1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
#
# Author:: Serdar Sutay (<serdar@opscode.com>)
# Copyright:: Copyright (c) 2012 Opscode, Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require "spec_helper"
if Chef::Platform.windows?
require "chef/win32/security"
end
describe "Chef::Win32::Security", :windows_only do
it "has_admin_privileges? returns true when running as admin" do
expect(Chef::ReservedNames::Win32::Security.has_admin_privileges?).to eq(true)
end
# We've done some investigation adding a negative test and it turned
# out to be a lot of work since mixlib-shellout doesn't have user
# support for windows.
#
# TODO - Add negative tests once mixlib-shellout has user support
it "has_admin_privileges? returns false when running as non-admin" do
skip "requires user support in mixlib-shellout"
end
describe "get_file_security" do
it "should return a security descriptor when called with a path that exists" do
security_descriptor = Chef::ReservedNames::Win32::Security.get_file_security(
"C:\\Program Files")
# Make sure the security descriptor works
expect(security_descriptor.dacl_present?).to be true
end
end
describe "access_check" do
let(:security_descriptor) {
Chef::ReservedNames::Win32::Security.get_file_security(
"C:\\Program Files")
}
let(:token_rights) { Chef::ReservedNames::Win32::Security::TOKEN_ALL_ACCESS }
let(:token) {
Chef::ReservedNames::Win32::Security.open_process_token(
Chef::ReservedNames::Win32::Process.get_current_process,
token_rights).duplicate_token(:SecurityImpersonation)
}
let(:mapping) {
mapping = Chef::ReservedNames::Win32::Security::GENERIC_MAPPING.new
mapping[:GenericRead] = Chef::ReservedNames::Win32::Security::FILE_GENERIC_READ
mapping[:GenericWrite] = Chef::ReservedNames::Win32::Security::FILE_GENERIC_WRITE
mapping[:GenericExecute] = Chef::ReservedNames::Win32::Security::FILE_GENERIC_EXECUTE
mapping[:GenericAll] = Chef::ReservedNames::Win32::Security::FILE_ALL_ACCESS
mapping
}
let(:desired_access) { Chef::ReservedNames::Win32::Security::FILE_GENERIC_READ }
it "should check if the provided token has the desired access" do
expect(Chef::ReservedNames::Win32::Security.access_check(security_descriptor,
token, desired_access, mapping)).to be true
end
end
describe "Chef::Win32::Security::Token" do
let(:token) {
Chef::ReservedNames::Win32::Security.open_process_token(
Chef::ReservedNames::Win32::Process.get_current_process,
token_rights)
}
context "with all rights" do
let(:token_rights) { Chef::ReservedNames::Win32::Security::TOKEN_ALL_ACCESS }
it "can duplicate a token" do
expect{ token.duplicate_token(:SecurityImpersonation) }.not_to raise_error
end
end
context "with read only rights" do
let(:token_rights) { Chef::ReservedNames::Win32::Security::TOKEN_READ }
it "raises an exception when trying to duplicate" do
expect{ token.duplicate_token(:SecurityImpersonation) }.to raise_error(Chef::Exceptions::Win32APIError)
end
end
end
end
|
