knife-windows 0.8.0 → 0.8.2.rc.0

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    NjhkMDIwNTZkZTE0MTIxOGEzY2M5ZGVmNjIzYzA2ZTU0MTkzYTRhZA==
+    ODBjZmJlOGYwMmU5MGMzY2VlYzIyNmJkODRiMjk0Mjg3NjJiYmVkMw==
   data.tar.gz: !binary |-
-    MGI0ZThlYWU2MzRlMjI5YzY5ZmVmOTRkNmRlM2ZkNzMxZTM0MjIwNA==
+    NTRlNWY5YWVkMDJiODE2YzhjMDcwNjg1ZjU1OWNmN2QzMjMyMmRiOA==
 SHA512:
   metadata.gz: !binary |-
-    ZjJmN2NhZTllNTQ3ZWVhYWQxMTM1NmFjYTQ1OWI2MGYxNzhlZjM5NzdkZmNm
-    NzE2MmMzNTQ3YzY5MjUxM2IzZWM1MzVmN2JjOGVmNWM1ZjM5NGNjODBmZjg2
-    NzE2NzNlMjc3ZDAwYzg2YWE3MWFjNDU4MWU5OTVkMTYwNjBlZTI=
+    YTc0MzA2NTc1ZmQ1MmZkMDAyYWJiNDk4NDIxYmJiZDlmNzJjYTlmYmJlMjU2
+    N2FjM2MyM2RlODY1ODFlMmI2NzI0MTU4NDA0MzliOTIxMDc3YzRiNDAyZTcy
+    NGZlOTg5OTdiNGU5ZjRmNWQxNmQ1YmVhZDVmYzdkNjQ5OGU2ODk=
   data.tar.gz: !binary |-
-    MjFkY2E5MTFmMDQ1YzI1YWE2ZWM2ZDY0MTlmMjg1MDBiYWU5ZTg4ZmY0YTdl
-    ODhlZDEzNjcxNGVmN2U3MDhkN2MyNjk0ZTU5MDE5OGZkMjYzN2EzZjE5MGY0
-    MzRjMjUyOGFkZmMzODk0MmExMzA4MzU0NTYwNjhhOGM3OWI3ZWM=
+    YmNiNGM0OWVlOWRmZjg4OGI5NmJiZWMxYzhmYmI5MDMwMzBmMTBmMDRhNzRm
+    MWE5NWQyOGEwMTM4MWU2NzJkNzdiNTZiYTUwNThmM2MwODNhMTc2NmQyZTcw
+    YzAyMmMwNjRkNzY1ZmZhNzJmMGFhMmU1NmVkNDEwMWMzOTY5NjI=

data/CHANGELOG.md

@@ -3,8 +3,11 @@
 ## Unreleased changes
 None.
 
+## Latest release: 0.8.2
+* [knife-windows #108](https://github.com/opscode/knife-windows/issues/108) Error: Unencrypted communication not supported if remote server does not require encryption
+
 ## Latest release: 0.8.0
-* [knife-windows #98](https://github.com/opscode/knife-windows/issues/96) Get winrm command exit code if it is not expected
+* [knife-windows #98](https://github.com/opscode/knife-windows/issues/98) Get winrm command exit code if it is not expected
 * [knife-windows #96](https://github.com/opscode/knife-windows/issues/96) Fix break from OS patch KB2918614
 * Remove the 'instance data' method of creating EC2 servers
 * Update winrm-s dependency along with em-winrm and winrm dependencies

