o

�N�g9-�@s
dZd
dl
Z
d
dlZd
dlZd
dlZd
dlmZ
zd
dlZdZWne	y+


dZYn
wz,d
dl
Z
d
dlZd
dlZd
dl
Z
d
dlZd
dlZd
dlZd
dlZd
dlZd
dlZdZWne	yc


dZYn
we�e�
Zdd�Zdd	�Zddd�
Zdd
d�
Zddd�
ZdS)z.
Run processes as a different user in Windows
�N)
�CommandExecutionErrorTFc
Cstrt
sd
SdS)z4
    Only load if Win32 Libraries are installed
    )Fz(This utility requires pywin32 and psutilZ	win_runas)�	HAS_WIN32�
HAS_PSUTIL�rr�H/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/win_runas.py�__virtual__,s
rc
Cs<d
}
|}d|vr|�d�
\}}
d|vr|�d�
\}
}||
fS)zH
    Splits out the username from the domain name and returns both.
    �
.�
@�
\)
�split)�username�domainZ	user_namerrr�split_username6s





r�
c
Cs|t��}d
}d
}	zt
�|d�}Wntjy$
}
zWYd
}~nd
}~w
wn
t��||kr/n
q	|d
u
r6|S|d
u
r<|�
d
S)z�
    CreateEnvironmentBlock might fail when we close a login session and then
    try to re-open one very quickly. Run the method multiple times to work
    around the async nature of logoffs.
    NTF)�time�win32profileZCreateEnvironmentBlock�
pywintypes�error)�
user_token�inherit�timeout�start�env�excrrr�
create_envCs&






��

�	


�rc%
CsBt|
t
�s	t
|
�
}
zt�d
|
�\}}}t|
�
\}
}Wntjy4
}
z
t�|j	�
�
d�
}t|�
�
d
}~w
wtjtj
B}t�t��|�}	tjj�|	�

ztjjjtjjjddg
d�}
Wntyo


t�d�

d
}
t�|	�

Yn
w|
s~t�d�

t||
||�S|dkr�t�|
|d	tjtj�}n|r�t�|
||tjtj�}ntjj� |
�
j!}t�"|tj#�}|d
kr�t�"|tj$�}tjj�|�

tjj�%|�

t�&�}
d
|
_'t(�)|
d�\}}tjj�*|�
}t(�)|
d�\}}tjj�*|�
}t(�)|
d�\}}tjj�*|�
}t+j,t+j-Bt+j.B}tj/}|tj0O}tjjj1||j2|j2|j2d�}t3|d�}d
|v�
r'd|�d�}d
}z�tjjj4t5|�
d
d
|||||d�}|j6}|j7}|j8}|j9}tjjj:�|j2�

tjjj:�|j2�

tjjj:�|j2�

d|i
}t;�<|�
�=�
t>�?|t>j@�tjAk�
r�t+�B|�
}||d<tC�D|j2tEjFtEjGB�}tE�H|d��} | �I�}!|!�J�|d<Wd
�
n	1�
s�w



Y
tC�D|j2tEjFtEjGB�}"tE�H|"d��}#|#�I�}$|$|d<Wd
�
n	1�
s�w



Y
W|d
u
�
r�tjjj:�|�

t�|	�

t�|�

|
�
r�t�K�
t�|
�

|S|d
u
�r
tjjj:�|�

t�|	�

t�|�

|
�rt�K�
t�|
�

w)aB

    Run a command as another user. If the process is running as an admin or
    system account this method does not require a password. Other non
    privileged accounts need to provide a password for the user to runas.
    Commands are run in with the highest level privileges possible for the
    account provided.
    N�

