winrm-s 0.1.0.rc.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    MDRmZmUzNTQ4MDI3ZDc4YjY4MDcwMTk4NTY4ZWY3MmUzYTAwY2M5Nw==
+  data.tar.gz: !binary |-
+    YzgwZjhlN2UxNTZmNThlOGNjMWVkNDZhZjFhOGZjMTg5NzI3ODhmZQ==
+SHA512:
+  metadata.gz: !binary |-
+    NzAxNzMwNDE5ODIwZDQ1ZWVhMWI2MTE3MjZmNjNhOWNmYjE5MTgwNGI2OWQx
+    MzY0MjlhN2JlNDVjMDY3YzFlNTdlMjAzOWQ0Mzg0OTY0ZGMyZmE2NTg1ODJh
+    MmUyNmI0M2EyMzZkNTlhNjIzMWU5ZmQ0ZDVmNjI0NmU1ZWYxOTA=
+  data.tar.gz: !binary |-
+    MGM5NmI4ZTdhZjVkYzk2OTFhYWNiMmNlMzMwYjkyN2JhZmY2MDcwNjM3MmFm
+    MGU2NWU2Y2MzOWZjNWI1M2M2ZWFhMzFhNzYyN2Q1M2JkNTkzMGMzMmFkZWE0
+    OTUxY2M3ZTE5YjllZjhkNjhkYWQ1ODY5ZjgwN2UyNzU2MWI1NTA=

data/.gitignore

@@ -0,0 +1,27 @@
+.autotest
+coverage
+.DS_Store
+pkg
+*/tags
+*~
+
+# you should check in your Gemfile.lock in applications, and not in gems
+Gemfile.lock
+Gemfile.local
+
+# Do not check in the .bundle directory, or any of the files inside it. Those files are specific to each particular machine, and are used to persist installation options between runs of the bundle install command.
+.bundle
+
+# ignore some common Bundler 'binstubs' directory names
+# http://gembundler.com/man/bundle-exec.1.html
+b/
+binstubs/
+
+# RVM and RBENV ruby version files
+.rbenv-version
+.rvmrc
+
+# Documentation
+_site/*
+.yardoc/
+doc/

data/.rspec

@@ -0,0 +1,2 @@
+--color
+-fdocumentation

data/.travis.yml

@@ -0,0 +1,8 @@
+rvm:
+#  - 1.8.7
+  - 1.9.2
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0
+
+script: bundle exec rake spec

data/CHANGELOG.md

@@ -0,0 +1,11 @@
+# winrm-s  Change Log
+
+## Unreleased
+* Initial implementation
+
+Last Release: none
+-------------------
+
+
+
+

data/CONTRIBUTING.md

@@ -0,0 +1,5 @@
+# Contributing to winrm-s
+
+We are glad you want to contribute to winrm-s. Please see contribution guidelines for
+[Chef](http://wiki.opscode.com/display/chef/How+to+Contribute) for information on contributing to this project.
+

data/Gemfile

@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+gemspec
+
+group :test, :development do
+  gem "rspec"
+  gem 'rake'
+  gem 'nokogiri', '~> 1.6.2'
+end

