knife-windows 0.8.6 → 1.0.0.rc.0

data/spec/unit/knife/core/windows_bootstrap_context_spec.rb

@@ -25,6 +25,18 @@ describe Chef::Knife::Core::WindowsBootstrapContext do
      allow(Chef::Knife::Core::WindowsBootstrapContext).to receive(:new).and_return(mock_bootstrap_context)
    end
 
+  describe "validation_key", :chef_gte_12_only do
+    before do
+      mock_bootstrap_context.instance_variable_set(:@config, Mash.new(:validation_key => "C:\\chef\\key.pem"))
+    end
+
+    it "should return false if validation_key does not exist" do
+      allow(::File).to receive(:expand_path)
+      allow(::File).to receive(:exist?).and_return(false)
+      expect(mock_bootstrap_context.validation_key).to eq(false)
+    end
+  end
+
   describe "latest_current_windows_chef_version_query" do
     it "returns the major version of the current version of Chef" do
       stub_const("Chef::VERSION", '11.1.2')
@@ -51,4 +63,39 @@ describe Chef::Knife::Core::WindowsBootstrapContext do
       end
     end
   end
+
+  describe "msi_url" do
+    context "when config option is not set" do
+      before do
+        expect(mock_bootstrap_context).to receive(:latest_current_windows_chef_version_query).and_return("&v=something")
+      end
+
+      it "returns a chef.io msi url with minimal url parameters" do
+        reference_url = "https://www.chef.io/chef/download?p=windows&v=something"
+        expect(mock_bootstrap_context.msi_url).to eq(reference_url)
+      end
+
+      it "returns a chef.io msi url with provided url parameters substituted" do
+        reference_url = "https://www.chef.io/chef/download?p=windows&pv=machine&m=arch&DownloadContext=ctx&v=something"
+        expect(mock_bootstrap_context.msi_url('machine', 'arch', 'ctx')).to eq(reference_url)
+      end
+    end
+
+    context "when msi_url config option is set" do
+      let(:custom_url) { "file://something" }
+
+      before do
+        mock_bootstrap_context.instance_variable_set(:@config, Mash.new(:msi_url => custom_url))
+      end
+
+      it "returns the overriden url" do
+        expect(mock_bootstrap_context.msi_url).to eq(custom_url)
+      end
+
+      it "doesn't introduce any unnecessary query parameters if provided by the template" do
+        expect(mock_bootstrap_context.msi_url('machine', 'arch', 'ctx')).to eq(custom_url)
+      end
+    end
+  end
+
 end

data/spec/unit/knife/windows_cert_generate_spec.rb

@@ -0,0 +1,90 @@
+#
+# Author:: Mukta Aphale <mukta.aphale@clogeny.com>
+# Copyright:: Copyright (c) 2014 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'spec_helper'
+require 'chef/knife/windows_cert_generate'
+require 'openssl'
+
+describe Chef::Knife::WindowsCertGenerate do
+  before(:all) do
+    @certgen = Chef::Knife::WindowsCertGenerate.new(["-H","something.mydomain.com"])
+  end
+
+  it "generates RSA key pair" do
+    @certgen.config[:key_length] = 2048
+    key = @certgen.generate_keypair
+    expect(key).to be_instance_of OpenSSL::PKey::RSA
+  end
+
+  it "generates X509 certificate" do
+    @certgen.config[:domain] = "test.com"
+    @certgen.config[:cert_validity] = "24"
+    key = @certgen.generate_keypair
+    certificate = @certgen.generate_certificate key
+    expect(certificate).to be_instance_of OpenSSL::X509::Certificate
+  end
+
+  it "writes certificate to file" do
+    expect(File).to receive(:open).exactly(3).times
+    cert = double(OpenSSL::X509::Certificate.new)
+    key = double(OpenSSL::PKey::RSA.new)
+    @certgen.config[:cert_passphrase] = "password"
+    expect(OpenSSL::PKCS12).to receive(:create).with("password", "winrmcert", key, cert)
+    @certgen.write_certificate_to_file cert, "test", key
+  end
+
+  context "when creating certificate files" do
+    before do
+      @certgen.thumbprint = "TEST_THUMBPRINT"
+      allow(Dir).to receive(:glob).and_return([])
+      allow(@certgen).to receive(:generate_keypair)
+      allow(@certgen).to receive(:generate_certificate)
+      expect(@certgen.ui).to receive(:info).with("Generated Certificates:")
+      expect(@certgen.ui).to receive(:info).with("- winrmcert.pfx - PKCS12 format key pair. Contains public and private keys, can be used with an SSL server.")
+      expect(@certgen.ui).to receive(:info).with("- winrmcert.b64 - Base64 encoded PKCS12 key pair. Contains public and private keys, used by some cloud provider API's to configure SSL servers.")
+      expect(@certgen.ui).to receive(:info).with("- winrmcert.pem - Base64 encoded public certificate only. Required by the client to connect to the server.")
+      expect(@certgen.ui).to receive(:info).with("Certificate Thumbprint: TEST_THUMBPRINT")
+    end
+
+    it "writes out certificates" do
+      @certgen.config[:output_file] = 'winrmcert'
+  
+      expect(@certgen).to receive(:certificates_already_exist?).and_return(false)
+      expect(@certgen).to receive(:write_certificate_to_file)
+      @certgen.run
+    end
+  
+    it "prompts when certificates already exist" do
+      file_path = 'winrmcert'
+      @certgen.config[:output_file] = file_path
+
+      allow(Dir).to receive(:glob).and_return([file_path])
+      expect(@certgen).to receive(:confirm).with("Do you really want to overwrite existing certificates")
+      expect(@certgen).to receive(:write_certificate_to_file)
+      @certgen.run
+    end
+  
+    it "creates certificate on specified file path" do
+      file_path = "/tmp/winrmcert"
+      @certgen.name_args = [file_path]
+
+      expect(@certgen).to receive(:write_certificate_to_file) # FIXME: this should be testing that we get /tmp/winrmcert as the filename
+      @certgen.run
+    end
+  end
+end

