RubyGems - puppet - Versions diffs - 3.3.2 → 3.4.0.rc1 - Mend

puppet 3.3.2 → 3.4.0.rc1

Potentially problematic release.

This version of puppet might be problematic. Click here for more details.

Files changed (589) hide show

data/CONTRIBUTING.md +22 -0
data/Gemfile +11 -2
data/README.md +13 -17
data/README_DEVELOPER.md +1 -1
data/Rakefile +1 -1
data/examples/hiera/README.md +4 -4
data/ext/debian/puppetmaster.init +1 -0
data/ext/debian/rules +2 -5
data/ext/nagios/check_puppet.rb +7 -7
data/ext/osx/file_mapping.yaml +1 -1
data/ext/osx/preflight.erb +34 -19
data/ext/rack/{files/config.ru → config.ru} +0 -0
data/ext/rack/{files/apache2.conf → example-passenger-vhost.conf} +6 -0
data/ext/redhat/puppet.spec.erb +20 -2
data/ext/systemd/{puppetagent.service → puppet.service} +0 -0
data/lib/hiera_puppet.rb +2 -2
data/lib/puppet/agent.rb +1 -6
data/lib/puppet/application.rb +15 -2
data/lib/puppet/application/agent.rb +2 -7
data/lib/puppet/application/apply.rb +8 -13
data/lib/puppet/application/cert.rb +47 -7
data/lib/puppet/application/device.rb +1 -6
data/lib/puppet/application/face_base.rb +1 -1
data/lib/puppet/application/filebucket.rb +1 -1
data/lib/puppet/application/inspect.rb +3 -12
data/lib/puppet/application/master.rb +1 -6
data/lib/puppet/application/queue.rb +1 -6
data/lib/puppet/application/resource.rb +2 -6
data/lib/puppet/coercion.rb +11 -0
data/lib/puppet/configurer.rb +5 -3
data/lib/puppet/configurer/downloader.rb +3 -1
data/lib/puppet/configurer/plugin_handler.rb +10 -0
data/lib/puppet/confine.rb +80 -0
data/lib/puppet/{provider/confine → confine}/exists.rb +3 -3
data/lib/puppet/{provider/confine → confine}/false.rb +2 -2
data/lib/puppet/{provider/confine → confine}/feature.rb +2 -2
data/lib/puppet/{provider/confine → confine}/true.rb +2 -2
data/lib/puppet/{provider/confine → confine}/variable.rb +2 -2
data/lib/puppet/{provider/confine_collection.rb → confine_collection.rb} +4 -4
data/lib/puppet/{provider/confiner.rb → confiner.rb} +4 -4
data/lib/puppet/daemon.rb +2 -6
data/lib/puppet/data_binding.rb +2 -30
data/lib/puppet/defaults.rb +283 -174
data/lib/puppet/error.rb +1 -0
data/lib/puppet/external/nagios.rb +0 -2
data/lib/puppet/external/nagios/base.rb +4 -3
data/lib/puppet/external/nagios/grammar.ry +173 -112
data/lib/puppet/external/nagios/parser.rb +233 -184
data/lib/puppet/face/file/store.rb +1 -1
data/lib/puppet/face/module/generate.rb +5 -7
data/lib/puppet/face/parser.rb +12 -2
data/lib/puppet/face/plugin.rb +6 -0
data/lib/puppet/feature/base.rb +16 -0
data/lib/puppet/feature/external_facts.rb +5 -0
data/lib/puppet/feature/libuser.rb +1 -1
data/lib/puppet/feature/msgpack.rb +1 -0
data/lib/puppet/feature/rails.rb +2 -2
data/lib/puppet/file_bucket/dipper.rb +8 -6
data/lib/puppet/file_bucket/file.rb +17 -1
data/lib/puppet/file_serving/base.rb +21 -10
data/lib/puppet/file_serving/configuration.rb +5 -7
data/lib/puppet/file_serving/configuration/parser.rb +1 -1
data/lib/puppet/file_serving/content.rb +1 -1
data/lib/puppet/file_serving/fileset.rb +3 -3
data/lib/puppet/file_serving/metadata.rb +22 -18
data/lib/puppet/file_serving/mount/file.rb +1 -1
data/lib/puppet/file_serving/mount/pluginfacts.rb +35 -0
data/lib/puppet/file_system.rb +3 -0
data/lib/puppet/file_system/file.rb +261 -0
data/lib/puppet/file_system/file18.rb +5 -0
data/lib/puppet/file_system/file19.rb +5 -0
data/lib/puppet/file_system/file19windows.rb +113 -0
data/lib/puppet/file_system/memory_file.rb +31 -0
data/lib/puppet/file_system/tempfile.rb +20 -0
data/lib/puppet/indirector/active_record.rb +1 -0
data/lib/puppet/indirector/catalog/compiler.rb +28 -0
data/lib/puppet/indirector/certificate_request/memory.rb +6 -0
data/lib/puppet/indirector/data_binding/hiera.rb +46 -2
data/lib/puppet/indirector/direct_file_server.rb +2 -2
data/lib/puppet/indirector/facts/facter.rb +25 -0
data/lib/puppet/indirector/file_bucket_file/file.rb +60 -74
data/lib/puppet/indirector/indirection.rb +5 -1
data/lib/puppet/indirector/json.rb +1 -1
data/lib/puppet/indirector/key/ca.rb +4 -0
data/lib/puppet/indirector/key/file.rb +7 -3
data/lib/puppet/indirector/key/memory.rb +6 -0
data/lib/puppet/indirector/node/write_only_yaml.rb +2 -2
data/lib/puppet/indirector/request.rb +17 -11
data/lib/puppet/indirector/resource/ral.rb +5 -0
data/lib/puppet/indirector/resource/rest.rb +1 -0
data/lib/puppet/indirector/resource/store_configs.rb +4 -0
data/lib/puppet/indirector/rest.rb +2 -1
data/lib/puppet/indirector/ssl_file.rb +7 -7
data/lib/puppet/indirector/terminus.rb +4 -0
data/lib/puppet/indirector/yaml.rb +3 -3
data/lib/puppet/interface/documentation.rb +4 -11
data/lib/puppet/module.rb +19 -6
data/lib/puppet/module_tool/applications/builder.rb +1 -1
data/lib/puppet/module_tool/applications/installer.rb +1 -1
data/lib/puppet/module_tool/checksums.rb +1 -1
data/lib/puppet/module_tool/dependency.rb +7 -3
data/lib/puppet/module_tool/metadata.rb +6 -2
data/lib/puppet/module_tool/tar.rb +2 -1
data/lib/puppet/module_tool/tar/gnu.rb +6 -2
data/lib/puppet/module_tool/tar/mini.rb +2 -0
data/lib/puppet/module_tool/tar/solaris.rb +2 -5
data/lib/puppet/network/authconfig.rb +0 -2
data/lib/puppet/network/authentication.rb +1 -1
data/lib/puppet/network/authstore.rb +6 -7
data/lib/puppet/network/format.rb +2 -3
data/lib/puppet/network/format_handler.rb +16 -11
data/lib/puppet/network/format_support.rb +14 -0
data/lib/puppet/network/formats.rb +26 -0
data/lib/puppet/network/http/connection.rb +8 -41
data/lib/puppet/network/http/handler.rb +28 -32
data/lib/puppet/network/http/webrick.rb +15 -22
data/lib/puppet/network/http_pool.rb +43 -9
data/lib/puppet/network/rights.rb +0 -0
data/lib/puppet/node.rb +24 -8
data/lib/puppet/node/environment.rb +18 -20
data/lib/puppet/node/facts.rb +23 -6
data/lib/puppet/parameter.rb +15 -2
data/lib/puppet/parameter/boolean.rb +5 -0
data/lib/puppet/parameter/value_collection.rb +6 -4
data/lib/puppet/parser/ast/resourceparam.rb +2 -1
data/lib/puppet/parser/compiler.rb +25 -9
data/lib/puppet/parser/files.rb +1 -1
data/lib/puppet/parser/functions.rb +12 -21
data/lib/puppet/parser/functions/collect.rb +6 -35
data/lib/puppet/parser/functions/contain.rb +26 -0
data/lib/puppet/parser/functions/create_resources.rb +5 -0
data/lib/puppet/parser/functions/extlookup.rb +2 -2
data/lib/puppet/parser/functions/file.rb +1 -1
data/lib/puppet/parser/functions/{reject.rb → filter.rb} +13 -12
data/lib/puppet/parser/functions/fqdn_rand.rb +13 -5
data/lib/puppet/parser/functions/include.rb +18 -1
data/lib/puppet/parser/functions/map.rb +44 -0
data/lib/puppet/parser/functions/select.rb +6 -38
data/lib/puppet/parser/lexer.rb +1 -1
data/lib/puppet/parser/parser_support.rb +1 -1
data/lib/puppet/parser/resource.rb +6 -45
data/lib/puppet/parser/scope.rb +33 -2
data/lib/puppet/parser/type_loader.rb +4 -60
data/lib/puppet/pops/binder/bindings_loader.rb +1 -1
data/lib/puppet/pops/binder/config/binder_config.rb +3 -3
data/lib/puppet/pops/binder/hiera2/bindings_provider.rb +1 -1
data/lib/puppet/pops/binder/scheme_handler/confdir_hiera_scheme.rb +1 -1
data/lib/puppet/pops/binder/scheme_handler/module_hiera_scheme.rb +2 -2
data/lib/puppet/pops/issues.rb +4 -0
data/lib/puppet/pops/model/ast_transformer.rb +4 -1
data/lib/puppet/pops/model/model_label_provider.rb +1 -1
data/lib/puppet/pops/parser/egrammar.ra +5 -24
data/lib/puppet/pops/parser/eparser.rb +859 -902
data/lib/puppet/pops/parser/lexer.rb +48 -30
data/lib/puppet/pops/parser/parser_support.rb +1 -1
data/lib/puppet/pops/patterns.rb +4 -4
data/lib/puppet/pops/utils.rb +1 -1
data/lib/puppet/pops/validation/checker3_1.rb +25 -20
data/lib/puppet/provider.rb +23 -6
data/lib/puppet/provider/aixobject.rb +0 -0
