Light refactorting and additional auth parameters

README.md

@@ -14,6 +14,12 @@ Setup WinRM over HTTPS and control some basic, essential settings. Also supports
 
 `auth_basic` (default true) Since you are HTTPS secured now, no harm in allowing Basic Auth.
 
+`auth_negotiate` (default true) Manages Negotiate authentication.
+
+`auth_kerberos` (default true) Manages Kerberos authentication.
+
+`auth_credssp` (default false) Manages CredSSP authentication.
+
 `disable_http` (default true) Removes the HTTP listener completely from WinRM so that plaintext transport is simply not available.
 
 ### Examples
@@ -24,13 +30,16 @@ Note that the following example uses the `new23d-puppetpem2p12` module for the `
 # read the path to the Puppet CA's .PEM file into a variable
 $ca_to_trust = $::puppet_config_localcacert
 
-winrmSSL {$ca_to_trust:
+winrmssl {$ca_to_trust:
   ensure => present,
   issuer => $ca_to_trust,
   #port                => 5986,
   #maxmemorypershellmb => 1024,
   #maxtimeoutms        => 60000,
   #auth_basic          => true,
+  #auth_negotiate      => true,
+  #auth_kerberos       => true,
+  #auth_credssp        => false,
   #disable_http        => true
 }
 ```

lib/puppet/provider/winrmSSL/ruby_openssl.rb → lib/puppet/provider/winrmssl/ruby_openssl.rb

@@ -1,11 +1,13 @@
 require 'openssl'
 require 'open3'
 
+# Modified by John Puskar
+# See diffs at https://github.com/jpuskar/puppet-winrmSSL
+
 Puppet::Type.type(:winrmssl).provide(:ruby_openssl) do
-  ## confines
-  confine osfamily: 'windows'
+  confine :osfamily => :windows
 
-  ## helpers
+  # helpers
   def _thumbprint
     # is the namevar/issuer a Filesystem Path, or a Distinguished Name (DN)?
     var_issuer_in_file = File.exist?(@resource[:issuer])
@@ -23,11 +25,9 @@ def _thumbprint
     # remove leading slash if found
     issuer_subject.gsub!(%r{^(\/)(.*)$}, '\2')
 
-    # var_cmd = "powershell @(get-childitem certificate::localmachine/my ^| where-object { $_.issuer -eq '#{issuer_subject}' -and $_.dnsnamelist -contains '#{Facter['fqdn'].value}' -and $_.hasprivatekey -and $_.enhancedkeyusagelist.friendlyname -contains 'Server Authentication'} ^| sort-object -property notafter -descending} )[0].thumbprint"
-    # var_cmd = "powershell @(get-childitem certificate::localmachine/my ^| where-object { $_.issuer -eq '#{issuer_subject}' -and $_.dnsnamelist -contains '#{Facter['fqdn'].value}' -and $_.hasprivatekey -and $_.enhancedkeyusagelist.objectid -contains '1.3.6.1.5.5.7.3.1'} ^| sort-object -property notafter -descending)[0].thumbprint"
-	var_cmd = "powershell @(get-childitem certificate::localmachine/my ^| where-object { $_.issuer -eq '#{issuer_subject}' -and $_.subject -eq 'CN=#{Facter['fqdn'].value}' -and $_.hasprivatekey} ^| sort-object -property notafter -descending)[0].thumbprint"
+    var_cmd = "powershell @(get-childitem certificate::localmachine/my ^| where-object { $_.issuer -eq '#{issuer_subject}' -and $_.subject -eq 'CN=#{Facter['fqdn'].value}' -and $_.hasprivatekey} ^| sort-object -property notafter -descending)[0].thumbprint"
     stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)
-	stdin.close
+	  stdin.close
     var_rc = wait_thr.value.exitstatus
     var_stdout_raw = stdout.read
     var_stdout_raw.strip!
@@ -42,7 +42,7 @@ def _thumbprint
     var_thumbprint
   end
 
-  ## getters
+  # getters
   def certificatethumbprint
     var_cmd = 'winrm.cmd enumerate winrm/config/listener'
     var_rgx = %r{CertificateThumbprint = ([0-9A-F]{40,40})$}
@@ -115,6 +115,57 @@ def auth_basic
     var_state
   end
 
+  def auth_credssp
+    var_cmd = 'winrm.cmd get winrm/config/service/auth'
+    var_rgx = %r{CredSSP = true$}
+
+    stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)
+    stdin.close
+    var_rc = wait_thr.value.exitstatus
+    var_stdout = stdout.read
+
+    rgx_mth = var_rgx.match(var_stdout)
+    var_state = (!rgx_mth.nil?)
+
+    var_state = var_state.to_s.intern
