knife-windows 1.3.0 → 1.4.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (52) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +5 -5
  3. data/.travis.yml +26 -26
  4. data/CHANGELOG.md +112 -108
  5. data/DOC_CHANGES.md +14 -14
  6. data/Gemfile +12 -12
  7. data/LICENSE +201 -201
  8. data/README.md +391 -385
  9. data/RELEASE_NOTES.md +34 -34
  10. data/Rakefile +21 -21
  11. data/appveyor.yml +42 -42
  12. data/ci.gemfile +15 -15
  13. data/features/knife_help.feature +20 -20
  14. data/features/support/env.rb +5 -5
  15. data/knife-windows.gemspec +25 -25
  16. data/lib/chef/knife/bootstrap/windows-chef-client-msi.erb +233 -247
  17. data/lib/chef/knife/bootstrap_windows_base.rb +449 -415
  18. data/lib/chef/knife/bootstrap_windows_ssh.rb +115 -115
  19. data/lib/chef/knife/bootstrap_windows_winrm.rb +95 -95
  20. data/lib/chef/knife/core/windows_bootstrap_context.rb +372 -366
  21. data/lib/chef/knife/knife_windows_base.rb +33 -33
  22. data/lib/chef/knife/windows_cert_generate.rb +155 -155
  23. data/lib/chef/knife/windows_cert_install.rb +68 -68
  24. data/lib/chef/knife/windows_helper.rb +36 -36
  25. data/lib/chef/knife/windows_listener_create.rb +107 -107
  26. data/lib/chef/knife/winrm.rb +122 -122
  27. data/lib/chef/knife/winrm_base.rb +117 -117
  28. data/lib/chef/knife/winrm_knife_base.rb +305 -303
  29. data/lib/chef/knife/winrm_session.rb +88 -87
  30. data/lib/chef/knife/winrm_shared_options.rb +47 -47
  31. data/lib/chef/knife/wsman_endpoint.rb +44 -44
  32. data/lib/chef/knife/wsman_test.rb +117 -117
  33. data/lib/knife-windows/path_helper.rb +234 -234
  34. data/lib/knife-windows/version.rb +6 -6
  35. data/spec/assets/win_template_rendered_with_bootstrap_install_command.txt +217 -217
  36. data/spec/assets/win_template_rendered_with_bootstrap_install_command_on_12_5_client.txt +217 -217
  37. data/spec/assets/win_template_rendered_without_bootstrap_install_command.txt +329 -329
  38. data/spec/assets/win_template_rendered_without_bootstrap_install_command_on_12_5_client.txt +329 -329
  39. data/spec/assets/win_template_unrendered.txt +246 -246
  40. data/spec/functional/bootstrap_download_spec.rb +241 -234
  41. data/spec/spec_helper.rb +94 -93
  42. data/spec/unit/knife/bootstrap_options_spec.rb +155 -155
  43. data/spec/unit/knife/bootstrap_template_spec.rb +98 -92
  44. data/spec/unit/knife/bootstrap_windows_winrm_spec.rb +341 -295
  45. data/spec/unit/knife/core/windows_bootstrap_context_spec.rb +177 -177
  46. data/spec/unit/knife/windows_cert_generate_spec.rb +90 -90
  47. data/spec/unit/knife/windows_cert_install_spec.rb +51 -51
  48. data/spec/unit/knife/windows_listener_create_spec.rb +76 -76
  49. data/spec/unit/knife/winrm_session_spec.rb +65 -65
  50. data/spec/unit/knife/winrm_spec.rb +516 -516
  51. data/spec/unit/knife/wsman_test_spec.rb +202 -202
  52. metadata +23 -4
@@ -1,303 +1,305 @@
1
- #
2
- # Author:: Steven Murawski (<smurawski@chef.io)
3
- # Copyright:: Copyright (c) 2015 Chef Software, Inc.
