puppet 6.15.0-universal-darwin → 6.19.1-universal-darwin
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of puppet might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CODEOWNERS +2 -7
- data/Gemfile +4 -2
- data/Gemfile.lock +29 -27
- data/README.md +3 -4
- data/Rakefile +4 -12
- data/lib/puppet.rb +32 -8
- data/lib/puppet/agent.rb +18 -4
- data/lib/puppet/agent/locker.rb +0 -7
- data/lib/puppet/application/agent.rb +23 -8
- data/lib/puppet/application/apply.rb +18 -20
- data/lib/puppet/application/device.rb +1 -1
- data/lib/puppet/application/doc.rb +1 -1
- data/lib/puppet/application/lookup.rb +16 -4
- data/lib/puppet/application/plugin.rb +1 -0
- data/lib/puppet/application/ssl.rb +1 -1
- data/lib/puppet/configurer.rb +61 -21
- data/lib/puppet/configurer/downloader.rb +31 -10
- data/lib/puppet/confine.rb +2 -2
- data/lib/puppet/confine/any.rb +1 -1
- data/lib/puppet/context/trusted_information.rb +14 -8
- data/lib/puppet/daemon.rb +13 -27
- data/lib/puppet/defaults.rb +119 -39
- data/lib/puppet/environments.rb +51 -10
- data/lib/puppet/face/catalog.rb +1 -1
- data/lib/puppet/face/config.rb +46 -16
- data/lib/puppet/face/facts.rb +1 -1
- data/lib/puppet/face/help.rb +29 -3
- data/lib/puppet/face/module/search.rb +5 -0
- data/lib/puppet/face/node.rb +3 -3
- data/lib/puppet/face/node/clean.rb +2 -2
- data/lib/puppet/face/plugin.rb +1 -1
- data/lib/puppet/face/status.rb +1 -1
- data/lib/puppet/feature/base.rb +1 -1
- data/lib/puppet/file_bucket/dipper.rb +1 -1
- data/lib/puppet/file_serving/http_metadata.rb +14 -2
- data/lib/puppet/file_serving/metadata.rb +4 -1
- data/lib/puppet/file_serving/mount/locales.rb +1 -2
- data/lib/puppet/file_serving/mount/pluginfacts.rb +1 -2
- data/lib/puppet/file_serving/mount/plugins.rb +1 -2
- data/lib/puppet/file_serving/terminus_selector.rb +7 -8
- data/lib/puppet/file_system/file_impl.rb +4 -4
- data/lib/puppet/file_system/uniquefile.rb +12 -16
- data/lib/puppet/forge.rb +1 -1
- data/lib/puppet/forge/cache.rb +1 -1
- data/lib/puppet/forge/repository.rb +4 -7
- data/lib/puppet/functions/filter.rb +1 -0
- data/lib/puppet/functions/lstrip.rb +4 -4
- data/lib/puppet/functions/new.rb +8 -3
- data/lib/puppet/functions/reverse_each.rb +1 -1
- data/lib/puppet/functions/rstrip.rb +4 -4
- data/lib/puppet/functions/step.rb +1 -1
- data/lib/puppet/functions/strip.rb +4 -4
- data/lib/puppet/gettext/config.rb +5 -5
- data/lib/puppet/gettext/module_translations.rb +4 -4
- data/lib/puppet/http.rb +1 -0
- data/lib/puppet/http/client.rb +28 -12
- data/lib/puppet/http/external_client.rb +0 -6
- data/lib/puppet/http/redirector.rb +9 -7
- data/lib/puppet/http/resolver.rb +5 -8
- data/lib/puppet/http/resolver/server_list.rb +18 -36
- data/lib/puppet/http/resolver/settings.rb +4 -4
- data/lib/puppet/http/resolver/srv.rb +5 -5
- data/lib/puppet/http/response.rb +19 -0
- data/lib/puppet/http/service.rb +3 -1
- data/lib/puppet/http/service/compiler.rb +1 -1
- data/lib/puppet/http/service/file_server.rb +1 -1
- data/lib/puppet/http/service/puppetserver.rb +39 -0
- data/lib/puppet/http/session.rb +5 -4
- data/lib/puppet/indirector.rb +1 -1
- data/lib/puppet/indirector/catalog/compiler.rb +1 -1
- data/lib/puppet/indirector/exec.rb +1 -1
- data/lib/puppet/indirector/facts/facter.rb +3 -3
- data/lib/puppet/indirector/facts/yaml.rb +1 -1
- data/lib/puppet/indirector/file_content/http.rb +5 -0
- data/lib/puppet/indirector/file_content/rest.rb +1 -1
- data/lib/puppet/indirector/file_metadata/http.rb +28 -8
- data/lib/puppet/indirector/file_metadata/rest.rb +2 -2
- data/lib/puppet/indirector/hiera.rb +4 -0
- data/lib/puppet/indirector/indirection.rb +1 -1
- data/lib/puppet/indirector/json.rb +1 -1
- data/lib/puppet/indirector/msgpack.rb +1 -1
- data/lib/puppet/indirector/report/processor.rb +2 -2
- data/lib/puppet/indirector/request.rb +5 -5
- data/lib/puppet/indirector/rest.rb +7 -1
- data/lib/puppet/indirector/yaml.rb +1 -1
- data/lib/puppet/module.rb +1 -2
- data/lib/puppet/network/format_support.rb +2 -2
- data/lib/puppet/network/http/api/indirected_routes.rb +1 -1
- data/lib/puppet/network/http/api/master/v3/environment.rb +3 -0
- data/lib/puppet/network/http/api/master/v3/environments.rb +0 -1
- data/lib/puppet/network/http/compression.rb +7 -0
- data/lib/puppet/network/http/connection.rb +2 -0
- data/lib/puppet/network/http/connection_adapter.rb +184 -0
- data/lib/puppet/network/http/nocache_pool.rb +1 -0
- data/lib/puppet/network/http/route.rb +2 -2
- data/lib/puppet/network/http_pool.rb +2 -2
- data/lib/puppet/node/environment.rb +12 -5
- data/lib/puppet/node/facts.rb +17 -0
- data/lib/puppet/pal/catalog_compiler.rb +5 -0
- data/lib/puppet/pal/pal_impl.rb +31 -4
- data/lib/puppet/parameter.rb +1 -1
- data/lib/puppet/parser/ast/leaf.rb +5 -5
- data/lib/puppet/parser/ast/pops_bridge.rb +0 -4
- data/lib/puppet/parser/compiler.rb +29 -26
- data/lib/puppet/parser/compiler/catalog_validator/env_relationship_validator.rb +2 -0
- data/lib/puppet/parser/compiler/catalog_validator/site_validator.rb +2 -0
- data/lib/puppet/parser/environment_compiler.rb +4 -1
- data/lib/puppet/parser/functions.rb +21 -17
- data/lib/puppet/parser/functions/create_resources.rb +11 -7
- data/lib/puppet/parser/functions/filter.rb +1 -0
- data/lib/puppet/parser/resource.rb +3 -2
- data/lib/puppet/parser/resource/param.rb +6 -0
- data/lib/puppet/parser/type_loader.rb +2 -2
- data/lib/puppet/pops/adaptable.rb +7 -13
- data/lib/puppet/pops/adapters.rb +8 -4
- data/lib/puppet/pops/evaluator/collectors/abstract_collector.rb +1 -3
