chef 16.4.38 → 16.7.61

data/lib/chef/resource/windows_ad_join.rb

@@ -16,7 +16,7 @@
 #
 
 require_relative "../resource"
-require_relative "../dist"
+require "chef-utils/dist" unless defined?(ChefUtils::Dist)
 
 class Chef
   class Resource
@@ -76,10 +76,15 @@ class Chef
 
       property :reboot, Symbol,
         equal_to: %i{immediate delayed never request_reboot reboot_now},
-        validation_message: "The reboot property accepts :immediate (reboot as soon as the resource completes), :delayed (reboot once the #{Chef::Dist::PRODUCT} run completes), and :never (Don't reboot)",
-        description: "Controls the system reboot behavior post domain joining. Reboot immediately, after the #{Chef::Dist::PRODUCT} run completes, or never. Note that a reboot is necessary for changes to take effect.",
+        validation_message: "The reboot property accepts :immediate (reboot as soon as the resource completes), :delayed (reboot once the #{ChefUtils::Dist::Infra::PRODUCT} run completes), and :never (Don't reboot)",
+        description: "Controls the system reboot behavior post domain joining. Reboot immediately, after the #{ChefUtils::Dist::Infra::PRODUCT} run completes, or never. Note that a reboot is necessary for changes to take effect.",
         default: :immediate
 
+      property :reboot_delay, Integer,
+        description: "The amount of time (in minutes) to delay a reboot request.",
+        default: 0,
+        introduced: "16.5"
+
       property :new_hostname, String,
         description: "Specifies a new hostname for the computer in the new domain.",
         introduced: "14.5"
@@ -104,18 +109,19 @@ class Chef
           cmd << " -Force"
 
           converge_by("join Active Directory domain #{new_resource.domain_name}") do
-            ps_run = powershell_out(cmd)
+            ps_run = powershell_exec(cmd)
             if ps_run.error?
               if sensitive?
                 raise "Failed to join the domain #{new_resource.domain_name}: *suppressed sensitive resource output*"
               else
-                raise "Failed to join the domain #{new_resource.domain_name}: #{ps_run.stderr}"
+                raise "Failed to join the domain #{new_resource.domain_name}: #{ps_run.errors}"
               end
             end
 
             unless new_resource.reboot == :never
               reboot "Reboot to join domain #{new_resource.domain_name}" do
                 action clarify_reboot(new_resource.reboot)
+                delay_mins new_resource.reboot_delay
                 reason "Reboot to join domain #{new_resource.domain_name}"
               end
             end
@@ -137,18 +143,19 @@ class Chef
           cmd << " -Force"
 
           converge_by("leave Active Directory domain #{node_domain}") do
-            ps_run = powershell_out(cmd)
+            ps_run = powershell_exec(cmd)
             if ps_run.error?
               if sensitive?
                 raise "Failed to leave the domain #{node_domain}: *suppressed sensitive resource output*"
               else
-                raise "Failed to leave the domain #{node_domain}: #{ps_run.stderr}"
+                raise "Failed to leave the domain #{node_domain}: #{ps_run.errors}"
               end
             end
 
             unless new_resource.reboot == :never
               reboot "Reboot to leave domain #{new_resource.domain_name}" do
                 action clarify_reboot(new_resource.reboot)
+                delay_mins new_resource.reboot_delay
                 reason "Reboot to leave domain #{new_resource.domain_name}"
               end
             end
@@ -163,10 +170,10 @@ class Chef
         #   workgroup the node is a member of.
         #
         def node_domain
-          node_domain = powershell_out!("(Get-WmiObject Win32_ComputerSystem).Domain")
-          raise "Failed to check if the system is joined to the domain #{new_resource.domain_name}: #{node_domain.stderr}}" if node_domain.error?
+          node_domain = powershell_exec!("(Get-WmiObject Win32_ComputerSystem).Domain")
+          raise "Failed to check if the system is joined to the domain #{new_resource.domain_name}: #{node_domain.errors}}" if node_domain.error?
 
