chef 15.17.4-universal-mingw32 → 16.0.257-universal-mingw32

data/lib/chef/resource/windows_firewall_rule.rb

@@ -24,24 +24,72 @@ require_relative "../json_compat"
 class Chef
   class Resource
     class WindowsFirewallRule < Chef::Resource
-      resource_name :windows_firewall_rule
+      provides :windows_firewall_rule
 
-      description "Use the windows_firewall_rule resource to create, change or remove windows firewall rules."
+      description "Use the windows_firewall_rule resource to create, change or remove Windows firewall rules."
       introduced "14.7"
+      examples <<~DOC
+      Allowing port 80 access
+      ```ruby
+      windows_firewall_rule 'IIS' do
+        local_port '80'
+        protocol 'TCP'
+        firewall_action :allow
+      end
+      ```
+
+      Allow protocol ICMPv6 with ICMP Type
+      ```ruby
+      windows_firewall_rule 'CoreNet-Rule' do
+        rule_name 'CoreNet-ICMP6-LR2-In'
+        display_name 'Core Networking - Multicast Listener Report v2 (ICMPv6-In)'
+        local_port 'RPC'
+        protocol 'ICMPv6'
+        icmp_type '8'
+      end
+      ```
+
+      Blocking WinRM over HTTP on a particular IP
+      ```ruby
+      windows_firewall_rule 'Disable WinRM over HTTP' do
+        local_port '5985'
+        protocol 'TCP'
+        firewall_action :block
+        local_address '192.168.1.1'
+      end
+      ```
+
+      Deleting an existing rule
+      ```ruby
+      windows_firewall_rule 'Remove the SSH rule' do
+        rule_name 'ssh'
+        action :delete
+      end
+      ```
+      DOC
 
       property :rule_name, String,
         name_property: true,
         description: "An optional property to set the name of the firewall rule to assign if it differs from the resource block's name."
 
       property :description, String,
-        default: "Firewall rule",
         description: "The description to assign to the firewall rule."
 
+      property :displayname, String,
+        description: "The displayname to assign to the firewall rule.",
+        default: lazy { rule_name },
+        default_description: "The rule_name property value.",
+        introduced: "16.0"
+
+      property :group, String,
+        description: "Specifies that only matching firewall rules of the indicated group association are copied.",
+        introduced: "16.0"
+
       property :local_address, String,
         description: "The local address the firewall rule applies to."
 
       property :local_port, [String, Integer, Array],
-        # split various formats of comma separated lists and provide a sorted array of strings to match PS output
+               # split various formats of comma separated lists and provide a sorted array of strings to match PS output
         coerce: proc { |d| d.is_a?(String) ? d.split(/\s*,\s*/).sort : Array(d).sort.map(&:to_s) },
         description: "The local port the firewall rule applies to."
 
@@ -49,7 +97,7 @@ class Chef
         description: "The remote address the firewall rule applies to."
 
       property :remote_port, [String, Integer, Array],
-        # split various formats of comma separated lists and provide a sorted array of strings to match PS output
+               # split various formats of comma separated lists and provide a sorted array of strings to match PS output
         coerce: proc { |d| d.is_a?(String) ? d.split(/\s*,\s*/).sort : Array(d).sort.map(&:to_s) },
         description: "The remote port the firewall rule applies to."
 
@@ -62,6 +110,11 @@ class Chef
         default: "TCP",
         description: "The protocol the firewall rule applies to."
 
