RubyGems - puppet - Versions diffs - 4.3.1 → 4.3.2 - Mend

puppet 4.3.1 → 4.3.2

Potentially problematic release.

This version of puppet might be problematic. Click here for more details.

Files changed (128) hide show

data/lib/puppet/util/windows/principal.rb ADDED

@@ -0,0 +1,181 @@
+require 'puppet/util/windows'
+module Puppet::Util::Windows::SID
+  class Principal
+    extend FFI::Library
+    attr_reader :account, :sid_bytes, :sid, :domain, :domain_account, :account_type
+    def initialize(account, sid_bytes, sid, domain, account_type)
+      # Calling lookup_account_name like host\user is valid and therefore this
+      # value may include two components, but favor the domain value passed in
+      @account = account =~ /(.+)\\(.+)/ ? $2 : account
+      @sid_bytes = sid_bytes
+      @sid = sid
+      @domain = domain
+      # when domain is available, combine it with parsed account
+      # otherwise use the account value directly
+      @domain_account = domain && !domain.empty? ?
+        "#{domain}\\#{@account}" : account
+      @account_type = account_type
+    end
+    # added for backward compatibility
+    def ==(compare)
+      compare.is_a?(Puppet::Util::Windows::SID::Principal) &&
+        @sid_bytes == compare.sid_bytes
+    end
+    # added for backward compatibility
+    def to_s
+      @sid
+    end
+    # = 8 + max sub identifiers (15) * 4
+    MAXIMUM_SID_BYTE_LENGTH = 68
+    ERROR_INSUFFICIENT_BUFFER = 122
+    def self.lookup_account_name(system_name = nil, account_name)
+      system_name_ptr = FFI::Pointer::NULL
+      begin
+        if system_name
+          system_name_wide = Puppet::Util::Windows::String.wide_string(system_name)
+          # uchar here is synonymous with byte
+          system_name_ptr = FFI::MemoryPointer.new(:byte, system_name_wide.bytesize)
+          system_name_ptr.put_array_of_uchar(0, system_name_wide.bytes.to_a)
+        end
+        FFI::MemoryPointer.from_string_to_wide_string(account_name) do |account_name_ptr|
+          FFI::MemoryPointer.new(:byte, MAXIMUM_SID_BYTE_LENGTH) do |sid_ptr|
+            FFI::MemoryPointer.new(:dword, 1) do |sid_length_ptr|
+              FFI::MemoryPointer.new(:dword, 1) do |domain_length_ptr|
+                FFI::MemoryPointer.new(:uint32, 1) do |name_use_enum_ptr|
+                sid_length_ptr.write_dword(MAXIMUM_SID_BYTE_LENGTH)
+                success = LookupAccountNameW(system_name_ptr, account_name_ptr, sid_ptr, sid_length_ptr,
+                  FFI::Pointer::NULL, domain_length_ptr, name_use_enum_ptr)
+                last_error = FFI.errno
+                if (success == FFI::WIN32_FALSE && last_error != ERROR_INSUFFICIENT_BUFFER)
+                  raise Puppet::Util::Windows::Error.new('Failed to call LookupAccountNameW', last_error)
+                end
+                FFI::MemoryPointer.new(:lpwstr, domain_length_ptr.read_dword) do |domain_ptr|
+                  if LookupAccountNameW(system_name_ptr, account_name_ptr,
+                      sid_ptr, sid_length_ptr,
+                      domain_ptr, domain_length_ptr, name_use_enum_ptr) == FFI::WIN32_FALSE
+                   raise Puppet::Util::Windows::Error.new('Failed to call LookupAccountNameW')
+                  end
+                  return new(
+                    account_name,
+                    sid_ptr.read_bytes(sid_length_ptr.read_dword).unpack('C*'),
+                    Puppet::Util::Windows::SID.sid_ptr_to_string(sid_ptr),
+                    domain_ptr.read_wide_string(domain_length_ptr.read_dword),
+                    SID_NAME_USE[name_use_enum_ptr.read_uint32])
+                  end
+                end
+              end
+            end
+          end
+        end
+      ensure
+        system_name_ptr.free if system_name_ptr != FFI::Pointer::NULL
+      end
+    end
+    def self.lookup_account_sid(system_name = nil, sid_bytes)
+      system_name_ptr = FFI::Pointer::NULL
