chef 17.1.35-universal-mingw32 → 17.4.38-universal-mingw32

data/lib/chef/resource/support/HabService.dll.config.erb

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <appSettings>
+    <add key="debug" value="false" />
+    <% if @auth_token %>
+    <add key="ENV_HAB_AUTH_TOKEN" value="<%= @auth_token %>" />
+    <% end %>
+    <% if @gateway_auth_token %>
+    <add key="ENV_HAB_SUP_GATEWAY_AUTH_TOKEN" value="<%= @gateway_auth_token %>" />
+    <% end %>
+    <% if @bldr_url %>
+    <add key="ENV_HAB_BLDR_URL" value="<%= @bldr_url %>" />
+    <% end %>
+    <%if  @exec_start_options %>
+    <add key="launcherArgs" value="--no-color <%= @exec_start_options %>" />
+    <% end %>
+    <add key="launcherPath" value="C:\Hab\pkgs\<%= `hab pkg list core/hab-launcher`.split().last %>\bin\hab-launch.exe"/>
+  </appSettings>
+</configuration>

data/lib/chef/resource/support/client.erb

@@ -18,10 +18,17 @@
       @pid_file
       @policy_group
       @policy_name
-      @ssl_verify_mode).each do |prop| -%>
+      @ssl_verify_mode
+      @policy_persist_run_list).each do |prop| -%>
 <% next if instance_variable_get(prop).nil? || instance_variable_get(prop).empty? -%>
 <%=prop.delete_prefix("@") %> <%= instance_variable_get(prop).inspect %>
 <% end -%>
+<%# ohai_disabled_plugins and ohai_optional_plugins properties don't match the config value perfectly-%>
+<% %w(@ohai_disabled_plugins
+      @ohai_optional_plugins).each do |prop| -%>
+<% next if instance_variable_get(prop).nil? || instance_variable_get(prop).empty? -%>
+<%=prop.gsub("@ohai_", "ohai.") %> <%= instance_variable_get(prop).inspect %>
+<% end -%>
 <%# log_location is special due to STDOUT/STDERR from String -> IO Object -%>
 <% unless @log_location.nil? %>
   <% if @log_location.is_a?(String) && %w(STDOUT STDERR).include?(@log_location) -%>

