knife-windows 0.8.6 → 1.0.0.rc.0

data/lib/chef/knife/winrm_base.rb

@@ -24,6 +24,9 @@ class Chef
   class Knife
     module WinrmBase
 
+      # It includes supported WinRM authentication protocol.
+      WINRM_AUTH_PROTOCOL_LIST ||= %w{basic negotiate kerberos}
+
       # :nodoc:
       # Would prefer to do this in a rational way, but can't be done b/c of
       # Mixlib::CLI's design :(
@@ -48,11 +51,19 @@ class Chef
             :description => "The WinRM password",
             :proc => Proc.new { |key| Chef::Config[:knife][:winrm_password] = key }
 
+          option :winrm_transport,
+            :short => "-t TRANSPORT",
+            :long => "--winrm-transport TRANSPORT",
+            :description => "The WinRM transport type.  valid choices are [ssl, plaintext]",
+            :default => 'plaintext',
+            :proc => Proc.new { |transport| Chef::Config[:knife][:winrm_port] = '5986' if transport == 'ssl'
+                                Chef::Config[:knife][:winrm_transport] = transport }
+
           option :winrm_port,
             :short => "-p PORT",
             :long => "--winrm-port PORT",
-            :description => "The WinRM port, by default this is 5985",
-            :default => "5985",
+            :description => "The WinRM port, by default this is '5985' for 'plaintext' and '5986' for 'ssl' winrm transport",
+            :default => '5985',
             :proc => Proc.new { |key| Chef::Config[:knife][:winrm_port] = key }
 
           option :identity_file,
@@ -60,15 +71,8 @@ class Chef
             :long => "--identity-file IDENTITY_FILE",
             :description => "The SSH identity file used for authentication"
 
-          option :winrm_transport,
-            :short => "-t TRANSPORT",
-            :long => "--winrm-transport TRANSPORT",
-            :description => "The WinRM transport type.  valid choices are [ssl, plaintext]",
-            :default => 'plaintext',
-            :proc => Proc.new { |transport| Chef::Config[:knife][:winrm_transport] = transport }
-
           option :kerberos_keytab_file,
-            :short => "-i KEYTAB_FILE",
+            :short => "-T KEYTAB_FILE",
             :long => "--keytab-file KEYTAB_FILE",
             :description => "The Kerberos keytab file used for authentication",
             :proc => Proc.new { |keytab| Chef::Config[:knife][:kerberos_keytab_file] = keytab }
@@ -91,9 +95,31 @@ class Chef
             :description => "The Certificate Authority (CA) trust file used for SSL transport",
             :proc => Proc.new { |trust| Chef::Config[:knife][:ca_trust_file] = trust }
 
+          option :winrm_ssl_verify_mode,
+            :long => "--winrm-ssl-verify-mode SSL_VERIFY_MODE",
+            :description => "The WinRM peer verification mode. Valid choices are [verify_peer, verify_none]",
+            :default => :verify_peer,
+            :proc => Proc.new { |verify_mode| verify_mode.to_sym }
+
+          option :winrm_authentication_protocol,
+            :long => "--winrm-authentication-protocol AUTHENTICATION_PROTOCOL",
+            :description => "The authentication protocol used during WinRM communication. The supported protocols are #{WINRM_AUTH_PROTOCOL_LIST.join(',')}. Default is 'negotiate'.",
+            :default => "negotiate",
+            :proc => Proc.new { |protocol| Chef::Config[:knife][:winrm_authentication_protocol] = protocol }
+
+          option :session_timeout,
+            :long => "--session-timeout Minutes",
+            :description => "The timeout for the client for the maximum length of the WinRM session",
+            :default => 30
         end
       end
 
