chef 17.4.38-universal-mingw32 → 17.5.22-universal-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 84ec7e8ea8d183bc0319fbf78ed7eb5f6ea0830020bde33233f96ca1c26947bc
-  data.tar.gz: e49b65d28c30682629d84258b8352d4076fe650156ef5f314507a9fe0adb2ba8
+  metadata.gz: 95f1d69acabeb3bd1db7ead6e0e99b6f7b49a737807bc2175160dfe7a079ad21
+  data.tar.gz: ec4b4c4fd756e3c1bb6bb3933e5c5351c5bd2aa03c0f9f49277b5b4036306022
 SHA512:
-  metadata.gz: ad784e028b0347e81dfb3b75dd6c6d58c143d2d87a3bbd746eadbcf4d35f1c3cb242d4c4f1dcd2a2d16d66bb05232eb902ef65b4dd31bbc68f41dd5a81d9e5a1
-  data.tar.gz: f78342cb9b9410cc931f9158388faff31e1a34786e93c4e6892c7c903086b171a363f295adc203c473a3806de987a7a403b3699b105622d87dbe73085b1600f3
+  metadata.gz: 44d58787691091de198d15514755bb446df1add42ec991ced1616ea71befaf056628b3fe2f2925a44c40bf57da512c3d2d31a31beef32f1953f4e30d5d19bd08
+  data.tar.gz: 90ba00a5ef06ef90942d33ed0c9bbd2c22e7099301307daea21b595031c390ac6f21d6412e66b43920bafec80c0a1d20a8e7d2f11a65f8f85538bff567d8a9e3

data/chef.gemspec

@@ -55,7 +55,9 @@ Gem::Specification.new do |s|
 
   s.add_dependency "proxifier", "~> 1.0"
 
+  s.add_dependency "aws-sdk-s3", "~> 1.91" # s3 recipe-url support
   s.add_dependency "aws-sdk-secretsmanager", "~> 1.46"
+  s.add_dependency "vault", "~> 0.16" # hashi vault official client gem
   s.bindir       = "bin"
   s.executables  = %w{ }
 

data/lib/chef/application/base.rb

@@ -378,9 +378,19 @@ class Chef::Application::Base < Chef::Application
 
   def fetch_recipe_tarball(url, path)
     require "open-uri" unless defined?(OpenURI)
+    uri = URI.parse(url)
+
     Chef::Log.trace("Download recipes tarball from #{url} to #{path}")
     if File.exist?(url)
       FileUtils.cp(url, path)
+    elsif uri.scheme == "s3"
+      require "aws-sdk-s3" unless defined?(Aws::S3)
+
+      s3 = Aws::S3::Client.new
+      object = s3.get_object(bucket: uri.hostname, key: uri.path[1..-1])
+      File.open(path, "wb") do |f|
+        f.write(object.body.read)
+      end
     elsif URI::DEFAULT_PARSER.make_regexp.match?(url)
       File.open(path, "wb") do |f|
         URI.open(url) do |r|
@@ -388,7 +398,7 @@ class Chef::Application::Base < Chef::Application
         end
       end
     else
-      Chef::Application.fatal! "You specified --recipe-url but the value is neither a valid URL nor a path to a file that exists on disk." +
+      Chef::Application.fatal! "You specified --recipe-url but the value is neither a valid URL, an S3 bucket nor a path to a file that exists on disk." +
         "Please confirm the location of the tarball and try again."
     end
   end

data/lib/chef/client.rb

@@ -241,8 +241,7 @@ class Chef
 
         run_status.run_id = request_id = Chef::RequestID.instance.request_id
 
-        @run_context = Chef::RunContext.new
-        run_context.events = events
+        @run_context = Chef::RunContext.new(nil, nil, events)
         run_status.run_context = run_context
 
         events.run_start(Chef::VERSION, run_status)

