Class: Puppet::Util::Windows::SID::Principal

Inherits:

Object

• Object
• Puppet::Util::Windows::SID::Principal

Extended by:

FFI::Library

Defined in:

lib/puppet/util/windows.rb,
lib/puppet/util/windows/principal.rb

Constant Summary

MAXIMUM_SID_BYTE_LENGTH =

8 + max sub identifiers (15) * 4

68

ERROR_INVALID_PARAMETER =

87

ERROR_INSUFFICIENT_BUFFER =

122

SID_NAME_USE =

msdn.microsoft.com/en-us/library/windows/desktop/aa379601(v=vs.85).aspx

enum(
  :SidTypeUser, 1,
  :SidTypeGroup, 2,
  :SidTypeDomain, 3,
  :SidTypeAlias, 4,
  :SidTypeWellKnownGroup, 5,
  :SidTypeDeletedAccount, 6,
  :SidTypeInvalid, 7,
  :SidTypeUnknown, 8,
  :SidTypeComputer, 9,
  :SidTypeLabel, 10
)

Instance Attribute Summary

• #account ⇒ Object readonly

  Returns the value of attribute account.

• #account_type ⇒ Object readonly

  Returns the value of attribute account_type.

• #domain ⇒ Object readonly

  Returns the value of attribute domain.

• #domain_account ⇒ Object readonly

  Returns the value of attribute domain_account.

• #sid ⇒ Object readonly

  Returns the value of attribute sid.

• #sid_bytes ⇒ Object readonly

  Returns the value of attribute sid_bytes.

Class Method Summary

• .lookup_account_name(system_name = nil, sanitize = true, account_name) ⇒ Object
• .lookup_account_sid(system_name = nil, sid_bytes) ⇒ Object

Instance Method Summary

• #==(compare) ⇒ Object

  added for backward compatibility.

• #initialize(account, sid_bytes, sid, domain, account_type) ⇒ Principal constructor

  A new instance of Principal.

• #to_s ⇒ Object

  returns authority qualified account name prefer to compare Principal instances with == operator or by #sid.

Constructor Details

#initialize(account, sid_bytes, sid, domain, account_type) ⇒ Principal

Returns a new instance of Principal.

# File 'lib/puppet/util/windows/principal.rb', line 10

def initialize(account, sid_bytes, sid, domain, account_type)
  # This is only ever called from lookup_account_sid which has already
  # removed the potential for passing in an account like host\user
  @account = account
  @sid_bytes = sid_bytes
  @sid = sid
  @domain = domain
  @account_type = account_type
  # When domain is available and it is a Domain principal, use domain only
  #   otherwise if domain is available then combine it with parsed account
  #   otherwise when the domain is not available, use the account value directly
  # WinNT naming standard https://msdn.microsoft.com/en-us/library/windows/desktop/aa746534(v=vs.85).aspx
  if domain && !domain.empty? && @account_type == :SidTypeDomain
    @domain_account = @domain
  elsif domain && !domain.empty?
    @domain_account = "#{domain}\\#{@account}"
  else
    @domain_account = account
  end
end

Instance Attribute Details

#account ⇒ Object (readonly)

Returns the value of attribute account.

# File 'lib/puppet/util/windows/principal.rb', line 8

def account
  @account
end

#account_type ⇒ Object (readonly)

Returns the value of attribute account_type.

# File 'lib/puppet/util/windows/principal.rb', line 8

def account_type
  @account_type
end

#domain ⇒ Object (readonly)

Returns the value of attribute domain.

# File 'lib/puppet/util/windows/principal.rb', line 8

def domain
  @domain
end

#domain_account ⇒ Object (readonly)

Returns the value of attribute domain_account.

# File 'lib/puppet/util/windows/principal.rb', line 8

def domain_account
  @domain_account
end

#sid ⇒ Object (readonly)

Returns the value of attribute sid.

# File 'lib/puppet/util/windows/principal.rb', line 8

def sid
  @sid
end

#sid_bytes ⇒ Object (readonly)

Returns the value of attribute sid_bytes.

# File 'lib/puppet/util/windows/principal.rb', line 8

def sid_bytes
  @sid_bytes
end

Class Method Details

.lookup_account_name(system_name = nil, sanitize = true, account_name) ⇒ Object

# File 'lib/puppet/util/windows/principal.rb', line 49

def self.lookup_account_name(system_name = nil, sanitize = true, account_name)
  account_name = sanitize_account_name(account_name) if sanitize
  system_name_ptr = FFI::Pointer::NULL
  begin
    if system_name
      system_name_wide = Puppet::Util::Windows::String.wide_string(system_name)
      system_name_ptr = FFI::MemoryPointer.from_wide_string(system_name_wide)
    end

