chef 17.2.29-universal-mingw32 → 17.3.48-universal-mingw32
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile +4 -3
- data/chef.gemspec +1 -0
- data/lib/chef/client.rb +1 -1
- data/lib/chef/data_bag.rb +1 -2
- data/lib/chef/data_bag_item.rb +1 -2
- data/lib/chef/deprecated.rb +10 -4
- data/lib/chef/dsl.rb +1 -0
- data/lib/chef/dsl/render_helpers.rb +44 -0
- data/lib/chef/dsl/secret.rb +64 -0
- data/lib/chef/dsl/toml.rb +116 -0
- data/lib/chef/dsl/universal.rb +5 -0
- data/lib/chef/exceptions.rb +22 -0
- data/lib/chef/handler/slow_report.rb +1 -1
- data/lib/chef/json_compat.rb +1 -1
- data/lib/chef/policy_builder/policyfile.rb +88 -45
- data/lib/chef/provider/file.rb +2 -2
- data/lib/chef/provider/lwrp_base.rb +1 -1
- data/lib/chef/provider/package/habitat.rb +168 -0
- data/lib/chef/provider/package/powershell.rb +5 -0
- data/lib/chef/providers.rb +1 -0
- data/lib/chef/resource/chef_client_config.rb +7 -2
- data/lib/chef/resource/chef_client_cron.rb +1 -1
- data/lib/chef/resource/chef_client_launchd.rb +1 -1
- data/lib/chef/resource/chef_client_scheduled_task.rb +1 -1
- data/lib/chef/resource/chef_client_systemd_timer.rb +1 -1
- data/lib/chef/resource/chef_client_trusted_certificate.rb +2 -2
- data/lib/chef/resource/chef_vault_secret.rb +2 -2
- data/lib/chef/resource/dsc_resource.rb +1 -1
- data/lib/chef/resource/execute.rb +3 -3
- data/lib/chef/resource/gem_package.rb +2 -1
- data/lib/chef/resource/habitat/_habitat_shared.rb +28 -0
- data/lib/chef/resource/habitat/habitat_package.rb +129 -0
- data/lib/chef/resource/habitat/habitat_sup.rb +329 -0
- data/lib/chef/resource/habitat/habitat_sup_systemd.rb +67 -0
- data/lib/chef/resource/habitat/habitat_sup_windows.rb +90 -0
- data/lib/chef/resource/habitat_config.rb +107 -0
- data/lib/chef/resource/habitat_install.rb +247 -0
- data/lib/chef/resource/habitat_service.rb +451 -0
- data/lib/chef/resource/habitat_user_toml.rb +92 -0
- data/lib/chef/resource/lwrp_base.rb +1 -1
- data/lib/chef/resource/support/HabService.dll.config.erb +19 -0
- data/lib/chef/resource/support/client.erb +8 -1
- data/lib/chef/resource/support/sup.toml.erb +179 -0
- data/lib/chef/resource/windows_defender.rb +163 -0
- data/lib/chef/resource/windows_defender_exclusion.rb +125 -0
- data/lib/chef/resource/windows_printer.rb +78 -44
- data/lib/chef/resource/windows_printer_port.rb +1 -1
- data/lib/chef/resource/windows_update_settings.rb +259 -0
- data/lib/chef/resources.rb +12 -1
- data/lib/chef/secret_fetcher.rb +54 -0
- data/lib/chef/secret_fetcher/aws_secrets_manager.rb +53 -0
- data/lib/chef/secret_fetcher/azure_key_vault.rb +56 -0
- data/lib/chef/secret_fetcher/base.rb +72 -0
- data/lib/chef/secret_fetcher/example.rb +46 -0
- data/lib/chef/version.rb +1 -1
- data/spec/functional/mixin/from_file_spec.rb +1 -1
- data/spec/integration/recipes/recipe_dsl_spec.rb +1 -1
- data/spec/integration/recipes/resource_action_spec.rb +4 -4
- data/spec/support/shared/unit/provider/file.rb +2 -8
- data/spec/unit/data_bag_item_spec.rb +2 -2
- data/spec/unit/data_bag_spec.rb +1 -1
- data/spec/unit/dsl/render_helpers_spec.rb +102 -0
- data/spec/unit/dsl/secret_spec.rb +65 -0
- data/spec/unit/policy_builder/dynamic_spec.rb +0 -5
- data/spec/unit/policy_builder/policyfile_spec.rb +144 -56
- data/spec/unit/provider/apt_update_spec.rb +3 -1
- data/spec/unit/provider/mount/aix_spec.rb +1 -1
- data/spec/unit/provider/package/powershell_spec.rb +74 -12
- data/spec/unit/resource/windows_defender_exclusion_spec.rb +62 -0
- data/spec/unit/resource/windows_defender_spec.rb +71 -0
- data/spec/unit/resource/windows_update_settings_spec.rb +64 -0
- data/spec/unit/secret_fetcher/azure_key_vault_spec.rb +63 -0
- data/spec/unit/secret_fetcher_spec.rb +82 -0
- metadata +51 -7
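--- /dev/null
+++ b/data/lib/chef/resource/habitat_user_toml.rb
@@ -0,0 +1,92 @@
+# Copyright:: Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing
+
+require_relative "../resource"
+class Chef
+class Resource
+class HabitatUserToml < Chef::Resource
+unified_mode true
+provides :habitat_user_toml
+
+description "Use the **habitat_user_toml** to template a `user.toml` for Chef Habitat services. Configurations set in the `user.toml` override the `default.toml` for a given package, which makes it an alternative to applying service group level configuration."
+introduced "17.3"
+examples <<~DOC
+**Configure user specific settings to nginx**
+
+```ruby
+habitat_user_toml 'nginx' do
+config({
+worker_count: 2,
+http: {
+keepalive_timeout: 120
+}
+})
+end
+```
+DOC
+
+property :config, Mash, required: true, coerce: proc { |m| m.is_a?(Hash) ? Mash.new(m) : m },
+description: "Only valid for `:create` action. The configuration to apply as a ruby hash, for example, `{ worker_count: 2, http: { keepalive_timeout: 120 } }`."
+
+property :service_name, String, name_property: true, desired_state: false,
+description: "The service group to apply the configuration to, for example, `nginx.default`."
+
+action :create, description: "(default action) Create the user.toml from the specified config." do
+directory config_directory do
+mode "0755"
+owner root_owner
+group node["root_group"]
+recursive true
+end
+
+file "#{config_directory}/user.toml" do
+mode "0600"
+owner root_owner
+group node["root_group"]
+content render_toml(new_resource.config)
+sensitive true
+end
+end
+
+action :delete, description: "Delete the user.toml" do
+file "#{config_directory}/user.toml" do
+sensitive true
+action :delete
+end
+end
+
+action_class do
+def config_directory
+windows? ? "C:/hab/user/#{new_resource.service_name}/config" : "/hab/user/#{new_resource.service_name}/config"
+end
+
+def wmi_property_from_query(wmi_property, wmi_query)
+@wmi = ::WIN32OLE.connect("winmgmts://")
+result = @wmi.ExecQuery(wmi_query)
+return unless result.each.count > 0
+
+result.each.next.send(wmi_property)
+end
+
+def root_owner
+if windows?
+wmi_property_from_query(:name, "select * from Win32_UserAccount where sid like 'S-1-5-21-%-500' and LocalAccount=True")
+else
+"root"
+end
+end
+end
+end
+end
+end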
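Review bot: The license header in this new file is truncated: line 13 ends at `# See the License for the specific language governing` and the closing `# permissions and limitations under the License.` line is missing (compare the complete header in windows_defender.rb added in the same release). In `action_class`, `root_owner` returns `nil` on Windows whenever the WMI query yields no row, because `wmi_property_from_query` returns early, so the `directory` and `file` resources guarding a `sensitive` `user.toml` would, it appears, be created without a managed owner rather than failing loudly; an explicit fallback such as `wmi_property_from_query(...) || raise("unable to determine the local Administrator account")` makes that case visible. `result.each.next.send(wmi_property)` can also be `public_send`, since only public WMI properties are meant to be read here.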
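--- /dev/null
+++ b/data/lib/chef/resource/support/HabService.dll.config.erb
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+<appSettings>
+<add key="debug" value="false" />
+<% if @auth_token %>
+<add key="ENV_HAB_AUTH_TOKEN" value="<%= @auth_token %>" />
+<% end %>
+<% if @gateway_auth_token %>
+<add key="ENV_HAB_SUP_GATEWAY_AUTH_TOKEN" value="<%= @gateway_auth_token %>" />
+<% end %>
+<% if @bldr_url %>
+<add key="ENV_HAB_BLDR_URL" value="<%= @bldr_url %>" />
+<% end %>
+<%if @exec_start_options %>
+<add key="launcherArgs" value="--no-color <%= @exec_start_options %>" />
+<% end %>
+<add key="launcherPath" value="C:\Hab\pkgs\<%= `hab pkg list core/hab-launcher`.split().last %>\bin\hab-launch.exe"/>
+</appSettings>
+</configuration>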
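Review bot: The interpolated values on lines 6, 9, 12 and 15 are written into XML attributes unescaped, so an `@auth_token`, `@gateway_auth_token`, `@bldr_url` or `@exec_start_options` containing `&`, `<` or `"` yields an unparsable `HabService.dll.config` instead of an error; `value=<%= @auth_token.to_s.encode(xml: :attr) %>` (core Ruby, emits the surrounding quotes and escapes the content) applied to each of those attributes fixes this. Line 17 shells out with a backtick at render time: if `hab` is not on the PATH the template raises mid-render, and if the command prints nothing the path degrades to `C:\Hab\pkgs\\bin\hab-launch.exe`; resolving the launcher path in the resource and passing it in as a template variable keeps command execution out of the template and makes the failure mode explicit. `.split().last` presumably relies on the output order of `hab pkg list` to select the newest version, which is worth confirming. Line 14 is also missing the space after `<%` that every other tag has.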
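--- a/data/lib/chef/resource/support/client.erb
+++ b/data/lib/chef/resource/support/client.erb
@@ -18,10 +18,17 @@
 @pid_file
 @policy_group
 @policy_name
-@ssl_verify_mode
+@ssl_verify_mode
+@policy_persist_run_list).each do |prop| -%>
 <% next if instance_variable_get(prop).nil? || instance_variable_get(prop).empty? -%>
 <%=prop.delete_prefix("@") %> <%= instance_variable_get(prop).inspect %>
 <% end -%>
+<%# ohai_disabled_plugins and ohai_optional_plugins properties don't match the config value perfectly-%>
+<% %w(@ohai_disabled_plugins
+@ohai_optional_plugins).each do |prop| -%>
+<% next if instance_variable_get(prop).nil? || instance_variable_get(prop).empty? -%>
+<%=prop.gsub("@ohai_", "ohai.") %> <%= instance_variable_get(prop).inspect %>
+<% end -%>
 <%# log_location is special due to STDOUT/STDERR from String -> IO Object -%>
 <% unless @log_location.nil? %>
 <% if @log_location.is_a?(String) && %w(STDOUT STDERR).include?(@log_location) -%>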
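Review bot: The guard on new line 23, `<% next if instance_variable_get(prop).nil? || instance_variable_get(prop).empty? -%>`, now also runs for `@policy_persist_run_list`, which line 22 adds to the property list; if that property is a boolean, as its name suggests, `false.empty?` raises `NoMethodError` at render time whenever the option is explicitly set to false. Calling `empty?` only on values that respond to it avoids this: `<% value = instance_variable_get(prop) -%>` followed by `<% next if value.nil? || (value.respond_to?(:empty?) && value.empty?) -%>`. The `%w(` list that this `.each` closes over starts above the hunk, so the same guard covers every property in it.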
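--- /dev/null
+++ b/data/lib/chef/resource/support/sup.toml.erb
@@ -0,0 +1,179 @@
+# sup.toml
+# Used for passing configuration options to the Chef Habitat supervisor
+# This file is controlled by the 'habitat' cookbook and should not be modified by hand -- local modifications may be overwritten.
+
+### The listen address for the Gossip Gateway
+<% if @listen_gossip %>
+listen_gossip = "<%= @listen_gossip %>"
+<% end %>
+
+### Start the supervisor in local mode
+# local_gossip_mode =
+
+### The listen address for the HTTP Gateway
+<% if @listen_http %>
+listen_http = "<%= @listen_http %>"
+<% end %>
+### Disable the HTTP Gateway completely
+# http_disable =
+
+### The listen address for the Control Gateway
+<% if @listen_ctl %>
+listen_ctl = "<%= @listen_ctl %>"
+<% end %>
+### The organization the Supervisor and its services are part of
+<% if @organization %>
+organization = "<%= @organization %>"
+<% end %>
+### The listen address of one or more initial peers (IP[:PORT])
+<% if @peer %>
+peer = <%= @peer %>
+<% end %>
+### Make this Supervisor a permanent peer
+<% if @permanent_peer %>
+permanent_peer = <%= @permanent_peer %>
+<% end %>
+### Watch this file for connecting to the ring
+# peer_watch_file =
+
+### Cache for creating and searching for encryption keys
+# cache_key_path =
+
+### The name of the ring used by the Supervisor when running with wire encryption
+<% if @ring %>
+ring = "<%= @ring %>"
+<% end %>
+### Use the package config from this path rather than the package itself
+# config_from =
+
+### Enable automatic updates for the Supervisor itself
+<% if @auto_update %>
+auto_update = <%= @auto_update %>
+<% end %>
+### The period of time in seconds between Supervisor update checks
+# auto_update_period =
+
+### The period of time in seconds between service update checks
+# service_update_period =
+
+### The private key for HTTP Gateway TLS encryption
+###
+### Read the private key from KEY_FILE. This should be an RSA private key or PKCS8-encoded private key in PEM format.
+# key_file =
+
+### The server certificates for HTTP Gateway TLS encryption
+###
+### Read server certificates from CERT_FILE. This should contain PEM-format certificates in the right order. The first certificate should certify KEY_FILE. The last should be a root CA.
+# cert_file =
+
+### The CA certificate for HTTP Gateway TLS encryption
+###
+### Read the CA certificate from CA_CERT_FILE. This should contain PEM-format certificate that can be used to validate client requests
+# ca_cert_file =
+
+### Load a Habitat package as part of the Supervisor startup
+###
+### The package can be specified by a package identifier (ex: core/redis) or filepath to a Habitat artifact (ex: /home/core-redis-3.0.7-21120102031201-x86_64-linux.hart).
+# pkg_ident_or_artifact =
+
+### Verbose output showing file and line/column numbers
+# verbose =
+
+### Turn ANSI color off
+# no_color =
+
+### Use structured JSON logging for the Supervisor
+###
+### This option also sets NO_COLOR.
+# json_logging =
+
+### The IPv4 address to use as the `sys.ip` template variable
+###
+### If this argument is not set, the supervisor tries to dynamically determine an IP address. If that fails, the supervisor defaults to using `127.0.0.1`.
+# sys_ip_address =
+
+### The name of the application for event stream purposes
+###
+### This will be attached to all events generated by this Supervisor.
+<% if @event_stream_application %>
+event_stream_application = "<%= @event_stream_application %>"
+<% end %>
+### The name of the environment for event stream purposes
+###
+### This will be attached to all events generated by this Supervisor.
+<% if @event_stream_environment %>
+event_stream_environment = "<%= @event_stream_environment %>"
+<% end %>
+### Event stream connection timeout before exiting the Supervisor
+###
+### Set to '0' to immediately start the Supervisor and continue running regardless of the initial connection status.
+# event_stream_connect_timeout =
+
+### The event stream connection url used to send events to Chef Automate
+###
+### This enables the event stream and requires EVENT_STREAM_APPLICATION, EVENT_STREAM_ENVIRONMENT, and EVENT_STREAM_TOKEN also be set.
+<% if @event_stream_url %>
+event_stream_url = "<%= @event_stream_url %>"
+<% end %>
+### The name of the site where this Supervisor is running for event stream purposes
+<% if @event_stream_site %>
+event_stream_site = "<%= @event_stream_site %>"
+<% end %>
+### The authentication token for connecting the event stream to Chef Automate
+<% if @event_stream_token %>
+event_stream_token = "<%= @event_stream_token %>"
+<% end %>
+### An arbitrary key-value pair to add to each event generated by this Supervisor
+# event_meta = []
+
+### The path to Chef Automate's event stream certificate used to establish a TLS connection
+###
+### The certificate should be in PEM format.
+<% if @event_stream_server_certificate %>
+event_stream_server_certificate = "<%= @event_stream_server_certificate %>"
+<% end %>
+### Automatically cleanup old packages
+###
+### The Supervisor will automatically cleanup old packages only keeping the KEEP_LATEST_PACKAGES latest packages. If this argument is not specified, no automatic package cleanup is performed.
+<% if @keep_latest_packages %>
+keep_latest_packages = "<%= @keep_latest_packages %>"
+<% end %>
+### Receive updates from the specified release channel
+# channel =
+
+### Specify an alternate Builder endpoint. If not specified, the value will be taken from the HAB_BLDR_URL environment variable if defined. (default: https://bldr.habitat.sh)
+<% if @bldr_url %>
+bldr_url = "<%= @bldr_url %>"
+<% end %>
+### The service group with shared config and topology
+# group =
+
+### Service topology
+# topology =
+
+### The update strategy
+# strategy =
+
+### The condition dictating when this service should update
+###
+### latest: Runs the latest package that can be found in the configured channel and local packages.
+###
+### track-channel: Always run what is at the head of a given channel. This enables service rollback where demoting a package from a channel will cause the package to rollback to an older version of the package. A ramification of enabling this condition is packages newer than the package at the head of the channel will be automatically uninstalled during a service rollback.
+<% if @update_condition %>
+update_condition = "<%= @update_condition %>"
+<% end %>
+### One or more service groups to bind to a configuration
+# bind = []
+
+### Governs how the presence or absence of binds affects service startup
+###
+### strict: blocks startup until all binds are present.
+# binding_mode =
+
+### The interval in seconds on which to run health checks
+# health_check_interval =
+
+### The delay in seconds after sending the shutdown signal to wait before killing the service process
+###
+### The default value can be set in the packages plan file.
+# shutdown_timeout =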
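Review bot: The header comment on line 3, `# This file is controlled by the 'habitat' cookbook and should not be modified by hand`, is stale now that the template ships inside chef's own `lib/chef/resource/support`; it should name the Chef resource that renders it, along the lines of `# This file is managed by Chef (habitat_sup resource) and should not be modified by hand -- local modifications may be overwritten.` (habitat_sup being the presumed renderer, to be confirmed). Line 30 emits `peer = <%= @peer %>` unquoted while every other string option in the file is quoted; that is valid TOML only when `@peer` is a Ruby Array, whose `to_s` happens to match TOML array syntax, so a plain String value would produce an unparsable `sup.toml` — normalising with `Array(@peer)` in the resource or in the tag would remove the ambiguity. Line 124 writes `event_stream_token` into the file in clear text, which the supervisor requires, so the resource rendering this template should mark it `sensitive true` to keep the token out of the converge diff output; that cannot be checked from this hunk.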
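--- /dev/null
+++ b/data/lib/chef/resource/windows_defender.rb
@@ -0,0 +1,163 @@
+#
+# Copyright:: Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+
+class Chef
+class Resource
+class WindowsDefender < Chef::Resource
+unified_mode true
+provides :windows_defender
+
+description "Use the **windows_defender** resource to enable or disable the Microsoft Windows Defender service."
+introduced "17.3"
+examples <<~DOC
+**Configure Windows Defender AV settings**:
+
+```ruby
+windows_defender 'Configure Defender' do
+realtime_protection true
+intrusion_protection_system true
+lock_ui true
+scan_archives true
+scan_scripts true
+scan_email true
+scan_removable_drives true
+scan_network_files false
+scan_mapped_drives false
+action :enable
+end
+```
+
+**Disable Windows Defender AV**:
+
+```ruby
+windows_defender 'Disable Defender' do
+action :disable
+end
+```
+DOC
+
+# DisableIOAVProtection
+property :realtime_protection, [true, false],
+default: true,
+description: "Enable realtime scanning of downloaded files and attachments."
+
+# DisableIntrusionPreventionSystem
+property :intrusion_protection_system, [true, false],
+default: true,
+description: "Enable network protection against exploitation of known vulnerabilities."
+
+# UILockdown
+property :lock_ui, [true, false],
+description: "Lock the UI to prevent users from changing Windows Defender settings.",
+default: false
+
+# DisableArchiveScanning
+property :scan_archives, [true, false],
+default: true,
+description: "Scan file archives such as .zip or .gz archives."
+
+# DisableScriptScanning
+property :scan_scripts, [true, false],
+default: false,
+description: "Scan scripts in malware scans."
+
+# DisableEmailScanning
+property :scan_email, [true, false],
+default: false,
+description: "Scan e-mails for malware."
+
+# DisableRemovableDriveScanning
+property :scan_removable_drives, [true, false],
+default: false,
+description: "Scan content of removable drives."
+
+# DisableScanningNetworkFiles
+property :scan_network_files, [true, false],
+default: false,
+description: "Scan files on a network."
+
+# DisableScanningMappedNetworkDrivesForFullScan
+property :scan_mapped_drives, [true, false],
+default: true,
+description: "Scan files on mapped network drives."
+
+load_current_value do
+values = powershell_exec!("Get-MPpreference").result
+
+lock_ui values["UILockdown"]
+realtime_protection !values["DisableIOAVProtection"]
+intrusion_protection_system !values["DisableIntrusionPreventionSystem"]
+scan_archives !values["DisableArchiveScanning"]
+scan_scripts !values["DisableScriptScanning"]
+scan_email !values["DisableEmailScanning"]
+scan_removable_drives !values["DisableRemovableDriveScanning"]
+scan_network_files !values["DisableScanningNetworkFiles"]
+scan_mapped_drives !values["DisableScanningMappedNetworkDrivesForFullScan"]
+end
+
+action :enable, description: "Enable and configure Windows Defender." do
+windows_service "Windows Defender" do
+service_name "WinDefend"
+action %i{start enable}
+startup_type :automatic
+end
+
+converge_if_changed do
+powershell_exec!(set_mppreference_cmd)
+end
+end
+
+action :disable, description: "Disable Windows Defender." do
+windows_service "Windows Defender" do
+service_name "WinDefend"
+action %i{disable stop}
+end
+end
+
+action_class do
+require "chef/mixin/powershell_type_coercions"
+include Chef::Mixin::PowershellTypeCoercions
+
+PROPERTY_TO_PS_MAP = {
+realtime_protection: "DisableIOAVProtection",
+intrusion_protection_system: "DisableIntrusionPreventionSystem",
+scan_archives: "DisableArchiveScanning",
+scan_scripts: "DisableScriptScanning",
+scan_email: "DisableEmailScanning",
+scan_removable_drives: "DisableRemovableDriveScanning",
+scan_network_files: "DisableScanningNetworkFiles",
+scan_mapped_drives: "DisableScanningMappedNetworkDrivesForFullScan",
+}.freeze
+
+def set_mppreference_cmd
+cmd = "Set-MpPreference -Force"
+cmd << " -UILockdown #{type_coercion(new_resource.lock_ui)}"
+
+# the values are the opposite in Set-MpPreference and our properties so we have to iterate
+# over the list and negate the provided values so it makes sense with the cmdlet flag's expected value
+PROPERTY_TO_PS_MAP.each do |prop, flag|
+next if new_resource.send(prop).nil? || current_resource.send(prop) == new_resource.send(prop)
+
+cmd << " -#{flag} #{type_coercion(!new_resource.send(prop))}"
+end
+cmd
+end
+end
+end
+end
+end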
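Review bot: The `realtime_protection` property is, per the `# DisableIOAVProtection` comment on line 54 and `PROPERTY_TO_PS_MAP` on line 137, tied only to `DisableIOAVProtection`, which covers scanning of downloaded files and attachments; the name invites readers to assume it also governs Defender's overall real-time monitoring, which this resource never touches, and that gap matters for anyone relying on it to harden a host. Make the scope explicit in the description, e.g. `description: "Enable realtime scanning of downloaded files and attachments (IOAV protection). Does not control Defender's overall real-time monitoring."`, or keep a distinctly named property for that setting. In the `:enable` action, `action %i{start enable}` on line 116 runs `start` before `enable`; on a host where the `:disable` action has previously run the service is disabled at that point, and starting a disabled Windows service is expected to fail before the startup type is changed — `%i{enable start}` looks like the safer order, worth confirming against the windows_service provider.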