ruby-jss 1.5.3 → 1.6.0b1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5149851702056e5500ec5e13624a91c78510fceb3b3fa0545aac69f756adb984
-  data.tar.gz: 42c5312c401d7b1e626f5c97c9697a0ec9cf5070be310301e307e5b83f8c4cc1
+  metadata.gz: db33099b85c8a28905abb4885931b4782f169604fdda26458f0def90d9cec4cb
+  data.tar.gz: f004c3aa0aaed1934ccdf98dcce510af7f7c54e399d48692cccc6d9cffef011f
 SHA512:
-  metadata.gz: '09b9e201339f62871c2eb74e78cf5d3674997b0d984eb1d537431be60efcbe83a82e383b88873d306d2a89e1a6fc3259c0b1e9fcbda1323caac48198510f6e1a'
-  data.tar.gz: bb07643c17c47532bb3469853ea0d0eb317e5e97bcbcf8ed07b44d7f9b6e7ce794a4f20154e2f2e4986ba4291576bb52ec0c645a180fb5c98d1b3443b5588317
+  metadata.gz: 8ceb6d36bade8f595556f4c6208b318187bb37f228ae183d8204190f82129c3eaeb3580cfc56277d45d16e84d6889c9220c7a6b2dc02c91c689b9246355280f1
+  data.tar.gz: afa31ca7c07c083b0ee1c255153cdfc02c423e72bdcb4421035b8debe87a365c232d049932441a1583671a5552d4519a1307c8f18ca8e236114a79e1d0c8f3e4

data/CHANGES.md

@@ -4,6 +4,31 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## \[1.6.0] - 2021-05-??
+
+### Fixed
+
+  - Creating JSS::User's no longer requires a valid LDAP server. Many thanks to @aaron-mmt for filing and fixing this issue!
+
+  - HTTP 409 errors are handled more appropriately, and should report the actual error message from the server, e.g. 'Duplicate Primary MAC Address'
+
+### Changed
+
+  - ruby-jss no longer uses the 'plist' gem due to a remote code execution security issue when using `Plist.parse_xml`. Plists are now handled by the CFPropertyList gem.  The existing wrapper method `JSS.parse_plist` bas been updated to use the new gem, and a new wrapper method has been added to convert ruby data to XML plist: `JSS.xml_plist_from(data)`. All internal references to methods from the insecure 'plist' gem have been replaced with calls to those wrapper methods.
+
+  Many many thanks to actae0n of Blacksun Hackers Club for reporting this security issue and providing examples of how it could be exploited.
+
+  - In preparation for the removal of the 'runScript' command in the jamf binary, JSS::Script no longer uses it within the 'run' instance method. Instead, it just does what the jamf binary did: It creates a private temp folder, writes the script to disk in that temp folder, executes the script with any given params, then deletes the folder, returning the exit status and output from the script.
+
+  - Jamf::Script#run now takes parameters in the named params `p4:` through `p11:` for consistency with other parts of ruby-jss.
+
+  - Since Jamf Scripts can no longer be stored in a distribution point, which according to Jamf has been the case for a while, all code for dealing with them that way has been removed.
+
+  - JSS::NetworkSegment#include? now uses Range#cover? under the hood, rather than Range#include?, which can take a very very long time with large segments.
+
+  - JSS.expand_min_os has been updated to handle Apple's new version numbers for macOS. This method takes a string like '>=10.14.3' and expands it into a large array of greater OS versions and is used by the 'os_limitations' method of Packages and Scripts.  For any range of versions that includes Big Sur, both '11.x.x' and '10.16' as included in the output, to catch machines that may have SYSTEM_VERSION_COMPAT set in their env.
+
+
 ## \[1.5.3] - 2020-12-28
 
 ### Fixed

data/THANKS.md

@@ -1,6 +1,7 @@
 # With Thanks To...
 
+* Everyone who contributes to this project
 * Pixar Systems Management
-* The Pixar Mac Team
+* The Apple @ Pixar team
 * JAMF Folks
-* Alex
+* Alex

data/lib/jamf.rb

@@ -42,7 +42,6 @@ require 'digest'
 require 'open3'
 
 ### Gems
-require 'plist'
 
 # Used, among other places, in the Connection::APIError class
 require 'immutable-struct'

data/lib/jamf/api/base_classes/collection_resource.rb

@@ -176,18 +176,18 @@ module Jamf
     # those parameters will return the cached Array. Use `refresh: true` to
     # re-request that Array from the server. Note that the cache is of the raw
     # JSON Hash data. Using 'instantiate:' will still be slower as each item in
-    # the cache is instantiated. See 'Instantiation' below.
+    # the cache is instantiated. See 'Instantiation' above.
     #
-    # Some other methods, e.g. .all_names, will generate or use this cached Array
-    # to derive their values.
+    # Some other class methods, e.g. .all_names, will generate or use this cached
+    # Array to derive their values.
     #
     # If any of the parameters paged:, sort:, or filter: are used, an API
     # request is made every time, and no caches are used or stored.
     #
     #######
     #
-    # @param sort [String, Array<String>] Server-side sorting criteria in the format:
-    #   property:direction, where direction is 'asc' or 'desc'. Multiple
+    # @param sort [String, Array<String>] Server-side sorting criteria in the
+    #   format: property:direction, where direction is 'asc' or 'desc'. Multiple
     #   properties are supported, either as separate strings in an Array, or
     #   a single string, comma separated.
     #

data/lib/jamf/client.rb

@@ -179,7 +179,7 @@ module Jamf
     #
     def self.jamf_plist
       return {} unless JAMF_PLIST.file?
-      JSS.parse_plist JAMF_PLIST
+      Jamf.parse_plist JAMF_PLIST
     end
 
