Release/1.9 (#73)

americanhanko · web-flow · commit 0db78307ef7a · 2018-03-21T15:20:39.000-07:00
* Add documentation detailing new certificate resource changes incorporating the -T option

* modify security library and certificate resource to accomodate -T option

* Testing for new and improved certificate resource

* Fix Chef Spec tests

* bump version to 1.9.0

* hotfix for plist encoding type utf-8

* move plutil_format_map to libraries

* using Chef::Application.fatal to enforce encoding types

* add one second after each systemsetup call

* Add support for more hypervisors in keep_awake

- Leverage the node['virtualization']['systems'] ohai attribute to
determine whether we are a guest or a host
- Add appropriate chefspec tests

* Add another context for empty virtualization hash

* bump to 1.8.1

* ensure xcode-install gem is in Chef embedded even if ChefDK is present

* adjust implementation of running_in_a_vm?

* fix rspec shared context

* re-arrange chefspec keep_awake unit tests
diff --git a/README.md b/README.md
@@ -126,7 +126,7 @@ Resources
 ---------
 
 - [ARD (Apple Remote Desktop)](https://github.com/Microsoft/macos-cookbook/blob/master/documentation/resource_ard.md)
-- [Certificate](https://github.com/Microsoft/macos-cookbook/blob/master/documentation/resource_certificate.md)
+- [Certificate (security)](https://github.com/Microsoft/macos-cookbook/blob/master/documentation/resource_certificate.md)
 - [Machine Name](https://github.com/Microsoft/macos-cookbook/blob/master/documentation/resource_machine_name.md)
 - [Plist](https://github.com/Microsoft/macos-cookbook/blob/master/documentation/resource_plist.md)
 - [Spotlight (mdutil)](https://github.com/Microsoft/macos-cookbook/blob/master/documentation/resource_spotlight.md)
diff --git a/documentation/resource_certificate.md b/documentation/resource_certificate.md
@@ -20,6 +20,7 @@ certificate 'cert name' do
   certfile                      String # certificate in .p12(PFX) or .cer(SSl certificate file) format
   cert_passwd                   String # password for PFX format certificate file
   keychain                      String # keychain to install certificate to
+  apps                          Array  # list of apps that may access the imported key
 end
 ```
 
@@ -69,4 +70,13 @@ certificate 'cert name' do
   certfile '/User/edward/Documents/cert.p12'
   keychain '/User/edward/Library/Keychains/florida.keychain'
 end
+```
+
+**Install PFX format certificate to default keychain, accessible by certain app**
+```ruby
+certificate 'cert name' do
+  certfile '/User/edward/Documents/cert.p12'
+  cert_passwd 'teach'
+  apps ['/Applications/Maps.app', '/Applications/Time Machine.app']
+end
 ```
diff --git a/libraries/plist.rb b/libraries/plist.rb
@@ -80,6 +80,13 @@ def setting_from_plist(entry, path)
       { key_type: defaults_read_type_output.split.last, key_value: defaults_read_output.strip }
     end
 
+    def plutil_format_map
+      { 'us-ascii' => 'xml1',
+        'text/xml' => 'xml1',
+        'utf-8' => 'xml1',
+        'binary' => 'binary1' }
+    end
+
     private
 
     def defaults_executable
@@ -92,5 +99,6 @@ def plistbuddy_executable
   end
 end
 
-Chef::Recipe.include(MacOS::PlistHelpers)
-Chef::Resource.include(MacOS::PlistHelpers)
+Chef::Recipe.include MacOS::PlistHelpers
+Chef::Resource.include MacOS::PlistHelpers
+Chef::DSL::Recipe.include MacOS::MachineName
diff --git a/libraries/security_cmd.rb b/libraries/security_cmd.rb
@@ -20,16 +20,28 @@ def add_certificates
       @keychain == '' ? [@security_cmd, 'add-certificates', @cert] : [@security_cmd, 'add-certificates', @cert, '-k', @keychain]
     end
 
