kitchen-provisioner-ice-temp 0.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 468d51adccc34199758691e4f870dc8871355fd30385f4566fce0ff45d13c37e
+  data.tar.gz: 0cc08b227af5a42025f618d83d45fcc7d4ed3a575bca390e669dccb5551816f8
+SHA512:
+  metadata.gz: fc7ac161ce6246f10c1631dabac90620a56d6eb091291b629235e4ad3d3b539d4790ee14df3e2c79e80ba05eb57684a23a81dc1e8e90618e2fa8381f89e62989
+  data.tar.gz: 2cbadb303a0b7bc1ccd81a67beb977393f0ce197f908b0d27e5806462c35a52f718a42712386b1adcbe75366cd0188682b03cc2911b15e13671044028890b833

data/LICENSE

@@ -0,0 +1,15 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -0,0 +1,93 @@
+# kitchen-provisioner-ice-temp
+
+> **⚠️ This is a temporary stopgap gem.**
+> It provides Chef ICE (Chef Infra Client 19+) support for Test Kitchen
+> until a future Chef Workstation release ships with native chef-ice
+> provisioning built in. Once you upgrade to that version of Chef
+> Workstation, **uninstall this gem** and switch your `kitchen.yml` back
+> to the built-in provisioner.
+
+A [Test Kitchen](https://kitchen.ci/) provisioner for **Chef ICE** (Chef Infra Client 19+).
+
+This is a thin layer on top of the existing `ChefInfra` provisioner from `kitchen-omnibus-chef`. It overrides only the install path to use the Chef commercial downloads API (or a direct URL). Everything else — cookbook upload, data bags, roles, config files, `chef-client --local-mode` execution — is inherited.
+
+## Installation
+
+```
+gem install kitchen-provisioner-ice-temp
+```
+
+Or in your cookbook's `Gemfile`:
+
+```ruby
+gem "kitchen-provisioner-ice-temp"
+```
+
+## Usage
+
+### Via Chef commercial downloads API
+
+```yaml
+provisioner:
+  name: chef_ice
+  product_version: 19.2.12      # or "latest"
+  channel: stable
+  chef_license_key: "your-key"  # or set CHEF_LICENSE_KEY env var
+  chef_license: accept
+```
+
+### Via direct download URL
+
+```yaml
+provisioner:
+  name: chef_ice
+  download_url: https://my-mirror.example.com/chef-ice-19.2.12-1_amd64.deb
+  checksum: abc123...            # optional SHA-256
+  chef_license: accept
+```
+
+### Skip installation (pre-baked image)
+
+```yaml
+provisioner:
+  name: chef_ice
+  install_strategy: skip
+  chef_license: accept
+```
+
+## Configuration
+
+All settings from the standard `chef_infra` / `chef_zero` provisioner are supported. Additional settings:
+
+| Setting | Default | Description |
+|---------|---------|-------------|
+| `product_version` | `latest` | Chef ICE version |
+| `channel` | `stable` | Release channel |
+| `chef_license_key` | `ENV["CHEF_LICENSE_KEY"]` | License key for commercial API |
+| `downloads_api_url` | `https://commercial-acceptance.downloads.chef.co` | API base URL |
+| `download_url` | `nil` | Direct package URL (bypasses API) |
+
+## Removal
+
+When a future Chef Workstation ships with native chef-ice support:
+
+1. **Uninstall the gem:**
+
+   ```
+   chef exec gem uninstall kitchen-provisioner-ice-temp
+   ```
+
+2. **Update `kitchen.yml`** — the provisioner name `chef_ice` won't change, but check the Chef Workstation release notes in case the built-in provisioner uses a different name.
+
+3. **Remove from Gemfile** (if listed):
+
+   ```ruby
+   # DELETE this line:
+   gem "kitchen-provisioner-ice-temp"
+   ```
+
+That's it — all other configuration (`product_version`, `channel`, `chef_license_key`, etc.) should carry over to the built-in provisioner unchanged.