-          node_domain.stdout.downcase.strip
+          node_domain.result.downcase.strip
         end
 
         #
@@ -175,10 +182,10 @@ class Chef
         #   workgroup.
         #
         def node_workgroup
-          node_workgroup = powershell_out!("(Get-WmiObject Win32_ComputerSystem).Workgroup")
+          node_workgroup = powershell_exec!("(Get-WmiObject Win32_ComputerSystem).Workgroup")
           raise "Failed to check if the system is currently a member of a workgroup" if node_workgroup.error?
 
-          node_workgroup.stdout.downcase.strip
+          node_workgroup.result
         end
 
         #

data/lib/chef/resource/windows_audit_policy.rb

@@ -152,30 +152,6 @@ class Chef
       property :audit_base_directories, [true, false],
                description: "Setting this audit policy option to true will force the system to assign a System Access Control List to named objects to enable auditing of container objects such as directories."
 
-      def subcategory_configured?(sub_cat, success_value, failure_value)
-        setting = if success_value && failure_value
-                    "Success and Failure$"
-                  elsif success_value && !failure_value
-                    "Success$"
-                  elsif !success_value && failure_value
-                    "(Failure$)&!(Success and Failure$)"
-                  else
-                    "No Auditing"
-                  end
-        powershell_exec(<<-CODE).result
-          $auditpol_config = auditpol /get /subcategory:"#{sub_cat}"
-          if ($auditpol_config | Select-String "#{setting}") { return $true } else { return $false }
-        CODE
-      end
-
-      def option_configured?(option_name, option_setting)
-        setting = option_setting ? "Enabled$" : "Disabled$"
-        powershell_exec(<<-CODE).result
-          $auditpol_config = auditpol /get /option:#{option_name}
-          if ($auditpol_config | Select-String "#{setting}") { return $true } else { return $false }
-        CODE
-      end
-
       action :set do
         unless new_resource.subcategory.nil?
           new_resource.subcategory.each do |subcategory|
@@ -225,6 +201,32 @@ class Chef
           end
         end
       end
+
+      action_class do
+        def subcategory_configured?(sub_cat, success_value, failure_value)
+          setting = if success_value && failure_value
+                      "Success and Failure$"
+                    elsif success_value && !failure_value
+                      "Success$"
+                    elsif !success_value && failure_value
+                      "#{sub_cat}\\s+Failure$"
+                    else
+                      "No Auditing"
+                    end
+          powershell_exec!(<<-CODE).result
+            $auditpol_config = auditpol /get /subcategory:"#{sub_cat}"
+            if ($auditpol_config | Select-String "#{setting}") { return $true } else { return $false }
+          CODE
+        end
+
+        def option_configured?(option_name, option_setting)
+          setting = option_setting ? "Enabled$" : "Disabled$"
+          powershell_exec!(<<-CODE).result
+            $auditpol_config = auditpol /get /option:#{option_name}
+            if ($auditpol_config | Select-String "#{setting}") { return $true } else { return $false }
+          CODE
+        end
+      end
     end
   end
 end

data/lib/chef/resource/windows_certificate.rb

@@ -19,9 +19,11 @@
 
 require_relative "../util/path_helper"
 require_relative "../resource"
-require "win32-certstore" if Chef::Platform.windows?
-require "openssl" unless defined?(OpenSSL)
-require_relative "../dist"
+module Win32
+  autoload :Certstore, "win32-certstore" if Chef::Platform.windows?
+end
+autoload :OpenSSL, "openssl"
+require "chef-utils/dist" unless defined?(ChefUtils::Dist)
 
 class Chef
   class Resource
@@ -78,11 +80,11 @@ class Chef
         default: false
 
       property :cert_path, String,
-        description: ""
+        description: "The path to the certificate."
 
