puppet 6.17.0-x64-mingw32 → 6.21.0-x64-mingw32

data/lib/puppet/util/autoload.rb

@@ -10,6 +10,14 @@ require 'puppet/concurrent/synchronized'
 # @api private
 class Puppet::Util::ModuleDirectoriesAdapter < Puppet::Pops::Adaptable::Adapter
   attr_accessor :directories
+
+  def self.create_adapter(env)
+    adapter = super(env)
+    adapter.directories = env.modulepath.flat_map do |dir|
+      Dir.glob(File.join(dir, '*', 'lib'))
+    end
+    adapter
+  end
 end
 
 # Autoload paths, either based on names or all at once.
@@ -119,13 +127,7 @@ class Puppet::Util::Autoload
     def module_directories(env)
       raise ArgumentError, "Autoloader requires an environment" unless env
 
-      Puppet::Util::ModuleDirectoriesAdapter.adapt(env) do |a|
-        a.directories ||= env.modulepath.collect do |dir|
-          Dir.entries(dir).reject { |f| f =~ /^\./ }.collect { |f| File.join(dir, f, "lib") }
-        end.flatten.find_all do |d|
-          FileTest.directory?(d)
-        end
-      end.directories
+      Puppet::Util::ModuleDirectoriesAdapter.adapt(env).directories
     end
 
     # @api private
@@ -164,14 +166,7 @@ class Puppet::Util::Autoload
     # Normalize a path. This converts ALT_SEPARATOR to SEPARATOR on Windows
     # and eliminates unnecessary parts of a path.
     def cleanpath(path)
-      # There are two cases here because cleanpath does not handle absolute
-      # paths correctly on windows (c:\ and c:/ are treated as distinct) but
-      # we don't want to convert relative paths to absolute
-      if Puppet::Util.absolute_path?(path)
-        File.expand_path(path)
-      else
-        Pathname.new(path).cleanpath.to_s
-      end
+      Pathname.new(path).cleanpath.to_s
     end
   end
 

data/lib/puppet/util/character_encoding.rb

@@ -19,8 +19,9 @@ module Puppet::Util::CharacterEncoding
       begin
         if original_encoding == Encoding::UTF_8
           if !string_copy.valid_encoding?
-            Puppet.debug(_("%{value} is already labeled as UTF-8 but this encoding is invalid. It cannot be transcoded by Puppet.") %
-              { value: string.dump })
+            Puppet.debug {
+              _("%{value} is already labeled as UTF-8 but this encoding is invalid. It cannot be transcoded by Puppet.") % { value: string.dump }
+            }
           end
           # String is already valid UTF-8 - noop
           return string_copy
@@ -40,8 +41,9 @@ module Puppet::Util::CharacterEncoding
         # Catch both our own self-determined failure to transcode as well as any
         # error on ruby's part, ie Encoding::UndefinedConversionError on a
         # failure to encode!.
-        Puppet.debug(_("%{error}: %{value} cannot be transcoded by Puppet.") %
-          { error: detail.inspect, value: string.dump })
+        Puppet.debug {
+          _("%{error}: %{value} cannot be transcoded by Puppet.") % { error: detail.inspect, value: string.dump }
+        }
         return string_copy
       end
     end
@@ -67,7 +69,9 @@ module Puppet::Util::CharacterEncoding
       if string_copy.force_encoding(Encoding::UTF_8).valid_encoding?
         return string_copy
       else
-        Puppet.debug(_("%{value} is not valid UTF-8 and result of overriding encoding would be invalid.") % { value: string.dump })
+        Puppet.debug {
+          _("%{value} is not valid UTF-8 and result of overriding encoding would be invalid.") % { value: string.dump }
+        }
         # Set copy back to its original encoding before returning
         return string_copy.force_encoding(original_encoding)
       end

data/lib/puppet/util/connection.rb

@@ -8,7 +8,7 @@ module Puppet::Util
     # The logic for server and port is kind of gross. In summary:
     # IF an endpoint-specific setting is requested AND that setting has been set by the user
     #    Use that setting.
-    #         The defaults for these settings are the "normal" server/masterport settings, so
+    #         The defaults for these settings are the "normal" server/serverport settings, so
     #         when they are unset we instead want to "fall back" to the failover-selected
     #         host/port pair.
     # ELSE IF we have a failover-selected host/port
@@ -17,7 +17,7 @@ module Puppet::Util
     #    Use the first entry - failover hasn't happened yet, but that
     #    setting is still authoritative
     # ELSE
-    #    Go for the legacy server/masterport settings, and hope for the best
+    #    Go for the legacy server/serverport settings, and hope for the best
 
