class Inspec::Resources::WindowsFilePermissions
Public Instance Methods
check_file_permission_by_mask(_file, _access_type, _usergroup, _specific_user)
click to toggle source
# File lib/inspec/resources/file.rb, line 247 def check_file_permission_by_mask(_file, _access_type, _usergroup, _specific_user) raise "`check_file_permission_by_mask` is not supported on Windows" end
check_file_permission_by_user(access_type, user, path)
click to toggle source
# File lib/inspec/resources/file.rb, line 255 def check_file_permission_by_user(access_type, user, path) access_rule = translate_perm_names(access_type) access_rule = convert_to_powershell_array(access_rule) cmd = inspec.command("@(@((Get-Acl '#{path}').access | Where-Object {$_.AccessControlType -eq 'Allow' -and $_.IdentityReference -eq '#{user}' }) | Where-Object {($_.FileSystemRights.ToString().Split(',') | % {$_.trim()} | ? {#{access_rule} -contains $_}) -ne $null}) | measure | % { $_.Count }") cmd.stdout.chomp == "0" ? false : true end
more_permissive_than?(*)
click to toggle source
# File lib/inspec/resources/file.rb, line 251 def more_permissive_than?(*) raise Inspec::Exceptions::ResourceSkipped, "The `more_permissive_than?` matcher is not supported on your OS yet." end
Private Instance Methods
convert_to_powershell_array(arr)
click to toggle source
# File lib/inspec/resources/file.rb, line 265 def convert_to_powershell_array(arr) if arr.empty? "@()" else %{@('#{arr.join("', '")}')} end end
translate_common_perms(access_type)
click to toggle source
# File lib/inspec/resources/file.rb, line 287 def translate_common_perms(access_type) case access_type when "full-control" %w{FullControl} when "modify" translate_perm_names("full-control") + %w{Modify} when "read" translate_perm_names("modify") + %w{ReadAndExecute Read} when "write" translate_perm_names("modify") + %w{Write} when "execute" translate_perm_names("modify") + %w{ReadAndExecute ExecuteFile Traverse} when "delete" translate_perm_names("modify") + %w{Delete} end end
translate_granular_perms(access_type)
click to toggle source
# File lib/inspec/resources/file.rb, line 317 def translate_granular_perms(access_type) case access_type when "write-data", "create-files" translate_perm_names("write") + %w{WriteData CreateFiles} when "append-data", "create-directories" translate_perm_names("write") + %w{CreateDirectories AppendData} when "write-extended-attributes" translate_perm_names("write") + %w{WriteExtendedAttributes} when "write-attributes" translate_perm_names("write") + %w{WriteAttributes} when "read-data", "list-directory" translate_perm_names("read") + %w{ReadData ListDirectory} when "read-attributes" translate_perm_names("read") + %w{ReadAttributes} when "read-extended-attributes" translate_perm_names("read") + %w{ReadExtendedAttributes} when "read-permissions" translate_perm_names("read") + %w{ReadPermissions} end end
translate_perm_names(access_type)
click to toggle source
Translates a developer-friendly string into a list of acceptable FileSystemRights that match it, because Windows has a fun heirarchy of permissions that are able to be noted in multiple ways.
See also: www.codeproject.com/Reference/871338/AccessControl-FileSystemRights-Permissions-Table
# File lib/inspec/resources/file.rb, line 278 def translate_perm_names(access_type) names = translate_common_perms(access_type) names ||= translate_granular_perms(access_type) names ||= translate_uncommon_perms(access_type) raise "Invalid access_type provided" unless names names end
translate_uncommon_perms(access_type)
click to toggle source
# File lib/inspec/resources/file.rb, line 304 def translate_uncommon_perms(access_type) case access_type when "delete-subdirectories-and-files" translate_perm_names("full-control") + %w{DeleteSubdirectoriesAndFiles} when "change-permissions" translate_perm_names("full-control") + %w{ChangePermissions} when "take-ownership" translate_perm_names("full-control") + %w{TakeOwnership} when "synchronize" translate_perm_names("full-control") + %w{Synchronize} end end