data/LICENSE

@@ -0,0 +1,201 @@
+                              Apache License
+                        Version 2.0, January 2004
+                     http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+       Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+       stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+       that You distribute, all copyright, patent, trademark, and
+       attribution notices from the Source form of the Work,
+       excluding those notices that do not pertain to any part of
+       the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+       distribution, then any Derivative Works that You distribute must
+       include a readable copy of the attribution notices contained
+       within such NOTICE file, excluding those notices that do not
+       pertain to any part of the Derivative Works, in at least one
+       of the following places: within a NOTICE text file distributed
+       as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or,
+       within a display generated by the Derivative Works, if and
+       wherever such third-party notices normally appear. The contents
+       of the NOTICE file are for informational purposes only and
+       do not modify the License. You may add Your own attribution
+       notices within Derivative Works that You distribute, alongside
+       or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed
+       as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+   To apply the Apache License to your work, attach the following
+   boilerplate notice, with the fields enclosed by brackets "[]"
+   replaced with your own identifying information. (Don't include
+   the brackets!)  The text should be enclosed in the appropriate
+   comment syntax for the file format. We also recommend that a
+   file or class name and description of purpose be included on the
+   same "printed page" as the copyright notice for easier
+   identification within third-party archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,69 @@
+winrm-s
+=======
+
+`winrm-s` extends the functionality of the
+[WinRM gem](http://rubygems.org/gems/winrm) to support the Microsoft
+[Negotiate protocol](http://msdn.microsoft.com/en-us/library/windows/desktop/aa378748(v=vs.85).aspx)
+when authenticating to a remote [WinRM](http://msdn.microsoft.com/en-us/library/aa384426(v=vs.85).aspx) endpoint from a Windows system.
+
+This extended functionality is **only** supported when running on Microsoft
+Windows. This gem can still be used on other operating systems just like the
+`WinRM` gem, but the extended capabilities will not be available.
+
+Installation
+------------
+
+To install it, run:
+
+    gem install winrm-s
+
+Usage
+-----
+
+`winrm-s` provides the same interface as the `winrm` gem -- see `winrm`
+[documentation](https://github.com/WinRb/WinRM/blob/master/README.md) for `winrm-s` usage.
+
+* To use it, simply require `winrm` or `winrm-s`, depending on whether your code
+is running on Windows. The extended negotiate protocol is only available if
+you include `winrm-s`, which will only work on Windows.
+* When you use WinRM::WinRMWebService.new, be sure to specify the
+  `:sspinegotiate` parameter, along with a user name in the form `domain_name\user_name`
+  for the user name in order to make use of negotiate protocol. If the user
+  account is local to the remote system, you can use `.` for the domain. The
+  example further on demonstrates the negotiate use case.
+* All other use cases enabled by the `winrm` gem are also supported.
+
+Example
+-------
+Note the argument value of `:sspinegotiate` for transport option, and the
+explicit specification of a domain name, in this case `.`, in the user name:
+```ruby
+if RUBY_PLATFORM =~ /mswin|mingw32|windows/
+  require 'winrm-s' # only works on Windows, otherwise use require 'winrm'
+  endpoint = http://mywinrmhost:5985/wsman
+  winrm = WinRM::WinRMWebService.new(endpoint, :sspinegotiate, :user => ".\administrator", :pass => "adminpasswd")
+  winrm.cmd('ipconfig /all') do |stdout, stderr|
+    STDOUT.print stdout
+    STDERR.print stderr
+  end
+end
+```
+
+License
+-------
+
+Copyright:: Copyright (c) 2014 Chef Software, Inc.
+License:: Apache License, Version 2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+

data/Rakefile

@@ -0,0 +1 @@
+require 'bundler/gem_tasks'

data/lib/winrm-s.rb

@@ -0,0 +1,30 @@
+#
+# Author:: Kaustubh Deorukhkar (<kaustubh@clogeny.com>)>
+# Copyright:: Copyright (c) 2014 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'winrm'
+
+def windows?
+  !!(RUBY_PLATFORM =~ /mswin|mingw|windows/)
+end
+
+# Patch only on windows
+if windows?
+  require 'winrm/winrm_service_patch'
+else
+  raise "ERROR: winrm-s extensions to the winrm gem for the negotiate protocol are only supported on Windows. Require 'winrm' and not 'winrm-s' on non-Windows platforms."
+end

data/lib/winrm-s/version.rb

@@ -0,0 +1,22 @@
+#
+# Author:: Kaustubh Deorukhkar (<kaustubh@clogeny.com>)
+# Copyright:: Copyright (c) 2014 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module WinrmS
+  VERSION = "0.1.0.rc.0"
+  MAJOR, MINOR, TINY = VERSION.split('.')
+end

data/lib/winrm/helpers/assert_patch.rb

@@ -0,0 +1,20 @@
+
+module PatchAssertions
+
+  def self.assert_major_version(library_name, expected_major, override_var_name)
+    supported_major_ver = ENV[override_var_name] || expected_major
+    loaded_ver = Gem.loaded_specs[library_name].version
+    loaded_major_ver = loaded_ver.to_s.match(/(^\d+\.\d+)\.(.*)$/)[1]
+    if loaded_major_ver.to_s != supported_major_ver.to_s
+      puts "Unsupported version of #{library_name}. The supported major version of library is #{library_name} version #{expected_major}. This code path monkey patches few methods in #{library_name} to support additional features. If you are aware of the impact of using #{loaded_ver}, this can be enabled by setting #{override_var_name} to the major version #{loaded_major_ver}"
+      exit 1
+    end
+  end
+
+  def self.assert_arity_of_patched_method(klass, method_name, expected_arity)
+    if klass.instance_method(method_name).arity != expected_arity
+      puts "Cannot patch method #{klass}::#{method_name} since your latest gem seems to have different method definition that cannot be safely patched. Please use the supported version of patched gem."
+      exit 1
+    end
+  end
+end

