chef 17.10.122 → 17.10.163

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fcc58bdfe166f363a61c524d527dddf623cd4feb8fdbeb91d88eb71cb969390d
-  data.tar.gz: 454ac2b049fb117bb00b77c149a9bb695b69721744c8139f09c80b62f1fa03a6
+  metadata.gz: 28b7b51e00a854a7faa87d094e44b46b0ec68a7d0951de058acfcc6bd180ce82
+  data.tar.gz: 06f7cf2a6059778845b765f6f88855334d464002926b69b5303fbfae7162e9e7
 SHA512:
-  metadata.gz: f4a9e103880243955a694ff47347391ac324cd7a01a8159777ebf8622fbbc147fe0e2701bf8d2e18bc5075b644110ea26b0589d1b55f1d05dfa887338dcd9028
-  data.tar.gz: 6e900a0852d44de18a4e6fd797e09f39db958e65c2448b93066362bedd66ece4f3464bad7cdff2ebcf46ad5fede243c78468921ce8e936ca3fb8611d73853b64
+  metadata.gz: dadfcf3a6ac945b7b3c901e9ae58e540f439bd62cab6ed229df02a29c0f43cf7a74fdd0411e91168e0455d714783792c6badf0655150d03e6a444a249d178702
+  data.tar.gz: aba33fe20cf50193f1326740170fb80c5989013721d67fdb95138fa4d7831072a672986f69392dfaa04ae008f5b635ad61077720e1f4c1cc9042c798e7aa47bb

data/Gemfile

@@ -18,12 +18,19 @@ end
 gem "cheffish", "~> 17.0.0"
 
 gem "ast", "~> 2.4.2"
-gem "rubocop-ast", ">= 1.30.0"
+gem "rubocop-ast", ">= 1.31.0"
+
+gem "rdoc", "~> 6.3.4" # 6.3.4.1 required for CVE-2024-27281, allow patch upgrades
+
+# Verify and macOS bring their own ruby setups are inconsistent with our OpenSSL configurations
+install_if -> { RUBY_PLATFORM !~ /darwin/ && ENV["BUILDKITE_PIPELINE_SLUG"] !~ /verify/ } do
+  gem "openssl", "= 3.2.0"
+end
 
 group(:omnibus_package) do
   gem "appbundler"
   gem "rb-readline"
-  gem "inspec-core-bin", "~> 5.22.36" # need to provide the binaries for inspec
+  gem "inspec-core-bin", "~> 5.22.40" # need to provide the binaries for inspec
   gem "chef-vault"
 end
 

data/chef-universal-mingw32.gemspec

@@ -15,7 +15,7 @@ gemspec.add_dependency "win32-taskscheduler", "~> 2.0"
 gemspec.add_dependency "win32-certstore", "~> 0.6.15"
 gemspec.add_dependency "wmi-lite", "~> 1.0"
 gemspec.add_dependency "iso8601", ">= 0.12.1", "< 0.14" # validate 0.14 when it comes out
-gemspec.add_dependency "chef-powershell", "~> 1.0.12" # 0.5+ required for specifying user vs. system store
+gemspec.add_dependency "chef-powershell" , "~> 18.1.0"
 gemspec.extensions << "ext/win32-eventlog/Rakefile"
 gemspec.files += Dir.glob("{distro,ext}/**/*")
 

data/chef.gemspec

@@ -22,11 +22,11 @@ Gem::Specification.new do |s|
   s.email = "adam@chef.io"
   s.homepage = "https://www.chef.io"
 
-  s.required_ruby_version = ">= 2.7.0"
+  s.required_ruby_version = ">= 3.0.0"
 
   s.add_dependency "chef-config", "= #{Chef::VERSION}"
   s.add_dependency "chef-utils", "= #{Chef::VERSION}"
-  s.add_dependency "train-core", "~> 3.10" # 3.2.28 fixes sudo prompts. See https://github.com/chef/chef/pull/9635
+  s.add_dependency "train-core", "~> 3.10", "< 3.12.5"
   s.add_dependency "train-winrm", ">= 0.2.5"
 
   s.add_dependency "license-acceptance", ">= 1.0.5", "< 3"
@@ -35,8 +35,8 @@ Gem::Specification.new do |s|
   s.add_dependency "mixlib-authentication", ">= 2.1", "< 4"
   s.add_dependency "mixlib-shellout", ">= 3.1.1", "< 4.0"
   s.add_dependency "mixlib-archive", ">= 0.4", "< 2.0"
-  s.add_dependency "ohai", "~> 17.0"
-  s.add_dependency "inspec-core", "~> 5.22.36"
+  s.add_dependency "ohai", "~> 17.9"
+  s.add_dependency "inspec-core", "~> 5.22.40"
 
   s.add_dependency "ffi", "~> 1.15.5"
   s.add_dependency "ffi-yajl", ">= 2.2", "< 4.0"
@@ -58,10 +58,15 @@ Gem::Specification.new do |s|
 
   s.add_dependency "aws-sdk-s3", "~> 1.91" # s3 recipe-url support
   s.add_dependency "aws-sdk-secretsmanager", "~> 1.46"
-  s.add_dependency "vault", "~> 0.16" # hashi vault official client gem
+  s.add_dependency "vault", "~> 0.18.2" # hashi vault official client gem
   s.bindir       = "bin"
   s.executables  = %w{ }
 
