chef 16.2.73-universal-mingw32 → 16.4.41-universal-mingw32

data/lib/chef/resource/windows_dns_zone.rb

@@ -21,6 +21,8 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsDnsZone < Chef::Resource
+      unified_mode true
+
       provides :windows_dns_zone
 
       description "The windows_dns_zone resource creates an Active Directory Integrated DNS Zone on the local server."
@@ -41,21 +43,24 @@ class Chef
       action :create do
         description "Creates and updates a DNS Zone."
 
-        powershell_package "xDnsServer" do
-        end
-        do_it "Present"
+        powershell_package "xDnsServer"
+
+        run_dsc_resource "Present"
       end
 
       action :delete do
         description "Deletes a DNS Zone."
 
-        powershell_package "xDnsServer" do
-        end
-        do_it "Absent"
+        powershell_package "xDnsServer"
+
+        run_dsc_resource "Absent"
       end
 
       action_class do
-        def do_it(ensure_prop)
+        private
+
+        # @api private
+        def run_dsc_resource(ensure_prop)
           if new_resource.server_type == "Domain"
             dsc_resource "xDnsServerADZone #{new_resource.zone_name} #{ensure_prop}" do
               module_name "xDnsServer"

data/lib/chef/resource/windows_feature.rb

@@ -125,6 +125,8 @@ class Chef
       end
 
       action_class do
+        private
+
         # call the appropriate windows_feature resource based on the specified subresource
         # @return [void]
         def run_default_subresource(desired_action)

data/lib/chef/resource/windows_feature_dism.rb

@@ -22,6 +22,8 @@ require_relative "../platform/query_helpers"
 class Chef
   class Resource
     class WindowsFeatureDism < Chef::Resource
+      unified_mode true
+
       provides(:windows_feature_dism) { true }
 
       description "Use the **windows_feature_dism** resource to add, remove, or entirely delete Windows features and roles using DISM."
@@ -125,6 +127,8 @@ class Chef
       end
 
       action_class do
+        private
+
         # @return [Array] features the user has requested to install which need installation
         def features_to_install
           @install ||= begin
@@ -171,6 +175,12 @@ class Chef
           raise "The Windows feature#{"s" if unavailable.count > 1} #{unavailable.join(",")} #{unavailable.count > 1 ? "are" : "is"} not available on this version of Windows. Run 'dism /online /Get-Features' to see the list of available feature names." unless unavailable.empty?
         end
 
+        #
+        # FIXME FIXME FIXME
+        # The node object should not be used for caching state like this and this is not a public API and may break.
+        # FIXME FIXME FIXME
+        #
+
         # run dism.exe to get a list of all available features and their state
         # and save that to the node at node.override level.
         # We do this because getting a list of features in dism takes at least a second

data/lib/chef/resource/windows_feature_powershell.rb

@@ -23,6 +23,8 @@ require_relative "../platform/query_helpers"
 class Chef
   class Resource
     class WindowsFeaturePowershell < Chef::Resource
+      unified_mode true
+
       provides(:windows_feature_powershell) { true }
 
       description "Use the **windows_feature_powershell** resource to add, remove, or entirely delete Windows features and roles using PowerShell. This resource offers significant speed benefits over the windows_feature_dism resource, but requires installation of the Remote Server Administration Tools on non-server releases of Windows."
@@ -141,8 +143,12 @@ class Chef
       action_class do
         # @return [Array] features the user has requested to install which need installation
         def features_to_install
-          # the intersection of the features to install & disabled features are what needs installing
-          @install ||= new_resource.feature_name & node["powershell_features_cache"]["disabled"]
+          # the intersection of the features to install & disabled/removed features are what needs installing
+          @features_to_install ||= begin
+            features = node["powershell_features_cache"]["disabled"]
+            features |= node["powershell_features_cache"]["removed"] if new_resource.source
+            new_resource.feature_name & features
+          end
         end
 
