knife-windows 1.2.0 → 1.2.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +5 -5
- data/.travis.yml +23 -23
- data/CHANGELOG.md +104 -101
- data/DOC_CHANGES.md +14 -14
- data/Gemfile +12 -12
- data/LICENSE +201 -201
- data/README.md +376 -376
- data/RELEASE_NOTES.md +34 -34
- data/Rakefile +21 -21
- data/appveyor.yml +42 -42
- data/ci.gemfile +15 -15
- data/features/knife_help.feature +20 -20
- data/features/support/env.rb +5 -5
- data/knife-windows.gemspec +25 -26
- data/lib/chef/knife/bootstrap/windows-chef-client-msi.erb +247 -247
- data/lib/chef/knife/bootstrap_windows_base.rb +415 -415
- data/lib/chef/knife/bootstrap_windows_ssh.rb +115 -115
- data/lib/chef/knife/bootstrap_windows_winrm.rb +95 -95
- data/lib/chef/knife/core/windows_bootstrap_context.rb +366 -362
- data/lib/chef/knife/knife_windows_base.rb +33 -33
- data/lib/chef/knife/windows_cert_generate.rb +155 -155
- data/lib/chef/knife/windows_cert_install.rb +68 -68
- data/lib/chef/knife/windows_helper.rb +36 -36
- data/lib/chef/knife/windows_listener_create.rb +107 -107
- data/lib/chef/knife/winrm.rb +122 -122
- data/lib/chef/knife/winrm_base.rb +113 -113
- data/lib/chef/knife/winrm_knife_base.rb +298 -298
- data/lib/chef/knife/winrm_session.rb +86 -86
- data/lib/chef/knife/winrm_shared_options.rb +47 -47
- data/lib/chef/knife/wsman_endpoint.rb +44 -44
- data/lib/chef/knife/wsman_test.rb +117 -95
- data/lib/knife-windows/path_helper.rb +234 -234
- data/lib/knife-windows/version.rb +6 -6
- data/spec/assets/win_template_rendered_with_bootstrap_install_command.txt +217 -217
- data/spec/assets/win_template_rendered_with_bootstrap_install_command_on_12_5_client.txt +217 -217
- data/spec/assets/win_template_rendered_without_bootstrap_install_command.txt +329 -329
- data/spec/assets/win_template_rendered_without_bootstrap_install_command_on_12_5_client.txt +329 -329
- data/spec/assets/win_template_unrendered.txt +246 -246
- data/spec/functional/bootstrap_download_spec.rb +234 -234
- data/spec/spec_helper.rb +93 -93
- data/spec/unit/knife/bootstrap_options_spec.rb +154 -150
- data/spec/unit/knife/bootstrap_template_spec.rb +92 -92
- data/spec/unit/knife/bootstrap_windows_winrm_spec.rb +295 -295
- data/spec/unit/knife/core/windows_bootstrap_context_spec.rb +177 -151
- data/spec/unit/knife/windows_cert_generate_spec.rb +90 -90
- data/spec/unit/knife/windows_cert_install_spec.rb +51 -51
- data/spec/unit/knife/windows_listener_create_spec.rb +76 -76
- data/spec/unit/knife/winrm_session_spec.rb +64 -64
- data/spec/unit/knife/winrm_spec.rb +516 -516
- data/spec/unit/knife/wsman_test_spec.rb +201 -178
- metadata +2 -16
@@ -1,113 +1,113 @@
|
|
1
|
-
#
|
2
|
-
# Author:: Seth Chisamore (<schisamo@opscode.com>)
|
3
|
-
# Copyright:: Copyright (c) 2011 Opscode, Inc.
|
4
|
-
# License:: Apache License, Version 2.0
|
5
|
-
#
|
6
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
7
|
-
# you may not use this file except in compliance with the License.
|
8
|
-
# You may obtain a copy of the License at
|
9
|
-
#
|
10
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
11
|
-
#
|
12
|
-
# Unless required by applicable law or agreed to in writing, software
|
13
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
14
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
15
|
-
# See the License for the specific language governing permissions and
|
16
|
-
# limitations under the License.
|
17
|
-
#
|
18
|
-
|
19
|
-
require 'chef/knife'
|
20
|
-
require 'chef/encrypted_data_bag_item'
|
21
|
-
require 'kconv'
