chef 16.2.73-universal-mingw32 → 16.3.38-universal-mingw32
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile +4 -4
- data/Rakefile +1 -1
- data/chef-universal-mingw32.gemspec +2 -2
- data/chef.gemspec +2 -1
- data/lib/chef/application.rb +12 -0
- data/lib/chef/{whitelist.rb → attribute_allowlist.rb} +11 -11
- data/lib/chef/{blacklist.rb → attribute_blocklist.rb} +9 -9
- data/lib/chef/chef_fs/data_handler/organization_data_handler.rb +1 -2
- data/lib/chef/chef_fs/file_system/chef_server/cookbooks_dir.rb +1 -5
- data/lib/chef/chef_fs/file_system/repository/base_file.rb +1 -0
- data/lib/chef/chef_fs/parallelizer/parallel_enumerable.rb +1 -1
- data/lib/chef/client.rb +3 -3
- data/lib/chef/cookbook/remote_file_vendor.rb +1 -3
- data/lib/chef/cookbook/syntax_check.rb +1 -2
- data/lib/chef/cookbook_loader.rb +15 -29
- data/lib/chef/data_bag.rb +1 -2
- data/lib/chef/deprecated.rb +8 -0
- data/lib/chef/dsl/platform_introspection.rb +2 -0
- data/lib/chef/environment.rb +1 -2
- data/lib/chef/exceptions.rb +3 -0
- data/lib/chef/http/authenticator.rb +1 -1
- data/lib/chef/knife.rb +4 -4
- data/lib/chef/knife/bootstrap.rb +4 -10
- data/lib/chef/knife/bootstrap/train_connector.rb +1 -0
- data/lib/chef/knife/config_get.rb +1 -0
- data/lib/chef/knife/config_list_profiles.rb +4 -1
- data/lib/chef/knife/configure.rb +1 -1
- data/lib/chef/knife/cookbook_upload.rb +5 -10
- data/lib/chef/knife/core/gem_glob_loader.rb +1 -1
- data/lib/chef/knife/core/hashed_command_loader.rb +1 -0
- data/lib/chef/knife/core/subcommand_loader.rb +20 -1
- data/lib/chef/knife/core/ui.rb +8 -2
- data/lib/chef/knife/core/windows_bootstrap_context.rb +1 -2
- data/lib/chef/knife/rehash.rb +3 -21
- data/lib/chef/knife/ssh.rb +5 -1
- data/lib/chef/log.rb +7 -2
- data/lib/chef/mixin/chef_utils_wiring.rb +40 -0
- data/{spec/unit/log_spec.rb → lib/chef/mixin/default_paths.rb} +13 -5
- data/lib/chef/mixin/openssl_helper.rb +27 -5
- data/lib/chef/mixin/path_sanity.rb +5 -4
- data/lib/chef/mixin/shell_out.rb +4 -188
- data/lib/chef/mixin/template.rb +1 -0
- data/lib/chef/mixin/which.rb +6 -3
- data/lib/chef/mixins.rb +1 -0
- data/lib/chef/node.rb +36 -12
- data/lib/chef/node_map.rb +21 -18
- data/lib/chef/platform/service_helpers.rb +31 -28
- data/lib/chef/provider/git.rb +12 -4
- data/lib/chef/provider/mount/solaris.rb +0 -1
- data/lib/chef/provider/package/snap.rb +2 -3
- data/lib/chef/provider/package/windows.rb +9 -4
- data/lib/chef/provider/package/zypper.rb +0 -1
- data/lib/chef/provider/service.rb +2 -2
- data/lib/chef/provider/yum_repository.rb +1 -1
- data/lib/chef/provider/zypper_repository.rb +1 -1
- data/lib/chef/resource.rb +2 -0
- data/lib/chef/resource/build_essential.rb +2 -2
- data/lib/chef/resource/chef_client_scheduled_task.rb +1 -1
- data/lib/chef/resource/chocolatey_feature.rb +1 -2
- data/lib/chef/resource/cron/cron_d.rb +1 -1
- data/lib/chef/resource/cron_access.rb +2 -2
- data/lib/chef/resource/execute.rb +2 -2
- data/lib/chef/resource/lwrp_base.rb +1 -0
- data/lib/chef/resource/macos_userdefaults.rb +176 -61
- data/lib/chef/resource/openssl_x509_certificate.rb +11 -14
- data/lib/chef/resource/openssl_x509_crl.rb +1 -2
- data/lib/chef/resource/service.rb +2 -2
