puppet 6.17.0-x64-mingw32 → 7.1.0-x64-mingw32

data/lib/puppet/util/windows/string.rb

@@ -1,16 +1,15 @@
-require 'puppet/util/windows'
+module Puppet
+  module Util
+    module Windows
+      module String
+        def wide_string(str)
+          # if given a nil string, assume caller wants to pass a nil pointer to win32
+          return nil if str.nil?
 
-module Puppet::Util::Windows::String
-  def wide_string(str)
-    # if given a nil string, assume caller wants to pass a nil pointer to win32
-    return nil if str.nil?
-    # ruby (< 2.1) does not respect multibyte terminators, so it is possible
-    # for a string to contain a single trailing null byte, followed by garbage
-    # causing buffer overruns.
-    #
-    # See http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?revision=41920&view=revision
-    newstr = str + "\0".encode(str.encoding)
-    newstr.encode!('UTF-16LE')
+          str.encode('UTF-16LE')
+        end
+        module_function :wide_string
+      end
+    end
   end
-  module_function :wide_string
 end

data/lib/puppet/util/windows/user.rb

@@ -145,6 +145,125 @@ module Puppet::Util::Windows::User
   end
   module_function :load_profile
 
+  def get_rights(name)
+    user_info = Puppet::Util::Windows::SID.name_to_principal(name.sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\"))
+    return "" unless user_info
+
+    rights = []
+    rights_pointer = FFI::MemoryPointer.new(:pointer)
+    number_of_rights = FFI::MemoryPointer.new(:ulong)
+    sid_pointer = FFI::MemoryPointer.new(:byte, user_info.sid_bytes.length).write_array_of_uchar(user_info.sid_bytes)
+
+    new_lsa_policy_handle do |policy_handle|
+      result = LsaEnumerateAccountRights(policy_handle.read_pointer, sid_pointer, rights_pointer, number_of_rights)
+      check_lsa_nt_status_and_raise_failures(result, "LsaEnumerateAccountRights")
+    end
+
+    number_of_rights.read_ulong.times do |index|
+      right = LSA_UNICODE_STRING.new(rights_pointer.read_pointer + index * LSA_UNICODE_STRING.size)
+      rights << right[:Buffer].read_arbitrary_wide_string_up_to
+    end
+
+    result = LsaFreeMemory(rights_pointer.read_pointer)
+    check_lsa_nt_status_and_raise_failures(result, "LsaFreeMemory")
+
+    rights.join(",")
+  end
+  module_function :get_rights
+
+  def set_rights(name, rights)
+    rights_pointer = new_lsa_unicode_strings_pointer(rights)
+    user_info = Puppet::Util::Windows::SID.name_to_principal(name.sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\"))
+    sid_pointer = FFI::MemoryPointer.new(:byte, user_info.sid_bytes.length).write_array_of_uchar(user_info.sid_bytes)
+
+    new_lsa_policy_handle do |policy_handle|
+      result = LsaAddAccountRights(policy_handle.read_pointer, sid_pointer, rights_pointer, rights.size)
+      check_lsa_nt_status_and_raise_failures(result, "LsaAddAccountRights")
+    end
+  end
+  module_function :set_rights
+
+  def remove_rights(name, rights)
+    rights_pointer = new_lsa_unicode_strings_pointer(rights)
+    user_info = Puppet::Util::Windows::SID.name_to_principal(name.sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\"))
+    sid_pointer = FFI::MemoryPointer.new(:byte, user_info.sid_bytes.length).write_array_of_uchar(user_info.sid_bytes)