+
+    var_state
+  end
+
+  def auth_kerberos
+    var_cmd = 'winrm.cmd get winrm/config/service/auth'
+    var_rgx = %r{Kerberos = true$}
+
+    stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)
+    stdin.close
+    var_rc = wait_thr.value.exitstatus
+    var_stdout = stdout.read
+
+    rgx_mth = var_rgx.match(var_stdout)
+    var_state = (!rgx_mth.nil?)
+
+    var_state = var_state.to_s.intern
+
+    var_state
+  end
+
+  def auth_negotiate
+    var_cmd = 'winrm.cmd get winrm/config/service/auth'
+    var_rgx = %r{Negotiate = true$}
+
+    stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)
+    stdin.close
+    var_rc = wait_thr.value.exitstatus
+    var_stdout = stdout.read
+
+    rgx_mth = var_rgx.match(var_stdout)
+    var_state = (!rgx_mth.nil?)
+
+    var_state = var_state.to_s.intern
+
+    var_state
+  end
+
   def maxmemorypershellmb
     var_cmd = 'winrm.cmd get winrm/config/winrs'
     var_rgx = %r{MaxMemoryPerShellMB = ([0-9]{1,})$}
@@ -178,6 +229,27 @@ def auth_basic=(var_param)
     var_rc = wait_thr.value.exitstatus
   end
 
+  def auth_credssp=(var_param)
+    var_cmd = "winrm set winrm/config/service/auth @{CredSSP=\"#{var_param}\"}"
+    stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)
+    stdin.close
+    var_rc = wait_thr.value.exitstatus
+  end
+
+  def auth_kerberos=(var_param)
+    var_cmd = "winrm set winrm/config/service/auth @{Kerberos=\"#{var_param}\"}"
+    stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)
+    stdin.close
+    var_rc = wait_thr.value.exitstatus
+  end
+
+  def auth_negotiate=(var_param)
+    var_cmd = "winrm set winrm/config/service/auth @{Negotiate=\"#{var_param}\"}"
+    stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)
+    stdin.close
+    var_rc = wait_thr.value.exitstatus
+  end
+
   def maxmemorypershellmb=(var_param)
     var_cmd = "winrm set winrm/config/winrs @{MaxMemoryPerShellMB=\"#{var_param}\"}"
     stdin, stdout, stderr, wait_thr = Open3.popen3(var_cmd)

lib/puppet/type/winrmssl.rb

@@ -0,0 +1,58 @@
+# Modified by John Puskar
+# See diffs at https://github.com/jpuskar/puppet-winrmSSL
+
+Puppet::Type.newtype(:winrmssl) do
+  @doc = "Update winrm settings."
+  ensurable
+
+  newparam(:issuer, :namevar => true) do
+    desc "Subject name of the CA that winrm will trust for its HTTPS endpoint."
+  end
+
+  newproperty(:disable_http) do
+    desc "If set to true then the HTTP winrm listener will be disabled."
+    newvalues(:true, :false)
+    defaultto :true
+  end
+
+  newproperty(:port) do
+    desc "Port to use for the winrm listener."
+    defaultto '5986'
+  end
+
+  newproperty(:auth_basic) do
+    desc "If set to true then the winrm Basic authentication mode is enabled."
+    newvalues(:true, :false)
+    defaultto :true
+  end
+
+  newproperty(:auth_credssp) do
+    desc "If set to true then the winrm CredSSP authentication mode is enabled."
+    newvalues(:true, :false)
+    defaultto :false
+  end
+
+  newproperty(:auth_kerberos) do
+    desc "If set to true then the winrm Kerberos authentication mode is enabled."
+    newvalues(:true, :false)
+    defaultto :true
+  end
+
+  newproperty(:auth_negotiate) do
+    desc "If set to true then the winrm Negotiate authentication mode is enabled."
+    newvalues(:true, :false)
+    defaultto :true
+  end
+
+  newproperty(:maxmemorypershellmb) do
+    defaultto '1024'
+  end
+
+  newproperty(:maxtimeoutms) do
+    defaultto '60000'
+  end
+
+  newproperty(:certificatethumbprint) do
+    defaultto ''
+  end
+end

metadata.json

@@ -1,7 +1,7 @@
 {
   "name": "new23d-winrmssl",
-  "version": "0.0.2",
-  "author": "new23d",
+  "version": "0.0.3",
+  "author": "new23d, jpuskar",
   "summary": "Setup WinRM over HTTPS and control some basic, essential settings. Also supports Puppet CA issued certificates.",
   "license": "Apache-2.0",
   "source": "https://github.com/new23d/puppet-winrmSSL.git",