     # All the JAMF receipts on this client
@@ -232,7 +232,7 @@ module Jamf
     #
     def self.hardware_data
       raw = `/usr/sbin/system_profiler SPHardwareDataType -xml 2>/dev/null`
-      JSS.parse_plist(raw)[0]['_items'][0]
+      Jamf.parse_plist(raw)[0]['_items'][0]
     end
 
     # Who's currently got an active GUI session? - might be
@@ -284,7 +284,7 @@ module Jamf
       myudid = udid
       nc_prefs_file = Pathname.new "#{home}/#{USER_PREFS_BYHOST_FOLDER}/com.apple.notificationcenterui.#{myudid}.plist"
       return nil unless nc_prefs_file.readable?
-      JSS.parse_plist(nc_prefs_file)['doNotDisturb']
+      Jamf.parse_plist(nc_prefs_file)['doNotDisturb']
     end
 
     # The home dir of the specified user, nil if

data/lib/jamf/client/management_action.rb

@@ -94,7 +94,7 @@ module JSS
     #
     def self.set_mgmt_action_ncprefs_flags(user, flags, hup: true)
       plist = Pathname.new "/Users/#{user}/Library/Preferences/#{NCPREFS_DOMAIN}.plist"
-      prefs = JSS.parse_plist plist
+      prefs = Jamf.parse_plist plist
       mgmt_action_setting = prefs['apps'].select { |a| a['bundle-id'] == MGMT_ACTION_BUNDLE_ID }.first
       if mgmt_action_setting
         orig_flags = mgmt_action_setting['flags']
@@ -103,8 +103,7 @@ module JSS
         orig_flags = flags
         prefs['apps'] << { 'bundle-id' => MGMT_ACTION_BUNDLE_ID, 'flags' => flags }
       end
-      # system "/usr/bin/defaults write #{NCPREFS_DOMAIN} '#{prefs.to_plist}'"
-      plist.open('w') { |f| f.write prefs.to_plist }
+      plist.open('w') { |f| f.write Jamf.xml_plist_from(prefs) }
       system HUP_NOTIF_CTR_CMD if hup
       orig_flags
     end

data/lib/jamf/composer.rb

@@ -126,7 +126,7 @@ module Jamf
       ###
       comp_plist_out = Pathname.new "/tmp/#{PKG_BUNDLE_ID_PFX}-#{pkg_filename}.plist"
       system "#{PKGBUILD} --analyze --root '#{root}' '#{comp_plist_out}'"
-      comp_plist = Plist.parse_xml comp_plist_out.read
+      comp_plist = Jamf.parse_plist comp_plist_out
 
       ### if the plist is empty, there are no bundles in the pkg
       if comp_plist[0].nil?
@@ -141,7 +141,7 @@ module Jamf
           bndl['BundleHasStrictIdentifier'] = false
         end
         ### write out the edits
-        comp_plist_out.open('w') { |f| f.write comp_plist.to_plist }
+        comp_plist_out.open('w') { |f| f.write Jamf.xml_plist_from(comp_plist) }
         comp_plist_arg = "--component-plist '#{comp_plist_out}'"
       end
 

data/lib/jamf/utility.rb

@@ -187,19 +187,26 @@ module Jamf
     { stringform: valstr, arrayform: valarr }
   end # to_s_and_a
 
-  # Parse a plist into a Ruby data structure.
-  # This enhances Plist::parse_xml taking file paths, as well as XML Strings
-  # and reading the files regardless of binary/XML format.
+  # Parse a plist into a Ruby data structure. The plist parameter may be
+  # a String containing an XML plist, or a path to a plist file, or it may be
+  # a Pathname object pointing to a plist file. The plist files may be XML or
+  # binary.
   #
   # @param plist[Pathname, String] the plist XML, or the path to a plist file
   #
+  # @param symbol_keys[Boolean] should any Hash keys in the result be converted
+  #   into Symbols rather than remain as Strings?
+  #
   # @return [Object] the parsed plist as a ruby hash,array, etc.
   #
-  def self.parse_plist(plist)
+  def self.parse_plist(plist, symbol_keys: false)
+    require 'cfpropertylist'
+
     # did we get a string of xml, or a string pathname?
     case plist
     when String
-      return Plist.parse_xml plist if plist.include? '</plist>'
+      return CFPropertyList.native_types(CFPropertyList::List.new(data: plist).value, symbol_keys) if plist.include? '</plist>'
+
       plist = Pathname.new plist
     when Pathname
       true
@@ -208,11 +215,32 @@ module Jamf
     end # case plist
 
     # if we're here, its a Pathname
-    raise Jamf::MissingDataError, "No such file: #{plist}" unless plist.file?
+    raise JSS::MissingDataError, "No such file: #{plist}" unless plist.file?
 
