chef 17.0.242-universal-mingw32 → 17.4.25-universal-mingw32

data/lib/chef/resource/windows_defender.rb

@@ -0,0 +1,163 @@
+#
+# Copyright:: Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+
+class Chef
+  class Resource
+    class WindowsDefender < Chef::Resource
+      unified_mode true
+      provides :windows_defender
+
+      description "Use the **windows_defender** resource to enable or disable the Microsoft Windows Defender service."
+      introduced "17.3"
+      examples <<~DOC
+      **Configure Windows Defender AV settings**:
+
+      ```ruby
+      windows_defender 'Configure Defender' do
+        realtime_protection true
+        intrusion_protection_system true
+        lock_ui true
+        scan_archives true
+        scan_scripts true
+        scan_email true
+        scan_removable_drives true
+        scan_network_files false
+        scan_mapped_drives false
+        action :enable
+      end
+      ```
+
+      **Disable Windows Defender AV**:
+
+      ```ruby
+      windows_defender 'Disable Defender' do
+        action :disable
+      end
+      ```
+      DOC
+
+      # DisableIOAVProtection
+      property :realtime_protection, [true, false],
+        default: true,
+        description: "Enable realtime scanning of downloaded files and attachments."
+
+      # DisableIntrusionPreventionSystem
+      property :intrusion_protection_system, [true, false],
+        default: true,
+        description: "Enable network protection against exploitation of known vulnerabilities."
+
+      # UILockdown
+      property :lock_ui, [true, false],
+        description: "Lock the UI to prevent users from changing Windows Defender settings.",
+        default: false
+
+      # DisableArchiveScanning
+      property :scan_archives, [true, false],
+        default: true,
+        description: "Scan file archives such as .zip or .gz archives."
+
+      # DisableScriptScanning
+      property :scan_scripts, [true, false],
+        default: false,
+        description: "Scan scripts in malware scans."
+
+      # DisableEmailScanning
+      property :scan_email, [true, false],
+        default: false,
+        description: "Scan e-mails for malware."
+
+      # DisableRemovableDriveScanning
+      property :scan_removable_drives, [true, false],
+        default: false,
+        description: "Scan content of removable drives."
+
+      # DisableScanningNetworkFiles
+      property :scan_network_files, [true, false],
+        default: false,
+        description: "Scan files on a network."
+
+      # DisableScanningMappedNetworkDrivesForFullScan
+      property :scan_mapped_drives, [true, false],
+        default: true,
+        description: "Scan files on mapped network drives."
+
+      load_current_value do
+        values = powershell_exec!("Get-MPpreference").result
+
+        lock_ui values["UILockdown"]
+        realtime_protection !values["DisableIOAVProtection"]
+        intrusion_protection_system !values["DisableIntrusionPreventionSystem"]
+        scan_archives !values["DisableArchiveScanning"]
+        scan_scripts !values["DisableScriptScanning"]
+        scan_email !values["DisableEmailScanning"]
+        scan_removable_drives !values["DisableRemovableDriveScanning"]
+        scan_network_files !values["DisableScanningNetworkFiles"]
+        scan_mapped_drives !values["DisableScanningMappedNetworkDrivesForFullScan"]
+      end
+
+      action :enable, description: "Enable and configure Windows Defender." do
+        windows_service "Windows Defender" do
+          service_name "WinDefend"
+          action %i{start enable}
+          startup_type :automatic
+        end
+
+        converge_if_changed do
+          powershell_exec!(set_mppreference_cmd)
+        end
+      end
+
+      action :disable, description: "Disable Windows Defender." do
+        windows_service "Windows Defender" do
+          service_name "WinDefend"
+          action %i{disable stop}
+        end
+      end
+
+      action_class do
+        require "chef/mixin/powershell_type_coercions"
+        include Chef::Mixin::PowershellTypeCoercions
+
+        PROPERTY_TO_PS_MAP = {
+          realtime_protection: "DisableIOAVProtection",
+          intrusion_protection_system: "DisableIntrusionPreventionSystem",
+          scan_archives: "DisableArchiveScanning",
+          scan_scripts: "DisableScriptScanning",
+          scan_email: "DisableEmailScanning",
+          scan_removable_drives: "DisableRemovableDriveScanning",
+          scan_network_files: "DisableScanningNetworkFiles",
+          scan_mapped_drives: "DisableScanningMappedNetworkDrivesForFullScan",
+        }.freeze
+
+        def set_mppreference_cmd
+          cmd = "Set-MpPreference -Force"
+          cmd << " -UILockdown #{type_coercion(new_resource.lock_ui)}"
+
+          # the values are the opposite in Set-MpPreference and our properties so we have to iterate
+          # over the list and negate the provided values so it makes sense with the cmdlet flag's expected value
+          PROPERTY_TO_PS_MAP.each do |prop, flag|
+            next if new_resource.send(prop).nil? || current_resource.send(prop) == new_resource.send(prop)
+
+            cmd << " -#{flag} #{type_coercion(!new_resource.send(prop))}"
+          end
+          cmd
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/windows_defender_exclusion.rb

