chef 16.9.32 → 16.10.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 244ba97196d96199132e3085f6c351d495b2db06bcb8c66fbedf2f89c2ddf82a
-  data.tar.gz: 944aec394ec8916f92fd7124d33dbf25a9c4dd40eb6dbdcbdd79b1269f07ecc0
+  metadata.gz: c34d608da9c455be75a96a34306d2f48c696791569efad3a74d949ffa057a1c6
+  data.tar.gz: 53948ca32fb71521ba9b9502f7bd3a3aa10754a6f1971b1c3756ea8caa682de9
 SHA512:
-  metadata.gz: 830152b0c8f02a4dc2f1bc015d3e2062d20c8e30777d0bfb764cbe15d9b2005503aebab3a0a368b56d9f6f76dbc8abcea45398a554a0776da273c4f1e9266146
-  data.tar.gz: 705c961f6472469ce603f94e8498de015db482fcb386659da1babef73afefe589eef4e2cb5c933796b15c0ee3e6ea7f5192481a663a281721e6d5a17a7ad3478
+  metadata.gz: 07d4cc0280c0619c9f9caf772d5f8f5c1edbe5e05cea905a5033c218dd6c0fdfd2c3159dfc18eafdc66c1dc0ed7da28839bade97514f910967b8adf1930b6707
+  data.tar.gz: 00a4ee34617c879ab9de9dba5ea9b5842c3fd1da604c7ac8c9e14ae7ce2f1575b5b0227d2ac947937519df90802192f6d49340890f57ec08c7df0adb7b6f0734

data/Gemfile

@@ -53,7 +53,7 @@ end
 
 group(:development, :test) do
   gem "rake"
-  gem "rspec", "=3.9.0" # remove pin once https://github.com/chef/chef/issues/10817 is resolved
+  gem "rspec"
   gem "webmock"
   gem "fauxhai-ng" # for chef-utils gem
 end

data/chef-universal-mingw32.gemspec

@@ -14,7 +14,7 @@ gemspec.add_dependency "win32-service", ">= 2.1.5", "< 3.0"
 gemspec.add_dependency "wmi-lite", "~> 1.0"
 gemspec.add_dependency "win32-taskscheduler", "~> 2.0"
 gemspec.add_dependency "iso8601", ">= 0.12.1", "< 0.14" # validate 0.14 when it comes out
-gemspec.add_dependency "win32-certstore", "~> 0.3"
+gemspec.add_dependency "win32-certstore", "~> 0.5" # 0.5+ required for specifying user vs. system store
 gemspec.extensions << "ext/win32-eventlog/Rakefile"
 gemspec.files += Dir.glob("{distro,ext}/**/*")
 

data/lib/chef/compliance/runner.rb

@@ -20,8 +20,8 @@ class Chef
         # renamed from Chef Visibility in 2017, so should capture all modern versions of the audit cookbook.
         audit_cookbook_present = defined?(::Reporter::ChefAutomate)
 
-        logger.info("#{self.class}##{__method__}: #{Inspec::Dist::PRODUCT_NAME} profiles? #{inspec_profiles.any?}")
-        logger.info("#{self.class}##{__method__}: audit cookbook? #{audit_cookbook_present}")
+        logger.debug("#{self.class}##{__method__}: #{Inspec::Dist::PRODUCT_NAME} profiles? #{inspec_profiles.any?}")
+        logger.debug("#{self.class}##{__method__}: audit cookbook? #{audit_cookbook_present}")
 
         inspec_profiles.any? && !audit_cookbook_present
       end

data/lib/chef/dsl/reboot_pending.rb

@@ -47,7 +47,7 @@ class Chef
             registry_key_exists?('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
         elsif platform?("ubuntu")
           # This should work for Debian as well if update-notifier-common happens to be installed. We need an API for that.
-          File.exists?("/var/run/reboot-required")
+          File.exist?("/var/run/reboot-required")
         else
           false
         end

data/lib/chef/file_access_control/windows.rb

@@ -33,7 +33,7 @@ class Chef
       module ClassMethods
         # We want to mix these in as class methods
         def writable?(path)
-          ::File.exists?(path) && Chef::ReservedNames::Win32::File.file_access_check(
+          ::File.exist?(path) && Chef::ReservedNames::Win32::File.file_access_check(
             path, Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_WRITE
           )
         end
@@ -136,7 +136,7 @@ class Chef
       end
 
       def should_update_dacl?
-        return true unless ::File.exists?(file) || ::File.symlink?(file)
+        return true unless ::File.exist?(file) || ::File.symlink?(file)
 
         dacl = target_dacl
         existing_dacl = existing_descriptor.dacl
@@ -170,7 +170,7 @@ class Chef
       end
 
       def should_update_group?
-        return true unless ::File.exists?(file) || ::File.symlink?(file)
+        return true unless ::File.exist?(file) || ::File.symlink?(file)
 
