puppet 6.15.0-x64-mingw32 → 6.19.1-x64-mingw32

data/lib/puppet/util/windows/eventlog.rb

@@ -140,12 +140,7 @@ class Puppet::Util::Windows::EventLog
   # @api private
   def from_string_to_wide_string(str, &block)
     str = wide_string(str)
-    FFI::MemoryPointer.new(:uchar, str.bytesize) do |ptr|
-      # uchar here is synonymous with byte
-      ptr.put_array_of_uchar(0, str.bytes.to_a)
-
-      yield ptr
-    end
+    FFI::MemoryPointer.from_wide_string(str) { |ptr| yield ptr }
 
     # ptr has already had free called, so nothing to return
     nil

data/lib/puppet/util/windows/monkey_patches/dir.rb

@@ -0,0 +1,40 @@
+require 'win32/dir/constants'
+require 'win32/dir/functions'
+require 'win32/dir/structs'
+
+class DirMonkeyPatched
+  include ::Dir::Structs
+  include ::Dir::Constants
+  extend  ::Dir::Functions
+
+  path  = nil
+  key   = :PERSONAL
+  value = 0x0005
+  buf   = 0.chr * 1024
+  buf.encode!(Encoding::UTF_16LE)
+
+  if SHGetFolderPathW(0, value, 0, 0, buf) == 0 # Current path
+    path = buf.strip
+  elsif SHGetFolderPathW(0, value, 0, 1, buf) == 0 # Default path
+    path = buf.strip
+  else
+    FFI::MemoryPointer.new(:long) do |ptr|
+      if SHGetFolderLocation(0, value, 0, 0, ptr) == 0
+        SHFILEINFO.new do |info|
+          flags = SHGFI_DISPLAYNAME | SHGFI_PIDL
+          if SHGetFileInfo(ptr.read_long, 0, info, info.size, flags) != 0
+            path = info[:szDisplayName].to_s
+          end
+        end
+      end
+    end
+  end
+
+  if path.nil?
+    begin
+      Dir.const_set(key, ''.encode(Encoding.default_external))
+    rescue Encoding::UndefinedConversionError
+      Dir.const_set(key, ''.encode(Encoding::UTF_8))
+    end
+  end
+end

data/lib/puppet/util/windows/principal.rb

@@ -41,6 +41,7 @@ module Puppet::Util::Windows::SID
     # = 8 + max sub identifiers (15) * 4
     MAXIMUM_SID_BYTE_LENGTH = 68
 
+    ERROR_INVALID_PARAMETER   = 87
     ERROR_INSUFFICIENT_BUFFER = 122
 
     def self.lookup_account_name(system_name = nil, account_name)
@@ -48,9 +49,7 @@ module Puppet::Util::Windows::SID
       begin
         if system_name
           system_name_wide = Puppet::Util::Windows::String.wide_string(system_name)
-          # uchar here is synonymous with byte
-          system_name_ptr = FFI::MemoryPointer.new(:byte, system_name_wide.bytesize)
-          system_name_ptr.put_array_of_uchar(0, system_name_wide.bytes.to_a)
+          system_name_ptr = FFI::MemoryPointer.from_wide_string(system_name_wide)
         end
 
         FFI::MemoryPointer.from_string_to_wide_string(account_name) do |account_name_ptr|
@@ -101,9 +100,7 @@ module Puppet::Util::Windows::SID
       begin
         if system_name
           system_name_wide = Puppet::Util::Windows::String.wide_string(system_name)
-          # uchar here is synonymous with byte
-          system_name_ptr = FFI::MemoryPointer.new(:byte, system_name_wide.bytesize)
-          system_name_ptr.put_array_of_uchar(0, system_name_wide.bytes.to_a)
+          system_name_ptr = FFI::MemoryPointer.from_wide_string(system_name_wide)
         end
 
