[CHEF-17477] Automated pipelines for the habitat

.github/workflows/habitat-build.yml

@@ -0,0 +1,116 @@
+name: Build Habitat packages
+
+on:
+  push:
+    branches:
+      - workstation-LTS
+  pull_request:
+    branches:
+      - workstation-LTS
+
+env:
+  # BLDR URL Defined as: 'https://bldr.habitat.sh/' but as an env var in workspace settings.
+  BLDR_URL: ${{ vars.BLDR_URL }}
+   # HAB_ORIGIN Defined as: 'chef' defined in workspace settings.
+  HAB_ORIGIN: ${{ vars.HAB_ORIGIN }}
+  # BLDR_CHANNEL defaulted to unstable, but can be switched to stable, it is defined via the environment setting https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#using-an-environment
+  BLDR_CHANNEL: ${{ vars.BLDR_CHANNEL }}
+  # HABITAT_VERSION_SET this is the version of habitat CLI you are using, defaults to latest.
+  HABITAT_VERSION_SET: ${{ vars.HABITAT_VERSION_SET }}
+  # HAB_AUTH_TOKEN your orgs/projects auth token value
+  HAB_AUTH_TOKEN: ${{ secrets.HAB_AUTH_TOKEN }}
+  # HABITAT_TARGET this is the CPU arch for the linux CLI tool, its defaulted to x86_64
+  #HABITAT_TARGET: $#{{vars.HABITAT_TARGET}}
+  HAB_FALLBACK_CHANNEL: ${{ vars.HAB_FALLBACK_CHANNEL }}
+
+permissions:
+  contents: write
+
+jobs:
+  pre-build:
+    name: Setup before building packages
+    runs-on: ubuntu-latest
+    outputs:
+      app_version: ${{ steps.app_version.outputs.APP_VERSION }}
+    steps:
+      - name: Get branch name
+        id: get_branch_name
+        run: |
+          echo "BRANCH_NAME=${GITHUB_REF_NAME//\//-}" >> "$GITHUB_OUTPUT"
+      - name: Get version from tag
+        id: app_version
+        run: |
+          echo "APP_VERSION=${{ github.ref_type == 'tag' && github.ref_name || format('{0}-{1}', steps.get_branch_name.outputs.BRANCH_NAME, github.sha) }}" >> "$GITHUB_OUTPUT"
+  agent-matrix:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+      # matrix strategy is described at https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs
+
+    runs-on: ${{ matrix.os }}
+    # free runner types are https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners
+    # from macos-latest, windows-latest, ubuntu-latest, ubuntu-20.04, ubuntu-18.04, ubuntu-16.04, windows-2019, windows-2016
+    # included software packages on runners are at https://github.com/actions/runner-images#available-images
+    # defaulted to unstable, but can be switched to stable, it is defined via the environment setting https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#using-an-environment
+    # environment: unstable
+    steps:
+      - name: print OS
+        run: echo "--- ${{ matrix.os }}"
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: install habitat on Linux
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        shell: bash
+        run: |
+          echo "--- STARTING HAB INSTALL ON  ${{ matrix.os }} UBUNTU with habitat version:${{vars.HABITAT_VERSION_SET}}"
+          export HABITAT_VERSION="${{vars.HABITAT_VERSION_SET}}"
+          export HAB_FALLBACK_CHANNEL="${{vars.HAB_FALLBACK_CHANNEL}}"
+          HABITAT_VERSION="${HABITAT_VERSION:?HABITAT_VERSION must be set}"
+          HABITAT_TARGET="${HABITAT_TARGET:-x86_64-linux}"
+          curl https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh | sudo bash -s -- -v "$HABITAT_VERSION" -t "$HABITAT_TARGET"
+      - name: run Habitat packaging (linux)
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        shell: bash
+        run: |
+          hab license accept
+          hab origin key download $HAB_ORIGIN
+          hab origin key download --auth $HAB_AUTH_TOKEN --secret $HAB_ORIGIN
+          echo "--- running linux hab build"
+          hab pkg build .
+          hartfile=$(ls ./results | grep "chef-vault" | tail -n 1)
+          sudo hab license accept
+          export CHEF_LICENSE="accept-no-persist"
+          export HAB_LICENSE="accept-no-persist"
+          export HAB_NONINTERACTIVE="true"
+          sudo hab pkg install ./results/$hartfile
+          . ./results/last_build.env
+          export pkg_ident
+          chmod +x habitat/tests/test.sh
+          habitat/tests/test.sh
+      - name: Install Habitat on Windows
+        if: ${{ matrix.os == 'windows-latest' }}
+        shell: pwsh
+        run: |
+          write-output "--- STARTING HAB INSTALL ON ${{ matrix.os }} WINDOWS with habitat version:${{vars.HABITAT_VERSION_SET}}"
+          $env:HAB_LICENSE = "accept-no-persist"
+          $env:HAB_NONINTERACTIVE = "true"
+          $env:HAB_FALLBACK_CHANNEL= "${{vars.HAB_FALLBACK_CHANNEL}}"
+          Invoke-Expression "& { $(Invoke-RestMethod https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.ps1) } -Version ${{vars.HABITAT_VERSION_SET}}"
+      - name: run habitat packaging windows
+        if: ${{ matrix.os == 'windows-latest' }}
+        shell: pwsh
+        run: |
+          $env:Path += ";C:\ProgramData\Habitat"
+          hab license accept
+          hab origin key download ${{ env.HAB_ORIGIN }}
+          hab origin key download --auth ${{ secrets.HAB_AUTH_TOKEN }} --secret ${{ env.HAB_ORIGIN }}
+          write-output "--- running windows hab build"
+          hab pkg build .
+          $hartfile=(ls ./results -Name | findstr "chef-vault")
+          hab pkg install ./results/$hartfile
+          . ./results/last_build.ps1
+          habitat/tests/test.ps1 $pkg_ident

