raw_exec windows: add support for setting the task user

[x-dvr]

Description

This PR adds support to set user under which task will be executed for raw_exec driver on Windows platform.
It will work for the case when nomad is being run as windows service, and the user for task is set to one of service accounts that do not require password. This is particularly important in environments with stricter security policies, where is is required to have as little workload do be run under system service account.

The following job file will allow to run task under more restrictive NT AUTHORITY\NetworkService account:

job "my-network-service" {
  datacenters = ["dc1"]
  task "task1" {
    user   = "NT AUTHORITY\\NetworkService"
    driver = "raw_exec"
    config {
      command = "whoami.exe"
      args    = ["/all"]
    }
  }
}

Links

Partially closes: #9424

Contributor Checklist

• Changelog Entry If this PR changes user-facing behavior, please generate and add a
  changelog entry using the make cl command.
• Testing Please add tests to cover any new functionality or to demonstrate bug fixes and
  ensure regressions will be caught.
• Documentation If the change impacts user-facing functionality such as the CLI, API, UI,
  and job configuration, please update the Nomad website documentation to reflect this. Refer to
  the website README for docs guidelines. Please also consider whether the
  change requires notes within the upgrade guide.

Reviewer Checklist

• Backport Labels Please add the correct backport labels as described by the internal
  backporting document.
• Commit Type Ensure the correct merge method is selected which should be "squash and merge"
  in the majority of situations. The main exceptions are long-lived feature branches or merges where
  history should be preserved.
• Enterprise PRs If this is an enterprise only PR, please add any required changelog entry
  within the public repository.

[hashicorp-cla-app]

All committers have signed the CLA.

[tgross]

Hi @x-dvr! The overall approach you've got here looks good. I've left some comments about some of the details. Something that I'd really like to see with this PR is some kind of test that exercises the behavior. Is there a Windows user in the typical CI environments GHA has that would be appropriate to use here?

Also, can you run make cl to add a changelog entry for this PR? It would also be great if you could update the raw_exec docs and task.user docs to match the change you're making here? You can find those in website/content/docs

[tgross]

We don't have a lot of control or visibility into what's happening in the LogonUserW call. Is it ever possible that this value could be nil without returning an error? There's no guarantees of that in the API docs as far as I can tell.

Also, do you know if Go will close this handle when the object is garbage collected? Do we need to clean up this resource up manually?

[x-dvr]

When LogonUserW is not able to create token is should return 0 and this case is handled. So I would assume if function didn't return 0, then token value should be populated with correct handle.

You are right token needs to be manually closed. I will add clean up code for the token.

[x-dvr]

Hello @tgross! Thank you for the feedback. I have integrated it and also updated documentation.
Regarding the real test for this functionality, there are some limiting factors. In order to not require password of user, logonuserw function is used with LogonType equal to LOGON32_LOGON_SERVICE, which in turn limits the accounts that can be used to accounts that have the service privilege enabled.
I did some tests, and it only works when code doing this operation is running as SYSTEM service account.
According to this comment, it looks like it is possible to run GHA as system service on Self-Hosted runners:
actions/runner#2540 (comment)

[x-dvr]

As a side note, I did manual tests on my windows machine, with Nomad built from my branch.
I started Nomad as windows service:

sc.exe create "Nomad" binPath="c:\nomad\nomad.exe agent -dev -config=c:\nomad\nomad.hcl"

Contents of nomad.hcl:

server {
  enabled          = true
  bootstrap_expect = 1
}

client {
  enabled       = true
}

plugin "raw_exec" {
  config {
    enabled = true
  }
}

log_file = "c:\nomad\nomad.log"

So I executed the following job file:

job "my-network-service" {
  datacenters = ["dc1"]
  task "task1" {
    user   = "NT AUTHORITY\\NetworkService"
    driver = "raw_exec"
    config {
      command = "whoami.exe"
      args    = ["/all"]
    }
  }
}

When this job is run without user specified in the logs one can find:

USER INFORMATION
----------------

User Name           SID     
=================== ========
nt authority\system S-1-5-18


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes                                        
====================================== ================ ============ ==================================================
BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner    
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                   

When the user is set to network service:

USER INFORMATION
----------------

User Name                    SID     
============================ ========
nt authority\network service S-1-5-20


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes                                        
====================================== ================ ============ ==================================================
Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                   
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group

[x-dvr]

@tgross What should be my next steps?

[tgross]

@tgross What should be my next steps?

This is great. I think you're right about the testing on GHA and that's likely not practical. We might be able to get a test case in our end-to-end infra but there's currently an issue with our nightly runner on Windows, so that will have to wait. Give me some time to re-review and we'll look at getting this merged.

[aimeeu]

Thank you for updating the docs! I left some suggestions so the content conforms to your docs style guide.

[x-dvr]

Thank you for the feedback @aimeeu. I've integrated your proposed changes and updated my branch with latest changes from upstream