knife-winops 2.0.0

data/lib/chef/knife/knife_windows_base.rb

@@ -0,0 +1,33 @@
+#
+# Original knife-windows author:: Aliasgar Batterywala (<aliasgar.batterywala@clogeny.com>)
+# Copyright:: Copyright (c) 2015-2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  class Knife
+    module KnifeWindowsBase
+
+      def locate_config_value(key)
+        key = key.to_sym
+        value = config[key] || Chef::Config[:knife][key] || default_config[key]
+        Chef::Log.debug("Looking for key #{key} and found value #{value}")
+        value
+      end
+
+    end
+  end
+end
+

data/lib/chef/knife/windows_cert_generate.rb

@@ -0,0 +1,155 @@
+# Original knife-windows author:: Mukta Aphale (<mukta.aphale@clogeny.com>)
+# Copyright:: Copyright (c) 2014-2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/knife'
+require 'chef/knife/winrm_base'
+require 'openssl'
+require 'socket'
+
+class Chef
+  class Knife
+    class WindowsCertGenerate < Knife
+
+      attr_accessor :thumbprint, :hostname
+
+      banner "knife windows cert generate FILE_PATH (options)"
+
+      option :hostname,
+        :short => "-H HOSTNAME",
+        :long => "--hostname HOSTNAME",
+        :description => "Use to specify the hostname for the listener.
+        For example, --hostname something.mydomain.com or *.mydomain.com.",
+        :required => true
+
+      option :output_file,
+        :short => "-o PATH",
+        :long => "--output-file PATH",
+        :description => "Specifies the file path at which to generate the 3 certificate files of type .pfx, .b64, and .pem. The default is './winrmcert'.",
+        :default => "winrmcert"
+
+      option :key_length,
+        :short => "-k LENGTH",
+        :long => "--key-length LENGTH",
+        :description => "Default is 2048",
+        :default => "2048"
+
+      option :cert_validity,
+        :short => "-cv MONTHS",
+        :long => "--cert-validity MONTHS",
+        :description => "Default is 24 months",
+        :default => "24"
+
+      option :cert_passphrase,
+        :short => "-cp PASSWORD",
+        :long => "--cert-passphrase PASSWORD",
+        :description => "Password for certificate."
+
+      def generate_keypair
+        OpenSSL::PKey::RSA.new(config[:key_length].to_i)
+      end
+
+      def prompt_for_passphrase
+        passphrase = ""
+        begin
+          print "Passphrases do not match.  Try again.\n" unless passphrase.empty?
+          print "Enter certificate passphrase (empty for no passphrase):"
+          passphrase = STDIN.gets
+          return passphrase.strip if passphrase == "\n"
+          print "Enter same passphrase again:"
+          confirm_passphrase = STDIN.gets
+        end until passphrase == confirm_passphrase
+        passphrase.strip
+      end
+
+      def generate_certificate rsa_key
+        @hostname = config[:hostname] if config[:hostname]
+
+        #Create a self-signed X509 certificate from the rsa_key (unencrypted)
+        cert = OpenSSL::X509::Certificate.new
+        cert.version = 2
+        cert.serial = Random.rand(65534) + 1 # 2 digit byte range random number for better security aspect
+
+        cert.subject = OpenSSL::X509::Name.parse "/CN=#{@hostname}"
+        cert.issuer = cert.subject
+        cert.public_key = rsa_key.public_key
+        cert.not_before = Time.now
+        cert.not_after = cert.not_before + 2 * 365 * config[:cert_validity].to_i * 60 * 60 # 2 years validity
+        ef = OpenSSL::X509::ExtensionFactory.new
+        ef.subject_certificate = cert
+        ef.issuer_certificate = cert
+        cert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
+        cert.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false))
+        cert.add_extension(ef.create_extension("extendedKeyUsage", "1.3.6.1.5.5.7.3.1", false))
+        cert.sign(rsa_key, OpenSSL::Digest::SHA1.new)
+        @thumbprint = OpenSSL::Digest::SHA1.new(cert.to_der)
+        cert
+      end
+
+      def write_certificate_to_file(cert, file_path, rsa_key)
+        File.open(file_path + ".pem", "wb") { |f| f.print cert.to_pem }
+        config[:cert_passphrase] = prompt_for_passphrase unless config[:cert_passphrase]
+        pfx = OpenSSL::PKCS12.create("#{config[:cert_passphrase]}", "winrmcert", rsa_key, cert)
+        File.open(file_path + ".pfx", "wb") { |f| f.print pfx.to_der }
+        File.open(file_path + ".b64", "wb") { |f| f.print Base64.strict_encode64(pfx.to_der) }
+      end
+
+      def certificates_already_exist?(file_path)
+        certs_exists = false
+        %w{pem pfx b64}.each do |extn|
+          if !Dir.glob("#{file_path}.*#{extn}").empty?
+            certs_exists = true
+            break
+          end
+        end
+
+        if certs_exists
+          begin
+            confirm("Do you really want to overwrite existing certificates")
+          rescue SystemExit   # Need to handle this as confirming with N/n raises SystemExit exception
+            exit!
+          end
+        end
+      end
+
+      def run
+        STDOUT.sync = STDERR.sync = true
+
+        # takes user specified first cli value as a destination file path for generated cert.
+        file_path = @name_args.empty? ? config[:output_file].sub(/\.(\w+)$/,'') : @name_args.first
+
+        # check if certs already exists at given file path
+        certificates_already_exist? file_path
+
+        begin
+          filename = File.basename(file_path)
+          rsa_key = generate_keypair
+          cert = generate_certificate rsa_key
+          write_certificate_to_file cert, file_path, rsa_key
+          ui.info "Generated Certificates:"
+          ui.info "- #{filename}.pfx - PKCS12 format key pair. Contains public and private keys, can be used with an SSL server."
+          ui.info "- #{filename}.b64 - Base64 encoded PKCS12 key pair. Contains public and private keys, used by some cloud provider API's to configure SSL servers."
+          ui.info "- #{filename}.pem - Base64 encoded public certificate only. Required by the client to connect to the server."
+          ui.info "Certificate Thumbprint: #{@thumbprint.to_s.upcase}"
+        rescue => e
+          puts "ERROR: + #{e}"
+        end
+      end
+
+    end
+  end
+end
+