- data/lib/chef/resource/ssh_known_hosts_entry.rb +1 -1
- data/lib/chef/resource/sudo.rb +1 -1
- data/lib/chef/resource/user_ulimit.rb +1 -1
- data/lib/chef/resource/windows_dns_record.rb +17 -0
- data/lib/chef/resource/windows_firewall_profile.rb +197 -0
- data/lib/chef/resource/windows_security_policy.rb +49 -20
- data/lib/chef/resource_inspector.rb +7 -1
- data/lib/chef/resources.rb +1 -0
- data/lib/chef/role.rb +1 -2
- data/lib/chef/shell/shell_session.rb +2 -0
- data/lib/chef/util/diff.rb +0 -1
- data/lib/chef/version.rb +2 -2
- data/lib/chef/win32/registry.rb +1 -2
- data/spec/functional/knife/ssh_spec.rb +5 -16
- data/spec/functional/resource/aix_service_spec.rb +0 -2
- data/spec/functional/resource/aixinit_service_spec.rb +0 -1
- data/spec/functional/resource/apt_package_spec.rb +0 -1
- data/spec/functional/resource/cron_spec.rb +0 -1
- data/spec/functional/resource/git_spec.rb +23 -1
- data/spec/functional/resource/group_spec.rb +6 -2
- data/spec/functional/resource/insserv_spec.rb +0 -1
- data/spec/functional/resource/remote_file_spec.rb +1 -7
- data/spec/functional/resource/windows_user_privilege_spec.rb +1 -1
- data/spec/functional/run_lock_spec.rb +2 -1
- data/spec/functional/shell_spec.rb +5 -5
- data/spec/functional/util/powershell/cmdlet_spec.rb +1 -1
- data/spec/functional/version_spec.rb +1 -1
- data/spec/integration/knife/config_list_profiles_spec.rb +30 -2
- data/spec/integration/knife/cookbook_upload_spec.rb +27 -0
- data/spec/integration/recipes/accumulator_spec.rb +1 -1
- data/spec/integration/recipes/lwrp_inline_resources_spec.rb +1 -1
- data/spec/integration/recipes/lwrp_spec.rb +1 -1
- data/spec/integration/recipes/notifies_spec.rb +1 -1
- data/spec/integration/recipes/notifying_block_spec.rb +1 -1
- data/spec/integration/recipes/recipe_dsl_spec.rb +1 -1
- data/spec/integration/recipes/resource_converge_if_changed_spec.rb +2 -0
- data/spec/integration/recipes/resource_load_spec.rb +2 -0
- data/spec/integration/recipes/unified_mode_spec.rb +1 -1
- data/spec/integration/recipes/use_partial_spec.rb +1 -1
- data/spec/scripts/ssl-serve.rb +1 -1
- data/spec/spec_helper.rb +10 -4
- data/spec/support/chef_helpers.rb +1 -20
- data/spec/support/platform_helpers.rb +0 -2
- data/spec/support/shared/functional/file_resource.rb +0 -1
- data/spec/support/shared/integration/knife_support.rb +2 -9
- data/spec/support/shared/unit/application_dot_d.rb +0 -1
- data/spec/unit/application_spec.rb +4 -2
- data/spec/unit/chef_fs/file_system/operation_failed_error_spec.rb +2 -4
- data/spec/unit/chef_fs/{parallelizer.rb → parallelizer_spec.rb} +1 -1
- data/spec/unit/cookbook/gem_installer_spec.rb +2 -1
- data/spec/unit/data_collector_spec.rb +1 -1
- data/spec/unit/dsl/platform_introspection_spec.rb +1 -0
- data/spec/unit/event_dispatch/dispatcher_spec.rb +3 -0
- data/spec/unit/json_compat_spec.rb +1 -1
- data/spec/unit/knife/bootstrap_spec.rb +2 -6
- data/spec/unit/knife/cookbook_upload_spec.rb +7 -10
- data/spec/unit/log/syslog_spec.rb +6 -10
- data/spec/unit/log/winevt_spec.rb +21 -13
- data/spec/unit/lwrp_spec.rb +4 -4
- data/spec/unit/mixin/{path_sanity_spec.rb → default_paths_spec.rb} +14 -14
- data/spec/unit/mixin/powershell_exec_spec.rb +1 -1