         FFI::MemoryPointer.new(:byte, sid_bytes.length) do |sid_ptr|
@@ -112,6 +109,11 @@ module Puppet::Util::Windows::SID
               FFI::MemoryPointer.new(:uint32, 1) do |name_use_enum_ptr|
 
                 sid_ptr.write_array_of_uchar(sid_bytes)
+
+                if Puppet::Util::Windows::SID.IsValidSid(sid_ptr) == FFI::WIN32_FALSE
+                  raise Puppet::Util::Windows::Error.new(_('Byte array for lookup_account_sid is invalid: %{sid_bytes}') % { sid_bytes: sid_bytes }, ERROR_INVALID_PARAMETER)
+                end
+
                 success = LookupAccountSidW(system_name_ptr, sid_ptr, FFI::Pointer::NULL, name_length_ptr,
                   FFI::Pointer::NULL, domain_length_ptr, name_use_enum_ptr)
                 last_error = FFI.errno

data/lib/puppet/util/windows/registry.rb

@@ -110,13 +110,16 @@ module Puppet::Util::Windows
 
     private
 
-    def reg_enum_key(key, index, max_key_length = Win32::Registry::Constants::MAX_KEY_LENGTH)
+    # max number of wide characters including NULL terminator
+    MAX_KEY_CHAR_LENGTH = 255 + 1
+
+    def reg_enum_key(key, index, max_key_char_length = MAX_KEY_CHAR_LENGTH)
       subkey, filetime = nil, nil
 
       FFI::MemoryPointer.new(:dword) do |subkey_length_ptr|
         FFI::MemoryPointer.new(FFI::WIN32::FILETIME.size) do |filetime_ptr|
-          FFI::MemoryPointer.new(:wchar, max_key_length) do |subkey_ptr|
-            subkey_length_ptr.write_dword(max_key_length)
+          FFI::MemoryPointer.new(:wchar, max_key_char_length) do |subkey_ptr|
+            subkey_length_ptr.write_dword(max_key_char_length)
 
             # RegEnumKeyEx cannot be called twice to properly size the buffer
             result = RegEnumKeyExW(key.hkey, index,
@@ -141,7 +144,10 @@ module Puppet::Util::Windows
       [subkey, filetime]
     end
 
-    def reg_enum_value(key, index, max_value_length = Win32::Registry::Constants::MAX_VALUE_LENGTH)
+    # max number of wide characters including NULL terminator
+    MAX_VALUE_CHAR_LENGTH = 16383 + 1
+
+    def reg_enum_value(key, index, max_value_length = MAX_VALUE_CHAR_LENGTH)
       subkey, type, data = nil, nil, nil
 
       FFI::MemoryPointer.new(:dword) do |subkey_length_ptr|
@@ -234,7 +240,7 @@ module Puppet::Util::Windows
         begin
           case type
             when Win32::Registry::REG_SZ, Win32::Registry::REG_EXPAND_SZ
-              result = [ type, sanitize(data_ptr.read_wide_string(string_length)) ]
+              result = [ type, data_ptr.read_wide_string(string_length, Encoding::UTF_8, true) ]
             when Win32::Registry::REG_MULTI_SZ
               result = [ type, data_ptr.read_wide_string(string_length).split(/\0/) ]
             when Win32::Registry::REG_BINARY
@@ -314,12 +320,6 @@ module Puppet::Util::Windows
       result
     end
 
-    def sanitize(value)
-      # Replace null bytes with a space
-      value.tr!("\x00", ' ')
-      value
-    end
-
     ffi_convention :stdcall
 
