From a7b407eab6afa1e4fd6574199e7bc4c33b9465f2 Mon Sep 17 00:00:00 2001 From: Matt Dainty Date: Thu, 6 Dec 2018 15:09:57 +0000 Subject: [PATCH 1/8] Naive support for elevated support for puppet-server provisioner This commit just lifts the various bits out of the powershell provisioner. --- provisioner/puppet-server/elevated.go | 100 +++++++++++++++++ provisioner/puppet-server/provisioner.go | 137 ++++++++++++++++++++++- 2 files changed, 233 insertions(+), 4 deletions(-) create mode 100644 provisioner/puppet-server/elevated.go diff --git a/provisioner/puppet-server/elevated.go b/provisioner/puppet-server/elevated.go new file mode 100644 index 000000000..5890a2aa0 --- /dev/null +++ b/provisioner/puppet-server/elevated.go @@ -0,0 +1,100 @@ +package puppetserver + +import ( + "text/template" +) + +type elevatedOptions struct { + User string + Password string + TaskName string + TaskDescription string + LogFile string + XMLEscapedCommand string +} + +var elevatedTemplate = template.Must(template.New("ElevatedCommand").Parse(` +$name = "{{.TaskName}}" +$log = [System.Environment]::ExpandEnvironmentVariables("{{.LogFile}}") +$s = New-Object -ComObject "Schedule.Service" +$s.Connect() +$t = $s.NewTask($null) +$xml = [xml]@' + + + + {{.TaskDescription}} + + + + {{.User}} + Password + HighestAvailable + + + + IgnoreNew + false + false + true + false + false + + false + false + + true + true + false + false + false + PT24H + 4 + + + + cmd + /c {{.XMLEscapedCommand}} + + + +'@ +$logon_type = 1 +$password = "{{.Password}}" +if ($password.Length -eq 0) { + $logon_type = 5 + $password = $null + $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable) + $ns.AddNamespace("ns", $xml.DocumentElement.NamespaceURI) + $node = $xml.SelectSingleNode("/ns:Task/ns:Principals/ns:Principal/ns:LogonType", $ns) + $node.ParentNode.RemoveChild($node) | Out-Null +} +$t.XmlText = $xml.OuterXml +if (Test-Path variable:global:ProgressPreference){$ProgressPreference="SilentlyContinue"} +$f = $s.GetFolder("\") +$f.RegisterTaskDefinition($name, $t, 6, "{{.User}}", $password, $logon_type, $null) | Out-Null +$t = $f.GetTask("\$name") +$t.Run($null) | Out-Null +$timeout = 10 +$sec = 0 +while ((!($t.state -eq 4)) -and ($sec -lt $timeout)) { + Start-Sleep -s 1 + $sec++ +} + +$line = 0 +do { + Start-Sleep -m 100 + if (Test-Path $log) { + Get-Content $log | select -skip $line | ForEach { + $line += 1 + Write-Output "$_" + } + } +} while (!($t.state -eq 3)) +$result = $t.LastTaskResult +if (Test-Path $log) { + Remove-Item $log -Force -ErrorAction SilentlyContinue | Out-Null +} +[System.Runtime.Interopservices.Marshal]::ReleaseComObject($s) | Out-Null +exit $result`)) diff --git a/provisioner/puppet-server/provisioner.go b/provisioner/puppet-server/provisioner.go index b7ec34ea7..4612606fe 100644 --- a/provisioner/puppet-server/provisioner.go +++ b/provisioner/puppet-server/provisioner.go @@ -3,18 +3,30 @@ package puppetserver import ( + "bytes" + "encoding/xml" "fmt" + "log" "os" "path/filepath" "strings" "github.com/hashicorp/packer/common" + "github.com/hashicorp/packer/common/uuid" + commonhelper "github.com/hashicorp/packer/helper/common" "github.com/hashicorp/packer/helper/config" "github.com/hashicorp/packer/packer" "github.com/hashicorp/packer/provisioner" "github.com/hashicorp/packer/template/interpolate" ) +var psEscape = strings.NewReplacer( + "$", "`$", + "\"", "`\"", + "`", "``", + "'", "`'", +) + type Config struct { common.PackerConfig `mapstructure:",squash"` ctx interpolate.Context @@ -63,6 +75,12 @@ type Config struct { // The directory from which the command will be executed. // Packer requires the directory to exist when running puppet. WorkingDir string `mapstructure:"working_directory"` + + // Instructs the communicator to run the remote script as a Windows + // scheduled task, effectively elevating the remote user by impersonating + // a logged-in user + ElevatedUser string `mapstructure:"elevated_user"` + ElevatedPassword string `mapstructure:"elevated_password"` } type guestOSTypeConfig struct { @@ -112,6 +130,7 @@ var guestOSTypeConfigs = map[string]guestOSTypeConfig{ type Provisioner struct { config Config + communicator packer.Communicator guestOSTypeConfig guestOSTypeConfig guestCommands *provisioner.GuestCommands } @@ -129,7 +148,17 @@ type ExecuteTemplate struct { WorkingDir string } +type EnvVarsTemplate struct { + WinRMPassword string +} + func (p *Provisioner) Prepare(raws ...interface{}) error { + // Create passthrough for winrm password so we can fill it in once we know + // it + p.config.ctx.Data = &EnvVarsTemplate{ + WinRMPassword: `{{.WinRMPassword}}`, + } + err := config.Decode(&p.config, &config.DecodeOpts{ Interpolate: true, InterpolateContext: &p.config.ctx, @@ -210,6 +239,7 @@ func (p *Provisioner) Prepare(raws ...interface{}) error { func (p *Provisioner) Provision(ui packer.Ui, comm packer.Communicator) error { ui.Say("Provisioning with Puppet...") + p.communicator = comm ui.Message("Creating Puppet staging directory...") if err := p.createDir(ui, comm, p.config.StagingDir); err != nil { return fmt.Errorf("Error creating staging directory: %s", err) @@ -269,6 +299,13 @@ func (p *Provisioner) Provision(ui packer.Ui, comm packer.Communicator) error { return err } + if p.config.ElevatedUser != "" { + command, err = p.createCommandTextPrivileged(command) + if err != nil { + return err + } + } + cmd := &packer.RemoteCmd{ Command: command, } @@ -321,10 +358,7 @@ func (p *Provisioner) createDir(ui packer.Ui, comm packer.Communicator, dir stri } func (p *Provisioner) removeDir(ui packer.Ui, comm packer.Communicator, dir string) error { - cmd := &packer.RemoteCmd{ - Command: fmt.Sprintf("rm -fr '%s'", dir), - } - + cmd := &packer.RemoteCmd{Command: p.guestCommands.RemoveDir(dir)} if