cookstyle 7.25.10 → 7.30.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8e30d9d9b8eccc5de1ad1388d9c1a559c2413230a00163d0026ba388700838b4
-  data.tar.gz: 73771bda8cc6688d7fd67a66e22b8123bd276caccff733e30cff50629cfc4e9b
+  metadata.gz: af05586e951fed9a9a11777583d2f8b0ec7634cca38b3b5b9641e2afb11be50b
+  data.tar.gz: 8d727e0f4898bf20149fa74ee6d15782840577c98eeb9fe25048ae71ab13c4b1
 SHA512:
-  metadata.gz: 5c7b27f9a3c82fa49af42bbbce0af3313c39c2908c2a2d4e880a1f7af375a08cdba58f5413e41a5e4147c72ee5b4e5eb4d329d559ff68c6f995b1db804495b36
-  data.tar.gz: 6de5a48637e077f9ba4c2570fa6c6e6034c44501bbd4a8d8be75a26d5e174f720d65e2bb4d6dc00326248daa1b9d21b14ac76183ae9bfdc6108b2c010c732f61
+  metadata.gz: dbd9a0129be207bd120c0ba860260726c4547b8e0356eda5c221b70d29aaf9ec92fdce5af7450b919f8a74774b79820c128220749e883c226de4c82f45c21915
+  data.tar.gz: 74e57634c9aef93e952858a542cac3966c849fa3e1deb2dd5b0ef4b7cd9f8167eba767e55635b72c2cbc7f3d08228a3fed26ed4f2e072e4eb6d8c78a09c3b151

data/config/cookstyle.yml

@@ -506,6 +506,24 @@ Chef/Correctness/MetadataMissingVersion:
   Include:
     - '**/metadata.rb'
 
+Chef/Correctness/InvalidCookbookName:
+  Description: Cookbook names should not contain invalid characters such as periods.
+  StyleGuide: 'chef_correctness_invalidcookbookname'
+  Enabled: true
+  VersionAdded: '7.27'
+  Include:
+    - '**/metadata.rb'
+
+Chef/Correctness/InvalidNotificationResource:
+  Description: The resource to notify when calling `notifies` or `subscribes` must be a string.
+  StyleGuide: 'chef_correctness_invalidnotificationresource'
+  Enabled: true
+  VersionAdded: '7.28'
+  Exclude:
+    - '**/attributes/*.rb'
+    - '**/metadata.rb'
+    - '**/Berksfile'
+
 ###############################
 # Chef/Sharing: Issues that prevent sharing code with other teams or with the Chef community in general
 ###############################
@@ -2281,6 +2299,24 @@ InSpec/Deprecations/AttributeDefault:
   Include:
     - '**/controls/*.rb'
 
+#### Security Cops
+
+Chef/Security:
+  StyleGuideBaseURL: https://docs.chef.io/workstation/cookstyle/
+
+Chef/Security/ :
+  Description: Do not include plain text SSH private keys in your cookbook code. This sensitive data should be fetched from secrets management systems so that secrets are not uploaded in plain text to the Chef Infra Server or committed to source control systems.
+  StyleGuide: 'chef_security_sshprivatekey'
+  Enabled: true
+  VersionAdded: '7.28'
+  Include:
+    - '**/libraries/*.rb'
+    - '**/resources/*.rb'
+    - '**/providers/*.rb'
+    - '**/recipes/*.rb'
+    - '**/attributes/*.rb'
+    - '**/definitions/*.rb'
+    
 #### The base rubocop 0.37 enabled.yml file we started with ####
 
 Layout/AccessModifierIndentation:
@@ -3035,3 +3071,11 @@ Lint/DeprecatedConstants:
 # always turn on deprecation cops from rubocop
 Lint/ErbNewArguments:
   Enabled: true
+
+# reduce file read complexity
+Style/FileRead:
+  Enabled: true
+
+# reduce file write complexity
+Style/FileWrite:
+  Enabled: true

