chef 14.6.47 → 14.7.17

data/lib/chef/resource/windows_env.rb

@@ -31,9 +31,18 @@ class Chef
       default_action :create
       allowed_actions :create, :delete, :modify
 
-      property :key_name, String, identity: true, name_property: true
-      property :value, String, required: true
-      property :delim, [ String, nil, false ], desired_state: false
+      property :key_name, String,
+               description: "The name of the key that is to be created, deleted, or modified.",
+               identity: true, name_property: true
+
+      property :value, String,
+               description: "The value of the environmental variable to set.",
+               required: true
+
+      property :delim, [ String, nil, false ],
+               description: "The delimiter that is used to separate multiple values for a single key.",
+               desired_state: false
+
       property :user, String, default: "<System>"
     end
   end

data/lib/chef/resource/windows_feature.rb

@@ -24,35 +24,30 @@ class Chef
       resource_name :windows_feature
       provides(:windows_feature) { true }
 
-      description "Use the windows_feature resource to add, remove or delete Windows features and roles. This resource calls"\
-                  " the 'windows_feature_dism' or 'windows_feature_powershell' resources depending on the specified installation"\
-                  " method and defaults to dism, which is available on both Workstation and Server editions of Windows."
+      description "Use the windows_feature resource to add, remove or entirely delete Windows features and roles. This resource calls the 'windows_feature_dism' or 'windows_feature_powershell' resources depending on the specified installation method and defaults to dism, which is available on both Workstation and Server editions of Windows."
       introduced "14.0"
 
       property :feature_name, [Array, String],
-               description: "The name of the feature/role(s) to install. The same feature may have different"\
-                            " names depending on the underlying resource being used (ie DHCPServer vs DHCP;"\
-                            " DNS-Server-Full-Role vs DNS).",
+               description: "The name of the feature(s) or role(s) to install, if it differs from the resource block name. The same feature may have different names depending on the underlying installation method being used (ie DHCPServer vs DHCP; DNS-Server-Full-Role vs DNS).",
                name_property: true
 
       property :source, String,
-               description: "Use a local repository for the feature install."
+               description: "Specify a local repository for the feature install."
 
       property :all, [TrueClass, FalseClass],
                description: "Install all sub features.",
                default: false
 
       property :management_tools, [TrueClass, FalseClass],
-               description: "Install all applicable management tools of the roles, role services, or features (PowerShell only).",
+               description: "Install all applicable management tools for the roles, role services, or features (PowerShell-only).",
                default: false
 
       property :install_method, Symbol,
-               description: "If DISM or PowerShell should be used for the installation. Note feature names differ"\
-                            " between the two installation methods.",
+               description: "The underlying installation method to use for feature installation. Specify ':windows_feature_dism' for DISM or ':windows_feature_powershell' for PowerShell.",
                equal_to: [:windows_feature_dism, :windows_feature_powershell, :windows_feature_servermanagercmd]
 
       property :timeout, Integer,
-               description: "Specifies a timeout (in seconds) for feature install.",
+               description: "Specifies a timeout (in seconds) for the feature installation.",
                default: 600
 
       action :install do

data/lib/chef/resource/windows_feature_dism.rb

@@ -25,7 +25,7 @@ class Chef
       resource_name :windows_feature_dism
       provides(:windows_feature_dism) { true }
 
-      description "Use the windows_feature_dism resource to add, remove or delete Windows features and roles using DISM"
+      description "Use the windows_feature_dism resource to add, remove, or entirely delete Windows features and roles using DISM."
       introduced "14.0"
 
       property :feature_name, [Array, String],
@@ -41,7 +41,7 @@ class Chef
                default: false
 
       property :timeout, Integer,
-               description: "Specifies a timeout (in seconds) for feature install.",
+               description: "Specifies a timeout (in seconds) for the feature installation.",
                default: 600
 
       # @return [Array] lowercase the array unless we're on < Windows 2012

data/lib/chef/resource/windows_feature_powershell.rb

@@ -27,27 +27,23 @@ class Chef
       resource_name :windows_feature_powershell
       provides(:windows_feature_powershell) { true }
 
