chef 11.12.0.alpha.1 → 11.12.0.rc.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9898c6f7591ed887a6598b3d69e579eb80e91219
-  data.tar.gz: a149ede107dbfe06de90825b9fc14f17eda23117
+  metadata.gz: 60391bafa32bf5cc32d6e20d2d7e4d73851b4831
+  data.tar.gz: 35fe3189610b04474bf26cf2e4b6d6f3285c383e
 SHA512:
-  metadata.gz: 91da0bbf0cf8981e3300510bb4b8c7e8479f9624c37e4d3d0abb3398fe5dff5692f2cfdb8a7b47362d139e215b52111f29346a5504a187c0a8f39ecb67fd20cd
-  data.tar.gz: fe75d1790cd62872a44c86c9801919f3e3479c47e5389e03d5f95fbbe3292a4e4461759744b2cc2b54cf07cfbb90eb45f702e92c3dd529caec97abe94f66eb10
+  metadata.gz: a1b8ef49c08c01859feaf9dbe315fa7d6be0e9c8c27db37008fd725ee84e96685180db220612289cec70b2757ba61a810f56380016db5529a4b37037fdb349e3
+  data.tar.gz: 24f43562e5917d82395fd74f9a5ef307890f3496264ace9369ef5f12ab82cd03809a1a86b7c4e26a5bb2a1b58cf4ab4ae3fdc5c11a5f581cfdb37c2d809678b9

data/lib/chef/api_client/registration.rb

@@ -30,14 +30,13 @@ class Chef
     # a new client/node identity by borrowing the validator client identity
     # when creating a new client.
     class Registration
-      attr_reader :private_key
       attr_reader :destination
       attr_reader :name
 
       def initialize(name, destination)
         @name = name
         @destination = destination
-        @private_key = nil
+        @server_generated_private_key = nil
       end
 
       # Runs the client registration process, including creating the client on
@@ -90,29 +89,67 @@ class Chef
       end
 
       def create
-        response = http_api.post("clients", :name => name, :admin => false)
-        @private_key = response["private_key"]
+        response = http_api.post("clients", post_data)
+        @server_generated_private_key = response["private_key"]
         response
       end
 
       def update
-        response = http_api.put("clients/#{name}", :name => name,
-                                                     :admin => false,
-                                                     :private_key => true)
+        response = http_api.put("clients/#{name}", put_data)
         if response.respond_to?(:private_key) # Chef 11
-          @private_key = response.private_key
+          @server_generated_private_key = response.private_key
         else # Chef 10
-          @private_key = response["private_key"]
+          @server_generated_private_key = response["private_key"]
         end
         response
       end
 
+      def put_data
+        base_put_data = { :name => name, :admin => false }
+        if self_generate_keys?
+          base_put_data[:public_key] = generated_public_key
+        else
+          base_put_data[:private_key] = true
+        end
+        base_put_data
+      end
+
+      def post_data
+        post_data = { :name => name, :admin => false }
+        post_data[:public_key] = generated_public_key if self_generate_keys?
+        post_data
+      end
+
+
       def http_api
         @http_api_as_validator ||= Chef::REST.new(Chef::Config[:chef_server_url],
                                                   Chef::Config[:validation_client_name],
                                                   Chef::Config[:validation_key])
       end
 
+      # Whether or not to generate keys locally and post the public key to the
+      # server. Delegates to `Chef::Config.local_key_generation`. Servers
+      # before 11.0 do not support this feature.
+      def self_generate_keys?
+        Chef::Config.local_key_generation
+      end
+
+      def private_key
+        if self_generate_keys?
+          generated_private_key.to_pem
+        else
+          @server_generated_private_key
+        end
+      end
+
+      def generated_private_key
+        @generated_key ||= OpenSSL::PKey::RSA.generate(2048)
+      end
+
+      def generated_public_key
+        generated_private_key.public_key.to_pem
+      end
+
       def file_flags
         base_flags = File::CREAT|File::TRUNC|File::RDWR
         # Windows doesn't have symlinks, so it doesn't have NOFOLLOW

data/lib/chef/application.rb

@@ -19,6 +19,7 @@
 require 'pp'
 require 'socket'
 require 'chef/config'
+require 'chef/config_fetcher'
 require 'chef/exceptions'
 require 'chef/log'
 require 'chef/platform'

data/lib/chef/application/client.rb

@@ -25,7 +25,6 @@ require 'chef/log'
 require 'chef/config_fetcher'
 require 'chef/handler/error_report'
 