+      def locate_config_value(key)
+        key = key.to_sym
+        value = config[key] || Chef::Config[:knife][key] || default_config[key]
+        Chef::Log.debug("Looking for key #{key} and found value #{value}")
+        value
+      end
     end
   end
 end

data/lib/chef/knife/winrm_knife_base.rb

@@ -0,0 +1,201 @@
+#
+# Author:: Steven Murawski (<smurawski@chef.io)
+# Copyright:: Copyright (c) 2015 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+require 'chef/knife'
+require 'chef/knife/winrm_base'
+require 'chef/knife/winrm_shared_options'
+
+class Chef
+  class Knife
+    module WinrmCommandSharedFunctions
+      def self.included(includer)
+        includer.class_eval do
+
+          @@ssl_warning_given = false
+
+          include Chef::Knife::WinrmBase
+          include Chef::Knife::WinrmSharedOptions
+
+          #Overrides Chef::Knife#configure_session, as that code is tied to the SSH implementation
+          #Tracked by Issue # 3042 / https://github.com/chef/chef/issues/3042
+          def configure_session
+            resolve_session_options
+            resolve_target_nodes
+            session_from_list
+          end
+
+          def resolve_target_nodes
+            @list = case config[:manual]
+                   when true
+                     @name_args[0].split(" ")
+                   when false
+                     r = Array.new
+                     q = Chef::Search::Query.new
+                     @action_nodes = q.search(:node, @name_args[0])[0]
+                     @action_nodes.each do |item|
+                       i = extract_nested_value(item, config[:attribute])
+                       r.push(i) unless i.nil?
+                     end
+                     r
+                   end
+             if @list.length == 0
+              if @action_nodes.length == 0
+                ui.fatal("No nodes returned from search!")
+              else
+                ui.fatal("#{@action_nodes.length} #{@action_nodes.length > 1 ? "nodes":"node"} found, " +
+                         "but does not have the required attribute (#{config[:attribute]}) to establish the connection. " +
+                         "Try setting another attribute to open the connection using --attribute.")
+              end
+              exit 10
+            end
+          end
+
+          def validate_password
+            if @session_opts[:user] and (not @session_opts[:password])
+              @session_opts[:password] = Chef::Config[:knife][:winrm_password] = config[:winrm_password] = get_password
+            end
+          end
+
+          private
+
+          def session_from_list
+            @list.each do |item|
+              Chef::Log.debug("Adding #{item}")
+              @session_opts[:host] = item
+              create_winrm_session(@session_opts)
+            end
+          end
+
+          def create_winrm_session(options={})
+            session = Chef::Knife::WinrmSession.new(options)
+            @winrm_sessions ||= []
+            @winrm_sessions.push(session)
+          end
+
+          def resolve_session_options
+            resolve_winrm_basic_options
+            resolve_winrm_auth_settings
+            resolve_winrm_kerberos_options
+            resolve_winrm_transport_options
+            resolve_winrm_ssl_options
+          end
+
+          def resolve_winrm_basic_options
+            @session_opts = {}
+            @session_opts[:user] = locate_config_value(:winrm_user)
+            @session_opts[:password] = locate_config_value(:winrm_password)
+            @session_opts[:port] = locate_config_value(:winrm_port)
+
+            #30 min (Default) OperationTimeout for long bootstraps fix for KNIFE_WINDOWS-8
+            @session_opts[:operation_timeout] = locate_config_value(:session_timeout).to_i * 60 if locate_config_value(:session_timeout)
+          end
+
+          def resolve_winrm_kerberos_options
+            if config.keys.any? {|k| k.to_s =~ /kerberos/ }
+              @session_opts[:transport] = :kerberos
+              @session_opts[:keytab] = locate_config_value(:kerberos_keytab_file) if locate_config_value(:kerberos_keytab_file)
+              @session_opts[:realm] = locate_config_value(:kerberos_realm) if locate_config_value(:kerberos_realm)
+              @session_opts[:service] = locate_config_value(:kerberos_service) if locate_config_value(:kerberos_service)
+            end
+          end
+
+          def resolve_winrm_transport_options
+            @session_opts[:disable_sspi] = true
+            @session_opts[:transport] = locate_config_value(:winrm_transport).to_sym unless @session_opts[:transport] == :kerberos
+            if negotiate_auth? && @session_opts[:transport] == :ssl
+                Chef::Log.debug("Trying WinRM communication with negotiate authentication and :ssl transport")
+            elsif use_windows_native_auth?
+              load_windows_specific_gems
+              @session_opts[:transport] = :sspinegotiate
+              @session_opts[:disable_sspi] = false
+            elsif negotiate_auth? && !Chef::Platform.windows?
+              ui.warn "The '--winrm-authentication-protocol = negotiate' with 'plaintext' transport is only supported when this tool is invoked from a Windows-based system."
+              ui.info "Try '--winrm-authentication-protocol = basic'"
+              exit 1
+            end
+          end
+
+          def resolve_winrm_ssl_options
+            @session_opts[:ca_trust_path] = locate_config_value(:ca_trust_file) if locate_config_value(:ca_trust_file)
+            @session_opts[:no_ssl_peer_verification] = no_ssl_peer_verification?(@session_opts[:ca_trust_path])
+            warn_no_ssl_peer_verification if @session_opts[:no_ssl_peer_verification]
+          end
+
+          def resolve_winrm_auth_settings
+            winrm_auth_protocol = locate_config_value(:winrm_authentication_protocol)
+            if ! Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.include?(winrm_auth_protocol)
+              ui.error "Invalid value '#{winrm_auth_protocol}' for --winrm-authentication-protocol option."
+              ui.info "Valid values are #{Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.join(",")}."
+              exit 1
+            end
+
+            if winrm_auth_protocol == "basic"
+              @session_opts[:basic_auth_only] = true
+            else
+              @session_opts[:basic_auth_only] = false
+            end
+          end
+
+          def no_ssl_peer_verification?(ca_trust_path)
+            ca_trust_path.nil? && (config[:winrm_ssl_verify_mode] == :verify_none)
+          end
+
+          def use_windows_native_auth?
+           Chef::Platform.windows? && @session_opts[:transport] != :ssl && negotiate_auth?
+          end
+
+          def load_windows_specific_gems
+            require 'winrm-s'
+            Chef::Log.debug("Applied 'winrm-s' monkey patch and trying WinRM communication with 'sspinegotiate'")
+          end
+
+          def get_password
+            @password ||= ui.ask("Enter your password: ") { |q| q.echo = false }
+          end
+
+          # returns true if winrm_authentication_protocol is 'negotiate'
+          def negotiate_auth?
+            locate_config_value(:winrm_authentication_protocol) == "negotiate"
+          end
+
+          def warn_no_ssl_peer_verification
+            if ! @@ssl_warning_given
+              @@ssl_warning_given = true
+              ui.warn(<<-WARN)
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+SSL validation of HTTPS requests for the WinRM transport is disabled. HTTPS WinRM
+connections are still encrypted, but knife is not able to detect forged replies
+or spoofing attacks.
+
+To fix this issue add an entry like this to your knife configuration file:
+
+```
+  # Verify all WinRM HTTPS connections (default, recommended)
+  knife[:winrm_ssl_verify_mode] = :verify_peer
+```
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+WARN
+                end
+              end
+
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/winrm_session.rb