-      description "Use the windows_feature_powershell resource to add, remove or"\
-                  " delete Windows features and roles using PowerShell. This resource"\
-                  " offers significant speed benefits over the windows_feature_dism resource,"\
-                  " but requires installing the Remote Server Administration Tools on"\
-                  " non-server releases of Windows"
+      description "Use the windows_feature_powershell resource to add, remove, or entirely delete Windows features and roles using PowerShell. This resource offers significant speed benefits over the windows_feature_dism resource, but requires installing the Remote Server Administration Tools on non-server releases of Windows."
       introduced "14.0"
 
       property :feature_name, [Array, String],
-               description: "The name of the feature/role(s) to install if it differs from the resource name.",
+               description: "The name of the feature(s) or role(s) to install, if it differs from the resource block name.",
                coerce: proc { |x| to_formatted_array(x) },
                name_property: true
 
       property :source, String,
-               description: "Use a local repository for the feature install."
+               description: "Specify a local repository for the feature install."
 
       property :all, [TrueClass, FalseClass],
-               description: "Install all sub features. This is equivalent to using the -InstallAllSubFeatures switch with Add-WindowsFeature.",
+               description: "Install all subfeatures. When set to 'true', this is the equivalent of specifying the '-InstallAllSubFeatures' switch with 'Add-WindowsFeature'.",
                default: false
 
       property :timeout, Integer,
-               description: "Specifies a timeout (in seconds) for feature install.",
+               description: "Specifies a timeout (in seconds) for the feature installation.",
                default: 600
 
