winrm 2.2.3 → 2.3.0

data/lib/winrm/connection_opts.rb

@@ -1,91 +1,90 @@
-# -*- encoding: utf-8 -*-
-#
-# Copyright 2016 Shawn Neal <sneal@sneal.net>
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require 'securerandom'
-
-module WinRM
-  # WinRM connection options, provides defaults and validation.
-  class ConnectionOpts < Hash
-    DEFAULT_OPERATION_TIMEOUT = 60
-    DEFAULT_RECEIVE_TIMEOUT = DEFAULT_OPERATION_TIMEOUT + 10
-    DEFAULT_MAX_ENV_SIZE = 153600
-    DEFAULT_LOCALE = 'en-US'.freeze
-    DEFAULT_RETRY_DELAY = 10
-    DEFAULT_RETRY_LIMIT = 3
-
-    class << self
-      def create_with_defaults(overrides)
-        config = default.merge(overrides)
-        config = ensure_receive_timeout_is_greater_than_operation_timeout(config)
-        config.validate
-        config
-      end
-
-      private
-
-      def ensure_receive_timeout_is_greater_than_operation_timeout(config)
-        if config[:receive_timeout] < config[:operation_timeout]
-          config[:receive_timeout] = config[:operation_timeout] + 10
-        end
-        config
-      end
-
-      def default
-        config = ConnectionOpts.new
-        config[:session_id] = SecureRandom.uuid.to_s.upcase
-        config[:transport] = :negotiate
-        config[:locale] = DEFAULT_LOCALE
-        config[:max_envelope_size] = DEFAULT_MAX_ENV_SIZE
-        config[:operation_timeout] = DEFAULT_OPERATION_TIMEOUT
-        config[:receive_timeout] = DEFAULT_RECEIVE_TIMEOUT
-        config[:retry_delay] = DEFAULT_RETRY_DELAY
-        config[:retry_limit] = DEFAULT_RETRY_LIMIT
-        config
-      end
-    end
-
-    def validate
-      validate_required_fields
-      validate_data_types
-    end
-
-    private
-
-    def validate_required_fields
-      raise 'endpoint is a required option' unless self[:endpoint]
-      if self[:client_cert]
-        raise 'path to client key is required' unless self[:client_key]
-      else
-        raise 'user is a required option' unless self[:user]
-        raise 'password is a required option' unless self[:password]
-      end
-    end
-
-    def validate_data_types
-      validate_integer(:retry_limit)
-      validate_integer(:retry_delay)
-      validate_integer(:max_envelope_size)
-      validate_integer(:operation_timeout)
-      validate_integer(:receive_timeout, self[:operation_timeout])
-    end
-
-    def validate_integer(key, min = 0)
-      value = self[key]
-      raise "#{key} must be a Integer" unless value && value.is_a?(Integer)
-      raise "#{key} must be greater than #{min}" unless value > min
-    end
-  end
-end
+# Copyright 2016 Shawn Neal <sneal@sneal.net>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'securerandom'
+
+module WinRM
+  # WinRM connection options, provides defaults and validation.
+  class ConnectionOpts < Hash
+    DEFAULT_OPERATION_TIMEOUT = 60
+    DEFAULT_RECEIVE_TIMEOUT = DEFAULT_OPERATION_TIMEOUT + 10
+    DEFAULT_MAX_ENV_SIZE = 153600
+    DEFAULT_LOCALE = 'en-US'.freeze
+    DEFAULT_RETRY_DELAY = 10
+    DEFAULT_RETRY_LIMIT = 3
+
+    class << self
+      def create_with_defaults(overrides)
+        config = default.merge(overrides)
+        config = ensure_receive_timeout_is_greater_than_operation_timeout(config)
+        config.validate
+        config
+      end
+
+      private
+
+      def ensure_receive_timeout_is_greater_than_operation_timeout(config)
+        if config[:receive_timeout] < config[:operation_timeout]
+          config[:receive_timeout] = config[:operation_timeout] + 10
+        end
+        config
+      end
+
+      def default
+        config = ConnectionOpts.new
+        config[:session_id] = SecureRandom.uuid.to_s.upcase
+        config[:transport] = :negotiate
+        config[:locale] = DEFAULT_LOCALE
+        config[:max_envelope_size] = DEFAULT_MAX_ENV_SIZE
+        config[:operation_timeout] = DEFAULT_OPERATION_TIMEOUT
+        config[:receive_timeout] = DEFAULT_RECEIVE_TIMEOUT
+        config[:retry_delay] = DEFAULT_RETRY_DELAY
+        config[:retry_limit] = DEFAULT_RETRY_LIMIT
+        config
+      end
+    end
+
+    def validate
+      validate_required_fields
+      validate_data_types
+    end
+
+    private
+
+    def validate_required_fields
+      raise 'endpoint is a required option' unless self[:endpoint]
+
+      if self[:client_cert]
+        raise 'path to client key is required' unless self[:client_key]
+      else
+        raise 'user is a required option' unless self[:user]
+        raise 'password is a required option' unless self[:password]
+      end
+    end
+
+    def validate_data_types
+      validate_integer(:retry_limit)
+      validate_integer(:retry_delay)
+      validate_integer(:max_envelope_size)
+      validate_integer(:operation_timeout)
+      validate_integer(:receive_timeout, self[:operation_timeout])
+    end
+
+    def validate_integer(key, min = 0)
+      value = self[key]
+      raise "#{key} must be a Integer" unless value && value.is_a?(Integer)
+      raise "#{key} must be greater than #{min}" unless value > min
+    end
+  end
+end

data/lib/winrm/exceptions.rb

@@ -1,5 +1,3 @@
-# encoding: UTF-8
-#
 # Copyright 2010 Dan Wanek <dan.wanek@gmail.com>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -52,6 +50,20 @@ module WinRM
     end
   end
 
+  # A Fault returned in the SOAP response. The XML node contains Code, SubCode and Reason
+  class WinRMSoapFault < WinRMError
+    attr_reader :code
+    attr_reader :subcode
+    attr_reader :reason
+
+    def initialize(code, subcode, reason)
+      @code = code
+      @subcode = subcode
+      @reason = reason
+      super("[SOAP ERROR CODE: #{code} (#{subcode})]: #{reason}")
+    end
+  end
+
   # A Fault returned in the SOAP response. The XML node is a MSFT_WmiError
   class WinRMWMIError < WinRMError
     attr_reader :error_code

data/lib/winrm/http/response_handler.rb

@@ -1,96 +1,127 @@
-# encoding: UTF-8
-#
-# Copyright 2014 Shawn Neal <sneal@sneal.net>
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require 'rexml/document'
-require_relative '../wsmv/soap'
-
-module WinRM
-  # Handles the raw WinRM HTTP response. Returns the body as an XML doc
-  # or raises the appropriate WinRM error if the response is an error.