+
+    new_lsa_policy_handle do |policy_handle|
+      result = LsaRemoveAccountRights(policy_handle.read_pointer, sid_pointer, false, rights_pointer, rights.size)
+      check_lsa_nt_status_and_raise_failures(result, "LsaRemoveAccountRights")
+    end
+  end
+  module_function :remove_rights
+
+  # ACCESS_MASK flags for Policy Objects
+  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/b61b7268-987a-420b-84f9-6c75f8dc8558
+  POLICY_VIEW_LOCAL_INFORMATION   = 0x00000001
+  POLICY_VIEW_AUDIT_INFORMATION   = 0x00000002
+  POLICY_GET_PRIVATE_INFORMATION  = 0x00000004
+  POLICY_TRUST_ADMIN              = 0x00000008
+  POLICY_CREATE_ACCOUNT           = 0x00000010
+  POLICY_CREATE_SECRET            = 0x00000020
+  POLICY_CREATE_PRIVILEGE         = 0x00000040
+  POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080
+  POLICY_SET_AUDIT_REQUIREMENTS   = 0x00000100
+  POLICY_AUDIT_LOG_ADMIN          = 0x00000200
+  POLICY_SERVER_ADMIN             = 0x00000400
+  POLICY_LOOKUP_NAMES             = 0x00000800
+  POLICY_NOTIFICATION             = 0x00001000
+
+  def self.new_lsa_policy_handle
+    access = 0
+    access |= POLICY_LOOKUP_NAMES
+    access |= POLICY_CREATE_ACCOUNT
+    policy_handle = FFI::MemoryPointer.new(:pointer)
+
+    result = LsaOpenPolicy(nil, LSA_OBJECT_ATTRIBUTES.new, access, policy_handle)
+    check_lsa_nt_status_and_raise_failures(result, "LsaOpenPolicy")
+
+    begin
+      yield policy_handle
+    ensure
+      result = LsaClose(policy_handle.read_pointer)
+      check_lsa_nt_status_and_raise_failures(result, "LsaClose")
+    end
+  end
+  private_class_method :new_lsa_policy_handle
+
+  def self.new_lsa_unicode_strings_pointer(strings)
+    lsa_unicode_strings_pointer = FFI::MemoryPointer.new(LSA_UNICODE_STRING, strings.size)
+
+    strings.each_with_index do |string, index|
+      lsa_string = LSA_UNICODE_STRING.new(lsa_unicode_strings_pointer + index * LSA_UNICODE_STRING.size)
+      lsa_string[:Buffer] = FFI::MemoryPointer.from_string(wide_string(string))
+      lsa_string[:Length] = string.length * 2
+      lsa_string[:MaximumLength] = lsa_string[:Length] + 2
+    end
+
+    lsa_unicode_strings_pointer
+  end
+  private_class_method :new_lsa_unicode_strings_pointer
+
+  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/18d8fbe8-a967-4f1c-ae50-99ca8e491d2d
+  def self.check_lsa_nt_status_and_raise_failures(status, method_name)
+    error_code = LsaNtStatusToWinError(status)
+
+    error_reason = case error_code.to_s(16)
+    when '0' # ERROR_SUCCESS
+      return # Method call succeded
+    when '2' # ERROR_FILE_NOT_FOUND
+      return # No rights/privilleges assigned to given user
+    when '5' # ERROR_ACCESS_DENIED
+      "Access is denied. Please make sure that puppet is running as administrator."
+    when '521' # ERROR_NO_SUCH_PRIVILEGE
+      "One or more of the given rights/privilleges are incorrect."
+    when '6ba' # RPC_S_SERVER_UNAVAILABLE
+      "The RPC server is unavailable or given domain name is invalid."
+    end
+
+    raise Puppet::Error.new("Calling `#{method_name}` returned 'Win32 Error Code 0x%08X'. #{error_reason}" % error_code)
+  end
+  private_class_method :check_lsa_nt_status_and_raise_failures
+
   ffi_convention :stdcall
 
