Merge branch 'release/5.0.0' into add-sensitivity

This commit is contained in:
Jacob Zaval 2022-03-07 08:49:58 -08:00 коммит произвёл GitHub
Родитель 03813ea930 f8d71056c9
Коммит c68a1113c5
19 изменённых файлов: 96 добавлений и 37 удалений

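--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -0,0 +1,4 @@
+Style/WordArray:
+Enabled: false
+Style/SymbolArray:
+Enabled: false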


@ -1,5 +1,23 @@
# Changelog
## [4.3.0] - 2022-03-04
### Fixed
- Reversed order of arguments for certificate installation to address [Bug 244](https://github.com/microsoft/macos-cookbook/issues/244).
### Added
- New test suites and recipe change to account for `.cer` files.
- New certificate resource property: `kc_passwd` which allows setting of keychain password.
- Check for certificate existence within the keychain before installing a new one to ensure idempotency.
- Made password properties sensitive.
- Updated certificate resource documentation.
### Changed
- Removed dependency on using the `default['macos']['admin_password']` attribute for setting the keychain password when using the certificate resource.
## [4.2.3] - 2022-02-03
### Fixed


@ -3,7 +3,7 @@ certificate
Use the **certificate** resource to manage certificates for keychains.
Under the hood, the [**certificate**](https://github.com/Microsoft/macos-cookbook/blob/master/resources/certificate.rb) resource executes the `security`
command in the `security_cmd` library.
command in the [**security_cmd**](https://github.com/Microsoft/macos-cookbook/blob/master/libraries/security_cmd.rb) library.
Syntax
------
@ -16,6 +16,7 @@ certificate 'cert name' do
certfile String # certificate in .p12(PFX) or .cer(SSl certificate file) format
cert_passwd String # password for PFX format certificate file
keychain String # keychain to install certificate to
kc_passwd String # keychain password
apps Array # list of apps that may access the imported key
sensitive Boolean # run execute resource with sensitive
end
@ -49,6 +50,7 @@ certificate 'cert name' do
certfile '/User/edward/Documents/cert.p12'
cert_passwd 'teach'
keychain '/User/edward/Library/Keychains/florida.keychain'
kc_passwd 'test'
end
```


@ -107,13 +107,13 @@ if node['platform_version'].match?(/10\.13/) || node['platform_version'].match?(
end
xcode '9.2' do
ios_simulators %w(11 10)
ios_simulators ['11', '10']
end
elsif node['platform_version'].match?(/10\.11/)
xcode '8.2.1' do
ios_simulators %w(10 9)
ios_simulators ['10', '9']
end
end
```
@ -122,7 +122,7 @@ end
```ruby
xcode '9.2' do
ios_simulators %w(11 10)
ios_simulators ['11', '10']
download_url 'file:///Users/johnny/Desktop/xcode_install.dmg'
end
```


@ -41,7 +41,7 @@ platforms:
- name: monterey-chef17
driver:
box: microsoft/macos-monterey
box_version: 12.0-21A5506j
box_version: 12.2
provisioner:
product_version: 17


@ -24,10 +24,6 @@ module MacOS
end
end
def convert_array_to_string(value)
end
def convert_to_string_from_data_type(value)
case value
when Array
@ -39,11 +35,13 @@ module MacOS
when TrueClass
"-bool #{value}"
when Hash
"-dict #{value.map { |key,value| Shellwords.shellescape(key) + ' ' + convert_to_string_from_data_type(value)}.join(' ')}"
"-dict #{value.map do |k, v|
Shellwords.shellescape(k) + ' ' + convert_to_string_from_data_type(v)
end.join(' ')}"
when String
"-string #{Shellwords.shellescape(value)}"
when Float
"-float #{value}"
"-float #{value}"
else
raise "Unknown or unsupported data type: #{value} of #{value.class}"
end
@ -88,7 +86,7 @@ module MacOS
when 'add'
type_to_commandline_string(value)
when 'set'
if value.class == Hash
if value.instance_of?(Hash)
sep = ':'
value.map { |k, v| "#{k} #{v}" }
else
@ -106,7 +104,7 @@ module MacOS
defaults_read_type_output = shell_out(defaults_executable, 'read-type', path, entry).stdout
data_type = defaults_read_type_output.split.last
if value.class == Hash
if value.instance_of?(Hash)
plutil_output = shell_out(plutil_executable, '-extract', entry, 'xml1', '-o', '-', path).stdout.chomp
{ key_type: data_type, key_value: Plist.parse_xml(plutil_output) }
else
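Review bot: `if value.instance_of?(Hash)` in the `set` branch and again before the `plutil -extract` call keeps the exact-class test that `value.class == Hash` had, while `convert_to_string_from_data_type` (`case value ... when Hash`) matches with `===` and therefore also accepts Hash subclasses, so the two paths disagree for the same input. As far as I recall, values taken from node attributes in Chef are Mash-derived Hash subclasses; such a dict would take the `else` branch on these two lines but the `when Hash` branch in the converter. `if value.is_a?(Hash)` on both lines would make the three checks consistent; if the exact-class test is intentional, a one-line comment saying why would help the next reader. The enclosing methods start and end outside the hunks.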


@ -33,7 +33,7 @@ module MacOS
end
def add_certificates
@keychain.empty? ? [@security_cmd, 'add-certificates', @cert] : [@security_cmd, 'add-certificates', @cert, '-k', @keychain]
@keychain.empty? ? [@security_cmd, 'add-certificates', @cert] : [@security_cmd, 'add-certificates', '-k', @keychain, @cert]
end
def import(cert_passwd, apps)
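Review bot: `@keychain.empty?` on the rewritten `add_certificates` line raises NoMethodError when `@keychain` is nil; the certificate resource now always passes a required String, but other callers of `SecurityCommand.new` are not visible in this hunk, so `@keychain.to_s.empty?` would keep the no-keychain form reachable without a crash. The new order `'-k', @keychain, @cert` places the option before the file operand, which is what the updated spec asserts. `import` and the surrounding class continue outside the hunk.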


@ -9,12 +9,12 @@ module MacOS
def desktop?
return false if @machine_model.nil?
@machine_model.match? Regexp.union %w(Macmini MacPro iMac)
@machine_model.match? Regexp.union ['Macmini', 'MacPro', 'iMac']
end
def portable?
return false if @machine_model.nil?
@machine_model.match? Regexp.union %w(MacBook)
@machine_model.match? Regexp.union ['MacBook']
end
end


@ -4,7 +4,7 @@ maintainer_email 'chef@microsoft.com'
license 'MIT'
description 'Resources for configuring and provisioning macOS'
chef_version '>= 14.0'
version '4.2.3'
version '5.0.0'
source_url 'https://github.com/Microsoft/macos-cookbook'
issues_url 'https://github.com/Microsoft/macos-cookbook/issues'


@ -1,29 +1,29 @@
unified_mode true
provides :certificate
default_action :install
property :certfile, String
property :cert_password, String, sensitive: true
property :keychain, String
property :keychain, String, required: true
property :kc_passwd, String, required: true, sensitive: true
property :apps, Array
property :sensitive, [true, false], default: false
action_class do
def keychain
new_resource.property_is_set?(:keychain) ? new_resource.keychain : ''
end
end
action :install do
cert = SecurityCommand.new(new_resource.certfile, keychain)
cert = SecurityCommand.new(new_resource.certfile, new_resource.keychain)
execute 'unlock keychain' do
command Array(cert.unlock_keychain(node['macos']['admin_password']))
command Array(cert.unlock_keychain(new_resource.kc_passwd))
sensitive new_resource.sensitive
end
cert_shasum = shell_out("shasum #{new_resource.certfile}").stdout.upcase.gsub(/\s.+/, '')
find_cert_output = shell_out("/usr/bin/security find-certificate -a -Z #{new_resource.keychain}").stdout
execute 'install-certificate' do
command Array(cert.install_certificate(new_resource.cert_password, new_resource.apps))
sensitive new_resource.sensitive
not_if { find_cert_output.include? cert_shasum }
end
end
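Review bot: `execute 'unlock keychain'` now carries `new_resource.kc_passwd` on its command line (`command Array(cert.unlock_keychain(new_resource.kc_passwd))`), but its `sensitive new_resource.sensitive` follows a property whose default is `false`, so unless the user opts in the keychain password can appear in Chef's output when that execute fails, since the shell-out error reproduces the command; because this execute always carries a secret it should be `sensitive true` unconditionally, and `sensitive: true` on the `kc_passwd` property only hides the property value, not the command built from it. Making `keychain` and `kc_passwd` `required: true` and dropping the `keychain` helper and the `node['macos']['admin_password']` fallback breaks existing callers, which matches the 5.0.0 bump in metadata.rb but is recorded under 4.3.0 in the CHANGELOG hunk. Separately, the unchanged `shell_out("shasum #{new_resource.certfile}")` and `find-certificate ... #{new_resource.keychain}` lines interpolate property values into a shell string; the array form, `shell_out('shasum', new_resource.certfile)`, avoids quoting problems with paths containing spaces or shell metacharacters.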


@ -1,7 +1,7 @@
unified_mode true
provides :xcode
default_action %i(install_gem install_xcode install_simulators)
default_action [:install_gem, :install_xcode, :install_simulators]
property :version, String, name_property: true
property :path, String, default: '/Applications/Xcode.app'


@ -103,7 +103,7 @@ describe MacOS::PlistHelpers, '#type_to_commandline_string' do
end
it 'returns the required array entry type as a string' do
expect(type_to_commandline_string(%w(foo bar))).to eq 'array'
expect(type_to_commandline_string(['foo', 'bar'])).to eq 'array'
end
it 'returns the required dictionary entry type as a string' do
@ -147,11 +147,11 @@ describe MacOS::PlistHelpers, '#convert_to_string_from_data_type' do
end
it 'returns the required dictionary entry' do
expect(convert_to_string_from_data_type({'a' => 'b', 'c' => 'd'})).to eq '-dict a -string b c -string d'
expect(convert_to_string_from_data_type({ 'a' => 'b', 'c' => 'd' })).to eq '-dict a -string b c -string d'
end
it 'returns the required dictionary entry with embedded quotes and numbers' do
expect(convert_to_string_from_data_type({'a' => 3, 'c' => '"d"'})).to eq '-dict a -integer 3 c -string \"d\"'
expect(convert_to_string_from_data_type({ 'a' => 3, 'c' => '"d"' })).to eq '-dict a -integer 3 c -string \"d\"'
end
it 'returns the required array entry' do


@ -63,7 +63,7 @@ describe MacOS::SecurityCommand, 'certificate creation commands' do
context 'adding a certificate (.cer) to a certain keychain' do
it 'adds a specified .cer certificate file' do
expect(cer_cert_kc.add_certificates).to eq ['/usr/bin/security', 'add-certificates', '/Users/vagrant/Test.cer', '-k', 'test.keychain']
expect(cer_cert_kc.add_certificates).to eq ['/usr/bin/security', 'add-certificates', '-k', 'test.keychain', '/Users/vagrant/Test.cer']
end
end


@ -16,7 +16,7 @@ describe 'xcode' do
'4.3.2 for Lion',
'4.3.3 for Lion',
'4.4',
'4.4.1',
'4.4.1',
'4.5',
'4.5.1',
'4.5.2',


@ -1,12 +1,42 @@
foobar_pem_path = '/Users/vagrant/foobar.pem'
foobar_cer_path = '/Users/vagrant/foobar.cer'
cookbook_file '/Users/vagrant/Test.p12' do
action :create
source 'Test.p12'
end
keychain 'test' do
kc_file '/Users/vagrant/Library/Keychains/test.keychain'
kc_passwd 'test'
action :create
end
openssl_x509_certificate foobar_pem_path do
common_name 'www.f00bar.com'
org 'Foo Bar'
org_unit 'Lab'
country 'US'
end
execute 'convert .pem certificate to .cer certificate' do
command ['/usr/bin/openssl', 'x509', '-inform', 'PEM', '-in', foobar_pem_path, '-outform', 'DER', '-out', foobar_cer_path]
only_if { ::File.exist? foobar_pem_path }
end
certificate 'install a .cer format certificate file' do
certfile foobar_cer_path
keychain '/Users/vagrant/Library/Keychains/login.keychain'
kc_passwd node['macos']['admin_password']
apps ['/Applications/Numbers.app']
action :install
end
certificate 'install a PFX format certificate file' do
certfile '/Users/vagrant/Test.p12'
cert_password 'test'
keychain '/Users/vagrant/Library/Keychains/login.keychain'
keychain '/Users/vagrant/Library/Keychains/test.keychain'
kc_passwd 'test'
apps ['/Applications/Safari.app']
action :install
end
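Review bot: `execute 'convert .pem certificate to .cer certificate'` guards only on the input with `only_if { ::File.exist? foobar_pem_path }`, so it re-runs openssl on every converge once `foobar.pem` exists; adding `creates foobar_cer_path` (or `not_if { ::File.exist? foobar_cer_path }`) makes the step idempotent and stops each kitchen run from reporting a changed resource. The `.cer` install targets `login.keychain` with `node['macos']['admin_password']` while the `.p12` install now targets `test.keychain` with the literal `'test'`; if that split is deliberate (exercising both keychains), a one-line comment on the two `certificate` blocks saying so would keep the next reader from assuming the `.cer` block was simply not updated.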


@ -3,7 +3,6 @@ user_home = File.join('/', 'Users', user)
if Gem::Version.new(node['platform_version']) >= Gem::Version.new('10.13')
admin_credentials = ['-adminUser', node['macos']['admin_user'], '-adminPassword', node['macos']['admin_password']]
else ''
end
execute "add user #{user}" do


@ -10,7 +10,7 @@ macos_user 'create non-admin user with groups' do
username 'johnny'
fullname 'Johnny Appleseed'
password 'yang-yolked-cordon-karate'
groups %w(alpha beta)
groups ['alpha', 'beta']
end
macos_user 'create non-admin without groups' do


@ -2,6 +2,6 @@ if node['platform_version'] >= '10.15.2'
xcode '11.5'
else
xcode '9.4.1' do
ios_simulators %w(11 10)
ios_simulators ['11', '10']
end
end


@ -11,9 +11,17 @@ control 'certificate-install' do
it { should exist }
end
describe command('/usr/bin/security find-certificate /Users/vagrant/Library/Keychains/login.keychain') do
describe file('/Users/vagrant/foobar.cer') do
it { should exist }
end
describe command('/usr/bin/security find-certificate /Users/vagrant/Library/Keychains/test.keychain') do
its('stdout') { should include 'Test' }
end
describe command('/usr/bin/security find-certificate /Users/vagrant/Library/Keychains/login.keychain') do
its('stdout') { should include 'f00bar' }
end
end
control 'keychain-creation' do
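Review bot: The new `describe command('/usr/bin/security find-certificate /Users/vagrant/Library/Keychains/login.keychain')` has no `-a`, so `security` prints only the first matching certificate in that keychain; `should include 'f00bar'` then depends on the order of entries and fails if another certificate sits first, and the `test.keychain` check just above has the same shape. Using `find-certificate -a`, the form the resource itself uses, makes both assertions independent of keychain order. `control 'certificate-install'` starts before the hunk.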