         # @return [Array] features the user has requested to remove which need removing
@@ -182,6 +188,12 @@ class Chef
         # @return [void]
         def reload_cached_powershell_data
           Chef::Log.debug("Caching Windows features available via Get-WindowsFeature.")
+
+          #
+          # FIXME FIXME FIXME
+          # The node object should not be used for caching state like this and this is not a public API and may break.
+          # FIXME FIXME FIXME
+          #
           node.override["powershell_features_cache"] = Mash.new
           node.override["powershell_features_cache"]["enabled"] = []
           node.override["powershell_features_cache"]["disabled"] = []

data/lib/chef/resource/windows_firewall_profile.rb

@@ -0,0 +1,199 @@
+#
+# Author:: John McCrae (<jmccrae@chef.io>)
+# Author:: Davin Taddeo (<davin@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  class Resource
+    class WindowsFirewallProfile < Chef::Resource
+      unified_mode true
+
+      provides :windows_firewall_profile
+      description "Use the **windows_firewall_profile** resource to enable, disable, and configure the Windows firewall."
+      introduced "16.3"
+
+      examples <<~DOC
+      **Enable and Configure the Private Profile of the Windows Profile**:
+
+      ```ruby
+      windows_firewall_profile 'Private' do
+        default_inbound_action 'Block'
+        default_outbound_action 'Allow'
+        allow_inbound_rules true
+        display_notification false
+        action :enable
+      end
+      ```
+
+      **Enable and Configure the Public Profile of the Windows Firewall**:
+
+      ```ruby
+      windows_firewall_profile 'Public' do
+        default_inbound_action 'Block'
+        default_outbound_action 'Allow'
+        allow_inbound_rules false
+        display_notification false
+        action :enable
+      end
+      ```
+
+      **Disable the Domain Profile of the Windows Firewall**:
+
+      ```ruby
+      windows_firewall_profile 'Disable the Domain Profile of the Windows Firewall' do
+        profile 'Domain'
+        action :disable
+      end
+      ```
+      DOC
+
+      unified_mode true
+
+      property :profile, String,
+        name_property: true,
+        equal_to: %w{ Domain Public Private },
+        description: "Set the Windows Profile being configured"
+
+      property :default_inbound_action, [String, nil],
+        equal_to: %w{ Allow Block NotConfigured },
+        description: "Set the default policy for inbound network traffic"
+
+      property :default_outbound_action, [String, nil],
+        equal_to: %w{ Allow Block NotConfigured },
+        description: "Set the default policy for outbound network traffic"
+
+      property :allow_inbound_rules, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow users to set inbound firewall rules"
+      property :allow_local_firewall_rules, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Merges inbound firewall rules into the policy"
+      property :allow_local_ipsec_rules, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow users to manage local connection security rules"
+      property :allow_user_apps, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow user applications to manage firewall"
+      property :allow_user_ports, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow users to manage firewall port rules"
+      property :allow_unicast_response, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow unicast responses to multicast and broadcast messages"
+      property :display_notification, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Display a notification when firewall blocks certain activity"
+
+      load_current_value do |desired|
+        ps_get_net_fw_profile = load_firewall_state(desired.profile)
+        output = powershell_out(ps_get_net_fw_profile)
+        if output.stdout.empty?
+          current_value_does_not_exist!
+        else
+          state = Chef::JSONCompat.from_json(output.stdout)
+        end
+
+        default_inbound_action state["default_inbound_action"]
+        default_outbound_action state["default_outbound_action"]
+        allow_inbound_rules convert_to_ruby(state["allow_inbound_rules"])
+        allow_local_firewall_rules convert_to_ruby(state["allow_local_firewall_rules"])
+        allow_local_ipsec_rules convert_to_ruby(state["allow_local_ipsec_rules"])
+        allow_user_apps convert_to_ruby(state["allow_user_apps"])
+        allow_user_ports convert_to_ruby(state["allow_user_ports"])
+        allow_unicast_response convert_to_ruby(state["allow_unicast_response"])
+        display_notification convert_to_ruby(state["display_notification"])