+      begin
+        if system_name
+          system_name_wide = Puppet::Util::Windows::String.wide_string(system_name)
+          # uchar here is synonymous with byte
+          system_name_ptr = FFI::MemoryPointer.new(:byte, system_name_wide.bytesize)
+          system_name_ptr.put_array_of_uchar(0, system_name_wide.bytes.to_a)
+        end
+        FFI::MemoryPointer.new(:byte, sid_bytes.length) do |sid_ptr|
+          FFI::MemoryPointer.new(:dword, 1) do |name_length_ptr|
+            FFI::MemoryPointer.new(:dword, 1) do |domain_length_ptr|
+              FFI::MemoryPointer.new(:uint32, 1) do |name_use_enum_ptr|
+                sid_ptr.write_array_of_uchar(sid_bytes)
+                success = LookupAccountSidW(system_name_ptr, sid_ptr, FFI::Pointer::NULL, name_length_ptr,
+                  FFI::Pointer::NULL, domain_length_ptr, name_use_enum_ptr)
+                last_error = FFI.errno
+                if (success == FFI::WIN32_FALSE && last_error != ERROR_INSUFFICIENT_BUFFER)
+                  raise Puppet::Util::Windows::Error.new('Failed to call LookupAccountSidW', last_error)
+                end
+                FFI::MemoryPointer.new(:lpwstr, name_length_ptr.read_dword) do |name_ptr|
+                  FFI::MemoryPointer.new(:lpwstr, domain_length_ptr.read_dword) do |domain_ptr|
+                    if LookupAccountSidW(system_name_ptr, sid_ptr, name_ptr, name_length_ptr,
+                        domain_ptr, domain_length_ptr, name_use_enum_ptr) == FFI::WIN32_FALSE
+                     raise Puppet::Util::Windows::Error.new('Failed to call LookupAccountSidW')
+                    end
+                    return new(
+                      name_ptr.read_wide_string(name_length_ptr.read_dword),
+                      sid_bytes,
+                      Puppet::Util::Windows::SID.sid_ptr_to_string(sid_ptr),
+                      domain_ptr.read_wide_string(domain_length_ptr.read_dword),
+                      SID_NAME_USE[name_use_enum_ptr.read_uint32])
+                  end
+                end
+              end
+            end
+          end
+        end
+      ensure
+        system_name_ptr.free if system_name_ptr != FFI::Pointer::NULL
+      end
+    end
+    ffi_convention :stdcall
+    # https://msdn.microsoft.com/en-us/library/windows/desktop/aa379601(v=vs.85).aspx
+    SID_NAME_USE = enum(
+      :SidTypeUser, 1,
+      :SidTypeGroup, 2,
+      :SidTypeDomain, 3,
+      :SidTypeAlias, 4,
+      :SidTypeWellKnownGroup, 5,
+      :SidTypeDeletedAccount, 6,
+      :SidTypeInvalid, 7,
+      :SidTypeUnknown, 8,
+      :SidTypeComputer, 9,
+      :SidTypeLabel, 10
+    )
+    # https://msdn.microsoft.com/en-us/library/windows/desktop/aa379159(v=vs.85).aspx
+    # BOOL WINAPI LookupAccountName(
+    #   _In_opt_  LPCTSTR       lpSystemName,
+    #   _In_      LPCTSTR       lpAccountName,
+    #   _Out_opt_ PSID          Sid,
+    #   _Inout_   LPDWORD       cbSid,
+    #   _Out_opt_ LPTSTR        ReferencedDomainName,
+    #   _Inout_   LPDWORD       cchReferencedDomainName,
+    #   _Out_     PSID_NAME_USE peUse
+    # );
+    ffi_lib :advapi32
+    attach_function_private :LookupAccountNameW,
+      [:lpcwstr, :lpcwstr, :pointer, :lpdword, :lpwstr, :lpdword, :pointer], :win32_bool
+    # https://msdn.microsoft.com/en-us/library/windows/desktop/aa379166(v=vs.85).aspx
+    # BOOL WINAPI LookupAccountSid(
+    #   _In_opt_  LPCTSTR       lpSystemName,
+    #   _In_      PSID          lpSid,
+    #   _Out_opt_ LPTSTR        lpName,
+    #   _Inout_   LPDWORD       cchName,
+    #   _Out_opt_ LPTSTR        lpReferencedDomainName,
+    #   _Inout_   LPDWORD       cchReferencedDomainName,
+    #   _Out_     PSID_NAME_USE peUse
+    # );
+    ffi_lib :advapi32
+    attach_function_private :LookupAccountSidW,
+      [:lpcwstr, :pointer, :lpwstr, :lpdword, :lpwstr, :lpdword, :pointer], :win32_bool
+  end
+end