         (group = target_group) && (group != existing_descriptor.group)
       end
@@ -190,7 +190,7 @@ class Chef
       end
 
       def should_update_owner?
-        return true unless ::File.exists?(file) || ::File.symlink?(file)
+        return true unless ::File.exist?(file) || ::File.symlink?(file)
 
         (owner = target_owner) && (owner != existing_descriptor.owner)
       end

data/lib/chef/file_cache.rb

@@ -79,7 +79,7 @@ class Chef
 
         file_path_array = File.split(path)
         file_name = file_path_array.pop
-        if File.exists?(file) && File.writable?(file)
+        if File.exist?(file) && File.writable?(file)
           FileUtils.mv(
             file,
             File.join(create_cache_path(File.join(file_path_array), true), file_name)
@@ -112,7 +112,7 @@ class Chef
           }
         )
         cache_path = create_cache_path(path, false)
-        raise Chef::Exceptions::FileNotFound, "Cannot find #{cache_path} for #{path}!" unless File.exists?(cache_path)
+        raise Chef::Exceptions::FileNotFound, "Cannot find #{cache_path} for #{path}!" unless File.exist?(cache_path)
 
         if read
           File.read(cache_path)
@@ -139,7 +139,7 @@ class Chef
           }
         )
         cache_path = create_cache_path(path, false)
-        if File.exists?(cache_path)
+        if File.exist?(cache_path)
           File.unlink(cache_path)
         end
         true
@@ -186,7 +186,7 @@ class Chef
           }
         )
         full_path = create_cache_path(path, false)
-        if File.exists?(full_path)
+        if File.exist?(full_path)
           true
         else
           false

data/lib/chef/formatters/error_inspectors/resource_failure_inspector.rb

@@ -66,7 +66,7 @@ class Chef
 
           @snippet ||= begin
             if (file = parse_source) && (line = parse_line(file))
-              return nil unless ::File.exists?(file)
+              return nil unless ::File.exist?(file)
 
               lines = IO.readlines(file)
 

data/lib/chef/handler/json_file.rb

@@ -51,7 +51,7 @@ class Chef
       end
 
       def build_report_dir
-        unless File.exists?(config[:path])
+        unless File.exist?(config[:path])
           FileUtils.mkdir_p(config[:path])
           File.chmod(00700, config[:path])
         end

data/lib/chef/knife/bootstrap.rb

@@ -217,6 +217,16 @@ class Chef
         description: "Execute the bootstrap via sudo with password.",
         boolean: false
 
+      # runtime - su user
+      option :su_user,
+        long: "--su-user NAME",
+        description: "The su - USER name to perform bootstrap command using a non-root user."
+
+      # runtime - su user password
+      option :su_password,
+        long: "--su-password PASSWORD",
+        description: "The su USER password for authentication."
+
       # runtime - client_builder
       option :chef_node_name,
         short: "-N NAME",
@@ -591,13 +601,31 @@ class Chef
       def perform_bootstrap(remote_bootstrap_script_path)
         ui.info("Bootstrapping #{ui.color(server_name, :bold)}")
         cmd = bootstrap_command(remote_bootstrap_script_path)
-        r = connection.run_command(cmd) do |data|
+        bootstrap_run_command(cmd)
+      end
+
+      # Actual bootstrap command to be run on the node.
+      # Handles recursive calls if su USER failed to authenticate.
+      def bootstrap_run_command(cmd)
+        r = connection.run_command(cmd) do |data, channel|
           ui.msg("#{ui.color(" [#{connection.hostname}]", :cyan)} #{data}")
+          channel.send_data("#{config[:su_password] || config[:connection_password]}\n") if data.match?("Password:")
         end
+
         if r.exit_status != 0
           ui.error("The following error occurred on #{server_name}:")
-          ui.error(r.stderr)
-          exit 1
+          ui.error("#{r.stdout} #{r.stderr}".strip)
+          exit(r.exit_status)
+        end
+      rescue Train::UserError => e
+        limit ||= 0
+        if e.reason == :bad_su_user_password && limit < 3
+          limit += 1
+          ui.warn("Failed to authenticate su - #{config[:su_user]} to #{server_name}")
+          config[:su_password] = ui.ask("Enter password for su - #{config[:su_user]}@#{server_name}:", echo: false)
+          retry
+        else
+          raise
         end
       end
 