- data/lib/puppet/pops/evaluator/evaluator_impl.rb +5 -5
- data/lib/puppet/pops/evaluator/runtime3_converter.rb +2 -2
- data/lib/puppet/pops/issues.rb +5 -0
- data/lib/puppet/pops/loader/runtime3_type_loader.rb +4 -2
- data/lib/puppet/pops/loaders.rb +18 -11
- data/lib/puppet/pops/lookup/context.rb +1 -1
- data/lib/puppet/pops/lookup/hiera_config.rb +14 -1
- data/lib/puppet/pops/resource/resource_type_impl.rb +2 -0
- data/lib/puppet/pops/types/iterable.rb +34 -8
- data/lib/puppet/pops/types/p_meta_type.rb +1 -1
- data/lib/puppet/pops/types/p_type_set_type.rb +4 -0
- data/lib/puppet/pops/validation/checker4_0.rb +29 -15
- data/lib/puppet/pops/validation/validator_factory_4_0.rb +1 -0
- data/lib/puppet/provider/file/windows.rb +1 -1
- data/lib/puppet/provider/package/aix.rb +17 -2
- data/lib/puppet/provider/package/apt.rb +38 -1
- data/lib/puppet/provider/package/aptitude.rb +1 -1
- data/lib/puppet/provider/package/dnfmodule.rb +24 -4
- data/lib/puppet/provider/package/dpkg.rb +1 -1
- data/lib/puppet/provider/package/gem.rb +4 -2
- data/lib/puppet/provider/package/pip.rb +60 -37
- data/lib/puppet/provider/package/pip2.rb +17 -0
- data/lib/puppet/provider/package/portage.rb +2 -2
- data/lib/puppet/provider/package/puppet_gem.rb +5 -0
- data/lib/puppet/provider/package/puppetserver_gem.rb +180 -0
- data/lib/puppet/provider/package/yum.rb +9 -1
- data/lib/puppet/provider/package/zypper.rb +62 -1
- data/lib/puppet/provider/service/systemd.rb +21 -4
- data/lib/puppet/provider/service/windows.rb +23 -7
- data/lib/puppet/provider/user/aix.rb +1 -1
- data/lib/puppet/provider/user/user_role_add.rb +1 -1
- data/lib/puppet/provider/user/useradd.rb +16 -5
- data/lib/puppet/provider/user/windows_adsi.rb +18 -1
- data/lib/puppet/reports/http.rb +7 -3
- data/lib/puppet/resource.rb +2 -1
- data/lib/puppet/resource/type.rb +10 -1
- data/lib/puppet/rest/route.rb +2 -2
- data/lib/puppet/runtime.rb +25 -2
- data/lib/puppet/settings.rb +43 -6
- data/lib/puppet/ssl/ssl_context.rb +2 -2
- data/lib/puppet/ssl/ssl_provider.rb +20 -1
- data/lib/puppet/ssl/state_machine.rb +33 -8
- data/lib/puppet/ssl/validator/default_validator.rb +1 -1
- data/lib/puppet/ssl/verifier_adapter.rb +9 -1
- data/lib/puppet/test/test_helper.rb +19 -14
- data/lib/puppet/transaction.rb +2 -2
- data/lib/puppet/transaction/persistence.rb +1 -1
- data/lib/puppet/transaction/report.rb +12 -8
- data/lib/puppet/trusted_external.rb +29 -1
- data/lib/puppet/type.rb +15 -7
- data/lib/puppet/type/file.rb +40 -15
- data/lib/puppet/type/file/checksum.rb +4 -4
- data/lib/puppet/type/file/source.rb +33 -13
- data/lib/puppet/type/filebucket.rb +1 -1
- data/lib/puppet/type/notify.rb +2 -2
- data/lib/puppet/type/package.rb +16 -1
- data/lib/puppet/type/service.rb +59 -8
- data/lib/puppet/type/user.rb +19 -10
- data/lib/puppet/util.rb +41 -3
- data/lib/puppet/util/autoload.rb +10 -25
- data/lib/puppet/util/character_encoding.rb +9 -5
- data/lib/puppet/util/checksums.rb +19 -4
- data/lib/puppet/util/connection.rb +8 -8
- data/lib/puppet/util/execution.rb +2 -2
- data/lib/puppet/util/fileparsing.rb +2 -2
- data/lib/puppet/util/log/destinations.rb +1 -10
- data/lib/puppet/util/package/version/range.rb +4 -1
- data/lib/puppet/util/package/version/range/eq.rb +14 -0
- data/lib/puppet/util/provider_features.rb +1 -1
- data/lib/puppet/util/reference.rb +1 -1
- data/lib/puppet/util/run_mode.rb +5 -1
- data/lib/puppet/util/windows.rb +1 -0
- data/lib/puppet/util/windows/api_types.rb +60 -33
- data/lib/puppet/util/windows/eventlog.rb +1 -6
- data/lib/puppet/util/windows/monkey_patches/dir.rb +40 -0
- data/lib/puppet/util/windows/principal.rb +8 -6
- data/lib/puppet/util/windows/registry.rb +11 -11
- data/lib/puppet/util/windows/security.rb +4 -4
- data/lib/puppet/util/windows/service.rb +43 -26
- data/lib/puppet/util/windows/user.rb +242 -8
- data/lib/puppet/version.rb +1 -1
- data/locales/puppet.pot +541 -427
- data/man/man5/puppet.conf.5 +84 -19
- data/man/man8/puppet-agent.8 +7 -4
- data/man/man8/puppet-apply.8 +1 -1
- data/man/man8/puppet-catalog.8 +1 -1
- data/man/man8/puppet-config.8 +6 -6
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +1 -1
- data/man/man8/puppet-filebucket.8 +1 -1
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +6 -3
- data/man/man8/puppet-key.8 +1 -1
- data/man/man8/puppet-lookup.8 +2 -2
- data/man/man8/puppet-man.8 +1 -1
- data/man/man8/puppet-module.8 +4 -1
- data/man/man8/puppet-node.8 +4 -4
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +1 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +1 -1
- data/man/man8/puppet-status.8 +2 -2
- data/man/man8/puppet.8 +2 -2
- data/spec/fixtures/integration/application/apply/environments/spec/modules/amod/lib/puppet/provider/applytest/applytest.rb +2 -0
- data/spec/fixtures/integration/application/apply/environments/spec/modules/amod/lib/puppet/type/applytest.rb +25 -0
- data/spec/fixtures/unit/forge/bacula-releases.json +128 -0
- data/spec/fixtures/unit/forge/bacula.tar.gz +0 -0
- data/spec/fixtures/unit/provider/package/dnfmodule/{dnf-module-list-enabled.txt → dnf-module-list.txt} +6 -0
- data/spec/fixtures/unit/provider/package/puppetserver_gem/gem-list-local-packages +30 -0
- data/spec/fixtures/unit/provider/package/zypper/zypper-search-uninstalled.out +13 -0
- data/spec/integration/application/agent_spec.rb +202 -52
- data/spec/integration/application/apply_spec.rb +149 -149
- data/spec/integration/application/config_spec.rb +74 -0
- data/spec/integration/application/doc_spec.rb +16 -6
