summaryrefslogtreecommitdiff
path: root/spec/unit/util/windows
AgeCommit message (Collapse)AuthorFilesLines
2014-06-26(PUP-2521) Don't use windows-pr constantsEthan J. Brown2-2/+2
- Somehow there were still some remaining constants referencing Windows:: which is part of windows-pr gem. Most are already defined locally as of the code being ported to FFI. Ensure that we use our internal constant definitions rather than those from gem: Puppet::Util::Windows::AccessControlEntry::CONTAINER_INHERIT_ACE Puppet::Util::Windows::AccessControlEntry::OBJECT_INHERIT_ACE Puppet::Util::Windows::AccessControlEntry::INHERIT_ONLY_ACE Puppet::Util::Windows::File::STANDARD_RIGHTS_ALL Puppet::Util::Windows::File::SPECIFIC_RIGHTS_ALL Puppet::Util::Windows::File::FILE_ALL_ACCESS Puppet::Util::Windows::File::FILE_GENERIC_READ Puppet::Util::Windows::File::FILE_GENERIC_EXECUTE - Add new constants to Puppet::Util::Windows::Error ERROR_FILE_NOT_FOUND ERROR_ACCESS_DENIED
2014-06-23(PUP-1283) win32-security gem raises a different exceptionJosh Cooper1-1/+1
Previously, puppet relied on win32-security version 0.1.4, which raised Win32::Security::SID::Error when it failed to resolve a name into a SID. Newer FFI versions of win32-security raise SystemCallError instead, which is a StandardError subclass. When trying to run the puppet agent against newer versions of the library, puppet reports: Uninitialized constant Win32::Security::SID::Error This commit changes the rescue to capture SystemCallError instead. This exception is defined in ruby 1.8.7 and up.
2014-06-19(PUP-839) Remove SID mixin from SecurityEthan J. Brown2-16/+13
- SID methods can really standalone on their own, and should for the sake of sanity / code maintenance. Adjust all callsites (including specs) accordingly. - Make SID methods into static module_functions since they're already stateless
2014-06-18(PUP-2738) FFI from_string_to_wide_string blockEthan J. Brown1-4/+8
- MemoryPointer from_string_to_wide_string previously allocated a new MemoryPointer instance but didn't force callers to scope / free it. This allowed the Ruby runtime to clean it up on GC, but we prefer to force callers to use a block form, to clean up the unmanaged memory when the variable is no longer needed. Refactor the method to yield the ptr. - Since the ptr is no longer valid after the block yields, return nil from the method
2014-06-06(PUP-2656) FFI Puppet::Util::Windows::RegistryRob Reynolds1-6/+7
- FFI GetACP - Remove requirement on gem windows-pr by removing 'windows/national' - Moved require for windows/registry into windows platform specific - Added module definition to satisfy MSI/Windows Package
2014-05-22(PUP-2554) FFI Puppet::Util::ADSIEthan J. Brown1-0/+7
- Convert ADSI GetComputerName to FFI - Add missing error handling for GetComputerName Win32 function - Add test that verifies GetComputerName returns a non-empty string - Add FFI MemoryPointer aliases for dwords Conflicts: spec/unit/util/windows/adsi_spec.rb
2014-05-22(PUP-2544) Util::ADSI -> Util::Windows::ADSIEthan J. Brown1-0/+433
- Move Windows ADSI code out of puppet/util and into puppet/util/windows - Update namespace from Puppet::Util::ADSI to Puppet::Util::Windows::ADSI - Add module / class definitions for ADSI to util/windows.rb to prevent tests from blowing up on non-Windows - Moving Puppet.features.microsoft_windows? checks to top of user and group provider tests for ADSI - Update all dependent code, remove unnecessary references
2014-05-22(PUP-836) FFI Puppet::Util::Windows::UserEthan J. Brown2-0/+28
- LogonUserW, LoadUserProfile, UnloadUserProfile and PROFILEINFO have been converted from manually packing params with Win32API.new to automatically managed with FFI definitions. - Use MemoryPointer where appropriate. - Note that wide character LogonUserW is used rather than platform varying LogonUser as FFI is unable to use that. The pointer widths of PROFILEINFO vary depending on platform, which is handled by using :pointer. With LogonUserW the string pointed to is always wide character, which is properly handled by using wide_string. - Add FFI::MemoryPointer helper read_handle - Add FFI::MemoryPointer.from_wide_string and corresponding tests that ensure that a properly terminated UTF-16LE string is passed in - Add FFI::MemoryPointer#read_wide_string that reads a wide string buffer into a Ruby string with Encoding.default_external and corresponding tests - Add additional tests around User methods that make native Win32 API calls that will intentionally fail - Fix wide_string helper to return nil when given nil so that can be passed directly to Win32 as a null pointer
2014-01-17(PUP-1389) Embed the extra NULL within the stringJosh Cooper1-30/+14
Previously, we were appending a NULL to the wide encoded string to work around a ruby bug fixed in 2.1. However, we were calling `String#strip`, which makes a copy of the string, and in the process only preserves the first NULL. This commit embeds a NULL within the string itself, e.g. "bob\0". Since the NULL is part of the string data, ruby will preserve it. Also, `String#+` cannot combine strings with different encodings, e.g. "a".encode('UTF-16LE') + "\0" results in: incompatible character encodings: UTF-16LE and US-ASCII which is why we need to encode the terminator. The actual message depends on the default encoding, e.g. US-ASCII, UTF-8.
