diff options
| author | Davin Taddeo <davin@chef.io> | 2020-06-20 20:30:11 -0400 |
|---|---|---|
| committer | Davin Taddeo <davin@chef.io> | 2020-06-20 20:30:11 -0400 |
| commit | 3294f747631108592f7a3130216c1a6ffc1a966a (patch) | |
| tree | 45a7bc87149b564f5cd8d8c8b19a872d2fd6cf38 | |
| parent | 328d9fcdb438f00385255cfeac9a129ad4a57ede (diff) | |
| parent | 7f23b35885cd842092a25f8607658384bfd01528 (diff) | |
| download | chef-3294f747631108592f7a3130216c1a6ffc1a966a.tar.gz | |
Merge branch 'master' of github.com:chef/chef into windows_firewall_profile
42 files changed, 789 insertions, 608 deletions
diff --git a/.expeditor/verify_public.pipeline.yml b/.expeditor/verify_public.pipeline.yml index ae750546f0..7d016140cd 100644 --- a/.expeditor/verify_public.pipeline.yml +++ b/.expeditor/verify_public.pipeline.yml @@ -577,6 +577,7 @@ steps: - ruby -rjson -e "JSON.parse(File.read('cspell.json'))" 2>/dev/null || (echo "Failed to parse config file 'cspell.json', skipping spellcheck" && exit 1) - npm install -g cspell - cspell "**/*" + soft_fail: true expeditor: executor: docker: diff --git a/CHANGELOG.md b/CHANGELOG.md index c219d56057..260e5f3e61 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,62 +1,81 @@ <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ --> -<!-- latest_release 16.2.36 --> -## [v16.2.36](https://github.com/chef/chef/tree/v16.2.36) (2020-06-15) +<!-- latest_release 16.2.48 --> +## [v16.2.48](https://github.com/chef/chef/tree/v16.2.48) (2020-06-18) #### Merged Pull Requests -- Improve resource documentation [#9995](https://github.com/chef/chef/pull/9995) ([tas50](https://github.com/tas50)) +- Add more examples to the resource code [#10020](https://github.com/chef/chef/pull/10020) ([tas50](https://github.com/tas50)) <!-- latest_release --> -<!-- release_rollup since=16.1.16 --> +<!-- release_rollup since=16.2.44 --> ### Changes not yet released to stable #### Merged Pull Requests -- Improve resource documentation [#9995](https://github.com/chef/chef/pull/9995) ([tas50](https://github.com/tas50)) <!-- 16.2.36 --> -- Add "most recent call first" to traceback message [#9967](https://github.com/chef/chef/pull/9967) ([zfjagann](https://github.com/zfjagann)) <!-- 16.2.35 --> -- Create windows_audit_policy resource [#9980](https://github.com/chef/chef/pull/9980) ([chef-davin](https://github.com/chef-davin)) <!-- 16.2.34 --> -- Fix how enforce_license is set in run method for chef-apply [#9963](https://github.com/chef/chef/pull/9963) ([ramereth](https://github.com/ramereth)) <!-- 16.2.33 --> -- Disable snap dokken tests for now [#9993](https://github.com/chef/chef/pull/9993) ([tas50](https://github.com/tas50)) <!-- 16.2.32 --> -- Use .match? not =~ when match values aren't necessary [#9989](https://github.com/chef/chef/pull/9989) ([tas50](https://github.com/tas50)) <!-- 16.2.31 --> -- Fix snap_package bugs [#9944](https://github.com/chef/chef/pull/9944) ([jaymzh](https://github.com/jaymzh)) <!-- 16.2.30 --> -- Small code cleanups in script/windows_script [#9979](https://github.com/chef/chef/pull/9979) ([phiggins](https://github.com/phiggins)) <!-- 16.2.29 --> -- Update with 2020 MVPs [#9985](https://github.com/chef/chef/pull/9985) ([Xorima](https://github.com/Xorima)) <!-- 16.2.28 --> -- Use /etc/chef for bootstrapping instead of ChefConfig [#9984](https://github.com/chef/chef/pull/9984) ([dheerajd-msys](https://github.com/dheerajd-msys)) <!-- 16.2.28 --> -- Stop producing packages for EOL Debian 8 [#9981](https://github.com/chef/chef/pull/9981) ([tas50](https://github.com/tas50)) <!-- 16.2.27 --> -- Allow for the latest net-ssh and ffi 1.13.1 [#9978](https://github.com/chef/chef/pull/9978) ([tas50](https://github.com/tas50)) <!-- 16.2.26 --> -- Warn during bootstrapping when using validation keys [#9974](https://github.com/chef/chef/pull/9974) ([tas50](https://github.com/tas50)) <!-- 16.2.25 --> -- Let the user know what protocol we're using in knife bootstrap [#9973](https://github.com/chef/chef/pull/9973) ([tas50](https://github.com/tas50)) <!-- 16.2.24 --> -- Add Windows 8 Tester [#9971](https://github.com/chef/chef/pull/9971) ([christopher-snapp](https://github.com/christopher-snapp)) <!-- 16.2.23 --> -- knife vault on windows 10 fails due to ERROR: Chef::Exceptions::InvalidDataBagPath [#9952](https://github.com/chef/chef/pull/9952) ([snehaldwivedi](https://github.com/snehaldwivedi)) <!-- 16.2.22 --> -- Add more resource docs + improve yaml generation [#9960](https://github.com/chef/chef/pull/9960) ([tas50](https://github.com/tas50)) <!-- 16.2.21 --> -- Fix wrong unit test exposed by cleaning up rspec deprecations. [#9961](https://github.com/chef/chef/pull/9961) ([phiggins](https://github.com/phiggins)) <!-- 16.2.20 --> -- Update train-core to the latest [#9959](https://github.com/chef/chef/pull/9959) ([tas50](https://github.com/tas50)) <!-- 16.2.19 --> -- Update to the chef_client_scheduled_task resource frequency_modify default functionality [#9920](https://github.com/chef/chef/pull/9920) ([chef-davin](https://github.com/chef-davin)) <!-- 16.2.18 --> -- Change script resources to use pipes rather than writing to temp files [#9932](https://github.com/chef/chef/pull/9932) ([phiggins](https://github.com/phiggins)) <!-- 16.2.17 --> -- Fix rspec warning about `not_to raise_error` with a specific exception. [#9937](https://github.com/chef/chef/pull/9937) ([phiggins](https://github.com/phiggins)) <!-- 16.2.16 --> -- update learn chef name, discourse name, and copyright year [#9958](https://github.com/chef/chef/pull/9958) ([bennyvasquez](https://github.com/bennyvasquez)) <!-- 16.2.16 --> -- Fix zypper_repository key handling on SLES 15+ [#9956](https://github.com/chef/chef/pull/9956) ([tas50](https://github.com/tas50)) <!-- 16.2.16 --> -- Add spellcheck to CI [#9957](https://github.com/chef/chef/pull/9957) ([phiggins](https://github.com/phiggins)) <!-- 16.2.15 --> -- Fixed Powershell_Package does not throw error when it cannot connect … [#9946](https://github.com/chef/chef/pull/9946) ([sanga1794](https://github.com/sanga1794)) <!-- 16.2.14 --> -- Pin FFI < 1.13 and bump inspec-core-bin to 4.19.2 [#9954](https://github.com/chef/chef/pull/9954) ([chef-expeditor[bot]](https://github.com/chef-expeditor[bot])) <!-- 16.2.13 --> -- Add nightly cleanup of orphaned test resources [#9943](https://github.com/chef/chef/pull/9943) ([christopher-snapp](https://github.com/christopher-snapp)) <!-- 16.2.12 --> -- archive_file: move ffi-libarchive into a simple helper method [#9951](https://github.com/chef/chef/pull/9951) ([tas50](https://github.com/tas50)) <!-- 16.2.11 --> -- archive_file: better handle mode property and deprecate Integer values [#9950](https://github.com/chef/chef/pull/9950) ([tas50](https://github.com/tas50)) <!-- 16.2.10 --> -- Add additional testing for macOS hosts [#9939](https://github.com/chef/chef/pull/9939) ([tas50](https://github.com/tas50)) <!-- 16.2.9 --> -- Set up CI with Azure Pipelines [#9894](https://github.com/chef/chef/pull/9894) ([btm](https://github.com/btm)) <!-- 16.2.9 --> -- Update chef-telemetry to 1.0.8 and InSpec to 4.19 [#9934](https://github.com/chef/chef/pull/9934) ([tas50](https://github.com/tas50)) <!-- 16.2.8 --> -- hostname: Improve the windows reboot message [#9927](https://github.com/chef/chef/pull/9927) ([tas50](https://github.com/tas50)) <!-- 16.2.7 --> -- hostname: Remove support for Solaris 5.10 [#9928](https://github.com/chef/chef/pull/9928) ([tas50](https://github.com/tas50)) <!-- 16.2.6 --> -- Make sure file is properly scoped in cron_access [#9931](https://github.com/chef/chef/pull/9931) ([tas50](https://github.com/tas50)) <!-- 16.2.5 --> -- Fix chefstyle violations. [#9929](https://github.com/chef/chef/pull/9929) ([phiggins](https://github.com/phiggins)) <!-- 16.2.4 --> -- Improve auto-generated docs [#9926](https://github.com/chef/chef/pull/9926) ([tas50](https://github.com/tas50)) <!-- 16.2.3 --> -- Update to ssl_verify_mode on remote_file [#9925](https://github.com/chef/chef/pull/9925) ([jaymzh](https://github.com/jaymzh)) <!-- 16.2.2 --> -- Update & add resource descriptions for documentation generation [#9923](https://github.com/chef/chef/pull/9923) ([tas50](https://github.com/tas50)) <!-- 16.2.1 --> -- Add ssl_verify option for remote_file [#9833](https://github.com/chef/chef/pull/9833) ([jaymzh](https://github.com/jaymzh)) <!-- 16.2.0 --> -- Add an input property to the execute resource for passing input on STDIN [#9910](https://github.com/chef/chef/pull/9910) ([phiggins](https://github.com/phiggins)) <!-- 16.1.19 --> -- Adds the homebrew_update resource [#9896](https://github.com/chef/chef/pull/9896) ([damacus](https://github.com/damacus)) <!-- 16.1.18 --> -- Chef-16.1 breaking change [#9890](https://github.com/chef/chef/pull/9890) ([lamont-granquist](https://github.com/lamont-granquist)) <!-- 16.1.17 --> +- Add more examples to the resource code [#10020](https://github.com/chef/chef/pull/10020) ([tas50](https://github.com/tas50)) <!-- 16.2.48 --> +- Fix for knife config use-profile doesn't validate that the profile exist [#10011](https://github.com/chef/chef/pull/10011) ([Vasu1105](https://github.com/Vasu1105)) <!-- 16.2.47 --> +- windows_security_policy was using resource_name instead of provides [#10018](https://github.com/chef/chef/pull/10018) ([chef-davin](https://github.com/chef-davin)) <!-- 16.2.46 --> +- Bump inspec-core-bin to 4.20.10 [#10017](https://github.com/chef/chef/pull/10017) ([chef-expeditor[bot]](https://github.com/chef-expeditor[bot])) <!-- 16.2.45 --> <!-- release_rollup --> <!-- latest_stable_release --> +## [v16.2.44](https://github.com/chef/chef/tree/v16.2.44) (2020-06-17) + +#### Merged Pull Requests +- Chef-16.1 breaking change [#9890](https://github.com/chef/chef/pull/9890) ([lamont-granquist](https://github.com/lamont-granquist)) +- Adds the homebrew_update resource [#9896](https://github.com/chef/chef/pull/9896) ([damacus](https://github.com/damacus)) +- Add an input property to the execute resource for passing input on STDIN [#9910](https://github.com/chef/chef/pull/9910) ([phiggins](https://github.com/phiggins)) +- Add ssl_verify option for remote_file [#9833](https://github.com/chef/chef/pull/9833) ([jaymzh](https://github.com/jaymzh)) +- Update & add resource descriptions for documentation generation [#9923](https://github.com/chef/chef/pull/9923) ([tas50](https://github.com/tas50)) +- Update to ssl_verify_mode on remote_file [#9925](https://github.com/chef/chef/pull/9925) ([jaymzh](https://github.com/jaymzh)) +- Improve auto-generated docs [#9926](https://github.com/chef/chef/pull/9926) ([tas50](https://github.com/tas50)) +- Fix chefstyle violations. [#9929](https://github.com/chef/chef/pull/9929) ([phiggins](https://github.com/phiggins)) +- Make sure file is properly scoped in cron_access [#9931](https://github.com/chef/chef/pull/9931) ([tas50](https://github.com/tas50)) +- hostname: Remove support for Solaris 5.10 [#9928](https://github.com/chef/chef/pull/9928) ([tas50](https://github.com/tas50)) +- hostname: Improve the windows reboot message [#9927](https://github.com/chef/chef/pull/9927) ([tas50](https://github.com/tas50)) +- Update chef-telemetry to 1.0.8 and InSpec to 4.19 [#9934](https://github.com/chef/chef/pull/9934) ([tas50](https://github.com/tas50)) +- Set up CI with Azure Pipelines [#9894](https://github.com/chef/chef/pull/9894) ([btm](https://github.com/btm)) +- Add additional testing for macOS hosts [#9939](https://github.com/chef/chef/pull/9939) ([tas50](https://github.com/tas50)) +- archive_file: better handle mode property and deprecate Integer values [#9950](https://github.com/chef/chef/pull/9950) ([tas50](https://github.com/tas50)) +- archive_file: move ffi-libarchive into a simple helper method [#9951](https://github.com/chef/chef/pull/9951) ([tas50](https://github.com/tas50)) +- Add nightly cleanup of orphaned test resources [#9943](https://github.com/chef/chef/pull/9943) ([christopher-snapp](https://github.com/christopher-snapp)) +- Pin FFI < 1.13 and bump inspec-core-bin to 4.19.2 [#9954](https://github.com/chef/chef/pull/9954) ([chef-expeditor[bot]](https://github.com/chef-expeditor[bot])) +- Fixed Powershell_Package does not throw error when it cannot connect … [#9946](https://github.com/chef/chef/pull/9946) ([sanga1794](https://github.com/sanga1794)) +- Add spellcheck to CI [#9957](https://github.com/chef/chef/pull/9957) ([phiggins](https://github.com/phiggins)) +- Fix zypper_repository key handling on SLES 15+ [#9956](https://github.com/chef/chef/pull/9956) ([tas50](https://github.com/tas50)) +- update learn chef name, discourse name, and copyright year [#9958](https://github.com/chef/chef/pull/9958) ([bennyvasquez](https://github.com/bennyvasquez)) +- Fix rspec warning about `not_to raise_error` with a specific exception. [#9937](https://github.com/chef/chef/pull/9937) ([phiggins](https://github.com/phiggins)) +- Change script resources to use pipes rather than writing to temp files [#9932](https://github.com/chef/chef/pull/9932) ([phiggins](https://github.com/phiggins)) +- Update to the chef_client_scheduled_task resource frequency_modify default functionality [#9920](https://github.com/chef/chef/pull/9920) ([chef-davin](https://github.com/chef-davin)) +- Update train-core to the latest [#9959](https://github.com/chef/chef/pull/9959) ([tas50](https://github.com/tas50)) +- Fix wrong unit test exposed by cleaning up rspec deprecations. [#9961](https://github.com/chef/chef/pull/9961) ([phiggins](https://github.com/phiggins)) +- Add more resource docs + improve yaml generation [#9960](https://github.com/chef/chef/pull/9960) ([tas50](https://github.com/tas50)) +- knife vault on windows 10 fails due to ERROR: Chef::Exceptions::InvalidDataBagPath [#9952](https://github.com/chef/chef/pull/9952) ([snehaldwivedi](https://github.com/snehaldwivedi)) +- Add Windows 8 Tester [#9971](https://github.com/chef/chef/pull/9971) ([christopher-snapp](https://github.com/christopher-snapp)) +- Let the user know what protocol we're using in knife bootstrap [#9973](https://github.com/chef/chef/pull/9973) ([tas50](https://github.com/tas50)) +- Warn during bootstrapping when using validation keys [#9974](https://github.com/chef/chef/pull/9974) ([tas50](https://github.com/tas50)) +- Allow for the latest net-ssh and ffi 1.13.1 [#9978](https://github.com/chef/chef/pull/9978) ([tas50](https://github.com/tas50)) +- Stop producing packages for EOL Debian 8 [#9981](https://github.com/chef/chef/pull/9981) ([tas50](https://github.com/tas50)) +- Use /etc/chef for bootstrapping instead of ChefConfig [#9984](https://github.com/chef/chef/pull/9984) ([dheerajd-msys](https://github.com/dheerajd-msys)) +- Update with 2020 MVPs [#9985](https://github.com/chef/chef/pull/9985) ([Xorima](https://github.com/Xorima)) +- Small code cleanups in script/windows_script [#9979](https://github.com/chef/chef/pull/9979) ([phiggins](https://github.com/phiggins)) +- Fix snap_package bugs [#9944](https://github.com/chef/chef/pull/9944) ([jaymzh](https://github.com/jaymzh)) +- Use .match? not =~ when match values aren't necessary [#9989](https://github.com/chef/chef/pull/9989) ([tas50](https://github.com/tas50)) +- Disable snap dokken tests for now [#9993](https://github.com/chef/chef/pull/9993) ([tas50](https://github.com/tas50)) +- Fix how enforce_license is set in run method for chef-apply [#9963](https://github.com/chef/chef/pull/9963) ([ramereth](https://github.com/ramereth)) +- Create windows_audit_policy resource [#9980](https://github.com/chef/chef/pull/9980) ([chef-davin](https://github.com/chef-davin)) +- Add "most recent call first" to traceback message [#9967](https://github.com/chef/chef/pull/9967) ([zfjagann](https://github.com/zfjagann)) +- Improve resource documentation [#9995](https://github.com/chef/chef/pull/9995) ([tas50](https://github.com/tas50)) +- Cron and Cron_d resource weekday property fixes [#10001](https://github.com/chef/chef/pull/10001) ([tas50](https://github.com/tas50)) +- Cleanup more resource examples [#10002](https://github.com/chef/chef/pull/10002) ([tas50](https://github.com/tas50)) +- Silence exception output in threaded test. [#10005](https://github.com/chef/chef/pull/10005) ([phiggins](https://github.com/phiggins)) +- Soft fail spellchecker in ci [#10003](https://github.com/chef/chef/pull/10003) ([phiggins](https://github.com/phiggins)) +- Fix for windows_audit_policy bug for when a value for the subcategory property isn't entered [#10007](https://github.com/chef/chef/pull/10007) ([chef-davin](https://github.com/chef-davin)) +- Update InSpec to 4.20.6 [#10008](https://github.com/chef/chef/pull/10008) ([tas50](https://github.com/tas50)) +- Bump ohai to 16.2.0 [#10009](https://github.com/chef/chef/pull/10009) ([chef-expeditor[bot]](https://github.com/chef-expeditor[bot])) +- Add a umask property for resources. [#10000](https://github.com/chef/chef/pull/10000) ([phiggins](https://github.com/phiggins)) +- Minor docs updates and MacOS -> macOS [#10010](https://github.com/chef/chef/pull/10010) ([tas50](https://github.com/tas50)) +- Update the list of allowed policies for the windows_security_policy resource [#10012](https://github.com/chef/chef/pull/10012) ([chef-davin](https://github.com/chef-davin)) +<!-- latest_stable_release --> + ## [v16.1.16](https://github.com/chef/chef/tree/v16.1.16) (2020-05-27) #### Merged Pull Requests @@ -75,7 +94,6 @@ - Windows functional test should be single-use [#9908](https://github.com/chef/chef/pull/9908) ([christopher-snapp](https://github.com/christopher-snapp)) - Update our usage of OpenSSL::Digest to avoid Ruby 3 breaking change [#9905](https://github.com/chef/chef/pull/9905) ([tas50](https://github.com/tas50)) - Pull in updated omnibus-software for rubygems perf patch [#9916](https://github.com/chef/chef/pull/9916) ([tas50](https://github.com/tas50)) -<!-- latest_stable_release --> ## [v16.1.0](https://github.com/chef/chef/tree/v16.1.0) (2020-05-15) diff --git a/Dockerfile b/Dockerfile index 15564d7042..4d7f5c3f79 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,7 +20,7 @@ LABEL maintainer="Chef Software, Inc. <docker@chef.io>" ARG EXPEDITOR_CHANNEL ARG CHANNEL=stable ARG EXPEDITOR_VERSION -ARG VERSION=16.1.16 +ARG VERSION=16.2.44 # Allow the build arg below to be controlled by either build arguments ENV VERSION ${EXPEDITOR_VERSION:-${VERSION}} diff --git a/Gemfile.lock b/Gemfile.lock index 15d0e36cd6..d31de7d338 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -8,10 +8,10 @@ GIT GIT remote: https://github.com/chef/ohai.git - revision: c01c03fba0834bcebb7f90c9c27dd720ab8b4a58 + revision: fd8167b01d6648f6751da3bc47f2d49bc621e0cc branch: master specs: - ohai (16.1.1) + ohai (16.2.0) chef-config (>= 12.8, < 17) chef-utils (>= 16.0, < 17) ffi (~> 1.9) @@ -28,12 +28,12 @@ GIT PATH remote: . specs: - chef (16.2.36) + chef (16.2.48) addressable bcrypt_pbkdf (= 1.1.0.rc1) bundler (>= 1.10) - chef-config (= 16.2.36) - chef-utils (= 16.2.36) + chef-config (= 16.2.48) + chef-utils (= 16.2.48) chef-vault chef-zero (>= 14.0.11) diff-lcs (~> 1.2, >= 1.2.4) @@ -62,12 +62,12 @@ PATH train-winrm (>= 0.2.5) tty-screen (~> 0.6) uuidtools (~> 2.1.5) - chef (16.2.36-universal-mingw32) + chef (16.2.48-universal-mingw32) addressable bcrypt_pbkdf (= 1.1.0.rc1) bundler (>= 1.10) - chef-config (= 16.2.36) - chef-utils (= 16.2.36) + chef-config (= 16.2.48) + chef-utils (= 16.2.48) chef-vault chef-zero (>= 14.0.11) diff-lcs (~> 1.2, >= 1.2.4) @@ -112,15 +112,15 @@ PATH PATH remote: chef-bin specs: - chef-bin (16.2.36) - chef (= 16.2.36) + chef-bin (16.2.48) + chef (= 16.2.48) PATH remote: chef-config specs: - chef-config (16.2.36) + chef-config (16.2.48) addressable - chef-utils (= 16.2.36) + chef-utils (= 16.2.48) fuzzyurl mixlib-config (>= 2.2.12, < 4.0) mixlib-shellout (>= 2.0, < 4.0) @@ -129,7 +129,7 @@ PATH PATH remote: chef-utils specs: - chef-utils (16.2.36) + chef-utils (16.2.48) GEM remote: https://rubygems.org/ @@ -139,7 +139,7 @@ GEM appbundler (0.13.2) mixlib-cli (>= 1.4, < 3.0) mixlib-shellout (>= 2.0, < 4.0) - ast (2.4.0) + ast (2.4.1) bcrypt_pbkdf (1.1.0.rc1) bcrypt_pbkdf (1.1.0.rc1-x64-mingw32) bcrypt_pbkdf (1.1.0.rc1-x86-mingw32) @@ -198,7 +198,7 @@ GEM htmlentities (4.3.4) httpclient (2.8.3) iniparse (1.5.0) - inspec-core (4.19.2) + inspec-core (4.20.10) addressable (~> 2.4) chef-telemetry (~> 1.0) faraday (>= 0.9.0) @@ -219,12 +219,12 @@ GEM sslshake (~> 1.2) term-ansicolor (~> 1.7) thor (>= 0.20, < 2.0) - tomlrb (~> 1.2) + tomlrb (~> 1.2.0) train-core (~> 3.0) tty-prompt (~> 0.17) tty-table (~> 0.10) - inspec-core-bin (4.19.2) - inspec-core (= 4.19.2) + inspec-core-bin (4.20.10) + inspec-core (= 4.20.10) ipaddress (0.8.3) iso8601 (0.12.1) json (2.3.0) @@ -271,7 +271,7 @@ GEM net-ssh (>= 2.6.5) net-ssh-gateway (>= 1.2.0) nori (2.6.0) - parallel (1.19.1) + parallel (1.19.2) parser (2.7.1.3) ast (~> 2.4.0) parslet (1.8.2) @@ -293,7 +293,7 @@ GEM binding_of_caller (~> 0.7) pry (~> 0.13) public_suffix (4.0.5) - rack (2.2.2) + rack (2.2.3) rainbow (3.0.0) rake (13.0.1) rb-readline (0.5.5) @@ -337,7 +337,7 @@ GEM safe_yaml (1.0.5) semverse (3.0.0) slop (3.6.0) - sslshake (1.3.0) + sslshake (1.3.1) strings (0.1.8) strings-ansi (~> 0.1) unicode-display_width (~> 1.5) @@ -352,7 +352,7 @@ GEM thor (1.0.1) tins (1.25.0) sync - tomlrb (1.3.0) + tomlrb (1.2.9) train-core (3.3.1) addressable (~> 2.5) ffi (!= 1.13.0) diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index d6f49140f4..763a581331 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md @@ -1,6 +1,127 @@ This file holds "in progress" release notes for the current release under development and is intended for consumption by the Chef Documentation team. Please see <https://docs.chef.io/release_notes/> for the official Chef release notes. -# Chef Infra Client 16.1.16 +# What's New in 16.2 + +## Breaking Change in Resources + +In Chef Infra Client 16.0, we changed the way that custom resource names are applied in order to resolve some longstanding edge-cases. This change had several unintended side effects, so we're further changing how custom names are set in this release of Chef Infra Client. + +Previously you could set a custom name for a resource via `resource_name` and under the hood this would also magically set the `provides` for the resource. Magic is great when it works, but is confusing when it doesn't. We've decided to remove some of this magic and instead rely on more explicit `provides` statements in resources. For cookbooks that support just Chef Infra Client 16 and later, you should change any `resource_name` calls to `provides` instead. If you need to support older releases of Chef Infra Client as well as 16+, you'll want to include both `resource_name` and `provides` for full compatibility. + +**Pre-16 code:** + +```ruby +resource_name :foo +``` + +**Chef Infra Client 16+ code** + +```ruby +provides :foo +``` + +**Chef Infra Client < 16 backwards compatible code** + +```ruby +resource_name :foo +provides :foo +``` + +We've introduced several Cookstyle rules to detect both custom resources and legacy HWRPs that need to be updated for this change: + +**[ChefDeprecations/ResourceUsesOnlyResourceName](https://github.com/chef/cookstyle/blob/master/docs/cops_chefdeprecations.md#chefdeprecationsresourceusesonlyresourcename)**: detects resources that only set resource_name and automatically adds a provides call as well. + +**[ChefDeprecations/HWRPWithoutProvides](https://github.com/chef/cookstyle/blob/master/docs/cops_chefdeprecations.md#chefdeprecationshwrpwithoutprovides)**: detects legacy HWRPs that don't include the necessary provides and resource_name calls for Chef Infra Client 16. + +## Chef InSpec 4.20.6 + +Chef InSpec has been updated from 4.18.114 to 4.2.0.6. This new release includes the following improvements: + +- Develop your own Chef InSpec Reporter plugins to control how Chef InSpec will report result data. +- The `inspec archive` command packs your profile into a `tar.gz` file that includes the profile in JSON form as the inspec.json file. +- Certain substrings within a `.toml` file no longer cause unexpected crashes. +- Accurate InSpec CLI input parsing for numeric values and structured data, which were previously treated as strings. Numeric values are cast to an `integer` or `float` and `YAML` or `JSON` structures are converted to a hash or an array. +- Suppress deprecation warnings on inspec exec with the `--silence-deprecations` option. + +## New Resources + +### windows_audit_policy + +The `windows_audit_policy` resource is used to configure system-level and per-user Windows advanced audit policy settings. See the [windows_audit_policy Documentation](https://docs.chef.io/resources/windows_audit_policy/) for complete usage information. + +For example, you can enable auditing of successful credential validation: + +```ruby +windows_audit_policy "Set Audit Policy for 'Credential Validation' actions to 'Success'" do + subcategory 'Credential Validation' + success true + failure false + action :set +end +``` + +### homebrew_update + +The `homebrew_update` resource is used to update the available package cache for the Homebrew package system similar to the behavior of the `apt_update` resource. See the [homebrew_update Documentation](https://docs.chef.io/resources/homebrew_update/) for complete usage information. Thanks for adding this new resource, [@damacus](http://github.com/damacus). + +## Resource Updates + +### All resources now include umask property + +All resources, including custom resources, now have a `umask` property which allows you to specify a umask for file creation. If not specified the system default will continue to be used. + +### archive_file + +The `archive_file` resource has been updated with two important fixes. The resource will no longer fail with uninitialized constant errors under some scenarios. Additionally, the behavior of the `mode` property has been improved to prevent incorrect file modes from being applied to the decompressed files. Due to how file modes and Integer values are processed in Ruby, this resource will now produce a deprecation warning if integer values are passed. Using string values lets us accurately pass values such as '644' or '0644' without ambiguity as to the user's intent. Thanks for reporting these issues [@sfiggins](http://github.com/sfiggins) and [@hammerhead](http://github.com/hammerhead). + +### chef_client_scheduled_task + +The `chef_client_scheduled_task` resource has been updated to default the `frequency_modifier` property to `30` if the `frequency` property is set to `minutes`, otherwise it still defaults to `1`. This provides a more predictable schedule behavior for users. + +### cron / cron_d + +The `cron` and `cron_d` resources have been updated using the new Custom Resource Partials functionality introduced in Chef Infra Client 16. This has allowed us to standardize the properties used to declare cron job timing between the two resources. The timing properties in both resources all accept the same types and ranges, and include the same validation, which makes moving from `cron` to `cron_d` seamless. + +### cron_access + +The `cron_access` resource has been updated to support Solaris and AIX systems. Thanks [@aklyachkin](http://github.com/aklyachkin). + +### execute + +The `execute` resource has a new `input` property which allows you to pass `stdin` input to the command being executed. + +### powershell_package + +The `powershell_package` resource has been updated to use TLS 1.2 when communicating with the PowerShell Gallery on Windows Server 2012-2016. Previously this resource used the system default cipher suite which did not include TLS 1.2. The PowerShell Gallery now requires TLS 1.2 for all communication, which caused failures on Windows Server 2012-2016. Thanks for reporting this issue [@Xorima](http://github.com/Xorima). + +### remote_file + +The `remote_file` resource has a new property `ssl_verify_mode` which allows you to control SSL validation at the property level. This can be used to verify certificates (Chef Infra Client's defaults) with `:verify_peer` or to skip verification in the case of a self-signed certificate with `:verify_none`. Thanks [@jaymzh](http://github.com/jaymzh). + +### script + +The various `script` resources such as `bash` or `ruby` now pass the provided script content to the interpreter using system pipes instead