def execute(self, service, shared_data):
    """Stand up a WinRM HTTPS listener backed by a fresh self-signed cert.

    Steps: verify the WinRM service (defer to next boot if it is not
    usable), apply the basic-auth setting, create a self-signed
    certificate for ``self._cert_subject``, (re)create the HTTPS
    listener bound to that certificate and open its port in the host
    firewall.

    Args:
        service: metadata service instance (unused here).
        shared_data: plugin shared-data dict (unused here).

    Returns:
        ``(base.PLUGIN_EXECUTE_ON_NEXT_BOOT, False)`` when the WinRM
        service check fails, else ``(base.PLUGIN_EXECUTION_DONE, False)``.
    """
    os_utils = osutils_factory.get_os_utils()
    if not self._check_winrm_service(os_utils):
        return base.PLUGIN_EXECUTE_ON_NEXT_BOOT, False

    config = winrmconfig.WinRMConfig()
    # NOTE(review): basic auth is enabled purely from
    # CONF.winrm_enable_basic_auth. The listener below is HTTPS, but its
    # certificate is self-signed, so clients must pin the thumbprint or
    # disable validation -- in the latter case the password inside basic
    # auth is exposed to an on-path attacker.
    config.set_auth_config(basic=CONF.winrm_enable_basic_auth)

    thumbprint = x509.CryptoAPICertManager().create_self_signed_cert(
        self._cert_subject)

    https = winrmconfig.LISTENER_PROTOCOL_HTTPS
    # Drop any pre-existing HTTPS listener so the new one binds the new
    # certificate rather than whatever was configured before.
    if config.get_listener(protocol=https):
        config.delete_listener(protocol=https)
    config.create_listener(cert_thumbprint=thumbprint, protocol=https)

    # Read the port back from the created listener (the default is not
    # assumed here) and punch the matching TCP hole in the firewall.
    port = config.get_listener(protocol=https).get("Port")
    os_utils.firewall_create_rule("WinRM %s" % https, port,
                                  os_utils.PROTOCOL_TCP)
    return base.PLUGIN_EXECUTION_DONE, False
def execute(self, service, shared_data):
    """Map metadata-supplied client certificates to a local user for WinRM.

    For every certificate returned by ``service.get_client_auth_certs()``
    the certificate is imported (into the store named by
    ``x509.STORE_NAME_ROOT``) and a WinRM certificate mapping is created
    from the certificate's UPN to the credentials obtained through
    ``self._get_credentials``.  Certificates without a UPN subject alt
    name are logged and skipped.

    On NT 6.0/6.1 (Vista, 2008, 2008 R2, 7) WinRM configuration changes
    fail with "Access is denied" while UAC remote restrictions are on, so
    those restrictions are lifted for the duration of the change and
    restored in ``finally`` (https://support.microsoft.com/kb/951016).

    Args:
        service: metadata service providing the client-auth certificates.
        shared_data: plugin shared-data dict passed to ``_get_credentials``.

    Returns:
        ``(base.PLUGIN_EXECUTION_DONE, False)`` in every case.
    """
    user_name, password = self._get_credentials(service, shared_data)
    certs_data = service.get_client_auth_certs()
    if not certs_data:
        LOG.info("WinRM certificate authentication cannot be configured "
                 "as a certificate has not been provided in the metadata")
        return base.PLUGIN_EXECUTION_DONE, False

    os_utils = osutils_factory.get_os_utils()
    sec_utils = security.WindowsSecurityUtils()

    # Only lift the restrictions on the affected OS range AND only when
    # they are currently on, so the ``finally`` below never "restores" a
    # setting that was already off.
    must_lift_uac = (os_utils.check_os_version(6, 0)
                     and not os_utils.check_os_version(6, 2)
                     and sec_utils.get_uac_remote_restrictions())
    try:
        if must_lift_uac:
            LOG.debug("Disabling UAC remote restrictions")
            sec_utils.set_uac_remote_restrictions(enable=False)

        config = winrmconfig.WinRMConfig()
        config.set_auth_config(certificate=True)

        for cert_data in certs_data:
            # NOTE(review): STORE_NAME_ROOT is presumably the machine's
            # Trusted Root store, which makes each imported client cert a
            # machine-wide trust anchor -- whoever can inject certificates
            # into the metadata gains that trust. Confirm this is intended.
            thumbprint, upn = x509.CryptoAPICertManager().import_cert(
                cert_data, store_name=x509.STORE_NAME_ROOT)
            if not upn:
                LOG.error("WinRM certificate authentication cannot be "
                          "configured as the provided certificate lacks a "
                          "subject alt name containing an UPN (OID "
                          "1.3.6.1.4.1.311.20.2.3)")
                continue

