Implemented profile selection

REFERENCE.md

@@ -18,7 +18,7 @@
 
 ### Data types
 
-* [`Windows_firewall::Port`](#Windows_firewall--Port)
+* [`Windows_firewall::Port`](#Windows_firewall--Port): The Windows_firewall::Port data type.
 
 ## Classes
 
@@ -118,6 +118,12 @@ Provides information about the firewall rule.
 [*allow_edge_traversal*]
 Specifies that the traffic for this exception traverses an edge device
 
+[*program*]
+Specifies that network packets with a specified program match this rule.
+
+[*profile*]
+Specifies that this exception applies only to the selected network profile(s)
+
 === Examples
 
  Exception for protocol/port:
@@ -132,6 +138,7 @@ Specifies that the traffic for this exception traverses an edge device
     remote_port  => 'any',
     remote_ip    => '10.0.0.1,10.0.0.2'
     program      => undef,
+    profile      => 'public'
     display_name => 'Windows Remote Management HTTP-In',
     description  => 'Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]',
   }
@@ -157,13 +164,14 @@ The following parameters are available in the `windows_firewall::exception` defi
 * [`action`](#-windows_firewall--exception--action)
 * [`enabled`](#-windows_firewall--exception--enabled)
 * [`protocol`](#-windows_firewall--exception--protocol)
+* [`remote_ip`](#-windows_firewall--exception--remote_ip)
 * [`local_port`](#-windows_firewall--exception--local_port)
 * [`remote_port`](#-windows_firewall--exception--remote_port)
-* [`remote_ip`](#-windows_firewall--exception--remote_ip)
-* [`program`](#-windows_firewall--exception--program)
 * [`display_name`](#-windows_firewall--exception--display_name)
 * [`description`](#-windows_firewall--exception--description)
 * [`allow_edge_traversal`](#-windows_firewall--exception--allow_edge_traversal)
+* [`program`](#-windows_firewall--exception--program)
+* [`profile`](#-windows_firewall--exception--profile)
 
 ##### <a name="-windows_firewall--exception--ensure"></a>`ensure`
 
@@ -205,33 +213,25 @@ Data type: `Optional[Enum['TCP', 'UDP', 'ICMPv4', 'ICMPv6']]`
 
 Default value: `undef`
 
-##### <a name="-windows_firewall--exception--local_port"></a>`local_port`
+##### <a name="-windows_firewall--exception--remote_ip"></a>`remote_ip`
 
-Data type: `Windows_firewall::Port`
+Data type: `Optional[String]`
 
 
 
 Default value: `undef`
 
-##### <a name="-windows_firewall--exception--remote_port"></a>`remote_port`
+##### <a name="-windows_firewall--exception--local_port"></a>`local_port`
 
 Data type: `Windows_firewall::Port`
 
 
 
 Default value: `undef`
 
-##### <a name="-windows_firewall--exception--remote_ip"></a>`remote_ip`
-
-Data type: `Optional[String]`
-
-
-
-Default value: `undef`
-
-##### <a name="-windows_firewall--exception--program"></a>`program`
+##### <a name="-windows_firewall--exception--remote_port"></a>`remote_port`
 
-Data type: `Optional[Stdlib::Windowspath]`
+Data type: `Windows_firewall::Port`
 
 
 
@@ -261,6 +261,22 @@ Data type: `Boolean`
 
 Default value: `false`
 
+##### <a name="-windows_firewall--exception--program"></a>`program`
+
+Data type: `Optional[Stdlib::Windowspath]`
+
+
+
+Default value: `undef`
+
+##### <a name="-windows_firewall--exception--profile"></a>`profile`
+
+Data type: `Optional[Variant[Enum['public', 'private', 'domain'], Array[Enum['public', 'private', 'domain']]]]`
+
+
+
+Default value: `undef`
+
 ## Resource types
 
 ### <a name="windowsfirewall"></a>`windowsfirewall`

manifests/exception.pp

@@ -13,39 +13,58 @@
 #
 # === Parameters
 #
+# @param ensure
 # [*ensure*]
 # Control the existence of a rule
 #
+# @param direction
 # [*direction*]
 # Specifies whether this rule matches inbound or outbound network traffic.
 #
+# @param action
 # [*action*]
 # Specifies what Windows Firewall with Advanced Security does to filter network packets that match the criteria specified in this rule.
 #
+# @param enabled
 # [*enabled*]
 # Specifies whether the rule is currently enabled.
 #
+# @param protocol
 # [*protocol*]
 # Specifies that network packets with a matching IP protocol match this rule.
 #
+# @param remote_ip
 # [*remote_ip*]
 # Specifies remote hosts that can use this rule.
 #
+# @param local_port
 # [*local_port*]
 # Specifies that network packets with matching local IP port numbers matched by this rule.
 #
+# @param remote_port
 # [*remote_port*]
 # Specifies that network packets with matching remote IP port numbers matched by this rule.
 #
+# @param display_name
 # [*display_name*]
 # Specifies the rule name assigned to the rule that you want to display. Defaults to the title of the resource.
 #
+# @param description
 # [*description*]
 # Provides information about the firewall rule.
 #
+# @param allow_edge_traversal
 # [*allow_edge_traversal*]
 # Specifies that the traffic for this exception traverses an edge device
 #
+# @param program
+# [*program*]
+# Specifies that network packets with a specified program match this rule.
+#
+# @param profile
+# [*profile*]
+# Specifies that this exception applies only to the selected network profile(s)
+#
 # === Examples
 #
 #  Exception for protocol/port:
@@ -60,6 +79,7 @@
 #     remote_port  => 'any',
 #     remote_ip    => '10.0.0.1,10.0.0.2'
 #     program      => undef,
+#     profile      => 'public'
 #     display_name => 'Windows Remote Management HTTP-In',
 #     description  => 'Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]',
 #   }
@@ -89,6 +109,7 @@
   String[0, 255] $display_name = $title,
   Optional[String[1, 255]] $description = undef,
   Boolean $allow_edge_traversal = false,
+  Optional[Variant[Enum['public', 'private', 'domain'], Array[Enum['public', 'private', 'domain']]]] $profile = undef,
 ) {
   # Check if we're allowing a program or port/protocol and validate accordingly
   if $program == undef {
@@ -126,6 +147,17 @@
     $allow_context = "program=\"${program}\""
   }
 