of writing to a temporary file and executing it. Executing script content using pipes is faster, more secure as potentially sensitive scripts aren't written to disk, and bypasses issues around user privileges. + +### snap_package + +Multiple issues with the `snap_package` resource have been resolved, including an infinite wait that occurred, and issues with specifying the package version or channel. Thanks [@jaymzh](http://github.com/jaymzh). + +### zypper_repository + +The `zypper_repository` resource has been updated to work with the newer release of GPG in openSUSE 15 and SLES 15. This prevents failures when importing GPG keys in the resource. + +## Knife bootstrap updates + +- Knife bootstrap will now warn when bootstrapping a system using a validation key. Users should instead use `validatorless bootstrapping` with `knife bootstrap` which generates node and client keys using the client key of the user bootstrapping the node. This method is far more secure as an org-wide validation key does not not need to be distributed or rotated. Users can switch to `validatorless bootstrapping` by removing any `validation_key` entries in their `config.rb (knife.rb)` file. +- Resolved an error bootstrapping Linux nodes from Windows hosts +- Improved information messages during the bootstrap process + +## Platform Packages + +- Debian 8 packages are no longer being produced as Debian 8 is now end-of-life. +- We now produce Windows 8 packages + +# What's New in 16.1.16 This release resolves high-priority bugs in the 16.1 release of Chef Infra Client: @@ -16,7 +137,7 @@ This release resolves high-priority bugs in the 16.1 release of Chef Infra Clien openSSL has been updated from 1.0.2u to 1.0.2v which does not address any particular CVEs, but includes multiple security hardening updates. -# Chef Infra Client 16.1 +# What's New in 16.1 ## Ohai 16.1 @@ -40,7 +161,7 @@ Chef Infra Client packages are now produced for Debian 10 on the aarch64 archite - The `:disable` action in the `launchd` resource no longer fails if the plist was not found. - Several Ruby 2.7 deprecation warnings have been resolved. -# Chef Infra Client 16.0.287 +# What's New in 16.0.287 The Chef Infra Client 16.0.287 release includes important bug fixes for the Chef Infra Client 16 release: @@ -51,7 +172,7 @@ The Chef Infra Client 16.0.287 release includes important bug fixes for the Chef - Fixes the incorrectly spelled `knife user invite recind` command to be `knife user invite rescind`. <!-- cspell:disable-line !--> - Update Chef InSpec to 4.8.111 with several minor improvements. -# Chef Infra Client 16.0.275 +# What's New in 16.0.275 The Chef Infra Client 16.0.275 release includes important regression fixes for the Chef Infra Client 16 release: @@ -62,7 +183,7 @@ The Chef Infra Client 16.0.275 release includes important regression fixes for t - The `knife yaml convert` command now correctly converts symbol values. - The `sysctl`, `apt_preference`, and `cron_d` remove actions no longer fail with missing property warnings. -# Chef Infra Client 16.0 +# What's New in 16.0 ## Breaking Changes @@ -151,7 +272,7 @@ depends 'windows', '>> 1.0' ### Logging Improvements May Cause Behavior Changes -We've make low level changes to how logging behaves in Chef Infra Client that resolves many complaints we've heard of the years. With these change you'll now see the same logging output when you run `chef-client` on the command line as you will in logs from a daemonized client run. This also corrects often confusing behavior where running `chef-client` on the command line would log to the console, but not to the log file location defined your `client.rb`. In that scenario you'll now see logs in your console and in your log file. We believe this is the expected behavior and will mean that your on-disk log files can always be the source of truth for changes that were made by Chef Infra Client. This may cause unexpected behavior changes for users that relied on using the command line flags to override the `client.rb` log location - in this case logging will be sent to *both* the locations in `client.rb` and on the command line. If you have daemons running that log using the command line options you want to make sure that `client.rb` log location either matches or isn't defined. +We've made low level changes to how logging behaves in Chef Infra Client that resolves many complaints we've heard of the years. With these change you'll now see the same logging output when you run `chef-client` on the command line as you will in logs from a daemonized client run. This also corrects often confusing behavior where running `chef-client` on the command line would log to the console, but not to the log file location defined your `client.rb`. In that scenario you'll now see logs in your console and in your log file. We believe this is the expected behavior and will mean that your on-disk log files can always be the source of truth for changes that were made by Chef Infra Client. This may cause unexpected behavior changes for users that relied on using the command line flags to override the `client.rb` log location - in this case logging will be sent to *both* the locations in `client.rb` and on the command line. If you have daemons running that log using the command line options you want to make sure that `client.rb` log location either matches or isn't defined. ### Red Hat / CentOS 6 Systems Require C11 GCC for Some Gem Installations @@ -583,7 +704,7 @@ Several legacy Windows helpers have been deprecated as they will always return t - Chef::Platform.supports_powershell_execution_bypass? - Chef::Platform.windows_nano_server? -# Chef Infra Client 15.10 +# What's New in 15.10 ## Improvements @@ -613,7 +734,7 @@ Several legacy Windows helpers have been deprecated as they will always return t Chef Infra Client is now tested on Amazon Linux 2 running on x86_64 and aarch64 with packages available on the [Chef Downloads Page](https://downloads.chef.io/chef). -# Chef Infra Client 15.9 +# What's New in 15.9 ## Chef InSpec 4.18.100 @@ -677,7 +798,7 @@ libarchive has been updated from 3.4.0 to 3.4.2 to resolve multiple security vul - [CVE-2019-19221](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19221): archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call - [CVE-2020-9308](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9308): archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header -# Chef Infra Client 15.8 +# What's New in 15.8 ## New notify_group functionality @@ -840,7 +961,7 @@ vm.swappiness = 10 Each binary in the macOS Chef Infra Client installation is now signed to improve the integrity of the installation and ensure compatibility with macOS Catalina security requirements. -# Chef Infra Client 15.7 +# What's New in 15.7 ## Updated Resources @@ -914,7 +1035,7 @@ Returns `true` if the system is a Windows Server Core edition. OpenSSL has been updated to 1.0.2u to resolve [CVE-2019-1551](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551) -# Chef Infra Client 15.6 +# What's New in 15.6 ## Updated Resources @@ -946,13 +1067,13 @@ We've further optimized our install footprint and reduced the size of `/opt/chef Ohai 15.6 includes new `node['filesystem2']` data on Windows hosts. Fileystem2 presents filesystem data by both mountpoint and by device name. This data structure matches that of the filesystem plugin on Linux and other *nix operating systems. Thanks [@jaymzh](https://github.com/jaymzh) for this new data structure. -# Chef Infra Client 15.5.15 +# What's New in 15.5.15 The Chef Infra Client 15.5.15 release includes fixes for two regressions. A regression in the `build_essential` resource caused failures on `rhel` platforms and a second regression caused Chef Infra Client to fail when starting with `enforce_path_sanity` enabled. As part of this fix we've added a new property, `raise_if_unsupported`, to the `build-essential` resource. Instead of silently continuing, this property will fail a Chef Infra Client run if an unknown platform is encountered. We've also updated the `windows_package` resource. The resource will now provide better error messages if invalid options are passed to the `installer_type` property and the `checksum` property will now accept uppercase SHA256 checksums. -# Chef Infra Client 15.5.9 +# What's New in 15.5.9 ## New Cookbook Helpers @@ -1024,7 +1145,7 @@ The `windows_firewall` resource has been updated to support passing in an array libxslt has been updated to 1.1.34 to resolve [CVE-2019-13118](https://nvd.nist.gov/vuln/detail/CVE-2019-13118). -# Chef Infra Client 15.4 +# What's New in 15.4 ## converge_if_changed Improvements @@ -1109,7 +1230,7 @@ Ruby has been updated from 2.6.4 to 2.6.5 in order to resolve the following CVEs - [CVE-2019-15845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845): A NUL injection vulnerability of File.fnmatch and File.fnmatch? - [CVE-2019-16201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201): Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication -# Chef Infra Client 15.3 +# What's New in 15.3 ## Custom Resource Unified Mode @@ -1210,7 +1331,7 @@ openssl has been updated from 1.0.2s to 1.0.2t in order to resolve [CVE-2019-156 nokogiri has been updated from 1.10.2 to 1.10.4 in order to resolve [CVE-2019-5477](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477) -# Chef Infra Client 15.2 +# What's New in 15.2 ## Updated Resources @@ -1272,7 +1393,7 @@ Chef InSpec has been updated from 4.6.4 to 4.10.4 with the following changes: bzip2 has been updated from 1.0.6 to 1.0.8 to resolve [CVE-2016-3189](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189) and [CVE-2019-12900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900). -# Chef Infra Client 15.1 +# What's New in 15.1 ## New Resources @@ -1320,13 +1441,13 @@ Chef InSpec has been updated from 4.3.2 to 4.6.4 with the following changes: - When fetching profiles from GitHub, the URL can now include periods. - The performance of InSpec startup has been improved. -# Chef Infra Client 15.0.300 +# What's New in 15.0.300 This release includes critical bugfixes for the 15.0 release: - Fix `knife bootstrap` over SSH when `requiretty` is configured on the host. - Added the `--chef-license` CLI flag to `chef-apply` and `chef-solo` commands. -# Chef Infra Client 15.0.298 +# What's New in 15.0.298 This release includes critical bugfixes for the 15.0 release: - Allow accepting the license on non-interactive Windows sessions @@ -1336,7 +1457,7 @@ This release includes critical bugfixes for the 15.0 release: - Avoid failures due to Train::Transports::SSHFailed class not being loaded in `knife bootstrap` - Resolve failures using the ca_trust_file option with `knife bootstrap` -# Chef Infra Client 15.0.293 +# What's New in 15.0.293 ## Chef Client is now Chef Infra Client @@ -1745,7 +1866,7 @@ The `refresh_plugins` method in the `Ohai::System` class has been removed as it The `Virtualization` plugin will no longer detect systems running on the circa ~2005 VirtualPC or VirtualServer hypervisors. These hypervisors were long ago deprecated by Microsoft and support can no longer be tested. -# Chef Client Release Notes 14.15 +# What's New in 14.15 ## Updated Resources @@ -1769,8 +1890,8 @@ Chef Infra Client is now tested against the following platforms with packages av ### Retired Platforms - - Chef Infra Clients packages are no longer produced for Windows 2008 R2 as this release reached its end of life on Jan 14th, 2020. - - Chef Infra Client packages are no longer produced for RHEL 6 on the s390x platform. +- Chef Infra Clients packages are no longer produced for Windows 2008 R2 as this release reached its end of life on Jan 14th, 2020. +- Chef Infra Client packages are no longer produced for RHEL 6 on the s390x platform. ## Security Updates @@ -1782,17 +1903,16 @@ OpenSSL has been updated to 1.0.2u to resolve [CVE-2019-1551](https://cve.mitre. Ruby has been updated from 2.5.7 to 2.5.8 to resolve the following CVEs: - - [CVE-2020-16255](https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/): Unsafe Object Creation Vulnerability in JSON (Additional fix) - - [CVE-2020-10933](https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/): Heap exposure vulnerability in the socket library - +- [CVE-2020-16255](https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/): Unsafe Object Creation Vulnerability in JSON (Additional fix) +- [CVE-2020-10933](https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/): Heap exposure vulnerability in the socket library -# Chef Client Release Notes 14.14.29 +# What's New in 14.14.29 ## Bug Fixes - - Fixed an error with the `service` and `systemd_unit` resources which would try to re-enable services with an indirect status. - - The `systemd_unit` resource now logs at the info level. - - Fixed knife config when it returned a `TypeError: no implicit conversion of nil into String` error. +- Fixed an error with the `service` and `systemd_unit` resources which would try to re-enable services with an indirect status. +- The `systemd_unit` resource now logs at the info level. +- Fixed knife config when it returned a `TypeError: no implicit conversion of nil into String` error. ## Security Updates @@ -1800,7 +1920,7 @@ Ruby has been updated from 2.5.7 to 2.5.8 to resolve the following CVEs: libxslt has been updated to 1.1.34 to resolve [CVE-2019-13118](https://nvd.nist.gov/vuln/detail/CVE-2019-13118). -# Chef Client Release Notes 14.14.25 +# What's New in 14.14.25 ## Bug Fixes @@ -1809,11 +1929,11 @@ libxslt has been updated to 1.1.34 to resolve [CVE-2019-13118](https://nvd.nist. - Fixed crash in knife when displaying a missing profile error message - Fixed knife subcommand --help not working as intended for some commands - Fixed knife ssh interactive mode exit error -- Fixed for `:day`` option not accepting integer value in the `windows_task` resource +- Fixed for `:day` option not accepting integer value in the `windows_task` resource - Fixed for `user` resource not handling a GID if it is specified as a string - Fixed the `ifconfig` resource to support interfaces with a `-` in the name -# Chef Client Release Notes 