chef 16.2.73 → 16.3.38

Sign up to get free protection for your applications and to get access to all the features.
Files changed (155) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile +4 -4
  3. data/Rakefile +1 -1
  4. data/chef-universal-mingw32.gemspec +2 -2
  5. data/chef.gemspec +2 -1
  6. data/lib/chef/application.rb +12 -0
  7. data/lib/chef/{whitelist.rb → attribute_allowlist.rb} +11 -11
  8. data/lib/chef/{blacklist.rb → attribute_blocklist.rb} +9 -9
  9. data/lib/chef/chef_fs/data_handler/organization_data_handler.rb +1 -2
  10. data/lib/chef/chef_fs/file_system/chef_server/cookbooks_dir.rb +1 -5
  11. data/lib/chef/chef_fs/file_system/repository/base_file.rb +1 -0
  12. data/lib/chef/chef_fs/parallelizer/parallel_enumerable.rb +1 -1
  13. data/lib/chef/client.rb +3 -3
  14. data/lib/chef/cookbook/remote_file_vendor.rb +1 -3
  15. data/lib/chef/cookbook/syntax_check.rb +1 -2
  16. data/lib/chef/cookbook_loader.rb +15 -29
  17. data/lib/chef/data_bag.rb +1 -2
  18. data/lib/chef/deprecated.rb +8 -0
  19. data/lib/chef/dsl/platform_introspection.rb +2 -0
  20. data/lib/chef/environment.rb +1 -2
  21. data/lib/chef/exceptions.rb +3 -0
  22. data/lib/chef/http/authenticator.rb +1 -1
  23. data/lib/chef/knife.rb +4 -4
  24. data/lib/chef/knife/bootstrap.rb +4 -10
  25. data/lib/chef/knife/bootstrap/train_connector.rb +1 -0
  26. data/lib/chef/knife/config_get.rb +1 -0
  27. data/lib/chef/knife/config_list_profiles.rb +4 -1
  28. data/lib/chef/knife/configure.rb +1 -1
  29. data/lib/chef/knife/cookbook_upload.rb +5 -10
  30. data/lib/chef/knife/core/gem_glob_loader.rb +1 -1
  31. data/lib/chef/knife/core/hashed_command_loader.rb +1 -0
  32. data/lib/chef/knife/core/subcommand_loader.rb +20 -1
  33. data/lib/chef/knife/core/ui.rb +8 -2
  34. data/lib/chef/knife/core/windows_bootstrap_context.rb +1 -2
  35. data/lib/chef/knife/rehash.rb +3 -21
  36. data/lib/chef/knife/ssh.rb +5 -1
  37. data/lib/chef/log.rb +7 -2
  38. data/lib/chef/mixin/chef_utils_wiring.rb +40 -0
  39. data/{spec/unit/log_spec.rb → lib/chef/mixin/default_paths.rb} +13 -5
  40. data/lib/chef/mixin/openssl_helper.rb +27 -5
  41. data/lib/chef/mixin/path_sanity.rb +5 -4
  42. data/lib/chef/mixin/shell_out.rb +4 -188
  43. data/lib/chef/mixin/template.rb +1 -0
  44. data/lib/chef/mixin/which.rb +6 -3
  45. data/lib/chef/mixins.rb +1 -0
  46. data/lib/chef/node.rb +36 -12
  47. data/lib/chef/node_map.rb +21 -18
  48. data/lib/chef/platform/service_helpers.rb +31 -28
  49. data/lib/chef/provider/git.rb +12 -4
  50. data/lib/chef/provider/mount/solaris.rb +0 -1
  51. data/lib/chef/provider/package/snap.rb +2 -3
  52. data/lib/chef/provider/package/windows.rb +9 -4
  53. data/lib/chef/provider/package/zypper.rb +0 -1
  54. data/lib/chef/provider/service.rb +2 -2
  55. data/lib/chef/provider/yum_repository.rb +1 -1
