authorTim Smith <tsmith@chef.io>2021-11-16 17:16:20 -0800
committerGitHub <noreply@github.com>2021-11-16 17:16:20 -0800
commit2ae926aaea63ee83cf5d3da6110b9beccb7a5b71 (patch)
tree15e24470bd68b7ce466713b9a6e3ce3d9b4deb99
parent6ef32b815634ad6484fc3b9b7336054a9f859f09 (diff)
parentb7c1d00d0c949c1cd811d07e80534a6da3b7b369 (diff)
downloadchef-2ae926aaea63ee83cf5d3da6110b9beccb7a5b71.tar.gz
Merge branch 'main' into expeditor/chef/ohai_b10c8b43347ee88a89d74e6468bf9833233e600e
-rw-r--r--CHANGELOG.md9
-rw-r--r--Gemfile.lock24
-rw-r--r--VERSION2
-rw-r--r--chef-bin/lib/chef-bin/version.rb2
-rw-r--r--chef-config/lib/chef-config/version.rb2
-rw-r--r--chef-utils/lib/chef-utils/version.rb2
-rw-r--r--knife/lib/chef/knife/version.rb2
-rw-r--r--lib/chef/compliance/default_attributes.rb12
-rw-r--r--lib/chef/compliance/runner.rb48
-rw-r--r--lib/chef/resource/macos_userdefaults.rb12
-rw-r--r--lib/chef/version.rb2
-rw-r--r--omnibus/Gemfile.lock4
-rw-r--r--spec/functional/resource/macos_userdefaults_spec.rb20
-rw-r--r--spec/unit/compliance/runner_spec.rb60
14 files changed, 167 insertions, 34 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c75f2503ff..beeb7fecaf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,17 +1,20 @@
<!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
This changelog lists individual merged pull requests to Chef Infra Client and geared towards developers. For a list of significant changes per release see the [Chef Infra Client Release Notes](https://docs.chef.io/release_notes_client/).
-<!-- latest_release 17.8.2 -->
-## [v17.8.2](https://github.com/chef/chef/tree/v17.8.2) (2021-11-12)
+<!-- latest_release 17.8.5 -->
+## [v17.8.5](https://github.com/chef/chef/tree/v17.8.5) (2021-11-16)
#### Merged Pull Requests
-- Fix zypper_package behavior when there is no candidate_version [#12279](https://github.com/chef/chef/pull/12279) ([lamont-granquist](https://github.com/lamont-granquist))
+- fix invalid ffi type error after coerce in macos_userdefaults [#12234](https://github.com/chef/chef/pull/12234) ([rishichawda](https://github.com/rishichawda))
<!-- latest_release -->
<!-- release_rollup since=17.7.29 -->
### Changes not yet released to stable
#### Merged Pull Requests
+- fix invalid ffi type error after coerce in macos_userdefaults [#12234](https://github.com/chef/chef/pull/12234) ([rishichawda](https://github.com/rishichawda)) <!-- 17.8.5 -->
+- Bump omnibus-software from `b6f2ff8` to `32876cd` in /omnibus [#12287](https://github.com/chef/chef/pull/12287) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 17.8.4 -->
+- Bump chef/chefstyle to 3a1257b8c5934344bc854e604a882d7e7e5a8733 [#12284](https://github.com/chef/chef/pull/12284) ([chef-expeditor[bot]](https://github.com/chef-expeditor[bot])) <!-- 17.8.3 -->
- Fix zypper_package behavior when there is no candidate_version [#12279](https://github.com/chef/chef/pull/12279) ([lamont-granquist](https://github.com/lamont-granquist)) <!-- 17.8.2 -->
- Bump omnibus-software from `9222241` to `b6f2ff8` in /omnibus [#12277](https://github.com/chef/chef/pull/12277) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 17.8.1 -->
- pin omnibus builds to chef-16 [#12274](https://github.com/chef/chef/pull/12274) ([lamont-granquist](https://github.com/lamont-granquist)) <!-- 17.8.0 -->
diff --git a/Gemfile.lock b/Gemfile.lock
index 6488b6b8ca..f8cc52dd41 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -35,12 +35,12 @@ GIT
PATH
remote: .
specs:
- chef (17.8.2)
+ chef (17.8.5)
addressable
aws-sdk-s3 (~> 1.91)
aws-sdk-secretsmanager (~> 1.46)
- chef-config (= 17.8.2)
- chef-utils (= 17.8.2)
+ chef-config (= 17.8.5)
+ chef-utils (= 17.8.5)
chef-vault
chef-zero (>= 14.0.11)
corefoundation (~> 0.3.4)
@@ -66,12 +66,12 @@ PATH
train-winrm (>= 0.2.5)
uuidtools (>= 2.1.5, < 3.0)
vault (~> 0.16)
- chef (17.8.2-universal-mingw32)
+ chef (17.8.5-universal-mingw32)
addressable
aws-sdk-s3 (~> 1.91)
aws-sdk-secretsmanager (~> 1.46)
- chef-config (= 17.8.2)
- chef-utils (= 17.8.2)
+ chef-config (= 17.8.5)
+ chef-utils (= 17.8.5)
chef-vault
chef-zero (>= 14.0.11)
corefoundation (~> 0.3.4)
@@ -112,15 +112,15 @@ PATH
PATH
remote: chef-bin
specs:
- chef-bin (17.8.2)
- chef (= 17.8.2)
+ chef-bin (17.8.5)
+ chef (= 17.8.5)
PATH
remote: chef-config
specs:
- chef-config (17.8.2)
+ chef-config (17.8.5)
addressable
- chef-utils (= 17.8.2)
+ chef-utils (= 17.8.5)
fuzzyurl
mixlib-config (>= 2.2.12, < 4.0)
mixlib-shellout (>= 2.0, < 4.0)
@@ -129,7 +129,7 @@ PATH
PATH
remote: chef-utils
specs:
- chef-utils (17.8.2)
+ chef-utils (17.8.5)
concurrent-ruby
GEM
@@ -142,7 +142,7 @@ GEM
mixlib-shellout (>= 2.0, < 4.0)
ast (2.4.2)
aws-eventstream (1.2.0)
- aws-partitions (1.530.0)
+ aws-partitions (1.531.0)
aws-sdk-core (3.122.1)
aws-eventstream (~> 1, >= 1.0.2)
aws-partitions (~> 1, >= 1.525.0)
diff --git a/VERSION b/VERSION
index 9797fc1c2a..43162bb936 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-17.8.2 \ No newline at end of file
+17.8.5 \ No newline at end of file
diff --git a/chef-bin/lib/chef-bin/version.rb b/chef-bin/lib/chef-bin/version.rb
index 94bb3ed1aa..96a17d7aa1 100644
--- a/chef-bin/lib/chef-bin/version.rb
+++ b/chef-bin/lib/chef-bin/version.rb
@@ -21,7 +21,7 @@
module ChefBin
CHEFBIN_ROOT = File.expand_path("..", __dir__)
- VERSION = "17.8.2".freeze
+ VERSION = "17.8.5".freeze
end
#
diff --git a/chef-config/lib/chef-config/version.rb b/chef-config/lib/chef-config/version.rb
index be5df8a758..ba7c8ac02b 100644
--- a/chef-config/lib/chef-config/version.rb
+++ b/chef-config/lib/chef-config/version.rb
@@ -15,5 +15,5 @@
module ChefConfig
CHEFCONFIG_ROOT = File.expand_path("..", __dir__)
- VERSION = "17.8.2".freeze
+ VERSION = "17.8.5".freeze
end
diff --git a/chef-utils/lib/chef-utils/version.rb b/chef-utils/lib/chef-utils/version.rb
index eee9f16875..a58b53174a 100644
--- a/chef-utils/lib/chef-utils/version.rb
+++ b/chef-utils/lib/chef-utils/version.rb
@@ -16,5 +16,5 @@
module ChefUtils
CHEFUTILS_ROOT = File.expand_path("..", __dir__)
- VERSION = "17.8.2"
+ VERSION = "17.8.5"
end
diff --git a/knife/lib/chef/knife/version.rb b/knife/lib/chef/knife/version.rb
index 47799d0112..39afadebcb 100644
--- a/knife/lib/chef/knife/version.rb
+++ b/knife/lib/chef/knife/version.rb
@@ -17,7 +17,7 @@
class Chef
class Knife
KNIFE_ROOT = File.expand_path("../..", __dir__)
- VERSION = "17.8.2".freeze
+ VERSION = "17.8.5".freeze
end
end
diff --git a/lib/chef/compliance/default_attributes.rb b/lib/chef/compliance/default_attributes.rb
index 3ecb1cd056..fc30716205 100644
--- a/lib/chef/compliance/default_attributes.rb
+++ b/lib/chef/compliance/default_attributes.rb
@@ -94,7 +94,17 @@ class Chef
# Should the built-in compliance phase run. True and false force the behavior. Nil does magic based on if you have
# profiles defined but do not have the audit cookbook enabled.
- "compliance_phase" => false
+ "compliance_phase" => false,
+
+ "interval" => {
+ # control how often inspec scans are run, if not on every node converge
+ # notes: false value will result in running inspec scan every converge
+ "enabled" => false,
+
+ # controls how often inspec scans are run (in minutes)
+ # notes: only used if interval is enabled above
+ "time" => 1440,
+ }
)
end
end
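Review bot: The comments on the two new `interval` keys are hard to tell apart, and neither says what type `time` must be, although the runner in this commit multiplies it by 60. Above `"enabled"` I would write `# when true, InSpec scans run at most once every "time" minutes; when false they run on every converge`. Above `"time"` I would write `# minimum number of minutes between scans (Integer); only read when "enabled" is true`. The attribute hash starts outside this hunk.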
diff --git a/lib/chef/compliance/runner.rb b/lib/chef/compliance/runner.rb
index ade35d4861..f6d3e89b15 100644
--- a/lib/chef/compliance/runner.rb
+++ b/lib/chef/compliance/runner.rb
@@ -71,7 +71,7 @@ class Chef
logger.debug("#{self.class}##{__method__}: enabling Compliance Phase")
- report
+ report_with_interval
end
def run_failed(_exception, _run_status)
@@ -82,7 +82,7 @@ class Chef
logger.debug("#{self.class}##{__method__}: enabling Compliance Phase")
- report
+ report_with_interval
end
### Below code adapted from audit cookbook's files/default/handler/audit_report.rb
@@ -92,7 +92,6 @@ class Chef
fail_if_not_present
inspec_gem_source
inspec_version
- interval
owner
raise_if_unreachable
}.freeze
@@ -106,6 +105,15 @@ class Chef
end
end
+ def report_with_interval
+ if interval_seconds_left <= 0
+ create_timestamp_file if interval_enabled
+ report
+ else
+ logger.info "Skipping Chef Infra Compliance Phase due to interval settings (next run in #{interval_seconds_left / 60.0} mins)"
+ end
+ end
+
def report(report = nil)
logger.info "Starting Chef Infra Compliance Phase"
report ||= generate_report
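Review bot: In `report_with_interval` the timestamp is written before `report` runs, so if `report` raises (its body continues outside this hunk) the failed scan still counts as the last run and the next one is deferred for the whole interval. If that is not intended, swap the two lines so the stamp is written only after `report` returns: `report` then `create_timestamp_file if interval_enabled`. `interval_seconds_left` is also evaluated twice, once for the comparison and once for the log message, so reading it into a local first (`seconds_left = interval_seconds_left`) keeps the two values consistent. The same path is used from both `run_completed` and `run_failed` in the two hunks above.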
@@ -362,6 +370,40 @@ class Chef
def requested_reporters
(Array(node["audit"]["reporter"]) + ["cli"]).uniq
end
+
+ def create_timestamp_file
+ FileUtils.touch report_timing_file
+ end
+
+ def report_timing_file
+ ::File.join(Chef::FileCache.create_cache_path("compliance"), "report_timing.json")
+ end
+
+ def interval_time
+ @interval_time ||= node.read("audit", "interval", "time")
+ end
+
+ def interval_enabled
+ @interval_enabled ||= node.read("audit", "interval", "enabled")
+ end
+
+ def interval_seconds
+ @interval_seconds ||=
+ if interval_enabled
+ logger.debug "Running Chef Infra Compliance Phase every #{interval_time} minutes"
+ interval_time * 60
+ else
+ logger.debug "Running Chef Infra Compliance Phase on every run"
+ 0
+ end
+ end
+
+ def interval_seconds_left
+ return 0 unless ::File.exist?(report_timing_file)
+
+ seconds_since_last_run = Time.now - ::File.mtime(report_timing_file)
+ interval_seconds - seconds_since_last_run
+ end
end
end
end
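Review bot: `interval_seconds_left` trusts the mtime of the timing file without bounds. If that mtime is in the future (a clock step, or a file restored with a later timestamp), `seconds_since_last_run` is negative and the compliance scan is skipped for longer than the configured interval. Treating a negative elapsed time as expired closes that gap: `return 0 if seconds_since_last_run.negative?`. `interval_time` is also used unchecked, so a missing or String value set from a role or JSON attributes only fails later, in the subtraction; `Integer(interval_time) * 60` would fail early with a clear error. Lastly, `@interval_enabled ||=` never memoizes a `false` value, which is harmless but re-reads the node each call.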
diff --git a/lib/chef/resource/macos_userdefaults.rb b/lib/chef/resource/macos_userdefaults.rb
index b0b9c32fe0..9daea38aa4 100644
--- a/lib/chef/resource/macos_userdefaults.rb
+++ b/lib/chef/resource/macos_userdefaults.rb
@@ -81,8 +81,7 @@ class Chef
property :host, [String, Symbol],
description: "Set either :current, :all or a hostname to set the user default at the host level.",
desired_state: false,
- introduced: "16.3",
- coerce: proc { |value| to_cf_host(value) }
+ introduced: "16.3"
property :value, [Integer, Float, String, TrueClass, FalseClass, Hash, Array],
description: "The value of the key. Note: With the `type` property set to `bool`, `String` forms of Boolean true/false values that Apple accepts in the defaults command will be coerced: 0/1, 'TRUE'/'FALSE,' 'true'/false', 'YES'/'NO', or 'yes'/'no'.",
@@ -96,8 +95,7 @@ class Chef
property :user, [String, Symbol],
description: "The system user that the default will be applied to. Set :current for current user, :all for all users or pass a valid username",
- desired_state: false,
- coerce: proc { |value| to_cf_user(value) }
+ desired_state: false
property :sudo, [TrueClass, FalseClass],
description: "Set to true if the setting you wish to modify requires privileged access. This requires passwordless sudo for the `/usr/bin/defaults` command to be setup for the user running #{ChefUtils::Dist::Infra::PRODUCT}.",
@@ -118,7 +116,7 @@ class Chef
action :write, description: "Write the value to the specified domain/key." do
converge_if_changed do
Chef::Log.debug("Updating defaults value for #{new_resource.key} in #{new_resource.domain}")
- CF::Preferences.set!(new_resource.key, new_resource.value, new_resource.domain, new_resource.user, new_resource.host)
+ CF::Preferences.set!(new_resource.key, new_resource.value, new_resource.domain, to_cf_user(new_resource.user), to_cf_host(new_resource.host))
end
end
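Review bot: The pair `to_cf_user(new_resource.user), to_cf_host(new_resource.host)` is now written out at three call sites: here in `:write`, and in `:delete` and `get_preference` in the next hunk. A later call that passes the raw property values would bring back the FFI type error this commit fixes. A small helper next to `to_cf_user` would keep the conversion in one place, for example `def cf_user_and_host(r); [to_cf_user(r.user), to_cf_host(r.host)]; end`, used as `CF::Preferences.get(r.key, r.domain, *cf_user_and_host(r))`. A comment on the `user` and `host` properties explaining why they are no longer coerced would also help the next maintainer.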
@@ -128,12 +126,12 @@ class Chef
converge_by("delete domain:#{new_resource.domain} key:#{new_resource.key}") do
Chef::Log.debug("Removing defaults key: #{new_resource.key}")
- CF::Preferences.set!(new_resource.key, nil, new_resource.domain, new_resource.user, new_resource.host)
+ CF::Preferences.set!(new_resource.key, nil, new_resource.domain, to_cf_user(new_resource.user), to_cf_host(new_resource.host))
end
end
def get_preference(new_resource)
- CF::Preferences.get(new_resource.key, new_resource.domain, new_resource.user, new_resource.host)
+ CF::Preferences.get(new_resource.key, new_resource.domain, to_cf_user(new_resource.user), to_cf_host(new_resource.host))
end
# Return valid hostname based on the input from host property
diff --git a/lib/chef/version.rb b/lib/chef/version.rb
index 7f0ebd16b9..932b3cdb95 100644
--- a/lib/chef/version.rb
+++ b/lib/chef/version.rb
@@ -23,7 +23,7 @@ require_relative "version_string"
class Chef
CHEF_ROOT = File.expand_path("..", __dir__)
- VERSION = Chef::VersionString.new("17.8.2")
+ VERSION = Chef::VersionString.new("17.8.5")
end
#
diff --git a/omnibus/Gemfile.lock b/omnibus/Gemfile.lock
index 0f4ee11c26..aaf22c7c2a 100644
--- a/omnibus/Gemfile.lock
+++ b/omnibus/Gemfile.lock
@@ -1,6 +1,6 @@
GIT
remote: https://github.com/chef/omnibus-software.git
- revision: b6f2ff8e4dfb7d70f49c8a512fdaa3e352a6d5fc
+ revision: 32876cd385807cd29b7b33cee219ad028dcc6f5f
branch: main
specs:
omnibus-software (4.0.0)
@@ -33,7 +33,7 @@ GEM
artifactory (3.0.15)
awesome_print (1.9.2)
aws-eventstream (1.2.0)
- aws-partitions (1.527.0)
+ aws-partitions (1.530.0)
aws-sdk-core (3.122.1)
aws-eventstream (~> 1, >= 1.0.2)
aws-partitions (~> 1, >= 1.525.0)
diff --git a/spec/functional/resource/macos_userdefaults_spec.rb b/spec/functional/resource/macos_userdefaults_spec.rb
index 2f79135c45..0ed7839ad0 100644
--- a/spec/functional/resource/macos_userdefaults_spec.rb
+++ b/spec/functional/resource/macos_userdefaults_spec.rb
@@ -116,4 +116,24 @@ describe Chef::Resource::MacosUserDefaults, :macos_only do
resource.key "titlesize"
expect { resource.run_action(:delete) }. to_not raise_error
end
+
+ context "resource can process FFI::Pointer type" do
+ it "for host property" do
+ resource.domain "/Library/Preferences/ManagedInstalls"
+ resource.key "TestDictionaryValues"
+ resource.value "User": "/Library/Managed Installs/way_fake.log"
+ resource.host :current
+ resource.run_action(:write)
+ expect { resource.run_action(:write) }. to_not raise_error
+ end
+
+ it "for user property" do
+ resource.domain "/Library/Preferences/ManagedInstalls"
+ resource.key "TestDictionaryValues"
+ resource.value "User": "/Library/Managed Installs/way_fake.log"
+ resource.user :current
+ resource.run_action(:write)
+ expect { resource.run_action(:write) }. to_not raise_error
+ end
+ end
end
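Review bot: Both new examples write `TestDictionaryValues` into the real `/Library/Preferences/ManagedInstalls` domain, and nothing in this hunk removes it afterwards. Unless the enclosing `describe` (which starts outside the hunk) already cleans up, add `after { resource.run_action(:delete) }` inside the new `context` so the functional run leaves the host's preferences unchanged. The examples only assert that the second `:write` does not raise. Reading the value back would also show that the user/host scope was actually applied.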
diff --git a/spec/unit/compliance/runner_spec.rb b/spec/unit/compliance/runner_spec.rb
index 602d675d4d..e8a08abfc1 100644
--- a/spec/unit/compliance/runner_spec.rb
+++ b/spec/unit/compliance/runner_spec.rb
@@ -1,4 +1,5 @@
require "spec_helper"
+require "tmpdir"
describe Chef::Compliance::Runner do
let(:logger) { double(:logger).as_null_object }
@@ -283,4 +284,63 @@ describe Chef::Compliance::Runner do
expect(inputs["chef_node"]["chef_environment"]).to eq("_default")
end
end
+
+ describe "interval running" do
+ let(:tempdir) { Dir.mktmpdir("chef-compliance-tests") }
+
+ before do
+ allow(runner).to receive(:report_timing_file).and_return("#{tempdir}/report_timing.json")
+ end
+
+ it "is disabled by default" do
+ expect(runner.node["audit"]["interval"]["enabled"]).to be false
+ end
+
+ it "defaults to 24 hours / 1440 minutes" do
+ expect(runner.node["audit"]["interval"]["time"]).to be 1440
+ end
+
+ it "runs when the timing file does not exist" do
+ expect(runner).to receive(:report)
+ runner.report_with_interval
+ end
+
+ it "runs when the timing file does not exist and intervals are enabled" do
+ node.normal["audit"]["interval"]["enabled"] = true
+ expect(runner).to receive(:report)
+ runner.report_with_interval
+ end
+
+ it "runs when the timing file exists and has a recent timestamp" do
+ FileUtils.touch runner.report_timing_file
+ expect(runner).to receive(:report)
+ runner.report_with_interval
+ end
+
+ it "does not runs when the timing file exists and has a recent timestamp and intervals are enabled" do
+ node.normal["audit"]["interval"]["enabled"] = true
+ FileUtils.touch runner.report_timing_file
+ expect(runner).not_to receive(:report)
+ runner.report_with_interval
+ end
+
+ it "does not runs when the timing file exists and has a recent timestamp and intervals are enabled" do
+ node.normal["audit"]["interval"]["enabled"] = true
+ FileUtils.touch runner.report_timing_file
+ ten_minutes_ago = Time.now - 600
+ File.utime ten_minutes_ago, ten_minutes_ago, runner.report_timing_file
+ expect(runner).not_to receive(:report)
+ runner.report_with_interval
+ end
+
+ it "runs when the timing file exists and has a recent timestamp and intervals are enabled and the time is short" do
+ node.normal["audit"]["interval"]["enabled"] = true
+ node.normal["audit"]["interval"]["time"] = 9
+ FileUtils.touch runner.report_timing_file
+ ten_minutes_ago = Time.now - 600
+ File.utime ten_minutes_ago, ten_minutes_ago, runner.report_timing_file
+ expect(runner).to receive(:report)
+ runner.report_with_interval
+ end
+ end
end
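Review bot: Two examples in the new `describe "interval running"` block share the description "does not runs when the timing file exists and has a recent timestamp and intervals are enabled", so a failure report cannot tell them apart. The second one should say what differs, e.g. `it "does not run when the timing file is ten minutes old and the interval is the default"`, and "does not runs" should read "does not run". The directory from `Dir.mktmpdir` is never removed; `after { FileUtils.remove_entry(tempdir) }` would fix that. There is also no example for a timing file dated in the future, or for `report` raising after the timestamp has been written. Those are the two cases where a scan could be skipped unintentionally.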