authorAdam Edwards <adamed@opscode.com>2015-10-11 07:53:02 -0700
committerAdam Edwards <adamed@opscode.com>2015-10-11 07:53:02 -0700
commit614abb345ab8656e1316b8b4c8dd2e85b480824a (patch)
tree84f6a931acccda69b153c002b43b951cf972c057
parentececa3438f122d25986fa34557694fa1e86527d2 (diff)
downloadchef-adamedx/windows-execute-user.tar.gz
Enable user identity for execute resourcesadamedx/windows-execute-user
-rw-r--r--lib/chef/mixin/shell_out.rb4
-rw-r--r--lib/chef/provider/execute.rb4
-rw-r--r--lib/chef/provider/powershell_script.rb8
-rw-r--r--lib/chef/provider/script.rb19
-rw-r--r--lib/chef/resource/execute.rb26
5 files changed, 58 insertions, 3 deletions
diff --git a/lib/chef/mixin/shell_out.rb b/lib/chef/mixin/shell_out.rb
index 529023056d..5685bb5b6d 100644
--- a/lib/chef/mixin/shell_out.rb
+++ b/lib/chef/mixin/shell_out.rb
@@ -90,10 +90,12 @@ class Chef
end
private
-
+require 'pry'
def shell_out_command(*command_args)
cmd = Mixlib::ShellOut.new(*run_command_compatible_options(command_args))
cmd.live_stream ||= io_for_live_stream
+ puts "COMMAND: #{cmd.command}"
+ # binding.pry if cmd.command.include?("chef-script")
cmd.run_command
cmd
end
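Review bot: The `require 'pry'` at line 27 and the `puts "COMMAND: #{cmd.command}"` at line 31 are debugging leftovers inside the private section of a library mixin, and the `puts` writes every command line chef-client runs straight to stdout, bypassing the logger and any `sensitive` setting on the resource, so a command that embeds a credential would be echoed on every run. The commented-out `binding.pry` on line 32 belongs to the same debugging session. Drop lines 27, 31 and 32 so the hunk reduces to the original three-line body; if a command trace is wanted, it should go through the Chef logger at debug level and respect the resource's sensitivity rather than an unconditional `puts`.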
diff --git a/lib/chef/provider/execute.rb b/lib/chef/provider/execute.rb
index b44112c19e..a703179883 100644
--- a/lib/chef/provider/execute.rb
+++ b/lib/chef/provider/execute.rb
@@ -27,7 +27,7 @@ class Chef
provides :execute
- def_delegators :@new_resource, :command, :returns, :environment, :user, :group, :cwd, :umask, :creates
+ def_delegators :@new_resource, :command, :returns, :environment, :user, :domain, :password, :group, :cwd, :umask, :creates
def load_current_resource
current_resource = Chef::Resource::Execute.new(new_resource.name)
@@ -75,6 +75,7 @@ class Chef
opts[:returns] = returns if returns
opts[:environment] = environment if environment
opts[:user] = user if user
+ opts[:password] = password if password
opts[:group] = group if group
opts[:cwd] = cwd if cwd
opts[:umask] = umask if umask
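Review bot: `domain` is now delegated from the resource (line 43) but is never forwarded to the shell_out options here, while `password` is, so a recipe giving `user 'svc'` with `domain 'CORP'` would have the account looked up without its domain, which presumably either fails or resolves to a local account of the same name. Add `opts[:domain] = domain if domain` next to the password line, assuming Mixlib::ShellOut accepts a `:domain` option alongside `:password` on its Windows path. It would also be worth rejecting a `password` supplied without a `user`, since the password on its own selects no identity. The method this hunk touches starts outside the hunk.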
@@ -99,6 +100,7 @@ class Chef
( cwd && creates_relative? ) ? ::File.join(cwd, creates) : creates
))
end
+
end
end
end
diff --git a/lib/chef/provider/powershell_script.rb b/lib/chef/provider/powershell_script.rb
index cea9a45dad..da8a652213 100644
--- a/lib/chef/provider/powershell_script.rb
+++ b/lib/chef/provider/powershell_script.rb
@@ -149,6 +149,14 @@ EOH
<<-EOH
# Chef Client wrapper for powershell_script resources
+# In rare cases, this module is not present and the
+# new-variable cmdlet is not available, so import it
+# just in case
+if ( get-module -ListAvailable Microsoft.PowerShell.Utility )
+{
+ Import-Module Microsoft.PowerShell.Utility
+}
+
# LASTEXITCODE can be uninitialized -- make it explictly 0
# to avoid incorrect detection of failure (non-zero) codes
$global:LASTEXITCODE = 0
diff --git a/lib/chef/provider/script.rb b/lib/chef/provider/script.rb
index e8b5235b7a..9bc070466e 100644
--- a/lib/chef/provider/script.rb
+++ b/lib/chef/provider/script.rb
@@ -18,6 +18,7 @@
require 'tempfile'
require 'chef/provider/execute'
+require 'chef/win32/security'
require 'forwardable'
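Review bot: The new `require 'chef/win32/security'` on line 87 is unconditional, yet the only caller added in this commit runs inside a `Chef::Platform.windows?` branch; if that file binds Win32 APIs via FFI at load time, as its name suggests, the script provider would fail to load on every non-Windows node. Guard it the way the Windows-only branch below already is, `require 'chef/win32/security' if Chef::Platform.windows?`, or move the require into the Windows branch that uses it, and confirm that `Chef::Platform` is already loaded at this point in the file (it is not required in the visible lines).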
class Chef
@@ -68,9 +69,25 @@ class Chef
# FileUtils itself implements a no-op if +user+ or +group+ are nil
# You can prove this by running FileUtils.chown(nil,nil,'/tmp/file')
# as an unprivileged user.
- FileUtils.chown(new_resource.user, new_resource.group, script_file.path)
+ if ! Chef::Platform.windows?
+ FileUtils.chown(new_resource.user, new_resource.group, script_file.path)
+ else
+ grant_alternate_user_read_access
+ end
+ end
+
+ def grant_alternate_user_read_access
+ securable_object = Chef::ReservedNames::Win32::Security::SecurableObject.new(script_file.path)
+ aces = securable_object.security_descriptor.dacl.reduce([]) { | result, current | result.push(current) }
+# aces = securable_object.security_descriptor.dacl.flatten
+ user_sid = Chef::ReservedNames::Win32::Security::SID.from_account(new_resource.user)
+ read_ace = Chef::ReservedNames::Win32::Security::ACE.access_allowed(user_sid, Chef::ReservedNames::Win32::API::Security::GENERIC_READ | Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE, 0)
+ aces.push(read_ace)
+ acl = Chef::ReservedNames::Win32::Security::ACL.create(aces)
+ securable_object.dacl = acl
end
+
def script_file
@script_file ||= Tempfile.open("chef-script")
end
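Review bot: On Windows the new `else` branch calls `grant_alternate_user_read_access` unconditionally, but that method passes `new_resource.user` to `SID.from_account`, which receives `nil` whenever the resource sets no user; the chown path it replaces is, per the context comment, explicitly a no-op for a nil user, so every `script` resource without a `user` on Windows would now hit an account lookup for `nil`. The lookup also ignores the `domain` attribute this commit introduces, so a domain account would be resolved by bare name; if the lookup accepts the `DOMAIN\user` form, the qualified name should be built from both attributes. Line 105 is a commented-out alternative left at column 0 and should be removed, and the `reduce([]) { ... push }` on line 104 is `to_a`. The method that contains the `if` starts outside the hunk.
```ruby
        if Chef::Platform.windows?
          # Only the execute user needs an extra read grant; with no user the
          # chown path this replaces was a no-op, so keep that behaviour.
          grant_alternate_user_read_access if new_resource.user
        else
          FileUtils.chown(new_resource.user, new_resource.group, script_file.path)
        end
      end

      # Adds an access-allowed ACE for the execute user so the interpreter
      # launched under that identity can read the temporary script file.
      def grant_alternate_user_read_access
        securable_object = Chef::ReservedNames::Win32::Security::SecurableObject.new(script_file.path)
        aces = securable_object.security_descriptor.dacl.to_a
        account = new_resource.domain ? "#{new_resource.domain}\\#{new_resource.user}" : new_resource.user
        user_sid = Chef::ReservedNames::Win32::Security::SID.from_account(account)
        # … unchanged: read/execute ACE construction and dacl assignment …
```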
diff --git a/lib/chef/resource/execute.rb b/lib/chef/resource/execute.rb
index ec669a75d3..238557c078 100644
--- a/lib/chef/resource/execute.rb
+++ b/lib/chef/resource/execute.rb
@@ -46,6 +46,8 @@ class Chef
@returns = 0
@timeout = nil
@user = nil
+ @domain = nil
+ @password = nil
@umask = nil
@default_guard_interpreter = :execute
@is_guard_interpreter = false
@@ -135,6 +137,30 @@ class Chef
)
end
+ def domain(arg=nil)
+ set_or_return(
+ :domain,
+ arg,
+ :kind_of => [ String ]
+ )
+ end
+
+ def password(arg=nil)
+ set_or_return(
+ :password,
+ arg,
+ :kind_of => [ String ]
+ )
+ end
+
+ def sensitive(arg=nil)
+ if password
+ true
+ else
+ super
+ end
+ end
+
def self.set_guard_inherited_attributes(*inherited_attributes)
@class_inherited_attributes = inherited_attributes
end
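Review bot: The `sensitive` override on lines 148-154 silently wins over an explicit `sensitive false` once a `password` is set, and neither new attribute says that it only has an effect together with `user` on Windows; both deserve a comment because a recipe author will otherwise set `sensitive false` to debug a failing command and wonder why output stays hidden. I would add above `sensitive`: `# Forced to true whenever a password is present so the credential never reaches logs or reports, even if sensitive false was declared.` and above `domain`/`password`: `# Windows only: identity for the process; meaningful only with user set (see the execute provider).` The password is also held as a plain String instance variable; if the resource is ever serialized for reporting, that field would need excluding, which is worth confirming against the resource base class.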