Merge branch 'release/5.0.0' into add-sensitivity

.rubocop.yml

@@ -0,0 +1,4 @@
+Style/WordArray:
+  Enabled: false
+Style/SymbolArray:
+  Enabled: false

CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## [4.3.0] - 2022-03-04
+
+### Fixed
+
+- Reversed order of arguments for certificate installation to address [Bug 244](https://github.com/microsoft/macos-cookbook/issues/244).
+
+### Added
+
+- New test suites and recipe change to account for `.cer` files. 
+- New certificate resource property: `kc_passwd` which allows setting of keychain password. 
+- Check for certificate existence within the keychain before installing a new one to ensure idempotency. 
+- Made password properties sensitive. 
+- Updated certificate resource documentation.
+
+### Changed
+
+- Removed dependency on using the `default['macos']['admin_password']` attribute for setting the keychain password when using the certificate resource. 
+
 ## [4.2.3] - 2022-02-03
 
 ### Fixed

documentation/resource_certificate.md

@@ -3,7 +3,7 @@ certificate
 
 Use the **certificate** resource to manage certificates for keychains.
 Under the hood, the [**certificate**](https://github.com/Microsoft/macos-cookbook/blob/master/resources/certificate.rb) resource executes the `security`
-command in the `security_cmd` library.
+command in the [**security_cmd**](https://github.com/Microsoft/macos-cookbook/blob/master/libraries/security_cmd.rb) library.
 
 Syntax
 ------
@@ -16,6 +16,7 @@ certificate 'cert name' do
   certfile                      String # certificate in .p12(PFX) or .cer(SSl certificate file) format
   cert_passwd                   String # password for PFX format certificate file
   keychain                      String # keychain to install certificate to
+  kc_passwd                     String # keychain password
   apps                          Array  # list of apps that may access the imported key
   sensitive                     Boolean # run execute resource with sensitive
 end
@@ -49,6 +50,7 @@ certificate 'cert name' do
   certfile '/User/edward/Documents/cert.p12'
   cert_passwd 'teach'
   keychain '/User/edward/Library/Keychains/florida.keychain'
+  kc_passwd 'test'
 end
 ```
 

documentation/resource_xcode.md

@@ -107,13 +107,13 @@ if node['platform_version'].match?(/10\.13/) || node['platform_version'].match?(
   end
 
   xcode '9.2' do
-    ios_simulators %w(11 10)
+    ios_simulators ['11', '10']
   end
 
 elsif node['platform_version'].match?(/10\.11/)
 
   xcode '8.2.1' do
-    ios_simulators %w(10 9)
+    ios_simulators ['10', '9']
   end
 end
 ```
@@ -122,7 +122,7 @@ end
 
 ```ruby
 xcode '9.2' do
-  ios_simulators %w(11 10)
+  ios_simulators ['11', '10']
   download_url 'file:///Users/johnny/Desktop/xcode_install.dmg'
 end
 ```

kitchen.yml

@@ -41,7 +41,7 @@ platforms:
 - name: monterey-chef17
   driver:
     box: microsoft/macos-monterey
-    box_version: 12.0-21A5506j
+    box_version: 12.2
   provisioner:
     product_version: 17
 

libraries/plist.rb

@@ -24,10 +24,6 @@ module MacOS
       end
     end
 
-    def convert_array_to_string(value)
-     
-    end
-
     def convert_to_string_from_data_type(value)
       case value
       when Array
@@ -39,11 +35,13 @@ module MacOS
       when TrueClass
         "-bool #{value}"
       when Hash
-        "-dict #{value.map { |key,value| Shellwords.shellescape(key) + ' ' + convert_to_string_from_data_type(value)}.join(' ')}"
+        "-dict #{value.map do |k, v|
+                   Shellwords.shellescape(k) + ' ' + convert_to_string_from_data_type(v)
+                 end.join(' ')}"
       when String
         "-string #{Shellwords.shellescape(value)}"
       when Float
-        "-float #{value}" 
+        "-float #{value}"
       else
         raise "Unknown or unsupported data type: #{value} of #{value.class}"
       end
@@ -88,7 +86,7 @@ module MacOS
             when 'add'
               type_to_commandline_string(value)
             when 'set'
-              if value.class == Hash
+              if value.instance_of?(Hash)
                 sep = ':'
                 value.map { |k, v| "#{k} #{v}" }
               else
@@ -106,7 +104,7 @@ module MacOS
       defaults_read_type_output = shell_out(defaults_executable, 'read-type', path, entry).stdout
       data_type = defaults_read_type_output.split.last
 