-    def import(cert_passwd)
-      @keychain == '' ? [@security_cmd, 'import', @cert, '-P', cert_passwd] : [@security_cmd, 'import', @cert, '-P', cert_passwd, '-k', @keychain]
+    def import(cert_passwd, apps)
+      app_array = []
+
+      apps.each do |app|
+        app_array.push('-T')
+        app_array.push(app)
+      end
+      @keychain == '' ? [@security_cmd, 'import', @cert, '-P', cert_passwd, *app_array] : [@security_cmd, 'import', @cert, '-P', cert_passwd, '-k', @keychain, *app_array]
     end
 
-    def install_certificate(cert_passwd)
+    def install_certificate(cert_passwd, apps)
       valid_pkcs12 = ['.p12', '.pfx']
       valid_certs = ['.der', '.crt', '.cer']
 
+      apps.each do |app|
+        unless app.is_a? String
+          Chef::Exception.fatal("Invalid application: #{@app}.")
+        end
+      end
+
       if valid_pkcs12.any? { |extension| ::File.extname(@cert).match? extension }
-        import(cert_passwd)
+        import(cert_passwd, apps)
       elsif valid_certs.any? { |extension| ::File.extname(@cert).match? extension }
         add_certificates
       else
diff --git a/libraries/systemsetup.rb b/libraries/systemsetup.rb
@@ -1,7 +1,8 @@
 module MacOS
   module SystemSetup
     def running_in_a_vm?
-      Chef.node['hardware']['machine_model'].match?(/Parallels/) # TODO: cover more hypervisors
+      virtualization_systems = Chef.node['virtualization']['systems']
+      virtualization_systems.empty? || virtualization_systems.values.include?('guest') ? true : false
     end
 
     def power_button_model?
diff --git a/metadata.rb b/metadata.rb
@@ -5,7 +5,7 @@
 description 'Resources for configuring and provisioning macOS'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 chef_version '~> 13.0' if respond_to?(:chef_version)
-version '1.8.2'
+version '1.9.0'
 
 source_url 'https://github.com/Microsoft/macos-cookbook'
 issues_url 'https://github.com/Microsoft/macos-cookbook/issues'
diff --git a/resources/certificate.rb b/resources/certificate.rb
@@ -3,6 +3,7 @@
 property :certfile, String
 property :cert_password, String
 property :keychain, String
+property :apps, Array
 
 action_class do
   def keychain
@@ -18,6 +19,6 @@ def keychain
   end
 
   execute 'install-certificate' do
-    command [*cert.install_certificate(new_resource.cert_password)]
+    command [*cert.install_certificate(new_resource.cert_password, new_resource.apps)]
   end
 end
diff --git a/resources/plist.rb b/resources/plist.rb
@@ -3,7 +3,7 @@
 property :path, String, name_property: true, desired_state: true
 property :entry, String, desired_state: true
 property :value, [TrueClass, FalseClass, String, Integer, Float], desired_state: true
-property :encoding, String, desired_state: true, default: 'binary', equal_to: ['text/xml', 'binary', 'us-ascii']
+property :encoding, String, desired_state: true, default: 'binary'
 
 load_current_value do |desired|
   current_value_does_not_exist! unless ::File.exist? desired.path
@@ -52,17 +52,12 @@
 
   converge_if_changed :encoding do
     converge_by 'change format' do
+      Chef::Application.fatal!(
+        "Option encoding must be equal to one of: #{plutil_format_map.keys}!  You passed \"#{new_resource.encoding}\"."
+      ) unless plutil_format_map.keys.include? new_resource.encoding
       execute ['/usr/bin/plutil', '-convert', plutil_format_map[new_resource.encoding], new_resource.path] do
         action :run
       end
     end
   end
 end
-
-action_class do
-  def plutil_format_map
-    { 'us-ascii' => 'xml1',
-      'text/xml' => 'xml1',
-      'binary' => 'binary1' }
-  end
-end
diff --git a/resources/system_preference.rb b/resources/system_preference.rb
@@ -20,6 +20,11 @@
     converge_by "set #{new_resource.preference} to #{new_resource.setting}" do
       set_pref = ['-set', new_resource.preference.to_s].join('')
       execute ['/usr/sbin/systemsetup', set_pref, new_resource.setting]
+      ruby_block 'sleep one second' do
+        block do
+          sleep 1
+        end
+      end
     end
   end
 end
diff --git a/resources/xcode.rb b/resources/xcode.rb
@@ -7,7 +7,7 @@
 
 action :setup do
   chef_gem 'xcode-install' do
-    options('--no-document')
+    options('--no-document --no-user-install')
   end
 
