuration file to use."
 
+  option :credentials,
+    long: "--credentials CREDENTIALS",
+    description: "Credentials file to use. Default: ~/.chef/credentials"
+
   unless ChefUtils.windows?
     option :daemonize,
       short: "-d [WAIT]",
@@ -125,6 +129,14 @@ class Chef::Application::Client < Chef::Application::Base
       Chef::Config.node_name = Chef::Config.target_mode.host unless Chef::Config.node_name
     end
 
+    if config[:credentials]
+      unless File.exist?(config[:credentials])
+        Chef::Application.fatal!("credentials file #{config[:credentials]} not found")
+      end
+
+      Chef::Config.credentials = config[:credentials]
+    end
+
     if Chef::Config[:daemonize]
       Chef::Config[:interval] ||= 1800
     end

data/lib/chef/client.rb

@@ -292,6 +292,7 @@ class Chef
         Chef.provider_handler_map.lock!
 
         setup_run_context
+        setup_targetmode if Chef::Config.target_mode?
 
         load_required_recipe(@rest, run_context) unless Chef::Config[:solo_legacy_mode]
 
@@ -305,8 +306,6 @@ class Chef
         # keep this inside the main loop to get exception backtraces
         end_profiling
 
-        warn_if_eol
-
         # rebooting has to be the last thing we do, no exceptions.
         Chef::Platform::Rebooter.reboot_if_needed!(node)
       rescue Exception => run_error
@@ -335,19 +334,6 @@ class Chef
     # @todo make this stuff protected or private
     #
 
-    # @api private
-    def warn_if_eol
-      require_relative "version"
-
-      # We make a release every year so take the version you're on + 2006 and you get
-      # the year it goes EOL
-      eol_year = 2006 + Gem::Version.new(Chef::VERSION).segments.first
-
-      if Time.now > Time.new(eol_year, 5, 01)
-        logger.warn("This release of #{ChefUtils::Dist::Infra::PRODUCT} became end of life (EOL) on May 1st #{eol_year}. Please update to a supported release to receive new features, bug fixes, and security updates.")
-      end
-    end
-
     # @api private
     def configure_formatters
       formatters_for_run.map do |formatter_name, output_path|
@@ -586,6 +572,15 @@ class Chef
       end
     end
 
+    #
+    # Setup conditions for Target Mode.
+    #
+    # @api private
+    #
+    def setup_targetmode
+      TargetIO::FileUtils.mkdir_p(Chef::Config[:file_cache_path])
+    end
+
     #
     # Run ohai plugins.  Runs all ohai plugins unless minimal_ohai is specified.
     #
@@ -1105,4 +1100,3 @@ end
 require_relative "cookbook_loader"
 require_relative "cookbook_version"
 require_relative "cookbook/synchronizer"
-

data/lib/chef/compliance/runner.rb

@@ -208,6 +208,16 @@ class Chef
         logger.debug "Options are set to: #{opts}"
         runner = ::Inspec::Runner.new(opts)
 
+        # Switch from local to remote backend for Target Mode
+        if ChefConfig::Config.target_mode?
+          logger.info "Configure InSpec backend to use established connection"
+
+          connection = Chef.run_context.transport_connection
+          backend = Inspec::Backend.new(connection)
+
+          runner.set_backend(backend)
+        end
+
         if profiles.empty?
           failed_report("No #{Inspec::Dist::PRODUCT_NAME} profiles are defined.")
           return

data/lib/chef/cookbook/chefignore.rb

@@ -50,7 +50,10 @@ class Chef
         ignore_globs = []
         if @ignore_file && readable_file_or_symlink?(@ignore_file)
           File.foreach(@ignore_file) do |line|
-            ignore_globs << line.strip unless COMMENTS_AND_WHITESPACE.match?(line)
+            unless COMMENTS_AND_WHITESPACE.match?(line)
+              line.strip!
+              ignore_globs << line
+            end
           end
         else
           Chef::Log.debug("No chefignore file found. No files will be ignored!")

