winrm-elevated 1.1.0 → 1.2.2

data/lib/winrm-elevated.rb

@@ -1,18 +1,17 @@
-# encoding: UTF-8
-#
-# Copyright 2015 Shawn Neal <sneal@sneal.net>
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require 'winrm'
-require_relative 'winrm/shells/elevated'
+#
+# Copyright 2015 Shawn Neal <sneal@sneal.net>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'winrm' unless defined?(WinRM::Connection)
+require_relative 'winrm/shells/elevated'

data/lib/winrm-elevated/scripts/elevated_shell.ps1

@@ -1,116 +1,136 @@
-$username = '<%= username %>'
-$password = '<%= password %>'
-$script_file = '<%= script_path %>'
-
-$interactive = '<%= interactive_logon %>'
-$pass_to_use = $password
-$logon_type = 1
-$logon_type_xml = "<LogonType>Password</LogonType>"
-if($pass_to_use.length -eq 0) {
-  $pass_to_use = $null
-  $logon_type = 5
-  $logon_type_xml = ""
-}
-if($interactive -eq 'true') {
-  $logon_type = 3
-  $logon_type_xml = "<LogonType>InteractiveTokenOrPassword</LogonType>"
-}
-
-$task_name = "WinRM_Elevated_Shell"
-$out_file = [System.IO.Path]::GetTempFileName()
-$err_file = [System.IO.Path]::GetTempFileName()
-
-$task_xml = @'
-<?xml version="1.0" encoding="UTF-16"?>
-<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
-  <Principals>
-    <Principal id="Author">
-      <UserId>{username}</UserId>
-      {logon_type}
-      <RunLevel>HighestAvailable</RunLevel>
-    </Principal>
-  </Principals>
-  <Settings>
-    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
-    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
-    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
-    <AllowHardTerminate>true</AllowHardTerminate>
-    <StartWhenAvailable>false</StartWhenAvailable>
-    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
-    <IdleSettings>
-      <StopOnIdleEnd>false</StopOnIdleEnd>
-      <RestartOnIdle>false</RestartOnIdle>
-    </IdleSettings>
-    <AllowStartOnDemand>true</AllowStartOnDemand>
-    <Enabled>true</Enabled>
-    <Hidden>false</Hidden>
-    <RunOnlyIfIdle>false</RunOnlyIfIdle>
-    <WakeToRun>false</WakeToRun>
-    <ExecutionTimeLimit>PT24H</ExecutionTimeLimit>
-    <Priority>4</Priority>
-  </Settings>
-  <Actions Context="Author">
-    <Exec>
-      <Command>cmd</Command>
-      <Arguments>{arguments}</Arguments>
-    </Exec>
-  </Actions>
-</Task>
-'@
-
-$arguments = "/c powershell.exe -executionpolicy bypass -NoProfile -File $script_file &gt; $out_file 2&gt;$err_file"
-
-$task_xml = $task_xml.Replace("{arguments}", $arguments)
-$task_xml = $task_xml.Replace("{username}", $username)
-$task_xml = $task_xml.Replace("{logon_type}", $logon_type_xml)
-
-$schedule = New-Object -ComObject "Schedule.Service"
-$schedule.Connect()
-$task = $schedule.NewTask($null)
-$task.XmlText = $task_xml
-$folder = $schedule.GetFolder("\")
-$folder.RegisterTaskDefinition($task_name, $task, 6, $username, $pass_to_use, $logon_type, $null) | Out-Null
-
-$registered_task = $folder.GetTask("\$task_name")
-$registered_task.Run($null) | Out-Null
-
-$timeout = 10
-$sec = 0
-while ( (!($registered_task.state -eq 4)) -and ($sec -lt $timeout) ) {
-  Start-Sleep -s 1
-  $sec++
-}
-
-function SlurpOutput($file, $cur_line, $out_type) {
-  if (Test-Path $file) {
-    get-content $file | select -skip $cur_line | ForEach {
-      $cur_line += 1
-      if ($out_type -eq 'err') {
-        $host.ui.WriteErrorLine("$_")
