winrm 1.5.0 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ad05b5c1fe16cfa1586a6a001022d0463e87d9cb
-  data.tar.gz: 07a2d85d2a0a9458049eaac2b23bbd68e518ae2d
+  metadata.gz: bc4d15623138a5d39c308936ad8e6738621317c0
+  data.tar.gz: 64064ba319d3d5d856ba346a383823ccd0054f40
 SHA512:
-  metadata.gz: c2181da8210604d6703c2f694c3388e9e8f670fba9673a3fac68b1b9d257e2f0e3412f810b3c94966a57e7035e1d1b153ee815a7b993694c71885925d6bff09e
-  data.tar.gz: 47d0c26bfab5a7f096091bf74f042ded6a25fe59683c83829907863176f5bbb337bb6b972fcc4e2d3d5977c150c65c81413c6044a23b75787b82ae8738e1fb38
+  metadata.gz: dab6833383b786a008734ef928a4f7ed2346b912f6e342fde139053053bede56296e097f17726e801b5ef7d0023ba9ee8b373ff7b5d545e78564c6ff13900f94
+  data.tar.gz: 5c7c43892944ed073c2cc66a6bf590e4164e052c6b6d596dec684408dd11594d3da8ea275f39d724d197571ce746ce65378a2e1f9a6394bae4955f4c09ed1efd

data/.rubocop.yml

@@ -1,7 +1,9 @@
 AllCops:
   Exclude:
     - 'appveyor.yml'
+    - 'scripts/**/*'
     - 'lib/winrm/winrm_service.rb'
+    - 'lib/winrm/http/transport.rb'
 
 Style/Encoding:
   Enabled: true

data/.travis.yml

@@ -5,3 +5,8 @@ rvm:
   - 2.1.0
 before_install:
   - gem update bundler
+
+# This prevents testing branches that are created just for PRs
+branches:
+  only:
+  - master

data/README.md

@@ -38,7 +38,13 @@ As of version 1.5.0 `WinRM::WinRMWebService` methods `cmd`, `run_cmd`, `powershe
 
 Use the `run_cmd` and `run_powershell_script` of the `WinRM::CommandExecutor` class instead. The `CommandExecutor` allows multiple commands to be run from the same WinRM shell providing a significant performance improvement when issuing multiple calls.
 