-  class ResponseHandler
-    # @param [String] The raw unparsed response body, if any
-    # @param [Integer] The HTTP response status code
-    def initialize(response_body, status_code)
-      @response_body = response_body
-      @status_code = status_code
-    end
-
-    # Processes the response from the WinRM service and either returns an XML
-    # doc or raises an appropriate error.
-    #
-    # @returns [REXML::Document] The parsed response body
-    def parse_to_xml
-      raise_if_error
-      response_xml
-    end
-
-    private
-
-    def response_xml
-      @response_xml ||= REXML::Document.new(@response_body)
-    rescue REXML::ParseException => e
-      raise WinRMHTTPTransportError.new(
-        "Unable to parse WinRM response: #{e.message}", @status_code)
-    end
-
-    def raise_if_error
-      return if @status_code == 200
-      raise_if_auth_error
-      raise_if_wsman_fault
-      raise_if_wmi_error
-      raise_transport_error
-    end
-
-    def raise_if_auth_error
-      raise WinRMAuthorizationError if @status_code == 401
-    end
-
-    def raise_if_wsman_fault
-      soap_errors = REXML::XPath.match(
-        response_xml,
-        "//#{WinRM::WSMV::SOAP::NS_SOAP_ENV}:Body/#{WinRM::WSMV::SOAP::NS_SOAP_ENV}:Fault/*")
-      return if soap_errors.empty?
-      fault = REXML::XPath.first(
-        soap_errors,
-        "//#{WinRM::WSMV::SOAP::NS_WSMAN_FAULT}:WSManFault")
-      raise WinRMWSManFault.new(fault.to_s, fault.attributes['Code']) unless fault.nil?
-    end
-
-    def raise_if_wmi_error
-      soap_errors = REXML::XPath.match(
-        response_xml,
-        "//#{WinRM::WSMV::SOAP::NS_SOAP_ENV}:Body/#{WinRM::WSMV::SOAP::NS_SOAP_ENV}:Fault/*")
-      return if soap_errors.empty?
-
-      error = REXML::XPath.first(
-        soap_errors,
-        "//#{WinRM::WSMV::SOAP::NS_WSMAN_MSFT}:MSFT_WmiError")
-      return if error.nil?
-
-      error_code = REXML::XPath.first(
-        error,
-        "//#{WinRM::WSMV::SOAP::NS_WSMAN_MSFT}:error_Code").text
-      raise WinRMWMIError.new(error.to_s, error_code)
-    end
-
-    def raise_transport_error
-      raise WinRMHTTPTransportError.new(
-        "Bad HTTP response returned from server. Body(if present):#{@response_body}",
-        @status_code
-      )
-    end
-  end
-end
+# Copyright 2014 Shawn Neal <sneal@sneal.net>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'rexml/document'
+require_relative '../wsmv/soap'
+
+module WinRM
+  # Handles the raw WinRM HTTP response. Returns the body as an XML doc
+  # or raises the appropriate WinRM error if the response is an error.
+  class ResponseHandler
+    # @param [String] The raw unparsed response body, if any
+    # @param [Integer] The HTTP response status code
+    def initialize(response_body, status_code)
+      @response_body = response_body
+      @status_code = status_code
+    end
+
+    # Processes the response from the WinRM service and either returns an XML
+    # doc or raises an appropriate error.
+    #
+    # @returns [REXML::Document] The parsed response body
+    def parse_to_xml
+      raise_if_error
+      response_xml
+    end
+
+    private
+
+    def response_xml
+      @response_xml ||= REXML::Document.new(@response_body)
+    rescue REXML::ParseException => e
+      raise WinRMHTTPTransportError.new(
+        "Unable to parse WinRM response: #{e.message}", @status_code
+      )
+    end
+
+    def raise_if_error
+      return if @status_code == 200
+
+      raise_if_auth_error
+      raise_if_wsman_fault
+      raise_if_wmi_error
+      raise_if_soap_fault
+      raise_transport_error
+    end
+
+    def raise_if_auth_error
+      raise WinRMAuthorizationError if @status_code == 401
+    end
+
+    def raise_if_wsman_fault
+      soap_errors = REXML::XPath.match(
+        response_xml,
+        "//*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'Fault']/*"
+      )
+      return if soap_errors.empty?
+
+      fault = REXML::XPath.first(
+        soap_errors,
+        "//*[local-name() = 'WSManFault']"
+      )
+      raise WinRMWSManFault.new(fault.to_s, fault.attributes['Code']) unless fault.nil?
+    end
+
+    def raise_if_wmi_error
+      soap_errors = REXML::XPath.match(
+        response_xml,
+        "//*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'Fault']/*"
+      )
+      return if soap_errors.empty?
+
+      error = REXML::XPath.first(
+        soap_errors,
+        "//*[local-name() = 'MSFT_WmiError']"
+      )
+      return if error.nil?
+
+      error_code = REXML::XPath.first(
+        error,
+        "//*[local-name() = 'error_Code']"
+      ).text
+      raise WinRMWMIError.new(error.to_s, error_code)
+    end
+
+    def raise_if_soap_fault
+      soap_errors = REXML::XPath.match(
+        response_xml,
+        "//*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'Fault']/*"
+      )
+      return if soap_errors.empty?
+
+      code = REXML::XPath.first(
+        soap_errors,
+        "//*[local-name() = 'Code']/*[local-name() = 'Value']/text()"
+      )
+      subcode = REXML::XPath.first(
+        soap_errors,
+        "//*[local-name() = 'Subcode']/*[local-name() = 'Value']/text()"
+      )
+      reason = REXML::XPath.first(
+        soap_errors,
+        "//*[local-name() = 'Reason']/*[local-name() = 'Text']/text()"
+      )
+
+      raise WinRMSoapFault.new(code, subcode, reason) unless
+        code.nil? && subcode.nil? && reason.nil?
+    end
+
+    def raise_transport_error
+      raise WinRMHTTPTransportError.new(
+        "Bad HTTP response returned from server. Body(if present):#{@response_body}",
+        @status_code
+      )
+    end
+  end
+end

data/lib/winrm/http/transport.rb

@@ -1,427 +1,462 @@
-# encoding: UTF-8
-#
-# Copyright 2010 Dan Wanek <dan.wanek@gmail.com>
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require 'httpclient'
-require_relative 'response_handler'
-
-module WinRM
-  module HTTP
-    # A generic HTTP transport that utilized HTTPClient to send messages back and forth.
-    # This backend will maintain state for every WinRMWebService instance that is instantiated so it
-    # is possible to use GSSAPI with Keep-Alive.
-    class HttpTransport
-      attr_reader :endpoint
-
-      def initialize(endpoint, options)
-        @endpoint = endpoint.is_a?(String) ? URI.parse(endpoint) : endpoint
-        @httpcli = HTTPClient.new(agent_name: 'Ruby WinRM Client')
-        @logger = Logging.logger[self]
-        @httpcli.receive_timeout = options[:receive_timeout]
-      end
-
-      # Sends the SOAP payload to the WinRM service and returns the service's
-      # SOAP response. If an error occurrs an appropriate error is raised.
-      #
-      # @param [String] The XML SOAP message
-      # @returns [REXML::Document] The parsed response body
-      def send_request(message)
-        ssl_peer_fingerprint_verification!
-        log_soap_message(message)
-        hdr = { 'Content-Type' => 'application/soap+xml;charset=UTF-8',
-                'Content-Length' => message.bytesize }
-        # We need to add this header if using Client Certificate authentication
-        unless @httpcli.ssl_config.client_cert.nil?
-          hdr['Authorization'] = 'http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/mutual'
-        end
-
-        resp = @httpcli.post(@endpoint, message, hdr)
-        log_soap_message(resp.http_body.content)
-        verify_ssl_fingerprint(resp.peer_cert)
-        handler = WinRM::ResponseHandler.new(resp.http_body.content, resp.status)
-        handler.parse_to_xml
-      end
-
-      # We'll need this to force basic authentication if desired
-      def basic_auth_only!
-        auths = @httpcli.www_auth.instance_variable_get('@authenticator')
-        auths.delete_if { |i| i.scheme !~ /basic/i }
-      end
-
-      # Disable SSPI Auth
-      def no_sspi_auth!
-        auths = @httpcli.www_auth.instance_variable_get('@authenticator')
-        auths.delete_if { |i| i.is_a? HTTPClient::SSPINegotiateAuth }
-      end
-
-      # Disable SSL Peer Verification
-      def no_ssl_peer_verification!
-        @httpcli.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
-      end
-
-      # SSL Peer Fingerprint Verification prior to connecting
-      def ssl_peer_fingerprint_verification!
-        return unless @ssl_peer_fingerprint && ! @ssl_peer_fingerprint_verified
-
-        with_untrusted_ssl_connection do |connection|
-          connection_cert = connection.peer_cert_chain.last
-          verify_ssl_fingerprint(connection_cert)
-        end
-        @logger.info("initial ssl fingerprint #{@ssl_peer_fingerprint} verified\n")
-        @ssl_peer_fingerprint_verified = true
-        no_ssl_peer_verification!
-      end
-
-      # Connect without verification to retrieve untrusted ssl context
-      def with_untrusted_ssl_connection
-        noverify_peer_context = OpenSSL::SSL::SSLContext.new
-        noverify_peer_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
-        tcp_connection = TCPSocket.new(@endpoint.host, @endpoint.port)
-        begin
-          ssl_connection = OpenSSL::SSL::SSLSocket.new(tcp_connection, noverify_peer_context)
-          ssl_connection.connect
-          yield ssl_connection
-        ensure
-          tcp_connection.close
-        end
-      end
-
-      # compare @ssl_peer_fingerprint to current ssl context
-      def verify_ssl_fingerprint(cert)
-        return unless @ssl_peer_fingerprint
-        conn_fingerprint = OpenSSL::Digest::SHA1.new(cert.to_der).to_s
-        return unless @ssl_peer_fingerprint.casecmp(conn_fingerprint) != 0
-        raise "ssl fingerprint mismatch!!!!\n"
-      end
-
-      protected
-
-      def body(message, length, type = 'application/HTTP-SPNEGO-session-encrypted')
-        [
-          '--Encrypted Boundary',
-          "Content-Type: #{type}",
-          "OriginalContent: type=application/soap+xml;charset=UTF-8;Length=#{length}",
-          '--Encrypted Boundary',
-          'Content-Type: application/octet-stream',
-          "#{message}--Encrypted Boundary--"
-        ].join("\r\n").concat("\r\n")
-      end
-
-      def log_soap_message(message)
-        return unless @logger.debug?
-
-        xml_msg = REXML::Document.new(message)
-        formatter = REXML::Formatters::Pretty.new(2)
-        formatter.compact = true
-        formatter.write(xml_msg, @logger)
-        @logger.debug("\n")
-      rescue StandardError => e
-        @logger.debug("Couldn't log SOAP request/response: #{e.message} - #{message}")
-      end
-    end
-
-    # Plain text, insecure, HTTP transport
-    class HttpPlaintext < HttpTransport
-      def initialize(endpoint, user, pass, opts)
-        super(endpoint, opts)
-        @httpcli.set_auth(nil, user, pass)
-        no_sspi_auth! if opts[:disable_sspi]
-        basic_auth_only! if opts[:basic_auth_only]
-        no_ssl_peer_verification! if opts[:no_ssl_peer_verification]
-      end
-    end
-
-    # NTLM/Negotiate, secure, HTTP transport
-    class HttpNegotiate < HttpTransport
-      def initialize(endpoint, user, pass, opts)
-        super(endpoint, opts)
-        require 'rubyntlm'
-        no_sspi_auth!
-
-        user_parts = user.split('\\')
-        if user_parts.length > 1
-          opts[:domain] = user_parts[0]
-          user = user_parts[1]
-        end
-
-        @ntlmcli = Net::NTLM::Client.new(user, pass, opts)
-        @retryable = true
-        no_ssl_peer_verification! if opts[:no_ssl_peer_verification]
-        @ssl_peer_fingerprint = opts[:ssl_peer_fingerprint]
-        @httpcli.ssl_config.set_trust_ca(opts[:ca_trust_path]) if opts[:ca_trust_path]
-      end
-
-      def send_request(message, auth_header = nil)
-        ssl_peer_fingerprint_verification!
-        auth_header = init_auth if @ntlmcli.session.nil?
-        log_soap_message(message)
-
-        hdr = {
-          'Content-Type' => 'multipart/encrypted;'\
-            'protocol="application/HTTP-SPNEGO-session-encrypted";boundary="Encrypted Boundary"'
-        }
-        hdr.merge!(auth_header) if auth_header
-
-        resp = @httpcli.post(@endpoint, body(seal(message), message.bytesize), hdr)
-        verify_ssl_fingerprint(resp.peer_cert)
-        if resp.status == 401 && @retryable
-          @retryable = false
-          send_request(message, init_auth)
-        else
-          @retryable = true
-          decrypted_body = winrm_decrypt(resp.body)
-          log_soap_message(decrypted_body)
-          WinRM::ResponseHandler.new(decrypted_body, resp.status).parse_to_xml
-        end
-      end
-
-      private
-
-      def seal(message)
-        emessage = @ntlmcli.session.seal_message message
-        signature = @ntlmcli.session.sign_message message
-        "\x10\x00\x00\x00#{signature}#{emessage}"
-      end
-
-      def winrm_decrypt(str)
-        return '' if str.empty?
-        str.force_encoding('BINARY')
-        str.sub!(%r{^.*Content-Type: application\/octet-stream\r\n(.*)--Encrypted.*$}m, '\1')
-
-        signature = str[4..19]
-        message = @ntlmcli.session.unseal_message str[20..-1]
-        if @ntlmcli.session.verify_signature(signature, message)
-          message
-        else
-          raise WinRMHTTPTransportError, 'Could not decrypt NTLM message.'
-        end
-      end
-
-      def init_auth
-        @logger.debug "Initializing Negotiate for #{@endpoint}"
-        auth1 = @ntlmcli.init_context
-        hdr = {
-          'Authorization' => "Negotiate #{auth1.encode64}",
-          'Content-Type' => 'application/soap+xml;charset=UTF-8'
-        }
-        @logger.debug 'Sending HTTP POST for Negotiate Authentication'
-        r = @httpcli.post(@endpoint, '', hdr)
-        verify_ssl_fingerprint(r.peer_cert)
-        auth_header = r.header['WWW-Authenticate'].pop
-        unless auth_header
-          msg = "Unable to parse authorization header. Headers: #{r.headers}\r\nBody: #{r.body}"
-          raise WinRMHTTPTransportError.new(msg, r.status_code)
-        end
-        itok = auth_header.split.last
-        binding = r.peer_cert.nil? ? nil : Net::NTLM::ChannelBinding.create(r.peer_cert)
-        auth3 = @ntlmcli.init_context(itok, binding)
-        { 'Authorization' => "Negotiate #{auth3.encode64}" }
-      end
-    end
-
-    # Uses SSL to secure the transport
-    class BasicAuthSSL < HttpTransport
-      def initialize(endpoint, user, pass, opts)
-        super(endpoint, opts)
-        @httpcli.set_auth(endpoint, user, pass)
-        basic_auth_only!
-        no_ssl_peer_verification! if opts[:no_ssl_peer_verification]
-        @ssl_peer_fingerprint = opts[:ssl_peer_fingerprint]
-        @httpcli.ssl_config.set_trust_ca(opts[:ca_trust_path]) if opts[:ca_trust_path]
-      end
-    end
-
-    # Uses Client Certificate to authenticate and SSL to secure the transport
-    class ClientCertAuthSSL < HttpTransport
-      def initialize(endpoint, client_cert, client_key, key_pass, opts)
-        super(endpoint, opts)
-        @httpcli.ssl_config.set_client_cert_file(client_cert, client_key, key_pass)
-        @httpcli.www_auth.instance_variable_set('@authenticator', [])
-        no_ssl_peer_verification! if opts[:no_ssl_peer_verification]
-        @ssl_peer_fingerprint = opts[:ssl_peer_fingerprint]
-        @httpcli.ssl_config.set_trust_ca(opts[:ca_trust_path]) if opts[:ca_trust_path]
-      end
-    end
-
-    # Uses Kerberos/GSSAPI to authenticate and encrypt messages
-    class HttpGSSAPI < HttpTransport
-      # @param [String,URI] endpoint the WinRM webservice endpoint
-      # @param [String] realm the Kerberos realm we are authenticating to
-      # @param [String<optional>] service the service name, default is HTTP
-      def initialize(endpoint, realm, opts, service = nil)
-        require 'gssapi'
-        require 'gssapi/extensions'
-
-        super(endpoint, opts)
-        # Remove the GSSAPI auth from HTTPClient because we are doing our own thing
-        no_sspi_auth!
-        service ||= 'HTTP'
-        @service = "#{service}/#{@endpoint.host}@#{realm}"
-        no_ssl_peer_verification! if opts[:no_ssl_peer_verification]
-        init_krb
-      end
-
-      # Sends the SOAP payload to the WinRM service and returns the service's
-      # SOAP response. If an error occurrs an appropriate error is raised.
-      #
-      # @param [String] The XML SOAP message
-      # @returns [REXML::Document] The parsed response body
-      def send_request(message)
-        resp = send_kerberos_request(message)
-
-        if resp.status == 401
-          @logger.debug 'Got 401 - reinitializing Kerberos and retrying one more time'
-          init_krb
-          resp = send_kerberos_request(message)
-        end
-
-        handler = WinRM::ResponseHandler.new(winrm_decrypt(resp.http_body.content), resp.status)
-        handler.parse_to_xml
-      end
-
-      private
-
-      # Sends the SOAP payload to the WinRM service and returns the service's
-      # HTTP response.
