chef 11.10.0.alpha.1-x86-mingw32 → 11.10.0.rc.0-x86-mingw32

data/lib/chef/provider/file.rb

@@ -352,16 +352,27 @@ class Chef
         if tempfile.path.nil? || !::File.exists?(tempfile.path)
           raise "chef-client is confused, trying to deploy a file that has no path or does not exist..."
         end
+
         # the file? on the next line suppresses the case in why-run when we have a not-file here that would have otherwise been removed
         if ::File.file?(@new_resource.path) && contents_changed?
-          diff.diff(@current_resource.path, tempfile.path)
-          @new_resource.diff( diff.for_reporting ) unless file_created?
-          description = [ "update content in file #{@new_resource.path} from #{short_cksum(@current_resource.checksum)} to #{short_cksum(checksum(tempfile.path))}" ]
-          description << diff.for_output
+          description = [ "update content in file #{@new_resource.path} from \
+#{short_cksum(@current_resource.checksum)} to #{short_cksum(checksum(tempfile.path))}" ]
+
+          # Hide the diff output if the resource is marked as a sensitive resource
+          if @new_resource.sensitive
+            @new_resource.diff("suppressed sensitive resource")
+            description << "suppressed sensitive resource"
+          else
+            diff.diff(@current_resource.path, tempfile.path)
+            @new_resource.diff( diff.for_reporting ) unless file_created?
+            description << diff.for_output
+          end
+
           converge_by(description) do
             update_file_contents
           end
         end
+
         # unlink necessary to clean up in why-run mode
         tempfile.unlink
       end
@@ -420,4 +431,3 @@ class Chef
     end
   end
 end
-

data/lib/chef/provider/group.rb

@@ -91,7 +91,7 @@ class Chef
         if(@new_resource.append)
           missing_members = []
           @new_resource.members.each do |member|
-            next if @current_resource.members.include?(member)
+            next if has_current_group_member?(member)
             missing_members << member
           end
           if missing_members.length > 0
@@ -100,7 +100,7 @@ class Chef
 
           members_to_be_removed = []
           @new_resource.excluded_members.each do |member|
-            if @current_resource.members.include?(member)
+            if has_current_group_member?(member)
               members_to_be_removed << member
             end
           end
@@ -116,6 +116,10 @@ class Chef
         !@change_desc.empty?
       end
 
+      def has_current_group_member?(member)
+        @current_resource.members.include?(member)
+      end
+
       def action_create
         case @group_exists
         when false

data/lib/chef/provider/group/windows.rb

@@ -59,7 +59,7 @@ class Chef
           if @new_resource.append
             members_to_be_added = [ ]
             @new_resource.members.each do |member|
-              members_to_be_added << member if !@current_resource.members.include?(member)
+              members_to_be_added << member if ! has_current_group_member?(member)
             end
 
             # local_add_members will raise ERROR_MEMBER_IN_ALIAS if a
@@ -68,7 +68,8 @@ class Chef
 
             members_to_be_removed = [ ]
             @new_resource.excluded_members.each do |member|
-              members_to_be_removed << member if @current_resource.members.include?(member)
+              member_sid = local_group_name_to_sid(member)
+              members_to_be_removed << member if has_current_group_member?(member)
             end
             @net_group.local_delete_members(members_to_be_removed) unless members_to_be_removed.empty?
           else
@@ -76,10 +77,19 @@ class Chef
           end
         end
 
+        def has_current_group_member?(member)
+          member_sid = local_group_name_to_sid(member)
+          @current_resource.members.include?(member_sid)
+        end
+
         def remove_group
           @net_group.local_delete
         end
 
+        def local_group_name_to_sid(group_name)
+          locally_qualified_name = group_name.include?("\\") ? group_name : "#{ENV['COMPUTERNAME']}\\#{group_name}"
+          Chef::ReservedNames::Win32::Security.lookup_account_name(locally_qualified_name)[1].to_s
+        end
       end
     end
   end