- data/spec/integration/application/filebucket_spec.rb +70 -21
- data/spec/integration/application/help_spec.rb +42 -0
- data/spec/integration/application/lookup_spec.rb +13 -0
- data/spec/integration/application/module_spec.rb +68 -0
- data/spec/integration/application/plugin_spec.rb +75 -2
- data/spec/integration/configurer_spec.rb +14 -0
- data/spec/integration/data_binding_spec.rb +82 -0
- data/spec/integration/defaults_spec.rb +27 -3
- data/spec/integration/directory_environments_spec.rb +17 -17
- data/spec/integration/http/client_spec.rb +6 -1
- data/spec/integration/indirector/facts/facter_spec.rb +8 -6
- data/spec/integration/network/http_pool_spec.rb +73 -0
- data/spec/integration/node/environment_spec.rb +1 -1
- data/spec/integration/parser/compiler_spec.rb +11 -0
- data/spec/integration/type/file_spec.rb +1 -1
- data/spec/integration/util/execution_spec.rb +22 -0
- data/spec/integration/util/windows/adsi_spec.rb +7 -2
- data/spec/integration/util/windows/monkey_patches/dir_spec.rb +11 -0
- data/spec/integration/util/windows/process_spec.rb +26 -32
- data/spec/integration/util/windows/registry_spec.rb +7 -7
- data/spec/integration/util/windows/user_spec.rb +47 -5
- data/spec/integration/util_spec.rb +7 -33
- data/spec/lib/puppet_spec/https.rb +6 -0
- data/spec/lib/puppet_spec/matchers.rb +0 -80
- data/spec/lib/puppet_spec/puppetserver.rb +8 -0
- data/spec/shared_contexts/types_setup.rb +2 -0
- data/spec/unit/agent_spec.rb +47 -1
- data/spec/unit/application/agent_spec.rb +7 -8
- data/spec/unit/application/doc_spec.rb +2 -2
- data/spec/unit/application/face_base_spec.rb +6 -4
- data/spec/unit/application/facts_spec.rb +41 -10
- data/spec/unit/application/man_spec.rb +52 -0
- data/spec/unit/application/resource_spec.rb +3 -1
- data/spec/unit/application/ssl_spec.rb +15 -2
- data/spec/unit/application_spec.rb +9 -4
- data/spec/unit/configurer/downloader_spec.rb +10 -0
- data/spec/unit/configurer/fact_handler_spec.rb +4 -4
- data/spec/unit/configurer_spec.rb +86 -37
- data/spec/unit/confine_spec.rb +2 -1
- data/spec/unit/context/trusted_information_spec.rb +25 -2
- data/spec/unit/daemon_spec.rb +5 -64
- data/spec/unit/environments_spec.rb +99 -32
- data/spec/unit/face/config_spec.rb +59 -1
- data/spec/unit/face/module/search_spec.rb +17 -0
- data/spec/unit/face/node_spec.rb +2 -2
- data/spec/unit/file_serving/http_metadata_spec.rb +37 -14
- data/spec/unit/file_serving/mount/locales_spec.rb +2 -2
- data/spec/unit/file_serving/mount/pluginfacts_spec.rb +2 -2
- data/spec/unit/file_serving/mount/plugins_spec.rb +2 -2
- data/spec/unit/file_serving/terminus_selector_spec.rb +45 -26
- data/spec/unit/file_system/uniquefile_spec.rb +29 -0
- data/spec/unit/file_system_spec.rb +1 -2
- data/spec/unit/http/client_spec.rb +74 -19
- data/spec/unit/http/external_client_spec.rb +9 -9
- data/spec/unit/http/resolver_spec.rb +24 -5
- data/spec/unit/http/response_spec.rb +6 -0
- data/spec/unit/http/service/ca_spec.rb +2 -3
- data/spec/unit/http/service/compiler_spec.rb +2 -3
- data/spec/unit/http/service/file_server_spec.rb +2 -3
- data/spec/unit/http/service/puppetserver_spec.rb +82 -0
- data/spec/unit/http/service/report_spec.rb +2 -3
- data/spec/unit/http/service_spec.rb +0 -1
- data/spec/unit/http/session_spec.rb +8 -21
- data/spec/unit/indirector/catalog/compiler_spec.rb +1 -0
- data/spec/unit/indirector/catalog/json_spec.rb +1 -1
- data/spec/unit/indirector/catalog/rest_spec.rb +1 -1
- data/spec/unit/indirector/facts/rest_spec.rb +1 -1
- data/spec/unit/indirector/file_metadata/http_spec.rb +194 -0
- data/spec/unit/indirector/file_metadata/rest_spec.rb +15 -14
- data/spec/unit/indirector/json_spec.rb +8 -8
- data/spec/unit/indirector/msgpack_spec.rb +8 -8
- data/spec/unit/indirector/node/rest_spec.rb +1 -1
- data/spec/unit/indirector/request_spec.rb +5 -5
- data/spec/unit/indirector/rest_spec.rb +14 -1
- data/spec/unit/indirector/status/rest_spec.rb +1 -1
- data/spec/unit/indirector/yaml_spec.rb +7 -7
- data/spec/unit/interface_spec.rb +3 -3
- data/spec/unit/module_tool/tar/mini_spec.rb +20 -0
- data/spec/unit/network/format_support_spec.rb +3 -2
- data/spec/unit/network/http/api/indirected_routes_spec.rb +2 -1
- data/spec/unit/network/http/api/master/v3/environments_spec.rb +12 -23
- data/spec/unit/network/http/connection_spec.rb +552 -190
- data/spec/unit/network/http/nocache_pool_spec.rb +22 -0
- data/spec/unit/network/http_pool_spec.rb +63 -57
- data/spec/unit/network/http_spec.rb +1 -1
- data/spec/unit/node/environment_spec.rb +18 -1
- data/spec/unit/parser/ast/block_expression_spec.rb +1 -1
- data/spec/unit/parser/environment_compiler_spec.rb +7 -0
- data/spec/unit/parser/scope_spec.rb +1 -1
- data/spec/unit/pops/evaluator/evaluating_parser_spec.rb +15 -1
- data/spec/unit/pops/loaders/loaders_spec.rb +71 -1
- data/spec/unit/pops/lookup/lookup_spec.rb +25 -0
- data/spec/unit/pops/types/type_calculator_spec.rb +1 -11
- data/spec/unit/provider/exec_spec.rb +4 -3
- data/spec/unit/provider/package/aix_spec.rb +29 -0
- data/spec/unit/provider/package/apt_spec.rb +77 -0
- data/spec/unit/provider/package/aptitude_spec.rb +1 -0
- data/spec/unit/provider/package/dnfmodule_spec.rb +25 -5
- data/spec/unit/provider/package/dpkg_spec.rb +22 -7
- data/spec/unit/provider/package/openbsd_spec.rb +2 -0
- data/spec/unit/provider/package/pip2_spec.rb +36 -0
- data/spec/unit/provider/package/pip_spec.rb +42 -16
- data/spec/unit/provider/package/portage_spec.rb +5 -0
- data/spec/unit/provider/package/puppet_gem_spec.rb +4 -1
- data/spec/unit/provider/package/puppetserver_gem_spec.rb +137 -0