+#### NTLM/Negotiate
+```ruby
+winrm = WinRM::WinRMWebService.new(endpoint, :negotiate, :user => myuser, :pass => mypass)
+```
+
 #### Plaintext
+Note: It is strongly recommended that you use `:negotiate` instead of `:plaintext`. As the name infers, the `:plaintext` transport includes authentication credentials in plain text.
 ```ruby
 WinRM::WinRMWebService.new(endpoint, :plaintext, :user => myuser, :pass => mypass, :disable_sspi => true)
 
@@ -99,7 +105,7 @@ The `WinRMWebService` exposes a `logger` attribute and uses the [logging](https:
 winrm = WinRM::WinRMWebService.new(endpoint, :ssl, :user => myuser, :pass => mypass)
 
 # suppress warnings
-winrm.logger.warn = :error
+winrm.logger.level = :error
 
 # Log to a file
 winrm.logger.add_appenders(Logging.appenders.file('error.log'))

data/Rakefile

@@ -8,6 +8,14 @@ require 'bundler/gem_tasks'
 # Change to the directory of this file.
 Dir.chdir(File.expand_path('../', __FILE__))
 
+desc 'Open a Pry console for this library'
+task :console do
+  require 'pry'
+  require 'winrm'
+  ARGV.clear
+  Pry.start
+end
+
 RSpec::Core::RakeTask.new(:spec) do |task|
   task.pattern = 'spec/*_spec.rb'
   task.rspec_opts = ['--color', '-f documentation']

data/changelog.md

@@ -1,5 +1,11 @@
 # WinRM Gem Changelog
 
+# 1.6.0
+- Adding `:negotiate` transport providing NTLM/Negotiate encryption of WinRM requests and responses
+- Removed dependency on UUIDTools gem
+- Extending accepted error codes for retry behavior to include `Errno::ETIMEDOUT`
+- Correct deprecation warning for WinRMWebService.run_powershell_script
+
 # 1.5.0
 - Deprecating `WinRM::WinRMWebService` methods `cmd`, `run_cmd`, `powershell`, and `run_powershell_script` in favor of the `run_cmd` and `run_powershell_script` methods of the `WinRM::CommandExecutor` class. The `CommandExecutor` allows multiple commands to be run from the same WinRM shell providing a significant performance improvement when issuing multiple calls.
 - Added an `:ssl_peer_fingerprint` option to be used instead of `:no_ssl_peer_verification` and allows a specific certificate to be verified.

data/lib/winrm/command_executor.rb

@@ -226,7 +226,7 @@ module WinRM
 
     RESCUE_EXCEPTIONS_ON_ESTABLISH = lambda do
       [
-        Errno::EACCES, Errno::EADDRINUSE, Errno::ECONNREFUSED,
+        Errno::EACCES, Errno::EADDRINUSE, Errno::ECONNREFUSED, Errno::ETIMEDOUT,
         Errno::ECONNRESET, Errno::ENETUNREACH, Errno::EHOSTUNREACH,
         ::WinRM::WinRMHTTPTransportError, ::WinRM::WinRMAuthorizationError,
         HTTPClient::KeepAliveDisconnected,

data/lib/winrm/http/transport.rb

@@ -128,6 +128,7 @@ module WinRM
       end
     end
 
+
     # Plain text, insecure, HTTP transport
     class HttpPlaintext < HttpTransport
       def initialize(endpoint, user, pass, opts)
@@ -139,6 +140,89 @@ module WinRM
       end
     end
 
+
+    # NTLM/Negotiate, secure, HTTP transport
+    class HttpNegotiate < HttpTransport
+      def initialize(endpoint, user, pass, opts)
+        super(endpoint)
+        no_sspi_auth!
+
+        user_parts = user.split('\\')
+        if(user_parts.length > 1)
+          opts[:domain] = user_parts[0]
+          user = user_parts[1]
+        end
+
+        @ntlmcli = Net::NTLM::Client.new(user, pass, opts)
+        @retryable = true
+        no_ssl_peer_verification! if opts[:no_ssl_peer_verification]
+      end
+
+      def send_request(message, auth_header = nil)
+        auth_header = init_auth if @ntlmcli.session.nil?
+
+        original_length = message.length
+
+        emessage = @ntlmcli.session.seal_message message
+        signature = @ntlmcli.session.sign_message message
+        seal = "\x10\x00\x00\x00#{signature}#{emessage}"
+
+        hdr = {
+          "Content-Type" => "multipart/encrypted;protocol=\"application/HTTP-SPNEGO-session-encrypted\";boundary=\"Encrypted Boundary\""