data/lib/chef/provider/http_request.rb

@@ -36,7 +36,8 @@ class Chef
       # Send a HEAD request to @new_resource.url, with ?message=@new_resource.message
       def action_head
         message = check_message(@new_resource.message)
-        # returns true from Chef::REST if returns 2XX (Net::HTTPSuccess)
+        # CHEF-4762: we expect a nil return value from Chef::HTTP for a "200 Success" response
+        # and false for a "304 Not Modified" response
         modified = @http.head(
           "#{@new_resource.url}?message=#{message}",
           @new_resource.headers
@@ -44,7 +45,7 @@ class Chef
         Chef::Log.info("#{@new_resource} HEAD to #{@new_resource.url} successful")
         Chef::Log.debug("#{@new_resource} HEAD request response: #{modified}")
         # :head is usually used to trigger notifications, which converge_by now does
-        if modified
+        if modified != false
           converge_by("#{@new_resource} HEAD to #{@new_resource.url} returned modified, trigger notifications") {}
         end
       end

data/lib/chef/provider/package.rb

@@ -202,6 +202,7 @@ class Chef
         if template_available?(@new_resource.response_file)
           Chef::Log.debug("#{@new_resource} fetching preseed file via Template")
           remote_file = Chef::Resource::Template.new(cache_seed_to, run_context)
+          remote_file.variables(@new_resource.response_file_variables)
         elsif cookbook_file_available?(@new_resource.response_file)
           Chef::Log.debug("#{@new_resource} fetching preseed file via cookbook_file")
           remote_file = Chef::Resource::CookbookFile.new(cache_seed_to, run_context)

data/lib/chef/provider/package/aix.rb

@@ -88,7 +88,7 @@ class Chef
           status = popen4("installp -L -d #{@new_resource.source}") do |pid, stdin, stdout, stderr|
             stdout.each_line do |line|
               case line
-              when /\w:{Regexp.escape(@new_resource.package_name)}:(.*)/
+              when /\w:#{Regexp.escape(@new_resource.package_name)}:(.*)/
                 fields = line.split(":")
                 @candidate_version = fields[2]
                 @new_resource.version(fields[2])

data/lib/chef/provider/service/debian.rb

@@ -103,7 +103,7 @@ class Chef
           priority.each { |runlevel, arguments|
             Chef::Log.debug("#{@new_resource} runlevel #{runlevel}, action #{arguments[0]}, priority #{arguments[1]}")
             # if we are in a update-rc.d default startup runlevel && we start in this runlevel
-            if (2..5).include?(runlevel.to_i) && arguments[0] == :start
+            if %w[ 1 2 3 4 5 S ].include?(runlevel) && arguments[0] == :start
               enabled = true
             end
           }
@@ -113,7 +113,12 @@ class Chef
 
         # Override method from parent to ensure priority is up-to-date
         def action_enable
-          if @current_resource.enabled && @current_resource.priority == @new_resource.priority
+          if @new_resource.priority.nil?
+            priority_ok = true
+          else
+            priority_ok = @current_resource.priority == @new_resource.priority
+          end
+          if @current_resource.enabled and priority_ok
             Chef::Log.debug("#{@new_resource} already enabled - nothing to do")
           else
             converge_by("enable service #{@new_resource}") do

data/lib/chef/resource/file.rb

@@ -52,9 +52,9 @@ class Chef
         @force_unlink = false
         @manage_symlink_source = nil
         @diff = nil
+        @sensitive = false
       end
 
-
       def content(arg=nil)
         set_or_return(
           :content,
@@ -119,6 +119,13 @@ class Chef
         )
       end
 
+      def sensitive(arg=nil)
+        set_or_return(
+          :sensitive,
+          arg,
+          :kind_of => [ TrueClass, FalseClass ]
+        )
+      end
     end
   end
 end

data/lib/chef/resource/package.rb

@@ -36,6 +36,7 @@ class Chef
         @package_name = name
         @resource_name = :package
         @response_file = nil
+        @response_file_variables = Hash.new
         @source = nil
         @version = nil
       end
@@ -64,6 +65,14 @@ class Chef
         )
       end
 
+      def response_file_variables(arg=nil)
+        set_or_return(
+          :response_file_variables,
+          arg,
+          :kind_of => [ Hash ]
+        )
+      end
+
       def source(arg=nil)
         set_or_return(
           :source,

data/lib/chef/resource/service.rb

@@ -43,7 +43,6 @@ class Chef
         @init_command = nil
         @priority = nil
         @action = "nothing"
-        @startup_type = :automatic
         @supports = { :restart => false, :reload => false, :status => false }
         @allowed_actions.push(:enable, :disable, :start, :stop, :restart, :reload)
       end

data/lib/chef/rest.rb

@@ -32,6 +32,7 @@ require 'chef/http/decompressor'
 require 'chef/http/json_input'
 require 'chef/http/json_to_model_output'
 require 'chef/http/cookie_manager'
+require 'chef/http/validate_content_length'
 require 'chef/config'
 require 'chef/exceptions'
 require 'chef/platform/query_helpers'
@@ -62,6 +63,7 @@ class Chef
       @decompressor = Decompressor.new(options)
       @authenticator = Authenticator.new(options)
 