4
- # License:: Apache License, Version 2.0
5
- #
6
- # Licensed under the Apache License, Version 2.0 (the "License");
7
- # you may not use this file except in compliance with the License.
8
- # You may obtain a copy of the License at
9
- #
10
- # http://www.apache.org/licenses/LICENSE-2.0
11
- #
12
- # Unless required by applicable law or agreed to in writing, software
13
- # distributed under the License is distributed on an "AS IS" BASIS,
14
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15
- # See the License for the specific language governing permissions and
16
- # limitations under the License.
17
- #
18
-
19
-
20
- require 'chef/knife'
21
- require 'chef/knife/winrm_base'
22
- require 'chef/knife/winrm_shared_options'
23
- require 'chef/knife/knife_windows_base'
24
-
25
- class Chef
26
- class Knife
27
- module WinrmCommandSharedFunctions
28
-
29
- FAILED_BASIC_HINT ||= "Hint: Please check winrm configuration 'winrm get winrm/config/service' AllowUnencrypted flag on remote server."
30
- FAILED_NOT_BASIC_HINT ||= <<-eos.gsub /^\s+/, ""
31
- Hint: Make sure to prefix domain usernames with the correct domain name.
32
- Hint: Local user names should be prefixed with computer name or IP address.
33
- EXAMPLE: my_domain\\user_namer
34
- eos
35
-
36
- def self.included(includer)
37
- includer.class_eval do
38
-
39
- @@ssl_warning_given = false
40
-
41
- include Chef::Knife::WinrmBase
42
- include Chef::Knife::WinrmSharedOptions
43
- include Chef::Knife::KnifeWindowsBase
44
-
45
- def validate_winrm_options!
46
- winrm_auth_protocol = locate_config_value(:winrm_authentication_protocol)
47
-
48
- if ! Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.include?(winrm_auth_protocol)
49
- ui.error "Invalid value '#{winrm_auth_protocol}' for --winrm-authentication-protocol option."
50
- ui.info "Valid values are #{Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.join(",")}."
51
- exit 1
52
- end
53
-
54
- warn_no_ssl_peer_verification if resolve_no_ssl_peer_verification
55
- end
56
-
57
- #Overrides Chef::Knife#configure_session, as that code is tied to the SSH implementation
58
- #Tracked by Issue # 3042 / https://github.com/chef/chef/issues/3042
59
- def configure_session
60
- validate_winrm_options!
61
- resolve_session_options
62
- resolve_target_nodes
63
- session_from_list
64
- end
65
-
66
- def resolve_target_nodes
67
- @list = case config[:manual]
68
- when true
69
- @name_args[0].split(" ")
70
- when false
71
- r = Array.new
72
- q = Chef::Search::Query.new
73
- @action_nodes = q.search(:node, @name_args[0])[0]
74
- @action_nodes.each do |item|
75
- i = extract_nested_value(item, config[:attribute])
76
- r.push(i) unless i.nil?
77
- end
78
- r
79
- end
80
-
81
- if @list.length == 0
82
- if @action_nodes.length == 0
83
- ui.fatal("No nodes returned from search!")
84
- else
85
- ui.fatal("#{@action_nodes.length} #{@action_nodes.length > 1 ? "nodes":"node"} found, " +
86
- "but does not have the required attribute (#{config[:attribute]}) to establish the connection. " +
87
- "Try setting another attribute to open the connection using --attribute.")
88
- end
89
- exit 10
90
- end
91
- end
92
-
93
- # TODO: Copied from Knife::Core:GenericPresenter. Should be extracted
94
- def extract_nested_value(data, nested_value_spec)
95
- nested_value_spec.split(".").each do |attr|
96
- if data.nil?