err := cmd.StartWithUi(comm, ui); err != nil { return err } @@ -349,3 +383,98 @@ func (p *Provisioner) uploadDirectory(ui packer.Ui, comm packer.Communicator, ds return comm.UploadDir(dst, src, nil) } + +func getWinRMPassword(buildName string) string { + winRMPass, _ := commonhelper.RetrieveSharedState("winrm_password", buildName) + packer.LogSecretFilter.Set(winRMPass) + return winRMPass +} + +func (p *Provisioner) createCommandTextPrivileged(input string) (output string, err error) { + // OK so we need an elevated shell runner to wrap our command, this is + // going to have its own path generate the script and update the command + // runner in the process + path, err := p.generateElevatedRunner(input) + if err != nil { + return "", fmt.Errorf("Error generating elevated runner: %s", err) + } + + // Return the path to the elevated shell wrapper + output = fmt.Sprintf("powershell -executionpolicy bypass -file \"%s\"", path) + + return output, err +} + +func (p *Provisioner) generateElevatedRunner(command string) (uploadedPath string, err error) { + log.Printf("Building elevated command wrapper for: %s", command) + + var buffer bytes.Buffer + + // Output from the elevated command cannot be returned directly to the + // Packer console. In order to be able to view output from elevated + // commands and scripts an indirect approach is used by which the commands + // output is first redirected to file. The output file is then 'watched' + // by Packer while the elevated command is running and any content + // appearing in the file is written out to the console. Below the portion + // of command required to redirect output from the command to file is + // built and appended to the existing command string + taskName := fmt.Sprintf("packer-%s", uuid.TimeOrderedUUID()) + // Only use %ENVVAR% format for environment variables when setting the log + // file path; Do NOT use $env:ENVVAR format as it won't be expanded + // correctly in the elevatedTemplate + logFile := `%SYSTEMROOT%/Temp/` + taskName + ".out" + command += fmt.Sprintf(" > %s 2>&1", logFile) + + // elevatedTemplate wraps the command in a single quoted XML text string + // so we need to escape characters considered 'special' in XML. + err = xml.EscapeText(&buffer, []byte(command)) + if err != nil { + return "", fmt.Errorf("Error escaping characters special to XML in command %s: %s", command, err) + } + escapedCommand := buffer.String() + log.Printf("Command [%s] converted to [%s] for use in XML string", command, escapedCommand) + buffer.Reset() + + // Escape chars special to PowerShell in the ElevatedUser string + escapedElevatedUser := psEscape.Replace(p.config.ElevatedUser) + if escapedElevatedUser != p.config.ElevatedUser { + log.Printf("Elevated user %s converted to %s after escaping chars special to PowerShell", + p.config.ElevatedUser, escapedElevatedUser) + } + // Replace ElevatedPassword for winrm users who used this feature + p.config.ctx.Data = &EnvVarsTemplate{ + WinRMPassword: getWinRMPassword(p.config.PackerBuildName), + } + + p.config.ElevatedPassword, _ = interpolate.Render(p.config.ElevatedPassword, &p.config.ctx) + + // Escape chars special to PowerShell in the ElevatedPassword string + escapedElevatedPassword := psEscape.Replace(p.config.ElevatedPassword) + if escapedElevatedPassword != p.config.ElevatedPassword { + log.Printf("Elevated password %s converted to %s after escaping chars special to PowerShell", + p.config.ElevatedPassword, escapedElevatedPassword) + } + + // Generate command + err = elevatedTemplate.Execute(&buffer, elevatedOptions{ + User: escapedElevatedUser, + Password: escapedElevatedPassword, + TaskName: taskName, + TaskDescription: "Packer elevated task", + LogFile: logFile, + XMLEscapedCommand: escapedCommand, + }) + + if err != nil { + fmt.Printf("Error creating elevated template: %s", err) + return "", err + } + uuid := uuid.TimeOrderedUUID() + path := fmt.Sprintf(`C:/Windows/Temp/packer-elevated-shell-%s.ps1`, uuid) + log.Printf("Uploading elevated shell wrapper for command [%s] to [%s]", command, path) + err = p.communicator.Upload(path, &buffer, nil) + if err != nil { + return "", fmt.Errorf("Error preparing elevated powershell script: %s", err) + } + return path, err +} From 11be4ffc4b3bb3a8055c9cb623dfbf1f00d784df Mon Sep 17 00:00:00 2001 From: Matt Dainty Date: Thu, 6 Dec 2018 18:00:22 +0000 Subject: [PATCH 2/8] Attempt at generalising elevated support Refactor puppet-server provisioner to use it. --- provisioner/elevated.go | 192 +++++++++++++++++++++++ provisioner/puppet-server/elevated.go | 100 ------------ provisioner/puppet-server/provisioner.go | 99 ++---------- 3 files changed, 201 insertions(+), 190 deletions(-) create mode 100644 provisioner/elevated.go delete mode 100644 provisioner/puppet-server/elevated.go diff --git a/provisioner/elevated.go b/provisioner/elevated.go new file mode 100644 index 000000000..d34e97e0a --- /dev/null +++ b/provisioner/elevated.go @@ -0,0 +1,192 @@ +package provisioner + +import ( + "bytes" + "encoding/xml" + "fmt" + "log" + "strings" + "text/template" + + "github.com/hashicorp/packer/common/uuid" + "github.com/hashicorp/packer/packer" +) + +type ElevatedProvisioner interface { + Communicator() packer.Communicator + ElevatedUser() string + ElevatedPassword() string +} + +type elevatedOptions struct { + User string + Password string + TaskName string + TaskDescription string + LogFile string + XMLEscapedCommand string +} + +var psEscape = strings.NewReplacer( + "$", "`$", + "\"", "`\"", + "`", "``", + "'", "`'", +) + +var elevatedTemplate = template.Must(template.New("ElevatedCommand").Parse(` +$name = "{{.TaskName}}" +$log = [System.Environment]::ExpandEnvironmentVariables("{{.LogFile}}") +$s = New-Object -ComObject "Schedule.Service" +$s.Connect() +$t = $s.NewTask($null) +$xml = [xml]@' + + + + {{.TaskDescription}} + + + + {{.User}} + Password + HighestAvailable + + + + IgnoreNew + false + false + true + false + false + + false + false + + true + true + false + false + false + PT24H + 4 + + + + cmd + /c {{.XMLEscapedCommand}} + + + +'@ +$logon_type = 1 +$password = "{{.Password}}" +if ($password.Length -eq 0) { + $logon_type = 5 + $password = $null + $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable) + $ns.AddNamespace("ns", $xml.DocumentElement.NamespaceURI) + $node = $xml.SelectSingleNode("/ns:Task/ns:Principals/ns:Principal/ns:LogonType", $ns) + $node.ParentNode.RemoveChild($node) | Out-Null +} +$t.XmlText = $xml.OuterXml +if (Test-Path variable:global:ProgressPreference){$ProgressPreference="SilentlyContinue"} +$f = $s.GetFolder("\") +$f.RegisterTaskDefinition($name, $t, 6, "{{.User}}", $password, $logon_type, $null) | Out-Null +$t = $f.GetTask("\$name") +$t.Run($null) | Out-Null +$timeout = 10 +$sec = 0 +while ((!($t.state -eq 4)) -and ($sec -lt $timeout)) { + Start-Sleep -s 1 + $sec++ +} + +$line = 0 +do { + Start-Sleep -m 100 + if (Test-Path $log) { + Get-Content $log | select -skip $line | ForEach { + $line += 1 + Write-Output "$_" + } + } +} while (!($t.state -eq 3)) +$result = $t.LastTaskResult +if (Test-Path $log) { + Remove-Item $log -Force -ErrorAction SilentlyContinue | Out-Null +} +[System.Runtime.Interopservices.Marshal]::ReleaseComObject($s) | Out-Null +exit $result`)) + +func GenerateElevatedRunner(command string, p ElevatedProvisioner) (uploadedPath string, err error) { + log.Printf("Building elevated command wrapper for: %s", command) + + var buffer bytes.Buffer + + // Output from the elevated command cannot be returned directly to the + // Packer console. In order to be able to view output from elevated + // commands and scripts an indirect approach is used by which the commands + // output is first redirected to file. The output file is then 'watched' + // by Packer while the elevated command is running and any content + // appearing in the file is written out to the console. Below the portion + // of command required to redirect output from the command to file is + // built and appended to the existing command string + taskName := fmt.Sprintf("packer-%s", uuid.TimeOrderedUUID()) + // Only use %ENVVAR% format for environment variables when setting the log + // file path; Do NOT use $env:ENVVAR format as it won't be expanded + // correctly in the elevatedTemplate + logFile := `%SYSTEMROOT%/Temp/` + taskName + ".out" + command += fmt.Sprintf(" > %s 2>&1", logFile) + + // elevatedTemplate wraps the command in a single quoted XML text string + // so we need to escape characters considered 'special' in XML. + err = xml.EscapeText(&buffer, []byte(command)) + if err != nil { + return "", fmt.Errorf("Error escaping characters special to XML in command %s: %s", command, err) + } + escapedCommand := buffer.String() + log.Printf("Command [%s] converted to [%s] for use in XML string", command, escapedCommand) + buffer.Reset() + + // Escape chars special to PowerShell in the ElevatedUser string + elevatedUser := p.ElevatedUser() + escapedElevatedUser := psEscape.Replace(elevatedUser) + if escapedElevatedUser != elevatedUser { + log.Printf("Elevated user %s converted to %s after escaping chars special to PowerShell", + elevatedUser, escapedElevatedUser) + } + + // Escape chars special to PowerShell in the ElevatedPassword string + elevatedPassword := p.ElevatedPassword() + escapedElevatedPassword := psEscape.Replace(elevatedPassword) + if escapedElevatedPassword != elevatedPassword { + log.Printf("Elevated password %s converted to %s after escaping chars special to PowerShell", + elevatedPassword, escapedElevatedPassword) + } + + // Generate command + err = elevatedTemplate.Execute(&buffer, elevatedOptions{ + User: escapedElevatedUser, + Password: escapedElevatedPassword, + TaskName: taskName, + TaskDescription: "Packer elevated task", + LogFile: logFile, + XMLEscapedCommand: escapedCommand, + }) + + if err != nil { + fmt.Printf("Error creating elevated template: %s", err) + return "", err + } + uuid := uuid.TimeOrderedUUID() + path := fmt.Sprintf(`C:/Windows/Temp/packer-elevated-shell-%s.ps1`, uuid) + log.Printf("Uploading elevated shell wrapper for command [%s] to [%s]", command, path) + err = p.Communicator().Upload(path, &buffer, nil) + if err != nil { + return "", fmt.Errorf("Error preparing elevated powershell script: %s", err) + } + + return fmt.Sprintf("powershell -executionpolicy bypass -file \"%s\"", path), err +} diff --git a/provisioner/puppet-server/elevated.go b/provisioner/puppet-server/elevated.go deleted file mode 100644 index 5890a2aa0..000000000 --- a/provisioner/puppet-server/elevated.go +++ /dev/null @@ -1,100 +0,0 @@ -package puppetserver - -import ( - "text/template" -) - -type elevatedOptions struct { - User string - Password string - TaskName string - TaskDescription string - LogFile string - XMLEscapedCommand string -} - -var elevatedTemplate = template.Must(template.New("ElevatedCommand").Parse(` -$name = "{{.TaskName}}" -$log = [System.Environment]::ExpandEnvironmentVariables("{{.LogFile}}") -$s = New-Object -ComObject "Schedule.Service" -$s.Connect() -$t = $s.NewTask($null) -$xml = [xml]@' - - - - {{.TaskDescription}} - - - - {{.User}} - Password - HighestAvailable - - - - IgnoreNew - false - false - true - false - false - - false - false - - true - true - false - false - false - PT24H - 4 - - - - cmd - /c {{.XMLEscapedCommand}} - - - -'@ -$logon_type = 1 -$password = "{{.Password}}" -if ($password.Length -eq 0) { - $logon_type = 5 - $password = $null - $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable) - $ns.AddNamespace("ns", $xml.DocumentElement.NamespaceURI) - $node = $xml.SelectSingleNode("/ns:Task/ns:Principals/ns:Principal/ns:LogonType", $ns) - $node.ParentNode.RemoveChild($node) | Out-Null -} -$t.XmlText = $xml.OuterXml -if (Test-Path variable:global:ProgressPreference){$ProgressPreference="SilentlyContinue"} -$f = $s.GetFolder("\") -$f.RegisterTaskDefinition($name, $t, 6, "{{.User}}", $password, $logon_type, $null) | Out-Null -$t = $f.GetTask("\$name") -$t.Run($null) | Out-Null -$timeout = 10 -$sec = 0 -while ((!