diff options
author | Davin Taddeo <davin@chef.io> | 2020-06-24 23:00:35 -0400 |
---|---|---|
committer | Davin Taddeo <davin@chef.io> | 2020-06-24 23:00:35 -0400 |
commit | a24f5cbfa094bcdde128575bfa9c836ca1a52799 (patch) | |
tree | 7f3ff548600de1a2c5a5fb4b83223fba8fe64f7f | |
parent | 696ecf12ff818f86c1d0853b407c0dd6cac9bc9f (diff) | |
download | chef-a24f5cbfa094bcdde128575bfa9c836ca1a52799.tar.gz |
update windows_security_policy for better idempotency, cleaner log output, and maybe faster execution.
Signed-off-by: Davin Taddeo <davin@chef.io>
-rw-r--r-- | lib/chef/resource/windows_security_policy.rb | 66 |
1 files changed, 47 insertions, 19 deletions
diff --git a/lib/chef/resource/windows_security_policy.rb b/lib/chef/resource/windows_security_policy.rb index 4fd38807de..13db56a0c6 100644 --- a/lib/chef/resource/windows_security_policy.rb +++ b/lib/chef/resource/windows_security_policy.rb @@ -80,13 +80,25 @@ class Chef property :secvalue, String, required: true, description: "Policy value to be set for policy name." + load_current_value do |desired| + secopt_values = load_secopts_state + output = powershell_out(secopt_values) + if output.stdout.empty? + current_value_does_not_exist! + else + state = Chef::JSONCompat.from_json(output.stdout) + end + secvalue state[desired.secoption.to_s] + end + action :set do - security_option = new_resource.secoption - security_value = new_resource.secvalue - powershell_script "#{security_option} set to #{security_value}" do - convert_boolean_return true - code <<-EOH + converge_if_changed :secvalue do + security_option = new_resource.secoption + security_value = new_resource.secvalue + + cmd = <<-EOH $security_option = "#{security_option}" + C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf if ( ($security_option -match "NewGuestName") -Or ($security_option -match "NewAdministratorName") ) { $#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace '#{security_option}\\s*=\\s*\\"\\w*\\"', '#{security_option} = "#{security_value}"' } | Set-Content $env:TEMP\\#{security_option}_Export.inf @@ -99,20 +111,36 @@ class Chef } Remove-Item $env:TEMP\\#{security_option}_Export.inf -force EOH - not_if <<-EOH - $#{security_option}_Export = C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf - $ExportAudit = (Get-Content $env:TEMP\\#{security_option}_Export.inf | Select-String -Pattern #{security_option}) - $check_digit = $ExportAudit -match '#{security_option} = #{security_value}' - $check_string = $ExportAudit -match '#{security_option} = "#{security_value}"' - if ( $check_string -Or $check_digit ) - { - Remove-Item $env:TEMP\\#{security_option}_Export.inf -force - $true - } - else - { - $false - } + + powershell_exec!(cmd) + end + end + + action_class do + def load_secopts_state + <<-EOH + C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\secopts_export.inf | Out-Null + $secopts_data = (Get-Content $env:TEMP\\secopts_export.inf | Select-String -Pattern "^[CEFLMNPR].* =.*$" | Out-String) + Remove-Item $env:TEMP\\secopts_export.inf -force + $secopts_hash = ($secopts_data -Replace '"'| ConvertFrom-StringData) + ([PSCustomObject]@{ + RequireLogonToChangePassword = $secopts_hash.RequireLogonToChangePassword + PasswordComplexity = $secopts_hash.PasswordComplexity + LSAAnonymousNameLookup = $secopts_hash.LSAAnonymousNameLookup + EnableAdminAccount = $secopts_hash.EnableAdminAccount + PasswordHistorySize = $secopts_hash.PasswordHistorySize + MinimumPasswordLength = $secopts_hash.MinimumPasswordLength + ResetLockoutCount = $secopts_hash.ResetLockoutCount + MaximumPasswordAge = $secopts_hash.MaximumPasswordAge + ClearTextPassword = $secopts_hash.ClearTextPassword + NewAdministratorName = $secopts_hash.NewAdministratorName + LockoutDuration = $secopts_hash.LockoutDuration + EnableGuestAccount = $secopts_hash.EnableGuestAccount + ForceLogoffWhenHourExpire = $secopts_hash.ForceLogoffWhenHourExpire + MinimumPasswordAge = $secopts_hash.MinimumPasswordAge + NewGuestName = $secopts_hash.NewGuestName + LockoutBadCount = $secopts_hash.LockoutBadCount + }) | ConvertTo-Json EOH end end |