chef 14.11.21 → 14.12.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f798de1b307dfa70ca1ce581c1a2d47848e045fb0b8ffd2560bee57617e5360
-  data.tar.gz: 0e3deab54bb4e0876692ccb8b693fa81c524c1f367d12b8687cda83527a334c0
+  metadata.gz: c48c84f4c9683a3913e28858cd0e9d07aef8c3c04d4ccde07208c1ce63e87cb7
+  data.tar.gz: c0d67ba3df47d13b9cc636cc248c99e40e42153a84c171a14d5f146ba47fbcde
 SHA512:
-  metadata.gz: c0ab56ed0fd49314cd2fb22bb9f3fda2765ba137e971aa865670059d5a0c674e9cdb61b8347f0776bf1115172b285c53394a898efa5840ec0728b9fb9e906fa9
-  data.tar.gz: ed3ac08a4ff1204800ce95f1480dd2545e0a51114d09c7c83b779392a4673dddb0799e5b16a6a269d74b85bf051b78974f0e7d6a234e7c584958407ffacd4047
+  metadata.gz: '031997455ace5bfe53d929e08648a6c2a1faadcd7082d27cd2ba5c6b6114bfeeb664f45ac20fba8fa0b2e41f446632960ab269a65169f6aeb41ed2601970dc1f'
+  data.tar.gz: 2e5a32afd33b95d1d8091317937de26c51571e7d489eaac40c163ac0bdd5310873007e196bf9fd164e12e908ed34888d44575d028d384e91a3160f18f45a8ca0

data/Gemfile

@@ -58,10 +58,6 @@ group(:development, :test) do
   gem "chefstyle", "=0.11.2"
 end
 
-group(:travis) do
-  gem "travis"
-end
-
 instance_eval(ENV["GEMFILE_MOD"]) if ENV["GEMFILE_MOD"]
 
 # If you want to load debugging tools into the bundle exec sandbox,

data/chef-universal-mingw32.gemspec

@@ -5,18 +5,17 @@ gemspec.platform = Gem::Platform.new(%w{universal mingw32})
 gemspec.add_dependency "win32-api", "~> 1.5.3"
 gemspec.add_dependency "win32-dir", "~> 0.5.0"
 gemspec.add_dependency "win32-event", "~> 0.6.1"
-# TODO: Relax this pin and make the necessary updaets. The issue originally
+# TODO: Relax this pin and make the necessary updates. The issue originally
 # leading to this pin has been fixed in 0.6.5.
 gemspec.add_dependency "win32-eventlog", "0.6.3"
 gemspec.add_dependency "win32-mmap", "~> 0.4.1"
 gemspec.add_dependency "win32-mutex", "~> 0.4.2"
 gemspec.add_dependency "win32-process", "~> 0.8.2"
-gemspec.add_dependency "win32-service", "~> 1.0"
-gemspec.add_dependency "windows-api", "~> 0.4.4"
+gemspec.add_dependency "win32-service", ">= 1.0", "< 3.0"
 gemspec.add_dependency "wmi-lite", "~> 1.0"
 gemspec.add_dependency "win32-taskscheduler", "~> 2.0"
 gemspec.add_dependency "iso8601", "~> 0.12.1"
-gemspec.add_dependency "win32-certstore", "~> 0.2.4"
+gemspec.add_dependency "win32-certstore", "~> 0.3"
 gemspec.extensions << "ext/win32-eventlog/Rakefile"
 gemspec.files += Dir.glob("{distro,ext}/**/*")
 

data/chef.gemspec

@@ -17,10 +17,10 @@ Gem::Specification.new do |s|
 
   s.add_dependency "chef-config", "= #{Chef::VERSION}"
 
