knife-winops 2.0.0

data/lib/chef/knife/winrm_base.rb

@@ -0,0 +1,128 @@
+#
+# Original knife-windows author:: Seth Chisamore (<schisamo@chef.io>)
+# Copyright:: Copyright (c) 2011-2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/knife'
+require 'chef/encrypted_data_bag_item'
+require 'kconv'
+
+class Chef
+  class Knife
+    module WinrmBase
+
+      # It includes supported WinRM authentication protocol.
+      WINRM_AUTH_PROTOCOL_LIST ||= %w{basic negotiate kerberos}
+
+      # :nodoc:
+      # Would prefer to do this in a rational way, but can't be done b/c of
+      # Mixlib::CLI's design :(
+      def self.included(includer)
+        includer.class_eval do
+
+          deps do
+            require 'readline'
+            require 'chef/json_compat'
+          end
+
+          option :winrm_user,
+            :short => "-x USERNAME",
+            :long => "--winrm-user USERNAME",
+            :description => "The WinRM username",
+            :default => "Administrator",
+            :proc => Proc.new { |key| Chef::Config[:knife][:winrm_user] = key }
+
+          option :winrm_password,
+            :short => "-P PASSWORD",
+            :long => "--winrm-password PASSWORD",
+            :description => "The WinRM password",
+            :proc => Proc.new { |key| Chef::Config[:knife][:winrm_password] = key }
+
+          option :winrm_shell,
+            :long => "--winrm-shell SHELL",
+            :description => "The WinRM shell type. Valid choices are [cmd, powershell, elevated]. 'elevated' runs powershell in a scheduled task",
+            :default => :cmd,
+            :proc => Proc.new { |shell| shell.to_sym }
+
+          option :winrm_transport,
+            :short => "-w TRANSPORT",
+            :long => "--winrm-transport TRANSPORT",
+            :description => "The WinRM transport type. Valid choices are [ssl, plaintext]",
+            :default => 'plaintext',
+            :proc => Proc.new { |transport| Chef::Config[:knife][:winrm_port] = '5986' if transport == 'ssl'
+                                Chef::Config[:knife][:winrm_transport] = transport }
+
+          option :winrm_port,
+            :short => "-p PORT",
+            :long => "--winrm-port PORT",
+            :description => "The WinRM port, by default this is '5985' for 'plaintext' and '5986' for 'ssl' winrm transport",
+            :default => '5985',
+            :proc => Proc.new { |key| Chef::Config[:knife][:winrm_port] = key }
+
+          option :kerberos_keytab_file,
+            :short => "-T KEYTAB_FILE",
+            :long => "--keytab-file KEYTAB_FILE",
+            :description => "The Kerberos keytab file used for authentication",
+            :proc => Proc.new { |keytab| Chef::Config[:knife][:kerberos_keytab_file] = keytab }
+
+          option :kerberos_realm,
+            :short => "-R KERBEROS_REALM",
+            :long => "--kerberos-realm KERBEROS_REALM",
+            :description => "The Kerberos realm used for authentication",
+            :proc => Proc.new { |realm| Chef::Config[:knife][:kerberos_realm] = realm }
+
+          option :kerberos_service,
+            :short => "-S KERBEROS_SERVICE",
+            :long => "--kerberos-service KERBEROS_SERVICE",
+            :description => "The Kerberos service used for authentication",
+            :proc => Proc.new { |service| Chef::Config[:knife][:kerberos_service] = service }
+
+          option :ca_trust_file,
+            :short => "-f CA_TRUST_FILE",
+            :long => "--ca-trust-file CA_TRUST_FILE",
+            :description => "The Certificate Authority (CA) trust file used for SSL transport",
+            :proc => Proc.new { |trust| Chef::Config[:knife][:ca_trust_file] = trust }
+
+          option :winrm_ssl_verify_mode,
+            :long => "--winrm-ssl-verify-mode SSL_VERIFY_MODE",
+            :description => "The WinRM peer verification mode. Valid choices are [verify_peer, verify_none]",
+            :default => :verify_peer,
+            :proc => Proc.new { |verify_mode| verify_mode.to_sym }
+
+          option :ssl_peer_fingerprint,
+            :long => "--ssl-peer-fingerprint FINGERPRINT",
+            :description => "ssl Cert Fingerprint to bypass normal cert chain checks"
+
+          option :winrm_authentication_protocol,
+            :long => "--winrm-authentication-protocol AUTHENTICATION_PROTOCOL",
+            :description => "The authentication protocol used during WinRM communication. The supported protocols are #{WINRM_AUTH_PROTOCOL_LIST.join(',')}. Default is 'negotiate'.",
+            :default => "negotiate",
+            :proc => Proc.new { |protocol| Chef::Config[:knife][:winrm_authentication_protocol] = protocol }
+
+          option :session_timeout,
+            :long => "--session-timeout Minutes",
+            :description => "The timeout for the client for the maximum length of the WinRM session",
+            :default => 30
+
+          option :winrm_codepage,
+            :long => "--winrm-codepage Codepage",
+            :description => "The codepage to use for the winrm cmd shell",
+            :default => 65001
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/winrm_knife_base.rb

@@ -0,0 +1,315 @@
+#
+# Original knife-windows author:: Steven Murawski (<smurawski@chef.io)
+# Copyright:: Copyright (c) 2015-2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+require 'chef/knife'
+require 'chef/knife/winrm_base'
+require 'chef/knife/winrm_shared_options'
+require 'chef/knife/knife_windows_base'
+
+class Chef
+  class Knife
+    module WinrmCommandSharedFunctions
+
+      FAILED_BASIC_HINT ||= "Hint: Please check winrm configuration 'winrm get winrm/config/service' AllowUnencrypted flag on remote server."