data/spec/unit/knife/windows_cert_install_spec.rb

@@ -0,0 +1,35 @@
+#
+# Author:: Mukta Aphale <mukta.aphale@clogeny.com>
+# Copyright:: Copyright (c) 2014 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'spec_helper'
+require 'chef/knife/windows_cert_install'
+
+describe Chef::Knife::WindowsCertInstall do
+  before(:all) do
+    @certinstall = Chef::Knife::WindowsCertInstall.new
+  end
+
+  it "installs certificate" do
+    @certinstall.name_args = ["test-path"]
+    @certinstall.config[:cert_passphrase] = "your-secret!"
+    expect(@certinstall).to receive(:`).with("powershell.exe -Command \" 'your-secret!' | certutil -importPFX 'test-path' AT_KEYEXCHANGE\"")
+    expect(@certinstall.ui).to receive(:info).with("Certificate added to Certificate Store")
+    expect(@certinstall.ui).to receive(:info).with("Adding certificate to the Windows Certificate Store...")
+    @certinstall.run
+  end
+end

data/spec/unit/knife/windows_listener_create_spec.rb

@@ -0,0 +1,61 @@
+#
+# Author:: Mukta Aphale <mukta.aphale@clogeny.com>
+# Copyright:: Copyright (c) 2014 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'spec_helper'
+require 'chef/knife/windows_listener_create'
+
+describe Chef::Knife::WindowsListenerCreate, :windows_only do
+  before(:all) do
+    @listener = Chef::Knife::WindowsListenerCreate.new
+  end
+
+  it "creates winrm listener" do
+    @listener.config[:hostname] = "host"
+    @listener.config[:cert_thumbprint] = "CERT-THUMBPRINT"
+    @listener.config[:port] = "5986"
+    expect(@listener).to receive(:`).with("winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=\"host\";CertificateThumbprint=\"CERT-THUMBPRINT\";Port=\"5986\"}")
+    expect(@listener.ui).to receive(:info).with("WinRM listener created with Port: 5986 and CertificateThumbprint: CERT-THUMBPRINT")
+    @listener.run
+  end
+
+  it "raise an error on command failure" do
+    @listener.config[:hostname] = "host"
+    @listener.config[:cert_thumbprint] = "CERT-THUMBPRINT"
+    @listener.config[:port] = "5986"
+    @listener.config[:basic_auth] = true
+    expect(@listener).to receive(:`).with("winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=\"host\";CertificateThumbprint=\"CERT-THUMBPRINT\";Port=\"5986\"}")
+    expect($?).to receive(:exitstatus).and_return(100)
+    expect(@listener.ui).to receive(:error).with("Error creating WinRM listener. use -VV for more details.")
+    expect(@listener.ui).to_not receive(:info).with("WinRM listener created with Port: 5986 and CertificateThumbprint: CERT-THUMBPRINT")
+    @listener.run
+  end
+
+  it "creates winrm listener with cert install option" do
+    @listener.config[:hostname] = "host"
+    @listener.config[:cert_thumbprint] = "CERT-THUMBPRINT"
+    @listener.config[:port] = "5986"
+    @listener.config[:cert_install] = true
+    allow(@listener).to receive(:get_cert_passphrase).and_return("your-secret!")
+    expect(@listener).to receive(:`).with("powershell.exe -Command \" 'your-secret!' | certutil  -importPFX 'true' AT_KEYEXCHANGE\"")
+    expect(@listener).to receive(:`).with("powershell.exe -Command \" echo (Get-PfxCertificate true).thumbprint \"")
+    expect(@listener.ui).to receive(:info).with("Certificate installed to Certificate Store")
+    expect(@listener.ui).to receive(:info).with("Certificate Thumbprint: ")
+    allow(@listener).to receive(:puts)
+    @listener.run
+  end
+end

