1 files changed, 49 insertions, 6 deletions

diff --git a/spec/unit/provider/script_spec.rb b/spec/unit/provider/script_spec.rb
index 7e34a8f083..2f024c4c29 100644
--- a/spec/unit/provider/script_spec.rb
+++ b/spec/unit/provider/script_spec.rb
@@ -56,12 +56,55 @@ describe Chef::Provider::Script, "action_run" do
     end
   end
 
-  context "#set_owner_and_group" do
-    it "sets the owner and group for the script file" do
-      new_resource.user "toor"
-      new_resource.group "wheel"
-      expect(FileUtils).to receive(:chown).with("toor", "wheel", tempfile.path)
-      provider.set_owner_and_group
+  context "when configuring the script file's security" do
+    context "when not running on Windows" do
+      before do
+        allow(::Chef::Platform).to receive(:windows?).and_return(false)
+      end
+      context "#set_owner_and_group" do
+        it "sets the owner and group for the script file" do
+          new_resource.user "toor"
+          new_resource.group "wheel"
+          expect(FileUtils).to receive(:chown).with("toor", "wheel", tempfile.path)
+          provider.set_owner_and_group
+        end
+      end
+    end
+
+    context "when running on Windows" do
+      before do
+        allow(::Chef::Platform).to receive(:windows?).and_return(true)
+        expect(new_resource.user).to eq(nil)
+        stub_const("Chef::ReservedNames::Win32::API::Security::GENERIC_READ", 1)
+        stub_const("Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE", 4)
+        stub_const("Chef::ReservedNames::Win32::Security", Class.new)
+        stub_const("Chef::ReservedNames::Win32::Security::SecurableObject", Class.new)
+        stub_const("Chef::ReservedNames::Win32::Security::SID", Class.new)
+        stub_const("Chef::ReservedNames::Win32::Security::ACE", Class.new)
+        stub_const("Chef::ReservedNames::Win32::Security::ACL", Class.new)
+      end
+
+      context "when an alternate user is not specified" do
+        it "does not attempt to set the script file's security descriptor" do
+          expect(provider).to receive(:grant_alternate_user_read_access)
+          expect(Chef::ReservedNames::Win32::Security::SecurableObject).not_to receive(:new)
+          provider.set_owner_and_group
+        end
+      end
+
+      context "when an alternate user is specified" do
+        let(:security_descriptor) { instance_double("Chef::ReservedNames::Win32::Security::SecurityDescriptor", :dacl => []) }
+        let(:securable_object) { instance_double("Chef::ReservedNames::Win32::Security::SecurableObject", :security_descriptor => security_descriptor, :dacl= => nil) }
+        it "sets the script file's security descriptor" do
+          new_resource.user("toor")
+          expect(Chef::ReservedNames::Win32::Security::SecurableObject).to receive(:new).and_return(securable_object)
+          expect(Chef::ReservedNames::Win32::Security::SID).to receive(:from_account).and_return(nil)
+          expect(Chef::ReservedNames::Win32::Security::ACE).to receive(:access_allowed).and_return(nil)
+          expect(Chef::ReservedNames::Win32::Security::ACL).to receive(:create).and_return(nil)
+          expect(securable_object).to receive(:dacl=)
+          provider.set_owner_and_group
+        end
+      end
     end
   end