       property :management_tools, [TrueClass, FalseClass],

data/lib/chef/resource/windows_firewall_rule.rb

@@ -0,0 +1,205 @@
+# Author:: Matt Clifton (spartacus003@hotmail.com)
+# Author:: Matt Stratton (matt.stratton@gmail.com)
+# Author:: Tor Magnus Rakvåg (tor.magnus@outlook.com)
+# Author:: Tim Smith (tsmith@chef.io)
+# Copyright:: 2013-2015 Matt Clifton
+# Copyright:: 2018, Chef Software, Inc.
+# Copyright:: 2018, Intility AS
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "chef/json_compat"
+
+class Chef
+  class Resource
+    class WindowsFirewallRule < Chef::Resource
+      preview_resource true
+      resource_name :windows_firewall_rule
+
+      description "Use the windows_firewall_rule resource to create, change or remove windows firewall rules."
+      introduced "14.7"
+
+      property :rule_name, String,
+               name_property: true,
+               description: "The name to assign to the firewall rule."
+
+      property :description, String,
+               default: "Firewall rule",
+               description: "The description to assign to the firewall rule."
+
+      property :local_address, String,
+               description: "The local address the firewall rule applies to."
+
+      property :local_port, [String, Integer, Array],
+               # split various formats of comma separated lists and provide a sorted array of strings to match PS output
+               coerce: proc { |d| d.is_a?(String) ? d.split(/\s*,\s*/).sort : Array(d).sort.map { |x| x.to_s } },
+               description: "The local port the firewall rule applies to."
+
+      property :remote_address, String,
+               description: "The remote address the firewall rule applies to."
+
+      property :remote_port, [String, Integer, Array],
+               # split various formats of comma separated lists and provide a sorted array of strings to match PS output
+               coerce: proc { |d| d.is_a?(String) ? d.split(/\s*,\s*/).sort : Array(d).sort.map { |x| x.to_s } },
+               description: "The remote port the firewall rule applies to."
+
+      property :direction, [Symbol, String],
+               default: :inbound, equal_to: [:inbound, :outbound],
+               description: "The direction of the firewall rule. Direction means either inbound or outbound traffic.",
+               coerce: proc { |d| d.is_a?(String) ? d.downcase.to_sym : d }
+
+      property :protocol, String,
+               default: "TCP",
+               description: "The protocol the firewall rule applies to."
+
+      property :firewall_action, [Symbol, String],
+               default: :allow, equal_to: [:allow, :block, :notconfigured],
+               description: "The action of the firewall rule.",
+               coerce: proc { |f| f.is_a?(String) ? f.downcase.to_sym : f }
+
+      property :profile, [Symbol, String],
+               default: :any, equal_to: [:public, :private, :domain, :any, :notapplicable],
+               description: "The profile the firewall rule applies to.",
+               coerce: proc { |p| p.is_a?(String) ? p.downcase.to_sym : p }
+
+      property :program, String,
+               description: "The program the firewall rule applies to."
+
+      property :service, String,
+               description: "The service the firewall rule applies to."
+
+      property :interface_type, [Symbol, String],
+               default: :any, equal_to: [:any, :wireless, :wired, :remoteaccess],
+               description: "The interface type the firewall rule applies to.",
+               coerce: proc { |i| i.is_a?(String) ? i.downcase.to_sym : i }
+
+      property :enabled, [TrueClass, FalseClass],
+               default: true,
+               description: "Whether or not to enable the firewall rule."
+
+      alias_method :localip, :local_address
+      alias_method :remoteip, :remote_address
+      alias_method :localport, :local_port
+      alias_method :remoteport, :remote_port
+      alias_method :interfacetype, :interface_type
+
+      load_current_value do
+        load_state_cmd = load_firewall_state(rule_name)
+        output = powershell_out(load_state_cmd)
+        if output.stdout.empty?
+          current_value_does_not_exist!
+        else
+          state = Chef::JSONCompat.from_json(output.stdout)
+        end
+        local_address state["local_address"]
+        local_port Array(state["local_port"]).sort
+        remote_address state["remote_address"]
+        remote_port Array(state["remote_port"]).sort
+        direction state["direction"]
+        protocol state["protocol"]
+        firewall_action state["firewall_action"]
+        profile state["profile"]
+        program state["program"]
+        service state["service"]
+        interface_type state["interface_type"]
+        enabled state["enabled"]
+      end
+
+      action :create do
+        description "Create a Windows firewall entry."
+
+        if current_resource
+          converge_if_changed :rule_name, :local_address, :local_port, :remote_address, :remote_port, :direction,
+                              :protocol, :firewall_action, :profile, :program, :service, :interface_type, :enabled do
+            cmd = firewall_command("Set")
+            powershell_out!(cmd)
+          end
+        else
+          converge_by("create firewall rule #{new_resource.rule_name}") do
+            cmd = firewall_command("New")
+            powershell_out!(cmd)
+          end
+        end
+      end
+
+      action :delete do
+        description "Delete an existing Windows firewall entry."
+
+        if current_resource
+          converge_by("delete firewall rule #{new_resource.rule_name}") do
+            powershell_out!("Remove-NetFirewallRule -Name '#{new_resource.rule_name}'")
+          end
+        else
+          Chef::Log.info("Firewall rule \"#{new_resource.rule_name}\" doesn't exist. Skipping.")
+        end
+      end
+
+      action_class do
+        # build the command to create a firewall rule based on new_resource values
+        # @return [String] firewall create command
+        def firewall_command(cmdlet_type)
+          cmd = "#{cmdlet_type}-NetFirewallRule -Name '#{new_resource.rule_name}'"
+          cmd << " -DisplayName '#{new_resource.rule_name}'" if cmdlet_type == "New"
+          cmd << " -Description '#{new_resource.description}'" if new_resource.description
+          cmd << " -LocalAddress '#{new_resource.local_address}'" if new_resource.local_address
+          cmd << " -LocalPort #{new_resource.local_port.join(',')}" if new_resource.local_port
+          cmd << " -RemoteAddress '#{new_resource.remote_address}'" if new_resource.remote_address
+          cmd << " -RemotePort #{new_resource.remote_port.join(',')}" if new_resource.remote_port
+          cmd << " -Direction '#{new_resource.direction}'" if new_resource.direction
+          cmd << " -Protocol '#{new_resource.protocol}'" if new_resource.protocol
+          cmd << " -Action '#{new_resource.firewall_action}'" if new_resource.firewall_action
+          cmd << " -Profile '#{new_resource.profile}'" if new_resource.profile
+          cmd << " -Program '#{new_resource.program}'" if new_resource.program
+          cmd << " -Service '#{new_resource.service}'" if new_resource.service
+          cmd << " -InterfaceType '#{new_resource.interface_type}'" if new_resource.interface_type
+          cmd << " -Enabled '#{new_resource.enabled}'"
+
+          cmd
+        end
+      end
+
+      private
+
+      # build the command to load the current resource
+      # # @return [String] current firewall state
+      def load_firewall_state(rule_name)
+        <<-EOH
+          Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
+          $rule = Get-NetFirewallRule -Name '#{rule_name}'
+          $addressFilter = $rule | Get-NetFirewallAddressFilter
+          $portFilter = $rule | Get-NetFirewallPortFilter
+          $applicationFilter = $rule | Get-NetFirewallApplicationFilter
+          $serviceFilter = $rule | Get-NetFirewallServiceFilter
+          $interfaceTypeFilter = $rule | Get-NetFirewallInterfaceTypeFilter
+          ([PSCustomObject]@{
+            rule_name = $rule.Name
+            description = $rule.Description
+            local_address = $addressFilter.LocalAddress
+            local_port = $portFilter.LocalPort
+            remote_address = $addressFilter.RemoteAddress
+            remote_port = $portFilter.RemotePort
+            direction = $rule.Direction.ToString()
+            protocol = $portFilter.Protocol
+            firewall_action = $rule.Action.ToString()
+            profile = $rule.Profile.ToString()
+            program = $applicationFilter.Program
+            service = $serviceFilter.Service
+            interface_type = $interfaceTypeFilter.InterfaceType.ToString()
+            enabled = [bool]::Parse($rule.Enabled.ToString())
+          }) | ConvertTo-Json
+        EOH
+      end
+    end
+  end
+end

