chef 17.2.29 → 17.3.48

data/lib/chef/resource/habitat_user_toml.rb

@@ -0,0 +1,92 @@
+# Copyright:: Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing
+
+require_relative "../resource"
+class Chef
+  class Resource
+    class HabitatUserToml < Chef::Resource
+      unified_mode true
+      provides :habitat_user_toml
+
+      description "Use the **habitat_user_toml** to template a `user.toml` for Chef Habitat services. Configurations set in the  `user.toml` override the `default.toml` for a given package, which makes it an alternative to applying service group level configuration."
+      introduced "17.3"
+      examples <<~DOC
+      **Configure user specific settings to nginx**
+
+      ```ruby
+      habitat_user_toml 'nginx' do
+        config({
+          worker_count: 2,
+          http: {
+            keepalive_timeout: 120
+          }
+          })
+        end
+        ```
+      DOC
+
+      property :config, Mash, required: true, coerce: proc { |m| m.is_a?(Hash) ? Mash.new(m) : m },
+        description: "Only valid for `:create` action. The configuration to apply as a ruby hash, for example, `{ worker_count: 2, http: { keepalive_timeout: 120 } }`."
+
+      property :service_name, String, name_property: true, desired_state: false,
+        description: "The service group to apply the configuration to, for example, `nginx.default`."
+
+      action :create, description: "(default action) Create the user.toml from the specified config." do
+        directory config_directory do
+          mode "0755"
+          owner root_owner
+          group node["root_group"]
+          recursive true
+        end
+
+        file "#{config_directory}/user.toml" do
+          mode "0600"
+          owner root_owner
+          group node["root_group"]
+          content render_toml(new_resource.config)
+          sensitive true
+        end
+      end
+
+      action :delete, description: "Delete the user.toml" do
+        file "#{config_directory}/user.toml" do
+          sensitive true
+          action :delete
+        end
+      end
+
+      action_class do
+        def config_directory
+          windows? ? "C:/hab/user/#{new_resource.service_name}/config" : "/hab/user/#{new_resource.service_name}/config"
+        end
+
+        def wmi_property_from_query(wmi_property, wmi_query)
+          @wmi = ::WIN32OLE.connect("winmgmts://")
+          result = @wmi.ExecQuery(wmi_query)
+          return unless result.each.count > 0
+
+          result.each.next.send(wmi_property)
+        end
+
+        def root_owner
+          if windows?
+            wmi_property_from_query(:name, "select * from Win32_UserAccount where sid like 'S-1-5-21-%-500' and LocalAccount=True")
+          else
+            "root"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/lwrp_base.rb

@@ -37,7 +37,7 @@ class Chef
     class LWRPBase < Resource
 
       # Class methods
-      class <<self
+      class << self
 
         include Chef::Mixin::ConvertToClassName
         include Chef::Mixin::FromFile

data/lib/chef/resource/support/HabService.dll.config.erb

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <appSettings>
+    <add key="debug" value="false" />
+    <% if @auth_token %>
+    <add key="ENV_HAB_AUTH_TOKEN" value="<%= @auth_token %>" />
+    <% end %>
+    <% if @gateway_auth_token %>
+    <add key="ENV_HAB_SUP_GATEWAY_AUTH_TOKEN" value="<%= @gateway_auth_token %>" />
+    <% end %>
+    <% if @bldr_url %>
+    <add key="ENV_HAB_BLDR_URL" value="<%= @bldr_url %>" />
+    <% end %>
+    <%if  @exec_start_options %>
+    <add key="launcherArgs" value="--no-color <%= @exec_start_options %>" />
+    <% end %>
+    <add key="launcherPath" value="C:\Hab\pkgs\<%= `hab pkg list core/hab-launcher`.split().last %>\bin\hab-launch.exe"/>
+  </appSettings>
+</configuration>