|
22
|
-
|
23
|
-
class Chef
|
24
|
-
class Knife
|
25
|
-
module WinrmBase
|
26
|
-
|
27
|
-
# It includes supported WinRM authentication protocol.
|
28
|
-
WINRM_AUTH_PROTOCOL_LIST ||= %w{basic negotiate kerberos}
|
29
|
-
|
30
|
-
# :nodoc:
|
31
|
-
# Would prefer to do this in a rational way, but can't be done b/c of
|
32
|
-
# Mixlib::CLI's design :(
|
33
|
-
def self.included(includer)
|
34
|
-
includer.class_eval do
|
35
|
-
|
36
|
-
deps do
|
37
|
-
require 'readline'
|
38
|
-
require 'chef/json_compat'
|
39
|
-
end
|
40
|
-
|
41
|
-
option :winrm_user,
|
42
|
-
:short => "-x USERNAME",
|
43
|
-
:long => "--winrm-user USERNAME",
|
44
|
-
:description => "The WinRM username",
|
45
|
-
:default => "Administrator",
|
46
|
-
:proc => Proc.new { |key| Chef::Config[:knife][:winrm_user] = key }
|
47
|
-
|
48
|
-
option :winrm_password,
|
49
|
-
:short => "-P PASSWORD",
|
50
|
-
:long => "--winrm-password PASSWORD",
|
51
|
-
:description => "The WinRM password",
|
52
|
-
:proc => Proc.new { |key| Chef::Config[:knife][:winrm_password] = key }
|
53
|
-
|
54
|
-
option :winrm_transport,
|
55
|
-
:short => "-t TRANSPORT",
|
56
|
-
:long => "--winrm-transport TRANSPORT",
|
57
|
-
:description => "The WinRM transport type. valid choices are [ssl, plaintext]",
|
58
|
-
:default => 'plaintext',
|
59
|
-
:proc => Proc.new { |transport| Chef::Config[:knife][:winrm_port] = '5986' if transport == 'ssl'
|
60
|
-
Chef::Config[:knife][:winrm_transport] = transport }
|
61
|
-
|
62
|
-
option :winrm_port,
|
63
|
-
:short => "-p PORT",
|
64
|
-
:long => "--winrm-port PORT",
|
65
|
-
:description => "The WinRM port, by default this is '5985' for 'plaintext' and '5986' for 'ssl' winrm transport",
|
66
|
-
:default => '5985',
|
67
|
-
:proc => Proc.new { |key| Chef::Config[:knife][:winrm_port] = key }
|
68
|
-
|
69
|
-
option :kerberos_keytab_file,
|
70
|
-
:short => "-T KEYTAB_FILE",
|
71
|
-
:long => "--keytab-file KEYTAB_FILE",
|
72
|
-
:description => "The Kerberos keytab file used for authentication",
|
73
|
-
:proc => Proc.new { |keytab| Chef::Config[:knife][:kerberos_keytab_file] = keytab }
|
74
|
-
|
75
|
-
option :kerberos_realm,
|
76
|
-
:short => "-R KERBEROS_REALM",
|
77
|
-
:long => "--kerberos-realm KERBEROS_REALM",
|
78
|
-
:description => "The Kerberos realm used for authentication",
|
79
|
-
:proc => Proc.new { |realm| Chef::Config[:knife][:kerberos_realm] = realm }
|
80
|
-
|
81
|
-
option :kerberos_service,
|
82
|
-
:short => "-S KERBEROS_SERVICE",
|
83
|
-
:long => "--kerberos-service KERBEROS_SERVICE",
|
84
|
-
:description => "The Kerberos service used for authentication",
|
85
|
-
:proc => Proc.new { |service| Chef::Config[:knife][:kerberos_service] = service }
|
86
|
-
|
87
|
-
option :ca_trust_file,
|
88
|
-
:short => "-f CA_TRUST_FILE",
|
89
|
-
:long => "--ca-trust-file CA_TRUST_FILE",
|
90
|
-
:description => "The Certificate Authority (CA) trust file used for SSL transport",
|
91
|
-
:proc => Proc.new { |trust| Chef::Config[:knife][:ca_trust_file] = trust }
|
92
|
-
|
93
|
-
option :winrm_ssl_verify_mode,
|
94
|
-
:long => "--winrm-ssl-verify-mode SSL_VERIFY_MODE",
|
95
|
-
:description => "The WinRM peer verification mode. Valid choices are [verify_peer, verify_none]",
|
96
|
-
:default => :verify_peer,
|
97
|
-
:proc => Proc.new { |verify_mode| verify_mode.to_sym }
|
98
|
-
|
99
|
-
option :winrm_authentication_protocol,
|
100
|
-
:long => "--winrm-authentication-protocol AUTHENTICATION_PROTOCOL",
|
101
|
-
:description => "The authentication protocol used during WinRM communication. The supported protocols are #{WINRM_AUTH_PROTOCOL_LIST.join(',')}. Default is 'negotiate'.",
|
102
|
-
:default => "negotiate",
|
103
|
-
:proc => Proc.new { |protocol| Chef::Config[:knife][:winrm_authentication_protocol] = protocol }
|
104
|
-
|
105
|
-
option :session_timeout,
|
106
|
-
:long => "--session-timeout Minutes",
|
107
|
-
:description => "The timeout for the client for the maximum length of the WinRM session",
|
108
|
-
:default => 30
|
109
|
-
end
|
110
|
-
end
|
111
|
-
end
|
112
|
-
end
|
113
|
-
end
|
1
|
+
#
|
2
|
+
# Author:: Seth Chisamore (<schisamo@opscode.com>)
|
3
|
+
# Copyright:: Copyright (c) 2011 Opscode, Inc.
|
4
|
+
# License:: Apache License, Version 2.0
|
5
|
+
#
|
6
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
7
|
+
# you may not use this file except in compliance with the License.
|
8
|
+
# You may obtain a copy of the License at
|
9
|
+
#
|
10
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
11
|
+
#
|
12
|
+
# Unless required by applicable law or agreed to in writing, software
|
13
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
14
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
15
|
+
# See the License for the specific language governing permissions and
|
16
|
+
# limitations under the License.
|
17
|
+
#
|
18
|
+
|
19
|
+
require 'chef/knife'
|
20
|
+
require 'chef/encrypted_data_bag_item'
|
21
|
+
require 'kconv'