-    Plist.parse_xml `/usr/libexec/PlistBuddy -x -c print #{Shellwords.escape(plist.to_s)}`.force_encoding('UTF-8')
+    CFPropertyList.native_types(CFPropertyList::List.new(file: plist).value, symbol_keys)
   end # parse_plist
 
+  # Convert any ruby data to an XML plist.
+  #
+  # NOTE: Binary data is tricky. Easiest way is to pass in a
+  # Pathname or IO object (anything that responds to `read` and
+  # returns a bytestring)
+  # and then the CFPropertyList.guess method will read it and
+  # convert it to a Plist <data> element with base64 encoded
+  # data.
+  # For more info, see CFPropertyList.guess
+  #
+  # @param data [Object] the data to be converted, usually a Hash
+  #
+  # @return [String] the object converted into an XML plist
+  #
+  def self.xml_plist_from(data)
+    require 'cfpropertylist'
+    plist = CFPropertyList::List.new
+    plist.value = CFPropertyList.guess(data, convert_unknown_to_string: true)
+    plist.to_str(CFPropertyList::List::FORMAT_XML)
+  end
+
   # TODO: Sill needed in Jamf API?
   #
   # Converts anything that responds to #to_s to a Time, or nil

data/lib/jss.rb

@@ -60,7 +60,6 @@ module JSS
   ### Gems
   require 'faraday'
   require 'faraday_middleware'
-  require 'plist'
   require 'immutable-struct'
   require 'recursive-open-struct'
 

data/lib/jss/api_connection.rb

@@ -922,6 +922,7 @@ module JSS
       when 409
         err = JSS::ConflictError
         @last_http_response.body =~ /<p>(The server has not .*?)(<|$)/m
+        Regexp.last_match(1) ||  @last_http_response.body =~ %r{<p>Error: (.*?)</p>}
         msg = Regexp.last_match(1)
       when 400
         err = JSS::BadRequestError

data/lib/jss/api_object/configuration_profile.rb

@@ -123,7 +123,7 @@ module JSS
     #
     # @return [Hash] the parsed payloads plist.
     def parsed_payloads
-      Plist.parse_xml @payloads
+      JSS.parse_plist @payloads
     end
 
     # @return [Array<Hash>] the individual payloads from the payload Plist
@@ -151,7 +151,7 @@ module JSS
     def payload_content=(new_content)
       payload_plist_data = parsed_payloads
       payload_plist_data['PayloadContent'] = new_content
-      @payloads = payload_plist_data.to_plist
+      @payloads = JSS.xml_plist_from new_content
       @need_to_update = true
       @update_payloads = true
     end

data/lib/jss/api_object/network_segment.rb

@@ -435,9 +435,10 @@ module JSS
         @starting_address <= thing.range.begin && @ending_address >= thing.range.end
       else
         thing = IPAddr.new thing.to_s
-        range.include? thing
+        range.cover? thing
       end
     end
+    alias cover? include?
 
     ### Does this network segment equal another?
     ### equality means the ranges are equal
@@ -459,7 +460,7 @@ module JSS
     ### @return [void]
     ###
     def building=(newval)
-      new = 
+      new =
         if newval.to_s.empty?
           JSS::BLANK
         else
@@ -546,7 +547,7 @@ module JSS
     ### @return [void]
     ###
     def netboot_server=(newval)
-      new = 
+      new =
         if newval.to_s.empty?
           JSS::BLANK
         else
@@ -555,7 +556,7 @@ module JSS
 
           JSS::NetbootServer.map_all_ids_to(:name)[id]
         end
-      
+
       @netboot_server = new
       @need_to_update = true
     end
@@ -567,7 +568,7 @@ module JSS
     ### @return [void]
     ###
     def swu_server=(newval)
-      new = 
+      new =
         if newval.to_s.empty?
           JSS::BLANK
         else

data/lib/jss/api_object/policy.rb

@@ -287,6 +287,9 @@ module JSS
     # How is the category stored in the API data?
     CATEGORY_DATA_TYPE = Hash
 
+    # All valid script parameters
+    SCRIPT_PARAMETERS_AVAILABLE = %i[parameter4 parameter5 parameter6 parameter7 parameter8 parameter9 parameter10 parameter11].freeze
+
     # Class Methods
     ######################
 
@@ -1485,6 +1488,53 @@ module JSS
       removed
     end
 
+    # Set a script parameter
+    #
+    # @param identifier [Integer,String] identifier the id or name of a script in this policy
+    #
+    # @param opts [Hash] opts the options to alter for this script
+    #
+    # @option [String] parameter4: the value of the 4th parameter passed to the script. this
+    #   overrides the same parameter in the script object itself.
+    #
+    # @option [String] parameter5: the value of the 5th parameter passed to the script. this
+    #   overrides the same parameter in the script object itself.
+    #
+    # @option [String] parameter6: the value of the 6th parameter passed to the script. this
+    #   overrides the same parameter in the script object itself.
+    #
+    # @option [String] parameter7: the value of the 7th parameter passed to the script. this
+    #   overrides the same parameter in the script object itself.
+    #
+    # @option [String] parameter8: the value of the 8th parameter passed to the script. this
+    #   overrides the same parameter in the script object itself.
+    #
+    # @option [String] parameter9: the value of the 9th parameter passed to the script. this
+    #   overrides the same parameter in the script object itself.
+    #
+    # @option [String] parameter10: the value of the 10th parameter passed to the script. this
+    #   overrides the same parameter in the script object itself.
+    #
+    # @option [String] parameter11: the value of the 11th parameter passed to the script. this
+    #   overrides the same parameter in the script object itself.
+    #
+    # @return [Array] the scripts array
+    #
+    def set_script_parameters(identifier, **opts)
+      id = JSS::Script.valid_id identifier, api: @api
+      raise JSS::NoSuchItemError, "No script matches '#{identifier}'" unless id
+
+      script_data = @scripts.select { |s| s[:id] == id }[0]
+      raise JSS::InvalidDataError, "Script #{id} is not configured. Use add_script method." unless script_data
+
+      opts.each do |parameter, value|
+        script_data[parameter] = value if SCRIPT_PARAMETERS_AVAILABLE.include? parameter
+      end
+
+      @need_to_update = true
+      @scripts
+    end # end set_script_parameter
+
     ###### Directory Bindings
 
