knife-windows 1.1.4 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 12b2f640d26c3299271d30e0b81efa2d3ba1baeb
-  data.tar.gz: 044058207473c385798cc53804bc868f9b95a518
+  metadata.gz: 599acd1f40e0ef8a031bbcb96ec118568b90157e
+  data.tar.gz: 72276b455ff6f6715792cb3f5d2df75403444fa3
 SHA512:
-  metadata.gz: d97b93a2bee443dd25dfdc6581473372807d56ed25fa1b1de85a22c3833ebf071773dc0eab7aba35fc8dbf01a0e685095170f6dc37f5897ec778f162ee55ea75
-  data.tar.gz: 84a0ec562d1bc403475b0bc499e5f21e2b57135df36d9c095cbc150ced5e6bb63a37d792d0390086beea8f81bb195d73fc44998c256c042cca7359488dd72038
+  metadata.gz: 3f5f3ed4dd0949f6f2f833f7700be47097eb651fb43d0989033c953dd4f7cb11ebeca824278267cfe85bf5e7f49de77e1daaa5a2b983eac9efbfaab7030486a5
+  data.tar.gz: cb991cacc4a6a6048e8d55dee16195ac3c37349d0cbf7ffcaf4d4ea4e9ebb42c39fb58e9992dd8aae9c54f6d69cb65e772d40bf0b9b3ccc350079c99d9fc17b7

data/CHANGELOG.md

@@ -1,5 +1,8 @@
 # knife-windows Change Log
 
+## Release 1.2.0
+* [knife-windows #334](https://github.com/chef/knife-windows/pull/334)Uses Negotiate authentication via winrm 1.6 on both windows and linux and drops winrm-s dependency
+
 ## Release 1.1.4
 * Bumps winrm-s and winrm dependencies to address a winrm-s incompatibility bug with winrm 1.5
 

data/DOC_CHANGES.md

@@ -5,16 +5,10 @@ Example Doc Change:
 ### Headline for the required change
 Description of the required change.
 -->
-# knife-windows 1.1.0 doc changes
+# knife-windows 1.2.0 doc changes
 
-### Support for `http_proxy` setting for `winrm` and `bootstrap windows winrm` subcommands
+### Support for NTLM/Negotiate on both windows and linux
 
-Both the `knife winrm` and `knife bootstrap windows winrm` subcommands
-will honor the `http_proxy` configuration in the `knife.rb`
-configuration file.
-
-When this setting is configured, the `WinRM` traffic between the
-workstation executing `knife` and the remote node will flow through
-the proxy server configured with `http_proxy`. See the specific
-documentation for `http_proxy` for additional details.
+This release makes no changes to the command line interface, but users should now be aware that Negotiate authentication and encryption over plaintext HTTP now works on linux in addition to windows.
 
+Users who use knife-windows to bootstrap nodes over plaintext HTTP should also be aware that they no longer need, and in fact should not, configure base images enabling `basic_auth` or enabling `AllowUnencrypted` in their winrm configuration.

data/README.md

@@ -282,16 +282,12 @@ remote system's certificate can subject knife commands to spoofing attacks.
 ## WinRM authentication
 
 The default authentication protocol for `knife-windows` subcommands that use
-WinRM is the Negotiate protocol. The following commands when executed on a
-Windows system show authentication for domain and local accounts respectively:
+WinRM is the Negotiate protocol. The following commands show authentication for domain and local accounts respectively:
 
     knife bootstrap windows winrm web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password"
     knife bootstrap windows winrm db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password"
 
-The commands above are using the default plaintext transport for WinRM --
-the default of Negotiate authentication may not be fully supported on
-non-Windows systems using the plaintext transport. To work around this, the
-remote system can be configured with an SSL WinRM listener instead of a
+The remote system may also be configured with an SSL WinRM listener instead of a
 plaintext listener. Then the above commands should be modified to use the SSL
 transport as follows using the `-t` (or `--winrm-transport`) option with the
 `ssl` argument:
@@ -299,20 +295,16 @@ transport as follows using the `-t` (or `--winrm-transport`) option with the
     knife bootstrap windows winrm -t ssl web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password" -f ~/mycert.crt
     knife bootstrap windows winrm -t ssl db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password" ~/mycert.crt
 
-The commands using SSL above will work from any operating system, not
-just Windows.
-
 ### Troubleshooting authentication
 
-For development and testing purposes, unencrypted traffic with Basic
-authentication can make it easier to test connectivity. The configuration for
+Unencrypted traffic with Basic authentication should only be used for low level wire protocol debugging. The configuration for plain text connectivity to
 the remote system may be accomplished with the following PowerShell commands:
 
 ```powershell
 set-item wsman:\localhost\service\allowunencrypted $true
 set-item wsman:\localhost\service\auth\basic $true
 ```
-To test connectivity via `knife-windows` from another system, the default
+To use basic authentication connectivity via `knife-windows`, the default
 authentication protocol of Negotiate must be overridden using the
 `--winrm-authentication-protocol` option with the desired protocol, in this
 case Basic:
@@ -325,24 +317,13 @@ authentication; an account local to the remote system must be used.
 ### Platform WinRM authentication support
 
 `knife-windows` supports `Kerberos`, `Negotiate`, and `Basic` authentication
-for WinRM communication. However, some of these protocols
-may not work with `knife-windows` on non-Windows systems because
-`knife-windows` relies on operating system libraries such as GSSAPI to implement
-Windows authentication, and some versions of these libraries do not
-fully implement the protocols.
+for WinRM communication.
 
