(PUP-7498) update char encoding util per feedback

[MosesMendoza]

This PR splits out adjustments to the character encoding heuristics that were previously a part of #5509 and contains changes based on feedback on that PR.

The three primary changes are:

• Binary string handling
  Prior to this PR, we would transcode to UTF-8 a string not composed of valid UTF-8 bytes but valid in its current encoding. This presents a challenge for BINARY strings, which if originating in an encoding other to UTF-8 are otherwise valid, but cannot be transcoded (because we have no idea where they came from). In order to transcode successfully, we need an originating encoding to work with. Rather than just blindly call encode! with binary strings, we can take one more guess as to their origin - which is that they originated in Encoding.default_external. I.e., if a system is running in
  Encoding::Windows_31J, and a string is returned as BINARY, we can guess that the string might have been Encoding::Windows_31J. This perhaps substantially increases our odds that we'll be able to convert the (binary) string to UTF-8 successfully.

• Consistently return nil
  Prior to this PR, we were modifying the supplied string in Puppet::Util::CharacterEncoding as a side-effect of the recent change that added force_encoding(Encoding.default_external) on binary strings. In the case where we fail to encode! that change leaves the original string with a
  different external encoding than it started. This PR addresses that by ensuring any on failure to convert we set the string back to its original external encoding. A quirk was accounted for in that we don't set external_encoding if the default external encoding is UTF-8. The reason is we've already determined that this string doesn't represent valid UTF-8 bytes so doing a force_encoding to UTF-8 doesn't get us any closer to being able to transcode it to UTF-8, and ruby won't do anything on encode! to string already has as its default_external set to the encoding supplied to encode!.

• Separate out conversion from overriding of string encoding
  Prior to this PR, the Puppet::Util::CharacterEncoding::convert_to_utf_8! was inaccurately named in that the method would both convert (transcode) and override (set external encoding) on a string in different circumstances. After review, it was determined that this behavior was potentially dangerous and also could lead to inadvertent destruction or loss of string fidelity unintentionally. This PR updates the method to split out the two different operations, each with an improved description for when to use it. Conversion should be our primary use-case, for when we believe that the encoding of a string is an accurate representation of that string. Overriding a string's encoding should be used sparingly, effectively only when we have reason to believe that the existing encoding is inaccurate/incorrect.

  This PR adjusts the Puppet::Etc wrapper to account for the modified heuristics in Puppet::Util::CharacterEncoding. We leverage the new distinction between converting and overriding by only "overriding" the encoding to UTF-8 when the string is returned in BINARY and otherwise defaulting to converting it. This is a shift in default assumptions - whereas before we would assume the string encoding was not valid for that environment, now we do. We retain the preceding requirement that strings that cannot be converted are left unmodified in the Etc struct.

  In addition to updating the Etc wrapper to account for the preceding change to split out two methods in CharacterEncoding, prior to this PR the encoding management in our Etc wrapper incorrectly expected that ruby Etc would return BINARY encoded strings when the values on disk are invalid in the system encoding. This is incorrect - ruby Etc quite happily returns strings with invalid encoding. The only case where it appears to return binary is when the environment's encoding (Encoding.default_external) is ASCII (7-bit), and any individual character bit representation is equal to or greater than \x80 (binary 10000000), ie the first 8-bit value. We account for this change in expectation by fixing our spec tests to expect and test for the appropriate scenarios.

Finally, we also add a small spec helper for running a block in a different external encoding.

[puppetcla]

CLA signed by all contributors.

[MosesMendoza]

@joshcooper @Iristyle This change is the crux of our discussion - This now basically says we are explicitly overriding the encoding of the string returned by Etc to UTF-8 (not converting it) if it is a) not already UTF-8 and b) would be valid UTF-8. We are starting from the assumption that it is incorrectly labeled with whatever encoding it has (ie ISO-8859-1) because we have reason to believe it is actually UTF-8 because Puppet set (or will set) the value to UTF-8.

Just to reiterate for PR posterity why I believe this is the correct behavior: Consider these two scenarios. In the first, we default to assuming the encoding is correct from Etc and do encode! and in the second we assume the encoding is incorrect and override it with force_encoding.

• Puppet agent is creating a new user with managed comment property. The host is running in ISO-8859-1 encoding. When puppet agent get's its should value via the catalog, the should value is UTF-8 and its bytes are written to disk as-is with no re-encoding/modification (we don't use Etc for writing, only reading). When Puppet runs next time, Ruby::Etc will read in these bytes and label them as ISO-8859-1, which will likely be valid in that encoding. At least, our commonly used mixed_utf8 string in tests is "valid" ISO-8859-1. When we pipe these values through Puppet::Etc, they'll now be encode!d as UTF-8 - changing the byte representation. So our original UTF-8 has now been modified to something else. When Puppet compares this is value to the catalog should value, they won't be the same... so Puppet will consider the resource out of sync and write the should value to disk again - and will every time it runs.