+  if RUBY_VERSION.match?("3.0.0")
+    # Ruby 3.0.0 on Fedora specifically makes trouble
+    s.add_dependency "uri", "= 0.10.1"
+  end
+
   s.require_paths = %w{ lib }
   s.files = %w{Gemfile Rakefile LICENSE README.md} +
     Dir.glob("{lib,spec}/**/*", File::FNM_DOTMATCH).reject { |f| File.directory?(f) } +

data/lib/chef/client.rb

@@ -292,8 +292,6 @@ class Chef
         # keep this inside the main loop to get exception backtraces
         end_profiling
 
-        warn_if_eol
-
         # rebooting has to be the last thing we do, no exceptions.
         Chef::Platform::Rebooter.reboot_if_needed!(node)
       rescue Exception => run_error
@@ -322,35 +320,6 @@ class Chef
     # @todo make this stuff protected or private
     #
 
-    # @api private
-    def warn_if_eol
-      require_relative "version"
-
-      # New Date format is YYYY-MM-DD or false
-      new_date = eol_override
-
-      # We make a release every year so take the version you're on + 2006 and you get
-      # the year it goes EOL. 1/8/2024 - EOL for Chef-17 is now November 1, 2024
-      # eol_year = 2006 + Gem::Version.new(Chef::VERSION).segments.first
-      eol_year = "2024"
-      cut_off_date = !!new_date ? Time.parse(new_date) : Time.new(eol_year, 11, 30)
-
-      return if Time.now < cut_off_date
-
-      logger.warn("This release of #{ChefUtils::Dist::Infra::PRODUCT} became end of life (EOL) on #{cut_off_date.strftime("%b %d, %Y")}. Please update to a supported release to receive new features, bug fixes, and security updates.")
-    end
-
-    def eol_override
-      # If you want to override the existing EOL date, add a file in the root of Chef
-      # put a date in it in the form of YYYY-DD-MM.
-      override_file = "EOL_override"
-      if File.exist?(override_file)
-        File.read(File.expand_path(override_file)).strip
-      else
-        false
-      end
-    end
-
     # @api private
     def configure_formatters
       formatters_for_run.map do |formatter_name, output_path|

data/lib/chef/http/ssl_policies.rb

@@ -103,10 +103,10 @@ class Chef
         unless config[:ssl_client_cert] && config[:ssl_client_key]
           raise Chef::Exceptions::ConfigurationError, "You must configure ssl_client_cert and ssl_client_key together"
         end
-        unless ::File.exists?(config[:ssl_client_cert])
+        unless ::File.exist?(config[:ssl_client_cert])
           raise Chef::Exceptions::ConfigurationError, "The configured ssl_client_cert #{config[:ssl_client_cert]} does not exist"
         end
-        unless ::File.exists?(config[:ssl_client_key])
+        unless ::File.exist?(config[:ssl_client_key])
           raise Chef::Exceptions::ConfigurationError, "The configured ssl_client_key #{config[:ssl_client_key]} does not exist"
         end
 
@@ -132,7 +132,7 @@ class Chef
       def add_trusted_cert(cert)
         http_client.cert_store.add_cert(cert)
       rescue OpenSSL::X509::StoreError => e
-        raise e unless e.message == "cert already in hash table"
+        raise e unless e.message =~ /cert already in hash table/
       end
 
     end

data/lib/chef/mixin/openssl_helper.rb

@@ -157,7 +157,7 @@ class Chef
         raise TypeError, "curve must be a string" unless curve.is_a?(String)
         raise ArgumentError, "Specified curve is not available on this system" unless %w{prime256v1 secp384r1 secp521r1}.include?(curve)
 
-        ::OpenSSL::PKey::EC.new(curve).generate_key
+        ::OpenSSL::PKey::EC.generate(curve)
       end
 
       # generate pem format of the public key given a private key
@@ -170,18 +170,22 @@ class Chef
         key_content = ::File.exist?(priv_key) ? File.read(priv_key) : priv_key
         key = ::OpenSSL::PKey::EC.new key_content, priv_key_password
 
-        # Get curve type (prime256v1...)
-        group = ::OpenSSL::PKey::EC::Group.new(key.group.curve_name)
-        # Get Generator point & public point (priv * generator)
-        generator = group.generator
-        pub_point = generator.mul(key.private_key)
-        key.public_key = pub_point
-
-        # Public Key in pem
-        public_key = ::OpenSSL::PKey::EC.new
-        public_key.group = group
-        public_key.public_key = pub_point
-        public_key.to_pem
+        if windows? || macos? || aix?
+          # Get curve type (prime256v1...)
+          group = ::OpenSSL::PKey::EC::Group.new(key.group.curve_name)
+          # Get Generator point & public point (priv * generator)
+          generator = group.generator
+          pub_point = generator.mul(key.private_key)
+          key.public_key = pub_point
+
+          # Public Key in pem
+          public_key = ::OpenSSL::PKey::EC.new
+          public_key.group = group
+          public_key.public_key = pub_point
+          public_key.to_pem
+        else
+          key.public_to_pem
+        end
       end
 
       # generate a pem file given a cipher, key, an optional key_password

data/lib/chef/provider/cron.rb

@@ -88,7 +88,11 @@ class Chef
 
       def cron_different?
         CRON_ATTRIBUTES.any? do |cron_var|
-          new_resource.send(cron_var) != current_resource.send(cron_var)
+          if new_resource.send(cron_var).class == current_resource.send(cron_var).class
+            new_resource.send(cron_var) != current_resource.send(cron_var)
+          else
+            new_resource.send(cron_var).to_s != current_resource.send(cron_var).to_s
+          end
         end
       end
 

data/lib/chef/provider/package/chocolatey.rb

@@ -130,21 +130,17 @@ class Chef
         # install from, but like the rubygem provider's sources which are more like repos.
         def check_resource_semantics!; end
 
