Renamed users_permissions to user_permissions and added docs.

Signed-off-by: Vasu1105 <vasundhara.jagdale@chef.io>
Vasu1105 2021-12-22 19:53:28 +05:30
parent 4bfef5281f
commit 96249f24af
3 changed files with 46 additions and 29 deletions


@ -70,6 +70,7 @@ where
- `file_version`
- `product_version`
- `user_permissions`
## Resource Property Examples
@ -170,6 +171,14 @@ The `product_version` property tests if a Windows file's product version matches
its('product_version') { should eq '2.3.4' }
### user_permissions
The `user_permissions` property returns the hash containing the list of users or groups and their file permissions on Windows. for e.g. `{ "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" }`
its('user_permissions') { should cmp { "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" } }
its('user_permissions') { should include "NT AUTHORITY\\SYSTEM"=>"FullControl" }
### selinux_label
The `selinux_label` property tests if the SELinux label for a file matches the specified value.
@ -587,3 +596,11 @@ return `true` if your file has a mode with greater permissions than specified.
it { should_not be_more_permissive_than('0644') }
it { should be_more_permissive_than('0000') }
end
### `be_inherit`
`be_inherit` matcher returns the `Boolean`. It will return `true` if file or foler has inheritance enabled in Windows. This matcher only works for Windows OS.
describe file('C://Example') do
it { should be_inherit }
end


@ -61,22 +61,22 @@ module Inspec::Resources
res.force_encoding("utf-8")
end
def users_permissions
raise "#{file.path} does not exist." unless exist?
if inspec.os.windows?
@perms_provider.users_permissions(file)
else
return skip_resource"`users_permissions` is not supported on your OS yet."
end
# returns hash containing list of users/groups and their file permissions.
def user_permissions
return {} unless exist?
return skip_reource"`user_permissions` is not supported on your OS yet." unless inspec.os.windows?
@perms_provider.user_permissions(file)
end
# returns true if inheritance is enabled on file or folder
def inherit?
raise "#{file.path} does not exist." unless exist?
if inspec.os.windows?
@perms_provider.inherit?(file)
else
return skip_resource "`inherit?` is not supported on your OS yet."
end
return false unless exist?
return skip_resource "`inherit?` is not supported on your OS yet." unless inspec.os.windows?
@perms_provider.inherit?(file)
end
def contain(*_)
@ -263,23 +263,23 @@ module Inspec::Resources
class WindowsFilePermissions < FilePermissions
def users_permissions(file)
command = <<-EOH
$Acl = Get-Acl -Path #{file.path}
$Result = foreach ($Access in $acl.Access) {
[PSCustomObject]@{
$Access.IdentityReference.Value = $Access.FileSystemRights.ToString()
}
}
$Result | ConvertTo-Json
EOH
cmd = inspec.powershell(command)
JSON.load(cmd.stdout).inject(&:merge) unless cmd.stdout.empty?
def user_permissions(file)
script = <<-EOH
$Acl = Get-Acl -Path #{file.path}
$Result = foreach ($Access in $acl.Access) {
[PSCustomObject]@{
$Access.IdentityReference.Value = $Access.FileSystemRights.ToString()
}
}
$Result | ConvertTo-Json
EOH
result = inspec.powershell(script)
JSON.load(result.stdout).inject(&:merge) unless result.stdout.empty?
end
def inherit?(file)
cmd = inspec.command("(Get-Acl 'C:/ExamlpeFolder').access| Where-Object {$_.IsInherited -eq $true} | measure | % { $_.Count }")
cmd.stdout.chomp == "0" ? false : true unless cmd.stdout.empty?
cmd = inspec.command("(Get-Acl -Path #{file.path}).access| Where-Object {$_.IsInherited -eq $true} | measure | % { $_.Count }")
cmd.stdout.chomp == "0" ? false : true
end
def check_file_permission_by_mask(_file, _access_type, _usergroup, _specific_user)
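Review bot: In `WindowsFilePermissions`, both `user_permissions` and the rewritten `inherit?` interpolate `file.path` unquoted into the PowerShell text (`Get-Acl -Path #{file.path}`), so a path with spaces fails and a path containing PowerShell metacharacters is parsed as script rather than as a path. Pass it as a quoted literal in both methods, e.g. `Get-Acl -LiteralPath '#{file.path.gsub("'", "''")}'`, which also stops wildcard expansion of the path. `inherit?` also drops the earlier empty-stdout guard, so a failed or empty command result now evaluates to `true`; for an audit check it is safer to require a positive count, `cmd.stdout.strip.to_i > 0`. Separately, the resource-level `user_permissions` in the first hunk calls `skip_reource`, which looks like a typo for the `skip_resource` used in `inherit?` and would raise `NoMethodError` on non-Windows targets instead of skipping.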


@ -47,7 +47,7 @@ describe Inspec::Resources::FileResource do
resource.stubs(:file_permission_granted?).with("write", "by_usergroup", "by_specific_user").returns("test_result")
resource.stubs(:file_permission_granted?).with("execute", "by_usergroup", "by_specific_user").returns("test_result")
resource.stubs(:file_permission_granted?).with("full-control", "by_usergroup", "by_specific_user").returns("test_result")
resource.stubs(:users_permissions).returns({ "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" })
resource.stubs(:user_permissions).returns({ "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" })
_(resource.content).must_equal "content"
_(resource.exist?).must_equal true
_(resource.mounted?).must_equal true
@ -58,7 +58,7 @@ describe Inspec::Resources::FileResource do
_(resource.executable?("by_usergroup", "by_specific_user")).must_equal "test_result"
_(resource.allowed?("execute", by: "by_usergroup", by_user: "by_specific_user")).must_equal "test_result"
_(resource.allowed?("full-control", by: "by_usergroup", by_user: "by_specific_user")).must_equal "test_result"
_(resource.users_permissions).must_equal ({ "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" })
_(resource.user_permissions).must_equal({ "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" })
end
it "returns true if file has inherit enabled on Windows." do