@@ -0,0 +1,125 @@
+#
+# Copyright:: Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+
+class Chef
+  class Resource
+    class WindowsDefenderExclusion < Chef::Resource
+
+      provides :windows_defender_exclusion
+
+      description "Use the **windows_defender_exclusion** resource to exclude paths, processes, or file types from Windows Defender realtime protection scanning."
+      introduced "17.3"
+      examples <<~DOC
+      **Add excluded items to Windows Defender scans**:
+
+      ```ruby
+      windows_defender_exclusion 'Add to things to be excluded from scanning' do
+        paths 'c:\\foo\\bar, d:\\bar\\baz'
+        extensions 'png, foo, ppt, doc'
+        process_paths 'c:\\windows\\system32'
+        action :add
+      end
+      ```
+
+      **Remove excluded items from Windows Defender scans**:
+
+      ```ruby
+      windows_defender_exclusion 'Remove things from the list to be excluded' do
+        process_paths 'c:\\windows\\system32'
+        action :remove
+      end
+      ```
+      DOC
+      unified_mode true
+
+      property :paths, [String, Array], default: [],
+        coerce: proc { |x| to_consistent_path_array(x) },
+        description: "File or directory paths to exclude from scanning."
+
+      property :extensions, [String, Array], default: [],
+        coerce: proc { |x| to_consistent_path_array(x) },
+        description: "File extensions to exclude from scanning."
+
+      property :process_paths, [String, Array], default: [],
+        coerce: proc { |x| to_consistent_path_array(x) },
+        description: "Paths to executables to exclude from scanning."
+
+      def to_consistent_path_array(x)
+        fixed = x.dup || []
+        fixed = fixed.split(/\s*,\s*/) if fixed.is_a?(String)
+        fixed.map!(&:downcase)
+        fixed.map! { |v| v.gsub(%r{/}, "\\") }
+        fixed
+      end
+
+      load_current_value do |new_resource|
+        Chef::Log.debug("Running 'Get-MpPreference | Select-Object ExclusionExtension,ExclusionPath,ExclusionProcess' to get Windows Defender State")
+
+        values = powershell_exec!("Get-MPpreference | Select-Object ExclusionExtension,ExclusionPath,ExclusionProcess").result
+
+        values.transform_values! { |x| Array(x) }
+
+        paths new_resource.paths & values["ExclusionPath"]
+        extensions new_resource.extensions & values["ExclusionExtension"]
+        process_paths new_resource.process_paths & values["ExclusionProcess"]
+      end
+
+      action :add, description: "Add an exclusion to Windows Defender." do
+        converge_if_changed do
+          powershell_exec!(add_cmd)
+        end
+      end
+
+      action :remove, description: "Remove an exclusion to Windows Defender." do
+        converge_if_changed do
+          powershell_exec!(remove_cmd)
+        end
+      end
+
+      action_class do
+        MAPPING = {
+          paths: "ExclusionPath",
+          extensions: "ExclusionExtension",
+          process_paths: "ExclusionProcess",
+        }.freeze
+
+        def add_cmd
+          cmd = "Add-MpPreference -Force"
+
+          MAPPING.each do |prop, flag|
+            to_add = new_resource.send(prop) - current_resource.send(prop)
+            cmd << " -#{flag} #{to_add.join(",")}" unless to_add.empty?
+          end
+
+          cmd
+        end
+
+        def remove_cmd
+          cmd = "Remove-MpPreference -Force"
+
+          MAPPING.each do |prop, flag|
+            to_add = new_resource.send(prop) & current_resource.send(prop)
+            cmd << " -#{flag} #{to_add.join(",")}" unless to_add.empty?
+          end
+
+          cmd
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/windows_dfs_folder.rb

@@ -42,7 +42,7 @@ class Chef
       property :description, String,
         description: "Description for the share."
 
-      action :create, description: "Creates the folder in dfs namespace" do
+      action :create, description: "Creates the folder in dfs namespace." do
         raise "target_path is required for install" unless property_is_set?(:target_path)
         raise "description is required for install" unless property_is_set?(:description)
 
@@ -60,7 +60,7 @@ class Chef
         end
       end
 
-      action :delete, description: "Deletes the folder in the dfs namespace" do
+      action :delete, description: "Deletes the folder in the dfs namespace." do
         powershell_script "Delete DFS Namespace" do
           code <<-EOH
             Remove-DfsnFolder -Path '\\\\#{ENV["COMPUTERNAME"]}\\#{new_resource.namespace_name}\\#{new_resource.folder_path}' -Force

data/lib/chef/resource/windows_dfs_namespace.rb

@@ -52,7 +52,7 @@ class Chef
         description: "The root from which to create the DFS tree. Defaults to C:\\DFSRoots.",
         default: 'C:\\DFSRoots'
 
-      action :create, description: "Creates the dfs namespace on the server" do
+      action :create, description: "Creates the dfs namespace on the server." do
         directory file_path do
           action :create
           recursive true
@@ -82,7 +82,7 @@ class Chef
         end
       end
 