|
22
|
+
|
23
|
+
class Chef
|
24
|
+
class Knife
|
25
|
+
module WinrmBase
|
26
|
+
|
27
|
+
# It includes supported WinRM authentication protocol.
|
28
|
+
WINRM_AUTH_PROTOCOL_LIST ||= %w{basic negotiate kerberos}
|
29
|
+
|
30
|
+
# :nodoc:
|
31
|
+
# Would prefer to do this in a rational way, but can't be done b/c of
|
32
|
+
# Mixlib::CLI's design :(
|
33
|
+
def self.included(includer)
|
34
|
+
includer.class_eval do
|
35
|
+
|
36
|
+
deps do
|
37
|
+
require 'readline'
|
38
|
+
require 'chef/json_compat'
|
39
|
+
end
|
40
|
+
|
41
|
+
option :winrm_user,
|
42
|
+
:short => "-x USERNAME",
|
43
|
+
:long => "--winrm-user USERNAME",
|
44
|
+
:description => "The WinRM username",
|
45
|
+
:default => "Administrator",
|
46
|
+
:proc => Proc.new { |key| Chef::Config[:knife][:winrm_user] = key }
|
47
|
+
|
48
|
+
option :winrm_password,
|
49
|
+
:short => "-P PASSWORD",
|
50
|
+
:long => "--winrm-password PASSWORD",
|
51
|
+
:description => "The WinRM password",
|
52
|
+
:proc => Proc.new { |key| Chef::Config[:knife][:winrm_password] = key }
|
53
|
+
|
54
|
+
option :winrm_transport,
|
55
|
+
:short => "-t TRANSPORT",
|
56
|
+
:long => "--winrm-transport TRANSPORT",
|
57
|
+
:description => "The WinRM transport type. valid choices are [ssl, plaintext]",
|
58
|
+
:default => 'plaintext',
|
59
|
+
:proc => Proc.new { |transport| Chef::Config[:knife][:winrm_port] = '5986' if transport == 'ssl'
|
60
|
+
Chef::Config[:knife][:winrm_transport] = transport }
|
61
|
+
|
62
|
+
option :winrm_port,
|
63
|
+
:short => "-p PORT",
|
64
|
+
:long => "--winrm-port PORT",
|
65
|
+
:description => "The WinRM port, by default this is '5985' for 'plaintext' and '5986' for 'ssl' winrm transport",
|
66
|
+
:default => '5985',
|
67
|
+
:proc => Proc.new { |key| Chef::Config[:knife][:winrm_port] = key }
|
68
|
+
|
69
|
+
option :kerberos_keytab_file,
|
70
|
+
:short => "-T KEYTAB_FILE",
|
71
|
+
:long => "--keytab-file KEYTAB_FILE",
|
72
|
+
:description => "The Kerberos keytab file used for authentication",
|
73
|
+
:proc => Proc.new { |keytab| Chef::Config[:knife][:kerberos_keytab_file] = keytab }
|
74
|
+
|
75
|
+
option :kerberos_realm,
|
76
|
+
:short => "-R KERBEROS_REALM",
|
77
|
+
:long => "--kerberos-realm KERBEROS_REALM",
|
78
|
+
:description => "The Kerberos realm used for authentication",
|
79
|
+
:proc => Proc.new { |realm| Chef::Config[:knife][:kerberos_realm] = realm }
|
80
|
+
|
81
|
+
option :kerberos_service,
|
82
|
+
:short => "-S KERBEROS_SERVICE",
|
83
|
+
:long => "--kerberos-service KERBEROS_SERVICE",
|
84
|
+
:description => "The Kerberos service used for authentication",
|
85
|
+
:proc => Proc.new { |service| Chef::Config[:knife][:kerberos_service] = service }
|
86
|
+
|
87
|
+
option :ca_trust_file,
|
88
|
+
:short => "-f CA_TRUST_FILE",
|
89
|
+
:long => "--ca-trust-file CA_TRUST_FILE",
|
90
|
+
:description => "The Certificate Authority (CA) trust file used for SSL transport",
|
91
|
+
:proc => Proc.new { |trust| Chef::Config[:knife][:ca_trust_file] = trust }
|
92
|
+
|
93
|
+
option :winrm_ssl_verify_mode,
|
94
|
+
:long => "--winrm-ssl-verify-mode SSL_VERIFY_MODE",
|
95
|
+
:description => "The WinRM peer verification mode. Valid choices are [verify_peer, verify_none]",
|
96
|
+
:default => :verify_peer,
|
97
|
+
:proc => Proc.new { |verify_mode| verify_mode.to_sym }
|
98
|
+
|
99
|
+
option :winrm_authentication_protocol,
|
100
|
+
:long => "--winrm-authentication-protocol AUTHENTICATION_PROTOCOL",
|
101
|
+
:description => "The authentication protocol used during WinRM communication. The supported protocols are #{WINRM_AUTH_PROTOCOL_LIST.join(',')}. Default is 'negotiate'.",
|
102
|
+
:default => "negotiate",
|
103
|
+
:proc => Proc.new { |protocol| Chef::Config[:knife][:winrm_authentication_protocol] = protocol }
|
104
|
+
|
105
|
+
option :session_timeout,
|
106
|
+
:long => "--session-timeout Minutes",
|
107
|
+
:description => "The timeout for the client for the maximum length of the WinRM session",
|
108
|
+
:default => 30
|
109
|
+
end
|
110
|
+
end
|
111
|
+
end
|
112
|
+
end
|
113
|
+
end
|
@@ -1,298 +1,298 @@
|
|
1
|
-
#
|
2
|
-
# Author:: Steven Murawski (<smurawski@chef.io)
|
3
|
-
# Copyright:: Copyright (c) 2015 Chef Software, Inc.
|
4
|
-
# License:: Apache License, Version 2.0
|
5
|
-
#
|
6
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
7
|
-
# you may not use this file except in compliance with the License.
|
8
|
-
# You may obtain a copy of the License at
|
9
|
-
#
|
10
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
11
|
-
#
|
12
|
-
# Unless required by applicable law or agreed to in writing, software
|
13
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
14
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
15
|
-
# See the License for the specific language governing permissions and
|
16
|
-
# limitations under the License.
|
17
|
-
#
|
18
|
-
|
19
|
-
|
20
|
-
require 'chef/knife'
|
21
|
-
require 'chef/knife/winrm_base'
|
22
|
-
require 'chef/knife/winrm_shared_options'
|
23
|
-
require 'chef/knife/knife_windows_base'
|
24
|
-
|
25
|
-
class Chef
|
26
|
-
class Knife
|
27
|
-
module WinrmCommandSharedFunctions
|
28
|
-
|
29
|
-
FAILED_BASIC_HINT ||= "Hint: Please check winrm configuration 'winrm get winrm/config/service' AllowUnencrypted flag on remote server."
