winrm 1.6.1 → 1.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: aa96ea262bfb740bcf397684129464232f76321f
-  data.tar.gz: ca5894916562e3d5243c2099f8a439b10922d140
+  metadata.gz: 334ae5a75dc6e3249c316caa13eb582aa1930239
+  data.tar.gz: a8b620912892adef39c78d3f89c73a0530078404
 SHA512:
-  metadata.gz: 87d111e8d6597aeb11a24dcf2a33f569426c48bd91940c25e27f461c4ca2e4d2c939eaa518f1b479e35f163700559fa152a5346c0ffd71693f3021bedeb77dfa
-  data.tar.gz: f349d8858850cb6f3017b67cab69fc8c843f5d188eecaec95903e7f7bedb098160babfe7fa83e58d2b77999dc23c8a0d6891617d6c4d069daf8a2c1d8c7a2fe4
+  metadata.gz: fc00c205dfee32d1b15fb3940dfc2355a1bac7910793df0f42ba260da3cf2f8c19c42769a0646c1ad18e65825add9d5d42fa6f780fdf5634697f3fd06854fdf8
+  data.tar.gz: b5fd3e292e0042efa567a385a38de49335692e57f4ff2cd5210a19d7a15aa2fdb2540f899c682d61f88aa25c75560e2ba3a86f4698e4e54b1ca572bdc7c99408

data/appveyor.yml

@@ -12,16 +12,6 @@ environment:
     - ruby_version: "21"
       winrm_endpoint: http://localhost:5985/wsman
 
-    - ruby_version: "21"
-      winrm_auth_type: ssl
-      winrm_endpoint: https://localhost:5986/wsman
-      winrm_no_ssl_peer_verification: true
-
-    - ruby_version: "21"
-      winrm_auth_type: ssl
-      winrm_endpoint: https://localhost:5986/wsman
-      use_ssl_peer_fingerprint: true
-
 clone_folder: c:\projects\winrm
 clone_depth: 1
 branches:
@@ -35,6 +25,7 @@ install:
   - ps: winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=`"localhost`";CertificateThumbprint=`"$($env:winrm_cert)`"}"
   - ps: winrm set winrm/config/client/auth '@{Basic="true"}'
   - ps: winrm set winrm/config/service/auth '@{Basic="true"}'
+  - ps: winrm set winrm/config/service/auth '@{CbtHardeningLevel="Strict"}'
   - ps: winrm set winrm/config/service '@{AllowUnencrypted="true"}'
   - ps: $env:PATH="C:\Ruby$env:ruby_version\bin;$env:PATH"
   - ps: Write-Host $env:PATH

data/changelog.md

@@ -1,5 +1,9 @@
 # WinRM Gem Changelog
 
+# 1.7.0
+- Bump rubyntlm gem to 0.6.0 to get channel binding support for HTTPS fixing connections to endoints with `CbtHardeningLevel` set to `Strict`
+- Fix for parsing binary data in command output
+
 # 1.6.1
 - Use codepage 437 by default on os versions older than Windows 7 and Windows Server 2008 R2
 

data/lib/winrm/http/transport.rb

@@ -145,6 +145,7 @@ module WinRM
     class HttpNegotiate < HttpTransport
       def initialize(endpoint, user, pass, opts)
         super(endpoint)
+        require 'rubyntlm'
         no_sspi_auth!
 
         user_parts = user.split('\\')
@@ -156,9 +157,12 @@ module WinRM
         @ntlmcli = Net::NTLM::Client.new(user, pass, opts)
         @retryable = true
         no_ssl_peer_verification! if opts[:no_ssl_peer_verification]
+        @ssl_peer_fingerprint = opts[:ssl_peer_fingerprint]
+        @httpcli.ssl_config.set_trust_ca(opts[:ca_trust_path]) if opts[:ca_trust_path]
       end
 
       def send_request(message, auth_header = nil)
+        ssl_peer_fingerprint_verification!
         auth_header = init_auth if @ntlmcli.session.nil?
 
