Brought back Chef::Win32::Security functional test for running as a non admin user

Signed-off-by: nimisha <nimisha.sharad@msystechnologies.com>
author: nimisha <nimisha.sharad@msystechnologies.com> 2017-12-18 17:44:15 +0530
committer: nimisha <nimisha.sharad@msystechnologies.com> 2018-01-24 15:00:37 +0530
commit: cc9766bd0a98b733eef3e9d40f3eac85a25f7e93 (patch)
tree: 5430925a36cbf05ed7949439a1e5686beeb1ea01
parent: 9382e77576921af4dd22de00bf5537e55ed60ac1 (diff)
download: chef-cc9766bd0a98b733eef3e9d40f3eac85a25f7e93.tar.gz
5 files changed, 21 insertions, 8 deletions
diff --git a/lib/chef/mixin/user_context.rb b/lib/chef/mixin/user_context.rb
index b4deaab20e..0807bd5a95 100644
--- a/lib/chef/mixin/user_context.rb
+++ b/lib/chef/mixin/user_context.rb
@@ -22,7 +22,8 @@ class Chef
   module Mixin
     module UserContext
 
-      def with_user_context(user, password, domain = nil, &block)
+      # valid logon_type values => :remote, :local
+      def with_user_context(user, password, domain = nil, logon_type = :remote, &block)
         unless Chef::Platform.windows?
           raise Exceptions::UnsupportedPlatform, "User context impersonation is supported only on the Windows platform"
         end
@@ -35,7 +36,7 @@ class Chef
 
         begin
           if user
-            logon_session = Chef::Util::Windows::LogonSession.new(user, password, domain)
+            logon_session = Chef::Util::Windows::LogonSession.new(user, password, domain, logon_type)
             logon_session.open
             logon_session.set_user_context
           end
diff --git a/lib/chef/provider/remote_file/network_file.rb b/lib/chef/provider/remote_file/network_file.rb
index a08bfd2453..a7ba0207bd 100644
--- a/lib/chef/provider/remote_file/network_file.rb
+++ b/lib/chef/provider/remote_file/network_file.rb
@@ -43,7 +43,7 @@ class Chef
             tempfile = Chef::FileContentManagement::Tempfile.new(new_resource).tempfile
             Chef::Log.debug("#{new_resource} staging #{@source} to #{tempfile.path}")
 
-            with_user_context(new_resource.remote_user, new_resource.remote_password, new_resource.remote_domain) do
+            with_user_context(new_resource.remote_user, new_resource.remote_password, new_resource.remote_domain, :remote) do
               ::File.open(@source, "rb") do |remote_file|
                 while data = remote_file.read(TRANSFER_CHUNK_SIZE)
                   tempfile.write(data)
diff --git a/lib/chef/util/windows/logon_session.rb b/lib/chef/util/windows/logon_session.rb
index ef80b113b1..5a126f0c4a 100644
--- a/lib/chef/util/windows/logon_session.rb
+++ b/lib/chef/util/windows/logon_session.rb
@@ -25,7 +25,7 @@ class Chef
       class LogonSession
         include Chef::Mixin::WideString
 
-        def initialize(username, password, domain = nil)
+        def initialize(username, password, domain = nil, logon_type)
           if username.nil? || password.nil?
             raise ArgumentError, "The logon session must be initialize with non-nil user name and password parameters"
           end
@@ -33,6 +33,7 @@ class Chef
           @original_username = username
           @original_password = password
           @original_domain = domain
+          @logon_type = logon_type
           @token = FFI::Buffer.new(:pointer)
           @session_opened = false
           @impersonating = false
@@ -47,7 +48,11 @@ class Chef
           password = wstring(original_password)
           domain = wstring(original_domain)
 
-          status = Chef::ReservedNames::Win32::API::Security.LogonUserW(username, domain, password, Chef::ReservedNames::Win32::API::Security::LOGON32_LOGON_NEW_CREDENTIALS, Chef::ReservedNames::Win32::API::Security::LOGON32_PROVIDER_DEFAULT, token)
+          if logon_type == :remote
+            status = Chef::ReservedNames::Win32::API::Security.LogonUserW(username, domain, password, Chef::ReservedNames::Win32::API::Security::LOGON32_LOGON_NEW_CREDENTIALS, Chef::ReservedNames::Win32::API::Security::LOGON32_PROVIDER_DEFAULT, token)
+          elsif logon_type == :local
+            status = Chef::ReservedNames::Win32::API::Security.LogonUserW(username, domain, password, Chef::ReservedNames::Win32::API::Security::LOGON32_LOGON_NETWORK, Chef::ReservedNames::Win32::API::Security::LOGON32_PROVIDER_DEFAULT, token)
+          end
 
           if !status
             last_error = FFI::LastError.error
@@ -110,6 +115,7 @@ class Chef
         attr_reader :original_username
         attr_reader :original_password
         attr_reader :original_domain
+        attr_reader :logon_type
 
         attr_reader :token
         attr_reader :session_opened
diff --git a/lib/chef/win32/security.rb b/lib/chef/win32/security.rb
index b8fdf1716f..2cb19ad520 100644
--- a/lib/chef/win32/security.rb
+++ b/lib/chef/win32/security.rb
@@ -647,7 +647,14 @@ class Chef
 
           true
         else
-          process_token = open_current_process_token(TOKEN_READ)
+          # a regular user doesn't have privileges to call Chef::ReservedNames::Win32::Security.OpenProcessToken
+          # hence we return false if the open_current_process_token fails with `Access is denied.` error message.
+          begin
+            process_token = open_current_process_token(TOKEN_READ)
+          rescue Exception => run_error
+            return false if run_error.message.match(/Access is denied/)
+            Chef::ReservedNames::Win32::Error.raise!
+          end
 
           # display token elevation details
           token_elevation_type = get_token_information_elevation_type(process_token)
diff --git a/spec/functional/win32/security_spec.rb b/spec/functional/win32/security_spec.rb
index f3faf24c52..1caa775481 100644
--- a/spec/functional/win32/security_spec.rb
+++ b/spec/functional/win32/security_spec.rb
@@ -42,7 +42,6 @@ describe "Chef::Win32::Security", :windows_only do
     before do
       allow_any_instance_of(Chef::Mixin::UserContext).to receive(:node).and_return({ "platform_family" => "windows" })
       allow(Chef::Platform).to receive(:windows_server_2003?).and_return(false)
-      allow(Chef::ReservedNames::Win32::Security).to receive(:OpenProcessToken).and_return(true)
       add_user = Mixlib::ShellOut.new("net user #{user} #{password} /ADD")
       add_user.run_command
       add_user.error!
@@ -54,7 +53,7 @@ describe "Chef::Win32::Security", :windows_only do
       delete_user.error!
     end
     it "has_admin_privileges? returns false" do
-      has_admin_privileges = with_user_context(user, password, domain) do
+      has_admin_privileges = with_user_context(user, password, domain, :local) do
         Chef::ReservedNames::Win32::Security.has_admin_privileges?
       end
       expect(has_admin_privileges).to eq(false)
author	nimisha <nimisha.sharad@msystechnologies.com>	2017-12-18 17:44:15 +0530
committer	nimisha <nimisha.sharad@msystechnologies.com>	2018-01-24 15:00:37 +0530
commit	cc9766bd0a98b733eef3e9d40f3eac85a25f7e93 (patch)
tree	5430925a36cbf05ed7949439a1e5686beeb1ea01
parent	9382e77576921af4dd22de00bf5537e55ed60ac1 (diff)
download	chef-cc9766bd0a98b733eef3e9d40f3eac85a25f7e93.tar.gz