data/lib/puppet/provider/augeas/augeas.rb +21 -5
data/lib/puppet/provider/confine.rb +5 -79
data/lib/puppet/provider/cron/crontab.rb +0 -0
data/lib/puppet/provider/exec.rb +9 -7
data/lib/puppet/provider/exec/posix.rb +10 -1
data/lib/puppet/provider/exec/windows.rb +1 -1
data/lib/puppet/provider/file/posix.rb +1 -0
data/lib/puppet/provider/file/windows.rb +16 -5
data/lib/puppet/provider/group/aix.rb +0 -0
data/lib/puppet/provider/group/windows_adsi.rb +33 -1
data/lib/puppet/provider/macauthorization/macauthorization.rb +1 -1
data/lib/puppet/provider/mailalias/aliases.rb +0 -0
data/lib/puppet/provider/maillist/mailman.rb +0 -0
data/lib/puppet/provider/mount/parsed.rb +0 -0
data/lib/puppet/provider/nameservice/directoryservice.rb +3 -3
data/lib/puppet/provider/package/appdmg.rb +1 -1
data/lib/puppet/provider/package/apple.rb +1 -1
data/lib/puppet/provider/package/apt.rb +1 -1
data/lib/puppet/provider/package/aptitude.rb +0 -0
data/lib/puppet/provider/package/blastwave.rb +1 -1
data/lib/puppet/provider/package/dpkg.rb +1 -1
data/lib/puppet/provider/package/fink.rb +1 -1
data/lib/puppet/provider/package/freebsd.rb +0 -0
data/lib/puppet/provider/package/gem.rb +0 -0
data/lib/puppet/provider/package/macports.rb +0 -0
data/lib/puppet/provider/package/msi.rb +4 -10
data/lib/puppet/provider/package/nim.rb +8 -8
data/lib/puppet/provider/package/openbsd.rb +1 -1
data/lib/puppet/provider/package/opkg.rb +0 -0
data/lib/puppet/provider/package/pacman.rb +2 -2
data/lib/puppet/provider/package/pkgdmg.rb +1 -1
data/lib/puppet/provider/package/pkgutil.rb +1 -1
data/lib/puppet/provider/package/ports.rb +0 -0
data/lib/puppet/provider/package/rpm.rb +39 -3
data/lib/puppet/provider/package/sun.rb +3 -3
data/lib/puppet/provider/package/sunfreeware.rb +0 -0
data/lib/puppet/provider/package/windows.rb +12 -19
data/lib/puppet/provider/package/windows/package.rb +1 -1
data/lib/puppet/provider/package/yum.rb +2 -2
data/lib/puppet/provider/parsedfile.rb +0 -0
data/lib/puppet/provider/port/parsed.rb +0 -0
data/lib/puppet/provider/service/base.rb +0 -0
data/lib/puppet/provider/service/bsd.rb +3 -3
data/lib/puppet/provider/service/daemontools.rb +8 -8
data/lib/puppet/provider/service/debian.rb +0 -0
data/lib/puppet/provider/service/freebsd.rb +3 -3
data/lib/puppet/provider/service/init.rb +5 -4
data/lib/puppet/provider/service/launchd.rb +35 -24
data/lib/puppet/provider/service/openbsd.rb +23 -0
data/lib/puppet/provider/service/redhat.rb +0 -0
data/lib/puppet/provider/service/runit.rb +3 -3
data/lib/puppet/provider/service/smf.rb +0 -0
data/lib/puppet/provider/service/src.rb +0 -0
data/lib/puppet/provider/service/systemd.rb +0 -0
data/lib/puppet/provider/service/upstart.rb +3 -3
data/lib/puppet/provider/ssh_authorized_key/parsed.rb +2 -2
data/lib/puppet/provider/sshkey/parsed.rb +0 -0
data/lib/puppet/provider/user/aix.rb +0 -0
data/lib/puppet/provider/user/directoryservice.rb +1 -1
data/lib/puppet/provider/user/useradd.rb +1 -1
data/lib/puppet/provider/zone/solaris.rb +1 -1
data/lib/puppet/rails/benchmark.rb +1 -1
data/lib/puppet/reference/configuration.rb +1 -2
data/lib/puppet/reference/indirection.rb +12 -14
data/lib/puppet/relationship.rb +7 -4
data/lib/puppet/reports.rb +2 -2
data/lib/puppet/reports/rrdgraph.rb +1 -1
data/lib/puppet/reports/store.rb +3 -3
data/lib/puppet/reports/tagmail.rb +2 -2
data/lib/puppet/resource.rb +66 -8
data/lib/puppet/resource/catalog.rb +18 -25
data/lib/puppet/resource/status.rb +10 -4
data/lib/puppet/run.rb +6 -2
data/lib/puppet/settings.rb +39 -119
data/lib/puppet/settings/base_setting.rb +8 -9
data/lib/puppet/settings/directory_setting.rb +8 -0
data/lib/puppet/settings/file_setting.rb +35 -1
data/lib/puppet/settings/priority_setting.rb +42 -0
data/lib/puppet/ssl.rb +4 -0
data/lib/puppet/ssl/certificate.rb +18 -0
data/lib/puppet/ssl/certificate_authority.rb +101 -72
data/lib/puppet/ssl/certificate_authority/autosign_command.rb +44 -0
data/lib/puppet/ssl/certificate_authority/interface.rb +21 -17
data/lib/puppet/ssl/certificate_factory.rb +38 -12
data/lib/puppet/ssl/certificate_request.rb +201 -47
data/lib/puppet/ssl/certificate_request_attributes.rb +34 -0
data/lib/puppet/ssl/certificate_revocation_list.rb +2 -2
data/lib/puppet/ssl/host.rb +21 -10
data/lib/puppet/ssl/inventory.rb +6 -10
data/lib/puppet/ssl/key.rb +1 -1
data/lib/puppet/ssl/oids.rb +78 -0
data/lib/puppet/ssl/validator.rb +41 -97
data/lib/puppet/ssl/validator/default_validator.rb +153 -0
data/lib/puppet/ssl/validator/no_validator.rb +17 -0
data/lib/puppet/status.rb +4 -0
data/lib/puppet/test/test_helper.rb +5 -0
data/lib/puppet/transaction.rb +13 -0
data/lib/puppet/transaction/event.rb +8 -3
data/lib/puppet/transaction/report.rb +6 -2
data/lib/puppet/transaction/resource_harness.rb +173 -115
data/lib/puppet/type.rb +30 -13
data/lib/puppet/type/augeas.rb +12 -46
data/lib/puppet/type/component.rb +1 -7
data/lib/puppet/type/cron.rb +0 -0
data/lib/puppet/type/exec.rb +13 -1
data/lib/puppet/type/file.rb +19 -10
data/lib/puppet/type/file/checksum.rb +0 -0
data/lib/puppet/type/file/content.rb +3 -0
data/lib/puppet/type/file/ensure.rb +33 -15
data/lib/puppet/type/file/group.rb +0 -0
data/lib/puppet/type/file/mode.rb +6 -2
data/lib/puppet/type/file/owner.rb +0 -0
data/lib/puppet/type/file/source.rb +65 -14
data/lib/puppet/type/file/target.rb +6 -6
data/lib/puppet/type/file/type.rb +0 -0
data/lib/puppet/type/filebucket.rb +0 -0
data/lib/puppet/type/group.rb +18 -0
data/lib/puppet/type/host.rb +0 -0
data/lib/puppet/type/k5login.rb +4 -4
data/lib/puppet/type/mailalias.rb +0 -0
data/lib/puppet/type/maillist.rb +0 -0
data/lib/puppet/type/mount.rb +15 -1
data/lib/puppet/type/package.rb +7 -1
data/lib/puppet/type/port.rb +0 -0
data/lib/puppet/type/schedule.rb +9 -4
data/lib/puppet/type/service.rb +1 -1
data/lib/puppet/type/sshkey.rb +0 -0
data/lib/puppet/type/tidy.rb +1 -1
data/lib/puppet/type/user.rb +3 -0
data/lib/puppet/type/yumrepo.rb +8 -6
data/lib/puppet/type/zpool.rb +0 -0
data/lib/puppet/util.rb +4 -31
data/lib/puppet/util/adsi.rb +73 -17
data/lib/puppet/util/autoload.rb +3 -3
data/lib/puppet/util/backups.rb +4 -4
data/lib/puppet/util/cacher.rb +7 -13
data/lib/puppet/util/checksums.rb +2 -2
data/lib/puppet/util/classgen.rb +3 -1
data/lib/puppet/util/colors.rb +1 -0
data/lib/puppet/util/command_line.rb +5 -0
data/lib/puppet/util/docs.rb +33 -27
data/lib/puppet/util/execution.rb +42 -18
data/lib/puppet/util/filetype.rb +3 -3
data/lib/puppet/util/instance_loader.rb +2 -2
data/lib/puppet/util/instrumentation.rb +23 -42
data/lib/puppet/util/instrumentation/data.rb +11 -4
data/lib/puppet/util/instrumentation/indirection_probe.rb +11 -4
data/lib/puppet/util/instrumentation/instrumentable.rb +7 -14
data/lib/puppet/util/instrumentation/listener.rb +15 -8
data/lib/puppet/util/instrumentation/listeners/log.rb +4 -10
data/lib/puppet/util/instrumentation/listeners/performance.rb +8 -14
data/lib/puppet/util/limits.rb +12 -0
data/lib/puppet/util/lockfile.rb +2 -2
data/lib/puppet/util/log.rb +14 -6
data/lib/puppet/util/log/destinations.rb +23 -1
data/lib/puppet/util/metric.rb +9 -3
data/lib/puppet/util/monkey_patches.rb +7 -2
data/lib/puppet/util/network_device/config.rb +1 -1
data/lib/puppet/util/plugins.rb +1 -1
data/lib/puppet/util/posix.rb +0 -0
data/lib/puppet/util/profiler.rb +7 -2
data/lib/puppet/util/provider_features.rb +2 -2
data/lib/puppet/util/rdoc.rb +28 -30
data/lib/puppet/util/rdoc/code_objects.rb +75 -25
data/lib/puppet/util/rdoc/generators/puppet_generator.rb +1 -1
data/lib/puppet/util/rdoc/parser.rb +12 -487
data/lib/puppet/util/rdoc/parser/puppet_parser_core.rb +477 -0
data/lib/puppet/util/rdoc/parser/puppet_parser_rdoc1.rb +19 -0
