From: aledsage@apache.org To: commits@brooklyn.apache.org Date: Fri, 08 Jul 2016 18:46:42 -0000 Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: [1/2] brooklyn-server git commit: Windows helper script Invoke-Command -Auth CredSSP archived-at: Fri, 08 Jul 2016 18:46:45 -0000 Repository: brooklyn-server Updated Branches: refs/heads/master 10613d16d -> 215682944 Windows helper script Invoke-Command -Auth CredSSP - change the location in classpath of the windows helpers Project: http://git-wip-us.apache.org/repos/asf/brooklyn-server/repo Commit: http://git-wip-us.apache.org/repos/asf/brooklyn-server/commit/c54f8ca9 Tree: http://git-wip-us.apache.org/repos/asf/brooklyn-server/tree/c54f8ca9 Diff: http://git-wip-us.apache.org/repos/asf/brooklyn-server/diff/c54f8ca9 Branch: refs/heads/master Commit: c54f8ca90bf5b990d45ceac7bb873097c54dc088 Parents: a941963 Author: Valentin Aitken Authored: Wed May 25 23:16:38 2016 +0300 Committer: Valentin Aitken Committed: Mon Jun 27 13:17:51 2016 +0300 ---------------------------------------------------------------------- launcher/src/test/resources/mssql-test.yaml | 6 +- .../software/base/custom-enable-credssp.ps1 | 3 + .../software/winrm/utils/enable-credssp.ps1 | 134 +++++++++++++++++++ .../winrm/utils/invoke-command-credssp.ps1 | 112 ++++++++++++++++ 4 files changed, 254 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/c54f8ca9/launcher/src/test/resources/mssql-test.yaml ---------------------------------------------------------------------- diff --git a/launcher/src/test/resources/mssql-test.yaml b/launcher/src/test/resources/mssql-test.yaml index 8765c4f..75f7f89 100644 --- a/launcher/src/test/resources/mssql-test.yaml +++ b/launcher/src/test/resources/mssql-test.yaml 
@@ -35,6 +35,8 @@ services: - type: org.apache.brooklyn.entity.software.base.VanillaWindowsProcess brooklyn.config: templates.install: + classpath://org/apache/brooklyn/software/winrm/utils/enable-credssp.ps1: "C:\\enable-credssp.ps1" + classpath://org/apache/brooklyn/software/winrm/utils/invoke-command-credssp.ps1: "C:\\invoke-command-credssp.ps1" classpath://org/apache/brooklyn/entity/database/mssql/ConfigurationFile.ini: "C:\\ConfigurationFile.ini" classpath://org/apache/brooklyn/entity/database/mssql/installmssql.ps1: "C:\\installmssql.ps1" classpath://org/apache/brooklyn/entity/database/mssql/configuremssql.ps1: "C:\\configuremssql.ps1" @@ -44,7 +46,9 @@ services: customize.command: powershell -command "C:\\configuremssql.ps1" launch.command: "C:\\launchmssql.bat" stop.command: "C:\\stopmssql.bat" - checkRunning.command: echo true + checkRunning.powershell.command: | + $service = Get-Service -Name MSSQLSERVER + If ( (-not $service) -or ($service.Status -ne 'Running') ) { exit 1 } ## NOTE: Values must be supplied for the following mssql.download.url: ${mssql.download.url} http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/c54f8ca9/software/base/src/main/resources/org/apache/brooklyn/software/base/custom-enable-credssp.ps1 ---------------------------------------------------------------------- diff --git a/software/base/src/main/resources/org/apache/brooklyn/software/base/custom-enable-credssp.ps1 b/software/base/src/main/resources/org/apache/brooklyn/software/base/custom-enable-credssp.ps1 index b1fb570..3bb8369 100644 --- a/software/base/src/main/resources/org/apache/brooklyn/software/base/custom-enable-credssp.ps1 +++ b/software/base/src/main/resources/org/apache/brooklyn/software/base/custom-enable-credssp.ps1 
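Review bot: `Get-Service -Name MSSQLSERVER` in the new `checkRunning.powershell.command` writes a non-terminating error to the error stream whenever the service does not exist yet, so the check still exits 1 as intended but every poll before the service is installed leaves error output in the entity's logs. `$service = Get-Service -Name MSSQLSERVER -ErrorAction SilentlyContinue` gives the same result with a quiet error stream. The rest of the mssql entity definition, including where the newly staged CredSSP helper scripts are invoked, lies outside this hunk.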
@@ -23,6 +23,9 @@ function Custom-Enable-CredSSP { <# +.DEPRECATED +Please use classpath://org/apache/brooklyn/software/winrm/utils/enable-credssp.ps1 + .SYNOPSIS Enables and configures CredSSP Authentication to be used in PowerShell remoting sessions http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/c54f8ca9/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/enable-credssp.ps1 ---------------------------------------------------------------------- diff --git a/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/enable-credssp.ps1 b/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/enable-credssp.ps1 new file mode 100644 index 0000000..5eeb97a --- /dev/null +++ b/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/enable-credssp.ps1 
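Review bot: `.DEPRECATED` is not one of the section keywords PowerShell comment-based help recognizes, and in my understanding an unrecognized keyword makes Get-Help discard the whole help block for Custom-Enable-CredSSP rather than display it with the notice. Putting the same sentence under the existing `.DESCRIPTION`, or in a `.NOTES` section, keeps the help renderable, e.g. `.NOTES` followed by `Deprecated: use classpath://org/apache/brooklyn/software/winrm/utils/enable-credssp.ps1 instead.` The function body continues outside the hunk.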
@@ -0,0 +1,134 @@
+#!ps1
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# Resources:
+# https://github.com/mwrock/boxstarter/blob/master/LICENSE.txt
+# https://github.com/mwrock/boxstarter/blob/master/Boxstarter.Chocolatey/Enable-BoxstarterCredSSP.ps1
+
+function Enable-CredSSP {
+<#
+.SYNOPSIS
+Enables and configures CredSSP Authentication to be used in PowerShell remoting sessions
+
+.DESCRIPTION
+Enabling CredSSP allows a caller from one remote session to authenticate on other remote
+resources. This is known as credential delegation. By default, PowerShell sessions do not
+use credSSP and therefore cannot bake a "second hop" to use other remote resources that
+require their authentication token.
+
+This command will enable CredSSP and add all RemoteHostsToTrust to the CredSSP trusted
+hosts list. It will also edit the users group policy to allow Fresh Credential Delegation.
+
+.PARAMETER RemoteHostsToTrust
+A list of ComputerNames to add to the CredSSP Trusted hosts list.
+
+.OUTPUTS
+A list of the original trusted hosts on the local machine.
+
+.EXAMPLE
+Enable-CredSSP box1,box2
+
+
+#>
+ param(
+ [string[]] $RemoteHostsToTrust
+ )
+
+ Write-Host "Configuring CredSSP settings..."
+ # Required to be running for using CredSSP
+ winrm quickconfig -transport:http -quiet
+
+ & winrm set winrm/config/service/auth '@{CredSSP="true"}'
+ If ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+
+ & winrm set winrm/config/client/auth '@{CredSSP="true"}'
+ If ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+
+ $Result=@{
+ Success=$False;
+ PreviousCSSPTrustedHosts=$null;
+ PreviousFreshCredDelegationHostCount=0
+ }
+
+ $credssp = Get-WSManCredSSP
+
+ $ComputersToAdd = @()
+ $idxHosts=$credssp[0].IndexOf(": ")
+ if($idxHosts -gt -1){
+ $credsspEnabled=$True
+ $Result.PreviousCSSPTrustedHosts=$credssp[0].substring($idxHosts+2)
+ $hostArray=$Result.PreviousCSSPTrustedHosts.Split(",")
+ $RemoteHostsToTrust | ? { $hostArray -notcontains "wsman/$_" } | % { $ComputersToAdd += $_ }
+ }
+ else {
+ $ComputersToAdd = $RemoteHostsToTrust
+ }
+
+ if($ComputersToAdd.Count -gt 0){
+ try {
+ Enable-WSManCredSSP -DelegateComputer $ComputersToAdd -Role Client -Force -ErrorAction Stop | Out-Null
+ }
+ catch {
+ Write-Error "Enable-WSManCredSSP failed with: $_" -Verbose
+ return $result
+ }
+ }
+
+ $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows"
+ if (!(Test-Path "$key\CredentialsDelegation")) {
+ New-Item $key -Name CredentialsDelegation | Out-Null
+ }
+ $key = Join-Path $key "CredentialsDelegation"
+ New-ItemProperty -Path "$key" -Name "ConcatenateDefaults_AllowFresh" -Value 1 -PropertyType Dword -Force | Out-Null
+ New-ItemProperty -Path "$key" -Name "ConcatenateDefaults_AllowFreshNTLMOnly" -Value 1 -PropertyType Dword -Force | Out-Null
+
+ $result.PreviousFreshNTLMCredDelegationHostCount = Set-CredentialDelegation $key 'AllowFreshCredentialsWhenNTLMOnly' $RemoteHostsToTrust
+ $result.PreviousFreshCredDelegationHostCount = Set-CredentialDelegation $key 'AllowFreshCredentials' $RemoteHostsToTrust
+
+ $Result.Success=$True
+ return $Result
+}
+
+function Set-CredentialDelegation($key, $subKey, $allowed){
+ New-ItemProperty -Path "$key" -Name $subKey -Value 1 -PropertyType Dword -Force | Out-Null
+ $policyNode = Join-Path $key $subKey
+ if (!(Test-Path $policyNode)) {
+ md $policyNode | Out-Null
+ }
+ $currentHostProps=@()
+ (Get-Item $policyNode).Property | % {
+ $currentHostProps += (Get-ItemProperty -Path $policyNode -Name $_).($_)
+ }
+ $currentLength = $currentHostProps.Length
+ $idx=$currentLength
+ $allowed | ? { $currentHostProps -notcontains "wsman/$_"} | % {
+ ++$idx
+ New-ItemProperty -Path $policyNode -Name "$idx" -Value "wsman/$_" -PropertyType String -Force | Out-Null
+ }
+
+ return $currentLength
+}
+
+$result = Enable-CredSSP $env:COMPUTERNAME,localhost
+if (-not $result.Success) {
+ Write-Error "Enabling CredSSP didn't succeed."
+ exit 1
+} else {
+ Write-Host "CredSSP enabled."
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/c54f8ca9/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/invoke-command-credssp.ps1
----------------------------------------------------------------------
diff --git a/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/invoke-command-credssp.ps1 b/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/invoke-command-credssp.ps1
new file mode 100644
index 0000000..c641857
--- /dev/null
+++ b/software/base/src/main/resources/org/apache/brooklyn/software/winrm/utils/invoke-command-credssp.ps1
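Review bot: `winrm quickconfig -transport:http -quiet` is the one external call in Enable-CredSSP whose result is never checked; the two `winrm set` calls right after it both test `$LASTEXITCODE`, so a failed quickconfig (the listener it creates is what the later delegation relies on) silently falls through to the CredSSP settings. Add `If ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }` after it, as for the `winrm set` lines. The write to `AllowFreshCredentialsWhenNTLMOnly` also deserves a comment, since that policy permits delegating fresh credentials to a target that is not mutually authenticated; the delegates here are only `$env:COMPUTERNAME` and `localhost`, which keeps the scope local, but the reason belongs next to the policy write. `$credsspEnabled=$True` is assigned and never read, and the block mixes `$Result` and `$result` for the same variable.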
@@ -0,0 +1,112 @@
+[#ftl]
+#!ps1
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+Param([Parameter(Mandatory=$True)][String]$Command, [String[]] $ArgumentList, [switch] $LogOutputInFile, $ScriptBlockInCredSSP)
+<#
+.SYNOPSIS
+Helper Script which executes commands through Invoke-Command -Authentication CredSSP
+
+.DESCRIPTION
+By default, PowerShell sessions do not
+use credSSP and therefore cannot bake a "second hop" to use other remote resources that
+require their authentication token.
+Microsoft: "CAUTION: Credential Security Support Provider (CredSSP) authentication, in which the user's credentials are passed to a remote computer to be authenticated, is designed for commands that require authentication on more than one resource, such as accessing a remote network share. This mechanism increases the security risk of the remote operation."
+Passing parameters in powershell: https://technet.microsoft.com/en-us/magazine/jj554301.aspx
+
+.NOTES
+The script may not work properly on a machine which has installed Active Directory.
+
+.PARAMETER Command
+The command which you want to invoke through CredSSP
+
+.PARAMETER ArgumentList
+A list of arguments you want to pass to $Command which will be executed.
+
+.PARAMETER LogOutputInFile
+Redirect output to a file in $env:TEMP folder
+
+.OUTPUTS
+The output of the command.
+
+.EXAMPLE
+
+If you are inside command prompt and you want to run a native command or a batch script with CredSSP:
+
+powershell -command C:\invoke-command-credssp.ps1 -Command C:\setup.exe "/q","/param2"
+
+.EXAMPLE
+
+If you are inside powershell and you want to run a native command or batch script with CredSSP:
+
+C:\Invoke-Command-Credssp.ps1 -Com C:\test.bat -ArgumentList ("/q",/"f")
+
+.EXAMPLE
+
+If you are in command prompt and want to run another powershell script with CredSSP:
+
+powershell -command "C:\Invoke-Command-Credssp -Command powershell -ArgumentList (\"-command\",\"c:\hi_params.ps1\")"
+
+.EXAMPLE
+
+If you are inside powershell and want to execute a powershell block through CredSSP.
+Then you can use the special -ScriptBlock parameter.
+Since -Command is threated as the most common case and it is made mandatory parameter,
+Just pass an empty command and a Script-Block which you want to be executed through CredSSP
+
+C:\Invoke-Command-Credssp -Command "empty" -ScriptBlock {Write-Host "A script block which is using CredSSP..."; 0}
+
+#>
+
+$exitCode = 1
+Try {
+ $pass = '${attribute['windows.password']}'
+ $secpasswd = ConvertTo-SecureString $pass -AsPlainText -Force
+ $mycreds = New-Object System.Management.Automation.PSCredential ($($env:COMPUTERNAME + "\${location.user}"), $secpasswd)
+
+ $exitCode = Invoke-Command -Credential $mycreds -ComputerName $env:COMPUTERNAME -ScriptBlock {
+ param($Command,$ArgumentList,$LogOutputInFile,$ScriptBlockInCredSSP)
+ $startProcArgs = If ($ArgumentList.Length -gt 0) { @{ArgumentList = $ArgumentList} } Else { @{} }
+ If ($ScriptBlockInCredSSP) {
+ $ScriptBlockInCredSSP = ([scriptblock]::Create($ScriptBlockInCredSSP))
+ $r = & $ScriptBlockInCredSSP
+ if ($r -is [int]) {
+ Write-Host "ScriptBlock reported that its status is ($r)"
+ $r
+ } else {
+ Write-Host "ScriptBlock didn't report its status"
+ 0
+ }
+ } ElseIf ($LogOutputInFile) {
+ $stdFilePathNoExt = "$($Env:TEMP)\$(Split-Path $Command -Leaf)_$((Get-Date).Ticks / 1000)"
+ $stdOutFile = "$($stdFilePathNoExt).stdout.log"
+ $stdErrFile = "$($stdFilePathNoExt).stderr.log"
+ $process = Start-Process $Command @startProcArgs -RedirectStandardOutput $stdOutFile -RedirectStandardError $stdErrFile -Wait -PassThru -NoNewWindow
+ $process.ExitCode
+ } Else {
+ $process = Start-Process $Command @startProcArgs -Wait -PassThru -NoNewWindow
+ $process.ExitCode
+ }
+ } -Authentication CredSSP -ArgumentList $Command,$ArgumentList,$LogOutputInFile.IsPresent,$ScriptBlockInCredSSP
+} Catch {
+ Write-Error $_.Exception
+ Write-Host 'Exception logged'
+ exit 1
+}
+exit $exitCode
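Review bot: The account password is rendered into the script as a single-quoted literal (`$pass = '${attribute['windows.password']}'`), so a value containing `'` ends the literal early and the whole file fails to parse, and because the yaml stages the rendered file at a fixed path on the target, the cleartext credential stays on that disk after the command has run. At minimum escape the rendered value for a single-quoted PowerShell string (double every `'`); better, have the caller supply the credential at run time rather than baking it into the file, and delete or ACL-restrict the rendered script once the command completes. Separately, `$exitCode` is whatever the remote script block writes to the pipeline, so if the `Start-Process` branches yield a process whose `ExitCode` is null the script ends with `exit $null`, which I believe reports success; a guard such as `if ($null -eq $exitCode) { $exitCode = 1 }` before `exit $exitCode` keeps such failures visible.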