omnibus 6.1.9 → 7.0.12

data/lib/omnibus/s3_helpers.rb

@@ -53,10 +53,7 @@ module Omnibus
       # @return [Aws::S3::Resource]
       #
       def client
-        Aws.config.update(
-          region: s3_configuration[:region],
-          credentials: get_credentials
-        )
+        Aws.config.update(region: s3_configuration[:region])
 
         @s3_client ||= Aws::S3::Resource.new(resource_params)
       end
@@ -70,6 +67,7 @@ module Omnibus
         params = {
           use_accelerate_endpoint: s3_configuration[:use_accelerate_endpoint],
           force_path_style: s3_configuration[:force_path_style],
+          credentials: get_credentials,
         }
 
         if s3_configuration[:use_accelerate_endpoint]
@@ -84,12 +82,14 @@ module Omnibus
       end
 
       #
-      # Create credentials object based on credential profile or access key
+      # Create credentials object based on AWS IAM role arn, credential profile or access key
       # parameters for use by the client object.
       #
       # @return [Aws::SharedCredentials, Aws::Credentials]
       def get_credentials
-        if s3_configuration[:profile]
+        if s3_configuration[:iam_role_arn]
+          Aws::AssumeRoleCredentials.new(role_arn: s3_configuration[:iam_role_arn], role_session_name: "omnibus-assume-role-s3-access")
+        elsif s3_configuration[:profile]
           Aws::SharedCredentials.new(profile_name: s3_configuration[:profile])
         elsif s3_configuration[:access_key_id] && s3_configuration[:secret_access_key]
           Aws::Credentials.new(s3_configuration[:access_key_id], s3_configuration[:secret_access_key])

data/lib/omnibus/software.rb

@@ -205,6 +205,46 @@ module Omnibus
     end
     expose :maintainer
 
+    #
+    # Sets the bin_dirs where this software installs bins.
+    #
+    # @example
+    #   bin_dirs ['/opt/chef-workstation/bin']
+    #
+    # @param [Array<String>] val
+    #   the bin_dirs of the software
+    #
+    # @return [Array<String>]
+    #
+    def bin_dirs(val = NULL)
+      if null?(val)
+        @bin_dirs || [windows_safe_path("#{install_dir}/bin"), windows_safe_path("#{install_dir}/embedded/bin")]
+      else
+        @bin_dirs = val
+      end
+    end
+    expose :bin_dirs
+
+    #
+    # Sets the lib_dirs where this software installs libs.
+    #
+    # @example
+    #   lib_dirs ['/opt/chef-workstation/bin']
+    #
+    # @param [Array<String>] val
+    #   the lib_dirs of the software
+    #
+    # @return [Array<String>]
+    #
+    def lib_dirs(val = NULL)
+      if null?(val)
+        @lib_dirs || [windows_safe_path("#{install_dir}/embedded/lib")]
+      else
+        @lib_dirs = val
+      end
+    end
+    expose :lib_dirs
+
     #
     # Add a software dependency to this software.
     #
@@ -668,33 +708,22 @@ module Omnibus
             "ARFLAGS" => "-X64 cru",
           }
         when "solaris2"
-          if platform_version.satisfies?("<= 5.10")
-            solaris_flags = {
-              # this override is due to a bug in libtool documented here:
-              # http://lists.gnu.org/archive/html/bug-libtool/2005-10/msg00004.html
-              "CC" => "gcc -static-libgcc",
-              "LDFLAGS" => "-R#{install_dir}/embedded/lib -L#{install_dir}/embedded/lib -static-libgcc",
-              "CFLAGS" => "-I#{install_dir}/embedded/include -O2",
-            }
-          elsif platform_version.satisfies?(">= 5.11")
-            solaris_flags = {
-              "CC" => "gcc -m64 -static-libgcc",
-              "LDFLAGS" => "-Wl,-rpath,#{install_dir}/embedded/lib -L#{install_dir}/embedded/lib -static-libgcc",
-              "CFLAGS" => "-I#{install_dir}/embedded/include -O2",
-            }
-          end
-          solaris_flags
+          {
+            "CC" => "gcc -m64 -static-libgcc",
+            "LDFLAGS" => "-Wl,-rpath,#{install_dir}/embedded/lib -L#{install_dir}/embedded/lib -static-libgcc",
+            "CFLAGS" => "-I#{install_dir}/embedded/include -O2",
+          }
         when "freebsd"
           {
             "CC" => "clang",
             "CXX" => "clang++",
             "LDFLAGS" => "-L#{install_dir}/embedded/lib",
-            "CFLAGS" => "-I#{install_dir}/embedded/include -O2",
+            "CFLAGS" => "-I#{install_dir}/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
           }
         when "suse"
           suse_flags = {
             "LDFLAGS" => "-Wl,-rpath,#{install_dir}/embedded/lib -L#{install_dir}/embedded/lib",
-            "CFLAGS" => "-I#{install_dir}/embedded/include -O2",
+            "CFLAGS" => "-I#{install_dir}/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
           }
           # Enable gcc version 4.8 if it is available
           if which("gcc-4.8") && platform_version.satisfies?("< 12")
@@ -721,7 +750,7 @@ module Omnibus
         else
           {
             "LDFLAGS" => "-Wl,-rpath,#{install_dir}/embedded/lib -L#{install_dir}/embedded/lib",
-            "CFLAGS" => "-I#{install_dir}/embedded/include -O2",
+            "CFLAGS" => "-I#{install_dir}/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
           }
         end
 