     # https://msdn.microsoft.com/en-us/library/windows/desktop/ms724862(v=vs.85).aspx

data/lib/puppet/util/windows/security.rb

@@ -340,10 +340,10 @@ module Puppet::Util::Windows::Security
           Puppet.warning _("Setting control rights for %{path} owner SYSTEM to less than Full Control rights. Setting SYSTEM rights to less than Full Control may have unintented consequences for operations on this file") % { path: path }
         elsif managing_owner && isownergroup
           #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
-          Puppet.debug _("%{path} owner and group both set to user SYSTEM, but group is not managed directly: SYSTEM user rights will be set to FullControl by group") % { path: path }
+          Puppet.debug { _("%{path} owner and group both set to user SYSTEM, but group is not managed directly: SYSTEM user rights will be set to FullControl by group") % { path: path } }
         else
           #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
-          Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the owner, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
+          Puppet.debug { _("An attempt to set mode %{mode} on item %{path} would result in the owner, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path } }
           owner_allow = FILE::FILE_ALL_ACCESS
         end
       end
@@ -356,10 +356,10 @@ module Puppet::Util::Windows::Security
           Puppet.warning _("Setting control rights for %{path} group SYSTEM to less than Full Control rights. Setting SYSTEM rights to less than Full Control may have unintented consequences for operations on this file") % { path: path }
         elsif managing_group && isownergroup
           #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
-          Puppet.debug _("%{path} owner and group both set to user SYSTEM, but owner is not managed directly: SYSTEM user rights will be set to FullControl by owner") % { path: path }
+          Puppet.debug { _("%{path} owner and group both set to user SYSTEM, but owner is not managed directly: SYSTEM user rights will be set to FullControl by owner") % { path: path } }
         else
           #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
-          Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the group, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
+          Puppet.debug { _("An attempt to set mode %{mode} on item %{path} would result in the group, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path } }
           group_allow = FILE::FILE_ALL_ACCESS
         end
       end

data/lib/puppet/util/windows/service.rb

@@ -440,43 +440,60 @@ module Puppet::Util::Windows
     end
     module_function :service_start_type
 
-    # Change the startup mode of a windows service
+    # Query the configuration of a service using QueryServiceConfigW
+    # to find its current logon account
     #
-    # @param [String] service_name the name of the service to modify
-    # @param [Integer] startup_type a code corresponding to a start type for
-    #  windows service, see the "Service start type codes" section in the
-    #  Puppet::Util::Windows::Service file for the list of available codes
-    # @param [Bool] delayed whether the service should be started with a delay
-    def set_startup_mode(service_name, startup_type, delayed=false)
-      startup_code = SERVICE_START_TYPES.key(startup_type)
-      if startup_code.nil?
-        raise Puppet::Error.new(_("Unknown start type %{start_type}") % {startup_type: startup_type.to_s})
+    # @return [String] logon_account account currently set for the service's logon
+    #  in the format "DOMAIN\Account" or ".\Account" if it's a local account
+    def logon_account(service_name)
+      open_service(service_name, SC_MANAGER_CONNECT, SERVICE_QUERY_CONFIG) do |service|
+        query_config(service) do |config|
+          return config[:lpServiceStartName].read_arbitrary_wide_string_up_to(Puppet::Util::Windows::ADSI::User::MAX_USERNAME_LENGTH)
+        end
       end
+    end
+    module_function :logon_account
+
+    # Set the startup configuration of a windows service
+    #
+    # @param [String] service_name the name of the service to modify
+    # @param [Hash] options the configuration to be applied. Expected option keys:
+    #   - [Integer] startup_type a code corresponding to a start type for
+    #       windows service, see the "Service start type codes" section in the
+    #       Puppet::Util::Windows::Service file for the list of available codes
+    #   - [String] logon_account the account to be used by the service for logon
+    #   - [String] logon_password the provided logon_account's password to be used by the service for logon
+    #   - [Bool] delayed whether the service should be started with a delay
+    def set_startup_configuration(service_name, options: {})
+      options[:startup_type] = SERVICE_START_TYPES.key(options[:startup_type]) || SERVICE_NO_CHANGE
+      options[:logon_account] = wide_string(options[:logon_account]) || FFI::Pointer::NULL
+      options[:logon_password] = wide_string(options[:logon_password]) || FFI::Pointer::NULL
+
       open_service(service_name, SC_MANAGER_CONNECT, SERVICE_CHANGE_CONFIG) do |service|
-        # Currently the only thing puppet's API can really manage
-        # in this list is dwStartType (the third param). Thus no
-        # generic function was written to make use of all the params
-        # since the API as-is couldn't use them anyway
         success = ChangeServiceConfigW(
           service,
-          SERVICE_NO_CHANGE,  # dwServiceType
-          startup_code,       # dwStartType
-          SERVICE_NO_CHANGE,  # dwErrorControl
-          FFI::Pointer::NULL, # lpBinaryPathName
-          FFI::Pointer::NULL, # lpLoadOrderGroup
-          FFI::Pointer::NULL, # lpdwTagId
-          FFI::Pointer::NULL, # lpDependencies
-          FFI::Pointer::NULL, # lpServiceStartName
-          FFI::Pointer::NULL, # lpPassword
-          FFI::Pointer::NULL  # lpDisplayName
+          SERVICE_NO_CHANGE,        # dwServiceType
+          options[:startup_type],   # dwStartType
+          SERVICE_NO_CHANGE,        # dwErrorControl
+          FFI::Pointer::NULL,       # lpBinaryPathName
+          FFI::Pointer::NULL,       # lpLoadOrderGroup
+          FFI::Pointer::NULL,       # lpdwTagId
+          FFI::Pointer::NULL,       # lpDependencies
+          options[:logon_account],  # lpServiceStartName
+          options[:logon_password], # lpPassword
+          FFI::Pointer::NULL        # lpDisplayName
         )
         if success == FFI::WIN32_FALSE
           raise Puppet::Util::Windows::Error.new(_("Failed to update service configuration"))
         end
       end
-      set_startup_mode_delayed(service_name, delayed)
+
+      if options[:startup_type]
+        options[:delayed] ||= false
+        set_startup_mode_delayed(service_name, options[:delayed])
+      end
     end
-    module_function :set_startup_mode
+    module_function :set_startup_configuration
 