       # lazy used to set default value of sensitive to true if password is set
       property :sensitive, [TrueClass, FalseClass],
-        description: "Ensure that sensitive resource data is not logged by the #{Chef::Dist::CLIENT}.",
+        description: "Ensure that sensitive resource data is not logged by the #{ChefUtils::Dist::Infra::CLIENT}.",
         default: lazy { pfx_password ? true : false }, skip_docs: true
 
       action :create do
@@ -205,16 +207,16 @@ class Chef
           when ".der"
             out_file.puts(cert_obj.to_der)
           when ".cer"
-            cert_out = powershell_out("openssl x509 -text -inform DER -in #{cert_obj.to_pem} -outform CER").stdout
+            cert_out = shell_out("openssl x509 -text -inform DER -in #{cert_obj.to_pem} -outform CER").stdout
             out_file.puts(cert_out)
           when ".crt"
-            cert_out = powershell_out("openssl x509 -text -inform DER -in #{cert_obj.to_pem} -outform CRT").stdout
+            cert_out = shell_out("openssl x509 -text -inform DER -in #{cert_obj.to_pem} -outform CRT").stdout
             out_file.puts(cert_out)
           when ".pfx"
-            cert_out = powershell_out("openssl pkcs12 -export -nokeys -in #{cert_obj.to_pem} -outform PFX").stdout
+            cert_out = shell_out("openssl pkcs12 -export -nokeys -in #{cert_obj.to_pem} -outform PFX").stdout
             out_file.puts(cert_out)
           when ".p7b"
-            cert_out = powershell_out("openssl pkcs7 -export -nokeys -in #{cert_obj.to_pem} -outform P7B").stdout
+            cert_out = shell_out("openssl pkcs7 -export -nokeys -in #{cert_obj.to_pem} -outform P7B").stdout
             out_file.puts(cert_out)
           else
             Chef::Log.info("Supported certificate format .pem, .der, .cer, .crt, .pfx and .p7b")
@@ -325,7 +327,7 @@ class Chef
         # @return [Boolean] Whether the certificate file is binary encoded or not
         #
         def binary_cert?
-          powershell_out!("file -b --mime-encoding #{new_resource.source}").stdout.strip == "binary"
+          shell_out!("file -b --mime-encoding #{new_resource.source}").stdout.strip == "binary"
         end
 
         # Imports the certificate object into cert store

data/lib/chef/resource/windows_dfs_server.rb

@@ -49,14 +49,14 @@ class Chef
         default: 3600
 
       load_current_value do
-        ps_results = powershell_out("Get-DfsnServerConfiguration -ComputerName '#{ENV["COMPUTERNAME"]}' | Select LdapTimeoutSec, PreferLogonDC, EnableSiteCostedReferrals, SyncIntervalSec, UseFqdn | ConvertTo-Json")
+        ps_results = powershell_exec("Get-DfsnServerConfiguration -ComputerName '#{ENV["COMPUTERNAME"]}' | Select LdapTimeoutSec, PreferLogonDC, EnableSiteCostedReferrals, SyncIntervalSec, UseFqdn")
 
         if ps_results.error?
           raise "The dfs_server resource failed to fetch the current state via the Get-DfsnServerConfiguration PowerShell cmdlet. Is the DFS Windows feature installed?"
         end
 
-        Chef::Log.debug("The Get-DfsnServerConfiguration results were #{ps_results.stdout}")
-        results = Chef::JSONCompat.from_json(ps_results.stdout)
+        Chef::Log.debug("The Get-DfsnServerConfiguration results were #{ps_results.result}")
+        results = ps_results.result
 
         use_fqdn results["UseFqdn"] || false
         ldap_timeout_secs results["LdapTimeoutSec"]
@@ -69,7 +69,10 @@ class Chef
         description "Configure DFS settings."
 