-  s.add_dependency "mixlib-cli", "~> 1.7"
-  s.add_dependency "mixlib-log", "~> 2.0", ">= 2.0.3"
+  s.add_dependency "mixlib-cli", ">= 1.7", "< 3.0"
+  s.add_dependency "mixlib-log", ">= 2.0.3", "< 4.0"
   s.add_dependency "mixlib-authentication", "~> 2.1"
-  s.add_dependency "mixlib-shellout", "~> 2.4"
+  s.add_dependency "mixlib-shellout", ">= 2.4", "< 4.0"
   s.add_dependency "mixlib-archive", ">= 0.4", "< 2.0"
   s.add_dependency "ohai", "~> 14.0"
 

data/lib/chef/application/solo.rb

@@ -218,12 +218,12 @@ class Chef::Application::Solo < Chef::Application
   # Get this party started
   def run
     setup_signal_handlers
+    setup_application
     reconfigure
     for_ezra if Chef::Config[:ez]
     if !Chef::Config[:solo_legacy_mode]
       Chef::Application::Client.new.run
     else
-      setup_application
       run_application
     end
   end

data/lib/chef/provider/service/windows.rb

@@ -83,22 +83,7 @@ class Chef::Provider::Service::Windows < Chef::Provider::Service
 
   def start_service
     if Win32::Service.exists?(@new_resource.service_name)
-      # reconfiguration is idempotent, so just do it.
-      new_config = {
-        service_name: @new_resource.service_name,
-        service_start_name: @new_resource.run_as_user,
-        password: @new_resource.run_as_password,
-      }.reject { |k, v| v.nil? || v.length == 0 }
-
-      Win32::Service.configure(new_config)
-      logger.info "#{@new_resource} configured."
-
-      # LocalSystem is the default runas user, which is a special service account that should ultimately have the rights of BUILTIN\Administrators, but we wouldn't see that from get_account_right
-      if new_config.key?(:service_start_name) && new_config[:service_start_name].casecmp("localsystem") != 0
-        unless Chef::ReservedNames::Win32::Security.get_account_right(canonicalize_username(new_config[:service_start_name])).include?(SERVICE_RIGHT)
-          grant_service_logon(new_config[:service_start_name])
-        end
-      end
+      configure_service_run_as_properties
 
       state = current_state
       if state == RUNNING
@@ -281,6 +266,21 @@ class Chef::Provider::Service::Windows < Chef::Provider::Service
 
   private
 
+  def configure_service_run_as_properties
+    return unless new_resource.property_is_set?(:run_as_user)
+
+    new_config = {
+      service_name: new_resource.service_name,
+      service_start_name: new_resource.run_as_user,
+      password: new_resource.run_as_password,
+    }.reject { |k, v| v.nil? || v.length == 0 }
+
+    Win32::Service.configure(new_config)
+    logger.info "#{new_resource} configured."
+
+    grant_service_logon(new_resource.run_as_user) if new_resource.run_as_user.casecmp("localsystem") != 0
+  end
+
   def current_delayed_start
     if service = Win32::Service.services.find { |x| x.service_name == new_resource.service_name }
       service.delayed_start == 0 ? false : true
@@ -290,6 +290,8 @@ class Chef::Provider::Service::Windows < Chef::Provider::Service
   end
 
   def grant_service_logon(username)
+    return if Chef::ReservedNames::Win32::Security.get_account_right(canonicalize_username(username)).include?(SERVICE_RIGHT)
+
     begin
       Chef::ReservedNames::Win32::Security.add_account_right(canonicalize_username(username), SERVICE_RIGHT)
     rescue Chef::Exceptions::Win32APIError => err

data/lib/chef/resource/windows_certificate.rb

@@ -62,22 +62,9 @@ class Chef
 
         # Extension of the certificate
         ext = ::File.extname(new_resource.source)
-        cert_obj = fetch_cert_object(ext) # Fetch OpenSSL::X509::Certificate object
-        thumbprint = OpenSSL::Digest::SHA1.new(cert_obj.to_der).to_s # Fetch its thumbprint
 
