Module: Puppet::Util::Windows::SID

Extended by:

FFI::Library

Included in:

AccessControlEntry, SecurityDescriptor

Defined in:

lib/puppet/util/windows.rb,
lib/puppet/util/windows/sid.rb,
lib/puppet/util/windows/principal.rb

Defined Under Namespace

Classes: Principal

Constant Summary

ERROR_NONE_MAPPED =

missing from Windows::Error

1332

ERROR_INVALID_SID_STRUCTURE =

1337

Null =

Well Known SIDs

'S-1-0'

Nobody =

'S-1-0-0'

World =

'S-1-1'

Everyone =

'S-1-1-0'

Local =

'S-1-2'

Creator =

'S-1-3'

CreatorOwner =

'S-1-3-0'

CreatorGroup =

'S-1-3-1'

CreatorOwnerServer =

'S-1-3-2'

CreatorGroupServer =

'S-1-3-3'

NonUnique =

'S-1-4'

Nt =

'S-1-5'

Dialup =

'S-1-5-1'

Network =

'S-1-5-2'

Batch =

'S-1-5-3'

Interactive =

'S-1-5-4'

Service =

'S-1-5-6'

Anonymous =

'S-1-5-7'

Proxy =

'S-1-5-8'

EnterpriseDomainControllers =

'S-1-5-9'

PrincipalSelf =

'S-1-5-10'

AuthenticatedUsers =

'S-1-5-11'

RestrictedCode =

'S-1-5-12'

TerminalServerUsers =

'S-1-5-13'

LocalSystem =

'S-1-5-18'

NtLocal =

'S-1-5-19'

NtNetwork =

'S-1-5-20'

BuiltinAdministrators =

'S-1-5-32-544'

BuiltinUsers =

'S-1-5-32-545'

Guests =

'S-1-5-32-546'

PowerUsers =

'S-1-5-32-547'

AccountOperators =

'S-1-5-32-548'

ServerOperators =

'S-1-5-32-549'

PrintOperators =

'S-1-5-32-550'

BackupOperators =

'S-1-5-32-551'

Replicators =

'S-1-5-32-552'

MAXIMUM_SID_STRING_LENGTH =

stackoverflow.com/a/1792930 - 68 bytes, 184 characters in a string

184

Class Method Summary

• .get_length_sid(sid_ptr) ⇒ Object
• .name_to_sid(name) ⇒ Object

  Convert an account name, e.g.

• .name_to_sid_object(name) ⇒ Object

  Convert an account name, e.g.

• .octet_string_to_sid_object(bytes) ⇒ Object

  Converts an octet string array of bytes to a SID object, e.g.

• .sid_ptr_to_string(psid) ⇒ Object

  Convert a SID pointer to a SID string, e.g.

• .sid_to_name(value) ⇒ Object

  Convert a SID string, e.g.

• .string_to_sid_ptr(string_sid, &block) ⇒ Object

  Convert a SID string, e.g.

• .valid_sid?(string_sid) ⇒ Boolean

  Return true if the string is a valid SID, e.g.

Methods included from FFI::Library

attach_function_private

Class Method Details

.get_length_sid(sid_ptr) ⇒ Object

# File 'lib/puppet/util/windows/sid.rb', line 186

def get_length_sid(sid_ptr)
  # MSDN states IsValidSid should be called on pointer first
  if ! sid_ptr.kind_of?(FFI::Pointer) || IsValidSid(sid_ptr) == FFI::WIN32_FALSE
    raise Puppet::Util::Windows::Error.new(_("Invalid SID"))
  end

  GetLengthSid(sid_ptr)
end

.name_to_sid(name) ⇒ Object

Convert an account name, e.g. ‘Administrators’ into a SID string, e.g. ‘S-1-5-32-544’. The name can be specified as ‘Administrators’, ‘BUILTINAdministrators’, or ‘S-1-5-32-544’, and will return the SID. Returns nil if the account doesn’t exist.

# File 'lib/puppet/util/windows/sid.rb', line 54

def name_to_sid(name)
  sid = name_to_sid_object(name)

  sid ? sid.sid : nil
end

.name_to_sid_object(name) ⇒ Object

Convert an account name, e.g. ‘Administrators’ into a SID object, e.g. ‘S-1-5-32-544’. The name can be specified as ‘Administrators’, ‘BUILTINAdministrators’, or ‘S-1-5-32-544’, and will return the SID object. Returns nil if the account doesn’t exist. This method returns a SID::Principal with the account, domain, SID, etc

# File 'lib/puppet/util/windows/sid.rb', line 66

def name_to_sid_object(name)
  # Apparently, we accept a symbol..
  name = name.to_s.strip if name