- data/spec/unit/provider/package/yum_spec.rb +47 -8
- data/spec/unit/provider/package/zypper_spec.rb +98 -0
- data/spec/unit/provider/service/base_spec.rb +2 -4
- data/spec/unit/provider/service/bsd_spec.rb +5 -1
- data/spec/unit/provider/service/daemontools_spec.rb +1 -1
- data/spec/unit/provider/service/debian_spec.rb +3 -5
- data/spec/unit/provider/service/freebsd_spec.rb +1 -1
- data/spec/unit/provider/service/gentoo_spec.rb +4 -5
- data/spec/unit/provider/service/init_spec.rb +46 -5
- data/spec/unit/provider/service/launchd_spec.rb +5 -6
- data/spec/unit/provider/service/openbsd_spec.rb +9 -0
- data/spec/unit/provider/service/openrc_spec.rb +4 -5
- data/spec/unit/provider/service/openwrt_spec.rb +2 -1
- data/spec/unit/provider/service/redhat_spec.rb +10 -1
- data/spec/unit/provider/service/runit_spec.rb +2 -1
- data/spec/unit/provider/service/smf_spec.rb +1 -1
- data/spec/unit/provider/service/src_spec.rb +3 -5
- data/spec/unit/provider/service/systemd_spec.rb +87 -19
- data/spec/unit/provider/service/upstart_spec.rb +4 -5
- data/spec/unit/provider/service/windows_spec.rb +50 -14
- data/spec/unit/provider/user/openbsd_spec.rb +1 -0
- data/spec/unit/provider/user/useradd_spec.rb +30 -16
- data/spec/unit/provider/user/windows_adsi_spec.rb +82 -0
- data/spec/unit/puppet_pal_2pec.rb +40 -0
- data/spec/unit/puppet_pal_catalog_spec.rb +43 -0
- data/spec/unit/puppet_spec.rb +33 -0
- data/spec/unit/reports/http_spec.rb +1 -1
- data/spec/unit/reports/store_spec.rb +17 -13
- data/spec/unit/resource_spec.rb +3 -3
- data/spec/unit/rest/route_spec.rb +4 -4
- data/spec/unit/settings_spec.rb +182 -22
- data/spec/unit/ssl/ssl_provider_spec.rb +69 -43
- data/spec/unit/ssl/state_machine_spec.rb +52 -8
- data/spec/unit/test/test_helper_spec.rb +17 -0
- data/spec/unit/transaction/persistence_spec.rb +15 -0
- data/spec/unit/transaction/report_spec.rb +3 -1
- data/spec/unit/type/file/source_spec.rb +4 -4
- data/spec/unit/type/file_spec.rb +122 -96
- data/spec/unit/type/filebucket_spec.rb +1 -1
- data/spec/unit/type/service_spec.rb +218 -8
- data/spec/unit/type/user_spec.rb +32 -3
- data/spec/unit/type_spec.rb +50 -0
- data/spec/unit/util/autoload_spec.rb +2 -1
- data/spec/unit/util/character_encoding_spec.rb +4 -4
- data/spec/unit/util/checksums_spec.rb +16 -0
- data/spec/unit/util/command_line_spec.rb +11 -6
- data/spec/unit/util/log/destinations_spec.rb +1 -29
- data/spec/unit/util/package/version/range_spec.rb +22 -1
- data/spec/unit/util/run_mode_spec.rb +6 -6
- data/spec/unit/util/windows/api_types_spec.rb +104 -40
- data/spec/unit/util/windows/service_spec.rb +4 -4
- data/spec/unit/util_spec.rb +3 -3
- data/spec/unit/x509/cert_provider_spec.rb +1 -1
- data/tasks/manpages.rake +5 -35
- metadata +43 -49
- data/spec/integration/faces/config_spec.rb +0 -91
- data/spec/integration/faces/documentation_spec.rb +0 -57
- data/spec/integration/file_bucket/file_spec.rb +0 -50
- data/spec/integration/file_serving/content_spec.rb +0 -7
- data/spec/integration/file_serving/fileset_spec.rb +0 -12
- data/spec/integration/file_serving/metadata_spec.rb +0 -8
- data/spec/integration/file_serving/terminus_helper_spec.rb +0 -20
- data/spec/integration/file_system/uniquefile_spec.rb +0 -26
- data/spec/integration/module_tool/forge_spec.rb +0 -51
- data/spec/integration/module_tool/tar/mini_spec.rb +0 -28
- data/spec/integration/provider/service/init_spec.rb +0 -48
- data/spec/integration/provider/service/systemd_spec.rb +0 -25
- data/spec/integration/provider/service/windows_spec.rb +0 -50
- data/spec/integration/reference/providers_spec.rb +0 -21
- data/spec/integration/reports_spec.rb +0 -13
- data/spec/integration/ssl/certificate_request_spec.rb +0 -44
- data/spec/integration/ssl/host_spec.rb +0 -72
- data/spec/integration/ssl/key_spec.rb +0 -99
- data/spec/integration/test/test_helper_spec.rb +0 -31
- data/spec/shared_behaviours/file_serving_model.rb +0 -51
- data/spec/unit/face/man_spec.rb +0 -25
- data/spec/unit/man_spec.rb +0 -31
@@ -140,12 +140,7 @@ class Puppet::Util::Windows::EventLog
|
|
140
140
|
# @api private
|
141
141
|
def from_string_to_wide_string(str, &block)
|
142
142
|
str = wide_string(str)
|
143
|
-
FFI::MemoryPointer.
|
144
|
-
# uchar here is synonymous with byte
|
145
|
-
ptr.put_array_of_uchar(0, str.bytes.to_a)
|
146
|
-
|
147
|
-
yield ptr
|
148
|
-
end
|
143
|
+
FFI::MemoryPointer.from_wide_string(str) { |ptr| yield ptr }
|
149
144
|
|
150
145
|
# ptr has already had free called, so nothing to return
|
151
146
|
nil
|
@@ -0,0 +1,40 @@
|
|
1
|
+
require 'win32/dir/constants'
|
2
|
+
require 'win32/dir/functions'
|
3
|
+
require 'win32/dir/structs'
|
4
|
+
|
5
|
+
class DirMonkeyPatched
|
6
|
+
include ::Dir::Structs
|
7
|
+
include ::Dir::Constants
|
8
|
+
extend ::Dir::Functions
|
9
|
+
|
10
|
+
path = nil
|
11
|
+
key = :PERSONAL
|
12
|
+
value = 0x0005
|
13
|
+
buf = 0.chr * 1024
|
14
|
+
buf.encode!(Encoding::UTF_16LE)
|
15
|
+
|
16
|
+
if SHGetFolderPathW(0, value, 0, 0, buf) == 0 # Current path
|
17
|
+
path = buf.strip
|
18
|
+
elsif SHGetFolderPathW(0, value, 0, 1, buf) == 0 # Default path
|
19
|
+
path = buf.strip
|
20
|
+
else
|
21
|
+
FFI::MemoryPointer.new(:long) do |ptr|
|
22
|
+
if SHGetFolderLocation(0, value, 0, 0, ptr) == 0
|
23
|
+
SHFILEINFO.new do |info|
|
24
|
+
flags = SHGFI_DISPLAYNAME | SHGFI_PIDL
|
25
|
+
if SHGetFileInfo(ptr.read_long, 0, info, info.size, flags) != 0
|
26
|
+
path = info[:szDisplayName].to_s
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
33
|
+
if path.nil?