-        # Need to check if return value is Boolean:true
-        # If not then the given certificate should be added in certstore
-        if verify_cert(thumbprint) == true
-          Chef::Log.debug("Certificate is already present")
-        else
-          converge_by("Adding certificate #{new_resource.source} into Store #{new_resource.store_name}") do
-            if ext == ".pfx"
-              add_pfx_cert
-            else
-              add_cert(cert_obj)
-            end
-          end
-        end
+        # PFX certificates contains private keys and we import them with some other aproach
+        import_certificates(fetch_cert_object(ext), (ext == ".pfx"))
       end
 
       # acl_add is a modify-if-exists operation : not idempotent
@@ -272,7 +259,7 @@ class Chef
           set_acl_script
         end
 
-        # Method returns an OpenSSL::X509::Certificate object
+        # Method returns an OpenSSL::X509::Certificate object. Might also return multiple certificates if present in certificate path
         #
         # Based on its extension, the certificate contents are used to initialize
         # PKCS12 (PFX), PKCS7 (P7B) objects which contains OpenSSL::X509::Certificate.
@@ -295,9 +282,14 @@ class Chef
 
           case ext
           when ".pfx"
-            OpenSSL::PKCS12.new(contents, new_resource.pfx_password).certificate
+            pfx = OpenSSL::PKCS12.new(contents, new_resource.pfx_password)
+            if pfx.ca_certs.nil?
+              pfx.certificate
+            else
+              [pfx.certificate] + pfx.ca_certs
+            end
           when ".p7b"
-            OpenSSL::PKCS7.new(contents).certificates.first
+            OpenSSL::PKCS7.new(contents).certificates
           else
             OpenSSL::X509::Certificate.new(contents)
           end
@@ -308,6 +300,32 @@ class Chef
         def binary_cert?
           powershell_out!("file -b --mime-encoding #{new_resource.source}").stdout.strip == "binary"
         end
+
+        # Imports the certificate object into cert store
+        #
+        # @param cert_objs [OpenSSL::X509::Certificate] Object containing certificate's attributes
+        #
+        # @param is_pfx [Boolean] true if we want to import a PFX certificate
+        #
+        def import_certificates(cert_objs, is_pfx)
+          [cert_objs].flatten.each do |cert_obj|
+            thumbprint = OpenSSL::Digest::SHA1.new(cert_obj.to_der).to_s # Fetch its thumbprint
+
+            # Need to check if return value is Boolean:true
+            # If not then the given certificate should be added in certstore
+            if verify_cert(thumbprint) == true
+              Chef::Log.debug("Certificate is already present")
+            else
+              converge_by("Adding certificate #{new_resource.source} into Store #{new_resource.store_name}") do
+                if is_pfx
+                  add_pfx_cert
+                else
+                  add_cert(cert_obj)
+                end
+              end
+            end
+          end
+        end
       end
     end
   end

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require "chef/version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("../..", __FILE__)
-  VERSION = Chef::VersionString.new("14.11.21")
+  VERSION = Chef::VersionString.new("14.12.3")
 end
 
 #

data/spec/functional/resource/dsc_script_spec.rb

@@ -74,11 +74,11 @@ describe Chef::Resource::DscScript, :windows_powershell_dsc_only do
   let(:env_value2) { "value2" }
   let(:dsc_test_run_context) do
     node = Chef::Node.new
+    node.consume_external_attrs(OHAI_SYSTEM.data, {}) # node[:languages][:powershell][:version]
     node.automatic["os"] = "windows"
     node.automatic["platform"] = "windows"
     node.automatic["platform_version"] = "6.1"
     node.automatic["kernel"][:machine] = :x86_64 # Only 64-bit architecture is supported
-    node.automatic[:languages][:powershell][:version] = "4.0"
     empty_events = Chef::EventDispatch::Dispatcher.new
     Chef::RunContext.new(node, {}, empty_events)
   end

data/spec/functional/resource/group_spec.rb

@@ -292,14 +292,27 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
     end
   end
 