+        }
+        hdr.merge!(auth_header) if auth_header
+
+        body = [
+          "--Encrypted Boundary",
+          "Content-Type: application/HTTP-SPNEGO-session-encrypted",
+          "OriginalContent: type=application/soap+xml;charset=UTF-8;Length=#{original_length}",
+          "--Encrypted Boundary",
+          "Content-Type: application/octet-stream",
+          "#{seal}--Encrypted Boundary--",
+          ""
+        ].join("\r\n")
+
+        resp = @httpcli.post(@endpoint, body, hdr)
+        if resp.status == 401 && @retryable
+          @retryable = false
+          send_request(message, init_auth)
+        else
+          @retryable = true
+          decrypted_body = resp.body.empty? ? '' : winrm_decrypt(resp.body)
+          handler = WinRM::ResponseHandler.new(decrypted_body, resp.status)
+          handler.parse_to_xml()
+        end
+      end
+
+      private
+
+      def winrm_decrypt(str)
+        str.force_encoding('BINARY')
+        str.sub!(/^.*Content-Type: application\/octet-stream\r\n(.*)--Encrypted.*$/m, '\1')
+
+        signature = str[4..19]
+        message = @ntlmcli.session.unseal_message str[20..-1]
+        if @ntlmcli.session.verify_signature(signature, message)
+          message
+        else
+          raise WinRMWebServiceError, "Could not verify SOAP message."
+        end
+      end
+
+      def init_auth
+        @logger.debug "Initializing Negotiate for #{@service}"
+        auth1 = @ntlmcli.init_context
+        hdr = {"Authorization" => "Negotiate #{auth1.encode64}",
+               "Content-Type" => "application/soap+xml;charset=UTF-8"
+        }
+        @logger.debug "Sending HTTP POST for Negotiate Authentication"
+        r = @httpcli.post(@endpoint, "", hdr)
+        itok = r.header["WWW-Authenticate"].pop.split.last
+        auth3 = @ntlmcli.init_context itok
+        { "Authorization" => "Negotiate #{auth3.encode64}" }
+      end
+    end
+
     # Uses SSL to secure the transport
     class HttpSSL < HttpTransport
       def initialize(endpoint, user, pass, ca_trust_path = nil, opts)
@@ -209,15 +293,15 @@ module WinRM
             'protocol="application/HTTP-Kerberos-session-encrypted";' \
             'boundary="Encrypted Boundary"'
         }
-
-        body = <<-EOF
---Encrypted Boundary\r
-Content-Type: application/HTTP-Kerberos-session-encrypted\r
-OriginalContent: type=application/soap+xml;charset=UTF-8;Length=#{original_length + pad_len}\r
---Encrypted Boundary\r
-Content-Type: application/octet-stream\r
-#{emsg}--Encrypted Boundary\r
-        EOF
+        body = [
+          "--Encrypted Boundary",
+          "Content-Type: application/HTTP-Kerberos-session-encrypted",
+          "OriginalContent: type=application/soap+xml;charset=UTF-8;Length=#{original_length + pad_len}",
+          "--Encrypted Boundary",
+          "Content-Type: application/octet-stream",
+          "#{emsg}--Encrypted Boundary--",
+          ""
+        ].join("\r\n")
 
         resp = @httpcli.post(@endpoint, body, hdr)
         log_soap_message(resp.http_body.content)

data/lib/winrm/soap_provider.rb

@@ -17,7 +17,6 @@
 require 'httpclient'
 require 'builder'
 require 'gyoku'
-require 'uuidtools'
 require 'base64'
 
 # SOAP constants for WinRM

data/lib/winrm/version.rb

@@ -3,5 +3,5 @@
 # WinRM module
 module WinRM
   # The version of the WinRM library
-  VERSION = '1.5.0'
+  VERSION = '1.6.0'
 end

data/lib/winrm/winrm_service.rb

@@ -16,6 +16,7 @@
 
 require 'nori'
 require 'rexml/document'
+require 'securerandom'
 require 'winrm/command_executor'
 require_relative 'helpers/powershell_script'
 
@@ -36,6 +37,7 @@ module WinRM
     # @param [Hash] opts Misc opts for the various transports.
     #   @see WinRM::HTTP::HttpTransport
     #   @see WinRM::HTTP::HttpGSSAPI
+    #   @see WinRM::HTTP::HttpNegotiate
     #   @see WinRM::HTTP::HttpSSL