+
+## License
+
+Apache-2.0

data/lib/kitchen/provisioner/chef_ice/version.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Kitchen
+  module Provisioner
+    CHEF_ICE_VERSION = begin
+      dir = File.expand_path("../../..", __dir__)
+      if File.directory?(File.join(dir, ".git"))
+        tag = `git -C #{dir} describe --tags --match 'v*' 2>/dev/null`.strip
+        tag.empty? ? "0.0.0" : tag.sub(/^v/, "").sub(/-(\d+)-g/, '.\1.dev.')
+      else
+        Gem.loaded_specs["kitchen-provisioner-ice-temp"]&.version&.to_s || "0.0.0"
+      end
+    end
+  end
+end

data/lib/kitchen/provisioner/chef_ice.rb

@@ -0,0 +1,467 @@
+# Test Kitchen provisioner for Chef ICE (Chef Infra Client 19+).
+#
+# Thin layer on top of the existing ChefInfra provisioner from
+# kitchen-omnibus-chef. Only overrides the install path to use the
+# Chef commercial downloads API or a direct download URL.
+# Everything else (sandbox, config files, run_command, policyfile/berkshelf)
+# is inherited from ChefInfra.
+#
+# Architecture
+# ------------
+# The package is downloaded in Ruby on the workstation during
+# create_sandbox, placed in the sandbox directory, and uploaded to
+# the node with the rest of the sandbox files (cookbooks, config, etc.).
+#
+# prepare_command (which runs AFTER the sandbox upload but BEFORE
+# run_command) installs the local package file using the native
+# package manager. No curl/wget is needed on the node, no URLs
+# appear in the shell script, and the license key never leaves
+# the workstation.
+
+require "kitchen/provisioner/chef_infra"
+require_relative "chef_ice/version"
+require "json"
+require "net/http"
+require "uri"
+require "fileutils"
+require "digest"
+
+
+
+module Kitchen
+  module Provisioner
+    class ChefIce < ChefInfra
+      kitchen_provisioner_api_version 2
+
+      plugin_version Kitchen::Provisioner::CHEF_ICE_VERSION
+
+      # Do NOT set product_name — it triggers mixlib-install validation
+      # in the parent which doesn't know about chef-ice.
+      # Instead we set require_chef_omnibus to false and handle install ourselves.
+      default_config :require_chef_omnibus, false
+
+      # Commercial downloads API base URL
+      default_config :downloads_api_url, "https://commercial-acceptance.downloads.chef.co"
+
+      # Licence key for the commercial downloads API
+      default_config :chef_license_key do |_p|
+        ENV["CHEF_LICENSE_KEY"]
+      end
+
+      default_config :product_version, "latest"
+      default_config :channel, "stable"
+      default_config :install_strategy, "once"   # once, always, skip
+      default_config :download_url, nil
+      default_config :checksum, nil
+
+      # Skip the enterprise gem delegation dance from ChefInfra —
+      # we ARE the replacement provisioner.
+      def self.new(config = {})
+        allocate.tap { |i| i.send(:initialize, config) }
+      end
+
+      # --- sandbox --------------------------------------------------
+
+      # Download the chef-ice package into the sandbox so it gets
+      # uploaded alongside cookbooks, data bags, etc.
+      def create_sandbox
+        super
+        return if config[:install_strategy] == "skip"
+
+        prepare_package
+      end
+
+      # --- commands sent to the node --------------------------------
+
+      # install_command runs BEFORE the sandbox upload.
+      # We only use it for the guard check — actual install happens
+      # in prepare_command after the package file has been uploaded.
+      def install_command
+        return if config[:install_strategy] == "skip"
+
+        prefix_command(wrap_shell_code(install_guard))
+      end
+
+      # prepare_command runs AFTER sandbox upload and BEFORE run_command.
+      # The package file(s) are now on the node under root_path.