     # enumerate over all services in all states and return them as a hash
     #

data/lib/puppet/util/windows/user.rb

@@ -16,6 +16,22 @@ module Puppet::Util::Windows::User
   end
   module_function :admin?
 
+  # The name of the account in all locales is `LocalSystem`. `.\LocalSystem` or `ComputerName\LocalSystem' can also be used.
+  # This account is not recognized by the security subsystem, so you cannot specify its name in a call to the `LookupAccountName` function.
+  # https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account
+  def localsystem?(name)
+    ["LocalSystem", ".\\LocalSystem", "#{Puppet::Util::Windows::ADSI.computer_name}\\LocalSystem"].any?{ |s| s.casecmp(name) == 0 }
+  end
+  module_function :localsystem?
+
+  # Check if a given user is one of the default system accounts
+  # These accounts do not have a password and all checks done through logon attempt will fail
+  # https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#default-local-system-accounts
+  def default_system_account?(name)
+    user_sid = Puppet::Util::Windows::SID.name_to_sid(name)
+    [Puppet::Util::Windows::SID::LocalSystem, Puppet::Util::Windows::SID::NtLocal, Puppet::Util::Windows::SID::NtNetwork].include?(user_sid)
+  end
+  module_function :default_system_account?
 
   # https://msdn.microsoft.com/en-us/library/windows/desktop/ee207397(v=vs.85).aspx
   SECURITY_MAX_SID_SIZE = 68
@@ -57,9 +73,9 @@ module Puppet::Util::Windows::User
   end
   module_function :check_token_membership
 
-  def password_is?(name, password)
+  def password_is?(name, password, domain = '.')
     begin
-      logon_user(name, password) { |token| }
+      logon_user(name, password, domain) { |token| }
     rescue Puppet::Util::Windows::Error => detail
 
       authenticated_error_codes = Set[
@@ -74,7 +90,7 @@ module Puppet::Util::Windows::User
   end
   module_function :password_is?
 