   CREDENTIALS_DATA_BAG = data_bag_item(:credentials, :apple_id)
diff --git a/spec/unit/libraries/security_cmd_spec.rb b/spec/unit/libraries/security_cmd_spec.rb
@@ -39,13 +39,19 @@
 
   context 'importing a certificate (.p12)' do
     it 'imports a specified .p12 certificate file' do
-      expect(p12_cert.import('password')).to eq ['/usr/bin/security', 'import', '/Users/vagrant/Test.p12', '-P', 'password']
+      expect(p12_cert.import('password', [])).to eq ['/usr/bin/security', 'import', '/Users/vagrant/Test.p12', '-P', 'password']
     end
   end
 
   context 'importing a certificate (.p12)' do
     it 'imports a specified .p12 certificate file to a specified keychain' do
-      expect(p12_cert_kc.import('password')).to eq ['/usr/bin/security', 'import', '/Users/vagrant/Test.p12', '-P', 'password', '-k', 'test.keychain']
+      expect(p12_cert_kc.import('password', [])).to eq ['/usr/bin/security', 'import', '/Users/vagrant/Test.p12', '-P', 'password', '-k', 'test.keychain']
+    end
+  end
+
+  context 'importing a certificate (.p12) accessible by Mail and App Store ' do
+    it 'imports a specified .p12 certificate file to a specified keychain' do
+      expect(p12_cert_kc.import('password', ['/Applications/Mail.app', '/Applications/App Store.app'])).to eq ['/usr/bin/security', 'import', '/Users/vagrant/Test.p12', '-P', 'password', '-k', 'test.keychain', '-T', '/Applications/Mail.app', '-T', '/Applications/App Store.app']
     end
   end
 
@@ -63,13 +69,13 @@
 
   context 'installing a certificate (.p12)' do
     it 'installs a specified .p12 certificate file' do
-      expect(p12_cert.install_certificate('password')).to eq ['/usr/bin/security', 'import', '/Users/vagrant/Test.p12', '-P', 'password']
+      expect(p12_cert.install_certificate('password', [])).to eq ['/usr/bin/security', 'import', '/Users/vagrant/Test.p12', '-P', 'password']
     end
   end
 
   context 'installing a certificate (.cer)' do
     it 'adds a specified .cer certificate file' do
-      expect(cer_cert.install_certificate('password')).to eq ['/usr/bin/security', 'add-certificates', '/Users/vagrant/Test.cer']
+      expect(cer_cert.install_certificate('password', [])).to eq ['/usr/bin/security', 'add-certificates', '/Users/vagrant/Test.cer']
     end
   end
 end
diff --git a/spec/unit/recipes/keep_awake_spec.rb b/spec/unit/recipes/keep_awake_spec.rb
@@ -1,13 +1,121 @@
 require 'spec_helper'
 
