1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
#
# Author:: Serdar Sutay (<serdar@opscode.com>)
# Copyright:: Copyright (c) 2012 Opscode, Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require 'spec_helper'
if Chef::Platform.windows?
require 'chef/win32/security'
end
describe 'Chef::Win32::Security', :windows_only do
it "has_admin_privileges? returns true when running as admin" do
expect(Chef::ReservedNames::Win32::Security.has_admin_privileges?).to eq(true)
end
# We've done some investigation adding a negative test and it turned
# out to be a lot of work since mixlib-shellout doesn't have user
# support for windows.
#
# TODO - Add negative tests once mixlib-shellout has user support
it "has_admin_privileges? returns false when running as non-admin" do
skip "requires user support in mixlib-shellout"
end
describe 'get_file_security' do
it 'should return a security descriptor when called with a path that exists' do
security_descriptor = Chef::ReservedNames::Win32::Security.get_file_security(
"C:\\Program Files")
# Make sure the security descriptor works
expect(security_descriptor.dacl_present?).to be true
end
end
describe 'access_check' do
let(:security_descriptor) {
Chef::ReservedNames::Win32::Security.get_file_security(
"C:\\Program Files")
}
let(:token_rights) { Chef::ReservedNames::Win32::Security::TOKEN_ALL_ACCESS }
let(:token) {
Chef::ReservedNames::Win32::Security.open_process_token(
Chef::ReservedNames::Win32::Process.get_current_process,
token_rights).duplicate_token(:SecurityImpersonation)
}
let(:mapping) {
mapping = Chef::ReservedNames::Win32::Security::GENERIC_MAPPING.new
mapping[:GenericRead] = Chef::ReservedNames::Win32::Security::FILE_GENERIC_READ
mapping[:GenericWrite] = Chef::ReservedNames::Win32::Security::FILE_GENERIC_WRITE
mapping[:GenericExecute] = Chef::ReservedNames::Win32::Security::FILE_GENERIC_EXECUTE
mapping[:GenericAll] = Chef::ReservedNames::Win32::Security::FILE_ALL_ACCESS
mapping
}
let(:desired_access) { Chef::ReservedNames::Win32::Security::FILE_GENERIC_READ }
it 'should check if the provided token has the desired access' do
expect(Chef::ReservedNames::Win32::Security.access_check(security_descriptor,
token, desired_access, mapping)).to be true
end
end
describe 'Chef::Win32::Security::Token' do
let(:token) {
Chef::ReservedNames::Win32::Security.open_process_token(
Chef::ReservedNames::Win32::Process.get_current_process,
token_rights)
}
context 'with all rights' do
let(:token_rights) { Chef::ReservedNames::Win32::Security::TOKEN_ALL_ACCESS }
it 'can duplicate a token' do
expect{ token.duplicate_token(:SecurityImpersonation) }.not_to raise_error
end
end
context 'with read only rights' do
let(:token_rights) { Chef::ReservedNames::Win32::Security::TOKEN_READ }
it 'raises an exception when trying to duplicate' do
expect{ token.duplicate_token(:SecurityImpersonation) }.to raise_error(Chef::Exceptions::Win32APIError)
end
end
end
end
|