Merge pull request #1681 from Happycoil/add-windows-user-groups
fetch user groups while building user object
b03ee9d0ba
5 changed files with 58 additions and 37 deletions
@ -576,42 +576,42 @@ module Inspec::Resources
|
||||||
def collect_user_details # rubocop:disable Metrics/MethodLength
|
def collect_user_details # rubocop:disable Metrics/MethodLength
|
||||||
return @users_cache if defined?(@users_cache)
|
return @users_cache if defined?(@users_cache)
|
||||||
script = <<-EOH
|
script = <<-EOH
|
||||||
Function ConvertTo-SID { Param([byte[]]$BinarySID)
|
Function ConvertTo-SID { Param([byte[]]$BinarySID)
|
||||||
(New-Object System.Security.Principal.SecurityIdentifier($BinarySID,0)).Value
|
(New-Object System.Security.Principal.SecurityIdentifier($BinarySID,0)).Value
|
||||||
}
|
}
|
||||||
|
|
||||||
Function Convert-UserFlag { Param ($UserFlag)
|
Function Convert-UserFlag { Param ($UserFlag)
|
||||||
$List = @()
|
$List = @()
|
||||||
Switch ($UserFlag) {
|
Switch ($UserFlag) {
|
||||||
($UserFlag -BOR 0x0001) { $List += 'SCRIPT' }
|
($UserFlag -BOR 0x0001) { $List += 'SCRIPT' }
|
||||||
($UserFlag -BOR 0x0002) { $List += 'ACCOUNTDISABLE' }
|
($UserFlag -BOR 0x0002) { $List += 'ACCOUNTDISABLE' }
|
||||||
($UserFlag -BOR 0x0008) { $List += 'HOMEDIR_REQUIRED' }
|
($UserFlag -BOR 0x0008) { $List += 'HOMEDIR_REQUIRED' }
|
||||||
($UserFlag -BOR 0x0010) { $List += 'LOCKOUT' }
|
($UserFlag -BOR 0x0010) { $List += 'LOCKOUT' }
|
||||||
($UserFlag -BOR 0x0020) { $List += 'PASSWD_NOTREQD' }
|
($UserFlag -BOR 0x0020) { $List += 'PASSWD_NOTREQD' }
|
||||||
($UserFlag -BOR 0x0040) { $List += 'PASSWD_CANT_CHANGE' }
|
($UserFlag -BOR 0x0040) { $List += 'PASSWD_CANT_CHANGE' }
|
||||||
($UserFlag -BOR 0x0080) { $List += 'ENCRYPTED_TEXT_PWD_ALLOWED' }
|
($UserFlag -BOR 0x0080) { $List += 'ENCRYPTED_TEXT_PWD_ALLOWED' }
|
||||||
($UserFlag -BOR 0x0100) { $List += 'TEMP_DUPLICATE_ACCOUNT' }
|
($UserFlag -BOR 0x0100) { $List += 'TEMP_DUPLICATE_ACCOUNT' }
|
||||||
($UserFlag -BOR 0x0200) { $List += 'NORMAL_ACCOUNT' }
|
($UserFlag -BOR 0x0200) { $List += 'NORMAL_ACCOUNT' }
|
||||||
($UserFlag -BOR 0x0800) { $List += 'INTERDOMAIN_TRUST_ACCOUNT' }
|
($UserFlag -BOR 0x0800) { $List += 'INTERDOMAIN_TRUST_ACCOUNT' }
|
||||||
($UserFlag -BOR 0x1000) { $List += 'WORKSTATION_TRUST_ACCOUNT' }
|
($UserFlag -BOR 0x1000) { $List += 'WORKSTATION_TRUST_ACCOUNT' }
|
||||||
($UserFlag -BOR 0x2000) { $List += 'SERVER_TRUST_ACCOUNT' }
|
($UserFlag -BOR 0x2000) { $List += 'SERVER_TRUST_ACCOUNT' }
|
||||||
($UserFlag -BOR 0x10000) { $List += 'DONT_EXPIRE_PASSWORD' }
|
($UserFlag -BOR 0x10000) { $List += 'DONT_EXPIRE_PASSWORD' }
|
||||||
($UserFlag -BOR 0x20000) { $List += 'MNS_LOGON_ACCOUNT' }
|
($UserFlag -BOR 0x20000) { $List += 'MNS_LOGON_ACCOUNT' }
|
||||||
($UserFlag -BOR 0x40000) { $List += 'SMARTCARD_REQUIRED' }
|
($UserFlag -BOR 0x40000) { $List += 'SMARTCARD_REQUIRED' }
|
||||||
($UserFlag -BOR 0x80000) { $List += 'TRUSTED_FOR_DELEGATION' }
|
($UserFlag -BOR 0x80000) { $List += 'TRUSTED_FOR_DELEGATION' }
|
||||||
($UserFlag -BOR 0x100000) { $List += 'NOT_DELEGATED' }
|
($UserFlag -BOR 0x100000) { $List += 'NOT_DELEGATED' }
|
||||||
($UserFlag -BOR 0x200000) { $List += 'USE_DES_KEY_ONLY' }
|
($UserFlag -BOR 0x200000) { $List += 'USE_DES_KEY_ONLY' }
|
||||||
($UserFlag -BOR 0x400000) { $List += 'DONT_REQ_PREAUTH' }
|
($UserFlag -BOR 0x400000) { $List += 'DONT_REQ_PREAUTH' }
|
||||||
($UserFlag -BOR 0x800000) { $List += 'PASSWORD_EXPIRED' }
|
($UserFlag -BOR 0x800000) { $List += 'PASSWORD_EXPIRED' }
|
||||||
($UserFlag -BOR 0x1000000) { $List += 'TRUSTED_TO_AUTH_FOR_DELEGATION' }
|
($UserFlag -BOR 0x1000000) { $List += 'TRUSTED_TO_AUTH_FOR_DELEGATION' }
|
||||||
($UserFlag -BOR 0x04000000) { $List += 'PARTIAL_SECRETS_ACCOUNT' }
|
($UserFlag -BOR 0x04000000) { $List += 'PARTIAL_SECRETS_ACCOUNT' }
|
||||||
}
|
}
|
||||||
$List
|
$List
|
||||||
}
|
}
|
||||||
|
|
||||||
$Computername = $Env:Computername
|
$Computername = $Env:Computername
|
||||||
$adsi = [ADSI]"WinNT://$Computername"
|
$adsi = [ADSI]"WinNT://$Computername"
|
||||||
$adsi.Children | where {$_.SchemaClassName -eq 'user'} | ForEach {
|
$adsi.Children | where {$_.SchemaClassName -eq 'user'} | ForEach {
|
||||||
New-Object PSObject -property @{
|
New-Object PSObject -property @{
|
||||||
uid = ConvertTo-SID -BinarySID $_.ObjectSID[0]
|
uid = ConvertTo-SID -BinarySID $_.ObjectSID[0]
|
||||||
username = $_.Name[0]
|
username = $_.Name[0]
|
||||||
|
@ -627,7 +627,7 @@ $adsi.Children | where {$_.SchemaClassName -eq 'user'} | ForEach {
|
||||||
maxbadpasswords = $_.MaxBadPasswordsAllowed[0]
|
maxbadpasswords = $_.MaxBadPasswordsAllowed[0]
|
||||||
gid = $null
|
gid = $null
|
||||||
group = $null
|
group = $null
|
||||||
groups = $null
|
groups = @($_.Groups() | Foreach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
|
||||||
home = $_.HomeDirectory[0]
|
home = $_.HomeDirectory[0]
|
||||||
shell = $null
|
shell = $null
|
||||||
domain = $Computername
|
domain = $Computername
|
||||||
|
|
|
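Review bot: The new `groups = @(...)` assignment yields an empty array for an account with no memberships, while every other unset field on this PSObject (`gid`, `group`, `shell`) stays `$null`, and neither the `adsiusers` fixture nor the unit tests in this commit cover that `[]` case, so a Ruby caller that used to test `groups.nil?` on Windows now sees a different type without any test pinning it. The pipeline also collects group display names rather than SIDs, unlike `uid` a few lines above, which is worth stating next to the line, e.g. `# local group names (not SIDs); @() when the account belongs to no group`. It is not visible from this hunk whether a failing `Groups()` or `InvokeMember` call for a single unresolved group drops the whole user object from the output; if it does, a `try`/`catch` around the name lookup would keep the user listed with the groups that did resolve. `collect_user_details` starts in the preceding hunk and its end lies outside this one.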
@ -231,7 +231,7 @@ class MockLoader
|
||||||
# user info for freebsd
|
# user info for freebsd
|
||||||
'pw usershow root -7' => cmd.call('pw-usershow-root-7'),
|
'pw usershow root -7' => cmd.call('pw-usershow-root-7'),
|
||||||
# user info for windows (winrm 1.6.0, 1.6.1)
|
# user info for windows (winrm 1.6.0, 1.6.1)
|
||||||
'21c8fabaade05b84ec979759a30814f04353722f173424921bddedc7b65cacbf' => cmd.call('adsiusers'),
|
'27c6cda89fa5d196506251c0ed0d20468b378c5689711981dc1e1e683c7b02c1' => cmd.call('adsiusers'),
|
||||||
# group info for windows
|
# group info for windows
|
||||||
'd8d5b3e3355650399e23857a526ee100b4e49e5c2404a0a5dbb7d85d7f4de5cc' => cmd.call('adsigroups'),
|
'd8d5b3e3355650399e23857a526ee100b4e49e5c2404a0a5dbb7d85d7f4de5cc' => cmd.call('adsigroups'),
|
||||||
# network interface
|
# network interface
|
||||||
|
|
|
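Review bot: The replaced `adsiusers` key carries no hint of how it was derived, so the next edit to the Windows user script will break this mapping without explanation; the 64-hex-character keys look like a digest of the command text that the mock loader hashes, but that derivation is not visible in this hunk and should be confirmed. A short comment above the entry, e.g. `# key is the digest of the PowerShell script in the windows user resource; regenerate it after editing that script`, would make the update reproducible for the next contributor. The `adsigroups` entry on the following line is unchanged by this commit.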
@ -30,7 +30,7 @@ elsif os.windows?
|
||||||
groupname: nil,
|
groupname: nil,
|
||||||
uid: nil,
|
uid: nil,
|
||||||
gid: nil,
|
gid: nil,
|
||||||
groups: nil,
|
groups: "Administrators",
|
||||||
home: nil,
|
home: nil,
|
||||||
shell: nil,
|
shell: nil,
|
||||||
}
|
}
|
||||||
|
@ -91,6 +91,7 @@ if os.windows?
|
||||||
it { should exist }
|
it { should exist }
|
||||||
# should return the SID of the user
|
# should return the SID of the user
|
||||||
its('uid') { should_not eq nil}
|
its('uid') { should_not eq nil}
|
||||||
|
its('groups') { should include userinfo[:groups] }
|
||||||
end
|
end
|
||||||
|
|
||||||
# also support simple username for local users without domain
|
# also support simple username for local users without domain
|
||||||
|
@ -98,6 +99,7 @@ if os.windows?
|
||||||
it { should exist }
|
it { should exist }
|
||||||
# should return the SID of the user
|
# should return the SID of the user
|
||||||
its('uid') { should_not eq nil}
|
its('uid') { should_not eq nil}
|
||||||
|
its('groups') { should include userinfo[:groups] }
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
# test single `user` resource
|
# test single `user` resource
|
||||||
|
|
|
@ -18,7 +18,10 @@
|
||||||
"NORMAL_ACCOUNT",
|
"NORMAL_ACCOUNT",
|
||||||
"PASSWORD_EXPIRED"
|
"PASSWORD_EXPIRED"
|
||||||
],
|
],
|
||||||
"groups": null,
|
"groups": [
|
||||||
|
"Administrators",
|
||||||
|
"Users"
|
||||||
|
],
|
||||||
"gid": null,
|
"gid": null,
|
||||||
"maxdays": 42,
|
"maxdays": 42,
|
||||||
"shell": null
|
"shell": null
|
||||||
|
@ -45,7 +48,9 @@
|
||||||
"NORMAL_ACCOUNT",
|
"NORMAL_ACCOUNT",
|
||||||
"DONT_EXPIRE_PASSWORD"
|
"DONT_EXPIRE_PASSWORD"
|
||||||
],
|
],
|
||||||
"groups": null,
|
"groups": [
|
||||||
|
"Users"
|
||||||
|
],
|
||||||
"gid": null,
|
"gid": null,
|
||||||
"maxdays": 42,
|
"maxdays": 42,
|
||||||
"shell": null
|
"shell": null
|
||||||
|
|
|
@ -98,12 +98,12 @@ describe 'Inspec::Resources::User' do
|
||||||
_(resource.warndays).must_equal nil
|
_(resource.warndays).must_equal nil
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'read user on Windows' do
|
it 'read administrator user on Windows' do
|
||||||
resource = MockLoader.new(:windows).load_resource('user', 'Administrator')
|
resource = MockLoader.new(:windows).load_resource('user', 'Administrator')
|
||||||
_(resource.uid).wont_be_nil
|
_(resource.uid).wont_be_nil
|
||||||
_(resource.exists?).must_equal true
|
_(resource.exists?).must_equal true
|
||||||
_(resource.group).must_equal nil
|
_(resource.group).must_equal nil
|
||||||
_(resource.groups).must_equal nil
|
_(resource.groups).must_equal ['Administrators', 'Users']
|
||||||
_(resource.home).must_equal nil
|
_(resource.home).must_equal nil
|
||||||
_(resource.shell).must_equal nil
|
_(resource.shell).must_equal nil
|
||||||
_(resource.mindays).must_equal nil
|
_(resource.mindays).must_equal nil
|
||||||
|
@ -112,6 +112,20 @@ describe 'Inspec::Resources::User' do
|
||||||
_(resource.disabled?).must_equal false
|
_(resource.disabled?).must_equal false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'read guest user on Windows' do
|
||||||
|
resource = MockLoader.new(:windows).load_resource('user', 'Guest')
|
||||||
|
_(resource.uid).wont_be_nil
|
||||||
|
_(resource.exists?).must_equal true
|
||||||
|
_(resource.group).must_equal nil
|
||||||
|
_(resource.groups).must_equal ['Users']
|
||||||
|
_(resource.home).must_equal nil
|
||||||
|
_(resource.shell).must_equal nil
|
||||||
|
_(resource.mindays).must_equal nil
|
||||||
|
_(resource.maxdays).must_equal nil
|
||||||
|
_(resource.warndays).must_equal nil
|
||||||
|
_(resource.disabled?).must_equal true
|
||||||
|
end
|
||||||
|
|
||||||
it 'read disabled user on Windows' do
|
it 'read disabled user on Windows' do
|
||||||
resource = MockLoader.new(:windows).load_resource('user', 'Guest')
|
resource = MockLoader.new(:windows).load_resource('user', 'Guest')
|
||||||
_(resource.uid).wont_be_nil
|
_(resource.uid).wont_be_nil
|
||||||
|
|
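Review bot: The added `it 'read guest user on Windows'` block overlaps the existing `it 'read disabled user on Windows'` test that immediately follows it: both load `Guest` through `MockLoader.new(:windows)`, the `_(resource.uid).wont_be_nil` assertion is visibly repeated, and the older test's remaining assertions sit outside this hunk, so it is likely that only `_(resource.groups).must_equal ['Users']` adds new coverage. Folding that single assertion into the existing disabled-user test, or trimming the new block to the assertions the older one does not make, would keep the spec from exercising the same mocked account twice. The renamed `'read administrator user on Windows'` test in the earlier hunk starts outside its hunk, so the same overlap cannot be checked there.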