data/lib/chef/knife/windows_cert_install.rb

@@ -0,0 +1,68 @@
+# Original knife-windows author:: Mukta Aphale (<mukta.aphale@clogeny.com>)
+# Copyright:: Copyright (c) 2014-2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/knife'
+require 'chef/knife/winrm_base'
+
+class Chef
+  class Knife
+    class WindowsCertInstall < Knife
+
+      banner "knife windows cert install CERT [CERT] (options)"
+
+      option :cert_passphrase,
+        :short => "-cp PASSWORD",
+        :long => "--cert-passphrase PASSWORD",
+        :description => "Password for certificate."
+
+      def get_cert_passphrase
+        print "Enter given certificate's passphrase (empty for no passphrase):"
+        passphrase = STDIN.gets
+        passphrase.strip
+      end
+
+      def run
+        STDOUT.sync = STDERR.sync = true
+
+        if Chef::Platform.windows?
+          if @name_args.empty?
+            ui.error "Please specify the certificate path. e.g-  'knife windows cert install <path>"
+            exit 1
+          end
+          file_path = @name_args.first
+          config[:cert_passphrase] = get_cert_passphrase unless config[:cert_passphrase]
+
+          begin
+            ui.info "Adding certificate to the Windows Certificate Store..."
+            result = %x{powershell.exe -Command " '#{config[:cert_passphrase]}' | certutil -importPFX '#{file_path}' AT_KEYEXCHANGE"}
+            if $?.exitstatus == 0
+              ui.info "Certificate added to Certificate Store"
+            else
+              ui.info "Error adding the certificate. Use -VV option for details"
+            end
+            Chef::Log.debug "#{result}"
+          rescue => e
+            puts "ERROR: + #{e}"
+          end
+        else
+          ui.error "Certificate can be installed on Windows system only"
+          exit 1
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/windows_helper.rb

@@ -0,0 +1,36 @@
+#
+# Original knife-windows author:: Chirag Jog (<chirag@clogeny.com>)
+# Copyright:: Copyright (c) 2013-2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/knife'
+require 'chef/knife/winrm'
+require 'chef/knife/bootstrap_windows_ssh'
+require 'chef/knife/bootstrap_windows_winrm'
+require 'chef/knife/wsman_test'
+
+class Chef
+  class Knife
+    class WindowsHelper < Knife
+
+      banner "#{BootstrapWindowsWinrm.banner}\n" +
+              "#{BootstrapWindowsSsh.banner}\n" +
+              "#{Winrm.banner}\n" +
+              "#{WsmanTest.banner}"
+    end
+  end
+end
+