data/lib/chef/resource/support/client.erb

@@ -18,10 +18,17 @@
       @pid_file
       @policy_group
       @policy_name
-      @ssl_verify_mode).each do |prop| -%>
+      @ssl_verify_mode
+      @policy_persist_run_list).each do |prop| -%>
 <% next if instance_variable_get(prop).nil? || instance_variable_get(prop).empty? -%>
 <%=prop.delete_prefix("@") %> <%= instance_variable_get(prop).inspect %>
 <% end -%>
+<%# ohai_disabled_plugins and ohai_optional_plugins properties don't match the config value perfectly-%>
+<% %w(@ohai_disabled_plugins
+      @ohai_optional_plugins).each do |prop| -%>
+<% next if instance_variable_get(prop).nil? || instance_variable_get(prop).empty? -%>
+<%=prop.gsub("@ohai_", "ohai.") %> <%= instance_variable_get(prop).inspect %>
+<% end -%>
 <%# log_location is special due to STDOUT/STDERR from String -> IO Object -%>
 <% unless @log_location.nil? %>
   <% if @log_location.is_a?(String) && %w(STDOUT STDERR).include?(@log_location) -%>

data/lib/chef/resource/support/sup.toml.erb

@@ -0,0 +1,179 @@
+# sup.toml
+# Used for passing configuration options to the Chef Habitat supervisor
+# This file is controlled by the 'habitat' cookbook and should not be modified by hand -- local modifications may be overwritten.
+
+### The listen address for the Gossip Gateway
+<% if @listen_gossip %>
+listen_gossip = "<%= @listen_gossip %>"
+<% end %>
+
+### Start the supervisor in local mode
+# local_gossip_mode =
+
+### The listen address for the HTTP Gateway
+<% if @listen_http %>
+listen_http = "<%= @listen_http %>"
+<% end %>
+### Disable the HTTP Gateway completely
+# http_disable =
+
+### The listen address for the Control Gateway
+<% if @listen_ctl %>
+listen_ctl = "<%= @listen_ctl %>"
+<% end %>
+### The organization the Supervisor and its services are part of
+<% if @organization %>
+organization = "<%= @organization %>"
+<% end %>
+### The listen address of one or more initial peers (IP[:PORT])
+<% if @peer %>
+peer =  <%= @peer %>
+<% end %>
+### Make this Supervisor a permanent peer
+<% if @permanent_peer %>
+permanent_peer = <%= @permanent_peer %>
+<% end %>
+### Watch this file for connecting to the ring
+# peer_watch_file =
+
+### Cache for creating and searching for encryption keys
+# cache_key_path =
+
+### The name of the ring used by the Supervisor when running with wire encryption
+<% if @ring %>
+ring = "<%= @ring %>"
+<% end %>
+### Use the package config from this path rather than the package itself
+# config_from =
+
+### Enable automatic updates for the Supervisor itself
+<% if @auto_update %>
+auto_update = <%= @auto_update %>
+<% end %>
+### The period of time in seconds between Supervisor update checks
+# auto_update_period =
+
+### The period of time in seconds between service update checks
+# service_update_period =
+
+### The private key for HTTP Gateway TLS encryption
+###
+### Read the private key from KEY_FILE. This should be an RSA private key or PKCS8-encoded private key in PEM format.
+# key_file =
+
+### The server certificates for HTTP Gateway TLS encryption
+###
+### Read server certificates from CERT_FILE. This should contain PEM-format certificates in the right order. The first certificate should certify KEY_FILE. The last should be a root CA.
+# cert_file =
+
+### The CA certificate for HTTP Gateway TLS encryption
+###
+### Read the CA certificate from CA_CERT_FILE. This should contain PEM-format certificate that can be used to validate client requests
+# ca_cert_file =
+
+### Load a Habitat package as part of the Supervisor startup
+###
+### The package can be specified by a package identifier (ex: core/redis) or filepath to a Habitat artifact (ex: /home/core-redis-3.0.7-21120102031201-x86_64-linux.hart).
+# pkg_ident_or_artifact =
+
+### Verbose output showing file and line/column numbers
+# verbose =
+
+### Turn ANSI color off
+# no_color =
+
+### Use structured JSON logging for the Supervisor
+###
+### This option also sets NO_COLOR.
