module Puppet::Util::Windows::User

Constants

SECURITY_MAX_SID_SIZE

msdn.microsoft.com/en-us/library/windows/desktop/ee207397(v=vs.85).aspx

WELL_KNOWN_SID_TYPE

msdn.microsoft.com/en-us/library/windows/desktop/aa379650(v=vs.85).aspx

Public Class Methods

admin?()
# File lib/puppet/util/windows/user.rb, line 10
# Answers whether the current process is running with administrator rights.
#
# The decision is driven by the +kernelmajversion+ fact. When the fact is
# unavailable the method answers false, so an unknown platform is never
# reported as privileged. For kernel 6.0 and later (Vista onwards) the
# answer comes from Puppet::Util::Windows::Process.elevated_security?,
# which checks for an unrestricted process token. Older kernels (2003 or
# earlier) fall back to check_token_membership.
#
# @return [Boolean] false when the fact is missing, otherwise the result of
#   the delegated check
def admin?
  kernel_version = Facter.value(:kernelmajversion)
  return false unless kernel_version

  if kernel_version.to_f < 6.0
    # 2003 or earlier: ask whether the Administrators SID is in the token.
    check_token_membership
  else
    # Vista or later: group membership alone is not enough, the process
    # token itself has to be unrestricted.
    Puppet::Util::Windows::Process.elevated_security?
  end
end
check_token_membership()
# File lib/puppet/util/windows/user.rb, line 26
# Checks whether the built-in Administrators SID is enabled in the calling
# thread's access token.
#
# The well-known SID is built with CreateWellKnownSid, validated with
# IsValidSid and then handed to CheckTokenMembership. A NULL token handle is
# passed, so the caller's own token is examined rather than a supplied one.
# Every failing Win32 call raises instead of being read as "not a member",
# so an API error is never mistaken for a negative answer.
#
# @return [Boolean] true when CheckTokenMembership reports the SID as enabled
# @raise [Puppet::Util::Windows::Error] when creating or validating the SID,
#   or the membership check itself, fails
def check_token_membership
  member = false

  FFI::MemoryPointer.new(:byte, SECURITY_MAX_SID_SIZE) do |admin_sid|
    FFI::MemoryPointer.new(:dword, 1) do |sid_size|
      # Tell the API how large the SID buffer is.
      sid_size.write_uint32(SECURITY_MAX_SID_SIZE)

      created = CreateWellKnownSid(:WinBuiltinAdministratorsSid, FFI::Pointer::NULL, admin_sid, sid_size)
      raise Puppet::Util::Windows::Error.new("Failed to create administrators SID") if created == FFI::WIN32_FALSE
    end

    # Refuse to continue with a SID the system itself considers malformed.
    raise Puppet::Util::Windows::Error.new("Invalid SID") if IsValidSid(admin_sid) == FFI::WIN32_FALSE

    FFI::MemoryPointer.new(:win32_bool, 1) do |membership|
      checked = CheckTokenMembership(FFI::Pointer::NULL_HANDLE, admin_sid, membership)
      raise Puppet::Util::Windows::Error.new("Failed to check membership") if checked == FFI::WIN32_FALSE

      # Any non-FALSE value counts as "SID enabled in the token".
      member = membership.read_win32_bool != FFI::WIN32_FALSE
    end
  end

  member
end
load_profile(user, password)
# File lib/puppet/util/windows/user.rb, line 85
# Loads the Windows profile of +user+ and unloads it again straight away.
#
# The account is logged on through logon_user and the resulting token is
# passed to LoadUserProfileW with dwFlags set to 1 (PI_NOUI), which
# suppresses profile error dialogs. The code expects the profile not to
# exist yet, in which case loading it creates it.
#
# The password is only forwarded to logon_user. The debug line and the error
# messages built here carry the user name, never the password.
#
# @param user [String] account name
# @param password [String] the account's password
# @return whatever logon_user returns
# @raise [Puppet::Util::Windows::Error] when the logon, the profile load or
#   the profile unload fails
def load_profile(user, password)
  logon_user(user, password) do |token|
    FFI::MemoryPointer.from_string_to_wide_string(user) do |user_name_ptr|
      profile = PROFILEINFO.new
      profile[:dwSize] = PROFILEINFO.size
      profile[:dwFlags] = 1 # PI_NOUI - prevents display of profile error msgs
      profile[:lpUserName] = user_name_ptr

      # Loading a profile that does not exist yet creates it.
      loaded = LoadUserProfileW(token, profile.pointer)
      raise Puppet::Util::Windows::Error.new("Failed to load user profile #{user.inspect}") if loaded == FFI::WIN32_FALSE

      Puppet.debug("Loaded profile for #{user}")

      # Release the profile handle that LoadUserProfileW filled in.
      unloaded = UnloadUserProfile(token, profile[:hProfile])
      raise Puppet::Util::Windows::Error.new("Failed to unload user profile #{user.inspect}") if unloaded == FFI::WIN32_FALSE
    end
  end
end
logon_user(name, password) { |token = read_handle| ... }
# File lib/puppet/util/windows/user.rb, line 62
# Logs +name+ on with +password+ and yields the resulting token handle.
#
# LogonUserW is called with logon type 3 (LOGON32_LOGON_NETWORK), provider 0
# (LOGON32_PROVIDER_DEFAULT) and "." as the domain. The handle is closed in
# the ensure clause whether or not the block raises, so it is only valid
# inside the block and must not be kept afterwards.
#
# Every call is a real logon attempt.
# NOTE(review): failed attempts presumably count toward any account-lockout
# policy and show up in the security event log. Confirm before calling this
# repeatedly for the same account.
# The password goes to LogonUserW through wide_string, and nothing in this
# method clears that converted copy afterwards.
#
# @param name [String] account name
# @param password [String] password to present
# @yieldparam token the logon token handle read from LogonUserW's output
# @return [true] once the block has finished and the handle is closed
# @raise [Puppet::Util::Windows::Error] when LogonUserW reports failure
def logon_user(name, password, &block)
  logon_type = 3     # LOGON32_LOGON_NETWORK
  logon_provider = 0 # LOGON32_PROVIDER_DEFAULT

  token = nil
  FFI::MemoryPointer.new(:handle, 1) do |handle_out|
    succeeded = LogonUserW(wide_string(name), wide_string('.'), wide_string(password),
                           logon_type, logon_provider, handle_out)
    raise Puppet::Util::Windows::Error.new("Failed to logon user #{name.inspect}") if succeeded == FFI::WIN32_FALSE

    # Record the handle before yielding so the ensure clause can close it
    # even when the caller's block raises.
    token = handle_out.read_handle
    yield token
  end

  true
ensure
  FFI::WIN32.CloseHandle(token) if token
end
password_is?(name, password)
# File lib/puppet/util/windows/user.rb, line 55
# Tests whether +password+ is accepted for the account +name+ by attempting
# a logon through logon_user.
#
# Any Puppet::Util::Windows::Error is turned into false. logon_user raises
# that error for every LogonUserW failure, so a false result does not prove
# the password is wrong: other logon failures look identical here. Other
# exception types are not rescued and propagate to the caller.
#
# Each call performs a real logon attempt, so avoid calling it in a tight
# loop against the same account.
#
# @param name [String] account name
# @param password [String] candidate password
# @return [Boolean] the value returned by logon_user on success, false when
#   the logon raised Puppet::Util::Windows::Error
def password_is?(name, password)
  verified = logon_user(name, password) do |_token|
    # A successful logon is all that matters; the token itself is unused.
  end
  verified
rescue Puppet::Util::Windows::Error
  false
end