- data/spec/unit/mixin/securable_spec.rb +0 -1
- data/spec/unit/mixin/shell_out_spec.rb +25 -26
- data/spec/unit/mixin/which.rb +8 -0
- data/spec/unit/node_spec.rb +98 -11
- data/spec/unit/property_spec.rb +5 -5
- data/spec/unit/provider/execute_spec.rb +0 -7
- data/spec/unit/provider/ifconfig_spec.rb +0 -1
- data/spec/unit/provider/package/dnf/python_helper_spec.rb +1 -1
- data/spec/unit/provider/package/rubygems_spec.rb +5 -10
- data/spec/unit/provider/package/smartos_spec.rb +1 -1
- data/spec/unit/provider/package/windows_spec.rb +30 -53
- data/spec/unit/provider/service/redhat_spec.rb +1 -1
- data/spec/unit/provider/service/windows_spec.rb +2 -6
- data/spec/unit/provider/systemd_unit_spec.rb +28 -24
- data/spec/unit/provider_spec.rb +1 -0
- data/spec/unit/resource/execute_spec.rb +10 -0
- data/spec/unit/resource/macos_user_defaults_spec.rb +103 -2
- data/spec/unit/resource/windows_firewall_profile_spec.rb +77 -0
- data/spec/unit/resource/windows_package_spec.rb +1 -0
- data/spec/unit/resource_reporter_spec.rb +1 -1
- data/spec/unit/run_context/cookbook_compiler_spec.rb +1 -1
- data/spec/unit/run_lock_spec.rb +1 -1
- data/spec/unit/scan_access_control_spec.rb +1 -1
- data/spec/unit/util/diff_spec.rb +1 -15
- data/spec/unit/win32/security_spec.rb +4 -3
- metadata +38 -15
@@ -206,12 +206,11 @@ class Chef
|
|
206
206
|
end
|
207
207
|
|
208
208
|
def request
|
209
|
-
|
210
|
-
|
211
|
-
|
212
|
-
|
213
|
-
|
214
|
-
request
|
209
|
+
if new_resource.csr_file.nil?
|
210
|
+
gen_x509_request(subject, key)
|
211
|
+
else
|
212
|
+
OpenSSL::X509::Request.new ::File.read(new_resource.csr_file)
|
213
|
+
end
|
215
214
|
end
|
216
215
|
|
217
216
|
def subject
|
@@ -227,12 +226,11 @@ class Chef
|
|
227
226
|
end
|
228
227
|
|
229
228
|
def ca_private_key
|
230
|
-
|
231
|
-
|
232
|
-
|
233
|
-
|
234
|
-
|
235
|
-
ca_private_key
|
229
|
+
if new_resource.csr_file.nil?
|
230
|
+
key
|
231
|
+
else
|
232
|
+
OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
|
233
|
+
end
|
236
234
|
end
|
237
235
|
|
238
236
|
def ca_info
|
@@ -258,8 +256,7 @@ class Chef
|
|
258
256
|
end
|
259
257
|
|
260
258
|
def cert
|
261
|
-
|
262
|
-
cert
|
259
|
+
gen_x509_cert(request, extensions, ca_info, ca_private_key)
|
263
260
|
end
|
264
261
|
end
|
265
262
|
end
|
@@ -113,8 +113,7 @@ class Chef
|
|
113
113
|
end
|
114
114
|
|
115
115
|
def ca_private_key
|
116
|
-
|
117
|
-
ca_private_key
|
116
|
+
::OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
|
118
117
|
end
|
119
118
|
|
120
119
|
def crl
|
@@ -25,8 +25,8 @@ require_relative "../dist"
|
|
25
25
|
class Chef
|
26
26
|
class Resource
|
27
27
|
class Service < Chef::Resource
|
28
|
-
include
|
29
|
-
extend
|
28
|
+
include Chef::Platform::ServiceHelpers
|
29
|
+
extend Chef::Platform::ServiceHelpers
|
30
30
|
unified_mode true
|
31
31
|
|
32
32
|
provides :service, target_mode: true
|
@@ -106,7 +106,7 @@ class Chef
|
|
106
106
|
|
107
107
|
r = with_run_context :root do
|
108
108
|
find_resource(:template, "update ssh known hosts file #{new_resource.file_location}") do
|
109
|
-
source ::File.expand_path("
|
109
|
+
source ::File.expand_path("support/ssh_known_hosts.erb", __dir__)