-        def self.get_choco_version
-          @get_choco_version ||= powershell_exec!("choco --version").result
+        def get_choco_version
+          @get_choco_version ||= powershell_exec!("#{choco_exe} --version").result
         end
 
         # Choco V2 uses 'Search' for remote repositories and 'List' for local packages
-        def self.query_command
+        def query_command
           return "list" if get_choco_version.match?(/^1/)
 
           "search"
         end
 
-        def query_command
-          self.class.query_command
-        end
-
         private
 
         def version_compare(v1, v2)

data/lib/chef/provider/package/yum/yum_helper.py

@@ -53,16 +53,14 @@ def install_only_packages(base, name):
     outpipe.flush()
 
 def query(base, command):
-    enabled_repos = base.repos.listEnabled()
-
     # Handle any repocontrols passed in with our options
 
     if 'repos' in command:
         for repo in command['repos']:
             if 'enable' in repo:
                 base.repos.enableRepo(repo['enable'])
-        if 'disable' in repo:
-            base.repos.disableRepo(repo['disable'])
+            if 'disable' in repo:
+                base.repos.disableRepo(repo['disable'])
 
     args = { 'name': command['provides'] }
     do_nevra = False
@@ -123,16 +121,6 @@ def query(base, command):
         outpipe.write("%(n)s %(e)s:%(v)s-%(r)s %(a)s\n" % { 'n': pkg.name, 'e': pkg.epoch, 'v': pkg.version, 'r': pkg.release, 'a': pkg.arch })
         outpipe.flush()
 
-    # Reset any repos we were passed in enablerepo/disablerepo to the original state in enabled_repos
-    if 'repos' in command:
-        for repo in command['repos']:
-            if 'enable' in repo:
-                if base.repos.getRepo(repo['enable']) not in enabled_repos:
-                    base.repos.disableRepo(repo['enable'])
-        if 'disable' in repo:
-            if base.repos.getRepo(repo['disable']) in enabled_repos:
-                base.repos.enableRepo(repo['disable'])
-
 # the design of this helper is that it should try to be 'brittle' and fail hard and exit in order
 # to keep process tables clean.  additional error handling should probably be added to the retry loop
 # on the ruby side.

data/lib/chef/provider/service/windows.rb

@@ -74,7 +74,6 @@ class Chef::Provider::Service::Windows < Chef::Provider::Service
       current_resource.run_as_user(config_info.service_start_name)    if config_info.service_start_name
       current_resource.display_name(config_info.display_name)         if config_info.display_name
       current_resource.delayed_start(current_delayed_start)           if current_delayed_start
-      current_resource.description(config_info.description)           if new_resource.description
     end
 
     current_resource

data/lib/chef/resource/chef_client_config.rb

@@ -196,10 +196,12 @@ class Chef
 
       property :policy_persist_run_list, [true, false],
         description: "Override run lists defined in a Policyfile with the `run_list` defined on the #{ChefUtils::Dist::Server::PRODUCT}.",
-        introduced: "17.3"
+        introduced: "17.3",
+        default: false
 
       property :minimal_ohai, [true, false],
-        description: "Run a minimal set of Ohai plugins providing data necessary for the execution of #{ChefUtils::Dist::Infra::PRODUCT}'s built-in resources. Setting this to true will skip many large and time consuming data sets such as `cloud` or `packages`. Setting this this to true may break cookbooks that assume all Ohai data will be present."
+        description: "Run a minimal set of Ohai plugins providing data necessary for the execution of #{ChefUtils::Dist::Infra::PRODUCT}'s built-in resources. Setting this to true will skip many large and time consuming data sets such as `cloud` or `packages`. Setting this to true may break cookbooks that assume all Ohai data will be present.",
+        default: false
 
       property :start_handlers, Array,
         description: %q(An array of hashes that contain a report handler class and the arguments to pass to that class on initialization. The hash should include `class` and `argument` keys where `class` is a String and `argument` is an array of quoted String values. For example: `[{'class' => 'MyHandler', %w('"argument1"', '"argument2"')}]`),

data/lib/chef/resource/support/client.erb

@@ -10,18 +10,19 @@
       @https_proxy
       @ftp_proxy
       @log_level
-      @minimal_ohai
       @named_run_list
       @no_proxy
       @pid_file
       @policy_group
       @policy_name
       @rubygems_url
-      @ssl_verify_mode
-      @policy_persist_run_list).each do |prop| -%>
+      @ssl_verify_mode).each do |prop| -%>
 <% next if instance_variable_get(prop).nil? || instance_variable_get(prop).empty? -%>
 <%=prop.delete_prefix("@") %> <%= instance_variable_get(prop).inspect %>
 <% end -%>
+<%# boolean properties are neither .nil? nor respond to .empty? so they are included below %>
+minimal_ohai <%= @minimal_ohai.inspect %>
+policy_persist_run_list <%= @policy_persist_run_list.inspect %>
 <%# ohai_disabled_plugins and ohai_optional_plugins properties don't match the config value perfectly-%>
 <% %w(@ohai_disabled_plugins
       @ohai_optional_plugins).each do |prop| -%>

data/lib/chef/secret_fetcher/azure_key_vault.rb

@@ -59,7 +59,7 @@ class Chef
       end
 
       def validate!
-        raise Chef::Exceptions::Secret::ConfigurationInvalid, "You may only specify one (these are mutually exclusive): :object_id, :client_id, or :mi_res_id" if [object_id, client_id, mi_res_id].count { |x| !x.nil? } > 1
+        raise Chef::Exceptions::Secret::ConfigurationInvalid, "You may only specify one (these are mutually exclusive): :config_object_id, :client_id, or :mi_res_id" if [config_object_id, client_id, mi_res_id].count { |x| !x.nil? } > 1
       end
 
       private
@@ -87,7 +87,7 @@ class Chef
         "https://vault.azure.net"
       end
 
