knife-windows 0.8.6 → 1.0.0.rc.0

data/lib/chef/knife/bootstrap_windows_ssh.rb

@@ -53,7 +53,7 @@ class Chef
         :description => "The ssh port",
         :default => "22",
         :proc => Proc.new { |key| Chef::Config[:knife][:ssh_port] = key }
-        
+
       option :ssh_gateway,
         :short => "-G GATEWAY",
         :long => "--ssh-gateway GATEWAY",

data/lib/chef/knife/bootstrap_windows_winrm.rb

@@ -19,7 +19,8 @@
 require 'chef/knife/bootstrap_windows_base'
 require 'chef/knife/winrm'
 require 'chef/knife/winrm_base'
-require 'chef/knife/bootstrap'
+require 'chef/knife/winrm_knife_base'
+
 
 class Chef
   class Knife
@@ -27,6 +28,7 @@ class Chef
 
       include Chef::Knife::BootstrapWindowsBase
       include Chef::Knife::WinrmBase
+      include Chef::Knife::WinrmCommandSharedFunctions
 
       deps do
         require 'chef/knife/core/windows_bootstrap_context'
@@ -38,27 +40,33 @@ class Chef
       banner "knife bootstrap windows winrm FQDN (options)"
 
       def run
+        if (Chef::Config[:validation_key] && !File.exist?(File.expand_path(Chef::Config[:validation_key])))
+          if !negotiate_auth? && !(locate_config_value(:winrm_transport) == 'ssl')
+            ui.error("Validatorless bootstrap over unsecure winrm channels could expose your key to network sniffing")
+            exit 1
+          end
+        end
         bootstrap
       end
 
-
       def run_command(command = '')
         winrm = Chef::Knife::Winrm.new
         winrm.name_args = [ server_name, command ]
         winrm.config[:winrm_user] = locate_config_value(:winrm_user)
         winrm.config[:winrm_password] = locate_config_value(:winrm_password)
         winrm.config[:winrm_transport] = locate_config_value(:winrm_transport)
-        winrm.config[:kerberos_keytab_file] = Chef::Config[:knife][:kerberos_keytab_file] if Chef::Config[:knife][:kerberos_keytab_file]
-        winrm.config[:kerberos_realm] = Chef::Config[:knife][:kerberos_realm] if Chef::Config[:knife][:kerberos_realm]
-        winrm.config[:kerberos_service] = Chef::Config[:knife][:kerberos_service] if Chef::Config[:knife][:kerberos_service]
-        winrm.config[:ca_trust_file] = Chef::Config[:knife][:ca_trust_file] if Chef::Config[:knife][:ca_trust_file]
+        winrm.config[:winrm_ssl_verify_mode] = locate_config_value(:winrm_ssl_verify_mode)
+        winrm.config[:kerberos_keytab_file] = locate_config_value(:kerberos_keytab_file) if locate_config_value(:kerberos_keytab_file)
+        winrm.config[:kerberos_realm] = locate_config_value(:kerberos_realm) if locate_config_value(:kerberos_realm)
+        winrm.config[:kerberos_service] = locate_config_value(:kerberos_service) if locate_config_value(:kerberos_service)
+        winrm.config[:ca_trust_file] = locate_config_value(:ca_trust_file) if locate_config_value(:ca_trust_file)
         winrm.config[:manual] = true
         winrm.config[:winrm_port] = locate_config_value(:winrm_port)
         winrm.config[:suppress_auth_failure] = true
-       
-        #If you turn off the return flag, then winrm.run won't atually check and 
+
+        #If you turn off the return flag, then winrm.run won't atually check and
         #return the error
-        #codes.  Otherwise, it ignores the return value of the server call.  
+        #codes.  Otherwise, it ignores the return value of the server call.
         winrm.config[:returns] = "0"
         winrm.run
       end
@@ -99,4 +107,3 @@ class Chef
     end
   end
 end
-

data/lib/chef/knife/core/windows_bootstrap_context.rb

@@ -22,6 +22,7 @@ require 'chef/knife/core/bootstrap_context'
 require 'knife-windows/path_helper'
 # require 'chef/util/path_helper'
 
+
 class Chef
   class Knife
     module Core
@@ -34,27 +35,37 @@ class Chef
       class WindowsBootstrapContext < BootstrapContext
         PathHelper = ::Knife::Windows::PathHelper
 
