chef 16.14.1 → 16.15.22

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1c9b7fb70681334021fb8862c446ed789da0782c21a3eecaf332dbe2d6b140fa
-  data.tar.gz: 2324b707db73fa2b895253c881911713e59b72905055590dcef5bcf63e1105db
+  metadata.gz: 1a4e36c5d41c9a10ddd1c3ba836ba3a897b3808bb78f6d354be83ec14babd687
+  data.tar.gz: 35c05384479bbdb4a4e122207d82fb805fc15e19526567e04f049f909b359d45
 SHA512:
-  metadata.gz: bf4e6692007a79c0ee84b88a10bd9f9a31df1458cbd00ae99922cca8a4c880a5739da83d103e44a263b55f035e8a7a822de84355bdf1124a4048b82f79649ae9
-  data.tar.gz: 4b296a37c1a5444c3100c31bb61c92e27c799b0082d8d8da3925eed2c641aa5faeea4c76127b2ec8c8c09ffacf1e610891a87138ce53e675d4c81fc1f1aaa353
+  metadata.gz: cae2c4ce1e95cd8271eff16cd91947ee2bfce33413049f4e7db513ce3d837c741d96eec891460ff14e7f4d7183c70022ca4c541c84af60a0a6b63bfa9fa90657
+  data.tar.gz: e003bd87fa50c8082234346bb697764769e13c71861390d10a91d67b558d99cb97b254ca3af22acc5a395641c7ad9f6111846a136f6f5fd0e2ff326084266bca

data/lib/chef/cookbook_version.rb

@@ -138,11 +138,14 @@ class Chef
     end
 
     def recipe_yml_filenames_by_name
-      @recipe_ym_filenames_by_name ||= begin
+      @recipe_yml_filenames_by_name ||= begin
         name_map = yml_filenames_by_name(files_for("recipes"))
-        root_alias = cookbook_manifest.root_files.find { |record| record[:name] == "root_files/recipe.yml" }
+        root_alias = cookbook_manifest.root_files.find { |record|
+          record[:name] == "root_files/recipe.yml" ||
+            record[:name] == "root_files/recipe.yaml"
+        }
         if root_alias
-          Chef::Log.error("Cookbook #{name} contains both recipe.yml and and recipes/default.yml, ignoring recipes/default.yml") if name_map["default"]
+          Chef::Log.error("Cookbook #{name} contains both recipe.yml and recipes/default.yml, ignoring recipes/default.yml") if name_map["default"]
           name_map["default"] = root_alias[:full_path]
         end
         name_map
@@ -582,8 +585,27 @@ class Chef
       records.select { |record| record[:name] =~ /\.rb$/ }.inject({}) { |memo, record| memo[File.basename(record[:name], ".rb")] = record[:full_path]; memo }
     end
 
+    # Filters YAML files from the superset of provided files.
+    # Checks for duplicate basenames with differing extensions (eg yaml v yml)
+    # and raises error if any are detected.
+    # This prevents us from arbitrarily the ".yaml" or ".yml" version when both are present,
+    # because we don't know which is correct.
+    # This method runs in O(n^2) where N = number of yml files present. This number should be consistently
+    # low enough that there's no noticeable perf impact.
     def yml_filenames_by_name(records)
-      records.select { |record| record[:name] =~ /\.yml$/ }.inject({}) { |memo, record| memo[File.basename(record[:name], ".yml")] = record[:full_path]; memo }
+      yml_files = records.select { |record| record[:name] =~ /\.(y[a]?ml)$/ }
+      result = yml_files.inject({}) do |acc, record|
+        filename = record[:name]
+        base_dup_name = File.join(File.dirname(filename), File.basename(filename, File.extname(filename)))
+        yml_files.each do |other|
+          if other[:name] =~ /#{(File.extname(filename) == ".yml") ? "#{base_dup_name}.yaml" : "#{base_dup_name}.yml"}$/
+            raise Chef::Exceptions::AmbiguousYAMLFile.new("Cookbook #{name}@#{version} contains ambiguous files: #{filename} and #{other[:name]}. Please update the cookbook to remove the incorrect file.")
+          end
+        end
+        acc[File.basename(record[:name], File.extname(record[:name]))] = record[:full_path]
+        acc
+      end
+      result
     end
 
     def file_vendor

data/lib/chef/data_collector/run_end_message.rb

@@ -51,7 +51,7 @@ class Chef
             "id" => run_status&.run_id,
             "message_version" => "1.1.0",
             "message_type" => "run_converge",
-            "node" => node || {},
+            "node" => node&.data_for_save || {},
             "node_name" => node&.name || data_collector.node_name,
             "organization_name" => organization,
             "resources" => all_action_records(action_collection),

data/lib/chef/deprecated.rb

@@ -79,10 +79,12 @@ class Chef
         return true if location =~ /^(.*?):(\d+):in/ && begin
           # Don't buffer the whole file in memory, so read it one line at a time.
           line_no = $2.to_i
-          location_file = ::File.open($1)
-          (line_no - 1).times { location_file.readline } # Read all the lines we don't care about.
-          relevant_line = location_file.readline
-          relevant_line.match?(/#.*chef:silence_deprecation($|[^:]|:#{self.class.deprecation_key})/)
+          if File.exist?($1) # some stacktraces come from `eval` and not a file
+            location_file = ::File.open($1)
+            (line_no - 1).times { location_file.readline } # Read all the lines we don't care about.
+            relevant_line = location_file.readline
+            relevant_line.match?(/#.*chef:silence_deprecation($|[^:]|:#{self.class.deprecation_key})/)
+          end
         end
 
         false
@@ -249,6 +251,14 @@ class Chef
       target 32
     end
 
+    class PolicyfileCompatMode < Base
+      target 35
+    end
+
+    class AttributeWhitelistConfiguration < Base
+      target 34
+    end
+
     class Generic < Base
       def url
         "https://docs.chef.io/chef_deprecations_client/"

data/lib/chef/exceptions.rb

@@ -174,6 +174,9 @@ class Chef
     class CannotDetermineWindowsInstallerType < Package; end
     class NoWindowsPackageSource < Package; end
 
+    # for example, if both recipes/default.yml, recipes/default.yaml are present
+    class AmbiguousYAMLFile < RuntimeError; end
+
     # Can not create staging file during file deployment
     class FileContentStagingError < RuntimeError
       def initialize(errors)

data/lib/chef/formatters/error_mapper.rb

@@ -27,7 +27,7 @@ class Chef
       # Failed to register this client with the server.
       def self.registration_failed(node_name, exception, config)
         error_inspector = ErrorInspectors::RegistrationErrorInspector.new(node_name, exception, config)
-        headline = "Chef encountered an error attempting to create the client \"#{node_name}\""
+        headline = "Chef Infra Client encountered an error attempting to create the client \"#{node_name}\""
         description = ErrorDescription.new(headline)
         error_inspector.add_explanation(description)
         description
@@ -35,7 +35,7 @@ class Chef
 
       def self.node_load_failed(node_name, exception, config)
         error_inspector = ErrorInspectors::NodeLoadErrorInspector.new(node_name, exception, config)
-        headline = "Chef encountered an error attempting to load the node data for \"#{node_name}\""
+        headline = "Chef Infra Client encountered an error attempting to load the node data for \"#{node_name}\""
         description = ErrorDescription.new(headline)
         error_inspector.add_explanation(description)
         description