data/lib/puppet/util/rdoc/parser/puppet_parser_rdoc2.rb +14 -0
data/lib/puppet/util/reference.rb +1 -1
data/lib/puppet/util/resource_template.rb +1 -1
data/lib/puppet/util/selinux.rb +1 -1
data/lib/puppet/util/storage.rb +2 -2
data/lib/puppet/util/suidmanager.rb +1 -1
data/lib/puppet/util/tag_set.rb +29 -0
data/lib/puppet/util/tagging.rb +8 -24
data/lib/puppet/util/watched_file.rb +1 -1
data/lib/puppet/util/watcher.rb +1 -1
data/lib/puppet/util/windows.rb +3 -0
data/lib/puppet/util/windows/access_control_entry.rb +84 -0
data/lib/puppet/util/windows/access_control_list.rb +106 -0
data/lib/puppet/util/windows/file.rb +213 -0
data/lib/puppet/util/windows/process.rb +199 -0
data/lib/puppet/util/windows/root_certs.rb +52 -37
data/lib/puppet/util/windows/security.rb +270 -245
data/lib/puppet/util/windows/security_descriptor.rb +62 -0
data/lib/puppet/util/windows/sid.rb +26 -4
data/lib/puppet/version.rb +2 -2
data/spec/fixtures/releases/jamtur01-apache/lib/puppet/provider/a2mod/debian.rb +1 -1
data/spec/fixtures/unit/indirector/{hiera → data_binding/hiera}/global.yaml +0 -0
data/spec/fixtures/unit/indirector/data_binding/hiera/invalid.yaml +1 -0
data/spec/fixtures/unit/module/trailing-comma.json +24 -0
data/spec/fixtures/unit/util/monkey_patches/x509.pem +32 -0
data/spec/integration/application/apply_spec.rb +1 -1
data/spec/integration/application/doc_spec.rb +1 -1
data/spec/integration/configurer_spec.rb +4 -2
data/spec/integration/data_binding.rb +100 -0
data/spec/integration/indirector/catalog/compiler_spec.rb +16 -13
data/spec/integration/indirector/direct_file_server_spec.rb +3 -5
data/spec/integration/indirector/file_content/file_server_spec.rb +2 -2
data/spec/integration/node/facts_spec.rb +1 -1
data/spec/integration/node_spec.rb +1 -1
data/spec/integration/parser/compiler_spec.rb +90 -0
data/spec/integration/parser/parser_spec.rb +2 -2
data/spec/integration/provider/cron/crontab_spec.rb +3 -5
data/spec/integration/resource/catalog_spec.rb +1 -1
data/spec/integration/ssl/autosign_spec.rb +90 -0
data/spec/integration/ssl/certificate_authority_spec.rb +62 -69
data/spec/integration/ssl/certificate_revocation_list_spec.rb +1 -1
data/spec/integration/ssl/host_spec.rb +1 -1
data/spec/integration/transaction_spec.rb +13 -13
data/spec/integration/type/exec_spec.rb +2 -2
data/spec/integration/type/file_spec.rb +287 -45
data/spec/integration/type/tidy_spec.rb +3 -3
data/spec/integration/util/rdoc/parser_spec.rb +236 -35
data/spec/integration/util/settings_spec.rb +1 -1
data/spec/integration/util/windows/process_spec.rb +22 -0
data/spec/integration/util/windows/security_spec.rb +316 -106
data/spec/lib/matchers/containment_matchers.rb +52 -0
data/spec/lib/puppet_spec/compiler.rb +6 -0
data/spec/lib/puppet_spec/files.rb +20 -21
data/spec/shared_behaviours/documentation_on_faces.rb +3 -3
data/spec/shared_behaviours/file_server_terminus.rb +2 -2
data/spec/shared_contexts/platform.rb +1 -0
data/spec/spec_helper.rb +13 -1
data/spec/unit/agent_spec.rb +0 -12
data/spec/unit/application/agent_spec.rb +4 -4
data/spec/unit/application/apply_spec.rb +18 -2
data/spec/unit/application/cert_spec.rb +8 -6
data/spec/unit/application/device_spec.rb +1 -1
data/spec/unit/application/filebucket_spec.rb +1 -1
data/spec/unit/application/inspect_spec.rb +1 -1
data/spec/unit/application_spec.rb +24 -0
data/spec/unit/configurer/downloader_spec.rb +8 -7
data/spec/unit/configurer/fact_handler_spec.rb +23 -0
data/spec/unit/configurer/plugin_handler_spec.rb +7 -2
data/spec/unit/configurer_spec.rb +15 -5
data/spec/unit/{provider/confine → confine}/exists_spec.rb +12 -12
data/spec/unit/{provider/confine → confine}/false_spec.rb +9 -9
data/spec/unit/{provider/confine → confine}/feature_spec.rb +10 -10
data/spec/unit/{provider/confine → confine}/true_spec.rb +7 -7
data/spec/unit/{provider/confine → confine}/variable_spec.rb +16 -16
data/spec/unit/{provider/confine_collection_spec.rb → confine_collection_spec.rb} +30 -30
data/spec/unit/{provider/confine_spec.rb → confine_spec.rb} +11 -11
data/spec/unit/{provider/confiner_spec.rb → confiner_spec.rb} +4 -4
data/spec/unit/face/parser_spec.rb +54 -0
data/spec/unit/file_bucket/dipper_spec.rb +2 -2
data/spec/unit/file_serving/base_spec.rb +32 -9
data/spec/unit/file_serving/configuration_spec.rb +7 -7
data/spec/unit/file_serving/content_spec.rb +12 -7
data/spec/unit/file_serving/fileset_spec.rb +57 -27
data/spec/unit/file_serving/metadata_spec.rb +74 -12
data/spec/unit/file_serving/mount/file_spec.rb +10 -10
data/spec/unit/file_serving/mount/pluginfacts_spec.rb +73 -0
data/spec/unit/file_system/file_spec.rb +486 -0
data/spec/unit/file_system/tempfile_spec.rb +48 -0
data/spec/unit/graph/relationship_graph_spec.rb +0 -6
data/spec/unit/hiera_puppet_spec.rb +2 -2
data/spec/unit/indirector/catalog/compiler_spec.rb +15 -19
data/spec/unit/indirector/certificate_status/file_spec.rb +30 -40
data/spec/unit/indirector/data_binding/hiera_spec.rb +95 -2
data/spec/unit/indirector/direct_file_server_spec.rb +6 -6
data/spec/unit/indirector/facts/facter_spec.rb +33 -0
data/spec/unit/indirector/file_bucket_file/file_spec.rb +61 -52
data/spec/unit/indirector/file_metadata/file_spec.rb +2 -2
data/spec/unit/indirector/file_server_spec.rb +4 -4
data/spec/unit/indirector/json_spec.rb +4 -4
data/spec/unit/indirector/key/file_spec.rb +13 -14
data/spec/unit/indirector/resource/ral_spec.rb +7 -0
data/spec/unit/indirector/resource/store_configs_spec.rb +11 -0
data/spec/unit/indirector/rest_spec.rb +7 -3
data/spec/unit/indirector/ssl_file_spec.rb +14 -17
data/spec/unit/indirector/yaml_spec.rb +4 -4
data/spec/unit/module_spec.rb +43 -15
data/spec/unit/module_tool/tar/gnu_spec.rb +2 -2
data/spec/unit/module_tool/tar/solaris_spec.rb +2 -2
data/spec/unit/module_tool/tar_spec.rb +45 -0
data/spec/unit/network/authconfig_spec.rb +2 -1
data/spec/unit/network/authentication_spec.rb +2 -2
data/spec/unit/network/format_handler_spec.rb +2 -2
data/spec/unit/network/formats_spec.rb +24 -0
data/spec/unit/network/http/connection_spec.rb +76 -199
data/spec/unit/network/http/handler_spec.rb +33 -34
data/spec/unit/network/http_pool_spec.rb +8 -5
data/spec/unit/node/environment_spec.rb +76 -90
data/spec/unit/node/facts_spec.rb +20 -3
data/spec/unit/node_spec.rb +43 -0
data/spec/unit/parameter/boolean_spec.rb +22 -12
data/spec/unit/parser/ast/resourceparam_spec.rb +51 -0
data/spec/unit/parser/compiler_spec.rb +103 -35
data/spec/unit/parser/eparser_adapter_spec.rb +12 -12
data/spec/unit/parser/files_spec.rb +11 -11
data/spec/unit/parser/functions/contain_spec.rb +185 -0
data/spec/unit/parser/functions/create_resources_spec.rb +13 -5
data/spec/unit/parser/functions/generate_spec.rb +1 -1
data/spec/unit/parser/functions_spec.rb +2 -2
data/spec/unit/parser/lexer_spec.rb +1 -1
data/spec/unit/parser/methods/each_spec.rb +1 -1
data/spec/unit/parser/methods/{select_spec.rb → filter_spec.rb} +11 -11
data/spec/unit/parser/methods/map_spec.rb +95 -0
data/spec/unit/parser/methods/reduce_spec.rb +12 -11
data/spec/unit/parser/methods/shared.rb +5 -5
data/spec/unit/parser/methods/slice_spec.rb +13 -13
data/spec/unit/parser/parser_spec.rb +1 -1
data/spec/unit/parser/resource/param_spec.rb +44 -0
data/spec/unit/parser/resource_spec.rb +16 -15
data/spec/unit/pops/model/ast_transformer_spec.rb +18 -4
data/spec/unit/pops/parser/lexer_spec.rb +22 -5
data/spec/unit/pops/parser/parse_calls_spec.rb +5 -5
data/spec/unit/pops/transformer/transform_calls_spec.rb +6 -6
data/spec/unit/pops/transformer/transform_containers_spec.rb +2 -2
data/spec/unit/pops/validator/validator_spec.rb +31 -0
data/spec/unit/provider/augeas/augeas_spec.rb +57 -2