+      def prepare_command
+        return if config[:install_strategy] == "skip"
+        return unless @package_files && !@package_files.empty?
+
+        prefix_command(wrap_shell_code(install_package_script))
+      end
+
+      # Skip the parent's license check which goes through
+      # license-acceptance gem with product names it may not recognise.
+      def check_license
+        # chef-ice license is handled by chef_license / chef_license_key
+        # config passed to chef-client at run time.
+      end
+
+      private
+
+      # ---------------------------------------------------------------
+      # Package download (runs on workstation during create_sandbox)
+      # ---------------------------------------------------------------
+
+      # Decide which path to take and download the package into the
+      # sandbox directory.
+      def prepare_package
+        if config[:download_url]
+          download_from_url
+        elsif config[:chef_license_key]
+          download_from_api
+        else
+          raise UserError,
+            "chef_license_key is required to download chef-ice from the " \
+            "commercial downloads API. Set it in kitchen.yml or via the " \
+            "CHEF_LICENSE_KEY env var. Alternatively, set download_url to " \
+            "point at a local package."
+        end
+      end
+
+      # Download from a user-supplied direct URL.
+      def download_from_url
+        url  = config[:download_url]
+        name = File.basename(URI.parse(url).path)
+        dest = File.join(sandbox_path, name)
+
+        info("Downloading chef-ice from #{url}")
+        http_download(URI.parse(url), dest)
+        verify_sha256(dest, config[:checksum]) if config[:checksum]
+
+        @package_files = [{ filename: name }]
+      end
+
+      # Walk the commercial downloads API and download the correct
+      # package(s) for the target platform into the sandbox.
+      def download_from_api
+        version  = resolve_version
+        packages = fetch_packages(version)
+
+        info("Chef ICE #{version} (license: ****)")
+
+        # Only download formats the target platform can use.
+        formats = windows_os? ? %w[msi] : %w[rpm deb]
+        platform = windows_os? ? "windows" : "linux"
+
+        @package_files = []
+
+        packages.each do |arch, pm_map|
+          formats.each do |pm|
+            detail = pm_map[pm]
+            next unless detail
+
+            url    = detail["url"]
+            sha256 = detail["sha256"]
+
+            # Check the shared Chef Workstation cache first.
+            # Layout: ~/.chef/cached-packages/{platform}/{arch}/{pm}/chef-ice/{version}/
+            cache_subdir = File.join(platform, arch, pm, "chef-ice", version)
+            cached = find_in_cache(cache_subdir, sha256)
+
+            if cached
+              filename = File.basename(cached)
+              dest = File.join(sandbox_path, filename)
+              info("  Using cached #{filename}")
+              FileUtils.cp(cached, dest)
+            else
+              # Download to a temp location, resolve real filename from
+              # Content-Disposition header, then move into cache.
+              info("  Downloading chef-ice #{version} #{pm} (#{arch})")
+              tmpfile = File.join(sandbox_path, "chef-ice-download.tmp")
+              real_name = http_download(URI.parse(url), tmpfile)
+
+              # Use Content-Disposition filename if we got one,
+              # otherwise fall back to a constructed name.
+              filename = real_name || "chef-ice-#{version}-#{arch}.#{pm}"
+              dest = File.join(sandbox_path, filename)
+              FileUtils.mv(tmpfile, dest) if File.exist?(tmpfile)
+
+              verify_sha256(dest, sha256) if sha256 && !sha256.empty?
+              store_in_cache(dest, cache_subdir, sha256)
+            end
+
+            @package_files << { arch: arch, pm: pm, filename: filename }
+          end
+        end
+
+        if @package_files.empty?
+          raise UserError, "No downloadable packages found for chef-ice #{version}"
+        end
+      end
+
+      # ---------------------------------------------------------------
+      # API helpers (run on workstation — key never sent to the node)
+      # ---------------------------------------------------------------
+
+      # GET a JSON endpoint from the commercial downloads API.
