Merge pull request #205 from katiewasnothere/gh_actions

Add CI github action for testing on push and PR
microsoft · Apr 21, 2021 · 3e47278 · 3e47278
2 parents e98b56d + 085c1a9
commit 3e47278
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 14 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,12 @@
+name: CI 
+on:
+  - push
+  - pull_request
+
+jobs: 
+  test:
+    runs-on: 'windows-2019'
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+      - run: go test -gcflags=all=-d=checkptr -v ./...
diff --git a/pkg/security/grantvmgroupaccess_test.go b/pkg/security/grantvmgroupaccess_test.go
@@ -13,6 +13,11 @@ import (
 	exec "golang.org/x/sys/execabs"
 )
 
+const (
+	vmAccountName = `NT VIRTUAL MACHINE\\Virtual Machines`
+	vmAccountSID  = "S-1-5-83-0"
+)
+
 // TestGrantVmGroupAccess verifies for the three case of a file, a directory,
 // and a file in a directory that the appropriate ACEs are set, including
 // inheritance in the second two examples. These are the expected ACES. Is
@@ -59,9 +64,9 @@ func TestGrantVmGroupAccess(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	verifyicacls(t,
+	verifyVMAccountDACLs(t,
 		f.Name(),
-		[]string{`NT VIRTUAL MACHINE\\Virtual Machines:(R)`},
+		[]string{`(R)`},
 	)
 
 	// Two items here:
@@ -74,35 +79,42 @@ func TestGrantVmGroupAccess(t *testing.T) {
 	//
 	// In properties for the directory, advanced security settings, this will
 	// show as a single line "Allow/Virtual Machines/Read/Inherited from none/This folder, subfolder and files
-	verifyicacls(t,
+	verifyVMAccountDACLs(t,
 		d,
-		[]string{`NT VIRTUAL MACHINE\\Virtual Machines:(R)`, `NT VIRTUAL MACHINE\\Virtual Machines:(OI)(CI)(IO)(GR)`},
+		[]string{`(R)`, `(OI)(CI)(IO)(GR)`},
 	)
 
-	verifyicacls(t,
+	verifyVMAccountDACLs(t,
 		find.Name(),
-		[]string{`NT VIRTUAL MACHINE\\Virtual Machines:(I)(R)`},
+		[]string{`(I)(R)`},
 	)
 
 }
 
-func verifyicacls(t *testing.T, name string, aces []string) {
+func verifyVMAccountDACLs(t *testing.T, name string, permissions []string) {
 	cmd := exec.Command("icacls", name)
 	outb, err := cmd.CombinedOutput()
 	if err != nil {
 		t.Fatal(err)
 	}
 	out := string(outb)
 
-	for _, ace := range aces {
+	for _, p := range permissions {
 		// Avoid '(' and ')' being part of match groups
-		ace = strings.Replace(ace, "(", "\\(", -1)
-		ace = strings.Replace(ace, ")", "\\)", -1)
+		p = strings.Replace(p, "(", "\\(", -1)
+		p = strings.Replace(p, ")", "\\)", -1)
+
+		nameToCheck := vmAccountName + ":" + p
+		sidToCheck := vmAccountSID + ":" + p
+
+		rxName := regexp.MustCompile(nameToCheck)
+		rxSID := regexp.MustCompile(sidToCheck)
+
+		matchesName := rxName.FindAllStringIndex(out, -1)
+		matchesSID := rxSID.FindAllStringIndex(out, -1)
 
-		rx := regexp.MustCompile(ace)
-		matches := rx.FindAllStringIndex(out, -1)
-		if len(matches) != 1 {
-			t.Fatalf("expected one match for %s got %d\n%s", ace, len(matches), out)
+		if len(matchesName) != 1 && len(matchesSID) != 1 {
+			t.Fatalf("expected one match for %s or %s\n%s", nameToCheck, sidToCheck, out)
 		}
 	}
 }