data/lib/chef/compliance/input.rb

@@ -0,0 +1,115 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "yaml"
+
+class Chef
+  module Compliance
+    #
+    # Chef object that represents a single input file in the compliance segment
+    # of a cookbook.
+    #
+    class Input
+      # @return [Boolean] if the input has been enabled
+      attr_reader :enabled
+
+      # @return [String] The name of the cookbook that the input is in
+      attr_reader :cookbook_name
+
+      # @return [String] The full path on the host to the input yml file
+      attr_reader :path
+
+      # @return [String] the pathname in the cookbook
+      attr_reader :pathname
+
+      # Event dispatcher for this run.
+      #
+      # @return [Chef::EventDispatch::Dispatcher]
+      #
+      attr_reader :events
+
+      # @api private
+      attr_reader :data
+
+      def initialize(events, data, path, cookbook_name)
+        @events = events
+        @data = data
+        @cookbook_name = cookbook_name
+        @path = path
+        @pathname = File.basename(path, File.extname(path)) unless path.nil?
+        disable!
+      end
+
+      # @return [Boolean] if the input has been enabled
+      #
+      def enabled?
+        !!@enabled
+      end
+
+      # Set the input to being enabled
+      #
+      def enable!
+        events.compliance_input_enabled(self)
+        @enabled = true
+      end
+
+      # Set the input as being disabled
+      #
+      def disable!
+        @enabled = false
+      end
+
+      # Render the input in a way that it can be consumed by inspec
+      #
+      def inspec_data
+        data
+      end
+
+      HIDDEN_IVARS = [ :@events ].freeze
+
+      # Omit the event object from error output
+      #
+      def inspect
+        ivar_string = (instance_variables.map(&:to_sym) - HIDDEN_IVARS).map do |ivar|
+          "#{ivar}=#{instance_variable_get(ivar).inspect}"
+        end.join(", ")
+        "#<#{self.class}:#{object_id} #{ivar_string}>"
+      end
+
+      # Helper to construct a input object from a hash.  Since the path and
+      # cookbook_name are required this is probably not externally useful.
+      #
+      def self.from_hash(events, hash, path = nil, cookbook_name = nil)
+        new(events, hash, path, cookbook_name)
+      end
+
+      # Helper to construct a input object from a yaml string.  Since the path
+      # and cookbook_name are required this is probably not externally useful.
+      #
+      def self.from_yaml(events, string, path = nil, cookbook_name = nil)
+        from_hash(events, YAML.load(string), path, cookbook_name)
+      end
+
+      # @param filename [String] full path to the yml file in the cookbook
+      # @param cookbook_name [String] cookbook that the input is in
+      #
+      def self.from_file(events, filename, cookbook_name = nil)
+        from_yaml(events, IO.read(filename), filename, cookbook_name)
+      end
+    end
+  end
+end