-      def object_id
+      def config_object_id
         config[:object_id]
       end
 
@@ -104,7 +104,7 @@ class Chef
           p = {}
           p["api-version"] = api_version
           p["resource"] = resource
-          p["object_id"] = object_id if object_id
+          p["object_id"] = config_object_id if config_object_id
           p["client_id"] = client_id if client_id
           p["mi_res_id"] = mi_res_id if mi_res_id
           URI.encode_www_form(p)

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("..", __dir__)
-  VERSION = Chef::VersionString.new("17.10.122")
+  VERSION = Chef::VersionString.new("17.10.163")
 end
 
 #

data/spec/functional/assets/yumrepo-empty/repodata/repomd.xml

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
+ <revision>1667508211</revision>
+<data type="filelists">
+  <checksum type="sha256">401dc19bda88c82c403423fb835844d64345f7e95f5b9835888189c03834cc93</checksum>
+  <open-checksum type="sha256">bf9808b81cb2dbc54b4b8e35adc584ddcaa73bd81f7088d73bf7dbbada961310</open-checksum>
+  <location href="repodata/401dc-filelists.xml.gz"/>
+  <timestamp>1667508211</timestamp>
+  <size>123</size>
+  <open-size>125</open-size>
+</data>
+<data type="primary">
+  <checksum type="sha256">dabe2ce5481d23de1f4f52bdcfee0f9af98316c9e0de2ce8123adeefa0dd08b9</checksum>
+  <open-checksum type="sha256">e1e2ffd2fb1ee76f87b70750d00ca5677a252b397ab6c2389137a0c33e7b359f</open-checksum>
+  <location href="repodata/dabe2-primary.xml.gz"/>
+  <timestamp>1667508211</timestamp>
+  <size>134</size>
+  <open-size>167</open-size>
+</data>
+<data type="primary_db">
+  <checksum type="sha256">5dc1e6e73c84803f059bb3065e684e56adfc289a7e398946574d79dac6643945</checksum>
+  <open-checksum type="sha256">f0d550414e8f2e960e82e704549364299ca9e3e8664ad4faffd208262c3b6d12</open-checksum>
+  <location href="repodata/5dc1e-primary.sqlite.bz2"/>
+  <timestamp>1667508211</timestamp>
+  <database_version>10</database_version>
+  <size>1131</size>
+  <open-size>21504</open-size>
+</data>
+<data type="other_db">
+  <checksum type="sha256">7c36572015e075add2b38b900837bcdbb8a504130ddff49b2351a7fc0affa3d4</checksum>
+  <open-checksum type="sha256">4de0fe7c5dd2674849a7c63c326e42f33af0a0f46219bc6dd59f51dfa2ac8c68</open-checksum>
+  <location href="repodata/7c365-other.sqlite.bz2"/>
+  <timestamp>1667508211</timestamp>
+  <database_version>10</database_version>
+  <size>575</size>
+  <open-size>6144</open-size>
+</data>
+<data type="other">
+  <checksum type="sha256">6bf9672d0862e8ef8b8ff05a2fd0208a922b1f5978e6589d87944c88259cb670</checksum>
+  <open-checksum type="sha256">e0ed5e0054194df036cf09c1a911e15bf2a4e7f26f2a788b6f47d53e80717ccc</open-checksum>
+  <location href="repodata/6bf96-other.xml.gz"/>
+  <timestamp>1667508211</timestamp>
+  <size>123</size>
+  <open-size>121</open-size>
+</data>
+<data type="filelists_db">
+  <checksum type="sha256">01a3b489a465bcac22a43492163df43451dc6ce47d27f66de289756b91635523</checksum>
+  <open-checksum type="sha256">c4211f57bdcbb142c9f93a6d32401539f775eb6a670ab7a423e13f435ce94689</open-checksum>
+  <location href="repodata/01a3b-filelists.sqlite.bz2"/>
+  <timestamp>1667508211</timestamp>
+  <database_version>10</database_version>
+  <size>586</size>
+  <open-size>7168</open-size>
+</data>
+</repomd>

data/spec/functional/resource/chocolatey_package_spec.rb

@@ -24,7 +24,7 @@ describe Chef::Resource::ChocolateyPackage, :windows_only, :choco_installed do
   let(:package_name) { "test-A" }
   let(:package_source) { File.join(CHEF_SPEC_ASSETS, "chocolatey_feed") }
   let(:package_list) do
-    if Chef::Provider::Package::Chocolatey.query_command == "list"
+    if provider.query_command == "list"
       # using result of query_command because that indicates which "search" command to use
       # which coincides with the package list output
       proc { shell_out!("choco search -lo #{Array(package_name).join(" ")}").stdout.chomp }
@@ -63,7 +63,7 @@ describe Chef::Resource::ChocolateyPackage, :windows_only, :choco_installed do
   end
 
   after(:each) do
-    described_class.instance_variable_set(:@get_choco_version, nil)
+    provider.instance_variable_set(:@get_choco_version, nil)
   end
 
