File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/__pycache__/win_dacl.cpython-310.pyc
============
Windows DACL
============

This salt utility contains objects and functions for setting permissions to
objects in Windows. You can use the built in functions or access the objects
directly to create your own custom functionality. There are two objects, Flags
and Dacl.

If you need access only to flags, use the Flags object.

.. code-block:: python

    import salt.utils.win_dacl
    flags = salt.utils.win_dacl.Flags()
    flag_full_control = flags.ace_perms['file']['basic']['full_control']

The Dacl object inherits Flags. To use the Dacl object:

.. code-block:: python

    import salt.utils.win_dacl
    dacl = salt.utils.win_dacl.Dacl(obj_type='file')
    dacl.add_ace('Administrators', 'grant', 'full_control')
    dacl.save('C:\\temp')

Object types are used by setting the `obj_type` parameter to a valid Windows
object. Valid object types are as follows:

- file
- service
- printer
- registry
- registry32 (for WOW64)
- share

Each object type has its own set of permissions and 'applies to' properties, as
follows. At this time only basic permissions are used for setting. Advanced
permissions are listed for displaying the permissions of an object that don't
match the basic permissions, i.e. special permissions. These should match the
permissions you see when you look at the security for an object.

**Basic Permissions**

    ================  ====  ========  =====  =======  =======
    Permissions       File  Registry  Share  Printer  Service
    ================  ====  ========  =====  =======  =======
    full_control      X     X         X               X
    modify            X
    read_execute      X
    read              X     X         X               X
    write             X     X                         X
    read_write                                        X
    change                            X
    print                                    X
    manage_printer                           X
    manage_documents                         X
    ================  ====  ========  =====  =======  =======

**Advanced Permissions**

    =======================  ====  ========  =======  =======
    Permissions              File  Registry  Printer  Service
    =======================  ====  ========  =======  =======
    *** folder permissions
    list_folder              X
    create_files             X
    create_folders           X
    traverse_folder          X
    delete_subfolders_files  X

    *** file permissions
    read_data                X
    write_data               X
    append_data              X
    execute_file             X

    *** common permissions
    read_ea                  X
    write_ea                 X
    read_attributes          X
    write_attributes         X
    delete                   X     X
    read_permissions         X               X        X
    change_permissions       X               X        X
    take_ownership           X               X
    query_value                    X
    set_value                      X
    create_subkey                  X
    enum_subkeys                   X
    notify                         X
    create_link                    X
    read_control                   X
    write_dac                      X
    write_owner                    X
    manage_printer                           X
    print                                    X
    query_config                                      X
    change_config                                     X
    query_status                                      X
    enum_dependents                                   X
    start                                             X
    stop                                              X
    pause_resume                                      X
    interrogate                                       X
    user_defined                                      X
    change_owner                                      X
    =======================  ====  ========  =======  =======

Only the registry and file object types have 'applies to' properties. These
should match what you see when you look at the properties for an object.

    **File types:**

        - this_folder_only: Applies only to this object
        - this_folder_subfolders_files (default): Applies to this object
          and all sub containers and objects
        - this_folder_subfolders: Applies to this object and all sub
          containers, no files
        - this_folder_files: Applies to this object and all file
          objects, no containers
        - subfolders_files: Applies to all containers and objects
          beneath this object
        - subfolders_only: Applies to all containers beneath this object
        - files_only: Applies to all file objects beneath this object

    .. note::

        'applies to' properties can only be modified on directories. Files
        will always be ``this_folder_only``.

    **Registry types:**

        - this_key_only: Applies only to this key
        - this_key_subkeys: Applies to this key and all subkeys
        - subkeys_only: Applies to all subkeys beneath this object


**__virtual__()**

    Only load if Win32 Libraries are installed
    )Fzwin_dacl: Requires Windows)Fzwin_dacl: Requires pywin32)�salt�utils�platformZ

**flags()**

    Helper function for instantiating a Flags object

    Args:

        instantiated (bool):
            True to return an instantiated object, False to return the object
            definition. Use False if inherited by another class. Default is
            True.