@@ -1075,8 +1104,8 @@ module Omnibus
           log.info(log_key) do
             "Forcing a build because resolved version is nil"
           end
-          execute_build
-          project.dirty!(self)
+          execute_build(build_wrappers)
+          project.dirty!(self) unless project.dirty? # omnibus can only be mildly dirty
         elsif project.dirty?
           log.info(log_key) do
             "Building because `#{project.culprit.name}' dirtied the cache"

data/lib/omnibus/version.rb

@@ -15,5 +15,5 @@
 #
 
 module Omnibus
-  VERSION = "6.1.9".freeze
+  VERSION = "7.0.12".freeze
 end

data/lib/omnibus/whitelist.rb

@@ -1,5 +1,5 @@
 
-# Copyright 2012-2018 Chef Software, Inc.
+# Copyright 2012-2020, Chef Software Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 WHITELIST_LIBS = [
     /ld-linux/,
+    /libanl\.so/,
     /libc\.so/,
     /libcrypt\.so/,
     /libdl/,
@@ -33,6 +34,7 @@ WHITELIST_LIBS = [
   ].freeze
 
 ARCH_WHITELIST_LIBS = [
+  /libanl\.so/,
   /libc\.so/,
   /libcrypt\.so/,
   /libdb-5\.3\.so/,

data/omnibus.gemspec

@@ -22,13 +22,14 @@ Gem::Specification.new do |gem|
   gem.require_paths = ["lib"]
 
   gem.add_dependency "aws-sdk-s3",       "~> 1"
-  gem.add_dependency "chef-sugar-ng",    ">= 3.3"
+  gem.add_dependency "chef-sugar",       ">= 3.3"
   gem.add_dependency "chef-cleanroom",   "~> 1.0"
+  gem.add_dependency "ffi",              "< 1.13" # 1.13 does not work on Windows: https://github.com/ffi/ffi/issues/784
   gem.add_dependency "ffi-yajl",         "~> 2.2"
   gem.add_dependency "mixlib-shellout",  ">= 2.0", "< 4.0"
-  gem.add_dependency "ohai",             ">= 13", "< 16"
+  gem.add_dependency "ohai",             ">= 13", "< 17"
   gem.add_dependency "ruby-progressbar", "~> 1.7"
-  gem.add_dependency "thor",             "~> 0.18"
+  gem.add_dependency "thor",             ">= 0.18", "< 2.0"
   gem.add_dependency "license_scout",    "~> 1.0"
 
   gem.add_dependency "mixlib-versioning"
@@ -36,7 +37,7 @@ Gem::Specification.new do |gem|
 
