Enable user identity for execute resourcesadamedx/windows-execute-user

5 files changed, 58 insertions, 3 deletions

diff --git a/lib/chef/mixin/shell_out.rb b/lib/chef/mixin/shell_out.rb
index 529023056d..5685bb5b6d 100644
--- a/lib/chef/mixin/shell_out.rb
+++ b/lib/chef/mixin/shell_out.rb
@@ -90,10 +90,12 @@ class Chef
       end
 
       private
-
+require 'pry'
       def shell_out_command(*command_args)
         cmd = Mixlib::ShellOut.new(*run_command_compatible_options(command_args))
         cmd.live_stream ||= io_for_live_stream
+        puts "COMMAND: #{cmd.command}"
+  #      binding.pry if cmd.command.include?("chef-script")
         cmd.run_command
         cmd
       end
diff --git a/lib/chef/provider/execute.rb b/lib/chef/provider/execute.rb
index b44112c19e..a703179883 100644
--- a/lib/chef/provider/execute.rb
+++ b/lib/chef/provider/execute.rb
@@ -27,7 +27,7 @@ class Chef
 
       provides :execute
 
-      def_delegators :@new_resource, :command, :returns, :environment, :user, :group, :cwd, :umask, :creates
+      def_delegators :@new_resource, :command, :returns, :environment, :user, :domain, :password, :group, :cwd, :umask, :creates
 
       def load_current_resource
         current_resource = Chef::Resource::Execute.new(new_resource.name)
@@ -75,6 +75,7 @@ class Chef
         opts[:returns]     = returns if returns
         opts[:environment] = environment if environment
         opts[:user]        = user if user
+        opts[:password]    = password if password
         opts[:group]       = group if group
         opts[:cwd]         = cwd if cwd
         opts[:umask]       = umask if umask
@@ -99,6 +100,7 @@ class Chef
            ( cwd && creates_relative? ) ? ::File.join(cwd, creates) : creates
         ))
       end
+
     end
   end
 end
diff --git a/lib/chef/provider/powershell_script.rb b/lib/chef/provider/powershell_script.rb
index cea9a45dad..da8a652213 100644
--- a/lib/chef/provider/powershell_script.rb
+++ b/lib/chef/provider/powershell_script.rb
@@ -149,6 +149,14 @@ EOH
 <<-EOH
 # Chef Client wrapper for powershell_script resources
 
+# In rare cases, this module is not present and the
+# new-variable cmdlet is not available, so import it
+# just in case
+if ( get-module -ListAvailable Microsoft.PowerShell.Utility )
+{
+    Import-Module Microsoft.PowerShell.Utility
+}
+
 # LASTEXITCODE can be uninitialized -- make it explictly 0
 # to avoid incorrect detection of failure (non-zero) codes
 $global:LASTEXITCODE = 0
diff --git a/lib/chef/provider/script.rb b/lib/chef/provider/script.rb
index e8b5235b7a..9bc070466e 100644
--- a/lib/chef/provider/script.rb
+++ b/lib/chef/provider/script.rb
@@ -18,6 +18,7 @@
 
 require 'tempfile'
 require 'chef/provider/execute'
+require 'chef/win32/security'
 require 'forwardable'
 
 class Chef
@@ -68,9 +69,25 @@ class Chef
         # FileUtils itself implements a no-op if +user+ or +group+ are nil
         # You can prove this by running FileUtils.chown(nil,nil,'/tmp/file')
         # as an unprivileged user.
-        FileUtils.chown(new_resource.user, new_resource.group, script_file.path)
+        if ! Chef::Platform.windows?
+          FileUtils.chown(new_resource.user, new_resource.group, script_file.path)
+        else
+          grant_alternate_user_read_access
+        end
+      end
+
+      def grant_alternate_user_read_access
+        securable_object = Chef::ReservedNames::Win32::Security::SecurableObject.new(script_file.path)
+        aces = securable_object.security_descriptor.dacl.reduce([]) { | result, current | result.push(current) }
+#        aces = securable_object.security_descriptor.dacl.flatten
+        user_sid = Chef::ReservedNames::Win32::Security::SID.from_account(new_resource.user)
+        read_ace = Chef::ReservedNames::Win32::Security::ACE.access_allowed(user_sid, Chef::ReservedNames::Win32::API::Security::GENERIC_READ | Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE, 0)
+        aces.push(read_ace)
+        acl = Chef::ReservedNames::Win32::Security::ACL.create(aces)
+        securable_object.dacl = acl
       end
 
+
       def script_file
         @script_file ||= Tempfile.open("chef-script")
       end
diff --git a/lib/chef/resource/execute.rb b/lib/chef/resource/execute.rb
index ec669a75d3..238557c078 100644
--- a/lib/chef/resource/execute.rb
+++ b/lib/chef/resource/execute.rb
@@ -46,6 +46,8 @@ class Chef
         @returns = 0
         @timeout = nil
         @user = nil
+        @domain = nil
+        @password = nil
         @umask = nil
         @default_guard_interpreter = :execute
         @is_guard_interpreter = false
@@ -135,6 +137,30 @@ class Chef
         )
       end
 
+      def domain(arg=nil)
+        set_or_return(
+          :domain,
+          arg,
+          :kind_of => [ String ]
+        )
+      end
+
+      def password(arg=nil)
+        set_or_return(
+          :password,
+          arg,
+          :kind_of => [ String ]
+        )
+      end
+
+      def sensitive(arg=nil)
+        if password
+          true
+        else
+          super
+        end
+      end
+
       def self.set_guard_inherited_attributes(*inherited_attributes)
         @class_inherited_attributes = inherited_attributes
       end