data/spec/unit/knife/winrm_session_spec.rb

@@ -0,0 +1,47 @@
+#
+# Author:: Steven Murawski <smurawski@chef.io>
+# Copyright:: Copyright (c) 2015 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'spec_helper'
+
+Chef::Knife::Winrm.load_deps
+
+
+describe Chef::Knife::WinrmSession do
+  describe "#relay_command" do
+    before do
+      @service_mock = Object.new
+      @service_mock.define_singleton_method(:open_shell){}
+      @service_mock.define_singleton_method(:run_command){}
+      @service_mock.define_singleton_method(:cleanup_command){}
+      @service_mock.define_singleton_method(:get_command_output){|t,y| {}}
+      @service_mock.define_singleton_method(:close_shell){}
+      allow(Chef::Knife::WinrmSession).to receive(:new).with(hash_including(:transport => :plaintext)).and_call_original
+      allow(WinRM::WinRMWebService).to receive(:new).and_return(@service_mock)
+      @session = Chef::Knife::WinrmSession.new({transport: :plaintext})
+    end
+
+    it "run command and display commands output" do
+      expect(@service_mock).to receive(:open_shell).ordered
+      expect(@service_mock).to receive(:run_command).ordered
+      expect(@service_mock).to receive(:get_command_output).ordered.and_return({})
+      expect(@service_mock).to receive(:cleanup_command).ordered
+      expect(@service_mock).to receive(:close_shell).ordered
+      @session.relay_command("cmd.exe echo 'hi'")
+    end
+  end
+end

data/spec/unit/knife/winrm_spec.rb

@@ -51,6 +51,7 @@ describe Chef::Knife::Winrm do
     context "when there are some hosts found but they do not have an attribute to connect with" do
       before do
         @knife.config[:manual] = false
+        @knife.config[:winrm_password] = 'P@ssw0rd!'
         allow(@query).to receive(:search).and_return([[@node_foo, @node_bar]])
         @node_foo.automatic_attrs[:fqdn] = nil
         @node_bar.automatic_attrs[:fqdn] = nil
@@ -60,30 +61,154 @@ describe Chef::Knife::Winrm do
       it "should raise a specific error (KNIFE-222)" do
         expect(@knife.ui).to receive(:fatal).with(/does not have the required attribute/)
         expect(@knife).to receive(:exit).with(10)
-        @knife.configure_session
+        @knife.configure_chef
+        @knife.resolve_target_nodes
       end
     end
 
     context "when there are nested attributes" do
       before do
         @knife.config[:manual] = false
+        @knife.config[:winrm_password] = 'P@ssw0rd!'
         allow(@query).to receive(:search).and_return([[@node_foo, @node_bar]])
         allow(Chef::Search::Query).to receive(:new).and_return(@query)
       end
 
       it "should use nested attributes (KNIFE-276)" do
         @knife.config[:attribute] = "ec2.public_hostname"
-        allow(@knife).to receive(:session_from_list)
-        @knife.configure_session
-
+        @knife.configure_chef
+        @knife.resolve_target_nodes
       end
     end
 
