chef 16.2.73 → 16.3.38

data/lib/chef/resource/openssl_x509_certificate.rb

@@ -206,12 +206,11 @@ class Chef
         end
 
         def request
-          request = if new_resource.csr_file.nil?
-                      gen_x509_request(subject, key)
-                    else
-                      OpenSSL::X509::Request.new ::File.read(new_resource.csr_file)
-                    end
-          request
+          if new_resource.csr_file.nil?
+            gen_x509_request(subject, key)
+          else
+            OpenSSL::X509::Request.new ::File.read(new_resource.csr_file)
+          end
         end
 
         def subject
@@ -227,12 +226,11 @@ class Chef
         end
 
         def ca_private_key
-          ca_private_key = if new_resource.csr_file.nil?
-                             key
-                           else
-                             OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
-                           end
-          ca_private_key
+          if new_resource.csr_file.nil?
+            key
+          else
+            OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
+          end
         end
 
         def ca_info
@@ -258,8 +256,7 @@ class Chef
         end
 
         def cert
-          cert = gen_x509_cert(request, extensions, ca_info, ca_private_key)
-          cert
+          gen_x509_cert(request, extensions, ca_info, ca_private_key)
         end
       end
     end

data/lib/chef/resource/openssl_x509_crl.rb

@@ -113,8 +113,7 @@ class Chef
         end
 
         def ca_private_key
-          ca_private_key = ::OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
-          ca_private_key
+          ::OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
         end
 
         def crl

data/lib/chef/resource/service.rb

@@ -25,8 +25,8 @@ require_relative "../dist"
 class Chef
   class Resource
     class Service < Chef::Resource
-      include ChefUtils::DSL::Service
-      extend ChefUtils::DSL::Service
+      include Chef::Platform::ServiceHelpers
+      extend Chef::Platform::ServiceHelpers
       unified_mode true
 
       provides :service, target_mode: true

data/lib/chef/resource/ssh_known_hosts_entry.rb

@@ -106,7 +106,7 @@ class Chef
 
         r = with_run_context :root do
           find_resource(:template, "update ssh known hosts file #{new_resource.file_location}") do
-            source ::File.expand_path("../support/ssh_known_hosts.erb", __FILE__)
+            source ::File.expand_path("support/ssh_known_hosts.erb", __dir__)
             local true
             path new_resource.file_location
             owner new_resource.owner

data/lib/chef/resource/sudo.rb

@@ -199,7 +199,7 @@ class Chef
           end
         else
           template file_path do
-            source ::File.expand_path("../support/sudoer.erb", __FILE__)
+            source ::File.expand_path("support/sudoer.erb", __dir__)
             local true
             mode "0440"
             variables sudoer:            (new_resource.groups + new_resource.users).join(","),

data/lib/chef/resource/user_ulimit.rb

@@ -80,7 +80,7 @@ class Chef
 
       action :create do
         template "/etc/security/limits.d/#{new_resource.filename}" do
-          source ::File.expand_path("../support/ulimit.erb", __FILE__)
+          source ::File.expand_path("support/ulimit.erb", __dir__)
           local true
           mode "0644"
           variables(

data/lib/chef/resource/windows_dns_record.rb

@@ -42,18 +42,34 @@ class Chef
         description: "The type of record to create, can be either ARecord, CNAME or PTR.",
         default: "ARecord", equal_to: %w{ARecord CNAME PTR}
 
+      property :dns_server, String,
+        description: "The name of the DNS server on which to create the record.",
+        default: "localhost",
+        introduced: "16.3"
+
       action :create do
         description "Creates and updates the DNS entry."
 
+        windows_feature "RSAT-DNS-Server" do
+          not_if new_resource.dns_server.casecmp?("localhost")
+        end
+
         powershell_package "xDnsServer" do
         end
+
         do_it "Present"
       end
 
       action :delete do
         description "Deletes a DNS entry."
+
+        windows_feature "RSAT-DNS-Server" do
+          not_if new_resource.dns_server.casecmp?("localhost")
+        end
+
         powershell_package "xDnsServer" do
         end
+
         do_it "Absent"
       end
 
