WiP: Rework to avoid regressions.

2026-02-21 11:18:06 +00:00 · 2018-10-12 10:51:48 +01:00
parent a6b343fab6
commit f8708215f0
6 changed files with 125 additions and 116 deletions
--- a/modules/build/puppet/secgen_functions/manifests/leak_data.pp
+++ b/modules/build/puppet/secgen_functions/manifests/leak_data.pp
@@ -0,0 +1,44 @@
+define secgen_functions::leak_data (
+  $data_to_leak = [],
+  $storage_directory,
+  $owner        = 'root',
+  $group        = 'root',
+  $mode         = '0660',
+  $leaked_from  = ''
+) {
+
+  $data_to_leak.each |$i, $data_element| {
+    if "secgen_leaked_data" in $data_element {
+      $secgen_leaked_data = parsejson($data_element)
+
+      $data = $secgen_leaked_data['secgen_leaked_data']['data']
+      $filename = $secgen_leaked_data['secgen_leaked_data']['filename']
+      $ext = $secgen_leaked_data['secgen_leaked_data']['ext']
+      $subdirectory = $secgen_leaked_data['secgen_leaked_data']['subdirectory']
+
+      $storage_dir = "$storage_directory/$subdirectory"
+      $path_to_leak = "$storage_dir/$filename.$ext"
+      $leaked_file_resource = "$leaked_from-$path_to_leak"
+
+      unless $subdirectory == '' {
+        ::secgen_functions::create_directory { "create-$storage_dir-$i":
+          res    => "create-$storage_dir-$i",
+          path   => $storage_dir,
+          notify => File[$path_to_leak]
+        }
+      }
+
+      file { $path_to_leak:
+        ensure  => present,
+        owner   => $owner,
+        group   => $group,
+        mode    => $mode,
+        content => base64('decode', $data)
+      }
+
+    } else {
+      fail("Invalid data!")
+    }
+  }
+
+}
--- a/modules/build/puppet/secgen_functions/manifests/leak_files.pp
+++ b/modules/build/puppet/secgen_functions/manifests/leak_files.pp
@@ -1,110 +1,53 @@
-define secgen_functions::leak_files (
-  $leaked_filenames = [],
-  $storage_directory,
-  $strings_to_leak  = [],
-  $data_to_leak     = [],
-  $images_to_leak   = [],
-  $owner            = 'root',
-  $group            = 'root',
-  $mode             = '0660',
-  $leaked_from
-) {
-
-  # Have a check on $data_to_leak for whether the file is a string or json with {"secgen_leaked_data": {}}
-  $data_to_leak.each |$i, $data_element| {
-    if "secgen_leaked_data" in $data_element {
-      $secgen_leaked_data = parsejson($data_element)
-
-      $data = $secgen_leaked_data['secgen_leaked_data']['data']
-      $filename = $secgen_leaked_data['secgen_leaked_data']['filename']
-      $ext = $secgen_leaked_data['secgen_leaked_data']['ext']
-      $subdirectory = $secgen_leaked_data['secgen_leaked_data']['subdirectory']
-
-      $storage_dir = "$storage_directory/$subdirectory"
-      $path_to_leak = "$storage_dir/$filename.$ext"
-      $leaked_file_resource = "$leaked_from-$path_to_leak"
-
-      unless $subdirectory == '' {
-        ::secgen_functions::create_directory { "create-$storage_dir-$i":
-          res => "create-$storage_dir-$i",
-          path   => $storage_dir,
-          notify => File[$path_to_leak]
-        }
-      }
-
-      file { $path_to_leak:
-        ensure  => present,
-        owner   => $owner,
-        group   => $group,
-        mode    => $mode,
-        content => base64('decode', $data)
-      }
-    } else {
-      notice("[$i] leaking string ... ")
-
-      # $filename = $leaked_filenames[0]
-      # $path_to_leak = "$storage_directory/$filename.txt"
-      #
-      # file { $path_to_leak:
-      #   ensure   => present,
-      #   owner    => $owner,
-      #   group    => $group,
-      #   mode     => $mode,
-      #   content  => $data_element
-      # }
-    }
-  }
+define secgen_functions::leak_files($leaked_filenames=[], $storage_directory, $strings_to_leak=[], $images_to_leak=[], $owner = 'root', $group = 'root', $mode = '0660', $leaked_from) {

  # $leaked_from is a mandatory resource specifying where the file was being leaked (i.e. which module / user leaked it.)
  # This is to avoid resource clashes if two users get the same 'leaked_filenames' results

