Adds system-wide safe.directory entries for all vcsrepo git invocations,
as presumably, you should only be dealing with safe things?
Slap the git_zz.rb into a module somewhere, as something like <module dir>/lib/puppet/provider/vcsrepo/git_zz.rb...
then, running Puppet with --debug, you should be able to see when it creates the safe.directory entries.
| require 'puppet' | |
| Puppet.debug('Found our "vcsrepo" git provider monkey patch.') | |
| Puppet::Type.type(:vcsrepo).provider(:git).class_eval do | |
| [:exec_git].each do |item| | |
| old_item = instance_method(item) | |
| # XXX: CVE-2022-24765 threw a wrench in things. vcsrepo has two separate | |
| # properties: "owner" which identifies a user to whom the managed resources | |
| # should belong, and "user" which identifier the user as whom commands to | |
| # manage the resource should be performed... CVE-2022-24765 effectively | |
| # requires these two properties to have the same value, or, to otherwise | |
| # work around to mark our repos as "safe"... so let's mark 'em. | |
| # | |
| # @see https://github.com/puppetlabs/puppetlabs-vcsrepo/issues/535 | |
| define_method(item) do |*args| | |
| Puppet.debug("In monkey-patched/overridden #{self.class.name}.#{item.to_s} method for: #{@resource.value(:path)}") | |
| begin | |
| return old_item.bind(self).call(*args) | |
| rescue Puppet::ExecutionFailure => error | |
| kwargs = {failonfail: true, combine: true} | |
| rethrow = false | |
| begin | |
| Puppet.debug("Checking for existence of 'safe.directory' entry for #{@resource[:path]}.") | |
| pattern = "^#{@resource[:path]}$" | |
| Puppet::Util::Execution.execute([:git, ['config', '--system', '--get-all', 'safe.directory', pattern]], **kwargs) | |
| Puppet.debug("'safe.directory' entry for #{@resource[:path]} existed, so something else went wrong... rethrowing.") | |
| rethrow = true | |
| rescue Puppet::ExecutionFailure | |
| Puppet.debug("Failed to find 'safe.directory' entry for #{@resource[:path]}; attempting to add one.") | |
| Puppet::Util::Execution.execute([:git, ['config', '--system', '--add', 'safe.directory', @resource[:path]]], **kwargs) | |
| Puppet.debug("Added 'safe.directory' for #{@resource[:path]}; attempting original command again.") | |
| end | |
| if rethrow | |
| raise(error) | |
| end | |
| return old_item.bind(self).call(*args) | |
| end | |
| end | |
| end | |
| [:destroy].each do |item| | |
| old_item = instance_method(item) | |
| # XXX: CVE-2022-24765 threw a wrench in things. vcsrepo has two separate | |
| # properties: "owner" which identifies a user to whom the managed resources | |
| # should belong, and "user" which identifier the user as whom commands to | |
| # manage the resource should be performed... CVE-2022-24765 effectively | |
| # requires these two properties to have the same value, or, to otherwise | |
| # work around to mark our repos as "safe"... there's a good chance that we | |
| # have added the "safe.directory" thing, so... let's nuke it if it's | |
| # present. | |
| # | |
| # @see https://github.com/puppetlabs/puppetlabs-vcsrepo/issues/535 | |
| define_method(item) do | |
| pattern = "^#{@resource[:path]}$" | |
| kwargs = {failonfail: true, combine: true} | |
| begin | |
| Puppet.debug("Attempting to remove 'safe.directory' entry for #{@resource[:path]}.") | |
| Puppet::Util::Execution.execute([:git, ['config', 'system', '--unset-all', pattern]], **kwargs) | |
| Puppet.debug("Removed 'safe.directory' entry for #{@resource[:path]}.") | |
| rescue Puppet::ExecutionFailure | |
| Puppet.debug("Failed to remove 'safe.directory' entry for #{@resource[:path]}; might not have been one?") | |
| ensure | |
| return old_item.bind(self).call | |
| end | |
| end | |
| end | |
| end |
Just a note for others: git_exec requires versions of vcsrepo that require Puppet 6 or greater.