authorStuart Preston <stuart@chef.io>2018-07-25 10:04:17 +0100
committerGitHub <noreply@github.com>2018-07-25 10:04:17 +0100
commitc85f28481a7ee6308e4dc3e29ad26f05c38c9432 (patch)
tree75fdf2f0d2cb7b255a08c30196318425b2403cb6 /spec/functional
parent98762283604d272c39c9993dd407648f52db5c96 (diff)
Assume credentials supplied are still valid if they cannot be validated due to a Windows account restriction (#7416)
Signed-off-by: Stuart Preston <stuart@chef.io>
Diffstat (limited to 'spec/functional')
-rw-r--r--spec/functional/resource/user/windows_spec.rb144
1 files changed, 127 insertions, 17 deletions
diff --git a/spec/functional/resource/user/windows_spec.rb b/spec/functional/resource/user/windows_spec.rb
index 56ae962ee4..c5792b1ea9 100644
--- a/spec/functional/resource/user/windows_spec.rb
+++ b/spec/functional/resource/user/windows_spec.rb
@@ -1,5 +1,7 @@
# Author:: Jay Mundrawala (<jdm@chef.io>)
-# Copyright:: Copyright 2015-2016, Chef Software
+# Author:: Stuart Preston (<stuart@chef.io>)
+#
+# Copyright:: Copyright 2015-2018, Chef Software
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -22,7 +24,7 @@ describe Chef::Provider::User::Windows, :windows_only do
include Chef::Mixin::ShellOut
let(:username) { "ChefFunctionalTest" }
- let(:password) { SecureRandom.uuid }
+ let(:password) { "DummyP2ssw0rd!" }
let(:node) do
n = Chef::Node.new
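Review bot: `let(:password)` now returns a fixed literal, so every run creates the local `ChefFunctionalTest` account with a password that is published in the repository. If a run aborts before the next `delete_user` call, that account stays on the test host with a known credential. The reason for dropping `SecureRandom.uuid` is not visible in this hunk; if the aim was a value that reliably satisfies a complexity policy, a random value with a fixed prefix keeps that property, e.g. `let(:password) { "Aa1!#{SecureRandom.hex(12)}" }`. The `describe` block and the `let(:node)` body continue outside the hunk.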
@@ -44,29 +46,137 @@ describe Chef::Provider::User::Windows, :windows_only do
shell_out("net user #{u} /delete")
end
- before do
+ def backup_secedit_policy
+ backup_command = "secedit /export /cfg #{ENV['TEMP']}\\secedit_restore.inf /areas SECURITYPOLICY"
+ shell_out(backup_command)
+ end
+
+ def restore_secedit_policy
+ security_database = "C:\\windows\\security\\database\\seceditnew.sdb"
+ restore_command = "secedit /configure /db #{security_database} /cfg #{ENV['TEMP']}\\secedit_restore.inf /areas SECURITYPOLICY"
+ shell_out(restore_command)
+ end
+
+ def set_windows_minimum_password_length(minimum_password_length = 0)
+ require "tempfile"
+ temp_security_database = "C:\\windows\\security\\database\\seceditnew.sdb"
+ temp_security_template = Tempfile.new(["chefpolicy", ".inf"])
+ file_content = <<~EOF
+ [Unicode]
+ Unicode=yes
+ [System Access]
+ MinimumPasswordLength = #{minimum_password_length}
+ PasswordComplexity = 0
+ [Version]
+ signature="$CHICAGO$"
+ Revision=1
+ EOF
+ windows_template_path = temp_security_template.path.gsub("/") { "\\" }
+ security_command = "secedit /configure /db #{temp_security_database} /cfg #{windows_template_path} /areas SECURITYPOLICY"
+ temp_security_template.write(file_content)
+ temp_security_template.close
+ shell_out(security_command)
+ end
+
+ before(:all) do
+ backup_secedit_policy
+ end
+
+ before(:each) do
delete_user(username)
allow(run_context).to receive(:logger).and_return(logger)
end
+ after(:all) do
+ restore_secedit_policy
+ end
+
describe "action :create" do
- it "creates a user when a username and password are given" do
- new_resource.run_action(:create)
- expect(new_resource).to be_updated_by_last_action
- expect(shell_out("net user #{username}").exitstatus).to eq(0)
- end
+ context "on a Windows system with a policy that requires non-blank passwords and no complexity requirements" do
- it "reports no changes if there are no changes needed" do
- new_resource.run_action(:create)
- new_resource.run_action(:create)
- expect(new_resource).not_to be_updated_by_last_action
+ before(:all) do
+ set_windows_minimum_password_length(1)
+ end
+
+ context "when a username and non-empty password are given" do
+ it "creates a user" do
+ new_resource.run_action(:create)
+ expect(new_resource).to be_updated_by_last_action
+ expect(shell_out("net user #{username}").exitstatus).to eq(0)
+ end
+
+ it "is idempotent" do
+ new_resource.run_action(:create)
+ new_resource.run_action(:create)
+ expect(new_resource).not_to be_updated_by_last_action
+ end
+
+ it "allows changing the password" do
+ new_resource.run_action(:create)
+ new_resource.password(SecureRandom.uuid)
+ new_resource.run_action(:create)
+ expect(new_resource).to be_updated_by_last_action
+ end
+ end
+
+ context "when a username and empty password are given" do
+ it "does not create the specified user" do
+ new_resource.password("")
+ expect { new_resource.run_action(:create) }.to raise_exception(Chef::Exceptions::Win32APIError, /The password does not meet the password policy requirements/)
+ end
+ end
end
- it "allows chaning the password" do
- new_resource.run_action(:create)
- new_resource.password(SecureRandom.uuid)
- new_resource.run_action(:create)
- expect(new_resource).to be_updated_by_last_action
+ context "on a Windows system with a policy that allows blank passwords" do
+
+ before(:all) do
+ set_windows_minimum_password_length(0)
+ end
+
+ context "when a username and non-empty password are given" do
+ it "creates a user" do
+ new_resource.run_action(:create)
+ expect(new_resource).to be_updated_by_last_action
+ expect(shell_out("net user #{username}").exitstatus).to eq(0)
+ end
+
+ it "is idempotent" do
+ new_resource.run_action(:create)
+ new_resource.run_action(:create)
+ expect(new_resource).not_to be_updated_by_last_action
+ end
+
+ it "allows changing the password" do
+ new_resource.run_action(:create)
+ new_resource.password(SecureRandom.uuid)
+ new_resource.run_action(:create)
+ expect(new_resource).to be_updated_by_last_action
+ end
+ end
+
+ context "when a username and empty password are given" do
+ it "creates a user" do
+ new_resource.password("")
+ new_resource.run_action(:create)
+ expect(new_resource).to be_updated_by_last_action
+ expect(shell_out("net user #{username}").exitstatus).to eq(0)
+ end
+
+ it "is idempotent" do
+ new_resource.password("")
+ new_resource.run_action(:create)
+ new_resource.run_action(:create)
+ expect(new_resource).not_to be_updated_by_last_action
+ end
+
+ it "allows changing the password from empty to a value" do
+ new_resource.password("")
+ new_resource.run_action(:create)
+ new_resource.password(SecureRandom.uuid)
+ new_resource.run_action(:create)
+ expect(new_resource).to be_updated_by_last_action
+ end
+ end
end
context "with a gid specified" do
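Review bot: The `secedit` calls in `backup_secedit_policy`, `restore_secedit_policy` and `set_windows_minimum_password_length` go through `shell_out` and the results are discarded. A failed export or restore therefore passes silently and can leave the host with `MinimumPasswordLength = 0` and `PasswordComplexity = 0` after the suite finishes. Using `shell_out!(backup_command)`, `shell_out!(restore_command)` and `shell_out!(security_command)` would make the suite fail instead of continuing on an unknown policy. The backup is also written to a fixed name under `ENV['TEMP']` and never removed, so a later run whose export failed could restore a stale file; deleting it in `after(:all)` once the restore has succeeded would close that gap. The `describe "action :create"` block continues outside the hunk.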