   gem.add_development_dependency "artifactory", "~> 3.0"
   gem.add_development_dependency "aruba",       "~> 0.5"
-  gem.add_development_dependency "chefstyle",   "= 0.13.3"
+  gem.add_development_dependency "chefstyle",   "= 1.1.0"
   gem.add_development_dependency "fauxhai",     ">= 5.2"
   gem.add_development_dependency "rspec",       "~> 3.0"
   gem.add_development_dependency "rspec-json_expectations"

data/resources/rpm/signing.erb

@@ -11,25 +11,22 @@ require 'pty'
 
 puts rpm_cmd
 PTY.spawn(rpm_cmd) do |r, w, pid|
+  # Older versions of rpmsign will prompt right away for the passphrase
   prompt = r.read(19)
 
-  # match the expected prompt exactly, since that's the only way we know if
-  # something went wrong.
-  unless prompt == 'Enter pass phrase: '
-    STDERR.puts "unexpected output from `#{rpm_cmd}`: '#{prompt}'"
-    Process.kill(:KILL, pid)
-    exit 1
+  if prompt == 'Enter pass phrase: '
+    STDOUT.puts prompt
+    w.write("#{password}\n")
   end
 
-  STDOUT.puts prompt
-  w.write("#{password}\n")
-
   # Keep printing output unti the command exits
   loop do
     begin
       line = r.gets
       puts line
-      if (line =~ /failed/) && !(line =~ /warning:/)
+      if line =~ /Please enter the passphrase to unlock the OpenPGP secret key:/
+        w.write("#{password}\n")
+      elsif (line =~ /failed/) && !(line =~ /warning:/)
         STDERR.puts 'RPM signing failure'
         exit 1
       end