data/lib/chef/resource/windows_path.rb

@@ -30,7 +30,9 @@ class Chef
       allowed_actions :add, :remove
       default_action :add
 
-      property :path, String, name_property: true
+      property :path, String,
+               description: "The name of the value to add to the system path",
+               name_property: true
     end
   end
 end

data/lib/chef/resource/windows_printer.rb

@@ -42,7 +42,7 @@ class Chef
                default: false
 
       property :driver_name, String,
-               description: "Exact name of printer driver. Note that the printer driver must already be installed on the node.",
+               description: "The exact name of printer driver installed on the system.",
                required: true
 
       property :location, String,
@@ -61,7 +61,7 @@ class Chef
                regex: Resolv::IPv4::Regex
 
       property :exists, [TrueClass, FalseClass],
-               desired_state: true
+               skip_docs: true
 
       PRINTERS_REG_KEY = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\\'.freeze unless defined?(PRINTERS_REG_KEY)
 

data/lib/chef/resource/windows_printer_port.rb

@@ -34,7 +34,7 @@ class Chef
                name_property: true,
                regex: Resolv::IPv4::Regex,
                validation_message: "The ipv4_address property must be in the format of WWW.XXX.YYY.ZZZ!",
-               description: "The IPv4 address of the printer port."
+               description: "An optional property for the IPv4 address of the printer if it differs from the resource block's name."
 
       property :port_name, String,
                description: "The port name."
@@ -51,12 +51,12 @@ class Chef
                default: false
 
       property :port_protocol, Integer,
-               description: "The printer port protocol, 1 (RAW), or 2 (LPR).",
+               description: "The printer port protocol: 1 (RAW) or 2 (LPR).",
                validation_message: "port_protocol must be either 1 for RAW or 2 for LPR!",
                default: 1, equal_to: [1, 2]
 
       property :exists, [TrueClass, FalseClass],
-               desired_state: true
+               skip_docs: true
 
       PORTS_REG_KEY = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports\\'.freeze unless defined?(PORTS_REG_KEY)
 

data/lib/chef/resource/windows_service.rb

@@ -50,6 +50,7 @@ class Chef
       # The display name to be used by user interface programs to identify the
       # service. This string has a maximum length of 256 characters.
       property :display_name, String, regex: /^.{1,256}$/,
+               validation_message: "The display_name can only be a maximum of 256 characters!",
                introduced: "14.0"
 