r
ZSeTcbPrivilege)Z
session_idZprivsz!Unable to impersonate SYSTEM userz0No impersonation token, using unprivileged runaszNT AUTHORITY�r�ZdwFlagsZ	hStdInputZ
hStdOutputZ	hStdErrorF�&&�cmd /c "�
")�
logonflagsZapplicationname�commandline�currentdirectory�
creationflags�startupinfoZenvironment�pid�retcode�
r�stdout�stderr)L�
isinstance�str�
win32security�LookupAccountNamerrr�win32api�
FormatMessage�winerror�rstriprZTOKEN_QUERYZTOKEN_ADJUST_PRIVILEGESZOpenProcessTokenZGetCurrentProcess�salt�platform�winZ
elevate_tokenZimpersonate_sidZ
SYSTEM_SID�OSError�log�debug�CloseHandle�runas_unprivZ	LogonUser�win32conZLOGON32_LOGON_SERVICEZLOGON32_PROVIDER_DEFAULTZLOGON32_LOGON_INTERACTIVEZlogon_msv1_s4u�TokenZGetTokenInformationZTokenElevationTypeZTokenLinkedTokenZgrant_winsta_and_desktopZSECURITY_ATTRIBUTESZbInheritHandle�	win32pipe�
CreatePipeZmake_inheritable�win32processZCREATE_NO_WINDOWZCREATE_NEW_CONSOLEZCREATE_SUSPENDED�STARTF_USESTDHANDLES�STARTF_USESHOWWINDOW�STARTUPINFO�handlerZCreateProcessWithTokenW�int�hProcess�hThread�dwProcessId�
dwThreadId�kernel32�psutilZProcessZresume�
win32event�WaitForSingleObject�INFINITE�
WAIT_OBJECT_0�GetExitCodeProcess�msvcrt�open_osfhandle�os�O_RDONLY�O_TEXT�fdopen�read�stripZRevertToSelf)%ZcmdLiner�password�cwd�
_r
r�message�access�thZimpersonation_tokenrZelevation_typeZsecurity_attributesZ
stdin_readZstdin_writeZstdout_readZstdout_writeZstderr_readZstderr_writer$�flags�startup_inforrE�process_inforFrGrH�ret�exitcode�fd_out�f_outr)�fd_err�f_errr*rrr�runas[s








��






�



�







�




�	
�

�




���






�











�





�




�



��










�







rgc
Cs�t|
t
�s	t
|
�
}
zt�d
|
�\}}}t|
�
\}
}Wntjy4
}
z
t�|j	�
�
d�
}t|�
�
d
}~w
wtj
jjddd�\}}	tj
jjddd�\}
}tj
jj�tj
jj�
}tj
jj|dd�}
tj}|tjO}tj
jj||
|	|d�}d|vr|d	|�d
�}z4tj
jj|
||tj
jj|||d�}tj
jj�|j�

Wtj
jj�|
�

tj
jj�|	�

tj
jj�|�

ntj
jj�|
�

tj
jj�|	�

tj
jj�|�

wd|ji
}t�|tj tj!B�}t�"|d
��}|�#�|d<Wd
�
n1s�w



Y
t�|
tj tj!B�}t�"|d
��}|�#�|d<Wd
�
n	1�
sw



Y
tj
jj�$|j%t&j'�tj(k�
rDtj
jj)�*�}tj
jj�+|j%t,�-|�
�
|j.|d<tj
jj�|j%�

|S)z3
    Runas that works for non-privileged users
    NrFT)Zinherit_readZ
inherit_write)Z	srchandlerrrrr )rr
rXr!r"r%r#r&r(r)r*r')/r+r,r-r.rrrr/r0r1r2rr3r4r5r>rIZGetStdHandleZSTD_INPUT_HANDLEZDuplicateHandler;r@rArBZCreateProcessWithLogonWZLOGON_WITH_PROFILEr9rFrGrPrQrRrSrTrUrVrLrErKrMrNZwintypesZDWORDrO�ctypes�byref�value)�cmdrrXrYrZr
rr[�c2pread�c2pwrite�errread�errwrite�stdinZdupinr^r_r`rarcrdrerfrbrrrr:
s�






��


�


�

�






�







�	

�




�

�

��


�
r:)
r)NN)
N)�__doc__rh�loggingrRrZsalt.exceptionsrrJr�ImportErrorrPrr/r;rKr=r?rr-Zsalt.platform.winr3r�	getLogger�__name__r7rrrrgr:rrrr�<module>
sD





�









�



2