author | Tim Smith <tsmith@chef.io> | 2020-09-11 18:23:37 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-09-11 18:23:37 -0700 |
commit | b10bec33e2fed45c6168b617e8fc4b5a3e7a385e (patch) | |
tree | de0e9636ecacd940d1ef18d96a8e7804e8cb2da8 | |
parent | 856483b16602f920fa9455d8abd0108152debfda (diff) | |
parent | 4e0ff025f51b6f29297a984afa57e1ab0a77cfd3 (diff) | |
download | chef-b10bec33e2fed45c6168b617e8fc4b5a3e7a385e.tar.gz |
Merge pull request #10422 from chef/chef-davin-main
Signed-off-by: Tim Smith <tsmith@chef.io>
-rw-r--r-- | lib/chef/resource/windows_user_privilege.rb | 107 | ||||
-rw-r--r-- | spec/unit/resource/windows_uac_spec.rb | 2 | ||||
-rw-r--r-- | spec/unit/resource/windows_user_privilege_spec.rb | 55 |
3 files changed, 109 insertions, 55 deletions
diff --git a/lib/chef/resource/windows_user_privilege.rb b/lib/chef/resource/windows_user_privilege.rb
index a39250afc1..971338303d 100644
--- a/lib/chef/resource/windows_user_privilege.rb
+++ b/lib/chef/resource/windows_user_privilege.rb
@@ -23,52 +23,6 @@ class Chef
 class WindowsUserPrivilege < Chef::Resource
 unified_mode true
 
- privilege_opts = %w{SeTrustedCredManAccessPrivilege
- SeNetworkLogonRight
- SeTcbPrivilege
- SeMachineAccountPrivilege
- SeIncreaseQuotaPrivilege
- SeInteractiveLogonRight
- SeRemoteInteractiveLogonRight
- SeBackupPrivilege
- SeChangeNotifyPrivilege
- SeSystemtimePrivilege
- SeTimeZonePrivilege
- SeCreatePagefilePrivilege
- SeCreateTokenPrivilege
- SeCreateGlobalPrivilege
- SeCreatePermanentPrivilege
- SeCreateSymbolicLinkPrivilege
- SeDebugPrivilege
- SeDenyNetworkLogonRight
- SeDenyBatchLogonRight
- SeDenyServiceLogonRight
- SeDenyInteractiveLogonRight
- SeDenyRemoteInteractiveLogonRight
- SeEnableDelegationPrivilege
- SeRemoteShutdownPrivilege
- SeAuditPrivilege
- SeImpersonatePrivilege
- SeIncreaseWorkingSetPrivilege
- SeIncreaseBasePriorityPrivilege
- SeLoadDriverPrivilege
- SeLockMemoryPrivilege
- SeBatchLogonRight
- SeServiceLogonRight
- SeSecurityPrivilege
- SeRelabelPrivilege
- SeSystemEnvironmentPrivilege
- SeManageVolumePrivilege
- SeProfileSingleProcessPrivilege
- SeSystemProfilePrivilege
- SeUndockPrivilege
- SeAssignPrimaryTokenPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeSyncAgentPrivilege
- SeTakeOwnershipPrivilege
- }
-
 provides :windows_user_privilege
 
 description "The windows_user_privilege resource allows to add and set principal (User/Group) to the specified privilege.\n Ref: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment"
@@ -125,22 +79,67 @@ class Chef
 ```
 DOC
 
+ PRIVILEGE_OPTS = %w{ SeAssignPrimaryTokenPrivilege
+ SeAuditPrivilege
+ SeBackupPrivilege
+ SeBatchLogonRight
+ SeChangeNotifyPrivilege
+ SeCreateGlobalPrivilege
+ SeCreatePagefilePrivilege
+ SeCreatePermanentPrivilege
+ SeCreateSymbolicLinkPrivilege
+ SeCreateTokenPrivilege
+ SeDebugPrivilege
+ SeDenyBatchLogonRight
+ SeDenyInteractiveLogonRight
+ SeDenyNetworkLogonRight
+ SeDenyRemoteInteractiveLogonRight
+ SeDenyServiceLogonRight
+ SeEnableDelegationPrivilege
+ SeImpersonatePrivilege
+ SeIncreaseBasePriorityPrivilege
+ SeIncreaseQuotaPrivilege
+ SeIncreaseWorkingSetPrivilege
+ SeInteractiveLogonRight
+ SeLoadDriverPrivilege
+ SeLockMemoryPrivilege
+ SeMachineAccountPrivilege
+ SeManageVolumePrivilege
+ SeNetworkLogonRight
+ SeProfileSingleProcessPrivilege
+ SeRelabelPrivilege
+ SeRemoteInteractiveLogonRight
+ SeRemoteShutdownPrivilege
+ SeRestorePrivilege
+ SeSecurityPrivilege
+ SeServiceLogonRight
+ SeShutdownPrivilege
+ SeSyncAgentPrivilege
+ SeSystemEnvironmentPrivilege
+ SeSystemProfilePrivilege
+ SeSystemtimePrivilege
+ SeTakeOwnershipPrivilege
+ SeTcbPrivilege
+ SeTimeZonePrivilege
+ SeTrustedCredManAccessPrivilege
+ SeUndockPrivilege
+ }.freeze
+
 property :principal, String,
 description: "An optional property to add the user to the given privilege. Use only with add and remove action.",
 name_property: true
 
- property :users, Array,
- description: "An optional property to set the privilege for given users. Use only with set action."
+ property :users, [Array, String],
+ description: "An optional property to set the privilege for given users. Use only with set action.",
+ coerce: proc { |v| Array(v) }
 
 property :privilege, [Array, String],
- description: "Privilege to set for users.",
+ description: "One or more privileges to set for users.",
 required: true,
- coerce: proc { |v| v.is_a?(String) ? Array[v] : v },
+ coerce: proc { |v| Array(v) },
 callbacks: {
- "Option privilege must include any of the: #{privilege_opts}" => lambda { |v|
- (privilege_opts & v).size == v.size
- },
- }
+ "Privilege property restricted to the following values: #{PRIVILEGE_OPTS}" => lambda { |n| (n - PRIVILEGE_OPTS).empty? },
+ }
 
 load_current_value do |new_resource|
 if new_resource.principal && (new_resource.action.include?(:add) || new_resource.action.include?(:remove))
diff --git a/spec/unit/resource/windows_uac_spec.rb b/spec/unit/resource/windows_uac_spec.rb
index a82ca65421..48f2f33a16 100644
--- a/spec/unit/resource/windows_uac_spec.rb
+++ b/spec/unit/resource/windows_uac_spec.rb
@@ -44,7 +44,7 @@ describe Chef::Resource::WindowsUac do
 expect { resource.consent_behavior_users :bogus }.to raise_error(ArgumentError)
 end
 
- it "sets the default action as :create" do
+ it "sets the default action as :configure" do
 expect(resource.action).to eql([:configure])
 end
 end
diff --git a/spec/unit/resource/windows_user_privilege_spec.rb b/spec/unit/resource/windows_user_privilege_spec.rb
new file mode 100644
index 0000000000..73c800c8bd
--- /dev/null
+++ b/spec/unit/resource/windows_user_privilege_spec.rb
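Review bot: The new `privilege` callback accepts an empty list: `coerce: proc { |v| Array(v) }` turns `nil` or `[]` into `[]`, and `([] - PRIVILEGE_OPTS).empty?` is true, so `privilege []` passes validation unless `required: true` separately rejects an empty array, which is not visible in this hunk. Because `PRIVILEGE_OPTS` is the allow-list gating which user rights the resource will touch, an empty value silently makes the `set` action operate on no privileges instead of failing at compile time; tightening the lambda to `lambda { |n| !n.empty? && (n - PRIVILEGE_OPTS).empty? }` closes that gap. A smaller point: interpolating `#{PRIVILEGE_OPTS}` into the message prints the array in Ruby inspect form, and `#{PRIVILEGE_OPTS.join(", ")}` reads better in the ValidationFailed text. The class body and `load_current_value` continue outside the hunk.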
@@ -0,0 +1,55 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::WindowsUserPrivilege do
+ let(:resource) { Chef::Resource::WindowsUserPrivilege.new("fakey_fakerton") }
+
+ it "sets resource name as :windows_user_privilege" do
+ expect(resource.resource_name).to eql(:windows_user_privilege)
+ end
+
+ it "the principal property is the name_property" do
+ expect(resource.principal).to eql("fakey_fakerton")
+ end
+
+ it "the users property coerces to an array" do
+ resource.users "Administrator"
+ expect(resource.users).to eql(["Administrator"])
+ end
+
+ it "the privilege property coerces to an array" do
+ resource.privilege "SeDenyRemoteInteractiveLogonRight"
+ expect(resource.privilege).to eql(["SeDenyRemoteInteractiveLogonRight"])
+ end
+
+ it "the privilege property validates inputs against the allowed list of privs" do
+ expect { resource.privilege "invalidPriv" }.to raise_error(Chef::Exceptions::ValidationFailed)
+ end
+
+ it "sets the default action as :add" do
+ expect(resource.action).to eql([:add])
+ end
+
+ it "supports :add, :set, :clear, :remove actions" do
+ expect { resource.action :add }.not_to raise_error
+ expect { resource.action :set }.not_to raise_error
+ expect { resource.action :clear }.not_to raise_error
+ expect { resource.action :remove }.not_to raise_error
+ end
+end
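Review bot: The allow-list example exercises only a lone invalid string, so the array branch of the new `(n - PRIVILEGE_OPTS).empty?` check is never hit and a regression that validated only the first element would go unnoticed. Adding `expect { resource.privilege %w{SeDebugPrivilege invalidPriv} }.to raise_error(Chef::Exceptions::ValidationFailed)` next to the existing example pins that a valid entry cannot mask an invalid one in the same list. An `it` asserting that `resource.users %w{Administrator Guest}` round-trips unchanged would likewise cover the Array side of the `users` coercion, which the current examples only exercise with a String.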