#
# Author:: John Snow (<jsnow@chef.io>)
# Copyright:: 2016-2018, John Snow
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require_relative "../resource"
require "chef-utils/dist" unless defined?(ChefUtils::Dist)
class Chef
class Resource
class WindowsAdJoin < Chef::Resource
provides :windows_ad_join
unified_mode true
description "Use the **windows_ad_join** resource to join a Windows Active Directory domain."
introduced "14.0"
examples <<~DOC
**Join a domain**
```ruby
windows_ad_join 'ad.example.org' do
domain_user 'nick'
domain_password 'p@ssw0rd1'
end
```
**Join a domain, as `win-workstation`**
```ruby
windows_ad_join 'ad.example.org' do
domain_user 'nick'
domain_password 'p@ssw0rd1'
new_hostname 'win-workstation'
end
```
**Leave the current domain and re-join the `local` workgroup**
```ruby
windows_ad_join 'Leave domain' do
action :leave
workgroup 'local'
end
```
DOC
property :domain_name, String,
description: "An optional property to set the FQDN of the Active Directory domain to join if it differs from the resource block's name.",
validation_message: "The 'domain_name' property must be a FQDN.",
regex: /.\../, # anything.anything
name_property: true
property :domain_user, String,
description: "The domain user that will be used to join the domain.",
required: true
property :domain_password, String,
description: "The password for the domain user. Note that this resource is set to hide sensitive information by default. ",
required: true
property :ou_path, String,
description: "The path to the Organizational Unit where the host will be placed."
property :reboot, Symbol,
equal_to: %i{immediate delayed never request_reboot reboot_now},
validation_message: "The reboot property accepts :immediate (reboot as soon as the resource completes), :delayed (reboot once the #{ChefUtils::Dist::Infra::PRODUCT} run completes), and :never (Don't reboot)",
description: "Controls the system reboot behavior post domain joining. Reboot immediately, after the #{ChefUtils::Dist::Infra::PRODUCT} run completes, or never. Note that a reboot is necessary for changes to take effect.",
default: :immediate
property :reboot_delay, Integer,
description: "The amount of time (in minutes) to delay a reboot request.",
default: 0,
introduced: "16.5"
property :new_hostname, String,
description: "Specifies a new hostname for the computer in the new domain.",
introduced: "14.5"
property :workgroup_name, String,
description: "Specifies the name of a workgroup to which the computer is added to when it is removed from the domain. The default value is WORKGROUP. This property is only applicable to the :leave action.",
introduced: "15.4"
# define this again so we can default it to true. Otherwise failures print the password
property :sensitive, [TrueClass, FalseClass],
default: true, desired_state: false
action :join do
description "Join the Active Directory domain."
unless on_desired_domain?
cmd = "$pswd = ConvertTo-SecureString \'#{new_resource.domain_password}\' -AsPlainText -Force;"
cmd << "$credential = New-Object System.Management.Automation.PSCredential (\"#{sanitize_usename}\",$pswd);"
cmd << "Add-Computer -DomainName #{new_resource.domain_name} -Credential $credential"
cmd << " -OUPath \"#{new_resource.ou_path}\"" if new_resource.ou_path
cmd << " -NewName \"#{new_resource.new_hostname}\"" if new_resource.new_hostname
cmd << " -Force"
converge_by("join Active Directory domain #{new_resource.domain_name}") do
ps_run = powershell_out(cmd)
if ps_run.error?
if sensitive?
raise "Failed to join the domain #{new_resource.domain_name}: *suppressed sensitive resource output*"
else
raise "Failed to join the domain #{new_resource.domain_name}: #{ps_run.stderr}"
end
end
unless new_resource.reboot == :never
reboot "Reboot to join domain #{new_resource.domain_name}" do
action clarify_reboot(new_resource.reboot)
delay_mins new_resource.reboot_delay
reason "Reboot to join domain #{new_resource.domain_name}"
end
end
end
end
end
action :leave do
description "Leave the Active Directory domain."
if joined_to_domain?
cmd = ""
cmd << "$pswd = ConvertTo-SecureString \'#{new_resource.domain_password}\' -AsPlainText -Force;"
cmd << "$credential = New-Object System.Management.Automation.PSCredential (\"#{sanitize_usename}\",$pswd);"
cmd << "Remove-Computer"
cmd << " -UnjoinDomainCredential $credential"
cmd << " -NewName \"#{new_resource.new_hostname}\"" if new_resource.new_hostname
cmd << " -WorkgroupName \"#{new_resource.workgroup_name}\"" if new_resource.workgroup_name
cmd << " -Force"
converge_by("leave Active Directory domain #{node_domain}") do
ps_run = powershell_out(cmd)
if ps_run.error?
if sensitive?
raise "Failed to leave the domain #{node_domain}: *suppressed sensitive resource output*"
else
raise "Failed to leave the domain #{node_domain}: #{ps_run.stderr}"
end
end
unless new_resource.reboot == :never
reboot "Reboot to leave domain #{new_resource.domain_name}" do
action clarify_reboot(new_resource.reboot)
delay_mins new_resource.reboot_delay
reason "Reboot to leave domain #{new_resource.domain_name}"
end
end
end
end
end
action_class do
#
# @return [String] The domain name the node is joined to. When the node
# is not joined to a domain this will return the name of the
# workgroup the node is a member of.
#
def node_domain
node_domain = powershell_out!("(Get-WmiObject Win32_ComputerSystem).Domain")
raise "Failed to check if the system is joined to the domain #{new_resource.domain_name}: #{node_domain.stderr}}" if node_domain.error?
node_domain.stdout.downcase.strip
end
#
# @return [String] The workgroup the node is a member of. This will
# return an empty string if the system is not a member of a
# workgroup.
#
def node_workgroup
node_workgroup = powershell_out!("(Get-WmiObject Win32_ComputerSystem).Workgroup")
raise "Failed to check if the system is currently a member of a workgroup" if node_workgroup.error?
node_workgroup.stdout.downcase.strip
end
#
# @return [true, false] Whether or not the node is joined to ANY domain
#
def joined_to_domain?
node_workgroup.empty? && !node_domain.empty?
end
#
# @return [true, false] Whether or not the node is joined to the domain
# defined by the resource :domain_name property.
#
def on_desired_domain?
node_domain == new_resource.domain_name.downcase
end
#
# @return [String] the correct user and domain to use.
# if the domain_user property contains an @ symbol followed by any number of non white space characters
# then we assume it is a user from another domain than the one specified in the resource domain_name property.
# if this is the case we do not append the domain_name property to the domain_user property
# the domain_user and domain_name form the UPN (userPrincipalName)
# The specification for the UPN format is RFC 822
# links: https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#userprincipalname https://tools.ietf.org/html/rfc822
# regex: https://rubular.com/r/isAWojpTMKzlnp
def sanitize_usename
if /@/.match?(new_resource.domain_user)
new_resource.domain_user
else
"#{new_resource.domain_user}@#{new_resource.domain_name}"
end
end
# This resource historically took `:immediate` and `:delayed` as arguments to the reboot property but then
# tried to shove that straight to the `reboot` resource which objected strenuously
def clarify_reboot(reboot_action)
case reboot_action
when :immediate
:reboot_now
when :delayed
:request_reboot
else
reboot_action
end
end
def sensitive?
!!new_resource.sensitive
end
end
end
end
end