1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
|
require 'spec_helper'
describe "Puppet::Util::Windows::User", :if => Puppet.features.microsoft_windows? do
describe "2003 without UAC" do
before :each do
allow(Puppet::Util::Windows::Process).to receive(:windows_major_version).and_return(5)
allow(Puppet::Util::Windows::Process).to receive(:supports_elevated_security?).and_return(false)
end
it "should be an admin if user's token contains the Administrators SID" do
expect(Puppet::Util::Windows::User).to receive(:check_token_membership).and_return(true)
expect(Puppet::Util::Windows::User).to be_admin
end
it "should not be an admin if user's token doesn't contain the Administrators SID" do
expect(Puppet::Util::Windows::User).to receive(:check_token_membership).and_return(false)
expect(Puppet::Util::Windows::User).not_to be_admin
end
it "should raise an exception if we can't check token membership" do
expect(Puppet::Util::Windows::User).to receive(:check_token_membership).and_raise(Puppet::Util::Windows::Error, "Access denied.")
expect { Puppet::Util::Windows::User.admin? }.to raise_error(Puppet::Util::Windows::Error, /Access denied./)
end
end
context "2008 with UAC" do
before :each do
allow(Puppet::Util::Windows::Process).to receive(:windows_major_version).and_return(6)
allow(Puppet::Util::Windows::Process).to receive(:supports_elevated_security?).and_return(true)
end
describe "in local administrators group" do
before :each do
allow(Puppet::Util::Windows::User).to receive(:check_token_membership).and_return(true)
end
it "should be an admin if user is running with elevated privileges" do
allow(Puppet::Util::Windows::Process).to receive(:elevated_security?).and_return(true)
expect(Puppet::Util::Windows::User).to be_admin
end
it "should not be an admin if user is not running with elevated privileges" do
allow(Puppet::Util::Windows::Process).to receive(:elevated_security?).and_return(false)
expect(Puppet::Util::Windows::User).not_to be_admin
end
it "should raise an exception if the process fails to open the process token" do
allow(Puppet::Util::Windows::Process).to receive(:elevated_security?).and_raise(Puppet::Util::Windows::Error, "Access denied.")
expect { Puppet::Util::Windows::User.admin? }.to raise_error(Puppet::Util::Windows::Error, /Access denied./)
end
end
describe "not in local administrators group" do
before :each do
allow(Puppet::Util::Windows::User).to receive(:check_token_membership).and_return(false)
end
it "should not be an admin if user is running with elevated privileges" do
allow(Puppet::Util::Windows::Process).to receive(:elevated_security?).and_return(true)
expect(Puppet::Util::Windows::User).not_to be_admin
end
it "should not be an admin if user is not running with elevated privileges" do
allow(Puppet::Util::Windows::Process).to receive(:elevated_security?).and_return(false)
expect(Puppet::Util::Windows::User).not_to be_admin
end
end
end
describe "module function" do
let(:username) { 'fabio' }
let(:bad_password) { 'goldilocks' }
let(:logon_fail_msg) { /Failed to logon user "fabio": Logon failure: unknown user name or bad password./ }
def expect_logon_failure_error(&block)
expect {
yield
}.to raise_error { |error|
expect(error).to be_a(Puppet::Util::Windows::Error)
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681385(v=vs.85).aspx
# ERROR_LOGON_FAILURE 1326
expect(error.code).to eq(1326)
}
end
describe "load_profile" do
it "should raise an error when provided with an incorrect username and password" do
expect_logon_failure_error {
Puppet::Util::Windows::User.load_profile(username, bad_password)
}
end
it "should raise an error when provided with an incorrect username and nil password" do
expect_logon_failure_error {
Puppet::Util::Windows::User.load_profile(username, nil)
}
end
end
describe "logon_user" do
let(:fLOGON32_PROVIDER_DEFAULT) {0}
let(:fLOGON32_LOGON_INTERACTIVE) {2}
let(:fLOGON32_LOGON_NETWORK) {3}
let(:token) {'test'}
let(:user) {'test'}
let(:passwd) {'test'}
it "should raise an error when provided with an incorrect username and password" do
expect_logon_failure_error {
Puppet::Util::Windows::User.logon_user(username, bad_password)
}
end
it "should raise an error when provided with an incorrect username and nil password" do
expect_logon_failure_error {
Puppet::Util::Windows::User.logon_user(username, nil)
}
end
it 'should raise error given that logon returns false' do
allow(Puppet::Util::Windows::User).to receive(:logon_user_by_logon_type).with(
user, passwd, fLOGON32_LOGON_NETWORK, fLOGON32_PROVIDER_DEFAULT, anything).and_return (0)
allow(Puppet::Util::Windows::User).to receive(:logon_user_by_logon_type).with(
user, passwd, fLOGON32_LOGON_INTERACTIVE, fLOGON32_PROVIDER_DEFAULT, anything).and_return(0)
expect {Puppet::Util::Windows::User.logon_user(user, passwd) {}}
.to raise_error(Puppet::Util::Windows::Error, /Failed to logon user/)
end
end
describe "password_is?" do
it "should return false given an incorrect username and password" do
expect(Puppet::Util::Windows::User.password_is?(username, bad_password)).to be_falsey
end
it "should return false given a nil username and an incorrect password" do
expect(Puppet::Util::Windows::User.password_is?(nil, bad_password)).to be_falsey
end
context "with a correct password" do
it "should return true even if account restrictions are in place " do
error = Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::User::ERROR_ACCOUNT_RESTRICTION)
allow(Puppet::Util::Windows::User).to receive(:logon_user).and_raise(error)
expect(Puppet::Util::Windows::User.password_is?(username, 'p@ssword')).to be(true)
end
it "should return true even for an account outside of logon hours" do
error = Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::User::ERROR_INVALID_LOGON_HOURS)
allow(Puppet::Util::Windows::User).to receive(:logon_user).and_raise(error)
expect(Puppet::Util::Windows::User.password_is?(username, 'p@ssword')).to be(true)
end
it "should return true even for an account not allowed to log into this workstation" do
error = Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::User::ERROR_INVALID_WORKSTATION)
allow(Puppet::Util::Windows::User).to receive(:logon_user).and_raise(error)
expect(Puppet::Util::Windows::User.password_is?(username, 'p@ssword')).to be(true)
end
it "should return true even for a disabled account" do
error = Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::User::ERROR_ACCOUNT_DISABLED)
allow(Puppet::Util::Windows::User).to receive(:logon_user).and_raise(error)
expect(Puppet::Util::Windows::User.password_is?(username, 'p@ssword')).to be(true)
end
end
end
describe "check_token_membership" do
it "should not raise an error" do
# added just to call an FFI code path on all platforms
expect { Puppet::Util::Windows::User.check_token_membership }.not_to raise_error
end
end
end
end
|