+      def api_get(path, params = {})
+        params["license_id"] = config[:chef_license_key]
+        uri = URI.parse("#{config[:downloads_api_url]}#{path}")
+        uri.query = URI.encode_www_form(params)
+
+        response = http_get_follow(uri, 5)
+
+        unless response.is_a?(Net::HTTPSuccess)
+          safe_uri = uri.to_s.gsub(config[:chef_license_key].to_s, "****")
+          raise UserError,
+            "Chef downloads API returned #{response.code}: " \
+            "#{response.body.strip} (#{safe_uri})"
+        end
+
+        JSON.parse(response.body)
+      end
+
+      # Resolve "latest" to a concrete version string.
+      def resolve_version
+        version = config[:product_version]
+        return version unless version.nil? || version == "latest"
+
+        channel  = config[:channel]
+        versions = api_get("/#{channel}/chef-ice/versions/all")
+
+        raise UserError, "No versions found for chef-ice on #{channel} channel" if versions.empty?
+
+        versions.sort_by { |v| Gem::Version.new(v) }.last
+      end
+
+      # Fetch the packages map and merge all platform keys.
+      # Returns: { "x86_64" => { "rpm" => { ... }, "deb" => { ... } }, ... }
+      def fetch_packages(version)
+        channel  = config[:channel]
+        response = api_get("/#{channel}/chef-ice/packages", "v" => version)
+
+        merged = {}
+        response.each_value do |arch_map|
+          next unless arch_map.is_a?(Hash)
+
+          arch_map.each do |arch, pm_map|
+            merged[arch] ||= {}
+            merged[arch].merge!(pm_map) if pm_map.is_a?(Hash)
+          end
+        end
+
+        raise UserError, "No packages found for chef-ice #{version}" if merged.empty?
+
+        merged
+      end
+
+
+
+      # ---------------------------------------------------------------
+      # HTTP helpers
+      # ---------------------------------------------------------------
+
+      # GET with redirect following — returns the response object.
+      def http_get_follow(uri, limit)
+        raise UserError, "Too many HTTP redirects" if limit <= 0
+
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = (uri.scheme == "https")
+        http.open_timeout = 10
+        http.read_timeout = 30
+
+        response = http.request(Net::HTTP::Get.new(uri))
+
+        case response
+        when Net::HTTPRedirection
+          http_get_follow(URI.parse(response["location"]), limit - 1)
+        else
+          response
+        end
+      end
+
+      # Stream a URI to a local file, following redirects.
+      # Returns the filename from Content-Disposition header if present, else nil.
+      def http_download(uri, dest, limit = 5)
+        raise UserError, "Too many HTTP redirects downloading #{File.basename(dest)}" if limit <= 0
+
+        Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
+          request = Net::HTTP::Get.new(uri)
+          http.request(request) do |response|
+            case response
+            when Net::HTTPRedirection
+              return http_download(URI.parse(response["location"]), dest, limit - 1)
+            when Net::HTTPSuccess
+              File.open(dest, "wb") do |f|
+                response.read_body { |chunk| f.write(chunk) }
+              end
+              # Extract filename from Content-Disposition if present
+              cd = response["content-disposition"]
+              if cd && cd =~ /filename=["']?([^"';\s]+)/
+                return $1
+              end
+              return nil
+            else
+              raise UserError,
+                "Failed to download #{File.basename(dest)}: HTTP #{response.code}"
+            end
+          end
+        end
+      end
+
+      # Verify a file matches an expected SHA-256 hex digest.
+      def verify_sha256(path, expected)
+        actual = Digest::SHA256.file(path).hexdigest
+        return if actual == expected
+
+        raise UserError,
+          "Checksum mismatch for #{File.basename(path)}: " \
+          "expected #{expected}, got #{actual}"
+      end
+
+      # ---------------------------------------------------------------
+      # Package cache — shared with chef-pkg at ~/.chef/cached-packages/
+      #
+      # Layout:
+      #   ~/.chef/cached-packages/{platform}/{arch}/{pm}/chef-ice/{version}/
+      #     chef-ice-19.2.12-1.amzn2.x86_64.rpm
+      #     chef-ice-19.2.12-1.amzn2.x86_64.rpm.sha256
+      # ---------------------------------------------------------------
+
+      CACHE_ROOT = File.join(Dir.home, ".chef", "cached-packages")
+
+      # Find a cached package file by scanning the cache subdirectory
+      # for a file whose .sha256 sidecar matches the expected digest.
+      # Returns the full path to the cached file, or nil.
+      def find_in_cache(subdir, expected_sha256)
+        dir = File.join(CACHE_ROOT, subdir)
+        return nil unless File.directory?(dir)
+        return nil if expected_sha256.nil? || expected_sha256.empty?
+
+        Dir.glob(File.join(dir, "*")).each do |path|
+          next if path.end_with?(".sha256")
+
+          sidecar = "#{path}.sha256"
+          next unless File.exist?(sidecar)
+          next unless File.read(sidecar).strip == expected_sha256
+
+          return path
+        end
+
+        nil
+      end
+
+      # Store a downloaded file in the cache with a .sha256 sidecar.
+      def store_in_cache(source, subdir, sha256)
+        return if sha256.nil? || sha256.empty?
+
+        dir = File.join(CACHE_ROOT, subdir)
+        FileUtils.mkdir_p(dir)
+        dest = File.join(dir, File.basename(source))
+        FileUtils.cp(source, dest)
+        File.write("#{dest}.sha256", sha256)
+      end
+
+      # ---------------------------------------------------------------
+      # Shell script generators (run on the node)
+      # ---------------------------------------------------------------
+
+      # Guard clause: skip install if chef-client already present.
+      def install_guard
+        <<~SH
+          if [ -x "#{config[:chef_client_path]}" ]; then
+            echo "-----> Chef ICE already installed, skipping"
+            exit 0
+          fi
+        SH
+      end
+
+      # Generate a shell script that installs the package file(s)
+      # already uploaded to root_path on the node.
+      def install_package_script
+        if @package_files.length == 1 && !@package_files[0][:arch]
+          # Single file from download_url — install directly
+          remote = remote_path_join(config[:root_path], @package_files[0][:filename])
+          return install_single_package(remote)
+        end
+
+        # Multiple arch/pm files from the API — pick the right one at runtime
+        install_multi_package
+      end
+
+      # Install a single known package file.
+      def install_single_package(remote_pkg)
+        <<~SH
+          echo "-----> Installing Chef ICE from uploaded package"
+          case "#{remote_pkg}" in
+            *.deb) #{sudo("dpkg")} -i "#{remote_pkg}" || #{sudo("apt-get")} install -fy ;;
+            *.rpm)
+              if command -v dnf >/dev/null 2>&1; then #{sudo("dnf")} install -y "#{remote_pkg}"
+              elif command -v yum >/dev/null 2>&1; then #{sudo("yum")} install -y "#{remote_pkg}"
+              else #{sudo("rpm")} -Uvh "#{remote_pkg}"
+              fi ;;
+            *.msi) msiexec /qn /i "#{remote_pkg}" ;;
+            *) echo "ERROR: unknown package format" >&2; exit 1 ;;
+          esac
+        SH
+      end
+
+      # Build a shell script with arch detection and pm detection that
+      # picks the correct package file from the set uploaded to root_path.