|
30
|
-
FAILED_NOT_BASIC_HINT ||= <<-eos.gsub /^\s+/, ""
|
31
|
-
Hint: Make sure to prefix domain usernames with the correct domain name.
|
32
|
-
Hint: Local user names should be prefixed with computer name or IP address.
|
33
|
-
EXAMPLE: my_domain\\user_namer
|
34
|
-
eos
|
35
|
-
|
36
|
-
def self.included(includer)
|
37
|
-
includer.class_eval do
|
38
|
-
|
39
|
-
@@ssl_warning_given = false
|
40
|
-
|
41
|
-
include Chef::Knife::WinrmBase
|
42
|
-
include Chef::Knife::WinrmSharedOptions
|
43
|
-
include Chef::Knife::KnifeWindowsBase
|
44
|
-
|
45
|
-
def validate_winrm_options!
|
46
|
-
winrm_auth_protocol = locate_config_value(:winrm_authentication_protocol)
|
47
|
-
|
48
|
-
if ! Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.include?(winrm_auth_protocol)
|
49
|
-
ui.error "Invalid value '#{winrm_auth_protocol}' for --winrm-authentication-protocol option."
|
50
|
-
ui.info "Valid values are #{Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.join(",")}."
|
51
|
-
exit 1
|
52
|
-
end
|
53
|
-
|
54
|
-
warn_no_ssl_peer_verification if resolve_no_ssl_peer_verification
|
55
|
-
end
|
56
|
-
|
57
|
-
#Overrides Chef::Knife#configure_session, as that code is tied to the SSH implementation
|
58
|
-
#Tracked by Issue # 3042 / https://github.com/chef/chef/issues/3042
|
59
|
-
def configure_session
|
60
|
-
validate_winrm_options!
|
61
|
-
resolve_session_options
|
62
|
-
resolve_target_nodes
|
63
|
-
session_from_list
|
64
|
-
end
|
65
|
-
|
66
|
-
def resolve_target_nodes
|
67
|
-
@list = case config[:manual]
|
68
|
-
when true
|
69
|
-
@name_args[0].split(" ")
|
70
|
-
when false
|
71
|
-
r = Array.new
|
72
|
-
q = Chef::Search::Query.new
|
73
|
-
@action_nodes = q.search(:node, @name_args[0])[0]
|
74
|
-
@action_nodes.each do |item|
|
75
|
-
i = extract_nested_value(item, config[:attribute])
|
76
|
-
r.push(i) unless i.nil?
|
77
|
-
end
|
78
|
-
r
|
79
|
-
end
|
80
|
-
|
81
|
-
if @list.length == 0
|
82
|
-
if @action_nodes.length == 0
|
83
|
-
ui.fatal("No nodes returned from search!")
|
84
|
-
else
|
85
|
-
ui.fatal("#{@action_nodes.length} #{@action_nodes.length > 1 ? "nodes":"node"} found, " +
|
86
|
-
"but does not have the required attribute (#{config[:attribute]}) to establish the connection. " +
|
87
|
-
"Try setting another attribute to open the connection using --attribute.")
|
88
|
-
end
|
89
|
-
exit 10
|
90
|
-
end
|
91
|
-
end
|
92
|
-
|
93
|
-
# TODO: Copied from Knife::Core:GenericPresenter. Should be extracted
|
94
|
-
def extract_nested_value(data, nested_value_spec)
|
95
|
-
nested_value_spec.split(".").each do |attr|
|
96
|
-
if data.nil?
|
97
|
-
nil # don't get no method error on nil
|
98
|
-
elsif data.respond_to?(attr.to_sym)
|
99
|
-
data = data.send(attr.to_sym)
|
100
|
-
elsif data.respond_to?(:[])
|
101
|
-
data = data[attr]
|
102
|
-
else
|
103
|
-
data = begin
|
104
|
-
data.send(attr.to_sym)
|
105
|
-
rescue NoMethodError
|
106
|
-
nil
|
107
|
-
end
|
108
|
-
end
|
109
|
-
end
|
110
|
-
( !data.kind_of?(Array) && data.respond_to?(:to_hash) ) ? data.to_hash : data
|
111
|
-
end
|
112
|
-
|
113
|
-
def run_command(command = '')
|
114
|
-
relay_winrm_command(command)
|
115
|
-
|
116
|
-
check_for_errors!