.github/workflows/habitat-publish.yml

@@ -0,0 +1,111 @@
+name: Publish Habitat packages
+
+on:
+  push:
+    branches:
+      - workstation-LTS
+  release:
+    types:
+      - created
+
+env:
+  # BLDR URL Defined as: 'https://bldr.habitat.sh/' but as an env var in workspace settings.
+  BLDR_URL: ${{ vars.BLDR_URL }}
+   # HAB_ORIGIN Defined as: 'chef' defined in workspace settings.
+  HAB_ORIGIN: ${{ vars.HAB_ORIGIN }}
+  # BLDR_CHANNEL defaulted to unstable, but can be switched to stable, it is defined via the environment setting https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#using-an-environment
+  BLDR_CHANNEL: ${{ vars.BLDR_CHANNEL }}
+  # HABITAT_VERSION_SET this is the version of habitat CLI you are using, defaults to latest.
+  HABITAT_VERSION_SET: ${{ vars.HABITAT_VERSION_SET }}
+  # HAB_PACKAGE is the name of the project you are on, IE: node-management-agent
+  HAB_PACKAGE: ${{ vars.HAB_PACKAGE }}
+  # HAB_AUTH_TOKEN your orgs/projects auth token value
+  HAB_AUTH_TOKEN: ${{ secrets.HAB_AUTH_TOKEN }}
+  HAB_FALLBACK_CHANNEL: ${{ vars.HAB_FALLBACK_CHANNEL }}
+  # HABITAT_TARGET this is the CPU arch for the linux CLI tool, its defaulted to x86_64
+  #HABITAT_TARGET: $#{{vars.HABITAT_TARGET}}
+  # org-wide access token on https://github.com/organizations/progress-platform-services/settings/secrets/actions
+
+permissions:
+  contents: write
+
+jobs:
+  pre-build:
+    name: Setup before building packages
+    runs-on: ubuntu-latest
+    outputs:
+      app_version: ${{ steps.app_version.outputs.APP_VERSION }}
+    steps:
+      - name: Get branch name
+        id: get_branch_name
+        run: |
+          echo "BRANCH_NAME=${GITHUB_REF_NAME//\//-}" >> "$GITHUB_OUTPUT"
+      - name: Get version from tag
+        id: app_version
+        run: |
+          echo "APP_VERSION=${{ github.ref_type == 'tag' && github.ref_name || format('{0}-{1}', steps.get_branch_name.outputs.BRANCH_NAME, github.sha) }}" >> "$GITHUB_OUTPUT"
+  agent-matrix:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+      # matrix strategy is described at https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs
+
+    runs-on: ${{ matrix.os }}
+    # free runner types are https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners
+    # from macos-latest, windows-latest, ubuntu-latest, ubuntu-20.04, ubuntu-18.04, ubuntu-16.04, windows-2019, windows-2016
+    # included software packages on runners are at https://github.com/actions/runner-images#available-images
+    # environment: unstable
+    steps:
+      - name: print OS
+        run: echo "--- ${{ matrix.os }}"
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: install habitat on Linux
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        shell: bash
+        run: |
+          echo "--- STARTING HAB INSTALL ON  ${{ matrix.os }} UBUNTU with habitat version:${{vars.HABITAT_VERSION_SET}}"
+          export HABITAT_VERSION="${{vars.HABITAT_VERSION_SET}}"
+          HABITAT_VERSION="${HABITAT_VERSION:?HABITAT_VERSION must be set}"
+          HABITAT_TARGET="${HABITAT_TARGET:-x86_64-linux}"
+          export HAB_FALLBACK_CHANNEL="${{vars.HAB_FALLBACK_CHANNEL}}"
