Module: Puppet::Util::Windows::User Private

Extended by:
FFI::Library, String
Defined in:
lib/puppet/util/windows/user.rb

This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.

Defined Under Namespace

Classes: LSA_OBJECT_ATTRIBUTES, LSA_UNICODE_STRING, PROFILEINFO

Constant Summary collapse

SECURITY_MAX_SID_SIZE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

msdn.microsoft.com/en-us/library/windows/desktop/ee207397(v=vs.85).aspx

68
ERROR_ACCOUNT_RESTRICTION =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

msdn.microsoft.com/en-us/library/windows/desktop/ms681385(v=vs.85).aspx These error codes indicate successful authentication but failure to logon for a separate reason

1327
ERROR_INVALID_LOGON_HOURS =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

1328
ERROR_INVALID_WORKSTATION =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

1329
ERROR_ACCOUNT_DISABLED =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

1331
POLICY_VIEW_LOCAL_INFORMATION =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

ACCESS_MASK flags for Policy Objects docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/b61b7268-987a-420b-84f9-6c75f8dc8558

0x00000001
POLICY_VIEW_AUDIT_INFORMATION =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

0x00000002
POLICY_GET_PRIVATE_INFORMATION =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

0x00000004
POLICY_TRUST_ADMIN =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

0x00000008
POLICY_CREATE_ACCOUNT =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

0x00000010
POLICY_CREATE_SECRET =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

0x00000020
POLICY_CREATE_PRIVILEGE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

0x00000040
POLICY_SET_DEFAULT_QUOTA_LIMITS =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

0x00000080
POLICY_SET_AUDIT_REQUIREMENTS =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

0x00000100
POLICY_AUDIT_LOG_ADMIN =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

0x00000200
POLICY_SERVER_ADMIN =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

0x00000400
POLICY_LOOKUP_NAMES =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

0x00000800
POLICY_NOTIFICATION =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

0x00001000
WELL_KNOWN_SID_TYPE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