   context "installing a package" do

data/spec/functional/resource/group_spec.rb

@@ -25,24 +25,33 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
 
   def group_should_exist(group)
     case ohai[:os]
-    when "linux"
-      expect { Etc.getgrnam(group) }.not_to raise_error
-      expect(group).to eq(Etc.getgrnam(group).name)
+    when "freebsd"
+      expect(shell_out("pw groupshow -n #{group}").exitstatus).to eq(0)
     when "windows"
       expect { Chef::Util::Windows::NetGroup.new(group).local_get_members }.not_to raise_error
+    else
+      expect { Etc.getgrnam(group) }.not_to raise_error
+      expect(group).to eq(Etc.getgrnam(group).name)
     end
   end
 
   def user_exist_in_group?(user)
     case ohai[:platform_family]
-    when "windows"
-      user_sid = sid_string_from_user(user)
-      user_sid.nil? ? false : Chef::Util::Windows::NetGroup.new(group_name).local_get_members.include?(user_sid)
+    when "freebsd"
+      cmd = Mixlib::ShellOut.new("getent group #{group_name}  #{user}").run_command.stdout
+      if cmd.include? user
+        true
+      else
+        false
+      end
     when "mac_os_x"
       membership_info = shell_out("dscl . -read /Groups/#{group_name}").stdout
       members = membership_info.split(" ")
       members.shift # Get rid of GroupMembership: string
       members.include?(user)
+    when "windows"
+      user_sid = sid_string_from_user(user)
+      user_sid.nil? ? false : Chef::Util::Windows::NetGroup.new(group_name).local_get_members.include?(user_sid)
     else
       # TODO For some reason our temporary AIX 7.2 system does not correctly report group membership immediately after changes have been made.
       # Adding a 2 second delay for this platform is enough to get correct results.
@@ -54,10 +63,12 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
 
   def group_should_not_exist(group)
     case ohai[:os]
-    when "linux"
-      expect { Etc.getgrnam(group) }.to raise_error(ArgumentError, "can't find group for #{group}")
+    when "freebsd"
+      expect(shell_out("pw groupshow -n #{group}").exitstatus).to eq(65)
     when "windows"
       expect { Chef::Util::Windows::NetGroup.new(group).local_get_members }.to raise_error(ArgumentError, /The group name could not be found./)
+    else
+      expect { Etc.getgrnam(group) }.to raise_error(ArgumentError, "can't find group for #{group}")
     end
   end
 
@@ -158,7 +169,7 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
     end
 
     # dscl doesn't perform any error checking and will let you add users that don't exist.
-    describe "when no users exist", :not_supported_on_macos do
+    describe "when no users exist", :not_supported_on_macos, :not_supported_on_freebsd_gte_12_3 do
       describe "when append is not set" do
         # excluded_members can only be used when append is set.  It is ignored otherwise.
         let(:excluded_members) { [] }
@@ -199,13 +210,14 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
         end
       end
 
-      describe "when append is not set" do
+      describe "when append is not set", :not_supported_on_freebsd_gte_12_3 do
         it "should set the group to to contain given members" do
           group_resource.run_action(tested_action)
 
           included_members.each do |member|
             expect(user_exist_in_group?(member)).to eq(true)
           end
+
           (spec_members - included_members).each do |member|
             expect(user_exist_in_group?(member)).to eq(false)
           end
@@ -223,14 +235,16 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
             included_members.each do |member|
               expect(user_exist_in_group?(member)).to eq(true)
             end
-            (spec_members - included_members).each do |member|
-              expect(user_exist_in_group?(member)).to eq(false)
+            unless freebsd?
+              (spec_members - included_members).each do |member|
+                expect(user_exist_in_group?(member)).to eq(false)
+              end
             end
           end
         end
       end
 
-      describe "when append is set" do
+      describe "when append is set", :not_supported_on_freebsd_gte_12_3 do
         before(:each) do
           group_resource.append(true)
         end
@@ -241,6 +255,7 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
           included_members.each do |member|
             expect(user_exist_in_group?(member)).to eq(true)
           end
+
           excluded_members.each do |member|
             expect(user_exist_in_group?(member)).to eq(false)
           end
@@ -257,6 +272,7 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
             included_members.each do |member|
               expect(user_exist_in_group?(member)).to eq(true)
             end
+
             excluded_members.each do |member|
               expect(user_exist_in_group?(member)).to eq(false)
             end
@@ -336,7 +352,7 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
     expect(group_resource.append).to eq(false)
   end
 
-  describe "group create action" do
+  describe "group create action", :not_supported_on_freebsd_gte_12_3, :not_supported_on_macos, :not_supported_on_aix do
     after(:each) do
       group_resource.run_action(:remove)
       group_should_not_exist(group_name)
@@ -393,7 +409,7 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
   end
 
   describe "group remove action" do
-    describe "when there is a group" do
+    describe "when there is a group", :not_supported_on_freebsd_gte_12_3, :not_supported_on_macos, :not_supported_on_aix do
       before do
         group_resource.run_action(:create)
         group_should_exist(group_name)
@@ -425,7 +441,7 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
       end
     end
 
-    describe "when there is a group" do
+    describe "when there is a group", :not_supported_on_macos, :not_supported_on_aix do
       it_behaves_like "correct group management"
     end
 
@@ -458,12 +474,16 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
       end
 
       it "does not raise an error on manage" do
-        allow(Etc).to receive(:getpwnam).and_return(double("User"))
+        if freebsd?
+          allow(shell_out).to receive("pw user show").and_return(double("User"))
+        else
+          allow(Etc).to receive(:getpwnam).and_return(double("User"))
+        end
         expect { group_resource.run_action(:manage) }.not_to raise_error
       end
     end
 