       # https://github.com/djberg96/win32-service/blob/ffi/lib/win32/windows/constants.rb#L19-L29

data/lib/chef/resource/windows_share.rb

@@ -0,0 +1,315 @@
+#
+# Author:: Sölvi Páll Ásgeirsson (<solvip@gmail.com>)
+# Author:: Richard Lavey (richard.lavey@calastone.com)
+# Author:: Tim Smith (tsmith@chef.io)
+#
+# Copyright:: 2014-2017, Sölvi Páll Ásgeirsson.
+# Copyright:: 2018, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "chef/resource"
+require "chef/json_compat"
+
+class Chef
+  class Resource
+    class WindowsShare < Chef::Resource
+      preview_resource true
+      resource_name :windows_share
+
+      description "Use the windows_share resource to create, modify and remove Windows shares."
+      introduced "14.7"
+
+      # Specifies a name for the SMB share. The name may be composed of any valid file name characters, but must be less than 80 characters long. The names pipe and mailslot are reserved for use by the computer.
+      property :share_name, String,
+               description: "The name to assign to the share.",
+               name_property: true
+
+      # Specifies the path of the location of the folder to share. The path must be fully qualified. Relative paths or paths that contain wildcard characters are not permitted.
+      property :path, String,
+               description: "The path of the folder to share. Required when creating. If the share already exists on a different path then it is deleted and re-created."
+
+      # Specifies an optional description of the SMB share. A description of the share is displayed by running the Get-SmbShare cmdlet. The description may not contain more than 256 characters.
+      property :description, String,
+               description: "The description to be applied to the share.",
+               default: ""
+
+      # Specifies which accounts are granted full permission to access the share. Use a comma-separated list to specify multiple accounts. An account may not be specified more than once in the FullAccess, ChangeAccess, or ReadAccess parameter lists, but may be specified once in the FullAccess, ChangeAccess, or ReadAccess parameter list and once in the NoAccess parameter list.
+      property :full_users, Array,
+               description: "The users that should have 'Full control' permissions on the share in domain\\username format.",
+               default: lazy { [] }, coerce: proc { |u| u.sort }
+
+      # Specifies which users are granted modify permission to access the share
+      property :change_users, Array,
+               description: "The users that should have 'modify' permission on the share in domain\\username format.",
+               default: lazy { [] }, coerce: proc { |u| u.sort }
+
+      # Specifies which users are granted read permission to access the share. Multiple users can be specified by supplying a comma-separated list.
+      property :read_users, Array,
+               description: "The users that should have 'read' permission on the share in domain\\username format.",
+               default: lazy { [] }, coerce: proc { |u| u.sort }
+
+      # Specifies the lifetime of the new SMB share. A temporary share does not persist beyond the next restart of the computer. By default, new SMB shares are persistent, and non-temporary.
+      property :temporary, [TrueClass, FalseClass],
+               description: "The lifetime of the new SMB share. A temporary share does not persist beyond the next restart of the computer.",
+               default: false
+
+      # Specifies the scope name of the share.
+      property :scope_name, String,
+               description: "The scope name of the share.",
+               default: "*"
+
+      # Specifies the continuous availability time-out for the share.
+      property :ca_timeout, Integer,
+               description: "The continuous availability time-out for the share.",
+               default: 0
+
+      # Indicates that the share is continuously available.
+      property :continuously_available, [TrueClass, FalseClass],
+               description: "Indicates that the share is continuously available.",
+               default: false
+
+      # Specifies the caching mode of the offline files for the SMB share.
+      # property :caching_mode, String, equal_to: %w(None Manual Documents Programs BranchCache)
+
+      # Specifies the maximum number of concurrently connected users that the new SMB share may accommodate. If this parameter is set to zero (0), then the number of users is unlimited.
+      property :concurrent_user_limit, Integer,
+               description: "The maximum number of concurrently connected users the share can accommodate.",
+               default: 0
+
+      # Indicates that the share is encrypted.
+      property :encrypt_data, [TrueClass, FalseClass],
+               description: "Indicates that the share is encrypted.",
+               default: false
+
+      # Specifies which files and folders in the SMB share are visible to users. AccessBased: SMB does not the display the files and folders for a share to a user unless that user has rights to access the files and folders. By default, access-based enumeration is disabled for new SMB shares. Unrestricted: SMB displays files and folders to a user even when the user does not have permission to access the items.