  56. data/lib/chef/provider/zypper_repository.rb +1 -1
  57. data/lib/chef/resource.rb +2 -0
  58. data/lib/chef/resource/build_essential.rb +2 -2
  59. data/lib/chef/resource/chef_client_scheduled_task.rb +1 -1
  60. data/lib/chef/resource/chocolatey_feature.rb +1 -2
  61. data/lib/chef/resource/cron/cron_d.rb +1 -1
  62. data/lib/chef/resource/cron_access.rb +2 -2
  63. data/lib/chef/resource/execute.rb +2 -2
  64. data/lib/chef/resource/lwrp_base.rb +1 -0
  65. data/lib/chef/resource/macos_userdefaults.rb +176 -61
  66. data/lib/chef/resource/openssl_x509_certificate.rb +11 -14
  67. data/lib/chef/resource/openssl_x509_crl.rb +1 -2
  68. data/lib/chef/resource/service.rb +2 -2
  69. data/lib/chef/resource/ssh_known_hosts_entry.rb +1 -1
  70. data/lib/chef/resource/sudo.rb +1 -1
  71. data/lib/chef/resource/user_ulimit.rb +1 -1
  72. data/lib/chef/resource/windows_dns_record.rb +17 -0
  73. data/lib/chef/resource/windows_firewall_profile.rb +197 -0
  74. data/lib/chef/resource/windows_security_policy.rb +49 -20
  75. data/lib/chef/resource_inspector.rb +7 -1
  76. data/lib/chef/resources.rb +1 -0
  77. data/lib/chef/role.rb +1 -2
  78. data/lib/chef/shell/shell_session.rb +2 -0
  79. data/lib/chef/util/diff.rb +0 -1
  80. data/lib/chef/version.rb +2 -2
  81. data/lib/chef/win32/registry.rb +1 -2
  82. data/spec/functional/knife/ssh_spec.rb +5 -16
  83. data/spec/functional/resource/aix_service_spec.rb +0 -2
  84. data/spec/functional/resource/aixinit_service_spec.rb +0 -1
  85. data/spec/functional/resource/apt_package_spec.rb +0 -1
  86. data/spec/functional/resource/cron_spec.rb +0 -1
  87. data/spec/functional/resource/git_spec.rb +23 -1
  88. data/spec/functional/resource/group_spec.rb +6 -2
  89. data/spec/functional/resource/insserv_spec.rb +0 -1
  90. data/spec/functional/resource/remote_file_spec.rb +1 -7
  91. data/spec/functional/resource/windows_user_privilege_spec.rb +1 -1
  92. data/spec/functional/run_lock_spec.rb +2 -1
  93. data/spec/functional/shell_spec.rb +5 -5
  94. data/spec/functional/util/powershell/cmdlet_spec.rb +1 -1
  95. data/spec/functional/version_spec.rb +1 -1
  96. data/spec/integration/knife/config_list_profiles_spec.rb +30 -2
  97. data/spec/integration/knife/cookbook_upload_spec.rb +27 -0
  98. data/spec/integration/recipes/accumulator_spec.rb +1 -1
  99. data/spec/integration/recipes/lwrp_inline_resources_spec.rb +1 -1
  100. data/spec/integration/recipes/lwrp_spec.rb +1 -1
  101. data/spec/integration/recipes/notifies_spec.rb +1 -1
  102. data/spec/integration/recipes/notifying_block_spec.rb +1 -1
  103. data/spec/integration/recipes/recipe_dsl_spec.rb +1 -1
  104. data/spec/integration/recipes/resource_converge_if_changed_spec.rb +2 -0
  105. data/spec/integration/recipes/resource_load_spec.rb +2 -0
  106. data/spec/integration/recipes/unified_mode_spec.rb +1 -1
