[REVIEW please] CreateGroups additions #530

bevanweiss · 2024-06-19T12:08:03Z

Just a placeholder for the current state of development on the ability to add Groups. wixtoolset/issues#8577

Not sure if it works yet, splitting out the tables cost me a little more time than I anticipated, and I'm unsure that the decompile is right.

I'll build out a few more of the build test cases, to validate the expected preconditions etc (i.e. marking CreateGroup when it's not under a component, and similar).

Please raise any style / formatting issues, that way I've got the most time to address them :)

I've just noticed I've missed a couple of Wix4-.Wix6 references (around CustomAction names). I'll tidy these up tomorrow.

Closes wixtoolset/issues#8577

src/wix/WixToolset.Converters/WixConverter.cs

src/ext/Util/ca/scaexec.cpp

src/ext/Util/ca/scagroup.cpp

bevanweiss · 2024-07-14T10:24:37Z

@barnson Are there any additional integration tests that you think would be good to have beyond what I've already got in this?
There's a small set that I haven't yet put in that would be around the domain functionality (similar to the new user one I've added on the other PR #547), I think that would be:

Creating/removing a domain group
Adding/removing a domain user from a domain group
Adding/removing a domain group from a domain group
Adding/removing a domain user from a local group
Adding/removing a domain group from a local group

I know there's a heap of code in this PR, however there's not really many easily separable portions that would be meaningful on their own. However, let me know if there's any way you can see that I could split it into more easily reviewable/pull-able portions.

barnson · 2024-07-15T02:31:05Z

I'm not a domain expert but the tests look reasonable to me.

robmen · 2024-12-26T15:56:31Z

One new test failed:

[xUnit.net 00:04:46.85]     WixToolsetTest.MsiE2E.UtilExtensionGroupTests.FailsIfRestrictedDomain [FAIL]
  Failed WixToolsetTest.MsiE2E.UtilExtensionGroupTests.FailsIfRestrictedDomain [16 s]
  Error Message:
   Assert.True() Failure
Expected: True
Actual:   False
  Stack Trace:
     at WixToolsetTest.MsiE2E.UtilExtensionGroupTests.FailsIfRestrictedDomain() in D:\a\wix\wix\src\test\msi\WixToolsetTest.MsiE2E\UtilExtensionGroupTests.cs:line 159

This is the test:

// Verify that a group cannot be created on a domain on which you don't have create user permission.
[RuntimeFact]
public void FailsIfRestrictedDomain()
{
    var productRestrictedDomain = this.CreatePackageInstaller("ProductRestrictedDomain");

    string logFile = productRestrictedDomain.InstallProduct(MSIExec.MSIExecReturnCode.ERROR_INSTALL_FAILURE, "TESTDOMAIN=DOESNOTEXIST");

    // Verify expected error message in the log file
    Assert.True(LogVerifier.MessageInLogFile(logFile, "CreateGroup:  Error 0x8007054b: failed to find Domain DOESNOTEXIST."));
}

bevanweiss · 2024-12-26T18:59:27Z

Thanks, it looks like it's the log error message that couldn't be found.
I'll have a look into it.

Any chance there's a way to retrieve the log file from the Github Action?

robmen · 2024-12-26T20:20:14Z

Any chance there's a way to retrieve the log file from the Github Action?

Not today. E2E Burn logs are captured, but MSI E2E logs are not. 😢

bevanweiss · 2024-12-26T21:43:19Z

Any chance there's a way to retrieve the log file from the Github Action?

Not today. E2E Burn logs are captured, but MSI E2E logs are not. 😢

No worries.
I did see what looked like that (Burn but not MSI) from the action.

And in your recent PR to update the runner actions it looked like the master repo was exempted from exporting those artefacts to prevent secret leakage also.

I just wanted to avoid a ‘works for me..’ situation.

robmen · 2024-12-26T22:26:12Z

The master branch handling is for official builds and is (will be) done differently in WiX v6. You can ignore all references to master in the conditions.

bevanweiss · 2024-12-27T23:57:17Z

Drats. This looks like an issue with the revised Domain->Server method.
I think the intent of this method has changed, my understanding of the original version was that given a Domain, it would identify an applicable Domain Server (Domain Controller, DC) that should be used to direct the domain requests to.
If an invalid Domain was provided to the original method, it would return an error, indicating this domain was not known, and no server could be found.
The revised version of this method appears to just return the domain name as the server, and then because the HRESULT error from the NetAPI call (to get the domain server) is overwritten with the StringCopy result, the method itself returns all happy indications.

I think this GetDomainFromServerName doesn't make sense as-is... since we are explicitely given the domain. It's the domain server that we need to identify (i.e. DC01.DOMAIN / PDC.DOMAIN etc).
And a side effect of this was the validation of the domain (i.e. if the domain doesn't exist, there can be no valid domain server for it, and hence the result value from the method should indicate this).
It was this PR that changed the method: #548

Unsure how I skipped this test on re-basing after that PR landed though...

Signed-off-by: Bevan Weiss <[email protected]>

Local group membership Add/Remove working, however with BUILTIN local system groups .NET doesn't appear to locate them as either groups nor basic security Principals. Still needs work to fix the test for nested groups. Ideally with some way to test for domain groups. Signed-off-by: Bevan Weiss <[email protected]>

Signed-off-by: Bevan Weiss <[email protected]>

Fixups to a few test cases. Signed-off-by: Bevan Weiss <[email protected]>

Since there's no reason to not have them identical where practical. Signed-off-by: Bevan Weiss <[email protected]>

Signed-off-by: Bevan Weiss <[email protected]>

bevanweiss · 2025-01-05T02:33:41Z

One new test failed:

Fixed. I went back to the earlier GetDomainServerName() method, since this provides a usable HRESULT if the domain doesn't actually exist.