data/lib/chef/http.rb

@@ -423,7 +423,7 @@ class Chef
           if response.is_a?(Net::HTTPServerError) && !Chef::Config.local_mode
             if http_retry_count - http_attempts >= 0
               sleep_time = 1 + (2**http_attempts) + rand(2**http_attempts)
-              Chef::Log.error("Server returned error #{response.code} for #{url}, retrying #{http_attempts}/#{http_retry_count} in #{sleep_time}s")
+              Chef::Log.warn("Server returned error #{response.code} for #{url}, retrying #{http_attempts}/#{http_retry_count} in #{sleep_time}s") # Updated from error to warn
               sleep(sleep_time)
               redo
             end
@@ -432,7 +432,7 @@ class Chef
         end
       rescue SocketError, Errno::ETIMEDOUT, Errno::ECONNRESET => e
         if http_retry_count - http_attempts >= 0
-          Chef::Log.error("Error connecting to #{url}, retry #{http_attempts}/#{http_retry_count}")
+          Chef::Log.warn("Error connecting to #{url}, retry #{http_attempts}/#{http_retry_count}") # Updated from error to warn
           sleep(http_retry_delay)
           retry
         end
@@ -440,21 +440,21 @@ class Chef
         raise e
       rescue Errno::ECONNREFUSED
         if http_retry_count - http_attempts >= 0
-          Chef::Log.error("Connection refused connecting to #{url}, retry #{http_attempts}/#{http_retry_count}")
+          Chef::Log.warn("Connection refused connecting to #{url}, retry #{http_attempts}/#{http_retry_count}") # Updated from error to warn
           sleep(http_retry_delay)
           retry
         end
         raise Errno::ECONNREFUSED, "Connection refused connecting to #{url}, giving up"
       rescue Timeout::Error
         if http_retry_count - http_attempts >= 0
-          Chef::Log.error("Timeout connecting to #{url}, retry #{http_attempts}/#{http_retry_count}")
+          Chef::Log.warn("Timeout connecting to #{url}, retry #{http_attempts}/#{http_retry_count}") # Updated from error to warn
           sleep(http_retry_delay)
           retry
         end
         raise Timeout::Error, "Timeout connecting to #{url}, giving up"
       rescue OpenSSL::SSL::SSLError => e
         if (http_retry_count - http_attempts >= 0) && !e.message.include?("certificate verify failed")
-          Chef::Log.error("SSL Error connecting to #{url}, retry #{http_attempts}/#{http_retry_count}")
+          Chef::Log.warn("SSL Error connecting to #{url}, retry #{http_attempts}/#{http_retry_count}") # Updated from error to warn
           sleep(http_retry_delay)
           retry
         end

data/lib/chef/node.rb

@@ -687,6 +687,25 @@ class Chef
       name <=> other.name
     end
 
+    # Returns hash of node data with attributes based on whitelist/blacklist rules.
+    def data_for_save
+      data = for_json
+      %w{automatic default normal override}.each do |level|
+        allowlist = allowlist_or_whitelist_config(level)
+        unless allowlist.nil? # nil => save everything
+          logger.info("Allowing #{level} node attributes for save.")
+          data[level] = Chef::AttributeAllowlist.filter(data[level], allowlist)
+        end
+
+        blocklist = blocklist_or_blacklist_config(level)
+        unless blocklist.nil? # nil => remove nothing
+          logger.info("Blocking #{level} node attributes for save")
+          data[level] = Chef::AttributeBlocklist.filter(data[level], blocklist)
+        end
+      end
+      data
+    end
+
     private
 
     def save_without_policyfile_attrs
@@ -712,7 +731,7 @@ class Chef
     # @param [String] level the attribute level
     def allowlist_or_whitelist_config(level)
       if Chef::Config["#{level}_attribute_whitelist".to_sym]
-        Chef.deprecated(:attribute_blacklist_configuration, "Attribute whitelist configurations have been deprecated. Use the allowed_LEVEL_attribute configs instead")
+        Chef.deprecated(:attribute_whitelist_configuration, "Attribute whitelist configurations have been deprecated. Use the allowed_LEVEL_attribute configs instead")
         Chef::Config["#{level}_attribute_whitelist".to_sym]
       else
         Chef::Config["allowed_#{level}_attributes".to_sym]
@@ -732,24 +751,6 @@ class Chef
       end
     end
 
-    def data_for_save
-      data = for_json
-      %w{automatic default normal override}.each do |level|
-        allowlist = allowlist_or_whitelist_config(level)
-        unless allowlist.nil? # nil => save everything
-          logger.info("Allowing #{level} node attributes for save.")
-          data[level] = Chef::AttributeAllowlist.filter(data[level], allowlist)
-        end
-
-        blocklist = blocklist_or_blacklist_config(level)
-        unless blocklist.nil? # nil => remove nothing
-          logger.info("Blocking #{level} node attributes for save")
-          data[level] = Chef::AttributeBlocklist.filter(data[level], blocklist)
-        end
-      end
-      data
-    end
-
     # Returns a UUID that uniquely identifies this node for reporting reasons.
     #
     # The node is read in from disk if it exists, or it's generated if it does

data/lib/chef/policy_builder/policyfile.rb

@@ -148,6 +148,11 @@ class Chef
         # consume_external_attrs may add items to the run_list. Save the
         # expanded run_list, which we will pass to the server later to
         # determine which versions of cookbooks to use.
+
+        unless Chef::Config[:policy_document_native_api]
+          Chef.deprecated(:policyfile_compat_mode, "The chef-server 11 policyfile compat mode is deprecated, please set policy_document_native_api to true in your config")
+        end
+
         node.reset_defaults_and_overrides
 
         node.consume_external_attrs(ohai_data, json_attribs)

data/lib/chef/provider/group/dscl.rb

@@ -158,7 +158,7 @@ class Chef
           if new_resource.group_name && (current_resource.group_name != new_resource.group_name)
             dscl_create_group
           end
-          if new_resource.gid && (current_resource.gid != new_resource.gid)
+          if new_resource.gid && (current_resource.gid != new_resource.gid.to_s)
             set_gid
           end
           if new_resource.members || new_resource.excluded_members

data/lib/chef/provider/package/powershell.rb

@@ -124,6 +124,11 @@ class Chef
           command.push("-RequiredVersion #{version}") if version
           command.push("-Source #{new_resource.source}") if new_resource.source && cmdlet_name =~ Regexp.union(/Install-Package/, /Find-Package/)
           command.push("-SkipPublisherCheck") if new_resource.skip_publisher_check && cmdlet_name !~ /Find-Package/
+          if new_resource.options && cmdlet_name !~ Regexp.union(/Get-Package/, /Find-Package/)
+            new_resource.options.each do |arg|
+              command.push(arg) unless command.include?(arg)
+            end
+          end
           command.push(").Version")
           command.join(" ")
         end

data/lib/chef/provider/template/content.rb

@@ -65,7 +65,7 @@ class Chef
           context[:template_finder] = template_finder
 