data/lib/chef/resource/support/sup.toml.erb

@@ -0,0 +1,179 @@
+# sup.toml
+# Used for passing configuration options to the Chef Habitat supervisor
+# This file is controlled by the 'habitat' cookbook and should not be modified by hand -- local modifications may be overwritten.
+
+### The listen address for the Gossip Gateway
+<% if @listen_gossip %>
+listen_gossip = "<%= @listen_gossip %>"
+<% end %>
+
+### Start the supervisor in local mode
+# local_gossip_mode =
+
+### The listen address for the HTTP Gateway
+<% if @listen_http %>
+listen_http = "<%= @listen_http %>"
+<% end %>
+### Disable the HTTP Gateway completely
+# http_disable =
+
+### The listen address for the Control Gateway
+<% if @listen_ctl %>
+listen_ctl = "<%= @listen_ctl %>"
+<% end %>
+### The organization the Supervisor and its services are part of
+<% if @organization %>
+organization = "<%= @organization %>"
+<% end %>
+### The listen address of one or more initial peers (IP[:PORT])
+<% if @peer %>
+peer =  <%= @peer %>
+<% end %>
+### Make this Supervisor a permanent peer
+<% if @permanent_peer %>
+permanent_peer = <%= @permanent_peer %>
+<% end %>
+### Watch this file for connecting to the ring
+# peer_watch_file =
+
+### Cache for creating and searching for encryption keys
+# cache_key_path =
+
+### The name of the ring used by the Supervisor when running with wire encryption
+<% if @ring %>
+ring = "<%= @ring %>"
+<% end %>
+### Use the package config from this path rather than the package itself
+# config_from =
+
+### Enable automatic updates for the Supervisor itself
+<% if @auto_update %>
+auto_update = <%= @auto_update %>
+<% end %>
+### The period of time in seconds between Supervisor update checks
+# auto_update_period =
+
+### The period of time in seconds between service update checks
+# service_update_period =
+
+### The private key for HTTP Gateway TLS encryption
+###
+### Read the private key from KEY_FILE. This should be an RSA private key or PKCS8-encoded private key in PEM format.
+# key_file =
+
+### The server certificates for HTTP Gateway TLS encryption
+###
+### Read server certificates from CERT_FILE. This should contain PEM-format certificates in the right order. The first certificate should certify KEY_FILE. The last should be a root CA.
+# cert_file =
+
+### The CA certificate for HTTP Gateway TLS encryption
+###
+### Read the CA certificate from CA_CERT_FILE. This should contain PEM-format certificate that can be used to validate client requests
+# ca_cert_file =
+
+### Load a Habitat package as part of the Supervisor startup
+###
+### The package can be specified by a package identifier (ex: core/redis) or filepath to a Habitat artifact (ex: /home/core-redis-3.0.7-21120102031201-x86_64-linux.hart).
+# pkg_ident_or_artifact =
+
+### Verbose output showing file and line/column numbers
+# verbose =
+
+### Turn ANSI color off
+# no_color =
+
+### Use structured JSON logging for the Supervisor
+###
+### This option also sets NO_COLOR.
+# json_logging =
+
+### The IPv4 address to use as the `sys.ip` template variable
+###
+### If this argument is not set, the supervisor tries to dynamically determine an IP address. If that fails, the supervisor defaults to using `127.0.0.1`.
+# sys_ip_address =
+
+### The name of the application for event stream purposes
+###
+### This will be attached to all events generated by this Supervisor.
+<% if @event_stream_application %>
+event_stream_application = "<%= @event_stream_application %>"
+<% end %>
+### The name of the environment for event stream purposes
+###
+### This will be attached to all events generated by this Supervisor.
+<% if @event_stream_environment %>
+event_stream_environment = "<%= @event_stream_environment %>"
+<% end %>
+### Event stream connection timeout before exiting the Supervisor
+###
+### Set to '0' to immediately start the Supervisor and continue running regardless of the initial connection status.
+# event_stream_connect_timeout =
+
+### The event stream connection url used to send events to Chef Automate
+###
+### This enables the event stream and requires EVENT_STREAM_APPLICATION, EVENT_STREAM_ENVIRONMENT, and EVENT_STREAM_TOKEN also be set.
+<% if @event_stream_url %>
+event_stream_url = "<%= @event_stream_url %>"
+<% end %>
+### The name of the site where this Supervisor is running for event stream purposes
+<% if @event_stream_site %>
+event_stream_site = "<%= @event_stream_site %>"
+<% end %>
+### The authentication token for connecting the event stream to Chef Automate
+<% if @event_stream_token %>
+event_stream_token = "<%= @event_stream_token %>"
+<% end %>
+### An arbitrary key-value pair to add to each event generated by this Supervisor
+# event_meta = []
+
+### The path to Chef Automate's event stream certificate used to establish a TLS connection
+###
+### The certificate should be in PEM format.
+<% if @event_stream_server_certificate %>
+event_stream_server_certificate = "<%= @event_stream_server_certificate %>"
+<% end %>
+### Automatically cleanup old packages
+###
+### The Supervisor will automatically cleanup old packages only keeping the KEEP_LATEST_PACKAGES latest packages. If this argument is not specified, no automatic package cleanup is performed.
+<% if @keep_latest_packages %>
+keep_latest_packages = "<%= @keep_latest_packages %>"
+<% end %>
+### Receive updates from the specified release channel
+# channel =
+
+### Specify an alternate Builder endpoint. If not specified, the value will be taken from the HAB_BLDR_URL environment variable if defined. (default: https://bldr.habitat.sh)
+<% if @bldr_url %>
+bldr_url = "<%= @bldr_url %>"
+<% end %>
+### The service group with shared config and topology
+# group =
+
+### Service topology
+# topology =
+
+### The update strategy
+# strategy =
+
+### The condition dictating when this service should update
+###
+### latest: Runs the latest package that can be found in the configured channel and local packages.
+###
+### track-channel: Always run what is at the head of a given channel. This enables service rollback where demoting a package from a channel will cause the package to rollback to an older version of the package. A ramification of enabling this condition is packages newer than the package at the head of the channel will be automatically uninstalled during a service rollback.
+<% if @update_condition %>
+update_condition = "<%= @update_condition %>"
+<% end %>
+### One or more service groups to bind to a configuration
+# bind = []
+
+### Governs how the presence or absence of binds affects service startup
+###
+### strict: blocks startup until all binds are present.
+# binding_mode =
+
+### The interval in seconds on which to run health checks
+# health_check_interval =
+
+### The delay in seconds after sending the shutdown signal to wait before killing the service process
+###
+### The default value can be set in the packages plan file.
+# shutdown_timeout =