 The following table shows the authentication protocols that can be used with
 `knife-windows` depending on whether the knife workstation is a Windows
 system, the transport, and whether or not the target user is a domain user or
 local to the target Windows system.
 
-| Workstation OS / Account Scope | SSL                          | Plaintext                  |
-|--------------------------------|------------------------------|----------------------------|
-| Windows / Local                | Kerberos, Negotiate* , Basic | Kerberos, Negotiate, Basic |
-| Windows / Domain               | Kerberos, Negotiate          | Kerberos, Negotiate        |
-| Non-Windows / Local            | Kerberos, [Negotiate*](https://github.com/chef/knife-windows/issues/176) Basic | Kerberos, Basic |
-| Non-Windows / Domain           | Kerberos, Negotiate          | Kerberos                   |
-
 > \* There is a known defect in the `knife winrm` and `knife bootstrap windows
 > winrm` subcommands invoked on any OS  platform when authenticating with the Negotiate protocol over
 > the SSL transport. The defect is tracked by
@@ -354,9 +335,7 @@ local to the target Windows system.
 > This is generally not an issue for bootstrap scenarios, where the
 > system has yet to be joined to any domain, but can be a problem for remote
 > management cases after the system is domain joined. Workarounds include using
-> a domain account instead, or enabling Basic authentication on the remote
-> system (unencrypted communication **does not** need to be enabled to make
-> Basic authentication function over SSL).
+> a domain account instead or bypassing SSL and using Negotiate authentication.
 
 ## General troubleshooting
 

data/knife-windows.gemspec

@@ -14,8 +14,7 @@ Gem::Specification.new do |s|
   s.description = s.summary
 
   s.required_ruby_version	= ">= 1.9.1"
-  s.add_dependency "winrm", "~> 1.5"
-  s.add_dependency "winrm-s", "~> 0.3.4"
+  s.add_dependency "winrm", "~> 1.6"
   s.add_dependency "nokogiri"
 
   s.add_development_dependency 'pry'

data/lib/chef/knife/winrm_knife_base.rb

@@ -51,17 +51,6 @@ class Chef
               exit 1
             end
 
-            if negotiate_auth? && !Chef::Platform.windows? && !(locate_config_value(:winrm_transport) == 'ssl')
-              ui.warn <<-eos.gsub /^\s+/, ""
-                You are using '--winrm-authentication-protocol negotiate' with 
-                '--winrm-transport plaintext' on a non-Windows system which results in
-                unencrypted traffic. To avoid this warning and secure communication,
-                use '--winrm-transport ssl' instead of the plaintext transport,
-                or execute this command from a Windows system which enables encrypted
-                communication over plaintext with the negotiate authentication protocol.
-              eos
-            end
-
             warn_no_ssl_peer_verification if resolve_no_ssl_peer_verification
           end
 
@@ -259,8 +248,8 @@ class Chef
             transport = locate_config_value(:winrm_transport).to_sym
             if config.any? {|k,v| k.to_s =~ /kerberos/ && !v.nil? }
               transport = :kerberos
-            elsif Chef::Platform.windows? && transport != :ssl && negotiate_auth?
-              transport = :sspinegotiate
+            elsif transport != :ssl && negotiate_auth?
+              transport = :negotiate
             end
 
             transport
@@ -271,7 +260,7 @@ class Chef
           end
 
           def resolve_winrm_disable_sspi
-            !Chef::Platform.windows? || resolve_winrm_transport == :ssl || !negotiate_auth?
+            resolve_winrm_transport != :negotiate
           end
 
           def get_password

data/lib/chef/knife/winrm_session.rb

@@ -41,7 +41,6 @@ class Chef
         Chef::Log.debug("Endpoint: #{endpoint}")
         Chef::Log.debug("Transport: #{options[:transport]}")
         
-        WinrmSession.load_windows_specific_gems if options[:transport] == :sspinegotiate
         @winrm_session = WinRM::WinRMWebService.new(@endpoint, options[:transport], opts)
         @winrm_session.set_timeout(options[:operation_timeout]) if options[:operation_timeout]
       end
@@ -83,12 +82,6 @@ class Chef
           Chef::Application.new.configure_proxy_environment_variables
         end
       end
-
-      def self.load_windows_specific_gems
-        #checking for windows in case testing on linux
-        require 'winrm-s'
-        Chef::Log.debug("Applied 'winrm-s' monkey patch and trying WinRM communication with 'sspinegotiate'")
-      end
     end
   end
 end

data/lib/knife-windows/version.rb

@@ -1,6 +1,6 @@
 module Knife
   module Windows
-    VERSION = "1.1.4"
+    VERSION = "1.2.0"
     MAJOR, MINOR, TINY = VERSION.split('.')
   end
 end