97
- nil # don't get no method error on nil
98
- elsif data.respond_to?(attr.to_sym)
99
- data = data.send(attr.to_sym)
100
- elsif data.respond_to?(:[])
101
- data = data[attr]
102
- else
103
- data = begin
104
- data.send(attr.to_sym)
105
- rescue NoMethodError
106
- nil
107
- end
108
- end
109
- end
110
- ( !data.kind_of?(Array) && data.respond_to?(:to_hash) ) ? data.to_hash : data
111
- end
112
-
113
- def run_command(command = '')
114
- relay_winrm_command(command)
115
-
116
- check_for_errors!
117
-
118
- # Knife seems to ignore the return value of this method,
119
- # so we exit to force the process exit code for this
120
- # subcommand if returns is set
121
- exit @exit_code if @exit_code && @exit_code != 0
122
- 0
123
- end
124
-
125
- def relay_winrm_command(command)
126
- Chef::Log.debug(command)
127
- @winrm_sessions.each do |s|
128
- begin
129
- s.relay_command(command)
130
- rescue WinRM::WinRMHTTPTransportError, WinRM::WinRMAuthorizationError => e
131
- if authorization_error?(e)
132
- if ! config[:suppress_auth_failure]
133
- # Display errors if the caller hasn't opted to retry
134
- ui.error "Failed to authenticate to #{s.host} as #{locate_config_value(:winrm_user)}"
135
- ui.info "Response: #{e.message}"
136
- ui.info get_failed_authentication_hint
137
- raise e
138
- end
139
- @exit_code = 401
140
- else
141
- raise e
142
- end
143
- end
144
- end
145
- end
146
-
147
- private
148
-
149
- def get_failed_authentication_hint
150
- if @session_opts[:basic_auth_only]
151
- FAILED_BASIC_HINT
152
- else
153
- FAILED_NOT_BASIC_HINT
154
- end
155
- end
156
-
157
- def authorization_error?(exception)
158
- exception.is_a?(WinRM::WinRMAuthorizationError) ||
159
- exception.message =~ /401/
160
- end
161
-
162
- def check_for_errors!
163
- @winrm_sessions.each do |session|
164
- session_exit_code = session.exit_code
165
- unless success_return_codes.include? session_exit_code.to_i
166
- @exit_code = session_exit_code.to_i
167
- ui.error "Failed to execute command on #{session.host} return code #{session_exit_code}"
168
- end
169
- end
170
- end
171
-
172
- def success_return_codes
173
- #Redundant if the CLI options parsing occurs
174
- return [0] unless config[:returns]
175
- return @success_return_codes ||= config[:returns].split(',').collect {|item| item.to_i}
176
- end
177
-
178
- def session_from_list
179
- @list.each do |item|
180
- Chef::Log.debug("Adding #{item}")
181
- @session_opts[:host] = item
182
- create_winrm_session(@session_opts)
183
- end
184
- end
185
-
186
- def create_winrm_session(options={})
187
- session = Chef::Knife::WinrmSession.new(options)
188
- @winrm_sessions ||= []
189
- @winrm_sessions.push(session)
190
- end
191
-
192
- def resolve_session_options
193
- @session_opts = {
194
- user: resolve_winrm_user,
195
- password: locate_config_value(:winrm_password),
196
- port: locate_config_value(:winrm_port),
197
- operation_timeout: resolve_winrm_session_timeout,
198
- basic_auth_only: resolve_winrm_basic_auth,
199
- disable_sspi: resolve_winrm_disable_sspi,
200
- transport: resolve_winrm_transport,
201
- no_ssl_peer_verification: resolve_no_ssl_peer_verification,
202
- ssl_peer_fingerprint: resolve_ssl_peer_fingerprint
203
- }
204
-
205
- if @session_opts[:user] and (not @session_opts[:password])
206
- @session_opts[:password] = Chef::Config[:knife][:winrm_password] = config[:winrm_password] = get_password
207
- end
208
-
209