+      end
+
+      def convert_to_ruby(obj)
+        if obj.to_s.downcase == "true"
+          true
+        elsif obj.to_s.downcase == "false"
+          false
+        elsif obj.to_s.downcase == "notconfigured"
+          "NotConfigured"
+        end
+      end
+
+      def convert_to_powershell(obj)
+        if obj.to_s.downcase == "true"
+          "True"
+        elsif obj.to_s.downcase == "false"
+          "False"
+        elsif obj.to_s.downcase == "notconfigured"
+          "NotConfigured"
+        end
+      end
+
+      action :enable do
+        converge_if_changed :default_inbound_action, :default_outbound_action, :allow_inbound_rules, :allow_local_firewall_rules,
+          :allow_local_ipsec_rules, :allow_user_apps, :allow_user_ports, :allow_unicast_response, :display_notification do
+            fw_cmd = firewall_command(new_resource.profile)
+            powershell_exec!(fw_cmd)
+          end
+        unless firewall_enabled?(new_resource.profile)
+          converge_by "Enable the #{new_resource.profile} Firewall Profile" do
+            cmd = "Set-NetFirewallProfile -Profile #{new_resource.profile} -Enabled \"True\""
+            powershell_out!(cmd)
+          end
+        end
+      end
+
+      action :disable do
+        if firewall_enabled?(new_resource.profile)
+          converge_by "Disable the #{new_resource.profile} Firewall Profile" do
+            cmd = "Set-NetFirewallProfile -Profile #{new_resource.profile} -Enabled \"False\""
+            powershell_out!(cmd)
+          end
+        end
+      end
+
+      action_class do
+        def firewall_command(fw_profile)
+          cmd = "Set-NetFirewallProfile -Profile \"#{fw_profile}\""
+          cmd << " -DefaultInboundAction \"#{new_resource.default_inbound_action}\"" unless new_resource.default_inbound_action.nil?
+          cmd << " -DefaultOutboundAction \"#{new_resource.default_outbound_action}\"" unless new_resource.default_outbound_action.nil?
+          cmd << " -AllowInboundRules \"#{convert_to_powershell(new_resource.allow_inbound_rules)}\"" unless new_resource.allow_inbound_rules.nil?
+          cmd << " -AllowLocalFirewallRules \"#{convert_to_powershell(new_resource.allow_local_firewall_rules)}\"" unless new_resource.allow_local_firewall_rules.nil?
+          cmd << " -AllowLocalIPsecRules \"#{convert_to_powershell(new_resource.allow_local_ipsec_rules)}\"" unless new_resource.allow_local_ipsec_rules.nil?
+          cmd << " -AllowUserApps \"#{convert_to_powershell(new_resource.allow_user_apps)}\"" unless new_resource.allow_user_apps.nil?
+          cmd << " -AllowUserPorts \"#{convert_to_powershell(new_resource.allow_user_ports)}\"" unless new_resource.allow_user_ports.nil?
+          cmd << " -AllowUnicastResponseToMulticast \"#{convert_to_powershell(new_resource.allow_unicast_response)}\"" unless new_resource.allow_unicast_response.nil?
+          cmd << " -NotifyOnListen \"#{convert_to_powershell(new_resource.display_notification)}\"" unless new_resource.display_notification.nil?
+          cmd
+        end
+
+        def load_firewall_state(profile_name)
+          <<-EOH
+            Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
+            $#{profile_name} = Get-NetFirewallProfile -Profile #{profile_name}
+            ([PSCustomObject]@{
+              default_inbound_action = $#{profile_name}.DefaultInboundAction.ToString()
+              default_outbound_action = $#{profile_name}.DefaultOutboundAction.ToString()
+              allow_inbound_rules = $#{profile_name}.AllowInboundRules.ToString()
+              allow_local_firewall_rules = $#{profile_name}.AllowLocalFirewallRules.ToString()
+              allow_local_ipsec_rules = $#{profile_name}.AllowLocalIPsecRules.ToString()
+              allow_user_apps = $#{profile_name}.AllowUserApps.ToString()
+              allow_user_ports = $#{profile_name}.AllowUserPorts.ToString()
+              allow_unicast_response = $#{profile_name}.AllowUnicastResponseToMulticast.ToString()
+              display_notification = $#{profile_name}.NotifyOnListen.ToString()
+            }) | ConvertTo-Json
+          EOH
+        end
+
+        def firewall_enabled?(profile_name)
+          cmd = <<~CODE
+            $#{profile_name} = Get-NetFirewallProfile -Profile #{profile_name}
+            if ($#{profile_name}.Enabled) {
+                return $true
+            } else {return $false}
+          CODE
+          firewall_status = powershell_out(cmd).stdout
+          if /True/.match?(firewall_status)
+            true
+          elsif /False/.match?(firewall_status)
+            false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/windows_firewall_rule.rb