data/spec/unit/provider/exec/posix_spec.rb +8 -3
data/spec/unit/provider/file/posix_spec.rb +2 -2
data/spec/unit/provider/group/windows_adsi_spec.rb +70 -3
data/spec/unit/provider/nameservice/directoryservice_spec.rb +3 -3
data/spec/unit/provider/package/apt_spec.rb +1 -1
data/spec/unit/provider/package/msi_spec.rb +15 -42
data/spec/unit/provider/package/openbsd_spec.rb +3 -3
data/spec/unit/provider/package/rpm_spec.rb +56 -13
data/spec/unit/provider/package/windows_spec.rb +15 -19
data/spec/unit/provider/service/base_spec.rb +1 -1
data/spec/unit/provider/service/daemontools_spec.rb +18 -8
data/spec/unit/provider/service/freebsd_spec.rb +3 -3
data/spec/unit/provider/service/gentoo_spec.rb +5 -2
data/spec/unit/provider/service/init_spec.rb +17 -17
data/spec/unit/provider/service/launchd_spec.rb +76 -23
data/spec/unit/provider/service/openbsd_spec.rb +125 -0
data/spec/unit/provider/service/openwrt_spec.rb +1 -1
data/spec/unit/provider/service/runit_spec.rb +12 -5
data/spec/unit/provider/service/upstart_spec.rb +4 -4
data/spec/unit/provider/ssh_authorized_key/parsed_spec.rb +5 -5
data/spec/unit/provider/user/directoryservice_spec.rb +4 -4
data/spec/unit/provider/zone/solaris_spec.rb +1 -1
data/spec/unit/provider_spec.rb +2 -2
data/spec/unit/reports/http_spec.rb +19 -34
data/spec/unit/reports/store_spec.rb +2 -2
data/spec/unit/resource/catalog_spec.rb +81 -11
data/spec/unit/resource/status_spec.rb +11 -1
data/spec/unit/resource/type_spec.rb +30 -1
data/spec/unit/resource_spec.rb +40 -4
data/spec/unit/settings/file_setting_spec.rb +2 -2
data/spec/unit/settings/path_setting_spec.rb +2 -2
data/spec/unit/settings/priority_setting_spec.rb +66 -0
data/spec/unit/settings_spec.rb +16 -31
data/spec/unit/ssl/certificate_authority/autosign_command_spec.rb +30 -0
data/spec/unit/ssl/certificate_authority_spec.rb +129 -134
data/spec/unit/ssl/certificate_factory_spec.rb +18 -0
data/spec/unit/ssl/certificate_request_attributes_spec.rb +61 -0
data/spec/unit/ssl/certificate_request_spec.rb +103 -0
data/spec/unit/ssl/certificate_spec.rb +31 -18
data/spec/unit/ssl/host_spec.rb +34 -8
data/spec/unit/ssl/inventory_spec.rb +27 -62
data/spec/unit/ssl/key_spec.rb +4 -4
data/spec/unit/ssl/oids_spec.rb +48 -0
data/spec/unit/ssl/validator_spec.rb +49 -6
data/spec/unit/status_spec.rb +9 -0
data/spec/unit/transaction/event_spec.rb +1 -9
data/spec/unit/transaction/report_spec.rb +20 -1
data/spec/unit/transaction/resource_harness_spec.rb +60 -210
data/spec/unit/transaction_spec.rb +54 -8
data/spec/unit/type/component_spec.rb +2 -2
data/spec/unit/type/exec_spec.rb +14 -7
data/spec/unit/type/file/content_spec.rb +13 -2
data/spec/unit/type/file/ctime_spec.rb +1 -1
data/spec/unit/type/file/mode_spec.rb +48 -2
data/spec/unit/type/file/mtime_spec.rb +1 -1
data/spec/unit/type/file/source_spec.rb +177 -7
data/spec/unit/type/file_spec.rb +63 -71
data/spec/unit/type/group_spec.rb +20 -0
data/spec/unit/type/k5login_spec.rb +3 -3
data/spec/unit/type/mount_spec.rb +53 -0
data/spec/unit/type/nagios_spec.rb +216 -0
data/spec/unit/type/package_spec.rb +7 -1
data/spec/unit/type/schedule_spec.rb +6 -0
data/spec/unit/type/service_spec.rb +3 -3
data/spec/unit/type/tidy_spec.rb +14 -14
data/spec/unit/type/user_spec.rb +9 -0
data/spec/unit/type_spec.rb +86 -4
data/spec/unit/util/adsi_spec.rb +120 -12
data/spec/unit/util/autoload_spec.rb +14 -14
data/spec/unit/util/backups_spec.rb +29 -21
data/spec/unit/util/checksums_spec.rb +2 -1
data/spec/unit/util/command_line_spec.rb +41 -0
data/spec/unit/util/docs_spec.rb +91 -0
data/spec/unit/util/execution_spec.rb +26 -2
data/spec/unit/util/filetype_spec.rb +7 -7
data/spec/unit/util/lockfile_spec.rb +2 -2
data/spec/unit/util/log/destinations_spec.rb +32 -0
data/spec/unit/util/monkey_patches_spec.rb +41 -0
data/spec/unit/util/pidlock_spec.rb +6 -6
data/spec/unit/util/rdoc/parser_spec.rb +15 -13
data/spec/unit/util/rdoc_spec.rb +18 -24
data/spec/unit/util/resource_template_spec.rb +3 -3
data/spec/unit/util/selinux_spec.rb +4 -2
data/spec/unit/util/storage_spec.rb +4 -4
data/spec/unit/util/suidmanager_spec.rb +7 -0
data/spec/unit/util/tag_set_spec.rb +46 -0
data/spec/unit/util/tagging_spec.rb +82 -45
data/spec/unit/util/watcher_spec.rb +4 -1
data/spec/unit/util/windows/access_control_entry_spec.rb +67 -0
data/spec/unit/util/windows/access_control_list_spec.rb +133 -0
data/spec/unit/util/windows/root_certs_spec.rb +10 -8
data/spec/unit/util/windows/security_descriptor_spec.rb +117 -0
data/spec/unit/util/windows/sid_spec.rb +69 -0
data/spec/unit/util_spec.rb +7 -7
data/tasks/ci.rake +17 -36
metadata +2811 -2746
checksums.yaml +0 -7
data/examples/mac_automount.pp +0 -16
data/examples/mcx_dock_absent.pp +0 -4
data/examples/mcx_dock_default.pp +0 -118
data/examples/mcx_dock_full.pp +0 -125
data/examples/mcx_dock_invalid.pp +0 -9
data/examples/mcx_nogroup.pp +0 -118
data/examples/mcx_notexists_absent.pp +0 -4
data/ext/rack/README +0 -58
data/ext/rack/manifest.pp +0 -59
data/lib/puppet/external/lock.rb +0 -63
data/lib/puppet/indirector/hiera.rb +0 -39
data/lib/puppet/parser/functions/foreach.rb +0 -95
data/spec/integration/network/server/webrick_spec.rb +0 -76
data/spec/integration/parser/functions_spec.rb +0 -16
data/spec/unit/indirector/hiera_spec.rb +0 -154
data/spec/unit/parser/methods/collect_spec.rb +0 -153
data/spec/unit/parser/methods/foreach_spec.rb +0 -91
data/spec/unit/parser/methods/reject_spec.rb +0 -73
data/spec/unit/resource/resource_type.json +0 -34

data/lib/puppet/util/windows/process.rb CHANGED

@@ -8,6 +8,117 @@ module Puppet::Util::Windows::Process
   extend ::Windows::Handle
   extend ::Windows::Synchronize
+  module API
+    require 'ffi'
+    extend FFI::Library
+    ffi_convention :stdcall
+    ffi_lib 'kernel32'
+    # http://msdn.microsoft.com/en-us/library/windows/desktop/ms683179(v=vs.85).aspx
+    # HANDLE WINAPI GetCurrentProcess(void);
+    attach_function :get_current_process, :GetCurrentProcess, [], :uint
+    # BOOL WINAPI CloseHandle(
+    #   _In_  HANDLE hObject
+    # );
+    attach_function :close_handle, :CloseHandle, [:uint], :bool
+    ffi_lib 'advapi32'
+    # http://msdn.microsoft.com/en-us/library/windows/desktop/aa379295(v=vs.85).aspx
+    # BOOL WINAPI OpenProcessToken(
+    #   _In_   HANDLE ProcessHandle,
+    #   _In_   DWORD DesiredAccess,
+    #   _Out_  PHANDLE TokenHandle
+    # );
+    attach_function :open_process_token, :OpenProcessToken,
+      [:uint, :uint, :pointer], :bool
+    # http://msdn.microsoft.com/en-us/library/windows/desktop/aa379261(v=vs.85).aspx
+    # typedef struct _LUID {
+    #   DWORD LowPart;
+    #   LONG  HighPart;
+    # } LUID, *PLUID;
+    class LUID < FFI::Struct
+      layout :low_part, :uint,
+             :high_part, :int
+    end
+    # http://msdn.microsoft.com/en-us/library/Windows/desktop/aa379180(v=vs.85).aspx
+    # BOOL WINAPI LookupPrivilegeValue(
+    #   _In_opt_  LPCTSTR lpSystemName,
+    #   _In_      LPCTSTR lpName,
+    #   _Out_     PLUID lpLuid
+    # );
+    attach_function :lookup_privilege_value, :LookupPrivilegeValueW,
+      [:buffer_in, :buffer_in, :pointer], :bool
+    Token_Information = enum(
+        :token_user, 1,
+        :token_groups,
+        :token_privileges,
+        :token_owner,
+        :token_primary_group,
+        :token_default_dacl,
+        :token_source,
+        :token_type,
+        :token_impersonation_level,
+        :token_statistics,
+        :token_restricted_sids,
+        :token_session_id,
+        :token_groups_and_privileges,
+        :token_session_reference,
+        :token_sandbox_inert,
+        :token_audit_policy,
+        :token_origin,
+        :token_elevation_type,