     describe Chef::Knife::Winrm do
+      context "when configuring the WinRM transport" do
+        before(:all) do
+          @winrm_session = Object.new
+          @winrm_session.define_singleton_method(:set_timeout){|timeout| ""}
+        end
+        after(:each) do
+          Chef::Config.configuration = @original_config
+          Chef::Config[:knife] = @original_knife_config if @original_knife_config
+        end
+
+        context "on windows workstations" do
+          let(:winrm_command_windows_http) { Chef::Knife::Winrm.new(['-m', 'localhost', '-x', 'testuser', '-P', 'testpassword',  'echo helloworld'])        }
+          it "should default to negotiate when on a Windows host" do
+            allow(Chef::Platform).to receive(:windows?).and_return(true)
+            expect(winrm_command_windows_http).to receive(:load_windows_specific_gems)
+            expect(Chef::Knife::WinrmSession).to receive(:new).with(hash_including(:transport => :sspinegotiate)).and_call_original
+            expect(WinRM::WinRMWebService).to receive(:new).with('http://localhost:5985/wsman', anything, anything).and_return(@winrm_session)
+            winrm_command_windows_http.configure_chef
+            winrm_command_windows_http.configure_session
+          end
+        end
+
+        context "on non-windows workstations" do
+          before do
+            allow(Chef::Platform).to receive(:windows?).and_return(false)
+          end
+
+          let(:winrm_command_http) { Chef::Knife::Winrm.new(['-m', 'localhost', '-x', 'testuser', '-P', 'testpassword', '-t', 'plaintext', '--winrm-authentication-protocol', 'basic', 'echo helloworld'])        }
+          it "should default to the http uri scheme" do
+            expect(Chef::Knife::WinrmSession).to receive(:new).with(hash_including(:transport => :plaintext)).and_call_original
+            expect(WinRM::WinRMWebService).to receive(:new).with('http://localhost:5985/wsman', anything, anything).and_return(@winrm_session)
+            winrm_command_http.configure_chef
+            winrm_command_http.configure_session
+          end
+
+          it "set operation timeout and verify default" do
+            expect(Chef::Knife::WinrmSession).to receive(:new).with(hash_including(:transport => :plaintext)).and_call_original
+            expect(WinRM::WinRMWebService).to receive(:new).with('http://localhost:5985/wsman', anything, anything).and_return(@winrm_session)
+            expect(@winrm_session).to receive(:set_timeout).with(1800)
+            winrm_command_http.configure_chef
+            winrm_command_http.configure_session
+          end
+
+          it "should set user specified winrm port" do
+            Chef::Config[:knife] = {winrm_port: "5988"}
+            expect(Chef::Knife::WinrmSession).to receive(:new).with(hash_including(:transport => :plaintext)).and_call_original
+            expect(WinRM::WinRMWebService).to receive(:new).with('http://localhost:5988/wsman', anything, anything).and_return(@winrm_session)
+            winrm_command_http.configure_chef
+            winrm_command_http.configure_session
+          end
+
+          let(:winrm_command_timeout) { Chef::Knife::Winrm.new(['-m', 'localhost', '-x', 'testuser', '-P', 'testpassword', '--winrm-authentication-protocol', 'basic', '--session-timeout', '10', 'echo helloworld'])        }
+
+          it "set operation timeout and verify 10 Minute timeout" do
+            expect(Chef::Knife::WinrmSession).to receive(:new).with(hash_including(:transport => :plaintext)).and_call_original
+            expect(WinRM::WinRMWebService).to receive(:new).with('http://localhost:5985/wsman', anything, anything).and_return(@winrm_session)
+            expect(@winrm_session).to receive(:set_timeout).with(600)
+            winrm_command_timeout.configure_chef
+            winrm_command_timeout.configure_session
+          end
+
+          let(:winrm_command_https) { Chef::Knife::Winrm.new(['-m', 'localhost', '-x', 'testuser', '-P', 'testpassword', '--winrm-transport', 'ssl', 'echo helloworld'])       }
+
+          it "should use the https uri scheme if the ssl transport is specified" do
+            Chef::Config[:knife] = {:winrm_transport => 'ssl'}
+            expect(Chef::Knife::WinrmSession).to receive(:new).with(hash_including(:transport => :ssl)).and_call_original
+            expect(WinRM::WinRMWebService).to receive(:new).with('https://localhost:5986/wsman', anything, anything).and_return(@winrm_session)
+            winrm_command_https.configure_chef
+            winrm_command_https.configure_session
+          end
+
