authorTim Smith <tsmith@chef.io>2021-09-09 13:15:34 -0700
committerGitHub <noreply@github.com>2021-09-09 13:15:34 -0700
commit60b2d767c2da0f30bb98ccb3335e091e1deb420e (patch)
treee004a7592983eebafbd1304a8f55a51942cb81fa
parent1bf40f8e5ffaab4213c49d60a46fc7a5bfabdd10 (diff)
parentaa008fc4d173049eb299e54d28a244467d863bd0 (diff)
Merge branch 'main' into feature/s3-recipe-url
-rw-r--r--CHANGELOG.md13
-rw-r--r--Gemfile.lock28
-rw-r--r--VERSION2
-rw-r--r--chef-bin/lib/chef-bin/version.rb2
-rw-r--r--chef-config/lib/chef-config/version.rb2
-rw-r--r--chef-utils/lib/chef-utils/version.rb2
-rw-r--r--knife/lib/chef/knife/version.rb2
-rw-r--r--lib/chef/resource/chef_client_scheduled_task.rb5
-rw-r--r--lib/chef/resource/user_ulimit.rb1
-rw-r--r--lib/chef/secret_fetcher.rb7
-rw-r--r--lib/chef/secret_fetcher/akeyless_vault.rb57
-rw-r--r--lib/chef/secret_fetcher/hashi_vault.rb54
-rw-r--r--lib/chef/version.rb2
-rw-r--r--omnibus/Gemfile.lock32
-rw-r--r--spec/functional/resource/group_spec.rb6
-rw-r--r--spec/functional/resource/link_spec.rb8
-rw-r--r--spec/unit/resource/chef_client_scheduled_task_spec.rb14
-rw-r--r--spec/unit/resource/user_ulimit_spec.rb15
-rw-r--r--spec/unit/secret_fetcher/akeyless_vault_spec.rb37
-rw-r--r--spec/unit/secret_fetcher/hashi_vault_spec.rb57
20 files changed, 279 insertions, 67 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index aef2a76797..e58826c279 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,17 +1,24 @@
<!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
This changelog lists individual merged pull requests to Chef Infra Client and geared towards developers. For a list of significant changes per release see the [Chef Infra Client Release Notes](https://docs.chef.io/release_notes_client/).
-<!-- latest_release 17.4.47 -->
-## [v17.4.47](https://github.com/chef/chef/tree/v17.4.47) (2021-09-02)
+<!-- latest_release 17.5.1 -->
+## [v17.5.1](https://github.com/chef/chef/tree/v17.5.1) (2021-09-09)
#### Merged Pull Requests
-- Disable x25519 until we fix RHEL 7 failures [#11993](https://github.com/chef/chef/pull/11993) ([tas50](https://github.com/tas50))
+- Add AKeyless Vault support [#12012](https://github.com/chef/chef/pull/12012) ([marcparadise](https://github.com/marcparadise))
<!-- latest_release -->
<!-- release_rollup since=17.4.38 -->
### Changes not yet released to stable
#### Merged Pull Requests
+- Add AKeyless Vault support [#12012](https://github.com/chef/chef/pull/12012) ([marcparadise](https://github.com/marcparadise)) <!-- 17.5.1 -->
+- Update all deps to the latest [#12009](https://github.com/chef/chef/pull/12009) ([tas50](https://github.com/tas50)) <!-- 17.5.0 -->
+- Update HashiCorp Vault fetcher to support token auth [#12008](https://github.com/chef/chef/pull/12008) ([marcparadise](https://github.com/marcparadise)) <!-- 17.4.52 -->
+- Bump chef-zero to 15.0.9 [#12005](https://github.com/chef/chef/pull/12005) ([chef-expeditor[bot]](https://github.com/chef-expeditor[bot])) <!-- 17.4.51 -->
+- Fix tests for new omnibus test systems [#12004](https://github.com/chef/chef/pull/12004) ([jeremiahsnapp](https://github.com/jeremiahsnapp)) <!-- 17.4.50 -->
+- Bump chef-vault to 4.1.3 [#12002](https://github.com/chef/chef/pull/12002) ([chef-expeditor[bot]](https://github.com/chef-expeditor[bot])) <!-- 17.4.49 -->
+- ulimit: Fix sensitive property [#12000](https://github.com/chef/chef/pull/12000) ([ashwin-msys](https://github.com/ashwin-msys)) <!-- 17.4.48 -->
- Disable x25519 until we fix RHEL 7 failures [#11993](https://github.com/chef/chef/pull/11993) ([tas50](https://github.com/tas50)) <!-- 17.4.47 -->
- Bump inspec-core-bin to 4.41.20 [#11991](https://github.com/chef/chef/pull/11991) ([chef-expeditor[bot]](https://github.com/chef-expeditor[bot])) <!-- 17.4.46 -->
- windows_user_privilege.rb : fixed exception: privilege is a required property, even when it was set [#11914](https://github.com/chef/chef/pull/11914) ([snehaldwivedi](https://github.com/snehaldwivedi)) <!-- 17.4.45 -->
diff --git a/Gemfile.lock b/Gemfile.lock
index 5b10baef1c..d90adfcd75 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -35,12 +35,12 @@ GIT
PATH
remote: .
specs:
- chef (17.4.47)
+ chef (17.5.1)
addressable
aws-sdk-s3 (~> 1.91)
aws-sdk-secretsmanager (~> 1.46)
- chef-config (= 17.4.47)
- chef-utils (= 17.4.47)
+ chef-config (= 17.5.1)
+ chef-utils (= 17.5.1)
chef-vault
chef-zero (>= 14.0.11)
diff-lcs (>= 1.2.4, < 1.4.0)
@@ -65,12 +65,12 @@ PATH
train-winrm (>= 0.2.5)
uuidtools (>= 2.1.5, < 3.0)
vault (~> 0.16)
- chef (17.4.47-universal-mingw32)
+ chef (17.5.1-universal-mingw32)
addressable
aws-sdk-s3 (~> 1.91)
aws-sdk-secretsmanager (~> 1.46)
- chef-config (= 17.4.47)
- chef-utils (= 17.4.47)
+ chef-config (= 17.5.1)
+ chef-utils (= 17.5.1)
chef-vault
chef-zero (>= 14.0.11)
diff-lcs (>= 1.2.4, < 1.4.0)
@@ -110,15 +110,15 @@ PATH
PATH
remote: chef-bin
specs:
- chef-bin (17.4.47)
- chef (= 17.4.47)
+ chef-bin (17.5.1)
+ chef (= 17.5.1)
PATH
remote: chef-config
specs:
- chef-config (17.4.47)
+ chef-config (17.5.1)
addressable
- chef-utils (= 17.4.47)
+ chef-utils (= 17.5.1)
fuzzyurl
mixlib-config (>= 2.2.12, < 4.0)
mixlib-shellout (>= 2.0, < 4.0)
@@ -127,7 +127,7 @@ PATH
PATH
remote: chef-utils
specs:
- chef-utils (17.4.47)
+ chef-utils (17.5.1)
concurrent-ruby
GEM
@@ -140,7 +140,7 @@ GEM
mixlib-shellout (>= 2.0, < 4.0)
ast (2.4.2)
aws-eventstream (1.2.0)
- aws-partitions (1.496.0)
+ aws-partitions (1.498.0)
aws-sdk-core (3.121.0)
aws-eventstream (~> 1, >= 1.0.2)
aws-partitions (~> 1, >= 1.239.0)
@@ -165,8 +165,8 @@ GEM
chef-telemetry (1.1.1)
chef-config
concurrent-ruby (~> 1.0)
- chef-vault (4.1.0)
- chef-zero (15.0.7)
+ chef-vault (4.1.3)
+ chef-zero (15.0.9)
ffi-yajl (~> 2.2)
hashie (>= 2.0, < 5.0)
mixlib-log (>= 2.0, < 4.0)
diff --git a/VERSION b/VERSION
index 65e4e8ca7b..e2619c4b20 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-17.4.47 \ No newline at end of file
+17.5.1 \ No newline at end of file
diff --git a/chef-bin/lib/chef-bin/version.rb b/chef-bin/lib/chef-bin/version.rb
index 588a7b65d7..92f3b6891d 100644
--- a/chef-bin/lib/chef-bin/version.rb
+++ b/chef-bin/lib/chef-bin/version.rb
@@ -21,7 +21,7 @@
module ChefBin
CHEFBIN_ROOT = File.expand_path("..", __dir__)
- VERSION = "17.4.47".freeze
+ VERSION = "17.5.1".freeze
end
#
diff --git a/chef-config/lib/chef-config/version.rb b/chef-config/lib/chef-config/version.rb
index 27fc55b166..844de1f871 100644
--- a/chef-config/lib/chef-config/version.rb
+++ b/chef-config/lib/chef-config/version.rb
@@ -15,5 +15,5 @@
module ChefConfig
CHEFCONFIG_ROOT = File.expand_path("..", __dir__)
- VERSION = "17.4.47".freeze
+ VERSION = "17.5.1".freeze
end
diff --git a/chef-utils/lib/chef-utils/version.rb b/chef-utils/lib/chef-utils/version.rb
index e19c67066f..4bad38f029 100644
--- a/chef-utils/lib/chef-utils/version.rb
+++ b/chef-utils/lib/chef-utils/version.rb
@@ -16,5 +16,5 @@
module ChefUtils
CHEFUTILS_ROOT = File.expand_path("..", __dir__)
- VERSION = "17.4.47"
+ VERSION = "17.5.1"
end
diff --git a/knife/lib/chef/knife/version.rb b/knife/lib/chef/knife/version.rb
index 10e4085698..bd1ee78d4e 100644
--- a/knife/lib/chef/knife/version.rb
+++ b/knife/lib/chef/knife/version.rb
@@ -17,7 +17,7 @@
class Chef
class Knife
KNIFE_ROOT = File.expand_path("../..", __dir__)
- VERSION = "17.4.47".freeze
+ VERSION = "17.5.1".freeze
end
end
diff --git a/lib/chef/resource/chef_client_scheduled_task.rb b/lib/chef/resource/chef_client_scheduled_task.rb
index 6f88460d73..8b251b2441 100644
--- a/lib/chef/resource/chef_client_scheduled_task.rb
+++ b/lib/chef/resource/chef_client_scheduled_task.rb
@@ -129,6 +129,10 @@ class Chef
description: "An array of options to pass to the #{ChefUtils::Dist::Infra::CLIENT} command.",
default: []
+ property :priority, Integer,
+ description: "Use to set Priority Levels range from 0 to 10.",
+ default: 7, callbacks: { "should be in range of 0 to 10" => proc { |v| v >= 0 && v <= 10 } }
+
action :add, description: "Add a Windows Scheduled Task that runs #{ChefUtils::Dist::Infra::PRODUCT}." do
# TODO: Replace this with a :create_if_missing action on directory when that exists
unless Dir.exist?(new_resource.log_directory)
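Review bot: The range check in the new `priority` callback reads better with the standard predicate, `callbacks: { "should be in range of 0 to 10" => proc { |v| v.between?(0, 10) } }`, which states the documented contract directly instead of two comparisons. The description `"Use to set Priority Levels range from 0 to 10."` is hard to parse; `"The priority level of the scheduled task, from 0 to 10."` is clearer, and if these are Windows Task Scheduler priorities (where 0 is highest and 10 lowest, 7 being the usual default) it is worth saying so, because a reader may assume a larger number means a higher priority. The following hunk only forwards the value with `priority new_resource.priority` and needs nothing further. The enclosing resource class begins and ends outside this hunk.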
@@ -153,6 +157,7 @@ class Chef
start_day new_resource.start_date unless new_resource.start_date.nil?
random_delay new_resource.splay if frequency_supports_random_delay?
disallow_start_if_on_batteries new_resource.splay unless new_resource.run_on_battery
+ priority new_resource.priority
action %i{create enable}
end
end
diff --git a/lib/chef/resource/user_ulimit.rb b/lib/chef/resource/user_ulimit.rb
index 55331dfc1c..594b585dbf 100644
--- a/lib/chef/resource/user_ulimit.rb
+++ b/lib/chef/resource/user_ulimit.rb
@@ -83,6 +83,7 @@ class Chef
source ::File.expand_path("support/ulimit.erb", __dir__)
local true
mode "0644"
+ sensitive new_resource.sensitive
variables(
ulimit_user: new_resource.username,
filehandle_limit: new_resource.filehandle_limit,
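Review bot: `sensitive new_resource.sensitive` only controls what Chef logs and diffs for this template; the file is still written with `mode "0644"`, so whatever the ulimit template renders remains world-readable on disk. If the intent is to keep limit values out of run logs, a one-line comment makes that boundary explicit, e.g. `# sensitive suppresses the rendered diff in logs; it does not change the 0644 file mode`. The enclosing template block and its action start outside this hunk.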
diff --git a/lib/chef/secret_fetcher.rb b/lib/chef/secret_fetcher.rb
index e8e4602bb2..af3e1d5cbb 100644
--- a/lib/chef/secret_fetcher.rb
+++ b/lib/chef/secret_fetcher.rb
@@ -21,7 +21,7 @@ require_relative "exceptions"
class Chef
class SecretFetcher
- SECRET_FETCHERS = %i{example aws_secrets_manager azure_key_vault hashi_vault}.freeze
+ SECRET_FETCHERS = %i{example aws_secrets_manager azure_key_vault hashi_vault akeyless_vault}.freeze
# Returns a configured and validated instance
# of a [Chef::SecretFetcher::Base] for the given
@@ -45,10 +45,13 @@ class Chef
when :hashi_vault
require_relative "secret_fetcher/hashi_vault"
Chef::SecretFetcher::HashiVault.new(config, run_context)
+ when :akeyless_vault
+ require_relative "secret_fetcher/akeyless_vault"
+ Chef::SecretFetcher::AKeylessVault.new(config, run_context)
when nil, ""
raise Chef::Exceptions::Secret::MissingFetcher.new(SECRET_FETCHERS)
else
- raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: #{service}", SECRET_FETCHERS)
+ raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: '#{service}'", SECRET_FETCHERS)
end
fetcher.validate!
fetcher
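Review bot: The new `:akeyless_vault` service has to be added in two places by hand — the `SECRET_FETCHERS` list in the hunk above and this `case` — and nothing ties them together, so a future fetcher can easily be listed in one but not the other. A comment on the constant, `# Every service listed here needs a matching when branch in for_service`, would document that coupling. Quoting the service in the `InvalidFetcherService` message is an improvement since it makes a blank value visible; `service.inspect` would additionally distinguish a String from a Symbol, which appears to matter because the `when` branches match Symbols only (assuming the caller does not normalise the value earlier in the method). The enclosing `for_service` method starts outside this hunk.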
diff --git a/lib/chef/secret_fetcher/akeyless_vault.rb b/lib/chef/secret_fetcher/akeyless_vault.rb
new file mode 100644
index 0000000000..f80eeba7bc
--- /dev/null
+++ b/lib/chef/secret_fetcher/akeyless_vault.rb
@@ -0,0 +1,57 @@
+#
+# Author:: Marc Paradise (<marc@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "base"
+require_relative "hashi_vault"
+
+class Chef
+ class SecretFetcher
+ # == Chef::SecretFetcher::AKeylessVault
+ # A fetcher that fetches a secret from AKeyless Vault. Initial implementation is
+ # based on HashiVault , because AKeyless provides a compatibility layer that makes this possible.
+ # Future revisions will use native akeyless authentication.
+ #
+ # Required config:
+ # :access_id - the access id of the API key
+ # :access_key - the access key of the API key
+ #
+ #
+ # @example
+ #
+ # fetcher = SecretFetcher.for_service(:akeyless_vault, { access_id: "my-access-id", access_key: "my-access-key" }, run_context )
+ # fetcher.fetch("/secret/data/secretkey1")
+ #
+ AKEYLESS_VAULT_PROXY_ADDR = "https://hvp.akeyless.io".freeze
+ class AKeylessVault < HashiVault
+ def validate!
+ if config[:access_key].nil?
+ raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the secret access key in the configuration as :secret_access_key")
+ end
+ if config[:access_id].nil?
+ raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the access key id in the configuration as :access_key_id")
+ end
+
+ config[:vault_addr] ||= AKEYLESS_VAULT_PROXY_ADDR
+ config[:auth_method] = :token
+ config[:token] = "#{config[:access_id]}..#{config[:access_key]}"
+ super
+ end
+ end
+ end
+end
+
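Review bot: The two `ConfigurationInvalid` messages in `validate!` name keys the code does not read: the check on `config[:access_key]` tells the user to supply `:secret_access_key`, and the check on `config[:access_id]` asks for `:access_key_id`, while the class comment and the `for_service` example both document `:access_id` and `:access_key`, so a user who follows the message sets the wrong key and fails again. Change them to `raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the access key in the configuration as :access_key")` and `raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the access id in the configuration as :access_id")`. The new `spec/unit/secret_fetcher/akeyless_vault_spec.rb` in this commit asserts the wrong names (`/:secret_access_key/`, `/:access_key_id/`) and needs the same correction. Note also that `config[:token] = "#{config[:access_id]}..#{config[:access_key]}"` writes the composed credential back into the caller's config hash, so anything that later inspects or logs that hash (not visible here, so worth confirming) would expose it; a comment such as `# composed API-key token is stored in config and handed to the Vault client by super` makes that side effect visible. Finally, `AKEYLESS_VAULT_PROXY_ADDR` sits between the class's doc comment and `class AKeylessVault`, detaching the comment from the class it describes and defining the constant on `Chef::SecretFetcher` rather than on the class; moving it inside the class keeps both together.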
diff --git a/lib/chef/secret_fetcher/hashi_vault.rb b/lib/chef/secret_fetcher/hashi_vault.rb
index be975fc34f..47bf78f5c1 100644
--- a/lib/chef/secret_fetcher/hashi_vault.rb
+++ b/lib/chef/secret_fetcher/hashi_vault.rb
@@ -19,7 +19,6 @@
require_relative "base"
require "aws-sdk-core" # Support for aws instance profile auth
require "vault"
-
class Chef
class SecretFetcher
# == Chef::SecretFetcher::HashiVault
@@ -29,32 +28,60 @@ class Chef
# In this initial iteration the only supported authentication is IAM role-based
#
# Required config:
+ # :auth_method - one of :iam_role, :token. default: :iam_role
# :vault_addr - the address of a running Vault instance, eg https://vault.example.com:8200
- # If not explicitly provided, the environment variable VAULT_ADDR will be used.
- # :role_name - the name of the role in Vault that was created to support authentication
- # via IAM. See the Vault documentation for details[1]. A Terraform example is also available[2]
+ #
+ # For `:token` auth: `:token` - a Vault token valid for authentication.
+ #
+ # For `:iam_role`: `:role_name` - the name of the role in Vault that was created
+ # to support authentication via IAM. See the Vault documentation for details[1].
+ # A Terraform example is also available[2]
+ #
#
# [1] https://www.vaultproject.io/docs/auth/aws#recommended-vault-iam-policy
# [2] https://registry.terraform.io/modules/hashicorp/vault/aws/latest/examples/vault-iam-auth
# an IAM principal ARN bound to it.
#
+ # Optional config
+ # :namespace - the namespace under which secrets are kept. Only supported in with Vault Enterprise
+ #
# @example
#
# fetcher = SecretFetcher.for_service(:hashi_vault, { role_name: "testing-role", vault_addr: https://localhost:8200}, run_context )
# fetcher.fetch("secretkey1")
+ #
+ # @example
+ #
+ # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :token, token: "s.1234abcdef", vault_addr: https://localhost:8200}, run_context )
+ # fetcher.fetch("secretkey1")
+ SUPPORTED_AUTH_TYPES = %i{iam_role token}.freeze
class HashiVault < Base
+
+ # Validate and authenticate the current session using the configured auth strategy and parameters
def validate!
- if config[:role_name].nil?
- raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name ")
- end
if config[:vault_addr].nil?
raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the Vault address in the configuration as :vault_addr")
end
- # Note that the token here is cached internal to the Vault implementation.
- Vault.auth.aws_iam(config[:role_name],
- Aws::InstanceProfileCredentials.new,
- config[:vault_addr] || ENV["VAULT_ADDR"])
+ Vault.address = config[:vault_addr]
+ Vault.namespace = config[:namespace] unless config[:namespace].nil?
+
+ case config[:auth_method]
+ when :token
+ if config[:token].nil?
+ raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the token in the configuration as :token")
+ end
+
+ Vault.auth.token(config[:token])
+ when :iam_role, nil
+ if config[:role_name].nil?
+ raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name")
+ end
+
+ Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new)
+ else
+ raise Chef::Exceptions::Secret::ConfigurationInvalid.new("Invalid :auth_method provided. You gave #{config[:auth_method]}, expected one of :#{SUPPORTED_AUTH_TYPES.join(", :")} ")
+ end
end
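Review bot: The class comment still says "In this initial iteration the only supported authentication is IAM role-based" (the context line at the top of this hunk), which the new `case config[:auth_method]` with its `:token` branch contradicts; replace it with `# Supported authentication: IAM role (the default) or a pre-issued Vault token, selected with :auth_method`. `validate!` now also writes `Vault.address`, `Vault.namespace` and the token into the process-global `Vault` client, so if two HashiVault fetchers with different addresses or namespaces are validated in one run the last one wins for both — at minimum add `# NOTE: configures the global Vault client; a later fetcher with a different address or namespace overrides it` on the `Vault.address =` line, or hold a `Vault::Client.new(...)` instance per fetcher if the gem's client API fits (verify). `SUPPORTED_AUTH_TYPES` is only used to format the error message while the accepted values are hard-coded in the `when` clauses, so the two can drift; the trailing space before the closing quote of that message should also go. The enclosing class and its `do_fetch` method continue outside this hunk.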
# @param identifier [String] Identifier of the secret to be fetched, which should
@@ -62,7 +89,10 @@ class Chef
# @param _version [String] not used in this implementation
# @return [Hash] containing key/value pairs stored at the location given in 'identifier'
def do_fetch(identifier, _version)
- Vault.logical.read(identifier).data
+ result = Vault.logical.read(identifier)
+ raise Chef::Exceptions::Secret::FetchFailed.new("No secret found at #{identifier}. Check to ensure that there is a secrets engine configured for that path") if result.nil?
+
+ result.data
end
end
end
diff --git a/lib/chef/version.rb b/lib/chef/version.rb
index 16b92c7a8f..18006e4863 100644
--- a/lib/chef/version.rb
+++ b/lib/chef/version.rb
@@ -23,7 +23,7 @@ require_relative "version_string"
class Chef
CHEF_ROOT = File.expand_path("..", __dir__)
- VERSION = Chef::VersionString.new("17.4.47")
+ VERSION = Chef::VersionString.new("17.5.1")
end
#
diff --git a/omnibus/Gemfile.lock b/omnibus/Gemfile.lock
index 4d123b6016..77af15facc 100644
--- a/omnibus/Gemfile.lock
+++ b/omnibus/Gemfile.lock
@@ -1,6 +1,6 @@
GIT
remote: https://github.com/chef/omnibus-software.git
- revision: b77420348413fc621ebe150a53f3ed0596faa640
+ revision: e0d92a629f91918272b7460addfd4462c539e8a0
branch: main
specs:
omnibus-software (4.0.0)
@@ -32,21 +32,21 @@ GEM
public_suffix (>= 2.0.2, < 5.0)
artifactory (3.0.15)
awesome_print (1.9.2)
- aws-eventstream (1.1.1)
- aws-partitions (1.492.0)
- aws-sdk-core (3.119.1)
+ aws-eventstream (1.2.0)
+ aws-partitions (1.498.0)
+ aws-sdk-core (3.121.0)
aws-eventstream (~> 1, >= 1.0.2)
aws-partitions (~> 1, >= 1.239.0)
aws-sigv4 (~> 1.1)
jmespath (~> 1.0)
- aws-sdk-kms (1.47.0)
- aws-sdk-core (~> 3, >= 3.119.0)
+ aws-sdk-kms (1.48.0)
+ aws-sdk-core (~> 3, >= 3.120.0)
aws-sigv4 (~> 1.1)
- aws-sdk-s3 (1.100.0)
- aws-sdk-core (~> 3, >= 3.119.0)
+ aws-sdk-s3 (1.102.0)
+ aws-sdk-core (~> 3, >= 3.120.0)
aws-sdk-kms (~> 1)
- aws-sigv4 (~> 1.1)
- aws-sigv4 (1.2.4)
+ aws-sigv4 (~> 1.4)
+ aws-sigv4 (1.4.0)
aws-eventstream (~> 1, >= 1.0.2)
bcrypt_pbkdf (1.1.0)
bcrypt_pbkdf (1.1.0-x64-mingw32)
@@ -162,8 +162,8 @@ GEM
chef-config
concurrent-ruby (~> 1.0)
chef-utils (16.14.1)
- chef-vault (4.1.0)
- chef-zero (15.0.7)
+ chef-vault (4.1.3)
+ chef-zero (15.0.9)
ffi-yajl (~> 2.2)
hashie (>= 2.0, < 5.0)
mixlib-log (>= 2.0, < 4.0)
@@ -194,9 +194,9 @@ GEM
faraday-net_http_persistent (1.2.0)
faraday_middleware (1.1.0)
faraday (~> 1.0)
- ffi (1.15.3)
- ffi (1.15.3-x64-mingw32)
- ffi (1.15.3-x86-mingw32)
+ ffi (1.15.4)
+ ffi (1.15.4-x64-mingw32)
+ ffi (1.15.4-x86-mingw32)
ffi-libarchive (1.0.17)
ffi (~> 1.0)
ffi-win32-extensions (1.0.4)
@@ -212,7 +212,7 @@ GEM
highline (2.0.3)
httpclient (2.8.3)
iniparse (1.5.0)
- inspec-core (4.41.2)
+ inspec-core (4.41.20)
addressable (~> 2.4)
chef-telemetry (~> 1.0, >= 1.0.8)
faraday (>= 0.9.0, < 1.5)
diff --git a/spec/functional/resource/group_spec.rb b/spec/functional/resource/group_spec.rb
index 279f8ac8d4..87953455b9 100644
--- a/spec/functional/resource/group_spec.rb
+++ b/spec/functional/resource/group_spec.rb
@@ -44,6 +44,10 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
members.shift # Get rid of GroupMembership: string
members.include?(user)
else
+ # TODO For some reason our temporary AIX 7.2 system does not correctly report group membership immediately after changes have been made.
+ # Adding a 2 second delay for this platform is enough to get correct results.
+ # We hope to remove this delay after we get more permanent AIX 7.2 systems in our CI pipeline. reference: https://github.com/chef/release-engineering/issues/1617
+ sleep 2 if aix? && (ohai[:platform_version] == "7.2")
Etc.getgrnam(group_name).mem.include?(user)
end
end
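Review bot: The AIX 7.2 workaround `sleep 2 if aix? && (ohai[:platform_version] == "7.2")` together with its three-line TODO comment is pasted verbatim here and twice more in the link_spec.rb hunk of this commit (its `before` and `after` blocks); a single functional spec helper, say `def wait_for_aix_user_db_sync`, would carry the comment and the condition once and let the delay be removed in one place when the referenced issue is resolved. The enclosing `describe` begins outside this hunk.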
@@ -181,7 +185,7 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
describe "when the users exist" do
before do
- high_uid = 30000
+ high_uid = 40000
(spec_members).each do |member|
remove_user(member)
create_user(member, high_uid)
diff --git a/spec/functional/resource/link_spec.rb b/spec/functional/resource/link_spec.rb
index 734897aaa4..4637896fd7 100644
--- a/spec/functional/resource/link_spec.rb
+++ b/spec/functional/resource/link_spec.rb
@@ -345,9 +345,17 @@ describe Chef::Resource::Link do
let(:test_user) { "test-link-user" }
before do
user(test_user).run_action(:create)
+ # TODO For some reason our temporary AIX 7.2 system does not correctly report user existence immediately after changes have been made.
+ # Adding a 2 second delay for this platform is enough to get correct results.
+ # We hope to remove this delay after we get more permanent AIX 7.2 systems in our CI pipeline. reference: https://github.com/chef/release-engineering/issues/1617
+ sleep 2 if aix? && (ohai[:platform_version] == "7.2")
end
after do
user(test_user).run_action(:remove)
+ # TODO For some reason our temporary AIX 7.2 system does not correctly report user existence immediately after changes have been made.
+ # Adding a 2 second delay for this platform is enough to get correct results.
+ # We hope to remove this delay after we get more permanent AIX 7.2 systems in our CI pipeline. reference: https://github.com/chef/release-engineering/issues/1617
+ sleep 2 if aix? && (ohai[:platform_version] == "7.2")
end
before(:each) do
resource.owner(test_user)
diff --git a/spec/unit/resource/chef_client_scheduled_task_spec.rb b/spec/unit/resource/chef_client_scheduled_task_spec.rb
index b3c663cdae..0acc268a10 100644
--- a/spec/unit/resource/chef_client_scheduled_task_spec.rb
+++ b/spec/unit/resource/chef_client_scheduled_task_spec.rb
@@ -73,6 +73,20 @@ describe Chef::Resource::ChefClientScheduledTask do
expect(resource.chef_binary_path).to eql("C:/opscode/chef/bin/chef-client")
end
+ context "priority" do
+ it "default value is 7" do
+ expect(resource.priority).to eq(7)
+ end
+
+ it "raise error when priority value less than 0" do
+ expect { resource.priority(-1) }.to raise_error(Chef::Exceptions::ValidationFailed, "Option priority's value -1 should be in range of 0 to 10!")
+ end
+
+ it "raise error when priority values is greater than 10" do
+ expect { resource.priority 11 }.to raise_error(Chef::Exceptions::ValidationFailed, "Option priority's value 11 should be in range of 0 to 10!")
+ end
+ end
+
it "supports :add and :remove actions" do
expect { resource.action :add }.not_to raise_error
expect { resource.action :remove }.not_to raise_error
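Review bot: The new `priority` examples cover the default and two out-of-range values but not the boundaries, which is exactly where an off-by-one in the callback would hide; add `it "accepts the boundary values 0 and 10" do expect { resource.priority 0 }.not_to raise_error; expect { resource.priority 10 }.not_to raise_error; end`. The two failure examples call the setter inconsistently — `resource.priority(-1)` with parentheses and `resource.priority 11` without — so pick one form. The title "raise error when priority values is greater than 10" has a typo ("values is"). The enclosing `describe` starts outside this hunk.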
diff --git a/spec/unit/resource/user_ulimit_spec.rb b/spec/unit/resource/user_ulimit_spec.rb
index f451870ac1..7acd9239a5 100644
--- a/spec/unit/resource/user_ulimit_spec.rb
+++ b/spec/unit/resource/user_ulimit_spec.rb
@@ -17,7 +17,6 @@
#
require "spec_helper"
-
describe Chef::Resource::UserUlimit do
let(:node) { Chef::Node.new }
let(:events) { Chef::EventDispatch::Dispatcher.new }
@@ -50,4 +49,18 @@ describe Chef::Resource::UserUlimit do
expect { resource.action :create }.not_to raise_error
expect { resource.action :delete }.not_to raise_error
end
+
+ describe "sensitive attribute" do
+ context "should be insensitive by default" do
+ it { expect(resource.sensitive).to(be_falsey) }
+ end
+
+ context "when set" do
+ before { resource.sensitive(true) }
+
+ it "should be set on the resource" do
+ expect(resource.sensitive).to(be_truthy)
+ end
+ end
+ end
end
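Review bot: In the new "sensitive attribute" block the `context` title "should be insensitive by default" states the expectation while the `it` has no description, which inverts the RSpec convention and yields an awkward generated description; write `context "by default" do` with `it "is not sensitive" do expect(resource.sensitive).to be_falsey end`. Whether the default is `false` or `nil` is not visible from the spec; if the resource declares `sensitive` with `default: false`, `be false` pins it more precisely than `be_falsey` (verify against the resource). The enclosing `describe` starts outside this hunk.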
diff --git a/spec/unit/secret_fetcher/akeyless_vault_spec.rb b/spec/unit/secret_fetcher/akeyless_vault_spec.rb
new file mode 100644
index 0000000000..f827e99399
--- /dev/null
+++ b/spec/unit/secret_fetcher/akeyless_vault_spec.rb
@@ -0,0 +1,37 @@
+#
+# Author:: Marc Paradise <marc@chef.io>
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../../spec_helper"
+require "chef/secret_fetcher/akeyless_vault"
+
+describe Chef::SecretFetcher::AKeylessVault do
+ let(:node) { {} }
+ let(:run_context) { double("run_context", node: node) }
+
+ context "when validating provided AKeyless Vault configuration" do
+ it "raises ConfigurationInvalid when :secret_access_key is not provided" do
+ fetcher = Chef::SecretFetcher::AKeylessVault.new( { access_id: "provided" }, run_context)
+ expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid, /:secret_access_key/)
+ end
+
+ it "raises ConfigurationInvalid when :access_key_id is not provided" do
+ fetcher = Chef::SecretFetcher::AKeylessVault.new( { access_key: "provided" }, run_context)
+ expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid, /:access_key_id/)
+ end
+ end
+end
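Review bot: Both examples exercise only the failure paths of `validate!`; nothing checks the success path, which is where the subclass does its real work — defaulting `:vault_addr` to `https://hvp.akeyless.io`, forcing `:auth_method` to `:token` and composing the token from `access_id` and `access_key` before calling `super`. An example that builds the fetcher with both keys, stubs `Vault.auth` with an `instance_double(Vault::Authenticate)` that expects `:token` (as hashi_vault_spec does in this commit), and then asserts the resulting address and composed token (through `config`, if it is readable on the fetcher — verify) would catch a regression in that wiring. The `let(:node) { {} }` and `run_context` double are only needed by the base class, so a short comment saying so would help the next reader.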
diff --git a/spec/unit/secret_fetcher/hashi_vault_spec.rb b/spec/unit/secret_fetcher/hashi_vault_spec.rb
index db93a051e4..e69c397c17 100644
--- a/spec/unit/secret_fetcher/hashi_vault_spec.rb
+++ b/spec/unit/secret_fetcher/hashi_vault_spec.rb
@@ -15,7 +15,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
-#
require_relative "../../spec_helper"
require "chef/secret_fetcher/hashi_vault"
@@ -24,23 +23,57 @@ describe Chef::SecretFetcher::HashiVault do
let(:node) { {} }
let(:run_context) { double("run_context", node: node) }
- context "when validating HashiVault provided configuration" do
- it "raises ConfigurationInvalid when the role_name is not provided" do
- fetcher = Chef::SecretFetcher::HashiVault.new( { vault_addr: "vault.example.com" }, run_context)
- expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
+ context "when validating provided HashiVault configuration" do
+ it "raises ConfigurationInvalid when the :auth_method is not valid" do
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :invalid, vault_addr: "https://vault.example.com:8200" }, run_context)
+ expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid, /:auth_method/)
end
it "raises ConfigurationInvalid when the vault_addr is not provided" do
- fetcher = Chef::SecretFetcher::HashiVault.new( { role_name: "vault.example.com" }, run_context)
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, role_name: "example-role" }, run_context)
expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
end
- it "obtains a token via AWS IAM auth to allow the gem to do its own validations when all required config is provided" do
- fetcher = Chef::SecretFetcher::HashiVault.new( { vault_addr: "vault.example.com", role_name: "example-role" }, run_context)
- auth_stub =
- allow(Aws::InstanceProfileCredentials).to receive(:new).and_return double("credentials")
- allow(Vault).to receive(:auth).and_return(instance_double(Vault::Authenticate, aws_iam: nil))
- fetcher.validate!
+ context "and using auth_method: :iam_role" do
+ it "raises ConfigurationInvalid when the role_name is not provided" do
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, vault_addr: "https://vault.example.com:8200" }, run_context)
+ expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
+ end
+
+ it "obtains a token via AWS IAM auth to allow the gem to do its own validations when all required config is provided" do
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, vault_addr: "https://vault.example.com:8200", role_name: "example-role" }, run_context)
+ allow(Aws::InstanceProfileCredentials).to receive(:new).and_return instance_double(Aws::InstanceProfileCredentials)
+ auth_double = instance_double(Vault::Authenticate)
+ expect(auth_double).to receive(:aws_iam)
+ allow(Vault).to receive(:auth).and_return(auth_double)
+ fetcher.validate!
+ end
+ end
+
+ context "and using auth_method: :token" do
+ it "raises ConfigurationInvalid when no token is provided" do
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :token, vault_addr: "https://vault.example.com:8200" }, run_context)
+ expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
+ end
+
+ it "authenticates using the token during validation when all configuration is correct" do
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :token, token: "t.1234abcd", vault_addr: "https://vault.example.com:8200" }, run_context)
+ auth = instance_double(Vault::Authenticate)
+ auth_double = instance_double(Vault::Authenticate)
+ expect(auth_double).to receive(:token)
+ allow(Vault).to receive(:auth).and_return(auth_double)
+ fetcher.validate!
+ end
+ end
+ end
+
+ context "when fetching a secret from Hashi Vault" do
+ it "raises an FetchFailed message when no secret is returned due to invalid engine path" do
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :invalid, vault_addr: "https://vault.example.com:8200" }, run_context)
+ logical_double = instance_double(Vault::Logical)
+ expect(logical_double).to receive(:read).and_return nil
+ expect(Vault).to receive(:logical).and_return(logical_double)
+ expect { fetcher.do_fetch("anything", nil) }.to raise_error(Chef::Exceptions::Secret::FetchFailed)
end
end
end
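Review bot: `auth = instance_double(Vault::Authenticate)` in the token-auth example is assigned and never used — the example goes on to create `auth_double` and stubs with that — so delete the `auth` line. The fetch example constructs its fetcher with `auth_method: :invalid`; because `do_fetch` is called directly and `validate!` never runs the value is inert, but it reads as if an invalid auth method were part of the scenario, so use a valid configuration such as `{ auth_method: :token, token: "t.1234abcd", vault_addr: "https://vault.example.com:8200" }` and let the example describe only the missing-secret case. The title "raises an FetchFailed message" should read "raises FetchFailed". The enclosing `describe` begins outside this hunk.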