-
 class Chef::Application::Client < Chef::Application
 
   # Mimic self_pipe sleep from Unicorn to capture signals safely
@@ -228,12 +227,10 @@ class Chef::Application::Client < Chef::Application
       :boolean      => true
   end
 
-  attr_reader :chef_client_json
+  IMMEDIATE_RUN_SIGNAL = "1".freeze
+  GRACEFUL_EXIT_SIGNAL = "2".freeze
 
-  def initialize
-    super
-    @exit_gracefully = false
-  end
+  attr_reader :chef_client_json
 
   # Reconfigure the chef client
   # Re-open the JSON attributes and load them into the node
@@ -295,13 +292,12 @@ class Chef::Application::Client < Chef::Application
 
       trap("USR1") do
         Chef::Log.info("SIGUSR1 received, waking up")
-        SELF_PIPE[1].putc('.') # wakeup master process from select
+        SELF_PIPE[1].putc(IMMEDIATE_RUN_SIGNAL) # wakeup master process from select
       end
 
       trap("TERM") do
         Chef::Log.info("SIGTERM received, exiting gracefully")
-        @exit_gracefully = true
-        SELF_PIPE[1].putc('.')
+        SELF_PIPE[1].putc(GRACEFUL_EXIT_SIGNAL)
       end
     end
 
@@ -313,23 +309,24 @@ class Chef::Application::Client < Chef::Application
       Chef::Daemon.daemonize("chef-client")
     end
 
+    signal = nil
+
     loop do
       begin
-        Chef::Application.exit!("Exiting", 0) if @exit_gracefully
-        if Chef::Config[:splay]
+        Chef::Application.exit!("Exiting", 0) if signal == GRACEFUL_EXIT_SIGNAL
+
+        if Chef::Config[:splay] and signal != IMMEDIATE_RUN_SIGNAL
           splay = rand Chef::Config[:splay]
           Chef::Log.debug("Splay sleep #{splay} seconds")
           sleep splay
         end
+
+        signal = nil
         run_chef_client(Chef::Config[:specific_recipes])
+
         if Chef::Config[:interval]
           Chef::Log.debug("Sleeping for #{Chef::Config[:interval]} seconds")
-          unless SELF_PIPE.empty?
-            client_sleep Chef::Config[:interval]
-          else
-            # Windows
-            sleep Chef::Config[:interval]
-          end
+          signal = interval_sleep
         else
           Chef::Application.exit! "Exiting", 0
         end
@@ -339,12 +336,7 @@ class Chef::Application::Client < Chef::Application
         if Chef::Config[:interval]
           Chef::Log.error("#{e.class}: #{e}")
           Chef::Log.error("Sleeping for #{Chef::Config[:interval]} seconds before trying again")
-          unless SELF_PIPE.empty?
-            client_sleep Chef::Config[:interval]
-          else
-            # Windows
-            sleep Chef::Config[:interval]
-          end
+          signal = interval_sleep
           retry
         else
           Chef::Application.fatal!("#{e.class}: #{e.message}", 1)
@@ -355,8 +347,17 @@ class Chef::Application::Client < Chef::Application
 
   private
 
+  def interval_sleep
+    unless SELF_PIPE.empty?
+      client_sleep Chef::Config[:interval]
+    else
+      # Windows
+      sleep Chef::Config[:interval]
+    end
+  end
+
   def client_sleep(sec)
     IO.select([ SELF_PIPE[0] ], nil, nil, sec) or return
-    SELF_PIPE[0].getc
+    SELF_PIPE[0].getc.chr
   end
 end

data/lib/chef/client.rb

@@ -401,6 +401,9 @@ class Chef
       # don't add code that may fail before entering this section to be sure to release lock
       begin
         runlock.save_pid
+
+        check_ssl_config
+
         request_id = Chef::RequestID.instance.request_id
         run_context = nil
         @events.run_start(Chef::VERSION)
@@ -489,6 +492,37 @@ class Chef
       Chef::ReservedNames::Win32::Security.has_admin_privileges?
     end
 