14.14 +## What's New in 14.14.14 ## Platform Updates @@ -1901,12 +2021,13 @@ Knife now fails with a descriptive error message when attempting to bootstrap no ### Ruby Ruby has been updated from 2.5.5 to 2.5.7 in order to resolve the following CVEs: - - [CVE-2012-6708](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6708) - - [CVE-2015-9251](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251). - - [CVE-2019-16201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845). - - [CVE-2019-15845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251). - - [CVE-2019-16254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254). - - [CVE-2019-16255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255). + +- [CVE-2012-6708](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6708) +- [CVE-2015-9251](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251). +- [CVE-2019-16201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845). +- [CVE-2019-15845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251). +- [CVE-2019-16254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254). +- [CVE-2019-16255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255). ### openssl @@ -1916,7 +2037,7 @@ openssl has been updated from 1.0.2s to 1.0.2t in order to resolve [CVE-2019-156 nokogiri has been updated from 1.10.2 to 1.10.4 in order to resolve [CVE-2019-5477](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477). -# Chef Infra Client Release Notes 14.13: +# What's New in 14.13 ## Updated Resources @@ -1957,7 +2078,7 @@ The `CHEF-25` deprecation for resource collisions between cookbooks and resource - openssl 1.0.2r -> 1.0.2s (bugfix only release) - cacerts 2019-01-23 -> 2019-05-15 -# Chef Client Release Notes 14.12.9: +# What's New in 14.12.9 ## License Acceptance Placeholder Flag @@ -1969,7 +2090,7 @@ In preparation for Chef Infra Client 15.0 we've added a placeholder `--chef-lice - You may now encrypt a previously unencrypted data bag. - Resolved a regression introduced in Chef Infra Client 14.12.3 that resulted in errors when managing Windows services -# Chef Infra Client Release Notes 14.12.3: +# What's New in 14.12.3 ## Updated Resources @@ -1988,7 +2109,7 @@ The windows_certificate resource now imports nested certificates while importing - InSpec 3.7.1 -> 3.9.0 - The unused windows-api gem is no longer bundled with Chef on Windows hosts -# Chef Infra Client Release Notes 14.11: +# What's New in 14.11 ## Updated Resources @@ -2035,14 +2156,15 @@ OpenSSL has been updated to 1.0.2r in order to resolve [CVE-2019-1559](https://c ### RubyGems RubyGems has been updated to 2.7.9 in order to resolve the following CVEs: - - [CVE-2019-8320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320): Delete directory using symlink when decompressing tar - - [CVE-2019-8321](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321): Escape sequence injection vulnerability in verbose - - [CVE-2019-8322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322): Escape sequence injection vulnerability in gem owner - - [CVE-2019-8323](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323): Escape sequence injection vulnerability in API response handling - - [CVE-2019-8324](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324): Installing a malicious gem may lead to arbitrary code execution - - [CVE-2019-8325](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325): Escape sequence injection vulnerability in errors -# Chef Client Release Notes 14.10: +- [CVE-2019-8320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320): Delete directory using symlink when decompressing tar +- [CVE-2019-8321](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321): Escape sequence injection vulnerability in verbose +- [CVE-2019-8322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322): Escape sequence injection vulnerability in gem owner +- [CVE-2019-8323](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323): Escape sequence injection vulnerability in API response handling +- [CVE-2019-8324](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324): Installing a malicious gem may lead to arbitrary code execution +- [CVE-2019-8325](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325): Escape sequence injection vulnerability in errors + +# What's New in 14.10 ## Updated Resources @@ -2076,7 +2198,7 @@ Chef's Audit mode was introduced in 2015 as a beta that needed to be enabled via Cookbook shadowing was deprecated in 0.10 and will be removed in Chef Infra Client 15 (April 2019). Cookbook shadowing allowed combining cookbooks within a mono-repo, so long as the cookbooks in question had the same name and were present in both the cookbooks directory and the site-cookbooks directory. -# Chef Client Release Notes 14.9: +# What's New in 14.9 ## Updated Resources @@ -2136,7 +2258,7 @@ InSpec has been updated from 3.0.64 to 3.2.6 with improved resources for auditin The necessary VC++ runtimes for the powershell_exec helper are now bundled with Chef to prevent failures on hosts that lacked the runtimes. -# Chef Client Release Notes 14.8: +# What's New in 14.8 ## Updated Resources @@ -2185,6 +2307,7 @@ A regression was resolved that prevented ChefSpec from testing the windows_task Detection of Linux guests running on Hyper-V has been improved. In addition, Linux guests on Hyper-V hypervisors will also now detect their hypervisor's hostname. Thank you [@safematix](https://github.com/safematix) for contributing this enhancement. Example `node['virtualization']` data: + ```json { "systems": { @@ -2218,10 +2341,11 @@ BSD-based systems can now detect guests running on KVM and Amazon's hypervisor w ### OpenSSL OpenSSL has been updated to 1.0.2q in order to resolve: -- Microarchitecture timing vulnerability in ECC scalar multiplication ([CVE-2018-5407](https://nvd.nist.gov/vuln/detail/CVE-2018-5407)) + +- Microarchitecture timing vulnerability in ECC scalar multiplication [CVE-2018-5407](https://nvd.nist.gov/vuln/detail/CVE-2018-5407) - Timing vulnerability in DSA signature generation ([CVE-2018-0734](https://nvd.nist.gov/vuln/detail/CVE-2018-0734)) -# Chef Client Release Notes 14.7: +# What's New in 14.7 ## New Resources @@ -2267,7 +2391,7 @@ macOS support has been added to the timezone resource. A regression in Chef 14.6's windows_task resource which resulted in tasks being created with the "Run only when user is logged on" option being set when created with a specific user other than SYSTEM, has been resolved. -# Chef Client Release Notes 14.6: +# What's New in 14.6 ## Smaller Package and Install Size @@ -2317,7 +2441,7 @@ end ## InSpec 3.0 -Inspec has been updated to version 3.0 with addition resources, exception handling, and a new plugin system. See https://blog.chef.io/2018/10/16/announcing-inspec-3-0/ for details. +Inspec has been updated to version 3.0 with addition resources, exception handling, and a new plugin system. See <https://blog.chef.io/2018/10/16/announcing-inspec-3-0/> for details. ## macOS Mojave (10.14) @@ -2357,19 +2481,21 @@ The system_profile plugin will be removed from Chef/Ohai 15 in April 2019. This ### Ruby 2.5.3 Ruby has been updated to from 2.5.1 to 2.5.3 to resolve multiple CVEs and bugs: + - [CVE-2018-16396](https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/) - [CVE-2018-16395](https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/) -# Chef Client Release Notes 14.5.33: +# What's New in 14.5.33 This release resolves a regression that caused the ``windows_ad_join`` resource to fail to run. It also makes the following additional fixes: - - The ``ohai`` resource's unused ``ohai_name`` property has been deprecated. This will be removed in Chef Infra Client 15.0. - - Error messages in the ``windows_feature`` resources have been improved. - - The ``windows_service`` resource will no longer log potentially sensitive information if the ``sensitive`` property is used. + +- The ``ohai`` resource's unused ``ohai_name`` property has been deprecated. This will be removed in Chef Infra Client 15.0. +- Error messages in the ``windows_feature`` resources have been improved. +- The ``windows_service`` resource will no longer log potentially sensitive information if the ``sensitive`` property is used. Thanks to @cpjones01, @kitforbes, and @dgreeninger for their help with this release. -# Chef Client Release Notes 14.5.27: +# What's New in 14.5.27 ## New Resources @@ -2402,11 +2528,12 @@ Thanks [@derekgroh](https://github.com/derekgroh) for contributing this new prop ## InSpec 2.2.102 InSpec has been updated from 2.2.70 to 2.2.102. This new version includes the following improvements: - - Support for using ERB templating within the .yml files - - HTTP basic auth support for fetching dependent profiles - - A new global attributes concept - - Better error handling with Automate reporting - - Vendor command now vendors profiles when using path:// + +- Support for using ERB templating within the .yml files +- HTTP basic auth support for fetching dependent profiles +- A new global attributes concept +- Better error handling with Automate reporting +- Vendor command now vendors profiles when using path:// ## Ohai 14.5 @@ -2428,7 +2555,7 @@ Ohai now properly handles relative paths to config files when running on the com The rubyzip gem has been updated to 1.2.2 to resolve [CVE-2018-1000544](https://www.cvedetails.com/cve/CVE-2018-1000544/) -# Chef Client Release Notes 14.4: +# What's New in 14.4 ## Knife configuration profile management commands @@ -2535,10 +2662,11 @@ Thank you [@dbresson](https://github.com/dbresson) for this contribution. ### OpenSSL OpenSSL updated to 1.0.2p to resolve: + - Client DoS due to large DH parameter ([CVE-2018-0732](https://nvd.nist.gov/vuln/detail/CVE-2018-0732)) - Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737](https://nvd.nist.gov/vuln/detail/CVE-2018-0737)) -# Chef Client Release Notes 14.3: +# What's New in 14.3 ## New Preview Resources Concept @@ -2734,7 +2862,7 @@ See [CHEF-26 Deprecation Page](https://docs.chef.io/deprecations_shell_out) for Chef Infra Client 15 will remove support for the legacy FreeBSD pkg format. We will continue to support the pkgng format introduced in FreeBSD 10. -# Chef Client Release Notes 14.2: +# What's New in 14.2: ## `ssh-agent` support for user keys @@ -2765,7 +2893,7 @@ Chef now bundles the inspec-core and train-core gems, which omit many cloud depe Ohai now detects the virtualization hypervisor `amazonec2` when running on Amazon's new C5/M5 instances. -# Chef Client Release Notes 14.1.12: +# What's New in 14.1.12 This release resolves a number of regressions in 14.1.1: @@ -2782,13 +2910,13 @@ This release resolves a number of regressions in 14.1.1: - `shard` plugin: work in FIPS compliant environments - `filesystem` plugin: Handle BSD platforms -# Chef Client Release Notes 14.1.1: +# What's New in 14.1.1 ## Platform Additions Enable Ubuntu-18.04 and Debian-9 tested chef-client packages. -# Chef Client Release Notes 14.1: +# What's New in 14.1 ## Windows Task @@ -2832,7 +2960,7 @@ The Shard plugin has been returned to a default plugin rather than an optional o A new plugin to enumerate SCSI devices has been added. This plugin is optional. -# Chef Client Release Notes 14.0.202: +# What's New in 14.0.202 This release of Chef 14 resolves several regressions in the Chef 14.0 release. @@ -2841,7 +2969,7 @@ This release of Chef 14 resolves several regressions in the Chef 14.0 release. - `yum_package` changed the order of `disablerepo` and `enablerepo` options - Depsolving large numbers of cookbooks with chef zero/local took a very long time -# Chef Client Release Notes 14.0: +# What's New in 14.0 ## New Resources @@ -3259,7 +3387,7 @@ optional_plugins in the client.rb file: optional_plugins [ "lspci", "passwd" ] ``` -# Chef Client Release Notes 13.12.14 +# What's New in 13.12.14 ## Bugfixes @@ -3290,7 +3418,7 @@ RubyGems has been updated to 2.7.9 in order to resolve the following CVEs: - [CVE-2019-8324](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324): Installing a malicious gem may lead to arbitrary code execution - [CVE-2019-8325](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325): Escape sequence injection vulnerability in errors -# Chef Client Release Notes 13.12.3 +# What's New in 13.12.3 ## Smaller Package and Install Size @@ -3338,7 +3466,7 @@ Ruby has been updated to from 2.4.4 to 2.4.5 to resolve multiple CVEs as well as - [CVE-2018-16396](https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/) - [CVE-2018-16395](https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/) -# Chef Client Release Notes 13.11 +# What's New in 13.11 ### Sensitive Properties on Windows @@ -3362,7 +3490,7 @@ Ruby has been updated to from 2.4.4 to 2.4.5 to resolve multiple CVEs as well as - Updated Rubyzip to 1.2.2 to resolve [CVE-2018-1000544](https://nvd.nist.gov/vuln/detail/CVE-2018-1000544) -# Chef Client Release Notes 13.10 +# What's New in 13.10 ## Bugfixes @@ -3381,7 +3509,7 @@ Ruby has been updated to from 2.4.4 to 2.4.5 to resolve multiple CVEs as well as - CVE-2018-1000201: DLL loading issue which can be hijacked on Windows OS -# Chef Client Release Notes 13.9.X: +# What's New in 13.9.X: ## Security Updates @@ -3425,13 +3553,13 @@ The whitelist of DMI IDs is now user configurable using the `additional_dmi_ids` The Filesystem2 functionality has been backported to BSD systems to provide a consistent filesystem format. -# Chef Client Release Notes 13.9.1: +# What's New in 13.9.1: ## Platform Additions Enable Ubuntu-18.04 and Debian-9 tested chef-client packages. -# Chef Client Release Notes 13.9: +# What's New in 13.9: - On Windows, the installer now correctly re-extracts files during repair mode - The mount resource will now not create duplicate entries when the device type differs @@ -3509,7 +3637,7 @@ end - Use the current Azure metadata endpoint - Correctly detect macOS guests on VMware and VirtualBox -# Chef Client Release Notes 13.8: +# What's New in 13.8: ## Revert attributes changes from 13.7 @@ -3523,7 +3651,7 @@ Per <https://discourse.chef.io/t/regression-in-chef-client-13-7-16/12518/1> , th - Updated libxml2 to 