From a2143b824985449c6b38d735815a3e8391434090 Mon Sep 17 00:00:00 2001
From: Christoph Hartmann
Date: Fri, 9 Sep 2016 15:03:35 +0200
Subject: [PATCH] identify enabled/disabled accounts for windows
---
 lib/resources/users.rb | 19 ++++++++++++++-----
 test/helper.rb | 2 +-
 test/unit/mock/cmd/GetUserAccount | 3 ++-
 test/unit/resources/user_test.rb | 1 +
 4 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/lib/resources/users.rb b/lib/resources/users.rb
index 21a75160b..c9dc11292 100644
--- a/lib/resources/users.rb
+++ b/lib/resources/users.rb
@@ -81,9 +81,10 @@ module Inspec::Resources
 .add(:mindays, field: :mindays)
 .add(:maxdays, field: :maxdays)
 .add(:warndays, field: :warndays)
- .add(:exists?) { |x|
- !x.entries.empty?
- }
+ .add(:disabled, field: :disabled)
+ .add(:exists?) { |x| !x.entries.empty? }
+ .add(:disabled?) { |x| x.where { disabled == false }.entries.empty? }
+ .add(:enabled?) { |x| x.where { disabled == true }.entries.empty? }
 filter.connect(self, :collect_user_details)
 def to_s
@@ -157,6 +158,14 @@ module Inspec::Resources
 !identity.nil? && !identity[:username].nil?
 end
+ def disabled?
+ identity[:disabled] == true unless identity.nil?
+ end
+
+ def enabled?
+ identity[:disabled] == false unless identity.nil?
+ end
+
 def username
 identity[:username] unless identity.nil?
 end
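Review bot: The table-level `disabled?` and `enabled?` predicates added to the filter chain in the `@@ -81` hunk are vacuously true. `disabled?` only checks that no entry has `disabled == false`, so it returns true for an empty result set and for entries whose `disabled` is nil, and `enabled?` behaves the same way. Within this patch only the Windows mapping sets `:disabled`, so on other platforms a control using `disabled?` on a filtered `users` set would presumably pass without any account state having been read. Requiring a non-empty set and rejecting anything that is not the positive value avoids this: `.add(:disabled?) { |x| !x.entries.empty? && x.where { disabled != true }.entries.empty? }`, with `disabled != false` as the mirror for `enabled?`.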
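Review bot: The single-user `disabled?` and `enabled?` added in the `@@ -157` hunk are not complements when the account state is unknown. With `identity[:disabled]` nil both return false, and with `identity` nil both return nil. The only visible writer of `:disabled` is the Windows mapping later in this patch, so elsewhere a check that the user is not disabled would presumably pass although nothing was collected, while a check that it is enabled would fail for every account. At minimum this should be documented above the two methods, e.g. `# Windows only: :disabled is nil on other platforms, and then neither disabled? nor enabled? is true`. The enclosing class starts and ends outside the hunk.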
@@ -576,7 +585,7 @@ module Inspec::Resources
 # get related groups
 $groups = $user.GetRelated('Win32_Group') | Select-Object -Property Caption, Domain, Name, LocalAccount, SID, SIDType, Status
 # filter user information
- $user = $user | Select-Object -Property Caption, Description, Domain, Name, LocalAccount, Lockout, PasswordChangeable, PasswordExpires, PasswordRequired, SID, SIDType, Status
+ $user = $user | Select-Object -Property Caption, Description, Domain, Name, LocalAccount, Lockout, PasswordChangeable, PasswordExpires, PasswordRequired, SID, SIDType, Status, Disabled
 # build response object
 New-Object -Type PSObject | `
 Add-Member -MemberType NoteProperty -Name User -Value ($user) -PassThru | `
@@ -599,13 +608,13 @@ module Inspec::Resources
 # if groups is no array, generate one
 group_hashes = [group_hashes] unless group_hashes.is_a?(Array)
 group_names = group_hashes.map { |grp| grp['Caption'] }
-
 {
 uid: user_hash['SID'],
 username: user_hash['Caption'],
 gid: nil,
 group: nil,
 groups: group_names,
+ disabled: user_hash['Disabled'],
 }
 end
diff --git a/test/helper.rb b/test/helper.rb
index 550b2ee05..ae2054803 100644
--- a/test/helper.rb
+++ b/test/helper.rb
@@ -208,7 +208,7 @@ class MockLoader
 # user info for freebsd
 'pw usershow root -7' => cmd.call('pw-usershow-root-7'),
 # user info for windows (winrm 1.6.0, 1.6.1)
- '1f2dd0691487fe7ca8169dfd764e0197e6303f17de416e7c1b7439aedef87ae7' => cmd.call('GetUserAccount'),
+ '942eeec2b290bda610229d4bd29981ee945ed27b0f4ce7cca099aabe38af6386' => cmd.call('GetUserAccount'),
 # group info for windows
 'Get-WmiObject Win32_Group | Select-Object -Property Caption, Domain, Name, SID, LocalAccount | ConvertTo-Json' => cmd.call('GetWin32Group'),
 # network interface
diff --git a/test/unit/mock/cmd/GetUserAccount b/test/unit/mock/cmd/GetUserAccount
index 499a825a5..2b9cc5a7f 100644
--- a/test/unit/mock/cmd/GetUserAccount
+++ b/test/unit/mock/cmd/GetUserAccount
@@ -11,7 +11,8 @@
 "PasswordRequired": true,
 "SID": "S-1-5-21-725088257-906184668-2367214287-500",
 "SIDType": 1,
- "Status": "OK"
+ "Status": "OK",
+ "Disabled": false
 },
 "Groups": [{
 "Caption": "WIN-K0AKLED332V\\Administrators",
diff --git a/test/unit/resources/user_test.rb b/test/unit/resources/user_test.rb
index d37f3c943..6d22d2f01 100644
--- a/test/unit/resources/user_test.rb
+++ b/test/unit/resources/user_test.rb
@@ -109,6 +109,7 @@ describe 'Inspec::Resources::User' do
 _(resource.mindays).must_equal nil
 _(resource.maxdays).must_equal nil
 _(resource.warndays).must_equal nil
+ _(resource.disabled?).must_equal false
 end
 it 'read user on undefined os' do
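Review bot: The one assertion added in user_test.rb checks only `disabled?` on an enabled Windows account, so most of the new behaviour is untested. Nothing exercises `enabled?`, an account whose mock data has `"Disabled": true`, the new `disabled?`/`enabled?` predicates on the `users` filter table, or a platform that leaves `:disabled` unset. Adding `_(resource.enabled?).must_equal true` beside the new line would be a start, and a second mock with a disabled account would show the two predicates can be told apart. The `it` block starts outside the hunk.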