Fixes #3554 update windows preflight check for user in required groups
remove the username from the Get-LocalGroupMember cmdlet, get the list of users
belonging to the group, and perform a string comparison to determine if the current user
is part of the group

this should work around the need to supply the username with or without the
domain part depending on whether the machine was currently domain joined
anjannath committed Apr 4, 2023
1 parent 05b62a7 commit fc92752
Showing 2 changed files with 78 additions and 4 deletions.
53 changes: 49 additions & 4 deletions pkg/crc/preflight/preflight_checks_windows.go
Expand Up @@ -100,15 +100,60 @@ func checkHyperVServiceRunning() error {
}

func checkUserPartOfCrcUsersAndHypervAdminsGroup() error {
_, _, err := powershell.Execute(fmt.Sprintf("Get-LocalGroupMember -Group 'crc-users' -Member '%s'", username()))
groupMembers, _, err := powershell.Execute(`(Get-LocalGroupMember -Group 'crc-users').Name`)
if err != nil {
return err
}

logging.Debug("Checking current user is in the 'crc-user' group")
if !usernameInMembersList(username(), groupMembers) {
return fmt.Errorf("Could not find: %s in the 'crc-users' group", username())
}
// https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
// BUILTIN\Hyper-V Administrators => S-1-5-32-578
_, _, err = powershell.Execute(fmt.Sprintf("Get-LocalGroupMember -SID 'S-1-5-32-578' -Member '%s'", username()))
return err
groupMembers, _, err = powershell.Execute(`(Get-LocalGroupMember -SID 'S-1-5-32-578').Name`)
if err != nil {
return err
}
logging.Debug("Checking current user is in the 'Hyper-v Administrators' group")
if !usernameInMembersList(username(), groupMembers) {
return fmt.Errorf("Could not find: %s in the 'Hyper-v Administrators' group", username())
}
return nil
}

func usernameInMembersList(username, members string) bool {
m := strings.Split(members, "\n")
var memberList []string
// remove any empty elements
for _, elem := range m {
if strings.TrimSpace(elem) != "" {
memberList = append(memberList, strings.TrimSpace(elem))
}
}
logging.Debugf("group members: %s", strings.Join(memberList, ","))
for _, member := range memberList {
// we get the members of a group in the form domain\username
// if the current username is also returned in the same form
// check if that full domain\username is present in the list
if strings.Contains(username, "\\") {
if username == member {
return true
}
continue
}

// if we get only the username without domain part then we
// compare it with the username part of the group members
m := strings.Split(member, "\\")
if len(m) == 2 {
if m[1] == username {
return true
}
} else {
logging.Warnf("Got group member's name in unexpected format: %s", member)
}
}
return false
}

func fixUserPartOfCrcUsersAndHypervAdminsGroup() error {
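Review bot: In usernameInMembersList, when `username` has no domain part the loop accepts any member whose account part matches, so an entry such as `OTHERDOMAIN\crc` in 'crc-users' or Hyper-V Administrators satisfies the check for a different local account named `crc`. Both comparisons are also case-sensitive although Windows account names are not, so a casing difference between `username()` and the cmdlet output rejects a genuine member; `if strings.EqualFold(username, member)` and `if strings.EqualFold(m[1], username)` would fix that half. Comparing security identifiers instead of names avoids both problems, for example reading `(Get-LocalGroupMember -SID 'S-1-5-32-578').SID.Value` and matching it against the current user's SID. What `username()` returns is not visible in this hunk, so confirm there which branch is taken in practice. Separately, the first debug message says `'crc-user'` where the group is `'crc-users'`.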
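--- a/pkg/crc/preflight/preflight_checks_windows_test.go
+++ b/pkg/crc/preflight/preflight_checks_windows_test.go
@@ -0,0 +1,29 @@
+package preflight
+
+import (
+"testing"
+
+"github.com/stretchr/testify/assert"
+)
+
+func TestUserInMemberList(t *testing.T) {
+members := `DESKTOP-R05QDNL\someUser1
+DESKTOP-R05QDNL\someUser2
+NT AUTHORITY\INTERACTIVE
+DESKTOP-G7H96M0\crc`
+
+tests := []struct {
+username string
+expected bool
+}{
+{`some`, false},
+{`DESKTOP-G7H96M0\someUser1`, false},
+{`DESK`, false},
+{`someUser2`, true},
+{`crc`, true},
+}
+
+for _, tt := range tests {
+assert.Equal(t, tt.expected, usernameInMembersList(tt.username, members))
+}
+}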
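Review bot: The table in TestUserInMemberList has no row where a fully qualified name is expected to match, so the `strings.Contains(username, "\\")` branch of usernameInMembersList is only exercised for a miss; a row pairing the qualified name DESKTOP-G7H96M0\crc with `true` would cover it. The fixture also uses only `\n` separators and exact casing, while the production input is PowerShell output on Windows. Adding a CRLF-joined fixture, a differently cased name, and two members that share an account part under different domains would pin down the cases most likely to give a wrong group-membership answer.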
