Merge pull request #9121 from cthorn42/maint/7.x/cherry-pick-PUP-11938

joshcooper · web-flow · commit d835ef603aa1 · 2023-10-09T15:41:41.000-07:00
(PUP-11938) Handle more errors around Windows SID and ASID
diff --git a/lib/puppet/util/windows/adsi.rb b/lib/puppet/util/windows/adsi.rb
@@ -175,6 +175,13 @@ def get_sids(adsi_child_collection)
         sids = []
         adsi_child_collection.each do |m|
           sids << Puppet::Util::Windows::SID.ads_to_principal(m)
+        rescue Puppet::Util::Windows::Error => e
+          case e.code
+          when Puppet::Util::Windows::SID::ERROR_TRUSTED_RELATIONSHIP_FAILURE, Puppet::Util::Windows::SID::ERROR_TRUSTED_DOMAIN_FAILURE
+            sids << Puppet::Util::Windows::SID.unresolved_principal(m.name, m.sid)
+          else
+            raise e
+          end
         end
 
         sids
diff --git a/lib/puppet/util/windows/sid.rb b/lib/puppet/util/windows/sid.rb
@@ -6,8 +6,10 @@ module SID
     extend FFI::Library
 
     # missing from Windows::Error
-    ERROR_NONE_MAPPED           = 1332
-    ERROR_INVALID_SID_STRUCTURE = 1337
+    ERROR_NONE_MAPPED                  = 1332
+    ERROR_INVALID_SID_STRUCTURE        = 1337
+    ERROR_TRUSTED_DOMAIN_FAILURE       = 1788
+    ERROR_TRUSTED_RELATIONSHIP_FAILURE = 1789
 
     # Well Known SIDs
     Null                        = 'S-1-0'
diff --git a/spec/unit/util/windows/adsi_spec.rb b/spec/unit/util/windows/adsi_spec.rb
@@ -95,6 +95,31 @@
     end
   end
 
+  describe '.get_sids' do
+    it 'returns an array of SIDs given two an array of ADSI children' do
+      child1 = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
+      child2 = double('child2', name: 'Guest', sid: 'S-1-5-21-3882680660-671291151-3888264257-501')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child1).and_return('Administrator')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child2).and_return('Guest')
+      sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child1, child2])
+      expect(sids).to eq(['Administrator', 'Guest'])
+    end
+
+    it 'returns an array of SIDs given an ADSI child and ads_to_principal returning domain failure' do
+      child = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child).and_raise(Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::SID::ERROR_TRUSTED_DOMAIN_FAILURE))
+      sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child])
+      expect(sids[0]).to eq(Puppet::Util::Windows::SID::Principal.new(child.name, child.sid, child.name, nil, :SidTypeUnknown))
+    end
+
+    it 'returns an array of SIDs given an ADSI child and ads_to_principal returning relationship failure' do
+      child = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child).and_raise(Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::SID::ERROR_TRUSTED_RELATIONSHIP_FAILURE))
+      sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child])
+      expect(sids[0]).to eq(Puppet::Util::Windows::SID::Principal.new(child.name, child.sid, child.name, nil, :SidTypeUnknown))
+    end
+  end
+
   describe Puppet::Util::Windows::ADSI::User do
     let(:username)  { 'testuser' }
     let(:domain)    { 'DOMAIN' }