-    describe "when there is a group" do
+    describe "when there is a group", :not_supported_on_macos, :not_supported_on_aix do
       it_behaves_like "correct group management"
     end
 

data/spec/functional/resource/yum_package_spec.rb

@@ -57,6 +57,12 @@ describe Chef::Resource::YumPackage, :requires_root, external: exclude_test, not
         baseurl=file://#{CHEF_SPEC_ASSETS}/yumrepo
         enable=1
         gpgcheck=0
+        [chef-yum-empty]
+        name=Chef DNF spec empty repo
+        baseurl=file://#{CHEF_SPEC_ASSETS}/yumrepo-empty
+        enable=1
+        gpgcheck=0
+
       EOF
     end
     # ensure we don't have any stray chef_rpms installed
@@ -1095,6 +1101,16 @@ describe Chef::Resource::YumPackage, :requires_root, external: exclude_test, not
         end.should_not_be_updated
       end
 
+      it "should work to disable a repo" do
+        flush_cache
+        expect {
+          yum_package "chef_rpm" do
+            options "--disablerepo=chef-yum-localtesting --enablerepo=chef-yum-empty"
+            action :install
+          end
+        }.to raise_error(Chef::Exceptions::Package, /No candidate version available/)
+      end
+
       it "when an idempotent install action is run, does not leave repos disabled" do
         flush_cache
         # this is a bit tricky -- we need this action to be idempotent, so that it doesn't recycle any

data/spec/functional/win32/registry_spec.rb

@@ -395,6 +395,9 @@ describe "Chef::Win32::Registry", :windows_only do
       expect { @registry.get_subkeys("JKLM\\Software\\Root") }.to raise_error(Chef::Exceptions::Win32RegHiveMissing)
     end
     it "returns the array of subkeys for a given key" do
+      ::Win32::Registry.define_method :export_string do |str, enc = (Encoding.default_internal || "utf-8")|
+        str.encode(enc)
+      end
       subkeys = @registry.get_subkeys("HKCU\\Software\\Root")
       reg_subkeys = []
       ::Win32::Registry::HKEY_CURRENT_USER.open("Software\\Root", Win32::Registry::KEY_ALL_ACCESS) do |reg|

data/spec/integration/client/fips_spec.rb

@@ -0,0 +1,29 @@
+require "spec_helper"
+
+describe "chef-client fips" do
+  def enable_fips
+    OpenSSL.fips_mode = true
+  end
+
+  # All tests assume fips mode is off at present
+  after { OpenSSL.fips_mode = false }
+
+  # For non-FIPS OSes/builds of Ruby, enabling FIPS should error
+  example "Error enabling fips_mode if FIPS not linked", fips_mode: false do
+    expect { enable_fips }.to raise_error(OpenSSL::OpenSSLError)
+  end
+
+  example "Do not error on MD5 if not fips_mode", fips_mode: false do
+    expect { OpenSSL::Digest.new("MD5", "test string for digesting") }.not_to raise_error
+  end
+
+  # For FIPS OSes/builds of Ruby, enabling FIPS should not error
+  example "Do not error enabling fips_mode if FIPS linked", fips_mode: true do
+    expect { enable_fips }.not_to raise_error
+  end
+
+  example "Error on MD5 if fips_mode", fips_mode: true do
+    enable_fips
+    expect { OpenSSL::Digest.new("MD5", "test string for digesting") }.to raise_error(OpenSSL::Digest::DigestError)
+  end
+end

data/spec/integration/client/open_ssl_spec.rb

@@ -0,0 +1,20 @@
+require "spec_helper"
+
+describe "openssl checks" do
+  let(:openssl_version_default) do
+    if windows? || aix?
+      "1.0.2zi"
+    elsif macos?
+      "1.1.1m"
+    else
+      "3.0.9"
+    end
+  end
+
+  %w{version library_version}.each do |method|
+    # macOS just picks up its own for some reason, maybe it circumvents a build step
+    example "check #{method}", openssl_version_check: true, not_supported_on_macos: true do
+      expect(OpenSSL.const_get("OPENSSL_#{method.upcase}")).to match(openssl_version_default), "OpenSSL doesn't match omnibus_overrides.rb"
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -138,6 +138,9 @@ RSpec.configure do |config|
 
   config.filter_run_excluding skip_buildkite: true if ENV["BUILDKITE"]
 
+  config.filter_run_excluding fips_mode: !fips_mode_build?
+
+  config.filter_run_excluding not_supported_on_freebsd_gte_12_3: true if freebsd_gte_12_3?
   config.filter_run_excluding windows_only: true unless windows?
   config.filter_run_excluding not_supported_on_windows: true if windows?
   config.filter_run_excluding not_supported_on_macos: true if macos?
@@ -163,6 +166,8 @@ RSpec.configure do |config|
   config.filter_run_excluding linux_only: true unless linux?
   config.filter_run_excluding aix_only: true unless aix?
   config.filter_run_excluding suse_only: true unless suse?
+  # These aren't valid on verify pipeline because the docker container brings its own OpenSSL
+  config.filter_run_excluding openssl_version_check: true if ENV["BUILDKITE_PIPELINE_SLUG"] =~ /verify/
   config.filter_run_excluding opensuse: true unless opensuse?
   config.filter_run_excluding debian_family_only: true unless debian_family?
   config.filter_run_excluding supports_cloexec: true unless supports_cloexec?