+      property :icmp_type, [String, Integer],
+        description: "Specifies the ICMP Type parameter for using a protocol starting with ICMP",
+        default: "Any",
+        introduced: "16.0"
+
       property :firewall_action, [Symbol, String],
         default: :allow, equal_to: %i{allow block notconfigured},
         description: "The action of the firewall rule.",
@@ -110,12 +163,16 @@ class Chef
         # Need to reverse `$rule.Profile.ToString()` in powershell command
         current_profiles = state["profile"].split(", ").map(&:to_sym)
 
+        description state["description"]
+        displayname state["displayname"]
+        group state["group"]
         local_address state["local_address"]
         local_port Array(state["local_port"]).sort
         remote_address state["remote_address"]
         remote_port Array(state["remote_port"]).sort
         direction state["direction"]
         protocol state["protocol"]
+        icmp_type state["icmp_type"]
         firewall_action state["firewall_action"]
         profile current_profiles
         program state["program"]
@@ -126,13 +183,18 @@ class Chef
 
       action :create do
         description "Create a Windows firewall entry."
-
         if current_resource
-          converge_if_changed :rule_name, :local_address, :local_port, :remote_address, :remote_port, :direction,
-            :protocol, :firewall_action, :profile, :program, :service, :interface_type, :enabled do
+          converge_if_changed :rule_name, :description, :displayname, :local_address, :local_port, :remote_address,
+            :remote_port, :direction, :protocol, :icmp_type, :firewall_action, :profile, :program, :service,
+            :interface_type, :enabled do
               cmd = firewall_command("Set")
               powershell_out!(cmd)
             end
+          converge_if_changed :group do
+            powershell_out!("Remove-NetFirewallRule -Name '#{new_resource.rule_name}'")
+            cmd = firewall_command("New")
+            powershell_out!(cmd)
+          end
         else
           converge_by("create firewall rule #{new_resource.rule_name}") do
             cmd = firewall_command("New")
@@ -158,7 +220,9 @@ class Chef
         # @return [String] firewall create command
         def firewall_command(cmdlet_type)
           cmd = "#{cmdlet_type}-NetFirewallRule -Name '#{new_resource.rule_name}'"
-          cmd << " -DisplayName '#{new_resource.rule_name}'" if cmdlet_type == "New"
+          cmd << " -DisplayName '#{new_resource.displayname}'" if new_resource.displayname && cmdlet_type == "New"
+          cmd << " -NewDisplayName '#{new_resource.displayname}'" if new_resource.displayname && cmdlet_type == "Set"
+          cmd << " -Group '#{new_resource.group}'" if new_resource.group && cmdlet_type == "New"
           cmd << " -Description '#{new_resource.description}'" if new_resource.description
           cmd << " -LocalAddress '#{new_resource.local_address}'" if new_resource.local_address
           cmd << " -LocalPort '#{new_resource.local_port.join("', '")}'" if new_resource.local_port
@@ -166,6 +230,7 @@ class Chef
           cmd << " -RemotePort '#{new_resource.remote_port.join("', '")}'" if new_resource.remote_port
           cmd << " -Direction '#{new_resource.direction}'" if new_resource.direction
           cmd << " -Protocol '#{new_resource.protocol}'" if new_resource.protocol
+          cmd << " -IcmpType '#{new_resource.icmp_type}'"
           cmd << " -Action '#{new_resource.firewall_action}'" if new_resource.firewall_action
           cmd << " -Profile '#{new_resource.profile.join("', '")}'" if new_resource.profile
           cmd << " -Program '#{new_resource.program}'" if new_resource.program
@@ -175,12 +240,53 @@ class Chef
 