+          curl https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh | sudo bash -s -- -v "$HABITAT_VERSION" -t "$HABITAT_TARGET"
+      - name: run Habitat packaging (linux)
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        shell: bash
+        run: |
+          hab license accept
+          hab origin key download $HAB_ORIGIN
+          hab origin key download --auth $HAB_AUTH_TOKEN --secret $HAB_ORIGIN
+          echo "--- running linux hab build"
+          hab pkg build .
+          echo "--- pushing to ${{ env.BLDR_URL }}/#/${{ env.HAB_ORIGIN }}/${{ env.HAB_PACKAGE }}..."
+          source results/last_build.env
+          hab pkg upload --auth $HAB_AUTH_TOKEN results/$pkg_artifact
+          echo "--- push complete!!"
+      - name: Install Habitat on Windows
+        if: ${{ matrix.os == 'windows-latest' }}
+        shell: pwsh
+        run: |
+          write-output "--- STARTING HAB INSTALL ON ${{ matrix.os }} WINDOWS with habitat version:${{vars.HABITAT_VERSION_SET}}"
+          $env:HAB_LICENSE = "accept-no-persist"
+          $env:HAB_FALLBACK_CHANNEL= "${{vars.HAB_FALLBACK_CHANNEL}}"
+          Invoke-Expression "& { $(Invoke-RestMethod https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.ps1) } -Version ${{vars.HABITAT_VERSION_SET}}"
+      - name: run habitat packaging windows
+        if: ${{ matrix.os == 'windows-latest' }}
+        shell: pwsh
+        run: |
+          $env:Path += ";C:\ProgramData\Habitat"
+          hab license accept
+          hab origin key download ${{ env.HAB_ORIGIN }}
+          hab origin key download --auth ${{ secrets.HAB_AUTH_TOKEN }} --secret ${{ env.HAB_ORIGIN }}
+          write-output "--- running windows hab build"
+          hab pkg build .
+          write-output "--- pushing hab to unstable channel"
+          . results\last_build.ps1
+          hab pkg upload results\$pkg_artifact --auth ${{ secrets.HAB_AUTH_TOKEN }}
+          write-output "--- push complete!!"

.github/workflows/unit.yml

@@ -27,5 +27,4 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           failedThreshold: 90
-          resultPath: coverage/.last_run.json 
-
+          resultPath: coverage/.last_run.json

CHANGELOG.md

@@ -1,16 +1,17 @@
 # chef-vault Change Log
 
-<!-- latest_release 4.1.12 -->
-## [v4.1.12](https://github.com/chef/chef-vault/tree/v4.1.12) (2023-03-27)
+<!-- latest_release 4.1.13 -->
+## [v4.1.13](https://github.com/chef/chef-vault/tree/v4.1.13) (2024-09-25)
 
 #### Merged Pull Requests
-- Integrating with sonarQube [#406](https://github.com/chef/chef-vault/pull/406) ([nikhil2611](https://github.com/nikhil2611))
+- CHEF-3710-chef-vault warning message includes sensitive info [#414](https://github.com/chef/chef-vault/pull/414) ([nikhil2611](https://github.com/nikhil2611))
 <!-- latest_release -->
 
 <!-- release_rollup since=4.1.11 -->
 ### Changes not yet released to rubygems.org
 
 #### Merged Pull Requests
+- CHEF-3710-chef-vault warning message includes sensitive info [#414](https://github.com/chef/chef-vault/pull/414) ([nikhil2611](https://github.com/nikhil2611)) <!-- 4.1.13 -->
 - Integrating with sonarQube [#406](https://github.com/chef/chef-vault/pull/406) ([nikhil2611](https://github.com/nikhil2611)) <!-- 4.1.12 -->
 <!-- release_rollup -->
 