|
110
110
|
local true
|
111
111
|
path new_resource.file_location
|
112
112
|
owner new_resource.owner
|
data/lib/chef/resource/sudo.rb
CHANGED
@@ -199,7 +199,7 @@ class Chef
|
|
199
199
|
end
|
200
200
|
else
|
201
201
|
template file_path do
|
202
|
-
source ::File.expand_path("
|
202
|
+
source ::File.expand_path("support/sudoer.erb", __dir__)
|
203
203
|
local true
|
204
204
|
mode "0440"
|
205
205
|
variables sudoer: (new_resource.groups + new_resource.users).join(","),
|
@@ -80,7 +80,7 @@ class Chef
|
|
80
80
|
|
81
81
|
action :create do
|
82
82
|
template "/etc/security/limits.d/#{new_resource.filename}" do
|
83
|
-
source ::File.expand_path("
|
83
|
+
source ::File.expand_path("support/ulimit.erb", __dir__)
|
84
84
|
local true
|
85
85
|
mode "0644"
|
86
86
|
variables(
|
@@ -42,18 +42,34 @@ class Chef
|
|
42
42
|
description: "The type of record to create, can be either ARecord, CNAME or PTR.",
|
43
43
|
default: "ARecord", equal_to: %w{ARecord CNAME PTR}
|
44
44
|
|
45
|
+
property :dns_server, String,
|
46
|
+
description: "The name of the DNS server on which to create the record.",
|
47
|
+
default: "localhost",
|
48
|
+
introduced: "16.3"
|
49
|
+
|
45
50
|
action :create do
|
46
51
|
description "Creates and updates the DNS entry."
|
47
52
|
|
53
|
+
windows_feature "RSAT-DNS-Server" do
|
54
|
+
not_if new_resource.dns_server.casecmp?("localhost")
|
55
|
+
end
|
56
|
+
|
48
57
|
powershell_package "xDnsServer" do
|
49
58
|
end
|
59
|
+
|
50
60
|
do_it "Present"
|
51
61
|
end
|
52
62
|
|
53
63
|
action :delete do
|
54
64
|
description "Deletes a DNS entry."
|
65
|
+
|
66
|
+
windows_feature "RSAT-DNS-Server" do
|
67
|
+
not_if new_resource.dns_server.casecmp?("localhost")
|
68
|
+
end
|
69
|
+
|
55
70
|
powershell_package "xDnsServer" do
|
56
71
|
end
|
72
|
+
|
57
73
|
do_it "Absent"
|
58
74
|
end
|
59
75
|
|
@@ -67,6 +83,7 @@ class Chef
|
|
67
83
|
property :Zone, new_resource.zone
|
68
84
|
property :Type, new_resource.record_type
|
69
85
|
property :Target, new_resource.target
|
86
|
+
property :DnsServer, new_resource.dns_server
|
70
87
|
end
|
71
88
|
end
|
72
89
|
end
|
@@ -0,0 +1,197 @@
|
|
1
|
+
#
|
2
|
+
# Author:: John McCrae (<jmccrae@chef.io>)
|
3
|
+
# Author:: Davin Taddeo (<davin@chef.io>)
|
4
|
+
# Copyright:: Copyright (c) Chef Software Inc.
|
5
|
+
#
|
6
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
7
|
+
# you may not use this file except in compliance with the License.
|
8
|
+
# You may obtain a copy of the License at
|
9
|
+
#
|
10
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
11
|
+
#
|
12
|
+
# Unless required by applicable law or agreed to in writing, software
|
13
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
14
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
15
|
+
# See the License for the specific language governing permissions and
|
16
|
+
# limitations under the License.
|
17
|
+
#
|
18
|
+
|
19
|
+
class Chef
|
20
|
+
class Resource
|
21
|
+
class WindowsFirewallProfile < Chef::Resource
|
22
|
+
provides :windows_firewall_profile
|
23
|
+
description "Use the **windows_firewall_profile** resource to enable, disable, and configure the Windows firewall."