-      if value.class == Hash
+      if value.instance_of?(Hash)
         plutil_output = shell_out(plutil_executable, '-extract', entry, 'xml1', '-o', '-', path).stdout.chomp
         { key_type: data_type, key_value: Plist.parse_xml(plutil_output) }
       else

libraries/security_cmd.rb

@@ -33,7 +33,7 @@ module MacOS
     end
 
     def add_certificates
-      @keychain.empty? ? [@security_cmd, 'add-certificates', @cert] : [@security_cmd, 'add-certificates', @cert, '-k', @keychain]
+      @keychain.empty? ? [@security_cmd, 'add-certificates', @cert] : [@security_cmd, 'add-certificates', '-k', @keychain, @cert]
     end
 
     def import(cert_passwd, apps)

libraries/system.rb

@@ -9,12 +9,12 @@ module MacOS
 
       def desktop?
         return false if @machine_model.nil?
-        @machine_model.match? Regexp.union %w(Macmini MacPro iMac)
+        @machine_model.match? Regexp.union ['Macmini', 'MacPro', 'iMac']
       end
 
       def portable?
         return false if @machine_model.nil?
-        @machine_model.match? Regexp.union %w(MacBook)
+        @machine_model.match? Regexp.union ['MacBook']
       end
     end
 

metadata.rb

@@ -4,7 +4,7 @@ maintainer_email 'chef@microsoft.com'
 license 'MIT'
 description 'Resources for configuring and provisioning macOS'
 chef_version '>= 14.0'
-version '4.2.3'
+version '5.0.0'
 
 source_url 'https://github.com/Microsoft/macos-cookbook'
 issues_url 'https://github.com/Microsoft/macos-cookbook/issues'

resources/certificate.rb

@@ -1,29 +1,29 @@
 unified_mode true
 
 provides :certificate
+default_action :install
 
 property :certfile, String
 property :cert_password, String, sensitive: true
-property :keychain, String
+property :keychain, String, required: true
+property :kc_passwd, String, required: true, sensitive: true
 property :apps, Array
 property :sensitive, [true, false], default: false
 
-action_class do
-  def keychain
-    new_resource.property_is_set?(:keychain) ? new_resource.keychain : ''
-  end
-end
-
 action :install do
-  cert = SecurityCommand.new(new_resource.certfile, keychain)
+  cert = SecurityCommand.new(new_resource.certfile, new_resource.keychain)
 
   execute 'unlock keychain' do
-    command Array(cert.unlock_keychain(node['macos']['admin_password']))
+    command Array(cert.unlock_keychain(new_resource.kc_passwd))
     sensitive new_resource.sensitive
   end
 
+  cert_shasum = shell_out("shasum #{new_resource.certfile}").stdout.upcase.gsub(/\s.+/, '')
+  find_cert_output = shell_out("/usr/bin/security find-certificate -a -Z #{new_resource.keychain}").stdout
+
   execute 'install-certificate' do
     command Array(cert.install_certificate(new_resource.cert_password, new_resource.apps))
     sensitive new_resource.sensitive
+    not_if { find_cert_output.include? cert_shasum }
   end
 end

resources/xcode.rb

@@ -1,7 +1,7 @@
 unified_mode true
 
 provides :xcode
-default_action %i(install_gem install_xcode install_simulators)
+default_action [:install_gem, :install_xcode, :install_simulators]
 
 property :version, String, name_property: true
 property :path, String, default: '/Applications/Xcode.app'

spec/unit/libraries/plist_spec.rb

@@ -103,7 +103,7 @@ describe MacOS::PlistHelpers, '#type_to_commandline_string' do
     end
 
     it 'returns the required array entry type as a string' do
-      expect(type_to_commandline_string(%w(foo bar))).to eq 'array'
+      expect(type_to_commandline_string(['foo', 'bar'])).to eq 'array'
     end
 
     it 'returns the required dictionary entry type as a string' do
@@ -147,11 +147,11 @@ describe MacOS::PlistHelpers, '#convert_to_string_from_data_type' do
     end
 
     it 'returns the required dictionary entry' do
-      expect(convert_to_string_from_data_type({'a' => 'b', 'c' => 'd'})).to eq '-dict a -string b c -string d'
+      expect(convert_to_string_from_data_type({ 'a' => 'b', 'c' => 'd' })).to eq '-dict a -string b c -string d'
     end
 
     it 'returns the required dictionary entry with embedded quotes and numbers' do
-      expect(convert_to_string_from_data_type({'a' => 3, 'c' => '"d"'})).to eq '-dict a -integer 3 c -string \"d\"'
+      expect(convert_to_string_from_data_type({ 'a' => 3, 'c' => '"d"' })).to eq '-dict a -integer 3 c -string \"d\"'
     end
 
