From f8708215f0bb1f5e15be2c5af4fc27ea0c51dd41 Mon Sep 17 00:00:00 2001 From: ts Date: Fri, 12 Oct 2018 10:51:48 +0100 Subject: [PATCH] WiP: Rework to avoid regressions.
--- .../secgen_functions/manifests/leak_data.pp | 44 +++++ .../secgen_functions/manifests/leak_files.pp | 151 ++++++------------ .../account/secgen_local/local.rb | 21 ++- .../account/secgen_metadata.xml | 8 +- .../manifests/account.pp | 14 +- .../parameterised_accounts/manifests/init.pp | 3 +- 6 files changed, 125 insertions(+), 116 deletions(-) create mode 100644 modules/build/puppet/secgen_functions/manifests/leak_data.pp
diff --git a/modules/build/puppet/secgen_functions/manifests/leak_data.pp b/modules/build/puppet/secgen_functions/manifests/leak_data.pp new file mode 100644
index 000000000..164278acd
--- /dev/null
+++ b/modules/build/puppet/secgen_functions/manifests/leak_data.pp
@@ -0,0 +1,44 @@
+define secgen_functions::leak_data (
+ $data_to_leak = [],
+ $storage_directory,
+ $owner = 'root',
+ $group = 'root',
+ $mode = '0660',
+ $leaked_from = ''
+) {
+
+ $data_to_leak.each |$i, $data_element| {
+ if "secgen_leaked_data" in $data_element {
+ $secgen_leaked_data = parsejson($data_element)
+
+ $data = $secgen_leaked_data['secgen_leaked_data']['data']
+ $filename = $secgen_leaked_data['secgen_leaked_data']['filename']
+ $ext = $secgen_leaked_data['secgen_leaked_data']['ext']
+ $subdirectory = $secgen_leaked_data['secgen_leaked_data']['subdirectory']
+
+ $storage_dir = "$storage_directory/$subdirectory"
+ $path_to_leak = "$storage_dir/$filename.$ext"
+ $leaked_file_resource = "$leaked_from-$path_to_leak"
+
+ unless $subdirectory == '' {
+ ::secgen_functions::create_directory { "create-$storage_dir-$i":
+ res => "create-$storage_dir-$i",
+ path => $storage_dir,
+ notify => File[$path_to_leak]
+ }
+ }
+
+ file { $path_to_leak:
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => $mode,
+ content => base64('decode', $data)
+ }
+
+ } else {
+ fail("Invalid data!")
+ }
+ }
+
+}
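Review bot: `file { $path_to_leak:` uses the bare filesystem path as the resource title, so two `$data_to_leak` elements that decode to the same `subdirectory`/`filename`/`ext`, or two instances of this define that share a `$storage_directory`, will abort the catalog with a duplicate declaration; `$leaked_file_resource` is built from `$leaked_from` two lines earlier and then never used, which looks like it was meant to be that unique title (a `file { $leaked_file_resource: path => $path_to_leak, ... }` form would give it one). The three path components also come straight out of `parsejson` with no check that they are non-empty or free of `/` and `..`, so a data element could place the file outside `$storage_directory` — presumably the JSON is scenario-authored rather than attacker-supplied, but rejecting those characters before `$path_to_leak` is built would make that assumption explicit. The `fail("Invalid data!")` branch triggers on any element lacking the literal substring `secgen_leaked_data`, including an empty string, so a comment stating what shape of element is expected would help whoever feeds this define.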
diff --git a/modules/build/puppet/secgen_functions/manifests/leak_files.pp b/modules/build/puppet/secgen_functions/manifests/leak_files.pp
index 539f12e61..e2abe595b 100644
--- a/modules/build/puppet/secgen_functions/manifests/leak_files.pp
+++ b/modules/build/puppet/secgen_functions/manifests/leak_files.pp
@@ -1,110 +1,53 @@ -define secgen_functions::leak_files ( - $leaked_filenames = [], - $storage_directory, - $strings_to_leak = [], - $data_to_leak = [], - $images_to_leak = [], - $owner = 'root', - $group = 'root', - $mode = '0660', - $leaked_from -) { - - # Have a check on $data_to_leak for whether the file is a string or json with {"secgen_leaked_data": {}} - $data_to_leak.each |$i, $data_element| { - if "secgen_leaked_data" in $data_element { - $secgen_leaked_data = parsejson($data_element) - - $data = $secgen_leaked_data['secgen_leaked_data']['data'] - $filename = $secgen_leaked_data['secgen_leaked_data']['filename'] - $ext = $secgen_leaked_data['secgen_leaked_data']['ext'] - $subdirectory = $secgen_leaked_data['secgen_leaked_data']['subdirectory'] - - $storage_dir = "$storage_directory/$subdirectory" - $path_to_leak = "$storage_dir/$filename.$ext" - $leaked_file_resource = "$leaked_from-$path_to_leak" - - unless $subdirectory == '' { - ::secgen_functions::create_directory { "create-$storage_dir-$i": - res => "create-$storage_dir-$i", - path => $storage_dir, - notify => File[$path_to_leak] - } - } - - file { $path_to_leak: - ensure => present, - owner => $owner, - group => $group, - mode => $mode, - content => base64('decode', $data) - } - } else { - notice("[$i] leaking string ... ") - - # $filename = $leaked_filenames[0] - # $path_to_leak = "$storage_directory/$filename.txt" - # - # file { $path_to_leak: - # ensure => present, - # owner => $owner, - # group => $group, - # mode => $mode, - # content => $data_element - # } - } - } +define secgen_functions::leak_files($leaked_filenames=[], $storage_directory, $strings_to_leak=[], $images_to_leak=[], $owner = 'root', $group = 'root', $mode = '0660', $leaked_from) { # $leaked_from is a mandatory resource specifying where the file was being leaked (i.e. which module / user leaked it.) 
# This is to avoid resource clashes if two users get the same 'leaked_filenames' results # Pair strings with the leaked_filenames and leak them. - # $string_leak_pairs = zip($strings_to_leak, $leaked_filenames) - # $string_leak_pairs.each |$counter, $leak_pair| { - # $leaked_strings = $leak_pair[0] - # $leaked_filename = $leak_pair[1] - # - # # until we run out of filenames, create a new file per string - # unless $leaked_filename == undef { - # $leaked_file_resource = "$leaked_from-$leaked_filename-$counter" - # secgen_functions::leak_file { $leaked_file_resource: - # leaked_filename => $leaked_filename, - # storage_directory => $storage_directory, - # strings_to_leak => $leaked_strings, - # owner => $owner, - # mode => $mode, - # group => $group, - # } - # } else { - # # Then just add to first file. - # $first_filename = $leaked_filenames[0] - # $leaked_file_resource = "$leaked_from-$first_filename-$counter" - # secgen_functions::leak_file { $leaked_file_resource: - # leaked_filename => $first_filename, - # storage_directory => $storage_directory, - # strings_to_leak => $leaked_strings, - # owner => $owner, - # mode => $mode, - # group => $group, - # leaked_from => $leaked_file_resource, # pass this in when appending to avoid resource clashes - # } - # } - # } - # # - # # # Leak images with name image#{$counter}.png - # # # First file is image1.png not image0.png - # # $images_to_leak.each |$counter, $image_contents| { - # # $num = $counter + 1 - # # $filename = "image$num.png" - # # $path_to_leak = "$storage_directory/$filename" - # # $leaked_file_resource = "$leaked_from-$filename" - # # - # # file { $path_to_leak: - # # ensure => present, - # # owner => $owner, - # # group => $group, - # # mode => $mode, - # # content => base64('decode', $image_contents) - # # } - # } + $string_leak_pairs = zip($strings_to_leak, $leaked_filenames) + $string_leak_pairs.each |$counter, $leak_pair| { + $leaked_strings = $leak_pair[0] + $leaked_filename = $leak_pair[1] + + # until 
we run out of filenames, create a new file per string + unless $leaked_filename == undef { + $leaked_file_resource = "$leaked_from-$leaked_filename-$counter" + secgen_functions::leak_file { $leaked_file_resource: + leaked_filename => $leaked_filename, + storage_directory => $storage_directory, + strings_to_leak => $leaked_strings, + owner => $owner, + mode => $mode, + } + } else { + # Then just add to first file. + $first_filename = $leaked_filenames[0] + $leaked_file_resource = "$leaked_from-$first_filename-$counter" + secgen_functions::leak_file { $leaked_file_resource: + leaked_filename => $first_filename, + storage_directory => $storage_directory, + strings_to_leak => $leaked_strings, + owner => $owner, + mode => $mode, + leaked_from => $leaked_file_resource, # pass this in when appending to avoid resource clashes + } + } + } + + # Leak images with name image#{$counter}.png + # First file is image1.png not image0.png + $images_to_leak.each |$counter, $image_contents| { + $num = $counter + 1 + $filename = "image$num.png" + $path_to_leak = "$storage_directory/$filename" + $leaked_file_resource = "$leaked_from-$filename" + + file { $path_to_leak: + ensure => present, + owner => $owner, + group => $group, + mode => $mode, + content => base64('decode', $image_contents) + } + } } diff --git a/modules/generators/structured_content/account/secgen_local/local.rb b/modules/generators/structured_content/account/secgen_local/local.rb index dedf70493..01194c725 100644 --- a/modules/generators/structured_content/account/secgen_local/local.rb +++ b/modules/generators/structured_content/account/secgen_local/local.rb @@ -4,8 +4,9 @@ class AccountGenerator < StringEncoder attr_accessor :username attr_accessor :password attr_accessor :super_user - attr_accessor :data_to_leak + attr_accessor :strings_to_leak attr_accessor :leaked_filenames + attr_accessor :data_to_leak def initialize super 
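Review bot: Neither `secgen_functions::leak_file` call in the restored string-leak loop forwards `group => $group`, although the define still accepts `$group` and the commented-out version being un-commented (visible in the removed lines) did pass it, so the text files will take `leak_file`'s own default group instead of the one the caller supplied; add `group => $group,` to both resource bodies. The `else` branch also reads `$leaked_filenames[0]` unconditionally, so when `$strings_to_leak` is non-empty but `$leaked_filenames` is empty every string is routed to an undefined filename — a `fail()` before the `zip` when `$leaked_filenames` is empty would give a clearer error than whatever `leak_file` does with undef. `leak_file` itself is outside this patch, so I cannot confirm its defaults from here.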
@@ -13,6 +14,7 @@ class AccountGenerator < StringEncoder self.username = '' self.password = '' self.super_user = '' + self.strings_to_leak = [] self.data_to_leak = [] self.leaked_filenames = [] end @@ -22,15 +24,17 @@ class AccountGenerator < StringEncoder account_hash['username'] = self.username account_hash['password'] = self.password account_hash['super_user'] = self.super_user - account_hash['data_to_leak'] = self.data_to_leak + account_hash['strings_to_leak'] = self.strings_to_leak account_hash['leaked_filenames'] = self.leaked_filenames + account_hash['data_to_leak'] = self.data_to_leak self.outputs << account_hash.to_json end def get_options_array - super + [['--data_to_leak', GetoptLong::OPTIONAL_ARGUMENT], + super + [['--strings_to_leak', GetoptLong::OPTIONAL_ARGUMENT], ['--leaked_filenames', GetoptLong::OPTIONAL_ARGUMENT], + ['--data_to_leak', GetoptLong::OPTIONAL_ARGUMENT], ['--username', GetoptLong::REQUIRED_ARGUMENT], ['--password', GetoptLong::REQUIRED_ARGUMENT], ['--super_user', GetoptLong::REQUIRED_ARGUMENT]] @@ -45,10 +49,12 @@ class AccountGenerator < StringEncoder self.password << arg; when '--super_user' self.super_user << arg; - when '--data_to_leak' - self.data_to_leak << arg; + when '--strings_to_leak' + self.strings_to_leak << arg; when '--leaked_filenames' self.leaked_filenames << arg; + when '--data_to_leak' + self.data_to_leak << arg; end end @@ -56,8 +62,9 @@ class AccountGenerator < StringEncoder 'username: ' + self.username.to_s + print_string_padding + 'password: ' + self.password.to_s + print_string_padding + 'super_user: ' + self.super_user.to_s + print_string_padding + - 'data_to_leak: ' + self.data_to_leak.to_s + print_string_padding + - 'leaked_filenames: ' + self.leaked_filenames.to_s + 'strings_to_leak: ' + self.strings_to_leak.to_s + print_string_padding + + 'leaked_filenames: ' + self.leaked_filenames.to_s + print_string_padding + + 'data_to_leak: ' + self.data_to_leak.to_s end end 
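Review bot: `--data_to_leak` is declared with `GetoptLong::OPTIONAL_ARGUMENT`, so the new `when '--data_to_leak'` branch's `self.data_to_leak << arg` appends an empty string whenever the switch is given without a value, and `leak_data.pp` in this same patch then fails the whole catalog because that element lacks the `secgen_leaked_data` marker; guard it with `self.data_to_leak << arg unless arg.to_s.empty?`. The same applies to the renamed `--strings_to_leak` branch, which inherits the behaviour from the old `--data_to_leak`. `get_options_array` and the `when` chain both start outside these hunks.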
diff --git a/modules/generators/structured_content/account/secgen_metadata.xml b/modules/generators/structured_content/account/secgen_metadata.xml index f1ed30aab..fac68f260 100644 --- a/modules/generators/structured_content/account/secgen_metadata.xml +++ b/modules/generators/structured_content/account/secgen_metadata.xml @@ -17,8 +17,9 @@ username password super_user - data_to_leak + strings_to_leak leaked_filenames + data_to_leak @@ -29,12 +30,15 @@ false - + + + + account diff --git a/modules/utilities/unix/system/parameterised_accounts/manifests/account.pp b/modules/utilities/unix/system/parameterised_accounts/manifests/account.pp index d7744d82b..487bfbd52 100644 --- a/modules/utilities/unix/system/parameterised_accounts/manifests/account.pp +++ b/modules/utilities/unix/system/parameterised_accounts/manifests/account.pp @@ -2,8 +2,9 @@ define parameterised_accounts::account ( $username, $password, $super_user, - $data_to_leak, - $leaked_filenames + $strings_to_leak, + $leaked_filenames, + $data_to_leak ) { # ::accounts::user changes permissions on group, passwd, shadow etc. so needs to run before if defined('writable_groups::config') { @@ -49,7 +50,16 @@ define parameterised_accounts::account ( # Leak strings in a text file in the users home directory ::secgen_functions::leak_files { "$username-file-leak": storage_directory => "/home/$username/", + strings_to_leak => $strings_to_leak, leaked_filenames => $leaked_filenames, + owner => $username, + group => $username, + mode => '0444', + leaked_from => "accounts_$username", + } + + ::secgen_functions::leak_data { "$username-data-leak": + storage_directory => "/home/$username/", data_to_leak => $data_to_leak, owner => $username, group => $username, diff --git a/modules/utilities/unix/system/parameterised_accounts/manifests/init.pp b/modules/utilities/unix/system/parameterised_accounts/manifests/init.pp index 784dafc81..680b58156 100644 --- a/modules/utilities/unix/system/parameterised_accounts/manifests/init.pp 
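Review bot: The `leak_files` call now pins `mode => '0444'`, making the leaked text files world-readable, while the `mode` for the new `leak_data` call falls outside the hunk, so the two kinds of leak landing in the same home directory may end up with different permissions; if world-readable is the intended weakness, a comment such as `# 0444 on purpose: leaked strings are meant to be readable by any local user` would stop a later maintainer from tightening it. `storage_directory => "/home/$username/"` keeps its trailing slash in both calls, and `leak_data` concatenates `"$storage_directory/$subdirectory"`, which yields `/home/<user>//...` paths — drop the slash here (`storage_directory => "/home/$username",`). The body of `parameterised_accounts::account` continues past the hunk.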
+++ b/modules/utilities/unix/system/parameterised_accounts/manifests/init.pp @@ -10,8 +10,9 @@ class parameterised_accounts::init { username => $username, password => $account['password'], super_user => str2bool($account['super_user']), - data_to_leak => $account['data_to_leak'], + strings_to_leak => $account['strings_to_leak'], leaked_filenames => $account['leaked_filenames'], + data_to_leak => $account['data_to_leak'], } } }
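Review bot: `strings_to_leak => $account['strings_to_leak']` passes whatever the account hash holds into a parameter that `parameterised_accounts::account` now declares with no default, so an account entry written before this rename, carrying only `data_to_leak`, would (as far as I can tell from the define in this patch) supply undef and fail the declaration rather than simply leak nothing. Giving both `$strings_to_leak` and `$data_to_leak` an `= []` default in the define would keep older scenario data working. The `parameterised_accounts::init` class and the loop that yields `$account` start outside the hunk.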