msdn.microsoft.com/en-us/library/windows/desktop/aa379650(v=vs.85).aspx

enum(
  :WinNullSid                                   , 0,
  :WinWorldSid                                  , 1,
  :WinLocalSid                                  , 2,
  :WinCreatorOwnerSid                           , 3,
  :WinCreatorGroupSid                           , 4,
  :WinCreatorOwnerServerSid                     , 5,
  :WinCreatorGroupServerSid                     , 6,
  :WinNtAuthoritySid                            , 7,
  :WinDialupSid                                 , 8,
  :WinNetworkSid                                , 9,
  :WinBatchSid                                  , 10,
  :WinInteractiveSid                            , 11,
  :WinServiceSid                                , 12,
  :WinAnonymousSid                              , 13,
  :WinProxySid                                  , 14,
  :WinEnterpriseControllersSid                  , 15,
  :WinSelfSid                                   , 16,
  :WinAuthenticatedUserSid                      , 17,
  :WinRestrictedCodeSid                         , 18,
  :WinTerminalServerSid                         , 19,
  :WinRemoteLogonIdSid                          , 20,
  :WinLogonIdsSid                               , 21,
  :WinLocalSystemSid                            , 22,
  :WinLocalServiceSid                           , 23,
  :WinNetworkServiceSid                         , 24,
  :WinBuiltinDomainSid                          , 25,
  :WinBuiltinAdministratorsSid                  , 26,
  :WinBuiltinUsersSid                           , 27,
  :WinBuiltinGuestsSid                          , 28,
  :WinBuiltinPowerUsersSid                      , 29,
  :WinBuiltinAccountOperatorsSid                , 30,
  :WinBuiltinSystemOperatorsSid                 , 31,
  :WinBuiltinPrintOperatorsSid                  , 32,
  :WinBuiltinBackupOperatorsSid                 , 33,
  :WinBuiltinReplicatorSid                      , 34,
  :WinBuiltinPreWindows2000CompatibleAccessSid  , 35,
  :WinBuiltinRemoteDesktopUsersSid              , 36,
  :WinBuiltinNetworkConfigurationOperatorsSid   , 37,
  :WinAccountAdministratorSid                   , 38,
  :WinAccountGuestSid                           , 39,
  :WinAccountKrbtgtSid                          , 40,
  :WinAccountDomainAdminsSid                    , 41,
  :WinAccountDomainUsersSid                     , 42,
  :WinAccountDomainGuestsSid                    , 43,
  :WinAccountComputersSid                       , 44,
  :WinAccountControllersSid                     , 45,
  :WinAccountCertAdminsSid                      , 46,
  :WinAccountSchemaAdminsSid                    , 47,
  :WinAccountEnterpriseAdminsSid                , 48,
  :WinAccountPolicyAdminsSid                    , 49,
  :WinAccountRasAndIasServersSid                , 50,
  :WinNTLMAuthenticationSid                     , 51,
  :WinDigestAuthenticationSid                   , 52,
  :WinSChannelAuthenticationSid                 , 53,
  :WinThisOrganizationSid                       , 54,
  :WinOtherOrganizationSid                      , 55,
  :WinBuiltinIncomingForestTrustBuildersSid     , 56,
  :WinBuiltinPerfMonitoringUsersSid             , 57,
  :WinBuiltinPerfLoggingUsersSid                , 58,
  :WinBuiltinAuthorizationAccessSid             , 59,
  :WinBuiltinTerminalServerLicenseServersSid    , 60,
  :WinBuiltinDCOMUsersSid                       , 61,
  :WinBuiltinIUsersSid                          , 62,
  :WinIUserSid                                  , 63,
  :WinBuiltinCryptoOperatorsSid                 , 64,
  :WinUntrustedLabelSid                         , 65,
  :WinLowLabelSid                               , 66,
  :WinMediumLabelSid                            , 67,
  :WinHighLabelSid                              , 68,
  :WinSystemLabelSid                            , 69,
  :WinWriteRestrictedCodeSid                    , 70,
  :WinCreatorOwnerRightsSid                     , 71,
  :WinCacheablePrincipalsGroupSid               , 72,
  :WinNonCacheablePrincipalsGroupSid            , 73,
  :WinEnterpriseReadonlyControllersSid          , 74,
  :WinAccountReadonlyControllersSid             , 75,
  :WinBuiltinEventLogReadersGroup               , 76,
  :WinNewEnterpriseReadonlyControllersSid       , 77,
  :WinBuiltinCertSvcDComAccessGroup             , 78,
  :WinMediumPlusLabelSid                        , 79,
  :WinLocalLogonSid                             , 80,
  :WinConsoleLogonSid                           , 81,
  :WinThisOrganizationCertificateSid            , 82,
  :WinApplicationPackageAuthoritySid            , 83,
  :WinBuiltinAnyPackageSid                      , 84,
  :WinCapabilityInternetClientSid               , 85,
  :WinCapabilityInternetClientServerSid         , 86,
  :WinCapabilityPrivateNetworkClientServerSid   , 87,
  :WinCapabilityPicturesLibrarySid              , 88,
  :WinCapabilityVideosLibrarySid                , 89,
  :WinCapabilityMusicLibrarySid                 , 90,
  :WinCapabilityDocumentsLibrarySid             , 91,
  :WinCapabilitySharedUserCertificatesSid       , 92,
  :WinCapabilityEnterpriseAuthenticationSid     , 93,
  :WinCapabilityRemovableStorageSid             , 94
)

Class Method Summary collapse

Methods included from String

wide_string

Class Method Details

.admin?Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns:

  • (Boolean)

9
10
11
12
13
14
15
# File 'lib/puppet/util/windows/user.rb', line 9

def admin?
  return false unless check_token_membership

  # if Vista or later, check for unrestricted process token
  elevated_supported = Puppet::Util::Windows::Process.supports_elevated_security?
  return elevated_supported ? Puppet::Util::Windows::Process.elevated_security? : true
end

.check_token_membershipObject

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.