|
24
|
+
introduced "16.3"
|
25
|
+
|
26
|
+
examples <<~DOC
|
27
|
+
**Enable and Configure the Private Profile of the Windows Profile**:
|
28
|
+
|
29
|
+
```ruby
|
30
|
+
windows_firewall_profile 'Private' do
|
31
|
+
default_inbound_action 'Block'
|
32
|
+
default_outbound_action 'Allow'
|
33
|
+
allow_inbound_rules true
|
34
|
+
display_notification false
|
35
|
+
action :enable
|
36
|
+
end
|
37
|
+
```
|
38
|
+
|
39
|
+
**Enable and Configure the Public Profile of the Windows Firewall**:
|
40
|
+
|
41
|
+
```ruby
|
42
|
+
windows_firewall_profile 'Public' do
|
43
|
+
default_inbound_action 'Block'
|
44
|
+
default_outbound_action 'Allow'
|
45
|
+
allow_inbound_rules false
|
46
|
+
display_notification false
|
47
|
+
action :enable
|
48
|
+
end
|
49
|
+
```
|
50
|
+
|
51
|
+
**Disable the Domain Profile of the Windows Firewall**:
|
52
|
+
|
53
|
+
```ruby
|
54
|
+
windows_firewall_profile 'Disable the Domain Profile of the Windows Firewall' do
|
55
|
+
profile 'Domain'
|
56
|
+
action :disable
|
57
|
+
end
|
58
|
+
```
|
59
|
+
DOC
|
60
|
+
|
61
|
+
unified_mode true
|
62
|
+
|
63
|
+
property :profile, String,
|
64
|
+
name_property: true,
|
65
|
+
equal_to: %w{ Domain Public Private },
|
66
|
+
description: "Set the Windows Profile being configured"
|
67
|
+
|
68
|
+
property :default_inbound_action, [String, nil],
|
69
|
+
equal_to: %w{ Allow Block NotConfigured },
|
70
|
+
description: "Set the default policy for inbound network traffic"
|
71
|
+
|
72
|
+
property :default_outbound_action, [String, nil],
|
73
|
+
equal_to: %w{ Allow Block NotConfigured },
|
74
|
+
description: "Set the default policy for outbound network traffic"
|
75
|
+
|
76
|
+
property :allow_inbound_rules, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow users to set inbound firewall rules"
|
77
|
+
property :allow_local_firewall_rules, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Merges inbound firewall rules into the policy"
|
78
|
+
property :allow_local_ipsec_rules, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow users to manage local connection security rules"
|
79
|
+
property :allow_user_apps, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow user applications to manage firewall"
|
80
|
+
property :allow_user_ports, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow users to manage firewall port rules"
|
81
|
+
property :allow_unicast_response, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow unicast responses to multicast and broadcast messages"
|
82
|
+
property :display_notification, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Display a notification when firewall blocks certain activity"
|
83
|
+
|
84
|
+
load_current_value do |desired|
|
85
|
+
ps_get_net_fw_profile = load_firewall_state(desired.profile)
|
86
|
+
output = powershell_out(ps_get_net_fw_profile)
|
87
|
+
if output.stdout.empty?
|
88
|
+
current_value_does_not_exist!