+      @middlewares << ValidateContentLength.new(options)
       @middlewares << JSONInput.new(options)
       @middlewares << JSONToModelOutput.new(options)
       @middlewares << CookieManager.new(options)

data/lib/chef/run_context.rb

@@ -146,7 +146,7 @@ class Chef
         false
       else
         loaded_recipe(cookbook_name, recipe_short_name)
-
+        node.loaded_recipe(cookbook_name, recipe_short_name)
         cookbook = cookbook_collection[cookbook_name]
         cookbook.load_recipe(recipe_short_name, self)
       end

data/lib/chef/util/file_edit.rb

@@ -33,7 +33,7 @@ class Chef
         @file_edited = false
 
         raise ArgumentError, "File doesn't exist" unless File.exist? @original_pathname
-        @contents = File.new(@original_pathname).readlines
+        @contents = File.new(@original_pathname){ |f| f.readlines }
       end
 
       #search the file line by line and match each line with the given regex

data/lib/chef/util/windows/net_group.rb

@@ -55,19 +55,20 @@ class Chef::Util::Windows::NetGroup < Chef::Util::Windows
       nread = 0.chr * PTR_SIZE
       total = 0.chr * PTR_SIZE
 
-      rc = NetLocalGroupGetMembers.call(nil, @name, 1, ptr, -1,
+      rc = NetLocalGroupGetMembers.call(nil, @name, 0, ptr, -1,
                                         nread, total, handle)
       if (rc == NERR_Success) || (rc == ERROR_MORE_DATA)
         ptr = ptr.unpack('L')[0]
         nread = nread.unpack('i')[0]
-        members = 0.chr * (nread * (PTR_SIZE * 3)) #nread * sizeof(LOCALGROUP_MEMBERS_INFO_1)
+        members = 0.chr * (nread * PTR_SIZE ) #nread * sizeof(LOCALGROUP_MEMBERS_INFO_0)
         memcpy(members, ptr, members.size)
 
-        # 3 pointer fields in LOCALGROUP_MEMBERS_INFO_1, offset 2*PTR_SIZE is lgrmi1_name
+        # 1 pointer field in LOCALGROUP_MEMBERS_INFO_0, offset 0 is lgrmi0_sid
         nread.times do |i|
-          offset = (i * 3) + 2
-          member = lpwstr_to_s(members, offset)
-          group_members << member
+          sid_address = members[i * PTR_SIZE, PTR_SIZE].unpack('L')[0]
+          sid_ptr = FFI::Pointer.new(sid_address)
+          member_sid = Chef::ReservedNames::Win32::Security::SID.new(sid_ptr)
+          group_members << member_sid.to_s
         end
         NetApiBufferFree(ptr)
       else

data/lib/chef/version.rb

@@ -17,7 +17,7 @@
 
 class Chef
   CHEF_ROOT = File.dirname(File.expand_path(File.dirname(__FILE__)))
-  VERSION = '11.10.0.alpha.1'
+  VERSION = '11.10.0.rc.0'
 end
 
 # NOTE: the Chef::Version class is defined in version_class.rb

data/lib/chef/win32/version.rb

@@ -35,20 +35,25 @@ class Chef
         Win32API.new('user32', 'GetSystemMetrics', 'I', 'I').call(n_index)
       end
 
+      def self.method_name_from_marketing_name(marketing_name)
+        "#{marketing_name.gsub(/\s/, '_').gsub(/\./, '_').downcase}?"
+        # "#{marketing_name.gsub(/\s/, '_').gsub(//, '_').downcase}?"       
+      end
+
       public
 