- if @session_opts[:transport] == :kerberos
210
- @session_opts.merge!(resolve_winrm_kerberos_options)
211
- end
212
-
213
- @session_opts[:ca_trust_path] = locate_config_value(:ca_trust_file) if locate_config_value(:ca_trust_file)
214
- end
215
-
216
- def resolve_winrm_user
217
- user = locate_config_value(:winrm_user)
218
-
219
- # Prefixing with '.\' when using negotiate
220
- # to auth user against local machine domain
221
- if resolve_winrm_basic_auth ||
222
- resolve_winrm_transport == :kerberos ||
223
- user.include?("\\") ||
224
- user.include?("@")
225
- user
226
- else
227
- ".\\#{user}"
228
- end
229
- end
230
-
231
- def resolve_winrm_session_timeout
232
- #30 min (Default) OperationTimeout for long bootstraps fix for KNIFE_WINDOWS-8
233
- locate_config_value(:session_timeout).to_i * 60 if locate_config_value(:session_timeout)
234
- end
235
-
236
- def resolve_winrm_basic_auth
237
- locate_config_value(:winrm_authentication_protocol) == "basic"
238
- end
239
-
240
- def resolve_winrm_kerberos_options
241
- kerberos_opts = {}
242
- kerberos_opts[:keytab] = locate_config_value(:kerberos_keytab_file) if locate_config_value(:kerberos_keytab_file)
243
- kerberos_opts[:realm] = locate_config_value(:kerberos_realm) if locate_config_value(:kerberos_realm)
244
- kerberos_opts[:service] = locate_config_value(:kerberos_service) if locate_config_value(:kerberos_service)
245
- kerberos_opts
246
- end
247
-
248
- def resolve_winrm_transport
249
- transport = locate_config_value(:winrm_transport).to_sym
250
- if config.any? {|k,v| k.to_s =~ /kerberos/ && !v.nil? }
251
- transport = :kerberos
252
- elsif transport != :ssl && negotiate_auth?
253
- transport = :negotiate
254
- end
255
-
256
- transport
257
- end
258
-
259
- def resolve_no_ssl_peer_verification
260
- locate_config_value(:ca_trust_file).nil? && config[:winrm_ssl_verify_mode] == :verify_none && resolve_winrm_transport == :ssl
261
- end
262
-
263
- def resolve_ssl_peer_fingerprint
264
- locate_config_value(:ssl_peer_fingerprint)
265
- end
266
-
267
- def resolve_winrm_disable_sspi
268
- resolve_winrm_transport != :negotiate
269
- end
270
-
271
- def get_password
272
- @password ||= ui.ask("Enter your password: ") { |q| q.echo = false }
273
- end
274
-
275
- def negotiate_auth?
276
- locate_config_value(:winrm_authentication_protocol) == "negotiate"
277
- end
278
-
279
- def warn_no_ssl_peer_verification
280
- if ! @@ssl_warning_given
281
- @@ssl_warning_given = true
282
- ui.warn(<<-WARN)
283
- * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
284
- SSL validation of HTTPS requests for the WinRM transport is disabled. HTTPS WinRM
285
- connections are still encrypted, but knife is not able to detect forged replies
286
- or spoofing attacks.
287
-
288
- To fix this issue add an entry like this to your knife configuration file:
289
-
290
- ```
291
- # Verify all WinRM HTTPS connections (default, recommended)
292
- knife[:winrm_ssl_verify_mode] = :verify_peer
293
- ```
294
- * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
295
- WARN
296
- end
297
- end
298
-
299
- end
300
- end
301
- end
302
- end
303
- end
1
+ #
2
+ # Author:: Steven Murawski (<smurawski@chef.io)
3
+ # Copyright:: Copyright (c) 2015-2016 Chef Software, Inc.
4
+ # License:: Apache License, Version 2.0
5
+ #
6
+ # Licensed under the Apache License, Version 2.0 (the "License");
7
+ # you may not use this file except in compliance with the License.
