chef-provisioning-aws 1.8.0 → 1.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3aed5292d699880d31eaffbff1b415985250bb92
-  data.tar.gz: c6f7e4c96e7b7c1a7a28a02c336666b0f03d1aa0
+  metadata.gz: 5474ba34beb9fa261bd2c3abbe9561772bd36877
+  data.tar.gz: 602d8d0ce78d094d41e0982e97ddd42654528777
 SHA512:
-  metadata.gz: 368067e2bc0e09bd9de87fe78c65b0c7ecfa3d55e1506783d552a77ff220dea5666c271f7f68625613b85bb9f5faef27abad62b3e9a34314b9dbe7e0a4309274
-  data.tar.gz: e8f0f0fa76803d7b13ab449ae4a4a50a2e254183a384efc24ada0a417a9c6e6761e6eecf2b4d55792f5bae763e74fa8105d1000d28cedb58a30a731881915f2c
+  metadata.gz: e410f83858985cc03647c57e074aafd8ad8ec7d9db663c0ed02c477823a33b70f06a7152b815c47298a35fbb8ef319565686fa7cade07db53100d4aea164322f
+  data.tar.gz: d42f36a75e6644ffc964e6cfc794e8cab50ca7622553e9310669d2630a5e5478a674581adcaadbf3f0e3003e5487efaa7b1a2a559ae03d2c73ef1438a34e3da0

data/README.md

@@ -149,6 +149,8 @@ with_machine_options({
   use_private_ip_for_ssh: false, # DEPRECATED, use `transport_address_location`
   transport_address_location: :public_ip, # `:public_ip` (default), `:private_ip` or `:dns`.  Defines how SSH or WinRM should find an address to communicate with the instance.
   is_windows: true, # false by default
+  winrm_username: "Administrator",
+  winrm_password: "password", # Override if you have specified your own password and are not fetching the password from AWS
 })
 ```
 
@@ -181,7 +183,14 @@ load_balancer "my_elb" do
           port: 443,
           ssl_certificate_id: "arn:aws:iam::360965486607:server-certificate/cloudfront/foreflight-2015-07-09"
       }
-    ]
+    ],
+    health_check: {
+      healthy_threshold: 2,
+      unhealthy_threshold: 4,
+      interval: 12,
+      timeout: 5,
+      target: 'HTTPS:443/_status'
+    }
   })
 ```
 

data/Rakefile

@@ -53,6 +53,7 @@ RSpec::Core::RakeTask.new(:machine_image) do |spec|
   spec.rspec_opts = "-b -t super_slow -e 'machine_image can create an image in the VPC'"
 end
 
+require "chef/provisioning/aws_driver/version"
 require "github_changelog_generator/task"
 
 GitHubChangelogGenerator::RakeTask.new :changelog do |config|

data/lib/chef/provisioning/aws_driver/driver.rb

@@ -598,6 +598,44 @@ winrm set winrm/config/service/auth '@{Basic="true"}'
 netsh advfirewall firewall add rule name="WinRM 5985" protocol=TCP dir=in localport=5985 action=allow
 netsh advfirewall firewall add rule name="WinRM 5986" protocol=TCP dir=in localport=5986 action=allow
 
+net stop winrm
+sc config winrm start=auto
+net start winrm
+</powershell>
+EOD
+    end
+
+    def https_user_data
+          <<EOD
+<powershell>
+winrm quickconfig -q
+winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}'
+winrm set winrm/config '@{MaxTimeoutms="1800000"}'
+
+netsh advfirewall firewall add rule name="WinRM 5986" protocol=TCP dir=in localport=5986 action=allow
+
+$SourceStoreScope = 'LocalMachine'
+$SourceStorename = 'Remote Desktop'
+
+$SourceStore = New-Object  -TypeName System.Security.Cryptography.X509Certificates.X509Store  -ArgumentList $SourceStorename, $SourceStoreScope
+$SourceStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
+
+$cert = $SourceStore.Certificates | Where-Object  -FilterScript {
+$_.subject -like '*'
+}
+
+$DestStoreScope = 'LocalMachine'
+$DestStoreName = 'My'
+
+$DestStore = New-Object  -TypeName System.Security.Cryptography.X509Certificates.X509Store  -ArgumentList $DestStoreName, $DestStoreScope
+$DestStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
+$DestStore.Add($cert)
+
+$SourceStore.Close()
+$DestStore.Close()
+
+winrm create winrm/config/listener?Address=*+Transport=HTTPS  `@`{Hostname=`"($certId)`"`;CertificateThumbprint=`"($cert.Thumbprint)`"`}
+
 net stop winrm
 sc config winrm start=auto
 net start winrm
@@ -648,11 +686,14 @@ EOD
       # sending out encrypted password, restarting instance, etc.
       if machine_spec.reference['is_windows']
         wait_until_machine(action_handler, machine_spec, "receive 'Windows is ready' message from the AWS console", instance) { |instance|
-          output = instance.console_output.output
-          if output.nil? || output.empty?
+          instance.console_output.output
+          # seems to be a bug as we need to run this twice
+          # to consistently ensure the output is fully pulled
+          encoded_output = instance.console_output.output
+          if encoded_output.nil? || encoded_output.empty?
             false
           else
-            output = Base64.decode64(output)
+            output = Base64.decode64(encoded_output)
             output =~ /Message: Windows is Ready to use/
           end
         }
@@ -845,10 +886,18 @@ EOD
       end
 