|
117
|
-
|
118
|
-
# Knife seems to ignore the return value of this method,
|
119
|
-
# so we exit to force the process exit code for this
|
120
|
-
# subcommand if returns is set
|
121
|
-
exit @exit_code if @exit_code && @exit_code != 0
|
122
|
-
0
|
123
|
-
end
|
124
|
-
|
125
|
-
def relay_winrm_command(command)
|
126
|
-
Chef::Log.debug(command)
|
127
|
-
@winrm_sessions.each do |s|
|
128
|
-
begin
|
129
|
-
s.relay_command(command)
|
130
|
-
rescue WinRM::WinRMHTTPTransportError, WinRM::WinRMAuthorizationError => e
|
131
|
-
if authorization_error?(e)
|
132
|
-
if ! config[:suppress_auth_failure]
|
133
|
-
# Display errors if the caller hasn't opted to retry
|
134
|
-
ui.error "Failed to authenticate to #{s.host} as #{locate_config_value(:winrm_user)}"
|
135
|
-
ui.info "Response: #{e.message}"
|
136
|
-
ui.info get_failed_authentication_hint
|
137
|
-
raise e
|
138
|
-
end
|
139
|
-
@exit_code = 401
|
140
|
-
else
|
141
|
-
raise e
|
142
|
-
end
|
143
|
-
end
|
144
|
-
end
|
145
|
-
end
|
146
|
-
|
147
|
-
private
|
148
|
-
|
149
|
-
def get_failed_authentication_hint
|
150
|
-
if @session_opts[:basic_auth_only]
|
151
|
-
FAILED_BASIC_HINT
|
152
|
-
else
|
153
|
-
FAILED_NOT_BASIC_HINT
|
154
|
-
end
|
155
|
-
end
|
156
|
-
|
157
|
-
def authorization_error?(exception)
|
158
|
-
exception.is_a?(WinRM::WinRMAuthorizationError) ||
|
159
|
-
exception.message =~ /401/
|
160
|
-
end
|
161
|
-
|
162
|
-
def check_for_errors!
|
163
|
-
@winrm_sessions.each do |session|
|
164
|
-
session_exit_code = session.exit_code
|
165
|
-
unless success_return_codes.include? session_exit_code.to_i
|
166
|
-
@exit_code = session_exit_code.to_i
|
167
|
-
ui.error "Failed to execute command on #{session.host} return code #{session_exit_code}"
|
168
|
-
end
|
169
|
-
end
|
170
|
-
end
|
171
|
-
|
172
|
-
def success_return_codes
|
173
|
-
#Redundant if the CLI options parsing occurs
|
174
|
-
return [0] unless config[:returns]
|
175
|
-
return @success_return_codes ||= config[:returns].split(',').collect {|item| item.to_i}
|
176
|
-
end
|
177
|
-
|
178
|
-
def session_from_list
|
179
|
-
@list.each do |item|
|
180
|
-
Chef::Log.debug("Adding #{item}")
|
181
|
-
@session_opts[:host] = item
|
182
|
-
create_winrm_session(@session_opts)
|
183
|
-
end
|
184
|
-
end
|
185
|
-
|
186
|
-
def create_winrm_session(options={})
|
187
|
-
session = Chef::Knife::WinrmSession.new(options)
|
188
|
-
@winrm_sessions ||= []
|
189
|
-
@winrm_sessions.push(session)
|
190
|
-
end
|
191
|
-
|
192
|
-
def resolve_session_options
|
193
|
-
@session_opts = {
|
194
|
-
user: resolve_winrm_user,
|
195
|
-
password: locate_config_value(:winrm_password),
|
196
|
-
port: locate_config_value(:winrm_port),
|
197
|
-
operation_timeout: resolve_winrm_session_timeout,
|
198
|
-
basic_auth_only: resolve_winrm_basic_auth,
|
199
|
-
disable_sspi: resolve_winrm_disable_sspi,
|
200
|
-
transport: resolve_winrm_transport,
|
201
|
-
no_ssl_peer_verification: resolve_no_ssl_peer_verification
|
202
|
-
}
|
203
|
-
|
204
|
-
if @session_opts[:user] and (not @session_opts[:password])
|
205
|
-
@session_opts[:password] = Chef::Config[:knife][:winrm_password] = config[:winrm_password] = get_password
|
206
|
-
end
|
207
|
-
|
208
|
-
if @session_opts[:transport] == :kerberos
|
209
|
-
@session_opts.merge!(resolve_winrm_kerberos_options)
|
210
|
-
end
|
211
|
-
|
212
|
-
@session_opts[:ca_trust_path] = locate_config_value(:ca_trust_file) if locate_config_value(:ca_trust_file)
|
213
|
-
end
|
214
|
-
|
215
|
-
def resolve_winrm_user
|
216
|
-
user = locate_config_value(:winrm_user)
|
217
|
-
|
218
|
-
# Prefixing with '.\' when using negotiate
|
219
|
-
# to auth user against local machine domain
|
220
|
-
if resolve_winrm_basic_auth ||
|
221
|
-
resolve_winrm_transport == :kerberos ||
|
222
|
-
user.include?("\\") ||
|
223
|
-
user.include?("@")
|
224
|
-
user
|
225
|
-
else
|
226
|
-
".\\#{user}"
|
227
|
-
end
|
228
|
-
end
|
229
|
-
|
230
|
-
def resolve_winrm_session_timeout
|
231
|
-
#30 min (Default) OperationTimeout for long bootstraps fix for KNIFE_WINDOWS-8
|
232
|
-
locate_config_value(:session_timeout).to_i * 60 if locate_config_value(:session_timeout)
|
233
|
-
end
|
234
|
-
|
235
|
-
def resolve_winrm_basic_auth
|
236
|
-
locate_config_value(:winrm_authentication_protocol) == "basic"
|
237
|
-
end
|
238
|
-
|
239
|
-
def resolve_winrm_kerberos_options
|
240
|
-
kerberos_opts = {}
|
241
|
-
kerberos_opts[:keytab] = locate_config_value(:kerberos_keytab_file) if locate_config_value(:kerberos_keytab_file)
|
242
|
-
kerberos_opts[:realm] = locate_config_value(:kerberos_realm) if locate_config_value(:kerberos_realm)
|
243
|
-
kerberos_opts[:service] = locate_config_value(:kerberos_service) if locate_config_value(:kerberos_service)
|
244
|
-
kerberos_opts
|
245
|
-
end
|
246
|
-
|
247
|
-
def resolve_winrm_transport
|
248
|
-
transport = locate_config_value(:winrm_transport).to_sym
|
249
|
-
if config.any? {|k,v| k.to_s =~ /kerberos/ && !v.nil? }
|
250
|
-
transport = :kerberos
|
251
|
-
elsif transport != :ssl && negotiate_auth?