@@ -1082,7 +1110,17 @@ class Chef
         if connection.windows?
           "cmd.exe /C #{remote_path}"
         else
-          "sh #{remote_path}"
+          cmd = "sh #{remote_path}"
+
+          if config[:su_user]
+            # su - USER is subject to required an interactive console
+            # Otherwise, it will raise: su: must be run from a terminal
+            set_transport_options(pty: true)
+            cmd = "su - #{config[:su_user]} -c '#{cmd}'"
+            cmd = "sudo " << cmd if config[:use_sudo]
+          end
+
+          cmd
         end
       end
 
@@ -1137,6 +1175,18 @@ class Chef
 
         timeout.to_i
       end
+
+      # Train::Transports::SSH::Connection#transport_options
+      # Append the options to connection transport_options
+      #
+      # @param opts [Hash] the opts to be added to connection transport_options.
+      # @return [Hash] transport_options if the opts contains any option to be set.
+      #
+      def set_transport_options(opts)
+        return unless opts.is_a?(Hash) || !opts.empty?
+
+        connection&.connection&.transport_options&.merge! opts
+      end
     end
   end
 end

data/lib/chef/provider/package.rb

@@ -446,8 +446,8 @@ class Chef
                   # requested new_resource.version constraints
                   logger.trace("#{new_resource} has no existing installed version. Installing install #{candidate_version}")
                   target_version_array.push(candidate_version)
-                elsif version_equals?(current_version, new_version)
-                  # this is a short-circuit to avoid needing to (expensively) query the candidate_version which must come later
+                elsif !use_magic_version? && version_equals?(current_version, new_version)
+                  # this is a short-circuit (mostly for the rubygems provider) to avoid needing to expensively query the candidate_version which must come later
                   logger.trace("#{new_resource} #{package_name} #{new_version} is already installed")
                   target_version_array.push(nil)
                 elsif candidate_version.nil?

data/lib/chef/provider/package/dnf/dnf_helper.py

@@ -64,7 +64,7 @@ def version_tuple(versionstr):
         tmp = versionstr[colon_index + 1:dash_index]
         if tmp != '':
             v = tmp
-        arch_index = versionstr.find('.', dash_index)
+        arch_index = versionstr.rfind('.', dash_index)
         if arch_index > 0:
             r = versionstr[dash_index + 1:arch_index]
         else:

data/lib/chef/resource.rb

@@ -1062,6 +1062,7 @@ class Chef
     # action for the resource.
     #
     # @param name [Symbol] The action name to define.
+    # @param description [String] optional description for the action
     # @param recipe_block The recipe to run when the action is taken. This block
     #   takes no parameters, and will be evaluated in a new context containing:
     #
@@ -1071,14 +1072,37 @@ class Chef
     #
     # @return The Action class implementing the action
     #
-    def self.action(action, &recipe_block)
+    def self.action(action, description: nil, &recipe_block)
       action = action.to_sym
       declare_action_class
       action_class.action(action, &recipe_block)
       self.allowed_actions += [ action ]
+      # Accept any non-nil description, which will correctly override
+      # any specific inherited description.
+      action_descriptions[action] = description unless description.nil?
       default_action action if Array(default_action) == [:nothing]
     end
 
+    # Retrieve the description for a resource's action, if
+    # any description has been included in the definition.
+    #
+    # @param action [Symbol,String] the action name
+    # @return the description of the action provided, or nil if no description
+    # was defined
+    def self.action_description(action)
+      action_descriptions[action.to_sym]
+    end
+
+    # @api private
+    #
+    # @return existing action description hash, or newly-initialized
+    # hash containing action descriptions inherited from parent Resource,
+    # if any.
+    def self.action_descriptions
+      @action_descriptions ||=
+        superclass.respond_to?(:action_descriptions) ? superclass.action_descriptions.dup : { nothing: nil }
+    end
+
     # Define a method to load up this resource's properties with the current
     # actual values.
     #
@@ -1196,9 +1220,9 @@ class Chef
     #
 
