Merge branch 'release/5.0.0' into add-sensitivity
Коммит
c68a1113c5
|
@ -0,0 +1,4 @@
|
|||
Style/WordArray:
|
||||
Enabled: false
|
||||
Style/SymbolArray:
|
||||
Enabled: false
|
18
CHANGELOG.md
18
CHANGELOG.md
|
@ -1,5 +1,23 @@
|
|||
# Changelog
|
||||
|
||||
## [4.3.0] - 2022-03-04
|
||||
|
||||
### Fixed
|
||||
|
||||
- Reversed order of arguments for certificate installation to address [Bug 244](https://github.com/microsoft/macos-cookbook/issues/244).
|
||||
|
||||
### Added
|
||||
|
||||
- New test suites and recipe change to account for `.cer` files.
|
||||
- New certificate resource property: `kc_passwd` which allows setting of keychain password.
|
||||
- Check for certificate existence within the keychain before installing a new one to ensure idempotency.
|
||||
- Made password properties sensitive.
|
||||
- Updated certificate resource documentation.
|
||||
|
||||
### Changed
|
||||
|
||||
- Removed dependency on using the `default['macos']['admin_password']` attribute for setting the keychain password when using the certificate resource.
|
||||
|
||||
## [4.2.3] - 2022-02-03
|
||||
|
||||
### Fixed
|
||||
|
|
|
@ -3,7 +3,7 @@ certificate
|
|||
|
||||
Use the **certificate** resource to manage certificates for keychains.
|
||||
Under the hood, the [**certificate**](https://github.com/Microsoft/macos-cookbook/blob/master/resources/certificate.rb) resource executes the `security`
|
||||
command in the `security_cmd` library.
|
||||
command in the [**security_cmd**](https://github.com/Microsoft/macos-cookbook/blob/master/libraries/security_cmd.rb) library.
|
||||
|
||||
Syntax
|
||||
------
|
||||
|
@ -16,6 +16,7 @@ certificate 'cert name' do
|
|||
certfile String # certificate in .p12(PFX) or .cer(SSl certificate file) format
|
||||
cert_passwd String # password for PFX format certificate file
|
||||
keychain String # keychain to install certificate to
|
||||
kc_passwd String # keychain password
|
||||
apps Array # list of apps that may access the imported key
|
||||
sensitive Boolean # run execute resource with sensitive
|
||||
end
|
||||
|
@ -49,6 +50,7 @@ certificate 'cert name' do
|
|||
certfile '/User/edward/Documents/cert.p12'
|
||||
cert_passwd 'teach'
|
||||
keychain '/User/edward/Library/Keychains/florida.keychain'
|
||||
kc_passwd 'test'
|
||||
end
|
||||
```
|
||||
|
||||
|
|
|
@ -107,13 +107,13 @@ if node['platform_version'].match?(/10\.13/) || node['platform_version'].match?(
|
|||
end
|
||||
|
||||
xcode '9.2' do
|
||||
ios_simulators %w(11 10)
|
||||
ios_simulators ['11', '10']
|
||||
end
|
||||
|
||||
elsif node['platform_version'].match?(/10\.11/)
|
||||
|
||||
xcode '8.2.1' do
|
||||
ios_simulators %w(10 9)
|
||||
ios_simulators ['10', '9']
|
||||
end
|
||||
end
|
||||
```
|
||||
|
@ -122,7 +122,7 @@ end
|
|||
|
||||
```ruby
|
||||
xcode '9.2' do
|
||||
ios_simulators %w(11 10)
|
||||
ios_simulators ['11', '10']
|
||||
download_url 'file:///Users/johnny/Desktop/xcode_install.dmg'
|
||||
end
|
||||
```
|
||||
|
|
|
@ -41,7 +41,7 @@ platforms:
|
|||
- name: monterey-chef17
|
||||
driver:
|
||||
box: microsoft/macos-monterey
|
||||
box_version: 12.0-21A5506j
|
||||
box_version: 12.2
|
||||
provisioner:
|
||||
product_version: 17
|
||||
|
||||
|
|
|
@ -24,10 +24,6 @@ module MacOS
|
|||
end
|
||||
end
|
||||
|
||||
def convert_array_to_string(value)
|
||||
|
||||
end
|
||||
|
||||
def convert_to_string_from_data_type(value)
|
||||
case value
|
||||
when Array
|
||||
|
@ -39,11 +35,13 @@ module MacOS
|
|||
when TrueClass
|
||||
"-bool #{value}"
|
||||
when Hash
|
||||
"-dict #{value.map { |key,value| Shellwords.shellescape(key) + ' ' + convert_to_string_from_data_type(value)}.join(' ')}"
|
||||
"-dict #{value.map do |k, v|
|
||||
Shellwords.shellescape(k) + ' ' + convert_to_string_from_data_type(v)
|
||||
end.join(' ')}"
|
||||
when String
|
||||
"-string #{Shellwords.shellescape(value)}"
|
||||
when Float
|
||||
"-float #{value}"
|
||||
"-float #{value}"
|
||||
else
|
||||
raise "Unknown or unsupported data type: #{value} of #{value.class}"
|
||||
end
|
||||
|
@ -88,7 +86,7 @@ module MacOS
|
|||
when 'add'
|
||||
type_to_commandline_string(value)
|
||||
when 'set'
|
||||
if value.class == Hash
|
||||
if value.instance_of?(Hash)
|
||||
sep = ':'
|
||||
value.map { |k, v| "#{k} #{v}" }
|
||||
else
|
||||
|
@ -106,7 +104,7 @@ module MacOS
|
|||
defaults_read_type_output = shell_out(defaults_executable, 'read-type', path, entry).stdout
|
||||
data_type = defaults_read_type_output.split.last
|
||||
|
||||
if value.class == Hash
|
||||
if value.instance_of?(Hash)
|
||||
plutil_output = shell_out(plutil_executable, '-extract', entry, 'xml1', '-o', '-', path).stdout.chomp
|
||||
{ key_type: data_type, key_value: Plist.parse_xml(plutil_output) }
|
||||
else
|
||||
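Review bot: `value.instance_of?(Hash)` in the `'set'` branch, and again in the read hunk at `@ -106`, matches only exact `Hash` objects, while `convert_to_string_from_data_type` in the same module dispatches with `when Hash`, which also accepts subclasses. A dictionary that arrives as a Hash subclass (for example a Mash-based node attribute, if one is ever passed here) would be treated as a dict by one method and fall into the `else` branch of the others. `if value.is_a?(Hash)` would keep the paths consistent. The enclosing methods start and end outside the visible hunks, so the effect of the `else` branches is inferred.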
|
|
|
@ -33,7 +33,7 @@ module MacOS
|
|||
end
|
||||
|
||||
def add_certificates
|
||||
@keychain.empty? ? [@security_cmd, 'add-certificates', @cert] : [@security_cmd, 'add-certificates', @cert, '-k', @keychain]
|
||||
@keychain.empty? ? [@security_cmd, 'add-certificates', @cert] : [@security_cmd, 'add-certificates', '-k', @keychain, @cert]
|
||||
end
|
||||
|
||||
def import(cert_passwd, apps)
|
||||
|
|
|
@ -9,12 +9,12 @@ module MacOS
|
|||
|
||||
def desktop?
|
||||
return false if @machine_model.nil?
|
||||
@machine_model.match? Regexp.union %w(Macmini MacPro iMac)
|
||||
@machine_model.match? Regexp.union ['Macmini', 'MacPro', 'iMac']
|
||||
end
|
||||
|
||||
def portable?
|
||||
return false if @machine_model.nil?
|
||||
@machine_model.match? Regexp.union %w(MacBook)
|
||||
@machine_model.match? Regexp.union ['MacBook']
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@ maintainer_email 'chef@microsoft.com'
|
|||
license 'MIT'
|
||||
description 'Resources for configuring and provisioning macOS'
|
||||
chef_version '>= 14.0'
|
||||
version '4.2.3'
|
||||
version '5.0.0'
|
||||
|
||||
source_url 'https://github.com/Microsoft/macos-cookbook'
|
||||
issues_url 'https://github.com/Microsoft/macos-cookbook/issues'
|
||||
|
|
|
@ -1,29 +1,29 @@
|
|||
unified_mode true
|
||||
|
||||
provides :certificate
|
||||
default_action :install
|
||||
|
||||
property :certfile, String
|
||||
property :cert_password, String, sensitive: true
|
||||
property :keychain, String
|
||||
property :keychain, String, required: true
|
||||
property :kc_passwd, String, required: true, sensitive: true
|
||||
property :apps, Array
|
||||
property :sensitive, [true, false], default: false
|
||||
|
||||
action_class do
|
||||
def keychain
|
||||
new_resource.property_is_set?(:keychain) ? new_resource.keychain : ''
|
||||
end
|
||||
end
|
||||
|
||||
action :install do
|
||||
cert = SecurityCommand.new(new_resource.certfile, keychain)
|
||||
cert = SecurityCommand.new(new_resource.certfile, new_resource.keychain)
|
||||
|
||||
execute 'unlock keychain' do
|
||||
command Array(cert.unlock_keychain(node['macos']['admin_password']))
|
||||
command Array(cert.unlock_keychain(new_resource.kc_passwd))
|
||||
sensitive new_resource.sensitive
|
||||
end
|
||||
|
||||
cert_shasum = shell_out("shasum #{new_resource.certfile}").stdout.upcase.gsub(/\s.+/, '')
|
||||
find_cert_output = shell_out("/usr/bin/security find-certificate -a -Z #{new_resource.keychain}").stdout
|
||||
|
||||
execute 'install-certificate' do
|
||||
command Array(cert.install_certificate(new_resource.cert_password, new_resource.apps))
|
||||
sensitive new_resource.sensitive
|
||||
not_if { find_cert_output.include? cert_shasum }
|
||||
end
|
||||
end
|
||||
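Review bot: The two new `shell_out` calls interpolate `new_resource.certfile` and `new_resource.keychain` into a single shell string, so a path containing a space or a shell metacharacter is split or interpreted by the shell. The plist helper on this page already uses the argument form, `shell_out(defaults_executable, 'read-type', path, entry)`. Prefer `shell_out('shasum', new_resource.certfile)` and `shell_out('/usr/bin/security', 'find-certificate', '-a', '-Z', new_resource.keychain)`. Separately, when `shasum` prints nothing (missing file, failed command) `cert_shasum` is an empty string and `find_cert_output.include? cert_shasum` is always true, so the install is skipped silently. A guard such as `not_if { !cert_shasum.empty? && find_cert_output.include?(cert_shasum) }` avoids that.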
|
|
|
@ -1,7 +1,7 @@
|
|||
unified_mode true
|
||||
|
||||
provides :xcode
|
||||
default_action %i(install_gem install_xcode install_simulators)
|
||||
default_action [:install_gem, :install_xcode, :install_simulators]
|
||||
|
||||
property :version, String, name_property: true
|
||||
property :path, String, default: '/Applications/Xcode.app'
|
||||
|
|
|
@ -103,7 +103,7 @@ describe MacOS::PlistHelpers, '#type_to_commandline_string' do
|
|||
end
|
||||
|
||||
it 'returns the required array entry type as a string' do
|
||||
expect(type_to_commandline_string(%w(foo bar))).to eq 'array'
|
||||
expect(type_to_commandline_string(['foo', 'bar'])).to eq 'array'
|
||||
end
|
||||
|
||||
it 'returns the required dictionary entry type as a string' do
|
||||
|
@ -147,11 +147,11 @@ describe MacOS::PlistHelpers, '#convert_to_string_from_data_type' do
|
|||
end
|
||||
|
||||
it 'returns the required dictionary entry' do
|
||||
expect(convert_to_string_from_data_type({'a' => 'b', 'c' => 'd'})).to eq '-dict a -string b c -string d'
|
||||
expect(convert_to_string_from_data_type({ 'a' => 'b', 'c' => 'd' })).to eq '-dict a -string b c -string d'
|
||||
end
|
||||
|
||||
it 'returns the required dictionary entry with embedded quotes and numbers' do
|
||||
expect(convert_to_string_from_data_type({'a' => 3, 'c' => '"d"'})).to eq '-dict a -integer 3 c -string \"d\"'
|
||||
expect(convert_to_string_from_data_type({ 'a' => 3, 'c' => '"d"' })).to eq '-dict a -integer 3 c -string \"d\"'
|
||||
end
|
||||
|
||||
it 'returns the required array entry' do
|
||||
|
|
|
@ -63,7 +63,7 @@ describe MacOS::SecurityCommand, 'certificate creation commands' do
|
|||
|
||||
context 'adding a certificate (.cer) to a certain keychain' do
|
||||
it 'adds a specified .cer certificate file' do
|
||||
expect(cer_cert_kc.add_certificates).to eq ['/usr/bin/security', 'add-certificates', '/Users/vagrant/Test.cer', '-k', 'test.keychain']
|
||||
expect(cer_cert_kc.add_certificates).to eq ['/usr/bin/security', 'add-certificates', '-k', 'test.keychain', '/Users/vagrant/Test.cer']
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ describe 'xcode' do
|
|||
'4.3.2 for Lion',
|
||||
'4.3.3 for Lion',
|
||||
'4.4',
|
||||
'4.4.1',
|
||||
'4.4.1',
|
||||
'4.5',
|
||||
'4.5.1',
|
||||
'4.5.2',
|
||||
|
|
|
@ -1,12 +1,42 @@
|
|||
foobar_pem_path = '/Users/vagrant/foobar.pem'
|
||||
foobar_cer_path = '/Users/vagrant/foobar.cer'
|
||||
|
||||
cookbook_file '/Users/vagrant/Test.p12' do
|
||||
action :create
|
||||
source 'Test.p12'
|
||||
end
|
||||
|
||||
keychain 'test' do
|
||||
kc_file '/Users/vagrant/Library/Keychains/test.keychain'
|
||||
kc_passwd 'test'
|
||||
action :create
|
||||
end
|
||||
|
||||
openssl_x509_certificate foobar_pem_path do
|
||||
common_name 'www.f00bar.com'
|
||||
org 'Foo Bar'
|
||||
org_unit 'Lab'
|
||||
country 'US'
|
||||
end
|
||||
|
||||
execute 'convert .pem certificate to .cer certificate' do
|
||||
command ['/usr/bin/openssl', 'x509', '-inform', 'PEM', '-in', foobar_pem_path, '-outform', 'DER', '-out', foobar_cer_path]
|
||||
only_if { ::File.exist? foobar_pem_path }
|
||||
end
|
||||
|
||||
certificate 'install a .cer format certificate file' do
|
||||
certfile foobar_cer_path
|
||||
keychain '/Users/vagrant/Library/Keychains/login.keychain'
|
||||
kc_passwd node['macos']['admin_password']
|
||||
apps ['/Applications/Numbers.app']
|
||||
action :install
|
||||
end
|
||||
|
||||
certificate 'install a PFX format certificate file' do
|
||||
certfile '/Users/vagrant/Test.p12'
|
||||
cert_password 'test'
|
||||
keychain '/Users/vagrant/Library/Keychains/login.keychain'
|
||||
keychain '/Users/vagrant/Library/Keychains/test.keychain'
|
||||
kc_passwd 'test'
|
||||
apps ['/Applications/Safari.app']
|
||||
action :install
|
||||
end
|
||||
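Review bot: Neither `certificate` block sets `sensitive true`, so the suite only exercises the resource with its `sensitive` default of false, and the first block passes `node['macos']['admin_password']` as `kc_passwd` on that path. If the `execute` resources place these values on the command line, they would not be suppressed in Chef's output; the command builders are not shown on this page, so this is inferred. Adding `sensitive true` to both blocks would cover the protected path. The new `execute 'convert .pem certificate to .cer certificate'` also has no `creates foobar_cer_path` guard, so it re-runs on every converge.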
|
|
|
@ -3,7 +3,6 @@ user_home = File.join('/', 'Users', user)
|
|||
|
||||
if Gem::Version.new(node['platform_version']) >= Gem::Version.new('10.13')
|
||||
admin_credentials = ['-adminUser', node['macos']['admin_user'], '-adminPassword', node['macos']['admin_password']]
|
||||
else ''
|
||||
end
|
||||
|
||||
execute "add user #{user}" do
|
||||
|
|
|
@ -10,7 +10,7 @@ macos_user 'create non-admin user with groups' do
|
|||
username 'johnny'
|
||||
fullname 'Johnny Appleseed'
|
||||
password 'yang-yolked-cordon-karate'
|
||||
groups %w(alpha beta)
|
||||
groups ['alpha', 'beta']
|
||||
end
|
||||
|
||||
macos_user 'create non-admin without groups' do
|
||||
|
|
|
@ -2,6 +2,6 @@ if node['platform_version'] >= '10.15.2'
|
|||
xcode '11.5'
|
||||
else
|
||||
xcode '9.4.1' do
|
||||
ios_simulators %w(11 10)
|
||||
ios_simulators ['11', '10']
|
||||
end
|
||||
end
|
||||
|
|
|
@ -11,9 +11,17 @@ control 'certificate-install' do
|
|||
it { should exist }
|
||||
end
|
||||
|
||||
describe command('/usr/bin/security find-certificate /Users/vagrant/Library/Keychains/login.keychain') do
|
||||
describe file('/Users/vagrant/foobar.cer') do
|
||||
it { should exist }
|
||||
end
|
||||
|
||||
describe command('/usr/bin/security find-certificate /Users/vagrant/Library/Keychains/test.keychain') do
|
||||
its('stdout') { should include 'Test' }
|
||||
end
|
||||
|
||||
describe command('/usr/bin/security find-certificate /Users/vagrant/Library/Keychains/login.keychain') do
|
||||
its('stdout') { should include 'f00bar' }
|
||||
end
|
||||
end
|
||||
|
||||
control 'keychain-creation' do
|
||||
|
|