         converge_if_changed do
-          powershell_out("Set-DfsnServerConfiguration -ComputerName '#{ENV["COMPUTERNAME"]}' EnableSiteCostedReferrals $#{new_resource.enable_site_costed_referrals} -UseFqdn $#{new_resource.use_fqdn} -LdapTimeoutSec #{new_resource.ldap_timeout_secs} -PreferLogonDC $#{new_resource.prefer_login_dc} -SyncIntervalSec #{new_resource.sync_interval_secs}")
+          dfs_cmd = "Set-DfsnServerConfiguration -ComputerName '#{ENV["COMPUTERNAME"]}' -UseFqdn $#{new_resource.use_fqdn} -LdapTimeoutSec #{new_resource.ldap_timeout_secs} -SyncIntervalSec #{new_resource.sync_interval_secs}"
+          dfs_cmd << " -EnableSiteCostedReferrals $#{new_resource.enable_site_costed_referrals}" if new_resource.enable_site_costed_referrals != current_resource.enable_site_costed_referrals
+          dfs_cmd << " -PreferLogonDC $#{new_resource.prefer_login_dc}" if new_resource.prefer_login_dc != current_resource.prefer_login_dc
+          powershell_exec!(dfs_cmd)
         end
       end
     end

data/lib/chef/resource/windows_env.rb

@@ -18,10 +18,13 @@
 #
 
 require_relative "../resource"
+require_relative "../mixin/windows_env_helper"
 
 class Chef
   class Resource
     class WindowsEnv < Chef::Resource
+      unified_mode true
+
       provides :windows_env
       provides :env # backwards compat with the pre-Chef 14 resource name
 
