authorNoah Kantrowitz <noah@coderanger.net>2017-05-25 22:03:28 -0700
committerNoah Kantrowitz <noah@coderanger.net>2017-05-25 22:03:28 -0700
commitca526db0a1a353abb966df136c49de017b95782e (patch)
treee17780855ad14fa6eaf09517edcb3c02b4d77821
parent2a830427c0610fb158a9ead63b2c29b259b6ab06 (diff)
parent2d71e99f69fc13bb007a2473811784a98cd15734 (diff)
downloadchef-ca526db0a1a353abb966df136c49de017b95782e.tar.gz
Merge branch 'master' into version-check
Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
-rw-r--r--CHANGELOG.md10
-rw-r--r--Gemfile4
-rw-r--r--Gemfile.lock10
-rw-r--r--RELEASE_NOTES.md31
-rw-r--r--VERSION2
-rw-r--r--chef-config/lib/chef-config/config.rb5
-rw-r--r--chef-config/lib/chef-config/version.rb2
-rw-r--r--lib/chef/application/client.rb2
-rw-r--r--lib/chef/application/knife.rb2
-rw-r--r--lib/chef/application/solo.rb1
-rw-r--r--lib/chef/deprecated.rb10
-rw-r--r--lib/chef/local_mode.rb1
-rw-r--r--lib/chef/provider/breakpoint.rb38
-rw-r--r--lib/chef/providers.rb1
-rw-r--r--lib/chef/resource/breakpoint.rb12
-rw-r--r--lib/chef/version.rb2
-rw-r--r--spec/functional/resource/chocolatey_package_spec.rb2
-rw-r--r--spec/functional/resource/windows_task_spec.rb2
-rw-r--r--spec/unit/provider/breakpoint_spec.rb53
-rw-r--r--spec/unit/provider_resolver_spec.rb2
-rw-r--r--spec/unit/resource/breakpoint_spec.rb39
21 files changed, 106 insertions, 125 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6cc342f854..8393be69f5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,14 +1,20 @@
This changelog reflects the current state of chef's master branch on github and may not reflect the current released version of chef, which is [![Gem Version](https://badge.fury.io/rb/chef.svg)](https://badge.fury.io/rb/chef).
-## [v13.1.20](https://github.com/chef/chef/tree/v13.1.20) (2017-05-16)
-[Full Changelog](https://github.com/chef/chef/compare/v12.20.3...v13.1.20)
+## [v13.1.28](https://github.com/chef/chef/tree/v13.1.28) (2017-05-25)
+[Full Changelog](https://github.com/chef/chef/compare/v12.20.3...v13.1.28)
**Closed issues:**
- Chef 13.0 regression in gem\_package related to finding gem binaries [\#6103](https://github.com/chef/chef/issues/6103)
+- Disable local mode's localhost socket by default in Chef 14 [\#6088](https://github.com/chef/chef/issues/6088)
**Merged pull requests:**
+- convert breakpoint resource to a custom resource [\#6176](https://github.com/chef/chef/pull/6176) ([lamont-granquist](https://github.com/lamont-granquist))
+- Make non-legacy solo use socketless mode [\#6174](https://github.com/chef/chef/pull/6174) ([coderanger](https://github.com/coderanger))
+- Prefer Systemd with sysvinit script over Upstart for service provider [\#6157](https://github.com/chef/chef/pull/6157) ([shortdudey123](https://github.com/shortdudey123))
+- Prefer Systemd with sysvinit script over Upstart for service provider [\#6156](https://github.com/chef/chef/pull/6156) ([shortdudey123](https://github.com/shortdudey123))
+- Ensure that we check the embedded gem binary last [\#6154](https://github.com/chef/chef/pull/6154) ([thommay](https://github.com/thommay))
- Fixing broken functional test in windows\_task resource [\#6139](https://github.com/chef/chef/pull/6139) ([NimishaS](https://github.com/NimishaS))
- Discard caches for files not in the manifest [\#6129](https://github.com/chef/chef/pull/6129) ([akitada](https://github.com/akitada))
- User on Windows with group incorrectly warns about passing GID [\#6125](https://github.com/chef/chef/pull/6125) ([harikesh-kolekar](https://github.com/harikesh-kolekar))
diff --git a/Gemfile b/Gemfile
index 0b72aac2ab..d488d8b01a 100644
--- a/Gemfile
+++ b/Gemfile
@@ -72,5 +72,5 @@ end
instance_eval(ENV["GEMFILE_MOD"]) if ENV["GEMFILE_MOD"]
# If you want to load debugging tools into the bundle exec sandbox,
-# add these additional dependencies into chef/Gemfile.local
-eval(IO.read(__FILE__ + ".local"), binding) if File.exist?(__FILE__ + ".local")
+# add these additional dependencies into Gemfile.local
+eval_gemfile(__FILE__ + ".local") if File.exist?(__FILE__ + ".local")
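Review bot: The comment above `eval_gemfile(__FILE__ + ".local")` presents Gemfile.local as a place for extra dependencies, but does not say that the file is executed as Ruby inside the Bundler DSL whenever the Gemfile is loaded. Anyone who can write that file in a checkout can run code as the user invoking bundler, so the comment should say so, for example `# Gemfile.local is executed as Ruby code; keep it untracked and writable only by you.`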
diff --git a/Gemfile.lock b/Gemfile.lock
index 827ec8beae..7c21b36187 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -30,10 +30,10 @@ GIT
PATH
remote: .
specs:
- chef (13.1.21)
+ chef (13.1.29)
addressable
bundler (>= 1.10)
- chef-config (= 13.1.21)
+ chef-config (= 13.1.29)
chef-zero (>= 13.0)
diff-lcs (~> 1.2, >= 1.2.4)
erubis (~> 2.7)
@@ -60,10 +60,10 @@ PATH
specinfra (~> 2.10)
syslog-logger (~> 1.6)
uuidtools (~> 2.1.5)
- chef (13.1.21-universal-mingw32)
+ chef (13.1.29-universal-mingw32)
addressable
bundler (>= 1.10)
- chef-config (= 13.1.21)
+ chef-config (= 13.1.29)
chef-zero (>= 13.0)
diff-lcs (~> 1.2, >= 1.2.4)
erubis (~> 2.7)
@@ -105,7 +105,7 @@ PATH
PATH
remote: chef-config
specs:
- chef-config (13.1.21)
+ chef-config (13.1.29)
addressable
fuzzyurl
mixlib-config (~> 2.0)
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index e01bfc9097..b8a134d9f3 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,6 +1,23 @@
_This file holds "in progress" release notes for the current release under development and is intended for consumption by the Chef Documentation team. Please see <https://docs.chef.io/release_notes.html> for the official Chef release notes._
-# Chef Client Release Notes 13.0:
+# Chef Client Release Notes
+
+# 13.2
+
+## Socketless local mode by default
+
+For security reasons we are switching Local Mode to use socketless connections
+by default. This prevents potential attacks where an unprivileged user or process
+connects to the internal Zero server for the converge and changes data.
+
+If you use Chef Provisioning with Local Mode, you may need to pass `--listen` to
+`chef-client`.
+
+# 13.1
+
+No new major features.
+
+# 13.0
## Rubygems provider sources behavior changed.
@@ -85,6 +102,10 @@ The `inspec` and `train` gems are shipped by default in the chef omnibus
package, making it easier for users in airgapped environments to use
InSpec.
+## Properly support managing Sys-V services on Debian systemd hosts
+
+Chef now properly supports managing sys-v services on hosts running systemd. Previously Chef would incorrectly attempt to fallback to Upstart even if upstart was not installed.
+
## Backwards Compatibility Breaks
### Resource Cloning has been removed
@@ -384,3 +405,11 @@ The implementation switched to `shell_out_with_systems_locale` to match `execute
Chef Client will only exit with exit codes defined in RFC 062. This allows other tooling to respond to how a Chef run completes. Attempting to exit Chef Client with an unsupported exit code (either via `Chef::Application.fatal!` or `Chef::Application.exit!`) will result in an exit code of 1 (GENERIC_FAILURE) and a warning in the event log.
When Chef Client is running as a forked process on unix systems, the standardized exit codes are used by the child process. To actually have Chef Client return the standard exit code, `client_fork false` will need to be set in Chef Client's configuration file.
+
+## New Deprecations
+
+### Removal of support for Ohai version 6 plugins (OHAI-10)
+
+<https://docs.chef.io/deprecations_ohai_v6_plugins.html>
+
+In Chef/Ohai 14 (April 2018) we will remove support for loading Ohai v6 plugins, which we deprecated in Ohai 7/Chef 11.12.
diff --git a/VERSION b/VERSION
index e411c2f5a3..6f132a9241 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-13.1.21 \ No newline at end of file
+13.1.29 \ No newline at end of file
diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb
index 0666dd869d..beb78f25d0 100644
--- a/chef-config/lib/chef-config/config.rb
+++ b/chef-config/lib/chef-config/config.rb
@@ -381,10 +381,7 @@ module ChefConfig
# Whether Chef Zero local mode should bind to a port. All internal requests
# will go through the socketless code path regardless, so the socket is
# only needed if other processes will connect to the local mode server.
- #
- # For compatibility this is set to true but it will be changed to false in
- # the future.
- default :listen, true
+ default :listen, false
config_context :chef_zero do
config_strict_mode true
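Review bot: The comment above `default :listen, false` no longer explains the default: the hunk removes the compatibility remark and puts nothing in its place. The release notes in this same commit give the reason, so the comment could carry it, for example `# Defaults to false so that no other local user or process can connect to the Zero server during a converge; enabling it is deprecated.` The enclosing module continues outside the hunk.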
diff --git a/chef-config/lib/chef-config/version.rb b/chef-config/lib/chef-config/version.rb
index caa5cf1167..c14bc6b4de 100644
--- a/chef-config/lib/chef-config/version.rb
+++ b/chef-config/lib/chef-config/version.rb
@@ -21,7 +21,7 @@
module ChefConfig
CHEFCONFIG_ROOT = File.expand_path("../..", __FILE__)
- VERSION = "13.1.21"
+ VERSION = "13.1.29"
end
#
diff --git a/lib/chef/application/client.rb b/lib/chef/application/client.rb
index c8dbd76019..3765821993 100644
--- a/lib/chef/application/client.rb
+++ b/lib/chef/application/client.rb
@@ -286,7 +286,7 @@ class Chef::Application::Client < Chef::Application
option :listen,
:long => "--[no-]listen",
:description => "Whether a local mode (-z) server binds to a port",
- :boolean => true
+ :boolean => false
option :fips,
:long => "--[no-]fips",
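Review bot: `:boolean => false` on the `--[no-]listen` option reads like a change of default, but `:boolean` describes the kind of option, and as far as I know mixlib-cli takes defaults from a `:default` key. The option is still an on/off switch by its `--[no-]` long form, and the new default already comes from `default :listen, false` in chef-config. If nothing else is intended, this line could stay `:boolean => true`; otherwise a short comment should say what `false` is meant to achieve. The same edit appears in the `option :listen` hunk of lib/chef/application/knife.rb.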
diff --git a/lib/chef/application/knife.rb b/lib/chef/application/knife.rb
index 521011348f..6a09427ccd 100644
--- a/lib/chef/application/knife.rb
+++ b/lib/chef/application/knife.rb
@@ -132,7 +132,7 @@ class Chef::Application::Knife < Chef::Application
option :listen,
:long => "--[no-]listen",
:description => "Whether a local mode (-z) server binds to a port",
- :boolean => true
+ :boolean => false
option :version,
:short => "-v",
diff --git a/lib/chef/application/solo.rb b/lib/chef/application/solo.rb
index 2705a930ae..f246b1946a 100644
--- a/lib/chef/application/solo.rb
+++ b/lib/chef/application/solo.rb
@@ -257,6 +257,7 @@ class Chef::Application::Solo < Chef::Application
end
Chef::Config[:local_mode] = true
+ Chef::Config[:listen] = false
else
configure_legacy_mode!
end
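Review bot: `Chef::Config[:listen] = false` is assigned unconditionally in the non-legacy branch, so an explicit `listen true` in the configuration would be overridden here without any message. If that is intended, a comment on the line should record it, for example `# non-legacy solo needs no external access to the Zero server, so always run socketless`. If it is not intended, the assignment should leave a user-supplied value alone. The method and the `if` that this `else` belongs to start outside the hunk.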
diff --git a/lib/chef/deprecated.rb b/lib/chef/deprecated.rb
index 04ecfe5a6e..372609c10a 100644
--- a/lib/chef/deprecated.rb
+++ b/lib/chef/deprecated.rb
@@ -238,6 +238,16 @@ class Chef
end
end
+ class LocalListen < Base
+ def id
+ 18
+ end
+
+ def target
+ "local_listen.html"
+ end
+ end
+
# id 3694 was deleted
class Generic < Base
diff --git a/lib/chef/local_mode.rb b/lib/chef/local_mode.rb
index 5ce17e6fb3..5630a54335 100644
--- a/lib/chef/local_mode.rb
+++ b/lib/chef/local_mode.rb
@@ -73,6 +73,7 @@ class Chef
@chef_zero_server = ChefZero::Server.new(server_options)
if Chef::Config[:listen]
+ Chef.deprecated(:local_listen, "Starting local-mode server in deprecated socket mode")
@chef_zero_server.start_background
else
@chef_zero_server.start_socketless
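Review bot: The text passed to `Chef.deprecated(:local_listen, ...)` says what is happening but not why it matters or how to turn it off. An operator reading the log would get more from a message like `"Local mode is binding a socket for the Zero server, which other local users or processes can connect to; this mode is deprecated, use --no-listen or set listen false"`. The enclosing method starts and ends outside the hunk.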
diff --git a/lib/chef/provider/breakpoint.rb b/lib/chef/provider/breakpoint.rb
deleted file mode 100644
index 9f8b8a6467..0000000000
--- a/lib/chef/provider/breakpoint.rb
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# Author:: Daniel DeLeo (<dan@kallistec.com>)
-# Copyright:: Copyright 2008-2017, Chef Software Inc.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-class Chef
- class Provider
- class Breakpoint < Chef::Provider
-
- provides :breakpoint
-
- def load_current_resource
- end
-
- def action_break
- if defined?(Shell) && Shell.running?
- run_context.resource_collection.iterator.pause
- new_resource.updated_by_last_action(true)
- run_context.resource_collection.iterator
- end
- end
-
- end
- end
-end
diff --git a/lib/chef/providers.rb b/lib/chef/providers.rb
index 41de44a1d6..0ea1786594 100644
--- a/lib/chef/providers.rb
+++ b/lib/chef/providers.rb
@@ -19,7 +19,6 @@
require "chef/provider/apt_update"
require "chef/provider/apt_repository"
require "chef/provider/batch"
-require "chef/provider/breakpoint"
require "chef/provider/cookbook_file"
require "chef/provider/cron"
require "chef/provider/cron/solaris"
diff --git a/lib/chef/resource/breakpoint.rb b/lib/chef/resource/breakpoint.rb
index a5eed0da94..be39dcadae 100644
--- a/lib/chef/resource/breakpoint.rb
+++ b/lib/chef/resource/breakpoint.rb
@@ -21,12 +21,24 @@ require "chef/resource"
class Chef
class Resource
class Breakpoint < Chef::Resource
+ provides :breakpoint
+ resource_name :breakpoinst
+
default_action :break
def initialize(action = "break", *args)
super(caller.first, *args)
end
+ action :break do
+ if defined?(Shell) && Shell.running?
+ with_run_context :parent do
+ run_context.resource_collection.iterator.pause
+ new_resource.updated_by_last_action(true)
+ run_context.resource_collection.iterator
+ end
+ end
+ end
end
end
end
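Review bot: `resource_name :breakpoinst` is misspelled and should be `resource_name :breakpoint`. As written, the declared name disagrees with the `provides :breakpoint` line directly above it. Anything that reports or resolves the resource through `resource_name` will presumably see the wrong symbol, and the misspelled name may also be registered as a usable DSL name.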
diff --git a/lib/chef/version.rb b/lib/chef/version.rb
index b3949bd3f2..db114e90d0 100644
--- a/lib/chef/version.rb
+++ b/lib/chef/version.rb
@@ -23,7 +23,7 @@ require 'chef/version_string'
class Chef
CHEF_ROOT = File.expand_path("../..", __FILE__)
- VERSION = Chef::VersionString.new("13.1.21")
+ VERSION = Chef::VersionString.new("13.1.29")
end
#
diff --git a/spec/functional/resource/chocolatey_package_spec.rb b/spec/functional/resource/chocolatey_package_spec.rb
index ce71c06229..e8dae581b9 100644
--- a/spec/functional/resource/chocolatey_package_spec.rb
+++ b/spec/functional/resource/chocolatey_package_spec.rb
@@ -18,7 +18,7 @@
require "spec_helper"
require "chef/mixin/powershell_out"
-describe Chef::Resource::ChocolateyPackage, :windows_only, :win2012r2_only do
+describe Chef::Resource::ChocolateyPackage, :windows_only, :choco_installed do
include Chef::Mixin::PowershellOut
let(:package_name) { "test-A" }
diff --git a/spec/functional/resource/windows_task_spec.rb b/spec/functional/resource/windows_task_spec.rb
index a04cbb5a83..14c78bd6be 100644
--- a/spec/functional/resource/windows_task_spec.rb
+++ b/spec/functional/resource/windows_task_spec.rb
@@ -396,7 +396,7 @@ describe Chef::Resource::WindowsTask, :windows_only do
end
end
- describe "action :end" do
+ describe "action :end", :volatile do
after { delete_task }
subject do
diff --git a/spec/unit/provider/breakpoint_spec.rb b/spec/unit/provider/breakpoint_spec.rb
deleted file mode 100644
index ffe8c8261f..0000000000
--- a/spec/unit/provider/breakpoint_spec.rb
+++ /dev/null
@@ -1,53 +0,0 @@
-#
-# Author:: Daniel DeLeo (<dan@kallistec.com>)
-# Copyright:: Copyright 2008-2016, Chef Software Inc.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-require "spec_helper"
-describe Chef::Provider::Breakpoint do
-
- before do
- @resource = Chef::Resource::Breakpoint.new
- @node = Chef::Node.new
- @events = Chef::EventDispatch::Dispatcher.new
- @run_context = Chef::RunContext.new(@node, {}, @events)
- @collection = double("resource collection")
- allow(@run_context).to receive(:resource_collection).and_return(@collection)
- @provider = Chef::Provider::Breakpoint.new(@resource, @run_context)
- end
-
- it "responds to load_current_resource" do
- expect(@provider).to respond_to(:load_current_resource)
- end
-
- it "gets the iterator from @collection and pauses it" do
- allow(Shell).to receive(:running?).and_return(true)
- @iterator = double("stepable_iterator")
- allow(@collection).to receive(:iterator).and_return(@iterator)
- expect(@iterator).to receive(:pause)
- @provider.action_break
- expect(@resource).to be_updated
- end
-
- it "doesn't pause the iterator if chef-shell isn't running" do
- allow(Shell).to receive(:running?).and_return(false)
- @iterator = double("stepable_iterator")
- allow(@collection).to receive(:iterator).and_return(@iterator)
- expect(@iterator).not_to receive(:pause)
- @provider.action_break
- end
-
-end
diff --git a/spec/unit/provider_resolver_spec.rb b/spec/unit/provider_resolver_spec.rb
index 0a504fa5fe..1902fb5375 100644
--- a/spec/unit/provider_resolver_spec.rb
+++ b/spec/unit/provider_resolver_spec.rb
@@ -554,7 +554,7 @@ describe Chef::ProviderResolver do
PROVIDERS =
{
bash: [ Chef::Resource::Bash, Chef::Provider::Script ],
- breakpoint: [ Chef::Resource::Breakpoint, Chef::Provider::Breakpoint ],
+ breakpoint: [ Chef::Resource::Breakpoint, Chef::Resource::Breakpoint.action_class ],
chef_gem: [ Chef::Resource::ChefGem, Chef::Provider::Package::Rubygems ],
cookbook_file: [ Chef::Resource::CookbookFile, Chef::Provider::CookbookFile ],
csh: [ Chef::Resource::Csh, Chef::Provider::Script ],
diff --git a/spec/unit/resource/breakpoint_spec.rb b/spec/unit/resource/breakpoint_spec.rb
index a5b27bae16..ce0df676dd 100644
--- a/spec/unit/resource/breakpoint_spec.rb
+++ b/spec/unit/resource/breakpoint_spec.rb
@@ -17,31 +17,48 @@
#
require "spec_helper"
-require "support/shared/unit/resource/static_provider_resolution"
describe Chef::Resource::Breakpoint do
- static_provider_resolution(
- resource: Chef::Resource::Breakpoint,
- provider: Chef::Provider::Breakpoint,
- name: :breakpoint,
- action: :break
- )
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:collection) { double("resource collection") }
+ let(:resource) { Chef::Resource::Breakpoint.new("name", run_context) }
+ let(:provider) { resource.provider_for_action(:break) }
before do
- @breakpoint = Chef::Resource::Breakpoint.new
+ allow(run_context).to receive(:resource_collection).and_return(collection)
+ end
+
+ it "gets the iterator from @collection and pauses it" do
+ allow(Shell).to receive(:running?).and_return(true)
+ iterator = double("stepable_iterator")
+ allow(collection).to receive(:iterator).and_return(iterator)
+ expect(iterator).to receive(:pause)
+ provider.action_break
+ expect(resource).to be_updated
+ end
+
+ it "doesn't pause the iterator if chef-shell isn't running" do
+ allow(Shell).to receive(:running?).and_return(false)
+ iterator = double("stepable_iterator")
+ allow(collection).to receive(:iterator).and_return(iterator)
+ expect(iterator).not_to receive(:pause)
+ provider.action_break
end
it "allows the action :break" do
- expect(@breakpoint.allowed_actions).to include(:break)
+ expect(resource.allowed_actions).to include(:break)
end
it "defaults to the break action" do
- expect(@breakpoint.action).to eq([:break])
+ expect(resource.action).to eq([:break])
end
it "names itself after the line number of the file where it's created" do
- expect(@breakpoint.name).to match(/breakpoint_spec\.rb\:[\d]{2}\:in \`new\'$/)
+ resource = Chef::Resource::Breakpoint.new
+ expect(resource.name).to match(/breakpoint_spec\.rb\:[\d]{2}\:in \`new\'$/)
end
end
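Review bot: Nothing in the rewritten spec asserts the resource's name now that the `static_provider_resolution(... name: :breakpoint ...)` check is removed, so the `resource_name :breakpoinst` typo in lib/chef/resource/breakpoint.rb goes unnoticed. An example such as `it "is named :breakpoint" do expect(resource.resource_name).to eq(:breakpoint) end` would pin it. Separately, the last example assigns a local `resource` that shadows the `let(:resource)`; a distinct name such as `unnamed` would make it clearer which object is under test.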