chef 0.10.8 → 0.10.10.beta.1

data/lib/chef/win32/security/ace.rb

@@ -0,0 +1,125 @@
+#
+# Author:: John Keiser (<jkeiser@opscode.com>)
+# Copyright:: Copyright 2011 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/win32/security'
+require 'chef/win32/security/sid'
+require 'chef/win32/memory'
+
+require 'ffi'
+
+class Chef
+  module Win32
+    class Security
+      class ACE
+
+        def initialize(pointer, owner = nil)
+          if Chef::Win32::API::Security::ACE_WITH_MASK_AND_SID.supports?(pointer.read_uchar)
+            @struct = Chef::Win32::API::Security::ACE_WITH_MASK_AND_SID.new pointer
+          else
+            # TODO Support ALL the things
+            @struct = Chef::Win32::API::Security::ACE_HEADER.new pointer
+          end
+          # Keep a reference to the actual owner of this memory so we don't get freed
+          @owner = owner
+        end
+
+        def self.size_with_sid(sid)
+          Chef::Win32::API::Security::ACE_WITH_MASK_AND_SID.offset_of(:SidStart) + sid.size
+        end
+
+        def self.access_allowed(sid, mask, flags = 0)
+          create_ace_with_mask_and_sid(Chef::Win32::API::Security::ACCESS_ALLOWED_ACE_TYPE, flags, mask, sid)
+        end
+
+        def self.access_denied(sid, mask, flags = 0)
+          create_ace_with_mask_and_sid(Chef::Win32::API::Security::ACCESS_DENIED_ACE_TYPE, flags, mask, sid)
+        end
+
+        attr_reader :struct
+
+        def ==(other)
+          type == other.type && flags == other.flags && mask == other.mask && sid == other.sid
+        end
+
+        def dup
+          ACE.create_ace_with_mask_and_sid(type, flags, mask, sid)
+        end
+
+        def flags
+          struct[:AceFlags]
+        end
+
+        def flags=(val)
+          struct[:AceFlags] = val
+        end
+
+        def explicit?
+          ! inherited?
+        end
+
+        def inherited?
+          (struct[:AceFlags] & Chef::Win32::API::Security::INHERITED_ACE) != 0
+        end
+
+        def mask
+          struct[:Mask]
+        end
+
+        def mask=(val)
+          struct[:Mask] = val
+        end
+
+        def pointer
+          struct.pointer
+        end
+
+        def size
+          struct[:AceSize]
+        end
+
+        def sid
+          # The SID runs off the end of the structure, starting at :SidStart.
+          # Use pointer arithmetic to get a pointer to that location.
+          Chef::Win32::Security::SID.new(struct.pointer + struct.offset_of(:SidStart))
+        end
+
+        def to_s
+          "#{sid.account_name}/flags:#{flags.to_s(16)}/mask:#{mask.to_s(16)}"
+        end
+
+        def type
+          struct[:AceType]
+        end
+
+        private
+
+        def self.create_ace_with_mask_and_sid(type, flags, mask, sid)
+          size_needed = size_with_sid(sid)
+          pointer = FFI::MemoryPointer.new size_needed
+          struct = Chef::Win32::API::Security::ACE_WITH_MASK_AND_SID.new pointer
+          struct[:AceType] = type
+          struct[:AceFlags] = flags
+          struct[:AceSize] = size_needed
+          struct[:Mask] = mask
+          Chef::Win32::Memory.memcpy(struct.pointer + struct.offset_of(:SidStart), sid.pointer, sid.size)
+          ACE.new(struct.pointer)
+        end
+      end
+    end
+  end
+end

