From 8fba9119df4c93df775ad3c9120e65f1aa4c80b4 Mon Sep 17 00:00:00 2001
From: Daniel Neilson <53624638+ddneilson@users.noreply.github.com>
Date: Thu, 21 Mar 2024 15:01:11 +0000
Subject: [PATCH] fix: change windows logon type from NETWORK to INTERACTIVE

Problem:

Some applications have security controls that restrict what a network
logon user can do, but do not have such restrictions for interactive
logons.

Solution:

Change the win32 logon kind from NETWORK to INTERACTIVE. NETWORK was
oridinally chosen as it was believed that it was required for the logon
to have access to network shares, but INTERACTIVE grants the same
access so this should be a safe change.

Signed-off-by: Daniel Neilson <53624638+ddneilson@users.noreply.github.com>
---
 src/deadline_worker_agent/installer/win_installer.py          | 2 +-
 src/deadline_worker_agent/windows/win_credentials_resolver.py | 4 ++--
 test/unit/install/test_windows_installer.py                   | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/deadline_worker_agent/installer/win_installer.py b/src/deadline_worker_agent/installer/win_installer.py
index f9c36cc6..662b0387 100644
--- a/src/deadline_worker_agent/installer/win_installer.py
+++ b/src/deadline_worker_agent/installer/win_installer.py
@@ -200,7 +200,7 @@ def ensure_user_profile_exists(username: str, password: str):
         # https://timgolden.me.uk/pywin32-docs/win32security__LogonUser_meth.html
         logon_token = win32security.LogonUser(
             Username=username,
-            LogonType=win32security.LOGON32_LOGON_NETWORK_CLEARTEXT,
+            LogonType=win32security.LOGON32_LOGON_INTERACTIVE,
             LogonProvider=win32security.LOGON32_PROVIDER_DEFAULT,
             Password=password,
             Domain=None,
diff --git a/src/deadline_worker_agent/windows/win_credentials_resolver.py b/src/deadline_worker_agent/windows/win_credentials_resolver.py
index e71cfef8..7ef8d606 100644
--- a/src/deadline_worker_agent/windows/win_credentials_resolver.py
+++ b/src/deadline_worker_agent/windows/win_credentials_resolver.py
@@ -21,7 +21,7 @@
 from pywintypes import HANDLE as PyHANDLE
 from win32security import (
     LogonUser,
-    LOGON32_LOGON_NETWORK_CLEARTEXT,
+    LOGON32_LOGON_INTERACTIVE,
     LOGON32_PROVIDER_DEFAULT,
 )
 from win32profile import LoadUserProfile, PI_NOUI, UnloadUserProfile
@@ -214,7 +214,7 @@ def get_windows_session_user(self, user: str, passwordArn: str) -> WindowsSessio
                             # https://timgolden.me.uk/pywin32-docs/win32profile__LoadUserProfile_meth.html
                             logon_token = LogonUser(
                                 Username=user,
-                                LogonType=LOGON32_LOGON_NETWORK_CLEARTEXT,
+                                LogonType=LOGON32_LOGON_INTERACTIVE,
                                 LogonProvider=LOGON32_PROVIDER_DEFAULT,
                                 Password=password,
                                 Domain=None,
diff --git a/test/unit/install/test_windows_installer.py b/test/unit/install/test_windows_installer.py
index 919bf23a..fa578b53 100644
--- a/test/unit/install/test_windows_installer.py
+++ b/test/unit/install/test_windows_installer.py
@@ -238,7 +238,7 @@ def test_loads_user_profile(
         # THEN
         mock_LogonUser.assert_called_once_with(
             Username=username,
-            LogonType=win32security.LOGON32_LOGON_NETWORK_CLEARTEXT,
+            LogonType=win32security.LOGON32_LOGON_INTERACTIVE,
             LogonProvider=win32security.LOGON32_PROVIDER_DEFAULT,
             Password=password,
             Domain=None,