コード例 #1
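    def execute(self, service, shared_data):
        """Configure a WinRM HTTPS listener backed by a self-signed certificate.

        Steps: check that the WinRM service is usable, apply the Basic-auth
        setting from ``CONF.winrm_enable_basic_auth``, generate a self-signed
        certificate for ``self._cert_subject``, replace any existing HTTPS
        listener with one bound to that certificate, and open the listener's
        TCP port in the host firewall.

        :param service: metadata service (not used by this plugin).
        :param shared_data: plugin shared state (not used by this plugin).
        :returns: ``(base.PLUGIN_EXECUTE_ON_NEXT_BOOT, False)`` when the WinRM
            service is not ready yet, otherwise
            ``(base.PLUGIN_EXECUTION_DONE, False)``.
        :raises RuntimeError: if the HTTPS listener cannot be read back right
            after it was created.
        """
        osutils = osutils_factory.get_os_utils()

        if not self._check_winrm_service(osutils):
            return (base.PLUGIN_EXECUTE_ON_NEXT_BOOT, False)

        winrm_config = winrmconfig.WinRMConfig()
        # Basic auth is only tolerable because the listener created below is
        # HTTPS; CONF decides whether it is enabled at all.
        winrm_config.set_auth_config(basic=CONF.winrm_enable_basic_auth)

        cert_manager = x509.CryptoAPICertManager()
        cert_thumbprint = cert_manager.create_self_signed_cert(
            self._cert_subject)
        # A self-signed certificate has no CA chain a client can validate;
        # the thumbprint is the only value an operator can pin out of band to
        # detect a man-in-the-middle, so record it where it can be retrieved.
        LOG.info("Self-signed WinRM certificate thumbprint: %s",
                 cert_thumbprint)

        protocol = winrmconfig.LISTENER_PROTOCOL_HTTPS

        # Replace, rather than update, a pre-existing HTTPS listener so the
        # freshly generated certificate is the one actually bound.
        if winrm_config.get_listener(protocol=protocol):
            winrm_config.delete_listener(protocol=protocol)

        winrm_config.create_listener(cert_thumbprint=cert_thumbprint,
                                     protocol=protocol)

        listener_config = winrm_config.get_listener(protocol=protocol)
        if not listener_config:
            # get_listener is truth-tested above, so it can return a falsy
            # value; fail with a clear message instead of an AttributeError
            # on .get() below.
            raise RuntimeError(
                "WinRM %s listener was not found after creation" % protocol)
        listener_port = listener_config.get("Port")

        # NOTE(review): only name/port/protocol are passed, so no source
        # address restriction is applied here - the listener is reachable
        # from wherever the firewall profile already allows inbound traffic.
        rule_name = "WinRM %s" % protocol
        osutils.firewall_create_rule(rule_name, listener_port,
                                     osutils.PROTOCOL_TCP)

        return (base.PLUGIN_EXECUTION_DONE, False)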
コード例 #2
    def execute(self, service, shared_data):
        """Enable WinRM certificate authentication for the provisioned user.

        Every client-authentication certificate published by the metadata
        service is imported into the local machine ROOT store and its UPN
        subject-alt-name is mapped to the user and password returned by
        ``_get_credentials``. Certificates without a UPN SAN are logged and
        skipped.

        On Windows 6.0/6.1 (Vista, 2008, 2008 R2, 7) the UAC remote
        restrictions make WinRM configuration changes fail with "Access is
        denied" (https://support.microsoft.com/kb/951016); when they are
        active they are switched off for the duration of the change and
        restored in a ``finally`` block.

        :param service: metadata service; must provide
            ``get_client_auth_certs()``.
        :param shared_data: plugin shared state consulted for credentials.
        :returns: ``(base.PLUGIN_EXECUTION_DONE, False)`` in every case.
        """
        user_name, password = self._get_credentials(service, shared_data)

        certs_data = service.get_client_auth_certs()
        if not certs_data:
            LOG.info("WinRM certificate authentication cannot be configured "
                     "as a certificate has not been provided in the metadata")
            return base.PLUGIN_EXECUTION_DONE, False

        osutils = osutils_factory.get_os_utils()
        security_utils = security.WindowsSecurityUtils()

        # Only a pre-6.2 Windows that currently has the restriction enabled
        # needs the temporary toggle; everything else leaves UAC untouched.
        legacy_windows = (osutils.check_os_version(6, 0)
                          and not osutils.check_os_version(6, 2))
        toggle_uac = (legacy_windows
                      and security_utils.get_uac_remote_restrictions())

        try:
            if toggle_uac:
                LOG.debug("Disabling UAC remote restrictions")
                security_utils.set_uac_remote_restrictions(enable=False)

            winrm_config = winrmconfig.WinRMConfig()
            winrm_config.set_auth_config(certificate=True)

            for cert_data in certs_data:
                # NOTE(review): the certificate lands in the ROOT (trusted
                # root CA) store before its UPN is checked, so a certificate
                # rejected below is still trusted machine-wide afterwards;
                # the metadata source must therefore be trustworthy.
                thumbprint, upn = x509.CryptoAPICertManager().import_cert(
                    cert_data, store_name=x509.STORE_NAME_ROOT)

                if not upn:
                    LOG.error("WinRM certificate authentication cannot be "
                              "configured as the provided certificate lacks a "
                              "subject alt name containing an UPN (OID "
                              "1.3.6.1.4.1.311.20.2.3)")
                    continue

                # Recreate an existing mapping instead of updating it so the
                # stored credentials match the current ones.
                if winrm_config.get_cert_mapping(thumbprint, upn):
                    winrm_config.delete_cert_mapping(thumbprint, upn)

                LOG.info("Creating WinRM certificate mapping for user "
                         "%(user_name)s with UPN %(cert_upn)s",
                         {'user_name': user_name, 'cert_upn': upn})
                # The password is handed to WinRM, which keeps it with the
                # mapping; it is deliberately never written to the log.
                winrm_config.create_cert_mapping(thumbprint, upn,
                                                 user_name, password)

        finally:
            if toggle_uac:
                LOG.debug("Enabling UAC remote restrictions")
                security_utils.set_uac_remote_restrictions(enable=True)

        return base.PLUGIN_EXECUTION_DONE, False
コード例 #3
ファイル: winrmlistener.py プロジェクト: ly798/cloudbase-init
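    def execute(self, service, shared_data):
        """Configure a WinRM HTTPS listener backed by a self-signed certificate.

        Checks that the WinRM service is usable, applies the Basic-auth
        setting from ``CONF.winrm_enable_basic_auth``, generates a self-signed
        certificate for ``self._cert_subject``, replaces any existing HTTPS
        listener with one bound to that certificate and opens the listener's
        TCP port in the host firewall.

        On Windows 6.0/6.1 (Vista, 2008, 2008 R2, 7) the UAC remote
        restrictions make WinRM configuration changes fail with "Access is
        denied" (https://support.microsoft.com/kb/951016); when active they
        are switched off for the duration of the change and restored in a
        ``finally`` block.

        :param service: metadata service (not used by this plugin).
        :param shared_data: plugin shared state (not used by this plugin).
        :returns: ``(base.PLUGIN_EXECUTE_ON_NEXT_BOOT, False)`` when the WinRM
            service is not ready yet, otherwise
            ``(base.PLUGIN_EXECUTION_DONE, False)``.
        :raises RuntimeError: if the HTTPS listener cannot be read back right
            after it was created.
        """
        osutils = osutils_factory.get_os_utils()
        security_utils = security.WindowsSecurityUtils()

        if not self._check_winrm_service(osutils):
            return base.PLUGIN_EXECUTE_ON_NEXT_BOOT, False

        # Only a pre-6.2 Windows that currently has the restriction enabled
        # needs the temporary toggle.
        disable_uac_remote_restrictions = (
            osutils.check_os_version(6, 0)
            and not osutils.check_os_version(6, 2)
            and security_utils.get_uac_remote_restrictions())

        try:
            if disable_uac_remote_restrictions:
                LOG.debug("Disabling UAC remote restrictions")
                security_utils.set_uac_remote_restrictions(enable=False)

            winrm_config = winrmconfig.WinRMConfig()
            # Basic auth is only tolerable because the listener created
            # below is HTTPS; CONF decides whether it is enabled at all.
            winrm_config.set_auth_config(basic=CONF.winrm_enable_basic_auth)

            cert_manager = x509.CryptoAPICertManager()
            cert_thumbprint = cert_manager.create_self_signed_cert(
                self._cert_subject)
            # A self-signed certificate has no CA chain a client can
            # validate; the thumbprint is the only value an operator can pin
            # out of band, so record it where it can be retrieved.
            LOG.info("Self-signed WinRM certificate thumbprint: %s",
                     cert_thumbprint)

            protocol = winrmconfig.LISTENER_PROTOCOL_HTTPS

            # Replace, rather than update, a pre-existing HTTPS listener so
            # the freshly generated certificate is the one actually bound.
            if winrm_config.get_listener(protocol=protocol):
                winrm_config.delete_listener(protocol=protocol)

            winrm_config.create_listener(cert_thumbprint=cert_thumbprint,
                                         protocol=protocol)

            listener_config = winrm_config.get_listener(protocol=protocol)
            if not listener_config:
                # get_listener is truth-tested above, so it can return a
                # falsy value; fail with a clear message instead of an
                # AttributeError on .get() below.
                raise RuntimeError(
                    "WinRM %s listener was not found after creation"
                    % protocol)
            listener_port = listener_config.get("Port")

            # NOTE(review): only name/port/protocol are passed, so no source
            # address restriction is applied - the listener is reachable from
            # wherever the firewall profile already allows inbound traffic.
            rule_name = "WinRM %s" % protocol
            osutils.firewall_create_rule(rule_name, listener_port,
                                         osutils.PROTOCOL_TCP)

        finally:
            # Restore the restriction even if listener setup raised.
            if disable_uac_remote_restrictions:
                LOG.debug("Enabling UAC remote restrictions")
                security_utils.set_uac_remote_restrictions(enable=True)

        return base.PLUGIN_EXECUTION_DONE, False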
コード例 #4
    def execute(self, service, shared_data):
        """Enable WinRM certificate authentication for the provisioned user.

        Every client-authentication certificate published by the metadata
        service is imported into the local machine ROOT store and its UPN
        subject-alt-name is mapped to the user and password returned by
        ``_get_credentials``. Certificates without a UPN SAN are logged and
        skipped.

        :param service: metadata service; must provide
            ``get_client_auth_certs()``.
        :param shared_data: plugin shared state consulted for credentials.
        :returns: ``(base.PLUGIN_EXECUTION_DONE, False)`` in every case.
        """
        user_name, password = self._get_credentials(shared_data)

        certs_data = service.get_client_auth_certs()
        if not certs_data:
            LOG.info("WinRM certificate authentication cannot be configured "
                     "as a certificate has not been provided in the metadata")
            return (base.PLUGIN_EXECUTION_DONE, False)

        winrm_config = winrmconfig.WinRMConfig()
        winrm_config.set_auth_config(certificate=True)

        for cert_data in certs_data:
            # NOTE(review): the certificate lands in the ROOT (trusted root
            # CA) store before its UPN is checked, so a certificate rejected
            # below is still trusted machine-wide afterwards; the metadata
            # source must therefore be trustworthy.
            thumbprint, upn = x509.CryptoAPICertManager().import_cert(
                cert_data, store_name=x509.STORE_NAME_ROOT)

            if not upn:
                LOG.error("WinRM certificate authentication cannot be "
                          "configured as the provided certificate lacks a "
                          "subject alt name containing an UPN (OID "
                          "1.3.6.1.4.1.311.20.2.3)")
                continue

            # Recreate an existing mapping instead of updating it so the
            # stored credentials match the current ones.
            if winrm_config.get_cert_mapping(thumbprint, upn):
                winrm_config.delete_cert_mapping(thumbprint, upn)

            LOG.info(
                "Creating WinRM certificate mapping for user "
                "%(user_name)s with UPN %(cert_upn)s", {
                    'user_name': user_name,
                    'cert_upn': upn
                })
            # The password is handed to WinRM, which keeps it with the
            # mapping; it is deliberately never written to the log.
            winrm_config.create_cert_mapping(thumbprint, upn,
                                             user_name, password)

        return (base.PLUGIN_EXECUTION_DONE, False)
コード例 #5
    def execute(self, service, shared_data):
        """Create the WinRM listeners described by the metadata service.

        Each entry returned by ``_get_winrm_listeners_config(service)`` names
        a protocol and, for HTTPS, optionally a ``certificate_thumbprint``;
        when no thumbprint is given a self-signed certificate is generated.
        The Basic-auth setting from ``CONF.winrm_enable_basic_auth`` is
        applied before any listener is created, and UAC remote restrictions
        are handled by the ``_check_uac_remote_restrictions`` context manager.

        :param service: metadata service queried for listener configuration.
        :param shared_data: plugin shared state (not used by this plugin).
        :returns: ``(base.PLUGIN_EXECUTE_ON_NEXT_BOOT, False)`` when the WinRM
            service is not ready yet, otherwise
            ``(base.PLUGIN_EXECUTION_DONE, False)``.
        """
        osutils = osutils_factory.get_os_utils()

        if not self._check_winrm_service(osutils):
            return base.PLUGIN_EXECUTE_ON_NEXT_BOOT, False

        listeners = self._get_winrm_listeners_config(service)
        if not listeners:
            LOG.info("No WinRM listener configuration provided")
            return base.PLUGIN_EXECUTION_DONE, False

        with self._check_uac_remote_restrictions(osutils):
            winrm_config = winrmconfig.WinRMConfig()
            winrm_config.set_auth_config(
                basic=CONF.winrm_enable_basic_auth)

            for entry in listeners:
                # "protocol" is mandatory in every entry; a KeyError here
                # surfaces malformed metadata instead of silently skipping.
                proto = entry["protocol"].upper()

                # NOTE(review): a non-HTTPS protocol gets no certificate;
                # whether Basic auth then travels over an unencrypted
                # transport depends on _configure_winrm_listener and the
                # WinRM service settings, which are not visible here.
                thumbprint = None
                if proto == winrmconfig.LISTENER_PROTOCOL_HTTPS:
                    # A metadata-supplied thumbprint is used as-is; otherwise
                    # fall back to a freshly generated self-signed
                    # certificate.
                    thumbprint = (entry.get("certificate_thumbprint")
                                  or self._create_self_signed_certificate())

                LOG.info(
                    "Configuring WinRM listener for protocol: "
                    "%(protocol)s, certificate thumbprint: "
                    "%(cert_thumb)s", {
                        "protocol": proto,
                        "cert_thumb": thumbprint
                    })
                self._configure_winrm_listener(osutils, winrm_config,
                                               proto, thumbprint)

        return base.PLUGIN_EXECUTION_DONE, False