data/lib/chef/win32/security/acl.rb

@@ -0,0 +1,101 @@
+#
+# Author:: John Keiser (<jkeiser@opscode.com>)
+# Copyright:: Copyright 2011 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/win32/security'
+require 'chef/win32/security/ace'
+require 'ffi'
+
+class Chef
+  module Win32
+    class Security
+      class ACL
+        include Enumerable
+
+        def initialize(pointer, owner = nil)
+          @struct = Chef::Win32::API::Security::ACLStruct.new pointer
+          # Keep a reference to the actual owner of this memory so that it isn't freed out from under us
+          # TODO this could be avoided if we could mark a pointer's parent manually
+          @owner = owner
+        end
+
+        def self.create(aces)
+          aces_size = aces.inject(0) { |sum,ace| sum + ace.size }
+          acl_size = align_dword(Chef::Win32::API::Security::ACLStruct.size + aces_size) # What the heck is 94???
+          acl = Chef::Win32::Security.initialize_acl(acl_size)
+          aces.each { |ace| Chef::Win32::Security.add_ace(acl, ace) }
+          acl
+        end
+
+        attr_reader :struct
+
+        def ==(other)
+          return false if length != other.length
+          0.upto(length-1) do |i|
+            return false if self[i] != other[i]
+          end
+          return true
+        end
+
+        def pointer
+          struct.pointer
+        end
+
+        def [](index)
+          Chef::Win32::Security.get_ace(self, index)
+        end
+
+        def delete_at(index)
+          Chef::Win32::Security.delete_ace(self, index)
+        end
+
+        def each
+          0.upto(length-1) { |i| yield self[i] }
+        end
+
+        def insert(index, *aces)
+          aces.reverse_each { |ace| add_ace(self, ace, index) }
+        end
+
+        def length
+          struct[:AceCount]
+        end
+
+        def push(*aces)
+          aces.each { |ace| Chef::Win32::Security.add_ace(self, ace) }
+        end
+
+        def unshift(*aces)
+          aces.each { |ace| Chef::Win32::Security.add_ace(self, ace, 0) }
+        end
+
+        def valid?
+          Chef::Win32::Security.is_valid_acl(self)
+        end
+
+        def to_s
+          "[#{self.collect { |ace| ace.to_s }.join(", ")}]"
+        end
+        private
+
+        def self.align_dword(size)
+          (size + 4 - 1) & 0xfffffffc
+        end
+      end
+    end
+  end
+end

data/lib/chef/win32/security/securable_object.rb

@@ -0,0 +1,109 @@
+#
+# Author:: John Keiser (<jkeiser@opscode.com>)
+# Copyright:: Copyright 2011 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/win32/security'
+require 'chef/win32/security/acl'
+require 'chef/win32/security/sid'
+
+class Chef
+  module Win32
+    class Security
+      class SecurableObject
+
+        def initialize(path, type = :SE_FILE_OBJECT)
+          @path = path
+          @type = type
+        end
+
+        attr_reader :path
+        attr_reader :type
+
+        SecurityConst = Chef::Win32::API::Security
+
+        # This method predicts what the rights mask would be on an object
+        # if you created an ACE with the given mask.  Specifically, it looks for
+        # generic attributes like GENERIC_READ, and figures out what specific
+        # attributes will be set.  This is important if you want to try to
+        # compare an existing ACE with one you want to create.
+        def predict_rights_mask(generic_mask)
+          mask = generic_mask
+          #mask |= Chef::Win32::API::Security::STANDARD_RIGHTS_READ if (mask | Chef::Win32::API::Security::GENERIC_READ) != 0
+          #mask |= Chef::Win32::API::Security::STANDARD_RIGHTS_WRITE if (mask | Chef::Win32::API::Security::GENERIC_WRITE) != 0
+          #mask |= Chef::Win32::API::Security::STANDARD_RIGHTS_EXECUTE if (mask | Chef::Win32::API::Security::GENERIC_EXECUTE) != 0
+          #mask |= Chef::Win32::API::Security::STANDARD_RIGHTS_ALL if (mask | Chef::Win32::API::Security::GENERIC_ALL) != 0
+          if type == :SE_FILE_OBJECT
+            mask |= Chef::Win32::API::Security::FILE_GENERIC_READ if (mask & Chef::Win32::API::Security::GENERIC_READ) != 0
+            mask |= Chef::Win32::API::Security::FILE_GENERIC_WRITE if (mask & Chef::Win32::API::Security::GENERIC_WRITE) != 0
+            mask |= Chef::Win32::API::Security::FILE_GENERIC_EXECUTE if (mask & Chef::Win32::API::Security::GENERIC_EXECUTE) != 0
+            mask |= Chef::Win32::API::Security::FILE_ALL_ACCESS if (mask & Chef::Win32::API::Security::GENERIC_ALL) != 0
+          else
+            raise "Unimplemented object type for predict_security_mask: #{type}"
+          end
+          mask &= ~(Chef::Win32::API::Security::GENERIC_READ | Chef::Win32::API::Security::GENERIC_WRITE | Chef::Win32::API::Security::GENERIC_EXECUTE | Chef::Win32::API::Security::GENERIC_ALL)
+          mask
+        end
+
+        def security_descriptor(include_sacl = false)
+          security_information = Chef::Win32::API::Security::OWNER_SECURITY_INFORMATION | Chef::Win32::API::Security::GROUP_SECURITY_INFORMATION | Chef::Win32::API::Security::DACL_SECURITY_INFORMATION
+          if include_sacl
+            security_information |= Chef::Win32::API::Security::SACL_SECURITY_INFORMATION
+            Security.with_privileges("SeSecurityPrivilege") do
+              Security.get_named_security_info(path, type, security_information)
+            end
+          else
+            Security.get_named_security_info(path, type, security_information)
+          end
+        end
+
+        def dacl=(val)
+          Security.set_named_security_info(path, type, :dacl => val)
+        end
+
+        # You don't set dacl_inherits without also setting dacl,
+        # because Windows gets angry and denies you access.  So
+        # if you want to do that, you may as well do both at once.
+        def set_dacl(dacl, dacl_inherits)
+          Security.set_named_security_info(path, type, :dacl => dacl, :dacl_inherits => dacl_inherits)
+        end
+
+        def group=(val)
+          Security.set_named_security_info(path, type, :group => val)
+        end
+
+        def owner=(val)
+          # TODO to fix serious permissions problems, we may need to enable SeBackupPrivilege.  But we might need it (almost) everywhere else, too.
+          Security.with_privileges("SeTakeOwnershipPrivilege", "SeRestorePrivilege") do
+            Security.set_named_security_info(path, type, :owner => val)
+          end
+        end
+
+        def sacl=(val)
+          Security.with_privileges("SeSecurityPrivilege") do
+            Security.set_named_security_info(path, type, :sacl => val)
+          end
+        end
+
+        def set_sacl(sacl, sacl_inherits)
+          Security.with_privileges("SeSecurityPrivilege") do
+            Security.set_named_security_info(path, type, :sacl => sacl, :sacl_inherits => sacl_inherits)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/chef/win32/security/security_descriptor.rb