data/spec/support/platform_helpers.rb

@@ -127,6 +127,10 @@ def freebsd?
   RUBY_PLATFORM.include?("freebsd")
 end
 
+def freebsd_gte_12_3?
+  RUBY_PLATFORM.include?("freebsd") && !!(ohai[:platform_version].to_f >= 12.3)
+end
+
 def intel_64bit?
   !!(ohai[:kernel][:machine] == "x86_64")
 end
@@ -219,6 +223,10 @@ def aes_256_gcm?
   OpenSSL::Cipher.ciphers.include?("aes-256-gcm")
 end
 
+def fips_mode_build?
+  OpenSSL::OPENSSL_FIPS
+end
+
 def fips?
   ENV["CHEF_FIPS"] == "1"
 end

data/spec/unit/client_spec.rb

@@ -308,25 +308,6 @@ describe Chef::Client do
     end
   end
 
-  describe "eol release warning" do
-    it "warns when running an EOL release" do
-      stub_const("Chef::VERSION", 15)
-      # added a call to client because Time.now gets invoked multiple times during instantiation. Don't mock Time until after client initialized
-      client
-      expect(Time).to receive(:now).and_return(Time.new(2024, 12, 1, 5))
-      allow(client).to receive(:eol_override).and_return(false)
-      expect(logger).to receive(:warn).with("This release of Chef Infra Client became end of life (EOL) on Nov 30, 2024. Please update to a supported release to receive new features, bug fixes, and security updates.")
-      client.warn_if_eol
-    end
-
-    it "does not warn when running an non-EOL release" do
-      stub_const("Chef::VERSION", 15)
-      allow(Time).to receive(:now).and_return(Time.new(2021, 4, 30))
-      expect(logger).to_not receive(:warn).with(/became end of life/)
-      client.warn_if_eol
-    end
-  end
-
   describe "authentication protocol selection" do
     context "when FIPS is disabled" do
       before do

data/spec/unit/mixin/openssl_helper_spec.rb

@@ -92,7 +92,7 @@ describe Chef::Mixin::OpenSSLHelper do
 
     context "When the dhparam.pem file does exist, and does contain a vaild dhparam key" do
       it "returns true" do
-        @dhparam_file.puts(::OpenSSL::PKey::DH.new(256).to_pem) # this is 256 to speed up specs
+        @dhparam_file.puts(::OpenSSL::PKey::DH.new(1024).to_pem)
         @dhparam_file.close
         expect(instance.dhparam_pem_valid?(@dhparam_file.path)).to be_truthy
       end

data/spec/unit/provider/cron_spec.rb

@@ -769,6 +769,40 @@ describe Chef::Provider::Cron do
         end
       end
 
+      context "when integers are provided to the resource to express time values" do
+        it "should not report any difference" do
+          @new_resource.minute(1)
+          @new_resource.hour(1)
+          @new_resource.day(1)
+          @new_resource.month(1)
+          @new_resource.weekday(1)
+          allow(@provider).to receive(:read_crontab).and_return(<<~CRONTAB)
+            # Chef Name: cronhole some stuff
+            1 1 1 1 1 /bin/true
+          CRONTAB
+
+          @provider.run_action(:create)
+          expect(@new_resource).not_to be_updated_by_last_action
+        end
+      end
+
+      context "when strings are provided to the resource to express time values" do
+        it "should not report any difference" do
+          @new_resource.minute("1")
+          @new_resource.hour("1")
+          @new_resource.day("1")
+          @new_resource.month("1")
+          @new_resource.weekday("1")
+          allow(@provider).to receive(:read_crontab).and_return(<<~CRONTAB)
+            # Chef Name: cronhole some stuff
+            1 1 1 1 1 /bin/true
+          CRONTAB
+
+          @provider.run_action(:create)
+          expect(@new_resource).not_to be_updated_by_last_action
+        end
+      end
+
       context "when environment variable is used" do
         before :each do
           @provider.cron_exists = true

data/spec/unit/provider/package/chocolatey_spec.rb

@@ -47,10 +47,11 @@ describe Chef::Provider::Package::Chocolatey, :windows_only do
     allow(provider).to receive(:choco_exe).and_return(choco_exe)
     local_list_obj = double(stdout: local_list_stdout)
     allow(provider).to receive(:shell_out_compacted!).with(choco_exe, "list", "-l", "-r", { returns: [0, 2], timeout: timeout }).and_return(local_list_obj)
+    allow(provider).to receive(:powershell_exec!).with("#{choco_exe} --version").and_return(double(result: "2.1.0"))
   end
 
   after(:each) do
-    described_class.instance_variable_set(:@get_choco_version, nil)
+    provider.instance_variable_set(:@get_choco_version, nil)
   end
 
   def allow_remote_list(package_names, args = nil)
@@ -65,9 +66,9 @@ describe Chef::Provider::Package::Chocolatey, :windows_only do
     remote_list_obj = double(stdout: remote_list_stdout)
     package_names.each do |pkg|
       if args
-        allow(provider).to receive(:shell_out_compacted!).with(choco_exe, described_class.query_command, "-r", pkg, *args, { returns: [0, 2], timeout: timeout }).and_return(remote_list_obj)
+        allow(provider).to receive(:shell_out_compacted!).with(choco_exe, provider.query_command, "-r", pkg, *args, { returns: [0, 2], timeout: timeout }).and_return(remote_list_obj)
       else
-        allow(provider).to receive(:shell_out_compacted!).with(choco_exe, described_class.query_command, "-r", pkg, { returns: [0, 2], timeout: timeout }).and_return(remote_list_obj)
+        allow(provider).to receive(:shell_out_compacted!).with(choco_exe, provider.query_command, "-r", pkg, { returns: [0, 2], timeout: timeout }).and_return(remote_list_obj)
       end
     end
   end
@@ -84,12 +85,12 @@ describe Chef::Provider::Package::Chocolatey, :windows_only do
 