     # FORBIDDEN_IVARS do not show up when the resource is converted to JSON (ie. hidden from data_collector and sending to the chef server via #to_json/to_h/as_json/inspect)
-    FORBIDDEN_IVARS = %i{@run_context @logger @not_if @only_if @enclosing_provider @description @introduced @examples @validation_message @deprecated @default_description @skip_docs @executed_by_runner}.freeze
+    FORBIDDEN_IVARS = %i{@run_context @logger @not_if @only_if @enclosing_provider @description @introduced @examples @validation_message @deprecated @default_description @skip_docs @executed_by_runner @action_descriptions}.freeze
     # HIDDEN_IVARS do not show up when the resource is displayed to the user as text (ie. in the error inspector output via #to_text)
-    HIDDEN_IVARS = %i{@allowed_actions @resource_name @source_line @run_context @logger @name @not_if @only_if @elapsed_time @enclosing_provider @description @introduced @examples @validation_message @deprecated @default_description @skip_docs @executed_by_runner}.freeze
+    HIDDEN_IVARS = %i{@allowed_actions @resource_name @source_line @run_context @logger @name @not_if @only_if @elapsed_time @enclosing_provider @description @introduced @examples @validation_message @deprecated @default_description @skip_docs @executed_by_runner @action_descriptions}.freeze
 
     include Chef::Mixin::ConvertToClassName
     extend Chef::Mixin::ConvertToClassName

data/lib/chef/resource/windows_certificate.rb

@@ -76,7 +76,7 @@ class Chef
         default: "MY", equal_to: ["TRUSTEDPUBLISHER", "TrustedPublisher", "CLIENTAUTHISSUER", "REMOTE DESKTOP", "ROOT", "TRUSTEDDEVICES", "WEBHOSTING", "CA", "AUTHROOT", "TRUSTEDPEOPLE", "MY", "SMARTCARDROOT", "TRUST", "DISALLOWED"]
 
       property :user_store, [TrueClass, FalseClass],
-        description: "Use the user store of the local machine store if set to false.",
+        description: "Use the `CurrentUser` store instead of the default `LocalMachine` store. Note: Prior to #{ChefUtils::Dist::Infra::CLIENT}. 16.10 this property was ignored.",
         default: false
 
       property :cert_path, String,
@@ -119,7 +119,7 @@ class Chef
         code_script << acl_script(hash)
         guard_script << cert_exists_script(hash)
 
-        powershell_script "setting the acls on #{new_resource.source} in #{cert_location}\\#{new_resource.store_name}" do
+        powershell_script "setting the acls on #{new_resource.source} in #{ps_cert_location}\\#{new_resource.store_name}" do
           convert_boolean_return true
           code code_script
           only_if guard_script
@@ -161,25 +161,47 @@ class Chef
       end
 
       action_class do
+
+        CERT_SYSTEM_STORE_LOCAL_MACHINE                    = 0x00020000
+        CERT_SYSTEM_STORE_CURRENT_USER                     = 0x00010000
+
         def add_cert(cert_obj)
-          store = ::Win32::Certstore.open(new_resource.store_name)
+          store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
           store.add(cert_obj)
         end
 
         def add_pfx_cert
           exportable = new_resource.exportable ? 1 : 0
-          store = ::Win32::Certstore.open(new_resource.store_name)
+          store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
           store.add_pfx(new_resource.source, new_resource.pfx_password, exportable)
         end
 
         def delete_cert
-          store = ::Win32::Certstore.open(new_resource.store_name)
-          store.delete(new_resource.source)
+          store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
+          store.delete(resolve_thumbprint(new_resource.source))
         end
 
         def fetch_cert
-          store = ::Win32::Certstore.open(new_resource.store_name)
-          store.get(new_resource.source)
+          store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
+          store.get(resolve_thumbprint(new_resource.source))
+        end
+
+        # Thumbprints should be exactly 40 Hex characters
+        def valid_thumbprint?(string)
+          string.scan(/\H/).empty? && string.length == 40
+        end
+
+        def get_thumbprint(store_name, location, source)
+          <<-GETTHUMBPRINTCODE
+            $content = Get-ChildItem  -Path Cert:\\#{location}\\#{store_name} | Where-Object {$_.Subject -Match "#{source}"} | Select-Object Thumbprint
+            $content.thumbprint
+          GETTHUMBPRINTCODE
+        end
+
+        def resolve_thumbprint(thumbprint)
+          return thumbprint if valid_thumbprint?(thumbprint)
+
+          powershell_exec!(get_thumbprint(new_resource.store_name, ps_cert_location, new_resource.source)).result
         end
 
         # Checks whether a certificate with the given thumbprint
@@ -187,9 +209,11 @@ class Chef
         # If the certificate is not present, verify_cert returns a String: "Certificate not found"
         # But if it is present but expired, it returns a Boolean: false
         # Otherwise, it returns a Boolean: true
+        # updated this method to accept either a subject name or a thumbprint - 1/29/2021
+
         def verify_cert(thumbprint = new_resource.source)
-          store = ::Win32::Certstore.open(new_resource.store_name)
-          store.valid?(thumbprint)
+          store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
+          store.valid?(resolve_thumbprint(thumbprint))
         end
 
         def show_or_store_cert(cert_obj)
@@ -230,13 +254,19 @@ class Chef
           out_file.close
         end
 