     def initialize(endpoint, transport = :kerberos, opts = {})
       @endpoint = endpoint
@@ -44,20 +46,32 @@ module WinRM
       @locale = DEFAULT_LOCALE
       setup_logger
       configure_retries(opts)
-      case transport
-      when :kerberos
-        require 'gssapi'
-        require 'gssapi/extensions'
-        @xfer = HTTP::HttpGSSAPI.new(endpoint, opts[:realm], opts[:service], opts[:keytab], opts)
-      when :plaintext
-        @xfer = HTTP::HttpPlaintext.new(endpoint, opts[:user], opts[:pass], opts)
-      when :ssl
-        @xfer = HTTP::HttpSSL.new(endpoint, opts[:user], opts[:pass], opts[:ca_trust_path], opts)
-      else
-        raise "Invalid transport '#{transport}' specified, expected: kerberos, plaintext, ssl."
+      begin
+        @xfer = send "init_#{transport}_transport", opts.merge({endpoint: endpoint})
+      rescue NoMethodError => e
+        raise "Invalid transport '#{transport}' specified, expected: negotiate, kerberos, plaintext, ssl."
       end
     end
 
+    def init_negotiate_transport(opts)
+      require 'rubyntlm'
+      HTTP::HttpNegotiate.new(opts[:endpoint], opts[:user], opts[:pass], opts)
+    end
+
+    def init_kerberos_transport(opts)
+      require 'gssapi'
+      require 'gssapi/extensions'
+      HTTP::HttpGSSAPI.new(opts[:endpoint], opts[:realm], opts[:service], opts[:keytab], opts)
+    end
+
+    def init_plaintext_transport(opts)
+      HTTP::HttpPlaintext.new(opts[:endpoint], opts[:user], opts[:pass], opts)
+    end
+
+    def init_ssl_transport(opts)
+      HTTP::HttpSSL.new(opts[:endpoint], opts[:user], opts[:pass], opts[:ca_trust_path], opts)
+    end
+
     # Operation timeout.
     # 
     # Unless specified the client receive timeout will be 10s + the operation
@@ -319,7 +333,7 @@ module WinRM
     # @param [String] an existing and open shell id to reuse
     # @return [Hash] :stdout and :stderr
     def run_powershell_script(script_file, &block)
-      logger.warn("WinRM::WinRMWebService#run_powershell_script is deprecated. Use WinRM::CommandExecutor#run_cmd instead")
+      logger.warn("WinRM::WinRMWebService#run_powershell_script is deprecated. Use WinRM::CommandExecutor#run_powershell_script instead")
       create_executor do |executor|
         executor.run_powershell_script(script_file, &block)
       end
@@ -427,7 +441,7 @@ module WinRM
         "#{NS_ADDRESSING}:Address" => 'http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous',
           :attributes! => {"#{NS_ADDRESSING}:Address" => {'mustUnderstand' => true}}},
         "#{NS_WSMAN_DMTF}:MaxEnvelopeSize" => @max_env_sz,
-        "#{NS_ADDRESSING}:MessageID" => "uuid:#{UUIDTools::UUID.random_create.to_s.upcase}",
+        "#{NS_ADDRESSING}:MessageID" => "uuid:#{SecureRandom.uuid.to_s.upcase}",
         "#{NS_WSMAN_DMTF}:Locale/" => '',
         "#{NS_WSMAN_MSFT}:DataLocale/" => '',
         "#{NS_WSMAN_DMTF}:OperationTimeout" => @timeout,
@@ -459,6 +473,7 @@ module WinRM
       # another Receive request.
       # http://msdn.microsoft.com/en-us/library/cc251676.aspx
       if e.fault_code == '2150858793'
+        logger.debug("[WinRM] retrying receive request after timeout")
         retry
       else
         raise

data/spec/issue_59_spec.rb

@@ -5,11 +5,19 @@ describe 'issue 59', integration: true do
   end
 
   describe 'long running script without output' do
+    let(:logged_output) { StringIO.new }
+    let(:logger)        { Logging.logger(logged_output) }
+
     it 'should not error' do
-      out = @winrm.powershell('$ProgressPreference="SilentlyContinue";sleep 60; Write-Host "Hello"')
+      @winrm.set_timeout(1)
+      @winrm.logger = logger
+
+      out = @winrm.powershell('$ProgressPreference="SilentlyContinue";sleep 3; Write-Host "Hello"')
+
       expect(out).to have_exit_code 0
       expect(out).to have_stdout_match(/Hello/)
       expect(out).to have_no_stderr
