Merge pull request #6972 from aspectcapital/powershell-system-account

Allow Powershell provisioner to use service accounts
2018-11-12 14:52:55 -08:00 · 2018-11-12 14:52:55 -08:00 · 3d6b484989
parent cf293c3310 412119c27e
commit 3d6b484989
4 changed files with 24 additions and 10 deletions
--- a/provisioner/powershell/elevated.go
+++ b/provisioner/powershell/elevated.go
@ -19,11 +19,11 @@ $log = [System.Environment]::ExpandEnvironmentVariables("{{.LogFile}}")
 $s = New-Object -ComObject "Schedule.Service"
 $s.Connect()
 $t = $s.NewTask($null)
-$t.XmlText = @'
+$xml = [xml]@'
 <?xml version="1.0" encoding="UTF-16"?>
 <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
-	<Description>{{.TaskDescription}}</Description>
+    <Description>{{.TaskDescription}}</Description>
  </RegistrationInfo>
  <Principals>
    <Principal id="Author">
@ -59,9 +59,20 @@ $t.XmlText = @'
  </Actions>
 </Task>
 '@
+$logon_type = 1
+$password = "{{.Password}}"
+if ($password.Length -eq 0) {
+  $logon_type = 5
+  $password = $null
+  $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
+  $ns.AddNamespace("ns", $xml.DocumentElement.NamespaceURI)
+  $node = $xml.SelectSingleNode("/ns:Task/ns:Principals/ns:Principal/ns:LogonType", $ns)
+  $node.ParentNode.RemoveChild($node) | Out-Null
+}
+$t.XmlText = $xml.OuterXml
 if (Test-Path variable:global:ProgressPreference){$ProgressPreference="SilentlyContinue"}
 $f = $s.GetFolder("\")
-$f.RegisterTaskDefinition($name, $t, 6, "{{.User}}", "{{.Password}}", 1, $null) | Out-Null
+$f.RegisterTaskDefinition($name, $t, 6, "{{.User}}", $password, $logon_type, $null) | Out-Null
 $t = $f.GetTask("\$name")
 $t.Run($null) | Out-Null
 $timeout = 10
--- a/provisioner/powershell/provisioner.go
+++ b/provisioner/powershell/provisioner.go
@ -190,11 +190,6 @@ func (p *Provisioner) Prepare(raws ...interface{}) error {
 			errors.New("Only one of script or scripts can be specified."))
 	}

-	if p.config.ElevatedUser != "" && p.config.ElevatedPassword == "" {
-		errs = packer.MultiErrorAppend(errs,
-			errors.New("Must supply an 'elevated_password' if 'elevated_user' provided"))
-	}
-
 	if p.config.ElevatedUser == "" && p.config.ElevatedPassword != "" {
 		errs = packer.MultiErrorAppend(errs,
 			errors.New("Must supply an 'elevated_user' if 'elevated_password' provided"))
--- a/provisioner/powershell/provisioner_test.go
+++ b/provisioner/powershell/provisioner_test.go
@ -148,8 +148,8 @@ func TestProvisionerPrepare_Elevated(t *testing.T) {
 	config["elevated_user"] = "vagrant"
 	err := p.Prepare(config)

-	if err == nil {
-		t.Fatal("should have error (only provided elevated_user)")
+	if err != nil {
+		t.Fatal("should not have error")
 	}

 	config["elevated_password"] = "vagrant"
--- a/website/source/docs/provisioners/powershell.html.md
+++ b/website/source/docs/provisioners/powershell.html.md
@ -120,6 +120,14 @@ Optional parameters:
    "elevated_password": "{{.WinRMPassword}}",
    ```

+    If you specify an empty `elevated_password` value then the PowerShell
+    script is run as a service account. For example:
+
+    ``` json
+    "elevated_user": "SYSTEM",
+    "elevated_password": "",
+    ```
+
 -   `remote_path` (string) - The path where the PowerShell script will be
    uploaded to within the target build machine. This defaults to
    `C:/Windows/Temp/script-UUID.ps1` where UUID is replaced with a dynamically