  107. data/spec/integration/recipes/use_partial_spec.rb +1 -1
  108. data/spec/scripts/ssl-serve.rb +1 -1
  109. data/spec/spec_helper.rb +10 -4
  110. data/spec/support/chef_helpers.rb +1 -20
  111. data/spec/support/platform_helpers.rb +0 -2
  112. data/spec/support/shared/functional/file_resource.rb +0 -1
  113. data/spec/support/shared/integration/knife_support.rb +2 -9
  114. data/spec/support/shared/unit/application_dot_d.rb +0 -1
  115. data/spec/unit/application_spec.rb +4 -2
  116. data/spec/unit/chef_fs/file_system/operation_failed_error_spec.rb +2 -4
  117. data/spec/unit/chef_fs/{parallelizer.rb → parallelizer_spec.rb} +1 -1
  118. data/spec/unit/cookbook/gem_installer_spec.rb +2 -1
  119. data/spec/unit/data_collector_spec.rb +1 -1
  120. data/spec/unit/dsl/platform_introspection_spec.rb +1 -0
  121. data/spec/unit/event_dispatch/dispatcher_spec.rb +3 -0
  122. data/spec/unit/json_compat_spec.rb +1 -1
  123. data/spec/unit/knife/bootstrap_spec.rb +2 -6
  124. data/spec/unit/knife/cookbook_upload_spec.rb +7 -10
  125. data/spec/unit/log/syslog_spec.rb +6 -10
  126. data/spec/unit/log/winevt_spec.rb +21 -13
  127. data/spec/unit/lwrp_spec.rb +4 -4
  128. data/spec/unit/mixin/{path_sanity_spec.rb → default_paths_spec.rb} +14 -14
  129. data/spec/unit/mixin/powershell_exec_spec.rb +1 -1
  130. data/spec/unit/mixin/securable_spec.rb +0 -1
  131. data/spec/unit/mixin/shell_out_spec.rb +25 -26
  132. data/spec/unit/mixin/which.rb +8 -0
  133. data/spec/unit/node_spec.rb +98 -11
  134. data/spec/unit/property_spec.rb +5 -5
  135. data/spec/unit/provider/execute_spec.rb +0 -7
  136. data/spec/unit/provider/ifconfig_spec.rb +0 -1
  137. data/spec/unit/provider/package/dnf/python_helper_spec.rb +1 -1
  138. data/spec/unit/provider/package/rubygems_spec.rb +5 -10
  139. data/spec/unit/provider/package/smartos_spec.rb +1 -1
  140. data/spec/unit/provider/package/windows_spec.rb +30 -53
  141. data/spec/unit/provider/service/redhat_spec.rb +1 -1
  142. data/spec/unit/provider/service/windows_spec.rb +2 -6
  143. data/spec/unit/provider/systemd_unit_spec.rb +28 -24
  144. data/spec/unit/provider_spec.rb +1 -0
  145. data/spec/unit/resource/execute_spec.rb +10 -0
  146. data/spec/unit/resource/macos_user_defaults_spec.rb +103 -2
  147. data/spec/unit/resource/windows_firewall_profile_spec.rb +77 -0
  148. data/spec/unit/resource/windows_package_spec.rb +1 -0
  149. data/spec/unit/resource_reporter_spec.rb +1 -1
  150. data/spec/unit/run_context/cookbook_compiler_spec.rb +1 -1
  151. data/spec/unit/run_lock_spec.rb +1 -1
  152. data/spec/unit/scan_access_control_spec.rb +1 -1
  153. data/spec/unit/util/diff_spec.rb +1 -15
  154. data/spec/unit/win32/security_spec.rb +4 -3
  155. metadata +30 -13
@@ -206,12 +206,11 @@ class Chef
206
206
  end
207
207
 