+      FAILED_NOT_BASIC_HINT ||= <<-eos.gsub /^\s+/, ""
+        Hint: Make sure to prefix domain usernames with the correct domain name.
+        Hint: Local user names should be prefixed with computer name or IP address.
+        EXAMPLE: my_domain\\user_namer
+      eos
+
+      def self.included(includer)
+        includer.class_eval do
+
+          @@ssl_warning_given = false
+
+          include Chef::Knife::WinrmBase
+          include Chef::Knife::WinrmSharedOptions
+          include Chef::Knife::KnifeWindowsBase
+
+          def validate_winrm_options!
+            winrm_auth_protocol = locate_config_value(:winrm_authentication_protocol)
+
+            if ! Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.include?(winrm_auth_protocol)
+              ui.error "Invalid value '#{winrm_auth_protocol}' for --winrm-authentication-protocol option."
+              ui.info "Valid values are #{Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.join(",")}."
+              exit 1
+            end
+
+            warn_no_ssl_peer_verification if resolve_no_ssl_peer_verification
+          end
+
+          #Overrides Chef::Knife#configure_session, as that code is tied to the SSH implementation
+          #Tracked by Issue # 3042 / https://github.com/chef/chef/issues/3042
+          def configure_session
+            validate_winrm_options!
+            resolve_session_options
+            resolve_target_nodes
+            session_from_list
+          end
+
+          def resolve_target_nodes
+            @list = case config[:manual]
+                   when true
+                     @name_args[0].split(" ")
+                   when false
+                     r = Array.new
+                     q = Chef::Search::Query.new
+                     @action_nodes = q.search(:node, @name_args[0])[0]
+                     @action_nodes.each do |item|
+                       i = extract_nested_value(item, config[:attribute])
+                       r.push(i) unless i.nil?
+                     end
+                     r
+                   end
+
+             if @list.length == 0
+              if @action_nodes.length == 0
+                ui.fatal("No nodes returned from search!")
+              else
+                ui.fatal("#{@action_nodes.length} #{@action_nodes.length > 1 ? "nodes":"node"} found, " +
+                         "but does not have the required attribute (#{config[:attribute]}) to establish the connection. " +
+                         "Try setting another attribute to open the connection using --attribute.")
+              end
+              exit 10
+            end
+          end
+
+          # TODO: Copied from Knife::Core:GenericPresenter. Should be extracted
+          def extract_nested_value(data, nested_value_spec)
+            nested_value_spec.split(".").each do |attr|
+              if data.nil?
+                nil # don't get no method error on nil
+              elsif data.respond_to?(attr.to_sym)
+                data = data.send(attr.to_sym)
+              elsif data.respond_to?(:[])
+                data = data[attr]
+              else
+                data = begin
+                         data.send(attr.to_sym)
+                       rescue NoMethodError
+                         nil
+                       end
+              end
+            end
+            ( !data.kind_of?(Array) && data.respond_to?(:to_hash) ) ? data.to_hash : data
+          end
+
+          def run_command(command = '')
+            relay_winrm_command(command)
+            check_for_errors!
