chef 16.2.50-universal-mingw32 → 16.4.38-universal-mingw32

data/lib/chef/resource/sudo.rb

@@ -199,7 +199,7 @@ class Chef
           end
         else
           template file_path do
-            source ::File.expand_path("../support/sudoer.erb", __FILE__)
+            source ::File.expand_path("support/sudoer.erb", __dir__)
             local true
             mode "0440"
             variables sudoer:            (new_resource.groups + new_resource.users).join(","),
@@ -255,7 +255,7 @@ class Chef
         end
 
         def visudo_content(path)
-          if ::File.exists?(path)
+          if ::File.exist?(path)
             "cat #{new_resource.config_prefix}/sudoers | #{new_resource.visudo_binary} -cf - && #{new_resource.visudo_binary} -cf %{path}"
           else
             "cat #{new_resource.config_prefix}/sudoers %{path} | #{new_resource.visudo_binary} -cf -"

data/lib/chef/resource/sysctl.rb

@@ -128,11 +128,11 @@ class Chef
       end
 
       load_current_value do
-        begin
-          value get_sysctl_value(key)
-        rescue
-          current_value_does_not_exist!
-        end
+
+        value get_sysctl_value(key)
+      rescue
+        current_value_does_not_exist!
+
       end
 
       action :apply do

data/lib/chef/resource/user_ulimit.rb

@@ -80,7 +80,7 @@ class Chef
 
       action :create do
         template "/etc/security/limits.d/#{new_resource.filename}" do
-          source ::File.expand_path("../support/ulimit.erb", __FILE__)
+          source ::File.expand_path("support/ulimit.erb", __dir__)
           local true
           mode "0644"
           variables(

data/lib/chef/resource/windows_ad_join.rb

@@ -23,6 +23,8 @@ class Chef
     class WindowsAdJoin < Chef::Resource
       provides :windows_ad_join
 
+      unified_mode true
+
       description "Use the **windows_ad_join** resource to join a Windows Active Directory domain."
       introduced "14.0"
       examples <<~DOC

data/lib/chef/resource/windows_audit_policy.rb

@@ -82,6 +82,9 @@ class Chef
                                  "User / Device Claims",
                                  "User Account Management",
                                 ].freeze
+
+      unified_mode true
+
       provides :windows_audit_policy
 
       description "Use the **windows_audit_policy** resource to configure system level and per-user Windows advanced audit policy settings."

data/lib/chef/resource/windows_auto_run.rb

@@ -21,6 +21,8 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsAutorun < Chef::Resource
+      unified_mode true
+
       provides(:windows_auto_run) { true }
 
       description "Use the **windows_auto_run** resource to set applications to run at login."

data/lib/chef/resource/windows_certificate.rb

@@ -26,6 +26,8 @@ require_relative "../dist"
 class Chef
   class Resource
     class WindowsCertificate < Chef::Resource
+      unified_mode true
+
       provides :windows_certificate
 
       description "Use the **windows_certificate** resource to install a certificate into the Windows certificate store from a file. The resource grants read-only access to the private key for designated accounts. Due to current limitations in WinRM, installing certificates remotely may not work if the operation requires a user profile. Operations on the local machine store should still work."

data/lib/chef/resource/windows_dfs_folder.rb

@@ -21,6 +21,8 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsDfsFolder < Chef::Resource
+      unified_mode true
+
       provides :windows_dfs_folder
 
       description "Use the **windows_dfs_folder** resource to creates a folder within DFS as many levels deep as required."

data/lib/chef/resource/windows_dfs_namespace.rb

@@ -21,6 +21,8 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsDfsNamespace < Chef::Resource
+      unified_mode true
+
       provides :windows_dfs_namespace
 
       description "Use the **windows_dfs_namespace** resource to creates a share and DFS namespace on a Windows server."

data/lib/chef/resource/windows_dfs_server.rb

@@ -21,6 +21,8 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsDfsServer < Chef::Resource
+      unified_mode true
+
       provides :windows_dfs_server
 
       description "Use the **windows_dfs_server** resource to set system-wide DFS settings."

data/lib/chef/resource/windows_dns_record.rb

@@ -21,6 +21,8 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsDnsRecord < Chef::Resource
+      unified_mode true
+
       provides :windows_dns_record
 
       description "The windows_dns_record resource creates a DNS record for the given domain."
@@ -42,23 +44,40 @@ class Chef
         description: "The type of record to create, can be either ARecord, CNAME or PTR.",
         default: "ARecord", equal_to: %w{ARecord CNAME PTR}
 
+      property :dns_server, String,
+        description: "The name of the DNS server on which to create the record.",
+        default: "localhost",
+        introduced: "16.3"
+
       action :create do
         description "Creates and updates the DNS entry."
 