     # Determines which server to use based on the specified setting, taking into
     # account HA fallback from server_list.
@@ -55,7 +55,7 @@ module Puppet::Util
     # @param [Symbol] server_setting The server setting assoicated with this route.
     # @return [Integer] the port to use for use in the request
     def self.determine_port(port_setting, server_setting)
-      if (port_setting && port_setting != :masterport && Puppet.settings.set_by_config?(port_setting)) ||
+      if (port_setting && port_setting != :serverport && Puppet.settings.set_by_config?(port_setting)) ||
          (server_setting && server_setting != :server && Puppet.settings.set_by_config?(server_setting))
         debug_once _("Selected port from the %{setting} setting: %{port}") % {setting: port_setting, port: Puppet.settings[port_setting].to_i}
         Puppet.settings[port_setting].to_i
@@ -65,18 +65,18 @@ module Puppet::Util
           if primary_server
             # Port might not be set, so we want to fallback in that
             # case. We know we don't need to use `setting` here, since
-            # the default value of every port setting is `masterport`
+            # the default value of every port setting is `serverport`
             if primary_server[1]
               #TRANSLATORS 'server_list' is the name of a setting and should not be translated
               debug_once _("Dynamically-bound port lookup failed; using first entry from the `server_list` setting: %{port}") % {port: primary_server[1]}
               primary_server[1]
             else
-              #TRANSLATORS 'masterport' is the name of a setting and should not be translated
-              debug_once _("Dynamically-bound port lookup failed; falling back to `masterport` setting: %{port}") % {port: Puppet.settings[:masterport]}
-              Puppet.settings[:masterport]
+              #TRANSLATORS 'serverport' is the name of a setting and should not be translated
+              debug_once _("Dynamically-bound port lookup failed; falling back to `serverport` setting: %{port}") % {port: Puppet.settings[:serverport]}
+              Puppet.settings[:serverport]
             end
           else
-            port_setting ||= :masterport
+            port_setting ||= :serverport
             debug_once _("Dynamically-bound port lookup failed; falling back to %{setting} setting: %{port}") % {setting: port_setting, port: Puppet.settings[port_setting]}
             Puppet.settings[port_setting]
           end

data/lib/puppet/util/execution.rb

@@ -68,7 +68,7 @@ module Puppet::Util::Execution
     if respond_to? :debug
       debug "Executing '#{command_str}'"
     else
-      Puppet.debug "Executing '#{command_str}'"
+      Puppet.debug { "Executing '#{command_str}'" }
     end
 
     # force the run of the command with
@@ -186,7 +186,7 @@ module Puppet::Util::Execution
     if respond_to? :debug
       debug "Executing#{user_log_s}: '#{command_str}'"
     else
-      Puppet.debug "Executing#{user_log_s}: '#{command_str}'"
+      Puppet.debug { "Executing#{user_log_s}: '#{command_str}'" }
     end
 
     null_file = Puppet::Util::Platform.windows? ? 'NUL' : '/dev/null'

