Changed EOP to 'EOP' to avoid content expansionafiune/COOL-617/fix-here-strings-in-bash

[ZD-12489] This change fixes the content expansion of the
bootstrap command in the option `--json-attributes`.

Reference:
https://www.gnu.org/software/bash/manual/html_node/Redirections.html

It might be possible that some users are counting on this expansion
to occur.

Signed-off-by: Salim Afiune <afiune@chef.io>

2 files changed, 35 insertions, 6 deletions

diff --git a/lib/chef/knife/bootstrap/templates/chef-full.erb b/lib/chef/knife/bootstrap/templates/chef-full.erb
index 6007ff9859..145761a39e 100644
--- a/lib/chef/knife/bootstrap/templates/chef-full.erb
+++ b/lib/chef/knife/bootstrap/templates/chef-full.erb
@@ -182,21 +182,21 @@ fi
 mkdir -p /etc/chef
 
 <% if client_pem -%>
-cat > /etc/chef/client.pem <<EOP
+cat > /etc/chef/client.pem <<'EOP'
 <%= ::File.read(::File.expand_path(client_pem)) %>
 EOP
 chmod 0600 /etc/chef/client.pem
 <% end -%>
 
 <% if validation_key -%>
-cat > /etc/chef/validation.pem <<EOP
+cat > /etc/chef/validation.pem <<'EOP'
 <%= validation_key %>
 EOP
 chmod 0600 /etc/chef/validation.pem
 <% end -%>
 
 <% if encrypted_data_bag_secret -%>
-cat > /etc/chef/encrypted_data_bag_secret <<EOP
+cat > /etc/chef/encrypted_data_bag_secret <<'EOP'
 <%= encrypted_data_bag_secret %>
 EOP
 chmod 0600 /etc/chef/encrypted_data_bag_secret
@@ -212,17 +212,17 @@ mkdir -p /etc/chef/trusted_certs
 mkdir -p /etc/chef/ohai/hints
 
 <% @chef_config[:knife][:hints].each do |name, hash| -%>
-cat > /etc/chef/ohai/hints/<%= name %>.json <<EOP
+cat > /etc/chef/ohai/hints/<%= name %>.json <<'EOP'
 <%= Chef::JSONCompat.to_json(hash) %>
 EOP
 <% end -%>
 <% end -%>
 
-cat > /etc/chef/client.rb <<EOP
+cat > /etc/chef/client.rb <<'EOP'
 <%= config_content %>
 EOP
 
-cat > /etc/chef/first-boot.json <<EOP
+cat > /etc/chef/first-boot.json <<'EOP'
 <%= Chef::JSONCompat.to_json(first_boot) %>
 EOP
 
diff --git a/spec/unit/knife/bootstrap_spec.rb b/spec/unit/knife/bootstrap_spec.rb
index c2f68277c5..4201963b7d 100644
--- a/spec/unit/knife/bootstrap_spec.rb
+++ b/spec/unit/knife/bootstrap_spec.rb
@@ -48,6 +48,35 @@ describe Chef::Knife::Bootstrap do
     expect(File.basename(knife.bootstrap_template)).to eq("chef-full")
   end
 
+  context "when using the chef-full default template" do
+    let(:rendered_template) do
+      knife.merge_configs
+      knife.render_template
+    end
+
+    it "should render client.rb" do
+      expect(rendered_template).to match("cat > /etc/chef/client.rb <<'EOP'")
+      expect(rendered_template).to match("chef_server_url  \"https://localhost:443\"")
+      expect(rendered_template).to match("validation_client_name \"chef-validator\"")
+      expect(rendered_template).to match("log_location   STDOUT")
+    end
+
+    it "should render first-boot.json" do
+      expect(rendered_template).to match("cat > /etc/chef/first-boot.json <<'EOP'")
+      expect(rendered_template).to match('{"run_list":\[\]}')
+    end
+
+    context "and encrypted_data_bag_secret was provided" do
+      it "should render encrypted_data_bag_secret file" do
+        expect(knife).to receive(:encryption_secret_provided_ignore_encrypt_flag?).and_return(true)
+        expect(knife).to receive(:read_secret).and_return("secrets")
+        expect(rendered_template).to match("cat > /etc/chef/encrypted_data_bag_secret <<'EOP'")
+        expect(rendered_template).to match('{"run_list":\[\]}')
+        expect(rendered_template).to match(%r{secrets})
+      end
+    end
+  end
+
   context "with --bootstrap-vault-item" do
     let(:bootstrap_cli_options) { [ "--bootstrap-vault-item", "vault1:item1", "--bootstrap-vault-item", "vault1:item2", "--bootstrap-vault-item", "vault2:item1" ] }
     it "sets the knife config cli option correctly" do