+      expect(logged_output.string).to match(/retrying receive request/)
     end
   end
 end

data/spec/transport_spec.rb

@@ -0,0 +1,44 @@
+# encoding: UTF-8
+require 'rubyntlm'
+require 'winrm/http/transport'
+
+describe WinRM::HTTP::HttpNegotiate, unit: true do
+  describe '#init' do
+    let(:endpoint) { 'some_endpoint' }
+    let(:domain) { 'some_domain' }
+    let(:user) { 'some_user' }
+    let(:password) { 'some_password' }
+    let(:options) { {} }
+
+    context 'user is not domain prefixed' do
+      it 'does not pass a domain to the NTLM client' do
+        expect(Net::NTLM::Client).to receive(:new).with(user, password, options)
+        WinRM::HTTP::HttpNegotiate.new(endpoint, user, password, options)
+      end
+    end
+
+    context 'user is domain prefixed' do
+      it 'passes prefixed domain to the NTLM client' do
+        expect(Net::NTLM::Client).to receive(:new) do |passed_user, passed_password, passed_options|
+          expect(passed_user).to eq user
+          expect(passed_password).to eq password
+          expect(passed_options[:domain]).to eq domain
+        end
+        WinRM::HTTP::HttpNegotiate.new(endpoint, "#{domain}\\#{user}", password, options)
+      end
+    end
+
+    context 'option is passed with a domain' do
+      let(:options) { { domain: domain } }
+
+      it 'passes domain option to the NTLM client' do
+        expect(Net::NTLM::Client).to receive(:new) do |passed_user, passed_password, passed_options|
+          expect(passed_user).to eq user
+          expect(passed_password).to eq password
+          expect(passed_options[:domain]).to eq domain
+        end
+        WinRM::HTTP::HttpNegotiate.new(endpoint, user, password, options)
+      end
+    end
+  end
+end

data/winrm.gemspec

@@ -28,8 +28,7 @@ Gem::Specification.new do |s|
   s.required_ruby_version = '>= 1.9.0'
   s.add_runtime_dependency 'gssapi', '~> 1.2'
   s.add_runtime_dependency 'httpclient', '~> 2.2', '>= 2.2.0.2'
-  s.add_runtime_dependency 'rubyntlm', '~> 0.4.0'
-  s.add_runtime_dependency 'uuidtools', '~> 2.1.2'
+  s.add_runtime_dependency 'rubyntlm', '~> 0.5.0', '>= 0.5.3'
   s.add_runtime_dependency 'logging', ['>= 1.6.1', '< 3.0']
   s.add_runtime_dependency 'nori', '~> 2.0'
   s.add_runtime_dependency 'gyoku', '~> 1.0'
@@ -37,4 +36,5 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'rspec', '~> 3.2'
   s.add_development_dependency 'rake', '~> 10.3'
   s.add_development_dependency 'rubocop', '~> 0.28'
+  s.add_development_dependency 'pry'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: winrm
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 1.6.0
 platform: ruby
 authors:
 - Dan Wanek
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-11 00:00:00.000000000 Z
+date: 2016-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gssapi
@@ -51,28 +51,20 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.4.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.4.0
-- !ruby/object:Gem::Dependency
-  name: uuidtools
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
+        version: 0.5.0
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.1.2
+        version: 0.5.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.1.2
+        version: 0.5.0
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.5.3
 - !ruby/object:Gem::Dependency
   name: logging
   requirement: !ruby/object:Gem::Requirement
@@ -177,6 +169,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.28'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: |2
       Ruby library for Windows Remote Management
 email:
@@ -229,6 +235,7 @@ files:
 - spec/stubs/responses/soap_fault_v1.xml
 - spec/stubs/responses/soap_fault_v2.xml
 - spec/stubs/responses/wmi_error_v2.xml
+- spec/transport_spec.rb
 - spec/winrm_options_spec.rb
 - spec/winrm_primitives_spec.rb
 - spec/wql_spec.rb