|
89
|
+
else
|
90
|
+
state = Chef::JSONCompat.from_json(output.stdout)
|
91
|
+
end
|
92
|
+
|
93
|
+
default_inbound_action state["default_inbound_action"]
|
94
|
+
default_outbound_action state["default_outbound_action"]
|
95
|
+
allow_inbound_rules convert_to_ruby(state["allow_inbound_rules"])
|
96
|
+
allow_local_firewall_rules convert_to_ruby(state["allow_local_firewall_rules"])
|
97
|
+
allow_local_ipsec_rules convert_to_ruby(state["allow_local_ipsec_rules"])
|
98
|
+
allow_user_apps convert_to_ruby(state["allow_user_apps"])
|
99
|
+
allow_user_ports convert_to_ruby(state["allow_user_ports"])
|
100
|
+
allow_unicast_response convert_to_ruby(state["allow_unicast_response"])
|
101
|
+
display_notification convert_to_ruby(state["display_notification"])
|
102
|
+
end
|
103
|
+
|
104
|
+
def convert_to_ruby(obj)
|
105
|
+
if obj.to_s.downcase == "true"
|
106
|
+
true
|
107
|
+
elsif obj.to_s.downcase == "false"
|
108
|
+
false
|
109
|
+
elsif obj.to_s.downcase == "notconfigured"
|
110
|
+
"NotConfigured"
|
111
|
+
end
|
112
|
+
end
|
113
|
+
|
114
|
+
def convert_to_powershell(obj)
|
115
|
+
if obj.to_s.downcase == "true"
|
116
|
+
"True"
|
117
|
+
elsif obj.to_s.downcase == "false"
|
118
|
+
"False"
|
119
|
+
elsif obj.to_s.downcase == "notconfigured"
|
120
|
+
"NotConfigured"
|
121
|
+
end
|
122
|
+
end
|
123
|
+
|
124
|
+
action :enable do
|
125
|
+
converge_if_changed :default_inbound_action, :default_outbound_action, :allow_inbound_rules, :allow_local_firewall_rules,
|
126
|
+
:allow_local_ipsec_rules, :allow_user_apps, :allow_user_ports, :allow_unicast_response, :display_notification do
|
127
|
+
fw_cmd = firewall_command(new_resource.profile)
|
128
|
+
powershell_exec!(fw_cmd)
|
129
|
+
end
|
130
|
+
unless firewall_enabled?(new_resource.profile)
|
131
|
+
converge_by "Enable the #{new_resource.profile} Firewall Profile" do
|
132
|
+
cmd = "Set-NetFirewallProfile -Profile #{new_resource.profile} -Enabled \"True\""
|
133
|
+
powershell_out!(cmd)
|
134
|
+
end
|
135
|
+
end
|
136
|
+
end
|
137
|
+
|
138
|
+
action :disable do
|
139
|
+
if firewall_enabled?(new_resource.profile)
|
140
|
+
converge_by "Disable the #{new_resource.profile} Firewall Profile" do
|
141
|
+
cmd = "Set-NetFirewallProfile -Profile #{new_resource.profile} -Enabled \"False\""
|
142
|
+
powershell_out!(cmd)
|
143
|
+
end
|
144
|
+
end
|
145
|
+
end
|
146
|
+
|
147
|
+
action_class do
|
148
|
+
def firewall_command(fw_profile)
|
149
|
+
cmd = "Set-NetFirewallProfile -Profile \"#{fw_profile}\""
|
150
|
+
cmd << " -DefaultInboundAction \"#{new_resource.default_inbound_action}\"" unless new_resource.default_inbound_action.nil?
|
151
|
+
cmd << " -DefaultOutboundAction \"#{new_resource.default_outbound_action}\"" unless new_resource.default_outbound_action.nil?
|
152
|
+
cmd << " -AllowInboundRules \"#{convert_to_powershell(new_resource.allow_inbound_rules)}\"" unless new_resource.allow_inbound_rules.nil?
|
153
|
+
cmd << " -AllowLocalFirewallRules \"#{convert_to_powershell(new_resource.allow_local_firewall_rules)}\"" unless new_resource.allow_local_firewall_rules.nil?
|
154
|
+
cmd << " -AllowLocalIPsecRules \"#{convert_to_powershell(new_resource.allow_local_ipsec_rules)}\"" unless new_resource.allow_local_ipsec_rules.nil?
|
155
|
+
cmd << " -AllowUserApps \"#{convert_to_powershell(new_resource.allow_user_apps)}\"" unless new_resource.allow_user_apps.nil?
|
156
|
+
cmd << " -AllowUserPorts \"#{convert_to_powershell(new_resource.allow_user_ports)}\"" unless new_resource.allow_user_ports.nil?
|
157
|
+
cmd << " -AllowUnicastResponseToMulticast \"#{convert_to_powershell(new_resource.allow_unicast_response)}\"" unless new_resource.allow_unicast_response.nil?
|
158
|
+
cmd << " -NotifyOnListen \"#{convert_to_powershell(new_resource.display_notification)}\"" unless new_resource.display_notification.nil?