-      action :delete, description: "Deletes a DFS Namespace including the directory on disk" do
+      action :delete, description: "Deletes a DFS Namespace including the directory on disk." do
         powershell_script "Delete DFS Namespace" do
           code <<-EOH
             Remove-DfsnRoot -Path '\\\\#{ENV["COMPUTERNAME"]}\\#{new_resource.namespace_name}' -Force

data/lib/chef/resource/windows_dns_record.rb

@@ -49,7 +49,7 @@ class Chef
         default: "localhost",
         introduced: "16.3"
 
-      action :create, description: "Creates and updates the DNS entry" do
+      action :create, description: "Creates and updates the DNS entry." do
         windows_feature "RSAT-DNS-Server" do
           not_if new_resource.dns_server.casecmp?("localhost")
         end
@@ -59,7 +59,7 @@ class Chef
         run_dsc_resource "Present"
       end
 
-      action :delete, description: "Deletes a DNS entry" do
+      action :delete, description: "Deletes a DNS entry." do
         windows_feature "RSAT-DNS-Server" do
           not_if new_resource.dns_server.casecmp?("localhost")
         end

data/lib/chef/resource/windows_dns_zone.rb

@@ -40,13 +40,13 @@ class Chef
         description: "The type of DNS server, Domain or Standalone.",
         default: "Domain", equal_to: %w{Domain Standalone}
 
-      action :create, description: "Creates and updates a DNS Zone" do
+      action :create, description: "Creates and updates a DNS Zone." do
         powershell_package "xDnsServer"
 
         run_dsc_resource "Present"
       end
 
-      action :delete, description: "Deletes a DNS Zone" do
+      action :delete, description: "Deletes a DNS Zone." do
         powershell_package "xDnsServer"
 
         run_dsc_resource "Absent"

data/lib/chef/resource/windows_env.rb

@@ -186,7 +186,7 @@ class Chef
           if environment_variables && environment_variables.length > 0
             environment_variables.each do |env|
               @env_obj = env.wmi_ole_object
-              return @env_obj if @env_obj.username.split('\\').last.casecmp(new_resource.user) == 0
+              return @env_obj if @env_obj.username.split("\\").last.casecmp(new_resource.user) == 0
             end
           end
           @env_obj = nil

data/lib/chef/resource/windows_feature.rb

@@ -108,15 +108,15 @@ class Chef
         default: 600,
         desired_state: false
 
-      action :install, description: "Install a Windows role / feature" do
+      action :install, description: "Install a Windows role or feature." do
         run_default_subresource :install
       end
 
-      action :remove, description: "Remove a Windows role / feature" do
+      action :remove, description: "Remove a Windows role or feature." do
         run_default_subresource :remove
       end
 
-      action :delete, description: "Remove a Windows role/feature from the image" do
+      action :delete, description: "Remove a Windows role or feature from the image." do
         run_default_subresource :delete
       end
 

data/lib/chef/resource/windows_feature_dism.rb

@@ -65,9 +65,7 @@ class Chef
         x.map(&:downcase)
       end
 
-      action :install do
-        description "Install a Windows role/feature using DISM"
-
+      action :install, description: "Install a Windows role/feature using DISM." do
         reload_cached_dism_data unless node["dism_features_cache"]
         fail_if_unavailable # fail if the features don't exist
 
@@ -91,7 +89,7 @@ class Chef
         end
       end
 
-      action :remove, description: "Remove a Windows role / feature using DISM" do
+      action :remove, description: "Remove a Windows role or feature using DISM." do
         reload_cached_dism_data unless node["dism_features_cache"]
 
         logger.trace("Windows features needing removal: #{features_to_remove.empty? ? "none" : features_to_remove.join(",")}")
@@ -106,7 +104,7 @@ class Chef
         end
       end
 
-      action :delete, description: "Remove a Windows role / feature from the image using DISM" do
+      action :delete, description: "Remove a Windows role or feature from the image using DISM." do
         reload_cached_dism_data unless node["dism_features_cache"]
 
         fail_if_unavailable # fail if the features don't exist

data/lib/chef/resource/windows_feature_powershell.rb

@@ -87,7 +87,7 @@ class Chef
         x.map(&:downcase)
       end
 
-      action :install, description: "Install a Windows role / feature using PowerShell" do
+      action :install, description: "Install a Windows role or feature using PowerShell." do
         reload_cached_powershell_data unless node["powershell_features_cache"]
         fail_if_unavailable # fail if the features don't exist
         fail_if_removed # fail if the features are in removed state
@@ -108,7 +108,7 @@ class Chef
         end
       end
 
-      action :remove, description: "Remove a Windows role / feature using PowerShell" do
+      action :remove, description: "Remove a Windows role or feature using PowerShell." do
         reload_cached_powershell_data unless node["powershell_features_cache"]
 
         Chef::Log.debug("Windows features needing removal: #{features_to_remove.empty? ? "none" : features_to_remove.join(",")}")
@@ -123,7 +123,7 @@ class Chef
         end
       end
 
-      action :delete, description: "Delete a Windows role / feature from the image using PowerShell" do
+      action :delete, description: "Delete a Windows role or feature from the image using PowerShell." do
         reload_cached_powershell_data unless node["powershell_features_cache"]
 
         fail_if_unavailable # fail if the features don't exist