spec/functional/win32/security_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126

#
# Author:: Serdar Sutay (<serdar@chef.io>)
# Copyright:: Copyright 2012-2016, Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

require "spec_helper"
require "mixlib/shellout"
require "chef/mixin/user_context"
if Chef::Platform.windows?
  require "chef/win32/security"
end

describe "Chef::Win32::Security", :windows_only do
  it "has_admin_privileges? returns true when running as admin" do
    expect(Chef::ReservedNames::Win32::Security.has_admin_privileges?).to eq(true)
  end

  describe "running as non admin user" do
    include Chef::Mixin::UserContext
    let(:user) { "security_user" }
    let(:password) { "Security@123" }

    let(:domain) do
      whoami = Mixlib::ShellOut.new("whoami")
      whoami.run_command
      whoami.error!
      whoami.stdout.split("\\")[0]
    end
    before do
      allow_any_instance_of(Chef::Mixin::UserContext).to receive(:node).and_return({ "platform_family" => "windows" })
      allow(Chef::Platform).to receive(:windows_server_2003?).and_return(false)
      allow(Chef::ReservedNames::Win32::Security).to receive(:OpenProcessToken).and_return(true)
      add_user = Mixlib::ShellOut.new("net user #{user} #{password} /ADD")
      add_user.run_command
      add_user.error!
    end

    after do
      delete_user = Mixlib::ShellOut.new("net user #{user} /delete")
      delete_user.run_command
      delete_user.error!
    end
    it "has_admin_privileges? returns false" do
      has_admin_privileges = with_user_context(user, password, domain) do
        Chef::ReservedNames::Win32::Security.has_admin_privileges?
      end
      expect(has_admin_privileges).to eq(false)
    end
  end

  describe "get_file_security" do
    it "should return a security descriptor when called with a path that exists" do
      security_descriptor = Chef::ReservedNames::Win32::Security.get_file_security(
        "C:\\Program Files")
      # Make sure the security descriptor works
      expect(security_descriptor.dacl_present?).to be true
    end
  end

  describe "access_check" do
    let(:security_descriptor) do
      Chef::ReservedNames::Win32::Security.get_file_security(
        "C:\\Program Files")
    end

    let(:token_rights) { Chef::ReservedNames::Win32::Security::TOKEN_ALL_ACCESS }

    let(:token) do
      Chef::ReservedNames::Win32::Security.open_process_token(
        Chef::ReservedNames::Win32::Process.get_current_process,
        token_rights).duplicate_token(:SecurityImpersonation)
    end

    let(:mapping) do
      mapping = Chef::ReservedNames::Win32::Security::GENERIC_MAPPING.new
      mapping[:GenericRead] = Chef::ReservedNames::Win32::Security::FILE_GENERIC_READ
      mapping[:GenericWrite] = Chef::ReservedNames::Win32::Security::FILE_GENERIC_WRITE
      mapping[:GenericExecute] = Chef::ReservedNames::Win32::Security::FILE_GENERIC_EXECUTE
      mapping[:GenericAll] = Chef::ReservedNames::Win32::Security::FILE_ALL_ACCESS
      mapping
    end

    let(:desired_access) { Chef::ReservedNames::Win32::Security::FILE_GENERIC_READ }

    it "should check if the provided token has the desired access" do
      expect(Chef::ReservedNames::Win32::Security.access_check(security_descriptor,
                     token, desired_access, mapping)).to be true
    end
  end

  describe "Chef::Win32::Security::Token" do
    let(:token) do
      Chef::ReservedNames::Win32::Security.open_process_token(
        Chef::ReservedNames::Win32::Process.get_current_process,
        token_rights)
    end
    context "with all rights" do
      let(:token_rights) { Chef::ReservedNames::Win32::Security::TOKEN_ALL_ACCESS }

      it "can duplicate a token" do
        expect { token.duplicate_token(:SecurityImpersonation) }.not_to raise_error
      end
    end

    context "with read only rights" do
      let(:token_rights) { Chef::ReservedNames::Win32::Security::TOKEN_READ }

      it "raises an exception when trying to duplicate" do
        expect { token.duplicate_token(:SecurityImpersonation) }.to raise_error(Chef::Exceptions::Win32APIError)
      end
    end
  end
end