Jira (PUP-11198) Directoryservice user provider unable to deserialize XML ShadowHashData plists

[Gabriel Nagy (Jira)]

Gabriel Nagy created an issue

Puppet / PUP-11198 Directoryservice user provider unable to deserialize XML ShadowHashData plists Issue Type: Bug Assignee: Unassigned Created: 2021/08/04 8:20 AM Priority: Normal Reporter: Gabriel Nagy Puppet Version: reproduced with latest nightly (7.9.0.something) Puppet Server Version: n/a OS Name/Version: macOS 11 (probably others as well) An user with an embedded XML ShadowHashData plist will fail to parse correctly. The current directoryservice logic always expects embedded binary plists: https://github.com/puppetlabs/puppet/blob/9d0de43eefce442c7a329075aea9700b449f5987/lib/puppet/provider/user/directoryservice.rb#L148 failing object: [11] pry(directoryservice)> attribute_hash => {:guid=>"0DCC37EC-F153-4225-A24F-A9C402B7EAE4", :home=>"/Users/it-admin", :password=>"********", :gid=>20, :comment=>"IT Admin", :name=>"it-admin", :uid=>501, :shell=>"/bin/zsh", :ensure=>:present, :provider=>:directoryservice, :shadowhashdata=> ["<dict><key>SALTED-SHA512-PBKDF2</key><dict><key>entropy</key><data>wuNIQpiOdd/VETAO1tScduPp12lZo2Y9NCCN4DsSn4S9RW/yn9E3kZ7/u1OIK4BSWhF0HcT76wrTA29wy666YUQwCBskLw9wkO1UiRcPT1PIM1MhqmEkFZ/2GCSr447zXuMCwXXPbHRl33ePHqc95hZiCE4yIliq2n+9mn3RsNg=</data><key>iterations</key><integer>35279</integer><key>salt</key><data>95wTw19bCcvLG2y63//4HavWalWAOWQj/QwvD92pfrc=</data></dict></dict>"], :groups=>"_appserveradm,_appserverusr,_lpadmin,admin,staff"} good object [1] pry(directoryservice)> attribute_hash => {:guid=>"94F73AE5-5D18-446F-BCA3-B41E36CFBB58", :home=>"/dev/null", :password=>"********", :gid=>703, :comment=>"SophosEndpoint", :name=>"_sophos", :uid=>504, :shell=>"/usr/bin/false", :ensure=>:present, :provider=>:directoryservice, :shadowhashdata=> ["62706c69 73743030 d2010203 0a5f101e 5352502d 52464335 3035342d 34303936 2d534841 3531322d 50424b44 46325f10 1453414c 5445442d 53484135 31322d50 424b4446 32d30405 06070809 58766572 69666965 72547361 6c745a69 74657261 74696f6e 734f1102 003a2e27 eae7a5d2 843a63cf 4344147e af0a8261 e93c0e36 8b54a7cb 533ecca0 bd10a4f2 5ece2765 ae819f24 6c0dbd3d 24bc03ae 9106b118 daed9fe8 5c09e6cf 006d6837 35008851 f50564cb b08146a8 9752bffe fbc2f0ed 3681998b 2ead12ed e808f0ee 4c486c29 742aa5fd 81a15483 f0d7d3dc 8941a4c3 b05d7ede 0efc0fe8 4b07a053 cdd554ac 4e915e47 830fa935 e7556d43 b08119f4 033207e9 12be342b cee78077 04443f93 2a8faf00 c49702d9 bf990238 af680676 3c29e8a7 7c51de42 5f597b9b ed3d6c7b 72b61c8f 2a729d25 a9fa69dc 5db1516d bbea3125 3f0acac7 a39e5f8b c71b3656 2fef3027 a691e6bc 4327afb8 8a183905 ae2c6bd4 7e1f716f a8495dd0 2a9bc04e 75bf94a1 97c8fb26 ee08b013 d25dbe3d c84db248 484aaed6 75680b71 70b7ff05 f0e790cc f8da7c31 1272e682 3c579242 af1aca01 ffd567c4 fa0122f9 778b7b24 dcdacdc6 32a1cbb3 19cd6939 ebcf6dcb e3fbf121 237dd80c 2223de07 b60b55cb 907fe686 ae5a48ae 646be086 e699cde4 38e1628a 917ab61e b0014946 de877e37 8a544c8e e5fc3cb8 16578ec3 84256d43 c9146000 4195d769 44d04b60 ea4b569f ddc3fc3d 394b14c1 94a928df afd42e7d ed9e162a 9351e991 5badba97 b81e6cf6 dbfd9249 c45ca8dd a1f3338d a8668648 1da3f7bb c02e0ed4 17674988 2b88f74f 22791185 75d453b4 5ea69165 3cc1dafc a2d3f4a4 f3d69717 f54f1020 ed74982d 30b0dfb7 dd01fcdf eacba783 f3f5d527 ea1ee5c1 522dda7c 1d4b63ce 1200020f dfd30b05 060c0d0e 57656e74 726f7079 4f108082 d20410cd f7360d6c f3fed292 79f82987 f579b289 