+          it "should use the winrm port '5986' by default for ssl transport" do
+            Chef::Config[:knife] = {:winrm_transport => 'ssl'}
+            expect(Chef::Knife::WinrmSession).to receive(:new).with(hash_including(:transport => :ssl)).and_call_original
+            expect(WinRM::WinRMWebService).to receive(:new).with('https://localhost:5986/wsman', anything, anything).and_return(@winrm_session)
+            winrm_command_https.configure_chef
+            winrm_command_https.configure_session
+          end
+
+          it "should default to validating the server when the ssl transport is used" do
+            expect(Chef::Knife::WinrmSession).to receive(:new).with(hash_including(:transport => :ssl)).and_call_original
+            expect(WinRM::WinRMWebService).to receive(:new).with(anything, anything, hash_including(:no_ssl_peer_verification => false)).and_return(@winrm_session)
+            winrm_command_https.configure_chef
+            winrm_command_https.configure_session
+          end
+
+          let(:winrm_command_verify_peer) { Chef::Knife::Winrm.new(['-m', 'localhost', '-x', 'testuser', '-P', 'testpassword', '--winrm-transport', 'ssl', '--winrm-ssl-verify-mode', 'verify_peer', 'echo helloworld'])}
+          it "should validate the server when the ssl transport is used and the :winrm_ssl_verify_mode option is not configured to :verify_none" do
+            expect(Chef::Knife::WinrmSession).to receive(:new).with(hash_including(:transport => :ssl)).and_call_original
+            expect(WinRM::WinRMWebService).to receive(:new).with(anything, anything, hash_including(:no_ssl_peer_verification => false)).and_return(@winrm_session)
+            winrm_command_verify_peer.configure_chef
+            winrm_command_verify_peer.configure_session
+          end
+
+          let(:winrm_command_no_verify) { Chef::Knife::Winrm.new(['-m', 'localhost', '-x', 'testuser', '-P', 'testpassword', '--winrm-transport', 'ssl', '--winrm-ssl-verify-mode', 'verify_none', 'echo helloworld'])}
+
+          it "should not validate the server when the ssl transport is used and the :winrm_ssl_verify_mode option is set to :verify_none" do
+            expect(Chef::Knife::WinrmSession).to receive(:new).with(hash_including(:transport => :ssl)).and_call_original
+            expect(WinRM::WinRMWebService).to receive(:new).with(anything, anything, hash_including(:no_ssl_peer_verification => true)).and_return(@winrm_session)
+            winrm_command_no_verify.configure_chef
+            winrm_command_no_verify.configure_session
+          end
+
+          it "should provide warning output when the :winrm_ssl_verify_mode set to :verify_none to disable server validation" do
+            expect(Chef::Knife::WinrmSession).to receive(:new).with(hash_including(:transport => :ssl)).and_call_original
+            expect(WinRM::WinRMWebService).to receive(:new).with(anything, anything, hash_including(:no_ssl_peer_verification => true)).and_return(@winrm_session)
+            expect(winrm_command_no_verify).to receive(:warn_no_ssl_peer_verification)
+
+            winrm_command_no_verify.configure_chef
+            winrm_command_no_verify.configure_session
+          end
+
+          let(:winrm_command_ca_trust) { Chef::Knife::Winrm.new(['-m', 'localhost', '-x', 'testuser', '-P', 'testpassword', '--winrm-transport', 'ssl', '--ca-trust-file', '~/catrustroot', '--winrm-ssl-verify-mode', 'verify_none', 'echo helloworld'])}
+
+          it "should validate the server when the ssl transport is used and the :ca_trust_file option is specified even if the :winrm_ssl_verify_mode option is set to :verify_none" do
+            expect(Chef::Knife::WinrmSession).to receive(:new).with(hash_including(:transport => :ssl)).and_call_original
+            expect(WinRM::WinRMWebService).to receive(:new).with(anything, anything, hash_including(:no_ssl_peer_verification => false)).and_return(@winrm_session)
+            winrm_command_ca_trust.configure_chef
+            winrm_command_ca_trust.configure_session
+          end
+        end
+      end
+
       context "when executing the run command which sets the process exit code" do
         before(:each) do
-          Chef::Config[:knife] = {:winrm_transport => :http}
-          @winrm = Chef::Knife::Winrm.new(['-m', 'localhost', '-x', 'testuser', '-P', 'testpassword', 'echo helloworld'])
+          Chef::Config[:knife] = {:winrm_transport => 'plaintext'}
+          @winrm = Chef::Knife::Winrm.new(['-m', 'localhost', '-x', 'testuser', '-P', 'testpassword', '--winrm-authentication-protocol', 'basic', 'echo helloworld'])
         end
 