@@ -52,6 +55,176 @@ class Chef
         desired_state: false
 
       property :user, String, default: "<System>"
+
+      action_class do
+        include Chef::Mixin::WindowsEnvHelper
+
+        def whyrun_supported?
+          false
+        end
+
+        def load_current_resource
+          @current_resource = Chef::Resource::WindowsEnv.new(new_resource.name)
+          current_resource.key_name(new_resource.key_name)
+
+          if key_exists?
+            current_resource.value(env_value(new_resource.key_name))
+          else
+            logger.trace("#{new_resource} key does not exist")
+          end
+
+          current_resource
+        end
+
+        def key_exists?
+          @key_exists ||= !!env_value(new_resource.key_name)
+        end
+
+        def requires_modify_or_create?
+          if new_resource.delim
+            # e.g. check for existing value within PATH
+            new_values.inject(0) do |index, val|
+              next_index = current_values.find_index val
+              return true if next_index.nil? || next_index < index
+
+              next_index
+            end
+            false
+          else
+            new_resource.value != current_resource.value
+          end
+        end
+
+        alias_method :compare_value, :requires_modify_or_create?
+
+        # e.g. delete a PATH element
+        #
+        # ==== Returns
+        # <true>:: If we handled the element case and caller should not delete the key
+        # <false>:: Caller should delete the key, either no :delim was specific or value was empty
+        #           after we removed the element.
+        def delete_element
+          return false unless new_resource.delim # no delim: delete the key
+
+          needs_delete = new_values.any? { |v| current_values.include?(v) }
+          if !needs_delete
+            logger.trace("#{new_resource} element '#{new_resource.value}' does not exist")
+            true # do not delete the key
+          else
+            new_value =
+              current_values.select do |item|
+                not new_values.include?(item)
+              end.join(new_resource.delim)
+
+            if new_value.empty?
+              false # nothing left here, delete the key
+            else
+              old_value = new_resource.value(new_value)
+              create_env
+              logger.trace("#{new_resource} deleted #{old_value} element")
+              new_resource.updated_by_last_action(true)
+              true # we removed the element and updated; do not delete the key
+            end
+          end
+        end
+
+        def create_env
+          obj = env_obj(@new_resource.key_name)
+          unless obj
+            obj = WIN32OLE.connect("winmgmts://").get("Win32_Environment").spawninstance_
+            obj.name = @new_resource.key_name
+            obj.username = new_resource.user
+          end
+          obj.variablevalue = @new_resource.value
+          obj.put_
+          value = @new_resource.value
+          value = expand_path(value) if @new_resource.key_name.casecmp("PATH") == 0
+          ENV[@new_resource.key_name] = value
+          broadcast_env_change
+        end
+
+        def delete_env
+          obj = env_obj(@new_resource.key_name)
+          if obj
+            obj.delete_
+            broadcast_env_change
+          end
+          if ENV[@new_resource.key_name]
+            ENV.delete(@new_resource.key_name)
+          end
+        end
+
+        def modify_env
+          if new_resource.delim
+            new_resource.value((new_values + current_values).uniq.join(new_resource.delim))
+          end
+          create_env
+        end
+
+        # Returns the current values to split by delimiter
+        def current_values
+          @current_values ||= current_resource.value.split(new_resource.delim)
+        end
+
+        # Returns the new values to split by delimiter
+        def new_values
+          @new_values ||= new_resource.value.split(new_resource.delim)
+        end
+
+        def env_value(key_name)
+          obj = env_obj(key_name)
+          obj.variablevalue if obj
+        end
+
+        def env_obj(key_name)
+          return @env_obj if @env_obj
+
+          wmi = WmiLite::Wmi.new
+          # Note that by design this query is case insensitive with regard to key_name
+          environment_variables = wmi.query("select * from Win32_Environment where name = '#{key_name}'")
+          if environment_variables && environment_variables.length > 0
+            environment_variables.each do |env|
+              @env_obj = env.wmi_ole_object
+              return @env_obj if @env_obj.username.split('\\').last.casecmp(new_resource.user) == 0
+            end
+          end
+          @env_obj = nil
+        end
+      end
+
+      action :create do
+        if key_exists?
+          if requires_modify_or_create?
+            modify_env
+            logger.info("#{new_resource} altered")
+            new_resource.updated_by_last_action(true)
+          end
+        else
+          create_env
+          logger.info("#{new_resource} created")
+          new_resource.updated_by_last_action(true)
+        end
+      end
+
+      action :delete do
+        if ( ENV[new_resource.key_name] || key_exists? ) && !delete_element
+          delete_env
+          logger.info("#{new_resource} deleted")
+          new_resource.updated_by_last_action(true)
+        end
+      end
+
+      action :modify do
+        if key_exists?
+          if requires_modify_or_create?
+            modify_env
+            logger.info("#{new_resource} modified")
+            new_resource.updated_by_last_action(true)
+          end
+        else
+          raise Chef::Exceptions::WindowsEnv, "Cannot modify #{new_resource} - key does not exist!"
+        end
+      end
     end
   end
 end

data/lib/chef/resource/windows_feature.rb

@@ -21,6 +21,8 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsFeature < Chef::Resource
+      unified_mode true
+
       provides(:windows_feature) { true }
 
       description "Use the **windows_feature** resource to add, remove or entirely delete Windows features and roles. This resource calls the 'windows_feature_dism' or 'windows_feature_powershell' resources depending on the specified installation method, and defaults to DISM, which is available on both Workstation and Server editions of Windows."

data/lib/chef/resource/windows_firewall_profile.rb

@@ -19,8 +19,6 @@
 class Chef
   class Resource
     class WindowsFirewallProfile < Chef::Resource
-      unified_mode true
-
       provides :windows_firewall_profile
       description "Use the **windows_firewall_profile** resource to enable, disable, and configure the Windows firewall."
       introduced "16.3"
@@ -85,11 +83,11 @@ class Chef
 