data/DOC_CHANGES.md

@@ -6,32 +6,18 @@ Example Doc Change:
 Description of the required change.
 -->
 
-# knife-windows 0.8.0 doc changes
+# knife-windows 0.8.2 doc changes
 
 ### Negotiate / NTLM authentication support
-If `knife` is executed from a Windows system, it is no longer necessary to make
-additional configuration of the WinRM listener on the remote node to enable
-successful authentication from the workstation. It is sufficient to have a WinRM
-listener on the remote node configured according to the operating system's `winrm
-quickconfig` command default configuration because `knife-windows` now
-supports the Windows negotiate protocol including NTLM authentication, which
-matches the authentication requirements for the default WinRM listener configuration.
-
-If `knife` is executed on a non-Windows system, certificate authentication or Kerberos
-should be used instead via the `kerberos_service` and related options of the subcommands. 
-
-**NOTE**: In order to use NTLM / Negotiate to authenticate as the user
-  specified by the `--winrm-user` (`-x`) option, you must include the user's
-  Windows domain when specifying the user name using the format `domain\user`
-  where the backslash ('`\`') character separates the user from the domain. If
-  an account local to the node is being used to access, `.` may be used as the domain:
-
-    knife bootstrap windows winrm web1.cloudapp.net -r 'server::web' -x 'proddomain\webuser' -P 'super_secret_password'
-    knife bootstrap windows winrm db1.cloudapp.net -r 'server::db' -x '.\localadmin' -P 'super_secret_password'
-
-For development and testing purposes, unencrypted traffic with Basic authentication can make it easier to test connectivity:
-
-    winrm set winrm/config/service @{AllowUnencrypted="true"}
-    winrm set winrm/config/service/auth @{Basic="true"}
-
-
+If you are running `knife-windows` subcommands from a Windows workstation, you
+should not specify a username argument that includes a domain name (i.e. a
+name formatted like `domain\user`) unless the remote host has WinRM's
+`AllowUnencrypted` setting set to `$false` (the default setting on Windows if
+the `winrm quickconfig` command was used to enable WinRM). If you've modified
+the host to set this to `$true` instead of its default value and you run
+subcommands from a Windows workstation where the username specified to
+`knife-windows` contains a domain, the command will fail with an
+authentication error. To avoid this, omit the domain name (this will only work
+if the system is not joined to a domain, i.e. you were specifying the local
+workstation as the domain), or set `AllowUnencrypted` to `$false` which is a
+more secure setting.

data/RELEASE_NOTES.md

@@ -6,39 +6,57 @@ Example Note:
 ## Example Heading
 Details about the thing that changed that needs to get included in the Release Notes in markdown.
 -->
-# knife-windows 0.8.0 release notes:
-This release of knife-windows enables the Windows negotiate protocol to be
-used with the `winrm` and `bootstrap windows winrm` subcommands and also
-contains bug fixes and dependency updates.
+# knife-windows 0.8.2.rc.0 release notes:
+This release of knife-windows addresses a regression in knife-windows 0.8.0
+from previous releases where `knife winrm` and `knife bootstrap windows`
+commands fail due to inability to authenticate:
+[knife-windows #108](https://github.com/opscode/knife-windows/issues/108). 
 
-A thank you goes to contributor **Josh Mahowald** for contributing a fix to return nonzero exit codes.
+You can install the fix for this issue by upgrading to this new version using
+the `gem` command:
 
-Issues with `knife-windows` should be reported in the ticketing system at
-https://github.com/opscode/knife-windows/issues. Learn more about how you can
-contribute features and bug fixes to `knife-windows` in the [Chef Contributions document](http://docs.opscode.com/community_contributions.html).
+    gem install knife-windows --pre
 
-## Features added in knife-windows 0.8.0
+A thank you goes to **Richard Lavey** for reporting [knife-windows #108](https://github.com/opscode/knife-windows/issues/108).
 
-### NTLM / Negotiate authentication for `winrm` and `bootstrap`
-If `knife` is being used on a Windows workstation, it is no longer necessary
-to use Kerberos or to use certificate authentication to authenticate securely
-with a remote node in bootstrap or command execution scenarios. The `knife winrm` and `knife
-windows bootstrap` commands now support the use of NTLM to authenticate to remote
-nodes with the default WinRM listener configuration set by the operating
-system's `winrm quickconfig` command.
+## Impact of [knife-windows #108](https://github.com/opscode/knife-windows/issues/108)
 