[1] pry(main)> mixed_utf_8 = "A\u06FF\u16A0\u{2070E}"
=> "Aۿᚠ𠜎"
[2] pry(main)> mixed_utf_8.bytes
=> [65, 219, 191, 225, 154, 160, 240, 160, 156, 142]
[3] pry(main)> mixed_utf_8.force_encoding(Encoding::ISO_8859_1)
=> "A\xDB\xBF\xE1\x9A\xA0\xF0\xA0\x9C\x8E"
[4] pry(main)> mixed_utf_8.valid_encoding?
=> true
[5] pry(main)> mixed_utf_8.encode!(Encoding::UTF_8)
=> "AÛ¿á\u009A ð \u009C\u008E"
[6] pry(main)> mixed_utf_8.bytes
=> [65, 195, 155, 194, 191, 195, 161, 194, 154, 194, 160, 195, 176, 194, 160, 194, 156, 194, 142]
[7] pry(main)> orig_mixed_utf_8 = "A\u06FF\u16A0\u{2070E}"
=> "Aۿᚠ𠜎"
[8] pry(main)> mixed_utf_8 == orig_mixed_utf_8
=> false

Etc is a special case for us. Consider the same scenario above - ie host in ISO-8859-1 managed by Puppet, but instead believing the non-UTF-8 encoding is inaccurate and doing force_encoding!.

• Puppet will be managing the properties of a user, but Puppet has not run yet on the host. The values on disk or accurate an accurate representation of their encoding, ie ISO-8859-1. When Puppet first runs, these values are read in and incorrectly re-labeled (overridden) as UTF-8 by Puppet::Etc. Puppet compares these values to the the UTF-8 should values, finds them out of sync, and overwrites them on the system with the UTF-8 values. The next time Puppet runs, the UTF-8 values are read in as ISO-8859-1, but correctly overridden by Puppet::Etc to UTF-8, and Puppet correctly finds them in sync with the catalog should values. Even if we had not incorrectly overridden the encoding on the very first Puppet run, the result would have been the same - Puppet would have found the values out of sync, as the ISO-8859-1 value would not equal the UTF-8 value, and corrected them.

[Iristyle]

We should probably introduce a failure spec here that shows an incoming BINARY byte sequence that is not valid in Encoding.default_external ... i.e. it should raise an exception of InvalidByteSequenceError

One that is not valid in 31J is "\xFF\xFE\xFD"

[MosesMendoza]

Test added

[Iristyle]

We don't need to address it here, but it seems to me that convert_to_utf_8 should return a copy of the initial string rather than mutating it...

[MosesMendoza]

Updated - no longer a destructive method

[Iristyle]

Should we be emitting a string into debug output that we know isn't UTF-8, or will dump always produce UTF-8 due to its behavior?

https://ruby-doc.org/core-2.2.0/String.html#method-i-dump

[MosesMendoza]

Right - dump will print the escaped hex values of the string ie so the ultimate character output is, strictly speaking, valid UTF-8, even though it doesn't represent valid UTF-8.

[1] pry(main)> s = [255, 254, 253].pack('C*').force_encoding(Encoding::UTF_8)
=> "\xFF\xFE\xFD"
[2] pry(main)> s.valid_encoding?
=> false
[3] pry(main)> output = "bar #{s}"
=> "bar \xFF\xFE\xFD"
[4] pry(main)> puts output
bar ���
=> nil
[5] pry(main)> output = "bar #{s.dump}"
=> "bar \"\\xFF\\xFE\\xFD\""
[6] pry(main)> puts output
bar "\xFF\xFE\xFD"

[Iristyle]

Should we add to the expectation:

expect(snowman.encoding).to eq(Encoding::UTF_8)

[MosesMendoza]

👍 added

[Iristyle]

Can the valid_bytes implementation be simplified to?

def valid_utf_8_bytes?(string)
  string.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

Given one of your prior PRs, we determined .dup doesn't copy a string, but just creates a new wrapper around the same underlying string data - making dup pretty cheap. This lets us test bytes without having to do the save / revert of encoding on the original string.

[MosesMendoza]

👍 that seems like a reasonable optimization

[MosesMendoza]

added

[Iristyle]

Note to re-examine these tests... not sure on the logic exactly. Might be helpful to make a small map of inputs / outputs / expectations to get a better handle on it.

[MosesMendoza]

These were invalid, and they were being masked because we were modifying the expected original values. Pushed a new commit that ensures we're acting on copies for our tests so that the originals go unmodified.

