authorAdam Edwards <adamed@opscode.com>2015-12-12 23:08:24 -0800
committernimisha <nimisha.sharad@msystechnologies.com>2017-02-02 18:00:23 +0530
commit8a68a2a8bd043ae0c75d2c21c0b75259942039e4 (patch)
tree50e747bb0934744c2d94e838bf954b031fea9d27 /spec/unit
parent8ed11241ca1236d16a14e5bb32ef1ff16fabfeb9 (diff)
downloadchef-8a68a2a8bd043ae0c75d2c21c0b75259942039e4.tar.gz
Windows alternate user support for execute resources
Diffstat (limited to 'spec/unit')
-rw-r--r--spec/unit/provider/execute_spec.rb92
-rw-r--r--spec/unit/provider/script_spec.rb55
2 files changed, 141 insertions, 6 deletions
diff --git a/spec/unit/provider/execute_spec.rb b/spec/unit/provider/execute_spec.rb
index 4b0afcb928..e83e347fb6 100644
--- a/spec/unit/provider/execute_spec.rb
+++ b/spec/unit/provider/execute_spec.rb
@@ -239,5 +239,97 @@ describe Chef::Provider::Execute do
end
end
+ describe "when an alternate user identity is specified" do
+ before do
+ allow(provider).to receive(:shell_out!).and_return(nil)
+ end
+
+ context "when running on Windows" do
+ before do
+ allow(::Chef::Platform).to receive(:windows?).and_return(true)
+ end
+
+ context "when the username is specified" do
+ before do
+ new_resource.user('starchild')
+ end
+
+ context "when the domain is specified" do
+ before do
+ new_resource.domain('mydomain')
+ end
+
+ it "should raise an error if the password is not specified" do
+ expect(new_resource).to receive(:password).at_least(1).times.and_return(nil)
+ expect { provider.run_action(:run) }.to raise_error(ArgumentError)
+ end
+
+ it "should not raise an error if the password is specified" do
+ expect(new_resource).to receive(:password).at_least(1).times.and_return('we.funk!')
+ expect { provider.run_action(:run) }.not_to raise_error
+ end
+ end
+
+ context "when the domain is not specified" do
+ before do
+ expect(new_resource).to receive(:domain).at_least(1).times.and_return(nil)
+ end
+
+ it "should raise an error if the password is not specified" do
+ expect(new_resource).to receive(:password).at_least(1).times.and_return(nil)
+ expect { provider.run_action(:run) }.to raise_error(ArgumentError)
+ end
+
+ it "should not raise an error if the password is specified" do
+ expect(new_resource).to receive(:password).at_least(1).times.and_return('we.funk!')
+ expect { provider.run_action(:run) }.not_to raise_error
+
+ end
+ end
+ end
+
+ context "when the username is not specified" do
+ before do
+ expect(new_resource).to receive(:user).at_least(1).times.and_return(nil)
+ end
+
+ it "should raise an error if the password is specified" do
+ expect(new_resource).to receive(:password).at_least(1).times.and_return('we.funk!')
+ expect { provider.run_action(:run) }.to raise_error(ArgumentError)
+ end
+
+ it "should raise an error if the domain is specified" do
+ expect(new_resource).to receive(:domain).at_least(1).times.and_return('mothership')
+ expect { provider.run_action(:run) }.to raise_error(ArgumentError)
+ end
+
+ it "should raise an error if the domain and password are specified" do
+ expect(new_resource).to receive(:password).at_least(1).times.and_return('we.funk!')
+ expect(new_resource).to receive(:domain).at_least(1).times.and_return('mothership')
+ expect { provider.run_action(:run) }.to raise_error(ArgumentError)
+ end
+ end
+ end
+
+ context "when not running on Windows" do
+ before do
+ allow(::Chef::Platform).to receive(:windows?).and_return(false)
+ end
+
+ it "should not raise an error if the user is specified" do
+ new_resource.user('starchild')
+ end
+
+ it "should raise an error if the password is specified" do
+ expect(new_resource).to receive(:password).and_return('we.funk!')
+ expect { provider.run_action(:run) }.to raise_error(Chef::Exceptions::UnsupportedPlatform)
+ end
+
+ it "should raise an error if the domain is specified" do
+ expect(new_resource).to receive(:domain).and_return('we.funk!')
+ expect { provider.run_action(:run) }.to raise_error(Chef::Exceptions::UnsupportedPlatform)
+ end
+ end
+ end
end
end
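Review bot: The example `should not raise an error if the user is specified` in the "when not running on Windows" context only calls `new_resource.user('starchild')` and never runs the provider or asserts anything, so it passes whatever the provider does; add `expect { provider.run_action(:run) }.not_to raise_error` as its second line. Separately, `shell_out!` is stubbed with `and_return(nil)` for the whole describe, so the Windows "should not raise" examples would still pass if the user, domain or password were never forwarded to the command. An expectation on the arguments `shell_out!` receives would pin that, assuming the provider hands the credentials over there. In the last example the domain stub returns `'we.funk!'`, the password value used elsewhere, which looks like a copy-paste; `'mothership'` would match the other domain examples. The enclosing `describe Chef::Provider::Execute` block starts outside the hunk.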
diff --git a/spec/unit/provider/script_spec.rb b/spec/unit/provider/script_spec.rb
index 7e34a8f083..e7f09cf275 100644
--- a/spec/unit/provider/script_spec.rb
+++ b/spec/unit/provider/script_spec.rb
@@ -56,12 +56,55 @@ describe Chef::Provider::Script, "action_run" do
end
end
- context "#set_owner_and_group" do
- it "sets the owner and group for the script file" do
- new_resource.user "toor"
- new_resource.group "wheel"
- expect(FileUtils).to receive(:chown).with("toor", "wheel", tempfile.path)
- provider.set_owner_and_group
+ context "when configuring the script file's security" do
+ context 'when not running on Windows' do
+ before do
+ allow(::Chef::Platform).to receive(:windows?).and_return(false)
+ end
+ context "#set_owner_and_group" do
+ it "sets the owner and group for the script file" do
+ new_resource.user 'toor'
+ new_resource.group 'wheel'
+ expect(FileUtils).to receive(:chown).with('toor', 'wheel', tempfile.path)
+ provider.set_owner_and_group
+ end
+ end
+ end
+
+ context 'when running on Windows' do
+ before do
+ allow(::Chef::Platform).to receive(:windows?).and_return(true)
+ expect(new_resource.user).to eq(nil)
+ stub_const('Chef::ReservedNames::Win32::API::Security::GENERIC_READ', 1)
+ stub_const('Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE', 4)
+ stub_const('Chef::ReservedNames::Win32::Security', Class.new)
+ stub_const('Chef::ReservedNames::Win32::Security::SecurableObject', Class.new)
+ stub_const('Chef::ReservedNames::Win32::Security::SID', Class.new)
+ stub_const('Chef::ReservedNames::Win32::Security::ACE', Class.new)
+ stub_const('Chef::ReservedNames::Win32::Security::ACL', Class.new)
+ end
+
+ context "when an alternate user is not specified" do
+ it "does not attempt to set the script file's security descriptor" do
+ expect(provider).to receive(:grant_alternate_user_read_access)
+ expect(Chef::ReservedNames::Win32::Security::SecurableObject).not_to receive(:new)
+ provider.set_owner_and_group
+ end
+ end
+
+ context "when an alternate user is specified" do
+ let(:security_descriptor) { instance_double('Chef::ReservedNames::Win32::Security::SecurityDescriptor', :dacl => []) }
+ let(:securable_object) { instance_double('Chef::ReservedNames::Win32::Security::SecurableObject', :security_descriptor => security_descriptor, :dacl= => nil) }
+ it "sets the script file's security descriptor" do
+ new_resource.user('toor')
+ expect(Chef::ReservedNames::Win32::Security::SecurableObject).to receive(:new).and_return(securable_object)
+ expect(Chef::ReservedNames::Win32::Security::SID).to receive(:from_account).and_return(nil)
+ expect(Chef::ReservedNames::Win32::Security::ACE).to receive(:access_allowed).and_return(nil)
+ expect(Chef::ReservedNames::Win32::Security::ACL).to receive(:create).and_return(nil)
+ expect(securable_object).to receive(:dacl=)
+ provider.set_owner_and_group
+ end
+ end
end
end
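Review bot: The `sets the script file's security descriptor` example does not pin which account is granted access or with what rights: `SID.from_account`, `ACE.access_allowed` and `ACL.create` are expected without `.with(...)` and all return `nil`, so an ACE built for the wrong account, or with a broader mask than the stubbed `GENERIC_READ`/`GENERIC_EXECUTE`, would still pass. At minimum constrain the lookup with `expect(Chef::ReservedNames::Win32::Security::SID).to receive(:from_account).with('toor').and_return(sid)` (with `sid` a plain double) and check that `access_allowed` receives that `sid` together with the expected mask. In the "alternate user is not specified" example, `expect(provider).to receive(:grant_alternate_user_read_access)` replaces the method with a mock, so the following `not_to receive(:new)` presumably cannot fail through that path; adding `.and_call_original` would let the negative assertion exercise the real code. The `expect(new_resource.user).to eq(nil)` inside `before` is an assertion in setup and would read better as its own example. The enclosing `describe Chef::Provider::Script` block starts outside the hunk.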