    Returns:
        object: An instance of the Flags object or its definition

**dacl()**

    Helper function for instantiating a Dacl class.

    Args:

        obj_name (str):
            The full path to the object. If None, a blank DACL will be created.
            Default is None.

        obj_type (str):
            The type of object. Default is 'File'

    Returns:
        object: An instantiated Dacl object

**Dacl.__init__()**

            Either load the DACL from the passed object or create an empty DACL.
            If `obj_name` is not passed, an empty DACL is created.

            Args:

                obj_name (str):
                    The full path to the object. If None, a blank DACL will be
                    created

                obj_type (Optional[str]):
                    The type of object.

            Returns:
                obj: A DACL object

            Usage:

            .. code-block:: python

                # Create an Empty DACL
                dacl = Dacl(obj_type=obj_type)

                # Load the DACL of the named object
                dacl = Dacl(obj_name, obj_type)

**Dacl.get_reg_name()**

            Take the obj_name and convert the hive to a valid registry hive.

            Args:

                obj_name (str):
                    The full path to the registry key including the hive, eg:
                    ``HKLM\SOFTWARE\salt``. Valid options for the hive are:

                    - HKEY_LOCAL_MACHINE
                    - MACHINE
                    - HKLM
                    - HKEY_USERS
                    - USERS
                    - HKU
                    - HKEY_CURRENT_USER
                    - CURRENT_USER
                    - HKCU
                    - HKEY_CLASSES_ROOT
                    - CLASSES_ROOT
                    - HKCR

            Returns:
                str:
                    The full path to the registry key in the format expected by
                    the Windows API

            Usage:

            .. code-block:: python

                import salt.utils.win_dacl
                dacl = salt.utils.win_dacl.Dacl()
                valid_key = dacl.get_reg_name('HKLM\\SOFTWARE\\salt')

                # Returns: MACHINE\SOFTWARE\salt

**Dacl.add_ace()**

            Add an ACE to the DACL

            Args:

                principal (str):
                    The SID of the user/group for the ACE

                access_mode (str):
                    Determines the type of ACE to add. Must be either ``grant``
                    or ``deny``.

                permissions (str, list):
                    The type of permissions to grant/deny the user. Can be one
                    of the basic permissions, or a list of advanced permissions.

                applies_to (str):
                    The objects to which these permissions will apply. Not all
                    these options apply to all object types.

            Returns:
                bool: True if successful, otherwise False

            Usage:

            .. code-block:: python

                dacl = Dacl(obj_type=obj_type)
                dacl.add_ace(sid, access_mode, permission, applies_to)
                dacl.save(obj_name, protected)

**Dacl.order_acl()**

            Put the ACEs in the ACL in the proper order. This is necessary
            because the add_ace function puts ACEs at the end of the list
            without regard for order. This will cause the following Windows
            Security dialog to appear when viewing the security for the object:

            ``The permissions on Directory are incorrectly ordered, which may
            cause some entries to be ineffective.``

            .. note:: Run this function after adding all your ACEs.

            The proper order is as follows:

                1. Implicit Deny
                2. Inherited Deny
                3. Implicit Deny Object
                4. Inherited Deny Object
                5. Implicit Allow
                6. Inherited Allow
                7. Implicit Allow Object
                8. Inherited Allow Object

            Usage:

            .. code-block:: python

                dacl = Dacl(obj_type=obj_type)
                dacl.add_ace(sid, access_mode, permission, applies_to)
                dacl.order_acl()
                dacl.save(obj_name, protected)

**Dacl.get_ace()**

            Get the ACE for a specific principal.

            Args:

                principal (str):
                    The name of the user or group for which to get the ace. Can
                    also be a SID.

            Returns:
                dict: A dictionary containing the ACEs found for the principal

            Usage:

            .. code-block:: python

                dacl = Dacl(obj_type=obj_type)
                dacl.get_ace(principal)

**Dacl.list_aces()**

            List all Entries in the dacl.