data/lib/puppet/util/fact_dif.rb

@@ -0,0 +1,62 @@
+require 'json'
+
+class FactDif
+  def initialize(old_output, new_output, exclude_list = [])
+    @c_facter = JSON.parse(old_output)['values']
+    @next_facter = JSON.parse(new_output)['values']
+    @exclude_list = exclude_list
+    @diff = {}
+  end
+
+  def difs
+    search_hash(@c_facter, [])
+
+    @diff
+  end
+
+  private
+
+  def search_hash(sh, path = [])
+    if sh.is_a?(Hash)
+      sh.each do |k, v|
+        search_hash(v, path.push(k))
+        path.pop
+      end
+    elsif sh.is_a?(Array)
+      sh.each_with_index do |v, index|
+        search_hash(v, path.push(index))
+        path.pop
+      end
+    else
+      compare(path, sh)
+    end
+  end
+
+  def compare(fact_path, old_value)
+    new_value = @next_facter.dig(*fact_path)
+    if different?(new_value, old_value) && !excluded?(fact_path.join('.'))
+      @diff[fact_path.join('.')] = { new_value: new_value, old_value: old_value }
+    end
+  end
+
+  def different?(new, old)
+    if old.is_a?(String) && new.is_a?(String)
+      old_values = old.split(',')
+      new_values = new.split(',')
+
+      diff = old_values - new_values
+      # also add new entries only available in Facter 4
+      diff.concat(new_values - old_values)
+
+      return true if diff.any?
+
+      return false
+    end
+
+    old != new
+  end
+
+  def excluded?(fact_name)
+    @exclude_list.any? {|excluded_fact| fact_name =~ /#{excluded_fact}/}
+  end
+end

data/lib/puppet/util/posix.rb

@@ -12,11 +12,18 @@ module Puppet::Util::POSIX
   class << self
     # Returns an array of all the groups that the user's a member of.
     def groups_of(user)
-      groups = []
-      Puppet::Etc.group do |group|
-        groups << group.name if group.mem.include?(user)
+      begin
+        require 'puppet/ffi/posix'
+        groups = get_groups_list(user)
+      rescue StandardError, LoadError => e
+        Puppet.debug("Falling back to Puppet::Etc.group: #{e.message}")
+
+        groups = []
+        Puppet::Etc.group do |group|
+          groups << group.name if group.mem.include?(user)
+        end
       end
-  
+
       uniq_groups = groups.uniq
       if uniq_groups != groups
         Puppet.debug(_('Removing any duplicate group entries'))
@@ -24,6 +31,39 @@ module Puppet::Util::POSIX
 
       uniq_groups
     end
+
+    private
+    def get_groups_list(user)
+      raise LoadError, "The 'getgrouplist' method is not available" unless Puppet::FFI::POSIX::Functions.respond_to?(:getgrouplist)
+
+      user_gid = Puppet::Etc.getpwnam(user).gid
+      ngroups = Puppet::FFI::POSIX::Constants::MAXIMUM_NUMBER_OF_GROUPS
+
+      while true do # rubocop:disable Lint/LiteralInCondition
+        FFI::MemoryPointer.new(:int) do |ngroups_ptr|
+          FFI::MemoryPointer.new(:uint, ngroups) do |groups_ptr|
+            old_ngroups = ngroups
+            ngroups_ptr.write_int(ngroups)
+
+            if Puppet::FFI::POSIX::Functions::getgrouplist(user, user_gid, groups_ptr, ngroups_ptr) != -1
+              groups_gids = groups_ptr.get_array_of_uint(0, ngroups_ptr.read_int)
+
+              result = []
+              groups_gids.each do |group_gid|
+                group_info = Puppet::Etc.getgrgid(group_gid)
+                result |= [group_info.name] if group_info.mem.include?(user)
+              end
+              return result
+            end
+
+            ngroups = ngroups_ptr.read_int
+            if ngroups <= old_ngroups
+              ngroups *= 2
+            end
+          end
+        end
+      end
+    end
   end
 
   # Retrieve a field from a POSIX Etc object.  The id can be either an integer
@@ -144,8 +184,17 @@ module Puppet::Util::POSIX
       name = get_posix_field(location, :name, id)
       check_value = name
     end
+
     if check_value != field
-      return search_posix_field(location, id_field, field)
+      check_value_id = get_posix_field(location, id_field, check_value) if check_value
+
+      if id == check_value_id
+        Puppet.debug("Multiple entries found for resource: '#{location}' with #{id_field}: #{id}")
+        return id
+      else
+        Puppet.debug("The value retrieved: '#{check_value}' is different than the required state: '#{field}', searching in all entries")
+        return search_posix_field(location, id_field, field)
+      end
     else
       return id
     end