data/lib/winrm/http/auth.rb

@@ -0,0 +1,171 @@
+#
+# Author:: Kaustubh Deorukhkar (<kaustubh@clogeny.com>)
+# Copyright:: Copyright (c) 2014 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'httpclient/auth'
+
+require 'winrm/helpers/assert_patch'
+
+def validate_patch
+  # The code below patches the httpclient library to add support
+  # for encrypt/decrypt as described below.
+  # Add few restriction to make sure the patched methods are still
+  # available, but still give a way to consciously use later versions
+  PatchAssertions.assert_major_version("httpclient", 2.4, "USE_HTTPCLIENT_MAJOR")
+  PatchAssertions.assert_arity_of_patched_method(HTTPClient::WWWAuth, "filter_request", 1)
+  PatchAssertions.assert_arity_of_patched_method(HTTPClient::WWWAuth, "filter_response", 2)
+  PatchAssertions.assert_arity_of_patched_method(HTTPClient::SSPINegotiateAuth, "set", -1)
+  PatchAssertions.assert_arity_of_patched_method(HTTPClient::SSPINegotiateAuth, "get", 1)
+end
+
+# Perform the patch validations
+validate_patch
+
+# Overrides the HTTPClient::WWWAuth code to add support for encryption/decryption
+# of data sent during the NTLM auth over negotiate.
+
+# Also Overrides HTTPClient::SSPINegotiateAuth to remember user credentials, original
+# library code relies on the current login user credentials on the client machine. 
+
+# Below code helps ruby client to perform auth using the credentials provided to
+# ruby client, and also enhances to use encrypted channel.
+
+class HTTPClient
+
+  class WWWAuth
+
+    # Filter API implementation.  Traps HTTP request and insert
+    # 'Authorization' header if needed.
+    def filter_request(req)
+      @authenticator.each do |auth|
+        next unless auth.set? # hasn't be set, don't use it
+        if cred = auth.get(req)
+          auth.encrypt_payload(req) if auth.respond_to?(:encrypt_payload)
+          req.header.set('Authorization', auth.scheme + " " + cred)
+          return
+        end
+      end
+    end
+
+    # Filter API implementation.  Traps HTTP response and parses
+    # 'WWW-Authenticate' header.
+    #
+    # This remembers the challenges for all authentication methods
+    # available to the client. On the subsequent retry of the request,
+    # filter_request will select the strongest method.
+    def filter_response(req, res)
+      command = nil
+      if res.status == HTTP::Status::UNAUTHORIZED
+        if challenge = parse_authentication_header(res, 'www-authenticate')
+          uri = req.header.request_uri
+          challenge.each do |scheme, param_str|
+            @authenticator.each do |auth|
+              next unless auth.set? # hasn't be set, don't use it
+              if scheme.downcase == auth.scheme.downcase
+                challengeable = auth.challenge(uri, param_str)
+                command = :retry if challengeable
+              end
+            end
+          end
+          # ignore unknown authentication scheme
+        end
+      elsif res.status == HTTP::Status::OK
+        decrypted_content = res.content
+        @authenticator.each do |auth|
+          next unless auth.set? # hasn't be set, don't use it
+          decrypted_content = auth.decrypt_payload(res.content) if auth.respond_to?(:encrypted_channel?) and auth.encrypted_channel?
+        end
+        # update with decrypted content
+        res.content.replace(decrypted_content) if res.content and !res.content.empty?
+      end
+      command
+    end
+  end
+
+  class SSPINegotiateAuth
+    # Override to remember creds
+    # Set authentication credential.
+    def set(uri, user, passwd)
+      # Check if user has domain specified in it.
+      if user
+        creds = user.split("\\")
+        creds.length.eql?(2) ? (@domain,@user = creds) : @user = creds[0]
+      end
+      @passwd = passwd
+    end
+
+    # Response handler: returns credential.
+    # See win32/sspi for negotiation state transition.
+    def get(req)
+      return nil unless SSPIEnabled || GSSAPIEnabled
+      target_uri = req.header.request_uri
+      domain_uri, param = @challenge.find { |uri, v|
+        Util.uri_part_of(target_uri, uri)
+      }
+
+      return nil unless param
+      state = param[:state]
+      authenticator = param[:authenticator]
+      authphrase = param[:authphrase]
+      case state
+      when :init
+        if SSPIEnabled
+          # Over-ride ruby win32 sspi to support encrypt/decrypt
+          require 'winrm/win32/sspi'
+          authenticator = param[:authenticator] = Win32::SSPI::NegotiateAuth.new(@user, @domain, @passwd)
+          @authenticator = authenticator #  **** Hacky remember as we need this for encrypt/decrypt
+          return authenticator.get_initial_token
+        else # use GSSAPI
+          authenticator = param[:authenticator] = GSSAPI::Simple.new(domain_uri.host, 'HTTP')
+          # Base64 encode the context token
+          return [authenticator.init_context].pack('m').gsub(/\n/,'')
+        end
+      when :response
+        @challenge.delete(domain_uri)
+        if SSPIEnabled
+          return authenticator.complete_authentication(authphrase)
+        else # use GSSAPI
+          return authenticator.init_context(authphrase.unpack('m').pop)
+        end
+      end
+      nil
+    end
+
+    def encrypted_channel?
+      @encrypted_channel
+    end
+
+    def encrypt_payload(req)
+      if SSPIEnabled
+        body = @authenticator.encrypt_payload(req.body)
+        req.http_body = HTTP::Message::Body.new
+        req.http_body.init_request(body)
+        req.http_header.body_size = body.length if body
+        # if body is encrypted update the header
+        if body.include? "HTTP-SPNEGO-session-encrypted"
+          @encrypted_channel = true
+          req.header.set('Content-Type', "multipart/encrypted;protocol=\"application/HTTP-SPNEGO-session-encrypted\";boundary=\"Encrypted Boundary\"")
+        end
+      end
+    end
+
+    def decrypt_payload(body)
+      body = @authenticator.decrypt_payload(body) if SSPIEnabled
+      body
+    end
+  end
+end