|
159
|
+
cmd
|
160
|
+
end
|
161
|
+
|
162
|
+
def load_firewall_state(profile_name)
|
163
|
+
<<-EOH
|
164
|
+
Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
|
165
|
+
$#{profile_name} = Get-NetFirewallProfile -Profile #{profile_name}
|
166
|
+
([PSCustomObject]@{
|
167
|
+
default_inbound_action = $#{profile_name}.DefaultInboundAction.ToString()
|
168
|
+
default_outbound_action = $#{profile_name}.DefaultOutboundAction.ToString()
|
169
|
+
allow_inbound_rules = $#{profile_name}.AllowInboundRules.ToString()
|
170
|
+
allow_local_firewall_rules = $#{profile_name}.AllowLocalFirewallRules.ToString()
|
171
|
+
allow_local_ipsec_rules = $#{profile_name}.AllowLocalIPsecRules.ToString()
|
172
|
+
allow_user_apps = $#{profile_name}.AllowUserApps.ToString()
|
173
|
+
allow_user_ports = $#{profile_name}.AllowUserPorts.ToString()
|
174
|
+
allow_unicast_response = $#{profile_name}.AllowUnicastResponseToMulticast.ToString()
|
175
|
+
display_notification = $#{profile_name}.NotifyOnListen.ToString()
|
176
|
+
}) | ConvertTo-Json
|
177
|
+
EOH
|
178
|
+
end
|
179
|
+
|
180
|
+
def firewall_enabled?(profile_name)
|
181
|
+
cmd = <<~CODE
|
182
|
+
$#{profile_name} = Get-NetFirewallProfile -Profile #{profile_name}
|
183
|
+
if ($#{profile_name}.Enabled) {
|
184
|
+
return $true
|
185
|
+
} else {return $false}
|
186
|
+
CODE
|
187
|
+
firewall_status = powershell_out(cmd).stdout
|
188
|
+
if firewall_status =~ /True/
|
189
|
+
true
|
190
|
+
elsif firewall_status =~ /False/
|
191
|
+
false
|
192
|
+
end
|
193
|
+
end
|
194
|
+
end
|
195
|
+
end
|
196
|
+
end
|
197
|
+
end
|
@@ -80,13 +80,55 @@ class Chef
|
|
80
80
|
property :secvalue, String, required: true,
|
81
81
|
description: "Policy value to be set for policy name."
|
82
82
|
|
83
|
+
load_current_value do |desired|
|
84
|
+
powershell_code = <<-CODE
|
85
|
+
C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\secopts_export.inf | Out-Null
|
86
|
+
# cspell:disable-next-line
|
87
|
+
$security_options_data = (Get-Content $env:TEMP\\secopts_export.inf | Select-String -Pattern "^[CEFLMNPR].* =.*$" | Out-String)
|
88
|
+
Remove-Item $env:TEMP\\secopts_export.inf -force
|
89
|
+
$security_options_hash = ($security_options_data -Replace '"'| ConvertFrom-StringData)
|
90
|
+
([PSCustomObject]@{
|
91
|
+
RequireLogonToChangePassword = $security_options_hash.RequireLogonToChangePassword
|
92
|
+
PasswordComplexity = $security_options_hash.PasswordComplexity
|
93
|
+
LSAAnonymousNameLookup = $security_options_hash.LSAAnonymousNameLookup
|
94
|
+
EnableAdminAccount = $security_options_hash.EnableAdminAccount
|
95
|
+
PasswordHistorySize = $security_options_hash.PasswordHistorySize
|
96
|
+
MinimumPasswordLength = $security_options_hash.MinimumPasswordLength
|
97
|
+
ResetLockoutCount = $security_options_hash.ResetLockoutCount
|
98
|
+
MaximumPasswordAge = $security_options_hash.MaximumPasswordAge
|
99
|
+
ClearTextPassword = $security_options_hash.ClearTextPassword
|
100
|
+
NewAdministratorName = $security_options_hash.NewAdministratorName
|
101
|
+
LockoutDuration = $security_options_hash.LockoutDuration
|
102
|
+
EnableGuestAccount = $security_options_hash.EnableGuestAccount
|
103
|
+
ForceLogoffWhenHourExpire = $security_options_hash.ForceLogoffWhenHourExpire
|
104
|
+
MinimumPasswordAge = $security_options_hash.MinimumPasswordAge
|
105
|
+
NewGuestName = $security_options_hash.NewGuestName
|
106
|
+
LockoutBadCount = $security_options_hash.LockoutBadCount
|
107
|
+
}) | ConvertTo-Json
|
108
|
+
CODE
|
109
|
+
output = powershell_out(powershell_code)
|
110
|
+
current_value_does_not_exist! if output.stdout.empty?
