chef 16.2.44 → 16.4.35

data/lib/chef/resource/windows_security_policy.rb

@@ -21,7 +21,9 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsSecurityPolicy < Chef::Resource
-      resource_name :windows_security_policy
+      unified_mode true
+
+      provides :windows_security_policy
 
       # The valid policy_names options found here
       # https://github.com/ChrisAWalker/cSecurityOptions under 'AccountSettings'
@@ -80,13 +82,55 @@ class Chef
       property :secvalue, String, required: true,
       description: "Policy value to be set for policy name."
 
+      load_current_value do |desired|
+        powershell_code = <<-CODE
+          C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\secopts_export.inf | Out-Null
+          # cspell:disable-next-line
+          $security_options_data = (Get-Content $env:TEMP\\secopts_export.inf | Select-String -Pattern "^[CEFLMNPR].* =.*$" | Out-String)
+          Remove-Item $env:TEMP\\secopts_export.inf -force
+          $security_options_hash = ($security_options_data -Replace '"'| ConvertFrom-StringData)
+          ([PSCustomObject]@{
+            RequireLogonToChangePassword = $security_options_hash.RequireLogonToChangePassword
+            PasswordComplexity = $security_options_hash.PasswordComplexity
+            LSAAnonymousNameLookup = $security_options_hash.LSAAnonymousNameLookup
+            EnableAdminAccount = $security_options_hash.EnableAdminAccount
+            PasswordHistorySize = $security_options_hash.PasswordHistorySize
+            MinimumPasswordLength = $security_options_hash.MinimumPasswordLength
+            ResetLockoutCount = $security_options_hash.ResetLockoutCount
+            MaximumPasswordAge = $security_options_hash.MaximumPasswordAge
+            ClearTextPassword = $security_options_hash.ClearTextPassword
+            NewAdministratorName = $security_options_hash.NewAdministratorName
+            LockoutDuration = $security_options_hash.LockoutDuration
+            EnableGuestAccount = $security_options_hash.EnableGuestAccount
+            ForceLogoffWhenHourExpire = $security_options_hash.ForceLogoffWhenHourExpire
+            MinimumPasswordAge = $security_options_hash.MinimumPasswordAge
+            NewGuestName = $security_options_hash.NewGuestName
+            LockoutBadCount = $security_options_hash.LockoutBadCount
+          }) | ConvertTo-Json
+        CODE
+        output = powershell_out(powershell_code)
+        current_value_does_not_exist! if output.stdout.empty?
+        state = Chef::JSONCompat.from_json(output.stdout)
+
+        if desired.secoption == "ResetLockoutCount" || desired.secoption == "LockoutDuration"
+          if state["LockoutBadCount"] == "0"
+            raise Chef::Exceptions::ValidationFailed.new "#{desired.secoption} cannot be set unless the \"LockoutBadCount\" security policy has been set to a non-zero value"
+          else
+            secvalue state[desired.secoption.to_s]
+          end
+        else
+          secvalue state[desired.secoption.to_s]
+        end
+      end
+
       action :set do
-        security_option = new_resource.secoption
-        security_value = new_resource.secvalue
-        powershell_script "#{security_option} set to #{security_value}" do
-          convert_boolean_return true
-          code <<-EOH
+        converge_if_changed :secvalue do
+          security_option = new_resource.secoption
+          security_value = new_resource.secvalue
+
+          cmd = <<-EOH
             $security_option = "#{security_option}"
+            C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf
             if ( ($security_option -match "NewGuestName") -Or ($security_option -match "NewAdministratorName") )
               {
                 $#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace '#{security_option}\\s*=\\s*\\"\\w*\\"', '#{security_option} = "#{security_value}"' } | Set-Content $env:TEMP\\#{security_option}_Export.inf
@@ -99,21 +143,8 @@ class Chef
               }
             Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
           EOH
-          not_if <<-EOH
-            $#{security_option}_Export = C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf
-            $ExportAudit = (Get-Content $env:TEMP\\#{security_option}_Export.inf | Select-String -Pattern #{security_option})
-            $check_digit = $ExportAudit -match '#{security_option} = #{security_value}'
-            $check_string = $ExportAudit -match '#{security_option} = "#{security_value}"'
-            if ( $check_string -Or $check_digit )
-              {
-                Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
-                $true
-              }
-            else
-              {
-                $false
-              }
-          EOH
+
+          powershell_out!(cmd)
         end
       end
     end

data/lib/chef/resource/windows_share.rb

@@ -26,6 +26,8 @@ require_relative "../util/path_helper"
 class Chef
   class Resource
     class WindowsShare < Chef::Resource
+      unified_mode true
+
       provides :windows_share
 
       description "Use the **windows_share** resource to create, modify and remove Windows shares."
@@ -59,7 +61,7 @@ class Chef
       # Specifies the path of the location of the folder to share. The path must be fully qualified. Relative paths or paths that contain wildcard characters are not permitted.
       property :path, String,
         description: "The path of the folder to share. Required when creating. If the share already exists on a different path then it is deleted and re-created.",
-        coerce: proc { |p| p.gsub(%r{/}, "\\") || p }
+        coerce: proc { |p| p.tr("/", "\\") || p }
 