  # if name is a SID string, convert it to raw bytes for use with lookup_account_sid
  raw_sid_bytes = nil
  begin
    string_to_sid_ptr(name) do |sid_ptr|
      valid = ! sid_ptr.nil? && ! sid_ptr.null?
      raw_sid_bytes = sid_ptr.read_array_of_uchar(get_length_sid(sid_ptr))
    end
  rescue
  end

  raw_sid_bytes ? Principal.lookup_account_sid(raw_sid_bytes) : Principal.lookup_account_name(name)
rescue
  nil
end

.octet_string_to_sid_object(bytes) ⇒ Object

Converts an octet string array of bytes to a SID object, e.g. [1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0] is the representation for S-1-5-18, the local ‘SYSTEM’ account. Raises an Error for nil or non-array input. This method returns a SID::Principal with the account, domain, SID, etc

# File 'lib/puppet/util/windows/sid.rb', line 91

def octet_string_to_sid_object(bytes)
  if !bytes || !bytes.respond_to?('pack') || bytes.empty?
    raise Puppet::Util::Windows::Error.new(_("Octet string must be an array of bytes"))
  end

  Principal.lookup_account_sid(bytes)
end

.sid_ptr_to_string(psid) ⇒ Object

Convert a SID pointer to a SID string, e.g. “S-1-5-32-544”.

# File 'lib/puppet/util/windows/sid.rb', line 125

def sid_ptr_to_string(psid)
  if ! psid.kind_of?(FFI::Pointer) || IsValidSid(psid) == FFI::WIN32_FALSE
    raise Puppet::Util::Windows::Error.new(_("Invalid SID"))
  end

  sid_string = nil
  FFI::MemoryPointer.new(:pointer, 1) do |buffer_ptr|
    if ConvertSidToStringSidW(psid, buffer_ptr) == FFI::WIN32_FALSE
      raise Puppet::Util::Windows::Error.new(_("Failed to convert binary SID"))
    end

    buffer_ptr.read_win32_local_pointer do |wide_string_ptr|
      if wide_string_ptr.null?
        raise Puppet::Error.new(_("ConvertSidToStringSidW failed to allocate buffer for sid"))
      end

      sid_string = wide_string_ptr.read_arbitrary_wide_string_up_to(MAXIMUM_SID_STRING_LENGTH)
    end
  end

  sid_string
end

.sid_to_name(value) ⇒ Object

Convert a SID string, e.g. “S-1-5-32-544” to a name, e.g. ‘BUILTINAdministrators’. Returns nil if an account for that SID does not exist.

# File 'lib/puppet/util/windows/sid.rb', line 103

def sid_to_name(value)

  sid_bytes = []
  begin
    string_to_sid_ptr(value) do |ptr|
      valid = ! ptr.nil? && ! ptr.null?
      sid_bytes = ptr.read_array_of_uchar(get_length_sid(ptr))
    end
  rescue Puppet::Util::Windows::Error => e
    raise if e.code != ERROR_INVALID_SID_STRUCTURE
  end

  Principal.lookup_account_sid(sid_bytes).domain_account
rescue
  nil
end

.string_to_sid_ptr(string_sid, &block) ⇒ Object

Convert a SID string, e.g. “S-1-5-32-544” to a pointer (containing the address of the binary SID structure). The returned value can be used in Win32 APIs that expect a PSID, e.g. IsValidSid. The account for this SID may or may not exist.

# File 'lib/puppet/util/windows/sid.rb', line 153

def string_to_sid_ptr(string_sid, &block)
  FFI::MemoryPointer.from_string_to_wide_string(string_sid) do |lpcwstr|
    FFI::MemoryPointer.new(:pointer, 1) do |sid_ptr_ptr|

      if ConvertStringSidToSidW(lpcwstr, sid_ptr_ptr) == FFI::WIN32_FALSE
        raise Puppet::Util::Windows::Error.new(_("Failed to convert string SID: %{string_sid}") % { string_sid: string_sid })
      end

      sid_ptr_ptr.read_win32_local_pointer do |sid_ptr|
        yield sid_ptr
      end
    end
  end

  # yielded sid_ptr has already had LocalFree called, nothing to return
  nil
end

.valid_sid?(string_sid) ⇒ Boolean

Return true if the string is a valid SID, e.g. “S-1-5-32-544”, false otherwise.

Returns:

• (Boolean)

# File 'lib/puppet/util/windows/sid.rb', line 173

def valid_sid?(string_sid)
  valid = false

  begin
    string_to_sid_ptr(string_sid) { |ptr| valid = ! ptr.nil? && ! ptr.null? }
  rescue Puppet::Util::Windows::Error => e
    raise if e.code != ERROR_INVALID_SID_STRUCTURE
  end

  valid
end