Skip to content

CHEF-29762 add chef-ice package_manger support to generated scripts #417

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Stromweld wants to merge 14 commits into
base: main
Choose a base branch
from
Draft

CHEF-29762 add chef-ice package_manger support to generated scripts #417

Stromweld wants to merge 14 commits into from
+1,540 −54

Conversation

@Stromweld
Copy link
Contributor

@Stromweld Stromweld commented Jan 21, 2026

Description

add chef-ice package_manger support to generated scripts

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • If Gemfile.lock has changed, I have used --conservative to do it and included the full output in the Description above.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.

@Stromweld
add chef-ice package_manger support to generated scripts
3b0e2c3 
Signed-off-by: Corey Hemminger <hemminger@hotmail.com>
@Stromweld
add chef-ice package_manger support to generated scripts
1969e4e 
Signed-off-by: Corey Hemminger <hemminger@hotmail.com>
@Stromweld
Merge branch 'package-manager' of https://github.com/chef/mixlib-install
155a3f7 
 into package-manager
@Stromweld
trial restriction updates
88caef7 
Signed-off-by: Corey Hemminger <hemminger@hotmail.com>
@Stromweld
update copilot-instructions
2b2a396 
Signed-off-by: Corey Hemminger <hemminger@hotmail.com>
@Stromweld Stromweld changed the title add chef-ice package_manger support to generated scripts CHEF-29762 add chef-ice package_manger support to generated scripts Jan 23, 2026
@Stromweld
remove unused new_install_sh parameter not used since mixlib-install …
678e2d3 
…will be source of truth

Signed-off-by: Corey Hemminger <hemminger@hotmail.com>
@Stromweld
add license_id option to script_generator
ff5405b 
Signed-off-by: Corey Hemminger <hemminger@hotmail.com>
@Stromweld
fix download_url when no filename is in path, fix script_generator mi…
eb8bb02 
…ssing license_id option

Signed-off-by: Corey Hemminger <hemminger@hotmail.com>
@Stromweld
test
5b37ae9 
Signed-off-by: Corey Hemminger <hemminger@hotmail.com>
@Stromweld
test
ba31e93 
Signed-off-by: Corey Hemminger <hemminger@hotmail.com>
@Stromweld
test
ea329fd 
Signed-off-by: Corey Hemminger <hemminger@hotmail.com>
@Stromweld
test
1a29589 
Signed-off-by: Corey Hemminger <hemminger@hotmail.com>
@Stromweld
test
d3cd547 
Signed-off-by: Corey Hemminger <hemminger@hotmail.com>
@Stromweld
update script_generator to support chef-ice downloads
1c44300 
Signed-off-by: Corey Hemminger <hemminger@hotmail.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 27, 2026
View reviewed changes
lib/mixlib/install/script_generator.rb
# @return [String] the omnibus URL (commercial/trial or standard omnitruck)
# @api private
def omnibus_url_for_license
return omnibus_url if license_id.nil? || license_id.to_s.empty? || !omnibus_url.include?("omnitruck.chef.io")

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization High

'
omnitruck.chef.io
Loading
' can be anywhere in the URL, and arbitrary hosts may come before or after it.

Copilot Autofix

AI 33 minutes ago

In general, the problem should be fixed by parsing the URL and validating the host component explicitly, rather than using a substring check on the entire URL string. That means using URI.parse (from Ruby’s standard library) to get uri.host, and then comparing that to an allowlist ("omnitruck.chef.io" and any officially supported aliases) or a strict pattern, instead of using .include?.

In this specific file, on line 227 we should replace !omnibus_url.include?("omnitruck.chef.io") with a small helper that safely checks the host of omnibus_url. To keep behavior consistent and localized:

  • Add a private helper method in ScriptGenerator that:
    • Uses URI.parse(omnibus_url.to_s) to parse the URL.
    • Returns true only if uri.host matches "omnitruck.chef.io" (or, if appropriate for this project, matches a small set of official hosts).
    • Rescues URI::InvalidURIError and returns false in that case.
  • Update omnibus_url_for_license to call this helper (e.g., !omnitruck_host?(omnibus_url) instead of !omnibus_url.include?("omnitruck.chef.io")).

We only need to modify lib/mixlib/install/script_generator.rb, adding the helper method near the other private helpers (e.g., after metadata_endpoint_from_project) and updating the conditional in omnibus_url_for_license. URI is a standard Ruby library; since the file doesn’t currently require it explicitly, we should add require "uri" near the top alongside the other requires.

Suggested changeset 1
lib/mixlib/install/script_generator.rb

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/lib/mixlib/install/script_generator.rb b/lib/mixlib/install/script_generator.rb
--- a/lib/mixlib/install/script_generator.rb
+++ b/lib/mixlib/install/script_generator.rb
@@ -21,6 +21,7 @@
 require_relative "generator/powershell"
 require_relative "dist"
 require "cgi"
+require "uri"
 
 module Mixlib
   class Install
@@ -220,11 +221,27 @@
         end
       end
 
+      # Returns true if the given URL points to the official Omnitruck host.
+      # @param url [String] the URL to check
+      # @return [Boolean] whether the URL's host matches the Omnitruck host
+      # @api private
+      def omnitruck_host?(url)
+        return false if url.nil? || url.to_s.empty?
+
+        begin
+          uri = URI.parse(url.to_s)
+          host = uri.host
+          host == "omnitruck.chef.io"
+        rescue URI::InvalidURIError
+          false
+        end
+      end
+
       # Returns the appropriate omnibus URL based on whether license_id is provided
       # @return [String] the omnibus URL (commercial/trial or standard omnitruck)
       # @api private
       def omnibus_url_for_license
-        return omnibus_url if license_id.nil? || license_id.to_s.empty? || !omnibus_url.include?("omnitruck.chef.io")
+        return omnibus_url if license_id.nil? || license_id.to_s.empty? || !omnitruck_host?(omnibus_url)
 
         # Determine if this is a trial or commercial license
         base_url = if license_id.start_with?("free-", "trial-")
EOF
@@ -21,6 +21,7 @@
require_relative "generator/powershell"
require_relative "dist"
require "cgi"
require "uri"

module Mixlib
class Install
@@ -220,11 +221,27 @@
end
end

# Returns true if the given URL points to the official Omnitruck host.
# @param url [String] the URL to check
# @return [Boolean] whether the URL's host matches the Omnitruck host
# @api private
def omnitruck_host?(url)
return false if url.nil? || url.to_s.empty?

begin
uri = URI.parse(url.to_s)
host = uri.host
host == "omnitruck.chef.io"
rescue URI::InvalidURIError
false
end
end

# Returns the appropriate omnibus URL based on whether license_id is provided
# @return [String] the omnibus URL (commercial/trial or standard omnitruck)
# @api private
def omnibus_url_for_license
return omnibus_url if license_id.nil? || license_id.to_s.empty? || !omnibus_url.include?("omnitruck.chef.io")
return omnibus_url if license_id.nil? || license_id.to_s.empty? || !omnitruck_host?(omnibus_url)

# Determine if this is a trial or commercial license
base_url = if license_id.start_with?("free-", "trial-")
Copilot is powered by AI and may make mistakes. Always verify output.
@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 27, 2026

Quality Gate Passed Quality Gate passed

Issues
17 New issues
0 Accepted issues

Measures
2 Security Hotspots
0.0% Coverage on New Code
12.7% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jaymzh jaymzh Awaiting requested review from jaymzh jaymzh will be requested when the pull request is marked ready for review jaymzh is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Stromweld