data/config/disable_all.yml

@@ -491,6 +491,8 @@ Naming/AccessorMethodName:
   Enabled: false
 Naming/AsciiIdentifiers:
   Enabled: false
+Naming/BlockForwarding:
+  Enabled: false
 Naming/BlockParameterName:
   Enabled: false
 Naming/ClassAndModuleCamelCase:
@@ -641,6 +643,10 @@ Style/ExplicitBlockArgument:
   Enabled: false
 Style/ExponentialNotation:
   Enabled: false
+Style/FileRead:
+  Enabled: false
+Style/FileWrite:
+  Enabled: false
 Style/FloatDivision:
   Enabled: false
 Style/For:
@@ -705,6 +711,8 @@ Style/LambdaCall:
   Enabled: false
 Style/LineEndConcatenation:
   Enabled: false
+Style/MapToHash:
+  Enabled: false
 Style/MethodCallWithoutArgsParentheses:
   Enabled: false
 Style/MethodCallWithArgsParentheses:

data/config/upstream.yml

@@ -78,6 +78,8 @@ AllCops:
   # When specifying style guide URLs, any paths and/or fragments will be
   # evaluated relative to the base URL.
   StyleGuideBaseURL: https://rubystyle.guide
+  # Documentation URLs will be constructed using the base URL.
+  DocumentationBaseURL: https://docs.rubocop.org/rubocop
   # Extra details are not displayed in offense messages by default. Change
   # behavior by overriding ExtraDetails, or by giving the
   # `-E/--extra-details` option.
@@ -449,7 +451,11 @@ Layout/ClosingParenthesisIndentation:
 Layout/CommentIndentation:
   Description: 'Indentation of comments.'
   Enabled: true
+  # When true, allows comments to have extra indentation if that aligns them
+  # with a comment on the preceding line.
+  AllowForAlignment: false
   VersionAdded: '0.49'
+  VersionChanged: '1.24'
 
 Layout/ConditionPosition:
   Description: >-
@@ -1796,7 +1802,9 @@ Lint/ImplicitStringConcatenation:
 Lint/IncompatibleIoSelectWithFiberScheduler:
   Description: 'Checks for `IO.select` that is incompatible with Fiber Scheduler.'
   Enabled: pending
+  SafeAutoCorrect: false
   VersionAdded: '1.21'
+  VersionChanged: '1.24'
 
 Lint/IneffectiveAccessModifier:
   Description: >-
@@ -2479,6 +2487,16 @@ Naming/BinaryOperatorParameterName:
   VersionAdded: '0.50'
   VersionChanged: '1.2'
 
+Naming/BlockForwarding:
+  Description: 'Use anonymous block forwarding.'
+  StyleGuide: '#block-forwarding'
+  Enabled: pending
+  VersionAdded: '1.24'
+  EnforcedStyle: anonymous
+  SupportedStyles:
+    - anonymous
+    - explicit
+
 Naming/BlockParameterName:
   Description: >-
                  Checks for block parameter names that contain capital letters,
@@ -3492,6 +3510,18 @@ Style/ExponentialNotation:
     - engineering
     - integral
 
+Style/FileRead:
+  Description: 'Favor `File.(bin)read` convenience methods.'
+  StyleGuide: '#file-read'
+  Enabled: pending
+  VersionAdded: '1.24'
+
+Style/FileWrite:
+  Description: 'Favor `File.(bin)write` convenience methods.'
+  StyleGuide: '#file-write'
+  Enabled: pending
+  VersionAdded: '1.24'
+
 Style/FloatDivision:
   Description: 'For performing float division, coerce one side only.'
   StyleGuide: '#float-division'
@@ -3650,7 +3680,7 @@ Style/HashSyntax:
   StyleGuide: '#hash-literals'
   Enabled: true
   VersionAdded: '0.9'
-  VersionChanged: '0.43'
+  VersionChanged: '1.24'
   EnforcedStyle: ruby19
   SupportedStyles:
     # checks for 1.9 syntax (e.g. {a: 1}) for all symbol keys
@@ -3661,6 +3691,13 @@ Style/HashSyntax:
     - no_mixed_keys
     # enforces both ruby19 and no_mixed_keys styles
     - ruby19_no_mixed_keys
+  # Force hashes that have a hash value omission
+  EnforcedShorthandSyntax: always
+  SupportedShorthandSyntax:
+    # forces use of the 3.1 syntax (e.g. {foo:}) when the hash key and value are the same.
+    - always
+    # forces use of explicit hash literal value.
+    - never
   # Force hashes that have a symbol value to use hash rockets
   UseHashRocketsWithSymbolValues: false
   # Do not suggest { a?: 1 } over { :a? => 1 } in ruby19 style
@@ -3837,6 +3874,12 @@ Style/LineEndConcatenation:
   VersionAdded: '0.18'
   VersionChanged: '0.64'
 
