m

.github/workflows/windows.yaml

@@ -9,10 +9,9 @@ on:
     paths-ignore: ['**.md', '**.erb']
 
 env:
-  BOLT_WINRM_USER: roddypiper
+  CI_USER: roddypiper
   BOLT_WINRM_HOST: localhost
-  BOLT_WINRM_PORT: 5985
-  BOLT_WINRM_SSL_PORT: 5986
+  BOLT_WINRM_PASSWORD: BoltonWindows1
   BOLT_WINRM_SMB_PORT: 445
   RUBY_VERSION: 25-x64
 
@@ -23,6 +22,7 @@ jobs:
     runs-on: windows-latest
     env:
       WINDOWS_AGENTS: true
+      BOLT_WINRM_PORT: 35986
     steps:
       - name: Checkout repository
         uses: actions/checkout@v1
@@ -55,10 +55,12 @@ jobs:
       - name: Pre-test setup
         shell: powershell
         run: |
-          docker-compose -f spec\docker-compose-windev.yml build
-          docker-compose -f spec\docker-compose-windev.yml up -d
-          . scripts\ci.ps1
-          Set-ActiveRubyFromPuppet
+          Enable-PSRemoting
+          winrm "set" "winrm/config/client/auth" "@{Certificate=`"true`"}"
+          #winrm "set" "winrm/config/client" "@{AllowUnencrypted=`"true`"}"
+          # docker-compose prints stdout to stderr, which causes this to fail with no errors
+          try { docker-compose -f spec\docker-compose-windev.yml up -d --build }
+          catch [System.Management.Automation.RuntimeException] { exit 0 }
       - name: Run tests
         shell: powershell
         run: bundle exec rake integration:windows_agents
@@ -100,9 +102,12 @@ jobs:
       - name: Pre-test setup
         shell: powershell
         run: |
-          docker-compose -f spec\docker-compose-windev.yml build
-          docker-compose -f spec\docker-compose-windev.yml up -d
-          . scripts\ci.ps1
+          Enable-PSRemoting
+          winrm "set" "winrm/config/client/auth" "@{Certificate=`"true`"}"
+          #winrm "set" "winrm/config/client" "@{AllowUnencrypted=`"true`"}"
+          # docker-compose prints stdout to stderr, which causes this to fail with no errors
+          try { docker-compose -f spec\docker-compose-windev.yml up -d --build }
+          catch [System.Management.Automation.RuntimeException] { exit 0 }
       - name: Run tests
         shell: powershell
         run: bundle exec rake windows_ci

scripts/ci.ps1

@@ -1,158 +1,6 @@
 $InformationPreference = 'Continue'
 $ErrorActionPreference = 'Stop'
 