           # helper variables
-          context[:cookbook_name] = new_resource.cookbook_name unless context.keys.include?(:coookbook_name)
+          context[:cookbook_name] = new_resource.cookbook_name unless context.keys.include?(:cookbook_name)
           context[:recipe_name] = new_resource.recipe_name unless context.keys.include?(:recipe_name)
           context[:recipe_line_string] = new_resource.source_line unless context.keys.include?(:recipe_line_string)
           context[:recipe_path] = new_resource.source_line_file unless context.keys.include?(:recipe_path)

data/lib/chef/resource/homebrew_cask.rb

@@ -34,7 +34,7 @@ class Chef
 
       property :cask_name, String,
         description: "An optional property to set the cask name if it differs from the resource block's name.",
-        regex: %r{^[\w/-]+$},
+        regex: %r{^[\w/\-@]+$},
         validation_message: "The provided Homebrew cask name is not valid. Cask names can contain alphanumeric characters, _, -, or / only!",
         name_property: true
 
@@ -54,9 +54,12 @@ class Chef
         default: lazy { find_homebrew_username }
 
       action :install do
-        description "Install an application packaged as a Homebrew cask."
-
-        homebrew_tap "homebrew/cask" if new_resource.install_cask
+        if new_resource.install_cask
+          homebrew_tap "homebrew/cask" do
+            homebrew_path new_resource.homebrew_path
+            owner new_resource.owner
+          end
+        end
 
         unless casked?
           converge_by("install cask #{new_resource.cask_name} #{new_resource.options}") do
@@ -69,9 +72,12 @@ class Chef
       end
 
       action :remove do
-        description "Remove an application packaged as a Homebrew cask."
-
-        homebrew_tap "homebrew/cask" if new_resource.install_cask
+        if new_resource.install_cask
+          homebrew_tap "homebrew/cask" do
+            homebrew_path new_resource.homebrew_path
+            owner new_resource.owner
+          end
+        end
 
         if casked?
           converge_by("uninstall cask #{new_resource.cask_name}") do

data/lib/chef/resource/mount.rb

@@ -41,7 +41,7 @@ class Chef
         sensitive: true
 
       property :mount_point, String, name_property: true,
-               coerce: proc { |arg| arg.chomp("/") }, # Removed "/" from the end of str, because it was causing idempotency issue.
+               coerce: proc { |arg| (arg == "/" || arg.match?(":/$")) ? arg : arg.chomp("/") }, # Removed "/" from the end of str, because it was causing idempotency issue.
                description: "The directory (or path) in which the device is to be mounted. Defaults to the name of the resource block if not provided."
 
       property :device, String, identity: true,

data/lib/chef/resource/rhsm_subscription.rb

@@ -34,11 +34,11 @@ class Chef
       action :attach do
         description "Attach the node to a subscription pool."
 
-        execute "Attach subscription pool #{new_resource.pool_id}" do
-          command "subscription-manager attach --pool=#{new_resource.pool_id}"
-          default_env true
-          action :run
-          not_if { subscription_attached?(new_resource.pool_id) }
+        unless subscription_attached?(new_resource.pool_id)
+          converge_by("attach subscription pool #{new_resource.pool_id}") do
+            shell_out!("subscription-manager attach --pool=#{new_resource.pool_id}")
+            build_resource(:package, "rhsm_subscription-#{new_resource.pool_id}-flush_cache").run_action(:flush_cache)
+          end
         end
       end
 

data/lib/chef/resource/support/client.erb

@@ -22,6 +22,12 @@
 <% next if instance_variable_get(prop).nil? || instance_variable_get(prop).empty? -%>
 <%=prop.delete_prefix("@") %> <%= instance_variable_get(prop).inspect %>
 <% end -%>
+<%# ohai_disabled_plugins and ohai_optional_plugins properties don't match the config value perfectly-%>
+<% %w(@ohai_disabled_plugins
+      @ohai_optional_plugins).each do |prop| -%>
+<% next if instance_variable_get(prop).nil? || instance_variable_get(prop).empty? -%>
+<%=prop.gsub("@ohai_", "ohai.") %> <%= instance_variable_get(prop).inspect %>
+<% end -%>
 <%# log_location is special due to STDOUT/STDERR from String -> IO Object -%>
 <% unless @log_location.nil? %>
   <% if @log_location.is_a?(String) && %w(STDOUT STDERR).include?(@log_location) -%>

data/lib/chef/resource/systemd_unit.rb

@@ -113,7 +113,7 @@ class Chef
         when Hash
           IniParse.gen do |doc|
             content.each_pair do |sect, opts|
-              doc.section(sect) do |section|
+              doc.section(sect, { option_sep: "=" }) do |section|
                 opts.each_pair do |opt, val|
                   [val].flatten.each do |v|
                     section.option(opt, v)

data/lib/chef/resource/user_ulimit.rb

@@ -83,6 +83,7 @@ class Chef
           source ::File.expand_path("support/ulimit.erb", __dir__)
           local true
           mode "0644"
+          sensitive new_resource.sensitive
           variables(
             ulimit_user: new_resource.username,
             filehandle_limit: new_resource.filehandle_limit,

data/lib/chef/resource/windows_security_policy.rb

@@ -17,6 +17,7 @@
 # limitations under the License.
 
 require_relative "../resource"
+require "tempfile" unless defined?(Tempfile)
 
 class Chef
   class Resource
@@ -27,6 +28,7 @@ class Chef
 
       # The valid policy_names options found here
       # https://github.com/ChrisAWalker/cSecurityOptions under 'AccountSettings'
+      # This needs to be revisited - the list at the link above is non-exhaustive and is missing a couple of items
       policy_names = %w{LockoutDuration
                         MaximumPasswordAge
                         MinimumPasswordAge
@@ -35,6 +37,8 @@ class Chef
                         PasswordHistorySize
                         LockoutBadCount
                         ResetLockoutCount
+                        AuditPolicyChange
+                        LockoutDuration
                         RequireLogonToChangePassword
                         ForceLogoffWhenHourExpire
                         NewAdministratorName
@@ -43,7 +47,7 @@ class Chef
                         LSAAnonymousNameLookup
                         EnableAdminAccount
                         EnableGuestAccount
-                       }
+                      }
       description "Use the **windows_security_policy** resource to set a security policy on the Microsoft Windows platform."
       introduced "16.0"
 
@@ -83,6 +87,55 @@ class Chef
       description: "Policy value to be set for policy name."
 