+      # property :folder_enumeration_mode, String, equal_to: %(AccessBased Unrestricted)
+
+      include Chef::Mixin::PowershellOut
+
+      load_current_value do |desired|
+        # this command selects individual objects because EncryptData & CachingMode have underlying
+        # types that get converted to their Integer values by ConvertTo-Json & we need to make sure
+        # those get written out as strings
+        share_state_cmd = "Get-SmbShare -Name '#{desired.share_name}' | Select-Object Name,Path, Description, Temporary, CATimeout, ContinuouslyAvailable, ConcurrentUserLimit, EncryptData | ConvertTo-Json"
+
+        Chef::Log.debug("Running '#{share_state_cmd}' to determine share state'")
+        ps_results = powershell_out(share_state_cmd)
+
+        # detect a failure without raising and then set current_resource to nil
+        if ps_results.error?
+          Chef::Log.debug("Error fetching share state: #{ps_results.stderr}")
+          current_value_does_not_exist!
+        end
+
+        Chef::Log.debug("The Get-SmbShare results were #{ps_results.stdout}")
+        results = Chef::JSONCompat.from_json(ps_results.stdout)
+
+        path results["Path"]
+        description results["Description"]
+        temporary results["Temporary"]
+        ca_timeout results["CATimeout"]
+        continuously_available results["ContinuouslyAvailable"]
+        # caching_mode results['CachingMode']
+        concurrent_user_limit results["ConcurrentUserLimit"]
+        encrypt_data results["EncryptData"]
+        # folder_enumeration_mode results['FolderEnumerationMode']
+
+        perm_state_cmd = %{Get-SmbShareAccess -Name "#{desired.share_name}" | Select-Object AccountName,AccessControlType,AccessRight | ConvertTo-Json}
+
+        Chef::Log.debug("Running '#{perm_state_cmd}' to determine share permissions state'")
+        ps_perm_results = powershell_out(perm_state_cmd)
+
+        # we raise here instead of warning like above because we'd only get here if the above Get-SmbShare
+        # command was successful and that continuing would leave us with 1/2 known state
+        raise "Could not determine #{desired.share_name} share permissions by running '#{perm_state_cmd}'" if ps_perm_results.error?
+
+        Chef::Log.debug("The Get-SmbShareAccess results were #{ps_perm_results.stdout}")
+
+        f_users, c_users, r_users = parse_permissions(ps_perm_results.stdout)
+
+        full_users f_users
+        change_users c_users
+        read_users r_users
+      end
+
+      def after_created
+        raise "The windows_share resource relies on PowerShell cmdlets not present in Windows releases prior to 8/2012. Cannot continue!" if node["platform_version"].to_f < 6.3
+      end
+
+# given the string output of Get-SmbShareAccess parse out
+# arrays of full access users, change users, and read only users
+      def parse_permissions(results_string)
+        json_results = Chef::JSONCompat.from_json(results_string)
+        json_results = [json_results] unless json_results.is_a?(Array) # single result is not an array
+
+        f_users = []
+        c_users = []
+        r_users = []
+
+        json_results.each do |perm|
+          next unless perm["AccessControlType"] == 0 # allow
+          case perm["AccessRight"]
+          when 0 then f_users << stripped_account(perm["AccountName"]) # 0 full control
+          when 1 then c_users << stripped_account(perm["AccountName"]) # 1 == change
+          when 2 then r_users << stripped_account(perm["AccountName"]) # 2 == read
+          end
+        end
+        [f_users, c_users, r_users]
+      end
+
+# local names are returned from Get-SmbShareAccess in the full format MACHINE\\NAME
+# but users of this resource would simply say NAME so we need to strip the values for comparison
+      def stripped_account(name)
+        name.slice!("#{node['hostname']}\\")
+        name
+      end
+
+      action :create do
+        description "Create and modify Windows shares."
+
+        # we do this here instead of requiring the property because :delete doesn't need path set
+        raise "No path property set" unless new_resource.path
+
+        converge_if_changed do
+          # you can't actually change the path so you have to delete the old share first
+          delete_share if different_path?
+
+          # powershell cmdlet for create is different than updates
+          if current_resource.nil?
+            Chef::Log.debug("The current resource is nil so we will create a new share")
+            create_share
+          else
+            Chef::Log.debug("The current resource was not nil so we will update an existing share")
+            update_share
+          end
+
+          # creating the share does not set permissions so we need to update
+          update_permissions
+        end
+      end
+
+      action :delete do
+        description "Delete an existing Windows share."
+
+        if current_resource.nil?