@@ -24,6 +24,8 @@ require_relative "../json_compat"
 class Chef
   class Resource
     class WindowsFirewallRule < Chef::Resource
+      unified_mode true
+
       provides :windows_firewall_rule
 
       description "Use the **windows_firewall_rule** resource to create, change or remove Windows firewall rules."
@@ -273,11 +275,11 @@ class Chef
           requirements.assert(:create) do |a|
             a.assertion do
               if new_resource.icmp_type.is_a?(Integer)
-                (0..255).include?(new_resource.icmp_type)
+                (0..255).cover?(new_resource.icmp_type)
               elsif new_resource.icmp_type.is_a?(String) && !new_resource.icmp_type.include?(":") && new_resource.protocol.start_with?("ICMP")
-                (0..255).include?(new_resource.icmp_type.to_i)
+                (0..255).cover?(new_resource.icmp_type.to_i)
               elsif new_resource.icmp_type.is_a?(String) && new_resource.icmp_type.include?(":") && new_resource.protocol.start_with?("ICMP")
-                new_resource.icmp_type.split(":").all? { |type| (0..255).include?(type.to_i) }
+                new_resource.icmp_type.split(":").all? { |type| (0..255).cover?(type.to_i) }
               else
                 true
               end

data/lib/chef/resource/windows_font.rb

@@ -21,6 +21,7 @@ class Chef
   class Resource
     class WindowsFont < Chef::Resource
       require_relative "../util/path_helper"
+      unified_mode true
 
       provides(:windows_font) { true }
 
@@ -98,8 +99,9 @@ class Chef
         def font_exists?
           require "win32ole" if RUBY_PLATFORM.match?(/mswin|mingw32|windows/)
           fonts_dir = WIN32OLE.new("WScript.Shell").SpecialFolders("Fonts")
+          fonts_dir_local = Chef::Util::PathHelper.join(ENV["home"], "AppData/Local/Microsoft/Windows/fonts")
           logger.trace("Seeing if the font at #{Chef::Util::PathHelper.join(fonts_dir, new_resource.font_name)} exists")
-          ::File.exist?(Chef::Util::PathHelper.join(fonts_dir, new_resource.font_name))
+          ::File.exist?(Chef::Util::PathHelper.join(fonts_dir, new_resource.font_name)) || ::File.exist?(Chef::Util::PathHelper.join(fonts_dir_local, new_resource.font_name))
         end
 
         # Parse out the schema provided to us to see if it's one we support via remote_file.

data/lib/chef/resource/windows_pagefile.rb

@@ -20,6 +20,8 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsPagefile < Chef::Resource
+      unified_mode true
+
       provides(:windows_pagefile) { true }
 
       description "Use the **windows_pagefile** resource to configure pagefile settings on Windows."
@@ -109,6 +111,8 @@ class Chef
       end
 
       action_class do
+        private
+
         # make sure the provided name property matches the appropriate format
         # we do this here and not in the property itself because if automatic_managed
         # is set then this validation is not necessary / doesn't make sense at all

data/lib/chef/resource/windows_printer.rb

@@ -22,6 +22,8 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsPrinter < Chef::Resource
+      unified_mode true
+
       require "resolv"
 
       provides(:windows_printer) { true }
@@ -79,31 +81,17 @@ class Chef
         validation_message: "The ipv4_address property must be in the IPv4 format of `WWW.XXX.YYY.ZZZ`",
         regex: Resolv::IPv4::Regex
 
-      property :exists, [TrueClass, FalseClass],
-        skip_docs: true
-
       PRINTERS_REG_KEY = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\\'.freeze unless defined?(PRINTERS_REG_KEY)
 
-      # does the printer exist
-      #
-      # @param [String] name the name of the printer
-      # @return [Boolean]
-      def printer_exists?(name)
-        printer_reg_key = PRINTERS_REG_KEY + name
-        logger.trace "Checking to see if this reg key exists: '#{printer_reg_key}'"
-        registry_key_exists?(printer_reg_key)
-      end
-
       # @todo Set @current_resource printer properties from registry
       load_current_value do |desired|
         name desired.name
-        exists printer_exists?(desired.name)
       end
 
       action :create do
         description "Create a new printer and a printer port if one doesn't already exist."
 
-        if @current_resource.exists
+        if printer_exists?
           Chef::Log.info "#{@new_resource} already exists - nothing to do."
         else
           converge_by("Create #{@new_resource}") do
@@ -115,7 +103,7 @@ class Chef
       action :delete do
         description "Delete an existing printer. Note this does not delete the associated printer port."
 
-        if @current_resource.exists
+        if printer_exists?
           converge_by("Delete #{@new_resource}") do
             delete_printer
           end
@@ -125,11 +113,22 @@ class Chef
       end
 
       action_class do
+        private
+
+        # does the printer exist
+        #
+        # @param [String] name the name of the printer
+        # @return [Boolean]
+        def printer_exists?
+          printer_reg_key = PRINTERS_REG_KEY + new_resource.name
+          logger.trace "Checking to see if this reg key exists: '#{printer_reg_key}'"
+          registry_key_exists?(printer_reg_key)
+        end
+
         # creates the printer port and then the printer
         def create_printer
           # Create the printer port first
-          windows_printer_port new_resource.ipv4_address do
-          end
+          windows_printer_port new_resource.ipv4_address
 
           port_name = "IP_#{new_resource.ipv4_address}"