From 9d6c9c968b12bf416e1d06d909526b8d9784a271 Mon Sep 17 00:00:00 2001
From: Christopher Thorn
Date: Wed, 4 Oct 2023 15:38:35 -0700
Subject: [PATCH] (PUP-11938) Handle more errors around Windows SID and ASID

This commit introduces two new errors, ERROR_TRUSTED_DOMAIN_FAILURE and ERROR_TRUSTED_RELATIONSHIP_FAILURE. Those two errors can occur when looking up a SID and the a host fails a trust call with the AD. We can still recover and should attept to.
---
 lib/puppet/util/windows/adsi.rb | 7 +++++++
 lib/puppet/util/windows/sid.rb | 6 ++++--
 spec/unit/util/windows/adsi_spec.rb | 25 +++++++++++++++++++++++++
 3 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/lib/puppet/util/windows/adsi.rb b/lib/puppet/util/windows/adsi.rb
index ac31546fba2..877b5c9a2f9 100644
--- a/lib/puppet/util/windows/adsi.rb
+++ b/lib/puppet/util/windows/adsi.rb
@@ -176,6 +176,13 @@ def get_sids(adsi_child_collection)
 sids = []
 adsi_child_collection.each do |m|
 sids << Puppet::Util::Windows::SID.ads_to_principal(m)
+ rescue Puppet::Util::Windows::Error => e
+ case e.code
+ when Puppet::Util::Windows::SID::ERROR_TRUSTED_RELATIONSHIP_FAILURE, Puppet::Util::Windows::SID::ERROR_TRUSTED_DOMAIN_FAILURE
+ sids << Puppet::Util::Windows::SID.unresolved_principal(m.name, m.sid)
+ else
+ raise e
+ end
 end
 
 sids
diff --git a/lib/puppet/util/windows/sid.rb b/lib/puppet/util/windows/sid.rb
index e3ec7938b4d..88557bfd5ce 100644
--- a/lib/puppet/util/windows/sid.rb
+++ b/lib/puppet/util/windows/sid.rb
@@ -7,8 +7,10 @@ module SID
 extend FFI::Library
 
 # missing from Windows::Error
- ERROR_NONE_MAPPED = 1332
- ERROR_INVALID_SID_STRUCTURE = 1337
+ ERROR_NONE_MAPPED = 1332
+ ERROR_INVALID_SID_STRUCTURE = 1337
+ ERROR_TRUSTED_DOMAIN_FAILURE = 1788
+ ERROR_TRUSTED_RELATIONSHIP_FAILURE = 1789
 
 # Well Known SIDs
 Null = 'S-1-0'
diff --git a/spec/unit/util/windows/adsi_spec.rb b/spec/unit/util/windows/adsi_spec.rb
index fa1095f8f66..28b06775302 100644
--- a/spec/unit/util/windows/adsi_spec.rb
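Review bot: The new `rescue` branch in get_sids swaps in an unresolved principal when a lookup fails with a trust error, but nothing is logged, so an operator cannot tell from a run that membership was evaluated against unresolved entries while the domain trust was broken. I would add `Puppet.debug("Could not resolve #{m.name} (error #{e.code}); using unresolved principal")`, or a warning, just before the `sids << ...unresolved_principal(m.name, m.sid)` line. The fallback also reads `m.name` and `m.sid` straight from the member; the spec only exercises doubles, so it is worth confirming that real ADSI member objects answer `sid` (the attribute is presumably `objectSID`) and that the value is in the form `unresolved_principal` expects. As a style point, a bare `raise` in the `else` arm re-raises the current exception without naming `e`. The body of get_sids starts above this hunk and its closing `end` lies below it.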
+++ b/spec/unit/util/windows/adsi_spec.rb
@@ -95,6 +95,31 @@
 end
 end
 
+ describe '.get_sids' do
+ it 'returns an array of SIDs given two an array of ADSI children' do
+ child1 = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
+ child2 = double('child2', name: 'Guest', sid: 'S-1-5-21-3882680660-671291151-3888264257-501')
+ allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child1).and_return('Administrator')
+ allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child2).and_return('Guest')
+ sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child1, child2])
+ expect(sids).to eq(['Administrator', 'Guest'])
+ end
+
+ it 'returns an array of SIDs given an ADSI child and ads_to_principal returning domain failure' do
+ child = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
+ allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child).and_raise(Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::SID::ERROR_TRUSTED_DOMAIN_FAILURE))
+ sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child])
+ expect(sids[0]).to eq(Puppet::Util::Windows::SID::Principal.new(child.name, child.sid, child.name, nil, :SidTypeUnknown))
+ end
+
+ it 'returns an array of SIDs given an ADSI child and ads_to_principal returning relationship failure' do
+ child = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
+ allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child).and_raise(Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::SID::ERROR_TRUSTED_RELATIONSHIP_FAILURE))
+ sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child])
+ expect(sids[0]).to eq(Puppet::Util::Windows::SID::Principal.new(child.name, child.sid, child.name, nil, :SidTypeUnknown))
+ end
+ end
+
 describe Puppet::Util::Windows::ADSI::User do
 let(:username) { 'testuser' }
 let(:domain) { 'DOMAIN' }
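Review bot: The new examples cover only the two recovered error codes; the `else` arm of the rescue in get_sids, which re-raises every other `Puppet::Util::Windows::Error`, has no example, so a later change that widened the recovery to all errors would go unnoticed. Add an example that stubs `ads_to_principal` to raise with a different code, for instance `ERROR_INVALID_SID_STRUCTURE`, and asserts `expect { Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child]) }.to raise_error(Puppet::Util::Windows::Error)`. The first example's description also reads 'given two an array'; `'returns an array of SIDs given an array of ADSI children'` is presumably what was meant.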