Diffstat (limited to 'spec/integration/util/windows/security_spec.rb')
-rwxr-xr-xspec/integration/util/windows/security_spec.rb71
1 files changed, 36 insertions, 35 deletions
diff --git a/spec/integration/util/windows/security_spec.rb b/spec/integration/util/windows/security_spec.rb
index fa0eadc0d..7f7aa7cb6 100755
--- a/spec/integration/util/windows/security_spec.rb
+++ b/spec/integration/util/windows/security_spec.rb
@@ -1,8 +1,6 @@
#!/usr/bin/env ruby
require 'spec_helper'
-require 'puppet/util/adsi'
-
if Puppet.features.microsoft_windows?
class WindowsSecurityTester
require 'puppet/util/windows/security'
@@ -15,11 +13,11 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
before :all do
@sids = {
- :current_user => Puppet::Util::Windows::Security.name_to_sid(Sys::Admin.get_login),
+ :current_user => Puppet::Util::Windows::SID.name_to_sid(Puppet::Util::Windows::ADSI::User.current_user_name),
:system => Win32::Security::SID::LocalSystem,
- :admin => Puppet::Util::Windows::Security.name_to_sid("Administrator"),
+ :admin => Puppet::Util::Windows::SID.name_to_sid("Administrator"),
:administrators => Win32::Security::SID::BuiltinAdministrators,
- :guest => Puppet::Util::Windows::Security.name_to_sid("Guest"),
+ :guest => Puppet::Util::Windows::SID.name_to_sid("Guest"),
:users => Win32::Security::SID::BuiltinUsers,
:power_users => Win32::Security::SID::PowerUsers,
:none => Win32::Security::SID::Nobody,
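Review bot: The `:admin` and `:guest` entries are resolved from the display names "Administrator" and "Guest", which can be renamed by policy or differ on localized installs, and nothing checks that the lookup succeeded. If `Puppet::Util::Windows::SID.name_to_sid` returns nil for an unknown name (its implementation is not visible here), the hash silently holds nil and every later `sids[:guest]` ACE call fails far from the cause. Add a guard after the hash is built, e.g. `@sids.each { |name, sid| raise "could not resolve SID for #{name}" if sid.nil? }`, so a renamed built-in account fails the suite with a readable message. The `@sids` literal continues past the hunk.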
@@ -31,11 +29,12 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
# (like \\localhost) to fail with unhelpful error messages.
# Put a check for this upfront to aid debug should this strike again.
service = Puppet::Type.type(:service).new(:name => 'lmhosts')
- service.provider.status.should == :running
+ expect(service.provider.status).to eq(:running), 'lmhosts service is not running'
end
let (:sids) { @sids }
let (:winsec) { WindowsSecurityTester.new }
+ let (:klass) { Puppet::Util::Windows::File }
def set_group_depending_on_current_user(path)
if sids[:current_user] == sids[:system]
@@ -53,8 +52,8 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
def grant_everyone_full_access(path)
sd = winsec.get_security_descriptor(path)
everyone = 'S-1-1-0'
- inherit = WindowsSecurityTester::OBJECT_INHERIT_ACE | WindowsSecurityTester::CONTAINER_INHERIT_ACE
- sd.dacl.allow(everyone, Windows::File::FILE_ALL_ACCESS, inherit)
+ inherit = Puppet::Util::Windows::AccessControlEntry::OBJECT_INHERIT_ACE | Puppet::Util::Windows::AccessControlEntry::CONTAINER_INHERIT_ACE
+ sd.dacl.allow(everyone, klass::FILE_ALL_ACCESS, inherit)
winsec.set_security_descriptor(path, sd)
end
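Review bot: `everyone = 'S-1-1-0'` stays hard-coded in `grant_everyone_full_access` while the rest of the file reaches trustees through the `sids` hash (`sids[:everyone]` is used in a later hunk), so the same well-known SID now has two sources of truth. Since the helper is already being rewritten to use `klass::FILE_ALL_ACCESS`, make it `sd.dacl.allow(sids[:everyone], klass::FILE_ALL_ACCESS, inherit)` and drop the local. A one-line comment would also help readers see this is deliberately permissive: `# Test fixture: grants Everyone full control, inherited by child objects.`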
@@ -178,7 +177,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
# when running under SYSTEM account, multiple ACEs come back
# so we only care that we have at least one of these
system_aces.any? do |ace|
- ace.mask == Windows::File::FILE_ALL_ACCESS
+ ace.mask == klass::FILE_ALL_ACCESS
end.should be_true
# changing the owner/group will no longer make the SD protected
@@ -186,7 +185,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
winsec.set_owner(sids[:administrators], path)
system_aces.find do |ace|
- ace.mask == Windows::File::FILE_ALL_ACCESS && ace.inherited?
+ ace.mask == klass::FILE_ALL_ACCESS && ace.inherited?
end.should_not be_nil
end
@@ -227,7 +226,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
# when running under SYSTEM account, multiple ACEs come back
# so we only care that we have at least one of these
system_aces.any? do |ace|
- ace.mask == WindowsSecurityTester::FILE_ALL_ACCESS
+ ace.mask == klass::FILE_ALL_ACCESS
end.should be_true
# changing the mode will make the SD protected
@@ -237,7 +236,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
# and should have a non-inherited SYSTEM ACE(s)
system_aces = winsec.get_aces_for_path_by_sid(path, sids[:system])
system_aces.each do |ace|
- ace.mask.should == Windows::File::FILE_ALL_ACCESS && ! ace.inherited?
+ ace.mask.should == klass::FILE_ALL_ACCESS && ! ace.inherited?
end
end
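Review bot: The rewritten assertion inside `system_aces.each` still never checks inheritance: `==` binds tighter than `&&`, so the line parses as `(ace.mask.should == klass::FILE_ALL_ACCESS) && !ace.inherited?`, and the right operand is evaluated but its result is discarded. The comment above says the SYSTEM ACEs must be non-inherited once the SD is protected, so a regression where they are inherited would pass here. Split it into two assertions: `ace.mask.should == klass::FILE_ALL_ACCESS` followed by `ace.inherited?.should be_false`.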
@@ -259,25 +258,25 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
before :each do
winsec.set_group(sids[:none], path)
winsec.set_mode(0600, path)
- winsec.add_attributes(path, WindowsSecurityTester::FILE_ATTRIBUTE_READONLY)
- (winsec.get_attributes(path) & WindowsSecurityTester::FILE_ATTRIBUTE_READONLY).should be_nonzero
+ Puppet::Util::Windows::File.add_attributes(path, klass::FILE_ATTRIBUTE_READONLY)
+ (Puppet::Util::Windows::File.get_attributes(path) & klass::FILE_ATTRIBUTE_READONLY).should be_nonzero
end
it "should make them writable if any sid has write permission" do
winsec.set_mode(WindowsSecurityTester::S_IWUSR, path)
- (winsec.get_attributes(path) & WindowsSecurityTester::FILE_ATTRIBUTE_READONLY).should == 0
+ (Puppet::Util::Windows::File.get_attributes(path) & klass::FILE_ATTRIBUTE_READONLY).should == 0
end
it "should leave them read-only if no sid has write permission and should allow full access for SYSTEM" do
winsec.set_mode(WindowsSecurityTester::S_IRUSR | WindowsSecurityTester::S_IXGRP, path)
- (winsec.get_attributes(path) & WindowsSecurityTester::FILE_ATTRIBUTE_READONLY).should be_nonzero
+ (Puppet::Util::Windows::File.get_attributes(path) & klass::FILE_ATTRIBUTE_READONLY).should be_nonzero
system_aces = winsec.get_aces_for_path_by_sid(path, sids[:system])
# when running under SYSTEM account, and set_group / set_owner hasn't been called
# SYSTEM full access will be restored
system_aces.any? do |ace|
- ace.mask == Windows::File::FILE_ALL_ACCESS
+ ace.mask == klass::FILE_ALL_ACCESS
end.should be_true
end
end
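Review bot: The rewritten lines call `Puppet::Util::Windows::File.add_attributes` and `.get_attributes` fully qualified while reading the constants through `klass::` on the same line, even though `klass` is `let`-bound to `Puppet::Util::Windows::File` earlier in this diff. Using `klass.add_attributes(path, klass::FILE_ATTRIBUTE_READONLY)` and `(klass.get_attributes(path) & klass::FILE_ATTRIBUTE_READONLY).should be_nonzero` keeps one spelling per line and makes the class easier to swap in the `let`. The `before :each` also never clears the read-only attribute it sets; if the surrounding `after` hook (outside the hunk) does not remove the temp file, later examples will inherit the flag.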
@@ -291,7 +290,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
it "should report when extra aces are encounted" do
sd = winsec.get_security_descriptor(path)
(544..547).each do |rid|
- sd.dacl.allow("S-1-5-32-#{rid}", WindowsSecurityTester::STANDARD_RIGHTS_ALL)
+ sd.dacl.allow("S-1-5-32-#{rid}", klass::STANDARD_RIGHTS_ALL)
end
winsec.set_security_descriptor(path, sd)
@@ -301,12 +300,12 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
it "should return deny aces" do
sd = winsec.get_security_descriptor(path)
- sd.dacl.deny(sids[:guest], WindowsSecurityTester::FILE_GENERIC_WRITE)
+ sd.dacl.deny(sids[:guest], klass::FILE_GENERIC_WRITE)
winsec.set_security_descriptor(path, sd)
guest_aces = winsec.get_aces_for_path_by_sid(path, sids[:guest])
guest_aces.find do |ace|
- ace.type == WindowsSecurityTester::ACCESS_DENIED_ACE_TYPE
+ ace.type == Puppet::Util::Windows::AccessControlEntry::ACCESS_DENIED_ACE_TYPE
end.should_not be_nil
end
@@ -314,12 +313,12 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
sd = winsec.get_security_descriptor(path)
dacl = Puppet::Util::Windows::AccessControlList.new
dacl.allow(
- sids[:current_user], WindowsSecurityTester::STANDARD_RIGHTS_ALL | WindowsSecurityTester::SPECIFIC_RIGHTS_ALL
+ sids[:current_user], klass::STANDARD_RIGHTS_ALL | klass::SPECIFIC_RIGHTS_ALL
)
dacl.allow(
sids[:everyone],
- WindowsSecurityTester::FILE_GENERIC_READ,
- WindowsSecurityTester::INHERIT_ONLY_ACE | WindowsSecurityTester::OBJECT_INHERIT_ACE
+ klass::FILE_GENERIC_READ,
+ Puppet::Util::Windows::AccessControlEntry::INHERIT_ONLY_ACE | Puppet::Util::Windows::AccessControlEntry::OBJECT_INHERIT_ACE
)
winsec.set_security_descriptor(path, sd)
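Review bot: Within this hunk the freshly built `dacl` is never attached to `sd` before `winsec.set_security_descriptor(path, sd)`, so as far as the visible lines show the two `dacl.allow` calls are dead code and the descriptor is written back unchanged. If no `sd.dacl = dacl` (or equivalent) sits on a line the hunk omits, the example is not exercising the ACL it constructs; add `sd.dacl = dacl` before the `set_security_descriptor` call, or build the ACEs on `sd.dacl` directly as the other examples do. The example's `it` line and assertions are outside the hunk.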
@@ -344,8 +343,8 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
it "should be present when the access control list is unprotected" do
# add a bunch of aces to the parent with permission to add children
- allow = WindowsSecurityTester::STANDARD_RIGHTS_ALL | WindowsSecurityTester::SPECIFIC_RIGHTS_ALL
- inherit = WindowsSecurityTester::OBJECT_INHERIT_ACE | WindowsSecurityTester::CONTAINER_INHERIT_ACE
+ allow = klass::STANDARD_RIGHTS_ALL | klass::SPECIFIC_RIGHTS_ALL
+ inherit = Puppet::Util::Windows::AccessControlEntry::OBJECT_INHERIT_ACE | Puppet::Util::Windows::AccessControlEntry::CONTAINER_INHERIT_ACE
sd = winsec.get_security_descriptor(parent)
sd.dacl.allow(
@@ -356,7 +355,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
(544..547).each do |rid|
sd.dacl.allow(
"S-1-5-32-#{rid}",
- WindowsSecurityTester::STANDARD_RIGHTS_ALL,
+ klass::STANDARD_RIGHTS_ALL,
inherit
)
end
@@ -371,10 +370,12 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
describe "for an administrator", :if => Puppet.features.root? do
before :each do
+ is_dir = Puppet::FileSystem.directory?(path)
winsec.set_mode(WindowsSecurityTester::S_IRWXU | WindowsSecurityTester::S_IRWXG, path)
set_group_depending_on_current_user(path)
winsec.set_owner(sids[:guest], path)
- lambda { File.open(path, 'r') }.should raise_error(Errno::EACCES)
+ expected_error = RUBY_VERSION =~ /^2\./ && is_dir ? Errno::EISDIR : Errno::EACCES
+ lambda { File.open(path, 'r') }.should raise_error(expected_error)
end
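Review bot: On Ruby 2 the `before :each` no longer proves that the guest-owned path is inaccessible for directories: `File.open(path, 'r')` on a directory raises `Errno::EISDIR` regardless of the DACL, so the new `expected_error` branch accepts an error that says nothing about permissions. If the point of the block is to confirm access is denied after `set_owner(sids[:guest], path)`, use a call that honors the directory DACL for the `is_dir` case and keep `File.open` for files; `Dir.entries` should map ERROR_ACCESS_DENIED to `Errno::EACCES` on Windows, but confirm that on the CI image. The `RUBY_VERSION =~ /^2\./` test will also silently fall back to the `EACCES` branch on a future 3.x interpreter, so the version gate is better removed than kept.
```ruby
# … unchanged: set_mode / set_group_depending_on_current_user / set_owner …
if is_dir
  lambda { Dir.entries(path) }.should raise_error(Errno::EACCES)
else
  lambda { File.open(path, 'r') }.should raise_error(Errno::EACCES)
end
```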
after :each do
@@ -446,14 +447,14 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
describe "when the sid refers to a deleted trustee" do
it "should retrieve the user sid" do
sid = nil
- user = Puppet::Util::ADSI::User.create("delete_me_user")
+ user = Puppet::Util::Windows::ADSI::User.create("delete_me_user")
user.commit
begin
- sid = Sys::Admin::get_user(user.name).sid
+ sid = Puppet::Util::Windows::ADSI::User.new(user.name).sid.to_s
winsec.set_owner(sid, path)
winsec.set_mode(WindowsSecurityTester::S_IRWXU, path)
ensure
- Puppet::Util::ADSI::User.delete(user.name)
+ Puppet::Util::Windows::ADSI::User.delete(user.name)
end
winsec.get_owner(path).should == sid
@@ -462,14 +463,14 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
it "should retrieve the group sid" do
sid = nil
- group = Puppet::Util::ADSI::Group.create("delete_me_group")
+ group = Puppet::Util::Windows::ADSI::Group.create("delete_me_group")
group.commit
begin
- sid = Sys::Admin::get_group(group.name).sid
+ sid = Puppet::Util::Windows::ADSI::Group.new(group.name).sid.to_s
winsec.set_group(sid, path)
winsec.set_mode(WindowsSecurityTester::S_IRWXG, path)
ensure
- Puppet::Util::ADSI::Group.delete(group.name)
+ Puppet::Util::Windows::ADSI::Group.delete(group.name)
end
winsec.get_group(path).should == sid
winsec.get_mode(path).should == WindowsSecurityTester::S_IRWXG
@@ -813,7 +814,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
Puppet::Util::Windows::AccessControlEntry::CONTAINER_INHERIT_ACE
sd = winsec.get_security_descriptor(dir)
- sd.dacl.allow(sd.owner, Windows::File::FILE_ALL_ACCESS, inherit_flags)
+ sd.dacl.allow(sd.owner, klass::FILE_ALL_ACCESS, inherit_flags)
winsec.set_security_descriptor(dir, sd)
sd = winsec.get_security_descriptor(dir)
@@ -834,7 +835,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
Puppet::Util::Windows::AccessControlEntry::CONTAINER_INHERIT_ACE
sd = winsec.get_security_descriptor(dir)
- sd.dacl.deny(sids[:guest], Windows::File::FILE_ALL_ACCESS, inherit_flags)
+ sd.dacl.deny(sids[:guest], klass::FILE_ALL_ACCESS, inherit_flags)
winsec.set_security_descriptor(dir, sd)
sd = winsec.get_security_descriptor(dir)