         after(:each) do
@@ -92,44 +217,44 @@ describe Chef::Knife::Winrm do
         end
 
         it "should return with 0 if the command succeeds" do
-          allow(@winrm).to receive(:winrm_command).and_return(0)
+          allow(@winrm).to receive(:exit)
+          allow(@winrm).to receive(:relay_winrm_command).and_return(0)
           exit_code = @winrm.run
           expect(exit_code).to be_zero
         end
 
         it "should exit the process with exact exit status if the command fails and returns config is set to 0" do
           command_status = 510
+          session_mock = Chef::Knife::WinrmSession.new({:transport => :plaintext, :host => 'localhost', :port => '5985'})
+
           @winrm.config[:returns] = "0"
           Chef::Config[:knife][:returns] = [0]
-          allow(@winrm).to receive(:winrm_command).and_return(command_status)
-          session_mock = EventMachine::WinRM::Session.new
-          allow(EventMachine::WinRM::Session).to receive(:new).and_return(session_mock)
-          allow(session_mock).to receive(:exit_codes).and_return({"thishost" => command_status})
-          begin
-            @winrm.run
-            expect(0).to eq(510)
-          rescue Exception => e
-            expect(e.status).to eq(command_status)
-          end
+
+          allow(@winrm).to receive(:relay_winrm_command)
+          allow(@winrm.ui).to receive(:error)
+          allow(Chef::Knife::WinrmSession).to receive(:new).and_return(session_mock)
+          allow(session_mock).to receive(:exit_code).and_return(command_status)
+          expect { @winrm.run_with_pretty_exceptions }.to raise_error(SystemExit) { |e| expect(e.status).to eq(command_status) }
         end
 
         it "should exit the process with non-zero status if the command fails and returns config is set to 0" do
           command_status = 1
           @winrm.config[:returns] = "0,53"
           Chef::Config[:knife][:returns] = [0,53]
-          allow(@winrm).to receive(:winrm_command).and_return(command_status)
-          session_mock = EventMachine::WinRM::Session.new
-          allow(EventMachine::WinRM::Session).to receive(:new).and_return(session_mock)
-          allow(session_mock).to receive(:exit_codes).and_return({"thishost" => command_status})
+          allow(@winrm).to receive(:relay_winrm_command).and_return(command_status)
+          allow(@winrm.ui).to receive(:error)
+          session_mock = Chef::Knife::WinrmSession.new({:transport => :plaintext, :host => 'localhost', :port => '5985'})
+          allow(Chef::Knife::WinrmSession).to receive(:new).and_return(session_mock)
+          allow(session_mock).to receive(:exit_code).and_return(command_status)
           expect { @winrm.run_with_pretty_exceptions }.to raise_error(SystemExit) { |e| expect(e.status).to eq(command_status) }
         end
 
         it "should exit the process with a zero status if the command returns an expected non-zero status" do
           command_status = 53
           Chef::Config[:knife][:returns] = [0,53]
-          allow(@winrm).to receive(:winrm_command).and_return(command_status)
-          session_mock = EventMachine::WinRM::Session.new
-          allow(EventMachine::WinRM::Session).to receive(:new).and_return(session_mock)
+          allow(@winrm).to receive(:relay_winrm_command).and_return(command_status)
+          session_mock = Chef::Knife::WinrmSession.new({:transport => :plaintext, :host => 'localhost', :port => '5985'})
+          allow(Chef::Knife::WinrmSession).to receive(:new).and_return(session_mock)
           allow(session_mock).to receive(:exit_codes).and_return({"thishost" => command_status})
           exit_code = @winrm.run
           expect(exit_code).to be_zero
@@ -137,82 +262,123 @@ describe Chef::Knife::Winrm do
 
         it "should exit the process with a zero status if the command returns an expected non-zero status" do
           command_status = 53
-          Chef::Config[:knife][:returns] = [0,53]
-          allow(@winrm).to receive(:winrm_command).and_return(command_status)
-          session_mock = EventMachine::WinRM::Session.new
-          allow(EventMachine::WinRM::Session).to receive(:new).and_return(session_mock)
+          @winrm.config[:returns] = '0,53'
+          allow(@winrm).to receive(:relay_winrm_command).and_return(command_status)
+          session_mock = Chef::Knife::WinrmSession.new({:transport => :plaintext, :host => 'localhost', :port => '5985'})
+          allow(Chef::Knife::WinrmSession).to receive(:new).and_return(session_mock)
           allow(session_mock).to receive(:exit_codes).and_return({"thishost" => command_status})
           exit_code = @winrm.run
           expect(exit_code).to be_zero
         end
 