2.9.7; fixes: CVE-2017-15412 -# Chef Client Release Notes 13.7: +# What's New in 13.7: ## The `windows_task` Resource should be better behaved @@ -3586,7 +3714,7 @@ The EC2 plugin has been updated to properly detect the new AWS hypervisor used i The mdadm plugin has been updated to properly handle arrays with more than 10 disks and to properly handle journal and spare drives in the disk counts -# Chef Client Release Notes 13.6.4: +# What's New in 13.6.4: ## Bugfixes @@ -3597,7 +3725,7 @@ The mdadm plugin has been updated to properly handle arrays with more than 10 di - OpenSSL has been upgraded to 1.0.2m to resolve CVE-2017-3735 and CVE-2017-3736 - RubyGems has been upgraded to 2.6.14 to resolve CVE-2017-0903 -# Chef Client Release Notes 13.6: +# What's New in 13.6: ## `deploy` Resource Is Deprecated @@ -3643,7 +3771,7 @@ The Packages plugin now supports gathering packages data on Amazon Linux In Ohai 13 we replaced the filesystem and cloud plugins with the filesystem2 and cloud_v2 plugins. To maintain compatibility with users of the previous V2 plugins we write data to both locations. We had originally planned to continue writing data to both locations until Chef Infra Client 15. Instead due to the large amount of duplicate node data this introduces we are updating OHAI-11 and OHAI-12 deprecations to remove node['cloud_v2'] and node['filesystem2'] with the release of Chef 14 in April 2018. -# Chef Client Release Notes 13.5: +# What's New in 13.5: ## Mount's password property is now marked as sensitive @@ -3665,7 +3793,7 @@ Previously we would ignore routes that ended `::`, and now we properly detect th Debug logs will show the length of time each plugin takes to run, making debugging of long ohai runs easier. -# Chef Client Release Notes 13.4: +# What's New in 13.4: ## Security release of Ruby @@ -3881,7 +4009,7 @@ Sample data now available under azure: The Package plugin has been updated to include package information on Arch Linux systems. -# Chef Client Release Notes 13.3: +# What's New in 13.3: ## Unprivileged Symlink Creation on Windows @@ -4002,7 +4130,7 @@ Ohai now properly detects the [F5 Big-IP](https://www.f5.com/) platform and plat - platform: bigip - platform_family: rhel -# Chef Client Release Notes 13.2: +# What's New in 13.2: ## Properly send policyfile data @@ -4389,7 +4517,7 @@ Chef Client will only exit with exit codes defined in RFC 062\. This allows othe When Chef Client is running as a forked process on unix systems, the standardized exit codes are used by the child process. To actually have Chef Client return the standard exit code, `client_fork false` will need to be set in Chef Client's configuration file. -# Chef Client Release Notes 12.22: +# What's New in 12.22: ## Security Updates @@ -4415,7 +4543,7 @@ The new LsPci plugin provides a node[:pci] hash with information about the PCI b The virtualization plugin has been updated to properly detect when running on Docker CE -# Chef Client Release Notes 12.21: +# What's New in 12.21: ## Security Fixes @@ -4467,7 +4595,7 @@ When Chef crashes, the output now includes details about the platform and version of Chef that was running, so that a bug report has more detail from the off. -# Chef Client Release Notes 12.19: +# What's New in 12.19: ## Highlighted enhancements for this release: @@ -1 +1 @@ -16.2.36
\ No newline at end of file +16.2.48
\ No newline at end of file diff --git a/azure-pipelines.yml b/azure-pipelines.yml index a40fba3f9f..f808fa6ff9 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -1,4 +1,4 @@ -# End-to-End Test of Chef in MacOS +# End-to-End Test of Chef in macOS variables: FORCE_FFI_YAJL: 'ext' diff --git a/chef-bin/lib/chef-bin/version.rb b/chef-bin/lib/chef-bin/version.rb index e740829915..9f1be8aa93 100644 --- a/chef-bin/lib/chef-bin/version.rb +++ b/chef-bin/lib/chef-bin/version.rb @@ -21,7 +21,7 @@ module ChefBin CHEFBIN_ROOT = File.expand_path("../..", __FILE__) - VERSION = "16.2.36".freeze + VERSION = "16.2.48".freeze end # diff --git a/chef-config/lib/chef-config/version.rb b/chef-config/lib/chef-config/version.rb index 0da772ff4c..f4b62d1427 100644 --- a/chef-config/lib/chef-config/version.rb +++ b/chef-config/lib/chef-config/version.rb @@ -15,5 +15,5 @@ module ChefConfig CHEFCONFIG_ROOT = File.expand_path("../..", __FILE__) - VERSION = "16.2.36".freeze + VERSION = "16.2.48".freeze end diff --git a/chef-utils/lib/chef-utils/version.rb b/chef-utils/lib/chef-utils/version.rb index b0da1db688..c8d63ef711 100644 --- a/chef-utils/lib/chef-utils/version.rb +++ b/chef-utils/lib/chef-utils/version.rb @@ -15,5 +15,5 @@ module ChefUtils CHEFUTILS_ROOT = File.expand_path("../..", __FILE__) - VERSION = "16.2.36".freeze + VERSION = "16.2.48".freeze end diff --git a/cspell.json b/cspell.json index e76e32973c..a5625ed840 100644 --- a/cspell.json +++ b/cspell.json @@ -2203,7 +2203,10 @@ "zypp", "Zypper", "zypper", - "Ásgeirsson" + "Ásgeirsson", + "damacus", + "sfiggins", + "aklyachkin" ], // flagWords - list of words to be always considered incorrect // This is useful for offensive words and common spelling errors. diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb index 2d228badfb..22f78db319 100644 --- a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb +++ b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb @@ -27,6 +27,11 @@ timezone "UTC" include_recipe "ntp" +windows_security_policy "EnableGuestAccount" do + secoption "EnableGuestAccount" + secvalue "1" +end + users_manage "remove sysadmin" do group_name "sysadmin" group_id 2300 diff --git a/lib/chef/knife/config_use_profile.rb b/lib/chef/knife/config_use_profile.rb index 134ae5e8b6..745a250523 100644 --- a/lib/chef/knife/config_use_profile.rb +++ b/lib/chef/knife/config_use_profile.rb @@ -33,17 +33,27 @@ class Chef end def run + credentials_data = self.class.config_loader.parse_credentials_file context_file = ChefConfig::PathHelper.home(".chef", "context").freeze profile = @name_args[0]&.strip - if profile && !profile.empty? + if profile.nil? || profile.empty? + show_usage + ui.fatal("You must specify a profile") + exit 1 + end + + if credentials_data.nil? || credentials_data.empty? + ui.fatal("No profiles found, #{self.class.config_loader.credentials_file_path} does not exist or is empty") + exit 1 + end + + if credentials_data[profile].nil? + raise ChefConfig::ConfigurationError, "Profile #{profile} doesn't exist. Please add it to #{self.class.config_loader.credentials_file_path} and if it is profile with DNS name check that you are not missing single quotes around it as per docs https://docs.chef.io/workstation/knife_setup/#knife-profiles." + else # Ensure the .chef/ folder exists. FileUtils.mkdir_p(File.dirname(context_file)) IO.write(context_file, "#{profile}\n") ui.msg("Set default profile to #{profile}") - else - show_usage - ui.fatal("You must specify a profile") - exit 1 end end diff --git a/lib/chef/provider/cron.rb b/lib/chef/provider/cron.rb index 8a978b7eca..622f8f5e63 100644 --- a/lib/chef/provider/cron.rb +++ b/lib/chef/provider/cron.rb @@ -15,7 +15,6 @@ # See the License for the specific language governing permissions and # limitations under the License. # - require_relative "../log" require_relative "../provider" @@ -27,8 +26,6 @@ class Chef SPECIAL_TIME_VALUES = %i{reboot yearly annually monthly weekly daily midnight hourly}.freeze CRON_ATTRIBUTES = %i{minute hour day month weekday time command mailto path shell home environment}.freeze - WEEKDAY_SYMBOLS = %i{sunday monday tuesday wednesday thursday friday saturday}.freeze - CRON_PATTERN = %r{\A([-0-9*,/]+)\s([-0-9*,/]+)\s([-0-9*,/]+)\s([-0-9*,/]+|[a-zA-Z]{3})\s([-0-9*,/]+|[a-zA-Z]{3})\s(.*)}.freeze SPECIAL_PATTERN = /\A(@(#{SPECIAL_TIME_VALUES.join('|')}))\s(.*)/.freeze ENV_PATTERN = /\A(\S+)=(\S*)/.freeze @@ -288,15 +285,6 @@ class Chef newcron.join("\n") end - - def weekday_in_crontab - weekday_in_crontab = WEEKDAY_SYMBOLS.index(new_resource.weekday) - if weekday_in_crontab.nil? - new_resource.weekday - else - weekday_in_crontab.to_s - end - end end end end diff --git a/lib/chef/provider/user/dscl.rb b/lib/chef/provider/user/dscl.rb index fade7097b5..4c056b00fd 100644 --- a/lib/chef/provider/user/dscl.rb +++ b/lib/chef/provider/user/dscl.rb @@ -536,7 +536,7 @@ in 'password', with the associated 'salt' and 'iterations'.") # We flush the cache here in order to make sure that we read fresh information # for the user. - shell_out("dscacheutil", "-flushcache") # FIXME: this is MacOS version dependent + shell_out("dscacheutil", "-flushcache") # FIXME: this is macOS version dependent begin user_plist_file = "#{USER_PLIST_DIRECTORY}/#{new_resource.username}.plist" diff --git a/lib/chef/resource.rb b/lib/chef/resource.rb index 2c63abeaa3..37e964a243 100644 --- a/lib/chef/resource.rb +++ b/lib/chef/resource.rb @@ -451,6 +451,17 @@ class Chef description: "Determines whether or not the resource is executed during the compile time phase.", default: false, desired_state: false + # Set a umask to be used for the duration of converging the resource. + # Defaults to `nil`, which means to use the system umask. + # + # @param arg [String] The umask to apply while converging the resource. + # @return [Boolean] The umask to apply while converging the resource. + # + property :umask, String, + desired_state: false, + introduced: "16.2", + description: "Set a umask to be used for the duration of converging the resource. Defaults to `nil`, which means to use the system umask." + # The time it took (in seconds) to run the most recently-run action. Not # cumulative across actions. This is set to 0 as soon as a new action starts # running, and set to the elapsed time at the end of the action. @@ -588,7 +599,9 @@ class Chef begin return if should_skip?(action) - provider_for_action(action).run_action + with_umask do + provider_for_action(action).run_action + end rescue StandardError => e if ignore_failure logger.error("#{custom_exception_message(e)}; ignore_failure is set, continuing") @@ -612,6 +625,13 @@ class Chef events.resource_completed(self) end + def with_umask + old_value = ::File.umask(umask.oct) if umask + yield + ensure + ::File.umask(old_value) if umask + end + # # If we are currently initializing the resource, this will be true. # diff --git a/lib/chef/resource/alternatives.rb b/lib/chef/resource/alternatives.rb index 58de3d5102..fe5af6b7b6 100644 --- a/lib/chef/resource/alternatives.rb +++ b/lib/chef/resource/alternatives.rb @@ -89,7 +89,7 @@ class Chef description: "The path to the alternatives link." property :path, String, - description: "The full path to the original application binary such as `/usr/bin/ruby27`." + description: "The absolute path to the original application binary such as `/usr/bin/ruby27`." property :priority, [String, Integer], coerce: proc { |n| n.to_i }, diff --git a/lib/chef/resource/cron.rb b/lib/chef/resource/cron.rb deleted file mode 100644 index 79cf5642af..0000000000 --- a/lib/chef/resource/cron.rb +++ /dev/null @@ -1,157 +0,0 @@ -# -# Author:: Bryan McLellan (btm@loftninjas.org) -# Author:: Tyler Cloke (<tyler@chef.io>) -# Copyright:: Copyright 2009-2016, Bryan McLellan -# License:: Apache License, Version 2.0 -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -require_relative "../resource" -require_relative "helpers/cron_validations" -require_relative "../provider/cron" # do not remove. we actually need this below - -class Chef - class Resource - class Cron < Chef::Resource - unified_mode true - provides :cron - - description "Use the **cron** resource to manage cron entries for time-based job scheduling. Properties for a schedule will default to * if not provided. The cron resource requires access to a crontab program, typically cron." - - state_attrs :minute, :hour, :day, :month, :weekday, :user - - default_action :create - allowed_actions :create, :delete - - def initialize(name, run_context = nil) - super - @month = "*" - @weekday = "*" - end - - property :minute, [Integer, String], - description: "The minute at which the cron entry should run (`0 - 59`).", - default: "*", callbacks: { - "should be a valid minute spec" => ->(spec) { Chef::ResourceHelpers::CronValidations.validate_numeric(spec, 0, 59) }, - } - - property :hour, [Integer, String], - description: "The hour at which the cron entry is to run (`0 - 23`).", - default: "*", callbacks: { - "should be a valid hour spec" => ->(spec) { Chef::ResourceHelpers::CronValidations.validate_numeric(spec, 0, 23) }, - } - - property :day, [Integer, String], - description: "The day of month at which the cron entry should run (`1 - 31`).", - default: "*", callbacks: { - "should be a valid day spec" => ->(spec) { Chef::ResourceHelpers::CronValidations.validate_numeric(spec, 1, 31) }, - } - - property :month, [Integer, String], - description: "The month in the year on which a cron entry is to run (`1 - 12`, `jan-dec`, or `*`).", - default: "*", callbacks: { - "should be a valid month spec" => ->(spec) { Chef::ResourceHelpers::CronValidations.validate_month(spec) }, - } - - def weekday(arg = nil) - if arg.is_a?(Integer) - converted_arg = arg.to_s - else - converted_arg = arg - end - begin - error_message = "You provided '#{arg}' as a weekday, acceptable values are " - error_message << Provider::Cron::WEEKDAY_SYMBOLS.map { |sym| ":#{sym}" }.join(", ") - error_message << " and a string in crontab format" - if (arg.is_a?(Symbol) && !Provider::Cron::WEEKDAY_SYMBOLS.include?(arg)) || - (!arg.is_a?(Symbol) && integerize(arg) > 7) || - (!arg.is_a?