|
require 'puppet' |
|
|
|
Puppet.debug('Found our "vcsrepo" git provider monkey patch.') |
|
|
|
Puppet::Type.type(:vcsrepo).provider(:git).class_eval do |
|
[:exec_git].each do |item| |
|
old_item = instance_method(item) |
|
|
|
# XXX: CVE-2022-24765 threw a wrench in things. vcsrepo has two separate |
|
# properties: "owner" which identifies a user to whom the managed resources |
|
# should belong, and "user" which identifier the user as whom commands to |
|
# manage the resource should be performed... CVE-2022-24765 effectively |
|
# requires these two properties to have the same value, or, to otherwise |
|
# work around to mark our repos as "safe"... so let's mark 'em. |
|
# |
|
# @see https://github.com/puppetlabs/puppetlabs-vcsrepo/issues/535 |
|
|
|
define_method(item) do |*args| |
|
Puppet.debug("In monkey-patched/overridden #{self.class.name}.#{item.to_s} method for: #{@resource.value(:path)}") |
|
begin |
|
return old_item.bind(self).call(*args) |
|
rescue Puppet::ExecutionFailure => error |
|
kwargs = {failonfail: true, combine: true} |
|
rethrow = false |
|
begin |
|
Puppet.debug("Checking for existence of 'safe.directory' entry for #{@resource[:path]}.") |
|
pattern = "^#{@resource[:path]}$" |
|
Puppet::Util::Execution.execute([:git, ['config', '--system', '--get-all', 'safe.directory', pattern]], **kwargs) |
|
Puppet.debug("'safe.directory' entry for #{@resource[:path]} existed, so something else went wrong... rethrowing.") |
|
rethrow = true |
|
rescue Puppet::ExecutionFailure |
|
Puppet.debug("Failed to find 'safe.directory' entry for #{@resource[:path]}; attempting to add one.") |
|
Puppet::Util::Execution.execute([:git, ['config', '--system', '--add', 'safe.directory', @resource[:path]]], **kwargs) |
|
Puppet.debug("Added 'safe.directory' for #{@resource[:path]}; attempting original command again.") |
|
end |
|
|
|
if rethrow |
|
raise(error) |
|
end |
|
|
|
return old_item.bind(self).call(*args) |
|
end |
|
end |
|
end |
|
|
|
[:destroy].each do |item| |
|
old_item = instance_method(item) |
|
|
|
# XXX: CVE-2022-24765 threw a wrench in things. vcsrepo has two separate |
|
# properties: "owner" which identifies a user to whom the managed resources |
|
# should belong, and "user" which identifier the user as whom commands to |
|
# manage the resource should be performed... CVE-2022-24765 effectively |
|
# requires these two properties to have the same value, or, to otherwise |
|
# work around to mark our repos as "safe"... there's a good chance that we |
|
# have added the "safe.directory" thing, so... let's nuke it if it's |
|
# present. |
|
# |
|
# @see https://github.com/puppetlabs/puppetlabs-vcsrepo/issues/535 |
|
|
|
define_method(item) do |
|
pattern = "^#{@resource[:path]}$" |
|
kwargs = {failonfail: true, combine: true} |
|
begin |
|
Puppet.debug("Attempting to remove 'safe.directory' entry for #{@resource[:path]}.") |
|
Puppet::Util::Execution.execute([:git, ['config', 'system', '--unset-all', pattern]], **kwargs) |
|
Puppet.debug("Removed 'safe.directory' entry for #{@resource[:path]}.") |
|
rescue Puppet::ExecutionFailure |
|
Puppet.debug("Failed to remove 'safe.directory' entry for #{@resource[:path]}; might not have been one?") |
|
ensure |
|
return old_item.bind(self).call |
|
end |
|
end |
|
end |
|
end |
Just a note for others: git_exec requires versions of vcsrepo that require Puppet 6 or greater.