Addressing a couple things:

- failing functionality tests (load_current_value wasn't pulling in the method from the action_class)
- Creating a failure condition if users try to update LockoutDuration or RresetlockoutCount when LockoutBadCount is set to 0 (must be non-zero to have the other two options configurable).
- Moving from powershell_out() to powershell_exec()

Signed-off-by: Davin Taddeo <davin@chef.io>

1 files changed, 35 insertions, 34 deletions

diff --git a/lib/chef/resource/windows_security_policy.rb b/lib/chef/resource/windows_security_policy.rb
index 34f7bd0021..5520a86e3f 100644
--- a/lib/chef/resource/windows_security_policy.rb
+++ b/lib/chef/resource/windows_security_policy.rb
@@ -81,12 +81,43 @@ class Chef
       description: "Policy value to be set for policy name."
 
       load_current_value do |desired|
-        security_option_values = load_security_options_state
-        output = powershell_out(security_option_values).stdout.strip
-        current_value_does_not_exist! if output.empty?
+        output = powershell_exec(<<-CODE).result
+          C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\secopts_export.inf | Out-Null
+          $secopts_data = (Get-Content $env:TEMP\\secopts_export.inf | Select-String -Pattern "^[CEFLMNPR].* =.*$" | Out-String)
+          Remove-Item $env:TEMP\\secopts_export.inf -force
+          $secopts_hash = ($secopts_data -Replace '"'| ConvertFrom-StringData)
+          ([PSCustomObject]@{
+            RequireLogonToChangePassword = $secopts_hash.RequireLogonToChangePassword
+            PasswordComplexity = $secopts_hash.PasswordComplexity
+            LSAAnonymousNameLookup = $secopts_hash.LSAAnonymousNameLookup
+            EnableAdminAccount = $secopts_hash.EnableAdminAccount
+            PasswordHistorySize = $secopts_hash.PasswordHistorySize
+            MinimumPasswordLength = $secopts_hash.MinimumPasswordLength
+            ResetLockoutCount = $secopts_hash.ResetLockoutCount
+            MaximumPasswordAge = $secopts_hash.MaximumPasswordAge
+            ClearTextPassword = $secopts_hash.ClearTextPassword
+            NewAdministratorName = $secopts_hash.NewAdministratorName
+            LockoutDuration = $secopts_hash.LockoutDuration
+            EnableGuestAccount = $secopts_hash.EnableGuestAccount
+            ForceLogoffWhenHourExpire = $secopts_hash.ForceLogoffWhenHourExpire
+            MinimumPasswordAge = $secopts_hash.MinimumPasswordAge
+            NewGuestName = $secopts_hash.NewGuestName
+            LockoutBadCount = $secopts_hash.LockoutBadCount
+          }) | ConvertTo-Json
+        CODE
 
+        current_value_does_not_exist! if output.empty?
         state = Chef::JSONCompat.from_json(output)
-        secvalue state[desired.secoption.to_s]
+
+        if desired.secoption == "ResetLockoutCount" || desired.secoption == "LockoutDuration"
+          if state["LockoutBadCount"] == "0"
+            raise Chef::Exceptions::ValidationFailed.new "#{desired.secoption} cannot be set unless the \"LockoutBadCount\" security policy has been set to a non-zero value"
+          else
+            secvalue state[desired.secoption.to_s]
+          end
+        else
+          secvalue state[desired.secoption.to_s]
+        end
       end
 
       action :set do
@@ -113,36 +144,6 @@ class Chef
           powershell_exec!(cmd)
         end
       end
-
-      action_class do
-        def load_security_options_state
-          <<-EOH
-            C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\security_options_export.inf | Out-Null
-            # cspell:disable-next-line
-            $security_options_data = (Get-Content $env:TEMP\\security_options_export.inf | Select-String -Pattern "^[CEFLMNPR].* =.*$" | Out-String)
-            Remove-Item $env:TEMP\\security_options_export.inf -force
-            $security_options_hash = ($security_options_data -Replace '"'| ConvertFrom-StringData)
-            ([PSCustomObject]@{
-              RequireLogonToChangePassword = $security_options_hash.RequireLogonToChangePassword
-              PasswordComplexity = $security_options_hash.PasswordComplexity
-              LSAAnonymousNameLookup = $security_options_hash.LSAAnonymousNameLookup
-              EnableAdminAccount = $security_options_hash.EnableAdminAccount
-              PasswordHistorySize = $security_options_hash.PasswordHistorySize
-              MinimumPasswordLength = $security_options_hash.MinimumPasswordLength
-              ResetLockoutCount = $security_options_hash.ResetLockoutCount
-              MaximumPasswordAge = $security_options_hash.MaximumPasswordAge
-              ClearTextPassword = $security_options_hash.ClearTextPassword
-              NewAdministratorName = $security_options_hash.NewAdministratorName
-              LockoutDuration = $security_options_hash.LockoutDuration
-              EnableGuestAccount = $security_options_hash.EnableGuestAccount
-              ForceLogoffWhenHourExpire = $security_options_hash.ForceLogoffWhenHourExpire
-              MinimumPasswordAge = $security_options_hash.MinimumPasswordAge
-              NewGuestName = $security_options_hash.NewGuestName
-              LockoutBadCount = $security_options_hash.LockoutBadCount
-            }) | ConvertTo-Json
-          EOH
-        end
-      end
     end
   end
 end