|
252
|
-
transport = :negotiate
|
253
|
-
end
|
254
|
-
|
255
|
-
transport
|
256
|
-
end
|
257
|
-
|
258
|
-
def resolve_no_ssl_peer_verification
|
259
|
-
locate_config_value(:ca_trust_file).nil? && config[:winrm_ssl_verify_mode] == :verify_none && resolve_winrm_transport == :ssl
|
260
|
-
end
|
261
|
-
|
262
|
-
def resolve_winrm_disable_sspi
|
263
|
-
resolve_winrm_transport != :negotiate
|
264
|
-
end
|
265
|
-
|
266
|
-
def get_password
|
267
|
-
@password ||= ui.ask("Enter your password: ") { |q| q.echo = false }
|
268
|
-
end
|
269
|
-
|
270
|
-
def negotiate_auth?
|
271
|
-
locate_config_value(:winrm_authentication_protocol) == "negotiate"
|
272
|
-
end
|
273
|
-
|
274
|
-
def warn_no_ssl_peer_verification
|
275
|
-
if ! @@ssl_warning_given
|
276
|
-
@@ssl_warning_given = true
|
277
|
-
ui.warn(<<-WARN)
|
278
|
-
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
|
279
|
-
SSL validation of HTTPS requests for the WinRM transport is disabled. HTTPS WinRM
|
280
|
-
connections are still encrypted, but knife is not able to detect forged replies
|
281
|
-
or spoofing attacks.
|
282
|
-
|
283
|
-
To fix this issue add an entry like this to your knife configuration file:
|
284
|
-
|
285
|
-
```
|
286
|
-
# Verify all WinRM HTTPS connections (default, recommended)
|
287
|
-
knife[:winrm_ssl_verify_mode] = :verify_peer
|
288
|
-
```
|
289
|
-
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
|
290
|
-
WARN
|
291
|
-
end
|
292
|
-
end
|
293
|
-
|
294
|
-
end
|
295
|
-
end
|
296
|
-
end
|
297
|
-
end
|
298
|
-
end
|
1
|
+
#
|
2
|
+
# Author:: Steven Murawski (<smurawski@chef.io)
|
3
|
+
# Copyright:: Copyright (c) 2015 Chef Software, Inc.
|
4
|
+
# License:: Apache License, Version 2.0
|
5
|
+
#
|
6
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
7
|
+
# you may not use this file except in compliance with the License.
|
8
|
+
# You may obtain a copy of the License at
|
9
|
+
#
|
10
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
11
|
+
#
|
12
|
+
# Unless required by applicable law or agreed to in writing, software
|
13
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
14
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
15
|
+
# See the License for the specific language governing permissions and
|
16
|
+
# limitations under the License.
|
17
|
+
#
|
18
|
+
|
19
|
+
|
20
|
+
require 'chef/knife'
|
21
|
+
require 'chef/knife/winrm_base'
|
22
|
+
require 'chef/knife/winrm_shared_options'
|
23
|
+
require 'chef/knife/knife_windows_base'
|
24
|
+
|
25
|
+
class Chef
|
26
|
+
class Knife
|
27
|
+
module WinrmCommandSharedFunctions
|
28
|
+
|
29
|
+
FAILED_BASIC_HINT ||= "Hint: Please check winrm configuration 'winrm get winrm/config/service' AllowUnencrypted flag on remote server."
|
30
|
+
FAILED_NOT_BASIC_HINT ||= <<-eos.gsub /^\s+/, ""
|
31
|
+
Hint: Make sure to prefix domain usernames with the correct domain name.
|
32
|
+
Hint: Local user names should be prefixed with computer name or IP address.
|
33
|
+
EXAMPLE: my_domain\\user_namer
|
34
|
+
eos
|
35
|
+
|
36
|
+
def self.included(includer)
|
37
|
+
includer.class_eval do
|
38
|
+
|
39
|
+
@@ssl_warning_given = false
|
40
|
+
|
41
|
+
include Chef::Knife::WinrmBase
|
42
|
+
include Chef::Knife::WinrmSharedOptions
|
43
|
+
include Chef::Knife::KnifeWindowsBase
|
44
|
+
|
45
|
+
def validate_winrm_options!
|
46
|
+
winrm_auth_protocol = locate_config_value(:winrm_authentication_protocol)
|
47
|
+
|
48
|
+
if ! Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.include?(winrm_auth_protocol)
|
49
|
+
ui.error "Invalid value '#{winrm_auth_protocol}' for --winrm-authentication-protocol option."
|
50
|
+
ui.info "Valid values are #{Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.join(",")}."
|
51
|
+
exit 1
|
52
|
+
end
|
53
|
+
|
54
|
+
warn_no_ssl_peer_verification if resolve_no_ssl_peer_verification
|
55
|
+
end
|
56
|
+
|
57
|
+
#Overrides Chef::Knife#configure_session, as that code is tied to the SSH implementation
|
58
|
+
#Tracked by Issue # 3042 / https://github.com/chef/chef/issues/3042
|
59
|
+
def configure_session
|
60
|
+
validate_winrm_options!