($t.state -eq 4)) -and ($sec -lt $timeout)) { - Start-Sleep -s 1 - $sec++ -} - -$line = 0 -do { - Start-Sleep -m 100 - if (Test-Path $log) { - Get-Content $log | select -skip $line | ForEach { - $line += 1 - Write-Output "$_" - } - } -} while (!($t.state -eq 3)) -$result = $t.LastTaskResult -if (Test-Path $log) { - Remove-Item $log -Force -ErrorAction SilentlyContinue | Out-Null -} -[System.Runtime.Interopservices.Marshal]::ReleaseComObject($s) | Out-Null -exit $result`)) diff --git a/provisioner/puppet-server/provisioner.go b/provisioner/puppet-server/provisioner.go index 4612606fe..686bdf847 100644 --- a/provisioner/puppet-server/provisioner.go +++ b/provisioner/puppet-server/provisioner.go @@ -3,16 +3,12 @@ package puppetserver import ( - "bytes" - "encoding/xml" "fmt" - "log" "os" "path/filepath" "strings" "github.com/hashicorp/packer/common" - "github.com/hashicorp/packer/common/uuid" commonhelper "github.com/hashicorp/packer/helper/common" "github.com/hashicorp/packer/helper/config" "github.com/hashicorp/packer/packer" @@ -20,13 +16,6 @@ import ( "github.com/hashicorp/packer/template/interpolate" ) -var psEscape = strings.NewReplacer( - "$", "`$", - "\"", "`\"", - "`", "``", - "'", "`'", -) - type Config struct { common.PackerConfig `mapstructure:",squash"` ctx interpolate.Context @@ -300,7 +289,7 @@ func (p *Provisioner) Provision(ui packer.Ui, comm packer.Communicator) error { } if p.config.ElevatedUser != "" { - command, err = p.createCommandTextPrivileged(command) + command, err = provisioner.GenerateElevatedRunner(command, p) if err != nil { return err } @@ -390,91 +379,21 @@ func getWinRMPassword(buildName string) string { return winRMPass } -func (p *Provisioner) createCommandTextPrivileged(input string) (output string, err error) { - // OK so we need an elevated shell runner to wrap our command, this is - // going to have its own path generate the script and update the command - // runner in the process - path, err := p.generateElevatedRunner(input) - if err != nil { - return "", fmt.Errorf("Error generating elevated runner: %s", err) - } - - // Return the path to the elevated shell wrapper - output = fmt.Sprintf("powershell -executionpolicy bypass -file \"%s\"", path) - - return output, err +func (p *Provisioner) Communicator() packer.Communicator { + return p.communicator } -func (p *Provisioner) generateElevatedRunner(command string) (uploadedPath string, err error) { - log.Printf("Building elevated command wrapper for: %s", command) +func (p *Provisioner) ElevatedUser() string { + return p.config.ElevatedUser +} - var buffer bytes.Buffer - - // Output from the elevated command cannot be returned directly to the - // Packer console. In order to be able to view output from elevated - // commands and scripts an indirect approach is used by which the commands - // output is first redirected to file. The output file is then 'watched' - // by Packer while the elevated command is running and any content - // appearing in the file is written out to the console. Below the portion - // of command required to redirect output from the command to file is - // built and appended to the existing command string - taskName := fmt.Sprintf("packer-%s", uuid.TimeOrderedUUID()) - // Only use %ENVVAR% format for environment variables when setting the log - // file path; Do NOT use $env:ENVVAR format as it won't be expanded - // correctly in the elevatedTemplate - logFile := `%SYSTEMROOT%/Temp/` + taskName + ".out" - command += fmt.Sprintf(" > %s 2>&1", logFile) - - // elevatedTemplate wraps the command in a single quoted XML text string - // so we need to escape characters considered 'special' in XML. - err = xml.EscapeText(&buffer, []byte(command)) - if err != nil { - return "", fmt.Errorf("Error escaping characters special to XML in command %s: %s", command, err) - } - escapedCommand := buffer.String() - log.Printf("Command [%s] converted to [%s] for use in XML string", command, escapedCommand) - buffer.Reset() - - // Escape chars special to PowerShell in the ElevatedUser string - escapedElevatedUser := psEscape.Replace(p.config.ElevatedUser) - if escapedElevatedUser != p.config.ElevatedUser { - log.Printf("Elevated user %s converted to %s after escaping chars special to PowerShell", - p.config.ElevatedUser, escapedElevatedUser) - } +func (p *Provisioner) ElevatedPassword() string { // Replace ElevatedPassword for winrm users who used this feature p.config.ctx.Data = &EnvVarsTemplate{ WinRMPassword: getWinRMPassword(p.config.PackerBuildName), } - p.config.ElevatedPassword, _ = interpolate.Render(p.config.ElevatedPassword, &p.config.ctx) + elevatedPassword, _ := interpolate.Render(p.config.ElevatedPassword, &p.config.ctx) - // Escape chars special to PowerShell in the ElevatedPassword string - escapedElevatedPassword := psEscape.Replace(p.config.ElevatedPassword) - if escapedElevatedPassword != p.config.ElevatedPassword { - log.Printf("Elevated password %s converted to %s after escaping chars special to PowerShell", - p.config.ElevatedPassword, escapedElevatedPassword) - } - - // Generate command - err = elevatedTemplate.Execute(&buffer, elevatedOptions{ - User: escapedElevatedUser, - Password: escapedElevatedPassword, - TaskName: taskName, - TaskDescription: "Packer elevated