-      } else {
-        $host.ui.WriteLine("$_")
-      }
-    }
-  }
-  return $cur_line
-}
-
-$err_cur_line = 0
-$out_cur_line = 0
-do {
-  Start-Sleep -m 100
-  $out_cur_line = SlurpOutput $out_file $out_cur_line 'out'
-  $err_cur_line = SlurpOutput $err_file $err_cur_line 'err'
-} while (!($registered_task.state -eq 3))
-
-# We'll make a best effort to clean these files
-# But a reboot could possibly end the task while the process
-# still runs and locks the file. If we can't delete we don't want to fail
-try { Remove-Item $out_file -ErrorAction Stop } catch {}
-try { Remove-Item $err_file -ErrorAction Stop } catch {}
-try { Remove-Item $script_file -ErrorAction Stop } catch {}
-
-$exit_code = $registered_task.LastTaskResult
-[System.Runtime.Interopservices.Marshal]::ReleaseComObject($schedule) | Out-Null
-
-exit $exit_code
+$username = '<%= username %>'
+$password = '<%= password %>'
+$script_file = '<%= script_path %>'
+
+$interactive = '<%= interactive_logon %>'
+$pass_to_use = $password
+$logon_type = 1
+$logon_type_xml = "<LogonType>Password</LogonType>"
+if($pass_to_use.length -eq 0) {
+  $pass_to_use = $null
+  $logon_type = 5
+  $logon_type_xml = ""
+}
+if($interactive -eq 'true') {
+  $logon_type = 3
+  $logon_type_xml = "<LogonType>InteractiveTokenOrPassword</LogonType>"
+}
+
+$task_name = "WinRM_Elevated_Shell_" + [guid]::NewGuid()
+$out_file = [System.IO.Path]::GetTempFileName()
+$err_file = [System.IO.Path]::GetTempFileName()
+
+$task_xml = @'
+<?xml version="1.0" encoding="UTF-16"?>
+<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
+  <Principals>
+    <Principal id="Author">
+      <UserId>{username}</UserId>
+      {logon_type}
+      <RunLevel>HighestAvailable</RunLevel>
+    </Principal>
+  </Principals>
+  <Settings>
+    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
+    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
+    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
+    <AllowHardTerminate>true</AllowHardTerminate>
+    <StartWhenAvailable>false</StartWhenAvailable>
+    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
+    <IdleSettings>
+      <StopOnIdleEnd>false</StopOnIdleEnd>
+      <RestartOnIdle>false</RestartOnIdle>
+    </IdleSettings>
+    <AllowStartOnDemand>true</AllowStartOnDemand>
+    <Enabled>true</Enabled>
+    <Hidden>false</Hidden>
+    <RunOnlyIfIdle>false</RunOnlyIfIdle>
+    <WakeToRun>false</WakeToRun>
+    <ExecutionTimeLimit>PT24H</ExecutionTimeLimit>
+    <Priority>4</Priority>
+  </Settings>
+  <Actions Context="Author">
+    <Exec>
+      <Command>cmd</Command>
+      <Arguments>{arguments}</Arguments>
+    </Exec>
+  </Actions>
+</Task>
+'@
+
+$arguments = "/c powershell.exe -executionpolicy bypass -NoProfile -File $script_file &gt; $out_file 2&gt;$err_file"
+
+$task_xml = $task_xml.Replace("{arguments}", $arguments)
+$task_xml = $task_xml.Replace("{username}", $username)
+$task_xml = $task_xml.Replace("{logon_type}", $logon_type_xml)
+
+try {
+    $schedule = New-Object -ComObject "Schedule.Service"
+    $schedule.Connect()
+    $task = $schedule.NewTask($null)
+    $task.XmlText = $task_xml
+    $folder = $schedule.GetFolder("\")
+    $folder.RegisterTaskDefinition($task_name, $task, 6, $username, $pass_to_use, $logon_type, $null) | Out-Null
+
+    $registered_task = $folder.GetTask("\$task_name")
+    $registered_task.Run($null) | Out-Null
