author | Pete Higgins <pete@peterhiggins.org> | 2020-05-29 16:31:53 -0700 |
---|---|---|
committer | Pete Higgins <pete@peterhiggins.org> | 2020-06-03 11:46:53 -0700 |
commit | b149c5967fdb3f084853f4cf06bff8ec607f7328 (patch) | |
tree | 35b2ac467ceb53fb74ffb3288efdebd85a62524e /lib | |
parent | 39fed5da413fa7906f893ff29ad693e5662d8e46 (diff) | |
download | chef-b149c5967fdb3f084853f4cf06bff8ec607f7328.tar.gz |
Move code using temp file from Script to WindowsScript.
Signed-off-by: Pete Higgins <pete@peterhiggins.org>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/chef/provider/script.rb | 64 | ||||
-rw-r--r-- | lib/chef/provider/windows_script.rb | 69 |
2 files changed, 71 insertions, 62 deletions
diff --git a/lib/chef/provider/script.rb b/lib/chef/provider/script.rb
index cb4fcd8a22..71b86e8657 100644
--- a/lib/chef/provider/script.rb
+++ b/lib/chef/provider/script.rb
@@ -37,70 +37,12 @@ class Chef def_delegators :new_resource, :interpreter, :flags, :code def command - "\"#{interpreter}\" #{flags} \"#{script_file.path}\"" + "\"#{interpreter}\" #{flags}" end - action :run do - script_file.puts(code) - script_file.close - - set_owner_and_group - - super() - - unlink_script_file - end - - def set_owner_and_group - if ChefUtils.windows? - # And on Windows also this is a no-op if there is no user specified. - grant_alternate_user_read_access - else - # FileUtils itself implements a no-op if +user+ or +group+ are nil - # You can prove this by running FileUtils.chown(nil,nil,'/tmp/file') - # as an unprivileged user. - FileUtils.chown(new_resource.user, new_resource.group, script_file.path) - end + def input + code end - - def grant_alternate_user_read_access - # Do nothing if an alternate user isn't specified -- the file - # will already have the correct permissions for the user as part - # of the default ACL behavior on Windows. - return if new_resource.user.nil? - - # Duplicate the script file's existing DACL - # so we can add an ACE later - securable_object = Chef::ReservedNames::Win32::Security::SecurableObject.new(script_file.path) - aces = securable_object.security_descriptor.dacl.reduce([]) { |result, current| result.push(current) } - - username = new_resource.user - - if new_resource.domain - username = new_resource.domain + '\\' + new_resource.user - end - - # Create an ACE that allows the alternate user read access to the script - # file so it can be read and executed. 
- user_sid = Chef::ReservedNames::Win32::Security::SID.from_account(username) - read_ace = Chef::ReservedNames::Win32::Security::ACE.access_allowed(user_sid, Chef::ReservedNames::Win32::API::Security::GENERIC_READ | Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE, 0) - aces.push(read_ace) - acl = Chef::ReservedNames::Win32::Security::ACL.create(aces) - - # This actually applies the modified DACL to the file - # Use parentheses to bypass RuboCop / ChefStyle warning - # about useless setter - (securable_object.dacl = acl) - end - - def script_file - @script_file ||= Tempfile.open("chef-script") - end - - def unlink_script_file - script_file && script_file.close! - end - end end end diff --git a/lib/chef/provider/windows_script.rb b/lib/chef/provider/windows_script.rb index f46acc60d9..225e0c5563 100644 --- a/lib/chef/provider/windows_script.rb +++ b/lib/chef/provider/windows_script.rb 
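Review bot: The new `input` method is now the only way the script body reaches the interpreter on non-Windows platforms, and `command` deliberately drops the file path, but nothing in script.rb records that contract for the next reader who goes looking for the temp file. Suggest a comment above `def input`: `# The script body is handed to the interpreter on stdin; WindowsScript overrides this (returning nil) and writes a temp file instead.` With `Tempfile` and `FileUtils` no longer referenced here, the corresponding `require` lines at the top of the file, which lie outside this hunk, are presumably dead and could be dropped or confirmed still needed by a sibling. The `Script` class header and its `require`s are outside the hunk.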
@@ -61,11 +61,78 @@ class Chef end end + def command + "\"#{interpreter}\" #{flags} \"#{script_file.path}\"" + end + + def set_owner_and_group + if ChefUtils.windows? + # And on Windows also this is a no-op if there is no user specified. + grant_alternate_user_read_access + else + # FileUtils itself implements a no-op if +user+ or +group+ are nil + # You can prove this by running FileUtils.chown(nil,nil,'/tmp/file') + # as an unprivileged user. + FileUtils.chown(new_resource.user, new_resource.group, script_file.path) + end + end + + def grant_alternate_user_read_access + # Do nothing if an alternate user isn't specified -- the file + # will already have the correct permissions for the user as part + # of the default ACL behavior on Windows. + return if new_resource.user.nil? + + # Duplicate the script file's existing DACL + # so we can add an ACE later + securable_object = Chef::ReservedNames::Win32::Security::SecurableObject.new(script_file.path) + aces = securable_object.security_descriptor.dacl.reduce([]) { |result, current| result.push(current) } + + username = new_resource.user + + if new_resource.domain + username = new_resource.domain + '\\' + new_resource.user + end + + # Create an ACE that allows the alternate user read access to the script + # file so it can be read and executed. + user_sid = Chef::ReservedNames::Win32::Security::SID.from_account(username) + read_ace = Chef::ReservedNames::Win32::Security::ACE.access_allowed(user_sid, Chef::ReservedNames::Win32::API::Security::GENERIC_READ | Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE, 0) + aces.push(read_ace) + acl = Chef::ReservedNames::Win32::Security::ACL.create(aces) + + # This actually applies the modified DACL to the file + # Use parentheses to bypass RuboCop / ChefStyle warning + # about useless setter + (securable_object.dacl = acl) + end + + def unlink_script_file + script_file && script_file.close! 
+ end + + def with_temp_script_file + script_file.puts(code) + script_file.close + + set_owner_and_group + + yield + + unlink_script_file + end + + def input + nil + end + public action :run do with_wow64_redirection_disabled do - super() + with_temp_script_file do + super() + end end end |
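Review bot: `with_temp_script_file` only reaches `unlink_script_file` when the yielded block returns normally; if `super()` (the shell_out) raises, the temp file holding the full script body, which may embed credentials, is left on disk with the read ACE just granted to the alternate user until `Tempfile`'s finalizer happens to run. Make the cleanup unconditional by replacing the blank line and trailing call with `yield`, `ensure`, `unlink_script_file` so the method body ends in an `ensure` clause. Separately, the `ChefUtils.windows?` branch carried over into `set_owner_and_group` is unreachable in a class that only runs on Windows, so the `FileUtils.chown` else-arm and its comments can be dropped or the method reduced to `grant_alternate_user_read_access`. The `script_file` accessor these methods depend on is not visible in this hunk, so its extension/permission handling is assumed unchanged.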