data/lib/chef/knife/windows_listener_create.rb

@@ -0,0 +1,107 @@
+# Original knife-windows author:: Mukta Aphale (<mukta.aphale@clogeny.com>)
+# Copyright:: Copyright (c) 2014-2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/knife'
+require 'chef/knife/winrm_base'
+require 'openssl'
+
+class Chef
+  class Knife
+    class WindowsListenerCreate < Knife
+
+      banner "knife windows listener create (options)"
+
+      option :cert_install,
+        :short => "-c CERT_PATH",
+        :long => "--cert-install CERT_PATH",
+        :description => "Adds specified certificate to the Windows Certificate Store's Local Machine personal store before creating listener."
+
+      option :port,
+        :short => "-p PORT",
+        :long => "--port PORT",
+        :description => "Specify port. Default is 5986",
+        :default => "5986"
+
+      option :hostname,
+        :short => "-h HOSTNAME",
+        :long => "--hostname HOSTNAME",
+        :description => "Hostname on the listener. Default is blank",
+        :default => ""
+
+      option :cert_thumbprint,
+        :short => "-t THUMBPRINT",
+        :long => "--cert-thumbprint THUMBPRINT",
+        :description => "Thumbprint of the certificate. Required only if --cert-install option is not used."
+
+      option :cert_passphrase,
+        :short => "-cp PASSWORD",
+        :long => "--cert-passphrase PASSWORD",
+        :description => "Password for certificate."
+
+      def get_cert_passphrase
+        print "Enter given certificate's passphrase (empty for no passphrase):"
+        passphrase = STDIN.gets
+        passphrase.strip
+      end
+
+      def run
+        STDOUT.sync = STDERR.sync = true
+
+        if Chef::Platform.windows?
+          begin
+            if config[:cert_install]
+              config[:cert_passphrase] = get_cert_passphrase unless config[:cert_passphrase]
+              result = %x{powershell.exe -Command " '#{config[:cert_passphrase]}' | certutil  -importPFX '#{config[:cert_install]}' AT_KEYEXCHANGE"}
+              if $?.exitstatus
+                ui.info "Certificate installed to Certificate Store"
+                result = %x{powershell.exe -Command " echo (Get-PfxCertificate #{config[:cert_install]}).thumbprint "}
+                ui.info "Certificate Thumbprint: #{result}"
+                config[:cert_thumbprint] = result.strip
+              else
+                ui.error "Error installing certificate to Certificate Store"
+                ui.error result
+                exit 1
+              end
+            end
+
+            unless config[:cert_thumbprint]
+              ui.error "Please specify the --cert-thumbprint"
+              exit 1
+            end
+
+            result = %x{winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="#{config[:hostname]}";CertificateThumbprint="#{config[:cert_thumbprint]}";Port="#{config[:port]}"}}
+            Chef::Log.debug result
+
+            if ($?.exitstatus == 0)
+              ui.info "WinRM listener created with Port: #{config[:port]} and CertificateThumbprint: #{config[:cert_thumbprint]}"
+            else
+              ui.error "Error creating WinRM listener. use -VV for more details."
+              exit 1
+            end
+
+          rescue => e
+            puts "ERROR: + #{e}"
+          end
+        else
+          ui.error "WinRM listener can be created on Windows system only"
+          exit 1
+        end
+      end
+
+    end
+  end
+end

data/lib/chef/knife/winrm.rb

@@ -0,0 +1,127 @@
+#
+# Original knife-windows author:: Seth Chisamore (<schisamo@chef.io>)
+# Copyright:: Copyright (c) 2011-2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/knife'
+require 'chef/knife/winrm_knife_base'
+require 'chef/knife/windows_cert_generate'
+require 'chef/knife/windows_cert_install'
+require 'chef/knife/windows_listener_create'
+require 'chef/knife/winrm_session'
+require 'chef/knife/knife_windows_base'
+
+class Chef
+  class Knife
+    class Winrm < Knife
+
+      include Chef::Knife::WinrmCommandSharedFunctions
+      include Chef::Knife::KnifeWindowsBase
+
+      deps do
+        require 'readline'
+        require 'chef/search/query'
+      end
+
+      attr_writer :password
+
+      banner "knife winrm QUERY COMMAND (options)"
+
+      option :returns,
+       :long => "--returns CODES",
+       :description => "A comma delimited list of return codes which indicate success",
+       :default => "0"
+
+      def run
+        STDOUT.sync = STDERR.sync = true
+
+        configure_session
+        exit_status = execute_remote_command
+        if exit_status != 0
+          exit exit_status
+        else
+          exit_status
+        end
+      end
+
+      def execute_remote_command
+        case @name_args[1]
+        when "interactive"
+          interactive
+        else
+          run_command(@name_args[1..-1].join(" "))
+        end
+      end
+
+      private
+
+      def interactive
+        puts "WARN: Deprecated functionality. This will not be supported in future knife-winops releases."
+        puts "Connected to #{ui.list(session.servers.collect { |s| ui.color(s.host, :cyan) }, :inline, " and ")}"
+        puts
+        puts "To run a command on a list of servers, do:"
+        puts "  on SERVER1 SERVER2 SERVER3; COMMAND"
+        puts "  Example: on latte foamy; echo foobar"
+        puts
+        puts "To exit interactive mode, use 'quit!'"
+        puts
+        while 1
+          command = read_line
+          case command
+          when 'quit!'
+            puts 'Bye!'
+            break
+          when /^on (.+?); (.+)$/
+            raw_list = $1.split(" ")
+            server_list = Array.new
+            @winrm_sessions.each do |session_server|
+              server_list << session_server if raw_list.include?(session_server.host)
+            end
+            command = $2
+            relay_winrm_command(command, server_list)
+          else
+            relay_winrm_command(command)
+          end
+        end
+      end
+
+      # Present the prompt and read a single line from the console. It also
+      # detects ^D and returns "exit" in that case. Adds the input to the
+      # history, unless the input is empty. Loops repeatedly until a non-empty
+      # line is input.
+      def read_line
+        loop do
+          command = reader.readline("#{ui.color('knife-winrm>', :bold)} ", true)
+
+          if command.nil?
+            command = "exit"
+            puts(command)
+          else
+            command.strip!
+          end
+
+          unless command.empty?
+            return command
+          end
+        end
+      end
+
+      def reader
+        Readline
+      end
+    end
+  end
+end