+Style/MapToHash:
+  Description: 'Prefer `to_h` with a block over `map.to_h`.'
+  Enabled: pending
+  VersionAdded: '1.24'
+  Safe: false
+
 Style/MethodCallWithArgsParentheses:
   Description: 'Use parentheses for method calls with arguments.'
   StyleGuide: '#method-invocation-parens'
@@ -4205,6 +4248,8 @@ Style/NumericLiterals:
   VersionChanged: '0.48'
   MinDigits: 5
   Strict: false
+  # You can specify allowed numbers. (e.g. port number 3000, 8080, and etc)
+  AllowedNumbers: []
 
 Style/NumericPredicate:
   Description: >-

data/lib/cookstyle/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Cookstyle
-  VERSION = "7.25.10" # rubocop: disable Style/StringLiterals
-  RUBOCOP_VERSION = '1.23.0'
+  VERSION = "7.30.1" # rubocop: disable Style/StringLiterals
+  RUBOCOP_VERSION = '1.24.1'
 end

data/lib/rubocop/chef/cookbook_helpers.rb

@@ -111,6 +111,8 @@ module RuboCop
         case node.type
         when :send
           yield(node) if node.receiver.nil? # if it's not nil then we're not in a property foo we're in bar.foo
+        when :block # ie: not_if { ruby_foo }
+          yield(node)
         when :while
           extract_send_types(node.body) { |t| yield(t) }
         when :if

data/lib/rubocop/cop/chef/correctness/invalid_cookbook_name.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+#
+# Copyright:: 2022, Chef Software Inc.
+# Author:: Tim Smith (<tsmith@chef.io>)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module RuboCop
+  module Cop
+    module Chef
+      module Correctness
+        # Cookbook names should not contain invalid characters such as periods.
+        #
+        # @example
+        #
+        #   #### incorrect
+        #   name 'foo.bar'
+        #
+        #   #### correct
+        #   name 'foo_bar'
+        #
+        class InvalidCookbookName < Base
+          RESTRICT_ON_SEND = [:name].freeze
+          MSG = 'Cookbook names should not contain invalid characters such as periods.'
+
+          def_node_matcher :has_name?, '(send nil? :name $str)'
+
+          def on_send(node)
+            has_name?(node) do |val|
+              add_offense(node, message: MSG, severity: :refactor) if val.value.include?('.')
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/chef/correctness/invalid_notification_resource.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+#
+# Copyright:: 2022, Chef Software, Inc.
+# Author:: Tim Smith (<tsmith@chef.io>)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module RuboCop
+  module Cop
+    module Chef
+      module Correctness
+        # The resource to notify when calling `notifies` or `subscribes` must be a string.
+        #
+        # @example
+        #
+        #   #### incorrect
+        #
+        #   template '/etc/www/configures-apache.conf' do
+        #     notifies :restart, service['apache'], :immediately
+        #   end
+        #
+        #   template '/etc/www/configures-apache.conf' do
+        #     notifies :restart, service[apache], :immediately
+        #   end
+        #
+        #   #### correct
+        #
+        #   template '/etc/www/configures-apache.conf' do
+        #     notifies :restart, 'service[apache]', :immediately
+        #   end
+        #
+        class InvalidNotificationResource < Base
+          MSG = 'The resource to notify when calling `notifies` or `subscribes` must be a string.'
+          RESTRICT_ON_SEND = [:notifies, :subscribes].freeze
+
+          def_node_matcher :invalid_notification?, <<-PATTERN
+            (send nil? {:notifies :subscribes} (sym _) $(send (send nil? _) :[] ...) ...)
+          PATTERN
+
+          def on_send(node)
+            invalid_notification?(node) do |resource|
+              add_offense(resource, message: MSG, severity: :refactor)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/chef/deprecation/depends_poise.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 #
-# Copyright:: 2019, Chef Software, Inc.
+# Copyright:: 2019-2022, Chef Software, Inc.
 # Author:: Tim Smith (<tsmith@chef.io>)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -26,6 +26,7 @@ module RuboCop
         #   #### incorrect
         #   depends 'poise'
         #   depends 'poise-service'
+        #   depends 'poise-hoist'
         #
         class CookbookDependsOnPoise < Base
           MSG = 'Cookbooks should not depend on the deprecated Poise framework'
@@ -37,7 +38,7 @@ module RuboCop
 