            # Recreate rather than update an existing mapping.
            if config.get_cert_mapping(thumbprint, upn):
                config.delete_cert_mapping(thumbprint, upn)
            # The password is handed to the mapping but deliberately kept
            # out of the log line.
            LOG.info("Creating WinRM certificate mapping for user "
                     "%(user_name)s with UPN %(cert_upn)s",
                     {'user_name': user_name, 'cert_upn': upn})
            config.create_cert_mapping(thumbprint, upn, user_name, password)
    finally:
        if must_lift_uac:
            LOG.debug("Enabling UAC remote restrictions")
            sec_utils.set_uac_remote_restrictions(enable=True)

    return base.PLUGIN_EXECUTION_DONE, False
def execute(self, service, shared_data):
    """Stand up a WinRM HTTPS listener, lifting UAC remote restrictions
    on legacy Windows while the WinRM configuration is changed.

    Verifies the WinRM service (deferring to next boot if unusable),
    applies the basic-auth setting, creates a self-signed certificate for
    ``self._cert_subject``, (re)creates the HTTPS listener bound to it and
    opens the listener port in the host firewall.

    On NT 6.0/6.1 (Vista, 2008, 2008 R2, 7) WinRM configuration changes
    fail with "Access is denied" while UAC remote restrictions are on, so
    they are lifted for the duration of the change and restored in
    ``finally`` (https://support.microsoft.com/kb/951016).

    Args:
        service: metadata service instance (unused here).
        shared_data: plugin shared-data dict (unused here).

    Returns:
        ``(base.PLUGIN_EXECUTE_ON_NEXT_BOOT, False)`` when the WinRM
        service check fails, else ``(base.PLUGIN_EXECUTION_DONE, False)``.
    """
    os_utils = osutils_factory.get_os_utils()
    sec_utils = security.WindowsSecurityUtils()
    if not self._check_winrm_service(os_utils):
        return (base.PLUGIN_EXECUTE_ON_NEXT_BOOT, False)

    # Lift only on the affected OS range and only when currently on, so
    # ``finally`` never re-enables a setting that was already off.
    must_lift_uac = (os_utils.check_os_version(6, 0)
                     and not os_utils.check_os_version(6, 2)
                     and sec_utils.get_uac_remote_restrictions())
    try:
        if must_lift_uac:
            LOG.debug("Disabling UAC remote restrictions")
            sec_utils.set_uac_remote_restrictions(enable=False)

        config = winrmconfig.WinRMConfig()
        # NOTE(review): basic auth is enabled purely from
        # CONF.winrm_enable_basic_auth; the listener is HTTPS but its
        # certificate is self-signed, so a client that skips validation
        # exposes the basic-auth password to an on-path attacker.
        config.set_auth_config(basic=CONF.winrm_enable_basic_auth)

        thumbprint = x509.CryptoAPICertManager().create_self_signed_cert(
            self._cert_subject)

        https = winrmconfig.LISTENER_PROTOCOL_HTTPS
        # Recreate the listener so it binds the freshly created cert.
        if config.get_listener(protocol=https):
            config.delete_listener(protocol=https)
        config.create_listener(cert_thumbprint=thumbprint, protocol=https)

        port = config.get_listener(protocol=https).get("Port")
        os_utils.firewall_create_rule("WinRM %s" % https, port,
                                      os_utils.PROTOCOL_TCP)
    finally:
        if must_lift_uac:
            LOG.debug("Enabling UAC remote restrictions")
            sec_utils.set_uac_remote_restrictions(enable=True)

    return (base.PLUGIN_EXECUTION_DONE, False)
def execute(self, service, shared_data):
    """Map metadata-supplied client certificates to a local user for WinRM.

    Each certificate from ``service.get_client_auth_certs()`` is imported
    into the store named by ``x509.STORE_NAME_ROOT`` and a WinRM
    certificate mapping is created from its UPN to the credentials
    obtained through ``self._get_credentials(shared_data)``.  Certificates
    lacking a UPN subject alt name are logged and skipped.