+  if $profile {
+    if $profile =~ Array {
+      $profile_list = join($profile,',')
+    } else {
+      $profile_list = $profile
+    }
+    $profile_param = " profile=\"${profile_list}\""
+  } else {
+    $profile_param = ''
+  }
+
   # Set command to check for existing rules
   $netsh_exe = "${facts['os']['windows']['system32']}\\netsh.exe"
   $check_rule_existance= "${netsh_exe} advfirewall firewall show rule name=\"${display_name}\""
@@ -156,7 +188,7 @@
   if $fw_action == 'delete' and $program == undef {
     $netsh_command = "${netsh_exe} advfirewall firewall ${fw_action} rule name=\"${display_name}\" ${fw_description} dir=${direction} ${allow_context} remoteip=\"${remote_ip}\""
   } else {
-    $netsh_command = "${netsh_exe} advfirewall firewall ${fw_action} rule name=\"${display_name}\" ${fw_description} dir=${direction} action=${action} enable=${mode} edge=${edge} ${allow_context} remoteip=\"${remote_ip}\""
+    $netsh_command = "${netsh_exe} advfirewall firewall ${fw_action} rule name=\"${display_name}\" ${fw_description} dir=${direction} action=${action} enable=${mode} edge=${edge} ${allow_context} remoteip=\"${remote_ip}\"${profile_param}"
   }
   #
   exec { "set rule ${display_name}":

manifests/init.pp

@@ -13,9 +13,11 @@
 #
 # === Parameters
 #
+# @param ensure
 # [*ensure*]
 # Control the state of the windows firewall application
 #
+# @param exceptions
 # [*exceptions*]
 # Hash of exceptions to be created.
 #

spec/defines/windows_firewall/exception_spec.rb

@@ -403,5 +403,85 @@
         )
       end
     end
+
+    context "profile private rule with OS: #{os}, ensure: present" do
+      let :facts do
+        {
+          os: {
+            windows: {
+              system32: 'C:\\windows\\system32'
+            }
+          }
+        }
+      end
+      let(:title) { 'Windows Remote Management' }
+      let :params do
+        {
+          ensure: 'present', direction: 'in', action: 'allow', enabled: true,
+          protocol: 'TCP', local_port: 5985, remote_port: 'any',
+          description: 'Inbound rule for WinRM', profile: 'private'
+        }
+      end
+
+      it do
+        is_expected.to contain_exec('set rule Windows Remote Management').with(
+          'command' => 'C:\\windows\\system32\\netsh.exe advfirewall firewall add rule name="Windows Remote Management" description="Inbound rule for WinRM" dir=in action=allow enable=yes edge=no protocol=TCP localport=5985 remoteport=any remoteip="" profile="private"',
+          'provider' => 'windows'
+        )
+      end
+    end
+
+    context "profile private,domain rule with OS: #{os}, ensure: present" do
+      let :facts do
+        {
+          os: {
+            windows: {
+              system32: 'C:\\windows\\system32'
+            }
+          }
+        }
+      end
+      let(:title) { 'Windows Remote Management' }
+      let :params do
+        {
+          ensure: 'present', direction: 'in', action: 'allow', enabled: true,
+          protocol: 'TCP', local_port: 5985, remote_port: 'any',
+          description: 'Inbound rule for WinRM', profile: %w[private domain]
+        }
+      end
+
+      it do
+        is_expected.to contain_exec('set rule Windows Remote Management').with(
+          'command' => 'C:\\windows\\system32\\netsh.exe advfirewall firewall add rule name="Windows Remote Management" description="Inbound rule for WinRM" dir=in action=allow enable=yes edge=no protocol=TCP localport=5985 remoteport=any remoteip="" profile="private,domain"',
+          'provider' => 'windows'
+        )
+      end
+    end
+
+    context "with invalid custom param: os => #{os}, profile => invalid" do
+      let :facts do
+        {
+          os: {
+            windows: {
+              system32: 'C:\\windows\\system32'
+            }
+          }
+        }
+      end
+      let(:title) { 'Windows Remote Management' }
+      let :params do
+        {
+          ensure: 'present', direction: 'in', action: 'allow', enabled: true,
+          protocol: 'TCP', local_port: 5985, remote_port: 'any',
+          profile: 'invalid'
+        }
+      end
+
+      it do
+        expect do
+          is_expected.to contain_exec('set rule Windows Remote Management')
+        end.to raise_error(Puppet::Error)
+      end
+    end
   end
 end

types/port.pp

@@ -1 +1,2 @@
+# @summary The Windows_firewall::Port data type.
 type Windows_firewall::Port = Optional[Variant[Stdlib::Port, Enum['any'], Pattern[/\A[1-9]{1}\Z|[1-9]{1}[0-9,-]*[0-9]{1}\Z/]]]