-        def cert_location
-          @location ||= new_resource.user_store ? "CurrentUser" : "LocalMachine"
+        # this array structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores
+        # Secondly, we need to pass the proper constant name for each store to win32-certstore but also pass the short name to powershell scripts used here
+        def ps_cert_location
+          new_resource.user_store ? "CurrentUser" : "LocalMachine"
+        end
+
+        def native_cert_location
+          new_resource.user_store ? CERT_SYSTEM_STORE_CURRENT_USER : CERT_SYSTEM_STORE_LOCAL_MACHINE
         end
 
         def cert_script(persist)
           cert_script = "$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2"
-          file = Chef::Util::PathHelper.cleanpath(new_resource.source)
+          file = Chef::Util::PathHelper.cleanpath(new_resource.source, ps_cert_location)
           cert_script << " \"#{file}\""
           if ::File.extname(file.downcase) == ".pfx"
             cert_script << ", \"#{new_resource.pfx_password}\""
@@ -252,14 +282,14 @@ class Chef
         def cert_exists_script(hash)
           <<-EOH
   $hash = #{hash}
-  Test-Path "Cert:\\#{cert_location}\\#{new_resource.store_name}\\$hash"
+  Test-Path "Cert:\\#{ps_cert_location}\\#{new_resource.store_name}\\$hash"
           EOH
         end
 
         def within_store_script
           inner_script = yield "$store"
           <<-EOH
-  $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "#{new_resource.store_name}", ([System.Security.Cryptography.X509Certificates.StoreLocation]::#{cert_location})
+  $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "#{new_resource.store_name}", ([System.Security.Cryptography.X509Certificates.StoreLocation]::#{ps_cert_location})
   $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
   #{inner_script}
   $store.Close()
@@ -273,7 +303,7 @@ class Chef
           # and from https://msdn.microsoft.com/en-us/library/windows/desktop/bb204778(v=vs.85).aspx
           set_acl_script = <<-EOH
   $hash = #{hash}
-  $storeCert = Get-ChildItem "cert:\\#{cert_location}\\#{new_resource.store_name}\\$hash"
+  $storeCert = Get-ChildItem "cert:\\#{ps_cert_location}\\#{new_resource.store_name}\\$hash"
   if ($storeCert -eq $null) { throw 'no key exists.' }
   $keyname = $storeCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
   if ($keyname -eq $null) { throw 'no private key exists.' }
@@ -340,7 +370,7 @@ class Chef
             if verify_cert(thumbprint) == true
               Chef::Log.debug("Certificate is already present")
             else
-              converge_by("Adding certificate #{new_resource.source} into Store #{new_resource.store_name}") do
+              converge_by("Adding certificate #{new_resource.source} into #{ps_cert_location} Store #{new_resource.store_name}") do
                 if is_pfx
                   add_pfx_cert
                 else

data/lib/chef/resource_inspector.rb

@@ -41,7 +41,11 @@ class Chef
       data[:description] = resource.description
       # data[:deprecated] = resource.deprecated || false
       data[:default_action] = resource.default_action
-      data[:actions] = resource.allowed_actions
+      data[:actions] = {}
+      resource.allowed_actions.each do |action|
+        data[:actions][action] = resource.action_description(action)
+      end
+
       data[:examples] = resource.examples
       data[:introduced] = resource.introduced
       data[:preview] = resource.preview_resource

data/lib/chef/shell.rb

@@ -352,13 +352,13 @@ module Shell
       puts "loading configuration: #{config_msg}"
 
       # load the config (if we have one)
-      if !config[:config_file].nil?
+      unless config[:config_file].nil?
         if File.exist?(config[:config_file]) && File.readable?(config[:config_file])
           Chef::Config.from_file(config[:config_file])
         end
 
         # even if we couldn't load that, we need to tell Chef::Config what
-        # the file was so it sets confdir and d_dir and such properly
+        # the file was so it sets conf dir and d_dir and such properly
         Chef::Config[:config_file] = config[:config_file]
 
