From 48f8f724cf73367fd2b7376e0cc5fdb2aa1e808c Mon Sep 17 00:00:00 2001 From: "john.puskar" Date: Sun, 9 Apr 2017 13:26:53 -0400 Subject: [PATCH] Added parameters for kerberos, negotiate, credssp. --- README.md | 11 ++- .../{winrmSSL => winrmssl}/ruby_openssl.rb | 88 +++++++++++++++++-- lib/puppet/type/winrmSSL.rb | 32 ------- lib/puppet/type/winrmssl.rb | 58 ++++++++++++ metadata.json | 4 +- 5 files changed, 150 insertions(+), 43 deletions(-) rename lib/puppet/provider/{winrmSSL => winrmssl}/ruby_openssl.rb (70%) delete mode 100644 lib/puppet/type/winrmSSL.rb create mode 100644 lib/puppet/type/winrmssl.rb diff --git a/README.md b/README.md index 74b46fc..f4a8774 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,12 @@ Setup WinRM over HTTPS and control some basic, essential settings. Also supports `auth_basic` (default true) Since you are HTTPS secured now, no harm in allowing Basic Auth. +`auth_negotiate` (default true) Manages Negotiate authentication. + +`auth_kerberos` (default true) Manages Kerberos authentication. + +`auth_credssp` (default false) Manages CredSSP authentication. + `disable_http` (default true) Removes the HTTP listener completely from WinRM so that plaintext transport is simply not available. ### Examples @@ -24,13 +30,16 @@ Note that the following example uses the `new23d-puppetpem2p12` module for the ` # read the path to the Puppet CA's .PEM file into a variable $ca_to_trust = $::puppet_config_localcacert -winrmSSL {$ca_to_trust: +winrmssl {$ca_to_trust: ensure => present, issuer => $ca_to_trust, #port => 5986, #maxmemorypershellmb => 1024, #maxtimeoutms => 60000, #auth_basic => true, + #auth_negotiate => true, + #auth_kerberos => true, + #auth_credssp => false, #disable_http => true } ``` 
diff --git a/lib/puppet/provider/winrmSSL/ruby_openssl.rb b/lib/puppet/provider/winrmssl/ruby_openssl.rb
similarity index 70%
rename from lib/puppet/provider/winrmSSL/ruby_openssl.rb
rename to lib/puppet/provider/winrmssl/ruby_openssl.rb
index 435ad33..7dde875 100644
--- a/lib/puppet/provider/winrmSSL/ruby_openssl.rb
+++ b/lib/puppet/provider/winrmssl/ruby_openssl.rb
@@ -1,11 +1,13 @@
 require 'openssl'
 require 'open3'
 
+# Modified by John Puskar
+# See diffs at https://github.com/jpuskar/puppet-winrmSSL
+
 Puppet::Type.type(:winrmssl).provide(:ruby_openssl) do
- ## confines
- confine osfamily: 'windows'
+ confine :osfamily => :windows
 
- ## helpers
+ # helpers
 def _thumbprint
 # is the namevar/issuer a Filesystem Path, or a Distinguished Name (DN)?
 var_issuer_in_file = File.exist?(@resource[:issuer])
@@ -23,11 +25,9 @@ def _thumbprint
 # remove leading slash if found
 issuer_subject.gsub!(%r{^(\/)(.*)$}, '\2')
 
- # var_cmd = "powershell @(get-childitem certificate::localmachine/my ^| where-object { $_.issuer -eq '#{issuer_subject}' -and $_.dnsnamelist -contains '#{Facter['fqdn'].value}' -and $_.hasprivatekey -and $_.enhancedkeyusagelist.friendlyname -contains 'Server Authentication'} ^| sort-object -property notafter -descending} )[0].thumbprint"
- # var_cmd = "powershell @(get-childitem certificate::localmachine/my ^| where-object { $_.issuer -eq '#{issuer_subject}' -and $_.dnsnamelist -contains '#{Facter['fqdn'].value}' -and $_.hasprivatekey -and $_.enhancedkeyusagelist.objectid -contains '1.3.6.1.5.5.7.3.1'} ^| sort-object -property notafter -descending)[0].thumbprint"
- var_cmd = "powershell @(get-childitem certificate::localmachine/my ^| where-object { $_.issuer -eq '#{issuer_subject}' -and $_.subject -eq 'CN=#{Facter['fqdn'].value}' -and $_.hasprivatekey} ^| sort-object -property notafter -descending)[0].thumbprint"
+ var_cmd = "powershell @(get-childitem certificate::localmachine/my ^| where-object { $_.issuer -eq '#{issuer_subject}' -and $_.subject -eq 'CN=#{Facter['fqdn'].value}' -and $_.hasprivatekey} ^| sort-object -property notafter -descending)[0].thumbprint"
 stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)
- stdin.close
+ stdin.close
 var_rc = wait_thr.value.exitstatus
 var_stdout_raw = stdout.read
 var_stdout_raw.strip!
@@ -42,7 +42,7 @@ def _thumbprint
 var_thumbprint
 end
 
- ## getters
+ # getters
 def certificatethumbprint
 var_cmd = 'winrm.cmd enumerate winrm/config/listener'
 var_rgx = %r{CertificateThumbprint = ([0-9A-F]{40,40})$}
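Review bot: The re-added `var_cmd` line still splices `issuer_subject` and the fqdn fact straight into a single-quoted PowerShell literal, and that whole string is then handed to `Open3.popen3` as one command line that cmd.exe parses first (the `^|` escapes only make sense for cmd.exe), so an issuer DN containing an apostrophe or a cmd metacharacter breaks the quoting; the hunk captures `var_rc` without acting on it, so the breakage would surface only as an empty thumbprint. The value normally comes from the manifest or a CA file, so exposure is limited, but a DN with `'` (e.g. `O'Brien`) is legitimate. I would double single quotes before interpolating and skip cmd.exe entirely: `ps_issuer = issuer_subject.gsub("'", "''")`, then `stdin, stdout, stderr, wait_thr = Open3.popen3('powershell', '-NoProfile', '-Command', ps_script)` with the pipeline written with plain `|` once it no longer passes through cmd.exe. `_thumbprint` starts and ends outside this hunk.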
@@ -115,6 +115,57 @@ def auth_basic
 var_state
 end
 
+ def auth_credssp
+ var_cmd = 'winrm.cmd get winrm/config/service/auth'
+ var_rgx = %r{CredSSP = true$}
+
+ stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)
+ stdin.close
+ var_rc = wait_thr.value.exitstatus
+ var_stdout = stdout.read
+
+ rgx_mth = var_rgx.match(var_stdout)
+ var_state = (!rgx_mth.nil?)
+
+ var_state = var_state.to_s.intern
+
+ var_state
+ end
+
+ def auth_kerberos
+ var_cmd = 'winrm.cmd get winrm/config/service/auth'
+ var_rgx = %r{Kerberos = true$}
+
+ stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)
+ stdin.close
+ var_rc = wait_thr.value.exitstatus
+ var_stdout = stdout.read
+
+ rgx_mth = var_rgx.match(var_stdout)
+ var_state = (!rgx_mth.nil?)
+
+ var_state = var_state.to_s.intern
+
+ var_state
+ end
+
+ def auth_negotiate
+ var_cmd = 'winrm.cmd get winrm/config/service/auth'
+ var_rgx = %r{Negotiate = true$}
+
+ stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)
+ stdin.close
+ var_rc = wait_thr.value.exitstatus
+ var_stdout = stdout.read
+
+ rgx_mth = var_rgx.match(var_stdout)
+ var_state = (!rgx_mth.nil?)
+
+ var_state = var_state.to_s.intern
+
+ var_state
+ end
+
 def maxmemorypershellmb
 var_cmd = 'winrm.cmd get winrm/config/winrs'
 var_rgx = %r{MaxMemoryPerShellMB = ([0-9]{1,})$}
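Review bot: In all three new getters `var_rc` is assigned from `wait_thr.value.exitstatus` and never consulted, so when `winrm.cmd get winrm/config/service/auth` fails (service stopped, access denied) the regex simply does not match and the property is reported as `:false`; Puppet then "corrects" a value it never actually read, and because `auth_kerberos` and `auth_negotiate` default to `:true` it will issue a `winrm set` on every run. The `= true$` anchor has the same effect when a setting is managed by Group Policy, where as far as I recall winrm prints the value with a trailing `[Source="GPO"]` annotation, so `\b` is the safer terminator. The three bodies are otherwise identical and `auth_basic` above evidently follows the same shape, so I would fold them into one helper that takes the setting name and raises on a non-zero exit, as sketched below. The enclosing provider block starts and ends outside this hunk.
```ruby
  # True when "<name> = true" appears in `winrm get winrm/config/service/auth`.
  # Raises instead of reporting :false when winrm.cmd itself fails, so Puppet
  # never "fixes" a value it could not read.
  def _service_auth_enabled?(name)
    out, err, status = Open3.capture3('winrm.cmd', 'get', 'winrm/config/service/auth')
    unless status.success?
      raise Puppet::Error, "winrm.cmd get winrm/config/service/auth failed (#{status.exitstatus}): #{err}"
    end
    # \b rather than $: the value may carry a trailing [Source="GPO"] annotation
    !out.match(%r{#{Regexp.escape(name)} = true\b}).nil?
  end

  def auth_credssp
    _service_auth_enabled?('CredSSP').to_s.intern
  end

  # … auth_kerberos / auth_negotiate: the same one-liner with 'Kerberos' / 'Negotiate' …
```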
@@ -178,6 +229,27 @@ def auth_basic=(var_param)
 var_rc = wait_thr.value.exitstatus
 end
 
+ def auth_credssp=(var_param)
+ var_cmd = "winrm set winrm/config/service/auth @{CredSSP=\"#{var_param}\"}"
+ stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)
+ stdin.close
+ var_rc = wait_thr.value.exitstatus
+ end
+
+ def auth_kerberos=(var_param)
+ var_cmd = "winrm set winrm/config/service/auth @{Kerberos=\"#{var_param}\"}"
+ stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)
+ stdin.close
+ var_rc = wait_thr.value.exitstatus
+ end
+
+ def auth_negotiate=(var_param)
+ var_cmd = "winrm set winrm/config/service/auth @{Negotiate=\"#{var_param}\"}"
+ stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)
+ stdin.close
+ var_rc = wait_thr.value.exitstatus
+ end
+
 def maxmemorypershellmb=(var_param)
 var_cmd = "winrm set winrm/config/winrs @{MaxMemoryPerShellMB=\"#{var_param}\"}"
 stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)
diff --git a/lib/puppet/type/winrmSSL.rb b/lib/puppet/type/winrmSSL.rb
deleted file mode 100644
index a29e12b..0000000
--- a/lib/puppet/type/winrmSSL.rb
+++ /dev/null
@@ -1,32 +0,0 @@
-Puppet::Type.newtype(:winrmSSL) do
- ensurable
-
- newparam(:issuer, namevar: true) do
- end
-
- newproperty(:disable_http) do
- newvalues(:true, :false)
- defaultto :true
- end
-
- newproperty(:port) do
- defaultto '5986'
- end
-
- newproperty(:auth_basic) do
- newvalues(:true, :false)
- defaultto :true
- end
-
- newproperty(:maxmemorypershellmb) do
- defaultto '1024'
- end
-
- newproperty(:maxtimeoutms) do
- defaultto '60000'
- end
-
- newproperty(:certificatethumbprint) do
- defaultto ''
- end
-end
diff --git a/lib/puppet/type/winrmssl.rb b/lib/puppet/type/winrmssl.rb
new file mode 100644
index 0000000..59a333d
--- /dev/null
+++ b/lib/puppet/type/winrmssl.rb
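Review bot: Each new setter ends by assigning `var_rc = wait_thr.value.exitstatus` and discarding it, so a failing `winrm set` (GPO-managed value, access denied, winrm rejecting the change) is invisible: Puppet logs the property as changed, and on the next run the getter re-reads the old value and the same failing command is repeated. I would replace the last line of `auth_credssp=`, `auth_kerberos=` and `auth_negotiate=` with `raise Puppet::Error, "#{var_cmd} failed (#{wait_thr.value.exitstatus}): #{stderr.read}" unless wait_thr.value.success?` so the failure shows up in the report. The stdout and stderr pipes are also never closed here; the block form `Open3.popen3(var_cmd) { |_i, o, e, t| ... }` closes all three. Given the type's `newvalues(:true, :false)`, `var_param` should only ever be one of those two symbols, so the interpolation into the command string itself looks safe. The enclosing provider block starts and ends outside this hunk.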
@@ -0,0 +1,58 @@
+# Modified by John Puskar
+# See diffs at https://github.com/jpuskar/puppet-winrmSSL
+
+Puppet::Type.newtype(:winrmssl) do
+ @doc = "Update winrm settings."
+ ensurable
+
+ newparam(:issuer, :namevar => true) do
+ desc "Subject name of the CA that winrm will trust for its HTTPS endpoint."
+ end
+
+ newproperty(:disable_http) do
+ desc "If set to true then the HTTP winrm listener will be disabled."
+ newvalues(:true, :false)
+ defaultto :true
+ end
+
+ newproperty(:port) do
+ desc "Port to use for the winrm listener."
+ defaultto '5986'
+ end
+
+ newproperty(:auth_basic) do
+ desc "If set to true then the winrm Basic authentication mode is enabled."
+ newvalues(:true, :false)
+ defaultto :true
+ end
+
+ newproperty(:auth_credssp) do
+ desc "If set to true then the winrm CredSSP authentication mode is enabled."
+ newvalues(:true, :false)
+ defaultto :false
+ end
+
+ newproperty(:auth_kerberos) do
+ desc "If set to true then the winrm Kerberos authentication mode is enabled."
+ newvalues(:true, :false)
+ defaultto :true
+ end
+
+ newproperty(:auth_negotiate) do
+ desc "If set to true then the winrm Negotiate authentication mode is enabled."
+ newvalues(:true, :false)
+ defaultto :true
+ end
+
+ newproperty(:maxmemorypershellmb) do
+ defaultto '1024'
+ end
+
+ newproperty(:maxtimeoutms) do
+ defaultto '60000'
+ end
+
+ newproperty(:certificatethumbprint) do
+ defaultto ''
+ end
+end
diff --git a/metadata.json b/metadata.json
index d9de792..f4b9816 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,7 +1,7 @@
 {
 "name": "new23d-winrmssl",
- "version": "0.0.2",
- "author": "new23d",
+ "version": "0.0.3",
+ "author": "new23d, jpuskar",
 "summary": "Setup WinRM over HTTPS and control some basic, essential settings. Also supports Puppet CA issued certificates.",
 "license": "Apache-2.0",
 "source": "https://github.com/new23d/puppet-winrmSSL.git",
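Review bot: The `desc` on `auth_credssp` only says the mode gets enabled, yet it is the one switch in this type with real security weight: with CredSSP the client hands its full credentials to this host for delegation, which is presumably why its default is `:false` while the others default to `:true`. I would extend it to `desc "If set to true then the winrm CredSSP authentication mode is enabled. CredSSP delegates the caller's full credentials to this host; leave it false unless second-hop delegation is required."`. Because all three new auth_* properties carry a `defaultto`, every existing `winrmssl` resource starts managing Kerberos, Negotiate and CredSSP on upgrade without any manifest change, which deserves a sentence in `@doc` or the README. `maxmemorypershellmb`, `maxtimeoutms` and `certificatethumbprint` are now the only properties still without a `desc`.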