-        powershell_package "xDnsServer" do
+        windows_feature "RSAT-DNS-Server" do
+          not_if new_resource.dns_server.casecmp?("localhost")
         end
-        do_it "Present"
+
+        powershell_package "xDnsServer"
+
+        run_dsc_resource "Present"
       end
 
       action :delete do
         description "Deletes a DNS entry."
-        powershell_package "xDnsServer" do
+
+        windows_feature "RSAT-DNS-Server" do
+          not_if new_resource.dns_server.casecmp?("localhost")
         end
-        do_it "Absent"
+
+        powershell_package "xDnsServer"
+
+        run_dsc_resource "Absent"
       end
 
       action_class do
-        def do_it(ensure_prop)
+        private
+
+        # @api private
+        def run_dsc_resource(ensure_prop)
           dsc_resource "xDnsRecord #{new_resource.record_name}.#{new_resource.zone} #{ensure_prop}" do
             module_name "xDnsServer"
             resource :xDnsRecord
@@ -67,6 +86,7 @@ class Chef
             property :Zone, new_resource.zone
             property :Type, new_resource.record_type
             property :Target, new_resource.target
+            property :DnsServer, new_resource.dns_server
           end
         end
       end

data/lib/chef/resource/windows_dns_zone.rb

@@ -21,6 +21,8 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsDnsZone < Chef::Resource
+      unified_mode true
+
       provides :windows_dns_zone
 
       description "The windows_dns_zone resource creates an Active Directory Integrated DNS Zone on the local server."
@@ -41,21 +43,24 @@ class Chef
       action :create do
         description "Creates and updates a DNS Zone."
 
-        powershell_package "xDnsServer" do
-        end
-        do_it "Present"
+        powershell_package "xDnsServer"
+
+        run_dsc_resource "Present"
       end
 
       action :delete do
         description "Deletes a DNS Zone."
 
-        powershell_package "xDnsServer" do
-        end
-        do_it "Absent"
+        powershell_package "xDnsServer"
+
+        run_dsc_resource "Absent"
       end
 
       action_class do
-        def do_it(ensure_prop)
+        private
+
+        # @api private
+        def run_dsc_resource(ensure_prop)
           if new_resource.server_type == "Domain"
             dsc_resource "xDnsServerADZone #{new_resource.zone_name} #{ensure_prop}" do
               module_name "xDnsServer"

data/lib/chef/resource/windows_feature.rb

@@ -125,6 +125,8 @@ class Chef
       end
 
       action_class do
+        private
+
         # call the appropriate windows_feature resource based on the specified subresource
         # @return [void]
         def run_default_subresource(desired_action)

data/lib/chef/resource/windows_feature_dism.rb

@@ -22,6 +22,8 @@ require_relative "../platform/query_helpers"
 class Chef
   class Resource
     class WindowsFeatureDism < Chef::Resource
+      unified_mode true
+
       provides(:windows_feature_dism) { true }
 
       description "Use the **windows_feature_dism** resource to add, remove, or entirely delete Windows features and roles using DISM."
@@ -125,6 +127,8 @@ class Chef
       end
 
       action_class do
+        private
+
         # @return [Array] features the user has requested to install which need installation
         def features_to_install
           @install ||= begin
@@ -171,6 +175,12 @@ class Chef
           raise "The Windows feature#{"s" if unavailable.count > 1} #{unavailable.join(",")} #{unavailable.count > 1 ? "are" : "is"} not available on this version of Windows. Run 'dism /online /Get-Features' to see the list of available feature names." unless unavailable.empty?
         end
 
+        #
+        # FIXME FIXME FIXME
+        # The node object should not be used for caching state like this and this is not a public API and may break.
+        # FIXME FIXME FIXME
+        #
+
         # run dism.exe to get a list of all available features and their state
         # and save that to the node at node.override level.
         # We do this because getting a list of features in dism takes at least a second

data/lib/chef/resource/windows_feature_powershell.rb

@@ -23,6 +23,8 @@ require_relative "../platform/query_helpers"
 class Chef
   class Resource
     class WindowsFeaturePowershell < Chef::Resource
+      unified_mode true
+
       provides(:windows_feature_powershell) { true }
 
       description "Use the **windows_feature_powershell** resource to add, remove, or entirely delete Windows features and roles using PowerShell. This resource offers significant speed benefits over the windows_feature_dism resource, but requires installation of the Remote Server Administration Tools on non-server releases of Windows."
@@ -141,8 +143,12 @@ class Chef
       action_class do
         # @return [Array] features the user has requested to install which need installation
         def features_to_install
-          # the intersection of the features to install & disabled features are what needs installing
-          @install ||= new_resource.feature_name & node["powershell_features_cache"]["disabled"]
+          # the intersection of the features to install & disabled/removed features are what needs installing
+          @features_to_install ||= begin
+            features = node["powershell_features_cache"]["disabled"]
+            features |= node["powershell_features_cache"]["removed"] if new_resource.source
+            new_resource.feature_name & features
+          end
         end
 