data/lib/chef/resource/swap_file.rb

@@ -63,9 +63,7 @@ class Chef
       property :swappiness, Integer,
         description: "The swappiness value to set on the system."
 
-      action :create do
-        description "Create a swapfile."
-
+      action :create, description: "Create a swapfile." do
         if swap_enabled?
           Chef::Log.debug("#{new_resource} already created - nothing to do")
         else
@@ -85,9 +83,7 @@ class Chef
         end
       end
 
-      action :remove do
-        description "Remove a swapfile and disable swap."
-
+      action :remove, description: "Remove a swapfile and disable swap." do
         swapoff if swap_enabled?
         remove_swapfile if ::File.exist?(new_resource.path)
       end

data/lib/chef/resource/sysctl.rb

@@ -131,7 +131,7 @@ class Chef
 
       end
 
-      action :apply, description: "Apply a sysctl value" do
+      action :apply, description: "Set the kernel parameter and update the `sysctl` settings." do
         converge_if_changed do
           # set it temporarily
           set_sysctl_param(new_resource.key, new_resource.value)
@@ -150,7 +150,7 @@ class Chef
         end
       end
 
-      action :remove, description: "Remove a sysctl value" do
+      action :remove, description: "Remove the kernel parameter and update the `sysctl` settings." do
         # only converge the resource if the file actually exists to delete
         if ::File.exist?("#{new_resource.conf_dir}/99-chef-#{new_resource.key.tr("/", ".")}.conf")
           converge_by "removing sysctl config at #{new_resource.conf_dir}/99-chef-#{new_resource.key.tr("/", ".")}.conf" do

data/lib/chef/resource/systemd_unit.rb

@@ -34,7 +34,7 @@ class Chef
 
       ```ruby
       systemd_unit 'etcd.service' do
-        content(Unit: {
+        content({ Unit: {
                   Description: 'Etcd',
                   Documentation: ['https://coreos.com/etcd', 'man:etcd(1)'],
                   After: 'network.target',
@@ -46,7 +46,7 @@ class Chef
                 },
                 Install: {
                   WantedBy: 'multi-user.target',
-                })
+                } })
         action [:create, :enable]
       end
       ```
@@ -113,7 +113,7 @@ class Chef
         when Hash
           IniParse.gen do |doc|
             content.each_pair do |sect, opts|
-              doc.section(sect) do |section|
+              doc.section(sect, { option_sep: "=" }) do |section|
                 opts.each_pair do |opt, val|
                   [val].flatten.each do |v|
                     section.option(opt, v)

data/lib/chef/resource/timezone.rb

@@ -119,7 +119,7 @@ class Chef
         end
       end
 
-      action :set, description: "Set the system timezone" do
+      action :set, description: "Set the system timezone." do
         # we have to check windows first since the value isn't case sensitive here
         if windows?
           unless current_windows_tz.casecmp?(new_resource.timezone)

data/lib/chef/resource/user_ulimit.rb

@@ -78,7 +78,7 @@ class Chef
                coerce: proc { |m| m.end_with?(".conf") ? m : m + ".conf" },
                default: lazy { |r| r.username == "*" ? "00_all_limits.conf" : "#{r.username}_limits.conf" }
 
-      action :create, description: "Create a ulimit configuration file" do
+      action :create, description: "Create a ulimit configuration file." do
         template "/etc/security/limits.d/#{new_resource.filename}" do
           source ::File.expand_path("support/ulimit.erb", __dir__)
           local true
@@ -106,7 +106,7 @@ class Chef
         end
       end
 
