author | Tim Smith <tsmith@chef.io> | 2020-12-28 12:30:24 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-12-28 12:30:24 -0800 |
commit | 1aa1cce0cb3418d233bc587ff41575b02e1d8adb (patch) | |
tree | 29960382a81b9606a3cd4ff04d35350077521bfe | |
parent | 7fb52bfc0b8a2aff085fb2d89c9f9feff2561a27 (diff) | |
parent | 08c48b5a691fd6374abe8e3dc482c09a001fec68 (diff) | |
Merge pull request #10699 from chef-davin/windows_security_policy
Refactor the code for windows_security_policy resource
-rw-r--r-- | kitchen-tests/cookbooks/end_to_end/recipes/windows.rb | 22 | ||||
-rw-r--r-- | lib/chef/resource/windows_security_policy.rb | 91 |
2 files changed, 73 insertions, 40 deletions
diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
index 58ccec9b26..46176901dd 100644
--- a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
+++ b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
@@ -27,9 +27,29 @@ timezone "Pacific Standard time"
 include_recipe "ntp"
+windows_security_policy "NewGuestName" do
+ secvalue "down_with_guests"
+ action :set
+end
+
 windows_security_policy "EnableGuestAccount" do
- secoption "EnableGuestAccount"
 secvalue "1"
+ action :set
+end
+
+windows_security_policy "LockoutBadCount" do
+ secvalue "15"
+ action :set
+end
+
+windows_security_policy "LockoutDuration" do
+ secvalue "30"
+ action :set
+end
+
+windows_security_policy "ResetLockoutCount" do
+ secvalue "15"
+ action :set
 end
 windows_firewall_profile "Domain" do
diff --git a/lib/chef/resource/windows_security_policy.rb b/lib/chef/resource/windows_security_policy.rb
index 1b0a285197..78d56e2e46 100644
--- a/lib/chef/resource/windows_security_policy.rb
+++ b/lib/chef/resource/windows_security_policy.rb
@@ -17,6 +17,7 @@
 # limitations under the License.
 require_relative "../resource"
+require "tempfile" unless defined?(Tempfile)
 class Chef
 class Resource
@@ -43,7 +44,7 @@ class Chef
 LSAAnonymousNameLookup
 EnableAdminAccount
 EnableGuestAccount
- }
+ }
 description "Use the **windows_security_policy** resource to set a security policy on the Microsoft Windows platform."
 introduced "16.0"
@@ -83,6 +84,55 @@ class Chef
 description: "Policy value to be set for policy name."
 load_current_value do |desired|
+ current_state = load_security_options
+
+ if desired.secoption == "ResetLockoutCount"
+ if desired.secvalue.to_i > 30
+ raise Chef::Exceptions::ValidationFailed, "The \"ResetLockoutCount\" value cannot be greater than 30 minutes"
+ end
+ end
+ if (desired.secoption == "ResetLockoutCount" || desired.secoption == "LockoutDuration") && current_state["LockoutBadCount"] == "0"
+ raise Chef::Exceptions::ValidationFailed, "#{desired.secoption} cannot be set unless the \"LockoutBadCount\" security policy has been set to a non-zero value"
+ end
+
+ secvalue current_state[desired.secoption.to_s]
+ end
+
+ action :set do
+ converge_if_changed :secvalue do
+ security_option = new_resource.secoption
+ security_value = new_resource.secvalue
+
+ file = Tempfile.new(["#{security_option}", ".inf"])
+ case security_option
+ when "LockoutBadCount"
+ cmd = "net accounts /LockoutThreshold:#{security_value}"
+ when "ResetLockoutCount"
+ cmd = "net accounts /LockoutWindow:#{security_value}"
+ when "LockoutDuration"
+ cmd = "net accounts /LockoutDuration:#{security_value}"
+ when "NewAdministratorName", "NewGuestName"
+ policy_line = "#{security_option} = \"#{security_value}\""
+ file.write("[Unicode]\r\nUnicode=yes\r\n[System Access]\r\n#{policy_line}\r\n[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n")
+ file.close
+ file_path = file.path.gsub("/", '\\')
+ cmd = "C:\\Windows\\System32\\secedit /configure /db C:\\windows\\security\\new.sdb /cfg #{file_path} /areas SECURITYPOLICY"
+ else
+ policy_line = "#{security_option} = #{security_value}"
+ file.write("[Unicode]\r\nUnicode=yes\r\n[System Access]\r\n#{policy_line}\r\n[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n")
+ file.close
+ file_path = file.path.gsub("/", '\\')
+ cmd = "C:\\Windows\\System32\\secedit /configure /db C:\\windows\\security\\new.sdb /cfg #{file_path} /areas SECURITYPOLICY"
+ end
+ shell_out!(cmd)
+ file.unlink
+ end
+ end
+
+ private
+
+ # Loads powershell to get current state on security options
+ def load_security_options
 powershell_code = <<-CODE
 C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\secopts_export.inf | Out-Null
 # cspell:disable-next-line
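Review bot: In `action :set` the three `net accounts` branches interpolate `security_value` straight into the command string passed to `shell_out!`, and the only check upstream of it is `desired.secvalue.to_i > 30` in `load_current_value`, which silently maps any non-numeric string to 0 and lets it through. A strict check beside that one closes both gaps: `if %w{LockoutBadCount ResetLockoutCount LockoutDuration}.include?(desired.secoption) && !desired.secvalue.to_s.match?(/\A\d+\z/)` / `raise Chef::Exceptions::ValidationFailed, "#{desired.secoption} must be a non-negative integer"` / `end`. Separately, `Tempfile.new` runs on every branch but the file is only written and closed in the `secedit` ones, so for the `net accounts` options `file.unlink` is called on a still-open handle, which on Windows presumably leaves the empty .inf behind in TEMP; creating the Tempfile only inside the branches that write it avoids that. The two `secedit` branches differ only in whether `policy_line` quotes the value, so computing `policy_line` in the `case` and sharing the write/close/`cmd` lines after it removes the duplication. `def load_security_options` starts at the end of this hunk and continues past it.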
@@ -108,44 +158,7 @@ class Chef
 LockoutBadCount = $security_options_hash.LockoutBadCount
 })
 CODE
- output = powershell_exec(powershell_code)
- current_value_does_not_exist! if output.result.empty?
- state = output.result
-
- if desired.secoption == "ResetLockoutCount" || desired.secoption == "LockoutDuration"
- if state["LockoutBadCount"] == "0"
- raise Chef::Exceptions::ValidationFailed.new "#{desired.secoption} cannot be set unless the \"LockoutBadCount\" security policy has been set to a non-zero value"
- else
- secvalue state[desired.secoption.to_s]
- end
- else
- secvalue state[desired.secoption.to_s]
- end
- end
-
- action :set do
- converge_if_changed :secvalue do
- security_option = new_resource.secoption
- security_value = new_resource.secvalue
-
- cmd = <<-EOH
- $security_option = "#{security_option}"
- C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf
- if ( ($security_option -match "NewGuestName") -Or ($security_option -match "NewAdministratorName") )
- {
- $#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace '#{security_option}\\s*=\\s*\\"\\w*\\"', '#{security_option} = "#{security_value}"' } | Set-Content $env:TEMP\\#{security_option}_Export.inf
- C:\\Windows\\System32\\secedit /configure /db $env:windir\\security\\new.sdb /cfg $env:TEMP\\#{security_option}_Export.inf /areas SECURITYPOLICY
- }
- else
- {
- $#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace "#{security_option}\\s*=\\s*\\d*", "#{security_option} = #{security_value}" } | Set-Content $env:TEMP\\#{security_option}_Export.inf
- C:\\Windows\\System32\\secedit /configure /db $env:windir\\security\\new.sdb /cfg $env:TEMP\\#{security_option}_Export.inf /areas SECURITYPOLICY
- }
- Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
- EOH
-
- powershell_exec!(cmd)
- end
+ powershell_exec(powershell_code).result
 end
 end
end |
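Review bot: The `current_value_does_not_exist! if output.result.empty?` guard from the removed code is not carried over: `load_security_options` now returns `powershell_exec(powershell_code).result` unchecked, and its caller in the earlier hunk indexes that value with `current_state["LockoutBadCount"]` and `current_state[desired.secoption.to_s]`, so an empty export would presumably end in `secvalue nil` and a spurious converge instead of the resource reporting that no current value exists. Restoring the guard inside the helper keeps the old contract: `output = powershell_exec(powershell_code)` / `current_value_does_not_exist! if output.result.empty?` / `output.result`. The signature of `load_security_options` is in the previous hunk, so the method is only partly visible here.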