2163ca17 59140cd2 63c3af92 a9f58aa4 ec43a8af bcde5c8b baaef5fa 5a583962 23184fae 7850220f 1b23be31 c10eb4f5 83fd5b70 0b8eda18 91dc9430 47099f60 7c245d6c 710cd608 9163b4f5 6aad265f 9a1e8239 f1143ec5 983c33b9 4b5effff cfe836a8 3431a732 b1608a4f 102000b5 96992b40 025b7115 a5f17886 98613b27 cafec848 9e86e2b7 2c1c0a32 e9971200 02171a00 08000d00 2e004500 4c005500 5a006502 69028c02 91029802 a0032303 46000000 00000002 01000000 00000000 0f000000 00000000 00000000 00000003 4b"], :groups=>"staff"} Desired Behavior: Commands like puppet resource user work without raising an error. Actual Behavior: > puppet resource user --trace Debug: Converting binary plist to hash Debug: Failed with CFFormatError on : #<CFFormatError: content after root object> Error: Could not run: undefined method `[]' for nil:NilClass /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/provider/user/directoryservice.rb:150:in `generate_attribute_hash' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/provider/user/directoryservice.rb:88:in `block in instances' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/provider/user/directoryservice.rb:87:in `collect' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/provider/user/directoryservice.rb:87:in `instances' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:1186:in `block in instances' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:1185:in `collect' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:1185:in `instances' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/resource/ral.rb:24:in `search' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:299:in `search' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/resource.rb:242:in `find_or_save_resources' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/resource.rb:147:in `block in main' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:306:in `override' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/resource.rb:142:in `main' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:437:in `run_command' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:421:in `block in run' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:744:in `exit_on_fail' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:421:in `run' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:143:in `run' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute' /opt/puppetlabs/puppet/bin/puppet:5:in `<main>' I manually validated that the XML plist string can be parsed using Puppet::Util::Plist.parse_plist provided the plist has the correct DOCTYPE preamble (in this case it has to be added manually – something like '<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' + plist_data + '</plist>' Another thing to check would be whether embedded XML plists in ShadowHashData are valid at all; so try creating an account this way and attempt to log in. This specific "bad" plist comes from an MDM account. Add Comment

This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)

[Josh Cooper (Jira)]

Josh Cooper commented on PUP-11198

Re: Directoryservice user provider unable to deserialize XML ShadowHashData plists maybe a dup of PUP-9819?

Add Comment

[Gabriel Nagy (Jira)]

Gabriel Nagy commented on PUP-11198

Re: Directoryservice user provider unable to deserialize XML ShadowHashData plists

facepalm yes, looks like I commented on that one an eternity ago; closing this as a dup

Add Comment