From 84f866ffafbb27a6aa6a1eea92c393a63829e242 Mon Sep 17 00:00:00 2001 From: Eli Young Date: Wed, 28 Jan 2015 15:28:54 -0800 Subject: (MODULES-1738) Don't modify global seed in fqdn_rotate() As per puppetlabs/puppet@292233c, this leaves the global seed in a deterministic state, which is bad. Puppet::Util.deterministic_rand() exists to avoid running into this issue, but is only present starting in Puppet 3.2.0. --- lib/puppet/parser/functions/fqdn_rotate.rb | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'lib/puppet/parser/functions/fqdn_rotate.rb') diff --git a/lib/puppet/parser/functions/fqdn_rotate.rb b/lib/puppet/parser/functions/fqdn_rotate.rb index 7f4d37d..cf22d36 100644 --- a/lib/puppet/parser/functions/fqdn_rotate.rb +++ b/lib/puppet/parser/functions/fqdn_rotate.rb @@ -31,8 +31,20 @@ Rotates an array a random number of times based on a nodes fqdn. elements = result.size - srand(Digest::MD5.hexdigest([lookupvar('::fqdn'),arguments].join(':')).hex) - rand(elements).times { + seed = Digest::MD5.hexdigest([lookupvar('::fqdn'),arguments].join(':')).hex + # deterministic_rand() was added in Puppet 3.2.0; reimplement if necessary + if Puppet::Util.respond_to?(:deterministic_rand) + offset = Puppet::Util.deterministic_rand(seed, elements).to_i + else + if defined?(Random) == 'constant' && Random.class == Class + offset = Random.new(seed).rand(elements) + else + srand(seed) + offset = rand(elements) + srand() + end + end + offset.times { result.push result.shift } -- cgit v1.2.3 From 0dc0e0dbcf9574ed1515cf6cfe2800f06d8c1d0e Mon Sep 17 00:00:00 2001 From: David Schmitt Date: Tue, 12 May 2015 15:01:55 +0100 Subject: fqdn_rotate: reset srand seed correctly on old ruby versions Without this, the global seed is reseeded on every use of fqdn_rotate, which is a waste. Older rubies might even use a time-base seed which adversly impacts the quality of the RNG. --- lib/puppet/parser/functions/fqdn_rotate.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/puppet/parser/functions/fqdn_rotate.rb') diff --git a/lib/puppet/parser/functions/fqdn_rotate.rb b/lib/puppet/parser/functions/fqdn_rotate.rb index cf22d36..d9741a0 100644 --- a/lib/puppet/parser/functions/fqdn_rotate.rb +++ b/lib/puppet/parser/functions/fqdn_rotate.rb @@ -39,9 +39,9 @@ Rotates an array a random number of times based on a nodes fqdn. if defined?(Random) == 'constant' && Random.class == Class offset = Random.new(seed).rand(elements) else - srand(seed) + old_seed = srand(seed) offset = rand(elements) - srand() + srand(old_seed) end end offset.times { -- cgit v1.2.3 From 601f681787c8d6c02bb3566b8cefde289377be0e Mon Sep 17 00:00:00 2001 From: Eli Young Date: Thu, 28 May 2015 18:15:05 -0700 Subject: fqdn_rotate: Don't use the value itself as part of the random seed Previously, the random number generator was seeded with the array or string to be rotated in addition to any values specifically provided for seeding. This behavior is potentially insecure in that it allows an attacker who can modify the source data to choose the post-shuffle order. --- lib/puppet/parser/functions/fqdn_rotate.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/puppet/parser/functions/fqdn_rotate.rb') diff --git a/lib/puppet/parser/functions/fqdn_rotate.rb b/lib/puppet/parser/functions/fqdn_rotate.rb index d9741a0..e1a50e6 100644 --- a/lib/puppet/parser/functions/fqdn_rotate.rb +++ b/lib/puppet/parser/functions/fqdn_rotate.rb @@ -11,7 +11,7 @@ Rotates an array a random number of times based on a nodes fqdn. raise(Puppet::ParseError, "fqdn_rotate(): Wrong number of arguments " + "given (#{arguments.size} for 1)") if arguments.size < 1 - value = arguments[0] + value = arguments.shift require 'digest/md5' unless value.is_a?(Array) || value.is_a?(String) -- cgit v1.2.3 From d7c846035321774e824e3424f59cb24703fcfb2a Mon Sep 17 00:00:00 2001 From: Eli Young Date: Mon, 1 Jun 2015 16:09:47 -0700 Subject: fqdn_rotate: Improve documentation --- lib/puppet/parser/functions/fqdn_rotate.rb | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) (limited to 'lib/puppet/parser/functions/fqdn_rotate.rb') diff --git a/lib/puppet/parser/functions/fqdn_rotate.rb b/lib/puppet/parser/functions/fqdn_rotate.rb index e1a50e6..b66431d 100644 --- a/lib/puppet/parser/functions/fqdn_rotate.rb +++ b/lib/puppet/parser/functions/fqdn_rotate.rb @@ -2,16 +2,23 @@ # fqdn_rotate.rb # -module Puppet::Parser::Functions - newfunction(:fqdn_rotate, :type => :rvalue, :doc => <<-EOS -Rotates an array a random number of times based on a nodes fqdn. - EOS - ) do |arguments| +Puppet::Parser::Functions.newfunction( + :fqdn_rotate, + :type => :rvalue, + :doc => "Usage: `fqdn_rotate(VALUE, [SEED])`. VALUE is required and + must be an array or a string. SEED is optional and may be any number + or string. + + Rotates VALUE a random number of times, combining the `$fqdn` fact and + the value of SEED for repeatable randomness. (That is, each node will + get a different random rotation from this function, but a given node's + result will be the same every time unless its hostname changes.) Adding + a SEED can be useful if you need more than one unrelated rotation.") do |args| raise(Puppet::ParseError, "fqdn_rotate(): Wrong number of arguments " + - "given (#{arguments.size} for 1)") if arguments.size < 1 + "given (#{args.size} for 1)") if args.size < 1 - value = arguments.shift + value = args.shift require 'digest/md5' unless value.is_a?(Array) || value.is_a?(String) @@ -31,7 +38,7 @@ Rotates an array a random number of times based on a nodes fqdn. elements = result.size - seed = Digest::MD5.hexdigest([lookupvar('::fqdn'),arguments].join(':')).hex + seed = Digest::MD5.hexdigest([lookupvar('::fqdn'),args].join(':')).hex # deterministic_rand() was added in Puppet 3.2.0; reimplement if necessary if Puppet::Util.respond_to?(:deterministic_rand) offset = Puppet::Util.deterministic_rand(seed, elements).to_i @@ -51,7 +58,6 @@ Rotates an array a random number of times based on a nodes fqdn. result = string ? result.join : result return result - end end # vim: set ts=2 sw=2 et : -- cgit v1.2.3