o

�N�g��@s�dZd
dl
Z
d
dlZd
dlZd
dlZd
dlmZ
zd
dlZd
dl	Z	d
dl
Z
dZWney3


dZYn
we
�
e�
ZdZGdd�d�Zd	d
�Zdd�Zd
d�Zd!dd�
Zdd�Zd"dd�
Zdd�Zd#dd�
Zd$dd�
Zd%dd�
Zd!dd�
Z				d&dd �
ZdS)'z=
Manage DACLs on Windows

:depends:   - winreg Python module
�N)
�CommandExecutionErrorTFZwin_daclc@s`eZ
dZd
Zdd�Zdd�Zdd�Zdd	�Zd
d�Zdd
�Z	dd�Z
dd�Zdd�Zdd�Z
dS)�
daclConstantsz3
    DACL constants used throughout the module
    c


Csdtj
tjBd
B|_ddddddddddddd�|_tjtjdd�tj	d	d�d
�tj
tjdd�tjdd�tj
tjBdd�tjtjBtj
BtjBd
d�|jd	d�d�i|_ddd�ddd�d�|_tjdtjd�dtjd�dtjtjBd�dtjd�dtjd�dtjtjBd�d�tj
iddtjd��
ddtjd��
ddtjtjBd��
ddtjd��
d d!tjd��
d"d#tjtjBtjBd��
d$d%tjtjBd��
d&d'tjtjBd��
d(dtjd��
d)dtjd��
d*dtjtjBd��
d+dtjd��
d,d!tjd��
d-d#tjtjBtjBd��
d.d%tjtjBd��
d/d'tjtjBd��
i|_tj	tj	tjBd0�|_tj
tj
tjd1�|_dS)2Ni�
�MACHINE�USERS�CURRENT_USER�CLASSES_ROOT)�HKEY_LOCAL_MACHINEZ
HKEY_USERS�HKEY_CURRENT_USERZHKEY_CLASSES_ROOTrrrrZHKLMZHKUZHKCUZHKCR�read)�BITS�TEXTzfull control)�READ�FULLCONTROL�writezread and execute�modify)r
ZWRITEzREAD&EXECUTEZMODIFYr�allowedr
)rrZdenied�
)ZALLOWZDENYz
this key onlyzthis key and subkeyszsubkeys only)ZKEYzKEY&SUBKEYSZSUBKEYSz
THIS KEY ONLYzTHIS KEY AND SUBKEYSzSUBKEYS ONLY�FILEzthis file/folder onlyZFOLDERzFOLDER&SUBFOLDERS&FILESz"this folder, subfolders, and fileszFOLDER&SUBFOLDERSzthis folder and subfolderszFOLDER&FILESzthis folder and fileszSUBFOLDERS&FILESzsubfolders and filesZ
SUBFOLDERSzsubfolders onlyZFILESz
files onlyzTHIS FILE ONLYzTHIS FOLDER ONLYz"THIS FOLDER, SUBFOLDERS, AND FILESzTHIS FOLDER AND SUBFOLDERSzTHIS FOLDER AND FILESzSUBFOLDERS AND FILESzSUBFOLDERS ONLYz
FILES ONLY)TF)rZ	DIRECTORYZREGISTRY)�
ntsecurityconZSTANDARD_RIGHTS_REQUIREDZSYNCHRONIZEZFILE_ALL_ACCESS�hkeys_security�
win32security�SE_REGISTRY_KEY�winregZKEY_READZKEY_ALL_ACCESSZSE_FILE_OBJECTZFILE_GENERIC_READZFILE_GENERIC_WRITEZFILE_GENERIC_EXECUTEZDELETE�rights�
validAceTypesZNO_INHERITANCEZCONTAINER_INHERIT_ACEZINHERIT_ONLY_ACEZOBJECT_INHERIT_ACE�validPropagationsZKEY_WOW64_64KEYZreflection_mask�
objectType)
�self�r�I/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/win_dacl.py�__init__.sZ
�










�



�




��
����
��
�


�

��
�
�

���


��

��	


���

��

��


����


���!


���&

��*

��.