@@ -0,0 +1,93 @@
+#
+# Author:: John Keiser (<jkeiser@opscode.com>)
+# Copyright:: Copyright 2011 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/win32/security'
+require 'chef/win32/security/acl'
+require 'chef/win32/security/sid'
+
+class Chef
+  module Win32
+    class Security
+      class SecurityDescriptor
+
+        def initialize(pointer)
+          @pointer = pointer
+        end
+
+        attr_reader :pointer
+
+        def absolute?
+          !self_relative?
+        end
+
+        def control
+          control, version = Chef::Win32::Security.get_security_descriptor_control(self)
+          control
+        end
+
+        def dacl
+          raise "DACL not present" if !dacl_present?
+          present, acl, defaulted = Chef::Win32::Security.get_security_descriptor_dacl(self)
+          acl
+        end
+
+        def dacl_inherits?
+          (control & Chef::Win32::API::Security::SE_DACL_PROTECTED) == 0
+        end
+
+        def dacl_present?
+          (control & Chef::Win32::API::Security::SE_DACL_PRESENT) != 0
+        end
+
+        def group
+          result, defaulted = Chef::Win32::Security.get_security_descriptor_group(self)
+          result
+        end
+
+        def owner
+          result, defaulted = Chef::Win32::Security.get_security_descriptor_owner(self)
+          result
+        end
+
+        def sacl
+          raise "SACL not present" if !sacl_present?
+          Security.with_privileges("SeSecurityPrivilege") do
+            present, acl, defaulted = Chef::Win32::Security.get_security_descriptor_sacl(self)
+            acl
+          end
+        end
+
+        def sacl_inherits?
+          (control & Chef::Win32::API::Security::SE_SACL_PROTECTED) == 0
+        end
+
+        def sacl_present?
+          (control & Chef::Win32::API::Security::SE_SACL_PRESENT) != 0
+        end
+
+        def self_relative?
+          (control & Chef::Win32::API::Security::SE_SELF_RELATIVE) != 0
+        end
+
+        def valid?
+          Chef::Win32::Security.is_valid_security_descriptor(self)
+        end
+      end
+    end
+  end
+end