-  let(:group_name) { "group#{SecureRandom.random_number(9999)}" }
+  let(:number) do
+    # Loop until we pick a gid that is not in use.
+    loop do
+      begin
+        gid = rand(2000..9999) # avoid low group numbers
+        return nil if Etc.getgrgid(gid).nil? # returns nil on windows
+      rescue ArgumentError # group does not exist
+        return gid
+      end
+    end
+  end
+
+  let(:group_name) { "grp#{number}" } # group name should be 8 characters or less for Solaris, and possibly others
+  # https://community.aegirproject.org/developing/architecture/unix-group-limitations/index.html#Group_name_length_limits
   let(:included_members) { [] }
   let(:excluded_members) { [] }
   let(:group_resource) do
     group = Chef::Resource::Group.new(group_name, run_context)
     group.members(included_members)
     group.excluded_members(excluded_members)
-    group.gid(30000) unless ohai[:platform_family] == "mac_os_x"
+    group.gid(number) unless ohai[:platform_family] == "mac_os_x"
     group
   end
 

data/spec/functional/resource/windows_certificate_spec.rb

@@ -62,11 +62,14 @@ describe Chef::Resource::WindowsCertificate, :windows_only, :appveyor_only do
   let(:cer_path) { File.join(certificate_path, "test.cer") }
   let(:base64_path) { File.join(certificate_path, "base64_test.cer") }
   let(:pem_path) { File.join(certificate_path, "test.pem") }
+  let(:p7b_path) { File.join(certificate_path, "test.p7b") }
   let(:pfx_path) { File.join(certificate_path, "test.pfx") }
   let(:out_path) { File.join(certificate_path, "testout.pem") }
   let(:tests_thumbprint) { "3180B3E3217862600BD7B2D28067B03D41576A4F" }
   let(:other_cer_path) { File.join(certificate_path, "othertest.cer") }
   let(:others_thumbprint) { "AD393859B2D2D4161D224F16CBD3D16555753A20" }
+  let(:p7b_thumbprint) { "50954A52DDFA2043F36EA9026FDD95EC252048D0" }
+  let(:p7b_nested_thumbprint) { "4A3333FC4E1274995AF5A95810881C86F2DF7FBD" }
 
   before do
     opts = { store_name: store }
@@ -205,6 +208,23 @@ describe Chef::Resource::WindowsCertificate, :windows_only, :appveyor_only do
       end
     end
 
+    context "Adds P7B" do
+      before do
+        win_certificate.source = p7b_path
+        win_certificate.run_action(:create)
+      end
+      it "Imports certificate into store" do
+        expect(no_of_certificates).not_to eq(0)
+      end
+      it "Idempotent: Does not converge while adding again" do
+        win_certificate.run_action(:create)
+        expect(win_certificate).not_to be_updated_by_last_action
+      end
+      it "Nested certificates are also imported" do
+        expect(no_of_certificates).to eq(2)
+      end
+    end
+
     context "Adds PFX" do
       context "With valid password" do
         before do
@@ -289,6 +309,61 @@ describe Chef::Resource::WindowsCertificate, :windows_only, :appveyor_only do
         end
       end
     end
+
+    context "When multiple certificates are present" do
+      before do
+        win_certificate.source = p7b_path
+        win_certificate.run_action(:create)
+      end
+
+      context "With main certificate's thumbprint" do
+        before do
+          win_certificate.source = p7b_thumbprint
+          win_certificate.run_action(:verify)
+        end
+        it "Initial check if certificate is present" do
+          expect(no_of_certificates).to eq(2)
+        end
+        it "Displays correct message" do
+          expect(stdout.string.strip).to eq("Certificate is valid")
+        end
+        it "Does not converge while verifying" do
+          expect(win_certificate).not_to be_updated_by_last_action
+        end
+      end
+
+      context "With nested certificate's thumbprint" do
+        before do
+          win_certificate.source = p7b_nested_thumbprint
+          win_certificate.run_action(:verify)
+        end
+        it "Initial check if certificate is present" do
+          expect(no_of_certificates).to eq(2)
+        end
+        it "Displays correct message" do
+          expect(stdout.string.strip).to eq("Certificate is valid")
+        end
+        it "Does not converge while verifying" do
+          expect(win_certificate).not_to be_updated_by_last_action
+        end
+      end
+
+      context "For an invalid thumbprint" do
+        before do
+          win_certificate.source = others_thumbprint
+          win_certificate.run_action(:verify)
+        end
+        it "Initial check if certificate is present" do
+          expect(no_of_certificates).to eq(2)
+        end
+        it "Displays correct message" do
+          expect(stdout.string.strip).to eq("Certificate not found")
+        end
+        it "Does not converge while verifying" do
+          expect(win_certificate).not_to be_updated_by_last_action
+        end
+      end
+    end
   end
 