     it 'returns the required array entry' do

spec/unit/libraries/security_cmd_spec.rb

@@ -63,7 +63,7 @@ describe MacOS::SecurityCommand, 'certificate creation commands' do
 
   context 'adding a certificate (.cer) to a certain keychain' do
     it 'adds a specified .cer certificate file' do
-      expect(cer_cert_kc.add_certificates).to eq ['/usr/bin/security', 'add-certificates', '/Users/vagrant/Test.cer', '-k', 'test.keychain']
+      expect(cer_cert_kc.add_certificates).to eq ['/usr/bin/security', 'add-certificates', '-k', 'test.keychain', '/Users/vagrant/Test.cer']
     end
   end
 

spec/unit/resources/xcode_spec.rb

@@ -16,7 +16,7 @@ describe 'xcode' do
                    '4.3.2 for Lion',
                    '4.3.3 for Lion',
                    '4.4',
-                   '4.4.1', 
+                   '4.4.1',
                    '4.5',
                    '4.5.1',
                    '4.5.2',

test/cookbooks/macos_test/recipes/certificate.rb

@@ -1,12 +1,42 @@
+foobar_pem_path = '/Users/vagrant/foobar.pem'
+foobar_cer_path = '/Users/vagrant/foobar.cer'
+
 cookbook_file '/Users/vagrant/Test.p12' do
   action :create
   source 'Test.p12'
 end
 
+keychain 'test' do
+  kc_file '/Users/vagrant/Library/Keychains/test.keychain'
+  kc_passwd 'test'
+  action :create
+end
+
+openssl_x509_certificate foobar_pem_path do
+  common_name 'www.f00bar.com'
+  org 'Foo Bar'
+  org_unit 'Lab'
+  country 'US'
+end
+
+execute 'convert .pem certificate to .cer certificate' do
+  command ['/usr/bin/openssl', 'x509', '-inform', 'PEM', '-in', foobar_pem_path, '-outform', 'DER', '-out', foobar_cer_path]
+  only_if { ::File.exist? foobar_pem_path }
+end
+
+certificate 'install a .cer format certificate file' do
+  certfile foobar_cer_path
+  keychain '/Users/vagrant/Library/Keychains/login.keychain'
+  kc_passwd node['macos']['admin_password']
+  apps ['/Applications/Numbers.app']
+  action :install
+end
+
 certificate 'install a PFX format certificate file' do
   certfile '/Users/vagrant/Test.p12'
   cert_password 'test'
-  keychain '/Users/vagrant/Library/Keychains/login.keychain'
+  keychain '/Users/vagrant/Library/Keychains/test.keychain'
+  kc_passwd 'test'
   apps ['/Applications/Safari.app']
   action :install
 end

test/cookbooks/macos_test/recipes/delete_users.rb

@@ -3,7 +3,6 @@ user_home = File.join('/', 'Users', user)
 
 if Gem::Version.new(node['platform_version']) >= Gem::Version.new('10.13')
   admin_credentials = ['-adminUser', node['macos']['admin_user'], '-adminPassword', node['macos']['admin_password']]
-else ''
 end
 
 execute "add user #{user}" do

test/cookbooks/macos_test/recipes/new_users.rb

@@ -10,7 +10,7 @@ macos_user 'create non-admin user with groups' do
   username 'johnny'
   fullname 'Johnny Appleseed'
   password 'yang-yolked-cordon-karate'
-  groups %w(alpha beta)
+  groups ['alpha', 'beta']
 end
 
 macos_user 'create non-admin without groups' do

test/cookbooks/macos_test/recipes/xcode_from_apple.rb

@@ -2,6 +2,6 @@ if node['platform_version'] >= '10.15.2'
   xcode '11.5'
 else
   xcode '9.4.1' do
-    ios_simulators %w(11 10)
+    ios_simulators ['11', '10']
   end
 end

test/integration/default/controls/security_test.rb

@@ -11,9 +11,17 @@ control 'certificate-install' do
     it { should exist }
   end
 
-  describe command('/usr/bin/security find-certificate /Users/vagrant/Library/Keychains/login.keychain') do
+  describe file('/Users/vagrant/foobar.cer') do
+    it { should exist }
+  end
+
+  describe command('/usr/bin/security find-certificate /Users/vagrant/Library/Keychains/test.keychain') do
     its('stdout') { should include 'Test' }
   end
+
+  describe command('/usr/bin/security find-certificate /Users/vagrant/Library/Keychains/login.keychain') do
+    its('stdout') { should include 'f00bar' }
+  end
 end
 
 control 'keychain-creation' do