     # @return [Array] the id's of the directory_bindings handled by the policy

data/lib/jss/api_object/script.rb

@@ -1,94 +1,91 @@
-### Copyright 2020 Pixar
-
-###
-###    Licensed under the Apache License, Version 2.0 (the "Apache License")
-###    with the following modification; you may not use this file except in
-###    compliance with the Apache License and the following modification to it:
-###    Section 6. Trademarks. is deleted and replaced with:
-###
-###    6. Trademarks. This License does not grant permission to use the trade
-###       names, trademarks, service marks, or product names of the Licensor
-###       and its affiliates, except as required to comply with Section 4(c) of
-###       the License and to reproduce the content of the NOTICE file.
-###
-###    You may obtain a copy of the Apache License at
-###
-###        http://www.apache.org/licenses/LICENSE-2.0
-###
-###    Unless required by applicable law or agreed to in writing, software
-###    distributed under the Apache License with the above modification is
-###    distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-###    KIND, either express or implied. See the Apache License for the specific
-###    language governing permissions and limitations under the Apache License.
-###
-###
-
-###
+# Copyright 2020 Pixar
+
+#
+#    Licensed under the Apache License, Version 2.0 (the "Apache License")
+#    with the following modification; you may not use this file except in
+#    compliance with the Apache License and the following modification to it:
+#    Section 6. Trademarks. is deleted and replaced with:
+#
+#    6. Trademarks. This License does not grant permission to use the trade
+#       names, trademarks, service marks, or product names of the Licensor
+#       and its affiliates, except as required to comply with Section 4(c) of
+#       the License and to reproduce the content of the NOTICE file.
+#
+#    You may obtain a copy of the Apache License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the Apache License with the above modification is
+#    distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the Apache License for the specific
+#    language governing permissions and limitations under the Apache License.
+#
+#
+
+#
 module JSS
 
-  ### Module Constants
+  # Module Constants
   #####################################
 
-  ### Module Variables
+  # Module Variables
   #####################################
 
-  ### Module Methods
+  # Module Methods
   #####################################
 
-  ### Classes
+  # Classes
   #####################################
 
-  ### A Script in the JSS.
-  ###
-  ### As of Casper 9.4, the script contents as stored in the database are
-  ### accessible via the API
-  ###
-  ### This class will save the script contents back to the database with
-  ### the {#create} or {#update} methods
-  ###
-  ### If your scripts are stored on the master distribution point instead of
-  ### the database, you can use {#upload_master_file} to save it to the server,
-  ### and {#delete_master_file} to delete it from the server.
-  ###
-  ### Use the {#run} method to run the script on the local machine via the 'jamf runScript' command
-  ###
-  ### @see JSS::APIObject
-  ###
+  # A Script in the JSS.
+  #
+  # As of Casper 9.4, the script contents as stored in the database are
+  # accessible via the API
+  #
+  # According to Jamf as of early 2021, it has been some years now since
+  # its been possible to store script contents on a dist. point - they
+  # are all always in the database.
+  #
+  # Use the {#run} method to run the script on the local machine.
+  #
+  # @see JSS::APIObject
+  #
   class Script < JSS::APIObject
 
-    ### Mix-Ins
+    # Mix-Ins
     #####################################
 
     include JSS::Creatable
     include JSS::Updatable
     include JSS::Categorizable
 
-    ### Class Methods
+    # Class Methods
     #####################################
 
-    ### Class Constants
+    # Class Constants
     #####################################
 
-    ### The base for REST resources of this class
+    # The base for REST resources of this class
     RSRC_BASE = 'scripts'.freeze
 
-    ### the hash key used for the JSON list output of all objects in the JSS
+    # the hash key used for the JSON list output of all objects in the JSS
     RSRC_LIST_KEY = :scripts
 
-    ### The hash key used for the JSON object output.
-    ### It's also used in various error messages
+    # The hash key used for the JSON object output.
+    # It's also used in various error messages
     RSRC_OBJECT_KEY = :script
 
-    ### The script storage folder on the distribution point, if used
+    # The script storage folder on the distribution point, if used
     DIST_POINT_SCRIPTS_FOLDER = 'Scripts'.freeze
 
-    ### Priority to use for running the script in relation to other actions during imaging
+    # Priority to use for running the script in relation to other actions during imaging
     PRIORITIES = ['Before', 'After', 'At Reboot'].freeze
 
-    ### which is default?
+    # which is default?
     DEFAULT_PRIORITY = 'After'.freeze
 
-    ### The keys used in the @parameters Hash
+    # The keys used in the @parameters Hash
     PARAMETER_KEYS = [:parameter4, :parameter5, :parameter6, :parameter7, :parameter8, :parameter9, :parameter10, :parameter11].freeze
 
     # the object type for this object in
@@ -103,34 +100,39 @@ module JSS
     CATEGORY_DATA_TYPE = String
 
 
-    ### Attributes
+    # Attributes
     #####################################
 
-    ### @return [String] the file name of the script, if stored in a dist. point
+    # @return [String] the file name of the script, if stored in a dist. point
     attr_reader :filename
 
-    ### @return [Array<String>] the OS versions this can be installed onto. For all minor versions, the format is 10.5.x
+    # @return [Array<String>] the OS versions this can be installed onto. For all minor versions, the format is 10.5.x
     attr_reader :os_requirements
 
-    ### @return [String] either 'Before' or 'After' or "At Reboot".
+    # @return [String] either 'Before' or 'After' or "At Reboot".
     attr_reader :priority
 
-    ### @return [String] the info field for this script
+    # @return [String] the info field for this script
     attr_reader :info
 
-    ### @return [String] the notes field for this script
+    # @return [String] the notes field for this script
     attr_reader :notes
 