���3

��7

��;


����A


���F


����h

�

�zdaclConstants.__init__c
CsJt|
t
�r#|
��}
z|j|
WSty"


td
�|
d�|j�
��
�
w|
S)zA
        returns the bit value of the string object type
        z@Invalid object type "{}". It should be one of the following:  {}�, )�
isinstance�str�upperr�KeyErrorr�format�join�r�
trrr�getObjectTypeBit�s







���zdaclConstants.getObjectTypeBitc
Cs4z|j|
WSt
y


td
�|
d�|j�
��
�
w)z]
        returns the necessary string value for an HKEY for the win32security module
        z;No HKEY named "{}".  It should be one of the following:  {}r!)rr%rr&r')r�
srrr�getSecurityHkey�s




���zdaclConstants.getSecurityHkeycCsPzt|t
�r|j|
|d
WS|WSty'


td�|d�|j|
�
��
�
w)zg
        returns a permission bit of the string permission value for the specified object type
        r�6No right "{}".  It should be one of the following:  {}r!)r"r#rr%rr&r'�rr)�
mrrr�getPermissionBit�s






���zdaclConstants.getPermissionBitcC�@z
|j|
|d
WSt
y


td�|d�|j|
�
��
�
w)zi
        returns the permission textual representation of a specified permission bit/object type
        rr-r!)rr%rr&r'r.rrr�getPermissionText��




���zdaclConstants.getPermissionTextc
C�8z|j|
d
WSt
y


td�|
d�|j�
��
�
w)z9
        returns the acetype bit of a text value
        r�9No ACE type "{}".  It should be one of the following:  {}r!�rr%rr&r'r(rrr�
getAceTypeBit
�




���zdaclConstants.getAceTypeBitc
Cr4)zE
        returns the textual representation of a acetype bit
        rr5r!r6r(rrr�getAceTypeText
r8zdaclConstants.getAceTypeTextcCr1)z=
        returns the propagation bit of a text value
        r�DNo propagation type of "{}".  It should be one of the following:  {}r!�rr%rr&r'�rr)�
prrr�getPropagationBit"
r3zdaclConstants.getPropagationBitcCr1)zI
        returns the textual representation of a propagation bit
        rr:r!r;r<rrr�getPropagationText/
r3z daclConstants.getPropagationTextcCsR|tj
kr!|
�d
�
}|�|�d�
���
}|�d|�
d�|�
}
|
Stj	�
|
�
}
|
S)z�
        processes a path/object type combo and returns:
            registry types with the correct HKEY text representation
            files/directories with environment variables expanded
        �
\r
z\\)rr�splitr,�popr$�insertr'�os�path�
expandvars)rrErZspltZhiverrr�processPath<
s






�
zdaclConstants.processPathN)�__name__�
__module__�__qualname__�__doc__r r*r,r0r2r7r9r>r?rGrrrrr$s
	 





rc

Cs:
i}
d
}|rft�
||tj�rfzt�|�
}Wnty4
}
zd|
d<d�||�|
d<WYd}~|
Sd}~w
wzt�d|�
d|
d<||
d	<W|
Stye
}
zd|
d<d
�||�|
d<WYd}~|
Sd}~w
wz|rqt�d|�dn
d}d|
d<||
d	<W|
Sty�
}
zd|
d<d�||�|
d<WYd}~|
Sd}~w
w)
z�
    return a state error dictionary, with 'sid' as a field if it could be returned
    if user is None, sid will also be None
    z^S-1(-\d+){1,}$F�resultzNUnable to obtain the binary security identifier for {}.  The exception was {}.�commentN�T�sidzSUnable to lookup the account for the security identifier {}.  The exception was {}.r
zGUnable to obtain the security identifier for {}.  The exception was {}.)	�re�match�
IrZGetBinarySid�	Exceptionr&�LookupAccountSidZLookupAccountName)�user�retZsid_patternrO�
errr�
_get_user_sidL
sN