data/spec/unit/packagers/pkg_spec.rb

@@ -109,6 +109,158 @@ module Omnibus
       end
     end
 
+    describe "#sign_software_libs_and_bins" do
+      context "when pkg signing is disabled" do
+        it "does not sign anything" do
+          expect(subject).not_to receive(:sign_binary)
+          expect(subject).not_to receive(:sign_library)
+          subject.sign_software_libs_and_bins
+        end
+
+        it "returns an empty set" do
+          expect(subject.sign_software_libs_and_bins).to be_nil
+        end
+      end
+
+      context "when pkg signing is enabled" do
+        before do
+          subject.signing_identity("My Special Identity")
+        end
+
+        context "without software" do
+          it "does not sign anything" do
+            expect(subject).not_to receive(:sign_binary)
+            expect(subject).not_to receive(:sign_library)
+            subject.sign_software_libs_and_bins
+          end
+
+          it "returns an empty set" do
+            expect(subject.sign_software_libs_and_bins).to eq(Set.new)
+          end
+        end
+
+        context "project with software" do
+          let(:software) do
+            Software.new(project).tap do |software|
+              software.name("software-full-name")
+            end
+          end
+
+          before do
+            allow(project).to receive(:softwares).and_return([software])
+          end
+
+          context "with empty bin_dirs and lib_dirs" do
+            before do
+              allow(software).to receive(:lib_dirs).and_return([])
+              allow(software).to receive(:bin_dirs).and_return([])
+            end
+
+            it "does not sign anything" do
+              expect(subject).not_to receive(:sign_binary)
+              expect(subject).not_to receive(:sign_library)
+              subject.sign_software_libs_and_bins
+            end
+
+            it "returns an empty set" do
+              expect(subject.sign_software_libs_and_bins).to eq(Set.new)
+            end
+          end
+
+          context "with default bin_dirs and lib_dirs" do
+            context "with binaries" do
+              let(:bin) { "/opt/#{project.name}/bin/test_bin" }
+              let(:embedded_bin) { "/opt/#{project.name}/embedded/bin/test_bin" }
+              before do
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/bin/*").and_return([bin])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/bin/*").and_return([embedded_bin])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/lib/*").and_return([])
+                allow(subject).to receive(:is_binary?).with(bin).and_return(true)
+                allow(subject).to receive(:is_binary?).with(embedded_bin).and_return(true)
+                allow(subject).to receive(:find_linked_libs).with(bin).and_return([])
+                allow(subject).to receive(:find_linked_libs).with(embedded_bin).and_return([])
+                allow(subject).to receive(:sign_binary).with(bin, true)
+                allow(subject).to receive(:sign_binary).with(embedded_bin, true)
+              end
+
+              it "signs the binaries" do
+                expect(subject).to receive(:sign_binary).with(bin, true)
+                expect(subject).to receive(:sign_binary).with(embedded_bin, true)
+                subject.sign_software_libs_and_bins
+              end
+
+              it "returns a set with the signed binaries" do
+                expect(subject.sign_software_libs_and_bins).to eq(Set.new [bin, embedded_bin])
+              end
+            end
+
+            context "with library" do
+              let(:lib) { "/opt/#{project.name}/embedded/lib/test_lib" }
+              before do
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/bin/*").and_return([])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/bin/*").and_return([])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/lib/*").and_return([lib])
+                allow(subject).to receive(:is_macho?).with(lib).and_return(true)