|
111
|
+
state = Chef::JSONCompat.from_json(output.stdout)
|
112
|
+
|
113
|
+
if desired.secoption == "ResetLockoutCount" || desired.secoption == "LockoutDuration"
|
114
|
+
if state["LockoutBadCount"] == "0"
|
115
|
+
raise Chef::Exceptions::ValidationFailed.new "#{desired.secoption} cannot be set unless the \"LockoutBadCount\" security policy has been set to a non-zero value"
|
116
|
+
else
|
117
|
+
secvalue state[desired.secoption.to_s]
|
118
|
+
end
|
119
|
+
else
|
120
|
+
secvalue state[desired.secoption.to_s]
|
121
|
+
end
|
122
|
+
end
|
123
|
+
|
83
124
|
action :set do
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
125
|
+
converge_if_changed :secvalue do
|
126
|
+
security_option = new_resource.secoption
|
127
|
+
security_value = new_resource.secvalue
|
128
|
+
|
129
|
+
cmd = <<-EOH
|
89
130
|
$security_option = "#{security_option}"
|
131
|
+
C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf
|
90
132
|
if ( ($security_option -match "NewGuestName") -Or ($security_option -match "NewAdministratorName") )
|
91
133
|
{
|
92
134
|
$#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace '#{security_option}\\s*=\\s*\\"\\w*\\"', '#{security_option} = "#{security_value}"' } | Set-Content $env:TEMP\\#{security_option}_Export.inf
|
@@ -99,21 +141,8 @@ class Chef
|
|
99
141
|
}
|
100
142
|
Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
|
101
143
|
EOH
|
102
|
-
|
103
|
-
|
104
|
-
$ExportAudit = (Get-Content $env:TEMP\\#{security_option}_Export.inf | Select-String -Pattern #{security_option})
|
105
|
-
$check_digit = $ExportAudit -match '#{security_option} = #{security_value}'
|
106
|
-
$check_string = $ExportAudit -match '#{security_option} = "#{security_value}"'
|
107
|
-
if ( $check_string -Or $check_digit )
|
108
|
-
{
|
109
|
-
Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
|
110
|
-
$true
|
111
|
-
}
|
112
|
-
else
|
113
|
-
{
|
114
|
-
$false
|
115
|
-
}
|
116
|
-
EOH
|
144
|
+
|
145
|
+
powershell_out!(cmd)
|
117
146
|
end
|
118
147
|
end
|
119
148
|
end
|
@@ -59,11 +59,17 @@ module ResourceInspector
|
|
59
59
|
required: opts[:required] || false,
|
60
60
|
default: opts[:default_description] || get_default(opts[:default]),
|
61
61
|
name_property: opts[:name_property] || false,
|
62
|
-
equal_to:
|
62
|
+
equal_to: sort_equal_to(opts[:equal_to]) }
|
63
63
|
end
|
64
64
|
data
|
65
65
|
end
|
66
66
|
|
67
|
+
def self.sort_equal_to(equal_to)
|
68
|
+
Array(equal_to).sort.map(&:inspect)
|
69
|
+
rescue ArgumentError
|
70
|
+
Array(equal_to).map(&:inspect)
|
71
|
+
end
|
72
|
+
|
67
73
|
def self.extract_cookbook(path, complete)
|
68
74
|
path = File.expand_path(path)
|
69
75
|
dir, name = File.split(path)
|
data/lib/chef/resources.rb
CHANGED
@@ -153,6 +153,7 @@ require_relative "resource/windows_dns_zone"
|
|
153
153
|
require_relative "resource/windows_feature"
|
154
154
|
require_relative "resource/windows_feature_dism"
|
155
155
|
require_relative "resource/windows_feature_powershell"
|
156
|
+
require_relative "resource/windows_firewall_profile"
|
156
157
|
require_relative "resource/windows_firewall_rule"
|
157
158
|
require_relative "resource/windows_font"
|
158
159
|
require_relative "resource/windows_pagefile"
|