+            @exit_code
+          end
+
+          def relay_winrm_command(command)
+            Chef::Log.debug(command)
+            @session_results = []
+
+            queue = Queue.new
+            @winrm_sessions.each { |s| queue << s }
+            # These nils will kill the Threads once no more sessions are left
+            locate_config_value(:concurrency).times { queue << nil }
+
+            threads = []
+            locate_config_value(:concurrency).times do
+              threads << Thread.new do
+                while session = queue.pop
+                  run_command_in_thread(session, command)
+                end
+              end
+            end
+            threads.map(&:join)
+            @session_results
+          end
+
+          private
+
+          def run_command_in_thread(s, command)
+            @session_results << s.relay_command(command)
+          rescue WinRM::WinRMHTTPTransportError, WinRM::WinRMAuthorizationError => e
+            if authorization_error?(e)
+              if ! config[:suppress_auth_failure]
+                # Display errors if the caller hasn't opted to retry
+                ui.error "Failed to authenticate to #{s.host} as #{locate_config_value(:winrm_user)}"
+                ui.info "Response: #{e.message}"
+                ui.info get_failed_authentication_hint
+                raise e
+              end
+            else
+              raise e
+            end
+          end
+
+          def get_failed_authentication_hint
+            if @session_opts[:basic_auth_only]
+              FAILED_BASIC_HINT
+            else
+              FAILED_NOT_BASIC_HINT
+            end
+          end
+
+          def authorization_error?(exception)
+            exception.is_a?(WinRM::WinRMAuthorizationError) ||
+              exception.message =~ /401/
+          end
+
+          def check_for_errors!
+            @exit_code ||= 0
+            @winrm_sessions.each do |session|
+              session_exit_code = session.exit_code
+              unless success_return_codes.include? session_exit_code.to_i
+                @exit_code = [@exit_code, session_exit_code.to_i].max
+                ui.error "Failed to execute command on #{session.host} return code #{session_exit_code}"
+              end
+            end
+          end
+
+          def success_return_codes
+            #Redundant if the CLI options parsing occurs
+            return [0] unless config[:returns]
+            return @success_return_codes ||= config[:returns].split(',').collect {|item| item.to_i}
+          end
+
+          def session_from_list
+            @list.each do |item|
+              Chef::Log.debug("Adding #{item}")
+              @session_opts[:host] = item
+              create_winrm_session(@session_opts)
+            end
+          end
+
+          def create_winrm_session(options={})
+            session = Chef::Knife::WinrmSession.new(options)
+            @winrm_sessions ||= []
+            @winrm_sessions.push(session)
+          end
+
+          def resolve_session_options
+            @session_opts = {
+              user: resolve_winrm_user,
+              password: locate_config_value(:winrm_password),
+              port: locate_config_value(:winrm_port),
+              operation_timeout: resolve_winrm_session_timeout,
+              basic_auth_only: resolve_winrm_basic_auth,
+              disable_sspi: resolve_winrm_disable_sspi,
+              transport: resolve_winrm_transport,
+              no_ssl_peer_verification: resolve_no_ssl_peer_verification,
+              ssl_peer_fingerprint: resolve_ssl_peer_fingerprint,
+              shell: locate_config_value(:winrm_shell),
+              codepage: locate_config_value(:winrm_codepage)
+            }
+
+            if @session_opts[:user] and (not @session_opts[:password])
+              @session_opts[:password] = Chef::Config[:knife][:winrm_password] = config[:winrm_password] = get_password
+            end
+
+            if @session_opts[:transport] == :kerberos
+              @session_opts.merge!(resolve_winrm_kerberos_options)
+            end
+
+            @session_opts[:ca_trust_path] = locate_config_value(:ca_trust_file) if locate_config_value(:ca_trust_file)
+          end
+
+          def resolve_winrm_user
+            user = locate_config_value(:winrm_user)
+
+            # Prefixing with '.\' when using negotiate
+            # to auth user against local machine domain
+            if resolve_winrm_basic_auth ||
+              resolve_winrm_transport == :kerberos ||
+              user.include?("\\") ||
+              user.include?("@")
+              user
+            else
+              ".\\#{user}"
+            end
+          end
+
+          def resolve_winrm_session_timeout
+            #30 min (Default) OperationTimeout for long bootstraps fix for KNIFE_WINDOWS-8
+            locate_config_value(:session_timeout).to_i * 60 if locate_config_value(:session_timeout)
+          end
+
+          def resolve_winrm_basic_auth
+            locate_config_value(:winrm_authentication_protocol) == "basic"
+          end
+
+          def resolve_winrm_kerberos_options
+            kerberos_opts = {}
+            kerberos_opts[:keytab] = locate_config_value(:kerberos_keytab_file) if locate_config_value(:kerberos_keytab_file)
+            kerberos_opts[:realm] = locate_config_value(:kerberos_realm) if locate_config_value(:kerberos_realm)
+            kerberos_opts[:service] = locate_config_value(:kerberos_service) if locate_config_value(:kerberos_service)
+            kerberos_opts
+          end
+
+          def resolve_winrm_transport
+            transport = locate_config_value(:winrm_transport).to_sym
+            if config.any? {|k,v| k.to_s =~ /kerberos/ && !v.nil? }
+              transport = :kerberos
+            elsif transport != :ssl && negotiate_auth?