���



�

���



�

���rXcCstj
j��r
tr
tSd
S)z'
    Only works on Windows systems
    )Fz5Module win_dacl: module only works on Windows systems)�salt�utils�platformZ
is_windows�HAS_WINDOWS_MODULES�__virtualname__rrrr�__virtual__w
s

r^cCs4z
t�
||
tj���}W|Sty


d
}Y|Sw)z!
    Gets the DACL of a path
    N)r�GetNamedSecurityInfo�DACL_SECURITY_INFORMATION�GetSecurityDescriptorDaclrS)rEr�daclrrr�	_get_dacl�
s

���

�rcc
Cs�|gd
�}t|�
}|rG|
rGt
�}|�|
�
}|�||�}t||�}|rGtd|���D]}|�|�
}	|dr<|	d|dkrF|d�t	|	|��

q)|S)a~

    Get the ACL of an object. Will filter by user if one is provided.

    Args:
        path: The path to the object
        objectType: The type of object (FILE, DIRECTORY, REGISTRY)
        user: A user name to filter by

    Returns (dict): A dictionary containing the ACL

    CLI Example:

    .. code-block:: bash

        salt 'minion-id' win_dacl.get c:	emp directory
    )�Path�ACLsr
rO�re)
rXrr*rGrc�range�GetAceCount�GetAce�append�_ace_to_text)
rErrUrV�sidRet�dc�
objectTypeBit�tdacl�counter�tAcerrr�get�
s












�
rrcCs�
d
idd�}|r�|r�|r�|r�|r�|
��dkrd}t
�}|�|
�
}|�||�}|��}|����}|����}|����}t|�
}	|	dsF|	S|�||�}
|�|�
}|�||�}t	||�}
|
r�g}zG|dkrq|
�
tj||
|	d�
n|dkr�|
�
tj||
|	d�
t�||tjd
d
|
d
�
|�d	�||�|�
|�||�|�||���

d
|d<Wnty�
}
zd�|�
|d<d
|d<|WYd
}~Sd
}~w
w|r�||dd<|Sd|��|d<|Sd|d<d
|d<|S)a�
    add an ace to an object

    path:  path to the object (i.e. c:\\temp\\file, HKEY_LOCAL_MACHINE\\SOFTWARE\\KEY, etc)
    user: user to add
    permission:  permissions for the user
    acetype:  either allow/deny for each user/permission (ALLOW, DENY)
    propagation: how the ACE applies to children for Registry Keys and Directories(KEY, KEY&SUBKEYS, SUBKEYS)

    CLI Example:

    .. code-block:: bash

        allow domain\fakeuser full control on HKLM\\SOFTWARE\\somekey, propagate to this key and subkeys
            salt 'myminion' win_dacl.add_ace 'HKEY_LOCAL_MACHINE\\SOFTWARE\\somekey' 'Registry' 'domain\fakeuser' 'FULLCONTROL' 'ALLOW' 'KEY&SUBKEYS'
    NrN�rL�changesrMrrLr
rOrz{} {} {} on {}Tz>An error occurred attempting to add the ace.  The error was {}rMFrtz
Added ACEszUnable to obtain the DACL of z1An empty value was specified for a required item.)r$rr*rG�striprXr0r7r>rcZAddAccessAllowedAceExrZACL_REVISIONZAddAccessDeniedAceEx�SetNamedSecurityInfor`rjr&r9r2r?rS)rErrU�
permission�acetype�propagationrVrmrnrl�
permissionbit�
acetypebit�propagationbitrbZ	acesAddedrWrrr�add_ace�
s�

























�




�






�	






��

��
��
��

r}c
CsBd
idd�}|�
r|�
rt�}|r|
�
�dkrd}|�|
�
}|�||�}|��}|r0|���
�n
d
}|r:|���
�n
d
}|rD|���
�n
d
}t||
||||d�d�
rt|�
}	|	ds]|	S|re|�||�n
d
}
|rn|�|�
n
d
}|rx|�	||�n
d
}t
||�}
d}g}||
��kr�|
�|�
}|dd	t
j@t
jkr�|d
|	dkr�|r�|dd|kr�|r�|dd	|@|kr�|
r�|d	|
kr�|
�|�

|d	}|�t||��

|d	}||
��ks�|�
rzt
�||t
jd
d
|
d
�
||dd
<d|d<W|St�
y
}
zd|d<d|�d�|d<|WYd
}~Sd
}~w
w|Sd|d<|S)a
    remove an ace to an object

    path:  path to the object (i.e. c:\\temp\\file, HKEY_LOCAL_MACHINE\\SOFTWARE\\KEY, etc)
    user: user to remove
    permission:  permissions for the user
    acetypes:  either allow/deny for each user/permission (ALLOW, DENY)
    propagation: how the ACE applies to children for Registry Keys and Directories(KEY, KEY&SUBKEYS, SUBKEYS)

    If any of the optional parameters are omitted (or set to None) they act as wildcards.