data/lib/winrm/http/transport_patch.rb

@@ -0,0 +1,35 @@
+#
+# Author:: Kaustubh Deorukhkar (<kaustubh@clogeny.com>)
+# Copyright:: Copyright (c) 2014 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module WinRM
+  module HTTP
+
+    class HttpSSPINegotiate < HttpTransport
+      def initialize(endpoint, user, pass, opts)
+        # Override the relevant functionality in httpclient to make sspi work.
+        require 'winrm/http/auth'
+        super(endpoint)
+        @httpcli.set_auth(nil, user, pass)
+        # Remove non-sspi auths
+        auths = @httpcli.www_auth.instance_variable_get('@authenticator')
+        auths.delete_if {|i| not i.is_a?(HTTPClient::SSPINegotiateAuth)}
+      end
+    end
+
+  end
+end # WinRM

data/lib/winrm/win32/sspi.rb

@@ -0,0 +1,256 @@
+
+require 'winrm/helpers/assert_patch'
+
+def validate_patch
+  # The code below patches the Win32::SSPI module from ruby core to add support
+  # for encrypt/decrypt as described below.
+  # Add few restrictions to make sure the patched methods are still
+  # available, but still give a way to consciously use later versions
+  PatchAssertions.assert_arity_of_patched_method(Win32::SSPI::NegotiateAuth, "initialize", -1)
+  PatchAssertions.assert_arity_of_patched_method(Win32::SSPI::NegotiateAuth, "complete_authentication", 1)
+  PatchAssertions.assert_arity_of_patched_method(Win32::SSPI::NegotiateAuth, "get_credentials", 0)
+end
+
+# Perform the patch validations
+validate_patch
+
+# Overrides and enhances the ruby core win32 sspi module to add support to
+# encrypt/decrypt data to be sent over channel, example using SSP Negotiate auth
+
+module Win32
+  module SSPI
+    # QueryContextAttributes attributes flags
+    SECPKG_ATTR_SIZES = 0x00000000
+
+    module API
+      QueryContextAttributes = Win32API.new("secur32", "QueryContextAttributes", 'pLp', 'L')
+      EncryptMessage = Win32API.new("secur32", "EncryptMessage", 'pLpL', 'L')
+      DecryptMessage = Win32API.new("secur32", "DecryptMessage", 'ppLp', 'L')
+    end
+
+    class SecPkgContext_Sizes
+      attr_accessor :cbMaxToken, :cbMaxSignature, :cbBlockSize, :cbSecurityTrailer
+
+      def initialize
+        @cbMaxToken = @cbMaxSignature = @cbBlockSize = @cbSecurityTrailer = 0
+      end
+
+      def cbMaxToken
+        @cbMaxToken = @struct.unpack("LLLL")[0] if @struct
+      end
+
+      def cbMaxSignature
+        @cbMaxSignature = @struct.unpack("LLLL")[1] if @struct
+      end
+
+      def cbBlockSize
+        @cbBlockSize = @struct.unpack("LLLL")[2] if @struct
+      end
+
+      def cbSecurityTrailer
+        @cbSecurityTrailer = @struct.unpack("LLLL")[3] if @struct
+      end
+
+      def to_p
+        @struct ||= [@cbMaxToken, @cbMaxSignature, @cbBlockSize, @cbSecurityTrailer].pack("LLLL")
+      end
+    end
+
+    #  SecurityBuffer for data to be encrypted
+    class EncryptedSecurityBuffer
+
+      SECBUFFER_DATA = 0x1    # Security buffer data
+      SECBUFFER_TOKEN = 0x2   # Security token
+      SECBUFFER_VERSION = 0
+
+      def initialize(data_buffer, sizes)
+        @original_msg_len = data_buffer.length
+        @cbSecurityTrailer = sizes.cbSecurityTrailer
+        @data_buffer = data_buffer
+        @security_trailer = "\0" * sizes.cbSecurityTrailer
+      end
+
+      def to_p
+        # Assumption is that when to_p is called we are going to get a packed structure. Therefore,
+        # set @unpacked back to nil so we know to unpack when accessors are next accessed.
+        @unpacked = nil
+        # Assignment of inner structure to variable is very important here. Without it,
+        # will not be able to unpack changes to the structure. Alternative, nested unpacks,
+        # does not work (i.e. @struct.unpack("LLP12")[2].unpack("LLP12") results in "no associated pointer")