+              transport = :negotiate
+            end
+
+            transport
+          end
+
+          def resolve_no_ssl_peer_verification
+            locate_config_value(:ca_trust_file).nil? && config[:winrm_ssl_verify_mode] == :verify_none && resolve_winrm_transport == :ssl
+          end
+
+          def resolve_ssl_peer_fingerprint
+            locate_config_value(:ssl_peer_fingerprint)
+          end
+
+          def resolve_winrm_disable_sspi
+            resolve_winrm_transport != :negotiate
+          end
+
+          def get_password
+            @password ||= ui.ask("Enter your password: ") { |q| q.echo = false }
+          end
+
+          def negotiate_auth?
+            locate_config_value(:winrm_authentication_protocol) == "negotiate"
+          end
+
+          def warn_no_ssl_peer_verification
+            if ! @@ssl_warning_given
+              @@ssl_warning_given = true
+              ui.warn(<<-WARN)
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+SSL validation of HTTPS requests for the WinRM transport is disabled. HTTPS WinRM
+connections are still encrypted, but knife is not able to detect forged replies
+or spoofing attacks.
+
+To fix this issue add an entry like this to your knife configuration file:
+
+```
+  # Verify all WinRM HTTPS connections (default, recommended)
+  knife[:winrm_ssl_verify_mode] = :verify_peer
+```
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+WARN
+                end
+              end
+
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/winrm_session.rb

@@ -0,0 +1,101 @@
+#
+# Original knife-windows author:: Steven Murawski <smurawski@chef.io>
+# Copyright:: Copyright (c) 2015-2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/application'
+require 'winrm'
+require 'winrm-elevated'
+
+class Chef
+  class Knife
+    class WinrmSession
+      attr_reader :host, :endpoint, :port, :output, :error, :exit_code
+
+      def initialize(options)
+        configure_proxy
+
+        @host = options[:host]
+        @port = options[:port]
+        @user = options[:user]
+        @shell_args = [ options[:shell] ]
+        @shell_args << { codepage: options[:codepage] } if options[:shell] == :cmd
+        url = "#{options[:host]}:#{options[:port]}/wsman"
+        scheme = options[:transport] == :ssl ? 'https' : 'http'
+        @endpoint = "#{scheme}://#{url}"
+
+        opts = Hash.new
+        opts = {
+          user: @user,
+          password: options[:password],
+          basic_auth_only: options[:basic_auth_only],
+          disable_sspi: options[:disable_sspi],
+          no_ssl_peer_verification: options[:no_ssl_peer_verification],
+          ssl_peer_fingerprint: options[:ssl_peer_fingerprint],
+          endpoint: endpoint,
+          transport: options[:transport]
+        }
+        options[:transport] == :kerberos ? opts.merge!({:service => options[:service], :realm => options[:realm]}) : opts.merge!({:ca_trust_path => options[:ca_trust_path]})
+        opts[:operation_timeout] = options[:operation_timeout] if options[:operation_timeout]
+        Chef::Log.debug("WinRM::WinRMWebService options: #{opts}")
+        Chef::Log.debug("Endpoint: #{endpoint}")
+        Chef::Log.debug("Transport: #{options[:transport]}")
+
+        @winrm_session = WinRM::Connection.new(opts)
+        @winrm_session.logger = Chef::Log
+
+        transport = @winrm_session.send(:transport)
+        http_client = transport.instance_variable_get(:@httpcli)
+        Chef::HTTP::DefaultSSLPolicy.new(http_client.ssl_config).set_custom_certs
+      end
+
+      def relay_command(command)
+        session_result = WinRM::Output.new
+        @winrm_session.shell(*@shell_args) do |shell|
+          shell.username = @user.split("\\").last if shell.respond_to?(:username)
+          session_result = shell.run(command) do |stdout, stderr|
+            print_data(@host, stdout) if stdout
+            print_data(@host, stderr, :red) if stderr
+          end
+        end
+        @exit_code = session_result.exitcode
+        session_result
+      rescue WinRM::WinRMHTTPTransportError, WinRM::WinRMAuthorizationError => e
+        @exit_code = 401
+        raise e
+      end
+
+      private
+
+      def print_data(host, data, color = :cyan)
+        if data =~ /\n/
+          data.split(/\n/).each { |d| print_data(host, d, color) }
+        elsif !data.nil?
+          print Chef::Knife::Winrm.ui.color(host, color)
+          puts " #{data}"
+        end
+      end
+
+      def configure_proxy
+        if Chef::Config.respond_to?(:export_proxies)
+          Chef::Config.export_proxies
+        else
+          Chef::Application.new.configure_proxy_environment_variables
+        end
+      end
+    end
+  end
+end