2014-01-14Merge branch 'pr/2261' into stableJosh Cooper1-0/+70
* pr/2261: (PUP-1389) Simplify logic for appending extra NULL (PUP-1389) ReplaceFile to FFI / move wide_string (PUP-1389) Ensure wide strings have double null terminators
2014-01-14(PUP-1389) ReplaceFile to FFI / move wide_stringRob Reynolds1-0/+70
Puppet::Util::Windows::File.replace_file now calls FFI to replace files in place on Windows. Puppet::Util::Windows::File.wide_string has now been moved to Puppet::Util::Windows::String.wide_string. This moves wide_string to lib/puppet/ubilt/windows/string.rb, adds specs concerning different encodings. In addition, we've removed Windows::API::WideString usages from everywhere it was found as it is known to cause issues with Windows 2012. Puppet::Util::Windows::Process.lookup_privilege_value in particular was changed to use LookupPrivilegeValueA (ANSI) as we control the privilege name being passed to it. Paired with Josh Cooper <josh@puppetlabs.com>
2014-01-07(PUP-1211) Force registry value encoding to match code pageJosh Cooper1-0/+54
Ruby uses ANSI versions of Win32 APIs to read values from the registry. The encoding of these strings depends on the active code page. However, ruby incorrectly sets the string encoding to US-ASCII.[1] As a result, if you try to perform a regex match on the string, and the string contains the registered trademark symbol, 0xAE, then ruby will raise an error saying 'Invalid byte sequence in US-ASCII' This commit forces the encoding of REG_SZ, REG_EXPAND_SZ, and REG_MULTI_SZ to the encoding for the active code page. So if the active code page is 1252, the ruby encoding will be `Encoding::CP1252`. See https://bugs.ruby-lang.org/issues/8943
2013-11-26(#11563) Create an explicit ace if the old ace is inheritedJosh Cooper1-0/+22
Given a directory owned by Administrators and group None, and with DACL: NT AUTHORITY\SYSTEM:(I)(OI)(CI) 0x1f01ff BUILTIN\Administrators:(I)(OI)(CI) 0x1f01ff WIN-QP47VOHA2P4\albert:(I)(OI)(CI) 0x1f01ff where the ACE for the owner is inherited (I). If puppet changed the owner to Users, it would copy all of the inherited ACEs as-is. But the new owner would not have any privileges, even though the old owner did. The same is true for group. This commit ensures that if we see an inherited ACE for the old owner, that we prepend a new explicit ACE, whose type (allow or deny), flags and mask grant/deny the same access as the inherited ACE did. Note that not all flags are valid when setting an ACE, e.g. INHERITED_ACE is only something you can read, not set. As a result of this change, when puppet changes the owner from Administrators to Users the dacl will have the following ACE prepended to the list, with the existing inherited ACEs copied as-is: BUILTIN\Users:(OI)(CI) 0x1f01ff Note that the new ACE has the same mask as the old one, and has the object and container inherit flags set.
2013-11-26(#11563) Model Windows security descriptorsJosh Cooper3-0/+295
Creates objects for modeling windows security descriptors, access control lists, and access control entries.
2013-11-15Merge branch 'stable'Kylo Ginsberg1-8/+10
2013-11-15(#23183) Use FFI to manage pointers in RootCerts moduleJosh Cooper1-8/+10
Previously, we made assumptions about the layout of the CERT_CONTEXT structure, specifically that PCERT_INFO (pointer to CERT_CONTEXT) was an unsigned 32-bit integer ('L'), and magically accessed the size of the returned structure as arr[2]. We were also memcpy 40-bytes which was larger than the size of the CERT_CONTEXT structure in both x86 and x64 and was the cause of infrequent segmentation faults. This commit uses FFI to define the layout of the CERT_CONTEXT structure, uses named fields, e.g. [:cbCertEncoded], to access offsets within the structure, and uses the FFI::Pointer#null? method to check for NULL pointer. Note that we use FFI::Pointer and not MemoryPointer, because the CertEnumCertificatesInStore function is responsible for freeing the previous CERT_CONTEXT pointer, not us. Also in the motto of "don't stub what you don't own" it exercises the Win32 APIs to make the tests more meaningful.