|
34
|
+
begin
|
35
|
+
Dir.const_set(key, ''.encode(Encoding.default_external))
|
36
|
+
rescue Encoding::UndefinedConversionError
|
37
|
+
Dir.const_set(key, ''.encode(Encoding::UTF_8))
|
38
|
+
end
|
39
|
+
end
|
40
|
+
end
|
@@ -41,6 +41,7 @@ module Puppet::Util::Windows::SID
|
|
41
41
|
# = 8 + max sub identifiers (15) * 4
|
42
42
|
MAXIMUM_SID_BYTE_LENGTH = 68
|
43
43
|
|
44
|
+
ERROR_INVALID_PARAMETER = 87
|
44
45
|
ERROR_INSUFFICIENT_BUFFER = 122
|
45
46
|
|
46
47
|
def self.lookup_account_name(system_name = nil, account_name)
|
@@ -48,9 +49,7 @@ module Puppet::Util::Windows::SID
|
|
48
49
|
begin
|
49
50
|
if system_name
|
50
51
|
system_name_wide = Puppet::Util::Windows::String.wide_string(system_name)
|
51
|
-
|
52
|
-
system_name_ptr = FFI::MemoryPointer.new(:byte, system_name_wide.bytesize)
|
53
|
-
system_name_ptr.put_array_of_uchar(0, system_name_wide.bytes.to_a)
|
52
|
+
system_name_ptr = FFI::MemoryPointer.from_wide_string(system_name_wide)
|
54
53
|
end
|
55
54
|
|
56
55
|
FFI::MemoryPointer.from_string_to_wide_string(account_name) do |account_name_ptr|
|
@@ -101,9 +100,7 @@ module Puppet::Util::Windows::SID
|
|
101
100
|
begin
|
102
101
|
if system_name
|
103
102
|
system_name_wide = Puppet::Util::Windows::String.wide_string(system_name)
|
104
|
-
|
105
|
-
system_name_ptr = FFI::MemoryPointer.new(:byte, system_name_wide.bytesize)
|
106
|
-
system_name_ptr.put_array_of_uchar(0, system_name_wide.bytes.to_a)
|
103
|
+
system_name_ptr = FFI::MemoryPointer.from_wide_string(system_name_wide)
|
107
104
|
end
|
108
105
|
|
109
106
|
FFI::MemoryPointer.new(:byte, sid_bytes.length) do |sid_ptr|
|
@@ -112,6 +109,11 @@ module Puppet::Util::Windows::SID
|
|
112
109
|
FFI::MemoryPointer.new(:uint32, 1) do |name_use_enum_ptr|
|
113
110
|
|
114
111
|
sid_ptr.write_array_of_uchar(sid_bytes)
|
112
|
+
|
113
|
+
if Puppet::Util::Windows::SID.IsValidSid(sid_ptr) == FFI::WIN32_FALSE
|
114
|
+
raise Puppet::Util::Windows::Error.new(_('Byte array for lookup_account_sid is invalid: %{sid_bytes}') % { sid_bytes: sid_bytes }, ERROR_INVALID_PARAMETER)
|
115
|
+
end
|
116
|
+
|
115
117
|
success = LookupAccountSidW(system_name_ptr, sid_ptr, FFI::Pointer::NULL, name_length_ptr,
|
116
118
|
FFI::Pointer::NULL, domain_length_ptr, name_use_enum_ptr)
|
117
119
|
last_error = FFI.errno
|
@@ -110,13 +110,16 @@ module Puppet::Util::Windows
|
|
110
110
|
|
111
111
|
private
|
112
112
|
|
113
|
-
|
113
|
+
# max number of wide characters including NULL terminator
|
114
|
+
MAX_KEY_CHAR_LENGTH = 255 + 1
|
115
|
+
|
116
|
+
def reg_enum_key(key, index, max_key_char_length = MAX_KEY_CHAR_LENGTH)
|
114
117
|
subkey, filetime = nil, nil
|
115
118
|
|
116
119
|
FFI::MemoryPointer.new(:dword) do |subkey_length_ptr|
|
117
120
|
FFI::MemoryPointer.new(FFI::WIN32::FILETIME.size) do |filetime_ptr|
|
118
|
-
FFI::MemoryPointer.new(:wchar,
|
119
|
-
subkey_length_ptr.write_dword(
|
121
|
+
FFI::MemoryPointer.new(:wchar, max_key_char_length) do |subkey_ptr|
|
122
|
+
subkey_length_ptr.write_dword(max_key_char_length)
|
120
123
|
|
121
124
|
# RegEnumKeyEx cannot be called twice to properly size the buffer
|
122
125
|
result = RegEnumKeyExW(key.hkey, index,
|
@@ -141,7 +144,10 @@ module Puppet::Util::Windows
|
|
141
144
|
[subkey, filetime]
|
142
145
|
end
|
143
146
|
|
144
|
-
|
147
|
+
# max number of wide characters including NULL terminator
|
148
|
+
MAX_VALUE_CHAR_LENGTH = 16383 + 1
|
149
|
+
|
150
|
+
def reg_enum_value(key, index, max_value_length = MAX_VALUE_CHAR_LENGTH)
|
145
151
|
subkey, type, data = nil, nil, nil
|
146
152
|
|
147
153
|
FFI::MemoryPointer.new(:dword) do |subkey_length_ptr|
|
@@ -234,7 +240,7 @@ module Puppet::Util::Windows
|
|
234
240
|
begin
|
235
241
|
case type
|
236
242
|
when Win32::Registry::REG_SZ, Win32::Registry::REG_EXPAND_SZ
|
237
|
-
result = [ type,
|
243
|
+
result = [ type, data_ptr.read_wide_string(string_length, Encoding::UTF_8, true) ]
|
238
244
|
when Win32::Registry::REG_MULTI_SZ
|
239
245
|
result = [ type, data_ptr.read_wide_string(string_length).split(/\0/) ]
|
240
246
|
when Win32::Registry::REG_BINARY
|
@@ -314,12 +320,6 @@ module Puppet::Util::Windows
|
|
314
320
|
result
|
315
321
|
end
|
316
322
|
|
317
|
-
def sanitize(value)
|
318
|
-
# Replace null bytes with a space
|
319
|
-
value.tr!("\x00", ' ')
|
320
|
-
value
|
321
|
-
end
|
322
|
-
|
323
323
|
ffi_convention :stdcall
|
324
324
|
|
325
325
|
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms724862(v=vs.85).aspx
|
@@ -340,10 +340,10 @@ module Puppet::Util::Windows::Security
|
|
340
340
|
Puppet.warning _("Setting control rights for %{path} owner SYSTEM to less than Full Control rights. Setting SYSTEM rights to less than Full Control may have unintented consequences for operations on this file") % { path: path }
|
341
341
|
elsif managing_owner && isownergroup
|
342
342
|
#TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
|
343
|
-
Puppet.debug _("%{path} owner and group both set to user SYSTEM, but group is not managed directly: SYSTEM user rights will be set to FullControl by group") % { path: path }
|
343
|
+
Puppet.debug { _("%{path} owner and group both set to user SYSTEM, but group is not managed directly: SYSTEM user rights will be set to FullControl by group") % { path: path } }
|
344
344
|
else
|
345
345
|
#TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
|
346
|
-
Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the owner, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
|
346
|
+
Puppet.debug { _("An attempt to set mode %{mode} on item %{path} would result in the owner, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path } }
|
347
347
|
owner_allow = FILE::FILE_ALL_ACCESS
|
348
348
|
end
|
349
349
|
end
|
@@ -356,10 +356,10 @@ module Puppet::Util::Windows::Security
|
|
356
356
|
Puppet.warning _("Setting control rights for %{path} group SYSTEM to less than Full Control rights. Setting SYSTEM rights to less than Full Control may have unintented consequences for operations on this file") % { path: path }
|
357
357
|
elsif managing_group && isownergroup
|
358
358
|
#TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
|
359
|
-
Puppet.debug _("%{path} owner and group both set to user SYSTEM, but owner is not managed directly: SYSTEM user rights will be set to FullControl by owner") % { path: path }
|
359
|
+
Puppet.debug { _("%{path} owner and group both set to user SYSTEM, but owner is not managed directly: SYSTEM user rights will be set to FullControl by owner") % { path: path } }
|
360
360
|
else
|
361
361
|
#TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
|
362
|
-
Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the group, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
|
362
|
+
Puppet.debug { _("An attempt to set mode %{mode} on item %{path} would result in the group, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path } }
|
363
363
|
group_allow = FILE::FILE_ALL_ACCESS
|
364
364
|
end
|
365
365
|
end
|
@@ -440,43 +440,60 @@ module Puppet::Util::Windows
|
|
440
440
|
end
|
441
441
|
module_function :service_start_type
|
442
442
|
|
443
|
-
#
|
443
|
+
# Query the configuration of a service using QueryServiceConfigW
|
444
|
+
# to find its current logon account
|
444
445
|
#
|
445
|
-
# @
|
446
|
-
#
|
447
|
-
|
448
|
-
|
449
|
-
|
450
|
-
|
451
|
-
|
452
|
-
if startup_code.nil?