  # Pair strings with the leaked_filenames and leak them.
-  # $string_leak_pairs = zip($strings_to_leak, $leaked_filenames)
-  # $string_leak_pairs.each |$counter, $leak_pair| {
-  #     $leaked_strings = $leak_pair[0]
-  #     $leaked_filename = $leak_pair[1]
-  #
-  #     # until we run out of filenames, create a new file per string
-  #     unless $leaked_filename == undef {
-  #       $leaked_file_resource = "$leaked_from-$leaked_filename-$counter"
-  #       secgen_functions::leak_file { $leaked_file_resource:
-  #         leaked_filename          => $leaked_filename,
-  #         storage_directory        => $storage_directory,
-  #         strings_to_leak          => $leaked_strings,
-  #         owner                    => $owner,
-  #         mode                     => $mode,
-  #         group                    => $group,
-  #       }
-  #     } else {
-  #       # Then just add to first file.
-  #       $first_filename = $leaked_filenames[0]
-  #       $leaked_file_resource = "$leaked_from-$first_filename-$counter"
-  #       secgen_functions::leak_file { $leaked_file_resource:
-  #         leaked_filename          => $first_filename,
-  #         storage_directory        => $storage_directory,
-  #         strings_to_leak          => $leaked_strings,
-  #         owner                    => $owner,
-  #         mode                     => $mode,
-  #         group                    => $group,
-  #         leaked_from              => $leaked_file_resource,  # pass this in when appending to avoid resource clashes
-  #       }
-  #     }
-  #   }
-  # #
-  # # # Leak images with name image#{$counter}.png
-  # # # First file is image1.png not image0.png
-  # # $images_to_leak.each |$counter, $image_contents| {
-  # #   $num = $counter + 1
-  # #   $filename = "image$num.png"
-  # #   $path_to_leak = "$storage_directory/$filename"
-  # #   $leaked_file_resource = "$leaked_from-$filename"
-  # #
-  # #   file { $path_to_leak:
-  # #     ensure  => present,
-  # #     owner   => $owner,
-  # #     group   => $group,
-  # #     mode    => $mode,
-  # #     content => base64('decode', $image_contents)
-  # #   }
-  # }
+  $string_leak_pairs = zip($strings_to_leak, $leaked_filenames)
+  $string_leak_pairs.each |$counter, $leak_pair| {
+    $leaked_strings = $leak_pair[0]
+    $leaked_filename = $leak_pair[1]
+
+    # until we run out of filenames, create a new file per string
+    unless $leaked_filename == undef {
+      $leaked_file_resource = "$leaked_from-$leaked_filename-$counter"
+      secgen_functions::leak_file { $leaked_file_resource:
+        leaked_filename          => $leaked_filename,
+        storage_directory        => $storage_directory,
+        strings_to_leak          => $leaked_strings,
+        owner                    => $owner,
+        mode                     => $mode,
+      }
+    } else {
+      # Then just add to first file.
+      $first_filename = $leaked_filenames[0]
+      $leaked_file_resource = "$leaked_from-$first_filename-$counter"
+      secgen_functions::leak_file { $leaked_file_resource:
+        leaked_filename          => $first_filename,
+        storage_directory        => $storage_directory,
+        strings_to_leak          => $leaked_strings,
+        owner                    => $owner,
+        mode                     => $mode,
+        leaked_from              => $leaked_file_resource,  # pass this in when appending to avoid resource clashes
+      }
+    }
+  }
+
+  # Leak images with name image#{$counter}.png
+  # First file is image1.png not image0.png
+  $images_to_leak.each |$counter, $image_contents| {
+    $num = $counter + 1
+    $filename = "image$num.png"
+    $path_to_leak = "$storage_directory/$filename"
+    $leaked_file_resource = "$leaked_from-$filename"
+
+    file { $path_to_leak:
+      ensure  => present,
+      owner   => $owner,
+      group   => $group,
+      mode    => $mode,
+      content => base64('decode', $image_contents)
+    }
+  }
 }
--- a/modules/generators/structured_content/account/secgen_local/local.rb
+++ b/modules/generators/structured_content/account/secgen_local/local.rb
@@ -4,8 +4,9 @@ class AccountGenerator < StringEncoder
  attr_accessor :username
  attr_accessor :password
  attr_accessor :super_user
-  attr_accessor :data_to_leak
+  attr_accessor :strings_to_leak
  attr_accessor :leaked_filenames
+  attr_accessor :data_to_leak

  def initialize
    super
@@ -13,6 +14,7 @@ class AccountGenerator < StringEncoder
    self.username = ''
    self.password = ''
    self.super_user = ''
+    self.strings_to_leak = []
    self.data_to_leak = []
    self.leaked_filenames = []
  end
@@ -22,15 +24,17 @@ class AccountGenerator < StringEncoder
    account_hash['username'] = self.username
    account_hash['password'] = self.password
    account_hash['super_user'] = self.super_user
-    account_hash['data_to_leak'] = self.data_to_leak
+    account_hash['strings_to_leak'] = self.strings_to_leak
    account_hash['leaked_filenames'] = self.leaked_filenames
+    account_hash['data_to_leak'] = self.data_to_leak