       WIN_VERSIONS = {
-        "Windows 8.1" => {:major => 6, :minor => 3, :callable => lambda{ @product_type == VER_NT_WORKSTATION }},
-        "Windows Server 2012 R2" => {:major => 6, :minor => 3, :callable => lambda{ @product_type != VER_NT_WORKSTATION }},
-        "Windows 8" => {:major => 6, :minor => 2, :callable => lambda{ @product_type == VER_NT_WORKSTATION }},
-        "Windows Server 2012" => {:major => 6, :minor => 2, :callable => lambda{ @product_type != VER_NT_WORKSTATION }},
-        "Windows 7" => {:major => 6, :minor => 1, :callable => lambda{ @product_type == VER_NT_WORKSTATION }},
-        "Windows Server 2008 R2" => {:major => 6, :minor => 1, :callable => lambda{ @product_type != VER_NT_WORKSTATION }},
-        "Windows Server 2008" => {:major => 6, :minor => 0, :callable => lambda{ @product_type != VER_NT_WORKSTATION }},
-        "Windows Vista" => {:major => 6, :minor => 0, :callable => lambda{ @product_type == VER_NT_WORKSTATION }},
-        "Windows Server 2003 R2" => {:major => 5, :minor => 2, :callable => lambda{ get_system_metrics(SM_SERVERR2) != 0 }},
-        "Windows Home Server" => {:major => 5, :minor => 2, :callable => lambda{  (@suite_mask & VER_SUITE_WH_SERVER) == VER_SUITE_WH_SERVER }},
-        "Windows Server 2003" => {:major => 5, :minor => 2, :callable => lambda{ get_system_metrics(SM_SERVERR2) == 0 }},
+        "Windows 8.1" => {:major => 6, :minor => 3, :callable => lambda{ |product_type, suite_mask| product_type == VER_NT_WORKSTATION }},
+        "Windows Server 2012 R2" => {:major => 6, :minor => 3, :callable => lambda {|product_type, suite_mask| product_type != VER_NT_WORKSTATION }},
+        "Windows 8" => {:major => 6, :minor => 2, :callable => lambda{ |product_type, suite_mask| product_type == VER_NT_WORKSTATION }},
+        "Windows Server 2012" => {:major => 6, :minor => 2, :callable => lambda{ |product_type, suite_mask| product_type != VER_NT_WORKSTATION }},
+        "Windows 7" => {:major => 6, :minor => 1, :callable => lambda{ |product_type, suite_mask| product_type == VER_NT_WORKSTATION }},
+        "Windows Server 2008 R2" => {:major => 6, :minor => 1, :callable => lambda{ |product_type, suite_mask| product_type != VER_NT_WORKSTATION }},
+        "Windows Server 2008" => {:major => 6, :minor => 0, :callable => lambda{ |product_type, suite_mask| product_type != VER_NT_WORKSTATION }},
+        "Windows Vista" => {:major => 6, :minor => 0, :callable => lambda{ |product_type, suite_mask| product_type == VER_NT_WORKSTATION }},
+        "Windows Server 2003 R2" => {:major => 5, :minor => 2, :callable => lambda{ |product_type, suite_mask| get_system_metrics(SM_SERVERR2) != 0 }},
+        "Windows Home Server" => {:major => 5, :minor => 2, :callable => lambda{ |product_type, suite_mask| (suite_mask & VER_SUITE_WH_SERVER) == VER_SUITE_WH_SERVER }},
+        "Windows Server 2003" => {:major => 5, :minor => 2, :callable => lambda{ |product_type, suite_mask| get_system_metrics(SM_SERVERR2) == 0 }},
         "Windows XP" => {:major => 5, :minor => 1},
         "Windows 2000" => {:major => 5, :minor => 0}
       }
@@ -77,11 +82,11 @@ class Chef
 
       # General Windows checks
       WIN_VERSIONS.each do |k,v|
-        method_name = "#{k.gsub(/\s/, '_').downcase}?"
+        method_name = method_name_from_marketing_name(k)
         define_method(method_name) do
           (@major_version == v[:major]) &&
           (@minor_version == v[:minor]) &&
-          (v[:callable] ? v[:callable].call : true)
+          (v[:callable] ? v[:callable].call(@product_type, @suite_mask) : true)
         end
         marketing_names << [k, method_name]
       end
@@ -105,11 +110,19 @@ class Chef
       private
 
       def get_version
-        version = GetVersion()
-        major = LOBYTE(LOWORD(version))
-        minor = HIBYTE(LOWORD(version))
-        build = version < 0x80000000 ? HIWORD(version) : 0
-        [major, minor, build]
+        # Use WMI here because API's like GetVersion return faked
+        # version numbers on Windows Server 2012 R2 and Windows 8.1 --
+        # WMI always returns the truth. See article at
+        # http://msdn.microsoft.com/en-us/library/windows/desktop/ms724439(v=vs.85).aspx
+        require 'ruby-wmi'
+
+        os_info = WMI::Win32_OperatingSystem.find(:first)
+        os_version = os_info.send('Version')
+
+        # The operating system version is a string in the following form
+        # that can be split into components based on the '.' delimiter:
+        # MajorVersionNumber.MinorVersionNumber.BuildNumber
+        os_version.split('.').collect { | version_string | version_string.to_i }
       end
 
       def get_version_ex

data/spec/data/cookbooks/preseed/templates/default/preseed-template-variables.seed