+
+    $timeout = 10
+    $sec = 0
+    while ( (!($registered_task.state -eq 4)) -and ($sec -lt $timeout) ) {
+        Start-Sleep -s 1
+        $sec++
+    }
+} catch {
+    Write-Error -ErrorRecord $PSItem
+    exit $PSItem.Exception.HResult
+}
+
+function SlurpOutput($file, $cur_line, $out_type) {
+  if (Test-Path $file) {
+    get-content $file | Select-Object -skip $cur_line | ForEach-Object {
+      $cur_line += 1
+      if ($out_type -eq 'err') {
+        $host.ui.WriteErrorLine("$_")
+      } else {
+        $host.ui.WriteLine("$_")
+      }
+    }
+  }
+  return $cur_line
+}
+
+$err_cur_line = 0
+$out_cur_line = 0
+$timeout = <%= execution_timeout %>
+$startDate = Get-Date
+do {
+  Start-Sleep -m 100
+  $out_cur_line = SlurpOutput $out_file $out_cur_line 'out'
+  $err_cur_line = SlurpOutput $err_file $err_cur_line 'err'
+} while( (!($registered_task.state -eq 3)) -and ($startDate.AddSeconds($timeout) -gt (Get-Date)) )
+
+# We'll make a best effort to clean these files
+# But a reboot could possibly end the task while the process
+# still runs and locks the file. If we can't delete we don't want to fail
+try { Remove-Item $out_file -ErrorAction Stop } catch {}
+try { Remove-Item $err_file -ErrorAction Stop } catch {}
+try { Remove-Item $script_file -ErrorAction Stop } catch {}
+
+$exit_code = $registered_task.LastTaskResult
+
+try {
+  # Clean current task
+  $folder.DeleteTask($task_name, 0)
+  # Clean old tasks if required
+  $old_tasks_filter_date = [datetime]::Now.AddSeconds(<%= -1 * execution_timeout %>)
+  $old_tasks_to_kill = $folder.GetTasks(0) | Select Name,LastRunTime | Where-Object {
+    ($_.Name -like "WinRM_Elevated_Shell*") -and ($_.LastRunTime -le $old_tasks_filter_date) -and ($_.Name -ne $task_name)
+  }
+  $old_tasks_to_kill | ForEach-Object { try { $folder.DeleteTask($_.Name, 0) } catch {} }
+}
+catch {}
+
+[System.Runtime.Interopservices.Marshal]::ReleaseComObject($schedule) | Out-Null
+
+exit $exit_code

data/lib/winrm/shells/elevated.rb

@@ -1,104 +1,101 @@
-# encoding: UTF-8
-#
-# Copyright 2015 Shawn Neal <sneal@sneal.net>
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require 'erubis'
-require 'winrm'
-require 'winrm-fs'
-require 'securerandom'
-
-module WinRM
-  module Shells
-    # Runs PowerShell commands elevated via a scheduled task
-    class Elevated
-      # Create a new elevated shell
-      # @param connection_opts [ConnectionOpts] The WinRM connection options
-      # @param transport [HttpTransport] The WinRM SOAP transport
-      # @param logger [Logger] The logger to log diagnostic messages to
-      def initialize(connection_opts, transport, logger)
-        @logger = logger
-        @username = connection_opts[:user]
-        @password = connection_opts[:password]
-        @interactive_logon = false
-        @shell = Powershell.new(connection_opts, transport, logger)
-        @winrm_file_transporter = WinRM::FS::Core::FileTransporter.new(@shell)
-      end
-
-      # @return [String] The admin user name to execute the scheduled task as
-      attr_accessor :username
-
-      # @return [String] The admin user password
-      attr_accessor :password
-
-      # @return [Bool] Using an interactive logon
-      attr_accessor :interactive_logon
-
-      # Run a command or PowerShell script elevated without any of the
-      # restrictions that WinRM puts in place.