+        :token_linked_token,
+        :token_elevation,
+        :token_has_restrictions,
+        :token_access_information,
+        :token_virtualization_allowed,
+        :token_virtualization_enabled,
+        :token_integrity_level,
+        :token_ui_access,
+        :token_mandatory_policy,
+        :token_logon_sid,
+        :max_token_info_class
+      )
+    # http://msdn.microsoft.com/en-us/library/windows/desktop/aa379263(v=vs.85).aspx
+    # typedef struct _LUID_AND_ATTRIBUTES {
+    #   LUID  Luid;
+    #   DWORD Attributes;
+    # } LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES;
+    class LUID_And_Attributes < FFI::Struct
+      layout :luid, LUID,
+             :attributes, :uint
+    end
+    # http://msdn.microsoft.com/en-us/library/windows/desktop/aa379630(v=vs.85).aspx
+    # typedef struct _TOKEN_PRIVILEGES {
+    #   DWORD               PrivilegeCount;
+    #   LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
+    # } TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;
+    class Token_Privileges < FFI::Struct
+      layout :privilege_count, :uint,
+             :privileges, [LUID_And_Attributes, 1]    # placeholder for offset
+    end
+    # http://msdn.microsoft.com/en-us/library/windows/desktop/aa446671(v=vs.85).aspx
+    # BOOL WINAPI GetTokenInformation(
+    #   _In_       HANDLE TokenHandle,
+    #   _In_       TOKEN_INFORMATION_CLASS TokenInformationClass,
+    #   _Out_opt_  LPVOID TokenInformation,
+    #   _In_       DWORD TokenInformationLength,
+    #   _Out_      PDWORD ReturnLength
+    # );
+    attach_function :get_token_information, :GetTokenInformation,
+      [:uint, Token_Information, :pointer, :uint, :pointer ], :bool
+  end
   def execute(command, arguments, stdin, stdout, stderr)
     Process.create( :command_line => command, :startup_info => {:stdin => stdin, :stdout => stdout, :stderr => stderr}, :close_handles => false )
   end
@@ -33,4 +144,92 @@ module Puppet::Util::Windows::Process
     exit_status
   end
   module_function :wait_process
+  def get_current_process
+    # this pseudo-handle does not require closing per MSDN docs
+    API.get_current_process
+  end
+  module_function :get_current_process
+  def open_process_token(handle, desired_access)
+    token_handle_ptr = FFI::MemoryPointer.new(:uint, 1)
+    result = API.open_process_token(handle, desired_access, token_handle_ptr)
+    if !result
+      raise Puppet::Util::Windows::Error.new(
+        "OpenProcessToken(#{handle}, #{desired_access.to_s(8)}, #{token_handle_ptr})")
+    end
+    begin
+      yield token_handle = token_handle_ptr.read_uint
+    ensure
+      API.close_handle(token_handle)
+    end
+  end
+  module_function :open_process_token
+  def lookup_privilege_value(name, system_name = '')
+    luid = FFI::MemoryPointer.new(API::LUID.size)
+    result = API.lookup_privilege_value(WideString.new(system_name),
+      WideString.new(name.to_s), luid)
+    return API::LUID.new(luid) if result
+    raise Puppet::Util::Windows::Error.new(
+      "LookupPrivilegeValue(#{system_name}, #{name}, #{luid})")
+  end
+  module_function :lookup_privilege_value
+  def get_token_information(token_handle, token_information)
+    # to determine buffer size
+    return_length_ptr = FFI::MemoryPointer.new(:uint, 1)
+    result = API.get_token_information(token_handle, token_information, nil, 0, return_length_ptr)
+    return_length = return_length_ptr.read_uint
+    if return_length <= 0
+      raise Puppet::Util::Windows::Error.new(
+        "GetTokenInformation(#{token_handle}, #{token_information}, nil, 0, #{return_length_ptr})")
+    end
+    # re-call API with properly sized buffer for all results
+    token_information_buf = FFI::MemoryPointer.new(return_length)
+    result = API.get_token_information(token_handle, token_information,
+      token_information_buf, return_length, return_length_ptr)
+    if !result
+      raise Puppet::Util::Windows::Error.new(
+        "GetTokenInformation(#{token_handle}, #{token_information}, #{token_information_buf}, " +
+          "#{return_length}, #{return_length_ptr})")
+    end
+    raw_privileges = API::Token_Privileges.new(token_information_buf)
+    privileges = { :count => raw_privileges[:privilege_count], :privileges => [] }
+    offset = token_information_buf + API::Token_Privileges.offset_of(:privileges)
+    privilege_ptr = FFI::Pointer.new(API::LUID_And_Attributes, offset)
+    # extract each instance of LUID_And_Attributes
+    0.upto(privileges[:count] - 1) do |i|
+      privileges[:privileges] <<  API::LUID_And_Attributes.new(privilege_ptr[i])
+    end
+    privileges
+  end
+  module_function :get_token_information
+  TOKEN_ALL_ACCESS = 0xF01FF
+  ERROR_NO_SUCH_PRIVILEGE = 1313
+  def process_privilege_symlink?
+    handle = get_current_process
+    open_process_token(handle, TOKEN_ALL_ACCESS) do |token_handle|
+      luid = lookup_privilege_value('SeCreateSymbolicLinkPrivilege')
+      token_info = get_token_information(token_handle, :token_privileges)
+      token_info[:privileges].any? { |p| p[:luid].values == luid.values }
+    end
+  rescue Puppet::Util::Windows::Error => e
+    if e.code == ERROR_NO_SUCH_PRIVILEGE
+      false # pre-Vista
+    else
+      raise e
+    end
+  end
+  module_function :process_privilege_symlink?
 end

data/lib/puppet/util/windows/root_certs.rb CHANGED

@@ -1,17 +1,16 @@
 require 'puppet/util/windows'
 require 'openssl'
-require 'Win32API'
-require 'windows/msvcrt/buffer'
+require 'ffi'
 # Represents a collection of trusted root certificates.
 #
 # @api public
 class Puppet::Util::Windows::RootCerts
   include Enumerable
+  extend FFI::Library
-  CertOpenSystemStore         = Win32API.new('crypt32', 'CertOpenSystemStore', ['L','P'], 'L')
-  CertEnumCertificatesInStore = Win32API.new('crypt32', 'CertEnumCertificatesInStore', ['L', 'L'], 'L')
-  CertCloseStore              = Win32API.new('crypt32', 'CertCloseStore', ['L', 'L'], 'B')
+  typedef :ulong, :dword
+  typedef :uintptr_t, :handle
   def initialize(roots)
     @roots = roots
@@ -24,10 +23,6 @@ class Puppet::Util::Windows::RootCerts
     @roots.each {|cert| yield cert}
   end
-  class << self
-    include Windows::MSVCRT::Buffer
-  end
   # Returns a new instance.
   # @return [Puppet::Util::Windows::RootCerts] object constructed from current root certificates
   def self.instance
@@ -43,34 +38,12 @@ class Puppet::Util::Windows::RootCerts
     # This is based on a patch submitted to openssl:
     # http://www.mail-archive.com/openssl-dev@openssl.org/msg26958.html
-    context = 0
-    store = CertOpenSystemStore.call(0, "ROOT")
+    ptr = FFI::Pointer::NULL
+    store = CertOpenSystemStoreA(nil, "ROOT")
     begin
-      while (context = CertEnumCertificatesInStore.call(store, context) and context != 0)
-        # 466 typedef struct _CERT_CONTEXT {
-        # 467     DWORD      dwCertEncodingType;
-        # 468     BYTE       *pbCertEncoded;
-        # 469     DWORD      cbCertEncoded;
-        # 470     PCERT_INFO pCertInfo;
-        # 471     HCERTSTORE hCertStore;
-        # 472 } CERT_CONTEXT, *PCERT_CONTEXT;
-        # buffer to hold struct above
-        ctx_buf = 0.chr * 5 * 8
-        # copy from win to ruby
-        memcpy(ctx_buf, context, ctx_buf.size)
-        # unpack structure
-        arr = ctx_buf.unpack('LLLLL')
-        # create buf of length cbCertEncoded
-        cert_buf = 0.chr * arr[2]
-        # copy pbCertEncoded from win to ruby
-        memcpy(cert_buf, arr[1], cert_buf.length)
-        # create a cert
+      while (ptr = CertEnumCertificatesInStore(store, ptr)) and not ptr.null?