   describe "action: fetch" do

data/spec/unit/provider/service/windows_spec.rb

@@ -96,6 +96,7 @@ describe Chef::Provider::Service::Windows, "load_current_resource", :windows_onl
     Win32::Service::DEMAND_START = 0x00000003
     Win32::Service::DISABLED = 0x00000004
 
+    allow(Win32::Service).to receive(:start).with(any_args).and_return(Win32::Service)
     allow(Win32::Service).to receive(:status).with(new_resource.service_name).and_return(
       double("StatusStruct", current_state: "running"))
     allow(Win32::Service).to receive(:config_info).with(new_resource.service_name)
@@ -505,6 +506,31 @@ describe Chef::Provider::Service::Windows, "load_current_resource", :windows_onl
         double("StatusStruct", current_state: "running"))
     end
 
+    context "run_as_user user is specified" do
+      let(:run_as_user) { provider.new_resource.class.properties[:run_as_user].default }
+
+      before do
+        provider.new_resource.run_as_user run_as_user
+      end
+
+      it "configures service run_as_user and run_as_password" do
+        expect(provider).to receive(:configure_service_run_as_properties).and_call_original
+        expect(Win32::Service).to receive(:configure)
+        provider.start_service
+      end
+    end
+
+    context "run_as_user user is not specified" do
+      before do
+        expect(provider.new_resource.property_is_set?(:run_as_user)).to be false
+      end
+
+      it "does not configure service run_as_user and run_as_password" do
+        expect(Win32::Service).not_to receive(:configure)
+        provider.start_service
+      end
+    end
+
     it "calls the start command if one is specified" do
       new_resource.start_command "sc start #{chef_service_name}"
       expect(provider).to receive(:shell_out!).with((new_resource.start_command).to_s).and_return("Starting custom service")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chef
 version: !ruby/object:Gem::Version
-  version: 14.11.21
+  version: 14.12.3
 platform: ruby
 authors:
 - Adam Jacob
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-03-06 00:00:00.000000000 Z
+date: 2019-04-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-config
@@ -16,48 +16,54 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 14.11.21
+        version: 14.12.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 14.11.21
+        version: 14.12.3
 - !ruby/object:Gem::Dependency
   name: mixlib-cli
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.7'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.7'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: mixlib-log
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
         version: 2.0.3
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
         version: 2.0.3
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: mixlib-authentication
   requirement: !ruby/object:Gem::Requirement
@@ -76,16 +82,22 @@ dependencies:
   name: mixlib-shellout
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.4'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.4'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: mixlib-archive
   requirement: !ruby/object:Gem::Requirement
@@ -1699,6 +1711,7 @@ files:
 - spec/data/windows_certificates/base64_test.cer
 - spec/data/windows_certificates/othertest.cer
 - spec/data/windows_certificates/test.cer
+- spec/data/windows_certificates/test.p7b
 - spec/data/windows_certificates/test.pem
 - spec/data/windows_certificates/test.pfx
 - spec/functional/application_spec.rb