-      action :delete, description: "Delete an existing ulimit configuration file" do
+      action :delete, description: "Delete an existing ulimit configuration file." do
         file "/etc/security/limits.d/#{new_resource.filename}" do
           action :delete
         end

data/lib/chef/resource/windows_ad_join.rb

@@ -97,7 +97,7 @@ class Chef
       property :sensitive, [TrueClass, FalseClass],
         default: true, desired_state: false
 
-      action :join, description: "Join the Active Directory domain" do
+      action :join, description: "Join the Active Directory domain." do
         unless on_desired_domain?
           cmd = "$pswd = ConvertTo-SecureString \'#{new_resource.domain_password}\' -AsPlainText -Force;"
           cmd << "$credential = New-Object System.Management.Automation.PSCredential (\"#{sanitize_usename}\",$pswd);"
@@ -127,7 +127,7 @@ class Chef
         end
       end
 
-      action :leave, description: "Leave an Active Directory domain and re-join a workgroup" do
+      action :leave, description: "Leave an Active Directory domain and re-join a workgroup." do
         if joined_to_domain?
           cmd = ""
           cmd << "$pswd = ConvertTo-SecureString \'#{new_resource.domain_password}\' -AsPlainText -Force;"

data/lib/chef/resource/windows_audit_policy.rb

@@ -106,7 +106,7 @@ class Chef
 
       ```ruby
       windows_audit_policy "Set Audit Policy for 'Credential Validation' actions to 'Success'" do
-        subcategory  'Credential Validation'
+        subcategory 'Credential Validation'
         success true
         failure false
         action :set
@@ -152,7 +152,7 @@ class Chef
       property :audit_base_directories, [true, false],
                description: "Setting this audit policy option to true will force the system to assign a System Access Control List to named objects to enable auditing of container objects such as directories."
 
-      action :set, description: "Configure an audit policy" do
+      action :set, description: "Configure an audit policy." do
         unless new_resource.subcategory.nil?
           new_resource.subcategory.each do |subcategory|
             next if subcategory_configured?(subcategory, new_resource.success, new_resource.failure)

data/lib/chef/resource/windows_auto_run.rb

@@ -57,7 +57,7 @@ class Chef
 
       alias_method :program, :path
 
-      action :create, description: "Create an item to be run at login" do
+      action :create, description: "Create an item to be run at login." do
 
         data = "\"#{new_resource.path}\""
         data << " #{new_resource.args}" if new_resource.args
@@ -72,7 +72,7 @@ class Chef
         end
       end
 
-      action :remove, description: "Remove an item that was previously configured to run at login" do
+      action :remove, description: "Remove an item that was previously configured to run at login." do
         registry_key registry_path do
           values [{
             name: new_resource.program_name,

data/lib/chef/resource/windows_certificate.rb

@@ -160,7 +160,7 @@ class Chef
         end
       end
 
-      action :verify, description: "Verifies a certificate and logs the result" do
+      action :verify, description: "Verifies a certificate and logs the result." do
         out = verify_cert
         if !!out == out
           out = out ? "Certificate is valid" : "Certificate not valid"