208
208
  def request
209
- request = if new_resource.csr_file.nil?
210
- gen_x509_request(subject, key)
211
- else
212
- OpenSSL::X509::Request.new ::File.read(new_resource.csr_file)
213
- end
214
- request
209
+ if new_resource.csr_file.nil?
210
+ gen_x509_request(subject, key)
211
+ else
212
+ OpenSSL::X509::Request.new ::File.read(new_resource.csr_file)
213
+ end
215
214
  end
216
215
 
217
216
  def subject
@@ -227,12 +226,11 @@ class Chef
227
226
  end
228
227
 
229
228
  def ca_private_key
230
- ca_private_key = if new_resource.csr_file.nil?
231
- key
232
- else
233
- OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
234
- end
235
- ca_private_key
229
+ if new_resource.csr_file.nil?
230
+ key
231
+ else
232
+ OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
233
+ end
236
234
  end
237
235
 
238
236
  def ca_info
@@ -258,8 +256,7 @@ class Chef
258
256
  end
259
257
 
260
258
  def cert
261
- cert = gen_x509_cert(request, extensions, ca_info, ca_private_key)
262
- cert
259
+ gen_x509_cert(request, extensions, ca_info, ca_private_key)
263
260
  end
264
261
  end
265
262
  end
@@ -113,8 +113,7 @@ class Chef
113
113
  end
114
114
 
115
115
  def ca_private_key
116
- ca_private_key = ::OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
117
- ca_private_key
116
+ ::OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
118
117
  end
119
118
 
120
119
  def crl
@@ -25,8 +25,8 @@ require_relative "../dist"
25
25
  class Chef
26
26
  class Resource
27
27
  class Service < Chef::Resource
28
- include ChefUtils::DSL::Service
29
- extend ChefUtils::DSL::Service
28
+ include Chef::Platform::ServiceHelpers
29
+ extend Chef::Platform::ServiceHelpers
30
30
  unified_mode true
31
31
 
32
32
  provides :service, target_mode: true
@@ -106,7 +106,7 @@ class Chef
106
106
 
107
107
  r = with_run_context :root do
108
108
  find_resource(:template, "update ssh known hosts file #{new_resource.file_location}") do
109
- source ::File.expand_path("../support/ssh_known_hosts.erb", __FILE__)
109
+ source ::File.expand_path("support/ssh_known_hosts.erb", __dir__)
110
110
  local true
111
111
  path new_resource.file_location
112
112
  owner new_resource.owner
@@ -199,7 +199,7 @@ class Chef
199
199
  end
200
200
  else
201
201
  template file_path do
202
- source ::File.expand_path("../support/sudoer.erb", __FILE__)
202
+ source ::File.expand_path("support/sudoer.erb", __dir__)
203
203
  local true
204
204
  mode "0440"
205
205
  variables sudoer: (new_resource.groups + new_resource.users).join(","),
@@ -80,7 +80,7 @@ class Chef
80
80
 
81
81
  action :create do
82
82
  template "/etc/security/limits.d/#{new_resource.filename}" do
83
- source ::File.expand_path("../support/ulimit.erb", __FILE__)
83
+ source ::File.expand_path("support/ulimit.erb", __dir__)
84
84
  local true
85
85
  mode "0644"
86
86
  variables(
@@ -42,18 +42,34 @@ class Chef
42
42
  description: "The type of record to create, can be either ARecord, CNAME or PTR.",
43
43
  default: "ARecord", equal_to: %w{ARecord CNAME PTR}
44
44
 
45
+ property :dns_server, String,
46
+ description: "The name of the DNS server on which to create the record.",
47
+ default: "localhost",
48
+ introduced: "16.3"
49
+
45
50
  action :create do
46
51
  description "Creates and updates the DNS entry."
47
52
 
53
+ windows_feature "RSAT-DNS-Server" do
54
+ not_if new_resource.dns_server.casecmp?("localhost")
55
+ end
56
+
48
57
  powershell_package "xDnsServer" do
49
58
  end
59
+
50
60
  do_it "Present"
51
61
  end
52
62
 
53
63
  action :delete do
54
64
  description "Deletes a DNS entry."
65
+
66
+ windows_feature "RSAT-DNS-Server" do
67
+ not_if new_resource.dns_server.casecmp?("localhost")
68
+ end
69
+
55
70
  powershell_package "xDnsServer" do
56
71
  end
72
+
57
73
  do_it "Absent"
58
74
  end
59
75
 