            Returns:
                dict: A dictionary containing the ACEs for the object

            Usage:

            .. code-block:: python

                dacl = Dacl('C:\\Temp')
                dacl.list_aces()

**Dacl._ace_to_dict()**

            Helper function for creating the ACE return dictionary

**Dacl.rm_ace()**

            Remove a specific ACE from the DACL.

            Args:

                principal (str):
                    The user whose ACE to remove. Can be the user name or a SID.

                ace_type (str):
                    The type of ACE to remove. If not specified, all ACEs will
                    be removed. Default is 'all'. Valid options are:

                    - 'grant'
                    - 'deny'
                    - 'all'

            Returns:
                list: List of removed aces

            Usage:

            .. code-block:: python

                dacl = Dacl(obj_name='C:\\temp', obj_type='file')
                dacl.rm_ace('Users')
                dacl.save(obj_name='C:\\temp')

**Dacl.rm_all_aces()**

            Removes all ACEs from the DACL.

            Args:

                ace_type (str):
                    The type of ACE to remove. If not specified, all ACEs will
                    be removed. Default is 'all'. Valid options are:

                    - 'grant'
                    - 'deny'
                    - 'all'

            Returns:
                list: List of removed aces

            Usage:

            .. code-block:: python

                dacl = Dacl(obj_name='C:\\temp', obj_type='file')
                dacl.rm_all_aces()
                dacl.save(obj_name='C:\\temp')

**Dacl.save()**

            Save the DACL

            Args:

                obj_name (str):
                    The object for which to set permissions. This can be the
                    path to a file or folder, a registry key, printer, etc. For
                    more information about how to format the name see:

                    https://msdn.microsoft.com/en-us/library/windows/desktop/aa379593(v=vs.85).aspx

                protected (Optional[bool]):
                    True will disable inheritance for the object. False will
                    enable inheritance. None will make no change. Default is
                    ``None``.

            Returns:
                bool: True if successful, otherwise raises an exception

            Usage:

            .. code-block:: python

                dacl = Dacl(obj_type='file')
                dacl.save('C:\\Temp', True)

**get_sid()**

    Converts a username to a sid, or verifies a sid. Required for working with
    the DACL.

    Args:

        principal(str):
            The principal to lookup the sid. Can be a sid or a username.

    Returns:
        PySID Object: A sid

    Usage:

    .. code-block:: python

        # Get a user's sid
        salt.utils.win_dacl.get_sid('jsnuffy')

        # Verify that the sid is valid
        salt.utils.win_dacl.get_sid('S-1-5-32-544')

**get_sid_string()**

    Converts a PySID object to a string SID.

    Args:

        principal(str):
            The principal to lookup the sid. Must be a PySID object.

    Returns:
        str: A string sid

    Usage:

    .. code-block:: python

        # Get a PySID object
        py_sid = salt.utils.win_dacl.get_sid('jsnuffy')

        # Get the string version of the SID
        salt.utils.win_dacl.get_sid_string(py_sid)

**get_name()**

    Gets the name from the specified principal.

    Args:

        principal (str):
            Find the Normalized name based on this. Can be a PySID object, a SID
            string, or a username in any capitalization.

            .. note::
                Searching based on the username can be slow on hosts connected
                to large Active Directory domains.

    Returns:
        str: The username that corresponds to the passed principal. If there is
             no corresponding username, the string SID will be returned.
             Capability SIDs will return ``None``.