data/lib/chef/resource/windows_defender.rb

@@ -0,0 +1,163 @@
+#
+# Copyright:: Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+
+class Chef
+  class Resource
+    class WindowsDefender < Chef::Resource
+      unified_mode true
+      provides :windows_defender
+
+      description "Use the **windows_defender** resource to enable or disable the Microsoft Windows Defender service."
+      introduced "17.3"
+      examples <<~DOC
+      **Configure Windows Defender AV settings**:
+
+      ```ruby
+      windows_defender 'Configure Defender' do
+        realtime_protection true
+        intrusion_protection_system true
+        lock_ui true
+        scan_archives true
+        scan_scripts true
+        scan_email true
+        scan_removable_drives true
+        scan_network_files false
+        scan_mapped_drives false
+        action :enable
+      end
+      ```
+
+      **Disable Windows Defender AV**:
+
+      ```ruby
+      windows_defender 'Disable Defender' do
+        action :disable
+      end
+      ```
+      DOC
+
+      # DisableIOAVProtection
+      property :realtime_protection, [true, false],
+        default: true,
+        description: "Enable realtime scanning of downloaded files and attachments."
+
+      # DisableIntrusionPreventionSystem
+      property :intrusion_protection_system, [true, false],
+        default: true,
+        description: "Enable network protection against exploitation of known vulnerabilities."
+
+      # UILockdown
+      property :lock_ui, [true, false],
+        description: "Lock the UI to prevent users from changing Windows Defender settings.",
+        default: false
+
+      # DisableArchiveScanning
+      property :scan_archives, [true, false],
+        default: true,
+        description: "Scan file archives such as .zip or .gz archives."
+
+      # DisableScriptScanning
+      property :scan_scripts, [true, false],
+        default: false,
+        description: "Scan scripts in malware scans."
+
+      # DisableEmailScanning
+      property :scan_email, [true, false],
+        default: false,
+        description: "Scan e-mails for malware."
+
+      # DisableRemovableDriveScanning
+      property :scan_removable_drives, [true, false],
+        default: false,
+        description: "Scan content of removable drives."
+
+      # DisableScanningNetworkFiles
+      property :scan_network_files, [true, false],
+        default: false,
+        description: "Scan files on a network."
+
+      # DisableScanningMappedNetworkDrivesForFullScan
+      property :scan_mapped_drives, [true, false],
+        default: true,
+        description: "Scan files on mapped network drives."
+
+      load_current_value do
+        values = powershell_exec!("Get-MPpreference").result
+
+        lock_ui values["UILockdown"]
+        realtime_protection !values["DisableIOAVProtection"]
+        intrusion_protection_system !values["DisableIntrusionPreventionSystem"]
+        scan_archives !values["DisableArchiveScanning"]
+        scan_scripts !values["DisableScriptScanning"]
+        scan_email !values["DisableEmailScanning"]
+        scan_removable_drives !values["DisableRemovableDriveScanning"]
+        scan_network_files !values["DisableScanningNetworkFiles"]
+        scan_mapped_drives !values["DisableScanningMappedNetworkDrivesForFullScan"]
+      end
+
+      action :enable, description: "Enable and configure Windows Defender." do
+        windows_service "Windows Defender" do
+          service_name "WinDefend"
+          action %i{start enable}
+          startup_type :automatic
+        end
+
+        converge_if_changed do
+          powershell_exec!(set_mppreference_cmd)
+        end
+      end
+
+      action :disable, description: "Disable Windows Defender." do
+        windows_service "Windows Defender" do
+          service_name "WinDefend"
+          action %i{disable stop}
+        end
+      end
+
+      action_class do
+        require "chef/mixin/powershell_type_coercions"
+        include Chef::Mixin::PowershellTypeCoercions
+
+        PROPERTY_TO_PS_MAP = {
+          realtime_protection: "DisableIOAVProtection",
+          intrusion_protection_system: "DisableIntrusionPreventionSystem",
+          scan_archives: "DisableArchiveScanning",
+          scan_scripts: "DisableScriptScanning",
+          scan_email: "DisableEmailScanning",
+          scan_removable_drives: "DisableRemovableDriveScanning",
+          scan_network_files: "DisableScanningNetworkFiles",
+          scan_mapped_drives: "DisableScanningMappedNetworkDrivesForFullScan",
+        }.freeze
+
+        def set_mppreference_cmd
+          cmd = "Set-MpPreference -Force"
+          cmd << " -UILockdown #{type_coercion(new_resource.lock_ui)}"
+
+          # the values are the opposite in Set-MpPreference and our properties so we have to iterate
+          # over the list and negate the provided values so it makes sense with the cmdlet flag's expected value
+          PROPERTY_TO_PS_MAP.each do |prop, flag|
+            next if new_resource.send(prop).nil? || current_resource.send(prop) == new_resource.send(prop)
+
+            cmd << " -#{flag} #{type_coercion(!new_resource.send(prop))}"
+          end
+          cmd
+        end
+      end
+    end
+  end
+end