spec/support/shared/functional/execute_resource.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

#
# Author:: Adam Edwards (<adamed@chef.io>)
# Copyright:: Copyright (c) 2015 Chef Software, Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

shared_context "a non-admin Windows user" do
  include Chef::Mixin::ShellOut

  let(:windows_nonadmin_user_domain) { ENV["COMPUTERNAME"] }
  let(:windows_nonadmin_user_qualified) { "#{windows_nonadmin_user_domain}\\#{windows_nonadmin_user}" }
  let(:temp_profile_path) { "#{ENV["USERPROFILE"]}\\..\\cheftesttempuser" }
  before do
    shell_out!("net.exe user /delete #{windows_nonadmin_user}", returns: [0, 2])

    # Supply a profile path when creating a user to avoid an apparent Windows bug where deleting
    # the user actually creates the profile when it did not immediately exist before executing
    # net user /delete! For some reason, specifying an explicit path ensures that the path
    # profile doesn't get created at deletion.
    shell_out!("net.exe user /add #{windows_nonadmin_user} \"#{windows_nonadmin_user_password}\" /profilepath:#{temp_profile_path}")
  end

  after do
    shell_out!("net.exe user /delete #{windows_nonadmin_user}", returns: [0, 2])
  end
end

shared_context "alternate user identity" do
  let(:windows_alternate_user) { "chef%02d%02d%02d" % [Time.now.year % 100, Time.now.month, Time.now.day] }
  let(:windows_alternate_user_password) { "lj28;fx3T!x,2" }
  let(:windows_alternate_user_qualified) { "#{ENV["COMPUTERNAME"]}\\#{windows_alternate_user}" }

  let(:windows_nonadmin_user) { windows_alternate_user }
  let(:windows_nonadmin_user_password) { windows_alternate_user_password }

  include_context "a non-admin Windows user"
end

shared_context "a command that can be executed as an alternate user" do
  include_context "alternate user identity"

  let(:script_output_dir) { Dir.mktmpdir }
  let(:script_output_path) { File.join(script_output_dir, make_tmpname("chef_execute_identity_test")) }
  let(:script_output) { File.read(script_output_path) }

  include Chef::Mixin::ShellOut

  before do
    shell_out!("icacls \"#{script_output_dir.gsub(%r{/}, '\\')}\" /grant \"authenticated users:(F)\"")
  end

  after do
    File.delete(script_output_path) if File.exists?(script_output_path)
    Dir.rmdir(script_output_dir) if Dir.exist?(script_output_dir)
  end
end

shared_examples_for "an execute resource that supports alternate user identity" do
  context "when running on Windows", :windows_only, :windows_service_requires_assign_token do

    include_context "a command that can be executed as an alternate user"

    let(:windows_current_user) { ENV["USERNAME"] }
    let(:windows_current_user_qualified) { "#{ENV["USERDOMAIN"] || ENV["COMPUTERNAME"]}\\#{windows_current_user}" }
    let(:resource_identity_command) { "powershell.exe -noprofile -command \"import-module microsoft.powershell.utility;([Security.Principal.WindowsPrincipal]([Security.Principal.WindowsIdentity]::GetCurrent())).identity.name | out-file -encoding ASCII '#{script_output_path}'\"" }

    let(:execute_resource) do
      resource.user(windows_alternate_user)
      resource.password(windows_alternate_user_password)
      resource.send(resource_command_property, resource_identity_command)
      resource
    end

    it "executes the process as an alternate user" do
      expect(windows_current_user.length).to be > 0
      expect { execute_resource.run_action(:run) }.not_to raise_error
      expect(script_output.chomp.length).to be > 0
      expect(script_output.chomp.downcase).to eq(windows_alternate_user_qualified.downcase)
      expect(script_output.chomp.downcase).not_to eq(windows_current_user.downcase)
      expect(script_output.chomp.downcase).not_to eq(windows_current_user_qualified.downcase)
    end

    let(:windows_alternate_user_password_invalid) { "#{windows_alternate_user_password}x" }

    it "raises an exception if the user's password is invalid" do
      execute_resource.password(windows_alternate_user_password_invalid)
      expect { execute_resource.run_action(:run) }.to raise_error(SystemCallError)
    end
  end
end

shared_examples_for "a resource with a guard specifying an alternate user identity" do
  context "when running on Windows", :windows_only, :windows_service_requires_assign_token do
    include_context "alternate user identity"

    let(:resource_command_property) { :command }

    let(:powershell_equal_to_alternate_user) { "-eq" }
    let(:powershell_not_equal_to_alternate_user) { "-ne" }
    let(:guard_identity_command) { "powershell.exe -noprofile -command \"import-module microsoft.powershell.utility;exit @(392,0)[[int32](([Security.Principal.WindowsPrincipal]([Security.Principal.WindowsIdentity]::GetCurrent())).Identity.Name #{comparison_to_alternate_user} '#{windows_alternate_user_qualified}')]\"" }

    before do
      resource.guard_interpreter(guard_interpreter_resource)
    end

    context "when the guard expression is true if the user is alternate and false otherwise" do
      let(:comparison_to_alternate_user) { powershell_equal_to_alternate_user }

      it "causes the resource to be updated for only_if" do
        resource.only_if(guard_identity_command, { user: windows_alternate_user, password: windows_alternate_user_password })
        resource.run_action(:run)
        expect(resource).to be_updated_by_last_action
      end

      it "causes the resource to not be updated for not_if" do
        resource.not_if(guard_identity_command, { user: windows_alternate_user, password: windows_alternate_user_password })
        resource.run_action(:run)
        expect(resource).not_to be_updated_by_last_action
      end
    end

    context "when the guard expression is false if the user is alternate and true otherwise" do
      let(:comparison_to_alternate_user) { powershell_not_equal_to_alternate_user }

      it "causes the resource not to be updated for only_if" do
        resource.only_if(guard_identity_command, { user: windows_alternate_user, password: windows_alternate_user_password })
        resource.run_action(:run)
        expect(resource).not_to be_updated_by_last_action
      end

      it "causes the resource to be updated for not_if" do
        resource.not_if(guard_identity_command, { user: windows_alternate_user, password: windows_alternate_user_password })
        resource.run_action(:run)
        expect(resource).to be_updated_by_last_action
      end
    end
  end
end