VERSION

@@ -1 +1 @@
-4.1.12
+4.1.13

habitat/tests/test.ps1

@@ -0,0 +1,22 @@
+param (
+    [Parameter()]
+    [string]$PackageIdentifier = $(throw "Usage: test.ps1 [test_pkg_ident] e.g. test.ps1 ci/user-windows/1.0.0/20190812103929")
+)
+
+
+Write-Host "--- :fire: Smokish test"
+# Pester the Package
+$help_message=hab pkg exec "${pkg_ident}" -- chef-vault -h
+$original_message="Usage: chef-vault"
+
+Write-Host "Checking the help message of the package"
+Write-Host "Expected: $original_message"
+Write-Host "Actual: $help_message"
+if ($help_message.Contains($original_message))
+{
+    Write "Chef-vault is working fine"
+}
+else {
+    Write-Error "chef-vault binary doesn't return the correct usage message "
+    throw "Chef-vault windows pipeline not working for hab pkg"
+}

habitat/tests/test.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -euo pipefail
+
+project_root="$(git rev-parse --show-toplevel)"
+
+# print error message followed by usage and exit
+error () {
+  local message="$1"
+
+  echo -e "\nERROR: ${message}\n" >&2
+
+  exit 1
+}
+
+[[ -n "$pkg_ident" ]] || error 'no hab package identity provided'
+
+package_version=$(awk -F / '{print $3}' <<<"$pkg_ident")
+
+cd "${project_root}"
+
+echo "--- :mag_right: Testing ${pkg_ident} executables"
+help_message=$(hab pkg exec "${pkg_ident}" -- chef-vault -h)
+original_help="Usage: chef-vault"
+[[ $help_message =~ $original_help ]] || error "chef-vault help command is not as expected"

lib/chef-vault/version.rb

@@ -15,6 +15,6 @@
 # limitations under the License.
 
 class ChefVault
-  VERSION = "4.1.12"
+  VERSION = "4.1.13"
   MAJOR, MINOR, TINY = VERSION.split(".")
 end

lib/chef/knife/mixin/helper.rb

@@ -49,16 +49,26 @@ def values_from_json(json)
       # Raises `InvalidValue` if any of the json's values contain non-printable characters.
       def validate_json(json)
         begin
-          evaled_json = eval(json) # rubocop: disable Security/Eval
-        rescue SyntaxError
+          parsed_json = JSON.parse(json)
+        rescue JSON::ParserError
           raise ChefVault::Exceptions::InvalidValue, "#{json} is not valid JSON!"
         end
 
-        if evaled_json.is_a?(Hash)
-          evaled_json.each do |key, value|
-            next unless printable?(value.to_s)
+        check_value(parsed_json) # Start checking from the root of the parsed JSON
+      end
+
+      def check_value(value, parent_key = nil)
+        if value.is_a?(Array)
+          value.each { |item| check_value(item, parent_key) }
+        elsif value.is_a?(Hash)
+          value.each do |key, nested_value|
+            next if key == "password" # Skip the password key
 
-            msg = "Value '#{value}' of key '#{key}' contains non-printable characters. Check that backslashes are escaped with another backslash (e.g. C:\\\\Windows) in double-quoted strings."
+            check_value(nested_value, key)
+          end
+        else
+          unless printable?(value.to_s)
+            msg = "Value '#{value}' of key '#{parent_key}' contains non-printable characters."
             ChefVault::Log.warn(msg)
           end
         end
@@ -69,7 +79,7 @@ def validate_json(json)
       # returns true if string is free of non-printable characters (escape sequences)
       # this returns false for whitespace escape sequences as well, e.g. \n\t
       def printable?(string)
-        /[^[:print:]]|[[:space:]]/.match(string)
+        !/[[:^print:]]/.match?(string) # Returns true if the string is printable
       end
     end
   end

spec/chef/helper_spec.rb

@@ -20,7 +20,7 @@
     it "not to raise error if data consist of tab/new line OR space" do
       %w{abc\tabc abc\nabc}.each do |pass|
         json_data_with_slash = json.merge("password": pass)
-        expect { validate_json(json_data_with_slash.to_s) }.to_not raise_error
+        expect { validate_json(json_data_with_slash.to_json) }.to_not raise_error
       end
     end
   end