    Usage:

    .. code-block:: python

        salt.utils.win_dacl.get_name('S-1-5-32-544')
        salt.utils.win_dacl.get_name('adminisTrators')

**get_owner()**

    Gets the owner of the passed object

    Args:

        obj_name (str):
            The path for which to obtain owner information. The format of this
            parameter is different depending on the ``obj_type``

        obj_type (str):
            The type of object to query. This value changes the format of the
            ``obj_name`` parameter as follows:

            - file: indicates a file or directory
                - a relative path, such as ``FileName.txt`` or ``..\FileName``
                - an absolute path, such as ``C:\DirName\FileName.txt``
                - A UNC name, such as ``\\ServerName\ShareName\FileName.txt``
            - service: indicates the name of a Windows service
            - printer: indicates the name of a printer
            - registry: indicates a registry key
                - Uses the following literal strings to denote the hive:
                    - HKEY_LOCAL_MACHINE
                    - MACHINE
                    - HKLM
                    - HKEY_USERS
                    - USERS
                    - HKU
                    - HKEY_CURRENT_USER
                    - CURRENT_USER
                    - HKCU
                    - HKEY_CLASSES_ROOT
                    - CLASSES_ROOT
                    - HKCR
                - Should be in the format of ``HIVE\Path\To\Key``. For example,
                    ``HKLM\SOFTWARE\Windows``
            - registry32: indicates a registry key under WOW64. Formatting is
                the same as it is for ``registry``
            - share: indicates a network share

    Returns:
        str: The owner (group or user)

    Usage:

    .. code-block:: python

        salt.utils.win_dacl.get_owner('c:\\file')

**get_primary_group()**

    Gets the primary group of the passed object

    Args:

        obj_name (str):
            The path for which to obtain primary group information

        obj_type (str):
            The type of object to query. This value changes the format of the
            ``obj_name`` parameter as follows:

            - file: indicates a file or directory
                - a relative path, such as ``FileName.txt`` or ``..\FileName``
                - an absolute path, such as ``C:\DirName\FileName.txt``
                - A UNC name, such as ``\\ServerName\ShareName\FileName.txt``
            - service: indicates the name of a Windows service
            - printer: indicates the name of a printer
            - registry: indicates a registry key
                - Uses the following literal strings to denote the hive:
                    - HKEY_LOCAL_MACHINE
                    - MACHINE
                    - HKLM
                    - HKEY_USERS
                    - USERS
                    - HKU
                    - HKEY_CURRENT_USER
                    - CURRENT_USER
                    - HKCU
                    - HKEY_CLASSES_ROOT
                    - CLASSES_ROOT
                    - HKCR
                - Should be in the format of ``HIVE\Path\To\Key``. For example,
                    ``HKLM\SOFTWARE\Windows``
            - registry32: indicates a registry key under WOW64. Formatting is
                the same as it is for ``registry``
            - share: indicates a network share

    Returns:
        str: The primary group for the object

    Usage:

    .. code-block:: python

        salt.utils.win_dacl.get_primary_group('c:\\file')

**set_owner()**

    Set the owner of an object. This can be a file, folder, registry key,
    printer, service, etc...

    Args:

        obj_name (str):
            The object for which to set owner. This can be the path to a file or
            folder, a registry key, printer, etc. For more information about how
            to format the name see:

            https://msdn.microsoft.com/en-us/library/windows/desktop/aa379593(v=vs.85).aspx

        principal (str):
            The name of the user or group to make owner of the object. Can also
            pass a SID.

        obj_type (Optional[str]):
            The type of object for which to set the owner. Default is ``file``

    Returns:
        bool: True if successful, raises an error otherwise

    Usage:

    .. code-block:: python

        salt.utils.win_dacl.set_owner('C:\\MyDirectory', 'jsnuffy', 'file')
    r]r9��SeTakeOwnershipPrivilege�SeRestorePrivilegerrHNzFailed to make %s the owner: %szFailed to set owner: T�r|r\r^rZrrr`�setrQ�LookupPrivilegeValue�add�win32con�SE_PRIVILEGE_ENABLED�win32api�GetCurrentProcess�OpenProcessToken�TOKEN_ALL_ACCESS�TOKEN_ADJUST_PRIVILEGES�AdjustTokenPrivilegesr�rXrbrcrerfrrd)
rir�rZr��	obj_flags�	new_privs�luid�p_handle�t_handlerkr
r
r�	set_owner�s@��
���r�c

Cs|durd}t|�}t�}|��|jvrtd|����d|��vr't��|�}t�}t�	dd�}|�
|tjf�t�	dd�}|�
|tjf�t
��}t�|tjtjB�}t�|d|�zt�||j|��|jd	d|dd�WdStjy�}	zt�d
||	�td|��|	j��d}	~	ww)
as
    Set the primary group of an object. This can be a file, folder, registry
    key, printer, service, etc...

