Merge pull request #8566 from luchihoratiu/PUP-10999

ciprianbadescu · web-flow · commit c7072d5f3cbd · 2021-05-07T15:47:06.000+03:00
(PUP-10999) Fix logon account setting for Windows services
diff --git a/acceptance/tests/resource/service/windows.rb b/acceptance/tests/resource/service/windows.rb
@@ -45,10 +45,27 @@ def service_manifest(name, params)
   }
 
   new_user = "tempUser#{rand(999999).to_i}"
+  fresh_user = "freshUser#{rand(999999).to_i}"
+
+  fresh_user_manifest = <<-MANIFEST
+    user { '#{fresh_user}':
+      ensure => present,
+      password => 'freshUserPassword',
+      roles => 'SeServiceLogonRight'
+    }
+
+    service { '#{mock_service_nofail[:name]}':
+      logonaccount => '#{fresh_user}',
+      logonpassword => 'freshUserPassword',
+      require => User['#{fresh_user}']
+    }
+  MANIFEST
 
   teardown do
+    delete_service(agent, mock_service_nofail[:name])
     delete_service(agent, mock_service_long_start_stop[:name])
     on(agent, puppet("resource user #{new_user} ensure=absent"))
+    on(agent, puppet("resource user #{fresh_user} ensure=absent"))
   end
 
   agents.each do |agent|
@@ -87,10 +104,22 @@ def service_manifest(name, params)
       assert_service_properties_on(agent, mock_service_nofail[:name], State: 'Running')
     end
 
-    step 'Verify that we can change logonaccount, for an already running service, using SID' do
+    step 'Verify that we can change logonaccount, for an already running service, using user created in the same manifest' do
       assert_service_properties_on(agent, mock_service_nofail[:name], StartName: 'LocalSystem')
+      apply_manifest_on(agent, fresh_user_manifest, expect_changes: true)
+      assert_service_properties_on(agent, mock_service_nofail[:name], StartName: fresh_user)
+    end
+
+    step 'Verify that running the same manifest twice causes no more changes' do
+      assert_service_properties_on(agent, mock_service_nofail[:name], StartName: fresh_user)
+      apply_manifest_on(agent, fresh_user_manifest, catch_changes: true)
+      assert_service_properties_on(agent, mock_service_nofail[:name], StartName: fresh_user)
+    end
+
+    step 'Verify that we can change logonaccount, for an already running service, using SID' do
+      assert_service_properties_on(agent, mock_service_nofail[:name], StartName: fresh_user)
       on(agent, puppet("resource service #{mock_service_nofail[:name]} logonaccount=S-1-5-19")) do |result|
-        assert_match(/Service\[#{mock_service_nofail[:name]}\]\/logonaccount: logonaccount changed 'LocalSystem' to '#{Regexp.escape(local_service_locale_name)}'/, result.stdout)
+        assert_match(/Service\[#{mock_service_nofail[:name]}\]\/logonaccount: logonaccount changed '.\\#{fresh_user}' to '#{Regexp.escape(local_service_locale_name)}'/, result.stdout)
         assert_no_match(/Transitioning the #{mock_service_nofail[:name]} service from SERVICE_RUNNING to SERVICE_STOPPED/, result.stdout, 
           "Expected no service restarts since ensure isn't being managed as 'running'.")
         assert_no_match(/Successfully started the #{mock_service_nofail[:name]} service/, result.stdout)
@@ -218,7 +247,7 @@ def service_manifest(name, params)
     end
 
     step 'Verify that a user with `Logon As A Service` right denied will raise error when managing it as logonaccount for a service' do
-      apply_manifest_on(agent, service_manifest(mock_service_nofail[:name], logonaccount: new_user), :acceptable_exit_codes => [1], catch_changes: true) do |result|
+      apply_manifest_on(agent, service_manifest(mock_service_nofail[:name], logonaccount: new_user), :acceptable_exit_codes => [1, 4]) do |result|
         assert_match(/#{new_user}\" has the 'Log On As A Service' right set to denied./, result.stderr)
       end
       assert_service_properties_on(agent, mock_service_nofail[:name], StartName: new_user, State: 'Stopped')
diff --git a/lib/puppet/provider/service/windows.rb b/lib/puppet/provider/service/windows.rb
@@ -128,17 +128,55 @@ def self.instances
     services
   end
 