data/lib/puppet/util/rubygems.rb

@@ -41,7 +41,11 @@ module Puppet::Util::RubyGems
     def directories
       # `require 'mygem'` will consider and potentially load
       # prerelease gems, so we need to match that behavior.
-      Gem::Specification.latest_specs(true).collect do |spec|
+      #
+      # Just load the stub which points to the gem path, and
+      # delay loading the full specification until if/when the
+      # gem is required.
+      Gem::Specification.stubs.collect do |spec|
         File.join(spec.full_gem_path, 'lib')
       end
     end

data/lib/puppet/util/run_mode.rb

@@ -18,8 +18,12 @@ module Puppet
         end
       end
 
+      def server?
+        name == :master || name == :server
+      end
+
       def master?
-        name == :master
+        name == :master || name == :server
       end
 
       def agent?

data/lib/puppet/util/windows.rb

@@ -26,6 +26,7 @@ module Puppet::Util::Windows
     require 'win32ole' ; WIN32OLE.codepage = WIN32OLE::CP_UTF8
     # gems
     require 'win32/process'
+    require 'puppet/util/windows/monkey_patches/dir'
     require 'win32/dir'
     require 'win32/service'
 

data/lib/puppet/util/windows/api_types.rb

@@ -60,7 +60,7 @@ module Puppet::Util::Windows::APITypes
 
       str.encode(dst_encoding, str.encoding, encode_options)
     rescue EncodingError => e
-      Puppet.debug "Unable to convert value #{str.nil? ? 'nil' : str.dump} to encoding #{dst_encoding} due to #{e.inspect}"
+      Puppet.debug { "Unable to convert value #{str.nil? ? 'nil' : str.dump} to encoding #{dst_encoding} due to #{e.inspect}" }
       raise
     end
 
@@ -196,6 +196,20 @@ module Puppet::Util::Windows::APITypes
   FFI.typedef :uchar, :byte
   FFI.typedef :uint16, :wchar
 
+  # Definitions for data types used in LSA structures and functions
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/
+  # https://docs.microsoft.com/sr-latn-rs/windows/win32/secmgmt/management-data-types
+  FFI.typedef :pointer, :pwstr
+  FFI.typedef :pointer, :pulong
+  FFI.typedef :pointer, :lsa_handle
+  FFI.typedef :pointer, :plsa_handle
+  FFI.typedef :pointer, :psid
+  FFI.typedef :pointer, :pvoid
+  FFI.typedef :pointer, :plsa_unicode_string
+  FFI.typedef :pointer, :plsa_object_attributes
+  FFI.typedef :uint32,  :ntstatus
+  FFI.typedef :dword,   :access_mask
+
   module ::FFI::WIN32
     extend ::FFI::Library
 

data/lib/puppet/util/windows/monkey_patches/dir.rb

@@ -0,0 +1,40 @@
+require 'win32/dir/constants'
+require 'win32/dir/functions'
+require 'win32/dir/structs'
+
+class DirMonkeyPatched
+  include ::Dir::Structs
+  include ::Dir::Constants
+  extend  ::Dir::Functions
+
+  path  = nil
+  key   = :PERSONAL
+  value = 0x0005
+  buf   = 0.chr * 1024
+  buf.encode!(Encoding::UTF_16LE)
+
+  if SHGetFolderPathW(0, value, 0, 0, buf) == 0 # Current path
+    path = buf.strip
+  elsif SHGetFolderPathW(0, value, 0, 1, buf) == 0 # Default path
+    path = buf.strip
+  else
+    FFI::MemoryPointer.new(:long) do |ptr|
+      if SHGetFolderLocation(0, value, 0, 0, ptr) == 0
+        SHFILEINFO.new do |info|
+          flags = SHGFI_DISPLAYNAME | SHGFI_PIDL
+          if SHGetFileInfo(ptr.read_long, 0, info, info.size, flags) != 0
+            path = info[:szDisplayName].to_s
+          end
+        end
+      end
+    end
+  end
+
+  if path.nil?
+    begin
+      Dir.const_set(key, ''.encode(Encoding.default_external))
+    rescue Encoding::UndefinedConversionError
+      Dir.const_set(key, ''.encode(Encoding::UTF_8))
+    end
+  end
+end