[Iristyle]

👍

[Iristyle]

Why not just:

duplicate_struct_values(group)

[MosesMendoza]

thanks for pointing that out

[Iristyle]

Everything is looking pretty good... One last thing to check before merge is:

• Configure a Linux system with Latin1
• Create a user with a name that contains a Latin1 accented character that is represented with different bytes in UTF-8 (José is a good option - the 4 bytes used should be [74, 111, 115, 233] - 233 is xE9)
• Create a Puppet manifest that tries to create the same user, but with the name José represented in UTF-8 as its a manifest (the 5 bytes will be - [74, 111, 115, 195, 169] (195, 169 is xC3 xA9 / aka U+00E9)
• Run puppet apply on manifest / observe output - assumption is that we end up with 2 users now.
• Run puppet apply on manifest again to check for idempotency / observe output
• Run puppet resource user at the shell with Latin1 encoding - observe output - \xC3 from UTF-8 is represented as à in Latin1 and \xA9 from UTF-8 is represented as © in Latin1
• Run puppet resource user at the shell with UTF-8 encoding - observe output - \xE9 is not a valid byte sequence in UTF-8, so should hopefully show a replacement character?

Make sure we get what we want here... and also validate against existing Puppet behavior prior to any Etc changes (may have to go back a release or two)

• https://en.wikipedia.org/wiki/%C3%89 has the breakdown for é
• ISO-8859-1 codepage layout

[MosesMendoza]

Re-added blocked label. in running through manual testing with @Iristyle we determined that this works in a manifest driven workflow with agent in LATIN-1, but fails when running puppet resource directly on the agent when the resource values contain a mix of latin-1 and utf-8 strings.

[MosesMendoza]

This change needs a test done

[MosesMendoza]

These tests need updated

[MosesMendoza]

should get coverage for the new struct objects via these methods done

[MosesMendoza]

per commit comment, ultimately kept this method (albeit with non-destructive form) because we have need to only override if the bytes are invalid when running puppet resource user in non-utf8 form. Otherwise, we then issue replacement characters in our now-invalid-utf8 string, which causes incorrect puppet resource user output.

[MosesMendoza]

scrub isn't present in 1.9.3, and various iterations on encode with replacement characters failed to work. supplying utf-8 for the first two args to encode is a no-op, and supplying binary as the second arg causes any non-ascii character to be replaced regardless of the original encoding or validity of the string...

[MosesMendoza]

TODO: need test fixups done

@Iristyle this is an implementation using extended structs with canonical values. ultimately not sure it's worth the extra logic, but it seems cleaner and more future proof though in case there are other places in the codebase that need what we have done in nameservice (still need to audit). as-is though I think this now works in all the cases we were testing together previously.

[Iristyle]

Are these all strings?

[MosesMendoza]

The member names will be strings - the values can vary

[MosesMendoza]

Well, strictly speaking, all the member names are returned here as an array of symbols, but the interpolation implicitly calls to_s on the symbol

[Iristyle]

Ah sorry, what I meant was... aren't canonical_ fields only useful for string values?

For instance, canonical_expire, canonical_gid, canonical_uid aren't really useful, are they?

[MosesMendoza]

Nope, not particularly useful. To avoid that, we could hard code the list of available attributes here? I thought about it but decided to go with this because there's a couple things that make that more annoying

• the list varies based on the struct class (and knowing ruby could change without warning) so we maintain different lists based on if we're doing a user or group struct
• the list actually varies based on the flags passed to ruby during compilation . This means we'd need to conditionally check for the presence of the members that we expect to exist and have string values and only duplicate those. I feel like there's a tradeoff there in maintainability vs the completeness of just duplicating all the members
• A sidenote that doesn't necessarily impact this discussion but is worth noting is that the Etc struct members aren't actually typed - any field could just as easily return a string as an integer. So if for some reason the underlying system changes the return value for any of these we're going to be in trouble. We could guard by only trying to encode things that are strings rather than expecting specific fields to be, but again that felt like going to far. Happy to entertain alternatives there though.

[Iristyle]

Are these all strings?

[MosesMendoza]

Same

[MosesMendoza]

cleaned up whitespace. This ran a local ci:test:git run against ubuntu 1604 and appeared to only fail in expected ways - at least none apparently related to this PR

[MosesMendoza]

Should be good to merge 🤞

[Iristyle]

FYI - I think this should be targeted at stable... I've rebased and I'm testing that locally.

[MosesMendoza]

@Iristyle rebased against stable

[Iristyle]

Can this just be simplified to r.force_encoding(Encoding.default_external) - i.e. is the check roughly as costly as performing the effectual no-op?

[MosesMendoza]

good idea

[MosesMendoza]

updated

[puppetcla]

CLA signed by all contributors.

[Iristyle]

valid_utf_8_bytes was not in prior commit and should be torched

[MosesMendoza]

oh hell

[Iristyle]

Merged to stable in 365d6a9