-    ### @return [Hash] script parameters 4-11. Parameters 1-3 are predefined as target drive, computer name, and username
+    # @return [Hash] descriptions of parameters 4-11. Parameters 1-3 are predefined as target drive, computer name, and username
     attr_reader :parameters
+    alias parameter_labels parameters
+    alias parameter_descriptions parameters
 
-    ### @return {String] the actual code for this script, if it's stored in the database.
+    # @return {String] the actual code for this script, if it's stored in the database.
     attr_reader :script_contents
 
-    ### Constructor
+    # @return [String] the code for this script, Base64-encoded
+    attr_reader :script_contents_encoded
+
+    # Constructor
     #####################################
 
-    ###
+    #
     def initialize(args = {})
       super
 
@@ -141,19 +143,23 @@ module JSS
       @parameters = @init_data[:parameters] ? @init_data[:parameters] : {}
       @priority = @init_data[:priority] || DEFAULT_PRIORITY
       @script_contents = @init_data[:script_contents]
+      @script_contents_encoded = @init_data[:script_contents_encoded]
+      if @script_contents && @script_contents_encoded.to_s.empty?
+        @script_contents_encoded = Base64.encode64 @script_contents
+      end
     end # initialize
 
-    ### Change the script filename
-    ###
-    ### Setting it to nil will make it match the script name
-    ###
-    ### @param new_val[String,Nil] the new filename
-    ###
-    ### @return [void]
-    ###
-    ### @note This method does NOT change the filename on the distribution point
-    ###   if that's where you store your scripts.
-    ###
+    # Change the script filename
+    #
+    # Setting it to nil will make it match the script name
+    #
+    # @param new_val[String,Nil] the new filename
+    #
+    # @return [void]
+    #
+    # @note This method does NOT change the filename on the distribution point
+    #   if that's where you store your scripts.
+    #
     def filename=(new_val)
       new_val = nil if new_val == ''
       new_val = @name unless new_val
@@ -164,14 +170,14 @@ module JSS
       @need_to_update = true
     end # filename=
 
-    ### Change the script's display name
-    ###
-    ### If the filename is the same as the name, the filename  will be changed also
-    ###
-    ### @param new_val[String] the new display name
-    ###
-    ### @return [void]
-    ###
+    # Change the script's display name
+    #
+    # If the filename is the same as the name, the filename  will be changed also
+    #
+    # @param new_val[String] the new display name
+    #
+    # @return [void]
+    #
     def name=(new_val)
       new_val = new_val.to_s
       return if new_val == @name
@@ -179,39 +185,39 @@ module JSS
       raise JSS::MissingDataError, "Name can't be empty" if new_val.empty?
       raise JSS::AlreadyExistsError, "A script already exists with the name '#{new_val}'" if JSS::Script.all_names.include? new_val
 
-      ### if the filename matches the name, change that too.
+      # if the filename matches the name, change that too.
       @filename = new_val if @filename == @name
       @name = new_val
 
-      ### if our REST resource is based on the name, update that too
+      # if our REST resource is based on the name, update that too
       @rest_rsrc = "#{RSRC_BASE}/name/#{CGI.escape @name.to_s}" if @rest_rsrc.include? '/name/'
       @need_to_update = true
     end # name=
 
-    ### Change the os_requirements
-    ###
-    ### Minumum OS's can be specified as a string using the notation ">=10.6.7"
-    ### See the {JSS.expand_min_os} method for details.
-    ###
-    ### @param new_val[String, Array<String>] the new os requirements as a comma-separted String or an Array of Strings
-    ###
-    ### @return [void]
-    ###
-    ### @example String value
-    ###   myscript.os_requirements "10.5, 10.5.3, 10.6.x"
-    ###
-    ### @example Array value
-    ###   ok_oses = ['10.5', '10.5.3', '10.6.x']
-    ###   myscript.os_requirements ok_oses
-    ###
-    ### @example Minimum OS
-    ###   myscript.os_requirements ">=10.7.5"
-    ###
+    # Change the os_requirements
+    #
+    # Minumum OS's can be specified as a string using the notation ">=10.6.7"
+    # See the {JSS.expand_min_os} method for details.
+    #
+    # @param new_val[String, Array<String>] the new os requirements as a comma-separted String or an Array of Strings
+    #
+    # @return [void]
+    #
+    # @example String value
+    #   myscript.os_requirements "10.5, 10.5.3, 10.6.x"
+    #
+    # @example Array value
+    #   ok_oses = ['10.5', '10.5.3', '10.6.x']
+    #   myscript.os_requirements ok_oses
+    #
+    # @example Minimum OS
+    #   myscript.os_requirements ">=10.7.5"
+    #
     def os_requirements=(new_val)
-      ### nil should be an empty array
+      # nil should be an empty array
       new_val = [] if new_val.to_s.empty?
 