data/lib/puppet/util/windows/security.rb

@@ -340,10 +340,10 @@ module Puppet::Util::Windows::Security
           Puppet.warning _("Setting control rights for %{path} owner SYSTEM to less than Full Control rights. Setting SYSTEM rights to less than Full Control may have unintented consequences for operations on this file") % { path: path }
         elsif managing_owner && isownergroup
           #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
-          Puppet.debug _("%{path} owner and group both set to user SYSTEM, but group is not managed directly: SYSTEM user rights will be set to FullControl by group") % { path: path }
+          Puppet.debug { _("%{path} owner and group both set to user SYSTEM, but group is not managed directly: SYSTEM user rights will be set to FullControl by group") % { path: path } }
         else
           #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
-          Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the owner, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
+          Puppet.debug { _("An attempt to set mode %{mode} on item %{path} would result in the owner, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path } }
           owner_allow = FILE::FILE_ALL_ACCESS
         end
       end
@@ -356,10 +356,10 @@ module Puppet::Util::Windows::Security
           Puppet.warning _("Setting control rights for %{path} group SYSTEM to less than Full Control rights. Setting SYSTEM rights to less than Full Control may have unintented consequences for operations on this file") % { path: path }
         elsif managing_group && isownergroup
           #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
-          Puppet.debug _("%{path} owner and group both set to user SYSTEM, but owner is not managed directly: SYSTEM user rights will be set to FullControl by owner") % { path: path }
+          Puppet.debug { _("%{path} owner and group both set to user SYSTEM, but owner is not managed directly: SYSTEM user rights will be set to FullControl by owner") % { path: path } }
         else
           #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
-          Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the group, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
+          Puppet.debug { _("An attempt to set mode %{mode} on item %{path} would result in the group, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path } }
           group_allow = FILE::FILE_ALL_ACCESS
         end
       end

data/lib/puppet/util/windows/service.rb

@@ -191,7 +191,7 @@ module Puppet::Util::Windows
     SERVICE_CONFIG_PRESHUTDOWN_INFO         = 0x00000007
     SERVICE_CONFIG_TRIGGER_INFO             = 0x00000008
     SERVICE_CONFIG_PREFERRED_NODE           = 0x00000009
-    SERVICE_CONFIG_LAUNCH_PROTECTED         = 0x00000012
+    SERVICE_CONFIG_LAUNCH_PROTECTED         = 0x0000000C
     SERVICE_NO_CHANGE                       = 0xffffffff
     SERVICE_CONFIG_TYPES = {
       SERVICE_CONFIG_DESCRIPTION => :SERVICE_CONFIG_DESCRIPTION,

data/lib/puppet/util/windows/user.rb

@@ -145,6 +145,125 @@ module Puppet::Util::Windows::User
   end
   module_function :load_profile
 
