diff --git a/lib/resources/users.rb b/lib/resources/users.rb
index 0a1f4da3c..6907d5f12 100644
--- a/lib/resources/users.rb
+++ b/lib/resources/users.rb
@@ -576,42 +576,42 @@ module Inspec::Resources
 def collect_user_details # rubocop:disable Metrics/MethodLength
 return @users_cache if defined?(@users_cache)
 script = <<-EOH
-Function ConvertTo-SID { Param([byte[]]$BinarySID)
- (New-Object System.Security.Principal.SecurityIdentifier($BinarySID,0)).Value
+Function ConvertTo-SID { Param([byte[]]$BinarySID)
+ (New-Object System.Security.Principal.SecurityIdentifier($BinarySID,0)).Value
 }
-Function Convert-UserFlag { Param ($UserFlag)
- $List = @()
- Switch ($UserFlag) {
- ($UserFlag -BOR 0x0001) { $List += 'SCRIPT' }
- ($UserFlag -BOR 0x0002) { $List += 'ACCOUNTDISABLE' }
- ($UserFlag -BOR 0x0008) { $List += 'HOMEDIR_REQUIRED' }
- ($UserFlag -BOR 0x0010) { $List += 'LOCKOUT' }
- ($UserFlag -BOR 0x0020) { $List += 'PASSWD_NOTREQD' }
- ($UserFlag -BOR 0x0040) { $List += 'PASSWD_CANT_CHANGE' }
- ($UserFlag -BOR 0x0080) { $List += 'ENCRYPTED_TEXT_PWD_ALLOWED' }
- ($UserFlag -BOR 0x0100) { $List += 'TEMP_DUPLICATE_ACCOUNT' }
- ($UserFlag -BOR 0x0200) { $List += 'NORMAL_ACCOUNT' }
- ($UserFlag -BOR 0x0800) { $List += 'INTERDOMAIN_TRUST_ACCOUNT' }
- ($UserFlag -BOR 0x1000) { $List += 'WORKSTATION_TRUST_ACCOUNT' }
- ($UserFlag -BOR 0x2000) { $List += 'SERVER_TRUST_ACCOUNT' }
- ($UserFlag -BOR 0x10000) { $List += 'DONT_EXPIRE_PASSWORD' }
- ($UserFlag -BOR 0x20000) { $List += 'MNS_LOGON_ACCOUNT' }
- ($UserFlag -BOR 0x40000) { $List += 'SMARTCARD_REQUIRED' }
- ($UserFlag -BOR 0x80000) { $List += 'TRUSTED_FOR_DELEGATION' }
- ($UserFlag -BOR 0x100000) { $List += 'NOT_DELEGATED' }
- ($UserFlag -BOR 0x200000) { $List += 'USE_DES_KEY_ONLY' }
- ($UserFlag -BOR 0x400000) { $List += 'DONT_REQ_PREAUTH' }
- ($UserFlag -BOR 0x800000) { $List += 'PASSWORD_EXPIRED' }
- ($UserFlag -BOR 0x1000000) { $List += 'TRUSTED_TO_AUTH_FOR_DELEGATION' }
- ($UserFlag -BOR 0x04000000) { $List += 'PARTIAL_SECRETS_ACCOUNT' }
+Function Convert-UserFlag { Param ($UserFlag)
+ $List = @()
+ Switch ($UserFlag) {
+ ($UserFlag -BOR 0x0001) { $List += 'SCRIPT' }
+ ($UserFlag -BOR 0x0002) { $List += 'ACCOUNTDISABLE' }
+ ($UserFlag -BOR 0x0008) { $List += 'HOMEDIR_REQUIRED' }
+ ($UserFlag -BOR 0x0010) { $List += 'LOCKOUT' }
+ ($UserFlag -BOR 0x0020) { $List += 'PASSWD_NOTREQD' }
+ ($UserFlag -BOR 0x0040) { $List += 'PASSWD_CANT_CHANGE' }
+ ($UserFlag -BOR 0x0080) { $List += 'ENCRYPTED_TEXT_PWD_ALLOWED' }
+ ($UserFlag -BOR 0x0100) { $List += 'TEMP_DUPLICATE_ACCOUNT' }
+ ($UserFlag -BOR 0x0200) { $List += 'NORMAL_ACCOUNT' }
+ ($UserFlag -BOR 0x0800) { $List += 'INTERDOMAIN_TRUST_ACCOUNT' }
+ ($UserFlag -BOR 0x1000) { $List += 'WORKSTATION_TRUST_ACCOUNT' }
+ ($UserFlag -BOR 0x2000) { $List += 'SERVER_TRUST_ACCOUNT' }
+ ($UserFlag -BOR 0x10000) { $List += 'DONT_EXPIRE_PASSWORD' }
+ ($UserFlag -BOR 0x20000) { $List += 'MNS_LOGON_ACCOUNT' }
+ ($UserFlag -BOR 0x40000) { $List += 'SMARTCARD_REQUIRED' }
+ ($UserFlag -BOR 0x80000) { $List += 'TRUSTED_FOR_DELEGATION' }
+ ($UserFlag -BOR 0x100000) { $List += 'NOT_DELEGATED' }
+ ($UserFlag -BOR 0x200000) { $List += 'USE_DES_KEY_ONLY' }
+ ($UserFlag -BOR 0x400000) { $List += 'DONT_REQ_PREAUTH' }
+ ($UserFlag -BOR 0x800000) { $List += 'PASSWORD_EXPIRED' }
+ ($UserFlag -BOR 0x1000000) { $List += 'TRUSTED_TO_AUTH_FOR_DELEGATION' }
+ ($UserFlag -BOR 0x04000000) { $List += 'PARTIAL_SECRETS_ACCOUNT' }
 }
 $List
 }
-$Computername = $Env:Computername
-$adsi = [ADSI]"WinNT://$Computername"
-$adsi.Children | where {$_.SchemaClassName -eq 'user'} | ForEach {
+$Computername = $Env:Computername
+$adsi = [ADSI]"WinNT://$Computername"
+$adsi.Children | where {$_.SchemaClassName -eq 'user'} | ForEach {
 New-Object PSObject -property @{
 uid = ConvertTo-SID -BinarySID $_.ObjectSID[0]
 username = $_.Name[0]
@@ -627,7 +627,7 @@ $adsi.Children | where {$_.SchemaClassName -eq 'user'} | ForEach {
 maxbadpasswords = $_.MaxBadPasswordsAllowed[0]
 gid = $null
 group = $null
-groups = $null
+groups = @($_.Groups() | Foreach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
 home = $_.HomeDirectory[0]
 shell = $null
 domain = $Computername
diff --git a/test/helper.rb b/test/helper.rb
index b86ca72d2..dff556811 100644
--- a/test/helper.rb
+++ b/test/helper.rb
@@ -231,7 +231,7 @@ class MockLoader
 # user info for freebsd
 'pw usershow root -7' => cmd.call('pw-usershow-root-7'),
 # user info for windows (winrm 1.6.0, 1.6.1)
-'21c8fabaade05b84ec979759a30814f04353722f173424921bddedc7b65cacbf' => cmd.call('adsiusers'),
+'27c6cda89fa5d196506251c0ed0d20468b378c5689711981dc1e1e683c7b02c1' => cmd.call('adsiusers'),
 # group info for windows
 'd8d5b3e3355650399e23857a526ee100b4e49e5c2404a0a5dbb7d85d7f4de5cc' => cmd.call('adsigroups'),
 # network interface
diff --git a/test/integration/default/user_spec.rb b/test/integration/default/user_spec.rb
index 8fed43c2d..1aa31367e 100644
--- a/test/integration/default/user_spec.rb
+++ b/test/integration/default/user_spec.rb
@@ -30,7 +30,7 @@ elsif os.windows?
 groupname: nil,
 uid: nil,
 gid: nil,
-groups: nil,
+groups: "Administrators",
 home: nil,
 shell: nil,
 }
@@ -91,6 +91,7 @@ if os.windows?
 it { should exist }
 # should return the SID of the user
 its('uid') { should_not eq nil}
+its('groups') { should include userinfo[:groups] }
 end
 
 # also support simple username for local users without domain
@@ -98,6 +99,7 @@ if os.windows?
 it { should exist }
 # should return the SID of the user
 its('uid') { should_not eq nil}
+its('groups') { should include userinfo[:groups] }
 end
 else
 # test single `user` resource
diff --git a/test/unit/mock/cmd/adsiusers b/test/unit/mock/cmd/adsiusers
index d02a9345e..5f6695e3d 100644
--- a/test/unit/mock/cmd/adsiusers
+++ b/test/unit/mock/cmd/adsiusers
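Review bot: The new `groups` value calls `$_.Groups()` for every account with no error handling, and it is not clear from the hunk whether a COM failure on one account leaves the remaining users unlisted; wrapping it as `groups = @(try { $_.Groups() | Foreach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) } } catch { })` would degrade that one account to an empty list instead of losing the whole listing. The order in which `Groups()` enumerates is not specified either, while the unit test in this commit pins `['Administrators', 'Users']`, so adding `| Sort-Object` before the closing paren would make the reported membership stable across hosts. The value is the `Name` property of each group as seen through the `WinNT://$Computername` provider, which appears to be local group names only, without SIDs; a one-line comment saying so above `script = <<-EOH` in `collect_user_details` would spare the next reader that inference. That method starts and ends outside this hunk.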
@@ -18,7 +18,10 @@
 "NORMAL_ACCOUNT",
 "PASSWORD_EXPIRED"
 ],
-"groups": null,
+"groups": [
+"Administrators",
+"Users"
+],
 "gid": null,
 "maxdays": 42,
 "shell": null
@@ -45,7 +48,9 @@
 "NORMAL_ACCOUNT",
 "DONT_EXPIRE_PASSWORD"
 ],
-"groups": null,
+"groups": [
+"Users"
+],
 "gid": null,
 "maxdays": 42,
 "shell": null
diff --git a/test/unit/resources/user_test.rb b/test/unit/resources/user_test.rb
index b5ca93ccf..2ae15da64 100644
--- a/test/unit/resources/user_test.rb
+++ b/test/unit/resources/user_test.rb
@@ -98,12 +98,12 @@ describe 'Inspec::Resources::User' do
 _(resource.warndays).must_equal nil
 end
 
-it 'read user on Windows' do
+it 'read administrator user on Windows' do
 resource = MockLoader.new(:windows).load_resource('user', 'Administrator')
 _(resource.uid).wont_be_nil
 _(resource.exists?).must_equal true
 _(resource.group).must_equal nil
-_(resource.groups).must_equal nil
+_(resource.groups).must_equal ['Administrators', 'Users']
 _(resource.home).must_equal nil
 _(resource.shell).must_equal nil
 _(resource.mindays).must_equal nil
@@ -112,6 +112,20 @@ describe 'Inspec::Resources::User' do
 _(resource.disabled?).must_equal false
 end
 
+it 'read guest user on Windows' do
+resource = MockLoader.new(:windows).load_resource('user', 'Guest')
+_(resource.uid).wont_be_nil
+_(resource.exists?).must_equal true
+_(resource.group).must_equal nil
+_(resource.groups).must_equal ['Users']
+_(resource.home).must_equal nil
+_(resource.shell).must_equal nil
+_(resource.mindays).must_equal nil
+_(resource.maxdays).must_equal nil
+_(resource.warndays).must_equal nil
+_(resource.disabled?).must_equal true
+end
+
 it 'read disabled user on Windows' do
 resource = MockLoader.new(:windows).load_resource('user', 'Guest')
 _(resource.uid).wont_be_nil
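Review bot: The added `it 'read guest user on Windows'` block loads the same `Guest` resource as the existing `it 'read disabled user on Windows'` block right below it, and its assertions repeat that block's pattern with `_(resource.groups).must_equal ['Users']` as the one line this commit actually needs. Folding that single assertion into the existing disabled-user test would cover the change without a second block that has to be kept in sync. The existing block's body continues past the end of the hunk, so whether it already asserts `groups` cannot be confirmed from here.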