         it "should exit the process with 100 if command execution raises an exception other than 401" do
-          allow(@winrm).to receive(:winrm_command).and_raise(WinRM::WinRMHTTPTransportError.new('500', '500'))
+          allow(@winrm).to receive(:relay_winrm_command).and_raise(WinRM::WinRMHTTPTransportError.new('', '500'))
+          allow(@winrm.ui).to receive(:error)
           expect { @winrm.run_with_pretty_exceptions }.to raise_error(SystemExit) { |e| expect(e.status).to eq(100) }
         end
 
         it "should exit the process with 100 if command execution raises a 401" do
-          allow(@winrm).to receive(:winrm_command).and_raise(WinRM::WinRMHTTPTransportError.new('401', '401'))
+          allow(@winrm).to receive(:relay_winrm_command).and_raise(WinRM::WinRMHTTPTransportError.new('', '401'))
+          allow(@winrm.ui).to receive(:info)
+          allow(@winrm.ui).to receive(:error)
           expect { @winrm.run_with_pretty_exceptions }.to raise_error(SystemExit) { |e| expect(e.status).to eq(100) }
         end
 
         it "should exit the process with 0 if command execution raises a 401 and suppress_auth_failure is set to true" do
           @winrm.config[:suppress_auth_failure] = true
-          allow(@winrm).to receive(:winrm_command).and_raise(WinRM::WinRMHTTPTransportError.new('401', '401'))
+          allow(@winrm).to receive(:relay_winrm_command).and_raise(WinRM::WinRMHTTPTransportError.new('', '401'))
           exit_code = @winrm.run_with_pretty_exceptions
           expect(exit_code).to eq(401)
         end
 
-        context "validate sspinegotiate transport option" do
+        context "when winrm_authentication_protocol specified" do
           before do
-            Chef::Config[:knife] = {:winrm_transport => :plaintext}
-            allow(@winrm).to receive(:winrm_command).and_return(0)
+            Chef::Config[:knife] = {:winrm_transport => 'plaintext'}
+            allow(@winrm).to receive(:relay_winrm_command).and_return(0)
           end
 
-          it "should have winrm opts transport set to sspinegotiate for windows" do
+          it "set sspinegotiate transport on windows for 'negotiate' authentication" do
+            @winrm.config[:winrm_authentication_protocol] = "negotiate"
             @winrm.config[:winrm_user] = "domain\\testuser"
             allow(Chef::Platform).to receive(:windows?).and_return(true)
             allow(@winrm).to receive(:require).with('winrm-s').and_return(true)
-            expect(@winrm.session).to receive(:use).with("localhost", {:user=>"domain\\testuser", :password=>"testpassword", :port=>nil, :operation_timeout=>1800, :basic_auth_only=>false, :transport=>:sspinegotiate, :disable_sspi=>false})
+            expect(@winrm).to receive(:create_winrm_session).with({:user=>"domain\\testuser", :password=>"testpassword", :port=>"5985", :no_ssl_peer_verification => false, :basic_auth_only=>false, :operation_timeout=>1800, :transport=>:sspinegotiate, :disable_sspi=>false, :host=>"localhost"})
+            exit_code = @winrm.run
+          end
+
+          it "should not have winrm opts transport set to sspinegotiate for unix" do
+            @winrm.config[:winrm_authentication_protocol] = "negotiate"
+            allow(Chef::Platform).to receive(:windows?).and_return(false)
+            allow(@winrm).to receive(:exit)
+            expect(@winrm).to receive(:create_winrm_session).with({:user=>"testuser", :password=>"testpassword", :port=>"5985", :no_ssl_peer_verification=>false, :basic_auth_only=>false, :operation_timeout=>1800, :transport=>:plaintext, :disable_sspi=>true, :host=>"localhost"})
             exit_code = @winrm.run
           end
 
-          it "should use the winrm monkey patch for windows" do
+          it "apply winrm monkey patch on windows if 'negotiate' authentication and 'plaintext' transport is specified", :windows_only => true do
+            @winrm.config[:winrm_authentication_protocol] = "negotiate"
             @winrm.config[:winrm_user] = "domain\\testuser"
             allow(Chef::Platform).to receive(:windows?).and_return(true)
-            expect(@winrm).to receive(:require).with('winrm-s')
+            allow(@winrm.ui).to receive(:warn)
+            expect(@winrm).to receive(:require).with('winrm-s').and_call_original
+            exit_code = @winrm.run
+          end
 