+  def get_rights(name)
+    user_info = Puppet::Util::Windows::SID.name_to_principal(name.sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\"))
+    return "" unless user_info
+
+    rights = []
+    rights_pointer = FFI::MemoryPointer.new(:pointer)
+    number_of_rights = FFI::MemoryPointer.new(:ulong)
+    sid_pointer = FFI::MemoryPointer.new(:byte, user_info.sid_bytes.length).write_array_of_uchar(user_info.sid_bytes)
+
+    new_lsa_policy_handle do |policy_handle|
+      result = LsaEnumerateAccountRights(policy_handle.read_pointer, sid_pointer, rights_pointer, number_of_rights)
+      check_lsa_nt_status_and_raise_failures(result, "LsaEnumerateAccountRights")
+    end
+
+    number_of_rights.read_ulong.times do |index|
+      right = LSA_UNICODE_STRING.new(rights_pointer.read_pointer + index * LSA_UNICODE_STRING.size)
+      rights << right[:Buffer].read_arbitrary_wide_string_up_to
+    end
+
+    result = LsaFreeMemory(rights_pointer.read_pointer)
+    check_lsa_nt_status_and_raise_failures(result, "LsaFreeMemory")
+
+    rights.join(",")
+  end
+  module_function :get_rights
+
+  def set_rights(name, rights)
+    rights_pointer = new_lsa_unicode_strings_pointer(rights)
+    user_info = Puppet::Util::Windows::SID.name_to_principal(name.sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\"))
+    sid_pointer = FFI::MemoryPointer.new(:byte, user_info.sid_bytes.length).write_array_of_uchar(user_info.sid_bytes)
+
+    new_lsa_policy_handle do |policy_handle|
+      result = LsaAddAccountRights(policy_handle.read_pointer, sid_pointer, rights_pointer, rights.size)
+      check_lsa_nt_status_and_raise_failures(result, "LsaAddAccountRights")
+    end
+  end
+  module_function :set_rights
+
+  def remove_rights(name, rights)
+    rights_pointer = new_lsa_unicode_strings_pointer(rights)
+    user_info = Puppet::Util::Windows::SID.name_to_principal(name.sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\"))
+    sid_pointer = FFI::MemoryPointer.new(:byte, user_info.sid_bytes.length).write_array_of_uchar(user_info.sid_bytes)
+
+    new_lsa_policy_handle do |policy_handle|
+      result = LsaRemoveAccountRights(policy_handle.read_pointer, sid_pointer, false, rights_pointer, rights.size)
+      check_lsa_nt_status_and_raise_failures(result, "LsaRemoveAccountRights")
+    end
+  end
+  module_function :remove_rights
+
+  # ACCESS_MASK flags for Policy Objects
+  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/b61b7268-987a-420b-84f9-6c75f8dc8558
+  POLICY_VIEW_LOCAL_INFORMATION   = 0x00000001
+  POLICY_VIEW_AUDIT_INFORMATION   = 0x00000002
+  POLICY_GET_PRIVATE_INFORMATION  = 0x00000004
+  POLICY_TRUST_ADMIN              = 0x00000008
+  POLICY_CREATE_ACCOUNT           = 0x00000010
+  POLICY_CREATE_SECRET            = 0x00000020
+  POLICY_CREATE_PRIVILEGE         = 0x00000040
+  POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080
+  POLICY_SET_AUDIT_REQUIREMENTS   = 0x00000100
+  POLICY_AUDIT_LOG_ADMIN          = 0x00000200
+  POLICY_SERVER_ADMIN             = 0x00000400
+  POLICY_LOOKUP_NAMES             = 0x00000800
+  POLICY_NOTIFICATION             = 0x00001000
+
+  def self.new_lsa_policy_handle
+    access = 0
+    access |= POLICY_LOOKUP_NAMES
+    access |= POLICY_CREATE_ACCOUNT
+    policy_handle = FFI::MemoryPointer.new(:pointer)
+
+    result = LsaOpenPolicy(nil, LSA_OBJECT_ATTRIBUTES.new, access, policy_handle)
+    check_lsa_nt_status_and_raise_failures(result, "LsaOpenPolicy")
+
+    begin
+      yield policy_handle
+    ensure
+      result = LsaClose(policy_handle.read_pointer)
+      check_lsa_nt_status_and_raise_failures(result, "LsaClose")
+    end
+  end
+  private_class_method :new_lsa_policy_handle
+
+  def self.new_lsa_unicode_strings_pointer(strings)
+    lsa_unicode_strings_pointer = FFI::MemoryPointer.new(LSA_UNICODE_STRING, strings.size)
+
+    strings.each_with_index do |string, index|
+      lsa_string = LSA_UNICODE_STRING.new(lsa_unicode_strings_pointer + index * LSA_UNICODE_STRING.size)
+      lsa_string[:Buffer] = FFI::MemoryPointer.from_string(wide_string(string))
+      lsa_string[:Length] = string.length * 2
+      lsa_string[:MaximumLength] = lsa_string[:Length] + 2
+    end
+
+    lsa_unicode_strings_pointer
+  end
+  private_class_method :new_lsa_unicode_strings_pointer
+
+  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/18d8fbe8-a967-4f1c-ae50-99ca8e491d2d
+  def self.check_lsa_nt_status_and_raise_failures(status, method_name)
+    error_code = LsaNtStatusToWinError(status)
+
+    error_reason = case error_code.to_s(16)
+    when '0' # ERROR_SUCCESS
+      return # Method call succeded
+    when '2' # ERROR_FILE_NOT_FOUND
+      return # No rights/privilleges assigned to given user
+    when '5' # ERROR_ACCESS_DENIED
+      "Access is denied. Please make sure that puppet is running as administrator."
+    when '521' # ERROR_NO_SUCH_PRIVILEGE
+      "One or more of the given rights/privilleges are incorrect."
+    when '6ba' # RPC_S_SERVER_UNAVAILABLE
+      "The RPC server is unavailable or given domain name is invalid."
+    end
+
+    raise Puppet::Error.new("Calling `#{method_name}` returned 'Win32 Error Code 0x%08X'. #{error_reason}" % error_code)
+  end
+  private_class_method :check_lsa_nt_status_and_raise_failures
+
   ffi_convention :stdcall
 