-describe 'macos::keep_awake' do
-  context 'When all attributes are default, on macOS High Sierra 10.13' do
-    let(:chef_run) { ChefSpec::SoloRunner.new.converge(described_recipe) }
+include MacOS::SystemSetup
+
+shared_context 'when running on bare metal' do
+  shared_examples 'setting metal-specific power preferences' do
+    before(:each) do
+      allow_any_instance_of(Chef::Resource).to receive(:power_button_model?).and_return(true)
+      chef_run.node.normal['virtualization']['systems'] = { 'vbox' => 'host', 'parallels' => 'host' }
+      stub_command('which git').and_return('/usr/bin/git')
+    end
+
+    it 'returns false' do
+      expect(running_in_a_vm?).to be false
+    end
+
+    it 'sets wake on lan' do
+      chef_run.converge(described_recipe)
+      expect(chef_run).to set_system_preference('wake the computer when accessed using a network connection')
+    end
+
+    it 'disables power button sleep' do
+      chef_run.converge(described_recipe)
+      expect(chef_run).to set_system_preference('pressing power button does not sleep computer')
+    end
+
+    it 'sets restart after a power failure' do
+      chef_run.converge(described_recipe)
+      expect(chef_run).to set_system_preference('restart after a power failure')
+    end
+
+    it 'converges successfully on bare metal' do
+      expect { chef_run }.to_not raise_error
+    end
+  end
+end
+
+shared_context 'running in a parallels virtual machine' do
+  before(:each) do
+    allow_any_instance_of(Chef::Resource).to receive(:power_button_model?).and_return(false)
+    chef_run.node.normal['virtualization']['systems'] = { 'parallels' => 'guest' }
+    stub_command('which git').and_return('/usr/bin/git')
+  end
+
+  shared_examples 'not setting metal-specific power prefs' do
+    it 'confirms we are in a vm' do
+      expect(running_in_a_vm?).to be true
+    end
+
+    it 'does not set wake on lan' do
+      chef_run.converge(described_recipe)
+      expect(chef_run).to_not set_system_preference('wake the computer when accessed using a network connection')
+    end
+
+    it 'skips disabling power button sleep' do
+      chef_run.converge(described_recipe)
+      expect(chef_run).to_not set_system_preference('pressing power button does not sleep computer')
+    end
+
+    it 'does not set restart after a power failure' do
+      chef_run.converge(described_recipe)
+      expect(chef_run).to_not set_system_preference('restart after a power failure')
+    end
 
-    it 'converges successfully' do
-      allow_any_instance_of(Chef::Resource).to receive(:running_in_a_vm?).and_return(false)
-      allow_any_instance_of(Chef::Resource).to receive(:power_button_model?).and_return(false)
+    it 'converges successfully in a vm' do
       expect { chef_run }.to_not raise_error
     end
   end
 end
+
+shared_context 'running in an undetermined virtualization system' do
+  before(:each) do
+    allow_any_instance_of(Chef::Resource).to receive(:power_button_model?).and_return(false)
+    chef_run.node.override['virtualization']['systems'] = {}
+    stub_command('which git').and_return('/usr/bin/git')
+  end
+
+  shared_examples 'not setting metal-specific power prefs' do
+    it 'assumes we are in a vm' do
+      expect(running_in_a_vm?).to be true
+    end
+
+    it 'does not set wake on lan' do
+      chef_run.converge(described_recipe)
+      expect(chef_run).to_not set_system_preference('wake the computer when accessed using a network connection')
+    end
+
+    it 'skips disabling power button sleep' do
+      chef_run.converge(described_recipe)
+      expect(chef_run).to_not set_system_preference('pressing power button does not sleep computer')
+    end
+
+    it 'does not set restart after a power failure' do
+      chef_run.converge(described_recipe)
+      expect(chef_run).to_not set_system_preference('restart after a power failure')
+    end
+
+    it 'converges successfully in a vm' do
+      expect { chef_run }.to_not raise_error
+    end
+  end
+end
+
+describe 'macos::keep_awake' do
+  let(:chef_run) { ChefSpec::SoloRunner.new }
+
+  describe 'keep_awake in a parallels vm' do
+    include_context 'running in a parallels virtual machine'
+    it_behaves_like 'not setting metal-specific power prefs'
+  end
+
+  describe 'keep_awake in an undetermined virtualization system' do
+    include_context 'running in an undetermined virtualization system'
+    it_behaves_like 'not setting metal-specific power prefs'
+  end
+
+  describe 'keep_awake on bare metal' do
+    include_context 'when running on bare metal'
+    it_behaves_like 'setting metal-specific power preferences'
+  end
+end
diff --git a/test/cookbooks/macos_test/recipes/certificate.rb b/test/cookbooks/macos_test/recipes/certificate.rb
@@ -8,5 +8,6 @@
   certfile '/Users/vagrant/Test.p12'
   cert_password 'test'
   keychain '/Users/vagrant/Library/Keychains/login.keychain'
+  apps ['/Applications/Mail.app', '/Applications/App Store.app']
   action :install
 end
diff --git a/test/smoke/default/new_users_test.rb b/test/smoke/default/new_users_test.rb
@@ -22,7 +22,7 @@
     its('groups') { should_not include  'admin' }
   end
 
-  describe groups.where { name == 'admin'} do
+  describe groups.where { name == 'admin' } do
     it { should exist }
     its('gids') { should include 80 }
   end