+    def check_ssl_config
+      if Chef::Config[:ssl_verify_mode] == :verify_none and !Chef::Config[:verify_api_cert]
+        Chef::Log.warn(<<-WARN)
+
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * 
+SSL validation of HTTPS requests is disabled. HTTPS connections are still
+encrypted, but chef is not able to detect forged replies or man in the middle
+attacks.
+
+To fix this issue add an entry like this to your configuration file:
+
+```
+  # Verify all HTTPS connections (recommended)
+  ssl_verify_mode :verify_peer
+
+  # OR, Verify only connections to chef-server
+  verify_api_cert true
+```
+
+To check your SSL configuration, or troubleshoot errors, you can use the
+`knife ssl check` command like so:
+
+```
+  knife ssl check -c #{Chef::Config.config_file}
+```
+
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * 
+WARN
+      end
+    end
+
   end
 end
 

data/lib/chef/config.rb

@@ -432,6 +432,17 @@ class Chef
     default(:validation_key) { chef_zero.enabled ? nil : platform_specific_path("/etc/chef/validation.pem") }
     default :validation_client_name, "chef-validator"
 
+    # When creating a new client via the validation_client account, Chef 11
+    # servers allow the client to generate a key pair locally and sent the
+    # public key to the server. This is more secure and helps offload work from
+    # the server, enhancing scalability. If enabled and the remote server
+    # implements only the Chef 10 API, client registration will not work
+    # properly.
+    #
+    # The default value is `false` (Server generates client keys). Set to
+    # `true` to enable client-side key generation.
+    default(:local_key_generation) { false }
+
     # Zypper package provider gpg checks. Set to true to enable package
     # gpg signature checking. This will be default in the
     # future. Setting to false disables the warnings.

data/lib/chef/cookbook/chefignore.rb

@@ -25,7 +25,11 @@ class Chef
       attr_reader :ignores
 
       def initialize(ignore_file_or_repo)
+        # Check the 'ignore_file_or_repo' path first and then look in the parent directory
+        # to handle both the chef repo cookbook layout and a standalone cookbook
         @ignore_file = find_ignore_file(ignore_file_or_repo)
+        @ignore_file = find_ignore_file(File.dirname(ignore_file_or_repo)) unless readable_file_or_symlink?(@ignore_file)
+
         @ignores = parse_ignore_file
       end
 
@@ -43,8 +47,7 @@ class Chef
 
       def parse_ignore_file
         ignore_globs = []
-        if File.exist?(@ignore_file) && File.readable?(@ignore_file) &&
-          (File.file?(@ignore_file) || File.symlink?(@ignore_file))
+        if readable_file_or_symlink?(@ignore_file)
           File.foreach(@ignore_file) do |line|
             ignore_globs << line.strip unless line =~ COMMENTS_AND_WHITESPACE
           end
@@ -61,6 +64,11 @@ class Chef
           File.join(path, 'chefignore')
         end
       end
+
+      def readable_file_or_symlink?(path)
+        File.exist?(@ignore_file) && File.readable?(@ignore_file) &&
+          (File.file?(@ignore_file) || File.symlink?(@ignore_file))
+      end
     end
   end
 end

data/lib/chef/cookbook/metadata.rb

@@ -391,14 +391,14 @@ class Chef
             :description => { :kind_of => String },
             :choice => { :kind_of => [ Array ], :default => [] },
             :calculated => { :equal_to => [ true, false ], :default => false },
-            :type => { :equal_to => [ "string", "array", "hash", "symbol" ], :default => "string" },
+            :type => { :equal_to => [ "string", "array", "hash", "symbol", "boolean", "numeric" ], :default => "string" },
             :required => { :equal_to => [ "required", "recommended", "optional", true, false ], :default => "optional" },
             :recipes => { :kind_of => [ Array ], :default => [] },
-            :default => { :kind_of => [ String, Array, Hash ] }
+            :default => { :kind_of => [ String, Array, Hash, Symbol, Numeric, TrueClass, FalseClass ] }
           }
         )
         options[:required] = remap_required_attribute(options[:required]) unless options[:required].nil?
-        validate_string_array(options[:choice])
+        validate_choice_array(options)
         validate_calculated_default_rule(options)
         validate_choice_default_rule(options)
 