       load_current_value do |desired|
         ps_get_net_fw_profile = load_firewall_state(desired.profile)
-        output = powershell_out(ps_get_net_fw_profile)
-        if output.stdout.empty?
+        output = powershell_exec(ps_get_net_fw_profile)
+        if output.result.empty?
           current_value_does_not_exist!
         else
-          state = Chef::JSONCompat.from_json(output.stdout)
+          state = output.result
         end
 
         default_inbound_action state["default_inbound_action"]
@@ -132,7 +130,7 @@ class Chef
         unless firewall_enabled?(new_resource.profile)
           converge_by "Enable the #{new_resource.profile} Firewall Profile" do
             cmd = "Set-NetFirewallProfile -Profile #{new_resource.profile} -Enabled \"True\""
-            powershell_out!(cmd)
+            powershell_exec!(cmd)
           end
         end
       end
@@ -141,7 +139,7 @@ class Chef
         if firewall_enabled?(new_resource.profile)
           converge_by "Disable the #{new_resource.profile} Firewall Profile" do
             cmd = "Set-NetFirewallProfile -Profile #{new_resource.profile} -Enabled \"False\""
-            powershell_out!(cmd)
+            powershell_exec!(cmd)
           end
         end
       end
@@ -161,24 +159,6 @@ class Chef
           cmd
         end
 
-        def load_firewall_state(profile_name)
-          <<-EOH
-            Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
-            $#{profile_name} = Get-NetFirewallProfile -Profile #{profile_name}
-            ([PSCustomObject]@{
-              default_inbound_action = $#{profile_name}.DefaultInboundAction.ToString()
-              default_outbound_action = $#{profile_name}.DefaultOutboundAction.ToString()
-              allow_inbound_rules = $#{profile_name}.AllowInboundRules.ToString()
-              allow_local_firewall_rules = $#{profile_name}.AllowLocalFirewallRules.ToString()
-              allow_local_ipsec_rules = $#{profile_name}.AllowLocalIPsecRules.ToString()
-              allow_user_apps = $#{profile_name}.AllowUserApps.ToString()
-              allow_user_ports = $#{profile_name}.AllowUserPorts.ToString()
-              allow_unicast_response = $#{profile_name}.AllowUnicastResponseToMulticast.ToString()
-              display_notification = $#{profile_name}.NotifyOnListen.ToString()
-            }) | ConvertTo-Json
-          EOH
-        end
-
         def firewall_enabled?(profile_name)
           cmd = <<~CODE
             $#{profile_name} = Get-NetFirewallProfile -Profile #{profile_name}
@@ -186,14 +166,31 @@ class Chef
                 return $true
             } else {return $false}
           CODE
-          firewall_status = powershell_out(cmd).stdout
-          if /True/.match?(firewall_status)
-            true
-          elsif /False/.match?(firewall_status)
-            false
-          end
+          powershell_exec!(cmd).result
         end
       end
+
+      private
+
+      # build the command to load the current resource
+      # @return [String] current firewall state
+      def load_firewall_state(profile_name)
+        <<-EOH
+          Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
+          $#{profile_name} = Get-NetFirewallProfile -Profile #{profile_name}
+          ([PSCustomObject]@{
+            default_inbound_action = $#{profile_name}.DefaultInboundAction.ToString()
+            default_outbound_action = $#{profile_name}.DefaultOutboundAction.ToString()
+            allow_inbound_rules = $#{profile_name}.AllowInboundRules.ToString()
+            allow_local_firewall_rules = $#{profile_name}.AllowLocalFirewallRules.ToString()
+            allow_local_ipsec_rules = $#{profile_name}.AllowLocalIPsecRules.ToString()
+            allow_user_apps = $#{profile_name}.AllowUserApps.ToString()
+            allow_user_ports = $#{profile_name}.AllowUserPorts.ToString()
+            allow_unicast_response = $#{profile_name}.AllowUnicastResponseToMulticast.ToString()
+            display_notification = $#{profile_name}.NotifyOnListen.ToString()
+          })
+        EOH
+      end
     end
   end
 end