(MODULES-5152) Fix ACE mutation on output #105
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Iristyle
changed the title
Iristyle
force-pushed
the
ticket/MODULES-5152-error-with-ALL-APPLICATION-PACKAGES
branch
from
2bc8493 to
88fab9a
Compare
|
Looks like an |
Iristyle
force-pushed
the
ticket/MODULES-5152-error-with-ALL-APPLICATION-PACKAGES
branch
from
88fab9a to
709cd72
Compare
|
Bummer.. output isn't quite right here as it now drops the original ACEs: But at least it doesn't crash. |
Iristyle
commented
Jun 29, 2017
lib/puppet/provider/acl/windows.rb
Outdated
| perm_hash = perm.to_hash | ||
| perm_hash['identity'] = get_account_name(perm.identity) | ||
| # TODO: is it just as easy to perm.dup instead? | ||
| Puppet::Type::Acl::Ace.new(perm_hash, nil) |
There was a problem hiding this comment.
Look into just returning an array of strings / hashes here instead... or calling .to_s directly on the Ace object and supplanting the identity.
Note that the behavior on Puppet 4 / Puppet 5 will be different.
Iristyle
force-pushed
the
ticket/MODULES-5152-error-with-ALL-APPLICATION-PACKAGES
branch
from
709cd72 to
480984e
Compare
Iristyle
commented
Jun 29, 2017
lib/puppet/type/acl/ace.rb
Outdated
| @@ -322,7 +323,7 @@ def inspect | |||
| if key_value.is_a? Array | |||
| "#{key} => #{key_value}" | |||
| else | |||
| "#{key} => '#{key_value}'" | |||
| "#{key} => '#{key_value}'" unless (key == 'id' && key_value.nil?) | |||
There was a problem hiding this comment.
Gross... designed to not emit an empty SID (to match prior behavior).
Might have to scrap adding id to the returned hash.
Iristyle
force-pushed
the
ticket/MODULES-5152-error-with-ALL-APPLICATION-PACKAGES
branch
2 times, most recently
from
dd4a78b to
18b147f
Compare
Iristyle
commented
Jun 30, 2017
lib/puppet/type/acl.rb
Outdated
| "'#{value}'" | ||
| end | ||
| end | ||
| # def self.format_value_for_display(value) |
There was a problem hiding this comment.
Commented this just to see if it's actually called anywhere... its unused in specs on OSX, but maybe it is called on Windows somehow?
Iristyle
force-pushed
the
ticket/MODULES-5152-error-with-ALL-APPLICATION-PACKAGES
branch
7 times, most recently
from
aa5d1fd to
c7b2ea2
Compare
|
Testing with manifest: file { 'c:/test': ensure => 'directory' } ~>
acl { 'c:/test':
purge => 'true',
permissions => [{ identity => 'ALL APPLICATION PACKAGES', rights => ['full']},],
inherit_parent_permissions => 'false',
} |
Iristyle
force-pushed
the
ticket/MODULES-5152-error-with-ALL-APPLICATION-PACKAGES
branch
8 times, most recently
from
d5976c7 to
d2390e1
Compare
Iristyle
changed the title
Iristyle
force-pushed
the
ticket/MODULES-5152-error-with-ALL-APPLICATION-PACKAGES
branch
from
be02ad1 to
94ff5e7
Compare
- Although some of the changes in this PR should be independent, it was necessary to combine them to get a passing commit, given the timeline of some related releases. - rspec-puppet introduced some monkey patching in 2.6.0 which breaks Windows on Windows testing - introduced in rodjek/rspec-puppet#498 - AppVeyor won't demonstrate the problem given Puppet 4.2.3 has been removed from the matrix, but this PR also pins puppet-module-win-dev-r21 back to `0.0.7` for a few reasons. 0.0.8+ doesn't work properly in Jenkins due to the addition of rspec-puppet-facts which requires json and triggers compilation of a native extension in spec environments without compilers. The 0.0.9 / 0.0.10 releases include a dependency on metadata-json-list 2.0.0+ which requires Puppet 4.7+ - Finally, the behavior of Puppet format_value_for_display changed in Puppet 5, which produces different output for change notifications and `puppet resource` in Puppet 5. This module will likely need to be refactored later to simplify the use of Ruby types (to remove Ace deriving from Hash), but for now, changing just the test to accurately portray Puppet behavior is sufficient.