    Args:

        obj_name (str):
            The object for which to set primary group. This can be the path to a
            file or folder, a registry key, printer, etc. For more information
            about how to format the name see:

            https://msdn.microsoft.com/en-us/library/windows/desktop/aa379593(v=vs.85).aspx

        principal (str):
            The name of the group to make primary for the object. Can also pass
            a SID.

        obj_type (Optional[str]):
            The type of object for which to set the primary group.

    Returns:
        bool: True if successful, raises an error otherwise

    Usage:

    .. code-block:: python

        salt.utils.win_dacl.set_primary_group('C:\\MyDirectory', 'Administrators', 'file')
    N�Noner]r9r�r�r�rrGz'Failed to make %s the primary group: %szFailed to set primary group: Tr�)
rir�rZ�gidr�r�r�r�r�rkr
r
r�set_primary_group�sH ������r�rEc	Csx|durd|��vr
d}n|��dkrd}|rt|d�}nt||�}|�||�|�||||�|��|�||�dS)aO
    Set the permissions of an object. This can be a file, folder, registry key,
    printer, service, etc...

    Args:

        obj_name (str):
            The object for which to set permissions. This can be the path to a
            file or folder, a registry key, printer, etc. For more information
            about how to format the name see:

            https://msdn.microsoft.com/en-us/library/windows/desktop/aa379593(v=vs.85).aspx

        principal (str):
            The name of the user or group for which to set permissions. Can also
            pass a SID.

        permissions (str, list):
            The type of permissions to grant/deny the user. Can be one of the
            basic permissions, or a list of advanced permissions.

        access_mode (Optional[str]):
            Whether to grant or deny user the access. Valid options are:

            - grant (default): Grants the user access
            - deny: Denies the user access

        applies_to (Optional[str]):
            The objects to which these permissions will apply. Not all these
            options apply to all object types. Defaults to
            'this_folder_subfolders_files'

        obj_type (Optional[str]):
            The type of object for which to set permissions. Default is 'file'

        reset_perms (Optional[bool]):
            True will overwrite the permissions on the specified object. False
            will append the permissions. Default is False

        protected (Optional[bool]):
            True will disable inheritance for the object. False will enable
            inheritance. None will make no change. Default is None.

    Returns:
        bool: True if successful, raises an error otherwise

    Usage:

    .. code-block:: python

        salt.utils.win_dacl.set_permissions(
            'C:\\Temp', 'jsnuffy', 'full_control', 'grant')

**rm_permissions()**

    Remove a user's ACE from an object. This can be a file, folder, registry
    key, printer, service, etc...

    Args:

        obj_name (str):
            The object from which to remove the ace. This can be the
            path to a file or folder, a registry key, printer, etc. For more
            information about how to format the name see:

            https://msdn.microsoft.com/en-us/library/windows/desktop/aa379593(v=vs.85).aspx

        principal (str):
            The name of the user or group for which to set permissions. Can also
            pass a SID.

        ace_type (Optional[str]):
            The type of ace to remove. There are two types of ACEs, 'grant' and
            'deny'. 'all' will remove all ACEs for the user. Default is 'all'

        obj_type (Optional[str]):
            The type of object for which to set permissions. Default is 'file'

    Returns:
        bool: True if successful, raises an error otherwise

    Usage:

    .. code-block:: python

        # Remove jsnuffy's grant ACE from C:\Temp
        salt.utils.win_dacl.rm_permissions('C:\\Temp', 'jsnuffy', 'grant')

        # Remove all ACEs for jsnuffy from C:\Temp
        salt.utils.win_dacl.rm_permissions('C:\\Temp', 'jsnuffy')
    Get the permissions for the passed object

    Args:

        obj_name (str):
            The name of or path to the object.

        principal (Optional[str]):
            The name of the user or group for which to get permissions. Can also
            pass a SID. If None, all ACEs defined on the object will be
            returned. Default is None

        obj_type (Optional[str]):
            The type of object for which to get permissions.