@@ -0,0 +1,72 @@
+#
+# Author:: Steven Murawski <smurawski@chef.io>
+# Copyright:: Copyright (c) 2015 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'winrm'
+
+class Chef
+  class Knife
+    class WinrmSession
+        attr_reader :host, :endpoint, :port, :output, :error, :exit_code
+        def initialize(options)
+          @host = options[:host]
+          @port = options[:port]
+          url = "#{options[:host]}:#{options[:port]}/wsman"
+          scheme = options[:transport] == :ssl ? 'https' : 'http'
+          @endpoint = "#{scheme}://#{url}"
+          opts = Hash.new
+          opts = {:user => options[:user], :pass => options[:password], :basic_auth_only => options[:basic_auth_only], :disable_sspi => options[:disable_sspi], :no_ssl_peer_verification => options[:no_ssl_peer_verification]}
+
+          options[:transport] == :kerberos ? opts.merge!({:service => options[:service], :realm => options[:realm], :keytab => options[:keytab]}) : opts.merge!({:ca_trust_path => options[:ca_trust_path]})
+
+          Chef::Log.debug("WinRM::WinRMWebService options: #{opts}")
+          Chef::Log.debug("Endpoint: #{endpoint}")
+          Chef::Log.debug("Transport: #{options[:transport]}")
+          @winrm_session = WinRM::WinRMWebService.new(@endpoint, options[:transport], opts)
+          @winrm_session.set_timeout(options[:operation_timeout]) if options[:operation_timeout]
+        end
+
+        def relay_command(command)
+          remote_id = @winrm_session.open_shell
+          command_id = @winrm_session.run_command(remote_id, command)
+          Chef::Log.debug("#{@host}[#{remote_id}] => :run_command[#{command}]")
+          session_result = get_output(remote_id, command_id)
+          @winrm_session.cleanup_command(remote_id, command_id)
+          Chef::Log.debug("#{@host}[#{remote_id}] => :command_cleanup[#{command}]")
+          @exit_code = session_result[:exitcode]
+          @winrm_session.close_shell(remote_id)
+          Chef::Log.debug("#{@host}[#{remote_id}] => :shell_close")
+        end
+
+        def get_output(remote_id, command_id)
+          @winrm_session.get_command_output(remote_id, command_id) do |out,error|
+            print_data(@host, out) if out
+            print_data(@host, error, :red) if error
+          end
+        end
+
+        def print_data(host, data, color = :cyan)
+          if data =~ /\n/
+            data.split(/\n/).each { |d| print_data(host, d, color) }
+          elsif !data.nil?
+            print Chef::Knife::Winrm.ui.color(host, color)
+            puts " #{data}"
+          end
+        end
+    end
+  end
+end