data/lib/chef/cookbook/cookbook_version_loader.rb

@@ -215,7 +215,7 @@ class Chef
         Dir.entries(cookbook_path).each do |top_filename|
           # Skip top-level directories starting with "."
           top_path = File.join(cookbook_path, top_filename)
-          next if File.directory?(top_path) && top_filename.start_with?(".")
+          next if top_filename.start_with?(".") && File.directory?(top_path)
 
           # Use Find.find because it:
           # (a) returns any children, recursively

data/lib/chef/cookbook/synchronizer.rb

@@ -61,6 +61,11 @@ class Chef
 
     def cleanup_file_cache
       unless Chef::Config[:solo_legacy_mode] || skip_removal
+        if Chef::Config.target_mode?
+          TargetIO::FileUtils.rm_rf(Chef::Config[:file_cache_path])
+          return
+        end
+
         # Delete each file in the cache that we didn't encounter in the
         # manifest.
         cache.find(File.join(%w{cookbooks ** {*,.*}})).each do |cache_filename|
@@ -280,8 +285,9 @@ class Chef
     end
 
     def ensure_cookbook_paths
+      cookbook_path = File.join(Chef::Config[:file_cache_path], "cookbooks")
       cookbooks.each do |cookbook|
-        cb_dir = File.join(Chef::Config[:file_cache_path], "cookbooks", cookbook.name)
+        cb_dir = File.join(cookbook_path, cookbook.name)
         cookbook.root_paths = Array(cb_dir)
       end
     end

data/lib/chef/cookbook_manifest.rb

@@ -173,9 +173,9 @@ class Chef
     def files_for(part)
       return root_files if part.to_s == "root_files"
 
+      part_match = "#{part}/"
       manifest[:all_files].select do |file|
-        seg = file[:name].split("/")[0]
-        part.to_s == seg
+        file[:name].start_with?(part_match)
       end
     end
 

data/lib/chef/file_access_control/unix.rb

@@ -29,7 +29,7 @@ class Chef
       module ClassMethods
         # We want to mix these in as class methods
         def writable?(path)
-          ::File.writable?(path)
+          ::TargetIO::File.writable?(path)
         end
       end
 
@@ -120,7 +120,7 @@ class Chef
         return nil if resource.nil? || resource.group.nil?
 
         if resource.group.is_a?(String)
-          diminished_radix_complement( Etc.getgrnam(resource.group).gid )
+          diminished_radix_complement( TargetIO::Etc.getgrnam(resource.group).gid )
         elsif resource.group.is_a?(Integer)
           resource.group
         else
@@ -222,9 +222,9 @@ class Chef
 
       def stat
         if manage_symlink_attrs?
-          @stat ||= File.lstat(file)
+          @stat ||= TargetIO::File.lstat(file)
         else
-          @stat ||= File.stat(file)
+          @stat ||= TargetIO::File.stat(file)
         end
       end
 
@@ -237,20 +237,20 @@ class Chef
       def chmod(mode, file)
         if manage_symlink_attrs?
           begin
-            File.lchmod(mode, file)
+            TargetIO::File.lchmod(mode, file)
           rescue NotImplementedError
             Chef::Log.warn("#{file} mode not changed: File.lchmod is unimplemented on this OS and Ruby version")
           end
         else
-          File.chmod(mode, file)
+          TargetIO::File.chmod(mode, file)
         end
       end
 
       def chown(uid, gid, file)
         if manage_symlink_attrs?
-          File.lchown(uid, gid, file)
+          TargetIO::File.lchown(uid, gid, file)
         else
-          File.chown(uid, gid, file)
+          TargetIO::File.chown(uid, gid, file)
         end
       end
 
@@ -269,7 +269,7 @@ class Chef
         return nil if resource.nil? || resource.owner.nil?
 