@@ -67,6 +83,7 @@ class Chef
             property :Zone, new_resource.zone
             property :Type, new_resource.record_type
             property :Target, new_resource.target
+            property :DnsServer, new_resource.dns_server
           end
         end
       end

data/lib/chef/resource/windows_firewall_profile.rb

@@ -0,0 +1,197 @@
+#
+# Author:: John McCrae (<jmccrae@chef.io>)
+# Author:: Davin Taddeo (<davin@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  class Resource
+    class WindowsFirewallProfile < Chef::Resource
+      provides :windows_firewall_profile
+      description "Use the **windows_firewall_profile** resource to enable, disable, and configure the Windows firewall."
+      introduced "16.3"
+
+      examples <<~DOC
+      **Enable and Configure the Private Profile of the Windows Profile**:
+
+      ```ruby
+      windows_firewall_profile 'Private' do
+        default_inbound_action 'Block'
+        default_outbound_action 'Allow'
+        allow_inbound_rules true
+        display_notification false
+        action :enable
+      end
+      ```
+
+      **Enable and Configure the Public Profile of the Windows Firewall**:
+
+      ```ruby
+      windows_firewall_profile 'Public' do
+        default_inbound_action 'Block'
+        default_outbound_action 'Allow'
+        allow_inbound_rules false
+        display_notification false
+        action :enable
+      end
+      ```
+
+      **Disable the Domain Profile of the Windows Firewall**:
+
+      ```ruby
+      windows_firewall_profile 'Disable the Domain Profile of the Windows Firewall' do
+        profile 'Domain'
+        action :disable
+      end
+      ```
+      DOC
+
+      unified_mode true
+
+      property :profile, String,
+        name_property: true,
+        equal_to: %w{ Domain Public Private },
+        description: "Set the Windows Profile being configured"
+
+      property :default_inbound_action, [String, nil],
+        equal_to: %w{ Allow Block NotConfigured },
+        description: "Set the default policy for inbound network traffic"
+
+      property :default_outbound_action, [String, nil],
+        equal_to: %w{ Allow Block NotConfigured },
+        description: "Set the default policy for outbound network traffic"
+
+      property :allow_inbound_rules, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow users to set inbound firewall rules"
+      property :allow_local_firewall_rules, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Merges inbound firewall rules into the policy"
+      property :allow_local_ipsec_rules, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow users to manage local connection security rules"
+      property :allow_user_apps, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow user applications to manage firewall"
+      property :allow_user_ports, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow users to manage firewall port rules"
+      property :allow_unicast_response, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow unicast responses to multicast and broadcast messages"
+      property :display_notification, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Display a notification when firewall blocks certain activity"
+
+      load_current_value do |desired|
+        ps_get_net_fw_profile = load_firewall_state(desired.profile)
+        output = powershell_out(ps_get_net_fw_profile)
+        if output.stdout.empty?
+          current_value_does_not_exist!
+        else
+          state = Chef::JSONCompat.from_json(output.stdout)
+        end
+
+        default_inbound_action state["default_inbound_action"]
+        default_outbound_action state["default_outbound_action"]
+        allow_inbound_rules convert_to_ruby(state["allow_inbound_rules"])
+        allow_local_firewall_rules convert_to_ruby(state["allow_local_firewall_rules"])
+        allow_local_ipsec_rules convert_to_ruby(state["allow_local_ipsec_rules"])
+        allow_user_apps convert_to_ruby(state["allow_user_apps"])
+        allow_user_ports convert_to_ruby(state["allow_user_ports"])
+        allow_unicast_response convert_to_ruby(state["allow_unicast_response"])
+        display_notification convert_to_ruby(state["display_notification"])
+      end
+
+      def convert_to_ruby(obj)
+        if obj.to_s.downcase == "true"
+          true
+        elsif obj.to_s.downcase == "false"
+          false
+        elsif obj.to_s.downcase == "notconfigured"
