Merge branch 'develop' into openbsd_kvm

2024-11-07 17:09:03 +00:00 · 2017-07-12 19:28:30 +02:00 · 2017-07-12 19:28:30 +02:00 · acbc7dacf5
commit acbc7dacf5
parent c9eade574c 5f01dccf8f
5 changed files with 41 additions and 10 deletions
--- a/doc/topics/cloud/windows.rst
+++ b/doc/topics/cloud/windows.rst
@ -48,6 +48,15 @@ from saltstack.com:

 .. __: https://repo.saltstack.com/windows/

+.. _new-pywinrm:
+
+Self Signed Certificates with WinRM
+===================================
+
+Salt-Cloud can use versions of ``pywinrm<=0.1.1`` or ``pywinrm>=0.2.1``.
+
+For versions greater than `0.2.1`, ``winrm_verify_ssl`` needs to be set to
+`False` if the certificate is self signed and not verifiable.

 Firewall Settings
 =================
@ -179,7 +188,8 @@ The default Windows user is `Administrator`, and the default Windows password
 is blank.

 If WinRM is to be used ``use_winrm`` needs to be set to `True`. ``winrm_port``
-can be used to specify a custom port (must be HTTPS listener).
+can be used to specify a custom port (must be HTTPS listener).  And
+``winrm_verify_ssl`` can be set to `False` to use a self signed certificate.


 Auto-Generated Passwords on EC2
--- a/doc/topics/releases/oxygen.rst
+++ b/doc/topics/releases/oxygen.rst
@ -49,6 +49,12 @@ environments (i.e. ``saltenvs``) have been added:
   ignore all tags and use branches only, and also to keep SHAs from being made
   available as saltenvs.

+Salt Cloud and Newer PyWinRM Versions
+-------------------------------------
+
+Versions of ``pywinrm>=0.2.1`` are finally able to disable validation of self
+signed certificates.  :ref:`Here<new-pywinrm>` for more information.
+
 Configuration Option Deprecations
 ---------------------------------

--- a/salt/cloud/clouds/ec2.py
+++ b/salt/cloud/clouds/ec2.py
@ -2328,6 +2328,9 @@ def wait_for_instance(
        use_winrm = config.get_cloud_config_value(
            'use_winrm', vm_, __opts__, default=False
        )
+        winrm_verify_ssl = config.get_cloud_config_value(
+            'winrm_verify_ssl', vm_, __opts__, default=True
+        )

        if win_passwd and win_passwd == 'auto':
            log.debug('Waiting for auto-generated Windows EC2 password')
@ -2399,7 +2402,8 @@ def wait_for_instance(
                                                          winrm_port,
                                                          username,
                                                          win_passwd,
-                                                          timeout=ssh_connect_timeout):
+                                                          timeout=ssh_connect_timeout,
+                                                          verify=winrm_verify_ssl):
                raise SaltCloudSystemExit(
                    'Failed to authenticate against remote windows host'
                )
--- a/salt/modules/gpg.py
+++ b/salt/modules/gpg.py
@ -1056,7 +1056,7 @@ def verify(text=None,

    signature
        Specify the filename of a detached signature.
-    .. versionadded:: Nitrogen
+    .. versionadded:: Oxygen

    CLI Example:

--- a/salt/utils/cloud.py
+++ b/salt/utils/cloud.py
@ -500,7 +500,10 @@ def bootstrap(vm_, opts):
            'winrm_port', vm_, opts, default=5986
        )
        deploy_kwargs['winrm_use_ssl'] = salt.config.get_cloud_config_value(
-        'winrm_use_ssl', vm_, opts, default=True
+            'winrm_use_ssl', vm_, opts, default=True
+        )
+        deploy_kwargs['winrm_verify_ssl'] = salt.config.get_cloud_config_value(
+            'winrm_verify_ssl', vm_, opts, default=True
        )

    # Store what was used to the deploy the VM
@ -826,7 +829,7 @@ def wait_for_winexesvc(host, port, username, password, timeout=900):
            )


-def wait_for_winrm(host, port, username, password, timeout=900, use_ssl=True):
+def wait_for_winrm(host, port, username, password, timeout=900, use_ssl=True, verify=True):
    '''
    Wait until WinRM connection can be established.
    '''
@ -836,14 +839,20 @@ def wait_for_winrm(host, port, username, password, timeout=900, use_ssl=True):
            host, port
        )
    )
+    transport = 'ssl'
+    if not use_ssl:
+        transport = 'plaintext'
    trycount = 0
    while True:
        trycount += 1
        try:
-            transport = 'ssl'
-            if not use_ssl:
-                transport = 'plaintext'
-            s = winrm.Session(host, auth=(username, password), transport=transport)
+            winrm_kwargs = {'target': host,
+                            'auth': (username, password),
+                            'transport': transport}
+            if not verify:
+                log.debug("SSL validation for WinRM disabled.")
+                winrm_kwargs['server_cert_validation'] = 'ignore'
+            s = winrm.Session(**winrm_kwargs)
            if hasattr(s.protocol, 'set_timeout'):
                s.protocol.set_timeout(15)
            log.trace('WinRM endpoint url: {0}'.format(s.url))
@ -991,6 +1000,7 @@ def deploy_windows(host,
                   use_winrm=False,
                   winrm_port=5986,
                   winrm_use_ssl=True,
+                   winrm_verify_ssl=True,
                   **kwargs):
    '''
    Copy the install files to a remote Windows box, and execute them
@ -1017,7 +1027,8 @@ def deploy_windows(host,
    if HAS_WINRM and use_winrm:
        winrm_session = wait_for_winrm(host=host, port=winrm_port,
                                       username=username, password=password,
-                                       timeout=port_timeout * 60, use_ssl=winrm_use_ssl)
+                                       timeout=port_timeout * 60, use_ssl=winrm_use_ssl,
+                                       verify=winrm_verify_ssl)
        if winrm_session is not None:
            service_available = True
    else: