Merge pull request #1681 from Happycoil/add-windows-user-groups

fetch user groups while building user object
This commit is contained in:
Christoph Hartmann 2017-04-21 11:00:49 +02:00 committed by GitHub
commit b03ee9d0ba
5 changed files with 58 additions and 37 deletions

View file

@ -576,42 +576,42 @@ module Inspec::Resources
def collect_user_details # rubocop:disable Metrics/MethodLength def collect_user_details # rubocop:disable Metrics/MethodLength
return @users_cache if defined?(@users_cache) return @users_cache if defined?(@users_cache)
script = <<-EOH script = <<-EOH
Function ConvertTo-SID { Param([byte[]]$BinarySID) Function ConvertTo-SID { Param([byte[]]$BinarySID)
(New-Object System.Security.Principal.SecurityIdentifier($BinarySID,0)).Value (New-Object System.Security.Principal.SecurityIdentifier($BinarySID,0)).Value
} }
Function Convert-UserFlag { Param ($UserFlag) Function Convert-UserFlag { Param ($UserFlag)
$List = @() $List = @()
Switch ($UserFlag) { Switch ($UserFlag) {
($UserFlag -BOR 0x0001) { $List += 'SCRIPT' } ($UserFlag -BOR 0x0001) { $List += 'SCRIPT' }
($UserFlag -BOR 0x0002) { $List += 'ACCOUNTDISABLE' } ($UserFlag -BOR 0x0002) { $List += 'ACCOUNTDISABLE' }
($UserFlag -BOR 0x0008) { $List += 'HOMEDIR_REQUIRED' } ($UserFlag -BOR 0x0008) { $List += 'HOMEDIR_REQUIRED' }
($UserFlag -BOR 0x0010) { $List += 'LOCKOUT' } ($UserFlag -BOR 0x0010) { $List += 'LOCKOUT' }
($UserFlag -BOR 0x0020) { $List += 'PASSWD_NOTREQD' } ($UserFlag -BOR 0x0020) { $List += 'PASSWD_NOTREQD' }
($UserFlag -BOR 0x0040) { $List += 'PASSWD_CANT_CHANGE' } ($UserFlag -BOR 0x0040) { $List += 'PASSWD_CANT_CHANGE' }
($UserFlag -BOR 0x0080) { $List += 'ENCRYPTED_TEXT_PWD_ALLOWED' } ($UserFlag -BOR 0x0080) { $List += 'ENCRYPTED_TEXT_PWD_ALLOWED' }
($UserFlag -BOR 0x0100) { $List += 'TEMP_DUPLICATE_ACCOUNT' } ($UserFlag -BOR 0x0100) { $List += 'TEMP_DUPLICATE_ACCOUNT' }
($UserFlag -BOR 0x0200) { $List += 'NORMAL_ACCOUNT' } ($UserFlag -BOR 0x0200) { $List += 'NORMAL_ACCOUNT' }
($UserFlag -BOR 0x0800) { $List += 'INTERDOMAIN_TRUST_ACCOUNT' } ($UserFlag -BOR 0x0800) { $List += 'INTERDOMAIN_TRUST_ACCOUNT' }
($UserFlag -BOR 0x1000) { $List += 'WORKSTATION_TRUST_ACCOUNT' } ($UserFlag -BOR 0x1000) { $List += 'WORKSTATION_TRUST_ACCOUNT' }
($UserFlag -BOR 0x2000) { $List += 'SERVER_TRUST_ACCOUNT' } ($UserFlag -BOR 0x2000) { $List += 'SERVER_TRUST_ACCOUNT' }
($UserFlag -BOR 0x10000) { $List += 'DONT_EXPIRE_PASSWORD' } ($UserFlag -BOR 0x10000) { $List += 'DONT_EXPIRE_PASSWORD' }
($UserFlag -BOR 0x20000) { $List += 'MNS_LOGON_ACCOUNT' } ($UserFlag -BOR 0x20000) { $List += 'MNS_LOGON_ACCOUNT' }
($UserFlag -BOR 0x40000) { $List += 'SMARTCARD_REQUIRED' } ($UserFlag -BOR 0x40000) { $List += 'SMARTCARD_REQUIRED' }
($UserFlag -BOR 0x80000) { $List += 'TRUSTED_FOR_DELEGATION' } ($UserFlag -BOR 0x80000) { $List += 'TRUSTED_FOR_DELEGATION' }
($UserFlag -BOR 0x100000) { $List += 'NOT_DELEGATED' } ($UserFlag -BOR 0x100000) { $List += 'NOT_DELEGATED' }
($UserFlag -BOR 0x200000) { $List += 'USE_DES_KEY_ONLY' } ($UserFlag -BOR 0x200000) { $List += 'USE_DES_KEY_ONLY' }
($UserFlag -BOR 0x400000) { $List += 'DONT_REQ_PREAUTH' } ($UserFlag -BOR 0x400000) { $List += 'DONT_REQ_PREAUTH' }
($UserFlag -BOR 0x800000) { $List += 'PASSWORD_EXPIRED' } ($UserFlag -BOR 0x800000) { $List += 'PASSWORD_EXPIRED' }
($UserFlag -BOR 0x1000000) { $List += 'TRUSTED_TO_AUTH_FOR_DELEGATION' } ($UserFlag -BOR 0x1000000) { $List += 'TRUSTED_TO_AUTH_FOR_DELEGATION' }
($UserFlag -BOR 0x04000000) { $List += 'PARTIAL_SECRETS_ACCOUNT' } ($UserFlag -BOR 0x04000000) { $List += 'PARTIAL_SECRETS_ACCOUNT' }
} }
$List $List
} }
$Computername = $Env:Computername $Computername = $Env:Computername
$adsi = [ADSI]"WinNT://$Computername" $adsi = [ADSI]"WinNT://$Computername"
$adsi.Children | where {$_.SchemaClassName -eq 'user'} | ForEach { $adsi.Children | where {$_.SchemaClassName -eq 'user'} | ForEach {
New-Object PSObject -property @{ New-Object PSObject -property @{
uid = ConvertTo-SID -BinarySID $_.ObjectSID[0] uid = ConvertTo-SID -BinarySID $_.ObjectSID[0]
username = $_.Name[0] username = $_.Name[0]
@ -627,7 +627,7 @@ $adsi.Children | where {$_.SchemaClassName -eq 'user'} | ForEach {
maxbadpasswords = $_.MaxBadPasswordsAllowed[0] maxbadpasswords = $_.MaxBadPasswordsAllowed[0]
gid = $null gid = $null
group = $null group = $null
groups = $null groups = @($_.Groups() | Foreach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
home = $_.HomeDirectory[0] home = $_.HomeDirectory[0]
shell = $null shell = $null
domain = $Computername domain = $Computername