data/lib/puppet/util/windows/registry.rb CHANGED

@@ -207,21 +207,27 @@ module Puppet::Util::Windows
         # buffer is raw bytes, *not* chars - less a NULL terminator
         string_length = (byte_length / FFI.type_size(:wchar)) - 1 if byte_length > 0
-        case type
-        when Win32::Registry::REG_SZ, Win32::Registry::REG_EXPAND_SZ
-          result = [ type, data_ptr.read_wide_string(string_length) ]
-        when Win32::Registry::REG_MULTI_SZ
-          result = [ type, data_ptr.read_wide_string(string_length).split(/\0/) ]
-        when Win32::Registry::REG_BINARY
-          result = [ type, data.read_bytes(0, byte_length) ]
-        when Win32::Registry::REG_DWORD
-          result = [ type, data_ptr.read_dword ]
-        when Win32::Registry::REG_DWORD_BIG_ENDIAN
-          result = [ type, data_ptr.order(:big).read_dword ]
-        when Win32::Registry::REG_QWORD
-          result = [ type, data_ptr.read_qword ]
-        else
-          raise TypeError, "Type #{type} is not supported."
+        begin
+          case type
+            when Win32::Registry::REG_SZ, Win32::Registry::REG_EXPAND_SZ
+              result = [ type, data_ptr.read_wide_string(string_length) ]
+            when Win32::Registry::REG_MULTI_SZ
+              result = [ type, data_ptr.read_wide_string(string_length).split(/\0/) ]
+            when Win32::Registry::REG_BINARY
+              result = [ type, data_ptr.read_bytes(byte_length) ]
+            when Win32::Registry::REG_DWORD
+              result = [ type, data_ptr.read_dword ]
+            when Win32::Registry::REG_DWORD_BIG_ENDIAN
+              result = [ type, data_ptr.order(:big).read_dword ]
+            when Win32::Registry::REG_QWORD
+              result = [ type, data_ptr.read_qword ]
+            else
+              raise TypeError, "Type #{type} is not supported."
+          end
+        rescue IndexError => ex
+          raise if (ex.message !~ /^Memory access .* is out of bounds$/i)
+          parent_key_name = key.parent ? "#{key.parent.keyname}\\" : ""
+          Puppet.warning "A value in the registry key #{parent_key_name}#{key.keyname} is corrupt or invalid"
         end
       end