-        def initialize(config, run_list, chef_config)
+        attr_accessor :client_pem
+
+        def initialize(config, run_list, chef_config, secret=nil)
           @config       = config
           @run_list     = run_list
           @chef_config  = chef_config
-          super(config, run_list, chef_config)
+          @secret       = secret
+          # Compatibility with Chef 12 and Chef 11 versions
+          begin
+            # Pass along the secret parameter for Chef 12
+            super(config, run_list, chef_config, secret)
+          rescue ArgumentError
+            # The Chef 11 base class only has parameters for initialize
+            super(config, run_list, chef_config)
+          end
         end
 
         def validation_key
-          if super
-            escape_and_echo(super)
+          if File.exist?(File.expand_path(@chef_config[:validation_key]))
+            IO.read(File.expand_path(@chef_config[:validation_key]))
           else
-            raise 'Knife-Windows < 1.0 does not support validatorless bootstraps'
+            false
           end
         end
 
-        def encrypted_data_bag_secret
-          escape_and_echo(@config[:encrypted_data_bag_secret])
+        def secret
+          escape_and_echo(@config[:secret])
         end
 
-        def trusted_certs
-          @trusted_certs ||= trusted_certs_content
+        def trusted_certs_script
+          @trusted_certs_script ||= trusted_certs_content
         end
 
         def config_content
@@ -64,8 +75,6 @@ log_location     STDOUT
 
 chef_server_url  "#{@chef_config[:chef_server_url]}"
 validation_client_name "#{@chef_config[:validation_client_name]}"
-client_key        "c:/chef/client.pem"
-validation_key    "c:/chef/validation.pem"
 
 file_cache_path   "c:/chef/cache"
 file_backup_path  "c:/chef/backup"
@@ -119,12 +128,12 @@ CONFIG
             client_rb << %Q{no_proxy       "#{knife_config[:bootstrap_no_proxy]}"\n}
           end
 
-          if @config[:encrypted_data_bag_secret]
+          if @config[:secret]
             client_rb << %Q{encrypted_data_bag_secret "c:/chef/encrypted_data_bag_secret"\n}
           end
 
-          unless trusted_certs.empty?
-            client_rb << %Q{trusted_certs_dir "C:/chef/trusted_certs"\n}
+          unless trusted_certs_script.empty?
+            client_rb << %Q{trusted_certs_dir "c:/chef/trusted_certs"\n}
           end
 
           escape_and_echo(client_rb)
@@ -158,10 +167,30 @@ CONFIG
         end
 
         def win_wget
+          # I tried my best to figure out how to properly url decode and switch / to \
+          # but this is VBScript - so I don't really care that badly.
           win_wget = <<-WGET
 url = WScript.Arguments.Named("url")
 path = WScript.Arguments.Named("path")
 proxy = null
+'* Vaguely attempt to handle file:// scheme urls by url unescaping and switching all
+'* / into \.  Also assume that file:/// is a local absolute path and that file://<foo>
+'* is possibly a network file path.
+If InStr(url, "file://") = 1 Then
+url = Unescape(url)
+If InStr(url, "file:///") = 1 Then
+sourcePath = Mid(url, Len("file:///") + 1)
+Else
+sourcePath = Mid(url, Len("file:") + 1)
+End If
+sourcePath = Replace(sourcePath, "/", "\\")
+
+Set objFSO = CreateObject("Scripting.FileSystemObject")
+If objFSO.Fileexists(path) Then objFSO.DeleteFile path
+objFSO.CopyFile sourcePath, path, true
+Set objFSO = Nothing
+
+Else
 Set objXMLHTTP = CreateObject("MSXML2.ServerXMLHTTP")
 Set wshShell = CreateObject( "WScript.Shell" )
 Set objUserVariables = wshShell.Environment("USER")
@@ -200,8 +229,9 @@ Set objFSO = Nothing
 objADOStream.SaveToFile path
 objADOStream.Close
 Set objADOStream = Nothing
-End if
+End If
 Set objXMLHTTP = Nothing
+End If
 WGET
           escape_and_echo(win_wget)
         end
@@ -235,6 +265,21 @@ WGET_PS
           local_download_path = "%TEMP%\\chef-client-latest.msi"
         end
 