8
+ # You may obtain a copy of the License at
9
+ #
10
+ # http://www.apache.org/licenses/LICENSE-2.0
11
+ #
12
+ # Unless required by applicable law or agreed to in writing, software
13
+ # distributed under the License is distributed on an "AS IS" BASIS,
14
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15
+ # See the License for the specific language governing permissions and
16
+ # limitations under the License.
17
+ #
18
+
19
+
20
+ require 'chef/knife'
21
+ require 'chef/knife/winrm_base'
22
+ require 'chef/knife/winrm_shared_options'
23
+ require 'chef/knife/knife_windows_base'
24
+
25
+ class Chef
26
+ class Knife
27
+ module WinrmCommandSharedFunctions
28
+
29
+ FAILED_BASIC_HINT ||= "Hint: Please check winrm configuration 'winrm get winrm/config/service' AllowUnencrypted flag on remote server."
30
+ FAILED_NOT_BASIC_HINT ||= <<-eos.gsub /^\s+/, ""
31
+ Hint: Make sure to prefix domain usernames with the correct domain name.
32
+ Hint: Local user names should be prefixed with computer name or IP address.
33
+ EXAMPLE: my_domain\\user_namer
34
+ eos
35
+
36
+ def self.included(includer)
37
+ includer.class_eval do
38
+
39
+ @@ssl_warning_given = false
40
+
41
+ include Chef::Knife::WinrmBase
42
+ include Chef::Knife::WinrmSharedOptions
43
+ include Chef::Knife::KnifeWindowsBase
44
+
45
+ def validate_winrm_options!
46
+ winrm_auth_protocol = locate_config_value(:winrm_authentication_protocol)
47
+
48
+ if ! Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.include?(winrm_auth_protocol)
49
+ ui.error "Invalid value '#{winrm_auth_protocol}' for --winrm-authentication-protocol option."
50
+ ui.info "Valid values are #{Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.join(",")}."
51
+ exit 1
52
+ end
53
+
54
+ warn_no_ssl_peer_verification if resolve_no_ssl_peer_verification
55
+ end
56
+
57
+ #Overrides Chef::Knife#configure_session, as that code is tied to the SSH implementation
58
+ #Tracked by Issue # 3042 / https://github.com/chef/chef/issues/3042
59
+ def configure_session
60
+ validate_winrm_options!
61
+ resolve_session_options
62
+ resolve_target_nodes
63
+ session_from_list
64
+ end
65
+
66
+ def resolve_target_nodes
67
+ @list = case config[:manual]
68
+ when true
69
+ @name_args[0].split(" ")
70
+ when false
71
+ r = Array.new
72
+ q = Chef::Search::Query.new
73
+ @action_nodes = q.search(:node, @name_args[0])[0]
74
+ @action_nodes.each do |item|
75
+ i = extract_nested_value(item, config[:attribute])
76
+ r.push(i) unless i.nil?
77
+ end
78
+ r
79
+ end
80
+
81
+ if @list.length == 0
82
+ if @action_nodes.length == 0
83
+ ui.fatal("No nodes returned from search!")
84
+ else
85
+ ui.fatal("#{@action_nodes.length} #{@action_nodes.length > 1 ? "nodes":"node"} found, " +
86
+ "but does not have the required attribute (#{config[:attribute]}) to establish the connection. " +
87
+ "Try setting another attribute to open the connection using --attribute.")
88
+ end
89
+ exit 10
90
+ end
91
+ end
92
+
93
+ # TODO: Copied from Knife::Core:GenericPresenter. Should be extracted
94
+ def extract_nested_value(data, nested_value_spec)
95
+ nested_value_spec.split(".").each do |attr|
96
+ if data.nil?
