knife-windows 1.1.4 → 1.2.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 12b2f640d26c3299271d30e0b81efa2d3ba1baeb
4
- data.tar.gz: 044058207473c385798cc53804bc868f9b95a518
3
+ metadata.gz: 599acd1f40e0ef8a031bbcb96ec118568b90157e
4
+ data.tar.gz: 72276b455ff6f6715792cb3f5d2df75403444fa3
5
5
  SHA512:
6
- metadata.gz: d97b93a2bee443dd25dfdc6581473372807d56ed25fa1b1de85a22c3833ebf071773dc0eab7aba35fc8dbf01a0e685095170f6dc37f5897ec778f162ee55ea75
7
- data.tar.gz: 84a0ec562d1bc403475b0bc499e5f21e2b57135df36d9c095cbc150ced5e6bb63a37d792d0390086beea8f81bb195d73fc44998c256c042cca7359488dd72038
6
+ metadata.gz: 3f5f3ed4dd0949f6f2f833f7700be47097eb651fb43d0989033c953dd4f7cb11ebeca824278267cfe85bf5e7f49de77e1daaa5a2b983eac9efbfaab7030486a5
7
+ data.tar.gz: cb991cacc4a6a6048e8d55dee16195ac3c37349d0cbf7ffcaf4d4ea4e9ebb42c39fb58e9992dd8aae9c54f6d69cb65e772d40bf0b9b3ccc350079c99d9fc17b7
data/CHANGELOG.md CHANGED
@@ -1,5 +1,8 @@
1
1
  # knife-windows Change Log
2
2
 
3
+ ## Release 1.2.0
4
+ * [knife-windows #334](https://github.com/chef/knife-windows/pull/334)Uses Negotiate authentication via winrm 1.6 on both windows and linux and drops winrm-s dependency
5
+
3
6
  ## Release 1.1.4
4
7
  * Bumps winrm-s and winrm dependencies to address a winrm-s incompatibility bug with winrm 1.5
5
8
 
data/DOC_CHANGES.md CHANGED
@@ -5,16 +5,10 @@ Example Doc Change:
5
5
  ### Headline for the required change
6
6
  Description of the required change.
7
7
  -->
8
- # knife-windows 1.1.0 doc changes
8
+ # knife-windows 1.2.0 doc changes
9
9
 
10
- ### Support for `http_proxy` setting for `winrm` and `bootstrap windows winrm` subcommands
10
+ ### Support for NTLM/Negotiate on both windows and linux
11
11
 
12
- Both the `knife winrm` and `knife bootstrap windows winrm` subcommands
13
- will honor the `http_proxy` configuration in the `knife.rb`
14
- configuration file.
15
-
16
- When this setting is configured, the `WinRM` traffic between the
17
- workstation executing `knife` and the remote node will flow through
18
- the proxy server configured with `http_proxy`. See the specific
19
- documentation for `http_proxy` for additional details.
12
+ This release makes no changes to the command line interface, but users should now be aware that Negotiate authentication and encryption over plaintext HTTP now works on linux in addition to windows.
20
13
 
14
+ Users who use knife-windows to bootstrap nodes over plaintext HTTP should also be aware that they no longer need, and in fact should not, configure base images enabling `basic_auth` or enabling `AllowUnencrypted` in their winrm configuration.
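Review bot: the added paragraph about plaintext HTTP tells users not to build base images with `basic_auth` or `AllowUnencrypted` enabled, but it gives no guidance for images that already have them enabled. Suggest adding a sentence that both settings can be switched back off once the workstation runs 1.2.0. The statement "no changes to the command line interface" could also note that the same command line now produces encrypted traffic on linux, where the removed warning described it as unencrypted.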
data/README.md CHANGED
@@ -282,16 +282,12 @@ remote system's certificate can subject knife commands to spoofing attacks.
282
282
  ## WinRM authentication
283
283
 
284
284
  The default authentication protocol for `knife-windows` subcommands that use
285
- WinRM is the Negotiate protocol. The following commands when executed on a
286
- Windows system show authentication for domain and local accounts respectively:
285
+ WinRM is the Negotiate protocol. The following commands show authentication for domain and local accounts respectively:
287
286
 
288
287
  knife bootstrap windows winrm web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password"
289
288
  knife bootstrap windows winrm db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password"
290
289
 
291
- The commands above are using the default plaintext transport for WinRM --
292
- the default of Negotiate authentication may not be fully supported on
293
- non-Windows systems using the plaintext transport. To work around this, the
294
- remote system can be configured with an SSL WinRM listener instead of a
290
+ The remote system may also be configured with an SSL WinRM listener instead of a
295
291
  plaintext listener. Then the above commands should be modified to use the SSL
296
292
  transport as follows using the `-t` (or `--winrm-transport`) option with the
297
293
  `ssl` argument:
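Review bot: in the paragraph after the two example commands, the deleted text was the only place that said those examples run over the plaintext transport, so the new "may also be configured with an SSL WinRM listener" no longer has anything to contrast with. Suggest keeping one sentence stating that the commands above use the default plaintext transport with Negotiate, and that this combination is encrypted on both windows and linux as DOC_CHANGES.md describes.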
@@ -299,20 +295,16 @@ transport as follows using the `-t` (or `--winrm-transport`) option with the
299
295
  knife bootstrap windows winrm -t ssl web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password" -f ~/mycert.crt
300
296
  knife bootstrap windows winrm -t ssl db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password" ~/mycert.crt
301
297
 
302
- The commands using SSL above will work from any operating system, not
303
- just Windows.
304
-
305
298
  ### Troubleshooting authentication
306
299
 
307
- For development and testing purposes, unencrypted traffic with Basic
308
- authentication can make it easier to test connectivity. The configuration for
300
+ Unencrypted traffic with Basic authentication should only be used for low level wire protocol debugging. The configuration for plain text connectivity to
309
301
  the remote system may be accomplished with the following PowerShell commands:
310
302
 
311
303
  ```powershell
312
304
  set-item wsman:\localhost\service\allowunencrypted $true
313
305
  set-item wsman:\localhost\service\auth\basic $true
314
306
  ```
315
- To test connectivity via `knife-windows` from another system, the default
307
+ To use basic authentication connectivity via `knife-windows`, the default
316
308
  authentication protocol of Negotiate must be overridden using the
317
309
  `--winrm-authentication-protocol` option with the desired protocol, in this
318
310
  case Basic:
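Review bot: the troubleshooting paragraph now limits Basic over unencrypted traffic to wire protocol debugging, but the PowerShell block only shows how to turn `allowunencrypted` and `basic` on. Suggest adding the matching commands that set both back to `$false`, so a debugging configuration is not left in place on the remote system. Separately, in the unchanged context the second `-t ssl` example passes `~/mycert.crt` without the `-f` used in the first example.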
@@ -325,24 +317,13 @@ authentication; an account local to the remote system must be used.
325
317
  ### Platform WinRM authentication support
326
318
 
327
319
  `knife-windows` supports `Kerberos`, `Negotiate`, and `Basic` authentication
328
- for WinRM communication. However, some of these protocols
329
- may not work with `knife-windows` on non-Windows systems because
330
- `knife-windows` relies on operating system libraries such as GSSAPI to implement
331
- Windows authentication, and some versions of these libraries do not
332
- fully implement the protocols.
320
+ for WinRM communication.
333
321
 
334
322
  The following table shows the authentication protocols that can be used with
335
323
  `knife-windows` depending on whether the knife workstation is a Windows
336
324
  system, the transport, and whether or not the target user is a domain user or
337
325
  local to the target Windows system.
338
326
 
339
- | Workstation OS / Account Scope | SSL | Plaintext |
340
- |--------------------------------|------------------------------|----------------------------|
341
- | Windows / Local | Kerberos, Negotiate* , Basic | Kerberos, Negotiate, Basic |
342
- | Windows / Domain | Kerberos, Negotiate | Kerberos, Negotiate |
343
- | Non-Windows / Local | Kerberos, [Negotiate*](https://github.com/chef/knife-windows/issues/176) Basic | Kerberos, Basic |
344
- | Non-Windows / Domain | Kerberos, Negotiate | Kerberos |
345
-
346
327
  > \* There is a known defect in the `knife winrm` and `knife bootstrap windows
347
328
  > winrm` subcommands invoked on any OS platform when authenticating with the Negotiate protocol over
348
329
  > the SSL transport. The defect is tracked by
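Review bot: the protocol table is deleted, but the unchanged sentence "The following table shows the authentication protocols that can be used with `knife-windows`..." and the `> \*` footnote that was attached to `Negotiate*` in that table are both kept, so they now refer to nothing. Suggest removing or rewording the lead-in sentence and rewriting the footnote as a standalone known-defect note.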
@@ -354,9 +335,7 @@ local to the target Windows system.
354
335
  > This is generally not an issue for bootstrap scenarios, where the
355
336
  > system has yet to be joined to any domain, but can be a problem for remote
356
337
  > management cases after the system is domain joined. Workarounds include using
357
- > a domain account instead, or enabling Basic authentication on the remote
358
- > system (unencrypted communication **does not** need to be enabled to make
359
- > Basic authentication function over SSL).
338
+ > a domain account instead or bypassing SSL and using Negotiate authentication.
360
339
 
361
340
  ## General troubleshooting
362
341
 
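Review bot: the new workaround "bypassing SSL and using Negotiate authentication" gives up the remote certificate check that the SSL transport provides, and the sentence does not say so. Suggest stating that this option relies on Negotiate's own encryption over the plaintext transport, so readers who need an SSL listener know to use the domain account workaround instead.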
@@ -14,8 +14,7 @@ Gem::Specification.new do |s|
14
14
  s.description = s.summary
15
15
 
16
16
  s.required_ruby_version = ">= 1.9.1"
17
- s.add_dependency "winrm", "~> 1.5"
18
- s.add_dependency "winrm-s", "~> 0.3.4"
17
+ s.add_dependency "winrm", "~> 1.6"
19
18
  s.add_dependency "nokogiri"
20
19
 
21
20
  s.add_development_dependency 'pry'
@@ -51,17 +51,6 @@ class Chef
51
51
  exit 1
52
52
  end
53
53
 
54
- if negotiate_auth? && !Chef::Platform.windows? && !(locate_config_value(:winrm_transport) == 'ssl')
55
- ui.warn <<-eos.gsub /^\s+/, ""
56
- You are using '--winrm-authentication-protocol negotiate' with
57
- '--winrm-transport plaintext' on a non-Windows system which results in
58
- unencrypted traffic. To avoid this warning and secure communication,
59
- use '--winrm-transport ssl' instead of the plaintext transport,
60
- or execute this command from a Windows system which enables encrypted
61
- communication over plaintext with the negotiate authentication protocol.
62
- eos
63
- end
64
-
65
54
  warn_no_ssl_peer_verification if resolve_no_ssl_peer_verification
66
55
  end
67
56
 
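Review bot: with the Negotiate warning deleted, the only warning left in this method is `warn_no_ssl_peer_verification`, so nothing warns when traffic really is unencrypted, which per the README is now Basic authentication over the plaintext transport. Suggest keeping a `ui.warn` for that combination instead of removing the unencrypted-traffic warning altogether.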
@@ -259,8 +248,8 @@ class Chef
259
248
  transport = locate_config_value(:winrm_transport).to_sym
260
249
  if config.any? {|k,v| k.to_s =~ /kerberos/ && !v.nil? }
261
250
  transport = :kerberos
262
- elsif Chef::Platform.windows? && transport != :ssl && negotiate_auth?
263
- transport = :sspinegotiate
251
+ elsif transport != :ssl && negotiate_auth?
252
+ transport = :negotiate
264
253
  end
265
254
 
266
255
  transport
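Review bot: `elsif transport != :ssl && negotiate_auth?` treats every value other than `:ssl` as plaintext, so unless the value is validated outside the visible lines, a mistyped `--winrm-transport` argument is silently turned into `:negotiate`. Suggest testing `transport == :plaintext` here, or rejecting unknown transport values before this branch.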
@@ -271,7 +260,7 @@ class Chef
271
260
  end
272
261
 
273
262
  def resolve_winrm_disable_sspi
274
- !Chef::Platform.windows? || resolve_winrm_transport == :ssl || !negotiate_auth?
263
+ resolve_winrm_transport != :negotiate
275
264
  end
276
265
 
277
266
  def get_password
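Review bot: `resolve_winrm_disable_sspi` is now just `resolve_winrm_transport != :negotiate`, yet the method name still refers to SSPI although the `Chef::Platform.windows?` check is gone and winrm-s is dropped. Suggest a comment stating whether the `disable_sspi` option is still read by anything after the move to winrm 1.6, and removing the method if it is not.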
@@ -41,7 +41,6 @@ class Chef
41
41
  Chef::Log.debug("Endpoint: #{endpoint}")
42
42
  Chef::Log.debug("Transport: #{options[:transport]}")
43
43
 
44
- WinrmSession.load_windows_specific_gems if options[:transport] == :sspinegotiate
45
44
  @winrm_session = WinRM::WinRMWebService.new(@endpoint, options[:transport], opts)
46
45
  @winrm_session.set_timeout(options[:operation_timeout]) if options[:operation_timeout]
47
46
  end
@@ -83,12 +82,6 @@ class Chef
83
82
  Chef::Application.new.configure_proxy_environment_variables
84
83
  end
85
84
  end
86
-
87
- def self.load_windows_specific_gems
88
- #checking for windows in case testing on linux
89
- require 'winrm-s'
90
- Chef::Log.debug("Applied 'winrm-s' monkey patch and trying WinRM communication with 'sspinegotiate'")
91
- end
92
85
  end
93
86
  end
94
87
  end
@@ -1,6 +1,6 @@
1
1
  module Knife
2
2
  module Windows
3
- VERSION = "1.1.4"
3
+ VERSION = "1.2.0"
4
4
  MAJOR, MINOR, TINY = VERSION.split('.')
5
5
  end
6
6
  end
@@ -38,15 +38,6 @@ describe Chef::Knife::WinrmSession do
38
38
  subject { Chef::Knife::WinrmSession.new(options) }
39
39
 
40
40
  describe "#initialize" do
41
- context "when using sspinegotiate transport" do
42
- let(:options) { { transport: :sspinegotiate } }
43
-
44
- it "uses winrm-s" do
45
- expect(Chef::Knife::WinrmSession).to receive(:load_windows_specific_gems)
46
- subject
47
- end
48
- end
49
-
50
41
  context "when a proxy is configured" do
51
42
  let(:proxy_uri) { 'blah.com' }
52
43
 
@@ -233,7 +233,7 @@ describe Chef::Knife::Winrm do
233
233
 
234
234
  it "defaults to negotiate when on a Windows host" do
235
235
  expect(Chef::Knife::WinrmSession).to receive(:new) do |opts|
236
- expect(opts[:transport]).to eq(:sspinegotiate)
236
+ expect(opts[:transport]).to eq(:negotiate)
237
237
  end.and_return(winrm_session)
238
238
  subject.configure_session
239
239
  end
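Review bot: the example is still titled "defaults to negotiate when on a Windows host", but the expectation `eq(:negotiate)` no longer depends on the platform. Suggest renaming it, or adding the same expectation with `Chef::Platform.windows?` stubbed to return false.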
@@ -471,23 +471,22 @@ describe Chef::Knife::Winrm do
471
471
  allow(@winrm).to receive(:relay_winrm_command).and_return(0)
472
472
  end
473
473
 
474
- it "sets sspinegotiate transport on windows for 'negotiate' authentication" do
474
+ it "sets negotiate transport on windows for 'negotiate' authentication" do
475
475
  @winrm.config[:winrm_authentication_protocol] = "negotiate"
476
476
  allow(Chef::Platform).to receive(:windows?).and_return(true)
477
477
  allow(Chef::Knife::WinrmSession).to receive(:new) do |opts|
478
478
  expect(opts[:disable_sspi]).to be(false)
479
- expect(opts[:transport]).to be(:sspinegotiate)
479
+ expect(opts[:transport]).to be(:negotiate)
480
480
  end.and_return(session)
481
481
  @winrm.run
482
482
  end
483
483
 
484
- it "does not have winrm opts transport set to sspinegotiate for unix" do
484
+ it "sets negotiate transport on unix for 'negotiate' authentication" do
485
485
  @winrm.config[:winrm_authentication_protocol] = "negotiate"
486
486
  allow(Chef::Platform).to receive(:windows?).and_return(false)
487
- allow(@winrm).to receive(:exit)
488
487
  allow(Chef::Knife::WinrmSession).to receive(:new) do |opts|
489
- expect(opts[:disable_sspi]).to be(true)
490
- expect(opts[:transport]).to be(:plaintext)
488
+ expect(opts[:disable_sspi]).to be(false)
489
+ expect(opts[:transport]).to be(:negotiate)
491
490
  end.and_return(session)
492
491
  @winrm.run
493
492
  end
@@ -506,46 +505,12 @@ describe Chef::Knife::Winrm do
506
505
  @winrm.run
507
506
  end
508
507
 
509
- it "applies winrm monkey patch on windows if 'negotiate' authentication and 'plaintext' transport is specified", :windows_only => true do
510
- @winrm.config[:winrm_authentication_protocol] = "negotiate"
511
- allow(Chef::Platform).to receive(:windows?).and_return(true)
512
- allow(@winrm.ui).to receive(:warn)
513
- @winrm.run
514
- end
515
-
516
508
  it "raises an error if value is other than [basic, negotiate, kerberos]" do
517
509
  @winrm.config[:winrm_authentication_protocol] = "invalid"
518
510
  allow(Chef::Platform).to receive(:windows?).and_return(true)
519
511
  expect(@winrm.ui).to receive(:error)
520
512
  expect { @winrm.run }.to raise_error(SystemExit)
521
513
  end
522
-
523
- it "skips the winrm monkey patch for 'basic' authentication" do
524
- @winrm.config[:winrm_authentication_protocol] = "basic"
525
- allow(Chef::Platform).to receive(:windows?).and_return(true)
526
- @winrm.run
527
- end
528
-
529
- it "skips the winrm monkey patch for 'kerberos' authentication" do
530
- @winrm.config[:winrm_authentication_protocol] = "kerberos"
531
- allow(Chef::Platform).to receive(:windows?).and_return(true)
532
- @winrm.run
533
- end
534
-
535
- it "skips the winrm monkey patch for 'ssl' transport and 'negotiate' authentication" do
536
- @winrm.config[:winrm_authentication_protocol] = "negotiate"
537
- @winrm.config[:winrm_transport] = "ssl"
538
- allow(Chef::Platform).to receive(:windows?).and_return(true)
539
- @winrm.run
540
- end
541
-
542
- it "prints a warning on linux for unencrypted negotiate authentication" do
543
- @winrm.config[:winrm_authentication_protocol] = "negotiate"
544
- @winrm.config[:winrm_transport] = "plaintext"
545
- allow(Chef::Platform).to receive(:windows?).and_return(false)
546
- expect(@winrm.ui).to receive(:warn).once
547
- expect { @winrm.run }.to_not raise_error(SystemExit)
548
- end
549
514
  end
550
515
  end
551
516
  end
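Review bot: the deleted examples include the only visible case that sets `winrm_transport` to "ssl" together with `negotiate`, and that example had no expectation in it. Suggest replacing it with one that asserts `opts[:transport]` is `:ssl` and `opts[:disable_sspi]` is `true`, since `resolve_winrm_transport` still special-cases `:ssl` and `resolve_winrm_disable_sspi` now depends on its result.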
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: knife-windows
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.4
4
+ version: 1.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Seth Chisamore
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2016-01-15 00:00:00.000000000 Z
11
+ date: 2016-01-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: winrm
@@ -16,28 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - "~>"
18
18
  - !ruby/object:Gem::Version
19
- version: '1.5'
19
+ version: '1.6'
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - "~>"
25
25
  - !ruby/object:Gem::Version
26
- version: '1.5'
27
- - !ruby/object:Gem::Dependency
28
- name: winrm-s
29
- requirement: !ruby/object:Gem::Requirement
30
- requirements:
31
- - - "~>"
32
- - !ruby/object:Gem::Version
33
- version: 0.3.4
34
- type: :runtime
35
- prerelease: false
36
- version_requirements: !ruby/object:Gem::Requirement
37
- requirements:
38
- - - "~>"
39
- - !ruby/object:Gem::Version
40
- version: 0.3.4
26
+ version: '1.6'
41
27
  - !ruby/object:Gem::Dependency
42
28
  name: nokogiri
43
29
  requirement: !ruby/object:Gem::Requirement