(Symbol) && integerize(arg) < 0) - raise RangeError, error_message - end - rescue ArgumentError - end - set_or_return( - :weekday, - converted_arg, - kind_of: [String, Symbol] - ) - end - - property :time, Symbol, - description: "A time interval.", - equal_to: Chef::Provider::Cron::SPECIAL_TIME_VALUES - - property :mailto, String, - description: "Set the `MAILTO` environment variable." - - property :path, String, - description: "Set the `PATH` environment variable." - - property :home, String, - description: "Set the `HOME` environment variable." - - property :shell, String, - description: "Set the `SHELL` environment variable." - - property :command, String, - description: "The command to be run, or the path to a file that contains the command to be run.", - identity: true - - property :user, String, - description: "The name of the user that runs the command. If the user property is changed, the original user for the crontab program continues to run until that crontab program is deleted. This property is not applicable on the AIX platform.", - default: "root" - - property :environment, Hash, - description: "A Hash containing additional arbitrary environment variables under which the cron job will be run in the form of `({'ENV_VARIABLE' => 'VALUE'})`.", - default: lazy { {} } - - TIMEOUT_OPTS = %w{duration preserve-status foreground kill-after signal}.freeze - TIMEOUT_REGEX = /\A\S+/.freeze - - property :time_out, Hash, - description: "A Hash of timeouts in the form of `({'OPTION' => 'VALUE'})`. - Accepted valid options are: - `preserve-status` (BOOL, default: 'false'), - `foreground` (BOOL, default: 'false'), - `kill-after` (in seconds), - `signal` (a name like 'HUP' or a number)", - default: lazy { {} }, - introduced: "15.7", - coerce: proc { |h| - if h.is_a?(Hash) - invalid_keys = h.keys - TIMEOUT_OPTS - unless invalid_keys.empty? - error_msg = "Key of option time_out must be equal to one of: \"#{TIMEOUT_OPTS.join('", "')}\"! You passed \"#{invalid_keys.join(", ")}\"." - raise Chef::Exceptions::ValidationFailed, error_msg - end - unless h.values.all? { |x| x =~ TIMEOUT_REGEX } - error_msg = "Values of option time_out should be non-empty string without any leading whitespace." - raise Chef::Exceptions::ValidationFailed, error_msg - end - h - elsif h.is_a?(Integer) || h.is_a?(String) - { "duration" => h } - end - } - - private - - def integerize(integerish) - Integer(integerish) - rescue TypeError - 0 - end - end - end -end diff --git a/lib/chef/resource/cron/_cron_shared.rb b/lib/chef/resource/cron/_cron_shared.rb new file mode 100644 index 0000000000..2f6a116a05 --- /dev/null +++ b/lib/chef/resource/cron/_cron_shared.rb @@ -0,0 +1,98 @@ +unified_mode true + +TIMEOUT_OPTS = %w{duration preserve-status foreground kill-after signal}.freeze +TIMEOUT_REGEX = /\A\S+/.freeze +WEEKDAYS = { + sunday: "0", monday: "1", tuesday: "2", wednesday: "3", thursday: "4", friday: "5", saturday: "6", + sun: "0", mon: "1", tue: "2", wed: "3", thu: "4", fri: "5", sat: "6" +}.freeze + +property :minute, [Integer, String], + description: "The minute at which the cron entry should run (`0 - 59`).", + default: "*", callbacks: { + "should be a valid minute spec" => ->(spec) { Chef::ResourceHelpers::CronValidations.validate_numeric(spec, 0, 59) }, + } + +property :hour, [Integer, String], + description: "The hour at which the cron entry is to run (`0 - 23`).", + default: "*", callbacks: { + "should be a valid hour spec" => ->(spec) { Chef::ResourceHelpers::CronValidations.validate_numeric(spec, 0, 23) }, + } + +property :day, [Integer, String], + description: "The day of month at which the cron entry should run (`1 - 31`).", + default: "*", callbacks: { + "should be a valid day spec" => ->(spec) { Chef::ResourceHelpers::CronValidations.validate_numeric(spec, 1, 31) }, + } + +property :month, [Integer, String], + description: "The month in the year on which a cron entry is to run (`1 - 12`, `jan-dec`, or `*`).", + default: "*", callbacks: { + "should be a valid month spec" => ->(spec) { Chef::ResourceHelpers::CronValidations.validate_month(spec) }, + } + +property :weekday, [Integer, String, Symbol], + description: "The day of the week on which this entry is to run (`0-7`, `mon-sun`, `monday-sunday`, or `*`), where Sunday is both `0` and `7`.", + default: "*", coerce: proc { |day| weekday_in_crontab(day) }, + callbacks: { + "should be a valid weekday spec" => ->(spec) { Chef::ResourceHelpers::CronValidations.validate_dow(spec) }, + } + +property :shell, String, + description: "Set the `SHELL` environment variable." + +property :path, String, + description: "Set the `PATH` environment variable." + +property :home, String, + description: "Set the `HOME` environment variable." + +property :mailto, String, + description: "Set the `MAILTO` environment variable." + +property :command, String, + description: "The command to be run, or the path to a file that contains the command to be run.", + identity: true, + required: [:create] + +property :user, String, + description: "The name of the user that runs the command.", + default: "root" + +property :environment, Hash, + description: "A Hash containing additional arbitrary environment variables under which the cron job will be run in the form of `({'ENV_VARIABLE' => 'VALUE'})`. **Note**: These variables must exist for a command to be run successfully.", + default: lazy { {} } + +property :time_out, Hash, + description: "A Hash of timeouts in the form of `({'OPTION' => 'VALUE'})`. Accepted valid options are: + - `preserve-status` (BOOL, default: 'false'), + - `foreground` (BOOL, default: 'false'), + - `kill-after` (in seconds), + - `signal` (a name like 'HUP' or a number)", + default: lazy { {} }, + introduced: "15.7", + coerce: proc { |h| + if h.is_a?(Hash) + invalid_keys = h.keys - TIMEOUT_OPTS + unless invalid_keys.empty? + error_msg = "Key of option time_out must be equal to one of: \"#{TIMEOUT_OPTS.join('", "')}\"! You passed \"#{invalid_keys.join(", ")}\"." + raise Chef::Exceptions::ValidationFailed, error_msg + end + unless h.values.all? { |x| x =~ TIMEOUT_REGEX } + error_msg = "Values of option time_out should be non-empty strings without any leading whitespace." + raise Chef::Exceptions::ValidationFailed, error_msg + end + h + elsif h.is_a?(Integer) || h.is_a?(String) + { "duration" => h } + end + } + +private +# Convert weekday input value into crontab format that +# could be written in the crontab +# @return [Integer, String] A weekday formed as per the user inputs. +def weekday_in_crontab(day) + weekday = day.to_s.downcase.to_sym + WEEKDAYS[weekday] || day +end diff --git a/lib/chef/resource/cron/cron.rb b/lib/chef/resource/cron/cron.rb new file mode 100644 index 0000000000..31d6efcfde --- /dev/null +++ b/lib/chef/resource/cron/cron.rb @@ -0,0 +1,46 @@ +# +# Author:: Bryan McLellan (btm@loftninjas.org) +# Author:: Tyler Cloke (<tyler@chef.io>) +# Copyright:: Copyright 2009-2016, Bryan McLellan +# License:: Apache License, Version 2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +require_relative "../../resource" +require_relative "../helpers/cron_validations" +require_relative "../../provider/cron" # do not remove. we actually need this below + +class Chef + class Resource + class Cron < Chef::Resource + unified_mode true + + use "cron_shared" + + provides :cron + + description "Use the **cron** resource to manage cron entries for time-based job scheduling. Properties for a schedule will default to * if not provided. The cron resource requires access to a crontab program, typically cron." + + state_attrs :minute, :hour, :day, :month, :weekday, :user + + default_action :create + allowed_actions :create, :delete + + property :time, Symbol, + description: "A time interval.", + equal_to: Chef::Provider::Cron::SPECIAL_TIME_VALUES + + end + end +end diff --git a/lib/chef/resource/cron_d.rb b/lib/chef/resource/cron/cron_d.rb index c60240acc2..3a913b22c3 100644 --- a/lib/chef/resource/cron_d.rb +++ b/lib/chef/resource/cron/cron_d.rb @@ -15,15 +15,18 @@ # limitations under the License. # -require_relative "../resource" -require_relative "helpers/cron_validations" +require_relative "../../resource" +require_relative "../helpers/cron_validations" require "shellwords" unless defined?(Shellwords) -require_relative "../dist" +require_relative "../../dist" class Chef class Resource class CronD < Chef::Resource unified_mode true + + use "cron_shared" + provides :cron_d introduced "14.4" @@ -98,92 +101,9 @@ class Chef description: "Schedule your cron job with one of the special predefined value instead of ** * pattern.", equal_to: %w{ @reboot @yearly @annually @monthly @weekly @daily @midnight @hourly } - property :minute, [Integer, String], - description: "The minute at which the cron entry should run (`0 - 59`).", - default: "*", callbacks: { - "should be a valid minute spec" => ->(spec) { Chef::ResourceHelpers::CronValidations.validate_numeric(spec, 0, 59) }, - } - - property :hour, [Integer, String], - description: "The hour at which the cron entry is to run (`0 - 23`).", - default: "*", callbacks: { - "should be a valid hour spec" => ->(spec) { Chef::ResourceHelpers::CronValidations.validate_numeric(spec, 0, 23) }, - } - - property :day, [Integer, String], - description: "The day of month at which the cron entry should run (`1 - 31`).", - default: "*", callbacks: { - "should be a valid day spec" => ->(spec) { Chef::ResourceHelpers::CronValidations.validate_numeric(spec, 1, 31) }, - } - - property :month, [Integer, String], - description: "The month in the year on which a cron entry is to run (`1 - 12`, `jan-dec`, or `*`).", - default: "*", callbacks: { - "should be a valid month spec" => ->(spec) { Chef::ResourceHelpers::CronValidations.validate_month(spec) }, - } - - property :weekday, [Integer, String], - description: "The day of the week on which this entry is to run (`0-7`, `mon-sun`, or `*`), where Sunday is both `0` and `7`.", - default: "*", callbacks: { - "should be a valid weekday spec" => ->(spec) { Chef::ResourceHelpers::CronValidations.validate_dow(spec) }, - } - - property :command, String, - description: "The command to run.", - required: [:create] - - property :user, String, - description: "The name of the user that runs the command.", - default: "root" - - property :mailto, String, - description: "Set the `MAILTO` environment variable in the cron.d file." - - property :path, String, - description: "Set the `PATH` environment variable in the cron.d file." - - property :home, String, - description: "Set the `HOME` environment variable in the cron.d file." - - property :shell, String, - description: "Set the `SHELL` environment variable in the cron.d file." - property :comment, String, description: "A comment to place in the cron.d file." - property :environment, Hash, - description: "A Hash containing additional arbitrary environment variables under which the cron job will be run in the form of `({'ENV_VARIABLE' => 'VALUE'})`.", - default: lazy { {} } - - TIMEOUT_OPTS = %w{duration preserve-status foreground kill-after signal}.freeze - TIMEOUT_REGEX = /\A\S+/.freeze - - property :time_out, Hash, - description: "A Hash of timeouts in the form of `({'OPTION' => 'VALUE'})`. - Accepted valid options are: - `preserve-status` (BOOL, default: 'false'), - `foreground` (BOOL, default: 'false'), - `kill-after` (in seconds), - `signal` (a name like 'HUP' or a number)", - default: lazy { {} }, - introduced: "15.7", - coerce: proc { |h| - if h.is_a?(Hash) - invalid_keys = h.keys - TIMEOUT_OPTS - unless invalid_keys.empty? - error_msg = "Key of option time_out must be equal to one of: \"#{TIMEOUT_OPTS.join('", "')}\"! You passed \"#{invalid_keys.join(", ")}\"." - raise Chef::Exceptions::ValidationFailed, error_msg - end - unless h.values.all? { |x| x =~ TIMEOUT_REGEX } - error_msg = "Values of option time_out should be non-empty string without any leading whitespace." - raise Chef::Exceptions::ValidationFailed, error_msg - end - h - elsif h.is_a?(Integer) || h.is_a?(String) - { "duration" => h } - end - } - property :mode, [String, Integer], description: "The octal mode of the generated crontab file.", default: "0600" @@ -238,7 +158,7 @@ class Chef # @todo this is Chef 12 era cleanup. Someday we should remove it all template "/etc/cron.d/#{sanitized_name}" do - source ::File.expand_path("../support/cron.d.erb", __FILE__) + source ::File.expand_path("../../support/cron.d.erb", __FILE__) local true mode new_resource.mode variables( diff --git a/lib/chef/resource/dmg_package.rb b/lib/chef/resource/dmg_package.rb index b1d464b547..1b996e4c5e 100644 --- a/lib/chef/resource/dmg_package.rb +++ b/lib/chef/resource/dmg_package.rb @@ -66,7 +66,7 @@ class Chef description: "The remote URL that is used to download the `.dmg` file, if specified." property :file, String, - description: "The full path to the `.dmg` file on the local system." + description: "The absolute path to the `.dmg` file on the local system." property :owner, [String, Integer], description: "The user that should own the package installation." diff --git a/lib/chef/resource/execute.rb b/lib/chef/resource/execute.rb index b3c182ddd8..2584a6e4b5 100644 --- a/lib/chef/resource/execute.rb +++ b/lib/chef/resource/execute.rb @@ -27,15 +27,7 @@ class Chef provides :execute, target_mode: true - description <<~DESC - Use the **execute** resource to execute a single command. Commands that - are executed with this resource are (by their nature) not idempotent, - as they are typically unique to the environment in which they are run. - Use not_if and only_if to guard this resource for idempotence. - - Note: Use the **script** resource to execute a script using a specific - interpreter (Ruby, Python, Perl, csh, or Bash).' - DESC + description "Use the **execute** resource to execute a single command. Commands that are executed with this resource are (by their nature) not idempotent, as they are typically unique to the environment in which they are run. Use not_if and only_if to guard this resource for idempotence. Note: Use the **script** resource to execute a script using a specific interpreter (Ruby, Python, Perl, csh, or Bash)." examples <<~EXAMPLES **Run a command upon notification**: @@ -90,35 +82,6 @@ class Chef file '/etc/yum.repos.d/bad.repo' do action :delete notifies :run, 'execute[clean-yum-cache]', :immediately - - notifies :create, 'ruby_block[reload-internal-yum-cache]', :immediately - end - ``` - - **Install repositories from a file, trigger a command, and force the internal cache to reload**: - - The following example shows how to install new Yum repositories from a file, - where the installation of the repository triggers a creation of the Yum cache - that forces the internal cache for Chef Infra Client to reload. - - ```ruby - execute 'create-yum-cache' do - command 'yum -q makecache' - action :nothing - end - - ruby_block 'reload-internal-yum-cache' do - block do - Chef::Provider::Package::Yum::YumCache.instance.reload - end - action :nothing - end - - cookbook_file '/etc/yum.repos.d/custom.repo' do - source 'custom' - mode '0755' - notifies :run, 'execute[create-yum-cache]', :immediately - notifies :create, 'ruby_block[reload-internal-yum-cache]', :immediately end ``` @@ -243,9 +206,7 @@ class Chef execute 'install-mysql' do command "mv \#{node['mysql']['data_dir']} \#{node['mysql']['ec2_path']}" - not_if do - FileTest.directory?