@@ -546,6 +546,34 @@ INVALID
         end
       end
 
+      # Validate the choice of the options hash
+      #
+      # Raise an exception if the members of the array do not match the defaults
+      # === Parameters
+      # opts<Hash>:: The options hash
+        def validate_choice_array(opts)
+          if opts[:choice].kind_of?(Array)
+            case opts[:type]
+            when "string"
+              validator = [ String ]
+            when "array"
+              validator = [ Array ]
+            when "hash"
+              validator = [ Hash ]
+            when "symbol"
+              validator = [ Symbol ]
+            when "boolean"
+              validator = [ TrueClass, FalseClass ]
+            when "numeric"
+              validator = [ Numeric ]
+            end
+
+            opts[:choice].each do |choice|
+              validate( {:choice => choice}, {:choice => {:kind_of => validator}} )
+            end
+          end
+        end
+
       # For backwards compatibility, remap Boolean values to String
       #   true is mapped to "required"
       #   false is mapped to "optional"

data/lib/chef/cookbook/synchronizer.rb

@@ -92,7 +92,7 @@ class Chef
     # === Returns
     # true:: Always returns true
     def sync_cookbooks
-      Chef::Log.info("Loading cookbooks [#{cookbook_names.sort.join(', ')}]")
+      Chef::Log.info("Loading cookbooks [#{cookbooks.map {|ckbk| ckbk.name + '@' + ckbk.version}.join(', ')}]")
       Chef::Log.debug("Cookbooks detail: #{cookbooks.inspect}")
 
       clear_obsoleted_cookbooks
@@ -136,7 +136,7 @@ class Chef
     # valid_cache_entries<Hash>:: Out-param; Added to this hash are the files that
     # were referred to by this cookbook
     def sync_cookbook(cookbook)
-      Chef::Log.debug("Synchronizing cookbook #{cookbook.name}")
+      Chef::Log.debug("Synchronizing cookbook #{cookbook.name} #{cookbook.version}")
 
       # files and templates are lazily loaded, and will be done later.
 

data/lib/chef/cookbook/syntax_check.rb

@@ -77,6 +77,8 @@ class Chef
       # validated.
       attr_reader :validated_files
 
+      attr_reader :chefignore
+
       # Creates a new SyntaxCheck given the +cookbook_name+ and a +cookbook_path+.
       # If no +cookbook_path+ is given, +Chef::Config.cookbook_path+ is used.
       def self.for_cookbook(cookbook_name, cookbook_path=nil)
@@ -92,11 +94,9 @@ class Chef
       # cookbook_path::: the (on disk) path to the cookbook
       def initialize(cookbook_path)
         @cookbook_path = cookbook_path
-        @validated_files = PersistentSet.new
-      end
+        @chefignore ||= Chefignore.new(cookbook_path)
 
-      def chefignore
-        @chefignore ||= Chefignore.new(File.dirname(cookbook_path))
+        @validated_files = PersistentSet.new
       end
 
       def remove_ignored_files(file_list)

data/lib/chef/encrypted_data_bag_item.rb

@@ -26,7 +26,7 @@ require 'open-uri'
 # all values, except for the value associated with the id key, have
 # been encrypted.
 #
-# EncrypedDataBagItem can be used in recipes to decrypt data bag item
+# EncryptedDataBagItem can be used in recipes to decrypt data bag item
 # members.
 #
 # Data bag item values are assumed to have been encrypted using the
@@ -49,6 +49,22 @@ require 'open-uri'
 class Chef::EncryptedDataBagItem
   ALGORITHM = 'aes-256-cbc'
 
+  #
+  # === Synopsis
+  #
+  #   EncryptedDataBagItem.new(hash, secret)
+  #
+  # === Args
+  #
+  # +enc_hash+::
+  #   The encrypted hash to be decrypted
+  # +secret+::
+  #   The raw secret key
+  #
+  # === Description
+  #
+  # Create a new encrypted data bag item for reading (decryption)
+  #
   def initialize(enc_hash, secret)
     @enc_hash = enc_hash
     @secret = secret
@@ -82,6 +98,26 @@ class Chef::EncryptedDataBagItem
     end
   end
 
+  #
+  # === Synopsis
+  #
+  #   EncryptedDataBagItem.load(data_bag, name, secret = nil)
+  #
+  # === Args
+  #
+  # +data_bag+::
+  #   The name of the data bag to fetch
+  # +name+::
+  #   The name of the data bag item to fetch
+  # +secret+::
+  #   The raw secret key. If the +secret+ is nil, the value of the file at
+  #   +Chef::Config[:encrypted_data_bag_secret]+ is loaded. See +load_secret+
+  #   for more information.
+  #
+  # === Description
+  #
+  # Loads and decrypts the data bag item with the given name.
+  #
   def self.load(data_bag, name, secret = nil)
     raw_hash = Chef::DataBagItem.load(data_bag, name)
     secret = secret || self.load_secret