+# json_logging =
+
+### The IPv4 address to use as the `sys.ip` template variable
+###
+### If this argument is not set, the supervisor tries to dynamically determine an IP address. If that fails, the supervisor defaults to using `127.0.0.1`.
+# sys_ip_address =
+
+### The name of the application for event stream purposes
+###
+### This will be attached to all events generated by this Supervisor.
+<% if @event_stream_application %>
+event_stream_application = "<%= @event_stream_application %>"
+<% end %>
+### The name of the environment for event stream purposes
+###
+### This will be attached to all events generated by this Supervisor.
+<% if @event_stream_environment %>
+event_stream_environment = "<%= @event_stream_environment %>"
+<% end %>
+### Event stream connection timeout before exiting the Supervisor
+###
+### Set to '0' to immediately start the Supervisor and continue running regardless of the initial connection status.
+# event_stream_connect_timeout =
+
+### The event stream connection url used to send events to Chef Automate
+###
+### This enables the event stream and requires EVENT_STREAM_APPLICATION, EVENT_STREAM_ENVIRONMENT, and EVENT_STREAM_TOKEN also be set.
+<% if @event_stream_url %>
+event_stream_url = "<%= @event_stream_url %>"
+<% end %>
+### The name of the site where this Supervisor is running for event stream purposes
+<% if @event_stream_site %>
+event_stream_site = "<%= @event_stream_site %>"
+<% end %>
+### The authentication token for connecting the event stream to Chef Automate
+<% if @event_stream_token %>
+event_stream_token = "<%= @event_stream_token %>"
+<% end %>
+### An arbitrary key-value pair to add to each event generated by this Supervisor
+# event_meta = []
+
+### The path to Chef Automate's event stream certificate used to establish a TLS connection
+###
+### The certificate should be in PEM format.
+<% if @event_stream_server_certificate %>
+event_stream_server_certificate = "<%= @event_stream_server_certificate %>"
+<% end %>
+### Automatically cleanup old packages
+###
+### The Supervisor will automatically cleanup old packages only keeping the KEEP_LATEST_PACKAGES latest packages. If this argument is not specified, no automatic package cleanup is performed.
+<% if @keep_latest_packages %>
+keep_latest_packages = "<%= @keep_latest_packages %>"
+<% end %>
+### Receive updates from the specified release channel
+# channel =
+
+### Specify an alternate Builder endpoint. If not specified, the value will be taken from the HAB_BLDR_URL environment variable if defined. (default: https://bldr.habitat.sh)
+<% if @bldr_url %>
+bldr_url = "<%= @bldr_url %>"
+<% end %>
+### The service group with shared config and topology
+# group =
+
+### Service topology
+# topology =
+
+### The update strategy
+# strategy =
+
+### The condition dictating when this service should update
+###
+### latest: Runs the latest package that can be found in the configured channel and local packages.
+###
+### track-channel: Always run what is at the head of a given channel. This enables service rollback where demoting a package from a channel will cause the package to rollback to an older version of the package. A ramification of enabling this condition is packages newer than the package at the head of the channel will be automatically uninstalled during a service rollback.
+<% if @update_condition %>
+update_condition = "<%= @update_condition %>"
+<% end %>
+### One or more service groups to bind to a configuration
+# bind = []
+
+### Governs how the presence or absence of binds affects service startup
+###
+### strict: blocks startup until all binds are present.
+# binding_mode =
+
+### The interval in seconds on which to run health checks
+# health_check_interval =
+
+### The delay in seconds after sending the shutdown signal to wait before killing the service process
+###
+### The default value can be set in the packages plan file.
+# shutdown_timeout =

