Adds user_permissions property to list user or group permissions on registry key and adds be_inherit matcher to check whether inheritance is enabled on the registry key

Signed-off-by: Vasu1105 <vasundhara.jagdale@chef.io>

docs-chef-io/content/inspec/resources/registry_key.md

@@ -95,6 +95,16 @@ where `'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule'` is the f
       its('ProductName') { should match /^[a-zA-Z0-9\(\)\s]*2012\s[rR]2[a-zA-Z0-9\(\)\s]*$/ }
     end
 
+## Properties
+
+### user_permissions
+
+The `user_permissions` property returns the hash containing the list of users or groups and their registry key permissions. for e.g. `{ "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" }`
+
+    its('user_permissions') { should cmp { "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" } }
+
+    its('user_permissions') { should include "NT AUTHORITY\\SYSTEM"=>"FullControl" }
+
 ## Matchers
 
 For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
@@ -153,6 +163,12 @@ The `name` matcher tests the value for the specified registry setting:
 
     its('name') { should eq 'value' }
 
+### be_inherit
+
+The `be_inherit` matcher returns the `Boolean`. It will return `true` if registry key has inheritance enabled.
+
+    it { should be_inherit }
+
 **Warning**: Any name with a dot will not work as expected: <code>its('explorer.exe') { should eq 'test' }</code>. For details, see <a href="https://github.com/inspec/inspec/issues/1281">https://github.com/inspec/inspec/issues/1281</a>
 
     # instead of:

lib/inspec/resources/registry_key.rb

@@ -105,6 +105,21 @@ module Inspec::Resources
       children_keys(@options[:path], filter)
     end
 
+    # returns hash containing users / groups and their permission
+    def user_permissions
+      return {} unless exists?
+
+      get_permissions(@options[:path])
+    end
+
+    # returns true if inheritance is enabled for registry key.
+    def inherit?
+      return false unless exists?
+
+      cmd = inspec.command("(Get-Acl -Path 'Registry::#{@options[:path]}').access| Where-Object {$_.IsInherited -eq $true} | measure | % { $_.Count }")
+      cmd.stdout.chomp == "0" ? false : true
+    end
+
     # returns nil, if not existent or value
     def method_missing(*keys)
       # allow the use of array syntax in an `its` block so that users
@@ -283,6 +298,21 @@ module Inspec::Resources
 
       key.start_with?("\\") ? key : "\\#{key}"
     end
+
+    def get_permissions(path)
+      script = <<~EOH
+      $path = '#{path}'
+      $Acl = Get-Acl -Path ('Registry::' + $path)
+      $Result = foreach ($Access in $acl.Access) {
+        [PSCustomObject]@{
+          $Access.IdentityReference = $Access.RegistryRights.ToString()
+        }
+      }
+      $Result | ConvertTo-Json
+      EOH
+      result = inspec.powershell(script)
+      JSON.load(result.stdout).inject(&:merge) unless result.stdout.empty?
+    end
   end
 
   class WindowsRegistryKey < RegistryKey

test/unit/resources/registry_key_test.rb

@@ -36,4 +36,17 @@ describe "Inspec::Resources::RegistryKey" do
     _(resource.send(:generate_registry_key_path_from_options)).must_equal 'my_hive\\key_with_no_slash'
   end
 
+  it "returns inherit and user permissions values" do
+    resource = MockLoader.new(:windows).load_resource("registry_key", 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule')
+    resource.stubs(:exist?).returns(true)
+    resource.stubs(:user_permissions).returns({ "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" })
+    _(resource.user_permissions).must_equal({ "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" })
+  end
+
+  it "returns true if file has inherit enabled on Windows." do
+    resource = MockLoader.new(:windows).load_resource("registry_key", 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule')
+    resource.stubs(:exist?).returns(true)
+    resource.stubs(:inherit?).returns(true)
+    _(resource.inherit?).must_equal true
+  end
 end