Exemple #1
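def test_build_session_cert_validate():
    """Check CA bundle selection when ``server_cert_validation='validate'``.

    The assertions pin two properties of ``Transport.build_session()``:

    * without an explicit ``ca_trust_path``, ``session.verify`` is the path
      taken from ``REQUESTS_CA_BUNDLE``, or from ``CURL_CA_BUNDLE`` when only
      that variable is set;
    * an explicit ``ca_trust_path`` takes precedence over both variables, so
      an operator-pinned trust store is not replaced by the environment.

    Both variables are snapshotted and cleared before the test and restored
    afterwards. Values the developer or CI had set can then neither influence
    the assertions nor be lost for later tests in the same process.
    """
    t_default = Transport(endpoint="Endpoint",
                          server_cert_validation='validate',
                          username='******',
                          password='******',
                          auth_method='basic',
                          )
    t_ca_override = Transport(endpoint="Endpoint",
                              server_cert_validation='validate',
                              username='******',
                              password='******',
                              auth_method='basic',
                              ca_trust_path='overridepath',
                              )

    ca_env_vars = ('REQUESTS_CA_BUNDLE', 'CURL_CA_BUNDLE')
    saved_env = {}
    for name in ca_env_vars:
        if name in os.environ:
            saved_env[name] = os.environ.pop(name)

    try:
        # Phase 1: only REQUESTS_CA_BUNDLE is present.
        os.environ['REQUESTS_CA_BUNDLE'] = 'path_to_REQUESTS_CA_CERT'
        t_default.build_session()
        t_ca_override.build_session()
        assert t_default.session.verify == 'path_to_REQUESTS_CA_CERT'
        assert t_ca_override.session.verify == 'overridepath'
        del os.environ['REQUESTS_CA_BUNDLE']

        # Phase 2: only CURL_CA_BUNDLE is present.
        os.environ['CURL_CA_BUNDLE'] = 'path_to_CURL_CA_CERT'
        t_default.build_session()
        t_ca_override.build_session()
        assert t_default.session.verify == 'path_to_CURL_CA_CERT'
        assert t_ca_override.session.verify == 'overridepath'
    finally:
        # Drop whatever the test set, then put the caller's values back.
        for name in ca_env_vars:
            os.environ.pop(name, None)
        os.environ.update(saved_env)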
Exemple #2
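def test_build_session_cert_ignore():
    """Check that ``server_cert_validation='ignore'`` turns verification off.

    With validation set to ``'ignore'``, ``session.verify`` must be the
    boolean ``False`` even when CA bundle environment variables are set or an
    explicit ``ca_trust_path`` is given. No trust path may re-enable
    verification once it has been disabled.

    NOTE(review): ``verify`` being ``False`` means the server certificate is
    not checked at all, so the peer's identity is unauthenticated. This test
    documents that behaviour; it is not a recommended configuration.

    Both environment variables are snapshotted before the test and restored
    afterwards, so values set by the developer or CI are not lost.
    """
    t_default = Transport(
        endpoint="Endpoint",
        server_cert_validation='ignore',
        username='******',
        password='******',
        auth_method='basic',
    )
    t_ca_override = Transport(endpoint="Endpoint",
                              server_cert_validation='ignore',
                              username='******',
                              password='******',
                              auth_method='basic',
                              ca_trust_path='boguspath')

    ca_env_vars = ('REQUESTS_CA_BUNDLE', 'CURL_CA_BUNDLE')
    saved_env = {}
    for name in ca_env_vars:
        if name in os.environ:
            saved_env[name] = os.environ.pop(name)

    try:
        os.environ['REQUESTS_CA_BUNDLE'] = 'path_to_REQUESTS_CA_CERT'
        os.environ['CURL_CA_BUNDLE'] = 'path_to_CURL_CA_CERT'
        t_default.build_session()
        t_ca_override.build_session()
        # Must be exactly the bool False, not merely a falsy value such as
        # None or an empty path string.
        assert t_default.session.verify is False
        assert t_ca_override.session.verify is False
    finally:
        # Drop whatever the test set, then put the caller's values back.
        for name in ca_env_vars:
            os.environ.pop(name, None)
        os.environ.update(saved_env)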
Exemple #3
 def __init__(self, endpoint, transport='plaintext', username=None,
              password=None, realm=None, service=None, keytab=None,
              ca_trust_path=None, cert_pem=None, cert_key_pem=None,
              timeout=None):
     """
     Build the protocol object and the Transport it talks through.

     @param string endpoint: the WinRM webservice endpoint
     @param string transport: transport type, one of 'plaintext' (default),
         'kerberos', 'ssl'.
         NOTE(review): this constructor neither reads the value nor passes
         it to Transport; per the comment further down, the selection logic
         lives inside Transport. Confirm how the transport is chosen before
         relying on this argument to enforce an encrypted channel.
     @param string username: username
     @param string password: password (also kept on the instance as
         self.password)
     @param string realm: the Kerberos realm we are authenticating to
     @param string service: the service name; documented default is HTTP,
         although the signature default here is None
     @param string keytab: the path to a keytab file if you are using one
     @param string ca_trust_path: Certification Authority trust path
     @param string cert_pem: client authentication certificate file path
         in PEM format
     @param string cert_key_pem: client authentication certificate key file
         path in PEM format
     @param int    timeout: how long to wait for a response from the server;
         any falsy value (None, 0) selects Protocol.DEFAULT_TIMEOUT
     """
     self.timeout = timeout if timeout else Protocol.DEFAULT_TIMEOUT
     self.max_env_sz = Protocol.DEFAULT_MAX_ENV_SIZE
     self.locale = Protocol.DEFAULT_LOCALE

     transport_kwargs = dict(
         endpoint=endpoint,
         username=username,
         password=password,
         realm=realm,
         service=service,
         keytab=keytab,
         ca_trust_path=ca_trust_path,
         cert_pem=cert_pem,
         cert_key_pem=cert_key_pem,
         timeout=self.timeout,
     )
     self.transport = Transport(**transport_kwargs)

     # The per-transport dispatch below is deliberately disabled: it is kept
     # only as a bare string literal, which is a no-op expression. The
     # original author's note says this logic was moved into Transport.
     """
     if transport == 'plaintext':
         self.transport = HttpPlaintext(endpoint, username, password)
     elif transport == 'kerberos':
         self.transport = HttpKerberos(endpoint, realm, service, keytab)
     elif transport == 'ssl':
         self.transport = HttpSSL(
             endpoint, username, password, cert_pem=cert_pem,
             cert_key_pem=cert_key_pem)
     else:
         raise NotImplementedError()
     """

     # Keep the connection settings (including the credential) on the
     # instance, as the original does.
     self.username = username
     self.password = password
     self.service = service
     self.keytab = keytab
     self.ca_trust_path = ca_trust_path
Exemple #4
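def test_build_session():
    """Check that ``build_session`` takes the CA bundle from the environment.

    With ``server_cert_validation='validate'`` and no explicit CA path, the
    assertions expect ``session.verify`` to be the path from
    ``REQUESTS_CA_BUNDLE``, or from ``CURL_CA_BUNDLE`` when only that
    variable is set.

    The environment is changed inside ``try``/``finally``, so a failing
    assertion cannot leave a fake CA bundle path exported for tests that run
    later in the same process. Values set before the test are restored.
    """
    transport = Transport(
        endpoint="Endpoint",
        server_cert_validation='validate',
        username='******',
        password='******',
        auth_method='basic',
    )

    ca_env_vars = ('REQUESTS_CA_BUNDLE', 'CURL_CA_BUNDLE')
    saved_env = {}
    for name in ca_env_vars:
        if name in os.environ:
            saved_env[name] = os.environ.pop(name)

    try:
        # Phase 1: only REQUESTS_CA_BUNDLE is present.
        os.environ['REQUESTS_CA_BUNDLE'] = 'path_to_REQUESTS_CA_CERT'
        transport.build_session()
        assert transport.session.verify == 'path_to_REQUESTS_CA_CERT'
        del os.environ['REQUESTS_CA_BUNDLE']

        # Phase 2: only CURL_CA_BUNDLE is present.
        os.environ['CURL_CA_BUNDLE'] = 'path_to_CURL_CA_CERT'
        transport.build_session()
        assert transport.session.verify == 'path_to_CURL_CA_CERT'
    finally:
        # Drop whatever the test set, then put the caller's values back.
        for name in ca_env_vars:
            os.environ.pop(name, None)
        os.environ.update(saved_env)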
Exemple #5
    def __init__(
        self,
        endpoint,
        transport='plaintext',
        username=None,
        password=None,
        realm=None,
        service="HTTP",
        keytab=None,
        ca_trust_path='legacy_requests',
        cert_pem=None,
        cert_key_pem=None,
        server_cert_validation='validate',
        kerberos_delegation=False,
        read_timeout_sec=DEFAULT_READ_TIMEOUT_SEC,
        operation_timeout_sec=DEFAULT_OPERATION_TIMEOUT_SEC,
        kerberos_hostname_override=None,
        message_encryption='auto',
        credssp_disable_tlsv1_2=False,
        send_cbt=True,
        proxy='legacy_requests',
    ):
        """
        Validate the timeouts and build the Transport used for all requests.

        @param string endpoint: the WinRM webservice endpoint
        @param string transport: transport type, one of 'plaintext'
            (default), 'kerberos', 'ssl', 'ntlm', 'credssp'; passed to
            Transport as ``auth_method``
        @param string username: username
        @param string password: password (also kept on the instance as
            self.password)
        @param string realm: unused
        @param string service: the service name, default is HTTP
        @param string keytab: the path to a keytab file if you are using one
        @param string ca_trust_path: Certification Authority trust path. If
            server_cert_validation is set to 'validate':
            'legacy_requests' (default) to use environment variables,
            None to explicitly disallow any additional CA trust path,
            any other value is taken as the CA trust path to use.
        @param string cert_pem: client authentication certificate file path
            in PEM format
        @param string cert_key_pem: client authentication certificate key
            file path in PEM format
        @param string server_cert_validation: whether the server certificate
            should be validated on Python versions that support it; one of
            'validate' (default), 'ignore'
        @param bool kerberos_delegation: if True, TGT is sent to target
            server to allow multiple hops
        @param int read_timeout_sec: maximum seconds to wait before an HTTP
            connect/read times out (default 30). This value should be
            slightly higher than operation_timeout_sec, as the server can
            block *at least* that long.
        @param int operation_timeout_sec: maximum allowed time in seconds for
            any single wsman HTTP operation (default 20). Note that operation
            timeouts while receiving output (the only wsman operation that
            should take any significant time, and where these timeouts are
            expected) will be silently retried indefinitely.
        @param string kerberos_hostname_override: the hostname to use for the
            kerberos exchange (defaults to the hostname in the endpoint URL)
        @param string message_encryption: whether WinRM messages are
            encrypted when the transport auth supports message encryption
            (default 'auto'). The accepted values are defined by Transport,
            which is not shown here.
        @param bool credssp_disable_tlsv1_2: forwarded to Transport (default
            False); presumably disables TLSv1.2 for CredSSP. Confirm against
            Transport before enabling.
        @param bool send_cbt: forwarded to Transport (default True);
            presumably controls sending of channel binding tokens. Confirm
            against Transport before disabling.
        @param string proxy: Specify a proxy for the WinRM connection to use.
            'legacy_requests' (default) to use environment variables, None to
            disable proxies completely, or the proxy URL itself.

        Raises ValueError if either timeout cannot be parsed as an int, and
        WinRMError if operation_timeout_sec is below 1 or is not strictly
        smaller than read_timeout_sec.
        """

        # Both timeouts may arrive as strings (e.g. from configuration), so
        # coerce them before comparing.
        try:
            read_timeout_sec = int(read_timeout_sec)
        except ValueError as exc:
            message = "failed to parse read_timeout_sec as int: %s" % str(exc)
            raise ValueError(message)

        try:
            operation_timeout_sec = int(operation_timeout_sec)
        except ValueError as exc:
            message = (
                "failed to parse operation_timeout_sec as int: %s" % str(exc))
            raise ValueError(message)

        timeouts_ok = 1 <= operation_timeout_sec < read_timeout_sec
        if not timeouts_ok:
            raise WinRMError(
                "read_timeout_sec must exceed operation_timeout_sec, and both must be non-zero"
            )

        self.read_timeout_sec = read_timeout_sec
        self.operation_timeout_sec = operation_timeout_sec
        self.max_env_sz = Protocol.DEFAULT_MAX_ENV_SIZE
        self.locale = Protocol.DEFAULT_LOCALE

        transport_kwargs = dict(
            # where to connect and how to authenticate
            endpoint=endpoint,
            auth_method=transport,
            username=username,
            password=password,
            realm=realm,
            service=service,
            keytab=keytab,
            kerberos_delegation=kerberos_delegation,
            kerberos_hostname_override=kerberos_hostname_override,
            # TLS trust and client certificate
            server_cert_validation=server_cert_validation,
            ca_trust_path=ca_trust_path,
            cert_pem=cert_pem,
            cert_key_pem=cert_key_pem,
            # channel protection
            message_encryption=message_encryption,
            credssp_disable_tlsv1_2=credssp_disable_tlsv1_2,
            send_cbt=send_cbt,
            # network behaviour
            read_timeout_sec=self.read_timeout_sec,
            proxy=proxy,
        )
        self.transport = Transport(**transport_kwargs)

        # Keep a subset of the settings on the instance. message_encryption,
        # send_cbt and proxy are handed to Transport only.
        self.username = username
        self.password = password
        self.service = service
        self.keytab = keytab
        self.ca_trust_path = ca_trust_path
        self.server_cert_validation = server_cert_validation
        self.kerberos_delegation = kerberos_delegation
        self.kerberos_hostname_override = kerberos_hostname_override
        self.credssp_disable_tlsv1_2 = credssp_disable_tlsv1_2
Exemple #6
    def __init__(
        self,
        endpoint,
        transport='plaintext',
        username=None,
        password=None,
        realm=None,
        service=None,
        keytab=None,
        ca_trust_path=None,
        cert_pem=None,
        cert_key_pem=None,
        server_cert_validation='validate',
        kerberos_delegation=False,
        read_timeout_sec=DEFAULT_READ_TIMEOUT_SEC,
        operation_timeout_sec=DEFAULT_OPERATION_TIMEOUT_SEC,
        kerberos_hostname_override=None,
    ):
        """
        Check the timeouts and build the Transport used for all requests.

        @param string endpoint: the WinRM webservice endpoint
        @param string transport: transport type, one of 'plaintext'
            (default), 'kerberos', 'ssl', 'ntlm', 'credssp'; passed to
            Transport as ``auth_method``
        @param string username: username
        @param string password: password (also kept on the instance as
            self.password)
        @param string realm: unused
        @param string service: the service name; documented default is HTTP,
            although the signature default here is None
        @param string keytab: the path to a keytab file if you are using one
        @param string ca_trust_path: Certification Authority trust path
        @param string cert_pem: client authentication certificate file path
            in PEM format
        @param string cert_key_pem: client authentication certificate key
            file path in PEM format
        @param string server_cert_validation: whether the server certificate
            should be validated on Python versions that support it; one of
            'validate' (default), 'ignore'
        @param bool kerberos_delegation: if True, TGT is sent to target
            server to allow multiple hops
        @param int read_timeout_sec: maximum seconds to wait before an HTTP
            connect/read times out (default 30). This value should be
            slightly higher than operation_timeout_sec, as the server can
            block *at least* that long.
        @param int operation_timeout_sec: maximum allowed time in seconds for
            any single wsman HTTP operation (default 20). Note that operation
            timeouts while receiving output (the only wsman operation that
            should take any significant time, and where these timeouts are
            expected) will be silently retried indefinitely.
        @param string kerberos_hostname_override: the hostname to use for the
            kerberos exchange (defaults to the hostname in the endpoint URL)

        Raises WinRMError if operation_timeout_sec is below 1 or is not
        strictly smaller than read_timeout_sec. The values are compared as
        given; no type conversion is done here.
        """

        too_short = operation_timeout_sec < 1
        if too_short or operation_timeout_sec >= read_timeout_sec:
            raise WinRMError(
                "read_timeout_sec must exceed operation_timeout_sec, and both must be non-zero"
            )

        self.read_timeout_sec = read_timeout_sec
        self.operation_timeout_sec = operation_timeout_sec
        self.max_env_sz = Protocol.DEFAULT_MAX_ENV_SIZE
        self.locale = Protocol.DEFAULT_LOCALE

        transport_kwargs = dict(
            # where to connect and how to authenticate
            endpoint=endpoint,
            auth_method=transport,
            username=username,
            password=password,
            realm=realm,
            service=service,
            keytab=keytab,
            kerberos_delegation=kerberos_delegation,
            kerberos_hostname_override=kerberos_hostname_override,
            # TLS trust and client certificate
            server_cert_validation=server_cert_validation,
            ca_trust_path=ca_trust_path,
            cert_pem=cert_pem,
            cert_key_pem=cert_key_pem,
            # network behaviour
            read_timeout_sec=self.read_timeout_sec,
        )
        self.transport = Transport(**transport_kwargs)

        # Keep the connection settings (including the credential) on the
        # instance, as the original does.
        self.username = username
        self.password = password
        self.service = service
        self.keytab = keytab
        self.ca_trust_path = ca_trust_path
        self.server_cert_validation = server_cert_validation
        self.kerberos_delegation = kerberos_delegation
        self.kerberos_hostname_override = kerberos_hostname_override