+  def logonaccount_insync?(current)
+    @normalized_logon_account ||= normalize_logonaccount
+    @resource[:logonaccount] = @normalized_logon_account
+
+    insync = @resource[:logonaccount] == current
+    self.logonpassword = @resource[:logonpassword] if insync
+    insync
+  end
+
   def logonaccount
     return unless Puppet::Util::Windows::Service.exists?(@resource[:name])
     Puppet::Util::Windows::Service.logon_account(@resource[:name])
   end
 
   def logonaccount=(value)
+    validate_logon_credentials
     Puppet::Util::Windows::Service.set_startup_configuration(@resource[:name], options: {logon_account: value, logon_password: @resource[:logonpassword]})
     restart if @resource[:ensure] == :running && [:running, :paused].include?(status)
   end
 
   def logonpassword=(value)
+    validate_logon_credentials
     Puppet::Util::Windows::Service.set_startup_configuration(@resource[:name], options: {logon_password: value})
   end
+
+  private
+
+  def normalize_logonaccount
+    logon_account = @resource[:logonaccount].sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\")
+    return 'LocalSystem' if Puppet::Util::Windows::User::localsystem?(logon_account)
+
+    @logonaccount_information ||= Puppet::Util::Windows::SID.name_to_principal(logon_account)
+    return logon_account unless @logonaccount_information
+    return ".\\#{@logonaccount_information.account}" if @logonaccount_information.domain == Puppet::Util::Windows::ADSI.computer_name
+    @logonaccount_information.domain_account
+  end
+
+  def validate_logon_credentials
+    unless Puppet::Util::Windows::User::localsystem?(@normalized_logon_account)
+      raise Puppet::Error.new("\"#{@normalized_logon_account}\" is not a valid account") unless @logonaccount_information && [:SidTypeUser, :SidTypeWellKnownGroup].include?(@logonaccount_information.account_type)
+
+      user_rights = Puppet::Util::Windows::User::get_rights(@logonaccount_information.domain_account) unless Puppet::Util::Windows::User::default_system_account?(@normalized_logon_account)
+      raise Puppet::Error.new("\"#{@normalized_logon_account}\" has the 'Log On As A Service' right set to denied.") if user_rights =~ /SeDenyServiceLogonRight/
+      raise Puppet::Error.new("\"#{@normalized_logon_account}\" is missing the 'Log On As A Service' right.") unless user_rights.nil? || user_rights =~ /SeServiceLogonRight/
+    end
+
+    is_a_predefined_local_account = Puppet::Util::Windows::User::default_system_account?(@normalized_logon_account) || @normalized_logon_account == 'LocalSystem'
+    account_info = @normalized_logon_account.split("\\")
+    able_to_logon = Puppet::Util::Windows::User.password_is?(account_info[1], @resource[:logonpassword], account_info[0]) unless is_a_predefined_local_account
+    raise Puppet::Error.new("The given password is invalid for user '#{@normalized_logon_account}'.") unless is_a_predefined_local_account || able_to_logon
+  end
 end
diff --git a/lib/puppet/type/service.rb b/lib/puppet/type/service.rb
@@ -139,42 +139,17 @@ def sync
     newproperty(:logonaccount, :required_features => :manages_logon_credentials) do
       desc "Specify an account for service logon"
 
-      munge do |value|
-        return value unless Puppet::Util::Platform.windows?
-        return 'LocalSystem' if Puppet::Util::Windows::User::localsystem?(value)
-
-        value.sub!(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\")
-        user_information = Puppet::Util::Windows::SID.name_to_principal(value)
-        raise Puppet::Error.new("\"#{value}\" is not a valid account") unless user_information && [:SidTypeUser, :SidTypeWellKnownGroup].include?(user_information.account_type)
-
-        user_rights = Puppet::Util::Windows::User::get_rights(user_information.domain_account) unless Puppet::Util::Windows::User::default_system_account?(value)
-        raise Puppet::Error.new("\"#{user_information.domain_account}\" has the 'Log On As A Service' right set to denied.") if user_rights =~ /SeDenyServiceLogonRight/
-        raise Puppet::Error.new("\"#{user_information.domain_account}\" is missing the 'Log On As A Service' right.") unless user_rights.nil? || user_rights =~ /SeServiceLogonRight/
-
-        if user_information.domain == Puppet::Util::Windows::ADSI.computer_name
-          ".\\#{user_information.account}"
-        else
-          user_information.domain_account
-        end
+      def insync?(current)
+        return provider.logonaccount_insync?(current) if provider.respond_to?(:logonaccount_insync?)
+        super(current)
       end
     end
 
     newparam(:logonpassword, :required_features => :manages_logon_credentials) do
       desc "Specify a password for service logon. Default value is an empty string (when logonaccount is specified)."
 