   # https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx
@@ -329,4 +448,104 @@ module Puppet::Util::Windows::User
   ffi_lib :advapi32
   attach_function_private :IsValidSid,
     [:pointer], :win32_bool
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/lsalookup/ns-lsalookup-lsa_object_attributes
+  # typedef struct _LSA_OBJECT_ATTRIBUTES {
+  #   ULONG               Length;
+  #   HANDLE              RootDirectory;
+  #   PLSA_UNICODE_STRING ObjectName;
+  #   ULONG               Attributes;
+  #   PVOID               SecurityDescriptor;
+  #   PVOID               SecurityQualityOfService;
+  # } LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
+  class LSA_OBJECT_ATTRIBUTES < FFI::Struct
+    layout :Length, :ulong,
+      :RootDirectory, :handle,
+      :ObjectName, :plsa_unicode_string,
+      :Attributes, :ulong,
+      :SecurityDescriptor, :pvoid,
+      :SecurityQualityOfService, :pvoid
+  end
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/lsalookup/ns-lsalookup-lsa_unicode_string
+  # typedef struct _LSA_UNICODE_STRING {
+  #   USHORT Length;
+  #   USHORT MaximumLength;
+  #   PWSTR  Buffer;
+  # } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
+  class LSA_UNICODE_STRING < FFI::Struct
+    layout :Length, :ushort,
+      :MaximumLength, :ushort,
+      :Buffer, :pwstr
+  end
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaenumerateaccountrights
+  # https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment
+  # NTSTATUS LsaEnumerateAccountRights(
+  #   LSA_HANDLE          PolicyHandle,
+  #   PSID                AccountSid,
+  #   PLSA_UNICODE_STRING *UserRights,
+  #   PULONG              CountOfRights
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaEnumerateAccountRights,
+    [:lsa_handle, :psid, :plsa_unicode_string, :pulong], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaaddaccountrights
+  # NTSTATUS LsaAddAccountRights(
+  #   LSA_HANDLE          PolicyHandle,
+  #   PSID                AccountSid,
+  #   PLSA_UNICODE_STRING UserRights,
+  #   ULONG               CountOfRights
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaAddAccountRights,
+    [:lsa_handle, :psid, :plsa_unicode_string, :ulong], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaremoveaccountrights
+  # NTSTATUS LsaRemoveAccountRights(
+  #   LSA_HANDLE          PolicyHandle,
+  #   PSID                AccountSid,
+  #   BOOLEAN             AllRights,
+  #   PLSA_UNICODE_STRING UserRights,
+  #   ULONG               CountOfRights
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaRemoveAccountRights,
+    [:lsa_handle, :psid, :bool, :plsa_unicode_string, :ulong], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaopenpolicy
+  # NTSTATUS LsaOpenPolicy(
+  #   PLSA_UNICODE_STRING    SystemName,
+  #   PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
+  #   ACCESS_MASK            DesiredAccess,
+  #   PLSA_HANDLE            PolicyHandle
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaOpenPolicy,
+    [:plsa_unicode_string, :plsa_object_attributes, :access_mask, :plsa_handle], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaclose
+  # NTSTATUS LsaClose(
+  #   LSA_HANDLE ObjectHandle
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaClose,
+    [:lsa_handle], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsafreememory
+  # NTSTATUS LsaFreeMemory(
+  #   PVOID Buffer
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaFreeMemory,
+    [:pvoid], :ntstatus
+
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsantstatustowinerror
+  # ULONG LsaNtStatusToWinError(
+  #   NTSTATUS Status
+  # );
+  ffi_lib :advapi32
+  attach_function_private :LsaNtStatusToWinError,
+    [:ntstatus], :ulong
 end

data/lib/puppet/util/yaml.rb

@@ -42,28 +42,6 @@ module Puppet::Util::Yaml
     safe_load(yaml, allowed_classes, filename)
   end
 
-  # @deprecated Use {#safe_load_file} instead.
-  def self.load_file(filename, default_value = false, strip_classes = false)
-    Puppet.deprecation_warning(_("Puppet::Util::Yaml.load_file is deprecated. Use safe_load_file instead."))
-
-    if(strip_classes) then
-      data = YAML::parse_file(filename)
-      data.root.each do |o|
-        if o.respond_to?(:tag=) and
-           o.tag != nil and
-           o.tag.start_with?("!ruby")
-          o.tag = nil
-        end
-      end
-      data.to_ruby || default_value
-    else
-      yaml = YAML.load_file(filename)
-      yaml || default_value
-    end
-  rescue *YamlLoadExceptions => detail
-    raise YamlLoadError.new(detail.message, detail)
-  end
-
   def self.dump(structure, filename)
     Puppet::FileSystem.replace_file(filename, 0660) do |fh|
       YAML.dump(structure, fh)

data/lib/puppet/vendor/require_vendored.rb

@@ -2,4 +2,3 @@
 # Add one requirement per vendored package (or a comment if it is loaded on demand).
 