-      ### if any value starts with >=, expand it
+      # if any value starts with >=, expand it
       case new_val
       when String
         new_val = JSS.expand_min_os(new_val) if new_val =~ /^>=/
@@ -223,17 +229,17 @@ module JSS
         raise JSS::InvalidDataError, 'os_requirements must be a String or an Array of strings'
       end # case
 
-      ### get the array version
+      # get the array version
       @os_requirements = JSS.to_s_and_a(new_val)[:arrayform]
       @need_to_update = true
     end # os_requirements=
 
-    ### Change the priority of this script
-    ###
-    ### @param new_val[Integer] the new priority, which must be one of {PRIORITIES}
-    ###
-    ### @return [void]
-    ###
+    # Change the priority of this script
+    #
+    # @param new_val[Integer] the new priority, which must be one of {PRIORITIES}
+    #
+    # @return [void]
+    #
     def priority=(new_val)
       return nil if new_val == @priority
       new_val = DEFAULT_PRIORITY if new_val.nil? || (new_val == '')
@@ -242,47 +248,47 @@ module JSS
       @need_to_update = true
     end # priority=
 
-    ### Change the info field
-    ###
-    ### @param new_val[String] the new info
-    ###
-    ### @return [void]
-    ###
+    # Change the info field
+    #
+    # @param new_val[String] the new info
+    #
+    # @return [void]
+    #
     def info=(new_val)
       return nil if new_val == @info
-      ### line breaks should be \r
+      # line breaks should be \r
       new_val = new_val.to_s.tr("\n", "\r")
       @info = new_val
       @need_to_update = true
     end # info=
 
-    ### Change the notes field
-    ###
-    ### @param new_val[String] the new notes
-    ###
-    ### @return [void]
-    ###
+    # Change the notes field
+    #
+    # @param new_val[String] the new notes
+    #
+    # @return [void]
+    #
     def notes=(new_val)
       return nil if new_val == @notes
-      ### line breaks should be \r
+      # line breaks should be \r
       new_val = new_val.to_s.tr("\n", "\r")
       @notes = new_val
       @need_to_update = true
     end # notes=
 
-    ### Replace all the script parameters at once.
-    ###
-    ### This will replace the entire set with the hash provided.
-    ###
-    ### @param new_val[Hash]  the Hash keys must exist in {PARAMETER_KEYS}
-    ###
-    ### @return [void]
-    ###
+    # Replace all the script parameters at once.
+    #
+    # This will replace the entire set with the hash provided.
+    #
+    # @param new_val[Hash]  the Hash keys must exist in {PARAMETER_KEYS}
+    #
+    # @return [void]
+    #
     def parameters=(new_val)
       return nil if new_val == @parameters
       new_val = {} if new_val.nil? || (new_val == '')
 
-      ### check the values
+      # check the values
       raise JSS::InvalidDataError, ':parameters must be a Hash with keys :parameter4 thru :parameter11' unless \
         new_val.is_a?(Hash) && ((new_val.keys & PARAMETER_KEYS) == new_val.keys)
       new_val.each do |_k, v|
@@ -293,14 +299,14 @@ module JSS
       @need_to_update = true
     end # parameters=
 
-    ### Change one of the stored parameters
-    ###
-    ### @param param_num[Integer] which param are we setting? must be 4..11
-    ###
-    ### @param new_val[String] the new value for the parameter
-    ###
-    ### @return [void]
-    ###
+    # Change one of the stored parameters
+    #
+    # @param param_num[Integer] which param are we setting? must be 4..11
+    #
+    # @param new_val[String] the new value for the parameter
+    #
+    # @return [void]
+    #
     def set_parameter(param_num, new_val)
       raise JSS::NoSuchItemError, 'Parameter numbers must be from 4-11' unless (4..11).cover? param_num
       pkey = "parameter#{param_num}".to_sym
@@ -309,21 +315,23 @@ module JSS
       @parameters[pkey] = new_val
       @need_to_update = true
     end
-
-    ### Change the executable code of this script.
-    ###
-    ### If the arg is a Pathname instance, or a String starting with "/"
-    ### Then the arg is assumed to be a file from which to read the code.
-    ###
-    ### Otherwise it should be a String with the code itself, and it must start with '#!"
-    ###
-    ### After doing this, use {#create} or {#update} to write it to the database or
-    ### use {#upload_master_file} to save it to the master dist. point.
-    ###
-    ### @param new_val[String,Pathname] the new script contents or a path to a file containing it.
-    ###
-    ### @return [void]
-    ###
+    alias set_parameter_label set_parameter
+    alias set_parameter_description set_parameter
+
+    # Change the executable code of this script.
+    #
+    # If the arg is a Pathname instance, or a String starting with "/"
+    # Then the arg is assumed to be a file from which to read the code.
+    #
+    # Otherwise it should be a String with the code itself, and it must start with '#!"
+    #
+    # After doing this, use {#create} or {#update} to write it to the database or
+    # use {#upload_master_file} to save it to the master dist. point.
+    #
+    # @param new_val[String,Pathname] the new script contents or a path to a file containing it.
+    #
+    # @return [void]
+    #
     def script_contents=(new_val)
       new_code = case new_val
                  when String
@@ -341,207 +349,89 @@ module JSS
       raise JSS::InvalidDataError, "Script contents must start with '#!'" unless new_code.start_with? '#!'
 
       @script_contents = new_code
+      @script_contents_encoded = Base64.encode64 @script_contents
       @need_to_update = true
     end
 