|
453
|
-
raise Puppet::Error.new(_("Unknown start type %{start_type}") % {startup_type: startup_type.to_s})
|
446
|
+
# @return [String] logon_account account currently set for the service's logon
|
447
|
+
# in the format "DOMAIN\Account" or ".\Account" if it's a local account
|
448
|
+
def logon_account(service_name)
|
449
|
+
open_service(service_name, SC_MANAGER_CONNECT, SERVICE_QUERY_CONFIG) do |service|
|
450
|
+
query_config(service) do |config|
|
451
|
+
return config[:lpServiceStartName].read_arbitrary_wide_string_up_to(Puppet::Util::Windows::ADSI::User::MAX_USERNAME_LENGTH)
|
452
|
+
end
|
454
453
|
end
|
454
|
+
end
|
455
|
+
module_function :logon_account
|
456
|
+
|
457
|
+
# Set the startup configuration of a windows service
|
458
|
+
#
|
459
|
+
# @param [String] service_name the name of the service to modify
|
460
|
+
# @param [Hash] options the configuration to be applied. Expected option keys:
|
461
|
+
# - [Integer] startup_type a code corresponding to a start type for
|
462
|
+
# windows service, see the "Service start type codes" section in the
|
463
|
+
# Puppet::Util::Windows::Service file for the list of available codes
|
464
|
+
# - [String] logon_account the account to be used by the service for logon
|
465
|
+
# - [String] logon_password the provided logon_account's password to be used by the service for logon
|
466
|
+
# - [Bool] delayed whether the service should be started with a delay
|
467
|
+
def set_startup_configuration(service_name, options: {})
|
468
|
+
options[:startup_type] = SERVICE_START_TYPES.key(options[:startup_type]) || SERVICE_NO_CHANGE
|
469
|
+
options[:logon_account] = wide_string(options[:logon_account]) || FFI::Pointer::NULL
|
470
|
+
options[:logon_password] = wide_string(options[:logon_password]) || FFI::Pointer::NULL
|
471
|
+
|
455
472
|
open_service(service_name, SC_MANAGER_CONNECT, SERVICE_CHANGE_CONFIG) do |service|
|
456
|
-
# Currently the only thing puppet's API can really manage
|
457
|
-
# in this list is dwStartType (the third param). Thus no
|
458
|
-
# generic function was written to make use of all the params
|
459
|
-
# since the API as-is couldn't use them anyway
|
460
473
|
success = ChangeServiceConfigW(
|
461
474
|
service,
|
462
|
-
SERVICE_NO_CHANGE,
|
463
|
-
|
464
|
-
SERVICE_NO_CHANGE,
|
465
|
-
FFI::Pointer::NULL,
|
466
|
-
FFI::Pointer::NULL,
|
467
|
-
FFI::Pointer::NULL,
|
468
|
-
FFI::Pointer::NULL,
|
469
|
-
|
470
|
-
|
471
|
-
FFI::Pointer::NULL
|
475
|
+
SERVICE_NO_CHANGE, # dwServiceType
|
476
|
+
options[:startup_type], # dwStartType
|
477
|
+
SERVICE_NO_CHANGE, # dwErrorControl
|
478
|
+
FFI::Pointer::NULL, # lpBinaryPathName
|
479
|
+
FFI::Pointer::NULL, # lpLoadOrderGroup
|
480
|
+
FFI::Pointer::NULL, # lpdwTagId
|
481
|
+
FFI::Pointer::NULL, # lpDependencies
|
482
|
+
options[:logon_account], # lpServiceStartName
|
483
|
+
options[:logon_password], # lpPassword
|
484
|
+
FFI::Pointer::NULL # lpDisplayName
|
472
485
|
)
|
473
486
|
if success == FFI::WIN32_FALSE
|
474
487
|
raise Puppet::Util::Windows::Error.new(_("Failed to update service configuration"))
|
475
488
|
end
|
476
489
|
end
|
477
|
-
|
490
|
+
|
491
|
+
if options[:startup_type]
|
492
|
+
options[:delayed] ||= false
|
493
|
+
set_startup_mode_delayed(service_name, options[:delayed])
|
494
|
+
end
|
478
495
|
end
|
479
|
-
module_function :
|
496
|
+
module_function :set_startup_configuration
|
480
497
|
|
481
498
|
# enumerate over all services in all states and return them as a hash
|
482
499
|
#
|
@@ -16,6 +16,22 @@ module Puppet::Util::Windows::User
|
|
16
16
|
end
|
17
17
|
module_function :admin?
|
18
18
|
|
19
|
+
# The name of the account in all locales is `LocalSystem`. `.\LocalSystem` or `ComputerName\LocalSystem' can also be used.
|
20
|
+
# This account is not recognized by the security subsystem, so you cannot specify its name in a call to the `LookupAccountName` function.
|
21
|
+
# https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account
|
22
|
+
def localsystem?(name)
|
23
|
+
["LocalSystem", ".\\LocalSystem", "#{Puppet::Util::Windows::ADSI.computer_name}\\LocalSystem"].any?{ |s| s.casecmp(name) == 0 }
|
24
|
+
end
|
25
|
+
module_function :localsystem?
|
26
|
+
|
27
|
+
# Check if a given user is one of the default system accounts
|
28
|
+
# These accounts do not have a password and all checks done through logon attempt will fail
|
29
|
+
# https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#default-local-system-accounts
|
30
|
+
def default_system_account?(name)
|
31
|
+
user_sid = Puppet::Util::Windows::SID.name_to_sid(name)
|
32
|
+
[Puppet::Util::Windows::SID::LocalSystem, Puppet::Util::Windows::SID::NtLocal, Puppet::Util::Windows::SID::NtNetwork].include?(user_sid)
|
33
|
+
end
|
34
|
+
module_function :default_system_account?
|
19
35
|
|
20
36
|
# https://msdn.microsoft.com/en-us/library/windows/desktop/ee207397(v=vs.85).aspx
|
21
37
|
SECURITY_MAX_SID_SIZE = 68
|
@@ -57,9 +73,9 @@ module Puppet::Util::Windows::User
|
|
57
73
|
end
|
58
74
|
module_function :check_token_membership
|
59
75
|
|
60
|
-
def password_is?(name, password)
|
76
|
+
def password_is?(name, password, domain = '.')
|
61
77
|
begin
|
62
|
-
logon_user(name, password) { |token| }
|
78
|
+
logon_user(name, password, domain) { |token| }
|
63
79
|
rescue Puppet::Util::Windows::Error => detail
|
64
80
|
|
65
81
|
authenticated_error_codes = Set[
|
@@ -74,7 +90,7 @@ module Puppet::Util::Windows::User
|
|
74
90
|
end
|
75
91
|
module_function :password_is?
