Update exception.pp

[ola-pt]

To handle continual enforcement of certain attributes

Pull Request (PR) description

The following attributes will get enforced. If the puppet resource using the class doesn't exist it will have the rule added. If the rule exists then the following attributes will get checked(if they don't exist then the rule will get removed):

• local port
• remote port
• protocol
• description
• & Remote IP (if the attribute isn't undefined)

This Pull Request (PR) fixes the following issues

Partially fixes the following issues:

• Puppet Modules should enforce a desired state #71
  Fixes:
• Removing rule with program set fails #117
• Use of any protocol in rule description #123
• Missing 'state' check of existing firewall rule. #23
• Change already created rules/exceptions #49

[ola-pt]

The static linter fails due to Powershell variables used within the various attribute checks

[ola-pt]

Feel free to handle that as you will; maybe an ignore comment for the linter?

[bellegarde-c]

Not a voxpupuli dev but this may help for a merge request:

• A better commit message
• Only one commit

[wolfaba]

If I understand this PR, if the code compares the values in current rule, and if the values are different from defined, then it deletes the rule and lets to create new rule with correct values.
Wouldn't it be better to read current values and generate update command?

The command netsh.exe advfirewall firewall show rule name="RULENAME" verbose can be used to read current values.

The command netsh.exe advfirewall firewall set rule name="RULENAME" new NEW-PARAMETERS can be used to update the values.

This patch uses powershell commands to get and delete firewall rules. Original code uses netsh.exe. Maybe it would be good to use only one tool to work with firewall.

I wanted to create new code for the rule update, but ...

#. I had to run netsh.exe advfirewall firewall show rule to read current values, but it outputs a table and then I had to parse these lines, which I am not sure, how to do it in puppet code (is it possible at all?). The keycloak module reads the current values using cli wrapper, but then the configuration is defined as types and this code is written in ruby in lib/puppet/type.

#. I think the checks/tests in spec/defines/windows_firewall/exception_spec.rb cannot then run correctly, because it should read current values from Windows firewall using netsh.exe, which is neither on github, nor on my linux host, nor in Docker.

netsh.exe advfirewall firewall show rule name=...

Rule Name:                            OpenSSH SSH Server (sshd)
----------------------------------------------------------------------
Description:                          Inbound rule for OpenSSH SSH Server (sshd)
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
Grouping:                             OpenSSH Server
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            22
RemotePort:                           Any
Edge traversal:                       No
Program:                              C:\WINDOWS\system32\OpenSSH\sshd.exe
InterfaceTypes:                       Any
Security:                             NotRequired
Rule source:                          Local Setting
Action:                               Allow
Ok.

[wolfaba]

I see now, there is already some code in lib. The rule updating could be possible with the type.