-      #
-      # @param [String] The command or PS script to wrap in a scheduled task
-      #
-      # @return [WinRM::Output] :stdout and :stderr
-      def run(command, &block)
-        # if an IO object is passed read it, otherwise assume the contents of the file were passed
-        script_text = command.respond_to?(:read) ? command.read : command
-
-        script_path = upload_elevated_shell_script(script_text)
-        wrapped_script = wrap_in_scheduled_task(script_path, username, password)
-        @shell.run(wrapped_script, &block)
-      end
-
-      # Closes the shell if one is open
-      def close
-        @shell.close
-      end
-
-      private
-
-      def upload_elevated_shell_script(script_text)
-        elevated_shell_path = 'c:/windows/temp/winrm-elevated-shell-' + SecureRandom.uuid + '.ps1'
-        with_temp_file(script_text) do |temp_file|
-          @winrm_file_transporter.upload(temp_file, elevated_shell_path)
-        end
-        elevated_shell_path
-      end
-
-      def with_temp_file(script_text)
-        file = Tempfile.new(['winrm-elevated-shell', 'ps1'])
-        file.write(script_text)
-        file.write("\r\n$Host.SetShouldExit($LASTEXITCODE)")
-        file.fsync
-        file.close
-        yield file.path
-      ensure
-        file.close
-        file.unlink
-      end
-
-      def elevated_shell_script_content
-        IO.read(File.expand_path('../../../winrm-elevated/scripts/elevated_shell.ps1', __FILE__))
-      end
-
-      def wrap_in_scheduled_task(script_path, username, password)
-        Erubis::Eruby.new(elevated_shell_script_content).result(
-          username: username,
-          password: password,
-          script_path: script_path,
-          interactive_logon: interactive_logon
-        )
-      end
-    end
-  end
-end
+#
+# Copyright 2015 Shawn Neal <sneal@sneal.net>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'erubi'
+require 'winrm' unless defined?(WinRM::Connection)
+require 'winrm-fs'
+require 'securerandom' unless defined?(SecureRandom)
+require 'stringio'
+
+module WinRM
+  module Shells
+    # Runs PowerShell commands elevated via a scheduled task
+    class Elevated
+      # Create a new elevated shell
+      # @param connection_opts [ConnectionOpts] The WinRM connection options
+      # @param transport [HttpTransport] The WinRM SOAP transport
+      # @param logger [Logger] The logger to log diagnostic messages to
+      def initialize(connection_opts, transport, logger)
+        @logger = logger
+        @username = connection_opts[:user]
+        @password = connection_opts[:password]
+        @interactive_logon = false
+        @shell = Powershell.new(connection_opts, transport, logger)
+        @winrm_file_transporter = WinRM::FS::Core::FileTransporter.new(@shell)
+        @execution_timeout = 86_400
+      end
+
+      # @return [String] The admin user name to execute the scheduled task as
+      attr_accessor :username
+
+      # @return [String] The admin user password
+      attr_accessor :password
+
+      # @return [Bool] Using an interactive logon
+      attr_accessor :interactive_logon
+
+      # @return [Integer] Timeout for the task to be executed
+      attr_accessor :execution_timeout
+
+      # Run a command or PowerShell script elevated without any of the
+      # restrictions that WinRM puts in place.
+      #
+      # @param [String] The command or PS script to wrap in a scheduled task
+      #
+      # @return [WinRM::Output] :stdout and :stderr
+      def run(command, &block)
+        # if an IO object is passed read it, otherwise assume the contents of the file were passed
+        script_text = command.respond_to?(:read) ? command.read : command
+
+        script_path = upload_elevated_shell_script(script_text)
+        wrapped_script = wrap_in_scheduled_task(script_path, username, password)
+        @shell.run(wrapped_script, &block)
+      end
+
+      # Closes the shell if one is open
+      def close
+        @shell.close
+      end
+
+      private
+
+      def upload_elevated_shell_script(script_text)
+        elevated_shell_path = 'c:/windows/temp/winrm-elevated-shell-' + SecureRandom.uuid + '.ps1'
+        script_text_with_exit = "#{script_text}\r\n$Host.SetShouldExit($LASTEXITCODE)"
+        @winrm_file_transporter.upload(StringIO.new(script_text_with_exit), elevated_shell_path)
+        elevated_shell_path
+      end
+
+      def elevated_shell_script_content
+        IO.read(File.expand_path('../../winrm-elevated/scripts/elevated_shell.ps1', __dir__))
+      end
+
+      def wrap_in_scheduled_task(script_path, username, password)
+        context = {
+          username: username,
+          password: password,
+          script_path: script_path,
+          interactive_logon: interactive_logon,
+          execution_timeout: execution_timeout
+        }
+
+        b = binding
+        locals = context.collect { |k, _| "#{k} = context[#{k.inspect}]; " }
+        b.eval(locals.join)
+        b.eval(Erubi::Engine.new(elevated_shell_script_content).src)
+      end
+    end
+  end
+end