-      #
-      # @param [String] The XML SOAP message
-      # @returns [Object] The HTTP response object
-      def send_kerberos_request(message)
-        log_soap_message(message)
-        original_length = message.bytesize
-        pad_len, emsg = winrm_encrypt(message)
-        req_length = original_length + pad_len
-        hdr = {
-          'Connection' => 'Keep-Alive',
-          'Content-Type' => 'multipart/encrypted;' \
-            'protocol="application/HTTP-Kerberos-session-encrypted";boundary="Encrypted Boundary"'
-        }
-
-        resp = @httpcli.post(
-          @endpoint,
-          body(emsg, req_length, 'application/HTTP-Kerberos-session-encrypted'),
-          hdr
-        )
-        log_soap_message(resp.http_body.content)
-        resp
-      end
-
-      def init_krb
-        @logger.debug "Initializing Kerberos for #{@service}"
-        @gsscli = GSSAPI::Simple.new(@endpoint.host, @service)
-        token = @gsscli.init_context
-        auth = Base64.strict_encode64 token
-
-        hdr = {
-          'Authorization' => "Kerberos #{auth}",
-          'Connection' => 'Keep-Alive',
-          'Content-Type' => 'application/soap+xml;charset=UTF-8'
-        }
-        @logger.debug 'Sending HTTP POST for Kerberos Authentication'
-        r = @httpcli.post(@endpoint, '', hdr)
-        itok = r.header['WWW-Authenticate'].pop
-        itok = itok.split.last
-        itok = Base64.strict_decode64(itok)
-        @gsscli.init_context(itok)
-      end
-
-      # rubocop:disable Metrics/MethodLength
-      # rubocop:disable Metrics/AbcSize
-
-      # @return [String] the encrypted request string
-      def winrm_encrypt(str)
-        @logger.debug "Encrypting SOAP message:\n#{str}"
-        iov_cnt = 3
-        iov = FFI::MemoryPointer.new(GSSAPI::LibGSSAPI::GssIOVBufferDesc.size * iov_cnt)
-
-        iov0 = GSSAPI::LibGSSAPI::GssIOVBufferDesc.new(FFI::Pointer.new(iov.address))
-        iov0[:type] = (GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_TYPE_HEADER | \
-          GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_FLAG_ALLOCATE)
-
-        iov1 = GSSAPI::LibGSSAPI::GssIOVBufferDesc.new(
-          FFI::Pointer.new(iov.address + (GSSAPI::LibGSSAPI::GssIOVBufferDesc.size * 1)))
-        iov1[:type] = GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_TYPE_DATA
-        iov1[:buffer].value = str
-
-        iov2 = GSSAPI::LibGSSAPI::GssIOVBufferDesc.new(
-          FFI::Pointer.new(iov.address + (GSSAPI::LibGSSAPI::GssIOVBufferDesc.size * 2)))
-        iov2[:type] = (GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_TYPE_PADDING | \
-          GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_FLAG_ALLOCATE)
-
-        conf_state = FFI::MemoryPointer.new :uint32
-        min_stat = FFI::MemoryPointer.new :uint32
-
-        GSSAPI::LibGSSAPI.gss_wrap_iov(
-          min_stat,
-          @gsscli.context,
-          1,
-          GSSAPI::LibGSSAPI::GSS_C_QOP_DEFAULT,
-          conf_state,
-          iov,
-          iov_cnt)
-
-        token = [iov0[:buffer].length].pack('L')
-        token += iov0[:buffer].value
-        token += iov1[:buffer].value
-        pad_len = iov2[:buffer].length
-        token += iov2[:buffer].value if pad_len > 0
-        [pad_len, token]
-      end
-
-      # @return [String] the unencrypted response string
-      def winrm_decrypt(str)
-        @logger.debug "Decrypting SOAP message:\n#{str}"
-        iov_cnt = 3
-        iov = FFI::MemoryPointer.new(GSSAPI::LibGSSAPI::GssIOVBufferDesc.size * iov_cnt)
-
-        iov0 = GSSAPI::LibGSSAPI::GssIOVBufferDesc.new(FFI::Pointer.new(iov.address))
-        iov0[:type] = (GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_TYPE_HEADER | \
-          GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_FLAG_ALLOCATE)
-
-        iov1 = GSSAPI::LibGSSAPI::GssIOVBufferDesc.new(
-          FFI::Pointer.new(iov.address + (GSSAPI::LibGSSAPI::GssIOVBufferDesc.size * 1)))
-        iov1[:type] = GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_TYPE_DATA
-
-        iov2 = GSSAPI::LibGSSAPI::GssIOVBufferDesc.new(
-          FFI::Pointer.new(iov.address + (GSSAPI::LibGSSAPI::GssIOVBufferDesc.size * 2)))
-        iov2[:type] = GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_TYPE_DATA
-
-        str.force_encoding('BINARY')
-        str.sub!(%r{^.*Content-Type: application\/octet-stream\r\n(.*)--Encrypted.*$}m, '\1')
-
-        len = str.unpack('L').first
-        iov_data = str.unpack("LA#{len}A*")
-        iov0[:buffer].value = iov_data[1]
-        iov1[:buffer].value = iov_data[2]
-
-        min_stat = FFI::MemoryPointer.new :uint32
-        conf_state = FFI::MemoryPointer.new :uint32
-        conf_state.write_int(1)
-        qop_state = FFI::MemoryPointer.new :uint32
-        qop_state.write_int(0)
-
-        maj_stat = GSSAPI::LibGSSAPI.gss_unwrap_iov(
-          min_stat, @gsscli.context, conf_state, qop_state, iov, iov_cnt)
-
-        @logger.debug "SOAP message decrypted (MAJ: #{maj_stat}, " \
-          "MIN: #{min_stat.read_int}):\n#{iov1[:buffer].value}"
-
-        iov1[:buffer].value
-      end
-      # rubocop:enable Metrics/MethodLength
-      # rubocop:enable Metrics/AbcSize
-    end
-  end
-end # WinRM
+# Copyright 2010 Dan Wanek <dan.wanek@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'httpclient'
+require_relative 'response_handler'
+
+module WinRM
+  module HTTP
+    # A generic HTTP transport that utilized HTTPClient to send messages back and forth.
