1 files changed, 74 insertions, 4 deletions

diff --git a/spec/support/shared/functional/windows_script.rb b/spec/support/shared/functional/windows_script.rb
index 908198add4..8a9a19d4ad 100644
--- a/spec/support/shared/functional/windows_script.rb
+++ b/spec/support/shared/functional/windows_script.rb
@@ -46,10 +46,6 @@ shared_context Chef::Resource::WindowsScript do
     File.delete(script_output_path) if File.exists?(script_output_path)
   end
 
-  let!(:resource) do
-    Chef::Resource::WindowsScript::Batch.new("Batch resource functional test", @run_context)
-  end
-
   shared_examples_for "a script resource with architecture attribute" do
     context "with the given architecture attribute value" do
       let(:expected_architecture) do
@@ -125,6 +121,55 @@ shared_context Chef::Resource::WindowsScript do
   end
 
   shared_examples_for "a Windows script running on Windows" do
+    shared_examples_for "a script that cannot be accessed by other users if they are not administrators" do
+      include Chef::Mixin::ShellOut
+
+      let(:script_provider) { resource.provider_for_action(:run) }
+      let(:script_file) { script_provider.script_file }
+      let(:script_file_path) { script_file.to_path }
+
+      let(:read_access_denied_command) { "::File.read('#{script_file_path}')" }
+      let(:modify_access_denied_command) { "::File.write('#{script_file_path}', 'stuff')" }
+      let(:delete_access_denied_command) { "::File.delete('#{script_file_path}')" }
+      let(:access_denied_sentinel) { 7334 }
+      let(:access_allowed_sentinel) { 1586 }
+      let(:access_command_invalid) { 0 }
+
+      let(:ruby_interpreter_path) { RbConfig.ruby }
+      let(:ruby_command_template) { "require 'FileUtils';status = 0;begin; #{ruby_access_command};rescue Exception => e; puts e; status = e.class == Errno::EACCES ? #{access_denied_sentinel} : #{access_allowed_sentinel};end;exit status" }
+      let(:command_template) { "set BUNDLE_GEMFILE=&#{ruby_interpreter_path} -e \"#{ruby_command_template}\"" }
+      let(:access_command) { command_template }
+
+      before do
+        expect(script_provider).to receive(:unlink_script_file)
+        resource.code("echo hi")
+        script_provider.action_run
+      end
+
+      after do
+        script_file.close! if script_file
+        ::File.delete(script_file.to_path) if script_file && ::File.exists?(script_file.to_path)
+      end
+
+      include_context "alternate user identity"
+
+      shared_examples_for "a script whose file system location cannot be accessed by other non-admin users" do
+        let(:ruby_access_command) { file_access_command }
+        it "generates a script in the local file system that prevents read access to other non-admin users" do
+          shell_out!(access_command, { user: windows_nonadmin_user, password: windows_nonadmin_user_password, returns: [access_denied_sentinel] })
+        end
+      end
+
+      context "when a different non-admin user attempts write (modify) to access the script" do
+        let(:file_access_command) { modify_access_denied_command }
+        it_behaves_like "a script whose file system location cannot be accessed by other non-admin users"
+      end
+
+      context "when a different non-admin user attempts write (delete) to access the script" do
+        let(:file_access_command) { delete_access_denied_command }
+        it_behaves_like "a script whose file system location cannot be accessed by other non-admin users"
+      end
+    end
 
     describe "when the run action is invoked on Windows" do
       it "executes the script code" do
@@ -132,6 +177,21 @@ shared_context Chef::Resource::WindowsScript do
         resource.returns(0)
         resource.run_action(:run)
       end
+
+      context "the script is executed with the identity of the current user" do
+        it_behaves_like "a script that cannot be accessed by other users if they are not administrators"
+      end
+
+      context "the script is executed with an alternate non-admin identity" do
+        include_context "alternate user identity"
+
+        before do
+          resource.user(windows_alternate_user)
+          resource.password(windows_alternate_user_password)
+        end
+
+        it_behaves_like "a script that cannot be accessed by other users if they are not administrators"
+      end
     end
 
     context "when $env:TMP has a space" do
@@ -165,6 +225,11 @@ shared_context Chef::Resource::WindowsScript do
         expect(resource.class).to receive(:new).and_call_original
         expect(resource.should_skip?(:run)).to be_falsey
       end
+
+      context "when this resource is used as a guard and it is specified with an alternate user identity" do
+        let(:guard_interpreter_resource) { resource.resource_name }
+        it_behaves_like "a resource with a guard specifying an alternate user identity"
+      end
     end
 
     context "when the architecture attribute is not set" do
@@ -181,6 +246,11 @@ shared_context Chef::Resource::WindowsScript do
       let(:resource_architecture) { :x86_64 }
       it_behaves_like "a script resource with architecture attribute"
     end
+
+    describe "when running with an alternate user identity" do
+      let(:resource_command_property) { :code }
+      it_behaves_like "an execute resource that supports alternate user identity"
+    end
   end
 
   def get_windows_script_output(suffix = "")