@@ -67,6 +83,7 @@ class Chef
67
83
  property :Zone, new_resource.zone
68
84
  property :Type, new_resource.record_type
69
85
  property :Target, new_resource.target
86
+ property :DnsServer, new_resource.dns_server
70
87
  end
71
88
  end
72
89
  end
@@ -0,0 +1,197 @@
1
+ #
2
+ # Author:: John McCrae (<jmccrae@chef.io>)
3
+ # Author:: Davin Taddeo (<davin@chef.io>)
4
+ # Copyright:: Copyright (c) Chef Software Inc.
5
+ #
6
+ # Licensed under the Apache License, Version 2.0 (the "License");
7
+ # you may not use this file except in compliance with the License.
8
+ # You may obtain a copy of the License at
9
+ #
10
+ # http://www.apache.org/licenses/LICENSE-2.0
11
+ #
12
+ # Unless required by applicable law or agreed to in writing, software
13
+ # distributed under the License is distributed on an "AS IS" BASIS,
14
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15
+ # See the License for the specific language governing permissions and
16
+ # limitations under the License.
17
+ #
18
+
19
+ class Chef
20
+ class Resource
21
+ class WindowsFirewallProfile < Chef::Resource
22
+ provides :windows_firewall_profile
23
+ description "Use the **windows_firewall_profile** resource to enable, disable, and configure the Windows firewall."
24
+ introduced "16.3"
25
+
26
+ examples <<~DOC
27
+ **Enable and Configure the Private Profile of the Windows Profile**:
28
+
29
+ ```ruby
30
+ windows_firewall_profile 'Private' do
31
+ default_inbound_action 'Block'
32
+ default_outbound_action 'Allow'
33
+ allow_inbound_rules true
34
+ display_notification false
35
+ action :enable
36
+ end
37
+ ```
38
+
39
+ **Enable and Configure the Public Profile of the Windows Firewall**:
40
+
41
+ ```ruby
42
+ windows_firewall_profile 'Public' do
43
+ default_inbound_action 'Block'
44
+ default_outbound_action 'Allow'
45
+ allow_inbound_rules false
46
+ display_notification false
47
+ action :enable
48
+ end
49
+ ```
50
+
51
+ **Disable the Domain Profile of the Windows Firewall**:
52
+
53
+ ```ruby
54
+ windows_firewall_profile 'Disable the Domain Profile of the Windows Firewall' do
55
+ profile 'Domain'
56
+ action :disable
57
+ end
58
+ ```
59
+ DOC
60
+
61
+ unified_mode true
62
+
63
+ property :profile, String,
64
+ name_property: true,
65
+ equal_to: %w{ Domain Public Private },
66
+ description: "Set the Windows Profile being configured"
67
+
68
+ property :default_inbound_action, [String, nil],
69
+ equal_to: %w{ Allow Block NotConfigured },
70
+ description: "Set the default policy for inbound network traffic"
71
+
72
+ property :default_outbound_action, [String, nil],
73
+ equal_to: %w{ Allow Block NotConfigured },
74
+ description: "Set the default policy for outbound network traffic"
75
+
76
+ property :allow_inbound_rules, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow users to set inbound firewall rules"
77
+ property :allow_local_firewall_rules, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Merges inbound firewall rules into the policy"
78