+    # This backend will maintain state for every WinRMWebService instance that is instantiated so it
+    # is possible to use GSSAPI with Keep-Alive.
+    class HttpTransport
+      attr_reader :endpoint
+
+      def initialize(endpoint, options)
+        @endpoint = endpoint.is_a?(String) ? URI.parse(endpoint) : endpoint
+        @httpcli = HTTPClient.new(agent_name: 'Ruby WinRM Client')
+        @logger = Logging.logger[self]
+        @httpcli.receive_timeout = options[:receive_timeout]
+      end
+
+      # Sends the SOAP payload to the WinRM service and returns the service's
+      # SOAP response. If an error occurrs an appropriate error is raised.
+      #
+      # @param [String] The XML SOAP message
+      # @returns [REXML::Document] The parsed response body
+      def send_request(message)
+        ssl_peer_fingerprint_verification!
+        log_soap_message(message)
+        hdr = { 'Content-Type' => 'application/soap+xml;charset=UTF-8',
+                'Content-Length' => message.bytesize }
+        # We need to add this header if using Client Certificate authentication
+        unless @httpcli.ssl_config.client_cert.nil?
+          hdr['Authorization'] = 'http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/mutual'
+        end
+
+        resp = @httpcli.post(@endpoint, message, hdr)
+        log_soap_message(resp.http_body.content)
+        verify_ssl_fingerprint(resp.peer_cert)
+        handler = WinRM::ResponseHandler.new(resp.http_body.content, resp.status)
+        handler.parse_to_xml
+      end
+
+      # We'll need this to force basic authentication if desired
+      def basic_auth_only!
+        auths = @httpcli.www_auth.instance_variable_get('@authenticator')
+        auths.delete_if { |i| i.scheme !~ /basic/i }
+      end
+
+      # Disable SSPI Auth
+      def no_sspi_auth!
+        auths = @httpcli.www_auth.instance_variable_get('@authenticator')
+        auths.delete_if { |i| i.is_a? HTTPClient::SSPINegotiateAuth }
+      end
+
+      # Disable SSL Peer Verification
+      def no_ssl_peer_verification!
+        @httpcli.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      end
+
+      # SSL Peer Fingerprint Verification prior to connecting
+      def ssl_peer_fingerprint_verification!
+        return unless @ssl_peer_fingerprint && !@ssl_peer_fingerprint_verified
+
+        with_untrusted_ssl_connection do |connection|
+          connection_cert = connection.peer_cert_chain.last
+          verify_ssl_fingerprint(connection_cert)
+        end
+        @logger.info("initial ssl fingerprint #{@ssl_peer_fingerprint} verified\n")
+        @ssl_peer_fingerprint_verified = true
+        no_ssl_peer_verification!
+      end
+
+      # Connect without verification to retrieve untrusted ssl context
+      def with_untrusted_ssl_connection
+        noverify_peer_context = OpenSSL::SSL::SSLContext.new
+        noverify_peer_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        tcp_connection = TCPSocket.new(@endpoint.host, @endpoint.port)
+        begin
+          ssl_connection = OpenSSL::SSL::SSLSocket.new(tcp_connection, noverify_peer_context)
+          ssl_connection.connect
+          yield ssl_connection
+        ensure
+          tcp_connection.close
+        end
+      end
+
+      # compare @ssl_peer_fingerprint to current ssl context
+      def verify_ssl_fingerprint(cert)
+        return unless @ssl_peer_fingerprint
+
+        conn_fingerprint = OpenSSL::Digest::SHA1.new(cert.to_der).to_s
+        return unless @ssl_peer_fingerprint.casecmp(conn_fingerprint) != 0
+
+        raise "ssl fingerprint mismatch!!!!\n"
+      end
+
+      protected
+
+      def body(message, length, type = 'application/HTTP-SPNEGO-session-encrypted')
+        [
+          '--Encrypted Boundary',
+          "Content-Type: #{type}",
+          "OriginalContent: type=application/soap+xml;charset=UTF-8;Length=#{length}",
+          '--Encrypted Boundary',
+          'Content-Type: application/octet-stream',
+          "#{message}--Encrypted Boundary--"
+        ].join("\r\n").concat("\r\n")
+      end
+
+      def log_soap_message(message)
+        return unless @logger.debug?
+
+        xml_msg = REXML::Document.new(message)
+        formatter = REXML::Formatters::Pretty.new(2)
+        formatter.compact = true
+        formatter.write(xml_msg, @logger)
+        @logger.debug("\n")
+      rescue StandardError => e
+        @logger.debug("Couldn't log SOAP request/response: #{e.message} - #{message}")
+      end
+    end
+
+    # Plain text, insecure, HTTP transport
+    class HttpPlaintext < HttpTransport
+      def initialize(endpoint, user, pass, opts)
+        super(endpoint, opts)
+        @httpcli.set_auth(nil, user, pass)
+        no_sspi_auth! if opts[:disable_sspi]
+        basic_auth_only! if opts[:basic_auth_only]
+        no_ssl_peer_verification! if opts[:no_ssl_peer_verification]
+      end
+    end
+
+    # NTLM/Negotiate, secure, HTTP transport
+    class HttpNegotiate < HttpTransport
+      def initialize(endpoint, user, pass, opts)
+        super(endpoint, opts)
+        require 'rubyntlm'
+        no_sspi_auth!
+
+        user_parts = user.split('\\')
+        if user_parts.length > 1
+          opts[:domain] = user_parts[0]
+          user = user_parts[1]
+        end
+
+        @ntlmcli = Net::NTLM::Client.new(user, pass, opts)
+        @retryable = true
+        no_ssl_peer_verification! if opts[:no_ssl_peer_verification]
+        @ssl_peer_fingerprint = opts[:ssl_peer_fingerprint]
+        @httpcli.ssl_config.set_trust_ca(opts[:ca_trust_path]) if opts[:ca_trust_path]
+      end
+
+      def send_request(message)
+        ssl_peer_fingerprint_verification!
+        init_auth if @ntlmcli.session.nil?