2013-10-09(#17031) Add SID.name_to_sid_objectEthan J. Brown1-0/+30
- Simple wrapper around creating new SID instances - Used to insulate tests from Win32::Security - Existing name_to_sid now delegates to this method
2013-10-02(#17031) Add SID.octet_string_to_sid_objectEthan J. Brown1-0/+39
- This will allow a WIN32OLE instance returned by the connect method to convert its objectSID property (an octet stream / array of bytes) to a standard user friendly SID object
2013-01-31(#11276) Load default root certs on WindowsJosh Cooper1-0/+15
On Windows calling OpenSSL::X509::Store#set_default_paths does nothing. As a result, puppet is unable to make authenticated SSL connections to well-known SSL servers, like forge.puppetlabs.com. This commit adds a RootCerts class that loads the root certs from the Windows system cert store, and monkey patches the OpenSSL::X509::Store#set_default_paths to behave as expected on Windows. Note the actual semantics for set_default_paths are slightly different, in that on *nix, it sets the paths that openssl will look for trusted root certs, whereas this patch loads them into the X509::Store object on Windows. But the net effect is the same, we're specifying the set of root certs that we trust when authenticating SSL servers. This commit monkey patches openssl, because there isn't a central way to create SSL contexts in ruby. Specifically, open-uri hides the process of setting up the SSL context, so the caller doesn't have to "worry" about it. In doing so, it calls set_default_paths expecting that is all that is needed. But it makes it next to impossible for the caller to add other root certs. Specifically, the module tool uses open-uri to download tar.gz content, but that said the issue is not specific to the module tool. This commit also adds an SSL acceptance test.
2012-10-24Merge remote-tracking branch 'upstream/2.7.x' into 3.0.xAndrew Parker1-0/+100
* upstream/2.7.x: (#16581) Refactor code for sid validation (#16581) Deprecate sid_for_account (#16581) Use native Win32 APIs to resolve SIDs in file provider (#16581) Use native Win32 APIs to resolve SIDs in providers (#16581) Documentation changes (#16581) Use win32-security gem to resolve SIDs (#16581) Refactor code for converting string and binary sids Conflicts: Gemfile.lock lib/puppet/util/windows.rb
2012-10-24(#16581) Refactor code for sid validationJosh Cooper1-4/+20
Previously, the windows file provider knew too much about how to validate a sid, e.g. catching a specific windows-specific exception. This commit moves that logic into a `valid_sid?` method and updates the file provider to call it. In doing so, the logic for `string_to_sid_ptr` is simplier, in that it always expects a block. It also removes tests that were refactored into sid_spec.rb in an earlier commit.
2012-10-19(#16581) Use win32-security gem to resolve SIDsJosh Cooper1-3/+37
This commit adds methods for resolving Windows account names into binary encoded SIDs and back. Account names may be specified with or without the domain component, or as a SID string. So all of the following are equivalent names for the LocalSystem account: NT AUTHORITY\SYSTEM SYSTEM S-1-5-18 There is a bug[1] in the `SID.string_to_sid` method in versions of win32-security prior to 0.1.4, so this commit updates the Gemfile accordingly. [1] https://github.com/djberg96/win32-security/pull/1 Conflicts: spec/unit/util/windows/sid_spec.rb
2012-10-19(#16581) Refactor code for converting string and binary sidsJosh Cooper1-0/+50
This commit moves the methods that were previously part of the security module into a sid module, and adds tests that only execute on windows due to its reliance on the `win32/security` gem.
2012-09-26(Maint) Remove rspec from shebang lineJeff McCune1-1/+1
Without this patch Ruby 1.9 is still complaining loudly about trying to parse the spec files. The previous attempt to clean up this problem in edc3ddf works for Ruby 1.8 but not 1.9. I'd prefer to remove the shebang lines entirely, but doing so will cause encoding errors in Ruby 1.9. This patch strives for a happy middle ground of convincing Ruby it is actually working with Ruby while not confusing it to think it should exec() to rspec. This patch is the result of the following command run against the source tree: find spec -type f -print0 | \ xargs -0 perl -pl -i -e 's,^\#\!\s?/(.*)rspec,\#! /usr/bin/env ruby,'
2012-08-14(Maint) Include the registry key path in the exceptionJosh Cooper1-1/+2
Previously, it wasn't clear from the exception message which registry key we failed to open. This commit adds the registry key path to the message to debug issues we are seeing in CI, but is also generally helpful.
2012-08-06(#11870) Add registry moduleJosh Cooper1-0/+85
Ruby includes a built-in set of modules and classes for interacting with the registry, however, it is only present on Windows. This makes it difficult to write spec tests that can run on non-Windows platforms due to the `Win32` namespace and related constants. This commit adds a utility module to wrap the Windows specific code. This way if you write a module/class that uses the registry, you can just add expects/stub expectations to the utility module or the class that includes/extends it.