       # Specifies an optional description of the SMB share. A description of the share is displayed by running the Get-SmbShare cmdlet. The description may not contain more than 256 characters.
       property :description, String,
@@ -117,8 +119,6 @@ class Chef
       # Specifies which files and folders in the SMB share are visible to users. AccessBased: SMB does not the display the files and folders for a share to a user unless that user has rights to access the files and folders. By default, access-based enumeration is disabled for new SMB shares. Unrestricted: SMB displays files and folders to a user even when the user does not have permission to access the items.
       # property :folder_enumeration_mode, String, equal_to: %(AccessBased Unrestricted)
 
-      include Chef::Mixin::PowershellOut
-
       load_current_value do |desired|
         # this command selects individual objects because EncryptData & CachingMode have underlying
         # types that get converted to their Integer values by ConvertTo-Json & we need to make sure
@@ -233,6 +233,8 @@ class Chef
       end
 
       action_class do
+        private
+
         def different_path?
           return false if current_resource.nil? # going from nil to something isn't different for our concerns
           return false if current_resource.path == Chef::Util::PathHelper.cleanpath(new_resource.path)

data/lib/chef/resource/windows_shortcut.rb

@@ -21,6 +21,8 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsShortcut < Chef::Resource
+      unified_mode true
+
       provides(:windows_shortcut) { true }
 
       description "Use the **windows_shortcut** resource to create shortcut files on Windows."

data/lib/chef/resource/windows_uac.rb

@@ -20,6 +20,8 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsUac < Chef::Resource
+      unified_mode true
+
       provides :windows_uac
 
       description 'The *windows_uac* resource configures UAC on Windows hosts by setting registry keys at `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`'

data/lib/chef/resource/windows_user_privilege.rb

@@ -21,6 +21,8 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsUserPrivilege < Chef::Resource
+      unified_mode true
+
       privilege_opts = %w{SeTrustedCredManAccessPrivilege
                           SeNetworkLogonRight
                           SeTcbPrivilege
@@ -112,6 +114,15 @@ class Chef
         action         :remove
       end
       ```
+
+      **Clear all users from the SeDenyNetworkLogonRight Privilege**:
+
+      ```ruby
+      windows_user_privilege 'Allow any user the Network Logon right' do
+        privilege      'SeDenyNetworkLogonRight'
+        action         :clear
+      end
+      ```
       DOC
 
       property :principal, String,
@@ -132,8 +143,8 @@ class Chef
          }
 
       load_current_value do |new_resource|
-        unless new_resource.principal.nil?
-          privilege Chef::ReservedNames::Win32::Security.get_account_right(new_resource.principal) unless new_resource.action.include?(:set)
+        if new_resource.principal && (new_resource.action.include?(:add) || new_resource.action.include?(:remove))
+          privilege Chef::ReservedNames::Win32::Security.get_account_right(new_resource.principal)
         end
       end
 
@@ -180,6 +191,20 @@ class Chef
         end
       end
 
+      action :clear do
+        new_resource.privilege.each do |privilege|
+          accounts = Chef::ReservedNames::Win32::Security.get_account_with_user_rights(privilege)
+
+          # comparing the existing accounts for privilege with users
+          # Removing only accounts which is not matching with users in new_resource
+          accounts.each do |account|
+            converge_by("removing user '#{account}' from privilege #{privilege}") do
+              Chef::ReservedNames::Win32::Security.remove_account_right(account, privilege)
+            end
+          end
+        end
+      end
+
       action :remove do
         curr_res_privilege = current_resource.privilege
         missing_res_privileges = (new_resource.privilege - curr_res_privilege)

data/lib/chef/resource/windows_workgroup.rb

@@ -16,7 +16,6 @@
 #
 
 require_relative "../resource"
-require_relative "../mixin/powershell_out"
 require_relative "../dist"
 
 class Chef
@@ -24,8 +23,6 @@ class Chef
     class WindowsWorkgroup < Chef::Resource
       provides :windows_workgroup
 