|
76
92
|
|
77
|
-
def logon_user(name, password, &block)
|
93
|
+
def logon_user(name, password, domain = '.', &block)
|
78
94
|
fLOGON32_PROVIDER_DEFAULT = 0
|
79
95
|
fLOGON32_LOGON_INTERACTIVE = 2
|
80
96
|
fLOGON32_LOGON_NETWORK = 3
|
@@ -83,8 +99,8 @@ module Puppet::Util::Windows::User
|
|
83
99
|
begin
|
84
100
|
FFI::MemoryPointer.new(:handle, 1) do |token_pointer|
|
85
101
|
#try logon using network else try logon using interactive mode
|
86
|
-
if logon_user_by_logon_type(name, password, fLOGON32_LOGON_NETWORK, fLOGON32_PROVIDER_DEFAULT, token_pointer) == FFI::WIN32_FALSE
|
87
|
-
if logon_user_by_logon_type(name, password, fLOGON32_LOGON_INTERACTIVE, fLOGON32_PROVIDER_DEFAULT, token_pointer) == FFI::WIN32_FALSE
|
102
|
+
if logon_user_by_logon_type(name, domain, password, fLOGON32_LOGON_NETWORK, fLOGON32_PROVIDER_DEFAULT, token_pointer) == FFI::WIN32_FALSE
|
103
|
+
if logon_user_by_logon_type(name, domain, password, fLOGON32_LOGON_INTERACTIVE, fLOGON32_PROVIDER_DEFAULT, token_pointer) == FFI::WIN32_FALSE
|
88
104
|
raise Puppet::Util::Windows::Error.new(_("Failed to logon user %{name}") % {name: name.inspect})
|
89
105
|
end
|
90
106
|
end
|
@@ -98,11 +114,10 @@ module Puppet::Util::Windows::User
|
|
98
114
|
# token has been closed by this point
|
99
115
|
true
|
100
116
|
end
|
101
|
-
|
102
117
|
module_function :logon_user
|
103
118
|
|
104
|
-
def self.logon_user_by_logon_type(name, password, logon_type, logon_provider, token)
|
105
|
-
LogonUserW(wide_string(name), wide_string(
|
119
|
+
def self.logon_user_by_logon_type(name, domain, password, logon_type, logon_provider, token)
|
120
|
+
LogonUserW(wide_string(name), wide_string(domain), password.nil? ? FFI::Pointer::NULL : wide_string(password), logon_type, logon_provider, token)
|
106
121
|
end
|
107
122
|
|
108
123
|
private_class_method :logon_user_by_logon_type
|
@@ -130,6 +145,125 @@ module Puppet::Util::Windows::User
|
|
130
145
|
end
|
131
146
|
module_function :load_profile
|
132
147
|
|
148
|
+
def get_rights(name)
|
149
|
+
user_info = Puppet::Util::Windows::SID.name_to_principal(name.sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\"))
|
150
|
+
return "" unless user_info
|
151
|
+
|
152
|
+
rights = []
|
153
|
+
rights_pointer = FFI::MemoryPointer.new(:pointer)
|
154
|
+
number_of_rights = FFI::MemoryPointer.new(:ulong)
|
155
|
+
sid_pointer = FFI::MemoryPointer.new(:byte, user_info.sid_bytes.length).write_array_of_uchar(user_info.sid_bytes)
|
156
|
+
|
157
|
+
new_lsa_policy_handle do |policy_handle|
|
158
|
+
result = LsaEnumerateAccountRights(policy_handle.read_pointer, sid_pointer, rights_pointer, number_of_rights)
|
159
|
+
check_lsa_nt_status_and_raise_failures(result, "LsaEnumerateAccountRights")
|
160
|
+
end
|
161
|
+
|
162
|
+
number_of_rights.read_ulong.times do |index|
|
163
|
+
right = LSA_UNICODE_STRING.new(rights_pointer.read_pointer + index * LSA_UNICODE_STRING.size)
|
164
|
+
rights << right[:Buffer].read_arbitrary_wide_string_up_to
|
165
|
+
end
|
166
|
+
|
167
|
+
result = LsaFreeMemory(rights_pointer.read_pointer)
|
168
|
+
check_lsa_nt_status_and_raise_failures(result, "LsaFreeMemory")
|
169
|
+
|
170
|
+
rights.join(",")
|
171
|
+
end
|
172
|
+
module_function :get_rights
|
173
|
+
|
174
|
+
def set_rights(name, rights)
|
175
|
+
rights_pointer = new_lsa_unicode_strings_pointer(rights)
|
176
|
+
user_info = Puppet::Util::Windows::SID.name_to_principal(name.sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\"))
|
177
|
+
sid_pointer = FFI::MemoryPointer.new(:byte, user_info.sid_bytes.length).write_array_of_uchar(user_info.sid_bytes)
|
178
|
+
|
179
|
+
new_lsa_policy_handle do |policy_handle|
|
180
|
+
result = LsaAddAccountRights(policy_handle.read_pointer, sid_pointer, rights_pointer, rights.size)
|
181
|
+
check_lsa_nt_status_and_raise_failures(result, "LsaAddAccountRights")
|
182
|
+
end
|
183
|
+
end
|
184
|
+
module_function :set_rights
|
185
|
+
|
186
|
+
def remove_rights(name, rights)
|
187
|
+
rights_pointer = new_lsa_unicode_strings_pointer(rights)
|
188
|
+
user_info = Puppet::Util::Windows::SID.name_to_principal(name.sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\"))
|
189
|
+
sid_pointer = FFI::MemoryPointer.new(:byte, user_info.sid_bytes.length).write_array_of_uchar(user_info.sid_bytes)
|
190
|
+
|
191
|
+
new_lsa_policy_handle do |policy_handle|
|
192
|
+
result = LsaRemoveAccountRights(policy_handle.read_pointer, sid_pointer, false, rights_pointer, rights.size)
|
193
|
+
check_lsa_nt_status_and_raise_failures(result, "LsaRemoveAccountRights")
|
194
|
+
end
|
195
|
+
end
|
196
|
+
module_function :remove_rights
|
197
|
+
|
198
|
+
# ACCESS_MASK flags for Policy Objects
|
199
|
+
# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/b61b7268-987a-420b-84f9-6c75f8dc8558
|
200
|
+
POLICY_VIEW_LOCAL_INFORMATION = 0x00000001
|
201
|
+
POLICY_VIEW_AUDIT_INFORMATION = 0x00000002
|
202
|
+
POLICY_GET_PRIVATE_INFORMATION = 0x00000004
|
203
|
+
POLICY_TRUST_ADMIN = 0x00000008
|
204
|
+
POLICY_CREATE_ACCOUNT = 0x00000010
|
205
|
+
POLICY_CREATE_SECRET = 0x00000020
|
206
|
+
POLICY_CREATE_PRIVILEGE = 0x00000040
|
207
|
+
POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080
|
208
|
+
POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100
|
209
|
+
POLICY_AUDIT_LOG_ADMIN = 0x00000200
|
210
|
+
POLICY_SERVER_ADMIN = 0x00000400
|
211
|
+
POLICY_LOOKUP_NAMES = 0x00000800
|
212
|
+
POLICY_NOTIFICATION = 0x00001000
|
213
|
+
|
214
|
+
def self.new_lsa_policy_handle
|
215
|
+
access = 0
|
216
|
+
access |= POLICY_LOOKUP_NAMES
|
217
|
+
access |= POLICY_CREATE_ACCOUNT
|
218
|
+
policy_handle = FFI::MemoryPointer.new(:pointer)
|
219
|
+
|
220
|
+
result = LsaOpenPolicy(nil, LSA_OBJECT_ATTRIBUTES.new, access, policy_handle)
|
221
|
+
check_lsa_nt_status_and_raise_failures(result, "LsaOpenPolicy")
|
222
|
+
|
223
|
+
begin
|
224
|
+
yield policy_handle
|
225
|
+
ensure
|
226
|
+
result = LsaClose(policy_handle.read_pointer)
|
227
|
+
check_lsa_nt_status_and_raise_failures(result, "LsaClose")
|
228
|
+
end
|
229
|
+
end
|
230
|
+
private_class_method :new_lsa_policy_handle
|
231
|
+
|
232
|
+
def self.new_lsa_unicode_strings_pointer(strings)
|
233
|
+
lsa_unicode_strings_pointer = FFI::MemoryPointer.new(LSA_UNICODE_STRING, strings.size)
|
234
|
+
|
235
|
+
strings.each_with_index do |string, index|
|
236
|
+
lsa_string = LSA_UNICODE_STRING.new(lsa_unicode_strings_pointer + index * LSA_UNICODE_STRING.size)
|
237
|
+
lsa_string[:Buffer] = FFI::MemoryPointer.from_string(wide_string(string))
|
238
|
+
lsa_string[:Length] = string.length * 2
|
239
|
+
lsa_string[:MaximumLength] = lsa_string[:Length] + 2
|
240
|
+
end
|
241
|
+
|
242
|
+
lsa_unicode_strings_pointer
|
243
|
+
end
|
244
|
+
private_class_method :new_lsa_unicode_strings_pointer
|
245
|
+
|
246
|
+
# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/18d8fbe8-a967-4f1c-ae50-99ca8e491d2d
|
247
|
+
def self.check_lsa_nt_status_and_raise_failures(status, method_name)
|
248
|
+
error_code = LsaNtStatusToWinError(status)
|
249
|
+
|
250
|
+
error_reason = case error_code.to_s(16)
|
251
|
+
when '0' # ERROR_SUCCESS
|
252
|
+
return # Method call succeded
|
253
|
+
when '2' # ERROR_FILE_NOT_FOUND
|
254
|
+
return # No rights/privilleges assigned to given user
|
255
|
+
when '5' # ERROR_ACCESS_DENIED
|
256
|
+
"Access is denied. Please make sure that puppet is running as administrator."
