c4b-ansible's Introduction

THIS REPOSITORY IS DEPRECATED

See https://github.com/chocolatey/choco for further development

Chocolatey NuGet (like apt-get, but for Windows)

WEBSITE

Chocolatey.org

LICENSE

Apache 2.0 - see docs/legal (just LEGAL in the zip folder)

INFO

Please see the wiki

SOURCE REQUIREMENTS

  • .NET Framework 4.0
  • PowerShell 2.0+

CREDITS

See docs/legal/CREDITS (just LEGAL/Credits in the zip folder)

c4b-ansible's People

Contributors

jpruskin, pauby, steviecoaster

Forkers

jborean93

c4b-ansible's Issues

win_powershell tasks with password should use no_log: true

Checklist

  • I have verified this is the correct repository for opening this issue.
  • I have verified no other issues exist related to my problem.
  • I have verified this is not an issue for a specific package.
  • I have verified this issue is not security related.
  • I confirm I am using official, and not unofficial, or modified, Chocolatey products.

What You Are Seeing?

Tasks that provide a password as a parameter should have no_log: true added to the task. Failing to do so means the password will be part of the module invocation and potentially embedded script output that tools like AWX always capture. These tasks should always have no_log: true set so that the output is not captured or displayed when run with a higher verbosity.

What is Expected?

The sensitive info is not shown.

How Did You Get This To Happen?

Ran the tasks, first one as an example

- name: Install Nexus Certificate
  when: certificate_copy.changed
  ansible.windows.win_powershell:
    parameters:
      NexusPort: "{{ nexus_port | default(8081) }}"
      CertificatePath: "{{ certificate_copy.dest }}"
      CertificatePassword: "{{ certificate_password }}"
    script: |
      param($NexusPort, $CertificatePath, $CertificatePassword)
      # Check that the certificate and password match
      try {
          $null = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
              $CertificatePath,
              $CertificatePassword,
              32 # EphemeralKeySet
          )
      } catch {
          $Ansible.Result = "Certificate and Password do not match"
          $Ansible.Failed = $true
      }
      # Generate the Keystore file
      $KeyStore = "C:\ProgramData\nexus\etc\ssl\keystore.jks"
      $KeyTool = "C:\ProgramData\nexus\jre\bin\keytool.exe"
      $XmlPath = 'C:\ProgramData\nexus\etc\jetty\jetty-https.xml'
      $Passkey = '{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters', 'digits'], length=32, seed=certificate_password+inventory_hostname) }}'
      if (Test-Path $KeyStore) {
          Remove-Item $KeyStore -Force
      }
      $CurrentAlias = ($($CertificatePassword | & $KeyTool -list -v -storetype PKCS12 -keystore $CertificatePath) -match "^Alias.*")[0].Split(':')[1].Trim()
      & $KeyTool -importkeystore -srckeystore $CertificatePath -srcstoretype PKCS12 -srcstorepass $CertificatePassword -destkeystore $KeyStore -deststoretype JKS -alias $currentAlias -destalias jetty -deststorepass $passkey
      & $KeyTool -keypasswd -keystore $KeyStore -alias jetty -storepass $passkey -keypass $CertificatePassword -new $passkey
      # Update the Jetty XML Configuration
      [xml]$Xml = Get-Content -Path $XmlPath
      $Xml.Configure.New.Where{
          $_.id -match 'ssl'
      }.Set.Where{
          $_.name -match 'password'
      }.ForEach{
          $_.InnerText = $passkey
      }
      $Xml.Save($XmlPath)
      # Update the Nexus Configuration
      $configPath = "C:\ProgramData\sonatype-work\nexus3\etc\nexus.properties"
      (Get-Content $configPath) | Where-Object {$_ -notmatch "application-port-ssl="} | Set-Content $configPath
      @(
          'jetty.https.stsMaxAge=-1'
          "application-port-ssl=$NexusPort"
          'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml'
      ).ForEach{
          if ((Get-Content -Raw $configPath) -notmatch [regex]::Escape($_)) {
              $_ | Add-Content -Path $configPath
          }
      }
      if ((Get-Service nexus).Status -eq 'Running') {
          Restart-Service nexus
      } else {
          Start-Service nexus
      }
will expose CertificatePassword if a verbosity of -vvv or higher is specified. Running in AWX will always capture this output.

System Details

N/A

Installed Packages

N/A

Output Log

N/A

Additional Context

No response

Better support for self signed certificates

Checklist

  • I have verified this is the correct repository for opening this issue.
  • I have verified no other issues exist related to my request.

Is Your Feature Request Related To A Problem? Please describe.

Using a self signed certificate has problems as a few steps expect Windows to trust the certificate for the server. While this is a great default it would be nice if there was an option to ignore certificate errors for tasks that are connecting to the Nexus endpoint.

For example this is the first task that fails when using a self signed certificate

TASK [Set Nexus Password using Default Password] *************************************************************************************************************************************
task path: /home/jborean/dev/c4b-ansible/setup-nexus.yml:128
fatal: [ccm_server]: FAILED! =>
    changed: false
    elapsed: 0.1874127
    msg: 'Unhandled exception occurred when sending web request. Exception: The underlying
        connection was closed: Could not establish trust relationship for the SSL/TLS
        secure channel.'
    status_code: null
    url: https://server.chocolatey.test:8443/service/rest/v1/security/users/admin/change-password

Describe The Solution. Why is it needed?

This is more for testing when someone cannot get an actual trusted certificate. By exposing an option to have tasks ignore the cert checks things can work just as if a signed certificate was used.

Additional Context

N/A

Related Issues

No response

Install * Certificate tasks need better error handling

Checklist

  • I have verified this is the correct repository for opening this issue.
  • I have verified no other issues exist related to my problem.
  • I have verified this is not an issue for a specific package.
  • I have verified this issue is not security related.
  • I confirm I am using official, and not unofficial, or modified, Chocolatey products.