           def on_send(node)
             depends_method?(node) do |arg|
-              add_offense(node, message: MSG, severity: :warning) if %w(poise poise-service).include?(arg.value)
+              add_offense(node, message: MSG, severity: :warning) if %w(poise poise-service poise-hoist).include?(arg.value)
             end
           end
         end

data/lib/rubocop/cop/chef/redundant/use_create_if_missing.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 #
-# Copyright:: 2020, Chef Software, Inc.
+# Copyright:: 2020-2022, Chef Software, Inc.
 # Author:: Tim Smith (<tsmith@chef.io>)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,7 +19,7 @@ module RuboCop
   module Cop
     module Chef
       module RedundantCode
-        # Use the :create_if_missing action instead of not_if with a ::File.exist(FOO) check.
+        # Use the `:create_if_missing` action instead of `not_if` with a `::File.exist(FOO)` check.
         #
         # @example
         #
@@ -32,6 +32,15 @@ module RuboCop
         #     not_if { ::File.exists?('/logs/foo/error.log') }
         #   end
         #
+        #   remote_file 'Download file' do
+        #     path '/foo/bar'
+        #     source 'https://foo.com/bar'
+        #     owner 'root'
+        #     group 'root'
+        #     mode '0644'
+        #     not_if { ::File.exist?('/foo/bar') }
+        #   end
+        #
         #   #### correct
         #   cookbook_file '/logs/foo/error.log' do
         #     source 'error.log'
@@ -41,30 +50,61 @@ module RuboCop
         #     action :create_if_missing
         #   end
         #
+        #   remote_file 'Download file' do
+        #     path '/foo/bar'
+        #     source 'https://foo.com/bar'
+        #     owner 'root'
+        #     group 'root'
+        #     mode '0644'
+        #     action :create_if_missing
+        #   end
+        #
         class UseCreateIfMissing < Base
           include RuboCop::Chef::CookbookHelpers
           extend AutoCorrector
+          include RangeHelp
 
           MSG = 'Use the :create_if_missing action instead of not_if with a ::File.exist(FOO) check.'
+          RESOURCES = %i(cookbook_file file remote_directory cron_d remote_file template).freeze
 
-          def_node_matcher :not_if_file_exist?, <<-PATTERN
-          (block (send nil? :not_if) (args) (send (const {nil? (cbase)} :File) {:exist? :exists?} $(str ...)))
+          def_node_matcher :file_exist_value, <<-PATTERN
+          (send (const {nil? (cbase)} :File) {:exist? :exists?} $(...))
           PATTERN
 
-          def_node_matcher :file_like_resource?, <<-PATTERN
-          (block (send nil? {:cookbook_file :file :remote_directory :cron_d :remote_file :template} $str) ... )
-          PATTERN
+          def_node_search :has_action?, '(send nil? :action ...)'
 
-          def_node_search :create_action?, '(send nil? :action $sym)'
+          def_node_search :create_action, '(send nil? :action $sym)'
+
+          def_node_search :path_property_node, '(send nil? :path $...)'
 
           def on_block(node)
-            not_if_file_exist?(node) do |props|
-              file_like_resource?(node.parent.parent) do |resource_blk_name|
-                # the not_if file name is the same as the resource name and there's no action defined (it's the default)
-                return unless props == resource_blk_name && create_action?(node.parent.parent).nil?
+            match_property_in_resource?(RESOURCES, :not_if, node) do |prop|
+              # if it's not a block type then it's not a ruby block with a file.exist
+              return unless prop.block_type?
+
+              file_exist_value(prop.body) do |exists_content| # check the contents of the ruby block that's passed
+                # not an offense if:
+                #   - The resource block name (the last arg of the send) doesn't match the exists check content
+                #   - If a path property is used it doesn't match the exists check content
+                return unless exists_content == node.send_node.last_argument ||
+                              exists_content == path_property_node(node)&.first&.first
+
+                # we have an action so check if it is :create. If that's the case we can replace that value
+                # and delete the not_if line. Otherwise it's an action like :remove and while the whole resource
+                # no longer makes sense that's not our problem here.
+                create_action(node) do |create_action|
+                  return unless create_action == s(:sym, :create)
+                  add_offense(prop, message: MSG, severity: :refactor) do |corrector|
+                    corrector.replace(create_action, ':create_if_missing')
+                    corrector.remove(range_by_whole_lines(prop.source_range, include_final_newline: true))
+                  end
+                  return
+                end
 