+ property :allow_local_ipsec_rules, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow users to manage local connection security rules"
79
+ property :allow_user_apps, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow user applications to manage firewall"
80
+ property :allow_user_ports, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow users to manage firewall port rules"
81
+ property :allow_unicast_response, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Allow unicast responses to multicast and broadcast messages"
82
+ property :display_notification, [true, false, String], equal_to: [true, false, "NotConfigured"], description: "Display a notification when firewall blocks certain activity"
83
+
84
+ load_current_value do |desired|
85
+ ps_get_net_fw_profile = load_firewall_state(desired.profile)
86
+ output = powershell_out(ps_get_net_fw_profile)
87
+ if output.stdout.empty?
88
+ current_value_does_not_exist!
89
+ else
90
+ state = Chef::JSONCompat.from_json(output.stdout)
91
+ end
92
+
93
+ default_inbound_action state["default_inbound_action"]
94
+ default_outbound_action state["default_outbound_action"]
95
+ allow_inbound_rules convert_to_ruby(state["allow_inbound_rules"])
96
+ allow_local_firewall_rules convert_to_ruby(state["allow_local_firewall_rules"])
97
+ allow_local_ipsec_rules convert_to_ruby(state["allow_local_ipsec_rules"])
98
+ allow_user_apps convert_to_ruby(state["allow_user_apps"])
99
+ allow_user_ports convert_to_ruby(state["allow_user_ports"])
100
+ allow_unicast_response convert_to_ruby(state["allow_unicast_response"])
101
+ display_notification convert_to_ruby(state["display_notification"])
102
+ end
103
+
104
+ def convert_to_ruby(obj)
105
+ if obj.to_s.downcase == "true"
106
+ true
107
+ elsif obj.to_s.downcase == "false"
108
+ false
109
+ elsif obj.to_s.downcase == "notconfigured"
110
+ "NotConfigured"
111
+ end
112
+ end
113
+
114
+ def convert_to_powershell(obj)
115
+ if obj.to_s.downcase == "true"
116
+ "True"
117
+ elsif obj.to_s.downcase == "false"
118
+ "False"
119
+ elsif obj.to_s.downcase == "notconfigured"
120
+ "NotConfigured"
121
+ end
122
+ end
123
+
124
+ action :enable do
125
+ converge_if_changed :default_inbound_action, :default_outbound_action, :allow_inbound_rules, :allow_local_firewall_rules,
126
+ :allow_local_ipsec_rules, :allow_user_apps, :allow_user_ports, :allow_unicast_response, :display_notification do
127
+ fw_cmd = firewall_command(new_resource.profile)
128
+ powershell_exec!(fw_cmd)
129
+ end
130
+ unless firewall_enabled?(new_resource.profile)
131
+ converge_by "Enable the #{new_resource.profile} Firewall Profile" do
132
+ cmd = "Set-NetFirewallProfile -Profile #{new_resource.profile} -Enabled \"True\""
133
+ powershell_out!(cmd)
134
+ end
135
+ end
136
+ end
137
+
138
+ action :disable do
139
+ if firewall_enabled?(new_resource.profile)
140
+ converge_by "Disable the #{new_resource.profile} Firewall Profile" do
141
+ cmd = "Set-NetFirewallProfile -Profile #{new_resource.profile} -Enabled \"False\""
142
+ powershell_out!(cmd)
143
+ end