+        log_soap_message(message)
+
+        hdr = {
+          'Content-Type' => 'multipart/encrypted;'\
+            'protocol="application/HTTP-SPNEGO-session-encrypted";boundary="Encrypted Boundary"'
+        }
+
+        resp = @httpcli.post(@endpoint, body(seal(message), message.bytesize), hdr)
+        verify_ssl_fingerprint(resp.peer_cert)
+        if resp.status == 401 && @retryable
+          @retryable = false
+          init_auth
+          send_request(message)
+        else
+          @retryable = true
+          decrypted_body = winrm_decrypt(resp)
+          log_soap_message(decrypted_body)
+          WinRM::ResponseHandler.new(decrypted_body, resp.status).parse_to_xml
+        end
+      end
+
+      private
+
+      def seal(message)
+        emessage = @ntlmcli.session.seal_message message
+        signature = @ntlmcli.session.sign_message message
+        "\x10\x00\x00\x00#{signature}#{emessage}"
+      end
+
+      def winrm_decrypt(resp)
+        # OMI server doesn't always respond to encrypted messages with encrypted responses over SSL
+        return resp.body if resp.header['Content-Type'].first =~ %r{\Aapplication\/soap\+xml}i
+        return '' if resp.body.empty?
+
+        str = resp.body.force_encoding('BINARY')
+        str.sub!(%r{^.*Content-Type: application\/octet-stream\r\n(.*)--Encrypted.*$}m, '\1')
+
+        signature = str[4..19]
+        message = @ntlmcli.session.unseal_message str[20..-1]
+        return message if @ntlmcli.session.verify_signature(signature, message)
+
+        raise WinRMHTTPTransportError, 'Could not decrypt NTLM message.'
+      end
+
+      def issue_challenge_response(negotiate)
+        auth_header = {
+          'Authorization' => "Negotiate #{negotiate.encode64}",
+          'Content-Type' => 'application/soap+xml;charset=UTF-8'
+        }
+
+        # OMI Server on Linux requires an empty payload with the new auth header to proceed
+        # because the config check for max payload size will otherwise break the auth handshake
+        # given the OMI server does not support that check
+        @httpcli.post(@endpoint, '', auth_header)
+
+        # return an empty hash of headers for subsequent requests to use
+        {}
+      end
+
+      def init_auth
+        @logger.debug "Initializing Negotiate for #{@endpoint}"
+        auth1 = @ntlmcli.init_context
+        hdr = {
+          'Authorization' => "Negotiate #{auth1.encode64}",
+          'Content-Type' => 'application/soap+xml;charset=UTF-8'
+        }
+        @logger.debug 'Sending HTTP POST for Negotiate Authentication'
+        r = @httpcli.post(@endpoint, '', hdr)
+        verify_ssl_fingerprint(r.peer_cert)
+        auth_header = r.header['WWW-Authenticate'].pop
+        unless auth_header
+          msg = "Unable to parse authorization header. Headers: #{r.headers}\r\nBody: #{r.body}"
+          raise WinRMHTTPTransportError.new(msg, r.status_code)
+        end
+        itok = auth_header.split.last
+        auth3 = @ntlmcli.init_context(itok, channel_binding(r))
+        issue_challenge_response(auth3)
+      end
+
+      def channel_binding(response)
+        if response.peer_cert.nil?
+          nil
+        else
+          cert = if RUBY_PLATFORM == 'java'
+                   OpenSSL::X509::Certificate.new(response.peer_cert.cert.getEncoded)
+                 else
+                   response.peer_cert
+                 end
+          Net::NTLM::ChannelBinding.create(OpenSSL::X509::Certificate.new(cert))
+        end
+      end
+    end
+
+    # Uses SSL to secure the transport
+    class BasicAuthSSL < HttpTransport
+      def initialize(endpoint, user, pass, opts)
+        super(endpoint, opts)
+        @httpcli.set_auth(endpoint, user, pass)
+        basic_auth_only!
+        no_ssl_peer_verification! if opts[:no_ssl_peer_verification]
+        @ssl_peer_fingerprint = opts[:ssl_peer_fingerprint]
+        @httpcli.ssl_config.set_trust_ca(opts[:ca_trust_path]) if opts[:ca_trust_path]
+      end
+    end
+
+    # Uses Client Certificate to authenticate and SSL to secure the transport
+    class ClientCertAuthSSL < HttpTransport
+      def initialize(endpoint, client_cert, client_key, key_pass, opts)
+        super(endpoint, opts)
+        @httpcli.ssl_config.set_client_cert_file(client_cert, client_key, key_pass)
+        @httpcli.www_auth.instance_variable_set('@authenticator', [])
+        no_ssl_peer_verification! if opts[:no_ssl_peer_verification]
+        @ssl_peer_fingerprint = opts[:ssl_peer_fingerprint]
+        @httpcli.ssl_config.set_trust_ca(opts[:ca_trust_path]) if opts[:ca_trust_path]
+      end
+    end
+
+    # Uses Kerberos/GSSAPI to authenticate and encrypt messages
+    class HttpGSSAPI < HttpTransport
+      # @param [String,URI] endpoint the WinRM webservice endpoint
+      # @param [String] realm the Kerberos realm we are authenticating to
+      # @param [String<optional>] service the service name, default is HTTP
+      def initialize(endpoint, realm, opts, service = nil)
+        require 'gssapi'
+        require 'gssapi/extensions'
+
+        super(endpoint, opts)
+        # Remove the GSSAPI auth from HTTPClient because we are doing our own thing
+        no_sspi_auth!
+        service ||= 'HTTP'
+        @service = "#{service}/#{@endpoint.host}@#{realm}"
+        no_ssl_peer_verification! if opts[:no_ssl_peer_verification]
+        init_krb
+      end
+
+      # Sends the SOAP payload to the WinRM service and returns the service's
+      # SOAP response. If an error occurrs an appropriate error is raised.
+      #
+      # @param [String] The XML SOAP message
+      # @returns [REXML::Document] The parsed response body
+      def send_request(message)
+        resp = send_kerberos_request(message)
+
+        if resp.status == 401
+          @logger.debug 'Got 401 - reinitializing Kerberos and retrying one more time'
+          init_krb
+          resp = send_kerberos_request(message)
+        end
+
+        handler = WinRM::ResponseHandler.new(winrm_decrypt(resp.http_body.content), resp.status)
+        handler.parse_to_xml
+      end
+
+      private
+
+      # Sends the SOAP payload to the WinRM service and returns the service's
+      # HTTP response.
