knife-windows 1.7.0 → 1.7.1
- checksums.yaml +4 -4
- data/.travis.yml +26 -26
- data/CHANGELOG.md +139 -135
- data/DOC_CHANGES.md +22 -22
- data/Gemfile +13 -13
- data/README.md +404 -404
- data/RELEASE_NOTES.md +9 -9
- data/appveyor.yml +39 -39
- data/ci.gemfile +16 -16
- data/knife-windows.gemspec +26 -26
- data/lib/chef/knife/bootstrap/windows-chef-client-msi.erb +246 -246
- data/lib/chef/knife/bootstrap_windows_base.rb +443 -443
- data/lib/chef/knife/bootstrap_windows_ssh.rb +116 -116
- data/lib/chef/knife/bootstrap_windows_winrm.rb +102 -102
- data/lib/chef/knife/core/windows_bootstrap_context.rb +378 -378
- data/lib/chef/knife/knife_windows_base.rb +33 -33
- data/lib/chef/knife/windows_cert_generate.rb +155 -155
- data/lib/chef/knife/windows_cert_install.rb +68 -68
- data/lib/chef/knife/windows_helper.rb +36 -36
- data/lib/chef/knife/windows_listener_create.rb +107 -107
- data/lib/chef/knife/winrm.rb +122 -122
- data/lib/chef/knife/winrm_base.rb +128 -128
- data/lib/chef/knife/winrm_knife_base.rb +307 -307
- data/lib/chef/knife/winrm_session.rb +98 -98
- data/lib/chef/knife/winrm_shared_options.rb +47 -47
- data/lib/chef/knife/wsman_endpoint.rb +44 -44
- data/lib/chef/knife/wsman_test.rb +118 -118
- data/lib/knife-windows/path_helper.rb +242 -234
- data/lib/knife-windows/version.rb +6 -6
- data/spec/assets/fake_trusted_certs/excluded.txt +2 -0
- data/spec/assets/fake_trusted_certs/github.pem +42 -0
- data/spec/assets/fake_trusted_certs/google.crt +41 -0
- data/spec/assets/win_fake_trusted_cert_script.txt +89 -0
- data/spec/assets/win_template_rendered_with_bootstrap_install_command.txt +223 -223
- data/spec/assets/win_template_rendered_with_bootstrap_install_command_on_12_5_client.txt +223 -223
- data/spec/assets/win_template_rendered_without_bootstrap_install_command.txt +335 -335
- data/spec/assets/win_template_rendered_without_bootstrap_install_command_on_12_5_client.txt +335 -335
- data/spec/assets/win_template_unrendered.txt +246 -246
- data/spec/dummy_winrm_connection.rb +21 -21
- data/spec/functional/bootstrap_download_spec.rb +236 -236
- data/spec/spec_helper.rb +94 -94
- data/spec/unit/knife/bootstrap_options_spec.rb +157 -157
- data/spec/unit/knife/bootstrap_template_spec.rb +98 -98
- data/spec/unit/knife/bootstrap_windows_winrm_spec.rb +423 -423
- data/spec/unit/knife/core/windows_bootstrap_context_spec.rb +213 -177
- data/spec/unit/knife/windows_cert_generate_spec.rb +90 -90
- data/spec/unit/knife/windows_cert_install_spec.rb +51 -51
- data/spec/unit/knife/windows_listener_create_spec.rb +76 -76
- data/spec/unit/knife/winrm_session_spec.rb +95 -95
- data/spec/unit/knife/winrm_spec.rb +500 -500
- data/spec/unit/knife/wsman_test_spec.rb +209 -209
- metadata +7 -3
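--- a/data/lib/chef/knife/winrm_base.rb
+++ b/data/lib/chef/knife/winrm_base.rb
@@ -1,128 +1,128 @@
-#
-# Author:: Seth Chisamore (<schisamo@chef.io>)
-# Copyright:: Copyright (c) 2011-2016 Chef Software, Inc.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-require 'chef/knife'
-require 'chef/encrypted_data_bag_item'
-require 'kconv'
-
-class Chef
-class Knife
-module WinrmBase
-
-# It includes supported WinRM authentication protocol.
-WINRM_AUTH_PROTOCOL_LIST ||= %w{basic negotiate kerberos}
-
-# :nodoc:
-# Would prefer to do this in a rational way, but can't be done b/c of
-# Mixlib::CLI's design :(
-def self.included(includer)
-includer.class_eval do
-
-deps do
-require 'readline'
-require 'chef/json_compat'
-end
-
-option :winrm_user,
-:short => "-x USERNAME",
-:long => "--winrm-user USERNAME",
-:description => "The WinRM username",
-:default => "Administrator",
-:proc => Proc.new { |key| Chef::Config[:knife][:winrm_user] = key }
-
-option :winrm_password,
-:short => "-P PASSWORD",
-:long => "--winrm-password PASSWORD",
-:description => "The WinRM password",
-:proc => Proc.new { |key| Chef::Config[:knife][:winrm_password] = key }
-
-option :winrm_shell,
-:long => "--winrm-shell SHELL",
-:description => "The WinRM shell type. Valid choices are [cmd, powershell, elevated]. 'elevated' runs powershell in a scheduled task",
-:default => :cmd,
-:proc => Proc.new { |shell| shell.to_sym }
-
-option :winrm_transport,
-:short => "-t TRANSPORT",
-:long => "--winrm-transport TRANSPORT",
-:description => "The WinRM transport type. Valid choices are [ssl, plaintext]",
-:default => 'plaintext',
-:proc => Proc.new { |transport| Chef::Config[:knife][:winrm_port] = '5986' if transport == 'ssl'
-Chef::Config[:knife][:winrm_transport] = transport }
-
-option :winrm_port,
-:short => "-p PORT",
-:long => "--winrm-port PORT",
-:description => "The WinRM port, by default this is '5985' for 'plaintext' and '5986' for 'ssl' winrm transport",
-:default => '5985',
-:proc => Proc.new { |key| Chef::Config[:knife][:winrm_port] = key }
-
-option :kerberos_keytab_file,
-:short => "-T KEYTAB_FILE",
-:long => "--keytab-file KEYTAB_FILE",
-:description => "The Kerberos keytab file used for authentication",
-:proc => Proc.new { |keytab| Chef::Config[:knife][:kerberos_keytab_file] = keytab }
-
-option :kerberos_realm,
-:short => "-R KERBEROS_REALM",
-:long => "--kerberos-realm KERBEROS_REALM",
-:description => "The Kerberos realm used for authentication",
-:proc => Proc.new { |realm| Chef::Config[:knife][:kerberos_realm] = realm }
-
-option :kerberos_service,
-:short => "-S KERBEROS_SERVICE",
-:long => "--kerberos-service KERBEROS_SERVICE",
-:description => "The Kerberos service used for authentication",
-:proc => Proc.new { |service| Chef::Config[:knife][:kerberos_service] = service }
-
-option :ca_trust_file,
-:short => "-f CA_TRUST_FILE",
-:long => "--ca-trust-file CA_TRUST_FILE",
-:description => "The Certificate Authority (CA) trust file used for SSL transport",
-:proc => Proc.new { |trust| Chef::Config[:knife][:ca_trust_file] = trust }
-
-option :winrm_ssl_verify_mode,
-:long => "--winrm-ssl-verify-mode SSL_VERIFY_MODE",
-:description => "The WinRM peer verification mode. Valid choices are [verify_peer, verify_none]",
-:default => :verify_peer,
-:proc => Proc.new { |verify_mode| verify_mode.to_sym }
-
-option :ssl_peer_fingerprint,
-:long => "--ssl-peer-fingerprint FINGERPRINT",
-:description => "ssl Cert Fingerprint to bypass normal cert chain checks"
-
-option :winrm_authentication_protocol,
-:long => "--winrm-authentication-protocol AUTHENTICATION_PROTOCOL",
-:description => "The authentication protocol used during WinRM communication. The supported protocols are #{WINRM_AUTH_PROTOCOL_LIST.join(',')}. Default is 'negotiate'.",
-:default => "negotiate",
-:proc => Proc.new { |protocol| Chef::Config[:knife][:winrm_authentication_protocol] = protocol }
-
-option :session_timeout,
-:long => "--session-timeout Minutes",
-:description => "The timeout for the client for the maximum length of the WinRM session",
-:default => 30
-
-option :winrm_codepage,
-:long => "--winrm-codepage Codepage",
-:description => "The codepage to use for the winrm cmd shell",
-:default => 65001
-end
-end
-end
-end
-end
+#
+# Author:: Seth Chisamore (<schisamo@chef.io>)
+# Copyright:: Copyright (c) 2011-2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/knife'
+require 'chef/encrypted_data_bag_item'
+require 'kconv'
+
+class Chef
+class Knife
+module WinrmBase
+
+# It includes supported WinRM authentication protocol.
+WINRM_AUTH_PROTOCOL_LIST ||= %w{basic negotiate kerberos}
+
+# :nodoc:
+# Would prefer to do this in a rational way, but can't be done b/c of
+# Mixlib::CLI's design :(
+def self.included(includer)
+includer.class_eval do
+
+deps do
+require 'readline'
+require 'chef/json_compat'
+end
+
+option :winrm_user,
+:short => "-x USERNAME",
+:long => "--winrm-user USERNAME",
+:description => "The WinRM username",
+:default => "Administrator",
+:proc => Proc.new { |key| Chef::Config[:knife][:winrm_user] = key }
+
+option :winrm_password,
+:short => "-P PASSWORD",
+:long => "--winrm-password PASSWORD",
+:description => "The WinRM password",
+:proc => Proc.new { |key| Chef::Config[:knife][:winrm_password] = key }
+
+option :winrm_shell,
+:long => "--winrm-shell SHELL",
+:description => "The WinRM shell type. Valid choices are [cmd, powershell, elevated]. 'elevated' runs powershell in a scheduled task",
+:default => :cmd,
+:proc => Proc.new { |shell| shell.to_sym }
+
+option :winrm_transport,
+:short => "-t TRANSPORT",
+:long => "--winrm-transport TRANSPORT",
+:description => "The WinRM transport type. Valid choices are [ssl, plaintext]",
+:default => 'plaintext',
+:proc => Proc.new { |transport| Chef::Config[:knife][:winrm_port] = '5986' if transport == 'ssl'
+Chef::Config[:knife][:winrm_transport] = transport }
+
+option :winrm_port,
+:short => "-p PORT",
+:long => "--winrm-port PORT",
+:description => "The WinRM port, by default this is '5985' for 'plaintext' and '5986' for 'ssl' winrm transport",
+:default => '5985',
+:proc => Proc.new { |key| Chef::Config[:knife][:winrm_port] = key }
+
+option :kerberos_keytab_file,
+:short => "-T KEYTAB_FILE",
+:long => "--keytab-file KEYTAB_FILE",
+:description => "The Kerberos keytab file used for authentication",
+:proc => Proc.new { |keytab| Chef::Config[:knife][:kerberos_keytab_file] = keytab }
+
+option :kerberos_realm,
+:short => "-R KERBEROS_REALM",
+:long => "--kerberos-realm KERBEROS_REALM",
+:description => "The Kerberos realm used for authentication",
+:proc => Proc.new { |realm| Chef::Config[:knife][:kerberos_realm] = realm }
+
+option :kerberos_service,
+:short => "-S KERBEROS_SERVICE",
+:long => "--kerberos-service KERBEROS_SERVICE",
+:description => "The Kerberos service used for authentication",
+:proc => Proc.new { |service| Chef::Config[:knife][:kerberos_service] = service }
+
+option :ca_trust_file,
+:short => "-f CA_TRUST_FILE",
+:long => "--ca-trust-file CA_TRUST_FILE",
+:description => "The Certificate Authority (CA) trust file used for SSL transport",
+:proc => Proc.new { |trust| Chef::Config[:knife][:ca_trust_file] = trust }
+
+option :winrm_ssl_verify_mode,
+:long => "--winrm-ssl-verify-mode SSL_VERIFY_MODE",
+:description => "The WinRM peer verification mode. Valid choices are [verify_peer, verify_none]",
+:default => :verify_peer,
+:proc => Proc.new { |verify_mode| verify_mode.to_sym }
+
+option :ssl_peer_fingerprint,
+:long => "--ssl-peer-fingerprint FINGERPRINT",
+:description => "ssl Cert Fingerprint to bypass normal cert chain checks"
+
+option :winrm_authentication_protocol,
+:long => "--winrm-authentication-protocol AUTHENTICATION_PROTOCOL",
+:description => "The authentication protocol used during WinRM communication. The supported protocols are #{WINRM_AUTH_PROTOCOL_LIST.join(',')}. Default is 'negotiate'.",
+:default => "negotiate",
+:proc => Proc.new { |protocol| Chef::Config[:knife][:winrm_authentication_protocol] = protocol }
+
+option :session_timeout,
+:long => "--session-timeout Minutes",
+:description => "The timeout for the client for the maximum length of the WinRM session",
+:default => 30
+
+option :winrm_codepage,
+:long => "--winrm-codepage Codepage",
+:description => "The codepage to use for the winrm cmd shell",
+:default => 65001
+end
+end
+end
+end
+end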
@@ -1,307 +1,307 @@
|
|
1
|
-
#
|
2
|
-
# Author:: Steven Murawski (<smurawski@chef.io)
|
3
|
-
# Copyright:: Copyright (c) 2015-2016 Chef Software, Inc.
|
4
|
-
# License:: Apache License, Version 2.0
|
5
|
-
#
|
6
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
7
|
-
# you may not use this file except in compliance with the License.
|
8
|
-
# You may obtain a copy of the License at
|
9
|
-
#
|
10
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
11
|
-
#
|
12
|
-
# Unless required by applicable law or agreed to in writing, software
|
13
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
14
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
15
|
-
# See the License for the specific language governing permissions and
|
16
|
-
# limitations under the License.
|
17
|
-
#
|
18
|
-
|
19
|
-
|
20
|
-
require 'chef/knife'
|
21
|
-
require 'chef/knife/winrm_base'
|
22
|
-
require 'chef/knife/winrm_shared_options'
|
23
|
-
require 'chef/knife/knife_windows_base'
|
24
|
-
|
25
|
-
class Chef
|
26
|
-
class Knife
|
27
|
-
module WinrmCommandSharedFunctions
|
28
|
-
|
29
|
-
FAILED_BASIC_HINT ||= "Hint: Please check winrm configuration 'winrm get winrm/config/service' AllowUnencrypted flag on remote server."
|
30
|
-
FAILED_NOT_BASIC_HINT ||= <<-eos.gsub /^\s+/, ""
|
31
|
-
Hint: Make sure to prefix domain usernames with the correct domain name.
|
32
|
-
Hint: Local user names should be prefixed with computer name or IP address.
|
33
|
-
EXAMPLE: my_domain\\user_namer
|
34
|
-
eos
|
35
|
-
|
36
|
-
def self.included(includer)
|
37
|
-
includer.class_eval do
|
38
|
-
|
39
|
-
@@ssl_warning_given = false
|
40
|
-
|
41
|
-
include Chef::Knife::WinrmBase
|
42
|
-
include Chef::Knife::WinrmSharedOptions
|
43
|
-
include Chef::Knife::KnifeWindowsBase
|
44
|
-
|
45
|
-
def validate_winrm_options!
|
46
|
-
winrm_auth_protocol = locate_config_value(:winrm_authentication_protocol)
|
47
|
-
|
48
|
-
if ! Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.include?(winrm_auth_protocol)
|
49
|
-
ui.error "Invalid value '#{winrm_auth_protocol}' for --winrm-authentication-protocol option."
|
50
|
-
ui.info "Valid values are #{Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.join(",")}."
|
51
|
-
exit 1
|
52
|
-
end
|
53
|
-
|
54
|
-
warn_no_ssl_peer_verification if resolve_no_ssl_peer_verification
|
55
|
-
end
|
56
|
-
|
57
|
-
#Overrides Chef::Knife#configure_session, as that code is tied to the SSH implementation
|
58
|
-
#Tracked by Issue # 3042 / https://github.com/chef/chef/issues/3042
|
59
|
-
def configure_session
|
60
|
-
validate_winrm_options!
|
61
|
-
resolve_session_options
|
62
|
-
resolve_target_nodes
|
63
|
-
session_from_list
|
64
|
-
end
|
65
|
-
|
66
|
-
def resolve_target_nodes
|
67
|
-
@list = case config[:manual]
|
68
|
-
when true
|
69
|
-
@name_args[0].split(" ")
|
70
|
-
when false
|
71
|
-
r = Array.new
|
72
|
-
q = Chef::Search::Query.new
|
73
|
-
@action_nodes = q.search(:node, @name_args[0])[0]
|
74
|
-
@action_nodes.each do |item|
|
75
|
-
i = extract_nested_value(item, config[:attribute])
|
76
|
-
r.push(i) unless i.nil?
|
77
|
-
end
|
78
|
-
r
|
79
|
-
end
|
80
|
-
|
81
|
-
if @list.length == 0
|
82
|
-
if @action_nodes.length == 0
|
83
|
-
ui.fatal("No nodes returned from search!")
|
84
|
-
else
|
85
|
-
ui.fatal("#{@action_nodes.length} #{@action_nodes.length > 1 ? "nodes":"node"} found, " +
|
86
|
-
"but does not have the required attribute (#{config[:attribute]}) to establish the connection. " +
|
87
|
-
"Try setting another attribute to open the connection using --attribute.")
|
88
|
-
end
|
89
|
-
exit 10
|
90
|
-
end
|
91
|
-
end
|
92
|
-
|
93
|
-
# TODO: Copied from Knife::Core:GenericPresenter. Should be extracted
|
94
|
-
def extract_nested_value(data, nested_value_spec)
|
95
|
-
nested_value_spec.split(".").each do |attr|
|
96
|
-
if data.nil?
|
97
|
-
nil # don't get no method error on nil
|
98
|
-
elsif data.respond_to?(attr.to_sym)
|
99
|
-
data = data.send(attr.to_sym)
|
100
|
-
elsif data.respond_to?(:[])
|
101
|
-
data = data[attr]
|
102
|
-
else
|
103
|
-
data = begin
|
104
|
-
data.send(attr.to_sym)
|
105
|
-
rescue NoMethodError
|
106
|
-
nil
|
107
|
-
end
|
108
|
-
end
|
109
|
-
end
|
110
|
-
( !data.kind_of?(Array) && data.respond_to?(:to_hash) ) ? data.to_hash : data
|
111
|
-
end
|
112
|
-
|
113
|
-
def run_command(command = '')
|
114
|
-
relay_winrm_command(command)
|
115
|
-
|
116
|
-
check_for_errors!
|
117
|
-
|
118
|
-
# Knife seems to ignore the return value of this method,
|
119
|
-
# so we exit to force the process exit code for this
|
120
|
-
# subcommand if returns is set
|
121
|
-
exit @exit_code if @exit_code && @exit_code != 0
|
122
|
-
0
|
123
|
-
end
|
124
|
-
|
125
|
-
def relay_winrm_command(command)
|
126
|
-
Chef::Log.debug(command)
|
127
|
-
session_results = []
|
128
|
-
@winrm_sessions.each do |s|
|
129
|
-
begin
|
130
|
-
session_results << s.relay_command(command)
|
131
|
-
rescue WinRM::WinRMHTTPTransportError, WinRM::WinRMAuthorizationError => e
|
132
|
-
if authorization_error?(e)
|
133
|
-
if ! config[:suppress_auth_failure]
|
134
|
-
# Display errors if the caller hasn't opted to retry
|
135
|
-
ui.error "Failed to authenticate to #{s.host} as #{locate_config_value(:winrm_user)}"
|
136
|
-
ui.info "Response: #{e.message}"
|
137
|
-
ui.info get_failed_authentication_hint
|
138
|
-
raise e
|
139
|
-
end
|
140
|
-
@exit_code = 401
|
141
|
-
else
|
142
|
-
raise e
|
143
|
-
end
|
144
|
-
end
|
145
|
-
end
|
146
|
-
session_results
|
147
|
-
end
|
148
|
-
|
149
|
-
private
|
150
|
-
|
151
|
-
def get_failed_authentication_hint
|
152
|
-
if @session_opts[:basic_auth_only]
|
153
|
-
FAILED_BASIC_HINT
|
154
|
-
else
|
155
|
-
FAILED_NOT_BASIC_HINT
|
156
|
-
end
|
157
|
-
end
|
158
|
-
|
159
|
-
def authorization_error?(exception)
|
160
|
-
exception.is_a?(WinRM::WinRMAuthorizationError) ||
|
161
|
-
exception.message =~ /401/
|
162
|
-
end
|
163
|
-
|
164
|
-
def check_for_errors!
|
165
|
-
@winrm_sessions.each do |session|
|
166
|
-
session_exit_code = session.exit_code
|
167
|
-
unless success_return_codes.include? session_exit_code.to_i
|
168
|
-
@exit_code = session_exit_code.to_i
|
169
|
-
ui.error "Failed to execute command on #{session.host} return code #{session_exit_code}"
|
170
|
-
end
|
171
|
-
end
|
172
|
-
end
|
173
|
-
|
174
|
-
def success_return_codes
|
175
|
-
#Redundant if the CLI options parsing occurs
|
176
|
-
return [0] unless config[:returns]
|
177
|
-
return @success_return_codes ||= config[:returns].split(',').collect {|item| item.to_i}
|
178
|
-
end
|
179
|
-
|
180
|
-
def session_from_list
|
181
|
-
@list.each do |item|
|
182
|
-
Chef::Log.debug("Adding #{item}")
|
183
|
-
@session_opts[:host] = item
|
184
|
-
create_winrm_session(@session_opts)
|
185
|
-
end
|
186
|
-
end
|
187
|
-
|
188
|
-
def create_winrm_session(options={})
|
189
|
-
session = Chef::Knife::WinrmSession.new(options)
|
190
|
-
@winrm_sessions ||= []
|
191
|
-
@winrm_sessions.push(session)
|
192
|
-
end
|
193
|
-
|
194
|
-
def resolve_session_options
|
195
|
-
@session_opts = {
|
196
|
-
user: resolve_winrm_user,
|
197
|
-
password: locate_config_value(:winrm_password),
|
198
|
-
port: locate_config_value(:winrm_port),
|
199
|
-
operation_timeout: resolve_winrm_session_timeout,
|
200
|
-
basic_auth_only: resolve_winrm_basic_auth,
|
201
|
-
disable_sspi: resolve_winrm_disable_sspi,
|
202
|
-
transport: resolve_winrm_transport,
|
203
|
-
no_ssl_peer_verification: resolve_no_ssl_peer_verification,
|
204
|
-
ssl_peer_fingerprint: resolve_ssl_peer_fingerprint,
|
205
|
-
shell: locate_config_value(:winrm_shell),
|
206
|
-
codepage: locate_config_value(:winrm_codepage)
|
207
|
-
}
|
208
|
-
|
209
|
-
if @session_opts[:user] and (not @session_opts[:password])
|
210
|
-
@session_opts[:password] = Chef::Config[:knife][:winrm_password] = config[:winrm_password] = get_password
|
211
|
-
end
|
212
|
-
|
213
|
-
if @session_opts[:transport] == :kerberos
|
214
|
-
@session_opts.merge!(resolve_winrm_kerberos_options)
|
215
|
-
end
|
216
|
-
|
217
|
-
@session_opts[:ca_trust_path] = locate_config_value(:ca_trust_file) if locate_config_value(:ca_trust_file)
|
218
|
-
end
|
219
|
-
|
220
|
-
def resolve_winrm_user
|
221
|
-
user = locate_config_value(:winrm_user)
|
222
|
-
|
223
|
-
# Prefixing with '.\' when using negotiate
|
224
|
-
# to auth user against local machine domain
|
225
|
-
if resolve_winrm_basic_auth ||
|
226
|
-
resolve_winrm_transport == :kerberos ||
|
227
|
-
user.include?("\\") ||
|
228
|
-
user.include?("@")
|
229
|
-
user
|
230
|
-
else
|
231
|
-
".\\#{user}"
|
232
|
-
end
|
233
|
-
end
|
234
|
-
|
235
|
-
def resolve_winrm_session_timeout
|
236
|
-
#30 min (Default) OperationTimeout for long bootstraps fix for KNIFE_WINDOWS-8
|
237
|
-
locate_config_value(:session_timeout).to_i * 60 if locate_config_value(:session_timeout)
|
238
|
-
end
|
239
|
-
|
240
|
-
def resolve_winrm_basic_auth
|
241
|
-
locate_config_value(:winrm_authentication_protocol) == "basic"
|
242
|
-
end
|
243
|
-
|
244
|
-
def resolve_winrm_kerberos_options
|
245
|
-
kerberos_opts = {}
|
246
|
-
kerberos_opts[:keytab] = locate_config_value(:kerberos_keytab_file) if locate_config_value(:kerberos_keytab_file)
|
247
|
-
kerberos_opts[:realm] = locate_config_value(:kerberos_realm) if locate_config_value(:kerberos_realm)
|
248
|
-
kerberos_opts[:service] = locate_config_value(:kerberos_service) if locate_config_value(:kerberos_service)
|
249
|
-
kerberos_opts
|
250
|
-
end
|
251
|
-
|
252
|
-
def resolve_winrm_transport
|
253
|
-
transport = locate_config_value(:winrm_transport).to_sym
|
254
|
-
if config.any? {|k,v| k.to_s =~ /kerberos/ && !v.nil? }
|
255
|
-
transport = :kerberos
|
256
|
-
elsif transport != :ssl && negotiate_auth?
|
257
|
-
transport = :negotiate
|
258
|
-
end
|
259
|
-
|
260
|
-
transport
|
261
|
-
end
|
262
|
-
|
263
|
-
def resolve_no_ssl_peer_verification
|
264
|
-
locate_config_value(:ca_trust_file).nil? && config[:winrm_ssl_verify_mode] == :verify_none && resolve_winrm_transport == :ssl
|
265
|
-
end
|
266
|
-
|
267
|
-
def resolve_ssl_peer_fingerprint
|
268
|
-
locate_config_value(:ssl_peer_fingerprint)
|
269
|
-
end
|
270
|
-
|
271
|
-
def resolve_winrm_disable_sspi
|
272
|
-
resolve_winrm_transport != :negotiate
|
273
|
-
end
|
274
|
-
|
275
|
-
def get_password
|
276
|
-
@password ||= ui.ask("Enter your password: ") { |q| q.echo = false }
|
277
|
-
end
|
278
|
-
|
279
|
-
def negotiate_auth?
|
280
|
-
locate_config_value(:winrm_authentication_protocol) == "negotiate"
|
281
|
-
end
|
282
|
-
|
283
|
-
def warn_no_ssl_peer_verification
|
284
|
-
if ! @@ssl_warning_given
|
285
|
-
@@ssl_warning_given = true
|
286
|
-
ui.warn(<<-WARN)
|
287
|
-
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
|
288
|
-
SSL validation of HTTPS requests for the WinRM transport is disabled. HTTPS WinRM
|
289
|
-
connections are still encrypted, but knife is not able to detect forged replies
|
290
|
-
or spoofing attacks.
|
291
|
-
|
292
|
-
To fix this issue add an entry like this to your knife configuration file:
|
293
|
-
|
294
|
-
```
|
295
|
-
# Verify all WinRM HTTPS connections (default, recommended)
|
296
|
-
knife[:winrm_ssl_verify_mode] = :verify_peer
|
297
|
-
```
|
298
|
-
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
|
299
|
-
WARN
|
300
|
-
end
|
301
|
-
end
|
302
|
-
|
303
|
-
end
|
304
|
-
end
|
305
|
-
end
|
306
|
-
end
|
307
|
-
end
|
1
|
+
#
|
2
|
+
# Author:: Steven Murawski (<smurawski@chef.io)
|
3
|
+
# Copyright:: Copyright (c) 2015-2016 Chef Software, Inc.
|
4
|
+
# License:: Apache License, Version 2.0
|
5
|
+
#
|
6
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
7
|
+
# you may not use this file except in compliance with the License.
|
8
|
+
# You may obtain a copy of the License at
|
9
|
+
#
|
10
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
11
|
+
#
|
12
|
+
# Unless required by applicable law or agreed to in writing, software
|
13
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
14
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
15
|
+
# See the License for the specific language governing permissions and
|
16
|
+
# limitations under the License.
|
17
|
+
#
|
18
|
+
|
19
|
+
|
20
|
+
require 'chef/knife'
|
21
|
+
require 'chef/knife/winrm_base'
|
22
|
+
require 'chef/knife/winrm_shared_options'
|
23
|
+
require 'chef/knife/knife_windows_base'
|
24
|
+
|
25
|
+
class Chef
|
26
|
+
class Knife
|
27
|
+
module WinrmCommandSharedFunctions
|
28
|
+
|
29
|
+
FAILED_BASIC_HINT ||= "Hint: Please check winrm configuration 'winrm get winrm/config/service' AllowUnencrypted flag on remote server."
|
30
|
+
FAILED_NOT_BASIC_HINT ||= <<-eos.gsub /^\s+/, ""
|
31
|
+
Hint: Make sure to prefix domain usernames with the correct domain name.
|
32
|
+
Hint: Local user names should be prefixed with computer name or IP address.
|
33
|
+
EXAMPLE: my_domain\\user_namer
|
34
|
+
eos
|
35
|
+
|
36
|
+
def self.included(includer)
|
37
|
+
includer.class_eval do
|
38
|
+
|
39
|
+
@@ssl_warning_given = false
|
40
|
+
|
41
|
+
include Chef::Knife::WinrmBase
|
42
|
+
include Chef::Knife::WinrmSharedOptions
|
43
|
+
include Chef::Knife::KnifeWindowsBase
|
44
|
+
|
45
|
+
def validate_winrm_options!
|
46
|
+
winrm_auth_protocol = locate_config_value(:winrm_authentication_protocol)
|
47
|
+
|
48
|
+
if ! Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.include?(winrm_auth_protocol)
|
49
|
+
ui.error "Invalid value '#{winrm_auth_protocol}' for --winrm-authentication-protocol option."
|
50
|
+
ui.info "Valid values are #{Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.join(",")}."
|
51
|
+
exit 1
|
52
|
+
end
|
53
|
+
|
54
|
+
warn_no_ssl_peer_verification if resolve_no_ssl_peer_verification
|
55
|
+
end
|
56
|
+
|
57
|
+
#Overrides Chef::Knife#configure_session, as that code is tied to the SSH implementation
|
58
|
+
#Tracked by Issue # 3042 / https://github.com/chef/chef/issues/3042
|
59
|
+
def configure_session
|
60
|
+
validate_winrm_options!
|
61
|
+
resolve_session_options
|
62
|
+
resolve_target_nodes
|
63
|
+
session_from_list
|
64
|
+
end
|
65
|
+
|
66
|
+
def resolve_target_nodes
|
67
|
+
@list = case config[:manual]
|
68
|
+
when true
|
69
|
+
@name_args[0].split(" ")
|
70
|
+
when false
|
71
|
+
r = Array.new
|
72
|
+
q = Chef::Search::Query.new
|
73
|
+
@action_nodes = q.search(:node, @name_args[0])[0]
|
74
|
+
@action_nodes.each do |item|
|
75
|
+
i = extract_nested_value(item, config[:attribute])
|
76
|
+
r.push(i) unless i.nil?
|
77
|
+
end
|
78
|
+
r
|
79
|
+
end
|
80
|
+
|
81
|
+
if @list.length == 0
|
82
|
+
if @action_nodes.length == 0
|
83
|
+
ui.fatal("No nodes returned from search!")
|
84
|
+
else
|
85
|
+
ui.fatal("#{@action_nodes.length} #{@action_nodes.length > 1 ? "nodes":"node"} found, " +
|
86
|
+
"but does not have the required attribute (#{config[:attribute]}) to establish the connection. " +
|
87
|
+
"Try setting another attribute to open the connection using --attribute.")
|
88
|
+
end
|
89
|
+
exit 10
|
90
|
+
end
|
91
|
+
end
|
92
|
+
|
93
|
+
# TODO: Copied from Knife::Core:GenericPresenter. Should be extracted
|
94
|
+
def extract_nested_value(data, nested_value_spec)
|
95
|
+
nested_value_spec.split(".").each do |attr|
|
96
|
+
if data.nil?
|
97
|
+
nil # don't get no method error on nil
|
98
|
+
elsif data.respond_to?(attr.to_sym)
|
99
|
+
data = data.send(attr.to_sym)
|
100
|
+
elsif data.respond_to?(:[])
|
101
|
+
data = data[attr]
|
102
|
+
else
|
103
|
+
data = begin
|
104
|
+
data.send(attr.to_sym)
|
105
|
+
rescue NoMethodError
|
106
|
+
nil
|
107
|
+
end
|
108
|
+
end
|
109
|
+
end
|
110
|
+
( !data.kind_of?(Array) && data.respond_to?(:to_hash) ) ? data.to_hash : data
|
111
|
+
end
|
112
|
+
|
113
|
+
def run_command(command = '')
|
114
|
+
relay_winrm_command(command)
|
115
|
+
|
116
|
+
check_for_errors!
|
117
|
+
|
118
|
+
# Knife seems to ignore the return value of this method,
|
119
|
+
# so we exit to force the process exit code for this
|
120
|
+
# subcommand if returns is set
|
121
|
+
exit @exit_code if @exit_code && @exit_code != 0
|
122
|
+
0
|
123
|
+
end
|
124
|
+
|
125
|
+
def relay_winrm_command(command)
|
126
|
+
Chef::Log.debug(command)
|
127
|
+
session_results = []
|
128
|
+
@winrm_sessions.each do |s|
|
129
|
+
begin
|
130
|
+
session_results << s.relay_command(command)
|
131
|
+
rescue WinRM::WinRMHTTPTransportError, WinRM::WinRMAuthorizationError => e
|
132
|
+
if authorization_error?(e)
|
133
|
+
if ! config[:suppress_auth_failure]
|
134
|
+
# Display errors if the caller hasn't opted to retry
|
135
|
+
ui.error "Failed to authenticate to #{s.host} as #{locate_config_value(:winrm_user)}"
|
136
|
+
ui.info "Response: #{e.message}"
|
137
|
+
ui.info get_failed_authentication_hint
|
138
|
+
raise e
|
139
|
+
end
|
140
|
+
@exit_code = 401
|
141
|
+
else
|
142
|
+
raise e
|
143
|
+
end
|
144
|
+
end
|
145
|
+
end
|
146
|
+
session_results
|
147
|
+
end
|
148
|
+
|
149
|
+
private
|
150
|
+
|
151
|
+
def get_failed_authentication_hint
|
152
|
+
if @session_opts[:basic_auth_only]
|
153
|
+
FAILED_BASIC_HINT
|
154
|
+
else
|
155
|
+
FAILED_NOT_BASIC_HINT
|
156
|
+
end
|
157
|
+
end
|
158
|
+
|
159
|
+
def authorization_error?(exception)
|
160
|
+
exception.is_a?(WinRM::WinRMAuthorizationError) ||
|
161
|
+
exception.message =~ /401/
|
162
|
+
end
|
163
|
+
|
164
|
+
def check_for_errors!
|
165
|
+
@winrm_sessions.each do |session|
|
166
|
+
session_exit_code = session.exit_code
|
167
|
+
unless success_return_codes.include? session_exit_code.to_i
|
168
|
+
@exit_code = session_exit_code.to_i
|
169
|
+
ui.error "Failed to execute command on #{session.host} return code #{session_exit_code}"
|
170
|
+
end
|
171
|
+
end
|
172
|
+
end
|
173
|
+
|
174
|
+
def success_return_codes
|
175
|
+
#Redundant if the CLI options parsing occurs
|
176
|
+
return [0] unless config[:returns]
|
177
|
+
return @success_return_codes ||= config[:returns].split(',').collect {|item| item.to_i}
|
178
|
+
end
|
179
|
+
|
180
|
+
def session_from_list
|
181
|
+
@list.each do |item|
|
182
|
+
Chef::Log.debug("Adding #{item}")
|
183
|
+
@session_opts[:host] = item
|
184
|
+
create_winrm_session(@session_opts)
|
185
|
+
end
|
186
|
+
end
|
187
|
+
|
188
|
+
def create_winrm_session(options={})
|
189
|
+
session = Chef::Knife::WinrmSession.new(options)
|
190
|
+
@winrm_sessions ||= []
|
191
|
+
@winrm_sessions.push(session)
|
192
|
+
end
|
193
|
+
|
194
|
+
def resolve_session_options
|
195
|
+
@session_opts = {
|
196
|
+
user: resolve_winrm_user,
|
197
|
+
password: locate_config_value(:winrm_password),
|
198
|
+
port: locate_config_value(:winrm_port),
|
199
|
+
operation_timeout: resolve_winrm_session_timeout,
|
200
|
+
basic_auth_only: resolve_winrm_basic_auth,
|
201
|
+
disable_sspi: resolve_winrm_disable_sspi,
|
202
|
+
transport: resolve_winrm_transport,
|
203
|
+
no_ssl_peer_verification: resolve_no_ssl_peer_verification,
|
204
|
+
ssl_peer_fingerprint: resolve_ssl_peer_fingerprint,
|
205
|
+
shell: locate_config_value(:winrm_shell),
|
206
|
+
codepage: locate_config_value(:winrm_codepage)
|
207
|
+
}
|
208
|
+
|
209
|
+
if @session_opts[:user] and (not @session_opts[:password])
|
210
|
+
@session_opts[:password] = Chef::Config[:knife][:winrm_password] = config[:winrm_password] = get_password
|
211
|
+
end
|
212
|
+
|
213
|
+
if @session_opts[:transport] == :kerberos
|
214
|
+
@session_opts.merge!(resolve_winrm_kerberos_options)
|
215
|
+
end
|
216
|
+
|
217
|
+
@session_opts[:ca_trust_path] = locate_config_value(:ca_trust_file) if locate_config_value(:ca_trust_file)
|
218
|
+
end
|
219
|
+
|
220
|
+
def resolve_winrm_user
|
221
|
+
user = locate_config_value(:winrm_user)
|
222
|
+
|
223
|
+
# Prefixing with '.\' when using negotiate
|
224
|
+
# to auth user against local machine domain
|
225
|
+
if resolve_winrm_basic_auth ||
|
226
|
+
resolve_winrm_transport == :kerberos ||
|
227
|
+
user.include?("\\") ||
|
228
|
+
user.include?("@")
|
229
|
+
user
|
230
|
+
else
|
231
|
+
".\\#{user}"
|
232
|
+
end
|
233
|
+
end
|
234
|
+
|
235
|
+
def resolve_winrm_session_timeout
|
236
|
+
#30 min (Default) OperationTimeout for long bootstraps fix for KNIFE_WINDOWS-8
|
237
|
+
locate_config_value(:session_timeout).to_i * 60 if locate_config_value(:session_timeout)
|
238
|
+
end
|
239
|
+
|
240
|
+
def resolve_winrm_basic_auth
|
241
|
+
locate_config_value(:winrm_authentication_protocol) == "basic"
|
242
|
+
end
|
243
|
+
|
244
|
+
def resolve_winrm_kerberos_options
|
245
|
+
kerberos_opts = {}
|
246
|
+
kerberos_opts[:keytab] = locate_config_value(:kerberos_keytab_file) if locate_config_value(:kerberos_keytab_file)
|
247
|
+
kerberos_opts[:realm] = locate_config_value(:kerberos_realm) if locate_config_value(:kerberos_realm)
|
248
|
+
kerberos_opts[:service] = locate_config_value(:kerberos_service) if locate_config_value(:kerberos_service)
|
249
|
+
kerberos_opts
|
250
|
+
end
|
251
|
+
|
252
|
+
def resolve_winrm_transport
|
253
|
+
transport = locate_config_value(:winrm_transport).to_sym
|
254
|
+
if config.any? {|k,v| k.to_s =~ /kerberos/ && !v.nil? }
|
255
|
+
transport = :kerberos
|
256
|
+
elsif transport != :ssl && negotiate_auth?
|
257
|
+
transport = :negotiate
|
258
|
+
end
|
259
|
+
|
260
|
+
transport
|
261
|
+
end
|
262
|
+
|
263
|
+
def resolve_no_ssl_peer_verification
|
264
|
+
locate_config_value(:ca_trust_file).nil? && config[:winrm_ssl_verify_mode] == :verify_none && resolve_winrm_transport == :ssl
|
265
|
+
end
|
266
|
+
|
267
|
+
def resolve_ssl_peer_fingerprint
|
268
|
+
locate_config_value(:ssl_peer_fingerprint)
|
269
|
+
end
|
270
|
+
|
271
|
+
def resolve_winrm_disable_sspi
|
272
|
+
resolve_winrm_transport != :negotiate
|
273
|
+
end
|
274
|
+
|
275
|
+
def get_password
|
276
|
+
@password ||= ui.ask("Enter your password: ") { |q| q.echo = false }
|
277
|
+
end
|
278
|
+
|
279
|
+
def negotiate_auth?
|
280
|
+
locate_config_value(:winrm_authentication_protocol) == "negotiate"
|
281
|
+
end
|
282
|
+
|
283
|
+
def warn_no_ssl_peer_verification
|
284
|
+
if ! @@ssl_warning_given
|
285
|
+
@@ssl_warning_given = true
|
286
|
+
ui.warn(<<-WARN)
|
287
|
+
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
|
288
|
+
SSL validation of HTTPS requests for the WinRM transport is disabled. HTTPS WinRM
|
289
|
+
connections are still encrypted, but knife is not able to detect forged replies
|
290
|
+
or spoofing attacks.
|
291
|
+
|
292
|
+
To fix this issue add an entry like this to your knife configuration file:
|
293
|
+
|
294
|
+
```
|
295
|
+
# Verify all WinRM HTTPS connections (default, recommended)
|
296
|
+
knife[:winrm_ssl_verify_mode] = :verify_peer
|
297
|
+
```
|
298
|
+
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
|
299
|
+
WARN
|
300
|
+
end
|
301
|
+
end
|
302
|
+
|
303
|
+
end
|
304
|
+
end
|
305
|
+
end
|
306
|
+
end
|
307
|
+
end
|