+                allow(subject).to receive(:find_linked_libs).with(lib).and_return([])
+                allow(subject).to receive(:sign_library).with(lib)
+              end
+
+              it "signs the library" do
+                expect(subject).to receive(:sign_library).with(lib)
+                subject.sign_software_libs_and_bins
+              end
+            end
+
+            context "with binaries and libraries with linked libs" do
+              let(:bin) { "/opt/#{project.name}/bin/test_bin" }
+              let(:bin2) { "/opt/#{project.name}/bin/test_bin2" }
+              let(:embedded_bin) { "/opt/#{project.name}/embedded/bin/test_bin" }
+              let(:lib) { "/opt/#{project.name}/embedded/lib/test_lib" }
+              let(:lib2) { "/opt/#{project.name}/embedded/lib/test_lib2" }
+              before do
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/bin/*").and_return([bin, bin2])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/bin/*").and_return([embedded_bin])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/lib/*").and_return([lib])
+                allow(subject).to receive(:is_binary?).with(bin).and_return(true)
+                allow(subject).to receive(:is_binary?).with(bin2).and_return(true)
+                allow(subject).to receive(:is_binary?).with(embedded_bin).and_return(true)
+                allow(subject).to receive(:is_macho?).with(lib).and_return(true)
+                allow(subject).to receive(:is_macho?).with(lib2).and_return(true)
+                allow(subject).to receive(:find_linked_libs).with(bin).and_return([lib2])
+                allow(subject).to receive(:find_linked_libs).with(bin2).and_return([])
+                allow(subject).to receive(:find_linked_libs).with(embedded_bin).and_return([])
+                allow(subject).to receive(:find_linked_libs).with(lib).and_return([])
+                allow(subject).to receive(:find_linked_libs).with(lib2).and_return([])
+                allow(subject).to receive(:sign_binary).with(bin, true)
+                allow(subject).to receive(:sign_binary).with(bin2, true)
+                allow(subject).to receive(:sign_binary).with(embedded_bin, true)
+                allow(subject).to receive(:sign_library).with(lib)
+                allow(subject).to receive(:sign_library).with(lib2)
+                allow(Digest::SHA256).to receive(:file).with(bin).and_return(Digest::SHA256.new.update(bin))
+                allow(Digest::SHA256).to receive(:file).with(bin2).and_return(Digest::SHA256.new.update(bin2))
+                allow(Digest::SHA256).to receive(:file).with(embedded_bin).and_return(Digest::SHA256.new.update(embedded_bin))
+                allow(Digest::SHA256).to receive(:file).with(lib).and_return(Digest::SHA256.new.update(lib))
+                allow(Digest::SHA256).to receive(:file).with(lib2).and_return(Digest::SHA256.new.update(lib2))
+              end
+
+              it "signs the binaries" do
+                expect(subject).to receive(:sign_binary).with(bin, true)
+                expect(subject).to receive(:sign_binary).with(bin2, true)
+                expect(subject).to receive(:sign_binary).with(embedded_bin, true)
+                subject.sign_software_libs_and_bins
+              end
+
+              it "signs the libraries" do
+                expect(subject).to receive(:sign_library).with(lib)
+                expect(subject).to receive(:sign_library).with(lib2)
+                subject.sign_software_libs_and_bins
+              end
+            end
+          end
+        end
+      end
+    end
+
     describe "#build_component_pkg" do
       it "executes the pkgbuild command" do
         expect(subject).to receive(:shellout!).with <<-EOH.gsub(/^ {10}/, "")
@@ -118,6 +270,7 @@ module Omnibus
             --scripts "#{staging_dir}/Scripts" \\
             --root "/opt/project-full-name" \\
             --install-location "/opt/project-full-name" \\
+            --preserve-xattr \\
             "project-full-name-core.pkg"
         EOH
 