97
+ nil # don't get no method error on nil
98
+ elsif data.respond_to?(attr.to_sym)
99
+ data = data.send(attr.to_sym)
100
+ elsif data.respond_to?(:[])
101
+ data = data[attr]
102
+ else
103
+ data = begin
104
+ data.send(attr.to_sym)
105
+ rescue NoMethodError
106
+ nil
107
+ end
108
+ end
109
+ end
110
+ ( !data.kind_of?(Array) && data.respond_to?(:to_hash) ) ? data.to_hash : data
111
+ end
112
+
113
+ def run_command(command = '')
114
+ relay_winrm_command(command)
115
+
116
+ check_for_errors!
117
+
118
+ # Knife seems to ignore the return value of this method,
119
+ # so we exit to force the process exit code for this
120
+ # subcommand if returns is set
121
+ exit @exit_code if @exit_code && @exit_code != 0
122
+ 0
123
+ end
124
+
125
+ def relay_winrm_command(command)
126
+ Chef::Log.debug(command)
127
+ session_results = []
128
+ @winrm_sessions.each do |s|
129
+ begin
130
+ session_results << s.relay_command(command)
131
+ rescue WinRM::WinRMHTTPTransportError, WinRM::WinRMAuthorizationError => e
132
+ if authorization_error?(e)
133
+ if ! config[:suppress_auth_failure]
134
+ # Display errors if the caller hasn't opted to retry
135
+ ui.error "Failed to authenticate to #{s.host} as #{locate_config_value(:winrm_user)}"
136
+ ui.info "Response: #{e.message}"
137
+ ui.info get_failed_authentication_hint
138
+ raise e
139
+ end
140
+ @exit_code = 401
141
+ else
142
+ raise e
143
+ end
144
+ end
145
+ end
146
+ session_results
147
+ end
148
+
149
+ private
150
+
151
+ def get_failed_authentication_hint
152
+ if @session_opts[:basic_auth_only]
153
+ FAILED_BASIC_HINT
154
+ else
155
+ FAILED_NOT_BASIC_HINT
156
+ end
157
+ end
158
+
159
+ def authorization_error?(exception)
160
+ exception.is_a?(WinRM::WinRMAuthorizationError) ||
161
+ exception.message =~ /401/
162
+ end
163
+
164
+ def check_for_errors!
165
+ @winrm_sessions.each do |session|
166
+ session_exit_code = session.exit_code
167
+ unless success_return_codes.include? session_exit_code.to_i
168
+ @exit_code = session_exit_code.to_i
169
+ ui.error "Failed to execute command on #{session.host} return code #{session_exit_code}"
170
+ end
171
+ end
172
+ end
173
+
174
+ def success_return_codes
175
+ #Redundant if the CLI options parsing occurs
176
+ return [0] unless config[:returns]
177
+ return @success_return_codes ||= config[:returns].split(',').collect {|item| item.to_i}
178
+ end
179
+
180
+ def session_from_list
181
+ @list.each do |item|
182
+ Chef::Log.debug("Adding #{item}")
183
+ @session_opts[:host] = item
184
+ create_winrm_session(@session_opts)
185
+ end
186
+ end
187
+
188
+ def create_winrm_session(options={})
189
+ session = Chef::Knife::WinrmSession.new(options)
190
+ @winrm_sessions ||= []
191
+ @winrm_sessions.push(session)
192
+ end
193
+
194
+ def resolve_session_options
195
+ @session_opts = {
196
+ user: resolve_winrm_user,
197
+ password: locate_config_value(:winrm_password),
198
+ port: locate_config_value(:winrm_port),
199
+ operation_timeout: resolve_winrm_session_timeout,
200
+ basic_auth_only: resolve_winrm_basic_auth,
201
+ disable_sspi: resolve_winrm_disable_sspi,
202
+ transport: resolve_winrm_transport,
203
+ no_ssl_peer_verification: resolve_no_ssl_peer_verification,
204
+ ssl_peer_fingerprint: resolve_ssl_peer_fingerprint
205
+ }
206
+
207