+        def msi_url(machine_os=nil, machine_arch=nil, download_context=nil)
+          # The default msi path has a number of url query parameters - we attempt to substitute
+          # such parameters in as long as they are provided by the template.
+
+          if @config[:msi_url].nil? || @config[:msi_url].empty?
+            url = "https://www.chef.io/chef/download?p=windows"
+            url += "&pv=#{machine_os}" unless machine_os.nil?
+            url += "&m=#{machine_arch}" unless machine_arch.nil?
+            url += "&DownloadContext=#{download_context}" unless download_context.nil?
+            url += latest_current_windows_chef_version_query
+          else
+            @config[:msi_url]
+          end
+        end
+
         def first_boot
           first_boot_attributes_and_run_list = (@config[:first_boot_attributes] || {}).merge(:run_list => @run_list)
           escape_and_echo(first_boot_attributes_and_run_list.to_json)
@@ -250,9 +295,15 @@ WGET_PS
         private
 
         def install_command(executor_quote)
-          "msiexec /qn /log #{executor_quote}%CHEF_CLIENT_MSI_LOG_PATH%#{executor_quote} /i #{executor_quote}%LOCAL_DESTINATION_MSI_PATH%#{executor_quote}"
+          if @config[:install_as_service]
+            "msiexec /qn /log #{executor_quote}%CHEF_CLIENT_MSI_LOG_PATH%#{executor_quote} /i #{executor_quote}%LOCAL_DESTINATION_MSI_PATH%#{executor_quote} ADDLOCAL=#{executor_quote}ChefClientFeature,ChefServiceFeature#{executor_quote}"
+          else              
+            "msiexec /qn /log #{executor_quote}%CHEF_CLIENT_MSI_LOG_PATH%#{executor_quote} /i #{executor_quote}%LOCAL_DESTINATION_MSI_PATH%#{executor_quote}"
+          end
         end
 
+        # Returns a string for copying the trusted certificates on the workstation to the system being bootstrapped
+        # This string should contain both the commands necessary to both create the files, as well as their content
         def trusted_certs_content
           content = ""
           if @chef_config[:trusted_certs_dir]

data/lib/chef/knife/windows_cert_generate.rb

@@ -0,0 +1,155 @@
+# Author:: Mukta Aphale (<mukta.aphale@clogeny.com>)
+# Copyright:: Copyright (c) 2014 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/knife'
+require 'chef/knife/winrm_base'
+require 'openssl'
+require 'socket'
+
+class Chef
+  class Knife
+    class WindowsCertGenerate < Knife
+
+      attr_accessor :thumbprint, :hostname
+
+      banner "knife windows cert generate FILE_PATH (options)"
+
+      option :hostname,
+        :short => "-H HOSTNAME",
+        :long => "--hostname HOSTNAME",
+        :description => "Use to specify the hostname for the listener.
+        For example, --hostname something.mydomain.com or *.mydomain.com.",
+        :required => true
+
+      option :output_file,
+        :short => "-o PATH",
+        :long => "--output-file PATH",
+        :description => "Specifies the file path at which to generate the 3 certificate files of type .pfx, .b64, and .pem. The default is './winrmcert'.",
+        :default => "winrmcert"
+
+      option :key_length,
+        :short => "-k LENGTH",
+        :long => "--key-length LENGTH",
+        :description => "Default is 2048",
+        :default => "2048"
+
+      option :cert_validity,
+        :short => "-cv MONTHS",
+        :long => "--cert-validity MONTHS",
+        :description => "Default is 24 months",
+        :default => "24"
+
+      option :cert_passphrase,
+        :short => "-cp PASSWORD",
+        :long => "--cert-passphrase PASSWORD",
+        :description => "Password for certificate."
+
+      def generate_keypair
+        OpenSSL::PKey::RSA.new(config[:key_length].to_i)
+      end
+
+      def prompt_for_passphrase
+        passphrase = ""
+        begin
+          print "Passphrases do not match.  Try again.\n" unless passphrase.empty?
+          print "Enter certificate passphrase (empty for no passphrase):"
+          passphrase = STDIN.gets
+          return passphrase.strip if passphrase == "\n"
+          print "Enter same passphrase again:"
+          confirm_passphrase = STDIN.gets
+        end until passphrase == confirm_passphrase
+        passphrase.strip
+      end
+
+      def generate_certificate rsa_key
+        @hostname = config[:hostname] if config[:hostname]
+
+        #Create a self-signed X509 certificate from the rsa_key (unencrypted)
+        cert = OpenSSL::X509::Certificate.new
+        cert.version = 2
+        cert.serial = Random.rand(65534) + 1 # 2 digit byte range random number for better security aspect
+
+        cert.subject = OpenSSL::X509::Name.parse "/CN=#{@hostname}"
+        cert.issuer = cert.subject
+        cert.public_key = rsa_key.public_key
+        cert.not_before = Time.now
+        cert.not_after = cert.not_before + 2 * 365 * config[:cert_validity].to_i * 60 * 60 # 2 years validity
+        ef = OpenSSL::X509::ExtensionFactory.new
+        ef.subject_certificate = cert
+        ef.issuer_certificate = cert
+        cert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
+        cert.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false))
+        cert.add_extension(ef.create_extension("extendedKeyUsage", "1.3.6.1.5.5.7.3.1", false))
+        cert.sign(rsa_key, OpenSSL::Digest::SHA1.new)
+        @thumbprint = OpenSSL::Digest::SHA1.new(cert.to_der)
+        cert
+      end
+
+      def write_certificate_to_file(cert, file_path, rsa_key)
+        File.open(file_path + ".pem", "wb") { |f| f.print cert.to_pem }
+        config[:cert_passphrase] = prompt_for_passphrase unless config[:cert_passphrase]
+        pfx = OpenSSL::PKCS12.create("#{config[:cert_passphrase]}", "winrmcert", rsa_key, cert)
+        File.open(file_path + ".pfx", "wb") { |f| f.print pfx.to_der }
+        File.open(file_path + ".b64", "wb") { |f| f.print Base64.strict_encode64(pfx.to_der) }
+      end
+
+      def certificates_already_exist?(file_path)
+        certs_exists = false
+        %w{pem pfx b64}.each do |extn|
+          if !Dir.glob("#{file_path}.*#{extn}").empty?
+            certs_exists = true
+            break
+          end
+        end
+
+        if certs_exists
+          begin
+            confirm("Do you really want to overwrite existing certificates")
+          rescue SystemExit   # Need to handle this as confirming with N/n raises SystemExit exception
+            exit!
+          end
+        end
+      end
+
+      def run
+        STDOUT.sync = STDERR.sync = true
+
+        # takes user specified first cli value as a destination file path for generated cert.
+        file_path = @name_args.empty? ? config[:output_file].sub(/\.(\w+)$/,'') : @name_args.first
+
+        # check if certs already exists at given file path
+        certificates_already_exist? file_path
+
+        begin
+          filename = File.basename(file_path)
+          rsa_key = generate_keypair
+          cert = generate_certificate rsa_key
+          write_certificate_to_file cert, file_path, rsa_key
+          ui.info "Generated Certificates:"
+          ui.info "- #{filename}.pfx - PKCS12 format key pair. Contains public and private keys, can be used with an SSL server."
+          ui.info "- #{filename}.b64 - Base64 encoded PKCS12 key pair. Contains public and private keys, used by some cloud provider API's to configure SSL servers." 
+          ui.info "- #{filename}.pem - Base64 encoded public certificate only. Required by the client to connect to the server."
+          ui.info "Certificate Thumbprint: #{@thumbprint.to_s.upcase}"
+        rescue => e
+          puts "ERROR: + #{e}"
+        end
+      end
+
+    end
+  end
+end
+