   describe "choco searches change with the version" do
     it "Choco V1 uses List" do
-      allow(described_class).to receive(:get_choco_version).and_return("1.4.0")
+      allow(provider).to receive(:powershell_exec!).with("#{choco_exe} --version").and_return(double(result: "1.4.0"))
       expect(provider.query_command).to eql("list")
     end
 
     it "Choco V2 uses Search" do
-      allow(described_class).to receive(:get_choco_version).and_return("2.1.0")
+      allow(provider).to receive(:powershell_exec!).with("#{choco_exe} --version").and_return(double(result: "2.1.0"))
       expect(provider.query_command).to eql("search")
     end
   end
@@ -166,7 +167,7 @@ describe Chef::Provider::Package::Chocolatey, :windows_only do
       new_resource.package_name("package-does-not-exist")
       new_resource.returns([0])
       allow(provider).to receive(:shell_out_compacted!)
-        .with(choco_exe, described_class.query_command, "-r", new_resource.package_name.first, { returns: new_resource.returns, timeout: timeout })
+        .with(choco_exe, provider.query_command, "-r", new_resource.package_name.first, { returns: new_resource.returns, timeout: timeout })
         .and_raise(Mixlib::ShellOut::ShellCommandFailed, "Expected process to exit with [0], but received '2'")
       expect { provider.send(:available_packages) }.to raise_error(Mixlib::ShellOut::ShellCommandFailed, "Expected process to exit with [0], but received '2'")
     end

data/spec/unit/resource_spec.rb

@@ -958,14 +958,7 @@ describe Chef::Resource do
       klz.provides :energy, platform: %w{autobots decepticons}
     end
 
-    it "adds mappings for all platforms", ruby: "< 2.7" do
-      expect(Chef.resource_handler_map).to receive(:set).with(
-        :tape_deck, Chef::Resource::Klz, {}
-      )
-      klz.provides :tape_deck
-    end
-
-    it "adds mappings for all platforms", ruby: ">= 2.7" do
+    it "adds mappings for all platforms", ruby: ">= 3.0" do
       expect(Chef.resource_handler_map).to receive(:set).with(
         :tape_deck, Chef::Resource::Klz
       )

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chef
 version: !ruby/object:Gem::Version
-  version: 17.10.122
+  version: 17.10.163
 platform: ruby
 authors:
 - Adam Jacob
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-02-28 00:00:00.000000000 Z
+date: 2024-08-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-config
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 17.10.122
+        version: 17.10.163
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 17.10.122
+        version: 17.10.163
 - !ruby/object:Gem::Dependency
   name: chef-utils
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 17.10.122
+        version: 17.10.163
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 17.10.122
+        version: 17.10.163
 - !ruby/object:Gem::Dependency
   name: train-core
   requirement: !ruby/object:Gem::Requirement
@@ -45,6 +45,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.10'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 3.12.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -52,6 +55,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.10'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 3.12.5
 - !ruby/object:Gem::Dependency
   name: train-winrm
   requirement: !ruby/object:Gem::Requirement
@@ -192,28 +198,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '17.0'
+        version: '17.9'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '17.0'
+        version: '17.9'
 - !ruby/object:Gem::Dependency
   name: inspec-core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.22.36
+        version: 5.22.40
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.22.36
+        version: 5.22.40
 - !ruby/object:Gem::Dependency
   name: ffi
   requirement: !ruby/object:Gem::Requirement
@@ -494,14 +500,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.16'
+        version: 0.18.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.16'
+        version: 0.18.2
 description: A systems integration framework, built to bring the benefits of configuration
   management to your entire infrastructure.
 email: adam@chef.io
@@ -1673,6 +1679,13 @@ files:
 - spec/functional/assets/mytest-1.0-1.noarch.rpm
 - spec/functional/assets/mytest-2.0-1.noarch.rpm
 - spec/functional/assets/testchefsubsys
+- spec/functional/assets/yumrepo-empty/repodata/01a3b-filelists.sqlite.bz2
+- spec/functional/assets/yumrepo-empty/repodata/401dc-filelists.xml.gz
+- spec/functional/assets/yumrepo-empty/repodata/5dc1e-primary.sqlite.bz2
+- spec/functional/assets/yumrepo-empty/repodata/6bf96-other.xml.gz
+- spec/functional/assets/yumrepo-empty/repodata/7c365-other.sqlite.bz2
+- spec/functional/assets/yumrepo-empty/repodata/dabe2-primary.xml.gz
+- spec/functional/assets/yumrepo-empty/repodata/repomd.xml
 - spec/functional/assets/yumrepo/chef_rpm-1.10-1.aarch64.rpm
 - spec/functional/assets/yumrepo/chef_rpm-1.10-1.i686.rpm
 - spec/functional/assets/yumrepo/chef_rpm-1.10-1.ppc64.rpm
@@ -1791,7 +1804,9 @@ files:
 - spec/functional/win32/versions_spec.rb
 - spec/integration/client/client_spec.rb
 - spec/integration/client/exit_code_spec.rb
+- spec/integration/client/fips_spec.rb
 - spec/integration/client/ipv6_spec.rb
+- spec/integration/client/open_ssl_spec.rb
 - spec/integration/compliance/compliance_spec.rb
 - spec/integration/ohai/ohai_spec.rb
 - spec/integration/recipes/accumulator_spec.rb
@@ -2387,7 +2402,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 3.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="