46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# File 'lib/puppet/util/windows/user.rb', line 46

def check_token_membership
  is_admin = false
  FFI::MemoryPointer.new(:byte, SECURITY_MAX_SID_SIZE) do |sid_pointer|
    FFI::MemoryPointer.new(:dword, 1) do |size_pointer|
      size_pointer.write_uint32(SECURITY_MAX_SID_SIZE)

      if CreateWellKnownSid(:WinBuiltinAdministratorsSid, FFI::Pointer::NULL, sid_pointer, size_pointer) == FFI::WIN32_FALSE
        raise Puppet::Util::Windows::Error.new(_("Failed to create administrators SID"))
      end
    end

    if IsValidSid(sid_pointer) == FFI::WIN32_FALSE
      raise Puppet::Util::Windows::Error.new(_("Invalid SID"))
    end

    FFI::MemoryPointer.new(:win32_bool, 1) do |ismember_pointer|
      if CheckTokenMembership(FFI::Pointer::NULL_HANDLE, sid_pointer, ismember_pointer) == FFI::WIN32_FALSE
        raise Puppet::Util::Windows::Error.new(_("Failed to check membership"))
      end

      # Is administrators SID enabled in calling thread's access token?
      is_admin = ismember_pointer.read_win32_bool
    end
  end

  is_admin
end

.default_system_account?(name) ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Check if a given user is one of the default system accounts These accounts do not have a password and all checks done through logon attempt will fail docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#default-local-system-accounts

Returns:

  • (Boolean)

29
30
31
32
# File 'lib/puppet/util/windows/user.rb', line 29

def default_system_account?(name)
  user_sid = Puppet::Util::Windows::SID.name_to_sid(name)
  [Puppet::Util::Windows::SID::LocalSystem, Puppet::Util::Windows::SID::NtLocal, Puppet::Util::Windows::SID::NtNetwork].include?(user_sid)
end

.get_rights(name) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.


147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
# File 'lib/puppet/util/windows/user.rb', line 147

def get_rights(name)
   = Puppet::Util::Windows::SID.name_to_principal(name.sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\"))
  return "" unless 

  rights = []
  rights_pointer = FFI::MemoryPointer.new(:pointer)
  number_of_rights = FFI::MemoryPointer.new(:ulong)
  sid_pointer = FFI::MemoryPointer.new(:byte, .sid_bytes.length).write_array_of_uchar(.sid_bytes)

  new_lsa_policy_handle do |policy_handle|
    result = LsaEnumerateAccountRights(policy_handle.read_pointer, sid_pointer, rights_pointer, number_of_rights)
    check_lsa_nt_status_and_raise_failures(result, "LsaEnumerateAccountRights")
  end

  number_of_rights.read_ulong.times do |index|
    right = LSA_UNICODE_STRING.new(rights_pointer.read_pointer + index * LSA_UNICODE_STRING.size)
    rights << right[:Buffer].read_arbitrary_wide_string_up_to
  end

  result = LsaFreeMemory(rights_pointer.read_pointer)
  check_lsa_nt_status_and_raise_failures(result, "LsaFreeMemory")

  rights.join(",")
end

.load_profile(user, password) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.


124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
# File 'lib/puppet/util/windows/user.rb', line 124

def load_profile(user, password)
  logon_user(user, password) do |token|
    FFI::MemoryPointer.from_string_to_wide_string(user) do |lpUserName|
      pi = PROFILEINFO.new
      pi[:dwSize] = PROFILEINFO.size
      pi[:dwFlags] = 1 # PI_NOUI - prevents display of profile error msgs
      pi[:lpUserName] = lpUserName

      # Load the profile. Since it doesn't exist, it will be created
      if LoadUserProfileW(token, pi.pointer) == FFI::WIN32_FALSE
        raise Puppet::Util::Windows::Error.new(_("Failed to load user profile %{user}") % { user: user.inspect })
      end

      Puppet.debug("Loaded profile for #{user}")

      if UnloadUserProfile(token, pi[:hProfile]) == FFI::WIN32_FALSE
        raise Puppet::Util::Windows::Error.new(_("Failed to unload user profile %{user}") % { user: user.inspect })
      end
    end
  end
end

.localsystem?(name) ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

The name of the account in all locales is `LocalSystem`. `.LocalSystem` or `ComputerNameLocalSystem' can also be used. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the `LookupAccountName` function. docs.microsoft.com/en-us/windows/win32/services/localsystem-account

Returns:

  • (Boolean)

21
22
23
# File 'lib/puppet/util/windows/user.rb', line 21

def localsystem?(name)
  ["LocalSystem", ".\\LocalSystem", "#{Puppet::Util::Windows::ADSI.computer_name}\\LocalSystem"].any?{ |s| s.casecmp(name) == 0 }
end

.logon_user(name, password, domain = '.', &block) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.


92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
# File 'lib/puppet/util/windows/user.rb', line 92

def logon_user(name, password, domain = '.', &block)
  fLOGON32_PROVIDER_DEFAULT = 0
  fLOGON32_LOGON_INTERACTIVE = 2
  fLOGON32_LOGON_NETWORK = 3

  token = nil
  begin
    FFI::MemoryPointer.new(:handle, 1) do |token_pointer|
      #try logon using network else try logon using interactive mode
      if logon_user_by_logon_type(name, domain, password, fLOGON32_LOGON_NETWORK, fLOGON32_PROVIDER_DEFAULT, token_pointer) == FFI::WIN32_FALSE
        if logon_user_by_logon_type(name, domain, password, fLOGON32_LOGON_INTERACTIVE, fLOGON32_PROVIDER_DEFAULT, token_pointer) == FFI::WIN32_FALSE
          raise Puppet::Util::Windows::Error.new(_("Failed to logon user %{name}") % {name: name.inspect})
        end
      end

      yield token = token_pointer.read_handle
    end
  ensure
    FFI::WIN32.CloseHandle(token) if token
  end

  # token has been closed by this point
  true
end

.password_is?(name, password, domain = '.') ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns:

  • (Boolean)

75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# File 'lib/puppet/util/windows/user.rb', line 75

def password_is?(name, password, domain = '.')
  begin
    logon_user(name, password, domain) { |token| }
  rescue Puppet::Util::Windows::Error => detail

    authenticated_error_codes = Set[
      ERROR_ACCOUNT_RESTRICTION,
      ERROR_INVALID_LOGON_HOURS,
      ERROR_INVALID_WORKSTATION,
      ERROR_ACCOUNT_DISABLED,
    ]

    return authenticated_error_codes.include?(detail.code)
  end
end

.remove_rights(name, rights) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.


185
186
187
188
189
190
191
192
193
194
# File 'lib/puppet/util/windows/user.rb', line 185

def remove_rights(name, rights)
  rights_pointer = new_lsa_unicode_strings_pointer(rights)
   = Puppet::Util::Windows::SID.name_to_principal(name.sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\"))
  sid_pointer = FFI::MemoryPointer.new(:byte, .sid_bytes.length).write_array_of_uchar(.sid_bytes)

  new_lsa_policy_handle do |policy_handle|
    result = LsaRemoveAccountRights(policy_handle.read_pointer, sid_pointer, false, rights_pointer, rights.size)
    check_lsa_nt_status_and_raise_failures(result, "LsaRemoveAccountRights")
  end
end

.set_rights(name, rights) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.


173
174
175
176
177
178
179
180
181
182
# File 'lib/puppet/util/windows/user.rb', line 173

def set_rights(name, rights)
  rights_pointer = new_lsa_unicode_strings_pointer(rights)
   = Puppet::Util::Windows::SID.name_to_principal(name.sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\"))
  sid_pointer = FFI::MemoryPointer.new(:byte, .sid_bytes.length).write_array_of_uchar(.sid_bytes)

  new_lsa_policy_handle do |policy_handle|
    result = LsaAddAccountRights(policy_handle.read_pointer, sid_pointer, rights_pointer, rights.size)
    check_lsa_nt_status_and_raise_failures(result, "LsaAddAccountRights")
  end
end