-      include Chef::Mixin::PowershellOut
-
       description "Use the **windows_workgroup** resource to join or change the workgroup of a Windows host."
       introduced "14.5"
       examples <<~DOC
@@ -57,6 +54,7 @@ class Chef
 
       property :password, String,
         description: "The password for the local administrator user. Required if using the `user` property.",
+        sensitive: true,
         desired_state: false
 
       property :reboot, Symbol,
@@ -83,6 +81,7 @@ class Chef
       end
 
       # define this again so we can default it to true. Otherwise failures print the password
+      # FIXME: this should now be unnecessary with the password property itself marked sensitive?
       property :sensitive, [TrueClass, FalseClass],
         default: true, desired_state: false
 

data/lib/chef/resource_collection/stepable_iterator.rb

@@ -20,8 +20,7 @@ class Chef
     class StepableIterator
 
       def self.for_collection(new_collection)
-        instance = new(new_collection)
-        instance
+        new(new_collection)
       end
 
       attr_accessor :collection

data/lib/chef/resource_inspector.rb

@@ -59,11 +59,17 @@ module ResourceInspector
                required: opts[:required] || false,
                default: opts[:default_description] || get_default(opts[:default]),
                name_property: opts[:name_property] || false,
-               equal_to: Array(opts[:equal_to]).sort.map(&:inspect) }
+               equal_to: sort_equal_to(opts[:equal_to]) }
     end
     data
   end
 
+  def self.sort_equal_to(equal_to)
+    Array(equal_to).sort.map(&:inspect)
+  rescue ArgumentError
+    Array(equal_to).map(&:inspect)
+  end
+
   def self.extract_cookbook(path, complete)
     path = File.expand_path(path)
     dir, name = File.split(path)

data/lib/chef/resources.rb

@@ -153,6 +153,7 @@ require_relative "resource/windows_dns_zone"
 require_relative "resource/windows_feature"
 require_relative "resource/windows_feature_dism"
 require_relative "resource/windows_feature_powershell"
+require_relative "resource/windows_firewall_profile"
 require_relative "resource/windows_firewall_rule"
 require_relative "resource/windows_font"
 require_relative "resource/windows_pagefile"

data/lib/chef/role.rb

@@ -133,7 +133,7 @@ class Chef
     def to_h
       env_run_lists_without_default = @env_run_lists.dup
       env_run_lists_without_default.delete("_default")
-      result = {
+      {
         "name" => @name,
         "description" => @description,
         "json_class" => self.class.name,
@@ -149,7 +149,6 @@ class Chef
           accumulator
         end,
       }
-      result
     end
 
     alias_method :to_hash, :to_h
@@ -257,11 +256,11 @@ class Chef
 
         js_path, rb_path = js_files.first, rb_files.first
 
-        if js_path && File.exists?(js_path)
+        if js_path && File.exist?(js_path)
           # from_json returns object.class => json_class in the JSON.
           hsh = Chef::JSONCompat.parse(IO.read(js_path))
           return from_hash(hsh)
-        elsif rb_path && File.exists?(rb_path)
+        elsif rb_path && File.exist?(rb_path)
           role = Chef::Role.new
           role.name(name)
           role.from_file(rb_path)

data/lib/chef/run_context/cookbook_compiler.rb

@@ -169,17 +169,17 @@ class Chef
       def compile_recipes
         @events.recipe_load_start(run_list_expansion.recipes.size)
         run_list_expansion.recipes.each do |recipe|
-          begin
-            path = resolve_recipe(recipe)
-            @run_context.load_recipe(recipe)
-            @events.recipe_file_loaded(path, recipe)
-          rescue Chef::Exceptions::RecipeNotFound => e
-            @events.recipe_not_found(e)
-            raise
-          rescue Exception => e
-            @events.recipe_file_load_failed(path, e, recipe)
-            raise
-          end
+
+          path = resolve_recipe(recipe)
+          @run_context.load_recipe(recipe)
+          @events.recipe_file_loaded(path, recipe)
+        rescue Chef::Exceptions::RecipeNotFound => e
+          @events.recipe_not_found(e)
+          raise
+        rescue Exception => e
+          @events.recipe_file_load_failed(path, e, recipe)
+          raise
+
         end
         @events.recipe_load_complete
       end
@@ -231,14 +231,14 @@ class Chef
 
       def load_libraries_from_cookbook(cookbook_name, globs = "**/*.rb")
         each_file_in_cookbook_by_segment(cookbook_name, :libraries, globs) do |filename|
-          begin
-            logger.trace("Loading cookbook #{cookbook_name}'s library file: #{filename}")
-            Kernel.require(filename)
-            @events.library_file_loaded(filename)
-          rescue Exception => e
-            @events.library_file_load_failed(filename, e)
-            raise
-          end
+
+          logger.trace("Loading cookbook #{cookbook_name}'s library file: #{filename}")
+          Kernel.require(filename)
+          @events.library_file_loaded(filename)
+        rescue Exception => e
+          @events.library_file_load_failed(filename, e)
+          raise
+
         end
       end
 