Iristyle
force-pushed
the
ticket/MODULES-5152-error-with-ALL-APPLICATION-PACKAGES
branch
from
ab96e40 to
6333f0b
Compare
- Use manifests to prove that the ACL mdoule can properly handle the identities in APPLICATION PACKAGE AUTHORITY - namely S-1-15-2-1 / ALL APPLICATION PACKAGES and S-1-15-2-2 / ALL RESTRICTED APPLICATION PACKAGES. Note that accounts in APPLICATION PACKAGE AUTHORITY are handled strangely in the Windows API, and are not resolvable when fully qualified with the LookupAccountName like other accounts are. Therefore there are no tests showing that the fully qualified name actually works, and the README for this module will be updated accordingly.
- Existing code mutates an Ace instance in the methods used to emit string versions of Ace objects - permissions_should_to_s and permissions_to_s. In particular, the `ALL APPLICATION PACKAGES` group is special as it must be specified without the leading `APPLICATION PACKAGE AUTHORITY` to properly resolve to a SID with the Windows API. Previously, for the sake of outputting the name of the group to users in the output of change messages / `puppet resource`, a SID name would be resolved to a complete name like `APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES` *and* the original Ace instance would be mutated causing future misbehavior as a result. - Previously permissions_to_s produced an Array of Puppet::Type::Acl::Ace objects, but now produces an Array of Ruby Hash objects, which can still be turned into log messages just fine. Puppet 5 in particular changed how values are logged to display to support arbitrarily nested structures. - Update documentation for how to use these accounts correctly. - Add integration tests for APPLICATION PACKAGES - though these unfortunately do not prove that the accounts can be used in a real manifest.
eputnam
approved these changes
Jul 25, 2017
glennsarti
reviewed
Jul 26, 2017
| @@ -443,6 +443,11 @@ To ensure that a specific set of permissions are absent from the ACL, set `purge | |||
|
|
|||
| * When using SIDs for identities, autorequire tries to match to users with fully qualified names (e.g., User[BUILTIN\Administrators]) in addition to SIDs (User[S-1-5-32-544]). However, it can't match against 'User[Administrators]', because that could cause issues if domain accounts and local accounts share the same name e.g., 'Domain\Bob' and 'LOCAL\Bob'. | |||
|
|
|||
| * When referring to accounts in the `APPLICATION PACKAGE AUTHORITY`, use either their SID values or their unqualified names. The Windows API has well documented bugs preventing the fully qualifed account names from being used. | |||
There was a problem hiding this comment.
Think it's missing a word "accounts in the APPLICATION PACKAGE AUTHORITY" should be "accounts in the APPLICATION PACKAGE AUTHORITY domain" ?
There was a problem hiding this comment.
In Windows terms, I believe they're actually referred to as authorities, even though they look like domains.
Other authorities (including SECURITY_APP_PACKAGE_AUTHORITY ({0,0,0,0,0,15} AKA S-1-15)):
https://msdn.microsoft.com/en-us/library/dd302645.aspx
The new defs in WinNT.h (added for Windows 8) - https://recxltd.blogspot.com/2012/03/windows-8-app-container-security-notes.html
//
// Application Package Authority.
//
#define SECURITY_APP_PACKAGE_AUTHORITY {0,0,0,0,0,15}
#define SECURITY_APP_PACKAGE_BASE_RID (0x00000002L)
#define SECURITY_BUILTIN_APP_PACKAGE_RID_COUNT (2L)
#define SECURITY_APP_PACKAGE_RID_COUNT (8L)
#define SECURITY_CAPABILITY_BASE_RID (0x00000003L)
#define SECURITY_BUILTIN_CAPABILITY_RID_COUNT (2L)
#define SECURITY_CAPABILITY_RID_COUNT (5L)There was a problem hiding this comment.
There was a problem hiding this comment.
Ahh ok so APPLICATION PACKAGE AUTHORITY is an authority and it would look odd to have " ... in the APPLICATION PACKAGE AUTHORITY authority. PR is good for merge.
Iristyle
deleted the
ticket/MODULES-5152-error-with-ALL-APPLICATION-PACKAGES
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Existing code mutates an Ace instance in the methods used to emit
string versions of Ace objects - permissions_should_to_s and
permissions_to_s. In particular, the
ALL APPLICATION PACKAGESgroup is special as it must be specified without the leading
APPLICATION PACKAGE AUTHORITYto properly resolve to a SIDwith the Windows API.
Previously, for the sake of outputting the name of the group
to users in the output of change messages /
puppet resource,a SID name would be resolved to a complete name like
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGESandthe original Ace instance would be mutated causing future
misbehavior as a result.
Previously permissions_to_s produced an Array of
Puppet::Type::Acl::Ace objects, but now produces an Array of
Ruby Hash objects, which can still be turned into log messages
just fine. Puppet 5 in particular changed how values are
logged to display to support arbitrarily nested structures.
Update documentation for how to use these accounts correctly.
Add integration tests for APPLICATION PACKAGES - though these
unfortunately do not prove that the accounts can be used in a
real manifest.