@@ -0,0 +1 @@
+chef-integration-test chef-integration-test/sample-var string "<%= @template_variable -%>"

data/spec/functional/resource/file_spec.rb

@@ -115,5 +115,4 @@ describe Chef::Resource::File do
       end
     end
   end
-
 end

data/spec/functional/resource/group_spec.rb

@@ -38,7 +38,8 @@ describe Chef::Resource::Group, :requires_root_or_running_windows, :not_supporte
   def user_exist_in_group?(user)
     case ohai[:platform_family]
     when "windows"
-      Chef::Util::Windows::NetGroup.new(group_name).local_get_members.include?(user)
+      user_sid = sid_string_from_user(user)
+      user_sid.nil? ? false : Chef::Util::Windows::NetGroup.new(group_name).local_get_members.include?(user_sid)
     else
       Etc::getgrnam(group_name).mem.include?(user)
     end
@@ -57,6 +58,25 @@ describe Chef::Resource::Group, :requires_root_or_running_windows, :not_supporte
     return resource.gid == Etc::getgrnam(resource.name).gid if unix?
   end
 
+  def sid_string_from_user(user)
+    begin
+      sid = Chef::ReservedNames::Win32::Security.lookup_account_name(user)
+    rescue Chef::Exceptions::Win32APIError
+      sid = nil
+    end
+
+    sid.nil? ? nil : sid[1].to_s
+  end
+
+  def windows_domain_user?(user_name)
+    domain, user = user_name.split('\\')
+
+    if user && domain != '.'
+      computer_name = ENV['computername']
+      domain.downcase != computer_name.downcase
+    end
+  end
+
   def user(username)
     usr = Chef::Resource::User.new("#{username}", run_context)
     if ohai[:platform_family] == "windows"
@@ -66,12 +86,12 @@ describe Chef::Resource::Group, :requires_root_or_running_windows, :not_supporte
   end
 
   def create_user(username)
-    user(username).run_action(:create)
+    user(username).run_action(:create) if ! windows_domain_user?(username)
     # TODO: User shouldn't exist
   end
 
   def remove_user(username)
-    user(username).run_action(:remove)
+    user(username).run_action(:remove) if ! windows_domain_user?(username)
     # TODO: User shouldn't exist
   end
 
@@ -108,24 +128,24 @@ describe Chef::Resource::Group, :requires_root_or_running_windows, :not_supporte
     end
 
     describe "when append is not set" do
-      let(:included_members) { ["spec-Eric"] }
+      let(:included_members) { [spec_members[1]] }
 
       before do
-        create_user("spec-Eric")
-        create_user("spec-Gordon")
-        add_members_to_group(["spec-Gordon"])
+        create_user(spec_members[1])
+        create_user(spec_members[0])
+        add_members_to_group([spec_members[0]])
       end
 
       after do
-        remove_user("spec-Eric")
-        remove_user("spec-Gordon")
+        remove_user(spec_members[1])
+        remove_user(spec_members[0])
       end
 
       it "should remove the existing users and add the new users to the group" do
         group_resource.run_action(tested_action)
 
-        user_exist_in_group?("spec-Eric").should == true
-        user_exist_in_group?("spec-Gordon").should == false
+        user_exist_in_group?(spec_members[1]).should == true
+        user_exist_in_group?(spec_members[0]).should == false
       end
     end
 
@@ -160,7 +180,7 @@ describe Chef::Resource::Group, :requires_root_or_running_windows, :not_supporte
 
         describe "when group contains some users" do
           before(:each) do
-            add_members_to_group([ "spec-Gordon", "spec-Anthony" ])
+            add_members_to_group([ spec_members[0], spec_members[2] ])
           end
 
           it "should add the included users and remove excluded users" do
@@ -192,6 +212,42 @@ describe Chef::Resource::Group, :requires_root_or_running_windows, :not_supporte
     end
   end
 