+          "NotConfigured"
+        end
+      end
+
+      def convert_to_powershell(obj)
+        if obj.to_s.downcase == "true"
+          "True"
+        elsif obj.to_s.downcase == "false"
+          "False"
+        elsif obj.to_s.downcase == "notconfigured"
+          "NotConfigured"
+        end
+      end
+
+      action :enable do
+        converge_if_changed :default_inbound_action, :default_outbound_action, :allow_inbound_rules, :allow_local_firewall_rules,
+          :allow_local_ipsec_rules, :allow_user_apps, :allow_user_ports, :allow_unicast_response, :display_notification do
+            fw_cmd = firewall_command(new_resource.profile)
+            powershell_exec!(fw_cmd)
+          end
+        unless firewall_enabled?(new_resource.profile)
+          converge_by "Enable the #{new_resource.profile} Firewall Profile" do
+            cmd = "Set-NetFirewallProfile -Profile #{new_resource.profile} -Enabled \"True\""
+            powershell_out!(cmd)
+          end
+        end
+      end
+
+      action :disable do
+        if firewall_enabled?(new_resource.profile)
+          converge_by "Disable the #{new_resource.profile} Firewall Profile" do
+            cmd = "Set-NetFirewallProfile -Profile #{new_resource.profile} -Enabled \"False\""
+            powershell_out!(cmd)
+          end
+        end
+      end
+
+      action_class do
+        def firewall_command(fw_profile)
+          cmd = "Set-NetFirewallProfile -Profile \"#{fw_profile}\""
+          cmd << " -DefaultInboundAction \"#{new_resource.default_inbound_action}\"" unless new_resource.default_inbound_action.nil?
+          cmd << " -DefaultOutboundAction \"#{new_resource.default_outbound_action}\"" unless new_resource.default_outbound_action.nil?
+          cmd << " -AllowInboundRules \"#{convert_to_powershell(new_resource.allow_inbound_rules)}\"" unless new_resource.allow_inbound_rules.nil?
+          cmd << " -AllowLocalFirewallRules \"#{convert_to_powershell(new_resource.allow_local_firewall_rules)}\"" unless new_resource.allow_local_firewall_rules.nil?
+          cmd << " -AllowLocalIPsecRules \"#{convert_to_powershell(new_resource.allow_local_ipsec_rules)}\"" unless new_resource.allow_local_ipsec_rules.nil?
+          cmd << " -AllowUserApps \"#{convert_to_powershell(new_resource.allow_user_apps)}\"" unless new_resource.allow_user_apps.nil?
+          cmd << " -AllowUserPorts \"#{convert_to_powershell(new_resource.allow_user_ports)}\"" unless new_resource.allow_user_ports.nil?
+          cmd << " -AllowUnicastResponseToMulticast \"#{convert_to_powershell(new_resource.allow_unicast_response)}\"" unless new_resource.allow_unicast_response.nil?
+          cmd << " -NotifyOnListen \"#{convert_to_powershell(new_resource.display_notification)}\"" unless new_resource.display_notification.nil?
+          cmd
+        end
+
+        def load_firewall_state(profile_name)
+          <<-EOH
+            Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
+            $#{profile_name} = Get-NetFirewallProfile -Profile #{profile_name}
+            ([PSCustomObject]@{
+              default_inbound_action = $#{profile_name}.DefaultInboundAction.ToString()
+              default_outbound_action = $#{profile_name}.DefaultOutboundAction.ToString()
+              allow_inbound_rules = $#{profile_name}.AllowInboundRules.ToString()
+              allow_local_firewall_rules = $#{profile_name}.AllowLocalFirewallRules.ToString()
+              allow_local_ipsec_rules = $#{profile_name}.AllowLocalIPsecRules.ToString()
+              allow_user_apps = $#{profile_name}.AllowUserApps.ToString()
+              allow_user_ports = $#{profile_name}.AllowUserPorts.ToString()
+              allow_unicast_response = $#{profile_name}.AllowUnicastResponseToMulticast.ToString()
+              display_notification = $#{profile_name}.NotifyOnListen.ToString()
+            }) | ConvertTo-Json
+          EOH
+        end
+
+        def firewall_enabled?(profile_name)
+          cmd = <<~CODE
+            $#{profile_name} = Get-NetFirewallProfile -Profile #{profile_name}
+            if ($#{profile_name}.Enabled) {
+                return $true
+            } else {return $false}
+          CODE
+          firewall_status = powershell_out(cmd).stdout
+          if firewall_status =~ /True/
+            true
+          elsif firewall_status =~ /False/
+            false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/windows_security_policy.rb