-function Set-CACert
-{
-  $uri = 'https://curl.haxx.se/ca/cacert.pem'
-  $CACertFile = Join-Path -Path $ENV:AppData -ChildPath 'RubyCACert.pem'
-
-  $retryArgs = @{
-    SuccessMessage = "Succeeded in downloading CA bundle from $uri"
-    FailMessage    = "Failed to download CA bundle from $uri"
-    Retries        = 5
-    Timeout        = 1
-    Script         = {
-      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-      Invoke-WebRequest -Uri $uri -UseBasicParsing -OutFile $CACertFile | Out-Null
-    }
-  }
-
-  # only download CA file if not present - throw on failures
-  If (-Not (Test-Path -Path $CACertFile)) { Invoke-ScriptBlockWithRetry @retryArgs }
-
-  Write-Information "Setting CA Certificate store set to $CACertFile.."
-  $ENV:SSL_CERT_FILE = $CACertFile
-  [System.Environment]::SetEnvironmentVariable('SSL_CERT_FILE', $CACertFile, [System.EnvironmentVariableTarget]::Machine)
-}
-
-function Install-Puppetfile
-{
-  Set-CACert
-
-  # Forge connections may fail intermittently
-  $retryArgs = @{
-    SuccessMessage = 'Succeeded in installing Puppetfile'
-    FailMessage    = 'Failed to install required modules from Forge'
-    Retries        = 10
-    Timeout        = 2
-    Script         = { bundle exec r10k puppetfile install }
-  }
-
-  Invoke-ScriptBlockWithRetry @retryArgs
-}
-
-function New-RandomPassword
-{
-  Add-Type -AssemblyName System.Web
-  "&aA4" + [System.Web.Security.Membership]::GeneratePassword(10, 3)
-}
-
-function New-LocalAdmin($userName, $password)
-{
-  $userArgs = @{
-    Name     = $userName
-    Password = (ConvertTo-SecureString -String $password -Force -AsPlainText)
-  }
-
-  $user = New-LocalUser @userArgs
-  Write-Information ($user | Format-List | Out-String)
-  Add-LocalGroupMember -Group 'Remote Management Users' -Member $user
-  Add-LocalGroupMember -Group Administrators -Member $user
-}
-
-function Install-Certificate($path, $password)
-{
-  $importArgs = @{
-    FilePath          = $path
-    CertStoreLocation = 'cert:\\LocalMachine\\My'
-    Password          = (ConvertTo-SecureString -String $password -Force -AsPlainText)
-  }
-
-  return (Import-PfxCertificate @importArgs)
-}
-
-#function Grant-WinRMHttpsAccess($certThumbprint)
-#{
-#  $winRMArgs = @{
-#    ResourceURI = 'winrm/config/Listener'
-#    SelectorSet = @{ Address = '*'; Transport = 'HTTPS'; }
-#    ValueSet    = @{ Hostname = 'boltserver'; CertificateThumbprint = $certThumbprint }
-#  }
-#  $instance = Set-WSManInstance @winRMArgs
-#  Write-Information ($instance | Format-List | Out-String)
-#}
-
-#function Set-WinRMHostConfiguration
-#{
-#  # configure WinRM to use cert.pfx for SSL
-#  $cert = Install-Certificate -Path 'spec/fixtures/ssl/cert.pfx' -Password 'bolt'
-#  Write-Information ($cert | Format-List | Out-String)
-#  Grant-WinRMHttpsAccess -CertThumbprint $cert.Thumbprint
-#}
-
-function Invoke-ScriptBlockWithRetry([ScriptBlock]$script, $failMessage, $successMessage, $retries = 15, $timeout = 1)
-{
-  $retried = 0
-
-  Do
-  {
-    try {
-      $script.Invoke()
-      Write-Information "$successMessage after $($retried + 1) attempt(s)"
-      return $true
-    }
-    catch
-    {
-      $retried++
-      Start-Sleep -Seconds $timeout
-    }
-  } While ($retried -lt $retries)
-
-  throw "ERROR: $failMessage in $retried retries`n$($Error[0])"
-
-}
-
-#function Test-WinRMConfiguration($userName, $password, $retries = 15, $timeout = 1)
-#{
-#  $retryArgs = @{
-#    FailMessage    = 'Failed to establish WinRM connection over SSL'
-#    SuccessMessage = "Successfully established WinRM connection with $userName"
-#    Retries        = $retries
-#    Timeout        = $timeout
-#    Script         = {
-#      $pass = ConvertTo-SecureString $password -AsPlainText -Force
-#      $sessionArgs = @{
-#        ComputerName = 'localhost'
-#        Credential   = New-Object System.Management.Automation.PSCredential ($userName, $pass)
-#        UseSSL       = $true
-#        SessionOption = New-PSSessionOption -SkipRevocationCheck -SkipCACheck
-#      }
-#
-#      if (New-PSSession @sessionArgs) { return $true }
-#    }
-#  }
-#
-#  Invoke-ScriptBlockWithRetry @retryArgs
-#}
-
-# Ensure Puppet Ruby 5 / 6 takes precedence over system Ruby
-function Set-ActiveRubyFromPuppet
-{
-  # https://github.com/puppetlabs/puppet-specifications/blob/master/file_paths.md
-  $path = @(
-    "${ENV:ProgramFiles}\Puppet Labs\Puppet\sys\ruby\bin",
-    "${ENV:ProgramFiles}\Puppet Labs\Puppet\puppet\bin",
-    $ENV:Path
-  ) -join ';'
-
-  [System.Environment]::SetEnvironmentVariable('Path', $path, [System.EnvironmentVariableTarget]::Machine)
-}
-
-$Pass = New-RandomPassword
-$User = @{ UserName = $ENV:BOLT_WINRM_USER; Password = $Pass }
-New-LocalAdmin @User
-#Enable-PSRemoting
-#Set-WSManQuickConfig -Force
-#Set-WinRMHostConfiguration
-#Test-WinRMConfiguration @User | Out-Null
-#Write-Output "::set-env name=BOLT_WINRM_PASSWORD::$pass"
+Enable-PSRemoting
+winrm "set" "winrm/config/client/auth" "@{Basic=`"true`"}"
+winrm "set" "winrm/config/client" "@{AllowUnencrypted=`"true`"}"

spec/Dockerfile.winagent

@@ -0,0 +1,7 @@
+FROM mcr.microsoft.com/windows/servercore:ltsc2019
+
+COPY fixtures/scripts/windev/setup.ps1 ./
+COPY fixtures/scripts/windev/agent.ps1 ./
+RUN powershell ./setup.ps1
+RUN powershell ./agent.ps1
+CMD ["powershell", "Start-Sleep", "-s 1000000"]