|
257
|
+
when '521' # ERROR_NO_SUCH_PRIVILEGE
|
258
|
+
"One or more of the given rights/privilleges are incorrect."
|
259
|
+
when '6ba' # RPC_S_SERVER_UNAVAILABLE
|
260
|
+
"The RPC server is unavailable or given domain name is invalid."
|
261
|
+
end
|
262
|
+
|
263
|
+
raise Puppet::Error.new("Calling `#{method_name}` returned 'Win32 Error Code 0x%08X'. #{error_reason}" % error_code)
|
264
|
+
end
|
265
|
+
private_class_method :check_lsa_nt_status_and_raise_failures
|
266
|
+
|
133
267
|
ffi_convention :stdcall
|
134
268
|
|
135
269
|
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx
|
@@ -314,4 +448,104 @@ module Puppet::Util::Windows::User
|
|
314
448
|
ffi_lib :advapi32
|
315
449
|
attach_function_private :IsValidSid,
|
316
450
|
[:pointer], :win32_bool
|
451
|
+
|
452
|
+
# https://docs.microsoft.com/en-us/windows/win32/api/lsalookup/ns-lsalookup-lsa_object_attributes
|
453
|
+
# typedef struct _LSA_OBJECT_ATTRIBUTES {
|
454
|
+
# ULONG Length;
|
455
|
+
# HANDLE RootDirectory;
|
456
|
+
# PLSA_UNICODE_STRING ObjectName;
|
457
|
+
# ULONG Attributes;
|
458
|
+
# PVOID SecurityDescriptor;
|
459
|
+
# PVOID SecurityQualityOfService;
|
460
|
+
# } LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
|
461
|
+
class LSA_OBJECT_ATTRIBUTES < FFI::Struct
|
462
|
+
layout :Length, :ulong,
|
463
|
+
:RootDirectory, :handle,
|
464
|
+
:ObjectName, :plsa_unicode_string,
|
465
|
+
:Attributes, :ulong,
|
466
|
+
:SecurityDescriptor, :pvoid,
|
467
|
+
:SecurityQualityOfService, :pvoid
|
468
|
+
end
|
469
|
+
|
470
|
+
# https://docs.microsoft.com/en-us/windows/win32/api/lsalookup/ns-lsalookup-lsa_unicode_string
|
471
|
+
# typedef struct _LSA_UNICODE_STRING {
|
472
|
+
# USHORT Length;
|
473
|
+
# USHORT MaximumLength;
|
474
|
+
# PWSTR Buffer;
|
475
|
+
# } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
|
476
|
+
class LSA_UNICODE_STRING < FFI::Struct
|
477
|
+
layout :Length, :ushort,
|
478
|
+
:MaximumLength, :ushort,
|
479
|
+
:Buffer, :pwstr
|
480
|
+
end
|
481
|
+
|
482
|
+
# https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaenumerateaccountrights
|
483
|
+
# https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment
|
484
|
+
# NTSTATUS LsaEnumerateAccountRights(
|
485
|
+
# LSA_HANDLE PolicyHandle,
|
486
|
+
# PSID AccountSid,
|
487
|
+
# PLSA_UNICODE_STRING *UserRights,
|
488
|
+
# PULONG CountOfRights
|
489
|
+
# );
|
490
|
+
ffi_lib :advapi32
|
491
|
+
attach_function_private :LsaEnumerateAccountRights,
|
492
|
+
[:lsa_handle, :psid, :plsa_unicode_string, :pulong], :ntstatus
|
493
|
+
|
494
|
+
# https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaaddaccountrights
|
495
|
+
# NTSTATUS LsaAddAccountRights(
|
496
|
+
# LSA_HANDLE PolicyHandle,
|
497
|
+
# PSID AccountSid,
|
498
|
+
# PLSA_UNICODE_STRING UserRights,
|
499
|
+
# ULONG CountOfRights
|
500
|
+
# );
|
501
|
+
ffi_lib :advapi32
|
502
|
+
attach_function_private :LsaAddAccountRights,
|
503
|
+
[:lsa_handle, :psid, :plsa_unicode_string, :ulong], :ntstatus
|
504
|
+
|
505
|
+
# https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaremoveaccountrights
|
506
|
+
# NTSTATUS LsaRemoveAccountRights(
|
507
|
+
# LSA_HANDLE PolicyHandle,
|
508
|
+
# PSID AccountSid,
|
509
|
+
# BOOLEAN AllRights,
|
510
|
+
# PLSA_UNICODE_STRING UserRights,
|
511
|
+
# ULONG CountOfRights
|
512
|
+
# );
|
513
|
+
ffi_lib :advapi32
|
514
|
+
attach_function_private :LsaRemoveAccountRights,
|
515
|
+
[:lsa_handle, :psid, :bool, :plsa_unicode_string, :ulong], :ntstatus
|
516
|
+
|
517
|
+
# https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaopenpolicy
|
518
|
+
# NTSTATUS LsaOpenPolicy(
|
519
|
+
# PLSA_UNICODE_STRING SystemName,
|
520
|
+
# PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
|
521
|
+
# ACCESS_MASK DesiredAccess,
|
522
|
+
# PLSA_HANDLE PolicyHandle
|
523
|
+
# );
|
524
|
+
ffi_lib :advapi32
|
525
|
+
attach_function_private :LsaOpenPolicy,
|
526
|
+
[:plsa_unicode_string, :plsa_object_attributes, :access_mask, :plsa_handle], :ntstatus
|
527
|
+
|
528
|
+
# https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaclose
|
529
|
+
# NTSTATUS LsaClose(
|
530
|
+
# LSA_HANDLE ObjectHandle
|
531
|
+
# );
|
532
|
+
ffi_lib :advapi32
|
533
|
+
attach_function_private :LsaClose,
|
534
|
+
[:lsa_handle], :ntstatus
|
535
|
+
|
536
|
+
# https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsafreememory
|
537
|
+
# NTSTATUS LsaFreeMemory(
|
538
|
+
# PVOID Buffer
|
539
|
+
# );
|
540
|
+
ffi_lib :advapi32
|
541
|
+
attach_function_private :LsaFreeMemory,
|
542
|
+
[:pvoid], :ntstatus
|
543
|
+
|
544
|
+
# https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsantstatustowinerror
|
545
|
+
# ULONG LsaNtStatusToWinError(
|
546
|
+
# NTSTATUS Status
|
547
|
+
# );
|
548
|
+
ffi_lib :advapi32
|
549
|
+
attach_function_private :LsaNtStatusToWinError,
|
550
|
+
[:ntstatus], :ulong
|
317
551
|
end
|