         # @return [Array] features the user has requested to remove which need removing
@@ -182,6 +188,12 @@ class Chef
         # @return [void]
         def reload_cached_powershell_data
           Chef::Log.debug("Caching Windows features available via Get-WindowsFeature.")
+
+          #
+          # FIXME FIXME FIXME
+          # The node object should not be used for caching state like this and this is not a public API and may break.
+          # FIXME FIXME FIXME
+          #
           node.override["powershell_features_cache"] = Mash.new
           node.override["powershell_features_cache"]["enabled"] = []
           node.override["powershell_features_cache"]["disabled"] = []

data/lib/chef/resource/windows_firewall_profile.rb

@@ -0,0 +1,199 @@
+#
+# Author:: John McCrae (<jmccrae@chef.io>)
+# Author:: Davin Taddeo (<davin@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  class Resource
+    class WindowsFirewallProfile < Chef::Resource
+      unified_mode true
+
+      provides :windows_firewall_profile
+      description "Use the **windows_firewall_profile** resource to enable, disable, and configure the Windows firewall."
+      introduced "16.3"
+
+      examples <<~DOC
+      **Enable and Configure the Private Profile of the Windows Profile**:
+
+      ```ruby
+      windows_firewall_profile 'Private' do
+        default_inbound_action 'Block'
+        default_outbound_action 'Allow'
+        allow_inbound_rules true
+        display_notification false
+        action :enable
+      end
+      ```
+
+      **Enable and Configure the Public Profile of the Windows Firewall**:
+
+      ```ruby
+      windows_firewall_profile 'Public' do
+        default_inbound_action 'Block'
+        default_outbound_action 'Allow'
+        allow_inbound_rules false
+        display_notification false
+        action :enable
+      end
+      ```
+
+      **Disable the Domain Profile of the Windows Firewall**:
+
+      ```ruby
+      windows_firewall_profile 'Disable the Domain Profile of the Windows Firewall' do
+        profile 'Domain'
+        action :disable
+      end
+      ```
+      DOC
+
+      unified_mode true
+
+      property :profile, String,
+        name_property: true,
+        equal_to: %w{ Domain Public Private },
+        description: "Set the Windows Profile being configured"
+
+      property :default_inbound_action, [String, nil],
+        equal_to: %w{ Allow Block NotConfigured },
+        description: "Set the default policy for inbound network traffic"
+
+      property :default_outbound_action, [String, nil],
+        equal_to: %w{ Allow Block NotConfigured },
+        description: "Set the default policy for outbound network traffic"
+
+      property :allow_inbound_rules, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow users to set inbound firewall rules"
+      property :allow_local_firewall_rules, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Merges inbound firewall rules into the policy"
+      property :allow_local_ipsec_rules, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow users to manage local connection security rules"
+      property :allow_user_apps, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow user applications to manage firewall"
+      property :allow_user_ports, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow users to manage firewall port rules"
+      property :allow_unicast_response, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow unicast responses to multicast and broadcast messages"
+      property :display_notification, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Display a notification when firewall blocks certain activity"
+
+      load_current_value do |desired|
+        ps_get_net_fw_profile = load_firewall_state(desired.profile)
+        output = powershell_out(ps_get_net_fw_profile)
+        if output.stdout.empty?
+          current_value_does_not_exist!
+        else
+          state = Chef::JSONCompat.from_json(output.stdout)
+        end
+
+        default_inbound_action state["default_inbound_action"]
+        default_outbound_action state["default_outbound_action"]
+        allow_inbound_rules convert_to_ruby(state["allow_inbound_rules"])
+        allow_local_firewall_rules convert_to_ruby(state["allow_local_firewall_rules"])
+        allow_local_ipsec_rules convert_to_ruby(state["allow_local_ipsec_rules"])
+        allow_user_apps convert_to_ruby(state["allow_user_apps"])
+        allow_user_ports convert_to_ruby(state["allow_user_ports"])
+        allow_unicast_response convert_to_ruby(state["allow_unicast_response"])
+        display_notification convert_to_ruby(state["display_notification"])