+  shared_examples_for "an expected invalid domain error case" do
+    let(:invalid_domain_user_name) { "no space\\administrator" }
+    let(:nonexistent_domain_user_name) { "xxfakedom\\administrator" }
+    before(:each) do
+      group_resource.members []
+      group_resource.excluded_members []
+      group_resource.append(true)
+      group_resource.run_action(:create)
+      group_should_exist(group_name)
+    end
+
+    describe "when updating membership" do
+      it "raises an error for a non well-formed domain name" do
+        group_resource.members [invalid_domain_user_name]
+        lambda { group_resource.run_action(tested_action) }.should raise_error Chef::Exceptions::Win32APIError
+      end
+
+      it "raises an error for a nonexistent domain" do
+        group_resource.members [nonexistent_domain_user_name]
+        lambda { group_resource.run_action(tested_action) }.should raise_error Chef::Exceptions::Win32APIError
+      end
+    end
+
+    describe "when removing members" do
+      it "raises an error for a non well-formed domain name" do
+        group_resource.excluded_members [invalid_domain_user_name]
+        lambda { group_resource.run_action(tested_action) }.should raise_error Chef::Exceptions::Win32APIError
+      end
+
+      it "raises an error for a nonexistent domain" do
+        group_resource.excluded_members [nonexistent_domain_user_name]
+        lambda { group_resource.run_action(tested_action) }.should raise_error Chef::Exceptions::Win32APIError
+      end
+    end
+  end
+
   let(:group_name) { "cheftest-#{SecureRandom.random_number(9999)}" }
   let(:included_members) { nil }
   let(:excluded_members) { nil }
@@ -274,8 +330,9 @@ downthestreetalwayshadagoodsmileonhisfacetheoldmanwalkingdownthestreeQQQQQQ" }
   end
 
   describe "group modify action", :not_supported_on_solaris do
-    let(:included_members) { ["spec-Gordon", "spec-Eric"] }
-    let(:excluded_members) { ["spec-Anthony"] }
+    let(:spec_members){ ["spec-Gordon", "spec-Eric", "spec-Anthony"] }
+    let(:included_members) { [spec_members[0], spec_members[1]] }
+    let(:excluded_members) { [spec_members[2]] }
     let(:tested_action) { :modify }
 
     describe "when there is no group" do
@@ -287,11 +344,23 @@ downthestreetalwayshadagoodsmileonhisfacetheoldmanwalkingdownthestreeQQQQQQ" }
     describe "when there is a group" do
       it_behaves_like "correct group management"
     end
+
+    describe "when running on Windows", :windows_only do
+      describe "when members are Active Directory domain identities", :windows_domain_joined_only do
+        let(:computer_domain) { ohai[:kernel]['cs_info']['domain'].split('.')[0] }
+        let(:spec_members){ ["#{computer_domain}\\Domain Admins", "#{computer_domain}\\Domain Users", "#{computer_domain}\\Domain Computers"] }
+
+        include_examples "correct group management"
+      end
+
+      it_behaves_like "an expected invalid domain error case"
+    end
   end
 
   describe "group manage action", :not_supported_on_solaris do
-    let(:included_members) { ["spec-Gordon", "spec-Eric"] }
-    let(:excluded_members) { ["spec-Anthony"] }
+    let(:spec_members){ ["spec-Gordon", "spec-Eric", "spec-Anthony"] }
+    let(:included_members) { [spec_members[0], spec_members[1]] }
+    let(:excluded_members) { [spec_members[2]] }
     let(:tested_action) { :manage }
 
     describe "when there is no group" do
@@ -304,6 +373,17 @@ downthestreetalwayshadagoodsmileonhisfacetheoldmanwalkingdownthestreeQQQQQQ" }
     describe "when there is a group" do
       it_behaves_like "correct group management"
     end
+
+    describe "running on windows", :windows_only do
+      describe "when members are Windows domain identities", :windows_domain_joined_only do
+        let(:computer_domain) { ohai[:kernel]['cs_info']['domain'].split('.')[0] }
+        let(:spec_members){ ["#{computer_domain}\\Domain Admins", "#{computer_domain}\\Domain Users", "#{computer_domain}\\Domain Computers"] }
+
+        include_examples "correct group management"
+      end
+
+      it_behaves_like "an expected invalid domain error case"
+    end
   end
 
   describe "group resource with Usermod provider", :solaris_only do