-    ### Save the @script_contents for this script to a file on the Master Distribution point.
-    ###
-    ### If you'll be uploading several files you can specify unmount as false, and do it manually when all
-    ### are finished.
-    ###
-    ### use {#script_contents=}  to set the script_contents from a String or Pathname
-    ###
-    ### @param rw_pw[String] the password for the read/write account on the master Distribution Point
-    ###
-    ### @param unmount[Boolean] whether or not ot unount the distribution point when finished.
-    ###
-    ### @return [void]
-    ###
-    def upload_master_file(rw_pw, unmount = true)
-      raise JSS::MissingDataError, 'No code specified. Use #code= first.' if @script_contents.nil? || @script_contents.empty?
-
-      mdp = JSS::DistributionPoint.master_distribution_point
-      raise JSS::InvaldDatatError, 'Incorrect password for read-write access to master distribution point.' unless mdp.check_pw :rw, rw_pw
-
-      destination = mdp.mount(rw_pw, :rw) + "#{DIST_POINT_SCRIPTS_FOLDER}/#{@filename}"
-      destination.save @script_contents
-      mdp.unmount if unmount
-    end # upload
-
-    ### Delete the filename from the master distribution point, if it exists.
-    ###
-    ### If you'll be uploading several files you can specify unmount as false, and do it manually when all
-    ### are finished.
-    ###
-    ### @param rw_pw[String] the password for the read/write account on the master Distribution Point
-    ###
-    ### @param unmount[Boolean] whether or not ot unount the distribution point when finished.
-    ###
-    ### @return [Boolean] was the file deleted?
-    ###
-    def delete_master_file(rw_pw, unmount = true)
-      file = JSS::DistributionPoint.master_distribution_point.mount(rw_pw, :rw) + "#{DIST_POINT_SCRIPTS_FOLDER}/#{@filename}"
-      if file.exist?
-        file.delete
-        did_it = true
-      else
-        did_it = false
-      end # if exists
-      JSS::DistributionPoint.master_distribution_point.unmount if unmount
-      did_it
-    end
-
-    ### Run this script on the current machine using the "jamf runScript" command.
-    ###
-    ### If the script code is available in the {#script_contents} attribute, then that
-    ### code is saved to a tmp file, and executed. Otherwise, the script is assumed
-    ### to be stored on the distribution point.
-    ###
-    ### If the dist. point has http downloads enabled, then the URL is used as the path with the
-    ### 'jamf runScript' command.
-    ###
-    ### If http is not an option, the dist.point is mounted, and the script copied locally before running.
-    ### In this case the options must include :ro_pw => 'somepass'
-    ### to provide the read-only password for mounting the distribution point. If :unmount => true
-    ### is provided, the dist. point will be unmounted immediately after copying
-    ### the script locally.  Otherwise it will remain mounted, in case there's further need of it.
-    ###
-    ### Any local on-disk copies of the script are removed after running.
-    ###
-    ### After the script runs, this method returns a two-item Array.
-    ### - the first item is an Integer, the exit status of the script itself (0 means success)
-    ### - the second item is a String, the output (stdout + stderr) of the jamf binary, which will include
-    ###   the script output.
-    ### The exit status of the jamf binary process will be available as a Process::Status object
-    ### in $? immediately after running.
-    ###
-    ### @param opts[Hash] the options for running the script
-    ###
-    ### @option opts :target[String,Pathname] the 'target drive', passed to the script as the first commandline option.
-    ###   Defaults to '/'
-    ###
-    ### @option opts :computer_name[String] the name of the computer, passed to the script as the second commandline
-    ###   option. Defaults to the name of the current machine
-    ###
-    ### @option opts :username[String] the username to be passed to the script as the third commandline option.
-    ###
-    ### @option opts :p1..:p8[String] the values to be passed as the 4th - 11th commandline options, overriding
-    ###   those defined with the script in the JSS
-    ###
-    ### @option opts :ro_pw[String] the read-only password for mounting the distribution point, if needed
-    ###
-    ### @option opts :unmount[Boolean} should the dist. point be unmounted when finished, if we mounted it?
-    ###
-    ### @option opts :verbose[Boolean] should the 'jamf runScript' command be verbose?
-    ###
-    ### @option opts :show_output[Boolean] should the output (stdout + stderr) of 'jamf runScript' be copied to
-    ###  stdout in realtime, as well as returned?
-    ###
-    ### @return [Array<(Integer,String)>] the exit status of the *script* and stdout+stderr of 'jamf runScript'.
-    ###   The exit status of the jamf binary will be available in $? immediately after running.
-    ###
-    ### *NOTE* In the WEB UI and API, the definable parameters are numbered 4-11, since 1, 2, & 3 are the
-    ### target drive, computer name, and user name respectively.  However, the jamf binary refers to them as
-    ### p1-p8, and that's how they are expected as options to #run. So if :p1=> "new param" is given as an
-    ### aption to #run, it will override any value that the API provided in @parameters[:parameter4]
-    ###
+    # Run this script on the current machine.
+    #
+    # If the script code is available in the {#script_contents} attribute, then that
+    # code is saved to a tmp file, and executed. The tmp file is deleted immediately
+    # after running
+    #
+    # After the script runs, this method returns a two-item Array.
+    # - the first item is an Integer, the exit status of the script itself (0 means success)
+    # - the second item is a String, the output (stdout + stderr) of the script.
+    #
+    # The exit status of the jamf binary process will be available as a Process::Status object
+    # in $? immediately after running.
+    #
+    # @param opts[Hash] the options for running the script
+    #
+    # @option opts :target[String,Pathname] the 'target drive', passed to the script as the first commandline option.
+    #   Defaults to '/'
+    #
+    # @option opts :computer_name[String] the name of the computer, passed to the script as the second commandline
+    #   option. Defaults to the name of the current machine
+    #
+    # @option opts :username[String] the username to be passed to the script as the third commandline option.
+    #   Defaults to the current console user.
+    #
+    # @option opts :p4..:p11[String] the values to be passed as the 4th - 11th commandline params
+    #   Script params 1, 2, & 3 are the target:, computer_name: and username: params
+    #
+    # @option opts :show_output[Boolean] should the output (stdout + stderr) be copied to
+    #  stdout in realtime, as well as returned?
+    #
+    # @return [Array<(Integer,String)>] the exit status and stdout+stderr of the script
+    #
     def run(opts = {})
-      opts[:target] ||= '/'
-      opts[:p1] ||= @parameters[:parameter4]
-      opts[:p2] ||= @parameters[:parameter5]
-      opts[:p3] ||= @parameters[:parameter6]
-      opts[:p4] ||= @parameters[:parameter7]
-      opts[:p5] ||= @parameters[:parameter8]
-      opts[:p6] ||= @parameters[:parameter9]
-      opts[:p7] ||= @parameters[:parameter10]
-      opts[:p8] ||= @parameters[:parameter11]
-
-      dp_mount_pt = nil
-      delete_exec = false
-
-      begin
-
-        # do we have the code already? if so, save it out and make it executable
-        if @script_contents && !@script_contents.empty?
-
-          script_path = JSS::Client::DOWNLOADS_FOLDER
-
-          executable = script_path + @filename
-
-          executable.jss_touch
-          executable.chmod 0o700
-          executable.jss_save @script_contents
-          delete_exec = true
-
-        # otherwise, get it from the dist. point
-        else
-          dist_point = JSS::DistributionPoint.my_distribution_point api: @api
+      raise JSS::MissingDataError, 'script_contents does not start with #!' unless @script_contents.to_s.start_with? '#!'
 