    self.outputs << account_hash.to_json
  end

  def get_options_array
-    super + [['--data_to_leak', GetoptLong::OPTIONAL_ARGUMENT],
+    super + [['--strings_to_leak', GetoptLong::OPTIONAL_ARGUMENT],
             ['--leaked_filenames', GetoptLong::OPTIONAL_ARGUMENT],
+             ['--data_to_leak', GetoptLong::OPTIONAL_ARGUMENT],
             ['--username', GetoptLong::REQUIRED_ARGUMENT],
             ['--password', GetoptLong::REQUIRED_ARGUMENT],
             ['--super_user', GetoptLong::REQUIRED_ARGUMENT]]
@@ -45,10 +49,12 @@ class AccountGenerator < StringEncoder
        self.password << arg;
      when '--super_user'
        self.super_user << arg;
-      when '--data_to_leak'
-        self.data_to_leak << arg;
+      when '--strings_to_leak'
+        self.strings_to_leak << arg;
      when '--leaked_filenames'
        self.leaked_filenames << arg;
+      when '--data_to_leak'
+        self.data_to_leak << arg;
    end
  end

@@ -56,8 +62,9 @@ class AccountGenerator < StringEncoder
    'username: ' + self.username.to_s + print_string_padding +
    'password: ' + self.password.to_s  + print_string_padding +
    'super_user: ' + self.super_user.to_s + print_string_padding +
-    'data_to_leak: ' + self.data_to_leak.to_s + print_string_padding +
-    'leaked_filenames: ' + self.leaked_filenames.to_s
+    'strings_to_leak: ' + self.strings_to_leak.to_s + print_string_padding +
+    'leaked_filenames: ' + self.leaked_filenames.to_s + print_string_padding +
+    'data_to_leak: ' + self.data_to_leak.to_s
  end
 end

--- a/modules/generators/structured_content/account/secgen_metadata.xml
+++ b/modules/generators/structured_content/account/secgen_metadata.xml
@@ -17,8 +17,9 @@
  <read_fact>username</read_fact>
  <read_fact>password</read_fact>
  <read_fact>super_user</read_fact>
-  <read_fact>data_to_leak</read_fact>
+  <read_fact>strings_to_leak</read_fact>
  <read_fact>leaked_filenames</read_fact>
+  <read_fact>data_to_leak</read_fact>

  <default_input into="username">
    <generator type="username_generator"/>
@@ -29,12 +30,15 @@
  <default_input into="super_user">
    <value>false</value>
  </default_input>
-  <default_input into="data_to_leak">
+  <default_input into="strings_to_leak">
    <generator type="message_generator"/>
  </default_input>
  <default_input into="leaked_filenames">
    <generator type="filename_generator"/>
  </default_input>
+  <default_input into="data_to_leak">
+    <generator type="message_generator"/>
+  </default_input>

  <output_type>account</output_type>
 </generator>
--- a/modules/utilities/unix/system/parameterised_accounts/manifests/account.pp
+++ b/modules/utilities/unix/system/parameterised_accounts/manifests/account.pp
@@ -2,8 +2,9 @@ define parameterised_accounts::account (
  $username,
  $password,
  $super_user,
-  $data_to_leak,
-  $leaked_filenames
+  $strings_to_leak,
+  $leaked_filenames,
+  $data_to_leak
 ) {
  # ::accounts::user changes permissions on group, passwd, shadow etc. so needs to run before
  if defined('writable_groups::config') {
@@ -49,7 +50,16 @@ define parameterised_accounts::account (
  # Leak strings in a text file in the users home directory
  ::secgen_functions::leak_files { "$username-file-leak":
    storage_directory => "/home/$username/",
+    strings_to_leak   => $strings_to_leak,
    leaked_filenames  => $leaked_filenames,
+    owner             => $username,
+    group             => $username,
+    mode              => '0444',
+    leaked_from       => "accounts_$username",
+  }
+
+  ::secgen_functions::leak_data { "$username-data-leak":
+    storage_directory => "/home/$username/",
    data_to_leak      => $data_to_leak,
    owner             => $username,
    group             => $username,
--- a/modules/utilities/unix/system/parameterised_accounts/manifests/init.pp
+++ b/modules/utilities/unix/system/parameterised_accounts/manifests/init.pp
@@ -10,8 +10,9 @@ class parameterised_accounts::init {
        username        => $username,
        password        => $account['password'],
        super_user      => str2bool($account['super_user']),
-        data_to_leak    => $account['data_to_leak'],
+        strings_to_leak => $account['strings_to_leak'],
        leaked_filenames => $account['leaked_filenames'],
+        data_to_leak    => $account['data_to_leak'],
      }
    }
  }