From 551751cc48cb705458665144583894832bd0fa19 Mon Sep 17 00:00:00 2001 From: John McCrae Date: Tue, 24 May 2022 12:13:53 +0600 Subject: backport Windows Certificate fixes to Chef-17 Signed-off-by: John McCrae --- chef-universal-mingw32.gemspec | 2 +- .../recipes/_chef_client_trusted_certificate.rb | 16 ++-- lib/chef/resource/windows_certificate.rb | 97 ++++++++++++---------- .../resource/windows_certificate_spec.rb | 27 +++--- 4 files changed, 78 insertions(+), 64 deletions(-) diff --git a/chef-universal-mingw32.gemspec b/chef-universal-mingw32.gemspec index 6d9497486c..a001bdc46c 100644 --- a/chef-universal-mingw32.gemspec +++ b/chef-universal-mingw32.gemspec @@ -14,7 +14,7 @@ gemspec.add_dependency "win32-service", ">= 2.1.5", "< 3.0" gemspec.add_dependency "wmi-lite", "~> 1.0" gemspec.add_dependency "win32-taskscheduler", "~> 2.0" gemspec.add_dependency "iso8601", ">= 0.12.1", "< 0.14" # validate 0.14 when it comes out -gemspec.add_dependency "win32-certstore", "~> 0.6.2" +gemspec.add_dependency "win32-certstore", "~> 0.6.14" gemspec.add_dependency "chef-powershell", "~> 1.0.12" # 0.5+ required for specifying user vs. system store gemspec.extensions << "ext/win32-eventlog/Rakefile" gemspec.files += Dir.glob("{distro,ext}/**/*") diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/_chef_client_trusted_certificate.rb b/kitchen-tests/cookbooks/end_to_end/recipes/_chef_client_trusted_certificate.rb index 94e6cedde8..e719a01837 100644 --- a/kitchen-tests/cookbooks/end_to_end/recipes/_chef_client_trusted_certificate.rb +++ b/kitchen-tests/cookbooks/end_to_end/recipes/_chef_client_trusted_certificate.rb 
@@ -1,10 +1,10 @@ chef_client_trusted_certificate "self-signed.badssl.com" do certificate <<~CERT -----BEGIN CERTIFICATE----- -MIIDeTCCAmGgAwIBAgIJAMnA8BB8xT6wMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV +MIIDeTCCAmGgAwIBAgIJALvxdCPEMG1VMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp c2NvMQ8wDQYDVQQKDAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTAeFw0y -MTEwMTEyMDAzNTRaFw0yMzEwMTEyMDAzNTRaMGIxCzAJBgNVBAYTAlVTMRMwEQYD +MjA1MTcyMTE1MjVaFw0yNDA1MTYyMTE1MjVaMGIxCzAJBgNVBAYTAlVTMRMwEQYD VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQK DAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2 @@ -14,12 +14,12 @@ xPxTuW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqve ww9HdFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SY QCeFxxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaMyMDAwCQYDVR0T BAIwADAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wDQYJKoZI -hvcNAQELBQADggEBAC4DensZ5tCTeCNJbHABYPwwqLUFOMITKOOgF3t8EqOan0CH -ST1NNi4jPslWrVhQ4Y3UbAhRBdqXl5N/NFfMzDosPpOjFgtifh8Z2s3w8vdlEZzf -A4mYTC8APgdpWyNgMsp8cdXQF7QOfdnqOfdnY+pfc8a8joObR7HEaeVxhJs+XL4E -CLByw5FR+svkYgCbQGWIgrM1cRpmXemt6Gf/XgFNP2PdubxqDEcnWlTMk8FCBVb1 -nVDSiPjYShwnWsOOshshCRCAiIBPCKPX0QwKDComQlRrgMIvddaSzFFTKPoNZjC+ -CUspSNnL7V9IIHvqKlRSmu+zIpm2VJCp1xLulk8= +hvcNAQELBQADggEBAI8cPgdGNaXwomKxzksJPMCHQC3zkTKQBqGAk4yWp3w7/WHV +1dTz/ezCH1UpxRUqTIZ/jS7OwrERRJCw6wr84WrKj0TKgZI00LEoRg3eK+U5QJj1 +4HZ8UTVkYL7OhPBanGgACw0eOvFtLdwizBTAw+B79Uzx0j84babX8HFq8UJR997H +FN+Fo9w4+ObXiA6BB9+fsqhRKPcIvt4HI6eQ4S/5lBkZbhHIPSR5oy4y7AsnZeb8 +hFNhP/WPdRvk4za0cAkuhoY5/3A/U4eFrXYL4N8mhqiRWvqbSaBT2YnlbSVxEDQM +CJWRCL+Lq4ZHGYgXSi1T0/LJHSlOa1F5qhZpk9A= -----END CERTIFICATE----- CERT end diff --git a/lib/chef/resource/windows_certificate.rb b/lib/chef/resource/windows_certificate.rb index 528b0c53f6..79abfa4c19 100644 --- a/lib/chef/resource/windows_certificate.rb 
+++ b/lib/chef/resource/windows_certificate.rb @@ -29,7 +29,6 @@ require "chef-utils/dist" unless defined?(ChefUtils::Dist) class Chef class Resource class WindowsCertificate < Chef::Resource - unified_mode true provides :windows_certificate @@ -129,14 +128,14 @@ class Chef end action :delete, description: "Deletes a certificate." do - cert_obj = fetch_cert + cert_is_valid = verify_cert - if cert_obj + if cert_is_valid == true converge_by("Deleting certificate #{new_resource.source} from Store #{new_resource.store_name}") do delete_cert end else - Chef::Log.debug("Certificate not found") + Chef::Log.debug("Certificate Not Found") end end 
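Review bot: The delete action now gates on `verify_cert`, which answers "is this certificate valid" rather than "is it in the store", so whether an expired certificate can be removed depends on how verify_cert maps "Certificate Has Expired". As written later in this patch that result maps to true; if the mapping is corrected to false, an expired certificate would be logged as "Certificate Not Found" and left in the store. A presence check, such as the `store.get` call that fetch_cert uses, would keep delete independent of expiry. verify_cert also raises InvalidKeyAttribute for any source that is not 40 characters long, where the removed resolve_thumbprint looked such values up through get_thumbprint, so a non-thumbprint source may no longer be deletable.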
@@ -146,17 +145,25 @@ class Chef end if ::File.extname(new_resource.output_path) == ".pfx" - powershell_exec!(pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_resource.output_path, password: new_resource.pfx_password )) + + validated_thumbprint = validate_thumbprint(new_resource.source) + if validated_thumbprint != false # is the thumbprint valid + cert_obj = powershell_exec!(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_resource.output_path, password: new_resource.pfx_password )) + else + message = "While fetching the certificate, was passed the following invalid certificate thumbprint : #{new_resource.source}\n" + raise Chef::Exceptions::InvalidKeyAttribute, message + end + else cert_obj = fetch_cert end - if cert_obj + if cert_obj != false && cert_obj != "Certificate Not Found" converge_by("Fetching certificate #{new_resource.source} from Store \\#{ps_cert_location}\\#{new_resource.store_name}") do export_cert(cert_obj, output_path: new_resource.output_path, store_name: new_resource.store_name , store_location: ps_cert_location, pfx_password: new_resource.pfx_password) end else - Chef::Log.debug("Certificate not found") + Chef::Log.debug("Certificate Not Found") end end @@ -187,7 +194,7 @@ class Chef def delete_cert store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location) - store.delete(resolve_thumbprint(new_resource.source)) + store.delete(validate_thumbprint(new_resource.source)) end def fetch_cert 
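Review bot: In the `.pfx` branch of the fetch action, `cert_obj` is assigned the return value of `powershell_exec!`, so the later guard `cert_obj != false && cert_obj != "Certificate Not Found"` looks like it can never be false on that path, and the "Certificate Not Found" debug line is reachable only through fetch_cert. Check the store before exporting (verify_cert already performs that lookup) or inspect the command result before entering `converge_by`. `validate_thumbprint(new_resource.source)` is also evaluated twice; pass the already computed `validated_thumbprint` to pfx_ps_cmd. `pfx_password` is forwarded to pfx_ps_cmd, whose body is outside this hunk, so confirm it cannot end up in log output or in the command's error text.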
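Review bot: `validate_thumbprint` returns `false` for a malformed value, and delete_cert passes that return straight into `store.delete` without testing it; the same pattern appears in fetch_cert (`store.get`) and fetch_key (`pfx_ps_cmd`) in the next hunk. The delete action calls verify_cert first, which raises, but the fetch action reaches fetch_cert with no such guard on the lines visible here. Raising inside validate_thumbprint, e.g. `raise Chef::Exceptions::InvalidKeyAttribute, "invalid thumbprint: #{thumbprint}" unless valid_thumbprint?(thumbprint)`, would remove the need for every caller to test for `false`.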
@@ -196,17 +203,16 @@ class Chef fetch_key else - store.get(resolve_thumbprint(new_resource.source), store_name: new_resource.store_name, store_location: native_cert_location) + store.get(validate_thumbprint(new_resource.source)) end end def fetch_key require "openssl" unless defined?(OpenSSL) file_name = ::File.basename(new_resource.output_path, ::File.extname(new_resource.output_path)) - directory = ::File.dirname(new_resource.output_path) pfx_file = file_name + ".pfx" new_pfx_output_path = ::File.join(Chef::FileCache.create_cache_path("pfx_files"), pfx_file) - powershell_exec(pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_pfx_output_path, password: new_resource.pfx_password )) + powershell_exec(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_pfx_output_path, password: new_resource.pfx_password )) pkcs12 = OpenSSL::PKCS12.new(::File.binread(new_pfx_output_path), new_resource.pfx_password) f = ::File.open(new_resource.output_path, "w") f.write(pkcs12.key.to_s) @@ -245,10 +251,6 @@ class Chef ::File.file?(source) end - def is_file?(source) - ::File.file?(source) - end - # Thumbprints should be exactly 40 Hex characters def valid_thumbprint?(string) string.match?(/[0-9A-Fa-f]/) && string.length == 40 
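Review bot: fetch_key runs the export through `powershell_exec`, which does not raise on failure, and then reads `new_pfx_output_path` unconditionally, so a failed export either errors in `File.binread` or, if a PFX from an earlier run is still in the cache path, writes out that older key. Use `powershell_exec!` as the fetch action does, and delete any existing file at `new_pfx_output_path` before exporting. The rest of fetch_key lies outside this hunk, so whether the cached PFX is removed afterwards cannot be seen here.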
@@ -261,29 +263,29 @@ class Chef GETTHUMBPRINTCODE end - def resolve_thumbprint(thumbprint) - return thumbprint if valid_thumbprint?(thumbprint) - - powershell_exec!(get_thumbprint(new_resource.store_name, ps_cert_location, new_resource.source)).result + def validate_thumbprint(thumbprint) + # valid_thumbprint can return false under at least 2 conditions: + # one is that the thumbprint is in fact busted + # the second is that the thumbprint is valid but belongs to an expired certificate already installed + results = valid_thumbprint?(thumbprint) + results == true ? thumbprint : false end - # Checks whether a certificate with the given thumbprint - # is already present and valid in certificate store - # If the certificate is not present, verify_cert returns a String: "Certificate not found" - # But if it is present but expired, it returns a Boolean: false - # Otherwise, it returns a Boolean: true - # updated this method to accept either a subject name or a thumbprint - 1/29/2021 - + # Checks to make sure whether the cert is found or not + # if it IS found, is it still valid - has it expired? def verify_cert(thumbprint = new_resource.source) store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location) - if new_resource.pfx_password.nil? - store.valid?(resolve_thumbprint(thumbprint), store_location: native_cert_location, store_name: new_resource.store_name ) + validated_thumbprint = validate_thumbprint(thumbprint) + if validated_thumbprint != false + result = store.valid?(thumbprint) + result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true else - store.valid?(resolve_thumbprint(thumbprint), store_location: native_cert_location, store_name: new_resource.store_name) + message = "While verifying the certificate, was passed the following invalid certificate thumbprint : #{thumbprint}\n" + raise Chef::Exceptions::InvalidKeyAttribute, message end end - # this array structure is solving 2 problems. 
The first is that we need to have support for both the CurrentUser AND LocalMachine stores + # this structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores # Secondly, we need to pass the proper constant name for each store to win32-certstore but also pass the short name to powershell scripts used here def ps_cert_location new_resource.user_store ? "CurrentUser" : "LocalMachine" @@ -436,7 +438,7 @@ class Chef end def export_cert(cert_obj, output_path:, store_name:, store_location:, pfx_password:) - # Delete the cert if it exists. This is non-destructive in that it only removes the file and not the entire path. + # Delete the cert if it exists on disk already. # We want to ensure we're not randomly loading an old stinky cert. if ::File.exists?(output_path) ::File.delete(output_path) 
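Review bot: In verify_cert, `result == ( "Certificate Not Found" || "Certificate Has Expired" )` compares only against "Certificate Not Found", because `||` between two truthy strings evaluates to the first one, so an expired certificate makes the method return true. Use `!["Certificate Not Found", "Certificate Has Expired"].include?(result)` here and in the identical expression in the `.pfx` branch of export_cert. The comment added to validate_thumbprint says valid_thumbprint? can fail for an expired certificate, but the predicate shown as context earlier in this file only inspects the string, and its pattern `/[0-9A-Fa-f]/` is unanchored, so any 40-character value containing a single hex digit passes. `string.match?(/\A[0-9A-Fa-f]{40}\z/)` would make the check match the "exactly 40 Hex characters" comment above it. That matters because the accepted value is handed to pfx_ps_cmd, whose body is outside this hunk.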
@@ -460,7 +462,20 @@ class Chef cert_out = shell_out("openssl x509 -text -inform DER -in #{cert_obj} -outform CRT").stdout out_file.puts(cert_out) when ".pfx" - pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: store_location, store_name: store_name, output_path: output_path, password: pfx_password ) + validated_thumbprint = validate_thumbprint(new_resource.source) + if validated_thumbprint != false # is the thumbprint valid + store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location) + result = store.valid?(new_resource.source) # is there a cert in the store matching that thumbprint + temp = result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true + if temp == true + pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: store_location, store_name: store_name, output_path: output_path, password: pfx_password ) + else + Chef::Log.debug("The requested certificate is not found or has expired") + end + else + message = "While exporting the pfx, was passed the following invalid certificate thumbprint : #{new_resource.source}\n" + raise Chef::Exceptions::InvalidKeyAttribute, message + end when ".p7b" cert_out = shell_out("openssl pkcs7 -export -nokeys -in #{cert_obj.to_pem} -outform P7B").stdout out_file.puts(cert_out) 
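Review bot: When the store lookup fails in the `.pfx` branch, export_cert only writes a debug line, yet it is called from inside the fetch action's `converge_by`, so the resource would be reported as updated although nothing was exported. Raise, or return a status the caller checks before converging. The branch also repeats verify_cert's lookup inline; calling `verify_cert` would keep the two in step, and the computed `validated_thumbprint` can be passed to pfx_ps_cmd instead of validating a second time. export_cert begins and ends outside this hunk.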
@@ -481,14 +496,11 @@ class Chef # def import_certificates(cert_objs, is_pfx, store_name: new_resource.store_name, store_location: native_cert_location) [cert_objs].flatten.each do |cert_obj| - # thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s - # pkcs = OpenSSL::PKCS12.new(cert_obj, new_resource.pfx_password) - # cert = OpenSSL::X509::Certificate.new(pkcs.certificate.to_pem) thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s - if is_pfx - if verify_cert(thumbprint) == true - Chef::Log.debug("Certificate is already present") - else + if verify_cert(thumbprint) == true + Chef::Log.debug("Certificate is already present") + elsif verify_cert(thumbprint) == false # Not found already in the CertStore + if is_pfx if is_file?(new_resource.source) converge_by("Creating a PFX #{new_resource.source} for Store #{new_resource.store_name}") do add_pfx_cert(new_resource.source) @@ -502,15 +514,14 @@ class Chef message << exception.message raise Chef::Exceptions::ArgumentError, message end - end - else - if verify_cert(thumbprint) == true - Chef::Log.debug("Certificate is already present") else converge_by("Creating a certificate #{new_resource.source} for Store #{new_resource.store_name}") do add_cert(cert_obj) end end + else + message = "Certificate could not be imported" + raise Chef::Exceptions::CertificateNotImportable, message end end end diff --git a/spec/functional/resource/windows_certificate_spec.rb b/spec/functional/resource/windows_certificate_spec.rb index df2d1cbec8..9552d559b3 100644 --- a/spec/functional/resource/windows_certificate_spec.rb +++ b/spec/functional/resource/windows_certificate_spec.rb @@ -89,7 +89,9 @@ describe Chef::Resource::WindowsCertificate, :windows_only do end - after { delete_store } + after do + delete_store + end describe "action: create" do it "starts with no certificates" do 
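Review bot: import_certificates evaluates `verify_cert(thumbprint)` in both the `if` and the `elsif`, which opens the store and queries it twice per certificate; assign it once, `present = verify_cert(thumbprint)`, and branch on that. Since verify_cert as written returns only true or false (or raises), the final `else` that raises `Chef::Exceptions::CertificateNotImportable` in the following hunk is unreachable. That exception class is not added anywhere in this patch, so confirm it is defined before relying on it.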
@@ -195,7 +197,7 @@ describe Chef::Resource::WindowsCertificate, :windows_only do create_store end it "fails with no certificates in the store" do - expect(Chef::Log).to receive(:info).with("Certificate not found") + expect(Chef::Log).to receive(:info).with("Certificate not valid") resource.source = tests_thumbprint resource.run_action(:verify) @@ -219,7 +221,7 @@ describe Chef::Resource::WindowsCertificate, :windows_only do end it "fails with an invalid thumbprint" do - expect(Chef::Log).to receive(:info).with("Certificate not found") + expect(Chef::Log).to receive(:info).with("Certificate not valid") resource.source = others_thumbprint resource.run_action(:verify) @@ -253,7 +255,7 @@ describe Chef::Resource::WindowsCertificate, :windows_only do end it "fails with an invalid thumbprint" do - expect(Chef::Log).to receive(:info).with("Certificate not found") + expect(Chef::Log).to receive(:info).with("Certificate not valid") resource.source = others_thumbprint resource.run_action(:verify) @@ -265,11 +267,11 @@ describe Chef::Resource::WindowsCertificate, :windows_only do describe "action: fetch" do context "with no certificate in the store" do - it "throws an error with no certificates in the store" do - expect(Chef::Log).not_to receive(:info) + it "logs a debug error with no certificates in the store" do + expect(Chef::Log).to receive(:debug).with("Certificate Not Found") resource.source = others_thumbprint resource.output_path = cert_output_path - expect { resource.run_action :fetch }.to raise_error(ArgumentError) + resource.run_action(:fetch) end end @@ -288,7 +290,7 @@ describe Chef::Resource::WindowsCertificate, :windows_only do end it "fails with an invalid thumbprint" do - expect(Chef::Log).not_to receive(:info) + expect(Chef::Log).to receive(:debug).with("Certificate Not Found") resource.source = others_thumbprint 
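Review bot: None of the spec hunks shown exercises the two branches this patch adds to the resource: a source that is not a 40-character thumbprint (the new InvalidKeyAttribute raise) and a certificate that is present but expired. Add one example for each, for instance `expect { resource.run_action(:delete) }.to raise_error(Chef::Exceptions::InvalidKeyAttribute)` with a malformed source. The examples titled "fails with an invalid thumbprint" set `others_thumbprint` and now expect a "not found"/"not valid" log line, which suggests the value is well formed but absent from the store; renaming them would avoid confusion with the malformed case.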
@@ -296,7 +298,7 @@ describe Chef::Resource::WindowsCertificate, :windows_only do path = File.join(dir, "test.pem") resource.output_path = path - expect { resource.run_action :fetch }.to raise_error(ArgumentError) + resource.run_action(:fetch) end end @@ -340,9 +342,10 @@ describe Chef::Resource::WindowsCertificate, :windows_only do end describe "action: delete" do - it "throws an argument error when attempting to delete a certificate that doesn't exist" do + it "logs an error when attempting to delete a certificate that doesn't exist" do + expect(Chef::Log).to receive(:debug).with("Certificate Not Found") resource.source = tests_thumbprint - expect { resource.run_action :delete }.to raise_error(ArgumentError) + resource.run_action(:delete) end it "deletes an existing certificate while leaving other certificates alone" do @@ -360,7 +363,7 @@ describe Chef::Resource::WindowsCertificate, :windows_only do expect(certificate_count).to eq(1) expect(resource).to be_updated_by_last_action - expect { resource.run_action :delete }.to raise_error(ArgumentError) + expect { resource.run_action :delete }.not_to raise_error expect(certificate_count).to eq(1) expect(resource).not_to be_updated_by_last_action -- cgit v1.2.1 From 32b64561b611a6d21f19df1c6508326f12aaf271 Mon Sep 17 00:00:00 2001 From: John McCrae Date: Tue, 24 May 2022 12:19:19 +0600 Subject: backport Windows Certificate fixes to Chef-17 Signed-off-by: John McCrae --- Gemfile.lock | 30 +++++++++++++++--------------- omnibus/Gemfile.lock | 34 +++++++++++++++++----------------- 2 files changed, 32 insertions(+), 32 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index e6344acf2b..b2848199bf 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -100,7 +100,7 @@ PATH uuidtools (>= 2.1.5, < 3.0) vault (~> 0.16) win32-api (~> 1.5.3) - win32-certstore (~> 0.6.2) + win32-certstore (~> 0.6.14) win32-event (~> 0.6.1) win32-eventlog (= 0.6.3) win32-mmap (~> 0.4.1) 
@@ -143,13 +143,13 @@ GEM mixlib-shellout (>= 2.0, < 4.0) ast (2.4.2) aws-eventstream (1.2.0) - aws-partitions (1.587.0) - aws-sdk-core (3.131.0) + aws-partitions (1.590.0) + aws-sdk-core (3.131.1) aws-eventstream (~> 1, >= 1.0.2) aws-partitions (~> 1, >= 1.525.0) aws-sigv4 (~> 1.1) - jmespath (~> 1.0) - aws-sdk-kms (1.56.0) + jmespath (~> 1, >= 1.6.1) + aws-sdk-kms (1.57.0) aws-sdk-core (~> 3, >= 3.127.0) aws-sigv4 (~> 1.1) aws-sdk-s3 (1.114.0) @@ -230,7 +230,7 @@ GEM hashie (4.1.0) httpclient (2.8.3) iniparse (1.5.0) - inspec-core (4.56.19) + inspec-core (4.56.20) addressable (~> 2.4) chef-telemetry (~> 1.0, >= 1.0.8) faraday (>= 0.9.0, < 1.5) @@ -253,12 +253,12 @@ GEM train-core (~> 3.0) tty-prompt (~> 0.17) tty-table (~> 0.10) - inspec-core-bin (4.56.19) - inspec-core (= 4.56.19) + inspec-core-bin (4.56.20) + inspec-core (= 4.56.20) ipaddress (0.8.3) iso8601 (0.13.0) jmespath (1.6.1) - json (2.6.1) + json (2.6.2) libyajl2 (2.1.0) license-acceptance (2.1.13) pastel (~> 0.7) @@ -316,7 +316,7 @@ GEM rainbow (3.1.1) rake (13.0.6) rb-readline (0.5.5) - regexp_parser (2.3.0) + regexp_parser (2.4.0) rexml (3.2.5) rspec (3.11.0) rspec-core (~> 3.11.0) @@ -343,13 +343,13 @@ GEM rubocop-ast (>= 1.15.1, < 2.0) ruby-progressbar (~> 1.7) unicode-display_width (>= 1.4.0, < 3.0) - rubocop-ast (1.17.0) + rubocop-ast (1.18.0) parser (>= 3.1.1.0) ruby-progressbar (1.11.0) ruby2_keywords (0.0.5) rubyntlm (0.6.3) rubyzip (2.3.2) - semverse (3.0.0) + semverse (3.0.2) sslshake (1.3.1) strings (0.2.1) strings-ansi (~> 0.2) @@ -400,7 +400,7 @@ GEM hashdiff (>= 0.4.0, < 2.0.0) webrick (1.7.0) win32-api (1.5.3-universal-mingw32) - win32-certstore (0.6.13) + win32-certstore (0.6.15) chef-powershell (>= 1.0.12) ffi win32-event (0.6.3) @@ -413,7 +413,7 @@ GEM ffi win32-mutex (0.4.3) win32-ipc (>= 0.6.0) - win32-process (0.9.0) + win32-process (0.10.0) ffi (>= 1.0.0) win32-service (2.3.2) ffi @@ -471,4 +471,4 @@ DEPENDENCIES webmock BUNDLED WITH - 2.3.7 + 2.3.5 
diff --git a/omnibus/Gemfile.lock b/omnibus/Gemfile.lock index 0420bc1329..0886df82ad 100644 --- a/omnibus/Gemfile.lock +++ b/omnibus/Gemfile.lock @@ -1,6 +1,6 @@ GIT remote: https://github.com/chef/omnibus-software.git - revision: 8a0e391d4232ab3fc5fb7a03b15932335a0214c4 + revision: 36f49ec7dff16c5bf5d60e106ae709dcf1f824b1 branch: main specs: omnibus-software (4.0.0) @@ -33,28 +33,28 @@ GEM artifactory (3.0.15) awesome_print (1.9.2) aws-eventstream (1.2.0) - aws-partitions (1.577.0) - aws-sdk-core (3.130.1) + aws-partitions (1.590.0) + aws-sdk-core (3.131.1) aws-eventstream (~> 1, >= 1.0.2) aws-partitions (~> 1, >= 1.525.0) aws-sigv4 (~> 1.1) - jmespath (~> 1.0) - aws-sdk-kms (1.55.0) + jmespath (~> 1, >= 1.6.1) + aws-sdk-kms (1.57.0) aws-sdk-core (~> 3, >= 3.127.0) aws-sigv4 (~> 1.1) - aws-sdk-s3 (1.113.0) + aws-sdk-s3 (1.114.0) aws-sdk-core (~> 3, >= 3.127.0) aws-sdk-kms (~> 1) aws-sigv4 (~> 1.4) - aws-sdk-secretsmanager (1.59.0) + aws-sdk-secretsmanager (1.61.0) aws-sdk-core (~> 3, >= 3.127.0) aws-sigv4 (~> 1.1) - aws-sigv4 (1.4.0) + aws-sigv4 (1.5.0) aws-eventstream (~> 1, >= 1.0.2) bcrypt_pbkdf (1.1.0) bcrypt_pbkdf (1.1.0-x64-mingw32) bcrypt_pbkdf (1.1.0-x86-mingw32) - berkshelf (7.2.2) + berkshelf (8.0.1) chef (>= 15.7.32) chef-config cleanroom (~> 1.0) @@ -210,7 +210,7 @@ GEM hashie (4.1.0) httpclient (2.8.3) iniparse (1.5.0) - inspec-core (4.56.19) + inspec-core (4.56.20) addressable (~> 2.4) chef-telemetry (~> 1.0, >= 1.0.8) faraday (>= 0.9.0, < 1.5) @@ -237,7 +237,7 @@ GEM ipaddress (0.8.3) iso8601 (0.13.0) jmespath (1.6.1) - json (2.6.1) + json (2.6.2) kitchen-vagrant (1.11.0) test-kitchen (>= 1.4, < 4) libyajl2 (2.1.0) @@ -347,7 +347,7 @@ GEM sawyer (0.8.2) addressable (>= 2.3.5) faraday (> 0.8, < 2.0) - semverse (3.0.0) + semverse (3.0.2) solve (4.0.4) molinillo (~> 0.6) semverse (>= 1.1, < 4.0) 
@@ -409,13 +409,13 @@ GEM unicode-display_width (2.1.0) unicode_utils (1.4.0) uuidtools (2.2.0) - vault (0.16.0) + vault (0.17.0) aws-sigv4 webrick (1.7.0) win32-api (1.5.3-universal-mingw32) - win32-certstore (0.6.2) + win32-certstore (0.6.15) + chef-powershell (>= 1.0.12) ffi - mixlib-shellout win32-event (0.6.3) win32-ipc (>= 0.6.0) win32-eventlog (0.6.3) @@ -426,7 +426,7 @@ GEM ffi win32-mutex (0.4.3) win32-ipc (>= 0.6.0) - win32-process (0.9.0) + win32-process (0.10.0) ffi (>= 1.0.0) win32-service (2.3.2) ffi @@ -472,4 +472,4 @@ DEPENDENCIES winrm-fs (~> 1.0) BUNDLED WITH - 2.3.7 + 2.3.5 -- cgit v1.2.1 From 44e0f6680a9a2ffbd519c29e517a8f962d428eec Mon Sep 17 00:00:00 2001 From: John McCrae Date: Tue, 24 May 2022 14:22:50 +0600 Subject: backport Windows Certificate fixes to Chef-17 Signed-off-by: John McCrae --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index b2848199bf..3e23c1dda1 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -258,7 +258,7 @@ GEM ipaddress (0.8.3) iso8601 (0.13.0) jmespath (1.6.1) - json (2.6.2) + json (2.6.0) libyajl2 (2.1.0) license-acceptance (2.1.13) pastel (~> 0.7) -- cgit v1.2.1 From 72080139235ecab69769270c04f808fe8501f915 Mon Sep 17 00:00:00 2001 From: John McCrae Date: Tue, 24 May 2022 15:22:29 +0600 Subject: backport Windows Certificate fixes to Chef-17 Signed-off-by: John McCrae --- .github/workflows/kitchen.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/workflows/kitchen.yml b/.github/workflows/kitchen.yml index c9b77573ad..2a3245111d 100644 --- a/.github/workflows/kitchen.yml +++ b/.github/workflows/kitchen.yml 
@@ -30,6 +30,14 @@ jobs: run: | $env:PATH = "C:\opscode\chef\bin;C:\opscode\chef\embedded\bin;" + $env:PATH $env:OHAI_VERSION = ( Select-String -Path .\Gemfile.lock -Pattern '(?<=ohai \()\d.*(?=\))' | ForEach-Object { $_.Matches[0].Value } ) + + # The chef-client installer does not put the file 'ansidecl.h' down in the correct location + # This leads to failures during testing. Moving that file to its correct position here. + # Another example of 'bad' that needs to be corrected + $output = gci -path C:\opscode\ -file ansidecl.h -Recurse + $target_path = $($output.Directory.Parent.FullName + "\x86_64-w64-mingw32\include") + Move-Item -Path $output.FullName -Destination $target_path + gem install appbundler appbundle-updater --no-doc If ($lastexitcode -ne 0) { Exit $lastexitcode } appbundle-updater chef chef $env:GITHUB_SHA --tarball --github $env:GITHUB_REPOSITORY @@ -51,12 +59,6 @@ jobs: Remove-Item -Path C:\opscode\chef\embedded\bin\htmldiff Remove-Item -Path C:\opscode\chef\embedded\bin\ldiff } - # The chef-client installer does not put the file 'ansidecl.h' down in the correct location - # This leads to failures during testing. Moving that file to its correct position here. - # Another example of 'bad' that needs to be corrected - $output = gci -path C:\opscode\ -file ansidecl.h -Recurse - $target_path = $($output.Directory.Parent.FullName + "\x86_64-w64-mingw32\include") - Move-Item -Path $output.FullName -Destination $target_path bundle install --jobs=3 --retry=3 # If ($lastexitcode -ne 0) { Exit $lastexitcode } @@ -70,7 +72,7 @@ jobs: If ($lastexitcode -ne 0) { Exit $lastexitcode } berks vendor cookbooks If ($lastexitcode -ne 0) { Exit $lastexitcode } - chef-client -z -o end_to_end --chef-license accept-no-persist + chef-client -z -o end_to_end --chef-license accept-no-persistt macos: strategy: -- cgit v1.2.1 From 4559e3d2157160cc097b81e595a8caf5ee43ee94 Mon Sep 17 00:00:00 2001 
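Review bot: The relocated `ansidecl.h` step assumes `gci -Recurse` returns exactly one file: with no match `$output` is null and `Move-Item` fails on an empty path, and with several matches `$output.FullName` is an array moved to a single `$target_path`. Unlike the commands after it, the step has no exit check. Guard it with something like `if (@($output).Count -ne 1) { throw "expected one ansidecl.h, found $(@($output).Count)" }` before the move.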
From: John McCrae Date: Tue, 24 May 2022 19:01:12 +0600 Subject: backport Windows Certificate fixes to Chef-17 Signed-off-by: John McCrae --- .github/workflows/kitchen.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kitchen.yml b/.github/workflows/kitchen.yml index 2a3245111d..9a88eccb06 100644 --- a/.github/workflows/kitchen.yml +++ b/.github/workflows/kitchen.yml @@ -72,7 +72,7 @@ jobs: If ($lastexitcode -ne 0) { Exit $lastexitcode } berks vendor cookbooks If ($lastexitcode -ne 0) { Exit $lastexitcode } - chef-client -z -o end_to_end --chef-license accept-no-persistt + chef-client -z -o end_to_end --chef-license accept-no-persist macos: strategy: -- cgit v1.2.1