    FFI::MemoryPointer.from_string_to_wide_string(account_name) do |account_name_ptr|
      FFI::MemoryPointer.new(:byte, MAXIMUM_SID_BYTE_LENGTH) do |sid_ptr|
        FFI::MemoryPointer.new(:dword, 1) do |sid_length_ptr|
          FFI::MemoryPointer.new(:dword, 1) do |domain_length_ptr|
            FFI::MemoryPointer.new(:uint32, 1) do |name_use_enum_ptr|
              sid_length_ptr.write_dword(MAXIMUM_SID_BYTE_LENGTH)
              success = LookupAccountNameW(system_name_ptr, account_name_ptr, sid_ptr, sid_length_ptr,
                                           FFI::Pointer::NULL, domain_length_ptr, name_use_enum_ptr)
              last_error = FFI.errno

              if success == FFI::WIN32_FALSE && last_error != ERROR_INSUFFICIENT_BUFFER
                raise Puppet::Util::Windows::Error.new(_('Failed to call LookupAccountNameW with account: %{account_name}') % { account_name: account_name }, last_error)
              end

              FFI::MemoryPointer.new(:lpwstr, domain_length_ptr.read_dword) do |domain_ptr|
                if LookupAccountNameW(system_name_ptr, account_name_ptr,
                                      sid_ptr, sid_length_ptr,
                                      domain_ptr, domain_length_ptr, name_use_enum_ptr) == FFI::WIN32_FALSE
                  raise Puppet::Util::Windows::Error, _('Failed to call LookupAccountNameW with account: %{account_name}') % { account_name: account_name }
                end

                # with a SID returned, loop back through lookup_account_sid to retrieve official name
                # necessary when accounts like . or '' are passed in
                return lookup_account_sid(
                  system_name,
                  sid_ptr.read_bytes(sid_length_ptr.read_dword).unpack('C*')
                )
              end
            end
          end
        end
      end
    end
  ensure
    system_name_ptr.free if system_name_ptr != FFI::Pointer::NULL
  end
end

.lookup_account_sid(system_name = nil, sid_bytes) ⇒ Object

# File 'lib/puppet/util/windows/principal.rb', line 96

def self.lookup_account_sid(system_name = nil, sid_bytes)
  system_name_ptr = FFI::Pointer::NULL
  if sid_bytes.nil? || (!sid_bytes.is_a? Array) || (sid_bytes.length == 0)
    # TRANSLATORS `lookup_account_sid` is a variable name and should not be translated
    raise Puppet::Util::Windows::Error, _('Byte array for lookup_account_sid must not be nil and must be at least 1 byte long')
  end

  begin
    if system_name
      system_name_wide = Puppet::Util::Windows::String.wide_string(system_name)
      system_name_ptr = FFI::MemoryPointer.from_wide_string(system_name_wide)
    end

    FFI::MemoryPointer.new(:byte, sid_bytes.length) do |sid_ptr|
      FFI::MemoryPointer.new(:dword, 1) do |name_length_ptr|
        FFI::MemoryPointer.new(:dword, 1) do |domain_length_ptr|
          FFI::MemoryPointer.new(:uint32, 1) do |name_use_enum_ptr|
            sid_ptr.write_array_of_uchar(sid_bytes)

            if Puppet::Util::Windows::SID.IsValidSid(sid_ptr) == FFI::WIN32_FALSE
              raise Puppet::Util::Windows::Error.new(_('Byte array for lookup_account_sid is invalid: %{sid_bytes}') % { sid_bytes: sid_bytes }, ERROR_INVALID_PARAMETER)
            end

            success = LookupAccountSidW(system_name_ptr, sid_ptr, FFI::Pointer::NULL, name_length_ptr,
                                        FFI::Pointer::NULL, domain_length_ptr, name_use_enum_ptr)
            last_error = FFI.errno

            if success == FFI::WIN32_FALSE && last_error != ERROR_INSUFFICIENT_BUFFER
              raise Puppet::Util::Windows::Error.new(_('Failed to call LookupAccountSidW with bytes: %{sid_bytes}') % { sid_bytes: sid_bytes }, last_error)
            end

            FFI::MemoryPointer.new(:lpwstr, name_length_ptr.read_dword) do |name_ptr|
              FFI::MemoryPointer.new(:lpwstr, domain_length_ptr.read_dword) do |domain_ptr|
                if LookupAccountSidW(system_name_ptr, sid_ptr, name_ptr, name_length_ptr,
                                     domain_ptr, domain_length_ptr, name_use_enum_ptr) == FFI::WIN32_FALSE
                  raise Puppet::Util::Windows::Error, _('Failed to call LookupAccountSidW with bytes: %{sid_bytes}') % { sid_bytes: sid_bytes }
                end

                return new(
                  name_ptr.read_wide_string(name_length_ptr.read_dword),
                  sid_bytes,
                  Puppet::Util::Windows::SID.sid_ptr_to_string(sid_ptr),
                  domain_ptr.read_wide_string(domain_length_ptr.read_dword),
                  SID_NAME_USE[name_use_enum_ptr.read_uint32]
                )
              end
            end
          end
        end
      end
    end
  ensure
    system_name_ptr.free if system_name_ptr != FFI::Pointer::NULL
  end
end

Instance Method Details

#==(compare) ⇒ Object

added for backward compatibility

# File 'lib/puppet/util/windows/principal.rb', line 32

def ==(compare)
  compare.is_a?(Puppet::Util::Windows::SID::Principal) &&
    @sid_bytes == compare.sid_bytes
end

#to_s ⇒ Object

returns authority qualified account name prefer to compare Principal instances with == operator or by #sid

# File 'lib/puppet/util/windows/principal.rb', line 39

def to_s
  @domain_account
end