spec/Dockerfile.windev

@@ -1,6 +1,6 @@
 FROM mcr.microsoft.com/windows/servercore:ltsc2019
 
-ADD fixtures/ssl/cert.pfx C:\cert.pfx
-ADD fixtures/scripts/windev/setup.ps1 C:\setup.ps1
-RUN powershell C:\setup.ps1
-# TODO: Remove file? Do we care?
+COPY fixtures/ssl/cert.pfx ./
+COPY fixtures/scripts/windev/setup.ps1 ./
+RUN powershell ./setup.ps1
+CMD ["powershell", "Start-Sleep", "-s 1000000"]

spec/docker-compose-windev.yml

@@ -4,8 +4,16 @@ services:
     build:
       context: .
       dockerfile: Dockerfile.windev
-    image: windows_node
+    hostname: boltserver
     ports:
       - "25985:5985"
-      - "2455:455"
-    container_name: windows_node
+      - "25986:5986"
+
+  windows_agent:
+    build:
+      context: .
+      dockerfile: Dockerfile.winagent
+    hostname: boltserver
+    ports:
+      - "35985:5985"
+      - "35986:5986"

spec/fixtures/scripts/windev/setup.ps1

@@ -1,14 +1,23 @@
+# Disable password complexity requirements
+secedit /export /cfg c:\secpol.cfg
+(gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg
+secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
+rm -force c:\secpol.cfg -confirm:$false
+
 # add the bolt user account
-($user = New-LocalUser -Name bolt -Password (ConvertTo-SecureString -String bolt -Force -AsPlainText)) | Format-List
+New-LocalUser -Name bolt -Password (ConvertTo-SecureString -String bolt -Force -AsPlainText)
 # add the bolt user to the 'Remote Management Users' group
-Add-LocalGroupMember -Group 'Remote Management Users' -Member $user
-Add-LocalGroupMember -Group 'Administrators' -Member $user
+Add-LocalGroupMember -Group 'Remote Management Users' -Member "bolt"
+Add-LocalGroupMember -Group 'Administrators' -Member "bolt"
 
 # import the certificate to be used for the winrm-ssl
 ($cert = Import-PfxCertificate -FilePath C:\\cert.pfx -CertStoreLocation cert:\\LocalMachine\\My -Password (ConvertTo-SecureString -String bolt -Force -AsPlainText)) | Format-List
 
 # add the winrm-ssl listener
 New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{Address='*';Transport='HTTPS'} -ValueSet @{Hostname='boltserver';CertificateThumbprint=$cert.Thumbprint} | Format-List
 
-# add a firewall rule allowing access to the winrm-ssl port (TCP port 5986)
-New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow | Format-List
+Enable-PSRemoting
+Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
+winrm "set" "winrm/config/service/auth" "@{Basic=`"true`"}"
+winrm "set" "winrm/config/service/auth" "@{Certificate=`"true`"}"
+#winrm "set" "winrm/config/service/" "@{AllowUnencrypted=`"true`"}"

spec/integration/apply_spec.rb

@@ -430,8 +430,7 @@ def task_plugin_inventory
     def config
       { 'modulepath' => File.join(__dir__, '../fixtures/apply'),
         'winrm' => {
-          'ssl' => false,
-          'ssl-verify' => false,
+          'cacert' => File.join(__dir__, '../fixtures/ssl/ca.pem'),
           'user' => conn_info('winrm')[:user],
           'password' => conn_info('winrm')[:password]
         } }

spec/integration/winrm_spec.rb

@@ -14,10 +14,11 @@
   let(:uri) { conn_uri('winrm') }
   let(:password) { conn_info('winrm')[:password] }
   let(:user) { conn_info('winrm')[:user] }
+  let(:cacert) { File.join(__dir__, '../fixtures/ssl/ca.pem') }
 
   context 'when using CLI options' do
     let(:config_flags) {
-      %W[--targets #{uri} --no-ssl --no-ssl-verify --format json --modulepath #{modulepath}
+      %W[--targets #{uri} --cacert #{cacert} --format json --modulepath #{modulepath}
          --password #{password}]
     }
 
@@ -93,8 +94,7 @@
         'winrm' => {
           'user' => user,
           'password' => password,
-          'ssl' => false,
-          'ssl-verify' => false
+          'cacert' => cacert
         }
       }
     }

spec/lib/bolt_spec/conn.rb

@@ -19,7 +19,7 @@ def conn_info(transport)
       when 'ssh'
         default_port = 20022
       when 'winrm'
-        default_port = 25985
+        default_port = 25986
       when 'docker'
         default_user = ''
         default_password = ''