+      end
+
+      def convert_to_ruby(obj)
+        if obj.to_s.downcase == "true"
+          true
+        elsif obj.to_s.downcase == "false"
+          false
+        elsif obj.to_s.downcase == "notconfigured"
+          "NotConfigured"
+        end
+      end
+
+      def convert_to_powershell(obj)
+        if obj.to_s.downcase == "true"
+          "True"
+        elsif obj.to_s.downcase == "false"
+          "False"
+        elsif obj.to_s.downcase == "notconfigured"
+          "NotConfigured"
+        end
+      end
+
+      action :enable do
+        converge_if_changed :default_inbound_action, :default_outbound_action, :allow_inbound_rules, :allow_local_firewall_rules,
+          :allow_local_ipsec_rules, :allow_user_apps, :allow_user_ports, :allow_unicast_response, :display_notification do
+            fw_cmd = firewall_command(new_resource.profile)
+            powershell_exec!(fw_cmd)
+          end
+        unless firewall_enabled?(new_resource.profile)
+          converge_by "Enable the #{new_resource.profile} Firewall Profile" do
+            cmd = "Set-NetFirewallProfile -Profile #{new_resource.profile} -Enabled \"True\""
+            powershell_out!(cmd)
+          end
+        end
+      end
+
+      action :disable do
+        if firewall_enabled?(new_resource.profile)
+          converge_by "Disable the #{new_resource.profile} Firewall Profile" do
+            cmd = "Set-NetFirewallProfile -Profile #{new_resource.profile} -Enabled \"False\""
+            powershell_out!(cmd)
+          end
+        end
+      end
+
+      action_class do
+        def firewall_command(fw_profile)
+          cmd = "Set-NetFirewallProfile -Profile \"#{fw_profile}\""
+          cmd << " -DefaultInboundAction \"#{new_resource.default_inbound_action}\"" unless new_resource.default_inbound_action.nil?
+          cmd << " -DefaultOutboundAction \"#{new_resource.default_outbound_action}\"" unless new_resource.default_outbound_action.nil?
+          cmd << " -AllowInboundRules \"#{convert_to_powershell(new_resource.allow_inbound_rules)}\"" unless new_resource.allow_inbound_rules.nil?
+          cmd << " -AllowLocalFirewallRules \"#{convert_to_powershell(new_resource.allow_local_firewall_rules)}\"" unless new_resource.allow_local_firewall_rules.nil?
+          cmd << " -AllowLocalIPsecRules \"#{convert_to_powershell(new_resource.allow_local_ipsec_rules)}\"" unless new_resource.allow_local_ipsec_rules.nil?
+          cmd << " -AllowUserApps \"#{convert_to_powershell(new_resource.allow_user_apps)}\"" unless new_resource.allow_user_apps.nil?
+          cmd << " -AllowUserPorts \"#{convert_to_powershell(new_resource.allow_user_ports)}\"" unless new_resource.allow_user_ports.nil?
+          cmd << " -AllowUnicastResponseToMulticast \"#{convert_to_powershell(new_resource.allow_unicast_response)}\"" unless new_resource.allow_unicast_response.nil?
+          cmd << " -NotifyOnListen \"#{convert_to_powershell(new_resource.display_notification)}\"" unless new_resource.display_notification.nil?
+          cmd
+        end
+
+        def load_firewall_state(profile_name)
+          <<-EOH
+            Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
+            $#{profile_name} = Get-NetFirewallProfile -Profile #{profile_name}
+            ([PSCustomObject]@{
+              default_inbound_action = $#{profile_name}.DefaultInboundAction.ToString()
+              default_outbound_action = $#{profile_name}.DefaultOutboundAction.ToString()
+              allow_inbound_rules = $#{profile_name}.AllowInboundRules.ToString()
+              allow_local_firewall_rules = $#{profile_name}.AllowLocalFirewallRules.ToString()
+              allow_local_ipsec_rules = $#{profile_name}.AllowLocalIPsecRules.ToString()
+              allow_user_apps = $#{profile_name}.AllowUserApps.ToString()
+              allow_user_ports = $#{profile_name}.AllowUserPorts.ToString()
+              allow_unicast_response = $#{profile_name}.AllowUnicastResponseToMulticast.ToString()
+              display_notification = $#{profile_name}.NotifyOnListen.ToString()
+            }) | ConvertTo-Json
+          EOH
+        end
+
+        def firewall_enabled?(profile_name)
+          cmd = <<~CODE
+            $#{profile_name} = Get-NetFirewallProfile -Profile #{profile_name}
+            if ($#{profile_name}.Enabled) {
+                return $true
+            } else {return $false}
+          CODE
+          firewall_status = powershell_out(cmd).stdout
+          if /True/.match?(firewall_status)
+            true
+          elsif /False/.match?(firewall_status)
+            false
+          end
+        end
+      end
+    end
+  end
+end