-  def logon_user(name, password, &block)
+  def logon_user(name, password, domain = '.', &block)
     fLOGON32_PROVIDER_DEFAULT = 0
     fLOGON32_LOGON_INTERACTIVE = 2
     fLOGON32_LOGON_NETWORK = 3
@@ -83,8 +99,8 @@ module Puppet::Util::Windows::User
     begin
       FFI::MemoryPointer.new(:handle, 1) do |token_pointer|
         #try logon using network else try logon using interactive mode
-        if logon_user_by_logon_type(name, password, fLOGON32_LOGON_NETWORK, fLOGON32_PROVIDER_DEFAULT, token_pointer) == FFI::WIN32_FALSE
-          if logon_user_by_logon_type(name, password, fLOGON32_LOGON_INTERACTIVE, fLOGON32_PROVIDER_DEFAULT, token_pointer) == FFI::WIN32_FALSE
+        if logon_user_by_logon_type(name, domain, password, fLOGON32_LOGON_NETWORK, fLOGON32_PROVIDER_DEFAULT, token_pointer) == FFI::WIN32_FALSE
+          if logon_user_by_logon_type(name, domain, password, fLOGON32_LOGON_INTERACTIVE, fLOGON32_PROVIDER_DEFAULT, token_pointer) == FFI::WIN32_FALSE
             raise Puppet::Util::Windows::Error.new(_("Failed to logon user %{name}") % {name: name.inspect})
           end
         end
@@ -98,11 +114,10 @@ module Puppet::Util::Windows::User
     # token has been closed by this point
     true
   end
-
   module_function :logon_user
 
-  def self.logon_user_by_logon_type(name, password, logon_type, logon_provider, token)
-    LogonUserW(wide_string(name), wide_string('.'), password.nil? ? FFI::Pointer::NULL : wide_string(password), logon_type, logon_provider, token)
+  def self.logon_user_by_logon_type(name, domain, password, logon_type, logon_provider, token)
+    LogonUserW(wide_string(name), wide_string(domain), password.nil? ? FFI::Pointer::NULL : wide_string(password), logon_type, logon_provider, token)
   end
 
   private_class_method :logon_user_by_logon_type
@@ -130,6 +145,125 @@ module Puppet::Util::Windows::User
   end
   module_function :load_profile
 