-                add_offense(node, message: MSG, severity: :refactor) do |corrector|
-                  corrector.replace(node, 'action :create_if_missing')
+                # if we got this far we didn't return above when we had an action
+                # so we can just replace the not_if line with a new :create_if_missing action
+                add_offense(prop, message: MSG, severity: :refactor) do |corrector|
+                  corrector.replace(prop, 'action :create_if_missing')
                 end
               end
             end

data/lib/rubocop/cop/chef/security/ssh_private_key.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+#
+# Copyright:: 2021-2022, Chef Software, Inc.
+# Author:: Tim Smith (<tsmith@chef.io>)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module RuboCop
+  module Cop
+    module Chef
+      module Security
+        # Do not include plain text SSH private keys in your cookbook code. This sensitive data should be fetched from secrets management systems so that secrets are not uploaded in plain text to the Chef Infra Server or committed to source control systems.
+        #
+        # @example
+        #
+        #   #### incorrect
+        #   file '/Users/bob_bobberson/.ssh/id_rsa' do
+        #     content '-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----'
+        #     mode '600'
+        #   end
+        #
+        class SshPrivateKey < Base
+          MSG = 'Do not include plain text SSH private keys in your cookbook code. This sensitive data should be fetched from secrets management systems so that secrets are not uploaded in plain text to the Chef Infra Server or committed to source control systems.'
+
+          def on_send(node)
+            return unless node.arguments?
+            node.arguments.each do |arg|
+              next unless arg.str_type? || arg.dstr_type?
+
+              if arg.value.start_with?('-----BEGIN RSA PRIVATE', '-----BEGIN EC PRIVATE') # cookstyle: disable Chef/Security/SshPrivateKey
+                add_offense(node, message: MSG, severity: :warning)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/monkey_patches/directive_comment.rb

@@ -3,7 +3,7 @@ module RuboCop
   # we're monkey patching the config regex to allow for # cookstyle: disable whatever
   # in addition to the # rubocop: disable whatever that comes with RuboCop
   class DirectiveComment
-    remove_const('DIRECTIVE_COMMENT_REGEXP')
+    remove_const(:DIRECTIVE_COMMENT_REGEXP)
     DIRECTIVE_COMMENT_REGEXP = Regexp.new(
       "# (?:rubocop|cookstyle) : ((?:disable|enable|todo))\\b #{COPS_PATTERN}"
         .gsub(' ', '\s*')

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cookstyle
 version: !ruby/object:Gem::Version
-  version: 7.25.10
+  version: 7.30.1
 platform: ruby
 authors:
 - Thom May
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-11-15 00:00:00.000000000 Z
+date: 2022-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -17,14 +17,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.23.0
+        version: 1.24.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.23.0
+        version: 1.24.1
 description: 
 email:
 - thom@chef.io
@@ -55,7 +55,9 @@ files:
 - lib/rubocop/cop/chef/correctness/conditional_ruby_shellout.rb
 - lib/rubocop/cop/chef/correctness/dnf_package_allow_downgrades.rb
 - lib/rubocop/cop/chef/correctness/incorrect_library_injection.rb
+- lib/rubocop/cop/chef/correctness/invalid_cookbook_name.rb
 - lib/rubocop/cop/chef/correctness/invalid_default_action.rb
+- lib/rubocop/cop/chef/correctness/invalid_notification_resource.rb
 - lib/rubocop/cop/chef/correctness/invalid_notification_timing.rb
 - lib/rubocop/cop/chef/correctness/invalid_platform_family_helper.rb
 - lib/rubocop/cop/chef/correctness/invalid_platform_family_values_in_case.rb
@@ -273,6 +275,7 @@ files:
 - lib/rubocop/cop/chef/redundant/unnecessary_desired_state.rb
 - lib/rubocop/cop/chef/redundant/unnecessary_name_property.rb
 - lib/rubocop/cop/chef/redundant/use_create_if_missing.rb
+- lib/rubocop/cop/chef/security/ssh_private_key.rb
 - lib/rubocop/cop/chef/sharing/default_maintainer_metadata.rb
 - lib/rubocop/cop/chef/sharing/empty_metadata_field.rb
 - lib/rubocop/cop/chef/sharing/include_property_descriptions.rb