         # now attempt to load any relevant dot-dirs

data/lib/chef/util/dsc/configuration_generator.rb

@@ -105,7 +105,7 @@ class Chef::Util::DSC
     #   The name may not be null or empty, and should start with a letter.
     def validate_configuration_name!(configuration_name)
       if !!(configuration_name =~ /\A[A-Za-z]+[_a-zA-Z0-9]*\Z/) == false
-        raise ArgumentError, 'Configuration `#{configuration_name}` is not a valid PowerShell cmdlet name'
+        raise ArgumentError, "Configuration `#{configuration_name}` is not a valid PowerShell cmdlet name"
       end
     end
 

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("..", __dir__)
-  VERSION = Chef::VersionString.new("16.9.32")
+  VERSION = Chef::VersionString.new("16.10.8")
 end
 
 #

data/spec/integration/recipes/resource_action_spec.rb

@@ -223,6 +223,10 @@ module ResourceActionSpec
           ActionJackson.succeeded = ActionJackson.ruby_block_converged
         end
 
+        action :test1, description: "Original description" do
+          true
+        end
+
         def foo_public
           "foo_public!"
         end
@@ -293,7 +297,12 @@ module ResourceActionSpec
             ActionJackalope.jackalope_ran = :access_attribute
             ActionJackalope.succeeded = ActionJackson.succeeded
           end
+
+          action :test1, description: "An old action with a new description" do
+            super
+          end
         end
+
         before do
           ActionJackalope.jackalope_ran = nil
           ActionJackalope.load_current_resource_ran = nil
@@ -344,6 +353,11 @@ module ResourceActionSpec
           expect(ActionJackalope.succeeded).to eq "foo!alope blarghle! bar!alope"
         end
 
+        it "allows overridden action to have a description separate from the action defined in the base resource" do
+          expect(ActionJackson.action_description(:test1)).to eql "Original description"
+          expect(ActionJackalope.action_description(:test1)).to eql "An old action with a new description"
+        end
+
         it "non-overridden actions run and can access overridden and non-overridden variables (but not necessarily new ones)" do
           converge do
             action_jackalope "hi" do

data/spec/unit/dsl/reboot_pending_spec.rb

@@ -57,12 +57,12 @@ describe Chef::DSL::RebootPending do
         end
 
         it "should return true if /var/run/reboot-required exists" do
-          allow(File).to receive(:exists?).with("/var/run/reboot-required").and_return(true)
+          allow(File).to receive(:exist?).with("/var/run/reboot-required").and_return(true)
           expect(recipe.reboot_pending?).to be_truthy
         end
 
         it "should return false if /var/run/reboot-required does not exist" do
-          allow(File).to receive(:exists?).with("/var/run/reboot-required").and_return(false)
+          allow(File).to receive(:exist?).with("/var/run/reboot-required").and_return(false)
           expect(recipe.reboot_pending?).to be_falsey
         end
       end

data/spec/unit/formatters/error_inspectors/resource_failure_inspector_spec.rb

@@ -115,7 +115,7 @@ describe Chef::Formatters::ErrorInspectors::ResourceFailureInspector do
         # fake code to run through #recipe_snippet
         source_file = [ "if true", "var = non_existent", "end" ]
         allow(IO).to receive(:readlines).and_return(source_file)
-        allow(File).to receive(:exists?).and_return(true)
+        allow(File).to receive(:exist?).and_return(true)
       end
 
       it "parses a Windows path" do
@@ -141,7 +141,7 @@ describe Chef::Formatters::ErrorInspectors::ResourceFailureInspector do
 
       context "when the recipe file does not exist" do
         before do
-          allow(File).to receive(:exists?).and_return(false)
+          allow(File).to receive(:exist?).and_return(false)
           allow(IO).to receive(:readlines).and_raise(Errno::ENOENT)
         end
 

data/spec/unit/knife/bootstrap_spec.rb

@@ -1726,7 +1726,8 @@ describe Chef::Knife::Bootstrap do
 
   describe "#perform_bootstrap" do
     let(:exit_status) { 0 }
-    let(:result_mock) { double("result", exit_status: exit_status, stderr: "A message") }
+    let(:stdout) { "" }
+    let(:result_mock) { double("result", exit_status: exit_status, stderr: "A message", stdout: stdout) }
 
     before do
       allow(connection).to receive(:hostname).and_return "testhost"
@@ -1739,12 +1740,13 @@ describe Chef::Knife::Bootstrap do
       expect(connection)
         .to receive(:run_command)
         .with("sh /path.sh")
-        .and_yield("output here")
+        .and_yield("output here", nil)
         .and_return result_mock
 