+        context = CERT_CONTEXT.new(ptr)
+        cert_buf = context[:pbCertEncoded].read_bytes(context[:cbCertEncoded])
         begin
           certs << OpenSSL::X509::Certificate.new(cert_buf)
         rescue => detail
@@ -78,9 +51,51 @@ class Puppet::Util::Windows::RootCerts
         end
       end
     ensure
-      CertCloseStore.call(store, 0)
+      CertCloseStore(store, 0)
     end
     certs
   end
+  private
+  # typedef ULONG_PTR HCRYPTPROV_LEGACY;
+  # typedef void *HCERTSTORE;
+  class CERT_CONTEXT < FFI::Struct
+    layout(
+      :dwCertEncodingType, :dword,
+      :pbCertEncoded,      :pointer,
+      :cbCertEncoded,      :dword,
+      :pCertInfo,          :pointer,
+      :hCertStore,         :handle
+    )
+  end
+  # HCERTSTORE
+  # WINAPI
+  # CertOpenSystemStoreA(
+  #   __in_opt HCRYPTPROV_LEGACY hProv,
+  #   __in LPCSTR szSubsystemProtocol
+  #   );
+  ffi_lib :crypt32
+  attach_function :CertOpenSystemStoreA, [:pointer, :string], :handle
+  # PCCERT_CONTEXT
+  # WINAPI
+  # CertEnumCertificatesInStore(
+  #   __in HCERTSTORE hCertStore,
+  #   __in_opt PCCERT_CONTEXT pPrevCertContext
+  #   );
+  ffi_lib :crypt32
+  attach_function :CertEnumCertificatesInStore, [:handle, :pointer], :pointer
+  # BOOL
+  # WINAPI
+  # CertCloseStore(
+  #   __in_opt HCERTSTORE hCertStore,
+  #   __in DWORD dwFlags
+  #   );
+  ffi_lib :crypt32
+  attach_function :CertCloseStore, [:handle, :dword], :bool
 end

data/lib/puppet/util/windows/security.rb CHANGED

@@ -53,6 +53,8 @@
 #   enables Puppet to detect when file/dirs are out-of-sync,
 #   especially those that Puppet did not create, but is attempting
 #   to manage.
+# * A special case of this is S_ISYSTEM_MISSING, which is set when the
+#   SYSTEM permissions are *not* present on the DACL.
 # * On Unix, the owner and group can be modified without changing the
 #   mode. But on Windows, an access control entry specifies which SID
 #   it applies to. As a result, the set_owner and set_group methods
@@ -100,11 +102,13 @@ module Puppet::Util::Windows::Security
   S_IRWXO = 0000007
   S_ISVTX = 0001000
   S_IEXTRA = 02000000  # represents an extra ace
+  S_ISYSTEM_MISSING = 04000000
   # constants that are missing from Windows::Security
   PROTECTED_DACL_SECURITY_INFORMATION   = 0x80000000
   UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000
   NO_INHERITANCE = 0x0
+  SE_DACL_PROTECTED = 0x1000
   # Set the owner of the object referenced by +path+ to the specified
   # +owner_sid+.  The owner sid should be of the form "S-1-5-32-544"
@@ -112,9 +116,12 @@ module Puppet::Util::Windows::Security
   # SE_RESTORE_NAME privilege in their process token can overwrite the
   # object's owner to something other than the current user.
   def set_owner(owner_sid, path)
-    old_sid = get_owner(path)
+    sd = get_security_descriptor(path)
-    change_sid(old_sid, owner_sid, OWNER_SECURITY_INFORMATION, path)
+    if owner_sid != sd.owner
+      sd.owner = owner_sid
+      set_security_descriptor(path, sd)
+    end
   end
   # Get the owner of the object referenced by +path+.  The returned
@@ -125,7 +132,7 @@ module Puppet::Util::Windows::Security
   def get_owner(path)
     return unless supports_acl?(path)
-    get_sid(OWNER_SECURITY_INFORMATION, path)
+    get_security_descriptor(path).owner
   end
   # Set the owner of the object referenced by +path+ to the specified
@@ -134,9 +141,12 @@ module Puppet::Util::Windows::Security
   # access to the object can change the group (regardless of whether
   # the current user belongs to that group or not).
   def set_group(group_sid, path)
-    old_sid = get_group(path)
+    sd = get_security_descriptor(path)
-    change_sid(old_sid, group_sid, GROUP_SECURITY_INFORMATION, path)
+    if group_sid != sd.group
+      sd.group = group_sid
+      set_security_descriptor(path, sd)
+    end
   end
   # Get the group of the object referenced by +path+.  The returned
@@ -147,7 +157,7 @@ module Puppet::Util::Windows::Security
   def get_group(path)
     return unless supports_acl?(path)
-    get_sid(GROUP_SECURITY_INFORMATION, path)
+    get_security_descriptor(path).group
   end
   def supports_acl?(path)
@@ -163,31 +173,6 @@ module Puppet::Util::Windows::Security
     (flags.unpack('L')[0] & Windows::File::FILE_PERSISTENT_ACLS) != 0
   end
-  def change_sid(old_sid, new_sid, info, path)
-    if old_sid != new_sid
-      mode = get_mode(path)
-      string_to_sid_ptr(new_sid) do |psid|
-        with_privilege(SE_RESTORE_NAME) do
-          open_file(path, WRITE_OWNER) do |handle|
-            set_security_info(handle, info, psid)
-          end
-        end
-      end
-      # rebuild dacl now that sid has changed
-      set_mode(mode, path)
-    end
-  end
-  def get_sid(info, path)
-    with_privilege(SE_BACKUP_NAME) do
-      open_file(path, READ_CONTROL) do |handle|
-        get_security_info(handle, info)
-      end
-    end
-  end
   def get_attributes(path)
     attributes = GetFileAttributes(path)
@@ -222,6 +207,10 @@ module Puppet::Util::Windows::Security
     (FILE_GENERIC_EXECUTE & ~FILE_READ_ATTRIBUTES) => S_IXOTH
   }
+  def get_aces_for_path_by_sid(path, sid)
+    get_security_descriptor(path).dacl.select { |ace| ace.sid == sid }
+  end
   # Get the mode of the object referenced by +path+.  The returned
   # integer value represents the POSIX-style read, write, and execute
   # modes for the user, group, and other classes, e.g. 0640.  Any user
@@ -231,58 +220,61 @@ module Puppet::Util::Windows::Security
   def get_mode(path)
     return unless supports_acl?(path)
-    owner_sid = get_owner(path)
-    group_sid = get_group(path)
     well_known_world_sid = Win32::Security::SID::Everyone
     well_known_nobody_sid = Win32::Security::SID::Nobody
+    well_known_system_sid = Win32::Security::SID::LocalSystem
-    with_privilege(SE_BACKUP_NAME) do
-      open_file(path, READ_CONTROL) do |handle|
-        mode = 0
-        get_dacl(handle).each do |ace|
-          case ace[:sid]
-          when owner_sid
-            MASK_TO_MODE.each_pair do |k,v|
-              if (ace[:mask] & k) == k
-                mode |= (v << 6)
-              end
-            end
-          when group_sid
-            MASK_TO_MODE.each_pair do |k,v|
-              if (ace[:mask] & k) == k
-                mode |= (v << 3)
-              end
-            end
-          when well_known_world_sid
-            MASK_TO_MODE.each_pair do |k,v|
-              if (ace[:mask] & k) == k
-                mode |= (v << 6) | (v << 3) | v
-              end
-            end
-            if File.directory?(path) and (ace[:mask] & (FILE_WRITE_DATA | FILE_EXECUTE | FILE_DELETE_CHILD)) == (FILE_WRITE_DATA | FILE_EXECUTE)
-              mode |= S_ISVTX;
-            end
-          when well_known_nobody_sid
-            if (ace[:mask] & FILE_APPEND_DATA).nonzero?
-              mode |= S_ISVTX
-            end
-          else
-            #puts "Warning, unable to map SID into POSIX mode: #{ace[:sid]}"
-            mode |= S_IEXTRA
-          end
+    mode = S_ISYSTEM_MISSING
-          # if owner and group the same, then user and group modes are the OR of both
-          if owner_sid == group_sid
-            mode |= ((mode & S_IRWXG) << 3) | ((mode & S_IRWXU) >> 3)
-            #puts "owner: #{group_sid}, 0x#{ace[:mask].to_s(16)}, #{mode.to_s(8)}"
+    sd = get_security_descriptor(path)
+    sd.dacl.each do |ace|
+      next if ace.inherit_only?
+      case ace.sid
+      when sd.owner
+        MASK_TO_MODE.each_pair do |k,v|
+          if (ace.mask & k) == k
+            mode |= (v << 6)
+          end
+        end
+      when sd.group
+        MASK_TO_MODE.each_pair do |k,v|
+          if (ace.mask & k) == k
+            mode |= (v << 3)
+          end
+        end
+      when well_known_world_sid
+        MASK_TO_MODE.each_pair do |k,v|
+          if (ace.mask & k) == k
+            mode |= (v << 6) | (v << 3) | v
           end
         end
+        if File.directory?(path) && (ace.mask & (FILE_WRITE_DATA | FILE_EXECUTE | FILE_DELETE_CHILD)) == (FILE_WRITE_DATA | FILE_EXECUTE)
+          mode |= S_ISVTX;
+        end
+      when well_known_nobody_sid
+        if (ace.mask & FILE_APPEND_DATA).nonzero?