+      def install_multi_package
+        root = config[:root_path]
+
+        arch_branches = {}
+        @package_files.each do |pf|
+          arch_branches[pf[:arch]] ||= []
+          arch_branches[pf[:arch]] << pf
+        end
+
+        script = []
+        script << <<~SH
+          echo "-----> Installing Chef ICE from uploaded package"
+          machine="$(uname -m)"
+          case "$machine" in
+            x86_64|amd64)  arch="x86_64" ;;
+            aarch64|arm64) arch="aarch64" ;;
+            *)             echo "ERROR: unsupported architecture $machine" >&2; exit 1 ;;
+          esac
+        SH
+
+        case_lines = []
+        arch_branches.each do |arch, files|
+          pm_lines = []
+          files.each do |pf|
+            remote = remote_path_join(root, pf[:filename])
+            keyword = pm_lines.empty? ? "if" : "elif"
+            case pf[:pm]
+            when "rpm"
+              pm_lines << "    #{keyword} command -v rpm >/dev/null 2>&1; then"
+              pm_lines << "      if command -v dnf >/dev/null 2>&1; then #{sudo("dnf")} install -y \"#{remote}\""
+              pm_lines << "      elif command -v yum >/dev/null 2>&1; then #{sudo("yum")} install -y \"#{remote}\""
+              pm_lines << "      else #{sudo("rpm")} -Uvh \"#{remote}\""
+              pm_lines << "      fi"
+            when "deb"
+              pm_lines << "    #{keyword} command -v dpkg >/dev/null 2>&1; then"
+              pm_lines << "      #{sudo("dpkg")} -i \"#{remote}\" || #{sudo("apt-get")} install -fy"
+            when "msi"
+              pm_lines << "    #{keyword} command -v msiexec >/dev/null 2>&1; then"
+              pm_lines << "      msiexec /qn /i \"#{remote}\""
+            end
+          end
+          unless pm_lines.empty?
+            pm_lines << "    else"
+            pm_lines << "      echo \"ERROR: no supported package manager found\" >&2"
+            pm_lines << "      exit 1"
+            pm_lines << "    fi"
+          end
+          case_lines << "  #{arch})\n#{pm_lines.join("\n")}\n    ;;"
+        end
+
+        script << <<~SH
+          case "$arch" in
+          #{case_lines.join("\n")}
+            *)
+              echo "ERROR: no chef-ice package for architecture $arch" >&2
+              exit 1
+              ;;
+          esac
+        SH
+
+        script.join("\n")
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,62 @@
+--- !ruby/object:Gem::Specification
+name: kitchen-provisioner-ice-temp
+version: !ruby/object:Gem::Version
+  version: 0.0.0
+platform: ruby
+authors:
+- Richard Nixon
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2026-03-30 00:00:00.000000000 Z
+dependencies: []
+description: A temporary stopgap Test Kitchen provisioner for chef-ice (chef-client
+  19+). Uninstall this gem once Chef Workstation ships with native chef-ice provisioning
+  built in. See README.md for removal instructions.
+email:
+- richard.nixon@btinternet.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/kitchen/provisioner/chef_ice.rb
+- lib/kitchen/provisioner/chef_ice/version.rb
+homepage: https://github.com/trickyearlobe-chef/kitchen-provisioner-ice-temp
+licenses:
+- Apache-2.0
+metadata:
+  rubygems_mfa_required: 'true'
+  source_code_uri: https://github.com/trickyearlobe-chef/kitchen-provisioner-ice-temp
+  bug_tracker_uri: https://github.com/trickyearlobe-chef/kitchen-provisioner-ice-temp/issues
+post_install_message: |
+  ┌──────────────────────────────────────────────────────────────────┐
+  │ kitchen-provisioner-ice-temp is a TEMPORARY stopgap gem.         │
+  │                                                                  │
+  │ Once Chef Workstation ships with native chef-ice support,        │
+  │ uninstall this gem and switch to the built-in provisioner:       │
+  │                                                                  │
+  │   chef exec gem uninstall kitchen-provisioner-ice-temp           │
+  │                                                                  │
+  │ See README.md for full migration instructions.                   │
+  └──────────────────────────────────────────────────────────────────┘
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.1'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.22
+signing_key:
+specification_version: 4
+summary: TEMPORARY Test Kitchen provisioner for Chef ICE (Chef Infra Client 19+)
+test_files: []