-When specifying the user name on the command-line or configuration, the format `domain\username` must be used for
-the negotiate protocol to be invoked. If the account is local to the node,
-'`.`' may be used for the domain. See the README.md for further detail.
+[knife-windows #108](https://github.com/opscode/knife-windows/issues/108) will affect a given user if all of the following are true:
+
+* You are running `knife-windows` subcommands on a Windows workstation
+* The remote node you're interacting with via `knife-windows` has a WinRM
+  configuration with the `WSMan:\localhost\Service\AllowUnencrypted` (in
+  PowerShell's WinRM settings drive provider)
+  
+In this situation, you will receive an authentication error message from
+the `knife winrm` or `knife bootstrap windows` command such as
+`Error: Unencrypted communication not supported`. To resolve this error,
+simply install this version of the gem as described earlier.
+
+If you are running the `knife` commands from a non-Windows operating system,
+[knife-windows #108](https://github.com/opscode/knife-windows/issues/108) does
+not affect you, so you don't need to upgrade just for this issue.
+
+## Reporting issues and contributing
+
+`knife-windows` issues like the one addressed in this release should be
+reported in the ticketing system at https://github.com/opscode/knife-windows/issues. You can learn more about how to contribute features and bug fixes to `knife-windows` in the [Chef Contributions document](http://docs.opscode.com/community_contributions.html).
+
+## Features added in knife-windows 0.8.2
+None.
+
+## Issues fixed in knife-windows 0.8.2
+[knife-windows #108](https://github.com/opscode/knife-windows/issues/108) Error: Unencrypted communication not supported if remote server does not require encryption
+
+The fix in this release will cause a behavior change from the 0.8.0 release:
+
+* As described in the [documentation changes](https://github.com/opscode/knife-windows/blob/0.8.0/DOC_CHANGES.md) for the 0.8.0 release of the `knife-windows`, the negotiate authentication
+  protocol will only be used in this 0.8.2 release if a domain is specified (you can specify '.' as
+  the domain if you want to use the local workstation as the domain). Due to a
+  defect in the 0.8.0 release, the negotiate protocol was being used even when
+  the domain was not specified.
 
 ## knife-windows on RubyGems and Github
 https://rubygems.org/gems/knife-windows
 https://github.com/opscode/knife-windows
 
-## Issues fixed in knife-windows 0.8.0
-* [knife-windows #98](https://github.com/opscode/knife-windows/issues/96) Get winrm command exit code if it is not expected
-* [knife-windows #96](https://github.com/opscode/knife-windows/issues/96) Fix break from OS patch KB2918614
-* Update winrm-s dependency along with em-winrm and winrm dependencies
-* Return failure codes from knife winrm even when `returns` is not set
-* Support Windows negotiate authentication protocol when running knife on Windows
-

data/lib/chef/knife/winrm.rb

@@ -74,10 +74,10 @@ class Chef
 
       end
 
-      def success_return_codes 
+      def success_return_codes
         #Redundant if the CLI options parsing occurs
-        return [0] unless config[:returns] 
-        return config[:returns].split(',').collect {|item| item.to_i} 
+        return [0] unless config[:returns]
+        return config[:returns].split(',').collect {|item| item.to_i}
       end
 
       # TODO: Copied from Knife::Core:GenericPresenter. Should be extracted
@@ -142,7 +142,10 @@ class Chef
           session_opts[:operation_timeout] = 1800 # 30 min OperationTimeout for long bootstraps fix for KNIFE_WINDOWS-8
 
           ## If you have a \\ in your name you need to use NTLM domain authentication
-          if session_opts[:user].split("\\").length.eql?(2)
+          username_contains_domain = session_opts[:user].split("\\").length.eql?(2)
+
+          if username_contains_domain
+            # We cannot use basic_auth for domain authentication
             session_opts[:basic_auth_only] = false
           else
             session_opts[:basic_auth_only] = true
@@ -153,7 +156,9 @@ class Chef
             session_opts[:basic_auth_only] = false
           else
             session_opts[:transport] = (Chef::Config[:knife][:winrm_transport] || config[:winrm_transport]).to_sym
-            if Chef::Platform.windows? and session_opts[:transport] == :plaintext
+
+            if Chef::Platform.windows? && session_opts[:transport] == :plaintext && username_contains_domain
+              ui.warn("Switching to Negotiate authentication, Basic does not support Domain Authentication")
               # windows - force only encrypted communication
               require 'winrm-s'
               session_opts[:transport] = :sspinegotiate
@@ -164,7 +169,6 @@ class Chef
             if session_opts[:user] and
                 (not session_opts[:password])
               session_opts[:password] = Chef::Config[:knife][:winrm_password] = config[:winrm_password] = get_password
-
             end
           end
 