       validate do |value|
-        raise Puppet::Error.new(_"The 'logonaccount' parameter is mandatory when setting 'logonpassword'.") unless @resource[:logonaccount]
-        raise ArgumentError, _("Passwords cannot include ':'") if value.is_a?(String) and value.include?(":")
-        return unless Puppet::Util::Platform.windows?
-
-        is_a_predefined_local_account = Puppet::Util::Windows::User::default_system_account?(@resource[:logonaccount]) || @resource[:logonaccount] == 'LocalSystem'
-
-        account_info = @resource[:logonaccount].split("\\")
-        able_to_logon = Puppet::Util::Windows::User.password_is?(account_info[1], value, account_info[0]) unless is_a_predefined_local_account
-
-        raise Puppet::Error.new("The given password is invalid for user '#{@resource[:logonaccount]}'.") unless is_a_predefined_local_account || able_to_logon
-
-        provider.logonpassword=(value)
+        raise ArgumentError, _("Passwords cannot include ':'") if value.is_a?(String) && value.include?(":")
       end
 
       sensitive true
@@ -320,5 +295,11 @@ def refresh
     def self.needs_ensure_retrieved
       false
     end
+
+    validate do
+      if @parameters[:logonpassword] && @parameters[:logonaccount].nil?
+        raise Puppet::Error.new(_"The 'logonaccount' parameter is mandatory when setting 'logonpassword'.")
+      end
+    end
   end
 end
diff --git a/spec/unit/provider/service/windows_spec.rb b/spec/unit/provider/service/windows_spec.rb
@@ -271,4 +271,206 @@
       }.to raise_error(Puppet::Error, /Cannot enable #{name}/)
     end
   end
+
+  describe "when managing logon credentials" do
+    before do
+      allow(Puppet::Util::Windows::ADSI).to receive(:computer_name).and_return(computer_name)
+      allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(principal)
+      allow(Puppet::Util::Windows::Service).to receive(:set_startup_configuration).and_return(nil)
+    end
+
+    let(:computer_name) { 'myPC' }
+
+    describe "#logonaccount=" do
+      before do
+        allow(Puppet::Util::Windows::User).to receive(:password_is?).and_return(true)
+        resource[:logonaccount] = user_input
+        provider.logonaccount_insync?(user_input)
+      end
+
+      let(:user_input) { principal.account }
+      let(:principal) do
+        Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, computer_name, :SidTypeUser)
+      end
+
+      context "when given user is 'myUser'" do
+        it "should fail when the `Log On As A Service` right is missing from given user" do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("")
+          expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /".\\#{principal.account}" is missing the 'Log On As A Service' right./)
+        end
+
+        it "should fail when the `Log On As A Service` right is set to denied for given user" do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeDenyServiceLogonRight")
+          expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /".\\#{principal.account}" has the 'Log On As A Service' right set to denied./)
+        end
+
+        it "should not fail when given user has the `Log On As A Service` right" do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeServiceLogonRight")
+          expect { provider.logonaccount=(user_input) }.not_to raise_error
+        end
+
+        ['myUser', 'myPC\\myUser', ".\\myUser", "MYPC\\mYuseR"].each do |user_input_variant|
+          let(:user_input) { user_input_variant }
+
+          it "should succesfully munge #{user_input_variant} to '.\\myUser'" do
+            allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeServiceLogonRight")
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq(".\\myUser")
+          end
+        end
+      end
+
+      context "when given user is a system account" do
+        before do
+          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).and_return(true)
+        end
+
+        let(:user_input) { principal.account }
+        let(:principal) do
+          Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser)
+        end
+
+        it "should not fail when given user is a default system account even if the `Log On As A Service` right is missing" do
+          expect(Puppet::Util::Windows::User).not_to receive(:get_rights)
+          expect { provider.logonaccount=(user_input) }.not_to raise_error
+        end
+
+        ['LocalSystem', '.\LocalSystem', 'myPC\LocalSystem', 'lOcALsysTem'].each do |user_input_variant|
+          let(:user_input) { user_input_variant }
+
+          it "should succesfully munge #{user_input_variant} to 'LocalSystem'" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('LocalSystem')
+          end
+        end
+      end
+
+      context "when domain is different from computer name" do
+        before do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return("SeServiceLogonRight")
+        end
+
+        context "when given user is from AD" do