144
+ end
145
+ end
146
+
147
+ action_class do
148
+ def firewall_command(fw_profile)
149
+ cmd = "Set-NetFirewallProfile -Profile \"#{fw_profile}\""
150
+ cmd << " -DefaultInboundAction \"#{new_resource.default_inbound_action}\"" unless new_resource.default_inbound_action.nil?
151
+ cmd << " -DefaultOutboundAction \"#{new_resource.default_outbound_action}\"" unless new_resource.default_outbound_action.nil?
152
+ cmd << " -AllowInboundRules \"#{convert_to_powershell(new_resource.allow_inbound_rules)}\"" unless new_resource.allow_inbound_rules.nil?
153
+ cmd << " -AllowLocalFirewallRules \"#{convert_to_powershell(new_resource.allow_local_firewall_rules)}\"" unless new_resource.allow_local_firewall_rules.nil?
154
+ cmd << " -AllowLocalIPsecRules \"#{convert_to_powershell(new_resource.allow_local_ipsec_rules)}\"" unless new_resource.allow_local_ipsec_rules.nil?
155
+ cmd << " -AllowUserApps \"#{convert_to_powershell(new_resource.allow_user_apps)}\"" unless new_resource.allow_user_apps.nil?
156
+ cmd << " -AllowUserPorts \"#{convert_to_powershell(new_resource.allow_user_ports)}\"" unless new_resource.allow_user_ports.nil?
157
+ cmd << " -AllowUnicastResponseToMulticast \"#{convert_to_powershell(new_resource.allow_unicast_response)}\"" unless new_resource.allow_unicast_response.nil?
158
+ cmd << " -NotifyOnListen \"#{convert_to_powershell(new_resource.display_notification)}\"" unless new_resource.display_notification.nil?
159
+ cmd
160
+ end
161
+
162
+ def load_firewall_state(profile_name)
163
+ <<-EOH
164
+ Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
165
+ $#{profile_name} = Get-NetFirewallProfile -Profile #{profile_name}
166
+ ([PSCustomObject]@{
167
+ default_inbound_action = $#{profile_name}.DefaultInboundAction.ToString()
168
+ default_outbound_action = $#{profile_name}.DefaultOutboundAction.ToString()
169
+ allow_inbound_rules = $#{profile_name}.AllowInboundRules.ToString()
170
+ allow_local_firewall_rules = $#{profile_name}.AllowLocalFirewallRules.ToString()
171
+ allow_local_ipsec_rules = $#{profile_name}.AllowLocalIPsecRules.ToString()
172
+ allow_user_apps = $#{profile_name}.AllowUserApps.ToString()
173
+ allow_user_ports = $#{profile_name}.AllowUserPorts.ToString()
174
+ allow_unicast_response = $#{profile_name}.AllowUnicastResponseToMulticast.ToString()
175
+ display_notification = $#{profile_name}.NotifyOnListen.ToString()
176
+ }) | ConvertTo-Json
177
+ EOH
178
+ end
179
+
180
+ def firewall_enabled?(profile_name)
181
+ cmd = <<~CODE
182
+ $#{profile_name} = Get-NetFirewallProfile -Profile #{profile_name}
183
+ if ($#{profile_name}.Enabled) {
184
+ return $true
185
+ } else {return $false}
186
+ CODE
187
+ firewall_status = powershell_out(cmd).stdout
188
+ if firewall_status =~ /True/
189
+ true
190
+ elsif firewall_status =~ /False/
191
+ false
192
+ end
193
+ end
194
+ end
195
+ end
196
+ end
197
+ end
@@ -80,13 +80,55 @@ class Chef
80
80
  property :secvalue, String, required: true,
81
81
  description: "Policy value to be set for policy name."
82
82
 