+        @sec_buffer = [@original_msg_len, SECBUFFER_DATA, @data_buffer, @cbSecurityTrailer, SECBUFFER_TOKEN, @security_trailer].pack("LLPLLP")
+        @struct ||= [SECBUFFER_VERSION, 2, @sec_buffer].pack("LLP")
+      end
+
+      def buffer
+        unpack
+        @buffer
+      end
+
+    private
+
+      # Unpacks the SecurityBufferDesc structure into member variables. We
+      # only want to do this once per struct, so the struct is deleted
+      # after unpacking.
+      def unpack
+        if ! @unpacked && @sec_buffer && @struct
+          dataBufferSize, dType, dataBuffer, tokenBufferSize, tType, tokenBuffer = @sec_buffer.unpack("LLPLLP")
+          dataBufferSize, dType, dataBuffer, tokenBufferSize, tType, tokenBuffer = @sec_buffer.unpack("LLP#{dataBufferSize}LLP#{tokenBufferSize}")
+          # Form the buffer stream as required by server
+          @buffer = [tokenBufferSize].pack("L")
+          @buffer << tokenBuffer << dataBuffer
+          @struct = nil
+          @sec_buffer = nil
+          @unpacked = true
+        end
+      end
+    end
+
+    class DecryptedSecurityBuffer
+
+      SECBUFFER_DATA = 0x1    # Security buffer data
+      SECBUFFER_TOKEN = 0x2   # Security token
+      SECBUFFER_VERSION = 0
+
+      def initialize(buffer)
+        # unpack to extract the msg and token
+        token_size, token_buffer, enc_buffer = buffer.unpack("L")
+        @original_msg_len = buffer.length - token_size - 4
+        @cbSecurityTrailer, @security_trailer, @data_buffer = buffer.unpack("La#{token_size}a#{@original_msg_len}")
+      end
+
+      def to_p
+        # Assumption is that when to_p is called we are going to get a packed structure. Therefore,
+        # set @unpacked back to nil so we know to unpack when accessors are next accessed.
+        @unpacked = nil
+        # Assignment of inner structure to variable is very important here. Without it,
+        # will not be able to unpack changes to the structure. Alternative, nested unpacks,
+        # does not work (i.e. @struct.unpack("LLP12")[2].unpack("LLP12") results in "no associated pointer")
+        @sec_buffer = [@original_msg_len, SECBUFFER_DATA, @data_buffer, @cbSecurityTrailer, SECBUFFER_TOKEN, @security_trailer].pack("LLPLLP")
+        @struct ||= [SECBUFFER_VERSION, 2, @sec_buffer].pack("LLP")
+      end
+
+      def buffer
+        unpack
+        @buffer
+      end
+
+    private
+
+      # Unpacks the SecurityBufferDesc structure into member variables. We
+      # only want to do this once per struct, so the struct is deleted
+      # after unpacking.
+      def unpack
+        if ! @unpacked && @sec_buffer && @struct
+          dataBufferSize, dType, dataBuffer, tokenBufferSize, tType, tokenBuffer = @sec_buffer.unpack("LLPLLP")
+          dataBufferSize, dType, dataBuffer, tokenBufferSize, tType, tokenBuffer = @sec_buffer.unpack("LLP#{dataBufferSize}LLP#{tokenBufferSize}")
+          @buffer = dataBuffer
+          @struct = nil
+          @sec_buffer = nil
+          @unpacked = true
+        end
+      end
+    end
+
+    class NegotiateAuth
+      # Override to remember password
+      # Creates a new instance ready for authentication as the given user in the given domain.
+      # Defaults to current user and domain as defined by ENV["USERDOMAIN"] and ENV["USERNAME"] if
+      # no arguments are supplied.
+      def initialize(user = nil, domain = nil, password = nil)
+        if user.nil? && domain.nil? && ENV["USERNAME"].nil? && ENV["USERDOMAIN"].nil?
+          raise "A username or domain must be supplied since they cannot be retrieved from the environment"
+        end
+        @user = user || ENV["USERNAME"]
+        @domain = domain || ENV["USERDOMAIN"]
+        @password = password
+      end
+
+      # Takes a token and gets the next token in the Negotiate authentication chain. Token can be Base64 encoded or not.