       load_current_value do |desired|
+        current_state = load_security_options
+
+        if desired.secoption == "ResetLockoutCount"
+          if desired.secvalue.to_i > 30
+            raise Chef::Exceptions::ValidationFailed, "The \"ResetLockoutCount\" value cannot be greater than 30 minutes"
+          end
+        end
+        if (desired.secoption == "ResetLockoutCount" || desired.secoption == "LockoutDuration") && current_state["LockoutBadCount"] == "0"
+          raise Chef::Exceptions::ValidationFailed, "#{desired.secoption} cannot be set unless the \"LockoutBadCount\" security policy has been set to a non-zero value"
+        end
+
+        secvalue current_state[desired.secoption.to_s]
+      end
+
+      action :set do
+        converge_if_changed :secvalue do
+          security_option = new_resource.secoption
+          security_value = new_resource.secvalue
+
+          file = Tempfile.new(["#{security_option}", ".inf"])
+          case security_option
+          when "LockoutBadCount"
+            cmd = "net accounts /LockoutThreshold:#{security_value}"
+          when "ResetLockoutCount"
+            cmd = "net accounts /LockoutWindow:#{security_value}"
+          when "LockoutDuration"
+            cmd = "net accounts /LockoutDuration:#{security_value}"
+          when "NewAdministratorName", "NewGuestName"
+            policy_line = "#{security_option} = \"#{security_value}\""
+            file.write("[Unicode]\r\nUnicode=yes\r\n[System Access]\r\n#{policy_line}\r\n[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n")
+            file.close
+            file_path = file.path.gsub("/", '\\')
+            cmd = "C:\\Windows\\System32\\secedit /configure /db C:\\windows\\security\\new.sdb /cfg #{file_path} /areas SECURITYPOLICY"
+          else
+            policy_line = "#{security_option} = #{security_value}"
+            file.write("[Unicode]\r\nUnicode=yes\r\n[System Access]\r\n#{policy_line}\r\n[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n")
+            file.close
+            file_path = file.path.gsub("/", '\\')
+            cmd = "C:\\Windows\\System32\\secedit /configure /db C:\\windows\\security\\new.sdb /cfg #{file_path} /areas SECURITYPOLICY"
+          end
+          shell_out!(cmd)
+          file.unlink
+        end
+      end
+
+      private
+
+      # Loads powershell to get current state on security options
+      def load_security_options
         powershell_code = <<-CODE
           C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\secopts_export.inf | Out-Null
           # cspell:disable-next-line
@@ -108,44 +161,7 @@ class Chef
             LockoutBadCount = $security_options_hash.LockoutBadCount
           })
         CODE
-        output = powershell_exec(powershell_code)
-        current_value_does_not_exist! if output.result.empty?
-        state = output.result
-
-        if desired.secoption == "ResetLockoutCount" || desired.secoption == "LockoutDuration"
-          if state["LockoutBadCount"] == "0"
-            raise Chef::Exceptions::ValidationFailed.new "#{desired.secoption} cannot be set unless the \"LockoutBadCount\" security policy has been set to a non-zero value"
-          else
-            secvalue state[desired.secoption.to_s]
-          end
-        else
-          secvalue state[desired.secoption.to_s]
-        end
-      end
-
-      action :set do
-        converge_if_changed :secvalue do
-          security_option = new_resource.secoption
-          security_value = new_resource.secvalue
-
-          cmd = <<-EOH
-            $security_option = "#{security_option}"
-            C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf
-            if ( ($security_option -match "NewGuestName") -Or ($security_option -match "NewAdministratorName") )
-              {
-                $#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace '#{security_option}\\s*=\\s*\\"\\w*\\"', '#{security_option} = "#{security_value}"' } | Set-Content $env:TEMP\\#{security_option}_Export.inf
-                C:\\Windows\\System32\\secedit /configure /db $env:windir\\security\\new.sdb /cfg $env:TEMP\\#{security_option}_Export.inf /areas SECURITYPOLICY
-              }
-            else
-              {
-                $#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace "#{security_option}\\s*=\\s*\\d*", "#{security_option} = #{security_value}" } | Set-Content $env:TEMP\\#{security_option}_Export.inf
-                C:\\Windows\\System32\\secedit /configure /db $env:windir\\security\\new.sdb /cfg $env:TEMP\\#{security_option}_Export.inf /areas SECURITYPOLICY
-              }
-            Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
-          EOH
-
-          powershell_exec!(cmd)
-        end
+        powershell_exec(powershell_code).result
       end
     end
   end

data/lib/chef/resource/windows_uac.rb

@@ -106,7 +106,9 @@ class Chef
         #
         # @return [Integer]
         def consent_behavior_users_symbol_to_reg(sym)
-          %i{auto_deny secure_prompt_for_creds prompt_for_creds}.index(sym)
+          # Since 2 isn't a valid value for ConsentPromptBehaviorUser, assign the value at index as nil.
+          # https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#registry-key-settings
+          [:auto_deny, :secure_prompt_for_creds, nil, :prompt_for_creds].index(sym)
         end
       end
     end

data/lib/chef/resource/windows_user_privilege.rb

@@ -139,7 +139,7 @@ class Chef
         coerce: proc { |v| Array(v) },
         callbacks: {
           "Privilege property restricted to the following values: #{PRIVILEGE_OPTS}" => lambda { |n| (n - PRIVILEGE_OPTS).empty? },
-        }
+        }, identity: true
 
       load_current_value do |new_resource|
         if new_resource.principal && (new_resource.action.include?(:add) || new_resource.action.include?(:remove))

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("..", __dir__)
-  VERSION = Chef::VersionString.new("16.14.1")
+  VERSION = Chef::VersionString.new("16.15.22")
 end
 
 #

data/lib/chef/win32/api.rb

@@ -43,6 +43,8 @@ class Chef
 
         host.ffi_convention :stdcall
 
+        win64 = ENV["PROCESSOR_ARCHITECTURE"] == "AMD64" || ENV["PROCESSOR_ARCHITEW6432"] == "AMD64"
+
         # Windows-specific type defs (ms-help://MS.MSDNQTR.v90.en/winprog/winprog/windows_data_types.htm):
         host.typedef :ushort,  :ATOM # Atom ~= Symbol: Atom table stores strings and corresponding identifiers. Application
         # places a string in an atom table and receives a 16-bit integer, called an atom, that
@@ -120,10 +122,15 @@ class Chef
         host.typedef :int32,   :LONG32 # 32-bit signed integer. The range is -2,147,483,648 through +...647 decimal.
         host.typedef :int64,   :LONG64 # 64-bit signed integer. The range is –9,223,372,036,854,775,808 through +...807
         host.typedef :int64,   :LONGLONG # 64-bit signed integer. The range is –9,223,372,036,854,775,808 through +...807
-        host.typedef :long,    :LONG_PTR # Signed long type for pointer precision. Use when casting a pointer to a long to
         # perform pointer arithmetic. BaseTsd.h:
         # if defined(_WIN64) host.typedef __int64 LONG_PTR; #else host.typedef long LONG_PTR;
-        host.typedef :long,    :LPARAM # Message parameter. WinDef.h as follows: #host.typedef LONG_PTR LPARAM;
+        if win64
+          host.typedef :int64,    :LONG_PTR # Signed long type for pointer precision. Use when casting a pointer to a long to
+          host.typedef :int64,    :LPARAM # Message parameter. WinDef.h as follows: #host.typedef LONG_PTR LPARAM;
+        else
+          host.typedef :long,    :LONG_PTR # Signed long type for pointer precision. Use when casting a pointer to a long to
+          host.typedef :long,    :LPARAM # Message parameter. WinDef.h as follows: #host.typedef LONG_PTR LPARAM;
+        end
         host.typedef :pointer, :LPBOOL # Pointer to a BOOL. WinDef.h as follows: #host.typedef BOOL far *LPBOOL;
         host.typedef :pointer, :LPBYTE # Pointer to a BYTE. WinDef.h as follows: #host.typedef BYTE far *LPBYTE;
         host.typedef :pointer, :LPCOLORREF # Pointer to a COLORREF value. WinDef.h as follows: #host.typedef DWORD *LPCOLORREF;

data/spec/functional/resource/group_spec.rb

@@ -44,6 +44,10 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
       members.shift # Get rid of GroupMembership: string
       members.include?(user)
     else
+      # TODO For some reason our temporary AIX 7.2 system does not correctly report group membership immediately after changes have been made.
+      # Adding a 2 second delay for this platform is enough to get correct results.
+      # We hope to remove this delay after we get more permanent AIX 7.2 systems in our CI pipeline. reference: https://github.com/chef/release-engineering/issues/1617
+      sleep 2 if aix? && (ohai[:platform_version] == "7.2")
       Etc.getgrnam(group_name).mem.include?(user)
     end
   end
@@ -181,7 +185,7 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
 
     describe "when the users exist" do
       before do
-        high_uid = 30000
+        high_uid = 40000
         (spec_members).each do |member|
           remove_user(member)
           create_user(member, high_uid)

data/spec/functional/resource/link_spec.rb

@@ -345,9 +345,17 @@ describe Chef::Resource::Link do
             let(:test_user) { "test-link-user" }
             before do
               user(test_user).run_action(:create)
+              # TODO For some reason our temporary AIX 7.2 system does not correctly report user existence immediately after changes have been made.
+              # Adding a 2 second delay for this platform is enough to get correct results.
+              # We hope to remove this delay after we get more permanent AIX 7.2 systems in our CI pipeline. reference: https://github.com/chef/release-engineering/issues/1617
+              sleep 2 if aix? && (ohai[:platform_version] == "7.2")
             end
             after do
               user(test_user).run_action(:remove)
+              # TODO For some reason our temporary AIX 7.2 system does not correctly report user existence immediately after changes have been made.
+              # Adding a 2 second delay for this platform is enough to get correct results.
+              # We hope to remove this delay after we get more permanent AIX 7.2 systems in our CI pipeline. reference: https://github.com/chef/release-engineering/issues/1617
+              sleep 2 if aix? && (ohai[:platform_version] == "7.2")
             end
             before(:each) do
               resource.owner(test_user)

data/spec/unit/cookbook_version_spec.rb

@@ -41,7 +41,59 @@ describe Chef::CookbookVersion do
     it "has empty metadata" do
       expect(cookbook_version.metadata).to eq(Chef::Cookbook::Metadata.new)
     end
+  end
+
+  describe "#recipe_yml_filenames_by_name" do
+    let(:cookbook_version) { Chef::CookbookVersion.new("mycb", "/tmp/mycb") }
+
+    def files_for_recipe(extension)
+      [
+        { name: "recipes/default.#{extension}", full_path: "/home/user/repo/cookbooks/test/recipes/default.#{extension}" },
+        { name: "recipes/other.#{extension}", full_path: "/home/user/repo/cookbooks/test/recipes/other.#{extension}" },
+      ]
+    end
+    context "and YAML files present include both a recipes/default.yml and a recipes/default.yaml" do
+      before(:each) do
+        allow(cookbook_version).to receive(:files_for).with("recipes").and_return(
+          [
+            { name: "recipes/default.yml", full_path: "/home/user/repo/cookbooks/test/recipes/default.yml" },
+            { name: "recipes/default.yaml", full_path: "/home/user/repo/cookbooks/test/recipes/default.yaml" },
+          ]
+        )
+      end
+      it "because both are valid and we can't pick, it raises an error that contains the info needed to fix the problem" do
+        expect { cookbook_version.recipe_yml_filenames_by_name }
+          .to raise_error(Chef::Exceptions::AmbiguousYAMLFile, /.*default.yml.*default.yaml.*update the cookbook to remove/)
+      end
+    end
+
+    %w{yml yaml}.each do |extension|
+
+      context "and YAML files are present including a recipes/default.#{extension}" do
+        before(:each) do
+          allow(cookbook_version).to receive(:files_for).with("recipes").and_return(files_for_recipe(extension))
+        end
+
+        context "and manifest does not include a root_files/recipe.#{extension}" do
+          it "returns all YAML recipes with a correct default of default.#{extension}" do
+            expect(cookbook_version.recipe_yml_filenames_by_name).to eq({ "default" => "/home/user/repo/cookbooks/test/recipes/default.#{extension}",
+                                                                        "other" => "/home/user/repo/cookbooks/test/recipes/other.#{extension}" })
+          end
+        end
+
+        context "and manifest also includes a root_files/recipe.#{extension}" do
+          let(:root_files) { [{ name: "root_files/recipe.#{extension}", full_path: "/home/user/repo/cookbooks/test/recipe.#{extension}" } ] }
+          before(:each) do
+            allow(cookbook_version.cookbook_manifest).to receive(:root_files).and_return(root_files)
+          end
 
+          it "returns all YAML recipes with a correct default of recipe.#{extension}" do
+            expect(cookbook_version.recipe_yml_filenames_by_name).to eq({ "default" => "/home/user/repo/cookbooks/test/recipe.#{extension}",
+                                                                         "other" => "/home/user/repo/cookbooks/test/recipes/other.#{extension}" })
+          end
+        end
+      end
+    end
   end
 
   describe "with a cookbook directory named tatft" do

data/spec/unit/data_collector_spec.rb

@@ -142,11 +142,17 @@ describe Chef::DataCollector do
   def expect_converge_message(keys)
     keys["message_type"] = "run_converge"
     keys["message_version"] = "1.1.0"
+    # if (keys.key?("node") && !keys["node"].empty?)
+    #   expect(rest_client).to receive(:post) do |_a, hash, _b|
+    #     require 'pry'; binding.pry
+    #   end
+    # else
     expect(rest_client).to receive(:post).with(
       nil,
       hash_including(keys),
       { "Content-Type" => "application/json" }
     )
+    # end
   end
 
   def resource_has_diff(new_resource, status)
@@ -202,7 +208,7 @@ describe Chef::DataCollector do
     end
 
     it "has a node" do
-      expect_converge_message("node" => expected_node)
+      expect_converge_message("node" => expected_node.is_a?(Chef::Node) ? expected_node.data_for_save : expected_node)
       send_run_failed_or_completed_event
     end
 
@@ -808,6 +814,46 @@ describe Chef::DataCollector do
         it_behaves_like "sends a converge message"
       end
 