data/lib/chef/compliance/input_collection.rb

@@ -0,0 +1,139 @@
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "input"
+
+class Chef
+  module Compliance
+    class InputCollection < Array
+
+      # Event dispatcher for this run.
+      #
+      # @return [Chef::EventDispatch::Dispatcher]
+      #
+      attr_reader :events
+
+      def initialize(events)
+        @events = events
+      end
+
+      # Add a input to the input collection.  The cookbook_name needs to be determined by the
+      # caller and is used in the `include_input` API to match on.  The path should be the complete
+      # path on the host of the yml file, including the filename.
+      #
+      # @param path [String]
+      # @param cookbook_name [String]
+      #
+      def from_file(filename, cookbook_name)
+        new_input = Input.from_file(events, filename, cookbook_name)
+        self << new_input
+        events.compliance_input_loaded(new_input)
+      end
+
+      # Add a input from a raw hash.  This input will be enabled by default.
+      #
+      # @param path [String]
+      # @param cookbook_name [String]
+      #
+      def from_hash(hash)
+        new_input = Input.from_hash(events, hash)
+        new_input.enable!
+        self << new_input
+      end
+
+      # @return [Array<Input>] inspec inputs which are enabled in a form suitable to pass to inspec
+      #
+      def inspec_data
+        select(&:enabled?).each_with_object({}) { |input, hash| hash.merge(input.inspec_data) }
+      end
+
+      # DSL method to enable input files.  This matches on the filename of the input file.
+      # If the specific input is omitted then it uses the default input. The string
+      # supports regular expression matching.
+      #
+      # @example Specific input file in a cookbook
+      #
+      # include_input "acme_cookbook::ssh-001"
+      #
+      # @example The compliance/inputs/default.yml input in a cookbook
+      #
+      # include_input "acme_cookbook"
+      #
+      # @example Every input file in a cookbook
+      #
+      # include_input "acme_cookbook::.*"
+      #
+      # @example Matching inputs by regexp in a cookbook
+      #
+      # include_input "acme_cookbook::ssh.*"
+      #
+      # @example Matching inputs by regexp in any cookbook in the cookbook collection
+      #
+      # include_input ".*::ssh.*"
+      #
+      # @example Adding an arbitrary hash of data (not from any file in a cookbook)
+      #
+      # include_input({ "ssh_custom_path": "/usr/local/bin" })
+      #
+      def include_input(arg)
+        raise "include_input was given a nil value" if arg.nil?
+
+        # if we're given a hash argument just shove it in the raw_hash
+        if arg.is_a?(Hash)
+          from_hash(arg)
+          return
+        end
+
+        matching_inputs(arg).each(&:enable!)
+      end
+
+      def valid?(arg)
+        !matching_inputs(arg).empty?
+      end
+
+      HIDDEN_IVARS = [ :@events ].freeze
+
+      # Omit the event object from error output
+      #
+      def inspect
+        ivar_string = (instance_variables.map(&:to_sym) - HIDDEN_IVARS).map do |ivar|
+          "#{ivar}=#{instance_variable_get(ivar).inspect}"
+        end.join(", ")
+        "#<#{self.class}:#{object_id} #{ivar_string}>"
+      end
+
+      private
+
+      def matching_inputs(arg, should_raise: false)
+        (cookbook_name, input_name) = arg.split("::")
+
+        input_name = "default" if input_name.nil?
+
+        inputs = select { |input| /^#{cookbook_name}$/.match?(input.cookbook_name) && /^#{input_name}$/.match?(input.pathname) }
+
+        if inputs.empty? && should_raise
+          raise "No inspec inputs matching '#{input_name}' found in cookbooks matching '#{cookbook_name}'"
+        end
+
+        inputs
+      end
+
+      def matching_inputs!(arg)
+        matching_inputs(arg, should_raise: true)
+      end
+    end
+  end
+end

data/lib/chef/compliance/profile.rb

@@ -0,0 +1,122 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  module Compliance
+    class Profile
+      # @return [Boolean] if the profile has been enabled
+      attr_accessor :enabled
+
+      # @return [String] The full path on the host to the profile inspec.yml
+      attr_reader :path
+
+      # @return [String] The name of the cookbook that the profile is in
+      attr_reader :cookbook_name
+
+      # @return [String] the pathname in the cookbook
+      attr_accessor :pathname
+
+      # @return [Chef::EventDispatch::Dispatcher] Event dispatcher for this run.
+      attr_reader :events
+
+      # @api private
+      attr_reader :data
+
+      def initialize(events, data, path, cookbook_name)
+        @events = events
+        @data = data
+        @path = path
+        @cookbook_name = cookbook_name
+        @pathname = File.basename(File.dirname(path))
+        disable!
+        validate!
+      end
+
+      # @return [String] name of the inspec profile from parsing the inspec.yml
+      def name
+        @data["name"]
+      end
+
+      # @return [String] version of the inspec profile from parsing the inspec.yml
+      def version
+        @data["version"]
+      end
+
+      # Raises if the inspec profile is not valid.
+      #
+      def validate!
+        raise "Inspec profile at #{path} has no name" unless name
+      end
+
+      # @return [Boolean] if the profile has been enabled
+      def enabled?
+        !!@enabled
+      end
+
+      # Set the profile to being enabled
+      #
+      def enable!
+        events.compliance_profile_enabled(self)
+        @enabled = true
+      end
+
+      # Set the profile as being disabled
+      #
+      def disable!
+        @enabled = false
+      end
+
+      # Render the profile in a way that it can be consumed by inspec
+      #
+      def inspec_data
+        { name: name, path: File.dirname(path) }
+      end
+
+      HIDDEN_IVARS = [ :@events ].freeze
+
+      # Omit the event object from error output
+      #
+      def inspect
+        ivar_string = (instance_variables.map(&:to_sym) - HIDDEN_IVARS).map do |ivar|
+          "#{ivar}=#{instance_variable_get(ivar).inspect}"
+        end.join(", ")
+        "#<#{self.class}:#{object_id} #{ivar_string}>"
+      end
+
+      # Helper to construct a profile object from a hash.  Since the path and
+      # cookbook_name are required this is probably not externally useful.
+      #
+      def self.from_hash(events, hash, path, cookbook_name)
+        new(events, hash, path, cookbook_name)
+      end
+
+      # Helper to construct a profile object from a yaml string.  Since the path
+      # and cookbook_name are required this is probably not externally useful.
+      #
+      def self.from_yaml(events, string, path, cookbook_name)
+        from_hash(events, YAML.load(string), path, cookbook_name)
+      end
+
+      # @param filename [String] full path to the inspec.yml file in the cookbook
+      # @param cookbook_name [String] cookbook that the profile is in
+      #
+      def self.from_file(events, filename, cookbook_name)
+        from_yaml(events, IO.read(filename), filename, cookbook_name)
+      end
+    end
+  end
+end