|
61
|
+
resolve_session_options
|
62
|
+
resolve_target_nodes
|
63
|
+
session_from_list
|
64
|
+
end
|
65
|
+
|
66
|
+
def resolve_target_nodes
|
67
|
+
@list = case config[:manual]
|
68
|
+
when true
|
69
|
+
@name_args[0].split(" ")
|
70
|
+
when false
|
71
|
+
r = Array.new
|
72
|
+
q = Chef::Search::Query.new
|
73
|
+
@action_nodes = q.search(:node, @name_args[0])[0]
|
74
|
+
@action_nodes.each do |item|
|
75
|
+
i = extract_nested_value(item, config[:attribute])
|
76
|
+
r.push(i) unless i.nil?
|
77
|
+
end
|
78
|
+
r
|
79
|
+
end
|
80
|
+
|
81
|
+
if @list.length == 0
|
82
|
+
if @action_nodes.length == 0
|
83
|
+
ui.fatal("No nodes returned from search!")
|
84
|
+
else
|
85
|
+
ui.fatal("#{@action_nodes.length} #{@action_nodes.length > 1 ? "nodes":"node"} found, " +
|
86
|
+
"but does not have the required attribute (#{config[:attribute]}) to establish the connection. " +
|
87
|
+
"Try setting another attribute to open the connection using --attribute.")
|
88
|
+
end
|
89
|
+
exit 10
|
90
|
+
end
|
91
|
+
end
|
92
|
+
|
93
|
+
# TODO: Copied from Knife::Core:GenericPresenter. Should be extracted
|
94
|
+
def extract_nested_value(data, nested_value_spec)
|
95
|
+
nested_value_spec.split(".").each do |attr|
|
96
|
+
if data.nil?
|
97
|
+
nil # don't get no method error on nil
|
98
|
+
elsif data.respond_to?(attr.to_sym)
|
99
|
+
data = data.send(attr.to_sym)
|
100
|
+
elsif data.respond_to?(:[])
|
101
|
+
data = data[attr]
|
102
|
+
else
|
103
|
+
data = begin
|
104
|
+
data.send(attr.to_sym)
|
105
|
+
rescue NoMethodError
|
106
|
+
nil
|
107
|
+
end
|
108
|
+
end
|
109
|
+
end
|
110
|
+
( !data.kind_of?(Array) && data.respond_to?(:to_hash) ) ? data.to_hash : data
|
111
|
+
end
|
112
|
+
|
113
|
+
def run_command(command = '')
|
114
|
+
relay_winrm_command(command)
|
115
|
+
|
116
|
+
check_for_errors!
|
117
|
+
|
118
|
+
# Knife seems to ignore the return value of this method,
|
119
|
+
# so we exit to force the process exit code for this
|
120
|
+
# subcommand if returns is set
|
121
|
+
exit @exit_code if @exit_code && @exit_code != 0
|
122
|
+
0
|
123
|
+
end
|
124
|
+
|
125
|
+
def relay_winrm_command(command)
|
126
|
+
Chef::Log.debug(command)
|
127
|
+
@winrm_sessions.each do |s|
|
128
|
+
begin
|
129
|
+
s.relay_command(command)
|
130
|
+
rescue WinRM::WinRMHTTPTransportError, WinRM::WinRMAuthorizationError => e
|
131
|
+
if authorization_error?(e)
|
132
|
+
if ! config[:suppress_auth_failure]
|
133
|
+
# Display errors if the caller hasn't opted to retry
|
134
|
+
ui.error "Failed to authenticate to #{s.host} as #{locate_config_value(:winrm_user)}"
|
135
|
+
ui.info "Response: #{e.message}"
|
136
|
+
ui.info get_failed_authentication_hint
|
137
|
+
raise e
|
138
|
+
end
|
139
|
+
@exit_code = 401
|
140
|
+
else
|
141
|
+
raise e
|
142
|
+
end
|
143
|
+
end
|
144
|
+
end
|
145
|
+
end
|
146
|
+
|
147
|
+
private
|
148
|
+
|
149
|
+
def get_failed_authentication_hint
|
150
|
+
if @session_opts[:basic_auth_only]
|
151
|
+
FAILED_BASIC_HINT
|
152
|
+
else
|
153
|
+
FAILED_NOT_BASIC_HINT
|
154
|
+
end
|
155
|
+
end
|
156
|
+
|
157
|
+
def authorization_error?(exception)
|
158
|
+
exception.is_a?(WinRM::WinRMAuthorizationError) ||
|
159
|
+
exception.message =~ /401/
|
160
|
+
end
|
161
|
+
|
162
|
+
def check_for_errors!