+      # The token can include the "Negotiate" header and it will be stripped.
+      # Does not indicate if SEC_I_CONTINUE or SEC_E_OK was returned.
+      # Token returned is Base64 encoded w/ all new lines removed.
+      def complete_authentication(token)
+        raise "This object is no longer usable because its resources have been freed." if @cleaned_up
+
+        # Nil token OK, just set it to empty string
+        token = "" if token.nil?
+
+        if token.include? "Negotiate"
+          # If the Negotiate prefix is passed in, assume we are seeing "Negotiate <token>" and get the token.
+          token = token.split(" ").last
+        end
+
+        if token.include? B64_TOKEN_PREFIX
+          # indicates base64 encoded token
+          token = token.strip.unpack("m")[0]
+        end
+
+        outputBuffer = SecurityBuffer.new
+        result = SSPIResult.new(API::InitializeSecurityContext.call(@credentials.to_p, @context.to_p, nil,
+          REQUEST_FLAGS, 0, SECURITY_NETWORK_DREP, SecurityBuffer.new(token).to_p, 0,
+          @context.to_p,
+          outputBuffer.to_p, @contextAttributes, TimeStamp.new.to_p))
+
+        if result.ok? then
+          @auth_successful = true
+          return encode_token(outputBuffer.token)
+        else
+          raise "Error: #{result.to_s}"
+        end
+      ensure
+        # need to make sure we don't clean up if we've already cleaned up.
+        # XXX - clean up later since encrypt/decrypt needs this
+        # clean_up unless @cleaned_up
+      end
+
+      def encrypt_payload(body)
+        if @auth_successful
+          # Approach - http://msdn.microsoft.com/en-us/magazine/cc301890.aspx
+          sizes = SecPkgContext_Sizes.new
+          result = SSPIResult.new(API::QueryContextAttributes.call(@context.to_p, SECPKG_ATTR_SIZES, sizes.to_p))
+
+          outputBuffer = EncryptedSecurityBuffer.new(body, sizes)
+          result = SSPIResult.new(API::EncryptMessage.call(@context.to_p, 0, outputBuffer.to_p, 0 ))
+          encrypted_msg = outputBuffer.buffer
+
+          body = <<-EOF
+--Encrypted Boundary\r
+Content-Type: application/HTTP-SPNEGO-session-encrypted\r
+OriginalContent: type=application/soap+xml;charset=UTF-8;Length=#{encrypted_msg.length - sizes.cbSecurityTrailer - 4}\r
+--Encrypted Boundary\r
+Content-Type: application/octet-stream\r
+#{encrypted_msg}--Encrypted Boundary\r
+EOF
+        end
+        body
+      end
+
+      def decrypt_payload(body)
+        if @auth_successful
+
+          matched_data = /--Encrypted Boundary\s+Content-Type:\s+application\/HTTP-SPNEGO-session-encrypted\s+OriginalContent:\s+type=\S+Length=(\d+)\s+--Encrypted Boundary\s+Content-Type:\s+application\/octet-stream\s+([\S\s]+)--Encrypted Boundary/.match(body)
+          raise "Error: Unencrypted communication not supported. Please check winrm configuration winrm/config/service AllowUnencrypted flag." if matched_data.nil?
+
+          encrypted_msg = matched_data[2]
+
+          outputBuffer = DecryptedSecurityBuffer.new(encrypted_msg)
+          result = SSPIResult.new(API::DecryptMessage.call(@context.to_p, outputBuffer.to_p, 0, 0 ))
+          body = outputBuffer.buffer
+        end
+        body
+      end
+
+      private
+      # ** Override to add password support
+      # Gets credentials based on user, domain or both. If both are nil, an error occurs
+      def get_credentials
+        @credentials = CredHandle.new
+        ts = TimeStamp.new
+        @identity = Identity.new @user, @domain, @password
+        result = SSPIResult.new(API::AcquireCredentialsHandle.call(nil, "Negotiate", SECPKG_CRED_OUTBOUND, nil, @identity.to_p,
+          nil, nil, @credentials.to_p, ts.to_p))
+        raise "Error acquire credentials: #{result}" unless result.ok?
+      end
+    end
+  end
+end

