Class: Puppet::Util::Windows::ADSI::User

Inherits:

Object

• Object
• Puppet::Util::Windows::ADSI::User

Extended by:

Enumerable, FFI::Library, Shared

Defined in:

lib/puppet/util/windows.rb,
lib/puppet/util/windows/adsi.rb

Constant Summary

MAX_USERNAME_LENGTH =

UNLEN from lmcons.h - stackoverflow.com/a/2155176

256

Instance Attribute Summary

• #name ⇒ Object readonly
• #native_user ⇒ Object
• #sid ⇒ Object readonly

Class Method Summary

• .create(name) ⇒ Object
• .current_user_name ⇒ Object
• .delete(name) ⇒ Object
• .each(&block) ⇒ Object
• .exists?(name_or_sid) ⇒ Boolean
• .logon(name, password) ⇒ Object

Instance Method Summary

• #[](attribute) ⇒ Object
• #[]=(attribute, value) ⇒ Object
• #add_flag(flag_name, value) ⇒ Object
• #add_group_sids(*sids) ⇒ Object
• #add_to_groups(*group_names) ⇒ Object (also: #add_to_group)
• #commit ⇒ Object
• #group_sids ⇒ Object
• #groups ⇒ Object
• #initialize(name, native_user = nil) ⇒ User constructor

  A new instance of User.

• #password=(password) ⇒ Object
• #password_is?(password) ⇒ Boolean
• #remove_from_groups(*group_names) ⇒ Object (also: #remove_from_group)
• #remove_group_sids(*sids) ⇒ Object
• #set_groups(desired_groups, minimum = true) ⇒ Object
• #uri ⇒ Object

Methods included from Shared

get_sids, name_sid_hash, parse_name

Methods included from FFI::Library

attach_function_private

Constructor Details

#initialize(name, native_user = nil) ⇒ User

Returns a new instance of User.

# File 'lib/puppet/util/windows/adsi.rb', line 165

def initialize(name, native_user = nil)
  @name = name
  @native_user = native_user
end

Instance Attribute Details

#name ⇒ Object (readonly)

# File 'lib/puppet/util/windows/adsi.rb', line 164

def name
  @name
end

#native_user ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 163

def native_user
  @native_user
end

#sid ⇒ Object (readonly)

# File 'lib/puppet/util/windows/adsi.rb', line 164

def sid
  @sid
end

Class Method Details

.create(name) ⇒ Object

Raises:

• (Puppet::Error)

# File 'lib/puppet/util/windows/adsi.rb', line 297

def self.create(name)
  # Windows error 1379: The specified local group already exists.
  raise Puppet::Error.new( "Cannot create user if group '#{name}' exists." ) if Puppet::Util::Windows::ADSI::Group.exists? name
  new(name, Puppet::Util::Windows::ADSI.create(name, 'user'))
end

.current_user_name ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 305

def self.current_user_name
  user_name = ''
  max_length = MAX_USERNAME_LENGTH + 1 # NULL terminated
  FFI::MemoryPointer.new(max_length * 2) do |buffer| # wide string
    FFI::MemoryPointer.new(:dword, 1) do |buffer_size|
      buffer_size.write_dword(max_length) # length in TCHARs

      if GetUserNameW(buffer, buffer_size) == FFI::WIN32_FALSE
        raise Puppet::Util::Windows::Error.new("Failed to get user name")
      end
      # buffer_size includes trailing NULL
      user_name = buffer.read_wide_string(buffer_size.read_dword - 1)
    end
  end

  user_name
end

.delete(name) ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 347

def self.delete(name)
  Puppet::Util::Windows::ADSI.delete(name, 'user')
end

.each(&block) ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 351

def self.each(&block)
  wql = Puppet::Util::Windows::ADSI.execquery('select name from win32_useraccount where localaccount = "TRUE"')

  users = []
  wql.each do |u|
    users << new(u.name)
  end

  users.each(&block)
end

.exists?(name_or_sid) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/puppet/util/windows/adsi.rb', line 323

def self.exists?(name_or_sid)
  well_known = false
  if (sid = Puppet::Util::Windows::SID.name_to_sid_object(name_or_sid))
    return true if sid.account_type == :SidTypeUser