data/lib/puppet/util/windows/sid.rb CHANGED

@@ -16,7 +16,7 @@ module Puppet::Util::Windows
     def name_to_sid(name)
       sid = name_to_sid_object(name)
-      sid ? sid.to_s : nil
+      sid ? sid.sid : nil
     end
     module_function :name_to_sid
@@ -24,14 +24,22 @@ module Puppet::Util::Windows
     # e.g. 'S-1-5-32-544'. The name can be specified as 'Administrators',
     # 'BUILTIN\Administrators', or 'S-1-5-32-544', and will return the
     # SID object. Returns nil if the account doesn't exist.
+    # This method returns a SID::Principal with the account, domain, SID, etc
     def name_to_sid_object(name)
       # Apparently, we accept a symbol..
       name = name.to_s.strip if name
-      # if it's in SID string form, convert to user
-      parsed_sid = Win32::Security::SID.string_to_sid(name) rescue nil
+      # if name is a SID string, convert it to raw bytes for use with lookup_account_sid
+      raw_sid_bytes = nil
+      begin
+        string_to_sid_ptr(name) do |sid_ptr|
+          valid = ! sid_ptr.nil? && ! sid_ptr.null?
+          raw_sid_bytes = sid_ptr.read_array_of_uchar(get_length_sid(sid_ptr))
+        end
+      rescue
+      end
-      parsed_sid ? Win32::Security::SID.new(parsed_sid) : Win32::Security::SID.new(name)
+      raw_sid_bytes ? Principal.lookup_account_sid(raw_sid_bytes) : Principal.lookup_account_name(name)
     rescue
       nil
     end
@@ -41,12 +49,13 @@ module Puppet::Util::Windows
     # e.g. [1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0] is the representation for
     # S-1-5-18, the local 'SYSTEM' account.
     # Raises an Error for nil or non-array input.
+    # This method returns a SID::Principal with the account, domain, SID, etc
     def octet_string_to_sid_object(bytes)
       if !bytes || !bytes.respond_to?('pack') || bytes.empty?
         raise Puppet::Util::Windows::Error.new("Octet string must be an array of bytes")
       end
-      Win32::Security::SID.new(bytes.pack('C*'))
+      Principal.lookup_account_sid(bytes)
     end
     module_function :octet_string_to_sid_object
@@ -54,13 +63,18 @@ module Puppet::Util::Windows
     # e.g. 'BUILTIN\Administrators'. Returns nil if an account
     # for that SID does not exist.
     def sid_to_name(value)
-      sid = Win32::Security::SID.new(Win32::Security::SID.string_to_sid(value))
-      if sid.domain and sid.domain.length > 0
-        "#{sid.domain}\\#{sid.account}"
-      else
-        sid.account
+      sid_bytes = []
+      begin
+        string_to_sid_ptr(value) do |ptr|
+          valid = ! ptr.nil? && ! ptr.null?
+          sid_bytes = ptr.read_array_of_uchar(get_length_sid(ptr))
+        end
+      rescue Puppet::Util::Windows::Error => e
+        raise if e.code != ERROR_INVALID_SID_STRUCTURE
       end
+      Principal.lookup_account_sid(sid_bytes).domain_account
     rescue
       nil
     end
@@ -71,7 +85,7 @@ module Puppet::Util::Windows
     # Convert a SID pointer to a SID string, e.g. "S-1-5-32-544".
     def sid_ptr_to_string(psid)
-      if ! psid.instance_of?(FFI::Pointer) || IsValidSid(psid) == FFI::WIN32_FALSE
+      if ! psid.kind_of?(FFI::Pointer) || IsValidSid(psid) == FFI::WIN32_FALSE
         raise Puppet::Util::Windows::Error.new("Invalid SID")
       end
@@ -131,6 +145,16 @@ module Puppet::Util::Windows
     end
     module_function :valid_sid?
+    def get_length_sid(sid_ptr)
+      # MSDN states IsValidSid should be called on pointer first
+      if ! sid_ptr.kind_of?(FFI::Pointer) || IsValidSid(sid_ptr) == FFI::WIN32_FALSE
+        raise Puppet::Util::Windows::Error.new("Invalid SID")
+      end
+      GetLengthSid(sid_ptr)
+    end
+    module_function :get_length_sid
     ffi_convention :stdcall
     # http://msdn.microsoft.com/en-us/library/windows/desktop/aa379151(v=vs.85).aspx
@@ -158,5 +182,12 @@ module Puppet::Util::Windows
     ffi_lib :advapi32
     attach_function_private :ConvertStringSidToSidW,
       [:lpcwstr, :pointer], :win32_bool
+    # https://msdn.microsoft.com/en-us/library/windows/desktop/aa446642(v=vs.85).aspx
+    # DWORD WINAPI GetLengthSid(
+    #   _In_ PSID pSid
+    # );
+    ffi_lib :advapi32
+    attach_function_private :GetLengthSid, [:pointer], :dword
   end
 end

data/lib/puppet/version.rb CHANGED

@@ -7,7 +7,7 @@
 module Puppet
-  PUPPETVERSION = '4.3.1'
+  PUPPETVERSION = '4.3.2'
   ##
   # version is a public API method intended to always provide a fast and

data/spec/fixtures/unit/application/environments/production/data/common.yaml CHANGED