    Returns:
        dict: A dictionary representing the object permissions

    Usage:

    .. code-block:: python

        salt.utils.win_dacl.get_permissions('C:\Temp')
    Check if the object has a specific permission

    Args:

        obj_name (str):
            The name of or path to the object.

        principal (str):
            The name of the user or group for which to get permissions. Can also
            pass a SID.

        permission (str):
            The permission to verify. Valid options depend on the obj_type.

        access_mode (Optional[str]):
            The access mode to check. Is the user granted or denied the
            permission. Default is 'grant'. Valid options are:

            - grant
            - deny

        obj_type (Optional[str]):
            The type of object for which to check permissions. Default is 'file'

        exact (Optional[bool]):
            True for an exact match, otherwise check to see if the permission is
            included in the ACE. Default is True

    Returns:
        bool: True if the object has the permission, otherwise False

    Usage:

    .. code-block:: python

        # Does Joe have read permissions to C:\Temp
        salt.utils.win_dacl.has_permission('C:\\Temp', 'joe', 'read', 'grant', exact=False)

        # Does Joe have Full Control of C:\Temp
        salt.utils.win_dacl.has_permission('C:\\Temp', 'joe', 'full_control', 'grant')
    Check if the object has the passed permissions. Can be all of them, or
    exactly the permissions passed and nothing more.

    Args:

        obj_name (str):
            The name of or path to the object.

        principal (str):
            The name of the user or group for which to get permissions. Can also
            pass a SID.

        permissions (list):
            The list of permissions to verify

        access_mode (Optional[str]):
            The access mode to check. Is the user granted or denied the
            permission. Default is 'grant'. Valid options are:

            - grant
            - deny

        obj_type (Optional[str]):
            The type of object for which to check permissions. Default is 'file'

        exact (Optional[bool]):
            ``True`` checks if the permissions are exactly those passed in
            permissions. ``False`` checks to see if the permissions are included
            in the ACE. Default is ``True``

    Returns:
        bool: True if the object has the permission, otherwise False

    Usage:

    .. code-block:: python

        # Does Joe have read and write permissions to C:\Temp
        salt.utils.win_dacl.has_permissions('C:\\Temp', 'joe', ['read', 'write'], 'grant', exact=False)

        # Does Joe have Full Control of C:\Temp
        salt.utils.win_dacl.has_permissions('C:\\Temp', 'joe', 'full_control', 'grant')
    Enable or disable an object's inheritance.

    Args:

        obj_name (str):
            The name of the object

        enabled (bool):
            True to enable inheritance, False to disable

        obj_type (Optional[str]):
            The type of object. Only three object types allow inheritance. Valid
            object types are:

            - file (default): This is a file or directory
            - registry
            - registry32 (for WOW64)

        clear (Optional[bool]):
            True to clear existing ACEs, False to keep existing ACEs.
            Default is False

    Returns:
        bool: True if successful, otherwise an Error

    Usage:

    .. code-block:: python

        salt.utils.win_dacl.set_inheritance('C:\Temp', False)
    Get an object's inheritance.

    Args:

        obj_name (str):
            The name of the object

        obj_type (Optional[str]):
            The type of object. Only three object types allow inheritance. Valid
            objects are:

            - file (default): This is a file or directory
            - registry
            - registry32 (for WOW64)

            The following should return False as there is no inheritance:

            - service
            - printer
            - share

    Returns:
        bool: True if enabled, otherwise False

    Usage:

    .. code-block:: python

        salt.utils.win_dacl.get_inheritance('HKLM\SOFTWARE\salt', 'registry')
    Copy the security descriptor of the Source to the Target. You can specify a
    specific portion of the security descriptor to copy using one of the
    `copy_*` parameters.