+      context "when node attributes are block-listed" do
+        let(:status) { "success" }
+        before do
+          Chef::Config[:blocked_default_attributes] = [
+            %w{secret key_to_the_kingdom},
+          ]
+          node.default = {
+            "secret" => { "key_to_the_kingdom" => "under the flower pot to the left of the drawbridge" },
+            "publicinfo" => { "num_flower_pots" => 18 },
+          }
+        end
+
+        it "payload should exclude blocked attributes" do
+          expect(rest_client).to receive(:post) do |_addr, hash, _headers|
+            expect(hash["node"]["default"]).to eq({ "secret" => {}, "publicinfo" => { "num_flower_pots" => 18 } })
+          end
+          send_run_failed_or_completed_event
+        end
+      end
+
+      context "when node attributes are allow-listed" do
+        let(:status) { "success" }
+        before do
+          Chef::Config[:allowed_default_attributes] = [
+            %w{public entrance},
+          ]
+          node.default = {
+            "public" => { "entrance" => "is the drawbridge" },
+            "secret" => { "entrance" => "is the tunnel" },
+          }
+        end
+
+        it "payload should include only allowed attributes" do
+          expect(rest_client).to receive(:post) do |_addr, hash, _headers|
+            expect(hash["node"]["default"]).to eq({ "public" => { "entrance" => "is the drawbridge" } })
+          end
+          send_run_failed_or_completed_event
+        end
+      end
+
     end
   end
 

data/spec/unit/policy_builder/policyfile_spec.rb

@@ -206,7 +206,7 @@ describe Chef::PolicyBuilder::Policyfile do
     end
 
     before do
-      Chef::Config[:policy_document_native_api] = false
+      Chef::Config[:policy_document_native_api] = true
       Chef::Config[:deployment_group] = "example-policy-stage"
       allow(policy_builder).to receive(:api_service).and_return(api_service)
     end
@@ -214,6 +214,8 @@ describe Chef::PolicyBuilder::Policyfile do
     describe "when using compatibility mode (policy_document_native_api == false)" do
 
       before do
+        Chef::Config[:policy_document_native_api] = false
+        Chef::Config[:treat_deprecation_warnings_as_errors] = false
         Chef::Config[:deployment_group] = "example-policy-stage"
       end
 
@@ -339,6 +341,10 @@ describe Chef::PolicyBuilder::Policyfile do
       end
 
       describe "validating the Policyfile.lock" do
+        before do
+          Chef::Config[:policy_group] = "policy-stage"
+          Chef::Config[:policy_name] = "example"
+        end
 
         it "errors if the policyfile json contains any non-recipe items" do
           parsed_policyfile_json["run_list"] = ["role[foo]"]
@@ -806,6 +812,10 @@ describe Chef::PolicyBuilder::Policyfile do
         context "when using compatibility mode (policy_document_native_api == false)" do
           let(:cookbook1_url) { "cookbooks/example1/#{example1_xyz_version}" }
           let(:cookbook2_url) { "cookbooks/example2/#{example2_xyz_version}" }
+          before do
+            Chef::Config[:policy_document_native_api] = false
+            Chef::Config[:treat_deprecation_warnings_as_errors] = false
+          end
 
           context "when the cookbooks don't exist on the server" do
             include_examples "fetching cookbooks when they don't exist"

data/spec/unit/provider/package/powershell_spec.rb

@@ -105,6 +105,10 @@ describe Chef::Provider::Package::Powershell, :windows_only, :windows_gte_10 do
   let(:generated_install_cmdlet) { "#{tls_set_command} ( Install-Package xNetworking -Force -ForceBootstrap -WarningAction SilentlyContinue ).Version" }
   let(:generated_install_cmdlet_with_version) { "#{tls_set_command} ( Install-Package xNetworking -Force -ForceBootstrap -WarningAction SilentlyContinue -RequiredVersion 1.0.0.0 ).Version" }
   let(:generated_install_cmdlet_with_source) { "#{tls_set_command} ( Install-Package xNetworking -Force -ForceBootstrap -WarningAction SilentlyContinue -Source MyGallery ).Version" }
+  let(:generated_install_cmdlet_with_options) { "#{tls_set_command} ( Install-Package xNetworking -Force -ForceBootstrap -WarningAction SilentlyContinue -AcceptLicense -Verbose ).Version" }
+  let(:generated_install_cmdlet_with_version_and_options) { "#{tls_set_command} ( Install-Package xNetworking -Force -ForceBootstrap -WarningAction SilentlyContinue -RequiredVersion 1.0.0.0 -AcceptLicense -Verbose ).Version" }
+  let(:generated_install_cmdlet_with_source_and_options) { "#{tls_set_command} ( Install-Package xNetworking -Force -ForceBootstrap -WarningAction SilentlyContinue -Source MyGallery -AcceptLicense -Verbose ).Version" }
+  let(:generated_install_cmdlet_with_source_and_version_and_options) { "#{tls_set_command} ( Install-Package xNetworking -Force -ForceBootstrap -WarningAction SilentlyContinue -RequiredVersion 1.0.0.0 -Source MyGallery -AcceptLicense -Verbose ).Version" }
   let(:generated_install_cmdlet_with_source_and_version) { "#{tls_set_command} ( Install-Package xNetworking -Force -ForceBootstrap -WarningAction SilentlyContinue -RequiredVersion 1.0.0.0 -Source MyGallery ).Version" }
   let(:generated_uninstall_cmdlet) { "#{tls_set_command} ( Uninstall-Package xNetworking -Force -ForceBootstrap -WarningAction SilentlyContinue ).Version" }
   let(:generated_uninstall_cmdlet_with_version) { "#{tls_set_command} ( Uninstall-Package xNetworking -Force -ForceBootstrap -WarningAction SilentlyContinue -RequiredVersion 1.0.0.0 ).Version" }
@@ -204,11 +208,11 @@ describe Chef::Provider::Package::Powershell, :windows_only, :windows_gte_10 do
     end
 
     context "when source is nil" do
-      it "build get commands correctly" do
+      it "builds get commands correctly" do
         expect(provider.build_powershell_package_command("Get-Package xNetworking")).to eql(generated_get_cmdlet)
       end
 
-      it "build get commands correctly when a version is passed" do
+      it "builds get commands correctly when a version is passed" do
         expect(provider.build_powershell_package_command("Get-Package xNetworking", "1.0.0.0")).to eql(generated_get_cmdlet_with_version)
       end
 
@@ -220,30 +224,45 @@ describe Chef::Provider::Package::Powershell, :windows_only, :windows_gte_10 do
         expect(provider.build_powershell_package_command("Find-Package xNetworking", "1.0.0.0")).to eql(generated_find_cmdlet_with_version)
       end
 
-      it "build install commands correctly" do
+      it "builds install commands correctly" do
         expect(provider.build_powershell_package_command("Install-Package xNetworking")).to eql(generated_install_cmdlet)
       end
 
-      it "build install commands correctly when a version is passed" do
+      it "builds install commands correctly when a version is passed" do
         expect(provider.build_powershell_package_command("Install-Package xNetworking", "1.0.0.0")).to eql(generated_install_cmdlet_with_version)
       end
 
-      it "build install commands correctly" do
+      it "builds install commands correctly when options are passed" do
+        new_resource.options("-AcceptLicense -Verbose")
+        expect(provider.build_powershell_package_command("Install-Package xNetworking")).to eql(generated_install_cmdlet_with_options)
+      end
+
+      it "builds install commands correctly when duplicate options are passed" do
+        new_resource.options("-WarningAction SilentlyContinue")
+        expect(provider.build_powershell_package_command("Install-Package xNetworking")).to eql(generated_install_cmdlet)
+      end
+
+      it "builds install commands correctly when a version and options are passed" do
+        new_resource.options("-AcceptLicense -Verbose")
+        expect(provider.build_powershell_package_command("Install-Package xNetworking", "1.0.0.0")).to eql(generated_install_cmdlet_with_version_and_options)
+      end
+
+      it "builds install commands correctly" do
         expect(provider.build_powershell_package_command("Uninstall-Package xNetworking")).to eql(generated_uninstall_cmdlet)
       end
 