           cmd
         end
+
+        def define_resource_requirements
+          requirements.assert(:create) do |a|
+            a.assertion do
+              if new_resource.icmp_type.is_a?(String)
+                !new_resource.icmp_type.empty?
+              elsif new_resource.icmp_type.is_a?(Integer)
+                !new_resource.icmp_type.nil?
+              end
+            end
+            a.failure_message("The :icmp_type property can not be empty in #{new_resource.rule_name}")
+          end
+
+          requirements.assert(:create) do |a|
+            a.assertion do
+              if new_resource.icmp_type.is_a?(Integer)
+                new_resource.protocol.start_with?("ICMP")
+              elsif new_resource.icmp_type.is_a?(String) && !new_resource.protocol.start_with?("ICMP")
+                new_resource.icmp_type == "Any"
+              else
+                true
+              end
+            end
+            a.failure_message("The :icmp_type property has a value of #{new_resource.icmp_type} set, but is not allowed for :protocol #{new_resource.protocol} in #{new_resource.rule_name}")
+          end
+
+          requirements.assert(:create) do |a|
+            a.assertion do
+              if new_resource.icmp_type.is_a?(Integer)
+                (0..255).include?(new_resource.icmp_type)
+              elsif new_resource.icmp_type.is_a?(String) && !new_resource.icmp_type.include?(":") && new_resource.protocol.start_with?("ICMP")
+                (0..255).include?(new_resource.icmp_type.to_i)
+              elsif new_resource.icmp_type.is_a?(String) && new_resource.icmp_type.include?(":") && new_resource.protocol.start_with?("ICMP")
+                new_resource.icmp_type.split(":").all? { |type| (0..255).include?(type.to_i) }
+              else
+                true
+              end
+            end
+            a.failure_message("Can not set :icmp_type to #{new_resource.icmp_type} as one value is out of range (0 to 255) in #{new_resource.rule_name}")
+          end
+        end
       end
 
       private
 
       # build the command to load the current resource
-      # # @return [String] current firewall state
+      # @return [String] current firewall state
       def load_firewall_state(rule_name)
         <<-EOH
           Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
@@ -193,12 +299,15 @@ class Chef
           ([PSCustomObject]@{
             rule_name = $rule.Name
             description = $rule.Description
+            displayname = $rule.DisplayName
+            group = $rule.Group
             local_address = $addressFilter.LocalAddress
             local_port = $portFilter.LocalPort
             remote_address = $addressFilter.RemoteAddress
             remote_port = $portFilter.RemotePort
             direction = $rule.Direction.ToString()
             protocol = $portFilter.Protocol
+            icmp_type = $portFilter.IcmpType
             firewall_action = $rule.Action.ToString()
             profile = $rule.Profile.ToString()
             program = $applicationFilter.Program

data/lib/chef/resource/windows_font.rb

@@ -22,7 +22,6 @@ class Chef
     class WindowsFont < Chef::Resource
       require_relative "../util/path_helper"
 
-      resource_name :windows_font
       provides(:windows_font) { true }
 
       description "Use the windows_font resource to install font files on Windows. By default, the font is sourced from the cookbook using the resource, but a URI source can be specified as well."
@@ -90,9 +89,8 @@ class Chef
         def font_exists?
           require "win32ole" if RUBY_PLATFORM =~ /mswin|mingw32|windows/
           fonts_dir = WIN32OLE.new("WScript.Shell").SpecialFolders("Fonts")
-          fonts_dir_local = Chef::Util::PathHelper.join(ENV["home"], "AppData/Local/Microsoft/Windows/fonts")
           logger.trace("Seeing if the font at #{Chef::Util::PathHelper.join(fonts_dir, new_resource.font_name)} exists")
-          ::File.exist?(Chef::Util::PathHelper.join(fonts_dir, new_resource.font_name)) || ::File.exist?(Chef::Util::PathHelper.join(fonts_dir_local, new_resource.font_name))
+          ::File.exist?(Chef::Util::PathHelper.join(fonts_dir, new_resource.font_name))
         end
 
         # Parse out the schema provided to us to see if it's one we support via remote_file.

data/lib/chef/resource/windows_package.rb

@@ -27,7 +27,6 @@ class Chef
     class WindowsPackage < Chef::Resource::Package
       include Chef::Mixin::Uris
 
-      resource_name :windows_package
       provides(:windows_package) { true }
       provides :package, os: "windows"
 
@@ -41,6 +40,13 @@ class Chef
         @source ||= source(@package_name) if @package_name.downcase.end_with?(".msi")
       end
 
