Merge pull request #1681 from Happycoil/add-windows-user-groups

fetch user groups while building user object
2024-11-26 22:50:36 +00:00 · 2017-04-21 11:00:49 +02:00 · 2017-04-21 11:00:49 +02:00 · b03ee9d0ba
commit b03ee9d0ba
parent 09f3a41496 8ad02f4d04
5 changed files with 58 additions and 37 deletions
--- a/lib/resources/users.rb
+++ b/lib/resources/users.rb
@ -576,42 +576,42 @@ module Inspec::Resources
    def collect_user_details # rubocop:disable Metrics/MethodLength
      return @users_cache if defined?(@users_cache)
      script = <<-EOH
-Function  ConvertTo-SID { Param([byte[]]$BinarySID)
-  (New-Object  System.Security.Principal.SecurityIdentifier($BinarySID,0)).Value
+Function ConvertTo-SID { Param([byte[]]$BinarySID)
+  (New-Object System.Security.Principal.SecurityIdentifier($BinarySID,0)).Value
 }

-Function  Convert-UserFlag { Param  ($UserFlag)
-  $List  = @()
-  Switch  ($UserFlag) {
-    ($UserFlag  -BOR 0x0001)  { $List += 'SCRIPT' }
-    ($UserFlag  -BOR 0x0002)  { $List += 'ACCOUNTDISABLE' }
-    ($UserFlag  -BOR 0x0008)  { $List += 'HOMEDIR_REQUIRED' }
-    ($UserFlag  -BOR 0x0010)  { $List += 'LOCKOUT' }
-    ($UserFlag  -BOR 0x0020)  { $List += 'PASSWD_NOTREQD' }
-    ($UserFlag  -BOR 0x0040)  { $List += 'PASSWD_CANT_CHANGE' }
-    ($UserFlag  -BOR 0x0080)  { $List += 'ENCRYPTED_TEXT_PWD_ALLOWED' }
-    ($UserFlag  -BOR 0x0100)  { $List += 'TEMP_DUPLICATE_ACCOUNT' }
-    ($UserFlag  -BOR 0x0200)  { $List += 'NORMAL_ACCOUNT' }
-    ($UserFlag  -BOR 0x0800)  { $List += 'INTERDOMAIN_TRUST_ACCOUNT' }
-    ($UserFlag  -BOR 0x1000)  { $List += 'WORKSTATION_TRUST_ACCOUNT' }
-    ($UserFlag  -BOR 0x2000)  { $List += 'SERVER_TRUST_ACCOUNT' }
-    ($UserFlag  -BOR 0x10000)  { $List += 'DONT_EXPIRE_PASSWORD' }
-    ($UserFlag  -BOR 0x20000)  { $List += 'MNS_LOGON_ACCOUNT' }
-    ($UserFlag  -BOR 0x40000)  { $List += 'SMARTCARD_REQUIRED' }
-    ($UserFlag  -BOR 0x80000)  { $List += 'TRUSTED_FOR_DELEGATION' }
-    ($UserFlag  -BOR 0x100000)  { $List += 'NOT_DELEGATED' }
-    ($UserFlag  -BOR 0x200000)  { $List += 'USE_DES_KEY_ONLY' }
-    ($UserFlag  -BOR 0x400000)  { $List += 'DONT_REQ_PREAUTH' }
-    ($UserFlag  -BOR 0x800000)  { $List += 'PASSWORD_EXPIRED' }
-    ($UserFlag  -BOR 0x1000000)  { $List += 'TRUSTED_TO_AUTH_FOR_DELEGATION' }
-    ($UserFlag  -BOR 0x04000000)  { $List += 'PARTIAL_SECRETS_ACCOUNT' }
+Function Convert-UserFlag { Param  ($UserFlag)
+  $List = @()
+  Switch ($UserFlag) {
+    ($UserFlag -BOR 0x0001) { $List += 'SCRIPT' }
+    ($UserFlag -BOR 0x0002) { $List += 'ACCOUNTDISABLE' }
+    ($UserFlag -BOR 0x0008) { $List += 'HOMEDIR_REQUIRED' }
+    ($UserFlag -BOR 0x0010) { $List += 'LOCKOUT' }
+    ($UserFlag -BOR 0x0020) { $List += 'PASSWD_NOTREQD' }
+    ($UserFlag -BOR 0x0040) { $List += 'PASSWD_CANT_CHANGE' }
+    ($UserFlag -BOR 0x0080) { $List += 'ENCRYPTED_TEXT_PWD_ALLOWED' }
+    ($UserFlag -BOR 0x0100) { $List += 'TEMP_DUPLICATE_ACCOUNT' }
+    ($UserFlag -BOR 0x0200) { $List += 'NORMAL_ACCOUNT' }
+    ($UserFlag -BOR 0x0800) { $List += 'INTERDOMAIN_TRUST_ACCOUNT' }
+    ($UserFlag -BOR 0x1000) { $List += 'WORKSTATION_TRUST_ACCOUNT' }
+    ($UserFlag -BOR 0x2000) { $List += 'SERVER_TRUST_ACCOUNT' }
+    ($UserFlag -BOR 0x10000) { $List += 'DONT_EXPIRE_PASSWORD' }
+    ($UserFlag -BOR 0x20000) { $List += 'MNS_LOGON_ACCOUNT' }
+    ($UserFlag -BOR 0x40000) { $List += 'SMARTCARD_REQUIRED' }
+    ($UserFlag -BOR 0x80000) { $List += 'TRUSTED_FOR_DELEGATION' }
+    ($UserFlag -BOR 0x100000) { $List += 'NOT_DELEGATED' }
+    ($UserFlag -BOR 0x200000) { $List += 'USE_DES_KEY_ONLY' }
+    ($UserFlag -BOR 0x400000) { $List += 'DONT_REQ_PREAUTH' }
+    ($UserFlag -BOR 0x800000) { $List += 'PASSWORD_EXPIRED' }
+    ($UserFlag -BOR 0x1000000) { $List += 'TRUSTED_TO_AUTH_FOR_DELEGATION' }
+    ($UserFlag -BOR 0x04000000) { $List += 'PARTIAL_SECRETS_ACCOUNT' }
  }
  $List
 }

