class Inspec::Resources::WindowsFilePermissions

Public Instance Methods

# File lib/inspec/resources/file.rb, line 247
# Mask-style (POSIX octal) permission checks have no meaning on Windows ACLs, so
# this always raises a RuntimeError.  The parameters are accepted only to keep
# the interface identical to the Unix implementation; none of them is read.
def check_file_permission_by_mask(_file, _access_type, _usergroup, _specific_user)
  message = "`check_file_permission_by_mask` is not supported on Windows"
  raise message
end
# File lib/inspec/resources/file.rb, line 255
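# Ask PowerShell whether +user+ holds an Allow ACE on +path+ that grants
# +access_type+ (one of the friendly names understood by translate_perm_names).
#
# The count of matching ACEs is printed by the pipeline; the method returns true
# only for a positive count.
#
# Raises RuntimeError (from translate_perm_names) for an unknown access_type.
def check_file_permission_by_user(access_type, user, path)
  # Expand the friendly name into every FileSystemRights value that satisfies
  # it, rendered as a PowerShell array literal for the -contains test below.
  access_rule = convert_to_powershell_array(translate_perm_names(access_type))

  # `path` and `user` come from the profile and are spliced into PowerShell
  # single-quoted strings.  A literal ' inside either value would close that
  # string and let the remainder run as PowerShell, so double it -- '' is
  # PowerShell's escape for a quote inside '...'.
  safe_path = path.to_s.gsub("'", "''")
  safe_user = user.to_s.gsub("'", "''")

  cmd = inspec.command("@(@((Get-Acl '#{safe_path}').access | Where-Object {$_.AccessControlType -eq 'Allow' -and $_.IdentityReference -eq '#{safe_user}' }) | Where-Object {($_.FileSystemRights.ToString().Split(',') | % {$_.trim()} | ? {#{access_rule} -contains $_}) -ne $null}) | measure | % { $_.Count }")

  # Only a positive count means the right is granted.  Empty or non-numeric
  # output (for example when Get-Acl fails because the path does not exist)
  # must be reported as "not granted"; comparing against "0" alone treated any
  # such failure as a grant.
  cmd.stdout.strip.to_i.positive?
end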
# File lib/inspec/resources/file.rb, line 251
# The more_permissive_than? matcher is not implemented for Windows ACLs.  Any
# arguments are ignored and the resource raises ResourceSkipped, which (judging
# by the exception name) marks the control as skipped rather than failed.
def more_permissive_than?(*_args)
  message = "The `more_permissive_than?` matcher is not supported on your OS yet."
  raise Inspec::Exceptions::ResourceSkipped, message
end

Private Instance Methods

# File lib/inspec/resources/file.rb, line 265
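# Render +arr+ as a PowerShell array literal of single-quoted strings:
#   ["Read", "Write"] => "@('Read', 'Write')"
#   []                => "@()"
#
# Each element lands inside a single-quoted PowerShell string, so a literal '
# in an element is doubled ('' is PowerShell's escape for ' in that context).
# The callers in this file only pass fixed FileSystemRights names, which never
# contain quotes, so their output is unchanged; the escaping keeps the helper
# safe should it ever be fed values influenced by a profile or user.
def convert_to_powershell_array(arr)
  return "@()" if arr.empty?

  quoted = arr.map { |element| "'#{element.to_s.gsub("'", "''")}'" }
  "@(#{quoted.join(', ')})"
end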
# File lib/inspec/resources/file.rb, line 287
# Map one of the "common" access_type names to the FileSystemRights values that
# satisfy it.  A broader right also satisfies a narrower request (FullControl
# covers Modify, Modify covers Read/Write/Execute/Delete), so each level is the
# parent level's list plus its own names.  Returns nil for any other
# access_type so translate_perm_names can fall through to the other tables.
def translate_common_perms(access_type)
  return %w{FullControl} if access_type == "full-control"

  parent, own =
    case access_type
    when "modify"  then ["full-control", %w{Modify}]
    when "read"    then ["modify", %w{ReadAndExecute Read}]
    when "write"   then ["modify", %w{Write}]
    when "execute" then ["modify", %w{ReadAndExecute ExecuteFile Traverse}]
    when "delete"  then ["modify", %w{Delete}]
    end
  return nil if parent.nil?

  translate_perm_names(parent) + own
end
# File lib/inspec/resources/file.rb, line 317
# Map one of the fine-grained access_type names to the FileSystemRights values
# that satisfy it.  Every entry is built on top of the broader "write" or
# "read" level (via translate_perm_names) plus the specific right(s) that the
# name denotes.  Returns nil for any access_type not in the table.
def translate_granular_perms(access_type)
  granular = {
    "write-data"                => ["write", %w{WriteData CreateFiles}],
    "create-files"              => ["write", %w{WriteData CreateFiles}],
    "append-data"               => ["write", %w{CreateDirectories AppendData}],
    "create-directories"        => ["write", %w{CreateDirectories AppendData}],
    "write-extended-attributes" => ["write", %w{WriteExtendedAttributes}],
    "write-attributes"          => ["write", %w{WriteAttributes}],
    "read-data"                 => ["read", %w{ReadData ListDirectory}],
    "list-directory"            => ["read", %w{ReadData ListDirectory}],
    "read-attributes"           => ["read", %w{ReadAttributes}],
    "read-extended-attributes"  => ["read", %w{ReadExtendedAttributes}],
    "read-permissions"          => ["read", %w{ReadPermissions}],
  }

  entry = granular[access_type]
  return nil unless entry

  parent, own = entry
  translate_perm_names(parent) + own
end

Translates a developer-friendly string (for example "read" or "write-data") into the list of FileSystemRights values that satisfy it. This is needed because Windows has a hierarchy of permissions: the same effective access can be expressed by several different rights, and a broader right (such as FullControl) implies the narrower ones.

See also: www.codeproject.com/Reference/871338/AccessControl-FileSystemRights-Permissions-Table

# File lib/inspec/resources/file.rb, line 278
# Resolve +access_type+ to the list of FileSystemRights that satisfy it.
#
# The three lookup tables are consulted in order -- common, granular, then
# uncommon -- and the first non-nil result wins.  Raises RuntimeError when no
# table recognises the name.
def translate_perm_names(access_type)
  names = translate_common_perms(access_type) ||
          translate_granular_perms(access_type) ||
          translate_uncommon_perms(access_type)
  raise "Invalid access_type provided" if names.nil?

  names
end
# File lib/inspec/resources/file.rb, line 304
# Map the rarely-requested access_type names to the FileSystemRights values
# that satisfy them.  Each of these rights is only otherwise implied by
# FullControl, so the result is the "full-control" list plus the specific
# right.  Returns nil for any other access_type.
def translate_uncommon_perms(access_type)
  own =
    case access_type
    when "delete-subdirectories-and-files" then %w{DeleteSubdirectoriesAndFiles}
    when "change-permissions"              then %w{ChangePermissions}
    when "take-ownership"                  then %w{TakeOwnership}
    when "synchronize"                     then %w{Synchronize}
    end
  return nil if own.nil?

  translate_perm_names("full-control") + own
end