+      property :package_name, String,
+        description: "An optional property to set the package name if it differs from the resource block's name.",
+        identity: true
+
+      property :version, String,
+        description: "The version of a package to be installed or upgraded."
+
       # windows can't take array options yet
       property :options, String,
         description: "One (or more) additional options that are passed to the command."
@@ -52,12 +58,15 @@ class Chef
 
       property :timeout, [ String, Integer ], default: 600,
         default_description: "600 (seconds)",
-        description: "The amount of time (in seconds) to wait before timing out."
+        description: "The amount of time (in seconds) to wait before timing out.",
+        desired_state: false
 
       # In the past we accepted return code 127 for an unknown reason and 42 because of a bug
-      property :returns, [ String, Integer, Array ], default: [ 0 ],
+      # we accept 3010 which means success, but a reboot is necessary
+      property :returns, [ String, Integer, Array ], default: [ 0, 3010 ],
         desired_state: false,
-        description: "A comma-delimited list of return codes that indicate the success or failure of the package command that was run."
+        description: "A comma-delimited list of return codes that indicate the success or failure of the package command that was run.",
+        default_description: "0 (success) and 3010 (success where a reboot is necessary)"
 
       property :source, String,
         coerce: (proc do |s|

data/lib/chef/resource/windows_pagefile.rb

@@ -20,7 +20,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsPagefile < Chef::Resource
-      resource_name :windows_pagefile
       provides(:windows_pagefile) { true }
 
       description "Use the windows_pagefile resource to configure pagefile settings on Windows."

data/lib/chef/resource/windows_path.rb

@@ -21,7 +21,6 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsPath < Chef::Resource
-      resource_name :windows_path
       provides(:windows_path) { true }
 
       description "Use the windows_path resource to manage the path environment variable on Microsoft Windows."

data/lib/chef/resource/windows_printer.rb

@@ -24,7 +24,6 @@ class Chef
     class WindowsPrinter < Chef::Resource
       require "resolv"
 
-      resource_name :windows_printer
       provides(:windows_printer) { true }
 
       description "Use the windows_printer resource to setup Windows printers. Note that this doesn't currently install a printer driver. You must already have the driver installed on the system."

data/lib/chef/resource/windows_printer_port.rb

@@ -24,7 +24,6 @@ class Chef
     class WindowsPrinterPort < Chef::Resource
       require "resolv"
 
-      resource_name :windows_printer_port
       provides(:windows_printer_port) { true }
 
       description "Use the windows_printer_port resource to create and delete TCP/IPv4 printer ports on Windows."

data/lib/chef/resource/windows_script.rb

@@ -25,6 +25,8 @@ class Chef
     class WindowsScript < Chef::Resource::Script
       unified_mode true
 
+      provides :windows_script
+
       # This is an abstract resource meant to be subclasses; thus no 'provides'
 
       set_guard_inherited_attributes(:architecture)
@@ -54,10 +56,7 @@ class Chef
       protected
 
       def assert_architecture_compatible!(desired_architecture)
-        if desired_architecture == :i386 && Chef::Platform.windows_nano_server?
-          raise Chef::Exceptions::Win32ArchitectureIncorrect,
-            "cannot execute script with requested architecture 'i386' on Windows Nano Server"
-        elsif ! node_supports_windows_architecture?(node, desired_architecture)
+        unless node_supports_windows_architecture?(node, desired_architecture)
           raise Chef::Exceptions::Win32ArchitectureIncorrect,
             "cannot execute script with requested architecture '#{desired_architecture}' on a system with architecture '#{node_windows_architecture(node)}'"
         end