    CLI Example:

    .. code-block:: bash

        remove allow domain\fakeuser full control on HKLM\\SOFTWARE\\somekey propagated to this key and subkeys
            salt 'myminion' win_dacl.rm_ace 'Registry' 'HKEY_LOCAL_MACHINE\\SOFTWARE\\somekey' 'domain\fakeuser' 'FULLCONTROL' 'ALLOW' 'KEY&SUBKEYS'
    NrNrsrT�ExistsrLr
rrfrOrt�Removed ACEsFz#Error removing ACE.  The error was �
.rMz,The specified ACE was not found on the path.)rr$r*rGru�	check_acerXr0r7r>rcrhrir�
INHERITED_ACE�	DeleteAcerjrkrvr`rS)rErrUrwrxryrVrmrnrlrzr{r|rbrpZacesRemovedrqrWrrr�rm_ace
s�









�

���






�







��








�	

�


���
r�c		Csz
t�}|�
|
�
}
zt�d
|d�}|dr!|d�d|d��}n|d�}Wnty7


t�|d�
}Yn
w|d}|dd}|dd}d
}|jD]}|j|d|kra|j|d}
n
qM|j|
D]}|j|
|d|kr|j|
|d}
n
qg|tj@tjkr�d}|tjA}|j	|
D]}|j	|
|d|kr�|j	|
|d}
n
q�|�d	|�d	|�d
|�d	|��	S)zG
    helper function to convert an ace to a textual representation
    rNrfrr@r
rrz[Inherited]�
 z on )
rr*rrTrSZConvertSidToStringSidrrr�r)	�acerrmZuserSidZtPermZtAceTypeZtPropsZ
tInherited�
xrrrrkesD






�

�







�


�






� rkc

Cs�
d
did�}|r�z�t�
||
tj�}|��}|rq|rUd}g}	||��krL|�|�
}
|
ddtj@tjkrB|�|�

|	�t	|
|
��

n|d}||��ks#|	rT|	|dd<nd|dd	<t�
||
tjtjBd
d
|d
�
d|dd<nY|s�d}g}||��kr�|�|�
}
|
ddtj@tjkr�|�|�

|�t	|
|
��

n|d}||��ks}|r�||dd<nd
|dd<t�
||
tjtjBd
d
|d
�
d|dd<d|d<W|St
y�
}
zd
|d<d|�d�|d<WYd
}~|Sd
}~w
w|S)at

    helper function to set the inheritance
    Args:

        path (str): The path to the object

        objectType (str): The type of object

        inheritance (bool): True enables inheritance, False disables

        copy (bool): Copy inherited ACEs to the DACL before disabling
        inheritance

        clear (bool): Remove non-inherited ACEs from the DACL
    FrN)rLrMrtr
rrtrzLeft in the DACLzNon-Inherited ACEsNZEnabled�InheritancezCopied to the DACLzPreviously Inherited ACEsZDisabledTrLz8Error attempting to set the inheritance.  The error was r�rM)rr_r`rarhrir�r�rjrkrvZ%UNPROTECTED_DACL_SECURITY_INFORMATIONZ#PROTECTED_DACL_SECURITY_INFORMATIONrS)
rErZinheritance�copy�clearrV�sdrorpZremovedAcesrqZinheritedAcesRemovedrWrrr�_set_dacl_inheritance�s�


�







�

�	
�




�


�






�

�	
�




�


�


�

���r�cCs,t�}|�
|
�
}
|�||
�}t||
d
d|�S)a�

    enable/disable inheritance on an object

    Args:
        path: The path to the object
        objectType: The type of object (FILE, DIRECTORY, REGISTRY)
        clear: True will remove non-Inherited ACEs from the ACL