+          it "raise an error if value is other than [basic, negotiate, kerberos]" do
+            @winrm.config[:winrm_authentication_protocol] = "invalid"
+            @winrm.config[:winrm_user] = "domain\\testuser"
+            allow(Chef::Platform).to receive(:windows?).and_return(true)
+            expect(@winrm.ui).to receive(:error)
+            expect(@winrm).to receive(:exit)
             exit_code = @winrm.run
           end
 
-          context "when domain name not given" do
-            it "should skip winrm monkey patch for windows" do
-              @winrm.config[:winrm_user] = "testuser"
-              allow(Chef::Platform).to receive(:windows?).and_return(true)
-              expect(@winrm).to_not receive(:require).with('winrm-s')
+          it "skip winrm monkey patch for 'basic' authentication" do
+            @winrm.config[:winrm_authentication_protocol] = "basic"
+            @winrm.config[:winrm_user] = "domain\\testuser"
+            allow(Chef::Platform).to receive(:windows?).and_return(true)
+            expect(@winrm).to_not receive(:require).with('winrm-s')
+            exit_code = @winrm.run
+          end
 
-              exit_code = @winrm.run
-            end
+          it "skip winrm monkey patch for 'kerberos' authentication" do
+            @winrm.config[:winrm_authentication_protocol] = "kerberos"
+            @winrm.config[:winrm_user] = "domain\\testuser"
+            allow(Chef::Platform).to receive(:windows?).and_return(true)
+            expect(@winrm).to_not receive(:require).with('winrm-s')
+            exit_code = @winrm.run
           end
 
-          context "when local domain name given"  do
-            it "should use the winrm monkey patch for windows" do
-              @winrm.config[:winrm_user] = ".\\testuser"
-              allow(Chef::Platform).to receive(:windows?).and_return(true)
-              expect(@winrm).to receive(:require).with('winrm-s')
+          it "skip winrm monkey patch for 'ssl' transport and 'negotiate' authentication" do
+            @winrm.config[:winrm_authentication_protocol] = "negotiate"
+            @winrm.config[:winrm_transport] = "ssl"
+            @winrm.config[:winrm_user] = "domain\\testuser"
+            allow(Chef::Platform).to receive(:windows?).and_return(true)
+            expect(@winrm).to_not receive(:require).with('winrm-s')
+            exit_code = @winrm.run
+          end
 
-              exit_code = @winrm.run
-            end
+          it "disable sspi and skip winrm monkey patch for 'ssl' transport and 'basic' authentication" do
+            @winrm.config[:winrm_authentication_protocol] = "basic"
+            @winrm.config[:winrm_transport] = "ssl"
+            @winrm.config[:winrm_user] = "domain\\testuser"
+            @winrm.config[:winrm_port] = "5986"
+            allow(Chef::Platform).to receive(:windows?).and_return(true)
+            expect(@winrm).to receive(:create_winrm_session).with({:user=>"domain\\testuser", :password=>"testpassword", :port=>"5986", :no_ssl_peer_verification=>false, :basic_auth_only=>true, :operation_timeout=>1800, :transport=>:ssl, :disable_sspi=>true, :host=>"localhost"})
+            expect(@winrm).to_not receive(:require).with('winrm-s')
+            exit_code = @winrm.run
           end
 
-          it "should not have winrm opts transport set to sspinegotiate for unix" do
+          it "raise error on linux for 'negotiate' authentication" do
+            @winrm.config[:winrm_authentication_protocol] = "negotiate"
+            @winrm.config[:winrm_transport] = "plaintext"
+            @winrm.config[:winrm_user] = "domain\\testuser"
+            allow(@winrm).to receive(:exit)
             allow(Chef::Platform).to receive(:windows?).and_return(false)
-
-            expect(@winrm.session).to receive(:use).with("localhost", {:user=>"testuser", :password=>"testpassword", :port=>nil, :operation_timeout=>1800, :basic_auth_only=>true, :transport=>:plaintext, :disable_sspi=>true})
+            expect(@winrm).to_not receive(:require).with('winrm-s')
+            expect(@winrm.ui).to receive(:warn)
             exit_code = @winrm.run
           end
         end
-
       end
     end
   end