    # 'well known group' is special as it can be a group like Everyone OR a user like SYSTEM
    # so try to resolve it
    # https://msdn.microsoft.com/en-us/library/cc234477.aspx
    well_known = sid.account_type == :SidTypeWellKnownGroup
    return false if sid.account_type != :SidTypeAlias && !well_known
    name_or_sid = "#{sid.domain}\\#{sid.account}"
  end

  user = Puppet::Util::Windows::ADSI.connect(User.uri(*User.parse_name(name_or_sid)))
  # otherwise, verify that the account is actually a User account
  user.Class == 'User'
rescue
  # special accounts like SYSTEM cannot resolve via moniker like WinNT://./SYSTEM,user
  # and thus fail to connect - so given a validly resolved SID, this failure is ambiguous as it
  # may indicate either a group like Service or an account like SYSTEM
  well_known
end

.logon(name, password) ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 182

def self.logon(name, password)
  Puppet::Util::Windows::User.password_is?(name, password)
end

Instance Method Details

#[](attribute) ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 186

def [](attribute)
  native_user.Get(attribute)
end

#[]=(attribute, value) ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 190

def []=(attribute, value)
  native_user.Put(attribute, value)
end

#add_flag(flag_name, value) ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 215

def add_flag(flag_name, value)
  flag = native_user.Get(flag_name) rescue 0

  native_user.Put(flag_name, flag | value)

  commit
end

#add_group_sids(*sids) ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 256

def add_group_sids(*sids)
  group_names = sids.map { |s| s.domain_account }
  add_to_groups(*group_names)
end

#add_to_groups(*group_names) ⇒ Object Also known as: add_to_group

# File 'lib/puppet/util/windows/adsi.rb', line 241

def add_to_groups(*group_names)
  group_names.each do |group_name|
    Puppet::Util::Windows::ADSI::Group.new(group_name).add_member_sids(sid)
  end
end

#commit ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 194

def commit
  begin
    native_user.SetInfo unless native_user.nil?
  rescue WIN32OLERuntimeError => e
    # ERROR_BAD_USERNAME 2202L from winerror.h
    if e.message =~ /8007089A/m
      raise Puppet::Error.new(
       "Puppet is not able to create/delete domain users with the user resource.",
       e
      )
    end

    raise Puppet::Error.new( "User update failed: #{e}", e )
  end
  self
end

#group_sids ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 266

def group_sids
  self.class.get_sids(native_user.Groups)
end

#groups ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 233

def groups
  # https://msdn.microsoft.com/en-us/library/aa746342.aspx
  # WIN32OLE objects aren't enumerable, so no map
  groups = []
  native_user.Groups.each {|g| groups << g.Name} rescue nil
  groups
end

#password=(password) ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 223

def password=(password)
  if !password.nil?
    native_user.SetPassword(password)
    commit
  end

  fADS_UF_DONT_EXPIRE_PASSWD = 0x10000
  add_flag("UserFlags", fADS_UF_DONT_EXPIRE_PASSWD)
end

#password_is?(password) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/puppet/util/windows/adsi.rb', line 211

def password_is?(password)
  self.class.logon(name, password)
end

#remove_from_groups(*group_names) ⇒ Object Also known as: remove_from_group

# File 'lib/puppet/util/windows/adsi.rb', line 248

def remove_from_groups(*group_names)
  group_names.each do |group_name|
    Puppet::Util::Windows::ADSI::Group.new(group_name).remove_member_sids(sid)
  end
end

#remove_group_sids(*sids) ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 261

def remove_group_sids(*sids)
  group_names = sids.map { |s| s.domain_account }
  remove_from_groups(*group_names)
end

#set_groups(desired_groups, minimum = true) ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 270

def set_groups(desired_groups, minimum = true)
  return if desired_groups.nil?

  desired_groups = desired_groups.split(',').map(&:strip)

  current_hash = Hash[ self.group_sids.map { |sid| [sid.sid, sid] } ]
  desired_hash = self.class.name_sid_hash(desired_groups)

  # First we add the user to all the groups it should be in but isn't
  if !desired_groups.empty?
    groups_to_add = (desired_hash.keys - current_hash.keys).map { |sid| desired_hash[sid] }
    add_group_sids(*groups_to_add)
  end

  # Then we remove the user from all groups it is in but shouldn't be, if
  # that's been requested
  if !minimum
    if desired_hash.empty?
      groups_to_remove = current_hash.values
    else
      groups_to_remove = (current_hash.keys - desired_hash.keys).map { |sid| current_hash[sid] }
    end

    remove_group_sids(*groups_to_remove)
  end
end

#uri ⇒ Object

# File 'lib/puppet/util/windows/adsi.rb', line 178

def uri
  self.class.uri(sid.account, sid.domain)
end