task", - LogFile: logFile, - XMLEscapedCommand: escapedCommand, - }) - - if err != nil { - fmt.Printf("Error creating elevated template: %s", err) - return "", err - } - uuid := uuid.TimeOrderedUUID() - path := fmt.Sprintf(`C:/Windows/Temp/packer-elevated-shell-%s.ps1`, uuid) - log.Printf("Uploading elevated shell wrapper for command [%s] to [%s]", command, path) - err = p.communicator.Upload(path, &buffer, nil) - if err != nil { - return "", fmt.Errorf("Error preparing elevated powershell script: %s", err) - } - return path, err + return elevatedPassword } From a42f8fac4db5ca9a34297a71ac25c6fc8e32896a Mon Sep 17 00:00:00 2001 From: Matt Dainty Date: Fri, 7 Dec 2018 11:08:11 +0000 Subject: [PATCH 3/8] Elevated support for puppet-masterless provisioner This should fix #5478. --- provisioner/puppet-masterless/provisioner.go | 56 ++++++++++++++++++-- 1 file changed, 52 insertions(+), 4 deletions(-) diff --git a/provisioner/puppet-masterless/provisioner.go b/provisioner/puppet-masterless/provisioner.go index 3254a6134..8368e37d3 100644 --- a/provisioner/puppet-masterless/provisioner.go +++ b/provisioner/puppet-masterless/provisioner.go @@ -10,6 +10,7 @@ import ( "strings" "github.com/hashicorp/packer/common" + commonhelper "github.com/hashicorp/packer/helper/common" "github.com/hashicorp/packer/helper/config" "github.com/hashicorp/packer/packer" "github.com/hashicorp/packer/provisioner" @@ -65,6 +66,12 @@ type Config struct { // The directory from which the command will be executed. // Packer requires the directory to exist when running puppet. WorkingDir string `mapstructure:"working_directory"` + + // Instructs the communicator to run the remote script as a Windows + // scheduled task, effectively elevating the remote user by impersonating + // a logged-in user + ElevatedUser string `mapstructure:"elevated_user"` + ElevatedPassword string `mapstructure:"elevated_password"` } type guestOSTypeConfig struct { @@ -117,6 +124,7 @@ var guestOSTypeConfigs = map[string]guestOSTypeConfig{ type Provisioner struct { config Config + communicator packer.Communicator guestOSTypeConfig guestOSTypeConfig guestCommands *provisioner.GuestCommands } @@ -135,7 +143,17 @@ type ExecuteTemplate struct { WorkingDir string } +type EnvVarsTemplate struct { + WinRMPassword string +} + func (p *Provisioner) Prepare(raws ...interface{}) error { + // Create passthrough for winrm password so we can fill it in once we know + // it + p.config.ctx.Data = &EnvVarsTemplate{ + WinRMPassword: `{{.WinRMPassword}}`, + } + err := config.Decode(&p.config, &config.DecodeOpts{ Interpolate: true, InterpolateContext: &p.config.ctx, @@ -240,6 +258,7 @@ func (p *Provisioner) Prepare(raws ...interface{}) error { func (p *Provisioner) Provision(ui packer.Ui, comm packer.Communicator) error { ui.Say("Provisioning with Puppet...") + p.communicator = comm ui.Message("Creating Puppet staging directory...") if err := p.createDir(ui, comm, p.config.StagingDir); err != nil { return fmt.Errorf("Error creating staging directory: %s", err) @@ -316,6 +335,13 @@ func (p *Provisioner) Provision(ui packer.Ui, comm packer.Communicator) error { return err } + if p.config.ElevatedUser != "" { + command, err = provisioner.GenerateElevatedRunner(command, p) + if err != nil { + return err + } + } + cmd := &packer.RemoteCmd{ Command: command, } @@ -432,10 +458,7 @@ func (p *Provisioner) createDir(ui packer.Ui, comm packer.Communicator, dir stri } func (p *Provisioner) removeDir(ui packer.Ui, comm packer.Communicator, dir string) error { - cmd := &packer.RemoteCmd{ - Command: fmt.Sprintf("rm -fr '%s'", dir), - } - + cmd := &packer.RemoteCmd{Command: p.guestCommands.RemoveDir(dir)} if err := cmd.StartWithUi(comm, ui); err != nil { return err } @@ -460,3 +483,28 @@ func (p *Provisioner) uploadDirectory(ui packer.Ui, comm packer.Communicator, ds return comm.UploadDir(dst, src, nil) } + +func getWinRMPassword(buildName string) string { + winRMPass, _ := commonhelper.RetrieveSharedState("winrm_password", buildName) + packer.LogSecretFilter.Set(winRMPass) + return winRMPass +} + +func (p *Provisioner) Communicator() packer.Communicator { + return p.communicator +} + +func (p *Provisioner) ElevatedUser() string { + return p.config.ElevatedUser +} + +func (p *Provisioner) ElevatedPassword() string { + // Replace ElevatedPassword for winrm users who used this feature + p.config.ctx.Data = &EnvVarsTemplate{ + WinRMPassword: getWinRMPassword(p.config.PackerBuildName), + } + + elevatedPassword, _ := interpolate.Render(p.config.ElevatedPassword, &p.config.ctx) + + return elevatedPassword +} From 2e4b00f59dd24b3a8e3943dc253d622cc639922b Mon Sep 17 00:00:00 2001 From: Matt Dainty Date: Fri, 7 Dec 2018 15:30:50 +0000 Subject: [PATCH 4/8] Refactor powershell provisioner Use the common elevated code instead. --- provisioner/powershell/elevated.go | 100 -------------------------- provisioner/powershell/provisioner.go | 84 +++------------------- 2 files changed, 11 insertions(+), 173 deletions(-) delete mode 100644 provisioner/powershell/elevated.go diff --git a/provisioner/powershell/elevated.go b/provisioner/powershell/elevated.go deleted file mode 100644 index be8dcdf62..000000000 --- a/provisioner/powershell/elevated.go +++ /dev/null @@ -1,100 +0,0 @@ -package powershell - -import ( - "text/template" -) - -type elevatedOptions struct { - User string - Password string - TaskName string - TaskDescription string - LogFile string - XMLEscapedCommand string -} - -var elevatedTemplate = template.Must(template.New("ElevatedCommand").Parse(` -$name = "{{.TaskName}}" -$log = [System.Environment]::ExpandEnvironmentVariables("{{.LogFile}}") -$s = New-Object -ComObject "Schedule.Service" -$s.Connect() -$t = $s.NewTask($null) -$xml = [xml]@' - - - - {{.TaskDescription}} - - - - {{.User}} - Password - HighestAvailable - - - - IgnoreNew - false - false - true - false - false - - false - false - - true - true - false - false - false - PT24H - 4 - - - - cmd - /c {{.XMLEscapedCommand}} - - - -'@ -$logon_type = 1 -$password = "{{.Password}}" -if ($password.Length -eq 0) { - $logon_type = 5 - $password = $null - $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable) - $ns.AddNamespace("ns", $xml.DocumentElement.NamespaceURI) - $node = $xml.SelectSingleNode("/ns:Task/ns:Principals/ns:Principal/ns:LogonType", $ns) - $node.ParentNode.RemoveChild($node) | Out-Null -} -$t.XmlText = $xml.OuterXml -if (Test-Path variable:global:ProgressPreference){$ProgressPreference="SilentlyContinue"} -$f = $s.GetFolder("\") -$f.RegisterTaskDefinition($name, $t, 6, "{{.User}}", $password, $logon_type, $null) | Out-Null -$t = $f.GetTask("\$name") -$t.Run($null) | Out-Null -$timeout = 10 -$sec = 0 -while ((!($t.state -eq 4)) -and ($sec -lt $timeout)) { - Start-Sleep -s 1 - $sec++ -} - -$line = 0 -do { - Start-Sleep -m 100 - if (Test-Path $log) { - Get-Content $log | select -skip $line | ForEach { - $line += 1 - Write-Output "$_" - } - } -} while (!($t.state -eq 3)) -$result = $t.LastTaskResult -if (Test-Path $log) { - Remove-Item $log -Force -ErrorAction SilentlyContinue | Out-Null -} -[System.Runtime.Interopservices.Marshal]::ReleaseComObject($s) | Out-Null -exit $result`)) diff --git a/provisioner/powershell/provisioner.go b/provisioner/powershell/provisioner.go index ed35bdd01..fa4586fb3 100644 --- a/provisioner/powershell/provisioner.go +++ b/provisioner/powershell/provisioner.go @@ -4,8 +4,6 @@ package powershell import ( "bufio" - "bytes" - "encoding/xml" "errors" "fmt" "io/ioutil" @@ -20,6 +18,7 @@ import ( commonhelper "github.com/hashicorp/packer/helper/common" "github.com/hashicorp/packer/helper/config" "github.com/hashicorp/packer/packer" + "github.com/hashicorp/packer/provisioner" "github.com/hashicorp/packer/template/interpolate" ) @@ -498,90 +497,29 @@ func (p *Provisioner) createCommandTextPrivileged() (command string, err error) return "", fmt.Errorf("Error processing command: %s", err) } - // OK so we need an elevated shell runner to wrap our command, this is - // going to have its own path generate the script and update the command - // runner in the process - path, err := p.generateElevatedRunner(command) + command, err = provisioner.GenerateElevatedRunner(command, p) if err != nil { return "", fmt.Errorf("Error generating elevated runner: %s", err) } - // Return the path to the elevated shell wrapper - command = fmt.Sprintf("powershell -executionpolicy bypass -file \"%s\"", path) - return command, err } -func (p *Provisioner) generateElevatedRunner(command string) (uploadedPath string, err error) { - log.Printf("Building elevated command wrapper for: %s", command) +func (p *Provisioner) Communicator() packer.Communicator { + return p.communicator +} - var buffer bytes.Buffer +func (p *Provisioner) ElevatedUser() string { + return p.config.ElevatedUser +} - // Output from the elevated command cannot be returned directly to the - // Packer console. In order to be able to view output from elevated - // commands and scripts an indirect approach is used by which the commands - // output is first redirected to file. The output file is then 'watched' - // by Packer while the elevated command is running and any content - // appearing in the file is written out to the console. Below the portion - // of command required to redirect output from the command to file is - // built and appended to the existing command string - taskName := fmt.Sprintf("packer-%s", uuid.TimeOrderedUUID()) - // Only use %ENVVAR% format for environment variables when setting the log - // file path; Do NOT use $env:ENVVAR format as it won't be expanded - // correctly in the elevatedTemplate - logFile := `%SYSTEMROOT%/Temp/` + taskName + ".out" - command += fmt.Sprintf(" > %s 2>&1", logFile) - - // elevatedTemplate wraps the command in a single quoted XML text string - // so we need to escape characters considered 'special' in XML. - err = xml.EscapeText(&buffer, []byte(command)) - if err != nil { - return "", fmt.Errorf("Error escaping characters special to XML in command %s: %s", command, err) - } - escapedCommand := buffer.String() - log.Printf("Command [%s] converted to [%s] for use in XML string", command, escapedCommand) - buffer.Reset() - - // Escape chars special to PowerShell in the ElevatedUser string - escapedElevatedUser := psEscape.Replace(p.config.ElevatedUser) - if escapedElevatedUser != p.config.ElevatedUser { - log.Printf("Elevated user %s converted to %s after escaping chars special to PowerShell", - p.config.ElevatedUser, escapedElevatedUser) - } +func (p *Provisioner) ElevatedPassword() string { // Replace ElevatedPassword for winrm users who used this feature p.config.ctx.Data = &EnvVarsTemplate{ WinRMPassword: getWinRMPassword(p.config.PackerBuildName), } - p.config.ElevatedPassword, _ = interpolate.Render(p.config.ElevatedPassword, &p.config.ctx) + elevatedPassword, _ := interpolate.Render(p.config.ElevatedPassword, &p.config.ctx) - // Escape chars special to PowerShell in the ElevatedPassword string - escapedElevatedPassword := psEscape.Replace(p.config.ElevatedPassword) - if escapedElevatedPassword != p.config.ElevatedPassword { - log.Printf("Elevated password %s converted to %s after escaping chars special to PowerShell", - p.config.ElevatedPassword, escapedElevatedPassword) - } - - // Generate command - err = elevatedTemplate.Execute(&buffer, elevatedOptions{ - User: escapedElevatedUser, - Password: escapedElevatedPassword, - TaskName: taskName, - TaskDescription: "Packer elevated task", - LogFile: logFile, - XMLEscapedCommand: escapedCommand, - }) - - if err != nil { - fmt.Printf("Error creating elevated template: %s", err) - return "", err - } - uuid := uuid.TimeOrderedUUID() - path := fmt.Sprintf(`C:/Windows/Temp/packer-elevated-shell-%s.ps1`, uuid) - log.Printf("Uploading elevated shell wrapper for command [%s] to [%s]", command, path) - err = p.communicator.Upload(path, &buffer, nil) - if err != nil { - return "", fmt.Errorf("Error preparing elevated powershell script: %s", err) - } - return path, err + return elevatedPassword } From 3585b8023f92a7336f723c56c547858e835e6bf9 Mon Sep 17 00:00:00 2001 From: Matt Dainty Date: Fri, 7 Dec 2018 15:36:30 +0000 Subject: [PATCH 5/8] Update docs for Puppet provisioners --- website/source/docs/provisioners/puppet-masterless.html.md | 5 +++++ website/source/docs/provisioners/puppet-server.html.md | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/website/source/docs/provisioners/puppet-masterless.html.md b/website/source/docs/provisioners/puppet-masterless.html.md index 8882907bb..fdd93138c 100644 --- a/website/source/docs/provisioners/puppet-masterless.html.md +++ b/website/source/docs/provisioners/puppet-masterless.html.md @@ -114,6 +114,11 @@ manifests you should use `manifest_file` instead. be run. If using Hiera files with relative paths, this option can be helpful. (default: `staging_directory`) +- `elevated_user` and `elevated_password` (string) - If specified, Puppet + will be run with elevated privileges using the given Windows user. See the + [powershell](/docs/provisioners/powershell.html) provider for the full + details. + ## Execute Command By default, Packer uses the following command (broken across multiple lines for diff --git a/website/source/docs/provisioners/puppet-server.html.md b/website/source/docs/provisioners/puppet-server.html.md index 29e559966..cef82ff68 100644 --- a/website/source/docs/provisioners/puppet-server.html.md +++ b/website/source/docs/provisioners/puppet-server.html.md @@ -100,6 +100,11 @@ listed below: be run. If using Hiera files with relative paths, this option can be helpful. (default: `staging_directory`) +- `elevated_user` and `elevated_password` (string) - If specified, Puppet + will be run with elevated privileges using the given Windows user. See the + [powershell](/docs/provisioners/powershell.html) provider for the full + details. + ## Execute Command By default, Packer uses the following command (broken across multiple lines for From 19bd28cd72a7ade96ab21986f568db4515bc9fa1 Mon Sep 17 00:00:00 2001 From: Matt Dainty Date: Fri, 7 Dec 2018 16:23:03 +0000 Subject: [PATCH 6/8] Fix/add tests --- packer/provisioner_mock.go | 12 +++++++ provisioner/elevated_test.go | 38 ++++++++++++++++++++++ provisioner/powershell/provisioner_test.go | 24 -------------- 3 files changed, 50 insertions(+), 24 deletions(-) create mode 100644 provisioner/elevated_test.go diff --git a/packer/provisioner_mock.go b/packer/provisioner_mock.go index 62b304ccb..0c7a25791 100644 --- a/packer/provisioner_mock.go +++ b/packer/provisioner_mock.go @@ -34,3 +34,15 @@ func (t *MockProvisioner) Provision(ui Ui, comm Communicator) error { func (t *MockProvisioner) Cancel() { t.CancelCalled = true } + +func (t *MockProvisioner) Communicator() Communicator { + return t.ProvCommunicator +} + +func (t *MockProvisioner) ElevatedUser() string { + return "user" +} + +func (t *MockProvisioner) ElevatedPassword() string { + return "password" +} diff --git a/provisioner/elevated_test.go b/provisioner/elevated_test.go new file mode 100644 index 000000000..ac8759ef2 --- /dev/null +++ b/provisioner/elevated_test.go @@ -0,0 +1,38 @@ +package provisioner + +import ( + "regexp" + "testing" + + "github.com/hashicorp/packer/packer" +) + +func testConfig() map[string]interface{} { + return map[string]interface{}{ + "inline": []interface{}{"foo", "bar"}, + } +} + +func TestProvisioner_GenerateElevatedRunner(t *testing.T) { + + // Non-elevated + config := testConfig() + p := new(packer.MockProvisioner) + p.Prepare(config) + comm := new(packer.MockCommunicator) + p.ProvCommunicator = comm + path, err := GenerateElevatedRunner("whoami", p) + + if err != nil { + t.Fatalf("Did not expect error: %s", err.Error()) + } + + if comm.UploadCalled != true { + t.Fatalf("Should have uploaded file") + } + + matched, _ := regexp.MatchString("C:/Windows/Temp/packer-elevated-shell.*", path) + if !matched { + t.Fatalf("Got unexpected file: %s", path) + } +} diff --git a/provisioner/powershell/provisioner_test.go b/provisioner/powershell/provisioner_test.go index b0a0a27ab..eef61bf8d 100644 --- a/provisioner/powershell/provisioner_test.go +++ b/provisioner/powershell/provisioner_test.go @@ -654,30 +654,6 @@ func TestProvision_uploadEnvVars(t *testing.T) { } } -func TestProvision_generateElevatedShellRunner(t *testing.T) { - - // Non-elevated - config := testConfig() - p := new(Provisioner) - p.Prepare(config) - comm := new(packer.MockCommunicator) - p.communicator = comm - path, err := p.generateElevatedRunner("whoami") - - if err != nil { - t.Fatalf("Did not expect error: %s", err.Error()) - } - - if comm.UploadCalled != true { - t.Fatalf("Should have uploaded file") - } - - matched, _ := regexp.MatchString("C:/Windows/Temp/packer-elevated-shell.