    .. note::
        At least one `copy_*` parameter must be ``True``

    .. note::
        The user account running this command must have the following
        privileges:

        - SeTakeOwnershipPrivilege
        - SeRestorePrivilege
        - SeSecurityPrivilege

    Args:

        source (str):
            The full path to the source. This is where the security info will be
            copied from

        target (str):
            The full path to the target. This is where the security info will be
            applied

        obj_type (str): file
            The type of object to query. This value changes the format of the
            ``obj_name`` parameter as follows:

            - file: indicates a file or directory
                - a relative path, such as ``FileName.txt`` or ``..\FileName``
                - an absolute path, such as ``C:\DirName\FileName.txt``
                - A UNC name, such as ``\\ServerName\ShareName\FileName.txt``
            - service: indicates the name of a Windows service
            - printer: indicates the name of a printer
            - registry: indicates a registry key
                - Uses the following literal strings to denote the hive:
                    - HKEY_LOCAL_MACHINE
                    - MACHINE
                    - HKLM
                    - HKEY_USERS
                    - USERS
                    - HKU
                    - HKEY_CURRENT_USER
                    - CURRENT_USER
                    - HKCU
                    - HKEY_CLASSES_ROOT
                    - CLASSES_ROOT
                    - HKCR
                - Should be in the format of ``HIVE\Path\To\Key``. For example,
                    ``HKLM\SOFTWARE\Windows``
            - registry32: indicates a registry key under WOW64. Formatting is
                the same as it is for ``registry``
            - share: indicates a network share

        copy_owner (bool): True
            ``True`` copies owner information. Default is ``True``

        copy_group (bool): True
            ``True`` copies group information. Default is ``True``

        copy_dacl (bool): True
            ``True`` copies the DACL. Default is ``True``

        copy_sacl (bool): True
            ``True`` copies the SACL. Default is ``True``

    Returns:
        bool: ``True`` if successful

    Raises:
        SaltInvocationError: When parameters are invalid
        CommandExecutionError: On failure to set security

    Usage:

    .. code-block:: python

        salt.utils.win_dacl.copy_security(
            source='C:\\temp\\source_file.txt',
            target='C:\\temp\\target_file.txt',
            obj_type='file')

        salt.utils.win_dacl.copy_security(
            source='HKLM\\SOFTWARE\\salt\\test_source',
            target='HKLM\\SOFTWARE\\salt\\test_target',
            obj_type='registry',
            copy_owner=False)
    Helper function used by ``check_perms`` for checking and setting Grant and
    Deny permissions.

    Args:

        obj_name (str):
            The name or full path to the object

        obj_type (Optional[str]):
            The type of object for which to check permissions. Default is 'file'

        new_perms (dict):
            A dictionary containing the user/group and the basic permissions to
            check/grant, ie: ``{'user': {'perms': 'basic_permission'}}``.

        access_mode (str):
            The access mode to set. Either ``grant`` or ``deny``

        ret (dict):
            A dictionary to append changes to and return. If not passed, will
            create a new dictionary to return.

        test_mode (bool):
            ``True`` will only return the changes that would be made. ``False``
            will make the changes as well as return the changes that would be
            made.

    Returns:
        dict: A dictionary of return data as expected by the state system
    Check owner and permissions for the passed directory. This function checks
    the permissions and sets them, returning the changes made.

    .. versionadded:: 2019.2.0

    Args:

        obj_name (str):
            The name or full path to the object

        obj_type (Optional[str]):
            The type of object for which to check permissions. Default is 'file'

        ret (dict):
            A dictionary to append changes to and return. If not passed, will
            create a new dictionary to return.

        owner (str):
            The owner to set for the directory.

        grant_perms (dict):
            A dictionary containing the user/group and the basic permissions to
            check/grant, ie: ``{'user': {'perms': 'basic_permission'}}``.
            Default is ``None``.

        deny_perms (dict):
            A dictionary containing the user/group and permissions to
            check/deny. Default is ``None``.

        inheritance (bool):
            ``True`` will enable inheritance from the parent object. ``False``
            will disable inheritance. Default is ``True``.

        reset (bool):
            ``True`` will clear the DACL and set only the permissions defined
            in ``grant_perms`` and ``deny_perms``. ``False`` appends permissions
            to the existing DACL. Default is ``False``. This does NOT affect
            inherited permissions.

        test_mode (bool):
            ``True`` will only return the changes that would be made. ``False``
            will make the changes as well as return the changes that would be
            made.