+      #
+      # @param [String] The XML SOAP message
+      # @returns [Object] The HTTP response object
+      def send_kerberos_request(message)
+        log_soap_message(message)
+        original_length = message.bytesize
+        pad_len, emsg = winrm_encrypt(message)
+        req_length = original_length + pad_len
+        hdr = {
+          'Connection' => 'Keep-Alive',
+          'Content-Type' => 'multipart/encrypted;' \
+            'protocol="application/HTTP-Kerberos-session-encrypted";boundary="Encrypted Boundary"'
+        }
+
+        resp = @httpcli.post(
+          @endpoint,
+          body(emsg, req_length, 'application/HTTP-Kerberos-session-encrypted'),
+          hdr
+        )
+        log_soap_message(resp.http_body.content)
+        resp
+      end
+
+      def init_krb
+        @logger.debug "Initializing Kerberos for #{@service}"
+        @gsscli = GSSAPI::Simple.new(@endpoint.host, @service)
+        token = @gsscli.init_context
+        auth = Base64.strict_encode64 token
+
+        hdr = {
+          'Authorization' => "Kerberos #{auth}",
+          'Connection' => 'Keep-Alive',
+          'Content-Type' => 'application/soap+xml;charset=UTF-8'
+        }
+        @logger.debug 'Sending HTTP POST for Kerberos Authentication'
+        r = @httpcli.post(@endpoint, '', hdr)
+        itok = r.header['WWW-Authenticate'].pop
+        itok = itok.split.last
+        itok = Base64.strict_decode64(itok)
+        @gsscli.init_context(itok)
+      end
+
+      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/AbcSize
+
+      # @return [String] the encrypted request string
+      def winrm_encrypt(str)
+        @logger.debug "Encrypting SOAP message:\n#{str}"
+        iov_cnt = 3
+        iov = FFI::MemoryPointer.new(GSSAPI::LibGSSAPI::GssIOVBufferDesc.size * iov_cnt)
+
+        iov0 = GSSAPI::LibGSSAPI::GssIOVBufferDesc.new(FFI::Pointer.new(iov.address))
+        iov0[:type] = (GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_TYPE_HEADER | \
+          GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_FLAG_ALLOCATE)
+
+        iov1 = GSSAPI::LibGSSAPI::GssIOVBufferDesc.new(
+          FFI::Pointer.new(iov.address + (GSSAPI::LibGSSAPI::GssIOVBufferDesc.size * 1))
+        )
+        iov1[:type] = GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_TYPE_DATA
+        iov1[:buffer].value = str
+
+        iov2 = GSSAPI::LibGSSAPI::GssIOVBufferDesc.new(
+          FFI::Pointer.new(iov.address + (GSSAPI::LibGSSAPI::GssIOVBufferDesc.size * 2))
+        )
+        iov2[:type] = (GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_TYPE_PADDING | \
+          GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_FLAG_ALLOCATE)
+
+        conf_state = FFI::MemoryPointer.new :uint32
+        min_stat = FFI::MemoryPointer.new :uint32
+
+        GSSAPI::LibGSSAPI.gss_wrap_iov(
+          min_stat,
+          @gsscli.context,
+          1,
+          GSSAPI::LibGSSAPI::GSS_C_QOP_DEFAULT,
+          conf_state,
+          iov,
+          iov_cnt
+        )
+
+        token = [iov0[:buffer].length].pack('L')
+        token += iov0[:buffer].value
+        token += iov1[:buffer].value
+        pad_len = iov2[:buffer].length
+        token += iov2[:buffer].value if pad_len > 0
+        [pad_len, token]
+      end
+
+      # @return [String] the unencrypted response string
+      def winrm_decrypt(str)
+        @logger.debug "Decrypting SOAP message:\n#{str}"
+        iov_cnt = 3
+        iov = FFI::MemoryPointer.new(GSSAPI::LibGSSAPI::GssIOVBufferDesc.size * iov_cnt)
+
+        iov0 = GSSAPI::LibGSSAPI::GssIOVBufferDesc.new(FFI::Pointer.new(iov.address))
+        iov0[:type] = (GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_TYPE_HEADER | \
+          GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_FLAG_ALLOCATE)
+
+        iov1 = GSSAPI::LibGSSAPI::GssIOVBufferDesc.new(
+          FFI::Pointer.new(iov.address + (GSSAPI::LibGSSAPI::GssIOVBufferDesc.size * 1))
+        )
+        iov1[:type] = GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_TYPE_DATA
+
+        iov2 = GSSAPI::LibGSSAPI::GssIOVBufferDesc.new(
+          FFI::Pointer.new(iov.address + (GSSAPI::LibGSSAPI::GssIOVBufferDesc.size * 2))
+        )
+        iov2[:type] = GSSAPI::LibGSSAPI::GSS_IOV_BUFFER_TYPE_DATA
+
+        str.force_encoding('BINARY')
+        str.sub!(%r{^.*Content-Type: application\/octet-stream\r\n(.*)--Encrypted.*$}m, '\1')
+
+        len = str.unpack('L').first
+        iov_data = str.unpack("LA#{len}A*")
+        iov0[:buffer].value = iov_data[1]
+        iov1[:buffer].value = iov_data[2]
+
+        min_stat = FFI::MemoryPointer.new :uint32
+        conf_state = FFI::MemoryPointer.new :uint32
+        conf_state.write_int(1)
+        qop_state = FFI::MemoryPointer.new :uint32
+        qop_state.write_int(0)
+
+        maj_stat = GSSAPI::LibGSSAPI.gss_unwrap_iov(
+          min_stat, @gsscli.context, conf_state, qop_state, iov, iov_cnt
+        )
+
+        @logger.debug "SOAP message decrypted (MAJ: #{maj_stat}, " \
+          "MIN: #{min_stat.read_int}):\n#{iov1[:buffer].value}"
+
+        iov1[:buffer].value
+      end
+      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/AbcSize
+    end
+  end
+end
+# WinRM