+          mode |= S_ISVTX
+        end
+      when well_known_system_sid
+      else
+        #puts "Warning, unable to map SID into POSIX mode: #{ace.sid}"
+        mode |= S_IEXTRA
+      end
-        #puts "get_mode: #{mode.to_s(8)}"
-        mode
+      if ace.sid == well_known_system_sid
+        mode &= ~S_ISYSTEM_MISSING
+      end
+      # if owner and group the same, then user and group modes are the OR of both
+      if sd.owner == sd.group
+        mode |= ((mode & S_IRWXG) << 3) | ((mode & S_IRWXU) >> 3)
+        #puts "owner: #{sd.group}, 0x#{ace.mask.to_s(16)}, #{mode.to_s(8)}"
       end
     end
+    #puts "get_mode: #{mode.to_s(8)}"
+    mode
   end
   MODE_TO_MASK = {
@@ -305,15 +297,16 @@ module Puppet::Util::Windows::Security
   # privileges in their process token can change the mode for objects
   # that they do not have read and write access to.
   def set_mode(mode, path, protected = true)
-    owner_sid = get_owner(path)
-    group_sid = get_group(path)
+    sd = get_security_descriptor(path)
     well_known_world_sid = Win32::Security::SID::Everyone
     well_known_nobody_sid = Win32::Security::SID::Nobody
+    well_known_system_sid = Win32::Security::SID::LocalSystem
     owner_allow = STANDARD_RIGHTS_ALL  | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES
     group_allow = STANDARD_RIGHTS_READ | FILE_READ_ATTRIBUTES | SYNCHRONIZE
     other_allow = STANDARD_RIGHTS_READ | FILE_READ_ATTRIBUTES | SYNCHRONIZE
     nobody_allow = 0
+    system_allow = 0
     MODE_TO_MASK.each do |k,v|
       if ((mode >> 6) & k) == k
@@ -331,22 +324,29 @@ module Puppet::Util::Windows::Security
       nobody_allow |= FILE_APPEND_DATA;
     end
+    # caller is NOT managing SYSTEM by using group or owner, so set to FULL
+    if ! [sd.owner, sd.group].include? well_known_system_sid
+      # we don't check S_ISYSTEM_MISSING bit, but automatically carry over existing SYSTEM perms
+      # by default set SYSTEM perms to full
+      system_allow = FILE_ALL_ACCESS
+    end
     isdir = File.directory?(path)
     if isdir
       if (mode & (S_IWUSR | S_IXUSR)) == (S_IWUSR | S_IXUSR)
         owner_allow |= FILE_DELETE_CHILD
       end
-      if (mode & (S_IWGRP | S_IXGRP)) == (S_IWGRP | S_IXGRP) and (mode & S_ISVTX) == 0
+      if (mode & (S_IWGRP | S_IXGRP)) == (S_IWGRP | S_IXGRP) && (mode & S_ISVTX) == 0
         group_allow |= FILE_DELETE_CHILD
       end
-      if (mode & (S_IWOTH | S_IXOTH)) == (S_IWOTH | S_IXOTH) and (mode & S_ISVTX) == 0
+      if (mode & (S_IWOTH | S_IXOTH)) == (S_IWOTH | S_IXOTH) && (mode & S_ISVTX) == 0
         other_allow |= FILE_DELETE_CHILD
       end
     end
     # if owner and group the same, then map group permissions to the one owner ACE
-    isownergroup = owner_sid == group_sid
+    isownergroup = sd.owner == sd.group
     if isownergroup
       owner_allow |= group_allow
     end
@@ -357,64 +357,37 @@ module Puppet::Util::Windows::Security
       remove_attributes(path, FILE_ATTRIBUTE_READONLY)
     end
-    set_acl(path, protected) do |acl|
-      #puts "ace: owner #{owner_sid}, mask 0x#{owner_allow.to_s(16)}"
-      add_access_allowed_ace(acl, owner_allow, owner_sid)
-      unless isownergroup
-        #puts "ace: group #{group_sid}, mask 0x#{group_allow.to_s(16)}"
-        add_access_allowed_ace(acl, group_allow, group_sid)
-      end
-      #puts "ace: other #{well_known_world_sid}, mask 0x#{other_allow.to_s(16)}"
-      add_access_allowed_ace(acl, other_allow, well_known_world_sid)
+    dacl = Puppet::Util::Windows::AccessControlList.new
+    dacl.allow(sd.owner, owner_allow)
+    unless isownergroup
+      dacl.allow(sd.group, group_allow)
+    end
+    dacl.allow(well_known_world_sid, other_allow)
+    dacl.allow(well_known_nobody_sid, nobody_allow)
-      #puts "ace: nobody #{well_known_nobody_sid}, mask 0x#{nobody_allow.to_s(16)}"
-      add_access_allowed_ace(acl, nobody_allow, well_known_nobody_sid)
+    # TODO: system should be first?
+    dacl.allow(well_known_system_sid, system_allow)
-      # add inherit-only aces for child dirs and files that are created within the dir
-      if isdir
-        inherit = INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE
-        add_access_allowed_ace(acl, owner_allow, Win32::Security::SID::CreatorOwner, inherit)
-        add_access_allowed_ace(acl, group_allow, Win32::Security::SID::CreatorGroup, inherit)
+    # add inherit-only aces for child dirs and files that are created within the dir
+    if isdir
+      inherit = INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE
+      dacl.allow(Win32::Security::SID::CreatorOwner, owner_allow, inherit)
+      dacl.allow(Win32::Security::SID::CreatorGroup, group_allow, inherit)
-        inherit = INHERIT_ONLY_ACE |  OBJECT_INHERIT_ACE
-        add_access_allowed_ace(acl, owner_allow & ~FILE_EXECUTE, Win32::Security::SID::CreatorOwner, inherit)
-        add_access_allowed_ace(acl, group_allow & ~FILE_EXECUTE, Win32::Security::SID::CreatorGroup, inherit)
-      end
+      inherit = INHERIT_ONLY_ACE |  OBJECT_INHERIT_ACE
+      dacl.allow(Win32::Security::SID::CreatorOwner, owner_allow & ~FILE_EXECUTE, inherit)
+      dacl.allow(Win32::Security::SID::CreatorGroup, group_allow & ~FILE_EXECUTE, inherit)
     end
+    new_sd = Puppet::Util::Windows::SecurityDescriptor.new(sd.owner, sd.group, dacl, protected)
+    set_security_descriptor(path, new_sd)
     nil
   end
-  # setting DACL requires both READ_CONTROL and WRITE_DACL access rights,
-  # and their respective privileges, SE_BACKUP_NAME and SE_RESTORE_NAME.
-  def set_acl(path, protected = true)
-    with_privilege(SE_BACKUP_NAME) do
-      with_privilege(SE_RESTORE_NAME) do
-        open_file(path, READ_CONTROL | WRITE_DAC) do |handle|
-          acl = 0.chr * 1024 # This can be increased later as needed
-          unless InitializeAcl(acl, acl.size, ACL_REVISION)
-            raise Puppet::Util::Windows::Error.new("Failed to initialize ACL")
-          end
-          raise Puppet::Util::Windows::Error.new("Invalid DACL") unless IsValidAcl(acl)
-          yield acl
-          # protected means the object does not inherit aces from its parent
-          info = DACL_SECURITY_INFORMATION
-          info |= protected ? PROTECTED_DACL_SECURITY_INFORMATION : UNPROTECTED_DACL_SECURITY_INFORMATION
-          # set the DACL
-          set_security_info(handle, info, acl)
-        end
-      end
-    end
-  end
+  def add_access_allowed_ace(acl, mask, sid, inherit = nil)
+    inherit ||= NO_INHERITANCE
-  def add_access_allowed_ace(acl, mask, sid, inherit = NO_INHERITANCE)
     string_to_sid_ptr(sid) do |sid_ptr|
       raise Puppet::Util::Windows::Error.new("Invalid SID") unless IsValidSid(sid_ptr)
@@ -434,126 +407,68 @@ module Puppet::Util::Windows::Security
     end
   end
-  def get_dacl(handle)
-    get_dacl_ptr(handle) do |dacl_ptr|
-      # REMIND: need to handle NULL DACL
-      raise Puppet::Util::Windows::Error.new("Invalid DACL") unless IsValidAcl(dacl_ptr)
-      # ACL structure, size and count are the important parts. The
-      # size includes both the ACL structure and all the ACEs.
+  def parse_dacl(dacl_ptr)
+    # REMIND: need to handle NULL DACL
+    raise Puppet::Util::Windows::Error.new("Invalid DACL") unless IsValidAcl(dacl_ptr)
+    # ACL structure, size and count are the important parts. The
+    # size includes both the ACL structure and all the ACEs.
+    #
+    # BYTE AclRevision
+    # BYTE Padding1
+    # WORD AclSize
+    # WORD AceCount
+    # WORD Padding2
+    acl_buf = 0.chr * 8
+    memcpy(acl_buf, dacl_ptr, acl_buf.size)
+    ace_count = acl_buf.unpack('CCSSS')[3]
+    dacl = Puppet::Util::Windows::AccessControlList.new
+    # deny all
+    return dacl if ace_count == 0
+    0.upto(ace_count - 1) do |i|
+      ace_ptr = [0].pack('L')
+      next unless GetAce(dacl_ptr, i, ace_ptr)
+      # ACE structures vary depending on the type. All structures
+      # begin with an ACE header, which specifies the type, flags
+      # and size of what follows. We are only concerned with
+      # ACCESS_ALLOWED_ACE and ACCESS_DENIED_ACEs, which have the
+      # same structure:
       #
-      # BYTE AclRevision
-      # BYTE Padding1
-      # WORD AclSize
-      # WORD AceCount
-      # WORD Padding2
-      acl_buf = 0.chr * 8
-      memcpy(acl_buf, dacl_ptr, acl_buf.size)
-      ace_count = acl_buf.unpack('CCSSS')[3]
-      dacl = []
-      # deny all
-      return dacl if ace_count == 0
-      0.upto(ace_count - 1) do |i|
-        ace_ptr = [0].pack('L')
-        next unless GetAce(dacl_ptr, i, ace_ptr)
-        # ACE structures vary depending on the type. All structures
-        # begin with an ACE header, which specifies the type, flags
-        # and size of what follows. We are only concerned with
-        # ACCESS_ALLOWED_ACE and ACCESS_DENIED_ACEs, which have the
-        # same structure:
-        #
-        # BYTE  C AceType
-        # BYTE  C AceFlags
-        # WORD  S AceSize
-        # DWORD L ACCESS_MASK
-        # DWORD L Sid
-        # ..      ...