-          ### how do we access our dist. point?
-          if dist_point.http_downloads_enabled
-            script_path = dist_point.http_url + "/#{DIST_POINT_SCRIPTS_FOLDER}/"
-
-          else
-            dp_mount_pt = dist_point.mount opts[:ro_pw]
-
-            script_path = (dp_mount_pt + DIST_POINT_SCRIPTS_FOLDER)
-
-          end # if http enabled
-
-        end # if @script_contents and (not @script_contents.empty?)
-
-        # build the command as an array.
-        command_arry = ['-script', @filename, '-path', script_path.to_s]
-
-        command_arry << '-target'
-        command_arry << opts[:target].to_s
-
-        command_arry << '-computerName' if opts[:computer_name]
-        command_arry << opts[:computer_name] if opts[:computer_name]
-
-        command_arry << '-username' if opts[:username]
-        command_arry << opts[:username] if opts[:username]
-
-        command_arry << '-p1' if opts[:p1]
-        command_arry << opts[:p1] if opts[:p1]
-
-        command_arry << '-p2' if opts[:p2]
-        command_arry << opts[:p2] if opts[:p2]
-
-        command_arry << '-p3' if opts[:p3]
-        command_arry << opts[:p3] if opts[:p3]
-
-        command_arry << '-p4' if opts[:p4]
-        command_arry << opts[:p4] if opts[:p4]
-
-        command_arry << '-p5' if opts[:p5]
-        command_arry << opts[:p5] if opts[:p5]
+      opts[:target] ||= '/'
+      opts[:computer_name] ||= JSS::Client.run_jamf('getComputerName')[/>(.)</, 1]
+      opts[:username] ||= JSS::Client.console_user
 
-        command_arry << '-p6' if opts[:p6]
-        command_arry << opts[:p6] if opts[:p6]
+      params = [opts[:target], opts[:computer_name], opts[:username]]
+      params << opts[:p4]
+      params << opts[:p5]
+      params << opts[:p6]
+      params << opts[:p7]
+      params << opts[:p8]
+      params << opts[:p9]
+      params << opts[:p10]
+      params << opts[:p11]
 
-        command_arry << '-p7' if opts[:p7]
-        command_arry << opts[:p7] if opts[:p7]
+      # everything must be a string
+      params.map! &:to_s
 
-        command_arry << '-p8' if opts[:p8]
-        command_arry << opts[:p8] if opts[:p8]
+      # remove nils
+      params.compact!
 
-        command_arry << '-verbose' if opts[:verbose]
+      # remove empty strings
+      params.delete_if &:empty?
 
-        command = command_arry.shelljoin
+      return_value = []
 
-        jamf_output =  JSS::Client.run_jamf 'runScript', command, opts[:show_output]
+      # Save and run the script from a private temp dir
+      # which will be deleted when finished
+      require 'tmpdir'
+      Dir.mktmpdir do |dir|
+        executable = Pathname.new "#{dir}/#{@name}"
+        executable.jss_touch
+        executable.chmod 0o700
+        executable.jss_save @script_contents
 
-        jamf_output =~ /^.*Script exit code: (\d+)(\D|$)/
+        cmd = [executable.to_s]
+        cmd += params
 
-        script_exitstatus = Regexp.last_match(1).to_i
+        stdout_and_stderr_str, status = Open3.capture2e(*cmd)
 
-      ensure
-        executable.delete if delete_exec && executable.exist?
-        dist_point.unmount if dp_mount_pt && dp_mount_pt.mountpoint? && opts[:unmount]
-      end # begin/ensure
+        return_value << status.exitstatus
+        return_value << stdout_and_stderr_str
+      end # Dir.mktmpdirs
 
-      [script_exitstatus, jamf_output]
+      return_value
     end # def run
 
     # aliases under their methods seem to confuse the YARD documenter, so I'm putting them all here.
@@ -552,13 +442,13 @@ module JSS
     alias contents script_contents
     alias contents= script_contents=
 
-    ### Private Instance Methods
+    # Private Instance Methods
     #####################################
 
     private
 
-    ### Return the xml for creating or updating this script in the JSS
-    ###
+    # Return the xml for creating or updating this script in the JSS
+    #
     def rest_xml
       doc = REXML::Document.new
       scpt = doc.add_element 'script'
@@ -579,7 +469,7 @@ module JSS
         PARAMETER_KEYS.each { |p| pars.add_element(p.to_s).text = @parameters[p] }
       end
 
-      scpt.add_element('script_contents_encoded').text = Base64.encode64(@script_contents)
+      scpt.add_element('script_contents_encoded').text = script_contents_encoded
 
       doc.to_s
     end # rest xml