add support for CWS on Windows

[paulcacheux]

What does this PR do?

This PR adds support for CWS on Windows. It also slightly cleans up the system probe recipe and adds a rspec test for this new support.

Motivation

Windows agent builders use chef to install the agent, since we want to enable CWS there, we need this new support.

Additional Notes

Possible Drawbacks / Trade-offs

Describe how to test/QA your changes

Use:

datadog:
  security_agent:
    cws:
      enabled: true

and check that CWS is actually enabled (this requires a custom agent build until 7.52 is released)

Reviewer's Checklist

[derekwbrown]

Suggested change

	sysprobe_enabled = if is_windows
	cws_enabled = node['datadog']['security_agent']['cws']['enabled']
	npm_enabled = node['datadog']['system_probe']['network_enabled']
	usm_enabled = node['datadog']['system_probe']['service_monitoring_enabled']
	sysprobe_enabled = node['datadog']['system_probe']['enabled']
	sysprobe_enabled = sysprobe_enabled || cws_enabled || npm_enabled || usm_enabled

[derekwbrown]

my suggestion didn't work out as clearly as I'd hoped.
I'd replace the whole sysprobe_enabled = if is_windows... block

[paulcacheux]

I did something similar to what you suggested, I think it makes things easier anyway even if we still have a small if is_windows

[derekwbrown]

Windows has USM; so on windows system probe should be enabled if usm is enabled.

(this is also somewhat outside the scope of what you're doing, because it's clear the USM support for windows is lacking in the chef recipe). So, I'm fine either way. But there's no underlying reason for the conditional at all.

[paulcacheux]

Ah didn't know that, yeah the USM is checked here but not plugged anywhere after that. I will simplify further then

[chouetz]

If you enable cws on windows, why do you change the condition on cspm? Was it initially incorrect?

[paulcacheux]

I think the original code was wrong, CSPM does not support windows for now. So I'm moving the is windows check to only apply to the CSPM part

[chouetz]

This is probably not related to this PR, but why???

[paulcacheux]

I have no idea.. I'm just copying what has been done for system probe

[derekwbrown]

is the name of the service on linux datadog-security-agent or datadog-agent-security?
Right now, the name of the service (on windows) is datadog-security-agent. Since we haven't shipped, we can make it datadog-agent-security without breaking anything, and then it will match linux if that's desirable.

[chouetz]

If I believe line 76 in recipes/security-agent.rb in windows the name changes, correct?

Suggested change

	Chef::Resource::Service.new('datadog-agent-security', solo.run_context))
	Chef::Resource::Service.new('datadog-security-agent', solo.run_context))

[paulcacheux]

I think there is a difference between the "public name" of the service which changes on windows, and the name of the chef service which is common on both platforms

[derekwbrown]

Approved as is; but noted there are some options we might want to take since we haven't shipped anything yet.

[derekwbrown]

this is probably OK for now, and is probably how we do it for system-probe.yaml, too.
But the root config dir is configurable on windows.
So, c:\programdata... is the correct default. But in theory it could be changed. it's not clear if the chef recipe as a whole supports that.

[julien-lebot]

We don't support changing the PROJECTLOCATION nor the APPLICATIONDATADIRECTORY with Chef on Windows.

[derekwbrown]

thanks. that's even better.

[derekwbrown]

is the name of the service on linux datadog-security-agent or datadog-agent-security?
Right now, the name of the service (on windows) is datadog-security-agent. Since we haven't shipped, we can make it datadog-agent-security without breaking anything, and then it will match linux if that's desirable.