@@ -1,3 +1,7 @@
 ---
 a: This is A
 b: This is B
+c: "This is%{cx}"
+lookup_options:
+  a: first

data/spec/fixtures/unit/application/environments/production/manifests/site.pp ADDED

	@@ -0,0 +1 @@
1	+ $cx = ' C from site.pp'

data/spec/fixtures/unit/application/environments/puppet_func_provider/environment.conf ADDED

	@@ -0,0 +1 @@
1	+ environment_data_provider = 'function'

data/spec/fixtures/unit/application/environments/puppet_func_provider/functions/data.pp ADDED

@@ -0,0 +1,10 @@
+function environment::data() {
+  {
+     a => 'This is A',
+     b => 'This is B',
+     c => "This is ${if $cx == undef { 'C from data.pp' } else { $cx }}",
+     lookup_options => {
+        a => 'first'
+     }
+  }
+}

data/spec/fixtures/unit/application/environments/puppet_func_provider/manifests/site.pp ADDED

	@@ -0,0 +1 @@
1	+ $cx = 'C from site.pp'

data/spec/fixtures/unit/data_providers/environments/hiera_module_config/data/common.yaml ADDED

@@ -0,0 +1,4 @@
+---
+users::local:
+  bob:
+    name: Bob

data/spec/fixtures/unit/data_providers/environments/hiera_module_config/data/specific.yaml ADDED

@@ -0,0 +1,4 @@
+---
+users::local:
+  bob:
+    shell: /bin/zsh

data/spec/fixtures/unit/data_providers/environments/hiera_module_config/hiera.yaml ADDED

@@ -0,0 +1,7 @@
+---
+:version: 4
+:hierarchy:
+  - :name: "common"
+    :backend: yaml
+  - :name: "specific"
+    :backend: yaml

data/spec/fixtures/unit/data_providers/environments/hiera_modules/data/common.yaml ADDED

@@ -0,0 +1,4 @@
+---
+one::local:
+  bob:
+    name: Bob

data/spec/fixtures/unit/data_providers/environments/hiera_modules/data/specific.yaml ADDED

@@ -0,0 +1,4 @@
+---
+one::local:
+  bob:
+    shell: /bin/zsh

data/spec/fixtures/unit/data_providers/environments/hiera_modules/environment.conf ADDED

	@@ -0,0 +1,2 @@
1	+ # Use the 'sample' env data provider (in this fixture)
2	+ environment_data_provider=hiera

data/spec/fixtures/unit/data_providers/environments/hiera_modules/hiera.yaml ADDED

@@ -0,0 +1,7 @@
+---
+:version: 4
+:hierarchy:
+  - :name: "common"
+    :backend: yaml
+  - :name: "specific"
+    :backend: yaml

data/spec/fixtures/unit/data_providers/environments/hiera_modules/manifests/site.pp ADDED

	@@ -0,0 +1 @@
1	+ include one::test

data/spec/fixtures/unit/data_providers/environments/hiera_modules/modules/one/data/common.yaml ADDED

@@ -0,0 +1,6 @@
+---
+lookup_options:
+  one::local:
+    merge:
+       strategy: "deep"
+       merge_hash_arrays: true

data/spec/fixtures/unit/data_providers/environments/hiera_modules/modules/one/hiera.yaml ADDED

@@ -0,0 +1,5 @@
+---
+:version: 4
+:hierarchy:
+  - :name: "common"
+    :backend: yaml

data/spec/fixtures/unit/data_providers/environments/hiera_modules/modules/one/manifests/init.pp ADDED

	@@ -0,0 +1,2 @@
1	+ class one($local={}) {
2	+ }

data/spec/fixtures/unit/data_providers/environments/hiera_modules/modules/one/metadata.json ADDED

@@ -0,0 +1,9 @@
+{
+    "name": "example/one",
+    "version": "0.0.2",
+    "source": "git@github.com/example/example-one.git",
+    "dependencies": [],
+    "author": "Bob the Builder",
+    "license": "Apache-2.0",
+    "data_provider": "hiera"
+}