data/lib/chef/resource/windows_security_policy.rb

@@ -0,0 +1,90 @@
+#
+# Author:: Ashwini Nehate (<anehate@chef.io>)
+# Author:: Davin Taddeo (<davin@chef.io>)
+# Author:: Jeff Brimager (<jbrimager@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+
+class Chef
+  class Resource
+    class WindowsSecurityPolicy < Chef::Resource
+      resource_name :windows_security_policy
+
+      # The valid policy_names options found here
+      # https://github.com/ChrisAWalker/cSecurityOptions under 'AccountSettings'
+      policy_names = %w{MinimumPasswordAge
+                MaximumPasswordAge
+                MinimumPasswordLength
+                PasswordComplexity
+                PasswordHistorySize
+                LockoutBadCount
+                RequireLogonToChangePassword
+                ForceLogoffWhenHourExpire
+                NewAdministratorName
+                NewGuestName
+                ClearTextPassword
+                LSAAnonymousNameLookup
+                EnableAdminAccount
+                EnableGuestAccount
+                }
+      description "Use the windows_security_policy resource to set a security policy on the Microsoft Windows platform."
+      introduced "16.0"
+
+      property :secoption, String, name_property: true, required: true, equal_to: policy_names,
+      description: "The name of the policy to be set on windows platform to maintain its security."
+
+      property :secvalue, String, required: true,
+      description: "Policy value to be set for policy name."
+
+      action :set do
+        security_option = new_resource.secoption
+        security_value = new_resource.secvalue
+        powershell_script "#{security_option} set to #{security_value}" do
+          convert_boolean_return true
+          code <<-EOH
+            $security_option = "#{security_option}"
+            if ( ($security_option -match "NewGuestName") -Or ($security_option -match "NewAdministratorName") )
+              {
+                $#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace '#{security_option}\\s*=\\s*\\"\\w*\\"', '#{security_option} = "#{security_value}"' } | Set-Content $env:TEMP\\#{security_option}_Export.inf
+                C:\\Windows\\System32\\secedit /configure /db $env:windir\\security\\new.sdb /cfg $env:TEMP\\#{security_option}_Export.inf /areas SECURITYPOLICY
+              }
+            else
+              {
+                $#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace "#{security_option}\\s*=\\s*\\d*", "#{security_option} = #{security_value}" } | Set-Content $env:TEMP\\#{security_option}_Export.inf
+                C:\\Windows\\System32\\secedit /configure /db $env:windir\\security\\new.sdb /cfg $env:TEMP\\#{security_option}_Export.inf /areas SECURITYPOLICY
+              }
+            Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
+          EOH
+          not_if <<-EOH
+            $#{security_option}_Export = C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf
+            $ExportAudit = (Get-Content $env:TEMP\\#{security_option}_Export.inf | Select-String -Pattern #{security_option})
+            $check_digit = $ExportAudit -match '#{security_option} = #{security_value}'
+            $check_string = $ExportAudit -match '#{security_option} = "#{security_value}"'
+            if ( $check_string -Or $check_digit )
+              {
+                Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
+                $true
+              }
+            else
+              {
+                $false
+              }
+          EOH
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/windows_service.rb

@@ -41,41 +41,52 @@ class Chef
 
       allowed_actions :configure_startup, :create, :delete, :configure
 
-      # The display name to be used by user interface programs to identify the
-      # service. This string has a maximum length of 256 characters.
+      property :timeout, Integer,
+        description: "The amount of time (in seconds) to wait before timing out.",
+        default: 60,
+        desired_state: false
+
       property :display_name, String, regex: /^.{1,256}$/,
-               validation_message: "The display_name can only be a maximum of 256 characters!",
-               introduced: "14.0"
+        description: "The display name to be used by user interface programs to identify the service. This string has a maximum length of 256 characters.",
+        validation_message: "The display_name can only be a maximum of 256 characters!",
+        introduced: "14.0"
 
       # https://github.com/chef/win32-service/blob/ffi/lib/win32/windows/constants.rb#L19-L29
-      property :desired_access, Integer, default: SERVICE_ALL_ACCESS
+      property :desired_access, Integer,
+        default: SERVICE_ALL_ACCESS,
+        introduced: "14.0"
 