@@ -325,7 +325,7 @@ class Chef
 
       def count_files_by_segment(segment, root_alias = nil)
         cookbook_collection.inject(0) do |count, cookbook_by_name|
-          count + cookbook_by_name[1].segment_filenames(segment).size + (root_alias ? cookbook_by_name[1].files_for(:root_files).select { |record| record[:name] == root_alias }.size : 0)
+          count + cookbook_by_name[1].segment_filenames(segment).size + (root_alias ? cookbook_by_name[1].files_for(:root_files).count { |record| record[:name] == root_alias } : 0)
         end
       end
 

data/lib/chef/run_status.rb

@@ -25,17 +25,13 @@ class Chef::RunStatus
 
   attr_reader :events
 
-  attr_reader :run_context
-
-  attr_writer :run_context
+  attr_accessor :run_context
 
   attr_reader :start_time
 
   attr_reader :end_time
 
-  attr_reader :exception
-
-  attr_writer :exception
+  attr_accessor :exception
 
   attr_accessor :run_id
 

data/lib/chef/server_api_versions.rb

@@ -51,6 +51,10 @@ class Chef
       @unversioned
     end
 
+    def negotiated?
+      !@versions.nil? || unversioned?
+    end
+
     def reset!
       @versions = nil
       @unversioned = false

data/lib/chef/shell.rb

@@ -339,7 +339,7 @@ module Shell
       config[:config_file] = config_file_for_shell_mode(environment)
       config_msg = config[:config_file] || "none (standalone session)"
       puts "loading configuration: #{config_msg}"
-      Chef::Config.from_file(config[:config_file]) if !config[:config_file].nil? && File.exists?(config[:config_file]) && File.readable?(config[:config_file])
+      Chef::Config.from_file(config[:config_file]) if !config[:config_file].nil? && File.exist?(config[:config_file]) && File.readable?(config[:config_file])
       Chef::Config.merge!(config)
     end
 

data/lib/chef/shell/shell_session.rb

@@ -41,6 +41,7 @@ module Shell
 
     attr_accessor :node, :compile, :recipe, :json_configuration
     attr_reader :node_attributes, :client
+
     def initialize
       @node_built = false
       formatter = Chef::Formatters.new(Chef::Config.formatter, STDOUT, STDERR)
@@ -75,6 +76,7 @@ module Shell
     end
 
     attr_writer :run_context
+
     def run_context
       @run_context ||= rebuild_context
     end

data/lib/chef/util/backup.rb

@@ -87,7 +87,7 @@ class Chef
       end
 
       def sorted_backup_files
-        unsorted_backup_files.sort { |a, b| b <=> a }
+        unsorted_backup_files.sort.reverse # faster than sort { |a, b| b <=> a }
       end
     end
   end

data/lib/chef/util/diff.rb

@@ -48,7 +48,6 @@ class Chef
     class Diff
       # @todo: to_a, to_s, to_json, inspect defs, accessors for @diff and @error
       # @todo: move coercion to UTF-8 into to_json
-      # @todo: replace shellout to diff -u with diff-lcs gem
 
       def for_output
         # formatted output to a terminal uses arrays of strings and returns error strings
@@ -64,7 +63,7 @@ class Chef
 
       def use_tempfile_if_missing(file)
         tempfile = nil
-        unless File.exists?(file)
+        unless File.exist?(file)
           Chef::Log.trace("File #{file} does not exist to diff against, using empty tempfile")
           tempfile = Tempfile.new("chef-diff")
           file = tempfile.path
@@ -107,16 +106,16 @@ class Chef
         # join them. otherwise, print out the old one.
         old_hunk = hunk = nil
         diff_data.each do |piece|
-          begin
-            hunk = ::Diff::LCS::Hunk.new(old_data, new_data, piece, 3, file_length_difference)
-            file_length_difference = hunk.file_length_difference
-            next unless old_hunk
-            next if hunk.merge(old_hunk)
-
-            diff_str << old_hunk.diff(:unified) << "\n"
-          ensure
-            old_hunk = hunk
-          end
+
+          hunk = ::Diff::LCS::Hunk.new(old_data, new_data, piece, 3, file_length_difference)
+          file_length_difference = hunk.file_length_difference
+          next unless old_hunk
+          next if hunk.merge(old_hunk)
+
+          diff_str << old_hunk.diff(:unified) << "\n"
+        ensure
+          old_hunk = hunk
+
         end
         diff_str << old_hunk.diff(:unified) << "\n"
         diff_str