Adds user_permissions property to list user or group permissions on registry key and adds be_inherit matcher to check whether inheritance is enabled on the registry key
Signed-off-by: Vasu1105 <vasundhara.jagdale@chef.io>
This commit is contained in:
parent
01bc7afc7a
commit
084bf70392
3 changed files with 59 additions and 0 deletions
@ -95,6 +95,16 @@ where `'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule'` is the f
|
||||||
its('ProductName') { should match /^[a-zA-Z0-9\(\)\s]*2012\s[rR]2[a-zA-Z0-9\(\)\s]*$/ }
|
its('ProductName') { should match /^[a-zA-Z0-9\(\)\s]*2012\s[rR]2[a-zA-Z0-9\(\)\s]*$/ }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
## Properties
|
||||||
|
|
||||||
|
### user_permissions
|
||||||
|
|
||||||
|
The `user_permissions` property returns the hash containing the list of users or groups and their registry key permissions. for e.g. `{ "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" }`
|
||||||
|
|
||||||
|
its('user_permissions') { should cmp { "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" } }
|
||||||
|
|
||||||
|
its('user_permissions') { should include "NT AUTHORITY\\SYSTEM"=>"FullControl" }
|
||||||
|
|
||||||
## Matchers
|
## Matchers
|
||||||
|
|
||||||
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
||||||
|
@ -153,6 +163,12 @@ The `name` matcher tests the value for the specified registry setting:
|
||||||
|
|
||||||
its('name') { should eq 'value' }
|
its('name') { should eq 'value' }
|
||||||
|
|
||||||
|
### be_inherit
|
||||||
|
|
||||||
|
The `be_inherit` matcher returns the `Boolean`. It will return `true` if registry key has inheritance enabled.
|
||||||
|
|
||||||
|
it { should be_inherit }
|
||||||
|
|
||||||
**Warning**: Any name with a dot will not work as expected: <code>its('explorer.exe') { should eq 'test' }</code>. For details, see <a href="https://github.com/inspec/inspec/issues/1281">https://github.com/inspec/inspec/issues/1281</a>
|
**Warning**: Any name with a dot will not work as expected: <code>its('explorer.exe') { should eq 'test' }</code>. For details, see <a href="https://github.com/inspec/inspec/issues/1281">https://github.com/inspec/inspec/issues/1281</a>
|
||||||
|
|
||||||
# instead of:
|
# instead of:
|
||||||
|
|
|
@ -105,6 +105,21 @@ module Inspec::Resources
|
||||||
children_keys(@options[:path], filter)
|
children_keys(@options[:path], filter)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# returns hash containing users / groups and their permission
|
||||||
|
def user_permissions
|
||||||
|
return {} unless exists?
|
||||||
|
|
||||||
|
get_permissions(@options[:path])
|
||||||
|
end
|
||||||
|
|
||||||
|
# returns true if inheritance is enabled for registry key.
|
||||||
|
def inherit?
|
||||||
|
return false unless exists?
|
||||||
|
|
||||||
|
cmd = inspec.command("(Get-Acl -Path 'Registry::#{@options[:path]}').access| Where-Object {$_.IsInherited -eq $true} | measure | % { $_.Count }")
|
||||||
|
cmd.stdout.chomp == "0" ? false : true
|
||||||
|
end
|
||||||
|
|
||||||
# returns nil, if not existent or value
|
# returns nil, if not existent or value
|
||||||
def method_missing(*keys)
|
def method_missing(*keys)
|
||||||
# allow the use of array syntax in an `its` block so that users
|
# allow the use of array syntax in an `its` block so that users
|
||||||
|
@ -283,6 +298,21 @@ module Inspec::Resources
|
||||||
|
|
||||||
key.start_with?("\\") ? key : "\\#{key}"
|
key.start_with?("\\") ? key : "\\#{key}"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def get_permissions(path)
|
||||||
|
script = <<~EOH
|
||||||
|
$path = '#{path}'
|
||||||
|
$Acl = Get-Acl -Path ('Registry::' + $path)
|
||||||
|
$Result = foreach ($Access in $acl.Access) {
|
||||||
|
[PSCustomObject]@{
|
||||||
|
$Access.IdentityReference = $Access.RegistryRights.ToString()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$Result | ConvertTo-Json
|
||||||
|
EOH
|
||||||
|
result = inspec.powershell(script)
|
||||||
|
JSON.load(result.stdout).inject(&:merge) unless result.stdout.empty?
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
class WindowsRegistryKey < RegistryKey
|
class WindowsRegistryKey < RegistryKey
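Review bot: `get_permissions` records only `$Access.RegistryRights`, so a Deny ACE is indistinguishable from an Allow grant and an identity holding several ACEs collapses to whichever pair `inject(&:merge)` sees last; filtering the loop to Allow entries (`foreach ($Access in $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })`) or encoding the type in the value, and documenting which, keeps a consumer from reading a denial as a grant. `ConvertTo-Json` emits a bare object rather than an array when `$Result` holds a single ACE and nothing at all when it is empty, so the Ruby side can come back as a `[key, value]` pair or `nil`; `$Result | ConvertTo-Json` → `ConvertTo-Json -InputObject @($Result)` together with `JSON.parse(result.stdout).inject({}, &:merge)` yields a hash for all three shapes and avoids `JSON.load`'s additions handling on data produced on the target. In the previous hunk, `inherit?` treats any stdout other than `"0"`, including the empty output of a failed `Get-Acl`, as inheritance enabled, so the matcher passes on error; `cmd.exit_status == 0 && cmd.stdout.chomp != "0"` closes that and drops the `? false : true` ternary. Both that one-liner and this script splice `@options[:path]` into a single-quoted PowerShell literal unescaped, so a `'` in the path breaks the quoting; doubling it (`path.gsub("'", "''")`) before interpolation is a one-line guard for both sites.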
|
||||||
|
|
|
@ -36,4 +36,17 @@ describe "Inspec::Resources::RegistryKey" do
|
||||||
_(resource.send(:generate_registry_key_path_from_options)).must_equal 'my_hive\\key_with_no_slash'
|
_(resource.send(:generate_registry_key_path_from_options)).must_equal 'my_hive\\key_with_no_slash'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "returns inherit and user permissions values" do
|
||||||
|
resource = MockLoader.new(:windows).load_resource("registry_key", 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule')
|
||||||
|
resource.stubs(:exist?).returns(true)
|
||||||
|
resource.stubs(:user_permissions).returns({ "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" })
|
||||||
|
_(resource.user_permissions).must_equal({ "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" })
|
||||||
|
end
|
||||||
|
|
||||||
|
it "returns true if file has inherit enabled on Windows." do
|
||||||
|
resource = MockLoader.new(:windows).load_resource("registry_key", 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule')
|
||||||
|
resource.stubs(:exist?).returns(true)
|
||||||
|
resource.stubs(:inherit?).returns(true)
|
||||||
|
_(resource.inherit?).must_equal true
|
||||||
|
end
|
||||||
end
|
end
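Review bot: Both new tests stub the method they then assert on (`resource.stubs(:user_permissions)` and `resource.stubs(:inherit?)`), so they pass regardless of the implementation and never execute the `Get-Acl` command, the PowerShell script or the `ConvertTo-Json` parsing that the resource adds. Stubbing the command layer instead (MockLoader fixtures for the `Get-Acl ... measure` command and for `inspec.powershell` with a captured JSON document) would let the tests assert the parsed hash and the `"0"`/non-`"0"` branches of `inherit?`, including the single-ACE and empty-output cases. The stubs target `exist?` while the implementation guards on `exists?`; unless the class aliases one to the other, that stub is inert, so it is worth checking which name the class defines. The second description says "file" but the subject is a registry key; `it "returns true if the registry key has inheritance enabled on Windows" do` reads correctly.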
|
||||||
|
|