+          Chef::Log.debug("#{new_resource.share_name} does not exist - nothing to do")
+        else
+          converge_by("delete #{new_resource.share_name}") do
+            delete_share
+          end
+        end
+      end
+
+      action_class do
+        def different_path?
+          return false if current_resource.nil? # going from nil to something isn't different for our concerns
+          return false if current_resource.path == new_resource.path
+          true
+        end
+
+        def delete_share
+          delete_command = "Remove-SmbShare -Name '#{new_resource.share_name}' -Force"
+
+          Chef::Log.debug("Running '#{delete_command}' to remove the share")
+          powershell_out!(delete_command)
+        end
+
+        def update_share
+          update_command = "Set-SmbShare -Name '#{new_resource.share_name}' -Description '#{new_resource.description}' -Force"
+
+          Chef::Log.debug("Running '#{update_command}' to update the share")
+          powershell_out!(update_command)
+        end
+
+        def create_share
+          raise "#{new_resource.path} is missing or not a directory. Shares cannot be created if the path doesn't first exist." unless ::File.directory? new_resource.path
+
+          share_cmd = "New-SmbShare -Name '#{new_resource.share_name}' -Path '#{new_resource.path}' -Description '#{new_resource.description}' -ConcurrentUserLimit #{new_resource.concurrent_user_limit} -CATimeout #{new_resource.ca_timeout} -EncryptData:#{bool_string(new_resource.encrypt_data)} -ContinuouslyAvailable:#{bool_string(new_resource.continuously_available)}"
+          share_cmd << " -ScopeName #{new_resource.scope_name}" unless new_resource.scope_name == "*" # passing * causes the command to fail
+          share_cmd << " -Temporary:#{bool_string(new_resource.temporary)}" if new_resource.temporary # only set true
+
+          Chef::Log.debug("Running '#{share_cmd}' to create the share")
+          powershell_out!(share_cmd)
+        end
+
+        # determine what users in the current state don't exist in the desired state
+        # users/groups will have their permissions updated with the same command that
+        # sets it, but removes must be performed with Revoke-SmbShareAccess
+        def users_to_revoke
+          @users_to_revoke ||= begin
+            # if the resource doesn't exist then nothing needs to be revoked
+            if current_resource.nil?
+              []
+            else # if it exists then calculate the current to new resource diffs
+              (current_resource.full_users + current_resource.change_users + current_resource.read_users) - (new_resource.full_users + new_resource.change_users + new_resource.read_users)
+            end
+          end
+        end
+
+        # update existing permissions on a share
+        def update_permissions
+          # revoke any users that had something, but now has nothing
+          revoke_user_permissions(users_to_revoke) unless users_to_revoke.empty?
+
+          # set permissions for each of the permission types
+          %w{full read change}.each do |perm_type|
+            # set permissions for a brand new share OR
+            # update permissions if the current state and desired state differ
+            next unless permissions_need_update?(perm_type)
+            grant_command = "Grant-SmbShareAccess -Name '#{new_resource.share_name}' -AccountName \"#{new_resource.send("#{perm_type}_users").join('","')}\" -Force -AccessRight #{perm_type}"
+
+            Chef::Log.debug("Running '#{grant_command}' to update the share permissions")
+            powershell_out!(grant_command)
+          end
+        end
+
+        # determine if permissions need to be updated.
+        # Brand new share with no permissions defined: no
+        # Brand new share with permissions defined: yes
+        # Existing share with differing permissions: yes
+        #
+        # @param [String] type the permissions type (Full, Read, or Change)
+        def permissions_need_update?(type)
+          property_name = "#{type}_users"
+
+          # brand new share, but nothing to set
+          return false if current_resource.nil? && new_resource.send(property_name).empty?
+
+          # brand new share with new permissions to set
+          return true if current_resource.nil? && !new_resource.send(property_name).empty?
+
+          # there's a difference between the current and desired state
+          return true unless (new_resource.send(property_name) - current_resource.send(property_name)).empty?
+
+          # anything else
+          false
+        end
+
+        def revoke_user_permissions(users)
+          revoke_command = "Revoke-SmbShareAccess -Name '#{new_resource.share_name}' -AccountName \"#{users.join(',')}\" -Force"
+          Chef::Log.debug("Running '#{revoke_command}' to revoke share permissions")
+          powershell_out!(revoke_command)
+        end
+
+        # convert True/False into "$True" & "$False"
+        def bool_string(bool)
+          # bool ? 1 : 0
+          bool ? "$true" : "$false"
+        end
+      end
+
+    end
+  end
+end