authorTim Smith <tsmith@chef.io>2020-07-02 12:46:05 -0700
committerGitHub <noreply@github.com>2020-07-02 12:46:05 -0700
commitfb8edc342a1556ff452d9943937dfe19c8e4ccc5 (patch)
tree29f5b623a892d7f415f3814db2942c6444e35cb6
parentdcbe0c887b7255b6b03a1fd6f2e933f07d98e0ad (diff)
parentf61ddcef61d79f9558836f69243d4cb975d89dc3 (diff)
downloadchef-fb8edc342a1556ff452d9943937dfe19c8e4ccc5.tar.gz
Merge pull request #10064 from chef-davin/windows_security_policy
Update windows_security_policy for better idempotency
-rw-r--r--lib/chef/resource/windows_security_policy.rb69
1 files changed, 49 insertions, 20 deletions
diff --git a/lib/chef/resource/windows_security_policy.rb b/lib/chef/resource/windows_security_policy.rb
index 4fd38807de..434e21141c 100644
--- a/lib/chef/resource/windows_security_policy.rb
+++ b/lib/chef/resource/windows_security_policy.rb
@@ -80,13 +80,55 @@ class Chef
property :secvalue, String, required: true,
description: "Policy value to be set for policy name."
+ load_current_value do |desired|
+ output = powershell_exec(<<-CODE).result
+ C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\secopts_export.inf | Out-Null
+ # cspell:disable-next-line
+ $security_options_data = (Get-Content $env:TEMP\\secopts_export.inf | Select-String -Pattern "^[CEFLMNPR].* =.*$" | Out-String)
+ Remove-Item $env:TEMP\\secopts_export.inf -force
+ $security_options_hash = ($security_options_data -Replace '"'| ConvertFrom-StringData)
+ ([PSCustomObject]@{
+ RequireLogonToChangePassword = $security_options_hash.RequireLogonToChangePassword
+ PasswordComplexity = $security_options_hash.PasswordComplexity
+ LSAAnonymousNameLookup = $security_options_hash.LSAAnonymousNameLookup
+ EnableAdminAccount = $security_options_hash.EnableAdminAccount
+ PasswordHistorySize = $security_options_hash.PasswordHistorySize
+ MinimumPasswordLength = $security_options_hash.MinimumPasswordLength
+ ResetLockoutCount = $security_options_hash.ResetLockoutCount
+ MaximumPasswordAge = $security_options_hash.MaximumPasswordAge
+ ClearTextPassword = $security_options_hash.ClearTextPassword
+ NewAdministratorName = $security_options_hash.NewAdministratorName
+ LockoutDuration = $security_options_hash.LockoutDuration
+ EnableGuestAccount = $security_options_hash.EnableGuestAccount
+ ForceLogoffWhenHourExpire = $security_options_hash.ForceLogoffWhenHourExpire
+ MinimumPasswordAge = $security_options_hash.MinimumPasswordAge
+ NewGuestName = $security_options_hash.NewGuestName
+ LockoutBadCount = $security_options_hash.LockoutBadCount
+ }) | ConvertTo-Json
+ CODE
+
+ current_value_does_not_exist! if output.empty?
+ state = Chef::JSONCompat.from_json(output)
+
+ if desired.secoption == "ResetLockoutCount" || desired.secoption == "LockoutDuration"
+ if state["LockoutBadCount"] == "0"
+ raise Chef::Exceptions::ValidationFailed.new "#{desired.secoption} cannot be set unless the \"LockoutBadCount\" security policy has been set to a non-zero value"
+ else
+ secvalue state[desired.secoption.to_s]
+ end
+ else
+ secvalue state[desired.secoption.to_s]
+ end
+ end
+
action :set do
- security_option = new_resource.secoption
- security_value = new_resource.secvalue
- powershell_script "#{security_option} set to #{security_value}" do
- convert_boolean_return true
- code <<-EOH
+ converge_if_changed :secvalue do
+ security_option = new_resource.secoption
+ security_value = new_resource.secvalue
+
+ cmd = <<-EOH
$security_option = "#{security_option}"
+ C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf
if ( ($security_option -match "NewGuestName") -Or ($security_option -match "NewAdministratorName") )
{
$#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace '#{security_option}\\s*=\\s*\\"\\w*\\"', '#{security_option} = "#{security_value}"' } | Set-Content $env:TEMP\\#{security_option}_Export.inf
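Review bot: The two `secvalue state[desired.secoption.to_s]` assignments at the end of the new `load_current_value` block pass nil through whenever the requested option is not one of the sixteen keys the PSCustomObject exposes, so a misspelled or unsupported `secoption` is indistinguishable from a loaded current value; unless `secoption` is constrained by a property definition outside this hunk, an explicit `current_value_does_not_exist!` on a missing key makes the load step honest. The two branches also repeat the same assignment, the LockoutBadCount check collapses into one guard, and `raise Chef::Exceptions::ValidationFailed, "…"` is the idiomatic form of the `.new` call on the raise line. Separately, `| Out-Null` on the secedit export line discards the export's outcome and `powershell_exec` without the bang does not raise, so an export failure (for example an unelevated run) only reaches `output.empty?` indirectly; checking the returned object's `error?` before reading `.result` would surface it. The enclosing class body starts and ends outside this hunk.
```ruby
    current_value_does_not_exist! if output.empty?
    state = Chef::JSONCompat.from_json(output)
    option = desired.secoption.to_s

    if %w[ResetLockoutCount LockoutDuration].include?(option) && state["LockoutBadCount"] == "0"
      raise Chef::Exceptions::ValidationFailed, "#{option} cannot be set unless the \"LockoutBadCount\" security policy has been set to a non-zero value"
    end

    # An option the export did not cover has no current value to compare against.
    current_value_does_not_exist! unless state.key?(option)
    secvalue state[option]
```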
@@ -99,21 +141,8 @@ class Chef
}
Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
EOH
- not_if <<-EOH
- $#{security_option}_Export = C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf
- $ExportAudit = (Get-Content $env:TEMP\\#{security_option}_Export.inf | Select-String -Pattern #{security_option})
- $check_digit = $ExportAudit -match '#{security_option} = #{security_value}'
- $check_string = $ExportAudit -match '#{security_option} = "#{security_value}"'
- if ( $check_string -Or $check_digit )
- {
- Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
- $true
- }
- else
- {
- $false
- }
- EOH
+
+ powershell_exec!(cmd)
end
end
end
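Review bot: `powershell_exec!(cmd)` now runs a script whose export path (the added secedit line) and `-replace` arguments (the `Foreach-Object` context line) are built by plain string interpolation of `security_option` and `security_value` with no quoting, and the textual `not_if` guard that used to short-circuit the run is gone. Both values are set by the recipe author rather than taken from external input, so this is a robustness point rather than a trust-boundary one: a `'` in either value ends the single-quoted PowerShell string, and a `$` or regex metacharacter changes what `-replace` matches or substitutes, surfacing as a raised exec error or an unintended line in the INF. A one-line check before the heredoc, `raise Chef::Exceptions::ValidationFailed, "secvalue must not contain quote, dollar or backslash characters" if security_value.match?(%r{["'$\\]})`, keeps the values inside what the INF format accepts; the same could be expressed as a validation on the `secvalue` property, whose definition sits in the earlier hunk. The numeric branch of the script between the two hunks is not visible here.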