@@ -267,5 +420,206 @@ module Omnibus
         end
       end
     end
+
+    describe "#find_linked_libs" do
+      context "with linked libs" do
+        let(:file) { "/opt/#{project.name}/embedded/bin/test_bin" }
+        let(:stdout) do
+          <<~EOH
+            /opt/#{project.name}/embedded/bin/test_bin:
+                      /opt/#{project.name}/embedded/lib/lib.dylib (compatibility version 7.0.0, current version 7.4.0)
+                      /opt/#{project.name}/embedded/lib/lib.6.dylib (compatibility version 7.0.0, current version 7.4.0)
+                      /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.0.0)
+          EOH
+        end
+        let(:shellout) { Mixlib::ShellOut.new }
+
+        before do
+          allow(shellout).to receive(:run_command)
+          allow(shellout).to receive(:stdout)
+            .and_return(stdout)
+          allow(subject).to receive(:shellout!)
+            .with("otool -L #{file}")
+            .and_return(shellout)
+        end
+
+        it "returns empty array" do
+          expect(subject.find_linked_libs(file)).to eq([
+            "/opt/#{project.name}/embedded/lib/lib.dylib",
+            "/opt/#{project.name}/embedded/lib/lib.6.dylib",
+          ])
+        end
+      end
+
+      context "with only system linked libs" do
+        let(:file) { "/opt/#{project.name}/embedded/lib/lib.dylib" }
+        let(:stdout) do
+          <<~EOH
+            /opt/#{project.name}/embedded/lib/lib.dylib:
+                      /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.0.0)
+          EOH
+        end
+        let(:shellout) { Mixlib::ShellOut.new }
+        before do
+          allow(shellout).to receive(:run_command)
+          allow(shellout).to receive(:stdout)
+            .and_return(stdout)
+          allow(subject).to receive(:shellout!)
+            .with("otool -L #{file}")
+            .and_return(shellout)
+        end
+
+        it "returns empty array" do
+          expect(subject.find_linked_libs(file)).to eq([])
+        end
+      end
+
+      context "file is just a file" do
+        let(:file) { "/opt/#{project.name}/embedded/lib/file.rb" }
+        let(:shellout) { Mixlib::ShellOut.new }
+        before do
+          allow(shellout).to receive(:run_command)
+          allow(shellout).to receive(:stdout)
+            .and_return("#{file}: is not an object file")
+          allow(subject).to receive(:shellout!)
+            .with("otool -L #{file}")
+            .and_return(shellout)
+        end
+
+        it "returns empty array" do
+          expect(subject.find_linked_libs(file)).to eq([])
+        end
+      end
+    end
+
+    describe "#is_binary?" do
+      context "when is a file, executable, and not a symlink" do
+        before do
+          allow(File).to receive(:file?).with("file").and_return(true)
+          allow(File).to receive(:executable?).with("file").and_return(true)
+          allow(File).to receive(:symlink?).with("file").and_return(false)
+        end
+
+        it "returns true" do
+          expect(subject.is_binary?("file")).to be true
+        end
+      end
+
+      context "when not a file" do
+        before do
+          allow(File).to receive(:file?).with("file").and_return(false)
+          allow(File).to receive(:executable?).with("file").and_return(true)
+          allow(File).to receive(:symlink?).with("file").and_return(false)
+        end
+
+        it "returns false" do
+          expect(subject.is_binary?("file")).to be false
+        end
+      end
+
+      context "when not an executable" do
+        it "returns false" do
+          allow(File).to receive(:file?).with("file").and_return(true)
+          allow(File).to receive(:executable?).with("file").and_return(false)
+          allow(File).to receive(:symlink?).with("file").and_return(false)
+          expect(subject.is_binary?("file")).to be false
+        end
+      end
+
+      context "when is symlink" do
+        it "returns false" do
+          allow(File).to receive(:file?).with("file").and_return(true)
+          allow(File).to receive(:executable?).with("file").and_return(true)
+          allow(File).to receive(:symlink?).with("file").and_return(true)
+          expect(subject.is_binary?("file")).to be false
+        end
+      end
+    end
+
+    describe "#is_macho?" do
+      let(:shellout) { Mixlib::ShellOut.new }
+
+      context "when is a Mach-O library" do
+        before do
+          allow(subject).to receive(:is_binary?).with("file").and_return(true)
+          expect(subject).to receive(:shellout!).with("file file").and_return(shellout)
+          allow(shellout).to receive(:stdout)
+            .and_return("file: Mach-O 64-bit dynamically linked shared library x86_64")
+        end
+
+        it "returns true" do
+          expect(subject.is_macho?("file")).to be true
+        end
+      end
+
+      context "when is a Mach-O Bundle" do
+        before do
+          allow(subject).to receive(:is_binary?).with("file").and_return(true)
+          expect(subject).to receive(:shellout!).with("file file").and_return(shellout)
+          allow(shellout).to receive(:stdout)
+            .and_return("file: Mach-O 64-bit bundle x86_64")
+        end
+
+        it "returns true" do
+          expect(subject.is_macho?("file")).to be true
+        end
+      end
+
+      context "when is not a Mach-O Bundle or Mach-O library" do
+        before do
+          allow(subject).to receive(:is_binary?).with("file").and_return(true)
+          expect(subject).to receive(:shellout!).with("file file").and_return(shellout)
+          allow(shellout).to receive(:stdout)
+            .and_return("file: ASCII text")
+        end
+
+        it "returns true" do
+          expect(subject.is_macho?("file")).to be false
+        end
+      end
+    end
+
+    describe "#sign_library" do
+      before do
+        subject.signing_identity("My Special Identity")
+      end
+
+      it "calls sign_binary without hardened runtime" do
+        expect(subject).to receive(:sign_binary).with("file")
+        subject.sign_library("file")
+      end
+    end
+
+    describe "#sign_binary" do
+      before do
+        subject.signing_identity("My Special Identity")
+      end
+
+      it "it signs the binary without hardened runtime" do
+        expect(subject).to receive(:shellout!)
+          .with("codesign -s '#{subject.signing_identity}' 'file' --force\n")
+        subject.sign_binary("file")
+      end
+
+      context "with hardened runtime" do
+        it "it signs the binary with hardened runtime" do
+          expect(subject).to receive(:shellout!)
+            .with("codesign -s '#{subject.signing_identity}' 'file' --options=runtime --force\n")
+          subject.sign_binary("file", true)
+        end
+
+        context "with entitlements" do
+          let(:entitlements_file) { File.join(tmp_path, "project-full-name/resources/project-full-name/pkg/entitlements.plist") }
+
+          it "it signs the binary with the entitlements" do
+            allow(subject).to receive(:resource_path).with("entitlements.plist").and_return(entitlements_file)
+            allow(File).to receive(:exist?).with(entitlements_file).and_return(true)
+            expect(subject).to receive(:shellout!)
+              .with("codesign -s '#{subject.signing_identity}' 'file' --options=runtime --entitlements #{entitlements_file} --force\n")
+            subject.sign_binary("file", true)
+          end
+        end
+      end
+    end
   end
 end