data/spec/unit/knife/winrm_session_spec.rb

@@ -38,15 +38,6 @@ describe Chef::Knife::WinrmSession do
   subject { Chef::Knife::WinrmSession.new(options) }
 
   describe "#initialize" do
-    context "when using sspinegotiate transport" do
-      let(:options) { { transport: :sspinegotiate } }
-
-      it "uses winrm-s" do
-        expect(Chef::Knife::WinrmSession).to receive(:load_windows_specific_gems)
-        subject
-      end
-    end
-
     context "when a proxy is configured" do
       let(:proxy_uri) { 'blah.com' }
 

data/spec/unit/knife/winrm_spec.rb

@@ -233,7 +233,7 @@ describe Chef::Knife::Winrm do
 
         it "defaults to negotiate when on a Windows host" do
           expect(Chef::Knife::WinrmSession).to receive(:new) do |opts|
-            expect(opts[:transport]).to eq(:sspinegotiate)
+            expect(opts[:transport]).to eq(:negotiate)
           end.and_return(winrm_session)
           subject.configure_session
         end
@@ -471,23 +471,22 @@ describe Chef::Knife::Winrm do
         allow(@winrm).to receive(:relay_winrm_command).and_return(0)
       end
 
-      it "sets sspinegotiate transport on windows for 'negotiate' authentication" do
+      it "sets negotiate transport on windows for 'negotiate' authentication" do
         @winrm.config[:winrm_authentication_protocol] = "negotiate"
         allow(Chef::Platform).to receive(:windows?).and_return(true)
         allow(Chef::Knife::WinrmSession).to receive(:new) do |opts|
           expect(opts[:disable_sspi]).to be(false)
-          expect(opts[:transport]).to be(:sspinegotiate)
+          expect(opts[:transport]).to be(:negotiate)
         end.and_return(session)
         @winrm.run
       end
 
-      it "does not have winrm opts transport set to sspinegotiate for unix" do
+      it "sets negotiate transport on unix for 'negotiate' authentication" do
         @winrm.config[:winrm_authentication_protocol] = "negotiate"
         allow(Chef::Platform).to receive(:windows?).and_return(false)
-        allow(@winrm).to receive(:exit)
         allow(Chef::Knife::WinrmSession).to receive(:new) do |opts|
-          expect(opts[:disable_sspi]).to be(true)
-          expect(opts[:transport]).to be(:plaintext)
+          expect(opts[:disable_sspi]).to be(false)
+          expect(opts[:transport]).to be(:negotiate)
         end.and_return(session)
         @winrm.run
       end
@@ -506,46 +505,12 @@ describe Chef::Knife::Winrm do
         @winrm.run
       end
 
-      it "applies winrm monkey patch on windows if 'negotiate' authentication and 'plaintext' transport is specified", :windows_only => true do
-        @winrm.config[:winrm_authentication_protocol] = "negotiate"
-        allow(Chef::Platform).to receive(:windows?).and_return(true)
-        allow(@winrm.ui).to receive(:warn)
-        @winrm.run
-      end
-
       it "raises an error if value is other than [basic, negotiate, kerberos]" do
         @winrm.config[:winrm_authentication_protocol] = "invalid"
         allow(Chef::Platform).to receive(:windows?).and_return(true)
         expect(@winrm.ui).to receive(:error)
         expect { @winrm.run }.to raise_error(SystemExit)
       end
-
-      it "skips the winrm monkey patch for 'basic' authentication" do
-        @winrm.config[:winrm_authentication_protocol] = "basic"
-        allow(Chef::Platform).to receive(:windows?).and_return(true)
-        @winrm.run
-      end
-
-      it "skips the winrm monkey patch for 'kerberos' authentication" do
-        @winrm.config[:winrm_authentication_protocol] = "kerberos"
-        allow(Chef::Platform).to receive(:windows?).and_return(true)
-        @winrm.run
-      end
-
-      it "skips the winrm monkey patch for 'ssl' transport and 'negotiate' authentication" do
-        @winrm.config[:winrm_authentication_protocol] = "negotiate"
-        @winrm.config[:winrm_transport] = "ssl"
-        allow(Chef::Platform).to receive(:windows?).and_return(true)
-        @winrm.run
-      end
-
-      it "prints a warning on linux for unencrypted negotiate authentication" do
-        @winrm.config[:winrm_authentication_protocol] = "negotiate"
-        @winrm.config[:winrm_transport] = "plaintext"
-        allow(Chef::Platform).to receive(:windows?).and_return(false)
-        expect(@winrm.ui).to receive(:warn).once
-        expect { @winrm.run }.to_not raise_error(SystemExit)
-      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: knife-windows
 version: !ruby/object:Gem::Version
-  version: 1.1.4
+  version: 1.2.0
 platform: ruby
 authors:
 - Seth Chisamore
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-15 00:00:00.000000000 Z
+date: 2016-01-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: winrm
@@ -16,28 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '1.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.5'
-- !ruby/object:Gem::Dependency
-  name: winrm-s
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.3.4
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.3.4
+        version: '1.6'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement