author | Tim Smith <tsmith@chef.io> | 2021-09-09 13:15:34 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-09-09 13:15:34 -0700 |
commit | 60b2d767c2da0f30bb98ccb3335e091e1deb420e (patch) | |
tree | e004a7592983eebafbd1304a8f55a51942cb81fa | |
parent | 1bf40f8e5ffaab4213c49d60a46fc7a5bfabdd10 (diff) | |
parent | aa008fc4d173049eb299e54d28a244467d863bd0 (diff) | |
Merge branch 'main' into feature/s3-recipe-url
-rw-r--r-- | CHANGELOG.md | 13 | ||||
-rw-r--r-- | Gemfile.lock | 28 | ||||
-rw-r--r-- | VERSION | 2 | ||||
-rw-r--r-- | chef-bin/lib/chef-bin/version.rb | 2 | ||||
-rw-r--r-- | chef-config/lib/chef-config/version.rb | 2 | ||||
-rw-r--r-- | chef-utils/lib/chef-utils/version.rb | 2 | ||||
-rw-r--r-- | knife/lib/chef/knife/version.rb | 2 | ||||
-rw-r--r-- | lib/chef/resource/chef_client_scheduled_task.rb | 5 | ||||
-rw-r--r-- | lib/chef/resource/user_ulimit.rb | 1 | ||||
-rw-r--r-- | lib/chef/secret_fetcher.rb | 7 | ||||
-rw-r--r-- | lib/chef/secret_fetcher/akeyless_vault.rb | 57 | ||||
-rw-r--r-- | lib/chef/secret_fetcher/hashi_vault.rb | 54 | ||||
-rw-r--r-- | lib/chef/version.rb | 2 | ||||
-rw-r--r-- | omnibus/Gemfile.lock | 32 | ||||
-rw-r--r-- | spec/functional/resource/group_spec.rb | 6 | ||||
-rw-r--r-- | spec/functional/resource/link_spec.rb | 8 | ||||
-rw-r--r-- | spec/unit/resource/chef_client_scheduled_task_spec.rb | 14 | ||||
-rw-r--r-- | spec/unit/resource/user_ulimit_spec.rb | 15 | ||||
-rw-r--r-- | spec/unit/secret_fetcher/akeyless_vault_spec.rb | 37 | ||||
-rw-r--r-- | spec/unit/secret_fetcher/hashi_vault_spec.rb | 57 |
20 files changed, 279 insertions, 67 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index aef2a76797..e58826c279 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,17 +1,24 @@ <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ --> This changelog lists individual merged pull requests to Chef Infra Client and geared towards developers. For a list of significant changes per release see the [Chef Infra Client Release Notes](https://docs.chef.io/release_notes_client/). -<!-- latest_release 17.4.47 --> -## [v17.4.47](https://github.com/chef/chef/tree/v17.4.47) (2021-09-02) +<!-- latest_release 17.5.1 --> +## [v17.5.1](https://github.com/chef/chef/tree/v17.5.1) (2021-09-09) #### Merged Pull Requests -- Disable x25519 until we fix RHEL 7 failures [#11993](https://github.com/chef/chef/pull/11993) ([tas50](https://github.com/tas50)) +- Add AKeyless Vault support [#12012](https://github.com/chef/chef/pull/12012) ([marcparadise](https://github.com/marcparadise)) <!-- latest_release --> <!-- release_rollup since=17.4.38 --> ### Changes not yet released to stable #### Merged Pull Requests +- Add AKeyless Vault support [#12012](https://github.com/chef/chef/pull/12012) ([marcparadise](https://github.com/marcparadise)) <!-- 17.5.1 --> +- Update all deps to the latest [#12009](https://github.com/chef/chef/pull/12009) ([tas50](https://github.com/tas50)) <!-- 17.5.0 --> +- Update HashiCorp Vault fetcher to support token auth [#12008](https://github.com/chef/chef/pull/12008) ([marcparadise](https://github.com/marcparadise)) <!-- 17.4.52 --> +- Bump chef-zero to 15.0.9 [#12005](https://github.com/chef/chef/pull/12005) ([chef-expeditor[bot]](https://github.com/chef-expeditor[bot])) <!-- 17.4.51 --> +- Fix tests for new omnibus test systems [#12004](https://github.com/chef/chef/pull/12004) ([jeremiahsnapp](https://github.com/jeremiahsnapp)) <!-- 17.4.50 --> +- Bump chef-vault to 4.1.3 [#12002](https://github.com/chef/chef/pull/12002) ([chef-expeditor[bot]](https://github.com/chef-expeditor[bot])) <!-- 17.4.49 --> +- ulimit: Fix sensitive property [#12000](https://github.com/chef/chef/pull/12000) 
([ashwin-msys](https://github.com/ashwin-msys)) <!-- 17.4.48 --> - Disable x25519 until we fix RHEL 7 failures [#11993](https://github.com/chef/chef/pull/11993) ([tas50](https://github.com/tas50)) <!-- 17.4.47 --> - Bump inspec-core-bin to 4.41.20 [#11991](https://github.com/chef/chef/pull/11991) ([chef-expeditor[bot]](https://github.com/chef-expeditor[bot])) <!-- 17.4.46 --> - windows_user_privilege.rb : fixed exception: privilege is a required property, even when it was set [#11914](https://github.com/chef/chef/pull/11914) ([snehaldwivedi](https://github.com/snehaldwivedi)) <!-- 17.4.45 --> diff --git a/Gemfile.lock b/Gemfile.lock index 5b10baef1c..d90adfcd75 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -35,12 +35,12 @@ GIT PATH remote: . specs: - chef (17.4.47) + chef (17.5.1) addressable aws-sdk-s3 (~> 1.91) aws-sdk-secretsmanager (~> 1.46) - chef-config (= 17.4.47) - chef-utils (= 17.4.47) + chef-config (= 17.5.1) + chef-utils (= 17.5.1) chef-vault chef-zero (>= 14.0.11) diff-lcs (>= 1.2.4, < 1.4.0) @@ -65,12 +65,12 @@ PATH train-winrm (>= 0.2.5) uuidtools (>= 2.1.5, < 3.0) vault (~> 0.16) - chef (17.4.47-universal-mingw32) + chef (17.5.1-universal-mingw32) addressable aws-sdk-s3 (~> 1.91) aws-sdk-secretsmanager (~> 1.46) - chef-config (= 17.4.47) - chef-utils (= 17.4.47) + chef-config (= 17.5.1) + chef-utils (= 17.5.1) chef-vault chef-zero (>= 14.0.11) diff-lcs (>= 1.2.4, < 1.4.0) @@ -110,15 +110,15 @@ PATH PATH remote: chef-bin specs: - chef-bin (17.4.47) - chef (= 17.4.47) + chef-bin (17.5.1) + chef (= 17.5.1) PATH remote: chef-config specs: - chef-config (17.4.47) + chef-config (17.5.1) addressable - chef-utils (= 17.4.47) + chef-utils (= 17.5.1) fuzzyurl mixlib-config (>= 2.2.12, < 4.0) mixlib-shellout (>= 2.0, < 4.0) @@ -127,7 +127,7 @@ PATH PATH remote: chef-utils specs: - chef-utils (17.4.47) + chef-utils (17.5.1) concurrent-ruby GEM 
@@ -140,7 +140,7 @@ GEM mixlib-shellout (>= 2.0, < 4.0) ast (2.4.2) aws-eventstream (1.2.0) - aws-partitions (1.496.0) + aws-partitions (1.498.0) aws-sdk-core (3.121.0) aws-eventstream (~> 1, >= 1.0.2) aws-partitions (~> 1, >= 1.239.0) @@ -165,8 +165,8 @@ GEM chef-telemetry (1.1.1) chef-config concurrent-ruby (~> 1.0) - chef-vault (4.1.0) - chef-zero (15.0.7) + chef-vault (4.1.3) + chef-zero (15.0.9) ffi-yajl (~> 2.2) hashie (>= 2.0, < 5.0) mixlib-log (>= 2.0, < 4.0) @@ -1 +1 @@ -17.4.47
\ No newline at end of file +17.5.1
\ No newline at end of file diff --git a/chef-bin/lib/chef-bin/version.rb b/chef-bin/lib/chef-bin/version.rb index 588a7b65d7..92f3b6891d 100644 --- a/chef-bin/lib/chef-bin/version.rb +++ b/chef-bin/lib/chef-bin/version.rb @@ -21,7 +21,7 @@ module ChefBin CHEFBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "17.4.47".freeze + VERSION = "17.5.1".freeze end # diff --git a/chef-config/lib/chef-config/version.rb b/chef-config/lib/chef-config/version.rb index 27fc55b166..844de1f871 100644 --- a/chef-config/lib/chef-config/version.rb +++ b/chef-config/lib/chef-config/version.rb @@ -15,5 +15,5 @@ module ChefConfig CHEFCONFIG_ROOT = File.expand_path("..", __dir__) - VERSION = "17.4.47".freeze + VERSION = "17.5.1".freeze end diff --git a/chef-utils/lib/chef-utils/version.rb b/chef-utils/lib/chef-utils/version.rb index e19c67066f..4bad38f029 100644 --- a/chef-utils/lib/chef-utils/version.rb +++ b/chef-utils/lib/chef-utils/version.rb @@ -16,5 +16,5 @@ module ChefUtils CHEFUTILS_ROOT = File.expand_path("..", __dir__) - VERSION = "17.4.47" + VERSION = "17.5.1" end diff --git a/knife/lib/chef/knife/version.rb b/knife/lib/chef/knife/version.rb index 10e4085698..bd1ee78d4e 100644 --- a/knife/lib/chef/knife/version.rb +++ b/knife/lib/chef/knife/version.rb @@ -17,7 +17,7 @@ class Chef class Knife KNIFE_ROOT = File.expand_path("../..", __dir__) - VERSION = "17.4.47".freeze + VERSION = "17.5.1".freeze end end diff --git a/lib/chef/resource/chef_client_scheduled_task.rb b/lib/chef/resource/chef_client_scheduled_task.rb index 6f88460d73..8b251b2441 100644 --- a/lib/chef/resource/chef_client_scheduled_task.rb +++ b/lib/chef/resource/chef_client_scheduled_task.rb 
@@ -129,6 +129,10 @@ class Chef
 description: "An array of options to pass to the #{ChefUtils::Dist::Infra::CLIENT} command.",
 default: []
+ property :priority, Integer,
+ description: "Use to set Priority Levels range from 0 to 10.",
+ default: 7, callbacks: { "should be in range of 0 to 10" => proc { |v| v >= 0 && v <= 10 } }
+
 action :add, description: "Add a Windows Scheduled Task that runs #{ChefUtils::Dist::Infra::PRODUCT}." do
 # TODO: Replace this with a :create_if_missing action on directory when that exists
 unless Dir.exist?(new_resource.log_directory)
@@ -153,6 +157,7 @@ class Chef
 start_day new_resource.start_date unless new_resource.start_date.nil?
 random_delay new_resource.splay if frequency_supports_random_delay?
 disallow_start_if_on_batteries new_resource.splay unless new_resource.run_on_battery
+ priority new_resource.priority
 action %i{create enable}
 end
 end
diff --git a/lib/chef/resource/user_ulimit.rb b/lib/chef/resource/user_ulimit.rb
index 55331dfc1c..594b585dbf 100644
--- a/lib/chef/resource/user_ulimit.rb
+++ b/lib/chef/resource/user_ulimit.rb
@@ -83,6 +83,7 @@ class Chef
 source ::File.expand_path("support/ulimit.erb", __dir__)
 local true
 mode "0644"
+ sensitive new_resource.sensitive
 variables(
 ulimit_user: new_resource.username,
 filehandle_limit: new_resource.filehandle_limit,
diff --git a/lib/chef/secret_fetcher.rb b/lib/chef/secret_fetcher.rb
index e8e4602bb2..af3e1d5cbb 100644
--- a/lib/chef/secret_fetcher.rb
+++ b/lib/chef/secret_fetcher.rb
@@ -21,7 +21,7 @@ require_relative "exceptions"
 class Chef
 class SecretFetcher
- SECRET_FETCHERS = %i{example aws_secrets_manager azure_key_vault hashi_vault}.freeze
+ SECRET_FETCHERS = %i{example aws_secrets_manager azure_key_vault hashi_vault akeyless_vault}.freeze
 # Returns a configured and validated instance
 # of a [Chef::SecretFetcher::Base] for the given
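Review bot: The new `priority` property's description only restates the accepted range and says nothing about what the numbers mean, yet the second hunk passes the value straight through to `windows_task`'s `priority`, so the resource inherits Task Scheduler's numbering where, as far as I recall, a lower number is a higher priority (0 highest, 10 lowest, 7 the scheduler default) — worth confirming against the windows_task resource and then stating: `description: "The priority level of the scheduled task, from 0 (highest) to 10 (lowest). Windows uses 7 by default."`. The range callback would also read more directly as `callbacks: { "should be in range of 0 to 10" => proc { |v| (0..10).cover?(v) } }`, which is safe here because the `Integer` type on the property appears to reject non-numeric values before the proc runs. The property definition is complete within the hunk; the `action :add` body that consumes it continues outside the second hunk.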
@@ -45,10 +45,13 @@ class Chef
 when :hashi_vault
 require_relative "secret_fetcher/hashi_vault"
 Chef::SecretFetcher::HashiVault.new(config, run_context)
+ when :akeyless_vault
+ require_relative "secret_fetcher/akeyless_vault"
+ Chef::SecretFetcher::AKeylessVault.new(config, run_context)
 when nil, ""
 raise Chef::Exceptions::Secret::MissingFetcher.new(SECRET_FETCHERS)
 else
- raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: #{service}", SECRET_FETCHERS)
+ raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: '#{service}'", SECRET_FETCHERS)
 end
 fetcher.validate!
 fetcher
diff --git a/lib/chef/secret_fetcher/akeyless_vault.rb b/lib/chef/secret_fetcher/akeyless_vault.rb
new file mode 100644
index 0000000000..f80eeba7bc
--- /dev/null
+++ b/lib/chef/secret_fetcher/akeyless_vault.rb
@@ -0,0 +1,57 @@
+#
+# Author:: Marc Paradise (<marc@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "base"
+require_relative "hashi_vault"
+
+class Chef
+ class SecretFetcher
+ # == Chef::SecretFetcher::AKeylessVault
+ # A fetcher that fetches a secret from AKeyless Vault. Initial implementation is
+ # based on HashiVault , because AKeyless provides a compatibility layer that makes this possible.
+ # Future revisions will use native akeyless authentication.
+ #
+ # Required config:
+ # :access_id - the access id of the API key
+ # :access_key - the access key of the API key
+ #
+ #
+ # @example
+ #
+ # fetcher = SecretFetcher.for_service(:akeyless_vault, { access_id: "my-access-id", access_key: "my-access-key" }, run_context )
+ # fetcher.fetch("/secret/data/secretkey1")
+ #
+ AKEYLESS_VAULT_PROXY_ADDR = "https://hvp.akeyless.io".freeze
+ class AKeylessVault < HashiVault
+ def validate!
+ if config[:access_key].nil?
+ raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the secret access key in the configuration as :secret_access_key")
+ end
+ if config[:access_id].nil?
+ raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the access key id in the configuration as :access_key_id")
+ end
+
+ config[:vault_addr] ||= AKEYLESS_VAULT_PROXY_ADDR
+ config[:auth_method] = :token
+ config[:token] = "#{config[:access_id]}..#{config[:access_key]}"
+ super
+ end
+ end
+ end
+end
+
diff --git a/lib/chef/secret_fetcher/hashi_vault.rb b/lib/chef/secret_fetcher/hashi_vault.rb
index be975fc34f..47bf78f5c1 100644
--- a/lib/chef/secret_fetcher/hashi_vault.rb
+++ b/lib/chef/secret_fetcher/hashi_vault.rb
@@ -19,7 +19,6 @@ require_relative "base"
 require "aws-sdk-core" # Support for aws instance profile auth
 require "vault"
-
 class Chef
 class SecretFetcher
 # == Chef::SecretFetcher::HashiVault
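Review bot: The two `ConfigurationInvalid` messages in `validate!` tell the operator to set `:secret_access_key` and `:access_key_id`, but the checks directly above them read `config[:access_key]` and `config[:access_id]`, so a user who follows the error text will fail validation again; the messages should name the keys the code actually reads: `"You must provide the access key in the configuration as :access_key"` and `"You must provide the access id in the configuration as :access_id"`. The class header lists only the two credentials as config, yet `config[:vault_addr] ||= AKEYLESS_VAULT_PROXY_ADDR` means that unless a caller sets `:vault_addr`, the API key and every secret read through the inherited HashiVault path go to the public `hvp.akeyless.io` endpoint, which deserves an explicit optional-config line such as `# :vault_addr - HashiCorp-compatible AKeyless endpoint to use; defaults to the public SaaS proxy AKEYLESS_VAULT_PROXY_ADDR`. Note also that the composed `access_id..access_key` pair is written back into the caller's `config` hash as `:token`, so anything that later inspects or logs that hash would expose the credential; I have not traced whether anything does, but a comment flagging it at the assignment would help the next reader. `validate!` and the class are complete within the hunk.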
@@ -29,32 +28,60 @@ class Chef
 # In this initial iteration the only supported authentication is IAM role-based
 #
 # Required config:
+ # :auth_method - one of :iam_role, :token. default: :iam_role
 # :vault_addr - the address of a running Vault instance, eg https://vault.example.com:8200
- # If not explicitly provided, the environment variable VAULT_ADDR will be used.
- # :role_name - the name of the role in Vault that was created to support authentication
- # via IAM. See the Vault documentation for details[1]. A Terraform example is also available[2]
+ #
+ # For `:token` auth: `:token` - a Vault token valid for authentication.
+ #
+ # For `:iam_role`: `:role_name` - the name of the role in Vault that was created
+ # to support authentication via IAM. See the Vault documentation for details[1].
+ # A Terraform example is also available[2]
+ #
 #
 # [1] https://www.vaultproject.io/docs/auth/aws#recommended-vault-iam-policy
 # [2] https://registry.terraform.io/modules/hashicorp/vault/aws/latest/examples/vault-iam-auth
 # an IAM principal ARN bound to it.
 #
+ # Optional config
+ # :namespace - the namespace under which secrets are kept. Only supported in with Vault Enterprise
+ #
 # @example
 #
 # fetcher = SecretFetcher.for_service(:hashi_vault, { role_name: "testing-role", vault_addr: https://localhost:8200}, run_context )
 # fetcher.fetch("secretkey1")
+ #
+ # @example
+ #
+ # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :token, token: "s.1234abcdef", vault_addr: https://localhost:8200}, run_context )
+ # fetcher.fetch("secretkey1")
+ SUPPORTED_AUTH_TYPES = %i{iam_role token}.freeze
 class HashiVault < Base
+
+ # Validate and authenticate the current session using the configured auth strategy and parameters
 def validate!
- if config[:role_name].nil?
- raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name ")
- end
 if config[:vault_addr].nil?
 raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the Vault address in the configuration as :vault_addr")
 end
- # Note that the token here is cached internal to the Vault implementation.
- Vault.auth.aws_iam(config[:role_name],
- Aws::InstanceProfileCredentials.new,
- config[:vault_addr] || ENV["VAULT_ADDR"])
+ Vault.address = config[:vault_addr]
+ Vault.namespace = config[:namespace] unless config[:namespace].nil?
+
+ case config[:auth_method]
+ when :token
+ if config[:token].nil?
+ raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the token in the configuration as :token")
+ end
+
+ Vault.auth.token(config[:token])
+ when :iam_role, nil
+ if config[:role_name].nil?
+ raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name")
+ end
+
+ Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new)
+ else
+ raise Chef::Exceptions::Secret::ConfigurationInvalid.new("Invalid :auth_method provided. You gave #{config[:auth_method]}, expected one of :#{SUPPORTED_AUTH_TYPES.join(", :")} ")
+ end
 end
 # @param identifier [String] Identifier of the secret to be fetched, which should
@@ -62,7 +89,10 @@ class Chef
 # @param _version [String] not used in this implementation
 # @return [Hash] containing key/value pairs stored at the location given in 'identifier'
 def do_fetch(identifier, _version)
- Vault.logical.read(identifier).data
+ result = Vault.logical.read(identifier)
+ raise Chef::Exceptions::Secret::FetchFailed.new("No secret found at #{identifier}. Check to ensure that there is a secrets engine configured for that path") if result.nil?
+
+ result.data
 end
 end
 end
diff --git a/lib/chef/version.rb b/lib/chef/version.rb
index 16b92c7a8f..18006e4863 100644
--- a/lib/chef/version.rb
+++ b/lib/chef/version.rb
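Review bot: The context line at the top of the hunk, `# In this initial iteration the only supported authentication is IAM role-based`, is now contradicted by the `:auth_method` documentation and the `:token` branch added below it; replace it with `# Supported authentication methods: AWS IAM role (:iam_role, the default) and a Vault token (:token).`, and fix the added `:namespace` line to read `Only supported with Vault Enterprise`. The new `:token` path takes the Vault token straight from the config hash and the second `@example` shows it as a literal inside the recipe, so the doc block should carry a sentence telling readers to source the token from outside the cookbook (environment, encrypted data bag, or another fetcher) rather than committing it. `Vault.address=`, `Vault.namespace=` and `Vault.auth.token` all appear to set state on the process-wide `Vault` module rather than on this instance, so if two fetchers with different addresses or namespaces are configured in one run the later `validate!` wins — probably acceptable today, but worth a one-line note on `validate!` so nobody assumes per-instance isolation. `validate!` is complete within the hunk; the enclosing class continues past it.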
@@ -23,7 +23,7 @@ require_relative "version_string" class Chef CHEF_ROOT = File.expand_path("..", __dir__) - VERSION = Chef::VersionString.new("17.4.47") + VERSION = Chef::VersionString.new("17.5.1") end # diff --git a/omnibus/Gemfile.lock b/omnibus/Gemfile.lock index 4d123b6016..77af15facc 100644 --- a/omnibus/Gemfile.lock +++ b/omnibus/Gemfile.lock @@ -1,6 +1,6 @@ GIT remote: https://github.com/chef/omnibus-software.git - revision: b77420348413fc621ebe150a53f3ed0596faa640 + revision: e0d92a629f91918272b7460addfd4462c539e8a0 branch: main specs: omnibus-software (4.0.0) @@ -32,21 +32,21 @@ GEM public_suffix (>= 2.0.2, < 5.0) artifactory (3.0.15) awesome_print (1.9.2) - aws-eventstream (1.1.1) - aws-partitions (1.492.0) - aws-sdk-core (3.119.1) + aws-eventstream (1.2.0) + aws-partitions (1.498.0) + aws-sdk-core (3.121.0) aws-eventstream (~> 1, >= 1.0.2) aws-partitions (~> 1, >= 1.239.0) aws-sigv4 (~> 1.1) jmespath (~> 1.0) - aws-sdk-kms (1.47.0) - aws-sdk-core (~> 3, >= 3.119.0) + aws-sdk-kms (1.48.0) + aws-sdk-core (~> 3, >= 3.120.0) aws-sigv4 (~> 1.1) - aws-sdk-s3 (1.100.0) - aws-sdk-core (~> 3, >= 3.119.0) + aws-sdk-s3 (1.102.0) + aws-sdk-core (~> 3, >= 3.120.0) aws-sdk-kms (~> 1) - aws-sigv4 (~> 1.1) - aws-sigv4 (1.2.4) + aws-sigv4 (~> 1.4) + aws-sigv4 (1.4.0) aws-eventstream (~> 1, >= 1.0.2) bcrypt_pbkdf (1.1.0) bcrypt_pbkdf (1.1.0-x64-mingw32) @@ -162,8 +162,8 @@ GEM chef-config concurrent-ruby (~> 1.0) chef-utils (16.14.1) - chef-vault (4.1.0) - chef-zero (15.0.7) + chef-vault (4.1.3) + chef-zero (15.0.9) ffi-yajl (~> 2.2) hashie (>= 2.0, < 5.0) mixlib-log (>= 2.0, < 4.0) @@ -194,9 +194,9 @@ GEM faraday-net_http_persistent (1.2.0) faraday_middleware (1.1.0) faraday (~> 1.0) - ffi (1.15.3) - ffi (1.15.3-x64-mingw32) - ffi (1.15.3-x86-mingw32) + ffi (1.15.4) + ffi (1.15.4-x64-mingw32) + ffi (1.15.4-x86-mingw32) ffi-libarchive (1.0.17) ffi (~> 1.0) ffi-win32-extensions (1.0.4) 
@@ -212,7 +212,7 @@ GEM highline (2.0.3) httpclient (2.8.3) iniparse (1.5.0) - inspec-core (4.41.2) + inspec-core (4.41.20) addressable (~> 2.4) chef-telemetry (~> 1.0, >= 1.0.8) faraday (>= 0.9.0, < 1.5) diff --git a/spec/functional/resource/group_spec.rb b/spec/functional/resource/group_spec.rb index 279f8ac8d4..87953455b9 100644 --- a/spec/functional/resource/group_spec.rb +++ b/spec/functional/resource/group_spec.rb @@ -44,6 +44,10 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do members.shift # Get rid of GroupMembership: string members.include?(user) else + # TODO For some reason our temporary AIX 7.2 system does not correctly report group membership immediately after changes have been made. + # Adding a 2 second delay for this platform is enough to get correct results. + # We hope to remove this delay after we get more permanent AIX 7.2 systems in our CI pipeline. reference: https://github.com/chef/release-engineering/issues/1617 + sleep 2 if aix? && (ohai[:platform_version] == "7.2") Etc.getgrnam(group_name).mem.include?(user) end end @@ -181,7 +185,7 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do describe "when the users exist" do before do - high_uid = 30000 + high_uid = 40000 (spec_members).each do |member| remove_user(member) create_user(member, high_uid) diff --git a/spec/functional/resource/link_spec.rb b/spec/functional/resource/link_spec.rb index 734897aaa4..4637896fd7 100644 --- a/spec/functional/resource/link_spec.rb +++ b/spec/functional/resource/link_spec.rb 
@@ -345,9 +345,17 @@ describe Chef::Resource::Link do let(:test_user) { "test-link-user" } before do user(test_user).run_action(:create) + # TODO For some reason our temporary AIX 7.2 system does not correctly report user existence immediately after changes have been made. + # Adding a 2 second delay for this platform is enough to get correct results. + # We hope to remove this delay after we get more permanent AIX 7.2 systems in our CI pipeline. reference: https://github.com/chef/release-engineering/issues/1617 + sleep 2 if aix? && (ohai[:platform_version] == "7.2") end after do user(test_user).run_action(:remove) + # TODO For some reason our temporary AIX 7.2 system does not correctly report user existence immediately after changes have been made. + # Adding a 2 second delay for this platform is enough to get correct results. + # We hope to remove this delay after we get more permanent AIX 7.2 systems in our CI pipeline. reference: https://github.com/chef/release-engineering/issues/1617 + sleep 2 if aix? && (ohai[:platform_version] == "7.2") end before(:each) do resource.owner(test_user) diff --git a/spec/unit/resource/chef_client_scheduled_task_spec.rb b/spec/unit/resource/chef_client_scheduled_task_spec.rb index b3c663cdae..0acc268a10 100644 --- a/spec/unit/resource/chef_client_scheduled_task_spec.rb +++ b/spec/unit/resource/chef_client_scheduled_task_spec.rb 
@@ -73,6 +73,20 @@ describe Chef::Resource::ChefClientScheduledTask do expect(resource.chef_binary_path).to eql("C:/opscode/chef/bin/chef-client") end + context "priority" do + it "default value is 7" do + expect(resource.priority).to eq(7) + end + + it "raise error when priority value less than 0" do + expect { resource.priority(-1) }.to raise_error(Chef::Exceptions::ValidationFailed, "Option priority's value -1 should be in range of 0 to 10!") + end + + it "raise error when priority values is greater than 10" do + expect { resource.priority 11 }.to raise_error(Chef::Exceptions::ValidationFailed, "Option priority's value 11 should be in range of 0 to 10!") + end + end + it "supports :add and :remove actions" do expect { resource.action :add }.not_to raise_error expect { resource.action :remove }.not_to raise_error diff --git a/spec/unit/resource/user_ulimit_spec.rb b/spec/unit/resource/user_ulimit_spec.rb index f451870ac1..7acd9239a5 100644 --- a/spec/unit/resource/user_ulimit_spec.rb +++ b/spec/unit/resource/user_ulimit_spec.rb @@ -17,7 +17,6 @@ # require "spec_helper" - describe Chef::Resource::UserUlimit do let(:node) { Chef::Node.new } let(:events) { Chef::EventDispatch::Dispatcher.new } @@ -50,4 +49,18 @@ describe Chef::Resource::UserUlimit do expect { resource.action :create }.not_to raise_error expect { resource.action :delete }.not_to raise_error end + + describe "sensitive attribute" do + context "should be insensitive by default" do + it { expect(resource.sensitive).to(be_falsey) } + end + + context "when set" do + before { resource.sensitive(true) } + + it "should be set on the resource" do + expect(resource.sensitive).to(be_truthy) + end + end + end end diff --git a/spec/unit/secret_fetcher/akeyless_vault_spec.rb b/spec/unit/secret_fetcher/akeyless_vault_spec.rb new file mode 100644 index 0000000000..f827e99399 --- /dev/null +++ b/spec/unit/secret_fetcher/akeyless_vault_spec.rb 
@@ -0,0 +1,37 @@
+#
+# Author:: Marc Paradise <marc@chef.io>
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../../spec_helper"
+require "chef/secret_fetcher/akeyless_vault"
+
+describe Chef::SecretFetcher::AKeylessVault do
+ let(:node) { {} }
+ let(:run_context) { double("run_context", node: node) }
+
+ context "when validating provided AKeyless Vault configuration" do
+ it "raises ConfigurationInvalid when :secret_access_key is not provided" do
+ fetcher = Chef::SecretFetcher::AKeylessVault.new( { access_id: "provided" }, run_context)
+ expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid, /:secret_access_key/)
+ end
+
+ it "raises ConfigurationInvalid when :access_key_id is not provided" do
+ fetcher = Chef::SecretFetcher::AKeylessVault.new( { access_key: "provided" }, run_context)
+ expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid, /:access_key_id/)
+ end
+ end
+end
diff --git a/spec/unit/secret_fetcher/hashi_vault_spec.rb b/spec/unit/secret_fetcher/hashi_vault_spec.rb
index db93a051e4..e69c397c17 100644
--- a/spec/unit/secret_fetcher/hashi_vault_spec.rb
+++ b/spec/unit/secret_fetcher/hashi_vault_spec.rb
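Review bot: Both examples assert `/:secret_access_key/` and `/:access_key_id/` in the error text while building the fetcher with `access_id:` and `access_key:`, so the spec pins message wording that names keys the fetcher never reads; the expectation and the example description should both refer to the key the code actually consults (`:access_key` in the first example, `:access_id` in the second) so that the error text and the config contract cannot drift apart again. Nothing here exercises the success path — that `validate!` composes the token from the two values, defaults `:vault_addr` to the proxy address and hands the token to `Vault.auth.token` — and that is the only logic the class adds, so a third example in the style of the HashiVault token spec in this commit would cover it. The `describe` block is complete within the hunk.

```ruby
it "composes a Vault token from access_id and access_key and defaults the address to the AKeyless proxy" do
  fetcher = Chef::SecretFetcher::AKeylessVault.new({ access_id: "my-id", access_key: "my-key" }, run_context)
  auth_double = instance_double(Vault::Authenticate)
  expect(auth_double).to receive(:token).with("my-id..my-key")
  allow(Vault).to receive(:auth).and_return(auth_double)
  fetcher.validate!
  expect(Vault.address).to eq(Chef::SecretFetcher::AKEYLESS_VAULT_PROXY_ADDR)
end
```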
@@ -15,7 +15,6 @@ # See the License for the specific language governing permissions and # limitations under the License. # -# require_relative "../../spec_helper" require "chef/secret_fetcher/hashi_vault" 
@@ -24,23 +23,57 @@ describe Chef::SecretFetcher::HashiVault do let(:node) { {} } let(:run_context) { double("run_context", node: node) } - context "when validating HashiVault provided configuration" do - it "raises ConfigurationInvalid when the role_name is not provided" do - fetcher = Chef::SecretFetcher::HashiVault.new( { vault_addr: "vault.example.com" }, run_context) - expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid) + context "when validating provided HashiVault configuration" do + it "raises ConfigurationInvalid when the :auth_method is not valid" do + fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :invalid, vault_addr: "https://vault.example.com:8200" }, run_context) + expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid, /:auth_method/) end it "raises ConfigurationInvalid when the vault_addr is not provided" do - fetcher = Chef::SecretFetcher::HashiVault.new( { role_name: "vault.example.com" }, run_context) + fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, role_name: "example-role" }, run_context) expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid) end - it "obtains a token via AWS IAM auth to allow the gem to do its own validations when all required config is provided" do - fetcher = Chef::SecretFetcher::HashiVault.new( { vault_addr: "vault.example.com", role_name: "example-role" }, run_context) - auth_stub = - allow(Aws::InstanceProfileCredentials).to receive(:new).and_return double("credentials") - allow(Vault).to receive(:auth).and_return(instance_double(Vault::Authenticate, aws_iam: nil)) - fetcher.validate! + context "and using auth_method: :iam_role" do + it "raises ConfigurationInvalid when the role_name is not provided" do + fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, vault_addr: "https://vault.example.com:8200" }, run_context) + expect { fetcher.validate! 
}.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid) + end + + it "obtains a token via AWS IAM auth to allow the gem to do its own validations when all required config is provided" do + fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, vault_addr: "https://vault.example.com:8200", role_name: "example-role" }, run_context) + allow(Aws::InstanceProfileCredentials).to receive(:new).and_return instance_double(Aws::InstanceProfileCredentials) + auth_double = instance_double(Vault::Authenticate) + expect(auth_double).to receive(:aws_iam) + allow(Vault).to receive(:auth).and_return(auth_double) + fetcher.validate! + end + end + + context "and using auth_method: :token" do + it "raises ConfigurationInvalid when no token is provided" do + fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :token, vault_addr: "https://vault.example.com:8200" }, run_context) + expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid) + end + + it "authenticates using the token during validation when all configuration is correct" do + fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :token, token: "t.1234abcd", vault_addr: "https://vault.example.com:8200" }, run_context) + auth = instance_double(Vault::Authenticate) + auth_double = instance_double(Vault::Authenticate) + expect(auth_double).to receive(:token) + allow(Vault).to receive(:auth).and_return(auth_double) + fetcher.validate! 
+ end + end + end + + context "when fetching a secret from Hashi Vault" do + it "raises an FetchFailed message when no secret is returned due to invalid engine path" do + fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :invalid, vault_addr: "https://vault.example.com:8200" }, run_context) + logical_double = instance_double(Vault::Logical) + expect(logical_double).to receive(:read).and_return nil + expect(Vault).to receive(:logical).and_return(logical_double) + expect { fetcher.do_fetch("anything", nil) }.to raise_error(Chef::Exceptions::Secret::FetchFailed) end end end |
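Review bot: In the token example, `auth = instance_double(Vault::Authenticate)` is assigned and never used — drop it and keep only `auth_double`. The fetch example builds the fetcher with `auth_method: :invalid`, which only works because `do_fetch` is called without `validate!`; use a valid configuration such as `auth_method: :token, token: "t.1234abcd", vault_addr: "https://vault.example.com:8200"` so the example does not read as though an invalid auth method reaches a read. The IAM example stubs `aws_iam` with no argument matcher, so it would still pass if the role name stopped being forwarded; `expect(auth_double).to receive(:aws_iam).with("example-role", anything)` pins what `validate!` actually sends. The `describe` block ends within the hunk.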