         if resource.owner.is_a?(String)
-          diminished_radix_complement( Etc.getpwnam(resource.owner).uid )
+          diminished_radix_complement( TargetIO::Etc.getpwnam(resource.owner).uid )
         elsif resource.owner.is_a?(Integer)
           resource.owner
         else

data/lib/chef/file_cache.rb

@@ -159,9 +159,24 @@ class Chef
       # [String] - An array of file cache keys matching the glob
       def find(glob_pattern)
         keys = []
-        Dir[File.join(Chef::Util::PathHelper.escape_glob_dir(file_cache_path), glob_pattern)].each do |f|
+        file_cache_dir = Chef::Util::PathHelper.escape_glob_dir(file_cache_path)
+        first_filename = Dir[file_cache_dir].first # directory of the cache
+        return keys unless first_filename
+
+        # TODO: The usage of Regexp.escape and the match here is likely
+        # vestigial, but since it's only getting called once per method, the
+        # effort needed to confirm that its removal won't break something else
+        # isn't worth it. A task for a brave soul ;-)
+        regexp_pattern = /^(#{Regexp.escape(first_filename) + File::Separator}).+/
+
+        files = Dir[File.join(file_cache_dir, glob_pattern)]
+        until files.empty?
+          f = files.shift
           if File.file?(f)
-            keys << f[/^#{Regexp.escape(Dir[Chef::Util::PathHelper.escape_glob_dir(file_cache_path)].first) + File::Separator}(.+)/, 1]
+            # We remove the cache directory from the string of each entry
+            path_to_remove ||= f[regexp_pattern, 1]
+            f.delete_prefix!(path_to_remove)
+            keys << f
           end
         end
         keys

data/lib/chef/file_content_management/deploy/target_io.rb

@@ -0,0 +1,29 @@
+module TargetIO
+  class Deploy
+    def create(file)
+      Chef::Log.trace("Touching #{file} to create it")
+      TargetIO::FileUtils.touch(file)
+    end
+
+    def deploy(src, dst)
+      Chef::Log.trace("Reading modes from remote file #{dst}")
+      stat = ::TargetIO::File.stat(dst)
+      mode = stat.mode & 07777
+      uid  = stat.uid
+      gid  = stat.gid
+
+      # TODO: Switch to TargetIO::File.open as soon as writing is implemented
+      Chef::Log.trace("Uploading local temporary file #{src} as remote file #{dst}")
+      connection = Chef.run_context&.transport_connection
+      connection.upload(src, dst)
+
+      Chef::Log.trace("Applying mode = #{mode.to_s(8)}, uid = #{uid}, gid = #{gid} to #{dst}")
+      ::TargetIO::File.chown(uid, nil, dst)
+      ::TargetIO::File.chown(nil, gid, dst)
+      ::TargetIO::File.chmod(mode, dst)
+
+      # Local clean up
+      File.delete(src)
+    end
+  end
+end

data/lib/chef/file_content_management/deploy.rb

@@ -18,6 +18,7 @@
 
 require_relative "deploy/cp"
 require_relative "deploy/mv_unix"
+require_relative "deploy/target_io"
 if ChefUtils.windows?
   require_relative "deploy/mv_windows"
 end
@@ -26,7 +27,9 @@ class Chef
   class FileContentManagement
     class Deploy
       def self.strategy(atomic_update)
-        if atomic_update
+        if ChefConfig::Config.target_mode?
+          TargetIO::Deploy.new
+        elsif atomic_update
           ChefUtils.windows? ? MvWindows.new : MvUnix.new
         else
           Cp.new

data/lib/chef/formatters/doc.rb

@@ -57,7 +57,7 @@ class Chef
         # Print out deprecations.
         unless deprecations.empty?
           puts_line ""
-          puts_line "Deprecation warnings that must be addressed before upgrading to Chef Infra #{Chef::VERSION.to_i + 1}:"
+          puts_line "Deprecation warnings that must be addressed before upgrading to #{ChefUtils::Dist::Infra::PRODUCT} #{Chef::VERSION.to_i + 1}:"
           puts_line ""
           deprecations.each do |message, details|
             locations = details[:locations]

data/lib/chef/mixin/file_class.rb

@@ -23,7 +23,9 @@ class Chef
     module FileClass
 
       def file_class
-        @host_os_file ||= if ChefUtils.windows?
+        @host_os_file ||= if ChefConfig::Config.target_mode?
+                            ::TargetIO::File
+                          elsif ChefUtils.windows?
                             require_relative "../win32/file"
                             Chef::ReservedNames::Win32::File
                           else

data/lib/chef/mixin/get_source_from_package.rb

@@ -38,7 +38,7 @@ class Chef
 
         # if we're passed something that looks like a filesystem path, with no source, use it
         #  - require at least one '/' in the path to avoid gem_package "foo" breaking if a file named 'foo' exists in the cwd
-        if new_resource.source.nil? && new_resource.package_name.include?(::File::SEPARATOR) && ::File.exist?(new_resource.package_name)
+        if new_resource.source.nil? && new_resource.package_name.include?(::File::SEPARATOR) && ::TargetIO::File.exist?(new_resource.package_name)
           Chef::Log.trace("No package source specified, but #{new_resource.package_name} exists on the filesystem, copying to package source")
           new_resource.source(new_resource.package_name)
         end

data/lib/chef/mixin/openssl_helper.rb

@@ -157,7 +157,7 @@ class Chef
         raise TypeError, "curve must be a string" unless curve.is_a?(String)
         raise ArgumentError, "Specified curve is not available on this system" unless %w{prime256v1 secp384r1 secp521r1}.include?(curve)
 
-        ::OpenSSL::PKey::EC.new(curve).generate_key
+        ::OpenSSL::PKey::EC.generate(curve)
       end
 
       # generate pem format of the public key given a private key

data/lib/chef/node/attribute.rb

@@ -570,7 +570,7 @@ class Chef
         ]
 
         ret = components.inject(NIL) do |merged, component|
-          hash_only_merge!(merged, component)
+          component == NIL ? merged : hash_only_merge!(merged, component)
         end
         ret == NIL ? nil : ret
       end
@@ -584,7 +584,7 @@ class Chef
       def merge_defaults(path)
         DEFAULT_COMPONENTS.inject(NIL) do |merged, component_ivar|
           component_value = apply_path(instance_variable_get(component_ivar), path)
-          deep_merge!(merged, component_value)
+          component_value == NIL ? merged : deep_merge!(merged, component_value)
         end
       end
 
@@ -597,7 +597,7 @@ class Chef
       def merge_overrides(path)
         OVERRIDE_COMPONENTS.inject(NIL) do |merged, component_ivar|
           component_value = apply_path(instance_variable_get(component_ivar), path)
-          deep_merge!(merged, component_value)
+          component_value == NIL ? merged : deep_merge!(merged, component_value)
         end
       end
 
@@ -628,10 +628,6 @@ class Chef
         elsif merge_onto.is_a?(Array) && merge_with.is_a?(Array)
           merge_onto |= merge_with
 
-        # If merge_with is NIL, don't replace merge_onto
-        elsif merge_with == NIL
-          merge_onto
-
         # In all other cases, replace merge_onto with merge_with
         else
           if merge_with.is_a?(Hash)
@@ -661,10 +657,6 @@ class Chef
           end
           merge_onto
 
-        # If merge_with is NIL, don't replace merge_onto
-        elsif merge_with == NIL
-          merge_onto
-
         # In all other cases, replace merge_onto with merge_with
         else
           if merge_with.is_a?(Hash)

