author | Tim Smith <tsmith@chef.io> | 2020-07-02 12:46:05 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-07-02 12:46:05 -0700 |
commit | fb8edc342a1556ff452d9943937dfe19c8e4ccc5 (patch) | |
tree | 29f5b623a892d7f415f3814db2942c6444e35cb6 | |
parent | dcbe0c887b7255b6b03a1fd6f2e933f07d98e0ad (diff) | |
parent | f61ddcef61d79f9558836f69243d4cb975d89dc3 (diff) | |
Merge pull request #10064 from chef-davin/windows_security_policy
Update windows_security_policy for better idempotency
-rw-r--r-- | lib/chef/resource/windows_security_policy.rb | 69 |
1 files changed, 49 insertions, 20 deletions
diff --git a/lib/chef/resource/windows_security_policy.rb b/lib/chef/resource/windows_security_policy.rb
index 4fd38807de..434e21141c 100644
--- a/lib/chef/resource/windows_security_policy.rb
+++ b/lib/chef/resource/windows_security_policy.rb
@@ -80,13 +80,55 @@ class Chef property :secvalue, String, required: true, description: "Policy value to be set for policy name." + load_current_value do |desired| + output = powershell_exec(<<-CODE).result + C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\secopts_export.inf | Out-Null + # cspell:disable-next-line + $security_options_data = (Get-Content $env:TEMP\\secopts_export.inf | Select-String -Pattern "^[CEFLMNPR].* =.*$" | Out-String) + Remove-Item $env:TEMP\\secopts_export.inf -force + $security_options_hash = ($security_options_data -Replace '"'| ConvertFrom-StringData) + ([PSCustomObject]@{ + RequireLogonToChangePassword = $security_options_hash.RequireLogonToChangePassword + PasswordComplexity = $security_options_hash.PasswordComplexity + LSAAnonymousNameLookup = $security_options_hash.LSAAnonymousNameLookup + EnableAdminAccount = $security_options_hash.EnableAdminAccount + PasswordHistorySize = $security_options_hash.PasswordHistorySize + MinimumPasswordLength = $security_options_hash.MinimumPasswordLength + ResetLockoutCount = $security_options_hash.ResetLockoutCount + MaximumPasswordAge = $security_options_hash.MaximumPasswordAge + ClearTextPassword = $security_options_hash.ClearTextPassword + NewAdministratorName = $security_options_hash.NewAdministratorName + LockoutDuration = $security_options_hash.LockoutDuration + EnableGuestAccount = $security_options_hash.EnableGuestAccount + ForceLogoffWhenHourExpire = $security_options_hash.ForceLogoffWhenHourExpire + MinimumPasswordAge = $security_options_hash.MinimumPasswordAge + NewGuestName = $security_options_hash.NewGuestName + LockoutBadCount = $security_options_hash.LockoutBadCount + }) | ConvertTo-Json + CODE + + current_value_does_not_exist! if output.empty? 
+ state = Chef::JSONCompat.from_json(output) + + if desired.secoption == "ResetLockoutCount" || desired.secoption == "LockoutDuration" + if state["LockoutBadCount"] == "0" + raise Chef::Exceptions::ValidationFailed.new "#{desired.secoption} cannot be set unless the \"LockoutBadCount\" security policy has been set to a non-zero value" + else + secvalue state[desired.secoption.to_s] + end + else + secvalue state[desired.secoption.to_s] + end + end + action :set do - security_option = new_resource.secoption - security_value = new_resource.secvalue - powershell_script "#{security_option} set to #{security_value}" do - convert_boolean_return true - code <<-EOH + converge_if_changed :secvalue do + security_option = new_resource.secoption + security_value = new_resource.secvalue + + cmd = <<-EOH $security_option = "#{security_option}" + C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf if ( ($security_option -match "NewGuestName") -Or ($security_option -match "NewAdministratorName") ) { $#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace '#{security_option}\\s*=\\s*\\"\\w*\\"', '#{security_option} = "#{security_value}"' } | Set-Content $env:TEMP\\#{security_option}_Export.inf @@ -99,21 +141,8 @@ class Chef } Remove-Item $env:TEMP\\#{security_option}_Export.inf -force EOH - not_if <<-EOH - $#{security_option}_Export = C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf - $ExportAudit = (Get-Content $env:TEMP\\#{security_option}_Export.inf | Select-String -Pattern #{security_option}) - $check_digit = $ExportAudit -match '#{security_option} = #{security_value}' - $check_string = $ExportAudit -match '#{security_option} = "#{security_value}"' - if ( $check_string -Or $check_digit ) - { - Remove-Item $env:TEMP\\#{security_option}_Export.inf -force - $true - } - else - { - $false - } - EOH + + powershell_exec!(cmd) end end end |
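Review bot: `secvalue` is declared as an unconstrained `String` at the top of this hunk, yet the new `cmd` heredoc interpolates it verbatim into single-quoted PowerShell arguments (the `-replace` replacement `'#{security_option} = "#{security_value}"'`), so a value containing a quote changes the script that chef-client executes with its own privileges rather than the policy value; constrain the property, e.g. `property :secvalue, String, required: true, regex: /\A[^"']*\z/, description: "..."` (constructed pattern, adjust to the values the policies accept), or at minimum escape before interpolation with `security_value = new_resource.secvalue.gsub("'", "''")`. Separately, in `load_current_value` the `secedit … | Out-Null` discards secedit's exit status and a `Get-Content` failure is a non-terminating error, so a failed export still yields JSON with null fields and `current_value_does_not_exist! if output.empty?` can never fire; returning from the script when `$LASTEXITCODE` is non-zero makes that check meaningful (this assumes powershell_exec runs the code as a script block where a top-level `return` ends it — worth confirming). The nested `if`/`else` after `state = …` repeats `secvalue state[desired.secoption.to_s]` in both arms and can be flattened into one guard, and `raise Klass.new "msg"` is conventionally `raise Klass, "msg"`; the rewritten block is below. Both scripts also write to a fixed, predictable file name under `$env:TEMP` and remove it only on the success path, which is raised on the second hunk.
```ruby
      load_current_value do |desired|
        output = powershell_exec(<<-CODE).result
          C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\secopts_export.inf | Out-Null
          # an empty result makes current_value_does_not_exist! below meaningful
          if ($LASTEXITCODE -ne 0) { return }
          # … unchanged: Get-Content / ConvertFrom-StringData / PSCustomObject / ConvertTo-Json …
        CODE

        current_value_does_not_exist! if output.empty?
        state = Chef::JSONCompat.from_json(output)

        # Windows rejects a lockout duration/reset window while the lockout threshold is 0
        if %w[ResetLockoutCount LockoutDuration].include?(desired.secoption) && state["LockoutBadCount"] == "0"
          raise Chef::Exceptions::ValidationFailed, "#{desired.secoption} cannot be set unless the \"LockoutBadCount\" security policy has been set to a non-zero value"
        end

        secvalue state[desired.secoption.to_s]
      end
```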
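Review bot: `powershell_exec!(cmd)` raises on PowerShell errors, but `secedit` is a native executable, so a non-zero exit from the export at the start of `cmd` (or from the configure step that presumably sits in the unchanged lines between the two hunks) is not surfaced unless `powershell_exec!` also inspects `$LASTEXITCODE`, and `converge_if_changed` then records the policy as applied without it having changed. Because `Remove-Item $env:TEMP\\#{security_option}_Export.inf -force` is the last statement of the script, any earlier failure also leaves the exported local security policy sitting in TEMP under a predictable name; wrapping the script body in `try { … } finally { Remove-Item $env:TEMP\\#{security_option}_Export.inf -force -ErrorAction SilentlyContinue }` and adding `if ($LASTEXITCODE -ne 0) { throw "secedit exited with $LASTEXITCODE" }` after each `secedit` call covers both. The enclosing `action :set` block begins in the first hunk.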