 # The vendored library 'rgen' is loaded on demand.
-# The vendored library 'pathspec' is loaded on demand.

data/lib/puppet/version.rb

@@ -6,7 +6,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 
 module Puppet
-  PUPPETVERSION = '6.17.0'
+  PUPPETVERSION = '7.1.0'
 
   ##
   # version is a public API method intended to always provide a fast and

data/lib/puppet/x509.rb

@@ -1,7 +1,11 @@
 require 'puppet'
 require 'puppet/ssl/openssl_loader'
 
-module Puppet::X509 # :nodoc:
+# Responsible for loading and saving certificates and private keys.
+#
+# @see Puppet::X509::CertProvider
+# @api private
+module Puppet::X509
   require 'puppet/x509/pem_store'
   require 'puppet/x509/cert_provider'
 end

data/lib/puppet/x509/cert_provider.rb

@@ -1,6 +1,11 @@
 require 'puppet/x509'
 
-# Class for loading and saving cert related objects.
+# Class for loading and saving cert related objects. By default the provider
+# loads and saves based on puppet's default settings, such as `Puppet[:localcacert]`.
+# The providers sets the permissions on files it saves, such as the private key.
+# All of the `load_*` methods take an optional `required` parameter. If an object
+# doesn't exist, then by default the provider returns `nil`. However, if the
+# `required` parameter is true, then an exception will be raised instead.
 #
 # @api private
 class Puppet::X509::CertProvider
@@ -32,6 +37,7 @@ class Puppet::X509::CertProvider
   #
   # @param certs [Array<OpenSSL::X509::Certificate>] Array of CA certs to save
   # @raise [Puppet::Error] if the certs cannot be saved
+  #
   # @api private
   def save_cacerts(certs)
     save_pem(certs.map(&:to_pem).join, @capath, **permissions_for_setting(:localcacert))
@@ -45,6 +51,7 @@ class Puppet::X509::CertProvider
   # @return (see #load_cacerts_from_pem)
   # @raise (see #load_cacerts_from_pem)
   # @raise [Puppet::Error] if the certs cannot be loaded
+  #
   # @api private
   def load_cacerts(required: false)
     pem = load_pem(@capath)
@@ -61,6 +68,7 @@ class Puppet::X509::CertProvider
   # @param pem [String] PEM encoded certificate(s)
   # @return [Array<OpenSSL::X509::Certificate>] Array of CA certs
   # @raise [OpenSSL::X509::CertificateError] The `pem` text does not contain a valid cert
+  #
   # @api private
   def load_cacerts_from_pem(pem)
     # TRANSLATORS 'PEM' is an acronym and shouldn't be translated
@@ -75,6 +83,7 @@ class Puppet::X509::CertProvider
   #
   # @param crls [Array<OpenSSL::X509::CRL>] Array of CRLs to save
   # @raise [Puppet::Error] if the CRLs cannot be saved
+  #
   # @api private
   def save_crls(crls)
     save_pem(crls.map(&:to_pem).join, @crlpath, **permissions_for_setting(:hostcrl))
@@ -88,6 +97,7 @@ class Puppet::X509::CertProvider
   # @return (see #load_crls_from_pem)
   # @raise (see #load_crls_from_pem)
   # @raise [Puppet::Error] if the CRLs cannot be loaded
+  #
   # @api private
   def load_crls(required: false)
     pem = load_pem(@crlpath)
@@ -104,6 +114,7 @@ class Puppet::X509::CertProvider
   # @param pem [String] PEM encoded CRL(s)
   # @return [Array<OpenSSL::X509::CRL>] Array of CRLs
   # @raise [OpenSSL::X509::CRLError] The `pem` text does not contain a valid CRL
+  #
   # @api private
   def load_crls_from_pem(pem)
     # TRANSLATORS 'PEM' is an acronym and shouldn't be translated
@@ -118,6 +129,8 @@ class Puppet::X509::CertProvider
   #
   # @return [Time, nil] Time when the CRL was last updated, or nil if we don't
   #   have a CRL
+  #
+  # @api private
   def crl_last_update
     stat = Puppet::FileSystem.stat(@crlpath)
     Time.at(stat.mtime)
@@ -129,6 +142,7 @@ class Puppet::X509::CertProvider
   #
   # @param time [Time] The last updated time
   #
+  # @api private
   def crl_last_update=(time)
     Puppet::FileSystem.touch(@crlpath, mtime: time)
   end
@@ -142,6 +156,7 @@ class Puppet::X509::CertProvider
   #   from the password, and use that to encrypt the private key. If nil,
   #   save the private key unencrypted.
   # @raise [Puppet::Error] if the private key cannot be saved
+  #
   # @api private
   def save_private_key(name, key, password: nil)
     pem = if password
@@ -167,6 +182,7 @@ class Puppet::X509::CertProvider
   # @return (see #load_private_key_from_pem)
   # @raise (see #load_private_key_from_pem)
   # @raise [Puppet::Error] if the private key cannot be loaded
+  #
   # @api private
   def load_private_key(name, required: false, password: nil)
     path = @hostprivkey || to_path(@privatekeydir, name)
@@ -187,6 +203,7 @@ class Puppet::X509::CertProvider
   #   not specified, then the key cannot be loaded.
   # @return [OpenSSL::PKey::RSA, OpenSSL::PKey::EC] The private key
   # @raise [OpenSSL::PKey::PKeyError] The `pem` text does not contain a valid key
+  #
   # @api private
   def load_private_key_from_pem(pem, password: nil)
     # set a non-nil password to ensure openssl doesn't prompt
@@ -216,6 +233,8 @@ class Puppet::X509::CertProvider
   #
   # @return [String, nil] The private key password as a binary string or nil
   #   if there is none.
+  #
+  # @api private
   def load_private_key_password
     Puppet::FileSystem.read(Puppet[:passfile], :encoding => Encoding::BINARY)
   rescue Errno::ENOENT
@@ -227,6 +246,7 @@ class Puppet::X509::CertProvider
   # @param name [String] The client cert identity
   # @param cert [OpenSSL::X509::Certificate] The cert to save
   # @raise [Puppet::Error] if the client cert cannot be saved
+  #
   # @api private
   def save_client_cert(name, cert)
     path = @hostcert || to_path(@certdir, name)
@@ -242,6 +262,7 @@ class Puppet::X509::CertProvider
   # @return (see #load_request_from_pem)
   # @raise (see #load_client_cert_from_pem)
   # @raise [Puppet::Error] if the client cert cannot be loaded
+  #
   # @api private
   def load_client_cert(name, required: false)
     path = @hostcert || to_path(@certdir, name)
@@ -259,6 +280,7 @@ class Puppet::X509::CertProvider
   # @param pem [String] PEM encoded cert
   # @return [OpenSSL::X509::Certificate] the certificate
   # @raise [OpenSSL::X509::CertificateError] The `pem` text does not contain a valid cert
+  #
   # @api private
   def load_client_cert_from_pem(pem)
     OpenSSL::X509::Certificate.new(pem)
@@ -270,6 +292,7 @@ class Puppet::X509::CertProvider
   # @param private_key [OpenSSL::PKey::RSA] private key
   # @return [Puppet::X509::Request] The request
   #
+  # @api private
   def create_request(name, private_key)
     options = {}
 