83
+ load_current_value do |desired|
84
+ powershell_code = <<-CODE
85
+ C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\secopts_export.inf | Out-Null
86
+ # cspell:disable-next-line
87
+ $security_options_data = (Get-Content $env:TEMP\\secopts_export.inf | Select-String -Pattern "^[CEFLMNPR].* =.*$" | Out-String)
88
+ Remove-Item $env:TEMP\\secopts_export.inf -force
89
+ $security_options_hash = ($security_options_data -Replace '"'| ConvertFrom-StringData)
90
+ ([PSCustomObject]@{
91
+ RequireLogonToChangePassword = $security_options_hash.RequireLogonToChangePassword
92
+ PasswordComplexity = $security_options_hash.PasswordComplexity
93
+ LSAAnonymousNameLookup = $security_options_hash.LSAAnonymousNameLookup
94
+ EnableAdminAccount = $security_options_hash.EnableAdminAccount
95
+ PasswordHistorySize = $security_options_hash.PasswordHistorySize
96
+ MinimumPasswordLength = $security_options_hash.MinimumPasswordLength
97
+ ResetLockoutCount = $security_options_hash.ResetLockoutCount
98
+ MaximumPasswordAge = $security_options_hash.MaximumPasswordAge
99
+ ClearTextPassword = $security_options_hash.ClearTextPassword
100
+ NewAdministratorName = $security_options_hash.NewAdministratorName
101
+ LockoutDuration = $security_options_hash.LockoutDuration
102
+ EnableGuestAccount = $security_options_hash.EnableGuestAccount
103
+ ForceLogoffWhenHourExpire = $security_options_hash.ForceLogoffWhenHourExpire
104
+ MinimumPasswordAge = $security_options_hash.MinimumPasswordAge
105
+ NewGuestName = $security_options_hash.NewGuestName
106
+ LockoutBadCount = $security_options_hash.LockoutBadCount
107
+ }) | ConvertTo-Json
108
+ CODE
109
+ output = powershell_out(powershell_code)
110
+ current_value_does_not_exist! if output.stdout.empty?
111
+ state = Chef::JSONCompat.from_json(output.stdout)
112
+
113
+ if desired.secoption == "ResetLockoutCount" || desired.secoption == "LockoutDuration"
114
+ if state["LockoutBadCount"] == "0"
115
+ raise Chef::Exceptions::ValidationFailed.new "#{desired.secoption} cannot be set unless the \"LockoutBadCount\" security policy has been set to a non-zero value"
116
+ else
117
+ secvalue state[desired.secoption.to_s]
118
+ end
119
+ else
120
+ secvalue state[desired.secoption.to_s]
121
+ end
122
+ end
123
+
83
124
  action :set do
84
- security_option = new_resource.secoption
85
- security_value = new_resource.secvalue
86
- powershell_script "#{security_option} set to #{security_value}" do
87
- convert_boolean_return true
88
- code <<-EOH
125
+ converge_if_changed :secvalue do
126
+ security_option = new_resource.secoption
127
+ security_value = new_resource.secvalue
128
+
129
+ cmd = <<-EOH
89
130
  $security_option = "#{security_option}"
131
+ C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf
90
132
  if ( ($security_option -match "NewGuestName") -Or ($security_option -match "NewAdministratorName") )
91
133
  {
92
134
  $#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace '#{security_option}\\s*=\\s*\\"\\w*\\"', '#{security_option} = "#{security_value}"' } | Set-Content $env:TEMP\\#{security_option}_Export.inf
@@ -99,21 +141,8 @@ class Chef
99
141
  }
100
142
  Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
101
143
  EOH
102
- not_if <<-EOH
103
- $#{security_option}_Export = C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf
104
- $ExportAudit = (Get-Content $env:TEMP\\#{security_option}_Export.inf | Select-String -Pattern #{security_option})
105
- $check_digit = $ExportAudit -match '#{security_option} = #{security_value}'
106
- $check_string = $ExportAudit -match '#{security_option} = "#{security_value}"'
107
- if ( $check_string -Or $check_digit )
108
- {
109
- Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
110
- $true
111
- }
112
- else
113
- {
114
- $false
115
- }
116
- EOH
144
+
145
+ powershell_out!(cmd)
117
146
  end
118
147
  end
119
148
  end
@@ -59,11 +59,17 @@ module ResourceInspector
59
59
  required: opts[:required] || false,
60
60
  default: opts[:default_description] || get_default(opts[:default]),
61
61
  name_property: opts[:name_property] || false,
62
- equal_to: Array(opts[:equal_to]).sort.map(&:inspect) }
62
+ equal_to: sort_equal_to(opts[:equal_to]) }
63
63
  end
64
64
  data
65
65
  end
66
66
 
67
+ def self.sort_equal_to(equal_to)
68
+ Array(equal_to).sort.map(&:inspect)
69
+ rescue ArgumentError
70
+ Array(equal_to).map(&:inspect)
71
+ end
72
+
67
73
  def self.extract_cookbook(path, complete)
68
74
  path = File.expand_path(path)
69
75
  dir, name = File.split(path)
@@ -153,6 +153,7 @@ require_relative "resource/windows_dns_zone"
153
153
  require_relative "resource/windows_feature"
154
154
  require_relative "resource/windows_feature_dism"
155
155
  require_relative "resource/windows_feature_powershell"
156
+ require_relative "resource/windows_firewall_profile"
156
157
  require_relative "resource/windows_firewall_rule"
157
158
  require_relative "resource/windows_font"
158
159
  require_relative "resource/windows_pagefile"