diff options
author | Stuart Preston <stuart@chef.io> | 2018-07-12 14:06:17 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-07-12 14:06:17 +0100 |
commit | c6c3a74be7dcc765792ee5cac88a62da8730b14f (patch) | |
tree | 478e7c2350e4fbae00bd3f83e920d92c777cd11e | |
parent | feee4070b49e7581529b789be2731d874fd14edc (diff) | |
parent | f6962f86e20ce4a5dcc5a860b31d58b161f80e6e (diff) | |
download | chef-c6c3a74be7dcc765792ee5cac88a62da8730b14f.tar.gz |
Merge pull request #7445 from MsysTechnologiesllc/nimesh/MSYS-843/add_remove_account_right
[MSYS-843] - Add remove_account_right function to win32/security
-rw-r--r-- | lib/chef/win32/api/security.rb | 1 | ||||
-rw-r--r-- | lib/chef/win32/security.rb | 13 | ||||
-rw-r--r-- | spec/functional/win32/security_spec.rb | 21 |
3 files changed, 35 insertions, 0 deletions
diff --git a/lib/chef/win32/api/security.rb b/lib/chef/win32/api/security.rb index 6620f321aa..277e85a26b 100644 --- a/lib/chef/win32/api/security.rb +++ b/lib/chef/win32/api/security.rb @@ -446,6 +446,7 @@ class Chef safe_attach_function :LookupPrivilegeDisplayNameW, [ :LPCWSTR, :LPCWSTR, :LPWSTR, :LPDWORD, :LPDWORD ], :BOOL safe_attach_function :LookupPrivilegeValueW, [ :LPCWSTR, :LPCWSTR, :PLUID ], :BOOL safe_attach_function :LsaAddAccountRights, [ :pointer, :pointer, :pointer, :ULONG ], :NTSTATUS + safe_attach_function :LsaRemoveAccountRights, [ :pointer, :pointer, :BOOL, :pointer, :ULONG ], :NTSTATUS safe_attach_function :LsaClose, [ :LSA_HANDLE ], :NTSTATUS safe_attach_function :LsaEnumerateAccountRights, [ :LSA_HANDLE, :PSID, :PLSA_UNICODE_STRING, :PULONG ], :NTSTATUS safe_attach_function :LsaFreeMemory, [ :PVOID ], :NTSTATUS diff --git a/lib/chef/win32/security.rb b/lib/chef/win32/security.rb index 58f47e885b..879aba7f2b 100644 --- a/lib/chef/win32/security.rb +++ b/lib/chef/win32/security.rb @@ -117,6 +117,19 @@ class Chef end end + def self.remove_account_right(name, privilege) + privilege_pointer = FFI::MemoryPointer.new LSA_UNICODE_STRING, 1 + privilege_lsa_string = LSA_UNICODE_STRING.new(privilege_pointer) + privilege_lsa_string[:Buffer] = FFI::MemoryPointer.from_string(privilege.to_wstring) + privilege_lsa_string[:Length] = privilege.length * 2 + privilege_lsa_string[:MaximumLength] = (privilege.length + 1) * 2 + + with_lsa_policy(name) do |policy_handle, sid| + result = LsaRemoveAccountRights(policy_handle.read_pointer, sid, false, privilege_pointer, 1) + test_and_raise_lsa_nt_status(result) + end + end + def self.adjust_token_privileges(token, privileges) token = token.handle if token.respond_to?(:handle) old_privileges_size = FFI::Buffer.new(:long).write_long(privileges.size_with_privileges) diff --git a/spec/functional/win32/security_spec.rb b/spec/functional/win32/security_spec.rb index f88cde0204..5ef1f250ea 100644 --- a/spec/functional/win32/security_spec.rb +++ b/spec/functional/win32/security_spec.rb @@ -176,6 +176,27 @@ describe "Chef::Win32::Security", :windows_only do end end + describe ".remove_account_right" do + let(:username) { ENV["USERNAME"] } + + context "when given a valid username" do + it "removes the account right constants" do + Chef::ReservedNames::Win32::Security.add_account_right(username, "SeBatchLogonRight") + expect(Chef::ReservedNames::Win32::Security.get_account_right(username)).to include("SeBatchLogonRight") + Chef::ReservedNames::Win32::Security.remove_account_right(username, "SeBatchLogonRight") + expect(Chef::ReservedNames::Win32::Security.get_account_right(username)).not_to include("SeBatchLogonRight") + end + end + + context "when given an invalid username" do + let(:username) { "noooooooooope" } + + it "raises an exception" do + expect { Chef::ReservedNames::Win32::Security.remove_account_right(username, "SeBatchLogonRight") }.to raise_error(Chef::Exceptions::Win32APIError) + end + end + end + describe ".test_and_raise_lsa_nt_status" do # NTSTATUS code: 0xC0000001 / STATUS_UNSUCCESSFUL # Windows Error: ERROR_GEN_FAILURE / 31 / 0x1F / A device attached to the system is not functioning. |