View file

@ -231,7 +231,7 @@ class MockLoader
# user info for freebsd # user info for freebsd
'pw usershow root -7' => cmd.call('pw-usershow-root-7'), 'pw usershow root -7' => cmd.call('pw-usershow-root-7'),
# user info for windows (winrm 1.6.0, 1.6.1) # user info for windows (winrm 1.6.0, 1.6.1)
'21c8fabaade05b84ec979759a30814f04353722f173424921bddedc7b65cacbf' => cmd.call('adsiusers'), '27c6cda89fa5d196506251c0ed0d20468b378c5689711981dc1e1e683c7b02c1' => cmd.call('adsiusers'),
# group info for windows # group info for windows
'd8d5b3e3355650399e23857a526ee100b4e49e5c2404a0a5dbb7d85d7f4de5cc' => cmd.call('adsigroups'), 'd8d5b3e3355650399e23857a526ee100b4e49e5c2404a0a5dbb7d85d7f4de5cc' => cmd.call('adsigroups'),
# network interface # network interface

View file

@ -30,7 +30,7 @@ elsif os.windows?
groupname: nil, groupname: nil,
uid: nil, uid: nil,
gid: nil, gid: nil,
groups: nil, groups: "Administrators",
home: nil, home: nil,
shell: nil, shell: nil,
} }
@ -91,6 +91,7 @@ if os.windows?
it { should exist } it { should exist }
# should return the SID of the user # should return the SID of the user
its('uid') { should_not eq nil} its('uid') { should_not eq nil}
its('groups') { should include userinfo[:groups] }
end end
# also support simple username for local users without domain # also support simple username for local users without domain
@ -98,6 +99,7 @@ if os.windows?
it { should exist } it { should exist }
# should return the SID of the user # should return the SID of the user
its('uid') { should_not eq nil} its('uid') { should_not eq nil}
its('groups') { should include userinfo[:groups] }
end end
else else
# test single `user` resource # test single `user` resource

View file

@ -18,7 +18,10 @@
"NORMAL_ACCOUNT", "NORMAL_ACCOUNT",
"PASSWORD_EXPIRED" "PASSWORD_EXPIRED"
], ],
"groups": null, "groups": [
"Administrators",
"Users"
],
"gid": null, "gid": null,
"maxdays": 42, "maxdays": 42,
"shell": null "shell": null
@ -45,7 +48,9 @@
"NORMAL_ACCOUNT", "NORMAL_ACCOUNT",
"DONT_EXPIRE_PASSWORD" "DONT_EXPIRE_PASSWORD"
], ],
"groups": null, "groups": [
"Users"
],
"gid": null, "gid": null,
"maxdays": 42, "maxdays": 42,
"shell": null "shell": null

View file

@ -98,12 +98,12 @@ describe 'Inspec::Resources::User' do
_(resource.warndays).must_equal nil _(resource.warndays).must_equal nil
end end
it 'read user on Windows' do it 'read administrator user on Windows' do
resource = MockLoader.new(:windows).load_resource('user', 'Administrator') resource = MockLoader.new(:windows).load_resource('user', 'Administrator')
_(resource.uid).wont_be_nil _(resource.uid).wont_be_nil
_(resource.exists?).must_equal true _(resource.exists?).must_equal true
_(resource.group).must_equal nil _(resource.group).must_equal nil
_(resource.groups).must_equal nil _(resource.groups).must_equal ['Administrators', 'Users']
_(resource.home).must_equal nil _(resource.home).must_equal nil
_(resource.shell).must_equal nil _(resource.shell).must_equal nil
_(resource.mindays).must_equal nil _(resource.mindays).must_equal nil
@ -112,6 +112,20 @@ describe 'Inspec::Resources::User' do
_(resource.disabled?).must_equal false _(resource.disabled?).must_equal false
end end
it 'read guest user on Windows' do
resource = MockLoader.new(:windows).load_resource('user', 'Guest')
_(resource.uid).wont_be_nil
_(resource.exists?).must_equal true
_(resource.group).must_equal nil
_(resource.groups).must_equal ['Users']
_(resource.home).must_equal nil
_(resource.shell).must_equal nil
_(resource.mindays).must_equal nil
_(resource.maxdays).must_equal nil
_(resource.warndays).must_equal nil
_(resource.disabled?).must_equal true
end
it 'read disabled user on Windows' do it 'read disabled user on Windows' do
resource = MockLoader.new(:windows).load_resource('user', 'Guest') resource = MockLoader.new(:windows).load_resource('user', 'Guest')
_(resource.uid).wont_be_nil _(resource.uid).wont_be_nil