data/lib/winrm/winrm_service_patch.rb

@@ -0,0 +1,34 @@
+
+require 'winrm/http/transport_patch'
+
+module WinRM
+  class WinRMWebService
+
+    # Override winrm to support sspinegotiate option.
+
+    # @param [String,URI] endpoint the WinRM webservice endpoint
+    # @param [Symbol] transport either :kerberos(default)/:ssl/:plaintext
+    # @param [Hash] opts Misc opts for the various transports.
+    #   @see WinRM::HTTP::HttpTransport
+    #   @see WinRM::HTTP::HttpGSSAPI
+    #   @see WinRM::HTTP::HttpSSL
+    def initialize(endpoint, transport = :kerberos, opts = {})
+      @endpoint = endpoint
+      @timeout = DEFAULT_TIMEOUT
+      @max_env_sz = DEFAULT_MAX_ENV_SIZE 
+      @locale = DEFAULT_LOCALE
+      case transport
+      when :kerberos
+        require 'gssapi'
+        # TODO: check fo keys and throw error if missing
+        @xfer = HTTP::HttpGSSAPI.new(endpoint, opts[:realm], opts[:service], opts[:keytab], opts)
+      when :plaintext
+        @xfer = HTTP::HttpPlaintext.new(endpoint, opts[:user], opts[:pass], opts)
+      when :sspinegotiate
+        @xfer = HTTP::HttpSSPINegotiate.new(endpoint, opts[:user], opts[:pass], opts)
+      when :ssl
+        @xfer = HTTP::HttpSSL.new(endpoint, opts[:user], opts[:pass], opts[:ca_trust_path], opts)
+      end
+    end
+  end
+end

data/spec/functional/sspi_nego_encrypt_decrypt_spec.rb

@@ -0,0 +1,65 @@
+require 'spec_helper'
+
+def assert_prerequisites
+  if windows?
+    require 'winrm-s'
+    ["test_winrm_endpoint", "test_winrm_user", "test_winrm_pass"].each do |env_var|
+      raise "\n\nError: Please set the environment variable: #{env_var}\n\n" if ENV[env_var].nil?
+    end
+  end
+end
+
+
+describe "Test sspinegotiate with encrypt/decrypt via WinRM", :windows_and_func_spec_enabled do
+  before(:all) do
+    assert_prerequisites
+    # Remember the user setting.
+    winrm_cfg = %x{winrm get winrm/config/service -format:xml}
+    doc = Nokogiri::XML(winrm_cfg)
+    @original_allowunencrypted_val = doc.at_css("cfg|Service cfg|AllowUnencrypted").text.to_s
+  end
+
+  before do
+    %x{winrm set winrm/config/service @{AllowUnencrypted="false"}}
+    @winrm = WinRM::WinRMWebService.new(ENV["test_winrm_endpoint"], :sspinegotiate, :user => ENV["test_winrm_user"], :pass => ENV["test_winrm_pass"])
+  end
+
+  after(:all) do
+    %x{winrm set winrm/config/service @{AllowUnencrypted="#{@original_allowunencrypted_val}"}}
+  end
+
+  it 'should run a CMD command string' do
+    output = @winrm.run_cmd('ipconfig /all')
+    expect(output[:exitcode]).to be_zero
+    expect(output[:data]).not_to be_empty
+  end
+
+  it 'should run a CMD command with proper arguments' do
+    output = @winrm.run_cmd('ipconfig', %w{/all})
+    expect(output[:exitcode]).to be_zero
+    expect(output[:data]).not_to be_empty
+  end
+
+  it 'should run a CMD command with block' do
+    outvar = ''
+    @winrm.run_cmd('ipconfig', %w{/all}) do |stdout, stderr|
+      outvar << stdout
+    end
+    expect(outvar).to match(/Windows IP Configuration/)
+  end
+
+  describe "Negative test:" do
+    before do
+      %x{winrm set winrm/config/service @{AllowUnencrypted="true"}}
+    end
+    after do
+      %x{winrm set winrm/config/service @{AllowUnencrypted="false"}}
+    end
+
+    describe "when AllowUnencrypted is set to true" do
+      it "should raise an exception" do
+        expect{@winrm.run_cmd('ipconfig')}.to raise_exception
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,21 @@
+$:.unshift File.expand_path('../../lib', __FILE__)
+
+require 'nokogiri'
+
+def windows?
+  !!(RUBY_PLATFORM =~ /mswin|mingw|windows/)
+end
+
+def unix?
+  !windows?
+end
+
+def windows_and_func_spec_enabled?
+  windows? and ENV["enable_winrms_func_spec"]
+end
+
+RSpec.configure do |config|
+  config.filter_run_excluding :windows_only => true unless windows?
+  config.filter_run_excluding :windows_and_func_spec_enabled => true unless windows_and_func_spec_enabled?
+  config.filter_run_excluding :unix_only => true unless unix?
+end