@@ -80,13 +80,55 @@ class Chef
       property :secvalue, String, required: true,
       description: "Policy value to be set for policy name."
 
+      load_current_value do |desired|
+        powershell_code = <<-CODE
+          C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\secopts_export.inf | Out-Null
+          # cspell:disable-next-line
+          $security_options_data = (Get-Content $env:TEMP\\secopts_export.inf | Select-String -Pattern "^[CEFLMNPR].* =.*$" | Out-String)
+          Remove-Item $env:TEMP\\secopts_export.inf -force
+          $security_options_hash = ($security_options_data -Replace '"'| ConvertFrom-StringData)
+          ([PSCustomObject]@{
+            RequireLogonToChangePassword = $security_options_hash.RequireLogonToChangePassword
+            PasswordComplexity = $security_options_hash.PasswordComplexity
+            LSAAnonymousNameLookup = $security_options_hash.LSAAnonymousNameLookup
+            EnableAdminAccount = $security_options_hash.EnableAdminAccount
+            PasswordHistorySize = $security_options_hash.PasswordHistorySize
+            MinimumPasswordLength = $security_options_hash.MinimumPasswordLength
+            ResetLockoutCount = $security_options_hash.ResetLockoutCount
+            MaximumPasswordAge = $security_options_hash.MaximumPasswordAge
+            ClearTextPassword = $security_options_hash.ClearTextPassword
+            NewAdministratorName = $security_options_hash.NewAdministratorName
+            LockoutDuration = $security_options_hash.LockoutDuration
+            EnableGuestAccount = $security_options_hash.EnableGuestAccount
+            ForceLogoffWhenHourExpire = $security_options_hash.ForceLogoffWhenHourExpire
+            MinimumPasswordAge = $security_options_hash.MinimumPasswordAge
+            NewGuestName = $security_options_hash.NewGuestName
+            LockoutBadCount = $security_options_hash.LockoutBadCount
+          }) | ConvertTo-Json
+        CODE
+        output = powershell_out(powershell_code)
+        current_value_does_not_exist! if output.stdout.empty?
+        state = Chef::JSONCompat.from_json(output.stdout)
+
+        if desired.secoption == "ResetLockoutCount" || desired.secoption == "LockoutDuration"
+          if state["LockoutBadCount"] == "0"
+            raise Chef::Exceptions::ValidationFailed.new "#{desired.secoption} cannot be set unless the \"LockoutBadCount\" security policy has been set to a non-zero value"
+          else
+            secvalue state[desired.secoption.to_s]
+          end
+        else
+          secvalue state[desired.secoption.to_s]
+        end
+      end
+
       action :set do
-        security_option = new_resource.secoption
-        security_value = new_resource.secvalue
-        powershell_script "#{security_option} set to #{security_value}" do
-          convert_boolean_return true
-          code <<-EOH
+        converge_if_changed :secvalue do
+          security_option = new_resource.secoption
+          security_value = new_resource.secvalue
+
+          cmd = <<-EOH
             $security_option = "#{security_option}"
+            C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf
             if ( ($security_option -match "NewGuestName") -Or ($security_option -match "NewAdministratorName") )
               {
                 $#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace '#{security_option}\\s*=\\s*\\"\\w*\\"', '#{security_option} = "#{security_value}"' } | Set-Content $env:TEMP\\#{security_option}_Export.inf
@@ -99,21 +141,8 @@ class Chef
               }
             Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
           EOH
-          not_if <<-EOH
-            $#{security_option}_Export = C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf
-            $ExportAudit = (Get-Content $env:TEMP\\#{security_option}_Export.inf | Select-String -Pattern #{security_option})
-            $check_digit = $ExportAudit -match '#{security_option} = #{security_value}'
-            $check_string = $ExportAudit -match '#{security_option} = "#{security_value}"'
-            if ( $check_string -Or $check_digit )
-              {
-                Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
-                $true
-              }
-            else
-              {
-                $false
-              }
-          EOH
+
+          powershell_out!(cmd)
         end
       end
     end

data/lib/chef/resource_inspector.rb

@@ -59,11 +59,17 @@ module ResourceInspector
                required: opts[:required] || false,
                default: opts[:default_description] || get_default(opts[:default]),
                name_property: opts[:name_property] || false,
-               equal_to: Array(opts[:equal_to]).sort.map(&:inspect) }
+               equal_to: sort_equal_to(opts[:equal_to]) }
     end
     data
   end
 
+  def self.sort_equal_to(equal_to)
+    Array(equal_to).sort.map(&:inspect)
+  rescue ArgumentError
+    Array(equal_to).map(&:inspect)
+  end
+
   def self.extract_cookbook(path, complete)
     path = File.expand_path(path)
     dir, name = File.split(path)

data/lib/chef/resources.rb

@@ -153,6 +153,7 @@ require_relative "resource/windows_dns_zone"
 require_relative "resource/windows_feature"
 require_relative "resource/windows_feature_dism"
 require_relative "resource/windows_feature_powershell"
+require_relative "resource/windows_firewall_profile"
 require_relative "resource/windows_firewall_rule"
 require_relative "resource/windows_font"
 require_relative "resource/windows_pagefile"