         original_length = message.length
@@ -183,6 +187,7 @@ module WinRM
         ].join("\r\n")
 
         resp = @httpcli.post(@endpoint, body, hdr)
+        verify_ssl_fingerprint(resp.peer_cert)
         if resp.status == 401 && @retryable
           @retryable = false
           send_request(message, init_auth)
@@ -217,22 +222,23 @@ module WinRM
         }
         @logger.debug "Sending HTTP POST for Negotiate Authentication"
         r = @httpcli.post(@endpoint, "", hdr)
+        verify_ssl_fingerprint(r.peer_cert)
         itok = r.header["WWW-Authenticate"].pop.split.last
-        auth3 = @ntlmcli.init_context itok
+        binding = r.peer_cert.nil? ? nil : Net::NTLM::ChannelBinding.create(r.peer_cert)
+        auth3 = @ntlmcli.init_context(itok, binding)
         { "Authorization" => "Negotiate #{auth3.encode64}" }
       end
     end
 
     # Uses SSL to secure the transport
-    class HttpSSL < HttpTransport
-      def initialize(endpoint, user, pass, ca_trust_path = nil, opts)
+    class BasicAuthSSL < HttpTransport
+      def initialize(endpoint, user, pass, opts)
         super(endpoint)
         @httpcli.set_auth(endpoint, user, pass)
-        @httpcli.ssl_config.set_trust_ca(ca_trust_path) unless ca_trust_path.nil?
-        no_sspi_auth! if opts[:disable_sspi]
-        basic_auth_only! if opts[:basic_auth_only]
+        basic_auth_only!
         no_ssl_peer_verification! if opts[:no_ssl_peer_verification]
         @ssl_peer_fingerprint = opts[:ssl_peer_fingerprint]
+        @httpcli.ssl_config.set_trust_ca(opts[:ca_trust_path]) if opts[:ca_trust_path]
       end
     end
 

data/lib/winrm/version.rb

@@ -3,5 +3,5 @@
 # WinRM module
 module WinRM
   # The version of the WinRM library
-  VERSION = '1.6.1'
+  VERSION = '1.7.0'
 end

data/lib/winrm/winrm_service.rb

@@ -54,7 +54,6 @@ module WinRM
     end
 
     def init_negotiate_transport(opts)
-      require 'rubyntlm'
       HTTP::HttpNegotiate.new(opts[:endpoint], opts[:user], opts[:pass], opts)
     end
 
@@ -69,7 +68,11 @@ module WinRM
     end
 
     def init_ssl_transport(opts)
-      HTTP::HttpSSL.new(opts[:endpoint], opts[:user], opts[:pass], opts[:ca_trust_path], opts)
+      if opts[:basic_auth_only]
+        HTTP::BasicAuthSSL.new(opts[:endpoint], opts[:user], opts[:pass], opts)
+      else
+        HTTP::HttpNegotiate.new(opts[:endpoint], opts[:user], opts[:pass], opts)
+      end
     end
 
     # Operation timeout.
@@ -253,8 +256,19 @@ module WinRM
         REXML::XPath.match(resp_doc, "//#{NS_WIN_SHELL}:Stream").each do |n|
           next if n.text.nil? || n.text.empty?
 
-          # decode and strip off BOM which win 2008R2 applies
-          stream = { n.attributes['Name'].to_sym => Base64.decode64(n.text).force_encoding('utf-8').sub("\xEF\xBB\xBF", "") }
+          # decode and replace invalid unicode characters
+          decoded_text = Base64.decode64(n.text).force_encoding('utf-8')
+          if ! decoded_text.valid_encoding?
+            if decoded_text.respond_to?(:scrub!)        
+              decoded_text.scrub!
+            else
+              decoded_text = decoded_text.encode('utf-16', invalid: :replace, undef: :replace)
+                .encode('utf-8')
+            end
+          end
+
+          # remove BOM which 2008R2 applies
+          stream = { n.attributes['Name'].to_sym => decoded_text.sub('\xEF\xBB\xBF', '') }
           output[:data] << stream
           yield stream[:stdout], stream[:stderr] if block_given?
         end