       # https://github.com/chef/win32-service/blob/ffi/lib/win32/windows/constants.rb#L31-L41
-      property :service_type, Integer, default: SERVICE_WIN32_OWN_PROCESS
+      property :service_type, Integer, default: SERVICE_WIN32_OWN_PROCESS,
+      introduced: "14.0"
 
       # Valid options:
       #   - :automatic
       #   - :manual
       #   - :disabled
       # Reference: https://github.com/chef/win32-service/blob/ffi/lib/win32/windows/constants.rb#L49-L54
-      property :startup_type, [Symbol], equal_to: %i{automatic manual disabled}, default: :automatic, coerce: proc { |x|
-        if x.is_a?(Integer)
-          ALLOWED_START_TYPES.invert.fetch(x) do
-            Chef::Log.warn("Unsupported startup_type #{x}, falling back to :automatic")
-            :automatic
+      property :startup_type, [Symbol],
+        equal_to: %i{automatic manual disabled},
+        default: :automatic,
+        description: "Use to specify the startup type of the service.",
+        coerce: proc { |x|
+          if x.is_a?(Integer)
+            ALLOWED_START_TYPES.invert.fetch(x) do
+              Chef::Log.warn("Unsupported startup_type #{x}, falling back to :automatic")
+              :automatic
+            end
+          elsif x.is_a?(String)
+            x.to_sym
+          else
+            x
           end
-        elsif x.is_a?(String)
-          x.to_sym
-        else
-          x
-        end
-      }
-
-      # This only applies if startup_type is :automatic
+        }
+
       # 1 == delayed start is enabled
       # 0 == NO delayed start
       property :delayed_start, [TrueClass, FalseClass],
         introduced: "14.0",
+        description: "Set the startup type to delayed start. This only applies if `startup_type` is `:automatic`",
         default: false, coerce: proc { |x|
           if x.is_a?(Integer)
             x == 0 ? false : true
@@ -85,31 +96,34 @@ class Chef
         }
 
       # https://github.com/chef/win32-service/blob/ffi/lib/win32/windows/constants.rb#L43-L47
-      property :error_control, Integer, default: SERVICE_ERROR_NORMAL
+      property :error_control, Integer,
+        default: SERVICE_ERROR_NORMAL,
+        introduced: "14.0"
 
       property :binary_path_name, String,
         introduced: "14.0",
-        description: "The fully qualified path to the service binary file. The path can also include arguments for an auto-start service. This is required for ':create' and ':configure' actions"
+        description: "The fully qualified path to the service binary file. The path can also include arguments for an auto-start service. This is required for `:create` and `:configure` actions"
 
       property :load_order_group, String,
         introduced: "14.0",
-        description: "The names of the load ordering group of which this service is a member. Don't set this property if the service does not belong to a group."
-
-      # A pointer to a double null-terminated array of null-separated names of
-      # services or load ordering groups that the system must start before this
-      # service. Specify nil or an empty string if the service has no
-      # dependencies. Dependency on a group means that this service can run if
-      # at least one member of the group is running after an attempt to start
-      # all members of the group.
+        description: "The name of the service's load ordering group(s)."
+
       property :dependencies, [String, Array],
+        description: "A pointer to a double null-terminated array of null-separated names of services or load ordering groups that the system must start before this service. Specify `nil` or an empty string if the service has no dependencies. Dependency on a group means that this service can run if at least one member of the group is running after an attempt to start all members of the group.",
         introduced: "14.0"
 
       property :description, String,
         description: "Description of the service.",
         introduced: "14.0"
 
-      property :run_as_user, String, default: "localsystem", coerce: proc { |x| x.downcase }
-      property :run_as_password, String, default: ""
+      property :run_as_user, String,
+        description: "The user under which a Microsoft Windows service runs.",
+        default: "localsystem",
+        coerce: proc { |x| x.downcase }
+
+      property :run_as_password, String,
+        description: "The password for the user specified by `run_as_user`.",
+        default: ""
     end
   end
 end