       if machine_options[:is_windows]
-        Chef::Log.debug "Setting Default WinRM userdata for windows..."
-        bootstrap_options[:user_data] = Base64.encode64(user_data) if bootstrap_options[:user_data].nil?
+        Chef::Log.debug "Setting Default windows userdata based on WinRM transport"
+        if bootstrap_options[:user_data].nil?
+          case machine_options[:winrm_transport]
+          when 'https'
+            data = https_user_data
+          else
+            data = user_data
+          end
+            bootstrap_options[:user_data] = Base64.encode64(data)
+        end
       else
-        Chef::Log.debug "Non-windows, not setting userdata"
+        Chef::Log.debug "Non-windows, not setting Default userdata"
       end
 
       bootstrap_options = AWSResource.lookup_options(bootstrap_options, managed_entry_store: machine_spec.managed_entry_store, driver: self)
@@ -984,31 +1033,115 @@ EOD
 
     def create_winrm_transport(machine_spec, machine_options, instance)
       remote_host = determine_remote_host(machine_spec, instance)
+      username = machine_options[:winrm_username] || 'Administrator'
+      # default to http for now, should upgrade to https when knife support self-signed
+      transport_type = machine_options[:winrm_transport] || 'http'
+      type = case transport_type
+             when 'http'
+               :plaintext
+             when 'https'
+               :ssl
+             end
+      if machine_spec.reference[:winrm_port]
+        port = machine_spec.reference[:winrm_port]
+      else #default port
+        port = case transport_type
+               when 'http'
+                 '5985'
+               when 'https'
+                 '5986'
+               end
+      end
+      endpoint = "#{transport_type}://#{remote_host}:#{port}/wsman"
 
-      port = machine_spec.reference['winrm_port'] || 5985
-      endpoint = "http://#{remote_host}:#{port}/wsman"
-      type = :plaintext
       pem_bytes = get_private_key(instance.key_name)
 
-      # TODO plaintext password = bad
-      password = machine_spec.reference['winrm_password']
-      if password.nil? || password.empty?
-        encrypted_admin_password = instance.password_data.password_data
-        if encrypted_admin_password.nil? || encrypted_admin_password.empty?
-          raise "You did not specify winrm_password in the machine options and no encrytpted password could be fetched from the instance"
+      if machine_options[:winrm_password]
+        password = machine_options[:winrm_password]
+      else # pull from ec2 and store in reference
+        if machine_spec.reference['winrm_encrypted_password']
+          decoded = Base64.decode64(machine_spec.reference['winrm_encrypted_password'])
+        else
+          encrypted_admin_password = instance.password_data.password_data
+          if encrypted_admin_password.nil? || encrypted_admin_password.empty?
+            raise "You did not specify winrm_password in the machine options and no encrytpted password could be fetched from the instance"
+          end
+
+          machine_spec.reference['winrm_encrypted_password']||=encrypted_admin_password
+          # ^^ saves encrypted password to the machine_spec
+          decoded = Base64.decode64(encrypted_admin_password)
         end
-        decoded = Base64.decode64(encrypted_admin_password)
-        private_key = OpenSSL::PKey::RSA.new(pem_bytes)
+        # decrypt so we can utilize
+        private_key = OpenSSL::PKey::RSA.new(get_private_key(instance.key_name))
         password = private_key.private_decrypt decoded
       end
 
+      disable_sspi =  machine_options[:winrm_disable_sspi] || false # default to Negotiate
+      basic_auth_only = machine_options[:winrm_basic_auth_only] || false # disallow Basic auth by default
+      no_ssl_peer_verification = machine_options[:winrm_no_ssl_peer_verification] || false #disallow MITM potential by default
+
       winrm_options = {
-        :user => machine_spec.reference['winrm_username'] || 'Administrator',
-        :pass => password,
-        :disable_sspi => true,
-        :basic_auth_only => true
+        user: username,
+        pass: password,
+        disable_sspi: disable_sspi,
+        basic_auth_only: basic_auth_only,
+        no_ssl_peer_verification: no_ssl_peer_verification,
       }
 
+      if no_ssl_peer_verification or type != :ssl
+        # =>  we won't verify certs at all
+        Chef::Log.info "No SSL or no peer verification"
+      elsif machine_spec.reference['winrm_ssl_thumbprint']
+        # we have stored the cert
+        Chef::Log.info "Using stored fingerprint"
+      else
+        # we need to retrieve the cert and verify it by connecting just to
+        # retrieve the ssl certificate and compare it to what we see in the
+        # console logs
+        instance.console_output.data.output
+        # again this seem to need to be run twice, to ensure
+        encoded_output = instance.console_output.data.output
+        console_lines = Base64.decode64(encoded_output).lines
+        fp_context = OpenSSL::SSL::SSLContext.new
+        tcp_connection = TCPSocket.new(instance.private_ip_address, port)
+        ssl_connection = OpenSSL::SSL::SSLSocket.new(tcp_connection, fp_context)
+
+        begin
+          ssl_connection.connect
+        rescue OpenSSL::SSL::SSLError => e
+          raise e unless e.message =~ /bad signature/
+        ensure
+          tcp_connection.close
+        end
+
+        winrm_cert = ssl_connection.peer_cert_chain.first
+
+        rdp_thumbprint = console_lines.grep(
+          /RDPCERTIFICATE-THUMBPRINT/)[-1].split(': ').last.chomp
+        rdp_subject = console_lines.grep(
+          /RDPCERTIFICATE-SUBJECTNAME/)[-1].split(': ').last.chomp
+        winrm_subject = winrm_cert.subject.to_s.split('=').last.upcase
+        winrm_thumbprint=OpenSSL::Digest::SHA1.new(winrm_cert.to_der).to_s.upcase
+
+        if rdp_subject != winrm_subject or rdp_thumbprint != winrm_thumbprint
+          Chef::Log.fatal "Winrm ssl port certificate differs from rdp console logs"
+        end
+        # now cache these for later use in the reference
+        if machine_spec.reference['winrm_ssl_subject'] != winrm_subject
+          machine_spec.reference['winrm_ssl_subject'] = winrm_subject
+        end
+        if machine_spec.reference['winrm_ssl_thumbprint'] != winrm_thumbprint
+          machine_spec.reference['winrm_ssl_thumbprint'] = winrm_thumbprint
+        end
+        if machine_spec.reference['winrm_ssl_cert'] != winrm_cert.to_pem
+          machine_spec.reference['winrm_ssl_cert'] = winrm_cert.to_pem
+        end
+      end
+
+      if machine_spec.reference['winrm_ssl_thumbprint']
+        winrm_options[:ssl_peer_fingerprint] = machine_spec.reference['winrm_ssl_thumbprint']
+      end
+
       Chef::Provisioning::Transport::WinRM.new("#{endpoint}", type, winrm_options, {})
     end
 

data/lib/chef/provisioning/aws_driver/version.rb

@@ -1,7 +1,7 @@
 class Chef
 module Provisioning
 module AWSDriver
-  VERSION = '1.8.0'
+  VERSION = '1.9.0'
 end
 end
 end

data/lib/chef/resource/aws_instance.rb

@@ -13,7 +13,7 @@ class Chef::Resource::AwsInstance < Chef::Provisioning::AWSDriver::AWSResourceWi
   attribute :name, kind_of: String, name_attribute: true
 
   attribute :instance_id, kind_of: String, aws_id_attribute: true, default: lazy {
-    name =~ /^i-[a-f0-9]{8}$/ ? name : nil
+    name =~ /^i-(?:[a-f0-9]{8}|[a-f0-9]{17})$/ ? name : nil
   }
 
   def aws_object

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chef-provisioning-aws
 version: !ruby/object:Gem::Version
-  version: 1.8.0
+  version: 1.9.0
 platform: ruby
 authors:
 - John Ewart
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-03 00:00:00.000000000 Z
+date: 2016-04-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-provisioning
@@ -307,7 +307,6 @@ files:
 - lib/chef/resource/aws_subnet.rb
 - lib/chef/resource/aws_vpc.rb
 - lib/chef/resource/aws_vpc_peering_connection.rb
-- spec/acceptance/aws_ebs_volume/nodes/ettores-mbp.lan.json
 - spec/aws_support.rb
 - spec/aws_support/aws_resource_run_wrapper.rb
 - spec/aws_support/deep_matcher.rb
@@ -372,7 +371,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5.1
+rubygems_version: 2.6.3
 signing_key: 
 specification_version: 4
 summary: Provisioner for creating aws containers in Chef Provisioning.

data/spec/acceptance/aws_ebs_volume/nodes/ettores-mbp.lan.json

@@ -1,3 +0,0 @@
-{
-  "name": "ettores-mbp.lan"
-}