*", path) - if !matched { - t.Fatalf("Got unexpected file: %s", path) - } -} - func TestRetryable(t *testing.T) { config := testConfig() From 451709b9568f76027e6beae109263f4ee579868c Mon Sep 17 00:00:00 2001 From: Matt Dainty Date: Thu, 13 Dec 2018 10:25:12 +0000 Subject: [PATCH 7/8] Elevated support for chef-client provisioner Fixes #4661 --- provisioner/chef-client/provisioner.go | 48 +++++++++++++++++++ .../docs/provisioners/chef-client.html.md | 5 ++ 2 files changed, 53 insertions(+) diff --git a/provisioner/chef-client/provisioner.go b/provisioner/chef-client/provisioner.go index 8a3bff170..6d451ace4 100644 --- a/provisioner/chef-client/provisioner.go +++ b/provisioner/chef-client/provisioner.go @@ -14,6 +14,7 @@ import ( "github.com/hashicorp/packer/common" "github.com/hashicorp/packer/common/uuid" + commonhelper "github.com/hashicorp/packer/helper/common" "github.com/hashicorp/packer/helper/config" "github.com/hashicorp/packer/packer" "github.com/hashicorp/packer/provisioner" @@ -50,6 +51,8 @@ type Config struct { ChefEnvironment string `mapstructure:"chef_environment"` ClientKey string `mapstructure:"client_key"` ConfigTemplate string `mapstructure:"config_template"` + ElevatedUser string `mapstructure:"elevated_user"` + ElevatedPassword string `mapstructure:"elevated_password"` EncryptedDataBagSecretPath string `mapstructure:"encrypted_data_bag_secret_path"` ExecuteCommand string `mapstructure:"execute_command"` GuestOSType string `mapstructure:"guest_os_type"` @@ -76,6 +79,7 @@ type Config struct { type Provisioner struct { config Config + communicator packer.Communicator guestOSTypeConfig guestOSTypeConfig guestCommands *provisioner.GuestCommands } @@ -94,6 +98,10 @@ type ConfigTemplate struct { ValidationKeyPath string } +type EnvVarsTemplate struct { + WinRMPassword string +} + type ExecuteTemplate struct { ConfigPath string JsonPath string @@ -111,6 +119,12 @@ type KnifeTemplate struct { } func (p *Provisioner) Prepare(raws ...interface{}) error { + // Create passthrough for winrm password so we can fill it in once we know + // it + p.config.ctx.Data = &EnvVarsTemplate{ + WinRMPassword: `{{.WinRMPassword}}`, + } + err := config.Decode(&p.config, &config.DecodeOpts{ Interpolate: true, InterpolateContext: &p.config.ctx, @@ -221,6 +235,8 @@ func (p *Provisioner) Prepare(raws ...interface{}) error { func (p *Provisioner) Provision(ui packer.Ui, comm packer.Communicator) error { + p.communicator = comm + nodeName := p.config.NodeName if nodeName == "" { nodeName = fmt.Sprintf("packer-%s", uuid.TimeOrderedUUID()) @@ -551,6 +567,13 @@ func (p *Provisioner) executeChef(ui packer.Ui, comm packer.Communicator, config return err } + if p.config.ElevatedUser != "" { + command, err = provisioner.GenerateElevatedRunner(command, p) + if err != nil { + return err + } + } + ui.Message(fmt.Sprintf("Executing Chef: %s", command)) cmd := &packer.RemoteCmd{ @@ -676,6 +699,31 @@ func (p *Provisioner) processJsonUserVars() (map[string]interface{}, error) { return result, nil } +func getWinRMPassword(buildName string) string { + winRMPass, _ := commonhelper.RetrieveSharedState("winrm_password", buildName) + packer.LogSecretFilter.Set(winRMPass) + return winRMPass +} + +func (p *Provisioner) Communicator() packer.Communicator { + return p.communicator +} + +func (p *Provisioner) ElevatedUser() string { + return p.config.ElevatedUser +} + +func (p *Provisioner) ElevatedPassword() string { + // Replace ElevatedPassword for winrm users who used this feature + p.config.ctx.Data = &EnvVarsTemplate{ + WinRMPassword: getWinRMPassword(p.config.PackerBuildName), + } + + elevatedPassword, _ := interpolate.Render(p.config.ElevatedPassword, &p.config.ctx) + + return elevatedPassword +} + var DefaultConfigTemplate = ` log_level :info log_location STDOUT diff --git a/website/source/docs/provisioners/chef-client.html.md b/website/source/docs/provisioners/chef-client.html.md index 5c8eb086d..c0ae990b9 100644 --- a/website/source/docs/provisioners/chef-client.html.md +++ b/website/source/docs/provisioners/chef-client.html.md @@ -51,6 +51,11 @@ configuration is actually required. should use a custom configuration template. See the dedicated "Chef Configuration" section below for more details. +- `elevated_user` and `elevated_password` (string) - If specified, Chef will + be run with elevated privileges using the given Windows user. See the + [powershell](/docs/provisionders/powershell.html) provisioner for the full + details. + - `encrypted_data_bag_secret_path` (string) - The path to the file containing the secret for encrypted data bags. By default, this is empty, so no secret will be available. From 845d29b458718c93fd892c52737499a451bf9fdd Mon Sep 17 00:00:00 2001 From: Matt Dainty Date: Thu, 13 Dec 2018 10:32:36 +0000 Subject: [PATCH 8/8] s/provider/provisioner/ --- website/source/docs/provisioners/puppet-masterless.html.md | 2 +- website/source/docs/provisioners/puppet-server.html.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/website/source/docs/provisioners/puppet-masterless.html.md b/website/source/docs/provisioners/puppet-masterless.html.md index fdd93138c..61196eb86 100644 --- a/website/source/docs/provisioners/puppet-masterless.html.md +++ b/website/source/docs/provisioners/puppet-masterless.html.md @@ -116,7 +116,7 @@ manifests you should use `manifest_file` instead. - `elevated_user` and `elevated_password` (string) - If specified, Puppet will be run with elevated privileges using the given Windows user. See the - [powershell](/docs/provisioners/powershell.html) provider for the full + [powershell](/docs/provisioners/powershell.html) provisioner for the full details. ## Execute Command diff --git a/website/source/docs/provisioners/puppet-server.html.md b/website/source/docs/provisioners/puppet-server.html.md index cef82ff68..840d085ad 100644 --- a/website/source/docs/provisioners/puppet-server.html.md +++ b/website/source/docs/provisioners/puppet-server.html.md @@ -102,7 +102,7 @@ listed below: - `elevated_user` and `elevated_password` (string) - If specified, Puppet will be run with elevated privileges using the given Windows user. See the - [powershell](/docs/provisioners/powershell.html) provider for the full + [powershell](/docs/provisioners/powershell.html) provisioner for the full details. ## Execute Command