data/spec/issue_184_spec.rb

@@ -0,0 +1,67 @@
+# encoding: UTF-8
+require 'winrm/winrm_service'
+require 'rexml/document'
+require 'erb'
+require 'base64'
+
+describe 'issue 184', unit: true do
+  let(:shell_id)    { 'shell-123' }
+  let(:command_id)  { 123 }
+  let(:test_data_xml_template) do
+    ERB.new(File.read('spec/stubs/responses/get_command_output_response.xml.erb'))
+  end
+  let(:service) do
+    WinRM::WinRMWebService.new(
+      'http://dummy/wsman',
+      :plaintext,
+      user: 'dummy',
+      pass: 'dummy')
+  end
+
+  describe 'response doc stdout with invalid UTF-8 characters' do
+    let(:test_data_stdout) { 'ffff' } # Base64-decodes to '}\xF7\xDF', an invalid sequence
+    let(:test_data_stderr) { '' }
+    let(:test_data_xml)    { test_data_xml_template.result(binding) }
+
+    before do
+      allow(service).to receive(:send_get_output_message).and_return(
+        REXML::Document.new(test_data_xml)
+      )
+    end
+
+    it 'does not raise an ArgumentError: invalid byte sequence in UTF-8' do
+      begin
+        expect(
+          service.get_command_output(shell_id, command_id)
+        ).not_to raise_error
+      rescue RSpec::Expectations::ExpectationNotMetError => e
+        expect(e.message).not_to include 'ArgumentError'
+      end
+    end
+
+    it 'does not have an empty stdout' do
+      expect(
+        service.get_command_output(shell_id, command_id)[:data][0][:stdout]
+      ).not_to be_empty
+    end
+  end
+
+  describe 'response doc stdout with valid UTF-8' do
+    let(:test_data_raw)    { '✓1234-äöü' }
+    let(:test_data_stdout) { Base64.encode64(test_data_raw) }
+    let(:test_data_stderr) { '' }
+    let(:test_data_xml)    { test_data_xml_template.result(binding) }
+
+    before do
+      allow(service).to receive(:send_get_output_message).and_return(
+        REXML::Document.new(test_data_xml)
+      )
+    end
+
+    it 'decodes to match input data' do
+      expect(
+        service.get_command_output(shell_id, command_id)[:data][0][:stdout]
+      ).to eq(test_data_raw)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -33,7 +33,6 @@ module ConnectionHelper
       config[:options][:ssl_peer_fingerprint] = ENV['winrm_cert']
     end
     config[:endpoint] = ENV['winrm_endpoint'] if ENV['winrm_endpoint']
-    config[:auth_type] = ENV['winrm_auth_type'] if ENV['winrm_auth_type']
   end
 
   def merge_config_option_from_environment(config, key)

data/spec/stubs/responses/get_command_output_response.xml.erb

@@ -0,0 +1,13 @@
+<s:Envelope xmlns:a='http://schemas.xmlsoap.org/ws/2004/08/addressing' xml:lang='en-US' xmlns:p='http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd' xmlns:rsp='http://schemas.microsoft.com/wbem/wsman/1/windows/shell' xmlns:s='http://www.w3.org/2003/05/soap-envelope' xmlns:w='http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd'>
+   <s:Header>
+   </s:Header>
+   <s:Body>
+      <rsp:ReceiveResponse>
+         <rsp:Stream CommandId='<%= command_id %>' Name='stdout'><%= test_data_stdout %></rsp:Stream>
+         <rsp:Stream CommandId='<%= command_id %>' End='true' Name='stderr'><%= test_data_stderr %></rsp:Stream>
+         <rsp:CommandState CommandId='<%= command_id %>' State='http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandState/Done'>
+            <rsp:ExitCode>0</rsp:ExitCode>
+         </rsp:CommandState>
+      </rsp:ReceiveResponse>
+   </s:Body>
+</s:Envelope>