+ if @session_opts[:user] and (not @session_opts[:password])
208
+ @session_opts[:password] = Chef::Config[:knife][:winrm_password] = config[:winrm_password] = get_password
209
+ end
210
+
211
+ if @session_opts[:transport] == :kerberos
212
+ @session_opts.merge!(resolve_winrm_kerberos_options)
213
+ end
214
+
215
+ @session_opts[:ca_trust_path] = locate_config_value(:ca_trust_file) if locate_config_value(:ca_trust_file)
216
+ end
217
+
218
+ def resolve_winrm_user
219
+ user = locate_config_value(:winrm_user)
220
+
221
+ # Prefixing with '.\' when using negotiate
222
+ # to auth user against local machine domain
223
+ if resolve_winrm_basic_auth ||
224
+ resolve_winrm_transport == :kerberos ||
225
+ user.include?("\\") ||
226
+ user.include?("@")
227
+ user
228
+ else
229
+ ".\\#{user}"
230
+ end
231
+ end
232
+
233
+ def resolve_winrm_session_timeout
234
+ #30 min (Default) OperationTimeout for long bootstraps fix for KNIFE_WINDOWS-8
235
+ locate_config_value(:session_timeout).to_i * 60 if locate_config_value(:session_timeout)
236
+ end
237
+
238
+ def resolve_winrm_basic_auth
239
+ locate_config_value(:winrm_authentication_protocol) == "basic"
240
+ end
241
+
242
+ def resolve_winrm_kerberos_options
243
+ kerberos_opts = {}
244
+ kerberos_opts[:keytab] = locate_config_value(:kerberos_keytab_file) if locate_config_value(:kerberos_keytab_file)
245
+ kerberos_opts[:realm] = locate_config_value(:kerberos_realm) if locate_config_value(:kerberos_realm)
246
+ kerberos_opts[:service] = locate_config_value(:kerberos_service) if locate_config_value(:kerberos_service)
247
+ kerberos_opts
248
+ end
249
+
250
+ def resolve_winrm_transport
251
+ transport = locate_config_value(:winrm_transport).to_sym
252
+ if config.any? {|k,v| k.to_s =~ /kerberos/ && !v.nil? }
253
+ transport = :kerberos
254
+ elsif transport != :ssl && negotiate_auth?
255
+ transport = :negotiate
256
+ end
257
+
258
+ transport
259
+ end
260
+
261
+ def resolve_no_ssl_peer_verification
262
+ locate_config_value(:ca_trust_file).nil? && config[:winrm_ssl_verify_mode] == :verify_none && resolve_winrm_transport == :ssl
263
+ end
264
+
265
+ def resolve_ssl_peer_fingerprint
266
+ locate_config_value(:ssl_peer_fingerprint)
267
+ end
268
+
269
+ def resolve_winrm_disable_sspi
270
+ resolve_winrm_transport != :negotiate
271
+ end
272
+
273
+ def get_password
274
+ @password ||= ui.ask("Enter your password: ") { |q| q.echo = false }
275
+ end
276
+
277
+ def negotiate_auth?
278
+ locate_config_value(:winrm_authentication_protocol) == "negotiate"
279
+ end
280
+
281
+ def warn_no_ssl_peer_verification
282
+ if ! @@ssl_warning_given
283
+ @@ssl_warning_given = true
284
+ ui.warn(<<-WARN)
285
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
286
+ SSL validation of HTTPS requests for the WinRM transport is disabled. HTTPS WinRM
287
+ connections are still encrypted, but knife is not able to detect forged replies
288
+ or spoofing attacks.
289
+
290
+ To fix this issue add an entry like this to your knife configuration file:
291
+
292
+ ```
293
+ # Verify all WinRM HTTPS connections (default, recommended)
294
+ knife[:winrm_ssl_verify_mode] = :verify_peer
295
+ ```
296
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
297
+ WARN
298
+ end
299
+ end
300
+
301
+ end
302
+ end
303
+ end
304
+ end
305
+ end