data/lib/chef/win32/security/sid.rb

@@ -0,0 +1,199 @@
+#
+# Author:: John Keiser (<jkeiser@opscode.com>)
+# Copyright:: Copyright 2011 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/win32/security'
+
+class Chef
+  module Win32
+    class Security
+      class SID
+
+        def initialize(pointer, owner = nil)
+          @pointer = pointer
+          # Keep a reference to the actual owner of this memory so we don't get freed
+          @owner = owner
+        end
+
+        def self.from_account(name)
+          domain, sid, use = Chef::Win32::Security.lookup_account_name(name)
+          sid
+        end
+
+        def self.from_string_sid(string_sid)
+          Chef::Win32::Security::convert_string_sid_to_sid(string_sid)
+        end
+
+        def ==(other)
+          other != nil && Chef::Win32::Security.equal_sid(self, other)
+        end
+
+        attr_reader :pointer
+
+        def account
+          Chef::Win32::Security.lookup_account_sid(self)
+        end
+
+        def account_name
+          domain, name, use = account
+          (domain != nil && domain.length > 0) ? "#{domain}\\#{name}" : name
+        end
+
+        def size
+          Chef::Win32::Security.get_length_sid(self)
+        end
+
+        def to_s
+          Chef::Win32::Security.convert_sid_to_string_sid(self)
+        end
+
+        def valid?
+          Chef::Win32::Security.is_valid_sid(self)
+        end
+
+        # Well-known SIDs
+        def self.Null
+          SID.from_string_sid('S-1-0')
+        end
+        def self.Nobody
+          SID.from_string_sid('S-1-0-0')
+        end
+        def self.World
+          SID.from_string_sid('S-1-1')
+        end
+        def self.Everyone
+          SID.from_string_sid('S-1-1-0')
+        end
+        def self.Local
+          SID.from_string_sid('S-1-2')
+        end
+        def self.Creator
+          SID.from_string_sid('S-1-3')
+        end
+        def self.CreatorOwner
+          SID.from_string_sid('S-1-3-0')
+        end
+        def self.CreatorGroup
+          SID.from_string_sid('S-1-3-1')
+        end
+        def self.CreatorOwnerServer
+          SID.from_string_sid('S-1-3-2')
+        end
+        def self.CreatorGroupServer
+          SID.from_string_sid('S-1-3-3')
+        end
+        def self.NonUnique
+          SID.from_string_sid('S-1-4')
+        end
+        def self.Nt
+          SID.from_string_sid('S-1-5')
+        end
+        def self.Dialup
+          SID.from_string_sid('S-1-5-1')
+        end
+        def self.Network
+          SID.from_string_sid('S-1-5-2')
+        end
+        def self.Batch
+          SID.from_string_sid('S-1-5-3')
+        end
+        def self.Interactive
+          SID.from_string_sid('S-1-5-4')
+        end
+        def self.Service
+          SID.from_string_sid('S-1-5-6')
+        end
+        def self.Anonymous
+          SID.from_string_sid('S-1-5-7')
+        end
+        def self.Proxy
+          SID.from_string_sid('S-1-5-8')
+        end
+        def self.EnterpriseDomainControllers
+          SID.from_string_sid('S-1-5-9')
+        end
+        def self.PrincipalSelf
+          SID.from_string_sid('S-1-5-10')
+        end
+        def self.AuthenticatedUsers
+          SID.from_string_sid('S-1-5-11')
+        end
+        def self.RestrictedCode
+          SID.from_string_sid('S-1-5-12')
+        end
+        def self.TerminalServerUsers
+          SID.from_string_sid('S-1-5-13')
+        end
+        def self.LocalSystem
+          SID.from_string_sid('S-1-5-18')
+        end
+        def self.NtLocal
+          SID.from_string_sid('S-1-5-19')
+        end
+        def self.NtNetwork
+          SID.from_string_sid('S-1-5-20')
+        end
+        def self.BuiltinAdministrators
+          SID.from_string_sid('S-1-5-32-544')
+        end
+        def self.BuiltinUsers
+          SID.from_string_sid('S-1-5-32-545')
+        end
+        def self.Guests
+          SID.from_string_sid('S-1-5-32-546')
+        end
+        def self.PowerUsers
+          SID.from_string_sid('S-1-5-32-547')
+        end
+        def self.AccountOperators
+          SID.from_string_sid('S-1-5-32-548')
+        end
+        def self.ServerOperators
+          SID.from_string_sid('S-1-5-32-549')
+        end
+        def self.PrintOperators
+          SID.from_string_sid('S-1-5-32-550')
+        end
+        def self.BackupOperators
+          SID.from_string_sid('S-1-5-32-551')
+        end
+        def self.Replicators
+          SID.from_string_sid('S-1-5-32-552')
+        end
+        def self.Administrators
+          SID.from_string_sid('S-1-5-32-544')
+        end
+
+        # Machine-specific, well-known SIDs
+        # TODO: don't use strings, dummy
+        def self.None
+          SID.from_account("#{::ENV['COMPUTERNAME']}\\None")
+        end
+        def self.Administrator
+          SID.from_account("#{::ENV['COMPUTERNAME']}\\Administrator")
+        end
+        def self.Guest
+          SID.from_account("#{::ENV['COMPUTERNAME']}\\Guest")
+        end
+
+        def self.current_user
+          SID.from_account("#{::ENV['USERDOMAIN']}\\#{::ENV['USERNAME']}")
+        end
+      end
+    end
+  end
+end