data/spec/transport_spec.rb

@@ -42,3 +42,83 @@ describe WinRM::HTTP::HttpNegotiate, unit: true do
     end
   end
 end
+
+describe 'WinRM connection', integration: true do
+  let(:winrm_connection) do
+    endpoint = config[:endpoint].dup
+    if auth_type == :ssl
+      endpoint.sub!('5985', '5986')
+      endpoint.sub!('http', 'https')
+    end
+    winrm = WinRM::WinRMWebService.new(
+      endpoint, auth_type, options)
+    winrm.logger.level = :error
+    winrm
+  end
+  let(:options) do
+    opts = {}
+    opts[:user] = config[:options][:user]
+    opts[:pass] = config[:options][:pass]
+    opts[:basic_auth_only] = basic_auth_only
+    opts[:no_ssl_peer_verification] = no_ssl_peer_verification
+    opts[:ssl_peer_fingerprint] = ssl_peer_fingerprint
+    opts
+  end
+  let(:basic_auth_only) { false }
+  let(:no_ssl_peer_verification) { false }
+  let(:ssl_peer_fingerprint) { nil }
+
+  subject(:output) do
+    executor = winrm_connection.create_executor
+    executor.run_cmd('ipconfig')
+  end
+
+  shared_examples 'a valid_connection' do
+    it 'has a 0 exit code' do
+      expect(subject).to have_exit_code 0
+    end
+
+    it 'includes command output' do
+      expect(subject).to have_stdout_match(/Windows IP Configuration/)
+    end
+
+    it 'has no errors' do
+      expect(subject).to have_no_stderr
+    end
+  end
+
+  context 'HttpPlaintext' do
+    let(:basic_auth_only) { true }
+    let(:auth_type) { :plaintext }
+
+    it_behaves_like 'a valid_connection'
+  end
+
+  context 'HttpNegotiate' do
+    let(:auth_type) { :negotiate }
+
+    it_behaves_like 'a valid_connection'
+  end
+
+  context 'BasicAuthSSL', skip: ENV['winrm_cert'].nil? do
+    let(:basic_auth_only) { true }
+    let(:auth_type) { :ssl }
+    let(:no_ssl_peer_verification) { true }
+
+    it_behaves_like 'a valid_connection'
+  end
+
+  context 'Negotiate over SSL', skip: ENV['winrm_cert'].nil? do
+    let(:auth_type) { :ssl }
+    let(:no_ssl_peer_verification) { true }
+
+    it_behaves_like 'a valid_connection'
+  end
+
+  context 'SSL fingerprint', skip: ENV['winrm_cert'].nil? do
+    let(:auth_type) { :ssl }
+    let(:ssl_peer_fingerprint) { ENV['winrm_cert'] }
+
+    it_behaves_like 'a valid_connection'
+  end
+end

data/winrm.gemspec

@@ -28,7 +28,7 @@ Gem::Specification.new do |s|
   s.required_ruby_version = '>= 1.9.0'
   s.add_runtime_dependency 'gssapi', '~> 1.2'
   s.add_runtime_dependency 'httpclient', '~> 2.2', '>= 2.2.0.2'
-  s.add_runtime_dependency 'rubyntlm', '~> 0.5.0', '>= 0.5.3'
+  s.add_runtime_dependency 'rubyntlm', '~> 0.6.0'
   s.add_runtime_dependency 'logging', ['>= 1.6.1', '< 3.0']
   s.add_runtime_dependency 'nori', '~> 2.0'
   s.add_runtime_dependency 'gyoku', '~> 1.0'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: winrm
 version: !ruby/object:Gem::Version
-  version: 1.6.1
+  version: 1.7.0
 platform: ruby
 authors:
 - Dan Wanek
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-08 00:00:00.000000000 Z
+date: 2016-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gssapi
@@ -51,20 +51,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.5.0
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.5.3
+        version: 0.6.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.5.0
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.5.3
+        version: 0.6.0
 - !ruby/object:Gem::Dependency
   name: logging
   requirement: !ruby/object:Gem::Requirement
@@ -224,12 +218,14 @@ files:
 - spec/command_executor_spec.rb
 - spec/config-example.yml
 - spec/exception_spec.rb
+- spec/issue_184_spec.rb
 - spec/issue_59_spec.rb
 - spec/matchers.rb
 - spec/output_spec.rb
 - spec/powershell_spec.rb
 - spec/response_handler_spec.rb
 - spec/spec_helper.rb
+- spec/stubs/responses/get_command_output_response.xml.erb
 - spec/stubs/responses/open_shell_v1.xml
 - spec/stubs/responses/open_shell_v2.xml
 - spec/stubs/responses/soap_fault_v1.xml