(node['mysql']['ec2_path']) - end + not_if { ::File.directory?(node['mysql']['ec2_path']) } end [node['mysql']['ec2_path'], node['mysql']['data_dir']].each do |dir| @@ -293,8 +254,7 @@ class Chef remote_file "\#{Chef::Config[:file_cache_path]}/distribute_setup.py" do source 'http://python-distribute.org/distribute_setup.py' mode '0755' - - not_if { File.exist?(pip_binary) } + not_if { ::File.exist?(pip_binary) } end execute 'install-pip' do @@ -302,7 +262,7 @@ class Chef command <<~EOF # command for installing Python goes here EOF - not_if { File.exist?(pip_binary) } + not_if { ::File.exist?(pip_binary) } end ``` @@ -334,7 +294,7 @@ class Chef ```ruby execute 'start-tomcat' do - command '/etc/init.d/tomcat6 start' + command '/etc/init.d/tomcat start' action :run end ``` @@ -350,27 +310,12 @@ class Chef search for users: ```ruby - # the following code sample comes from the openvpn cookbook: https://github.com/chef-cookbooks/openvpn + # the following code sample comes from the openvpn cookbook: search("users", "*:*") do |u| execute "generate-openvpn-\#{u['id']}" do command "./pkitool \#{u['id']}" cwd '/etc/openvpn/easy-rsa' - - environment( - 'EASY_RSA' => '/etc/openvpn/easy-rsa', - 'KEY_CONFIG' => '/etc/openvpn/easy-rsa/openssl.cnf', - 'KEY_DIR' => node['openvpn']['key_dir'], - 'CA_EXPIRE' => node['openvpn']['key']['ca_expire'].to_s, - 'KEY_EXPIRE' => node['openvpn']['key']['expire'].to_s, - 'KEY_SIZE' => node['openvpn']['key']['size'].to_s, - 'KEY_COUNTRY' => node['openvpn']['key']['country'], - 'KEY_PROVINCE' => node['openvpn']['key']['province'], - 'KEY_CITY' => node['openvpn']['key']['city'], - 'KEY_ORG' => node['openvpn']['key']['org'], - 'KEY_EMAIL' => node['openvpn']['key']['email'] - ) - not_if { File.exist?("\#{node['openvpn']['key_dir']}/\#{u['id']}.crt") } end %w{ conf ovpn }.each do |ext| @@ -379,23 +324,12 @@ class Chef variables :username => u['id'] end end - - execute "create-openvpn-tar-\#{u['id']}" do - cwd node['openvpn']['key_dir'] - command <<~EOH - tar zcf \#{u['id']}.tar.gz ca.crt \#{u['id']}.crt \#{u['id']}.key \#{u['id']}.conf \#{u['id']}.ovpn - EOH - not_if { File.exist?("\#{node['openvpn']['key_dir']}/\#{u['id']}.tar.gz") } - end end ``` where - - the search will use both of the **execute** resources, unless the condition - specified by the `not_if` commands are met - - the `environments` property in the first **execute** resource is being used to - define values that appear as variables in the OpenVPN configuration + - the search data will be used to create **execute** resources - the **template** resource tells Chef Infra Client which template to use **Enable remote login for macOS**: @@ -594,13 +528,13 @@ class Chef description: "The current working directory from which the command will be run." property :environment, Hash, - description: "A Hash of environment variables in the form of ({'ENV_VARIABLE' => 'VALUE'})." + description: "A Hash of environment variables in the form of `({'ENV_VARIABLE' => 'VALUE'})`. **Note**: These variables must exist for a command to be run successfully." property :group, [ String, Integer ], description: "The group name or group ID that must be changed before running a command." property :live_stream, [ TrueClass, FalseClass ], default: false, - description: "Send the output of the command run by this execute resource block to the #{Chef::Dist::CLIENT} event stream." + description: "Send the output of the command run by this execute resource block to the #{Chef::Dist::PRODUCT} event stream." # default_env defaults to `false` so that the command execution more exactly matches what the user gets on the command line without magic property :default_env, [ TrueClass, FalseClass ], desired_state: false, default: false, @@ -628,7 +562,7 @@ class Chef # lazy used to set default value of sensitive to true if password is set property :sensitive, [ TrueClass, FalseClass ], - description: "Ensure that sensitive resource data is not logged by the #{Chef::Dist::CLIENT}.", + description: "Ensure that sensitive resource data is not logged by the #{Chef::Dist::PRODUCT}.", default: lazy { password ? true : false }, default_description: "True if the password property is set. False otherwise." property :elevated, [ TrueClass, FalseClass ], default: false, diff --git a/lib/chef/resource/helpers/cron_validations.rb b/lib/chef/resource/helpers/cron_validations.rb index 8b5e9a22c4..60861be617 100644 --- a/lib/chef/resource/helpers/cron_validations.rb +++ b/lib/chef/resource/helpers/cron_validations.rb @@ -62,13 +62,16 @@ class Chef end end - # validate the provided day of the week is sun-sat, 0-7, or * + # validate the provided day of the week is sun-sat, sunday-saturday, 0-7, or * + # Added crontab param to check cron resource # @param spec the value to validate # @return [Boolean] valid or not? def validate_dow(spec) + spec = spec.to_s spec == "*" || validate_numeric(spec, 0, 7) || - %w{sun mon tue wed thu fri sat}.include?(String(spec).downcase) + %w{sun mon tue wed thu fri sat}.include?(spec.downcase) || + %w{sunday monday tuesday wednesday thursday friday saturday}.include?(spec.downcase) end # validate the day of the month is 1-31 diff --git a/lib/chef/resource/homebrew_update.rb b/lib/chef/resource/homebrew_update.rb index 36dcda810d..a13d22c223 100644 --- a/lib/chef/resource/homebrew_update.rb +++ b/lib/chef/resource/homebrew_update.rb @@ -19,6 +19,7 @@ # require_relative "../resource" +require_relative "../dist" class Chef class Resource @@ -27,7 +28,7 @@ class Chef provides(:homebrew_update) { true } - description "Use the **homebrew_update** resource to manage Homebrew repository updates on MacOS." + description "Use the **homebrew_update** resource to manage Homebrew repository updates on macOS." introduced "16.2" examples <<~DOC **Update the homebrew repository data at a specified interval**: @@ -37,7 +38,7 @@ class Chef action :periodic end ``` - **Update the Homebrew repository at the start of a Chef Infra Client run**: + **Update the Homebrew repository at the start of a #{Chef::Dist::PRODUCT} run**: ```ruby homebrew_update 'update' ``` diff --git a/lib/chef/resource/ssh_known_hosts_entry.rb b/lib/chef/resource/ssh_known_hosts_entry.rb index 95a1b75644..0bc835392c 100644 --- a/lib/chef/resource/ssh_known_hosts_entry.rb +++ b/lib/chef/resource/ssh_known_hosts_entry.rb @@ -29,6 +29,21 @@ class Chef description "Use the **ssh_known_hosts_entry** resource to add an entry for the specified host in /etc/ssh/ssh_known_hosts or a user's known hosts file if specified." introduced "14.3" + examples <<~DOC + **Add a single entry for github.com with the key auto detected** + + ```ruby + ssh_known_hosts_entry 'github.com' + ``` + + **Add a single entry with your own provided key** + + ```ruby + ssh_known_hosts_entry 'github.com' do + key 'node.example.com ssh-rsa ...' + end + ``` + DOC property :host, String, description: "The host to add to the known hosts file.", diff --git a/lib/chef/resource/sudo.rb b/lib/chef/resource/sudo.rb index 377e0e432e..d7babd8f96 100644 --- a/lib/chef/resource/sudo.rb +++ b/lib/chef/resource/sudo.rb @@ -34,6 +34,33 @@ class Chef " installation of the required sudo version. Chef-supported releases of Ubuntu, SuSE, Debian,"\ " and RHEL (6+) all support this feature." introduced "14.0" + examples <<~DOC + **Grant a user sudo privileges for any command** + + ```ruby + sudo 'admin' do + user 'admin' + end + ``` + + **Grant a user and groups sudo privileges for any command** + + ```ruby + sudo 'admins' do + users 'bob' + groups 'sysadmins, superusers' + end + ``` + + **Grant passwordless sudo privileges for specific commands** + + ```ruby + sudo 'passwordless-access' do + commands ['/bin/systemctl restart httpd', '/bin/systemctl restart mysql'] + nopasswd true + end + ``` + DOC # According to the sudo man pages sudo will ignore files in an include dir that have a `.` or `~` # We convert either to `__` @@ -53,7 +80,7 @@ class Chef coerce: proc { |x| coerce_groups(x) } property :commands, Array, - description: "An array of commands this sudoer can execute.", + description: "An array of full paths to commands this sudoer can execute.", default: ["ALL"] property :host, String, @@ -112,7 +139,7 @@ class Chef # handle legacy cookbook property def after_created - raise "The 'visudo_path' property from the sudo cookbook has been replaced with the 'visudo_binary' property. The path is now more intelligently determined and for most users specifying the path should no longer be necessary. If this resource still cannot determine the path to visudo then provide the full path to the binary with the 'visudo_binary' property." if visudo_path + raise "The 'visudo_path' property from the sudo cookbook has been replaced with the 'visudo_binary' property. The path is now more intelligently determined and for most users specifying the path should no longer be necessary. If this resource still cannot determine the path to visudo then provide the absolute path to the binary with the 'visudo_binary' property." if visudo_path end # VERY old legacy properties diff --git a/lib/chef/resource/swap_file.rb b/lib/chef/resource/swap_file.rb index 7049b34ea7..3d8f31de48 100644 --- a/lib/chef/resource/swap_file.rb +++ b/lib/chef/resource/swap_file.rb @@ -26,6 +26,23 @@ class Chef description "Use the **swap_file** resource to create or delete swap files on Linux systems, and optionally to manage the swappiness configuration for a host." introduced "14.0" + examples <<~DOC + **Create a swap file** + + ```ruby + swap_file '/dev/sda1' do + size 1024 + end + ``` + + **Remove a swap file** + + ```ruby + swap_file '/dev/sda1' do + action :remove + end + ``` + DOC property :path, String, description: "The path where the swap file will be created on the system if it differs from the resource block's name.", diff --git a/lib/chef/resource/timezone.rb b/lib/chef/resource/timezone.rb index a7813ce9c2..fe03940e1d 100644 --- a/lib/chef/resource/timezone.rb +++ b/lib/chef/resource/timezone.rb @@ -28,6 +28,21 @@ class Chef description "Use the **timezone** resource to change the system timezone on Windows, Linux, and macOS hosts. Timezones are specified in tz database format, with a complete list of available TZ values for Linux and macOS here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones and for Windows here: https://ss64.com/nt/timezones.html." introduced "14.6" + examples <<~DOC + **Set the timezone to UTC** + + ```ruby + timezone 'UTC' + ``` + + **Set the timezone to UTC with a friendly resource name** + + ```ruby + timezone 'Set the host's timezone to UTC' do + timezone 'UTC' + end + ``` + DOC property :timezone, String, description: "An optional property to set the timezone value if it differs from the resource block's name.", diff --git a/lib/chef/resource/windows_audit_policy.rb b/lib/chef/resource/windows_audit_policy.rb index 684fafcd15..c7873dad09 100644 --- a/lib/chef/resource/windows_audit_policy.rb +++ b/lib/chef/resource/windows_audit_policy.rb @@ -174,7 +174,7 @@ class Chef end action :set do - unless new_resource.subcategory.empty? + unless new_resource.subcategory.nil? new_resource.subcategory.each do |subcategory| next if subcategory_configured?(subcategory, new_resource.success, new_resource.failure) diff --git a/lib/chef/resource/windows_security_policy.rb b/lib/chef/resource/windows_security_policy.rb index ffcbb8d139..4fd38807de 100644 --- a/lib/chef/resource/windows_security_policy.rb +++ b/lib/chef/resource/windows_security_policy.rb @@ -21,25 +21,27 @@ require_relative "../resource" class Chef class Resource class WindowsSecurityPolicy < Chef::Resource - resource_name :windows_security_policy + provides :windows_security_policy # The valid policy_names options found here # https://github.com/ChrisAWalker/cSecurityOptions under 'AccountSettings' - policy_names = %w{MinimumPasswordAge - MaximumPasswordAge - MinimumPasswordLength - PasswordComplexity - PasswordHistorySize - LockoutBadCount - RequireLogonToChangePassword - ForceLogoffWhenHourExpire - NewAdministratorName - NewGuestName - ClearTextPassword - LSAAnonymousNameLookup - EnableAdminAccount - EnableGuestAccount - } + policy_names = %w{LockoutDuration + MaximumPasswordAge + MinimumPasswordAge + MinimumPasswordLength + PasswordComplexity + PasswordHistorySize + LockoutBadCount + ResetLockoutCount + RequireLogonToChangePassword + ForceLogoffWhenHourExpire + NewAdministratorName + NewGuestName + ClearTextPassword + LSAAnonymousNameLookup + EnableAdminAccount + EnableGuestAccount + } description "Use the **windows_security_policy** resource to set a security policy on the Microsoft Windows platform." introduced "16.0" diff --git a/lib/chef/resources.rb b/lib/chef/resources.rb index cf48e8f4bc..a47b96cb5c 100644 --- a/lib/chef/resources.rb +++ b/lib/chef/resources.rb @@ -38,9 +38,9 @@ require_relative "resource/chocolatey_config" require_relative "resource/chocolatey_feature" require_relative "resource/chocolatey_package" require_relative "resource/chocolatey_source" -require_relative "resource/cron" +require_relative "resource/cron/cron" require_relative "resource/cron_access" -require_relative "resource/cron_d" +require_relative "resource/cron/cron_d" require_relative "resource/csh" require_relative "resource/directory" require_relative "resource/dmg_package" diff --git a/lib/chef/util/diff.rb b/lib/chef/util/diff.rb index 6f10cbde35..5cc8bf5e82 100644 --- a/lib/chef/util/diff.rb +++ b/lib/chef/util/diff.rb @@ -136,7 +136,7 @@ class Chef return "(file sizes exceed #{diff_filesize_threshold} bytes, diff output suppressed)" end - # MacOSX(BSD?) diff will *sometimes* happily spit out nasty binary diffs + # macOS(BSD?) diff will *sometimes* happily spit out nasty binary diffs return "(current file is binary, diff output suppressed)" if is_binary?