diff options
author | Tim Smith <tsmith@chef.io> | 2020-02-26 13:02:34 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-02-26 13:02:34 -0800 |
commit | df927bec7d28bb72f0a7e65cbafa6455b280a4c3 (patch) | |
tree | 87c1597848312a92c502e273feb5993c8b848572 /spec | |
parent | 4703a934ddfd4af48ecd3dbb1e6253fd5b74f179 (diff) | |
parent | 11a63c5b61ca1d703b368ddc1caecd7f16fc7e9c (diff) | |
download | chef-df927bec7d28bb72f0a7e65cbafa6455b280a4c3.tar.gz |
Merge pull request #9279 from MsysTechnologiesllc/vasundhara/MSYS-1230_Windows_user_privilege_resource
Migrating windows_user_privilege resource from windows cookbook
Diffstat (limited to 'spec')
-rw-r--r-- | spec/functional/resource/windows_user_privilege_spec.rb | 193 | ||||
-rw-r--r-- | spec/functional/win32/security_spec.rb | 22 |
2 files changed, 215 insertions, 0 deletions
diff --git a/spec/functional/resource/windows_user_privilege_spec.rb b/spec/functional/resource/windows_user_privilege_spec.rb new file mode 100644 index 0000000000..6dca54016a --- /dev/null +++ b/spec/functional/resource/windows_user_privilege_spec.rb @@ -0,0 +1,193 @@ +# +# Author:: Vasundhara Jagdale (<vasundhara.jagdale@chef.io>) +# Copyright 2008-2020, Chef Software, Inc. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +require_relative "../../spec_helper" +require_relative "../../functional/resource/base" + +describe Chef::Resource::WindowsUserPrivilege, :windows_only do + let(:principal) { nil } + let(:privilege) { nil } + let(:users) { nil } + let(:sensitive) { true } + + let(:windows_test_run_context) do + node = Chef::Node.new + node.consume_external_attrs(OHAI_SYSTEM.data, {}) # node[:languages][:powershell][:version] + node.automatic["os"] = "windows" + node.automatic["platform"] = "windows" + node.automatic["platform_version"] = "6.1" + node.automatic["kernel"][:machine] = :x86_64 # Only 64-bit architecture is supported + empty_events = Chef::EventDispatch::Dispatcher.new + Chef::RunContext.new(node, {}, empty_events) + end + + subject do + new_resource = Chef::Resource::WindowsUserPrivilege.new(principal, windows_test_run_context) + new_resource.privilege = privilege + new_resource.principal = principal + new_resource.users = users + new_resource + end + + describe "#add privilege" do + after { subject.run_action(:remove) } + + context "when privilege is passed as string" do + let(:principal) { "Administrator" } + let(:privilege) { "SeCreateSymbolicLinkPrivilege" } + + it "adds user to privilege" do + # Removing so that add update happens + subject.run_action(:remove) + subject.run_action(:add) + expect(subject).to be_updated_by_last_action + end + + it "is idempotent" do + subject.run_action(:add) + subject.run_action(:add) + expect(subject).not_to be_updated_by_last_action + end + end + + context "when privilege is passed as array" do + let(:principal) { "Administrator" } + let(:privilege) { %w{SeCreateSymbolicLinkPrivilege SeCreatePagefilePrivilege} } + + it "adds user to privilege" do + subject.run_action(:add) + expect(subject).to be_updated_by_last_action + end + + it "is idempotent" do + subject.run_action(:add) + subject.run_action(:add) + expect(subject).not_to be_updated_by_last_action + end + end + end + + describe "#set privilege" do + after { remove_user_privilege("Administrator", subject.privilege) } + + let(:principal) { "user_privilege" } + let(:users) { %w{Administrators Administrator} } + let(:privilege) { %w{SeCreateSymbolicLinkPrivilege} } + + it "sets user to privilege" do + subject.action(:set) + subject.run_action(:set) + expect(subject).to be_updated_by_last_action + end + + it "is idempotent" do + subject.action(:set) + subject.run_action(:set) + subject.run_action(:set) + expect(subject).not_to be_updated_by_last_action + end + + it "raise error if users not provided" do + subject.users = nil + subject.action(:set) + expect { subject.run_action(:set) }.to raise_error(Chef::Exceptions::ValidationFailed) + end + end + + describe "#remove privilege" do + let(:principal) { "Administrator" } + context "when privilege is passed as array" do + let(:privilege) { "SeCreateSymbolicLinkPrivilege" } + it "remove user from privilege" do + subject.run_action(:add) + subject.run_action(:remove) + expect(subject).to be_updated_by_last_action + end + + it "is idempotent" do + subject.run_action(:add) + subject.run_action(:remove) + subject.run_action(:remove) + expect(subject).not_to be_updated_by_last_action + end + end + + context "when privilege is passed as array" do + let(:privilege) { %w{SeCreateSymbolicLinkPrivilege SeCreatePagefilePrivilege} } + it "remove user from privilege" do + subject.run_action(:add) + subject.run_action(:remove) + expect(subject).to be_updated_by_last_action + end + + it "is idempotent" do + subject.run_action(:add) + subject.run_action(:remove) + subject.run_action(:remove) + expect(subject).not_to be_updated_by_last_action + end + end + end + + describe "running with non admin user" do + include Chef::Mixin::UserContext + + let(:user) { "security_user" } + let(:password) { "Security@123" } + let(:principal) { "user_privilege" } + let(:users) { ["Administrators", "#{domain}\\security_user"] } + let(:privilege) { %w{SeCreateSymbolicLinkPrivilege} } + + let(:domain) do + ENV["COMPUTERNAME"] + end + + before do + allow_any_instance_of(Chef::Mixin::UserContext).to receive(:node).and_return({ "platform_family" => "windows" }) + add_user = Mixlib::ShellOut.new("net user #{user} #{password} /ADD") + add_user.run_command + add_user.error! + end + + after do + remove_user_privilege("#{domain}\\#{user}", subject.privilege) + delete_user = Mixlib::ShellOut.new("net user #{user} /delete") + delete_user.run_command + delete_user.error! + end + + it "sets user to privilege" do + subject.action(:set) + subject.run_action(:set) + expect(subject).to be_updated_by_last_action + end + + it "is idempotent" do + subject.action(:set) + subject.run_action(:set) + subject.run_action(:set) + expect(subject).not_to be_updated_by_last_action + end + end + + def remove_user_privilege(user, privilege) + subject.action(:remove) + subject.principal = user + subject.privilege = privilege + subject.run_action(:remove) + end +end diff --git a/spec/functional/win32/security_spec.rb b/spec/functional/win32/security_spec.rb index 3eb7bedd48..c01e9be9a3 100644 --- a/spec/functional/win32/security_spec.rb +++ b/spec/functional/win32/security_spec.rb @@ -199,6 +199,28 @@ describe "Chef::Win32::Security", :windows_only do end end + describe ".get_account_with_user_rights" do + let(:domain) { ENV["COMPUTERNAME"] } + let(:username) { ENV["USERNAME"] } + + context "when given a valid user right" do + it "gets all accounts associated with given user right" do + Chef::ReservedNames::Win32::Security.add_account_right(username, "SeBatchLogonRight") + expect(Chef::ReservedNames::Win32::Security.get_account_with_user_rights("SeBatchLogonRight").flatten).to include("#{domain}\\#{username}") + Chef::ReservedNames::Win32::Security.remove_account_right(username, "SeBatchLogonRight") + expect(Chef::ReservedNames::Win32::Security.get_account_with_user_rights("SeBatchLogonRight").flatten).not_to include("#{domain}\\#{username}") + end + end + + context "when given an invalid user right" do + let(:user_right) { "SeTest" } + + it "returns empty array" do + expect(Chef::ReservedNames::Win32::Security.get_account_with_user_rights(user_right)).to be_empty + end + end + end + describe ".test_and_raise_lsa_nt_status" do # NTSTATUS code: 0xC0000001 / STATUS_UNSUCCESSFUL # Windows Error: ERROR_GEN_FAILURE / 31 / 0x1F / A device attached to the system is not functioning. |