    Returns:
        dict: A dictionary of changes that have been made

    Usage:

    .. code-block:: python

        # You have to use __utils__ in order for __opts__ to be available

        # To see changes to ``C:\Temp`` if the 'Users' group is given 'read & execute' permissions.
        __utils__['dacl.check_perms'](obj_name='C:\Temp',
                                      obj_type='file',
                                      owner='Administrators',
                                      grant_perms={
                                          'Users': {
                                              'perms': 'read_execute'
                                          }
                                      })

        # Specify advanced attributes with a list
        __utils__['dacl.check_perms'](obj_name='C:\Temp',
                                      obj_type='file',
                                      owner='Administrators',
                                      grant_perms={
                                          'jsnuffy': {
                                              'perms': [
                                                  'read_attributes',
                                                  'read_ea'
                                              ],
                                              'applies_to': 'files_only'
                                          }
                                      })
    Set permissions for the given path

    .. versionadded:: 2019.2.0

    Args:

        obj_name (str):
            The name or full path to the object

        obj_type (Optional[str]):
            The type of object for which to check permissions. Default is 'file'

        grant_perms (dict):
            A dictionary containing the user/group and the basic permissions to
            grant, ie: ``{'user': {'perms': 'basic_permission'}}``. You can also
            set the ``applies_to`` setting here. The default for ``applies_to``
            is ``this_folder_subfolders_files``. Specify another ``applies_to``
            setting like this:

            .. code-block:: yaml

                {'user': {'perms': 'full_control', 'applies_to': 'this_folder'}}

            To set advanced permissions use a list for the ``perms`` parameter,
            ie:

            .. code-block:: yaml

                {'user': {'perms': ['read_attributes', 'read_ea'], 'applies_to': 'this_folder'}}

            To see a list of available attributes and applies to settings see
            the documentation for salt.utils.win_dacl.

            A value of ``None`` will make no changes to the ``grant`` portion of
            the DACL. Default is ``None``.

        deny_perms (dict):
            A dictionary containing the user/group and permissions to deny along
            with the ``applies_to`` setting. Use the same format used for the
            ``grant_perms`` parameter. Remember, deny permissions supersede
            grant permissions.

            A value of ``None`` will make no changes to the ``deny`` portion of
            the DACL. Default is ``None``.

        inheritance (bool):
            If ``True`` the object will inherit permissions from the parent, if
            ``False``, inheritance will be disabled. Inheritance setting will
            not apply to parent directories if they must be created. Default is
            ``False``.

        reset (bool):
            If ``True`` the existing DACL will be cleared and replaced with the
            settings defined in this function. If ``False``, new entries will be
            appended to the existing DACL. Default is ``False``.

    Returns:
        bool: True if successful

    Raises:
        CommandExecutionError: If unsuccessful

    Usage:

    .. code-block:: python

        import salt.utils.win_dacl

        # To grant the 'Users' group 'read & execute' permissions.
        salt.utils.win_dacl.set_perms(obj_name='C:\Temp',
                                      obj_type='file',
                                      grant_perms={
                                          'Users': {
                                              'perms': 'read_execute'
                                          }
                                      })

        # Specify advanced attributes with a list
        salt.utils.win_dacl.set_perms(obj_name='C:\Temp',
                                      obj_type='file',
                                      grant_perms={
                                          'jsnuffy': {
                                              'perms': [
                                                  'read_attributes',
                                                  'read_ea'
                                              ],
                                              'applies_to': 'this_folder_only'
                                          }
                                      })