-        # DWORD L Sid
-        ace_buf = 0.chr * 8
-        memcpy(ace_buf, ace_ptr.unpack('L')[0], ace_buf.size)
-        ace_type, ace_flags, size, mask = ace_buf.unpack('CCSL')
-        # skip aces that only serve to propagate inheritance
-        next if (ace_flags & INHERIT_ONLY_ACE).nonzero?
-        case ace_type
-        when ACCESS_ALLOWED_ACE_TYPE
-          sid_ptr = ace_ptr.unpack('L')[0] + 8 # address of ace_ptr->SidStart
-          raise Puppet::Util::Windows::Error.new("Failed to read DACL, invalid SID") unless IsValidSid(sid_ptr)
-          sid = sid_ptr_to_string(sid_ptr)
-          dacl << {:sid => sid, :type => ace_type, :mask => mask}
-        else
-          Puppet.warning "Unsupported access control entry type: 0x#{ace_type.to_s(16)}"
-        end
+      # BYTE  C AceType
+      # BYTE  C AceFlags
+      # WORD  S AceSize
+      # DWORD L ACCESS_MASK
+      # DWORD L Sid
+      # ..      ...
+      # DWORD L Sid
+      ace_buf = 0.chr * 8
+      memcpy(ace_buf, ace_ptr.unpack('L')[0], ace_buf.size)
+      ace_type, ace_flags, size, mask = ace_buf.unpack('CCSL')
+      case ace_type
+      when ACCESS_ALLOWED_ACE_TYPE
+        sid_ptr = ace_ptr.unpack('L')[0] + 8 # address of ace_ptr->SidStart
+        raise Puppet::Util::Windows::Error.new("Failed to read DACL, invalid SID") unless IsValidSid(sid_ptr)
+        sid = sid_ptr_to_string(sid_ptr)
+        dacl.allow(sid, mask, ace_flags)
+      when ACCESS_DENIED_ACE_TYPE
+        sid_ptr = ace_ptr.unpack('L')[0] + 8 # address of ace_ptr->SidStart
+        raise Puppet::Util::Windows::Error.new("Failed to read DACL, invalid SID") unless IsValidSid(sid_ptr)
+        sid = sid_ptr_to_string(sid_ptr)
+        dacl.deny(sid, mask, ace_flags)
+      else
+        Puppet.warning "Unsupported access control entry type: 0x#{ace_type.to_s(16)}"
       end
-      dacl
     end
-  end
-  def get_dacl_ptr(handle)
-    dacl = [0].pack('L')
-    sd = [0].pack('L')
-    rv = GetSecurityInfo(
-         handle,
-         SE_FILE_OBJECT,
-         DACL_SECURITY_INFORMATION,
-         nil,
-         nil,
-         dacl, #dacl
-         nil, #sacl
-         sd) #sec desc
-    raise Puppet::Util::Windows::Error.new("Failed to get DACL") unless rv == ERROR_SUCCESS
-    begin
-      yield dacl.unpack('L')[0]
-    ensure
-      LocalFree(sd.unpack('L')[0])
-    end
-  end
-  # Set the security info on the specified handle.
-  def set_security_info(handle, info, ptr)
-    rv = SetSecurityInfo(
-         handle,
-         SE_FILE_OBJECT,
-         info,
-         (info & OWNER_SECURITY_INFORMATION) == OWNER_SECURITY_INFORMATION ? ptr : nil,
-         (info & GROUP_SECURITY_INFORMATION) == GROUP_SECURITY_INFORMATION ? ptr : nil,
-         (info & DACL_SECURITY_INFORMATION) == DACL_SECURITY_INFORMATION ? ptr : nil,
-         nil)
-    raise Puppet::Util::Windows::Error.new("Failed to set security information") unless rv == ERROR_SUCCESS
-  end
-  # Get the SID string, e.g. "S-1-5-32-544", for the specified handle
-  # and type of information (owner, group).
-  def get_security_info(handle, info)
-    sid = [0].pack('L')
-    sd = [0].pack('L')
-    rv = GetSecurityInfo(
-         handle,
-         SE_FILE_OBJECT,
-         info, # security info
-         info == OWNER_SECURITY_INFORMATION ? sid : nil,
-         info == GROUP_SECURITY_INFORMATION ? sid : nil,
-         nil, #dacl
-         nil, #sacl
-         sd) #sec desc
-    raise Puppet::Util::Windows::Error.new("Failed to get security information") unless rv == ERROR_SUCCESS
-    begin
-      return sid_ptr_to_string(sid.unpack('L')[0])
-    ensure
-      LocalFree(sd.unpack('L')[0])
-    end
+    dacl
   end
   # Open an existing file with the specified access mode, and execute a
@@ -565,7 +480,7 @@ module Puppet::Util::Windows::Security
              FILE_SHARE_READ | FILE_SHARE_WRITE,
              0, # security_attributes
              OPEN_EXISTING,
-             FILE_FLAG_BACKUP_SEMANTICS,
+             FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_BACKUP_SEMANTICS,
              0) # template
     raise Puppet::Util::Windows::Error.new("Failed to open '#{path}'") if handle == INVALID_HANDLE_VALUE
     begin
@@ -620,4 +535,114 @@ module Puppet::Util::Windows::Security
       CloseHandle(token)
     end
   end
+  def get_security_descriptor(path)
+    sd = nil
+    with_privilege(SE_BACKUP_NAME) do
+      open_file(path, READ_CONTROL) do |handle|
+        owner_sid = [0].pack('L')
+        group_sid = [0].pack('L')
+        dacl = [0].pack('L')
+        ppsd = [0].pack('L')
+        rv = GetSecurityInfo(
+          handle,
+          SE_FILE_OBJECT,
+          OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
+          owner_sid,
+          group_sid,
+          dacl,
+          nil, #sacl
+          ppsd) #sec desc
+        raise Puppet::Util::Windows::Error.new("Failed to get security information") unless rv == ERROR_SUCCESS
+        begin
+          owner = sid_ptr_to_string(owner_sid.unpack('L')[0])
+          group = sid_ptr_to_string(group_sid.unpack('L')[0])
+          control = FFI::MemoryPointer.new(:uint16, 1)
+          revision = FFI::MemoryPointer.new(:uint32, 1)
+          ffsd = FFI::Pointer.new(ppsd.unpack('L')[0])
+          if ! API.get_security_descriptor_control(ffsd, control, revision)
+            raise Puppet::Util::Windows::Error.new("Failed to get security descriptor control")
+          end
+          protect = (control.read_uint16 & SE_DACL_PROTECTED) == SE_DACL_PROTECTED
+          dacl = parse_dacl(dacl.unpack('L')[0])
+          sd = Puppet::Util::Windows::SecurityDescriptor.new(owner, group, dacl, protect)
+        ensure
+          LocalFree(ppsd.unpack('L')[0])
+        end
+      end
+    end
+    sd
+  end
+  # setting DACL requires both READ_CONTROL and WRITE_DACL access rights,
+  # and their respective privileges, SE_BACKUP_NAME and SE_RESTORE_NAME.
+  def set_security_descriptor(path, sd)
+    # REMIND: FFI
+    acl = 0.chr * 1024 # This can be increased later as neede
+    unless InitializeAcl(acl, acl.size, ACL_REVISION)
+      raise Puppet::Util::Windows::Error.new("Failed to initialize ACL")
+    end
+    raise Puppet::Util::Windows::Error.new("Invalid DACL") unless IsValidAcl(acl)
+    with_privilege(SE_BACKUP_NAME) do
+      with_privilege(SE_RESTORE_NAME) do
+        open_file(path, READ_CONTROL | WRITE_DAC | WRITE_OWNER) do |handle|
+          string_to_sid_ptr(sd.owner) do |ownersid|
+            string_to_sid_ptr(sd.group) do |groupsid|
+              sd.dacl.each do |ace|
+                case ace.type
+                when ACCESS_ALLOWED_ACE_TYPE
+                  #puts "ace: allow, sid #{sid_to_name(ace.sid)}, mask 0x#{ace.mask.to_s(16)}"
+                  add_access_allowed_ace(acl, ace.mask, ace.sid, ace.flags)
+                when ACCESS_DENIED_ACE_TYPE
+                  #puts "ace: deny, sid #{sid_to_name(ace.sid)}, mask 0x#{ace.mask.to_s(16)}"
+                  add_access_denied_ace(acl, ace.mask, ace.sid)
+                else
+                  raise "We should never get here"
+                  # TODO: this should have been a warning in an earlier commit
+                end
+              end
+              # protected means the object does not inherit aces from its parent
+              flags = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION
+              flags |= sd.protect ? PROTECTED_DACL_SECURITY_INFORMATION : UNPROTECTED_DACL_SECURITY_INFORMATION
+              rv = SetSecurityInfo(handle,
+                                   SE_FILE_OBJECT,
+                                   flags,
+                                   ownersid,
+                                   groupsid,
+                                   acl,
+                                   nil)
+              raise Puppet::Util::Windows::Error.new("Failed to set security information") unless rv == ERROR_SUCCESS
+            end
+          end
+        end
+      end
+    end
+  end
+  module API
+    extend FFI::Library
+    ffi_lib 'kernel32'
+    ffi_convention :stdcall
+    # typedef WORD SECURITY_DESCRIPTOR_CONTROL, *PSECURITY_DESCRIPTOR_CONTROL;
+    # BOOL WINAPI GetSecurityDescriptorControl(
+    #   _In_   PSECURITY_DESCRIPTOR pSecurityDescriptor,
+    #   _Out_  PSECURITY_DESCRIPTOR_CONTROL pControl,
+    #   _Out_  LPDWORD lpdwRevision
+    # );
+    ffi_lib :advapi32
+    attach_function :get_security_descriptor_control, :GetSecurityDescriptorControl, [:pointer, :pointer, :pointer], :bool
+  end
 end