data/lib/chef/compliance/profile_collection.rb

@@ -0,0 +1,109 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "profile"
+
+class Chef
+  module Compliance
+    class ProfileCollection < Array
+
+      # Event dispatcher for this run.
+      #
+      # @return [Chef::EventDispatch::Dispatcher]
+      #
+      attr_reader :events
+
+      def initialize(events)
+        @events = events
+      end
+
+      # Add a profile to the profile collection.  The cookbook_name needs to be determined by the
+      # caller and is used in the `include_profile` API to match on.  The path should be the complete
+      # path on the host of the inspec.yml file, including the filename.
+      #
+      # @param path [String]
+      # @param cookbook_name [String]
+      #
+      def from_file(path, cookbook_name)
+        new_profile = Profile.from_file(events, path, cookbook_name)
+        self << new_profile
+        events.compliance_profile_loaded(new_profile)
+      end
+
+      # @return [Boolean] if any of the profiles are enabled
+      #
+      def using_profiles?
+        any?(&:enabled?)
+      end
+
+      # @return [Array<Profile>] inspec profiles which are enabled in a form suitable to pass to inspec
+      #
+      def inspec_data
+        select(&:enabled?).each_with_object([]) { |profile, arry| arry << profile.inspec_data }
+      end
+
+      # DSL method to enable profile files.  This matches on the name of the profile being included it
+      # does not match on the filename of the input file.  If the specific profile is omitted then
+      # it uses the default profile. The string supports regular expression matching.
+      #
+      # @example Specific profile in a cookbook
+      #
+      # include_profile "acme_cookbook::ssh-001"
+      #
+      # @example The profile named "default" in a cookbook
+      #
+      # include_profile "acme_cookbook"
+      #
+      # @example Every profile in a cookbook
+      #
+      # include_profile "acme_cookbook::.*"
+      #
+      # @example Matching profiles by regexp in a cookbook
+      #
+      # include_profile "acme_cookbook::ssh.*"
+      #
+      # @example Matching profiles by regexp in any cookbook in the cookbook collection
+      #
+      # include_profile ".*::ssh.*"
+      #
+      def include_profile(arg)
+        (cookbook_name, profile_name) = arg.split("::")
+
+        profile_name = "default" if profile_name.nil?
+
+        profiles = select { |profile| /^#{cookbook_name}$/.match?(profile.cookbook_name) && /^#{profile_name}$/.match?(profile.pathname) }
+
+        if profiles.empty?
+          raise "No inspec profiles matching '#{profile_name}' found in cookbooks matching '#{cookbook_name}'"
+        end
+
+        profiles.each(&:enable!)
+      end
+
+      HIDDEN_IVARS = [ :@events ].freeze
+
+      # Omit the event object from error output
+      #
+      def inspect
+        ivar_string = (instance_variables.map(&:to_sym) - HIDDEN_IVARS).map do |ivar|
+          "#{ivar}=#{instance_variable_get(ivar).inspect}"
+        end.join(", ")
+        "#<#{self.class}:#{object_id} #{ivar_string}>"
+      end
+    end
+  end
+end