+  def get_rights(name)
+    user_info = Puppet::Util::Windows::SID.name_to_principal(name.sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\"))
+    return "" unless user_info
+
+    rights = []
+    rights_pointer = FFI::MemoryPointer.new(:pointer)
+    number_of_rights = FFI::MemoryPointer.new(:ulong)
+    sid_pointer = FFI::MemoryPointer.new(:byte, user_info.sid_bytes.length).write_array_of_uchar(user_info.sid_bytes)
+
+    new_lsa_policy_handle do |policy_handle|
+      result = LsaEnumerateAccountRights(policy_handle.read_pointer, sid_pointer, rights_pointer, number_of_rights)
+      check_lsa_nt_status_and_raise_failures(result, "LsaEnumerateAccountRights")
+    end
+
+    number_of_rights.read_ulong.times do |index|
+      right = LSA_UNICODE_STRING.new(rights_pointer.read_pointer + index * LSA_UNICODE_STRING.size)
+      rights << right[:Buffer].read_arbitrary_wide_string_up_to
+    end
+
+    result = LsaFreeMemory(rights_pointer.read_pointer)
+    check_lsa_nt_status_and_raise_failures(result, "LsaFreeMemory")
+
+    rights.join(",")
+  end
+  module_function :get_rights
+
+  def set_rights(name, rights)
+    rights_pointer = new_lsa_unicode_strings_pointer(rights)
+    user_info = Puppet::Util::Windows::SID.name_to_principal(name.sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\"))
+    sid_pointer = FFI::MemoryPointer.new(:byte, user_info.sid_bytes.length).write_array_of_uchar(user_info.sid_bytes)
+
+    new_lsa_policy_handle do |policy_handle|
+      result = LsaAddAccountRights(policy_handle.read_pointer, sid_pointer, rights_pointer, rights.size)
+      check_lsa_nt_status_and_raise_failures(result, "LsaAddAccountRights")
+    end
+  end
+  module_function :set_rights
+
+  def remove_rights(name, rights)
+    rights_pointer = new_lsa_unicode_strings_pointer(rights)
+    user_info = Puppet::Util::Windows::SID.name_to_principal(name.sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\"))
+    sid_pointer = FFI::MemoryPointer.new(:byte, user_info.sid_bytes.length).write_array_of_uchar(user_info.sid_bytes)
+
+    new_lsa_policy_handle do |policy_handle|
+      result = LsaRemoveAccountRights(policy_handle.read_pointer, sid_pointer, false, rights_pointer, rights.size)
+      check_lsa_nt_status_and_raise_failures(result, "LsaRemoveAccountRights")
+    end
+  end
+  module_function :remove_rights
+
+  # ACCESS_MASK flags for Policy Objects
+  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/b61b7268-987a-420b-84f9-6c75f8dc8558
+  POLICY_VIEW_LOCAL_INFORMATION   = 0x00000001
+  POLICY_VIEW_AUDIT_INFORMATION   = 0x00000002
+  POLICY_GET_PRIVATE_INFORMATION  = 0x00000004
+  POLICY_TRUST_ADMIN              = 0x00000008
+  POLICY_CREATE_ACCOUNT           = 0x00000010
+  POLICY_CREATE_SECRET            = 0x00000020
+  POLICY_CREATE_PRIVILEGE         = 0x00000040
+  POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080
+  POLICY_SET_AUDIT_REQUIREMENTS   = 0x00000100
+  POLICY_AUDIT_LOG_ADMIN          = 0x00000200
+  POLICY_SERVER_ADMIN             = 0x00000400
+  POLICY_LOOKUP_NAMES             = 0x00000800
+  POLICY_NOTIFICATION             = 0x00001000
+
+  def self.new_lsa_policy_handle
+    access = 0
+    access |= POLICY_LOOKUP_NAMES
+    access |= POLICY_CREATE_ACCOUNT
+    policy_handle = FFI::MemoryPointer.new(:pointer)
+
+    result = LsaOpenPolicy(nil, LSA_OBJECT_ATTRIBUTES.new, access, policy_handle)
+    check_lsa_nt_status_and_raise_failures(result, "LsaOpenPolicy")
+
+    begin
+      yield policy_handle
+    ensure
+      result = LsaClose(policy_handle.read_pointer)
+      check_lsa_nt_status_and_raise_failures(result, "LsaClose")
+    end
+  end
+  private_class_method :new_lsa_policy_handle
+
+  def self.new_lsa_unicode_strings_pointer(strings)
+    lsa_unicode_strings_pointer = FFI::MemoryPointer.new(LSA_UNICODE_STRING, strings.size)
+
+    strings.each_with_index do |string, index|
+      lsa_string = LSA_UNICODE_STRING.new(lsa_unicode_strings_pointer + index * LSA_UNICODE_STRING.size)
+      lsa_string[:Buffer] = FFI::MemoryPointer.from_string(wide_string(string))
+      lsa_string[:Length] = string.length * 2
+      lsa_string[:MaximumLength] = lsa_string[:Length] + 2
+    end
+
+    lsa_unicode_strings_pointer
+  end
+  private_class_method :new_lsa_unicode_strings_pointer
+
+  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/18d8fbe8-a967-4f1c-ae50-99ca8e491d2d
+  def self.check_lsa_nt_status_and_raise_failures(status, method_name)
+    error_code = LsaNtStatusToWinError(status)
+
+    error_reason = case error_code.to_s(16)
+    when '0' # ERROR_SUCCESS
+      return # Method call succeded
+    when '2' # ERROR_FILE_NOT_FOUND
+      return # No rights/privilleges assigned to given user
+    when '5' # ERROR_ACCESS_DENIED
+      "Access is denied. Please make sure that puppet is running as administrator."
+    when '521' # ERROR_NO_SUCH_PRIVILEGE
+      "One or more of the given rights/privilleges are incorrect."
+    when '6ba' # RPC_S_SERVER_UNAVAILABLE
+      "The RPC server is unavailable or given domain name is invalid."
+    end
+
+    raise Puppet::Error.new("Calling `#{method_name}` returned 'Win32 Error Code 0x%08X'. #{error_reason}" % error_code)
+  end
+  private_class_method :check_lsa_nt_status_and_raise_failures
+
   ffi_convention :stdcall
 