+          let(:user_input) { 'myRemoteUser' }
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("myRemoteUser", nil, nil, "AD", :SidTypeUser)
+          end
+
+          it "should not raise any error" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+          end
+
+          it "should succesfully be munged" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('AD\myRemoteUser')
+          end
+        end
+
+        context "when given user is LocalService" do
+          let(:user_input) { 'LocalService' }
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeWellKnownGroup)
+          end
+
+          it "should succesfully munge well known user" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('NT AUTHORITY\LOCAL SERVICE')
+          end
+        end
+
+        context "when given user is in SID form" do
+          let(:user_input) { 'S-1-5-20' }
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("NETWORK SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser)
+          end
+
+          it "should succesfully munge" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('NT AUTHORITY\NETWORK SERVICE')
+          end
+        end
+
+        context "when given user is actually a group" do
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("Administrators", nil, nil, "BUILTIN", :SidTypeAlias)
+          end
+          let(:user_input) { 'Administrators' }
+
+          it "should fail when sid type is not user or well known user" do
+            expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /"BUILTIN\\#{user_input}" is not a valid account/)
+          end
+        end
+      end
+    end
+
+    describe "#logonpassword=" do
+      before do
+        allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return('SeServiceLogonRight')
+        resource[:logonaccount] = account
+        resource[:logonpassword] = user_input
+        provider.logonaccount_insync?(account)
+      end
+
+      let(:account) { 'LocalSystem' }
+
+      describe "when given logonaccount is a predefined_local_account" do
+        let(:user_input) { 'pass' }
+        let(:principal) { nil }
+
+        it "should pass validation when given account is 'LocalSystem'" do
+          allow(Puppet::Util::Windows::User).to receive(:localsystem?).with('LocalSystem').and_return(true)
+          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('LocalSystem').and_return(true)
+
+          expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
+          expect { provider.logonpassword=(user_input) }.not_to raise_error
+        end
+
+        ['LOCAL SERVICE', 'NETWORK SERVICE', 'SYSTEM'].each do |predefined_local_account|
+          describe "when given account is #{predefined_local_account}" do
+            let(:account) { 'predefined_local_account' }
+            let(:principal) do
+              Puppet::Util::Windows::SID::Principal.new(account, nil, nil, "NT AUTHORITY", :SidTypeUser)
+            end
+
+            it "should pass validation" do
+              allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(principal.account).and_return(false)
+              allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(principal.domain_account).and_return(false)
+              expect(Puppet::Util::Windows::User).to receive(:default_system_account?).with(principal.domain_account).and_return(true).twice
+
+              expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
+              expect { provider.logonpassword=(user_input) }.not_to raise_error
+            end
+          end
+        end
+      end
+
+      describe "when given logonaccount is not a predefined local account" do
+        before do
+          allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(".\\#{principal.account}").and_return(false)
+          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with(".\\#{principal.account}").and_return(false)
+        end
+
+        let(:account) { 'myUser' }
+        let(:principal) do
+          Puppet::Util::Windows::SID::Principal.new(account, nil, nil, computer_name, :SidTypeUser)
+        end
+
+        describe "when password is proven correct" do
+          let(:user_input) { 'myPass' }
+          it "should pass validation" do
+            allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myPass', '.').and_return(true)
+            expect { provider.logonpassword=(user_input) }.not_to raise_error
+          end
+        end
+
+        describe "when password is not proven correct" do
+          let(:user_input) { 'myWrongPass' }
+          it "should not pass validation" do
+            allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myWrongPass', '.').and_return(false)
+            expect { provider.logonpassword=(user_input) }.to raise_error(Puppet::Error, /The given password is invalid for user '.\\myUser'/)
+          end
+        end
+      end
+    end
+  end
 end
diff --git a/spec/unit/type/service_spec.rb b/spec/unit/type/service_spec.rb