data/lib/chef/knife/windows_cert_install.rb

@@ -0,0 +1,62 @@
+# Author:: Mukta Aphale (<mukta.aphale@clogeny.com>)
+# Copyright:: Copyright (c) 2014 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/knife'
+require 'chef/knife/winrm_base'
+
+class Chef
+  class Knife
+    class WindowsCertInstall < Knife
+
+      banner "knife windows cert install CERT [CERT] (options)"
+
+      option :cert_passphrase,
+        :short => "-cp PASSWORD",
+        :long => "--cert-passphrase PASSWORD",
+        :description => "Password for certificate."
+
+      def get_cert_passphrase
+        print "Enter given certificate's passphrase (empty for no passphrase):"
+        passphrase = STDIN.gets
+        passphrase.strip
+      end
+
+      def run
+        STDOUT.sync = STDERR.sync = true
+        if @name_args.empty?
+          ui.error "Please specify the certificate path. e.g-  'knife windows cert install <path>"
+          exit 1
+        end
+        file_path = @name_args.first
+        config[:cert_passphrase] = get_cert_passphrase unless config[:cert_passphrase]
+
+        begin
+          ui.info "Adding certificate to the Windows Certificate Store..."
+          result = %x{powershell.exe -Command " '#{config[:cert_passphrase]}' | certutil -importPFX '#{file_path}' AT_KEYEXCHANGE"}
+          if $?.exitstatus == 0
+            ui.info "Certificate added to Certificate Store"
+          else
+            ui.info "Error adding the certificate. Use -VV option for details"
+          end
+          Chef::Log.debug "#{result}"
+        rescue => e
+          puts "ERROR: + #{e}"
+        end
+      end
+    end
+  end
+end