   # https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx
@@ -329,4 +448,104 @@ module Puppet::Util::Windows::User
   ffi_lib :advapi32
   attach_function_private :IsValidSid,
     [:pointer], :win32_bool
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/lsalookup/ns-lsalookup-lsa_object_attributes
+  # typedef struct _LSA_OBJECT_ATTRIBUTES {
+  #   ULONG               Length;
+  #   HANDLE              RootDirectory;
+  #   PLSA_UNICODE_STRING ObjectName;
+  #   ULONG               Attributes;
+  #   PVOID               SecurityDescriptor;
+  #   PVOID               SecurityQualityOfService;
+  # } LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
+  class LSA_OBJECT_ATTRIBUTES < FFI::Struct
+    layout :Length, :ulong,
+      :RootDirectory, :handle,
+      :ObjectName, :plsa_unicode_string,
+      :Attributes, :ulong,
+      :SecurityDescriptor, :pvoid,
+      :SecurityQualityOfService, :pvoid
+  end
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/lsalookup/ns-lsalookup-lsa_unicode_string
+  # typedef struct _LSA_UNICODE_STRING {
+  #   USHORT Length;
+  #   USHORT MaximumLength;
+  #   PWSTR  Buffer;
+  # } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
+  class LSA_UNICODE_STRING < FFI::Struct
+    layout :Length, :ushort,
+      :MaximumLength, :ushort,
+      :Buffer, :pwstr
+  end
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaenumerateaccountrights
+  # https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment
+  # NTSTATUS LsaEnumerateAccountRights(
+  #   LSA_HANDLE          PolicyHandle,
+  #   PSID                AccountSid,
+  #   PLSA_UNICODE_STRING *UserRights,
+  #   PULONG              CountOfRights
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaEnumerateAccountRights,
+    [:lsa_handle, :psid, :plsa_unicode_string, :pulong], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaaddaccountrights
+  # NTSTATUS LsaAddAccountRights(
+  #   LSA_HANDLE          PolicyHandle,
+  #   PSID                AccountSid,
+  #   PLSA_UNICODE_STRING UserRights,
+  #   ULONG               CountOfRights
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaAddAccountRights,
+    [:lsa_handle, :psid, :plsa_unicode_string, :ulong], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaremoveaccountrights
+  # NTSTATUS LsaRemoveAccountRights(
+  #   LSA_HANDLE          PolicyHandle,
+  #   PSID                AccountSid,
+  #   BOOLEAN             AllRights,
+  #   PLSA_UNICODE_STRING UserRights,
+  #   ULONG               CountOfRights
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaRemoveAccountRights,
+    [:lsa_handle, :psid, :bool, :plsa_unicode_string, :ulong], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaopenpolicy
+  # NTSTATUS LsaOpenPolicy(
+  #   PLSA_UNICODE_STRING    SystemName,
+  #   PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
+  #   ACCESS_MASK            DesiredAccess,
+  #   PLSA_HANDLE            PolicyHandle
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaOpenPolicy,
+    [:plsa_unicode_string, :plsa_object_attributes, :access_mask, :plsa_handle], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaclose
+  # NTSTATUS LsaClose(
+  #   LSA_HANDLE ObjectHandle
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaClose,
+    [:lsa_handle], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsafreememory
+  # NTSTATUS LsaFreeMemory(
+  #   PVOID Buffer
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaFreeMemory,
+    [:pvoid], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsantstatustowinerror
+  # ULONG LsaNtStatusToWinError(
+  #   NTSTATUS Status
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaNtStatusToWinError,
+    [:ntstatus], :ulong
 end