data/lib/chef/compliance/runner.rb

@@ -12,6 +12,8 @@ class Chef
 
       attr_accessor :run_id
       attr_reader :node
+      attr_reader :run_context
+
       def_delegators :node, :logger
 
       def enabled?
@@ -25,7 +27,9 @@ class Chef
         logger.debug("#{self.class}##{__method__}: audit cookbook? #{audit_cookbook_present}")
         logger.debug("#{self.class}##{__method__}: compliance phase attr? #{node["audit"]["compliance_phase"]}")
 
-        if node["audit"]["compliance_phase"].nil?
+        if safe_profile_collection&.using_profiles?
+          true
+        elsif node["audit"]["compliance_phase"].nil?
           inspec_profiles.any? && !audit_cookbook_present
         else
           node["audit"]["compliance_phase"]
@@ -41,6 +45,14 @@ class Chef
         self.node = node
       end
 
+      # This hook gives us the run_context immediately after it is created so that we can wire up this object to it.
+      #
+      # (see EventDispatch::Base#)
+      #
+      def cookbook_compilation_start(run_context)
+        @run_context = run_context
+      end
+
       def run_started(run_status)
         self.run_id = run_status.run_id
       end
@@ -121,8 +133,16 @@ class Chef
         end
       end
 
+      def inputs_from_collection
+        safe_input_collection&.inspec_data || {}
+      end
+
+      def waivers_from_collection
+        safe_waiver_collection&.inspec_data || {}
+      end
+
       def inspec_opts
-        inputs = inputs_from_attributes
+        inputs = inputs_from_attributes.merge(inputs_from_collection).merge(waivers_from_collection)
 
         if node["audit"]["chef_node_attribute_enabled"]
           inputs["chef_node"] = node.to_h
@@ -133,24 +153,34 @@ class Chef
           backend_cache: node["audit"]["inspec_backend_cache"],
           inputs: inputs,
           logger: logger,
+          # output: STDOUT,
           output: node["audit"]["quiet"] ? ::File::NULL : STDOUT,
           report: true,
           reporter: ["json-automate"],
+          # reporter: ["cli"],
           reporter_backtrace_inclusion: node["audit"]["result_include_backtrace"],
           reporter_message_truncation: node["audit"]["result_message_limit"],
-          waiver_file: Array(node["audit"]["waiver_file"]),
+          waiver_file: waiver_files,
         }
       end
 
+      def waiver_files
+        Array(node["audit"]["waiver_file"])
+      end
+
       def inspec_profiles
         profiles = node["audit"]["profiles"]
         unless profiles.respond_to?(:map) && profiles.all? { |_, p| p.respond_to?(:transform_keys) && p.respond_to?(:update) }
           raise "CMPL010: #{Inspec::Dist::PRODUCT_NAME} profiles specified in an unrecognized format, expected a hash of hashes."
         end
 
-        profiles.map do |name, profile|
+        from_attributes = profiles.map do |name, profile|
           profile.transform_keys(&:to_sym).update(name: name)
-        end
+        end || []
+
+        from_cookbooks = safe_profile_collection&.inspec_data || []
+
+        from_attributes + from_cookbooks
       end
 
       def load_fetchers!
@@ -316,6 +346,18 @@ class Chef
 
         @validation_passed = true
       end
+
+      def safe_profile_collection
+        run_context&.profile_collection
+      end
+
+      def safe_waiver_collection
+        run_context&.waiver_collection
+      end
+
+      def safe_input_collection
+        run_context&.input_collection
+      end
     end
   end
 end