       expect(knife.ui).to receive(:msg).with(/testhost/)
       knife.perform_bootstrap("/path.sh")
     end
+
     context "when the remote command fails" do
       let(:exit_status) { 1 }
       it "shows an error and exits" do
@@ -1756,6 +1758,25 @@ describe Chef::Knife::Bootstrap do
         expect { knife.perform_bootstrap("/path.sh") }.to raise_error(SystemExit)
       end
     end
+
+    context "when the remote command failed due to su auth error" do
+      let(:exit_status) { 1 }
+      let(:stdout) { "su: Authentication failure" }
+      let(:connection_obj) { double("connection", transport_options: {}) }
+      it "shows an error and exits" do
+        allow(connection).to receive(:connection).and_return(connection_obj)
+        expect(knife.ui).to receive(:info).with(/Bootstrapping.*/)
+        expect(knife).to receive(:bootstrap_command)
+          .with("/path.sh")
+          .and_return("su - USER -c 'sh /path.sh'")
+        expect(connection)
+          .to receive(:run_command)
+          .with("su - USER -c 'sh /path.sh'")
+          .and_yield("output here", nil)
+          .and_raise(Train::UserError)
+        expect { knife.perform_bootstrap("/path.sh") }.to raise_error(Train::UserError)
+      end
+    end
   end
 
   describe "#connect!" do
@@ -1964,7 +1985,25 @@ describe Chef::Knife::Bootstrap do
     context "under Linux" do
       let(:linux_test) { true }
       it "prefixes the command to run under sh" do
-        expect(knife.bootstrap_command("bootstrap")).to eq "sh bootstrap"
+        expect(knife.bootstrap_command("bootstrap.sh")).to eq "sh bootstrap.sh"
+      end
+
+      context "with --su-user option" do
+        let(:connection_obj) { double("connection", transport_options: {}) }
+        before do
+          knife.config[:su_user] = "root"
+          allow(connection).to receive(:connection).and_return(connection_obj)
+        end
+        it "prefixes the command to run using su -USER -c" do
+          expect(knife.bootstrap_command("bootstrap.sh")).to eq "su - #{knife.config[:su_user]} -c 'sh bootstrap.sh'"
+          expect(connection_obj.transport_options.key?(:pty)).to eq true
+        end
+
+        it "sudo appended if --sudo option enabled" do
+          knife.config[:use_sudo] = true
+          expect(knife.bootstrap_command("bootstrap.sh")).to eq "sudo su - #{knife.config[:su_user]} -c 'sh bootstrap.sh'"
+          expect(connection_obj.transport_options.key?(:pty)).to eq true
+        end
       end
     end
   end

data/spec/unit/knife/supermarket_share_spec.rb

@@ -46,7 +46,9 @@ describe Chef::Knife::SupermarketShare do
 
     allow(@knife).to receive(:shell_out!).and_return(true)
     @stdout = StringIO.new
+    @stderr = StringIO.new
     allow(@knife.ui).to receive(:stdout).and_return(@stdout)
+    allow(@knife.ui).to receive(:stderr).and_return(@stderr)
   end
 
   describe "run" do
@@ -140,7 +142,9 @@ describe Chef::Knife::SupermarketShare do
       before do
         allow(Chef::CookbookSiteStreamingUploader).to receive(:create_build_dir).and_return("/var/tmp/dummy")
         @knife.config = { dry_run: true }
-        allow(@knife).to receive_message_chain(:shell_out!, :stdout).and_return("file")
+        @so = instance_double("Mixlib::ShellOut")
+        allow(@knife).to receive(:shell_out!).and_return(@so)
+        allow(@so).to receive(:stdout).and_return("file")
       end
 
       it "should list files in the tarball" do
@@ -151,7 +155,6 @@ describe Chef::Knife::SupermarketShare do
       end
 
       it "does not upload the cookbook" do
-        allow(@knife).to receive(:shell_out!).and_return(true)
         expect(@knife).not_to receive(:do_upload)
         @knife.run
       end
@@ -164,10 +167,6 @@ describe Chef::Knife::SupermarketShare do
       @upload_response = double("Net::HTTPResponse")
       allow(Chef::CookbookSiteStreamingUploader).to receive(:post).and_return(@upload_response)
 
-      @stdout = StringIO.new
-      @stderr = StringIO.new
-      allow(@knife.ui).to receive(:stdout).and_return(@stdout)
-      allow(@knife.ui).to receive(:stderr).and_return(@stderr)
       allow(File).to receive(:open).and_return(true)
     end
 

data/spec/unit/provider/package/dnf/python_helper_spec.rb

@@ -19,11 +19,17 @@ require "spec_helper"
 
