From aleds...@apache.org
Subject [1/2] brooklyn-server git commit: Windows helper script Invoke-Command -Auth CredSSP
Date Fri, 08 Jul 2016 18:46:42 GMT
Repository: brooklyn-server
Updated Branches:
  refs/heads/master 10613d16d -> 215682944


Windows helper script Invoke-Command -Auth CredSSP

- change the location in classpath of the windows helpers


Project: http://git-wip-us.apache.org/repos/asf/brooklyn-server/repo
Commit: http://git-wip-us.apache.org/repos/asf/brooklyn-server/commit/c54f8ca9
Tree: http://git-wip-us.apache.org/repos/asf/brooklyn-server/tree/c54f8ca9
Diff: http://git-wip-us.apache.org/repos/asf/brooklyn-server/diff/c54f8ca9

Branch: refs/heads/master
Commit: c54f8ca90bf5b990d45ceac7bb873097c54dc088
Parents: a941963
Author: Valentin Aitken <bostko@gmail.com>
Authored: Wed May 25 23:16:38 2016 +0300
Committer: Valentin Aitken <bostko@gmail.com>
Committed: Mon Jun 27 13:17:51 2016 +0300

----------------------------------------------------------------------
 launcher/src/test/resources/mssql-test.yaml     |   6 +-
 .../software/base/custom-enable-credssp.ps1     |   3 +
 .../software/winrm/utils/enable-credssp.ps1     | 134 +++++++++++++++++++
 .../winrm/utils/invoke-command-credssp.ps1      | 112 ++++++++++++++++
 4 files changed, 254 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/c54f8ca9/launcher/src/test/resources/mssql-test.yaml
----------------------------------------------------------------------
diff --git a/launcher/src/test/resources/mssql-test.yaml b/launcher/src/test/resources/mssql-test.yaml
index 8765c4f..75f7f89 100644
--- a/launcher/src/test/resources/mssql-test.yaml
+++ b/launcher/src/test/resources/mssql-test.yaml
@@ -35,6 +35,8 @@ services:
 - type: org.apache.brooklyn.entity.software.base.VanillaWindowsProcess
   brooklyn.config:
     templates.install:
+      classpath://org/apache/brooklyn/software/winrm/utils/enable-credssp.ps1: "C:\\enable-credssp.ps1"
+      classpath://org/apache/brooklyn/software/winrm/utils/invoke-command-credssp.ps1: "C:\\invoke-command-credssp.ps1"
       classpath://org/apache/brooklyn/entity/database/mssql/ConfigurationFile.ini: "C:\\ConfigurationFile.ini"
       classpath://org/apache/brooklyn/entity/database/mssql/installmssql.ps1: "C:\\installmssql.ps1"
       classpath://org/apache/brooklyn/entity/database/mssql/configuremssql.ps1: "C:\\configuremssql.ps1"
@@ -44,7 +46,9 @@ services:
     customize.command: powershell -command "C:\\configuremssql.ps1"
     launch.command: "C:\\launchmssql.bat"
     stop.command: "C:\\stopmssql.bat"
-    checkRunning.command: echo true
+    checkRunning.powershell.command: |
+      $service = Get-Service -Name MSSQLSERVER
+      If ( (-not $service) -or ($service.Status -ne 'Running') ) { exit 1 }
 
     ## NOTE: Values must be supplied for the following
     mssql.download.url: ${mssql.download.url}
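Review bot: `Get-Service -Name MSSQLSERVER` in the new checkRunning.powershell.command writes a non-terminating error to the error stream when no such service exists, so the `-not $service` branch is reached only with that error noise mixed into the probe's output. `$service = Get-Service -Name MSSQLSERVER -ErrorAction SilentlyContinue` keeps the check quiet and leaves `exit 1` as the sole signal of a missing or stopped service. The surrounding `brooklyn.config` block continues outside the hunk.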

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/c54f8ca9/software/base/src/main/resources/org/apache/brooklyn/software/base/custom-enable-credssp.ps1
----------------------------------------------------------------------
diff --git a/software/base/src/main/resources/org/apache/brooklyn/software/base/custom-enable-credssp.ps1
b/software/base/src/main/resources/org/apache/brooklyn/software/base/custom-enable-credssp.ps1
index b1fb570..3bb8369 100644
--- a/software/base/src/main/resources/org/apache/brooklyn/software/base/custom-enable-credssp.ps1
+++ b/software/base/src/main/resources/org/apache/brooklyn/software/base/custom-enable-credssp.ps1
@@ -23,6 +23,9 @@
 
 function Custom-Enable-CredSSP {
 <#
+.DEPRECATED
+Please use classpath://org/apache/brooklyn/software/winrm/utils/enable-credssp.ps1
+
 .SYNOPSIS
 Enables and configures CredSSP Authentication to be used in PowerShell remoting sessions
 

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/c54f8ca9/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/enable-credssp.ps1
----------------------------------------------------------------------
diff --git a/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/enable-credssp.ps1
b/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/enable-credssp.ps1
new file mode 100644
index 0000000..5eeb97a
--- /dev/null
+++ b/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/enable-credssp.ps1
@@ -0,0 +1,134 @@
+#!ps1
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# Resources:
+#  https://github.com/mwrock/boxstarter/blob/master/LICENSE.txt
+#  https://github.com/mwrock/boxstarter/blob/master/Boxstarter.Chocolatey/Enable-BoxstarterCredSSP.ps1
+
+function Enable-CredSSP {
+<#
+.SYNOPSIS
+Enables and configures CredSSP Authentication to be used in PowerShell remoting sessions
+
+.DESCRIPTION
+Enabling CredSSP allows a caller from one remote session to authenticate on other remote
+resources. This is known as credential delegation. By default, PowerShell sessions do not
+use credSSP and therefore cannot bake a "second hop" to use other remote resources that
+require their authentication token.
+
+This command will enable CredSSP and add all RemoteHostsToTrust to the CredSSP trusted
+hosts list. It will also edit the users group policy to allow Fresh Credential Delegation.
+
+.PARAMETER RemoteHostsToTrust
+A list of ComputerNames to add to the CredSSP Trusted hosts list.
+
+.OUTPUTS
+A list of the original trusted hosts on the local machine.
+
+.EXAMPLE
+Enable-CredSSP box1,box2
+
+
+#>
+    param(
+    [string[]] $RemoteHostsToTrust
+    )
+
+    Write-Host "Configuring CredSSP settings..."
+    # Required to be running for using CredSSP
+    winrm quickconfig -transport:http -quiet
+
+    & winrm set winrm/config/service/auth '@{CredSSP="true"}'
+    If ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+
+    & winrm set winrm/config/client/auth '@{CredSSP="true"}'
+    If ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+
+    $Result=@{
+        Success=$False;
+        PreviousCSSPTrustedHosts=$null;
+        PreviousFreshCredDelegationHostCount=0
+    }
+
+    $credssp = Get-WSManCredSSP
+
+    $ComputersToAdd = @()
+    $idxHosts=$credssp[0].IndexOf(": ")
+    if($idxHosts -gt -1){
+        $credsspEnabled=$True
+        $Result.PreviousCSSPTrustedHosts=$credssp[0].substring($idxHosts+2)
+        $hostArray=$Result.PreviousCSSPTrustedHosts.Split(",")
+        $RemoteHostsToTrust | ? { $hostArray -notcontains "wsman/$_" } | % { $ComputersToAdd
+= $_ }
+    }
+    else {
+        $ComputersToAdd = $RemoteHostsToTrust
+    }
+
+    if($ComputersToAdd.Count -gt 0){
+        try {
+            Enable-WSManCredSSP -DelegateComputer $ComputersToAdd -Role Client -Force -ErrorAction
Stop | Out-Null
+        }
+        catch {
+            Write-Error "Enable-WSManCredSSP failed with: $_" -Verbose
+            return $result
+        }
+    }
+
+    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows"
+    if (!(Test-Path "$key\CredentialsDelegation")) {
+        New-Item $key -Name CredentialsDelegation | Out-Null
+    }
+    $key = Join-Path $key "CredentialsDelegation"
+    New-ItemProperty -Path "$key" -Name "ConcatenateDefaults_AllowFresh" -Value 1 -PropertyType
Dword -Force | Out-Null
+    New-ItemProperty -Path "$key" -Name "ConcatenateDefaults_AllowFreshNTLMOnly" -Value 1
-PropertyType Dword -Force | Out-Null
+
+    $result.PreviousFreshNTLMCredDelegationHostCount = Set-CredentialDelegation $key 'AllowFreshCredentialsWhenNTLMOnly'
$RemoteHostsToTrust
+    $result.PreviousFreshCredDelegationHostCount = Set-CredentialDelegation $key 'AllowFreshCredentials'
$RemoteHostsToTrust
+
+    $Result.Success=$True
+    return $Result
+}
+
+function Set-CredentialDelegation($key, $subKey, $allowed){
+    New-ItemProperty -Path "$key" -Name $subKey -Value 1 -PropertyType Dword -Force | Out-Null
+    $policyNode = Join-Path $key $subKey
+    if (!(Test-Path $policyNode)) {
+        md $policyNode | Out-Null
+    }
+    $currentHostProps=@()
+    (Get-Item $policyNode).Property | % {
+        $currentHostProps += (Get-ItemProperty -Path $policyNode -Name $_).($_)
+    }
+    $currentLength = $currentHostProps.Length
+    $idx=$currentLength
+    $allowed | ? { $currentHostProps -notcontains "wsman/$_"} | % {
+        ++$idx
+        New-ItemProperty -Path $policyNode -Name "$idx" -Value "wsman/$_" -PropertyType String
-Force | Out-Null
+    }
+
+    return $currentLength
+}
+
+$result = Enable-CredSSP $env:COMPUTERNAME,localhost
+if (-not $result.Success) {
+  Write-Error "Enabling CredSSP didn't succeed."
+  exit 1
+} else {
+  Write-Host "CredSSP enabled."
+}
\ No newline at end of file
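Review bot: `winrm quickconfig -transport:http -quiet` at the top of Enable-CredSSP is the only winrm call whose exit status is not checked, while the two `winrm set` calls right after it each bail on `$LASTEXITCODE`; add the same guard, `If ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }`, so a failed listener or firewall setup does not proceed to enabling CredSSP on a half-configured host. The trusted-hosts detection parses the human-readable output of `Get-WSManCredSSP` via `IndexOf(": ")`, which is a fragile contract worth marking with `# Parses Get-WSManCredSSP's display text; verify behaviour on non-English systems`. `$result.PreviousFreshNTLMCredDelegationHostCount` also adds a key that the initial `$Result` hashtable does not declare, which works for a hashtable but is easy to misread; declaring it next to `PreviousFreshCredDelegationHostCount` would make the returned shape explicit.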

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/c54f8ca9/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/invoke-command-credssp.ps1
----------------------------------------------------------------------
diff --git a/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/invoke-command-credssp.ps1
b/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/invoke-command-credssp.ps1
new file mode 100644
index 0000000..c641857
--- /dev/null
+++ b/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/invoke-command-credssp.ps1
@@ -0,0 +1,112 @@
+[#ftl]
+#!ps1
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+Param([Parameter(Mandatory=$True)][String]$Command, [String[]] $ArgumentList, [switch] $LogOutputInFile,
$ScriptBlockInCredSSP)
+<#
+.SYNOPSIS
+Helper Script which executes commands through Invoke-Command -Authentication CredSSP
+
+.DESCRIPTION
+By default, PowerShell sessions do not
+use credSSP and therefore cannot bake a "second hop" to use other remote resources that
+require their authentication token.
+Microsoft: "CAUTION: Credential Security Support Provider (CredSSP) authentication, in which
the user's credentials are passed to a remote computer to be authenticated, is designed for
commands that require authentication on more than one resource, such as accessing a remote
network share. This mechanism increases the security risk of the remote operation."
+Passing parameters in powershell: https://technet.microsoft.com/en-us/magazine/jj554301.aspx
+
+.NOTES
+The script may not work properly on a machine which has installed Active Directory.
+
+.PARAMETER Command
+The command which you want to invoke through CredSSP
+
+.PARAMETER ArgumentList
+A list of arguments you want to pass to $Command which will be executed.
+
+.PARAMETER LogOutputInFile
+Redirect output to a file in $env:TEMP folder
+
+.OUTPUTS
+The output of the command.
+
+.EXAMPLE
+
+If you are inside command prompt and you want to run a native command or a batch script with
CredSSP:
+
+powershell -command C:\invoke-command-credssp.ps1 -Command C:\setup.exe "/q","/param2"
+
+.EXAMPLE
+
+If you are inside powershell and you want to run a native command or batch script with CredSSP:
+
+C:\Invoke-Command-Credssp.ps1 -Com C:\test.bat -ArgumentList ("/q",/"f")
+
+.EXAMPLE
+
+If you are in command prompt and want to run another powershell script with CredSSP:
+
+powershell -command "C:\Invoke-Command-Credssp -Command powershell -ArgumentList (\"-command\",\"c:\hi_params.ps1\")"
+
+.EXAMPLE
+
+If you are inside powershell and want to execute a powershell block through CredSSP.
+Then you can use the special -ScriptBlock parameter.
+Since -Command is threated as the most common case and it is made mandatory parameter,
+Just pass an empty command and a Script-Block which you want to be executed through CredSSP
+
+C:\Invoke-Command-Credssp -Command "empty" -ScriptBlock {Write-Host "A script block which
is using CredSSP..."; 0}
+
+#>
+
+$exitCode = 1
+Try {
+  $pass = '${attribute['windows.password']}'
+  $secpasswd = ConvertTo-SecureString $pass -AsPlainText -Force
+  $mycreds = New-Object System.Management.Automation.PSCredential ($($env:COMPUTERNAME +
"\${location.user}"), $secpasswd)
+
+  $exitCode = Invoke-Command -Credential $mycreds -ComputerName $env:COMPUTERNAME -ScriptBlock
{
+    param($Command,$ArgumentList,$LogOutputInFile,$ScriptBlockInCredSSP)
+    $startProcArgs = If ($ArgumentList.Length -gt 0) { @{ArgumentList = $ArgumentList} }
Else { @{} }
+    If ($ScriptBlockInCredSSP) {
+      $ScriptBlockInCredSSP = ([scriptblock]::Create($ScriptBlockInCredSSP))
+      $r = & $ScriptBlockInCredSSP
+      if ($r -is [int]) {
+        Write-Host "ScriptBlock reported that its status is ($r)"
+        $r
+      } else {
+        Write-Host "ScriptBlock didn't report its status"
+        0
+      }
+    } ElseIf ($LogOutputInFile) {
+      $stdFilePathNoExt = "$($Env:TEMP)\$(Split-Path $Command -Leaf)_$((Get-Date).Ticks /
1000)"
+      $stdOutFile = "$($stdFilePathNoExt).stdout.log"
+      $stdErrFile = "$($stdFilePathNoExt).stderr.log"
+      $process = Start-Process $Command @startProcArgs -RedirectStandardOutput $stdOutFile
-RedirectStandardError $stdErrFile -Wait -PassThru -NoNewWindow
+      $process.ExitCode
+    } Else {
+      $process = Start-Process $Command @startProcArgs -Wait -PassThru -NoNewWindow
+      $process.ExitCode
+    }
+  } -Authentication CredSSP -ArgumentList $Command,$ArgumentList,$LogOutputInFile.IsPresent,$ScriptBlockInCredSSP
+} Catch {
+  Write-Error $_.Exception
+  Write-Host 'Exception logged'
+  exit 1
+}
+exit $exitCode
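Review bot: `$pass = '${attribute['windows.password']}'` embeds the rendered password in a single-quoted literal, so any password containing `'` terminates the literal early and breaks the script at parse time; escaping on the template side, `$pass = '${attribute['windows.password']?replace("'", "''")}'`, keeps the literal intact for any value. Because the mssql-test.yaml hunk installs this rendered file as `C:\invoke-command-credssp.ps1`, the machine credential is persisted in cleartext on the target for as long as the helper remains, which should at least be stated in the `.NOTES` section and ideally addressed by removing the helper once the install completes or restricting its ACL. The `.EXAMPLE` entries use `-ScriptBlock`, which only resolves as an abbreviation of the undocumented `$ScriptBlockInCredSSP` parameter; a `.PARAMETER ScriptBlockInCredSSP` entry noting that the value is recreated with `[scriptblock]::Create` and executed inside the CredSSP session would make the contract explicit.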