-      it "build install commands correctly when a version is passed" do
+      it "builds install commands correctly when a version is passed" do
         expect(provider.build_powershell_package_command("Uninstall-Package xNetworking", "1.0.0.0")).to eql(generated_uninstall_cmdlet_with_version)
       end
     end
 
     context "when source is set" do
-      it "build get commands correctly" do
+      it "builds get commands correctly" do
         new_resource.source("MyGallery")
         expect(provider.build_powershell_package_command("Get-Package xNetworking")).to eql(generated_get_cmdlet)
       end
 
-      it "build get commands correctly when a version is passed" do
+      it "builds get commands correctly when a version is passed" do
         new_resource.source("MyGallery")
         expect(provider.build_powershell_package_command("Get-Package xNetworking", "1.0.0.0")).to eql(generated_get_cmdlet_with_version)
       end
@@ -258,22 +277,40 @@ describe Chef::Provider::Package::Powershell, :windows_only, :windows_gte_10 do
         expect(provider.build_powershell_package_command("Find-Package xNetworking", "1.0.0.0")).to eql(generated_find_cmdlet_with_source_and_version)
       end
 
-      it "build install commands correctly" do
+      it "builds install commands correctly" do
         new_resource.source("MyGallery")
         expect(provider.build_powershell_package_command("Install-Package xNetworking")).to eql(generated_install_cmdlet_with_source)
       end
 
-      it "build install commands correctly when a version is passed" do
+      it "builds install commands correctly when a version is passed" do
         new_resource.source("MyGallery")
         expect(provider.build_powershell_package_command("Install-Package xNetworking", "1.0.0.0")).to eql(generated_install_cmdlet_with_source_and_version)
       end
 
-      it "build install commands correctly" do
+      it "builds install commands correctly when options are passed" do
+        new_resource.source("MyGallery")
+        new_resource.options("-AcceptLicense -Verbose")
+        expect(provider.build_powershell_package_command("Install-Package xNetworking")).to eql(generated_install_cmdlet_with_source_and_options)
+      end
+
+      it "builds install commands correctly when duplicate options are passed" do
+        new_resource.source("MyGallery")
+        new_resource.options("-Force -ForceBootstrap")
+        expect(provider.build_powershell_package_command("Install-Package xNetworking")).to eql(generated_install_cmdlet_with_source)
+      end
+
+      it "builds install commands correctly when a version and options are passed" do
+        new_resource.source("MyGallery")
+        new_resource.options("-AcceptLicense -Verbose")
+        expect(provider.build_powershell_package_command("Install-Package xNetworking", "1.0.0.0")).to eql(generated_install_cmdlet_with_source_and_version_and_options)
+      end
+
+      it "builds install commands correctly" do
         new_resource.source("MyGallery")
         expect(provider.build_powershell_package_command("Uninstall-Package xNetworking")).to eql(generated_uninstall_cmdlet)
       end
 
-      it "build install commands correctly when a version is passed" do
+      it "builds install commands correctly when a version is passed" do
         new_resource.source("MyGallery")
         expect(provider.build_powershell_package_command("Uninstall-Package xNetworking", "1.0.0.0")).to eql(generated_uninstall_cmdlet_with_version)
       end
@@ -434,6 +471,19 @@ describe Chef::Provider::Package::Powershell, :windows_only, :windows_gte_10 do
       provider.run_action(:install)
       expect(new_resource).to be_updated_by_last_action
     end
+
+    it "should install a package using provided options" do
+      provider.load_current_resource
+      new_resource.package_name(["xCertificate"])
+      new_resource.version(nil)
+      new_resource.options(%w{-AcceptLicense -Verbose})
+      allow(provider).to receive(:powershell_out).with("#{tls_set_command} ( Find-Package 'xCertificate' -Force -ForceBootstrap -WarningAction SilentlyContinue ).Version", { timeout: new_resource.timeout }).and_return(package_xcertificate_available)
+      allow(provider).to receive(:powershell_out).with("#{tls_set_command} ( Get-Package 'xCertificate' -Force -ForceBootstrap -WarningAction SilentlyContinue ).Version", { timeout: new_resource.timeout }).and_return(package_xcertificate_not_available)
+      allow(provider).to receive(:powershell_out).with("$PSVersionTable.PSVersion.Major").and_return(powershell_installed_version)
+      expect(provider).to receive(:powershell_out).with("#{tls_set_command} ( Install-Package 'xCertificate' -Force -ForceBootstrap -WarningAction SilentlyContinue -RequiredVersion 2.1.0.0 -AcceptLicense -Verbose ).Version", { timeout: new_resource.timeout })
+      provider.run_action(:install)
+      expect(new_resource).to be_updated_by_last_action
+    end
   end
 
   describe "#action_remove" do
@@ -499,5 +549,17 @@ describe Chef::Provider::Package::Powershell, :windows_only, :windows_gte_10 do
       provider.run_action(:remove)
       expect(new_resource).to be_updated_by_last_action
     end
+
+    it "should remove a package using provided options" do
+      new_resource.package_name(["xCertificate"])
+      new_resource.options(%w{-AllVersions})
+      allow(provider).to receive(:powershell_out).with("#{tls_set_command} ( Find-Package 'xCertificate' -Force -ForceBootstrap -WarningAction SilentlyContinue ).Version", { timeout: new_resource.timeout }).and_return(package_xcertificate_available)
+      allow(provider).to receive(:powershell_out).with("#{tls_set_command} ( Get-Package 'xCertificate' -Force -ForceBootstrap -WarningAction SilentlyContinue ).Version", { timeout: new_resource.timeout }).and_return(package_xcertificate_available)
+      allow(provider).to receive(:powershell_out).with("$PSVersionTable.PSVersion.Major").and_return(powershell_installed_version)
+      provider.load_current_resource
+      expect(provider).to receive(:powershell_out).with("#{tls_set_command} ( Uninstall-Package 'xCertificate' -Force -ForceBootstrap -WarningAction SilentlyContinue -AllVersions ).Version", { timeout: new_resource.timeout }).and_return(package_xcertificate_not_available)
+      provider.run_action(:remove)
+      expect(new_resource).to be_updated_by_last_action
+    end
   end
 end

data/spec/unit/resource/homebrew_cask_spec.rb

@@ -19,22 +19,40 @@ require "spec_helper"
 
 describe Chef::Resource::HomebrewCask do
 
-  let(:resource) { Chef::Resource::HomebrewCask.new("fakey_fakerton") }
+  context "name with under bar" do
+    let(:resource) { Chef::Resource::HomebrewCask.new("fakey_fakerton") }
 
-  it "has a resource name of :homebrew_cask" do
-    expect(resource.resource_name).to eql(:homebrew_cask)
-  end
+    it "has a resource name of :homebrew_cask" do
+      expect(resource.resource_name).to eql(:homebrew_cask)
+    end
+
+    it "the cask_name property is the name_property" do
+      expect(resource.cask_name).to eql("fakey_fakerton")
+    end
+
+    it "sets the default action as :install" do
+      expect(resource.action).to eql([:install])
+    end
 
