authorVasu1105 <vasundhara.jagdale@msystechnologies.com>2020-02-23 22:37:07 -0800
committerVasu1105 <vasundhara.jagdale@msystechnologies.com>2020-02-24 00:03:39 -0800
commitb55fa03435b8045a3cea58693691cd0c12d1a3db (patch)
tree5213cf64086e72d1db0934bd249c4286d57f70fa /lib/chef/win32
parent8e5d87f13f91780f5a61cad4e78f2ae6c94f36b4 (diff)
downloadchef-b55fa03435b8045a3cea58693691cd0c12d1a3db.tar.gz
Use the win32 API to fetch the accounts that hold a user right. This method is used in the set action to set the users for privileges, and the dsc_resource code is removed.
Signed-off-by: Vasu1105 <vasundhara.jagdale@msystechnologies.com>
Diffstat (limited to 'lib/chef/win32')
-rw-r--r--lib/chef/win32/api/security.rb6
-rw-r--r--lib/chef/win32/security.rb38
2 files changed, 42 insertions, 2 deletions
diff --git a/lib/chef/win32/api/security.rb b/lib/chef/win32/api/security.rb
index b651283758..16671a9f6d 100644
--- a/lib/chef/win32/api/security.rb
+++ b/lib/chef/win32/api/security.rb
@@ -413,6 +413,11 @@ class Chef
:Buffer, :PWSTR
end
+ # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/ns-ntsecapi-lsa_enumeration_information
+ class LSA_ENUMERATION_INFORMATION < FFI::Struct
+ layout :Sid, :PSID
+ end
+
ffi_lib "advapi32"
safe_attach_function :AccessCheck, %i{pointer HANDLE DWORD pointer pointer pointer pointer pointer}, :BOOL
@@ -448,6 +453,7 @@ class Chef
safe_attach_function :LookupPrivilegeDisplayNameW, %i{LPCWSTR LPCWSTR LPWSTR LPDWORD LPDWORD}, :BOOL
safe_attach_function :LookupPrivilegeValueW, %i{LPCWSTR LPCWSTR PLUID}, :BOOL
safe_attach_function :LsaAddAccountRights, %i{pointer pointer pointer ULONG}, :NTSTATUS
+ safe_attach_function :LsaEnumerateAccountsWithUserRight, %i{LSA_HANDLE PLSA_UNICODE_STRING PVOID PULONG}, :NTSTATUS
safe_attach_function :LsaRemoveAccountRights, %i{pointer pointer BOOL pointer ULONG}, :NTSTATUS
safe_attach_function :LsaClose, [ :LSA_HANDLE ], :NTSTATUS
safe_attach_function :LsaEnumerateAccountRights, %i{LSA_HANDLE PSID PLSA_UNICODE_STRING PULONG}, :NTSTATUS
diff --git a/lib/chef/win32/security.rb b/lib/chef/win32/security.rb
index 5b78b652eb..2879131210 100644
--- a/lib/chef/win32/security.rb
+++ b/lib/chef/win32/security.rb
@@ -214,6 +214,37 @@ class Chef
privileges
end
+ def self.get_account_with_user_rights(privilege)
+ privilege_pointer = FFI::MemoryPointer.new LSA_UNICODE_STRING, 1
+ privilege_lsa_string = LSA_UNICODE_STRING.new(privilege_pointer)
+ privilege_lsa_string[:Buffer] = FFI::MemoryPointer.from_string(privilege.to_wstring)
+ privilege_lsa_string[:Length] = privilege.length * 2
+ privilege_lsa_string[:MaximumLength] = (privilege.length + 1) * 2
+
+ buffer = FFI::MemoryPointer.new(:pointer)
+ count = FFI::MemoryPointer.new(:ulong)
+
+ accounts = []
+ with_lsa_policy(nil) do |policy_handle, sid|
+ result = LsaEnumerateAccountsWithUserRight(policy_handle.read_pointer, privilege_pointer, buffer, count)
+ win32_error = LsaNtStatusToWinError(result)
+ return [] if win32_error == 1313 # NO_SUCH_PRIVILEGE - https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--1300-1699-
+
+ test_and_raise_lsa_nt_status(result)
+
+ count.read_ulong.times do |i|
+ sid = LSA_ENUMERATION_INFORMATION.new(buffer.read_pointer + i * LSA_ENUMERATION_INFORMATION.size)
+ sid_name = lookup_account_sid(sid[:Sid])
+ accounts << sid_name
+ end
+
+ result = LsaFreeMemory(buffer.read_pointer)
+ test_and_raise_lsa_nt_status(result)
+ end
+
+ accounts
+ end
+
def self.get_ace(acl, index)
acl = acl.pointer if acl.respond_to?(:pointer)
ace = FFI::Buffer.new :pointer
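Review bot: The `LsaFreeMemory(buffer.read_pointer)` call after the `count.read_ulong.times` loop is skipped whenever `lookup_account_sid` raises inside the loop, so the LSA-allocated enumeration buffer leaks on that path; the free belongs in an `ensure` clause that runs after a successful `LsaEnumerateAccountsWithUserRight` regardless of what the loop does. The early `return []` for 1313 is safe as written because it happens before the buffer is allocated and `with_lsa_policy`'s `ensure` (visible in the last hunk) still closes the policy handle. It also looks like an empty enumeration may be reported by a non-success status rather than a zero count (STATUS_NO_MORE_ENTRIES, which maps to ERROR_NO_MORE_ITEMS, 259), which `test_and_raise_lsa_nt_status` would presumably raise on; verify that and, if so, treat it like 1313 so callers get `[]`. The block parameter `sid` is never read and is then reassigned inside the loop; naming it `_sid` and using a distinct loop variable such as `entry` would avoid the shadowing.
```ruby
      with_lsa_policy(nil) do |policy_handle, _sid|
        # … unchanged: LsaEnumerateAccountsWithUserRight call, 1313 early return, status check …
        begin
          count.read_ulong.times do |i|
            entry = LSA_ENUMERATION_INFORMATION.new(buffer.read_pointer + i * LSA_ENUMERATION_INFORMATION.size)
            accounts << lookup_account_sid(entry[:Sid])
          end
        ensure
          # Buffer is owned by LSA; release it even if a SID lookup above raised.
          result = LsaFreeMemory(buffer.read_pointer)
          test_and_raise_lsa_nt_status(result)
        end
      end
```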
@@ -616,18 +647,21 @@ class Chef
end
def self.with_lsa_policy(username)
- sid = lookup_account_name(username)[1]
+ sid = lookup_account_name(username)[1] if username
access = 0
access |= POLICY_CREATE_ACCOUNT
access |= POLICY_LOOKUP_NAMES
+ access |= POLICY_VIEW_LOCAL_INFORMATION if username.nil?
policy_handle = FFI::MemoryPointer.new(:pointer)
result = LsaOpenPolicy(nil, LSA_OBJECT_ATTRIBUTES.new, access, policy_handle)
test_and_raise_lsa_nt_status(result)
+ sid_pointer = username.nil? ? nil : sid.pointer
+
begin
- yield policy_handle, sid.pointer
+ yield policy_handle, sid_pointer
ensure
result = LsaClose(policy_handle.read_pointer)
test_and_raise_lsa_nt_status(result)