@@ -292,6 +315,7 @@ class Puppet::X509::CertProvider
   # @param name [String] the request identity
   # @param csr [OpenSSL::X509::Request] the request
   # @raise [Puppet::Error] if the cert request cannot be saved
+  #
   # @api private
   def save_request(name, csr)
     path = to_path(@requestdir, name)
@@ -306,6 +330,7 @@ class Puppet::X509::CertProvider
   # @return (see #load_request_from_pem)
   # @raise (see #load_request_from_pem)
   # @raise [Puppet::Error] if the cert request cannot be saved
+  #
   # @api private
   def load_request(name)
     path = to_path(@requestdir, name)
@@ -319,6 +344,8 @@ class Puppet::X509::CertProvider
   #
   # @param name [String] The request identity
   # @return [Boolean] true if the CSR was deleted
+  #
+  # @api private
   def delete_request(name)
     path = to_path(@requestdir, name)
     delete_pem(path)
@@ -331,6 +358,7 @@ class Puppet::X509::CertProvider
   # @param pem [String] PEM encoded request
   # @return [OpenSSL::X509::Request] the request
   # @raise [OpenSSL::X509::RequestError] The `pem` text does not contain a valid request
+  #
   # @api private
   def load_request_from_pem(pem)
     OpenSSL::X509::Request.new(pem)