 # NOTE: most of the tests of this functionality are baked into the func tests for the dnf package provider
 
-describe Chef::Provider::Package::Dnf::PythonHelper do
+# run this test only for following platforms.
+exclude_test = !(%w{rhel fedora amazon}.include?(ohai[:platform_family]) && File.exist?("/usr/bin/dnf"))
+describe Chef::Provider::Package::Dnf::PythonHelper, :requires_root, external: exclude_test do
   let(:helper) { Chef::Provider::Package::Dnf::PythonHelper.instance }
 
   it "propagates stacktraces on stderr from the forked subprocess", :rhel do
     allow(helper).to receive(:dnf_command).and_return("ruby -e 'raise \"your hands in the air\"'")
     expect { helper.package_query(:whatprovides, "tcpdump") }.to raise_error(/your hands in the air/)
   end
+
+  it "compares EVRAs with dots in the release correctly" do
+    expect(helper.compare_versions("0:1.8.29-6.el8.x86_64", "0:1.8.29-6.el8_3.1.x86_64")).to eql(-1)
+  end
 end

data/spec/unit/resource_inspector_spec.rb

@@ -28,7 +28,11 @@ class DummyResource < Chef::Resource
   introduced "14.0"
   property :first, String, description: "My First Property", introduced: "14.0"
 
-  action :dummy do
+  action :dummy, description: "Dummy action" do
+    return true
+  end
+
+  action :dummy_no_desc do
     return true
   end
 end
@@ -39,7 +43,8 @@ describe Chef::ResourceInspector do
 
     it "returns a hash with required data" do
       expect(subject[:description]).to eq "A dummy resource"
-      expect(subject[:actions]).to match_array %i{nothing dummy}
+      expect(subject[:actions]).to eq({ nothing: nil, dummy: "Dummy action",
+                                        dummy_no_desc: nil })
     end
 
     context "excluding built in properties" do

data/spec/unit/resource_spec.rb

@@ -1162,6 +1162,52 @@ describe Chef::Resource do
     end
   end
 
+  describe "#action_description" do
+    class TestResource < ::Chef::Resource
+      action :symbol_action, description: "a symbol test" do; end
+      action "string_action", description: "a string test" do; end
+      action :base_action0 do; end
+      action :base_action1, description: "unmodified base action 1 desc" do; end
+      action :base_action2, description: "unmodified base action 2 desc" do; end
+      action :base_action3, description: "unmodified base action 3 desc" do; end
+    end
+
+    it "returns nil when no description was provided for the action" do
+      expect(TestResource.action_description(:base_action0)).to eql(nil)
+    end
+
+    context "when action definition is a string" do
+      it "returns the description whether a symbol or string is used to look it up" do
+        expect(TestResource.action_description("string_action")).to eql("a string test")
+        expect(TestResource.action_description(:string_action)).to eql("a string test")
+      end
+    end
+
+    context "when action definition is a symbol" do
+      it "returns the description whether a symbol or string is used to look up" do
+        expect(TestResource.action_description("symbol_action")).to eql("a symbol test")
+        expect(TestResource.action_description(:symbol_action)).to eql("a symbol test")
+      end
+    end
+
+    context "when inheriting from an existing resource" do
+      class TestResourceChild < TestResource
+        action :base_action2, description: "modified base action 2 desc" do; end
+        action :base_action3 do; end
+      end
+
+      it "returns original description when a described action is not overridden in child resource" do
+        expect(TestResourceChild.action_description(:base_action1)).to eq "unmodified base action 1 desc"
+      end
+      it "returns original description when the child resource overrides an inherited action but NOT its description" do
+        expect(TestResourceChild.action_description(:base_action3)).to eq "unmodified base action 3 desc"
+      end
+      it "returns new description when the child resource overrides an inherited action and its description" do
+        expect(TestResourceChild.action_description(:base_action2)).to eq "modified base action 2 desc"
+      end
+    end
+  end
+
   describe ".default_action" do
     let(:default_action) {}
     let(:resource_class) do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chef
 version: !ruby/object:Gem::Version
-  version: 16.9.32
+  version: 16.10.8
 platform: ruby
 authors:
 - Adam Jacob
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-01-27 00:00:00.000000000 Z
+date: 2021-02-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-config
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 16.9.32
+        version: 16.10.8
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 16.9.32
+        version: 16.10.8
 - !ruby/object:Gem::Dependency
   name: chef-utils
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 16.9.32
+        version: 16.10.8
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 16.9.32
+        version: 16.10.8
 - !ruby/object:Gem::Dependency
   name: train-core
   requirement: !ruby/object:Gem::Requirement