(old_file) return "(new content is binary, diff output suppressed)" if is_binary?(new_file) diff --git a/lib/chef/version.rb b/lib/chef/version.rb index e10a103ba8..0fcafc0e61 100644 --- a/lib/chef/version.rb +++ b/lib/chef/version.rb @@ -23,7 +23,7 @@ require_relative "version_string" class Chef CHEF_ROOT = File.expand_path("../..", __FILE__) - VERSION = Chef::VersionString.new("16.2.36") + VERSION = Chef::VersionString.new("16.2.48") end # diff --git a/omnibus/Gemfile.lock b/omnibus/Gemfile.lock index e91e6a4946..87bf6688c3 100644 --- a/omnibus/Gemfile.lock +++ b/omnibus/Gemfile.lock @@ -1,13 +1,12 @@ GIT remote: https://github.com/chef/omnibus - revision: 656496eaefadc4e5676eae5ad722acd6f8c22b2a + revision: d75718522deb9faeb3c21b50c60e94daf70ce9b6 branch: master specs: - omnibus (7.0.12) + omnibus (7.0.13) aws-sdk-s3 (~> 1) chef-cleanroom (~> 1.0) chef-sugar (>= 3.3) - ffi (< 1.13) ffi-yajl (~> 2.2) license_scout (~> 1.0) mixlib-shellout (>= 2.0, < 4.0) @@ -33,17 +32,17 @@ GEM artifactory (3.0.15) awesome_print (1.8.0) aws-eventstream (1.1.0) - aws-partitions (1.327.0) - aws-sdk-core (3.98.0) + aws-partitions (1.329.0) + aws-sdk-core (3.100.0) aws-eventstream (~> 1, >= 1.0.2) aws-partitions (~> 1, >= 1.239.0) aws-sigv4 (~> 1.1) jmespath (~> 1.0) - aws-sdk-kms (1.33.0) - aws-sdk-core (~> 3, >= 3.71.0) + aws-sdk-kms (1.34.1) + aws-sdk-core (~> 3, >= 3.99.0) aws-sigv4 (~> 1.1) - aws-sdk-s3 (1.67.1) - aws-sdk-core (~> 3, >= 3.96.1) + aws-sdk-s3 (1.68.1) + aws-sdk-core (~> 3, >= 3.99.0) aws-sdk-kms (~> 1) aws-sigv4 (~> 1.1) aws-sigv4 (1.1.4) @@ -172,9 +171,9 @@ GEM erubis (2.7.0) faraday (1.0.1) multipart-post (>= 1.2, < 3) - ffi (1.12.1) - ffi (1.12.1-x64-mingw32) - ffi (1.12.1-x86-mingw32) + ffi (1.13.1) + ffi (1.13.1-x64-mingw32) + ffi (1.13.1-x86-mingw32) ffi-libarchive (1.0.0) ffi (~> 1.0) ffi-win32-extensions (1.0.3) @@ -275,7 +274,7 @@ GEM progressbar (1.10.1) proxifier (1.0.3) public_suffix (4.0.5) - rack (2.2.2) + rack (2.2.3) rainbow (3.0.0) retryable (3.0.5) ruby-progressbar (1.10.1) @@ -296,7 +295,7 @@ GEM structured_warnings (0.4.0) syslog-logger (1.6.8) systemu (2.6.5) - test-kitchen (2.5.1) + test-kitchen (2.5.2) bcrypt_pbkdf (~> 1.0) ed25519 (~> 1.2) license-acceptance (~> 1.0, >= 1.0.11) @@ -305,11 +304,11 @@ GEM net-scp (>= 1.1, < 4.0) net-ssh (>= 2.9, < 7.0) net-ssh-gateway (>= 1.2, < 3.0) - thor (~> 0.19) + thor (>= 0.19, < 2.0) winrm (~> 2.0) winrm-elevated (~> 1.0) winrm-fs (~> 1.1) - thor (0.20.3) + thor (1.0.1) toml-rb (2.0.1) citrus (~> 3.0, > 3.0) tomlrb (1.3.0) diff --git a/spec/functional/resource/cron_spec.rb b/spec/functional/resource/cron_spec.rb index 66f630018e..ed4905b980 100644 --- a/spec/functional/resource/cron_spec.rb +++ b/spec/functional/resource/cron_spec.rb @@ -80,6 +80,16 @@ describe Chef::Resource::Cron, :requires_root, :unix_only do 5.times { new_resource.run_action(:create) } cron_should_exists(new_resource.name, new_resource.command) end + + # Test cron for day of week + weekdays = { Mon: 1, tuesday: 2, '3': 3, 'thursday': 4, 'Fri': 5, 6 => 6 } + weekdays.each do |key, value| + it "should create crontab entry and set #{value} for #{key} as weekday" do + new_resource.weekday key + expect { new_resource.run_action(:create) }.not_to raise_error + cron_should_exists(new_resource.name, new_resource.command) + end + end end describe "delete action" do diff --git a/spec/integration/knife/config_use_profile_spec.rb b/spec/integration/knife/config_use_profile_spec.rb index 213fe19f88..9451e74325 100644 --- a/spec/integration/knife/config_use_profile_spec.rb +++ b/spec/integration/knife/config_use_profile_spec.rb @@ -30,6 +30,7 @@ describe "knife config use-profile", :workstation do knife("config", "use-profile", *cmd_args, instance_filter: lambda { |instance| # Fake the failsafe check because this command doesn't actually process knife.rb. $__KNIFE_INTEGRATION_FAILSAFE_CHECK << " ole" + allow(File).to receive(:file?).and_call_original }) end @@ -73,15 +74,56 @@ describe "knife config use-profile", :workstation do context "with an argument" do let(:cmd_args) { %w{production} } + before { file(".chef/credentials", <<~EOH) } + [production] + client_name = "testuser" + client_key = "testkey.pem" + chef_server_url = "https://example.com/organizations/testorg" + EOH it do is_expected.to eq "Set default profile to production\n" expect(File.read(path_to(".chef/context"))).to eq "production\n" end end + context "with no credentials file" do + let(:cmd_args) { %w{production} } + subject { knife_use_profile.stderr } + it { is_expected.to eq "FATAL: No profiles found, #{path_to(".chef/credentials")} does not exist or is empty\n" } + end + + context "with an empty credentials file" do + let(:cmd_args) { %w{production} } + before { file(".chef/credentials", "") } + subject { knife_use_profile.stderr } + it { is_expected.to eq "FATAL: No profiles found, #{path_to(".chef/credentials")} does not exist or is empty\n" } + end + + context "with an wrong argument" do + let(:cmd_args) { %w{staging} } + before { file(".chef/credentials", <<~EOH) } + [production] + client_name = "testuser" + client_key = "testkey.pem" + chef_server_url = "https://example.com/organizations/testorg" + EOH + subject { knife_use_profile } + it { expect { subject }.to raise_error ChefConfig::ConfigurationError, "Profile staging doesn't exist. Please add it to #{path_to(".chef/credentials")} and if it is profile with DNS name check that you are not missing single quotes around it as per docs https://docs.chef.io/workstation/knife_setup/#knife-profiles." } + end + context "with $CHEF_HOME" do let(:cmd_args) { %w{staging} } - before { ENV["CHEF_HOME"] = path_to("chefhome"); file("chefhome/tmp", "") } + before do + ENV["CHEF_HOME"] = path_to("chefhome"); file("chefhome/tmp", "") + file("chefhome/.chef/credentials", <<~EOH + [staging] + client_name = "testuser" + client_key = "testkey.pem" + chef_server_url = "https://example.com/organizations/testorg" + EOH + ) + end + it do is_expected.to eq "Set default profile to staging\n" expect(File.read(path_to("chefhome/.chef/context"))).to eq "staging\n" @@ -91,7 +133,18 @@ describe "knife config use-profile", :workstation do context "with $KNIFE_HOME" do let(:cmd_args) { %w{development} } - before { ENV["KNIFE_HOME"] = path_to("knifehome"); file("knifehome/tmp", "") } + + before do + ENV["KNIFE_HOME"] = path_to("knifehome"); file("knifehome/tmp", "") + file("knifehome/.chef/credentials", <<~EOH + [development] + client_name = "testuser" + client_key = "testkey.pem" + chef_server_url = "https://example.com/organizations/testorg" + EOH + ) + end + it do is_expected.to eq "Set default profile to development\n" expect(File.read(path_to("knifehome/.chef/context"))).to eq "development\n" diff --git a/spec/unit/provider/cron_spec.rb b/spec/unit/provider/cron_spec.rb index bebde66a8b..76f170312e 100644 --- a/spec/unit/provider/cron_spec.rb +++ b/spec/unit/provider/cron_spec.rb @@ -15,7 +15,6 @@ # See the License for the specific language governing permissions and # limitations under the License. # - require "spec_helper" describe Chef::Provider::Cron do @@ -322,7 +321,7 @@ describe Chef::Provider::Cron do expect(cron.hour).to eq("5") expect(cron.day).to eq("*") expect(cron.month).to eq("Jan") - expect(cron.weekday).to eq("Mon") + expect(cron.weekday).to eq("1") expect(cron.command).to eq("/bin/true param1 param2") end @@ -338,6 +337,7 @@ describe Chef::Provider::Cron do 0 2 * * * /some/other/command # Chef Name: cronhole some stuff + * * * * * /bin/true CRONTAB cron = @provider.load_current_resource expect(@provider.cron_exists).to eq(true) @@ -347,7 +347,7 @@ describe Chef::Provider::Cron do expect(cron.month).to eq("*") expect(cron.weekday).to eq("*") expect(cron.time).to eq(nil) - expect(cron.command).to eq(nil) + expect(cron.command).to eq("/bin/true") end it "should not pick up a commented out crontab line" do @@ -355,6 +355,7 @@ describe Chef::Provider::Cron do 0 2 * * * /some/other/command # Chef Name: cronhole some stuff + * * * * * /bin/true #* 5 * 1 * /bin/true param1 param2 CRONTAB cron = @provider.load_current_resource @@ -365,7 +366,7 @@ describe Chef::Provider::Cron do expect(cron.month).to eq("*") expect(cron.weekday).to eq("*") expect(cron.time).to eq(nil) - expect(cron.command).to eq(nil) + expect(cron.command).to eq("/bin/true") end it "should not pick up a later crontab entry" do @@ -373,6 +374,7 @@ describe Chef::Provider::Cron do 0 2 * * * /some/other/command # Chef Name: cronhole some stuff + * * * * * /bin/true #* 5 * 1 * /bin/true param1 param2 # Chef Name: something else 2 * 1 * * /bin/false @@ -387,7 +389,7 @@ describe Chef::Provider::Cron do expect(cron.month).to eq("*") expect(cron.weekday).to eq("*") expect(cron.time).to eq(nil) - expect(cron.command).to eq(nil) + expect(cron.command).to eq("/bin/true") end end end @@ -1040,48 +1042,6 @@ describe Chef::Provider::Cron do end end - describe "weekday_in_crontab" do - context "when weekday is symbol" do - it "should return weekday in crontab format" do - @new_resource.weekday :wednesday - expect(@provider.send(:weekday_in_crontab)).to eq("3") - end - - it "should raise an error with an unknown weekday" do - expect { @new_resource.weekday :caturday }.to raise_error(RangeError) - end - end - - context "when weekday is a number in a string" do - it "should return the string" do - @new_resource.weekday "3" - expect(@provider.send(:weekday_in_crontab)).to eq("3") - end - - it "should raise an error with an out of range number" do - expect { @new_resource.weekday "-1" }.to raise_error(RangeError) - end - end - - context "when weekday is string with the name of the week" do - it "should return the string" do - @new_resource.weekday "mon" - expect(@provider.send(:weekday_in_crontab)).to eq("mon") - end - end - - context "when weekday is an integer" do - it "should return the integer" do - @new_resource.weekday 1 - expect(@provider.send(:weekday_in_crontab)).to eq("1") - end - - it "should raise an error with an out of range integer" do - expect { @new_resource.weekday 45 }.to raise_error(RangeError) - end - end - end - describe "#env_var_str" do context "when no env vars are set" do it "returns an empty string" do @@ -1196,8 +1156,8 @@ describe Chef::Provider::Cron do context "Without command, passed" do context "as nil" do it "returns an empty string with a next line" do - @new_resource.command nil - expect(@provider.send(:cmd_str)).to eq(" \n") + @new_resource.command "bin/true" + expect(@provider.send(:cmd_str)).to eq(" bin/true\n") end end context "as an empty string" do diff --git a/spec/unit/resource/cron_spec.rb b/spec/unit/resource/cron_spec.rb index 4322d6c24b..c9dbef06c6 100644 --- a/spec/unit/resource/cron_spec.rb +++ b/spec/unit/resource/cron_spec.rb @@ -132,10 +132,10 @@ describe Chef::Resource::Cron do describe "weekday" do it "rejects any weekday over 7" do - expect { resource.weekday "8" }.to raise_error(RangeError) + expect { resource.weekday "8" }.to raise_error(Chef::Exceptions::ValidationFailed) end it "rejects any symbols which don't represent day of week" do - expect { resource.weekday :foo }.to raise_error(RangeError) + expect { resource.weekday :foo }.to raise_error(Chef::Exceptions::ValidationFailed) end end diff --git a/spec/unit/resource/helpers/cron_validations_spec.rb b/spec/unit/resource/helpers/cron_validations_spec.rb index 6b7d8f592c..9ec58e8b5f 100644 --- a/spec/unit/resource/helpers/cron_validations_spec.rb +++ b/spec/unit/resource/helpers/cron_validations_spec.rb @@ -34,8 +34,12 @@ describe Chef::ResourceHelpers::CronValidations do expect(Chef::ResourceHelpers::CronValidations.validate_dow(8)).to be false end + it "it accepts the string day with full name" do + expect(Chef::ResourceHelpers::CronValidations.validate_dow("monday")).to be true + end + it "returns false for an invalid string" do - expect(Chef::ResourceHelpers::CronValidations.validate_dow("monday")).to be false + expect(Chef::ResourceHelpers::CronValidations.validate_dow("funday")).to be false end end diff --git a/spec/unit/resource_spec.rb b/spec/unit/resource_spec.rb index fd32313c83..5181414215 100644 --- a/spec/unit/resource_spec.rb +++ b/spec/unit/resource_spec.rb @@ -1236,4 +1236,56 @@ describe Chef::Resource do expect(resource.tagged?("foo")).to be(false) end end + + describe "#with_umask" do + let(:resource) { Chef::Resource.new("testy testerson") } + let!(:original_umask) { ::File.umask } + + after do + ::File.umask(original_umask) + end + + it "does not affect the umask by default" do + block_value = nil + + resource.with_umask do + block_value = ::File.umask + end + + expect(block_value).to eq(original_umask) + end + + it "changes the umask in the block to the set value" do + resource.umask = "0123" + + block_value = nil + + resource.with_umask do + block_value = ::File.umask + end + + # Format the returned value so a potential error message is easier to understand. + actual_value = block_value.to_s(8).rjust(4, "0") + + expect(actual_value).to eq("0123") + end + + it "resets the umask afterwards" do + resource.umask = "0123" + + resource.with_umask do + "noop" + end + + expect(::File.umask).to eq(original_umask) + end + + it "resets the umask if the block raises an error" do + resource.umask = "0123" + + expect { resource.with_umask { 1 / 0 } }.to raise_error(ZeroDivisionError) + + expect(::File.umask).to eq(original_umask) + end + end end diff --git a/spec/unit/util/threaded_job_queue_spec.rb b/spec/unit/util/threaded_job_queue_spec.rb index de56bd0318..6925cb5dda 100644 --- a/spec/unit/util/threaded_job_queue_spec.rb +++ b/spec/unit/util/threaded_job_queue_spec.rb @@ -21,6 +21,15 @@ end describe Chef::Util::ThreadedJobQueue do let(:queue) { Chef::Util::ThreadedJobQueue.new } + around(:example) do |example| + old_value = Thread.report_on_exception + Thread.report_on_exception = false + + example.run + + Thread.report_on_exception = old_value + end + it "should pass mutex to jobs with an arity of 1" do job = double expect(job).to receive(:arity).at_least(:once).and_return(1) |