    Args:
        service: metadata service providing the client-auth certificates.
        shared_data: plugin shared-data dict passed to ``_get_credentials``.

    Returns:
        ``(base.PLUGIN_EXECUTION_DONE, False)`` in every case.
    """
    user_name, password = self._get_credentials(shared_data)
    certs_data = service.get_client_auth_certs()
    if not certs_data:
        LOG.info("WinRM certificate authentication cannot be configured "
                 "as a certificate has not been provided in the metadata")
        return (base.PLUGIN_EXECUTION_DONE, False)

    config = winrmconfig.WinRMConfig()
    config.set_auth_config(certificate=True)

    for cert_data in certs_data:
        # NOTE(review): STORE_NAME_ROOT is presumably the machine's
        # Trusted Root store, so every imported client cert becomes a
        # machine-wide trust anchor; anyone able to inject certificates
        # into the metadata gains that trust. Confirm this is intended.
        thumbprint, upn = x509.CryptoAPICertManager().import_cert(
            cert_data, store_name=x509.STORE_NAME_ROOT)
        if not upn:
            LOG.error("WinRM certificate authentication cannot be "
                      "configured as the provided certificate lacks a "
                      "subject alt name containing an UPN (OID "
                      "1.3.6.1.4.1.311.20.2.3)")
            continue

        # Recreate rather than update an existing mapping.
        if config.get_cert_mapping(thumbprint, upn):
            config.delete_cert_mapping(thumbprint, upn)
        # The password goes into the mapping; keep it out of the log.
        LOG.info("Creating WinRM certificate mapping for user "
                 "%(user_name)s with UPN %(cert_upn)s",
                 {'user_name': user_name, 'cert_upn': upn})
        config.create_cert_mapping(thumbprint, upn, user_name, password)

    return (base.PLUGIN_EXECUTION_DONE, False)
def execute(self, service, shared_data):
    """Configure the WinRM listeners described by the metadata.

    Verifies the WinRM service (deferring to next boot if unusable), then,
    inside ``self._check_uac_remote_restrictions``, applies the basic-auth
    setting and configures one listener per entry returned by
    ``self._get_winrm_listeners_config(service)``.  HTTPS entries use the
    ``certificate_thumbprint`` they carry, or a freshly created
    self-signed certificate when none is given.

    Args:
        service: metadata service the listener configuration is read from.
        shared_data: plugin shared-data dict (unused here).

    Returns:
        ``(base.PLUGIN_EXECUTE_ON_NEXT_BOOT, False)`` when the WinRM
        service check fails, else ``(base.PLUGIN_EXECUTION_DONE, False)``.
    """
    os_utils = osutils_factory.get_os_utils()
    if not self._check_winrm_service(os_utils):
        return base.PLUGIN_EXECUTE_ON_NEXT_BOOT, False

    listeners = self._get_winrm_listeners_config(service)
    if not listeners:
        LOG.info("No WinRM listener configuration provided")
        return base.PLUGIN_EXECUTION_DONE, False

    with self._check_uac_remote_restrictions(os_utils):
        config = winrmconfig.WinRMConfig()
        # NOTE(review): a non-HTTPS listener is accepted here as-is while
        # basic auth may be on; whether WinRM then allows basic auth over
        # plain HTTP depends on service settings this block does not touch
        # (e.g. AllowUnencrypted) -- verify the deployment does not rely on
        # it.
        config.set_auth_config(basic=CONF.winrm_enable_basic_auth)

        for entry in listeners:
            # A missing "protocol" key raises KeyError; presumably
            # _get_winrm_listeners_config validates the entries.
            proto = entry["protocol"].upper()
            thumb = None
            if proto == winrmconfig.LISTENER_PROTOCOL_HTTPS:
                # Metadata-supplied thumbprint wins; otherwise mint a
                # self-signed certificate. The thumbprint is not checked
                # against the cert store here.
                thumb = (entry.get("certificate_thumbprint")
                         or self._create_self_signed_certificate())
            LOG.info("Configuring WinRM listener for protocol: "
                     "%(protocol)s, certificate thumbprint: "
                     "%(cert_thumb)s",
                     {"protocol": proto, "cert_thumb": thumb})
            self._configure_winrm_listener(os_utils, config, proto, thumb)

    return base.PLUGIN_EXECUTION_DONE, False