   # https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx
@@ -314,4 +448,104 @@ module Puppet::Util::Windows::User
   ffi_lib :advapi32
   attach_function_private :IsValidSid,
     [:pointer], :win32_bool
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/lsalookup/ns-lsalookup-lsa_object_attributes
+  # typedef struct _LSA_OBJECT_ATTRIBUTES {
+  #   ULONG               Length;
+  #   HANDLE              RootDirectory;
+  #   PLSA_UNICODE_STRING ObjectName;
+  #   ULONG               Attributes;
+  #   PVOID               SecurityDescriptor;
+  #   PVOID               SecurityQualityOfService;
+  # } LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
+  class LSA_OBJECT_ATTRIBUTES < FFI::Struct
+    layout :Length, :ulong,
+      :RootDirectory, :handle,
+      :ObjectName, :plsa_unicode_string,
+      :Attributes, :ulong,
+      :SecurityDescriptor, :pvoid,
+      :SecurityQualityOfService, :pvoid
+  end
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/lsalookup/ns-lsalookup-lsa_unicode_string
+  # typedef struct _LSA_UNICODE_STRING {
+  #   USHORT Length;
+  #   USHORT MaximumLength;
+  #   PWSTR  Buffer;
+  # } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
+  class LSA_UNICODE_STRING < FFI::Struct
+    layout :Length, :ushort,
+      :MaximumLength, :ushort,
+      :Buffer, :pwstr
+  end
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaenumerateaccountrights
+  # https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment
+  # NTSTATUS LsaEnumerateAccountRights(
+  #   LSA_HANDLE          PolicyHandle,
+  #   PSID                AccountSid,
+  #   PLSA_UNICODE_STRING *UserRights,
+  #   PULONG              CountOfRights
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaEnumerateAccountRights,
+    [:lsa_handle, :psid, :plsa_unicode_string, :pulong], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaaddaccountrights
+  # NTSTATUS LsaAddAccountRights(
+  #   LSA_HANDLE          PolicyHandle,
+  #   PSID                AccountSid,
+  #   PLSA_UNICODE_STRING UserRights,
+  #   ULONG               CountOfRights
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaAddAccountRights,
+    [:lsa_handle, :psid, :plsa_unicode_string, :ulong], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaremoveaccountrights
+  # NTSTATUS LsaRemoveAccountRights(
+  #   LSA_HANDLE          PolicyHandle,
+  #   PSID                AccountSid,
+  #   BOOLEAN             AllRights,
+  #   PLSA_UNICODE_STRING UserRights,
+  #   ULONG               CountOfRights
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaRemoveAccountRights,
+    [:lsa_handle, :psid, :bool, :plsa_unicode_string, :ulong], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaopenpolicy
+  # NTSTATUS LsaOpenPolicy(
+  #   PLSA_UNICODE_STRING    SystemName,
+  #   PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
+  #   ACCESS_MASK            DesiredAccess,
+  #   PLSA_HANDLE            PolicyHandle
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaOpenPolicy,
+    [:plsa_unicode_string, :plsa_object_attributes, :access_mask, :plsa_handle], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaclose
+  # NTSTATUS LsaClose(
+  #   LSA_HANDLE ObjectHandle
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaClose,
+    [:lsa_handle], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsafreememory
+  # NTSTATUS LsaFreeMemory(
+  #   PVOID Buffer
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaFreeMemory,
+    [:pvoid], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsantstatustowinerror
+  # ULONG LsaNtStatusToWinError(
+  #   NTSTATUS Status
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaNtStatusToWinError,
+    [:ntstatus], :ulong
 end