data/lib/knife-windows/version.rb

@@ -1,6 +1,6 @@
 module Knife
   module Windows
-    VERSION = "0.8.0"
+    VERSION = "0.8.2.rc.0"
     MAJOR, MINOR, TINY = VERSION.split('.')
   end
 end

data/spec/unit/knife/winrm_spec.rb

@@ -56,7 +56,7 @@ describe Chef::Knife::Winrm do
         @node_bar.automatic_attrs[:fqdn] = nil
         allow(Chef::Search::Query).to receive(:new).and_return(@query)
       end
-    
+
       it "should raise a specific error (KNIFE-222)" do
         expect(@knife.ui).to receive(:fatal).with(/does not have the required attribute/)
         expect(@knife).to receive(:exit).with(10)
@@ -70,7 +70,7 @@ describe Chef::Knife::Winrm do
         allow(@query).to receive(:search).and_return([[@node_foo, @node_bar]])
         allow(Chef::Search::Query).to receive(:new).and_return(@query)
       end
-    
+
       it "should use nested attributes (KNIFE-276)" do
         @knife.config[:attribute] = "ec2.public_hostname"
         allow(@knife).to receive(:session_from_list)
@@ -170,20 +170,41 @@ describe Chef::Knife::Winrm do
           end
 
           it "should have winrm opts transport set to sspinegotiate for windows" do
+            @winrm.config[:winrm_user] = "domain\\testuser"
             allow(Chef::Platform).to receive(:windows?).and_return(true)
             allow(@winrm).to receive(:require).with('winrm-s').and_return(true)
-
-            expect(@winrm.session).to receive(:use).with("localhost", {:user=>"testuser", :password=>"testpassword", :port=>nil, :operation_timeout=>1800, :basic_auth_only=>true, :transport=>:sspinegotiate, :disable_sspi=>false})
+            expect(@winrm.session).to receive(:use).with("localhost", {:user=>"domain\\testuser", :password=>"testpassword", :port=>nil, :operation_timeout=>1800, :basic_auth_only=>false, :transport=>:sspinegotiate, :disable_sspi=>false})
             exit_code = @winrm.run
           end
 
-          it "should have winrm monkey patched for windows" do
+          it "should use the winrm monkey patch for windows" do
+            @winrm.config[:winrm_user] = "domain\\testuser"
             allow(Chef::Platform).to receive(:windows?).and_return(true)
             expect(@winrm).to receive(:require).with('winrm-s')
 
             exit_code = @winrm.run
           end
 
+          context "when domain name not given" do
+            it "should skip winrm monkey patch for windows" do
+              @winrm.config[:winrm_user] = "testuser"
+              allow(Chef::Platform).to receive(:windows?).and_return(true)
+              expect(@winrm).to_not receive(:require).with('winrm-s')
+
+              exit_code = @winrm.run
+            end
+          end
+
+          context "when local domain name given"  do
+            it "should use the winrm monkey patch for windows" do
+              @winrm.config[:winrm_user] = ".\\testuser"
+              allow(Chef::Platform).to receive(:windows?).and_return(true)
+              expect(@winrm).to receive(:require).with('winrm-s')
+
+              exit_code = @winrm.run
+            end
+          end
+
           it "should not have winrm opts transport set to sspinegotiate for unix" do
             allow(Chef::Platform).to receive(:windows?).and_return(false)
 
@@ -195,4 +216,4 @@ describe Chef::Knife::Winrm do
       end
     end
   end
-end  
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: knife-windows
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.8.2.rc.0
 platform: ruby
 authors:
 - Seth Chisamore
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-10-06 00:00:00.000000000 Z
+date: 2014-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: winrm-s
@@ -102,9 +102,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 1.9.1
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ! '>'
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.1.11