author | Tim Smith <tsmith@chef.io> | 2020-03-05 22:37:43 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-05 22:37:43 -0800 |
commit | cf54870374035e47f4efd7b2a2dea2b371a4ec88 (patch) | |
tree | fc7c0506404420609d25a7eadbf38217362e2718 | |
parent | 67dfead0a709f22643d4afb849d45a88dc432675 (diff) | |
parent | a7b3b3d29adc087333f14ec41d55c299e29022db (diff) | |
Merge pull request #9280 from MsysTechnologiesllc/ash/add_windows_security_policy_resource
Add windows_security_policy resource
-rw-r--r-- | lib/chef/resource/windows_security_policy.rb | 90 | ||||
-rw-r--r-- | lib/chef/resources.rb | 1 | ||||
-rw-r--r-- | spec/functional/resource/windows_security_policy_spec.rb | 90 |
3 files changed, 181 insertions, 0 deletions
diff --git a/lib/chef/resource/windows_security_policy.rb b/lib/chef/resource/windows_security_policy.rb
new file mode 100644
index 0000000000..65d52acca8
--- /dev/null
+++ b/lib/chef/resource/windows_security_policy.rb
@@ -0,0 +1,90 @@
+#
+# Author:: Ashwini Nehate (<anehate@chef.io>)
+# Author:: Davin Taddeo (<davin@chef.io>)
+# Author:: Jeff Brimager (<jbrimager@chef.io>)
+# Copyright:: 2019-2020, Chef Software Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+
+class Chef
+ class Resource
+ class WindowsSecurityPolicy < Chef::Resource
+ resource_name :windows_security_policy
+
+ # The valid policy_names options found here
+ # https://github.com/ChrisAWalker/cSecurityOptions under 'AccountSettings'
+ policy_names = %w{MinimumPasswordAge
+ MaximumPasswordAge
+ MinimumPasswordLength
+ PasswordComplexity
+ PasswordHistorySize
+ LockoutBadCount
+ RequireLogonToChangePassword
+ ForceLogoffWhenHourExpire
+ NewAdministratorName
+ NewGuestName
+ ClearTextPassword
+ LSAAnonymousNameLookup
+ EnableAdminAccount
+ EnableGuestAccount
+ }
+ description "Use the windows_security_policy resource to set a security policy on the Microsoft Windows platform."
+ introduced "16.0"
+
+ property :secoption, String, name_property: true, required: true, equal_to: policy_names,
+ description: "The name of the policy to be set on windows platform to maintain its security."
+
+ property :secvalue, String, required: true,
+ description: "Policy value to be set for policy name."
+
+ action :set do
+ security_option = new_resource.secoption
+ security_value = new_resource.secvalue
+ powershell_script "#{security_option} set to #{security_value}" do
+ convert_boolean_return true
+ code <<-EOH
+ $security_option = "#{security_option}"
+ if ( ($security_option -match "NewGuestName") -Or ($security_option -match "NewAdministratorName") )
+ {
+ $#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace '#{security_option}\\s*=\\s*\\"\\w*\\"', '#{security_option} = "#{security_value}"' } | Set-Content $env:TEMP\\#{security_option}_Export.inf
+ C:\\Windows\\System32\\secedit /configure /db $env:windir\\security\\new.sdb /cfg $env:TEMP\\#{security_option}_Export.inf /areas SECURITYPOLICY
+ }
+ else
+ {
+ $#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace "#{security_option}\\s*=\\s*\\d*", "#{security_option} = #{security_value}" } | Set-Content $env:TEMP\\#{security_option}_Export.inf
+ C:\\Windows\\System32\\secedit /configure /db $env:windir\\security\\new.sdb /cfg $env:TEMP\\#{security_option}_Export.inf /areas SECURITYPOLICY
+ }
+ Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
+ EOH
+ not_if <<-EOH
+ $#{security_option}_Export = C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf
+ $ExportAudit = (Get-Content $env:TEMP\\#{security_option}_Export.inf | Select-String -Pattern #{security_option})
+ $check_digit = $ExportAudit -match '#{security_option} = #{security_value}'
+ $check_string = $ExportAudit -match '#{security_option} = "#{security_value}"'
+ if ( $check_string -Or $check_digit )
+ {
+ Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
+ $true
+ }
+ else
+ {
+ $false
+ }
+ EOH
+ end
+ end
+ end
+ end
+end
diff --git a/lib/chef/resources.rb b/lib/chef/resources.rb
index 8bdd207e84..7d9a24c830 100644
--- a/lib/chef/resources.rb
+++ b/lib/chef/resources.rb
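Review bot: The `-match` patterns on the `$check_digit` and `$check_string` lines of the `not_if` guard are unanchored regexes, so a current numeric setting of `300` satisfies `'MaximumPasswordAge = 30'` and the `:set` action is skipped without converging; anchoring the end of the line should fix it, e.g. `$check_digit = $ExportAudit -match '#{security_option} = #{security_value}$'` and `$check_string = $ExportAudit -match '#{security_option} = "#{security_value}"$'`. Related: `secvalue` is a bare `String` that is interpolated unescaped into both the PowerShell script and these regexes (unlike `secoption`, which `equal_to: policy_names` restricts), so a value containing a quote or regex metacharacters changes the generated script and the guard's meaning instead of being treated as data; a `regex:` or `callbacks:` validation on the `secvalue` property, or `[regex]::Escape(...)` around the interpolated value in the guard, would close that. Both branches of the `if`/`else` in `code` also run the identical `secedit /configure` line, which can be hoisted below the conditional to remove the duplication.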
@@ -159,3 +159,4 @@ require_relative "resource/windows_uac"
 require_relative "resource/windows_workgroup"
 require_relative "resource/timezone"
 require_relative "resource/windows_user_privilege"
+require_relative "resource/windows_security_policy"
diff --git a/spec/functional/resource/windows_security_policy_spec.rb b/spec/functional/resource/windows_security_policy_spec.rb
new file mode 100644
index 0000000000..db100f5bd2
--- /dev/null
+++ b/spec/functional/resource/windows_security_policy_spec.rb
@@ -0,0 +1,90 @@
+#
+# Author:: Ashwini Nehate (<anehate@chef.io>)
+# Copyright:: Copyright 2019-2020, Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+require "functional/resource/base"
+require "chef/mixin/powershell_out"
+
+describe Chef::Resource::WindowsSecurityPolicy, :windows_only do
+ include Chef::Mixin::PowershellExec
+
+ let(:secoption) { "MaximumPasswordAge" }
+ let(:secvalue) { "30" }
+ let(:windows_test_run_context) do
+ node = Chef::Node.new
+ node.consume_external_attrs(OHAI_SYSTEM.data, {}) # node[:languages][:powershell][:version]
+ node.automatic["os"] = "windows"
+ node.automatic["platform"] = "windows"
+ node.automatic["platform_version"] = "6.1"
+ node.automatic["kernel"][:machine] = :x86_64 # Only 64-bit architecture is supported
+ empty_events = Chef::EventDispatch::Dispatcher.new
+ Chef::RunContext.new(node, {}, empty_events)
+ end
+
+ subject do
+ new_resource = Chef::Resource::WindowsSecurityPolicy.new(secoption, windows_test_run_context)
+ new_resource.secoption = secoption
+ new_resource.secvalue = secvalue
+ new_resource
+ end
+
+ describe "Set MaximumPasswordAge Policy" do
+ after {
+ subject.secvalue("60")
+ subject.run_action(:set)
+ }
+
+ it "should set MaximumPasswordAge to 30" do
+ subject.secvalue("30")
+ subject.run_action(:set)
+ expect(subject).to be_updated_by_last_action
+ end
+
+ it "should be idempotent" do
+ subject.secvalue("30")
+ subject.run_action(:set)
+ guardscript_and_script_time = subject.elapsed_time
+ subject.run_action(:set)
+ only_guardscript_time = subject.elapsed_time
+ expect(only_guardscript_time).to be < guardscript_and_script_time
+ end
+ end
+
+ describe "secoption and id: " do
+ it "accepts 'MinimumPasswordAge', 'MinimumPasswordAge', 'MaximumPasswordAge', 'MinimumPasswordLength', 'PasswordComplexity', 'PasswordHistorySize', 'LockoutBadCount', 'RequireLogonToChangePassword', 'ForceLogoffWhenHourExpire', 'NewAdministratorName', 'NewGuestName', 'ClearTextPassword', 'LSAAnonymousNameLookup', 'EnableAdminAccount', 'EnableGuestAccount' " do
+ expect { subject.secoption("MinimumPasswordAge") }.not_to raise_error
+ expect { subject.secoption("MaximumPasswordAge") }.not_to raise_error
+ expect { subject.secoption("MinimumPasswordLength") }.not_to raise_error
+ expect { subject.secoption("PasswordComplexity") }.not_to raise_error
+ expect { subject.secoption("PasswordHistorySize") }.not_to raise_error
+ expect { subject.secoption("LockoutBadCount") }.not_to raise_error
+ expect { subject.secoption("RequireLogonToChangePassword") }.not_to raise_error
+ expect { subject.secoption("ForceLogoffWhenHourExpire") }.not_to raise_error
+ expect { subject.secoption("NewAdministratorName") }.not_to raise_error
+ expect { subject.secoption("NewGuestName") }.not_to raise_error
+ expect { subject.secoption("ClearTextPassword") }.not_to raise_error
+ expect { subject.secoption("LSAAnonymousNameLookup") }.not_to raise_error
+ expect { subject.secoption("EnableAdminAccount") }.not_to raise_error
+ expect { subject.secoption("EnableGuestAccount") }.not_to raise_error
+ end
+
+ it "rejects any other option" do
+ expect { subject.secoption "XYZ" }.to raise_error(ArgumentError)
+ end
+ end
+end |
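Review bot: The "should be idempotent" example proves idempotence by comparing `elapsed_time` across two runs, which depends on machine timing and will be flaky; the resource's own state after the second run is the deterministic signal, so the two timing assignments and the `expect(only_guardscript_time).to be < ...` line can be replaced with `expect(subject).not_to be_updated_by_last_action` placed after the second `subject.run_action(:set)` (this presumes `run_action` resets the updated flag per run, which I believe Chef::Resource does). The `it "accepts ..."` description also lists 'MinimumPasswordAge' twice, and the file requires `chef/mixin/powershell_out` and includes `Chef::Mixin::PowershellExec` although no example calls anything from either mixin, so both lines appear to be dead setup.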