    Returns (dict): A dictionary containing the results

    CLI Example:

    .. code-block:: bash

        salt 'minion-id' win_dacl.enable_inheritance c:	emp directory
    TN�rr*rGr�)rErr�rmrrr�enable_inheritance��


r�cCs,t�}|�
|
�
}
|�||
�}t||
d
|d�S)a�

    Disable inheritance on an object

    Args:
        path: The path to the object
        objectType: The type of object (FILE, DIRECTORY, REGISTRY)
        copy: True will copy the Inherited ACEs to the DACL before disabling inheritance

    Returns (dict): A dictionary containing the results

    CLI Example:

    .. code-block:: bash

        salt 'minion-id' win_dacl.disable_inheritance c:	emp directory
    FNr�)rErr�rmrrr�disable_inheritance�r�r�c
Cs�d
d
dd�}t|�
}t
�}|�|
�
}
|�||
�}zt�||
tj�}|��}Wn tyF
}
zd
|d<d|�d�|d<|WYd}~Sd}~w
wt	d	|�
��D]%}	|�|	�
}
|
d	d
tj@tjkrs|drm|
d|dkrsd
|d<
n
qNd
|d<|S)a�

    Check a specified path to verify if inheritance is enabled

    Args:
        path: path of the registry key or file system object to check
        objectType: The type of object (FILE, DIRECTORY, REGISTRY)
        user: if provided, will consider only the ACEs for that user

    Returns (bool): 'Inheritance' of True/False

    CLI Example:

    .. code-block:: bash

        salt 'minion-id' win_dacl.check_inheritance c:	emp directory <username>
    FrN)rLr�rMrLz=Error obtaining the Security Descriptor or DACL of the path: r�rMNr
rrOrfTr�)
rXrr*rGrr_r`rarSrgrhrir�)rErrUrVrlrmr��daclsrWrpr�rrr�check_inheritances4




�


���





�
r�cCs|
d
d
dd�}t�}|�
|
�
}	|�||	�}|r|��n
d}|r"|��n
d}|r*|��n
d}|r4|�|	|�n
d}
|r=|�|�
n
d}|rG|�|	|�n
d}t|�
}
|
dsS|
St||	�}d|d<|r�t	d|�
��D]P}|�|�
}|d|
d	kr�|r~|dd|kr�|r�|dd
|@|kr�|
s�d|d<|
S|r�|d
|
kr�d|d<|
Sqe|d
|
@|
kr�d|d<|
Sqe|Sd|d
<|S)aP
    Checks a path to verify the ACE (access control entry) specified exists

    Args:
        path:  path to the file/reg key
        objectType: The type of object (FILE, DIRECTORY, REGISTRY)
        user:  user that the ACL is for
        permission:  permission to test for (READ, FULLCONTROL, etc)
        acetype:  the type of ACE (ALLOW or DENY)
        propagation:  the propagation type of the ACE (FILES, FOLDERS, KEY, KEY&SUBKEYS, SUBKEYS, etc)
        exactPermissionMatch:  the ACL must match exactly, IE if READ is specified, the user must have READ exactly and not FULLCONTROL (which also has the READ permission obviously)

    Returns (dict): 'Exists' true if the ACE exists, false if it does not

    CLI Example:

    .. code-block:: bash

        salt 'minion-id' win_dacl.check_ace c:	emp directory <username> fullcontrol
    FrN)rLr~rMNrLTr
rfrOrr~zNo DACL found for object.rM)rr*rGr$r0r7r>rXrcrgrhri)rErrUrwrxryZexactPermissionMatchrVrmrnrzr{r|rlr�rpr�rrrr�DsP




��









�





�

��
r�)
N)NNN)TTF)
F)
T)NNNF)rK�loggingrDrPZsalt.utils.platformrYZsalt.exceptionsrrrrr\�ImportError�	getLoggerrH�logr]rrXr^rcrrr}r�rkr�r�r�r�r�rrrr�<module>
sF






�
*+	

"
[[
$
Z

5