data/spec/unit/platform_spec.rb

@@ -0,0 +1,28 @@
+require 'spec_helper'
+
+
+describe "Test if patch is applied on Platform" do
+
+  describe 'Windows is succesfully patched for transport sspinegotiate', :windows_only do
+    before do
+      require 'winrm-s'
+      @winrm = WinRM::WinRMWebService.new("http://mywinrmhost:5985/wsman", :sspinegotiate, :user => "test_winrm_user", :pass => "test_winrm_pass")
+    end
+
+    it 'HTTP::HttpSSPINegotiate class should exist' do
+      expect{WinRM::HTTP::HttpSSPINegotiate}.not_to raise_exception
+    end
+
+    it 'should patch httpclient to contain encrypt/decrypt methods' do
+      expect(HTTPClient::SSPINegotiateAuth.new).to respond_to(:encrypt_payload)
+      expect(HTTPClient::SSPINegotiateAuth.new).to respond_to(:decrypt_payload)
+    end
+
+  end
+
+  describe 'Winrm cannot be patched for unix', :unix_only do
+    it 'require winrm-s should raise exception' do
+      expect{require 'winrm-s'}.to raise_exception
+    end
+  end
+end

data/winrm-s.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "winrm-s/version"
+
+Gem::Specification.new do |s|
+  s.name        = "winrm-s"
+  s.version     = WinrmS::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.has_rdoc = true
+  s.extra_rdoc_files = ["README.md", "LICENSE" ]
+  s.authors     = ["Kaustubh Deorukhkar"]
+  s.email       = ["dev@getchef.com", "kaustubh@clogeny.com"]
+  s.homepage    = "https://github.com/opscode/winrm-s"
+  s.summary     = %q{Gem that extends the functionality of the WinRM gem to support the Microsoft Negotiate protocol when authenticating to a remote WinRM endpoint from a Windows system}
+  s.description = s.summary
+
+  s.add_dependency "winrm", "~> 1.1.3"
+
+  %w(rspec-core rspec-expectations rspec-mocks rspec_junit_formatter).each { |gem| s.add_development_dependency gem }
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+end

metadata

@@ -0,0 +1,144 @@
+--- !ruby/object:Gem::Specification
+name: winrm-s
+version: !ruby/object:Gem::Version
+  version: 0.1.0.rc.0
+platform: ruby
+authors:
+- Kaustubh Deorukhkar
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-06-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: winrm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.3
+- !ruby/object:Gem::Dependency
+  name: rspec-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-mocks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Gem that extends the functionality of the WinRM gem to support the Microsoft
+  Negotiate protocol when authenticating to a remote WinRM endpoint from a Windows
+  system
+email:
+- dev@getchef.com
+- kaustubh@clogeny.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- README.md
+- LICENSE
+files:
+- .gitignore
+- .rspec
+- .travis.yml
+- CHANGELOG.md
+- CONTRIBUTING.md
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- lib/winrm-s.rb
+- lib/winrm-s/version.rb
+- lib/winrm/helpers/assert_patch.rb
+- lib/winrm/http/auth.rb
+- lib/winrm/http/transport_patch.rb
+- lib/winrm/win32/sspi.rb
+- lib/winrm/winrm_service_patch.rb
+- spec/functional/sspi_nego_encrypt_decrypt_spec.rb
+- spec/spec_helper.rb
+- spec/unit/platform_spec.rb
+- winrm-s.gemspec
+homepage: https://github.com/opscode/winrm-s
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>'
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.1.11
+signing_key: 
+specification_version: 4
+summary: Gem that extends the functionality of the WinRM gem to support the Microsoft
+  Negotiate protocol when authenticating to a remote WinRM endpoint from a Windows
+  system
+test_files:
+- spec/functional/sspi_nego_encrypt_decrypt_spec.rb
+- spec/spec_helper.rb
+- spec/unit/platform_spec.rb
+has_rdoc: true