-  it "the cask_name property is the name_property" do
-    expect(resource.cask_name).to eql("fakey_fakerton")
+    it "supports :install, :remove actions" do
+      expect { resource.action :install }.not_to raise_error
+      expect { resource.action :remove }.not_to raise_error
+    end
   end
 
-  it "sets the default action as :install" do
-    expect(resource.action).to eql([:install])
+  context "name with high fun" do
+    let(:resource) { Chef::Resource::HomebrewCask.new("fakey-fakerton") }
+
+    it "the cask_name property is the name_property" do
+      expect(resource.cask_name).to eql("fakey-fakerton")
+    end
   end
 
-  it "supports :install, :remove actions" do
-    expect { resource.action :install }.not_to raise_error
-    expect { resource.action :remove }.not_to raise_error
+  context "name with at mark" do
+    let(:resource) { Chef::Resource::HomebrewCask.new("fakey-fakerton@10") }
+
+    it "the cask_name property is the name_property" do
+      expect(resource.cask_name).to eql("fakey-fakerton@10")
+    end
   end
 end

data/spec/unit/resource/mount_spec.rb

@@ -59,6 +59,16 @@ describe Chef::Resource::Mount do
     expect(resource.mount_point).to eql("//192.168.11.102/Share/backup")
   end
 
+  it "does not strip slash when mount_point is root directory" do
+    resource.mount_point "/"
+    expect(resource.mount_point).to eql("/")
+  end
+
+  it "does not strip slash when mount_point is root of network mount" do
+    resource.mount_point "127.0.0.1:/"
+    expect(resource.mount_point).to eql("127.0.0.1:/")
+  end
+
   it "raises error when mount_point property is not set" do
     expect { resource.mount_point nil }.to raise_error(Chef::Exceptions::ValidationFailed, "Property mount_point must be one of: String!  You passed nil.")
   end

data/spec/unit/resource/rhsm_subscription_spec.rb

@@ -18,15 +18,24 @@
 require "spec_helper"
 
 describe Chef::Resource::RhsmSubscription do
-  let(:resource) { Chef::Resource::RhsmSubscription.new("fakey_fakerton") }
-  let(:provider) { resource.provider_for_action(:attach) }
+  let(:event_dispatch) { Chef::EventDispatch::Dispatcher.new }
+  let(:node) { Chef::Node.new }
+  let(:run_context) { Chef::RunContext.new(node, {}, event_dispatch) }
+
+  let(:pool_id) { "8a8dd78c766232550226b46e59404aba" }
+  let(:resource) { Chef::Resource::RhsmSubscription.new(pool_id, run_context) }
+  let(:provider) { resource.provider_for_action(Array(resource.action).first) }
+
+  before do
+    allow(resource).to receive(:provider_for_action).with(:attach).and_return(provider)
+  end
 
   it "has a resource name of :rhsm_subscription" do
     expect(resource.resource_name).to eql(:rhsm_subscription)
   end
 
   it "the pool_id property is the name_property" do
-    expect(resource.pool_id).to eql("fakey_fakerton")
+    expect(resource.pool_id).to eql(pool_id)
   end
 
   it "sets the default action as :attach" do
@@ -38,6 +47,44 @@ describe Chef::Resource::RhsmSubscription do
     expect { resource.action :remove }.not_to raise_error
   end
 
+  describe "#action_attach" do
+    let(:yum_package_double) { instance_double("Chef::Resource::YumPackage") }
+    let(:so_double) { instance_double("Mixlib::ShellOut", stdout: "Successfully attached a subscription for: My Subscription", exitstatus: 0, error?: false) }
+
+    before do
+      allow(provider).to receive(:shell_out!).with("subscription-manager attach --pool=#{resource.pool_id}").and_return(so_double)
+      allow(provider).to receive(:build_resource).with(:package, "rhsm_subscription-#{pool_id}-flush_cache").and_return(yum_package_double)
+      allow(yum_package_double).to receive(:run_action).with(:flush_cache)
+    end
+
+    context "when already attached to pool" do
+      before do
+        allow(provider).to receive(:subscription_attached?).with(resource.pool_id).and_return(true)
+      end
+
+      it "does not attach to pool" do
+        expect(provider).not_to receive(:shell_out!)
+        resource.run_action(:attach)
+      end
+    end
+
+    context "when not attached to pool" do
+      before do
+        allow(provider).to receive(:subscription_attached?).with(resource.pool_id).and_return(false)
+      end
+
+      it "attaches to pool" do
+        expect(provider).to receive(:shell_out!).with("subscription-manager attach --pool=#{resource.pool_id}")
+        resource.run_action(:attach)
+      end
+
+      it "flushes package provider cache" do
+        expect(yum_package_double).to receive(:run_action).with(:flush_cache)
+        resource.run_action(:attach)
+      end
+    end
+  end
+
   describe "#subscription_attached?" do
     let(:cmd)    { double("cmd") }
     let(:output) { "Pool ID:    pool123" }

data/spec/unit/resource/systemd_unit_spec.rb

@@ -20,7 +20,7 @@ require "spec_helper"
 
 describe Chef::Resource::SystemdUnit do
   let(:resource) { Chef::Resource::SystemdUnit.new("sysstat-collect.timer") }
-  let(:unit_content_string) { "[Unit]\nDescription = Run system activity accounting tool every 10 minutes\nDocumentation = foo\nDocumentation = bar\n\n[Timer]\nOnCalendar = *:00/10\n\n[Install]\nWantedBy = sysstat.service\n" }
+  let(:unit_content_string) { "[Unit]\nDescription=Run system activity accounting tool every 10 minutes\nDocumentation=foo\nDocumentation=bar\n\n[Timer]\nOnCalendar=*:00/10\n\n[Install]\nWantedBy=sysstat.service\n" }
   let(:unit_content_hash) do
     {
       "Unit" => {

data/spec/unit/resource/user_ulimit_spec.rb

@@ -17,7 +17,6 @@
 #
 
 require "spec_helper"
-
 describe Chef::Resource::UserUlimit do
   let(:node) { Chef::Node.new }
   let(:events) { Chef::EventDispatch::Dispatcher.new }
@@ -50,4 +49,18 @@ describe Chef::Resource::UserUlimit do
     expect { resource.action :create }.not_to raise_error
     expect { resource.action :delete }.not_to raise_error
   end
+
+  describe "sensitive attribute" do
+    context "should be insensitive by default" do
+      it { expect(resource.sensitive).to(be_falsey) }
+    end
+
+    context "when set" do
+      before { resource.sensitive(true) }
+
+      it "should be set on the resource" do
+        expect(resource.sensitive).to(be_truthy)
+      end
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chef
 version: !ruby/object:Gem::Version
-  version: 16.14.1
+  version: 16.15.22
 platform: ruby
 authors:
 - Adam Jacob
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-07-27 00:00:00.000000000 Z
+date: 2021-09-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-config
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 16.14.1
+        version: 16.15.22
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 16.14.1
+        version: 16.15.22
 - !ruby/object:Gem::Dependency
   name: chef-utils
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 16.14.1
+        version: 16.15.22
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 16.14.1
+        version: 16.15.22
 - !ruby/object:Gem::Dependency
   name: train-core
   requirement: !ruby/object:Gem::Requirement