Skip to content

Commit

Permalink
fix: non-user-friendly error when trying to install the worker agent …
Browse files Browse the repository at this point in the history
…as domain user

Signed-off-by: Josh Usiskin <[email protected]>
  • Loading branch information
jusiskin committed Oct 29, 2024
1 parent 4937200 commit 3d1906d
Show file tree
Hide file tree
Showing 2 changed files with 59 additions and 0 deletions.
25 changes: 25 additions & 0 deletions src/deadline_worker_agent/installer/win_installer.py
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,21 @@ def print_banner():
)


def is_domain_user(username: str) -> bool:
# There are two formats for specifying domain users:
#
# 1. User Principal Name (UPN), e.g:
#
# <USERNAME>@<DOMAIN>
#
# 2. Down-Level Logon Name, e.g:
#
# <DOMAIN>\<USERNAME>
#
# See https://learn.microsoft.com/en-us/windows/win32/secauthn/user-name-formats
return "\\" in username or "@" in username


def check_account_existence(account_name: str) -> bool:
"""
Checks if an account exists on the system by attempting to resolve the account's SID.
Expand Down Expand Up @@ -851,18 +866,28 @@ def print_helping_info_and_exit():
logging.error(f"User does not have Administrator privileges: {os.environ['USERNAME']}")
print_helping_info_and_exit()

# Validate that if a windows job user override is specified, that the user exists
if windows_job_user is not None and not check_account_existence(windows_job_user):
raise InstallerFailedException(
f"Account {windows_job_user} provided for argument windows-job-user does not exist. "
"Please create the account before proceeding."
)
# Validate that if a windows job user override is specified, that it is not the same as the worker agent user
elif windows_job_user is not None and users_equal(windows_job_user, user_name):
raise InstallerFailedException(
f"Argument for windows-job-user cannot be the same as the worker agent user: {user_name}. "
"If you wish to run jobs as the agent user, set run_jobs_as_agent_user = true in the agent "
"configuration file."
)

# Validate that the --user argument is not a domain user. The installer does not currently support this.
if is_domain_user(user_name):
raise InstallerFailedException(
"running worker agent as a domain user is not currently supported. You can "
"have jobs run as a domain user by configuring the queue job run user to specify a "
"domain user account."
)

# Print configuration
print_banner()

Expand Down
34 changes: 34 additions & 0 deletions test/unit/install/test_windows_installer.py
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,40 @@ def test_start_windows_installer_fails_when_windows_job_user_is_agent_user(
)


# Override the "user" fixture, which feeds into the parsed_kwargs fixture
# with Valid domain username formats. For valid domain user formats, see:
# https://learn.microsoft.com/en-us/windows/win32/secauthn/user-name-formats
@pytest.mark.parametrize(
argnames="user",
argvalues=(
pytest.param("user@domain", id="user principal name"),
pytest.param(r"domain\username", id="down-level logon name"),
),
)
# No job user override
@pytest.mark.parametrize(
argnames="windows_job_user",
argvalues=(None,),
)
def test_start_windows_installer_fails_on_domain_worker_user(
parsed_kwargs: dict,
) -> None:
# GIVEN
with (
patch.object(shell, "IsUserAnAdmin", return_value=True),
pytest.raises(win_installer.InstallerFailedException) as raise_ctx,
):
# WHEN
win_installer.start_windows_installer(**parsed_kwargs)

# THEN
assert str(raise_ctx.value) == (
"running worker agent as a domain user is not currently supported. You can "
"have jobs run as a domain user by configuring the queue job run user to specify a "
"domain user account."
)


class TestCreateLocalQueueUserGroup:
"""Tests for the create_local_queue_user_group function"""

Expand Down

0 comments on commit 3d1906d

Please sign in to comment.