|
163
|
+
@winrm_sessions.each do |session|
|
164
|
+
session_exit_code = session.exit_code
|
165
|
+
unless success_return_codes.include? session_exit_code.to_i
|
166
|
+
@exit_code = session_exit_code.to_i
|
167
|
+
ui.error "Failed to execute command on #{session.host} return code #{session_exit_code}"
|
168
|
+
end
|
169
|
+
end
|
170
|
+
end
|
171
|
+
|
172
|
+
def success_return_codes
|
173
|
+
#Redundant if the CLI options parsing occurs
|
174
|
+
return [0] unless config[:returns]
|
175
|
+
return @success_return_codes ||= config[:returns].split(',').collect {|item| item.to_i}
|
176
|
+
end
|
177
|
+
|
178
|
+
def session_from_list
|
179
|
+
@list.each do |item|
|
180
|
+
Chef::Log.debug("Adding #{item}")
|
181
|
+
@session_opts[:host] = item
|
182
|
+
create_winrm_session(@session_opts)
|
183
|
+
end
|
184
|
+
end
|
185
|
+
|
186
|
+
def create_winrm_session(options={})
|
187
|
+
session = Chef::Knife::WinrmSession.new(options)
|
188
|
+
@winrm_sessions ||= []
|
189
|
+
@winrm_sessions.push(session)
|
190
|
+
end
|
191
|
+
|
192
|
+
def resolve_session_options
|
193
|
+
@session_opts = {
|
194
|
+
user: resolve_winrm_user,
|
195
|
+
password: locate_config_value(:winrm_password),
|
196
|
+
port: locate_config_value(:winrm_port),
|
197
|
+
operation_timeout: resolve_winrm_session_timeout,
|
198
|
+
basic_auth_only: resolve_winrm_basic_auth,
|
199
|
+
disable_sspi: resolve_winrm_disable_sspi,
|
200
|
+
transport: resolve_winrm_transport,
|
201
|
+
no_ssl_peer_verification: resolve_no_ssl_peer_verification
|
202
|
+
}
|
203
|
+
|
204
|
+
if @session_opts[:user] and (not @session_opts[:password])
|
205
|
+
@session_opts[:password] = Chef::Config[:knife][:winrm_password] = config[:winrm_password] = get_password
|
206
|
+
end
|
207
|
+
|
208
|
+
if @session_opts[:transport] == :kerberos
|
209
|
+
@session_opts.merge!(resolve_winrm_kerberos_options)
|
210
|
+
end
|
211
|
+
|
212
|
+
@session_opts[:ca_trust_path] = locate_config_value(:ca_trust_file) if locate_config_value(:ca_trust_file)
|
213
|
+
end
|
214
|
+
|
215
|
+
def resolve_winrm_user
|
216
|
+
user = locate_config_value(:winrm_user)
|
217
|
+
|
218
|
+
# Prefixing with '.\' when using negotiate
|
219
|
+
# to auth user against local machine domain
|
220
|
+
if resolve_winrm_basic_auth ||
|
221
|
+
resolve_winrm_transport == :kerberos ||
|
222
|
+
user.include?("\\") ||
|
223
|
+
user.include?("@")
|
224
|
+
user
|
225
|
+
else
|
226
|
+
".\\#{user}"
|
227
|
+
end
|
228
|
+
end
|
229
|
+
|
230
|
+
def resolve_winrm_session_timeout
|
231
|
+
#30 min (Default) OperationTimeout for long bootstraps fix for KNIFE_WINDOWS-8
|
232
|
+
locate_config_value(:session_timeout).to_i * 60 if locate_config_value(:session_timeout)
|
233
|
+
end
|
234
|
+
|
235
|
+
def resolve_winrm_basic_auth
|
236
|
+
locate_config_value(:winrm_authentication_protocol) == "basic"
|
237
|
+
end
|
238
|
+
|
239
|
+
def resolve_winrm_kerberos_options
|
240
|
+
kerberos_opts = {}
|
241
|
+
kerberos_opts[:keytab] = locate_config_value(:kerberos_keytab_file) if locate_config_value(:kerberos_keytab_file)
|
242
|
+
kerberos_opts[:realm] = locate_config_value(:kerberos_realm) if locate_config_value(:kerberos_realm)
|
243
|
+
kerberos_opts[:service] = locate_config_value(:kerberos_service) if locate_config_value(:kerberos_service)
|
244
|
+
kerberos_opts
|
245
|
+
end
|
246
|
+
|
247
|
+
def resolve_winrm_transport
|
248
|
+
transport = locate_config_value(:winrm_transport).to_sym
|
249
|
+
if config.any? {|k,v| k.to_s =~ /kerberos/ && !v.nil? }
|
250
|
+
transport = :kerberos
|
251
|
+
elsif transport != :ssl && negotiate_auth?
|
252
|
+
transport = :negotiate
|
253
|
+
end
|
254
|
+
|
255
|
+
transport
|
256
|
+
end
|
257
|
+
|
258
|
+
def resolve_no_ssl_peer_verification
|
259
|
+
locate_config_value(:ca_trust_file).nil? && config[:winrm_ssl_verify_mode] == :verify_none && resolve_winrm_transport == :ssl
|
260
|
+
end
|
261
|
+
|
262
|
+
def resolve_winrm_disable_sspi
|
263
|
+
resolve_winrm_transport != :negotiate
|
264
|
+
end
|
265
|
+
|
266
|
+
def get_password
|
267
|
+
@password ||= ui.ask("Enter your password: ") { |q| q.echo = false }
|
268
|
+
end
|
269
|
+
|
270
|
+
def negotiate_auth?
|
271
|
+
locate_config_value(:winrm_authentication_protocol) == "negotiate"
|
272
|
+
end
|
273
|
+
|
274
|
+
def warn_no_ssl_peer_verification
|
275
|
+
if ! @@ssl_warning_given
|
276
|
+
@@ssl_warning_given = true
|
277
|
+
ui.warn(<<-WARN)
|
278
|
+
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
|
279
|
+
SSL validation of HTTPS requests for the WinRM transport is disabled. HTTPS WinRM
|
280
|
+
connections are still encrypted, but knife is not able to detect forged replies
|
281
|
+
or spoofing attacks.
|
282
|
+
|
283
|
+
To fix this issue add an entry like this to your knife configuration file:
|
284
|
+
|
285
|
+
```
|
286
|
+
# Verify all WinRM HTTPS connections (default, recommended)
|
287
|
+
knife[:winrm_ssl_verify_mode] = :verify_peer
|
288
|
+
```
|
289
|
+
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
|
290
|
+
WARN
|
291
|
+
end
|
292
|
+
end
|
293
|
+
|
294
|
+
end
|
295
|
+
end
|
296
|
+
end
|
297
|
+
end
|
298
|
+
end
|