data/lib/chef/knife/winrm_shared_options.rb

@@ -0,0 +1,47 @@
+#
+# Author:: Steven Murawski (<smurawski@chef.io)
+# Copyright:: Copyright (c) 2015 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/knife'
+require 'chef/encrypted_data_bag_item'
+require 'kconv'
+
+class Chef
+  class Knife
+    module WinrmSharedOptions
+
+      # Shared command line options for knife winrm and knife wsman test
+      def self.included(includer)
+        includer.class_eval do
+          option :manual,
+            :short => "-m",
+            :long => "--manual-list",
+            :boolean => true,
+            :description => "QUERY is a space separated list of servers",
+            :default => false
+
+          option :attribute,
+            :short => "-a ATTR",
+            :long => "--attribute ATTR",
+            :description => "The attribute to use for opening the connection - default is fqdn",
+            :default => "fqdn"
+        end
+      end
+
+    end
+  end
+end

data/lib/chef/knife/wsman_endpoint.rb

@@ -0,0 +1,44 @@
+#
+# Author:: Steven Murawski (<smurawski@chef.io)
+# Copyright:: Copyright (c) 2015 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  class Knife
+    class WsmanEndpoint
+      attr_accessor :host
+      attr_accessor :wsman_port
+      attr_accessor :wsman_url
+      attr_accessor :product_version
+      attr_accessor :protocol_version
+      attr_accessor :product_vendor
+      attr_accessor :response_status_code
+      attr_accessor :error_message
+
+      def initialize(name, port, url)
+        @host = name
+        @wsman_port = port
+        @wsman_url = url
+      end
+
+      def to_hash
+        hash = {}
+        instance_variables.each {|var| hash[var.to_s.delete("@")] = instance_variable_get(var) }
+        hash
+      end
+    end
+  end
+end