data/lib/chef/resource/windows_defender.rb

@@ -0,0 +1,163 @@
+#
+# Copyright:: Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+
+class Chef
+  class Resource
+    class WindowsDefender < Chef::Resource
+      unified_mode true
+      provides :windows_defender
+
+      description "Use the **windows_defender** resource to enable or disable the Microsoft Windows Defender service."
+      introduced "17.3"
+      examples <<~DOC
+      **Configure Windows Defender AV settings**:
+
+      ```ruby
+      windows_defender 'Configure Defender' do
+        realtime_protection true
+        intrusion_protection_system true
+        lock_ui true
+        scan_archives true
+        scan_scripts true
+        scan_email true
+        scan_removable_drives true
+        scan_network_files false
+        scan_mapped_drives false
+        action :enable
+      end
+      ```
+
+      **Disable Windows Defender AV**:
+
+      ```ruby
+      windows_defender 'Disable Defender' do
+        action :disable
+      end
+      ```
+      DOC
+
+      # DisableIOAVProtection
+      property :realtime_protection, [true, false],
+        default: true,
+        description: "Enable realtime scanning of downloaded files and attachments."
+
+      # DisableIntrusionPreventionSystem
+      property :intrusion_protection_system, [true, false],
+        default: true,
+        description: "Enable network protection against exploitation of known vulnerabilities."
+
+      # UILockdown
+      property :lock_ui, [true, false],
+        description: "Lock the UI to prevent users from changing Windows Defender settings.",
+        default: false
+
+      # DisableArchiveScanning
+      property :scan_archives, [true, false],
+        default: true,
+        description: "Scan file archives such as .zip or .gz archives."
+
+      # DisableScriptScanning
+      property :scan_scripts, [true, false],
+        default: false,
+        description: "Scan scripts in malware scans."
+
+      # DisableEmailScanning
+      property :scan_email, [true, false],
+        default: false,
+        description: "Scan e-mails for malware."
+
+      # DisableRemovableDriveScanning
+      property :scan_removable_drives, [true, false],
+        default: false,
+        description: "Scan content of removable drives."
+
+      # DisableScanningNetworkFiles
+      property :scan_network_files, [true, false],
+        default: false,
+        description: "Scan files on a network."
+
+      # DisableScanningMappedNetworkDrivesForFullScan
+      property :scan_mapped_drives, [true, false],
+        default: true,
+        description: "Scan files on mapped network drives."
+
+      load_current_value do
+        values = powershell_exec!("Get-MPpreference").result
+
+        lock_ui values["UILockdown"]
+        realtime_protection !values["DisableIOAVProtection"]
+        intrusion_protection_system !values["DisableIntrusionPreventionSystem"]
+        scan_archives !values["DisableArchiveScanning"]
+        scan_scripts !values["DisableScriptScanning"]
+        scan_email !values["DisableEmailScanning"]
+        scan_removable_drives !values["DisableRemovableDriveScanning"]
+        scan_network_files !values["DisableScanningNetworkFiles"]
+        scan_mapped_drives !values["DisableScanningMappedNetworkDrivesForFullScan"]
+      end
+
+      action :enable, description: "Enable and configure Windows Defender." do
+        windows_service "Windows Defender" do
+          service_name "WinDefend"
+          action %i{start enable}
+          startup_type :automatic
+        end
+
+        converge_if_changed do
+          powershell_exec!(set_mppreference_cmd)
+        end
+      end
+
+      action :disable, description: "Disable Windows Defender." do
+        windows_service "Windows Defender" do
+          service_name "WinDefend"
+          action %i{disable stop}
+        end
+      end
+
+      action_class do
+        require "chef/mixin/powershell_type_coercions"
+        include Chef::Mixin::PowershellTypeCoercions
+
+        PROPERTY_TO_PS_MAP = {
+          realtime_protection: "DisableIOAVProtection",
+          intrusion_protection_system: "DisableIntrusionPreventionSystem",
+          scan_archives: "DisableArchiveScanning",
+          scan_scripts: "DisableScriptScanning",
+          scan_email: "DisableEmailScanning",
+          scan_removable_drives: "DisableRemovableDriveScanning",
+          scan_network_files: "DisableScanningNetworkFiles",
+          scan_mapped_drives: "DisableScanningMappedNetworkDrivesForFullScan",
+        }.freeze
+
+        def set_mppreference_cmd
+          cmd = "Set-MpPreference -Force"
+          cmd << " -UILockdown #{type_coercion(new_resource.lock_ui)}"
+
+          # the values are the opposite in Set-MpPreference and our properties so we have to iterate
+          # over the list and negate the provided values so it makes sense with the cmdlet flag's expected value
+          PROPERTY_TO_PS_MAP.each do |prop, flag|
+            next if new_resource.send(prop).nil? || current_resource.send(prop) == new_resource.send(prop)
+
+            cmd << " -#{flag} #{type_coercion(!new_resource.send(prop))}"
+          end
+          cmd
+        end
+      end
+    end
+  end
+end