data/lib/chef/node/immutable_collections.rb

@@ -33,18 +33,25 @@ class Chef
       end
 
       def convert_value(value)
-        # The order in this case statement is *important*.
-        # ImmutableMash and ImmutableArray should be tested first,
-        # as this saves unnecessary creation of intermediate objects
         case value
-        when ImmutableMash, ImmutableArray
-          value
         when Hash
-          ImmutableMash.new(value, __root__, __node__, __precedence__)
+          if ImmutableMash === value
+            # Save an object creation
+            value
+          else
+            ImmutableMash.new(value, __root__, __node__, __precedence__)
+          end
         when Array
-          ImmutableArray.new(value, __root__, __node__, __precedence__)
+          if ImmutableArray === value
+            # Save an object creation
+            value
+          else
+            ImmutableArray.new(value, __root__, __node__, __precedence__)
+          end
         else
-          safe_dup(value).freeze
+          # We return any already frozen strings, since that's common over the course of a run.
+          # Check `frozen?` first since that's faster than a Class comparison
+          value.frozen? && String === value ? value : safe_dup(value).freeze
         end
       end
 

data/lib/chef/node/mixin/state_tracking.rb

@@ -37,7 +37,8 @@ class Chef
         def [](*args)
           ret = super
           key = args.first
-          next_path = [ __path__, convert_key(key) ].flatten.compact
+          next_path = [ __path__, convert_key(key) ].flatten
+          next_path.compact!
           copy_state_to(ret, next_path)
         end
 
@@ -45,7 +46,8 @@ class Chef
           ret = super
           key = args.first
           value = args.last
-          next_path = [ __path__, convert_key(key) ].flatten.compact
+          next_path = [ __path__, convert_key(key) ].flatten
+          next_path.compact!
           send_attribute_changed_event(next_path, value)
           copy_state_to(ret, next_path)
         end
@@ -77,7 +79,8 @@ class Chef
         end
 
         def send_reset_cache(path = nil, key = nil)
-          next_path = [ path, key ].flatten.compact
+          next_path = [ path, key ].flatten
+          next_path.compact!
           __root__.reset_cache(next_path.first) if !__root__.nil? && __root__.respond_to?(:reset_cache)
         end
 

data/lib/chef/node.rb

@@ -285,7 +285,7 @@ class Chef
     def loaded_recipe(cookbook, recipe)
       fully_qualified_recipe = "#{cookbook}::#{recipe}"
 
-      automatic_attrs[:recipes] << fully_qualified_recipe unless Array(self[:recipes]).include?(fully_qualified_recipe)
+      automatic_attrs[:recipes] << fully_qualified_recipe unless Array(automatic_attrs[:recipes]).include?(fully_qualified_recipe)
     end
 
     # Returns true if this Node expects a given role, false if not.

data/lib/chef/policy_builder/policyfile.rb

@@ -132,6 +132,9 @@ class Chef
 
         node.consume_external_attrs(ohai_data, json_attribs)
 
+        # Preserve the fall back to loading an unencrypted data bag item if the item we're trying to load isn't actually a vault item.
+        set_databag_fallback
+
         setup_run_list_override
 
         expand_run_list
@@ -191,6 +194,11 @@ class Chef
         run_context
       end
 
+      # Preserve the fall back to loading an unencrypted data bag item if the item we're trying to load isn't actually a vault item.
+      def set_databag_fallback
+        node.default["chef-vault"]["databag_fallback"] = ChefUtils.kitchen?(node)
+      end
+
       # Sets `run_list` on the node from the policy, sets `roles` and `recipes`
       # attributes on the node accordingly.
       #

data/lib/chef/provider/cookbook_file.rb

@@ -22,7 +22,7 @@ class Chef
   class Provider
     class CookbookFile < Chef::Provider::File
 
-      provides :cookbook_file
+      provides :cookbook_file, target_mode: true
 
       def initialize(new_resource, run_context)
         @content_class = Chef::Provider::CookbookFile::Content

data/lib/chef/provider/cron.rb

@@ -22,7 +22,7 @@ class Chef
   class Provider
     class Cron < Chef::Provider
 
-      provides :cron, os: ["!aix", "!solaris2"]
+      provides :cron, os: ["!aix", "!solaris2"], target_mode: true
 
       SPECIAL_TIME_VALUES = %i{reboot yearly annually monthly weekly daily midnight hourly}.freeze
       CRON_ATTRIBUTES = %i{minute hour day month weekday time command mailto path shell home environment}.freeze