diff options
author | Patrick Schaumburg <pschaumburg@tecracer.de> | 2020-03-30 11:40:39 +0200 |
---|---|---|
committer | Patrick Schaumburg <pschaumburg@tecracer.de> | 2020-03-30 11:40:39 +0200 |
commit | c2688e6b3673d95b9a356bd9eb340c3cd713ed13 (patch) | |
tree | ad42480521ee702671f7bbf91cdac510c32ba3d8 | |
parent | 08b457f75279927d4a023d5d73e2d78aa18fdf9a (diff) | |
download | chef-c2688e6b3673d95b9a356bd9eb340c3cd713ed13.tar.gz |
add check for protocol and icmp_type during action create
Signed-off-by: Patrick Schaumburg <pschaumburg@tecracer.de>
-rw-r--r-- | lib/chef/resource/windows_firewall_rule.rb | 32 |
1 files changed, 31 insertions, 1 deletions
diff --git a/lib/chef/resource/windows_firewall_rule.rb b/lib/chef/resource/windows_firewall_rule.rb index 1f4dac4937..0ecdc22c6f 100644 --- a/lib/chef/resource/windows_firewall_rule.rb +++ b/lib/chef/resource/windows_firewall_rule.rb @@ -172,6 +172,13 @@ class Chef action :create do description "Create a Windows firewall entry." + unless is_set_properly?(new_resource.icmp_type, new_resource.protocol) + error_msg = "Verification for \"#{new_resource.rule_name}\" failed.\n" + + "It's mostly a combination of protocol (#{new_resource.protocol}) and icmp_type (#{new_resource.icmp_type}) which are not allowed.\n" + + "Please refer to: https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule" + raise Chef::Exceptions::ValidationFailed, error_msg + end + if current_resource converge_if_changed :rule_name, :description, :displayname, :local_address, :local_port, :remote_address, :remote_port, :direction, :protocol, :icmp_type, :firewall_action, :profile, :program, :service, @@ -229,12 +236,35 @@ class Chef cmd end + + # return the current firewall rule settings for icmp_type and protocol are correct + # @return [Boolean] + def is_set_properly?(icmp_type, protocol) + if icmp_type.to_s.empty? + return false + + elsif icmp_type.is_a?(Integer) + return false unless protocol.start_with?("ICMP") + return false unless (0..255).include?(icmp_type) + + elsif icmp_type.is_a?(String) + return false if !protocol.start_with?("ICMP") && icmp_type !~ /^\D+$/ + + return false if icmp_type.count("a-zA-Z") > 0 || icmp_type.count(":") > 1 + + if protocol.start_with?("ICMP") && icmp_type.include?(":") + return icmp_type.split(":").all? { |type| (0..255).include?(type.to_i) } + end + end + + return true + end end private # build the command to load the current resource - # # @return [String] current firewall state + # @return [String] current firewall state def load_firewall_state(rule_name) <<-EOH Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M |