-$Computername =  $Env:Computername
-$adsi  = [ADSI]"WinNT://$Computername"
-$adsi.Children | where {$_.SchemaClassName -eq  'user'} |  ForEach {
+$Computername = $Env:Computername
+$adsi = [ADSI]"WinNT://$Computername"
+$adsi.Children | where {$_.SchemaClassName -eq 'user'} | ForEach {
  New-Object PSObject -property @{
    uid = ConvertTo-SID -BinarySID $_.ObjectSID[0]
    username = $_.Name[0]
@ -627,7 +627,7 @@ $adsi.Children | where {$_.SchemaClassName -eq  'user'} |  ForEach {
    maxbadpasswords = $_.MaxBadPasswordsAllowed[0]
    gid = $null
    group = $null
-    groups = $null
+    groups = @($_.Groups() | Foreach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    home = $_.HomeDirectory[0]
    shell = $null
    domain = $Computername
--- a/test/helper.rb
+++ b/test/helper.rb
@ -231,7 +231,7 @@ class MockLoader
      # user info for freebsd
      'pw usershow root -7' => cmd.call('pw-usershow-root-7'),
      # user info for windows (winrm 1.6.0, 1.6.1)
-      '21c8fabaade05b84ec979759a30814f04353722f173424921bddedc7b65cacbf' => cmd.call('adsiusers'),
+      '27c6cda89fa5d196506251c0ed0d20468b378c5689711981dc1e1e683c7b02c1' => cmd.call('adsiusers'),
      # group info for windows
      'd8d5b3e3355650399e23857a526ee100b4e49e5c2404a0a5dbb7d85d7f4de5cc' => cmd.call('adsigroups'),
      # network interface
--- a/test/integration/default/user_spec.rb
+++ b/test/integration/default/user_spec.rb
@ -30,7 +30,7 @@ elsif os.windows?
    groupname: nil,
    uid: nil,
    gid: nil,
-    groups: nil,
+    groups: "Administrators",
    home: nil,
    shell: nil,
  }
@ -91,6 +91,7 @@ if os.windows?
    it { should exist }
    # should return the SID of the user
    its('uid') { should_not eq nil}
+    its('groups') { should include userinfo[:groups] }
  end

  # also support simple username for local users without domain
@ -98,6 +99,7 @@ if os.windows?
    it { should exist }
    # should return the SID of the user
    its('uid') { should_not eq nil}
+    its('groups') { should include userinfo[:groups] }
  end
 else
  # test single `user` resource
--- a/test/unit/mock/cmd/adsiusers
+++ b/test/unit/mock/cmd/adsiusers
@ -18,7 +18,10 @@
                          "NORMAL_ACCOUNT",
                          "PASSWORD_EXPIRED"
                      ],
-        "groups":  null,
+        "groups":  [
+            "Administrators",
+            "Users"
+        ],
        "gid":  null,
        "maxdays":  42,
        "shell":  null
@ -45,7 +48,9 @@
                          "NORMAL_ACCOUNT",
                          "DONT_EXPIRE_PASSWORD"
                      ],
-        "groups":  null,
+        "groups":  [
+            "Users"
+        ],
        "gid":  null,
        "maxdays":  42,
        "shell":  null
--- a/test/unit/resources/user_test.rb
+++ b/test/unit/resources/user_test.rb
@ -98,12 +98,12 @@ describe 'Inspec::Resources::User' do
    _(resource.warndays).must_equal nil
  end

-  it 'read user on Windows' do
+  it 'read administrator user on Windows' do
    resource = MockLoader.new(:windows).load_resource('user', 'Administrator')
    _(resource.uid).wont_be_nil
    _(resource.exists?).must_equal true
    _(resource.group).must_equal nil
-    _(resource.groups).must_equal nil
+    _(resource.groups).must_equal ['Administrators', 'Users']
    _(resource.home).must_equal nil
    _(resource.shell).must_equal nil
    _(resource.mindays).must_equal nil
@ -112,6 +112,20 @@ describe 'Inspec::Resources::User' do
    _(resource.disabled?).must_equal false
  end

+  it 'read guest user on Windows' do
+    resource = MockLoader.new(:windows).load_resource('user', 'Guest')
+    _(resource.uid).wont_be_nil
+    _(resource.exists?).must_equal true
+    _(resource.group).must_equal nil
+    _(resource.groups).must_equal ['Users']
+    _(resource.home).must_equal nil
+    _(resource.shell).must_equal nil
+    _(resource.mindays).must_equal nil
+    _(resource.maxdays).must_equal nil
+    _(resource.warndays).must_equal nil
+    _(resource.disabled?).must_equal true
+  end
+
  it 'read disabled user on Windows' do
    resource = MockLoader.new(:windows).load_resource('user', 'Guest')
    _(resource.uid).wont_be_nil