What You Are Seeing?

There are two tasks that create a Java keystore which need a bit more TLC around error handling. I had to spend some time trying to figure out why the web service was failing as the task thought it was successful but in reality it failed running some keytool commands.

My recommendation is to wrap each keytool invocation like

$keytool = '...'

# What keytool reads from stdin, here the PFX password it prompts for
$dataToPipe = $CertificatePassword
$keytoolArgs = @('-list', '-v', '-storetype', 'PKCS12', '-keystore', $CertificatePath)

# Dot-source a scriptblock so stdout is captured into $stdout while stderr is
# redirected and converted to plain strings instead of ErrorRecords
$stdout = $null
$stderr = . { $dataToPipe | & $keytool @keytoolArgs | Set-Variable stdout } 2>&1 | ForEach-Object ToString
if ($LASTEXITCODE) {
    # keytool returned non-zero: fail the task and hand back everything it printed
    $Ansible.Result = @{
        stdout = $stdout -join "`n"
        stderr = $stderr -join "`n"
        rc = $LASTEXITCODE
        msg = "Keytool failed to do ..., see stdout/stderr/rc for more detail"
    }
    $Ansible.Failed = $true
    return
}

# Repeat for the remaining keytool invocations

This avoids the stderr lines being reported as error records and you are now explicitly checking that keytool works and emitting the output if it failed. You could also look at just running it through separate win_command calls which might be a bit slower but it adds automatic rc validation and captures the output for you explicitly.

What is Expected?

The tasks fail if any of the keytool.exe commands fail.

How Did You Get This To Happen?

I used #8 to generate a self signed certificate with the AES encryption algorithm. This is unsupported by keytool that ships with Nexus but the task ignored any errors and continued on.

System Details

N/A

Installed Packages

N/A

Output Log

The task contains a lot of ErrorRecords due to stderr lines being written as an error record. While this doesn't contain the failure it shows how many error records are generated.


TASK [Install Jenkins Certificate] ***************************************************************************************************************************************************
task path: /home/jborean/dev/c4b-ansible/setup-jenkins.yml:112
changed: [ccm_server] =>
    changed: true
    debug: []
    error:
    -   category_info:
            activity: ''
            category: NotSpecified
            category_id: 0
            reason: RemoteException
            target_name: 'Enter keystore password:  '
            target_type: String
        error_details: null
        exception: null
        fully_qualified_error_id: NativeCommandError
        output: |-
            keytool.exe : Enter keystore password:
            At line:12 char:42
            + ... ePassword | & $KeyTool -list -v -storetype PKCS12 -keystore $Certific ...
            +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                + CategoryInfo          : NotSpecified: (Enter keystore password:  :String) [], RemoteException
                + FullyQualifiedErrorId : NativeCommandError
        pipeline_iteration_info:
        - 1
        - 0
        script_stack_trace: 'at <ScriptBlock>, <No file>: line 12'
        target_object: 'Enter keystore password:  '
    -   category_info:
            activity: ''
            category: NotSpecified
            category_id: 0
            reason: RemoteException
            target_name: Importing keystore C:\choco-setup\jenkins.pfx to C:\ProgramData\Jenkins\.jenkins\keystore.jks...
            target_type: String
        error_details: null
        exception: null
        fully_qualified_error_id: NativeCommandError
        output: |-
            keytool.exe : Importing keystore C:\choco-setup\jenkins.pfx to C:\ProgramData\Jenkins\.jenkins\keystore.jks...
            At line:14 char:1
            + & $KeyTool -importkeystore -srckeystore $CertificatePath -srcstoretyp ...
            + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                + CategoryInfo          : NotSpecified: (Importing keyst...keystore.jks...:String) [], RemoteException
                + FullyQualifiedErrorId : NativeCommandError
        pipeline_iteration_info:
        - 0
        - 0
        script_stack_trace: 'at <ScriptBlock>, <No file>: line 14'
        target_object: Importing keystore C:\choco-setup\jenkins.pfx to C:\ProgramData\Jenkins\.jenkins\keystore.jks...
    -   category_info:
            activity: ''
            category: NotSpecified
            category_id: 0
            reason: RemoteException
            target_name: ''
            target_type: String
        error_details: null
        exception: null
        fully_qualified_error_id: NativeCommandErrorMessage
        output: ""
        pipeline_iteration_info:
        - 0
        - 0
        script_stack_trace: 'at <ScriptBlock>, <No file>: line 14'
        target_object: ''
    -   category_info:
            activity: ''
            category: NotSpecified
            category_id: 0
            reason: RemoteException
            target_name: 'Warning:'
            target_type: String
        error_details: null
        exception: null
        fully_qualified_error_id: NativeCommandErrorMessage
        output: |-
            Warning:
        pipeline_iteration_info:
        - 0
        - 0
        script_stack_trace: 'at <ScriptBlock>, <No file>: line 14'
        target_object: 'Warning:'
    -   category_info:
            activity: ''
            category: NotSpecified
            category_id: 0
            reason: RemoteException
            target_name: The JKS keystore uses a proprietary format. It is recommended
                to migrate to PKCS12 which is an industry standard format using "keytool
                -importkeystore -srckeystore C:\ProgramData\Jenkins\.jenkins\keystore.jks
                -destkeystore C:\ProgramData\Jenkins\.jenkins\keystore.jks -deststoretype
                pkcs12".
            target_type: String
        error_details: null
        exception: null
        fully_qualified_error_id: NativeCommandErrorMessage
        output: |-
            The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format
            using "keytool -importkeystore -srckeystore C:\ProgramData\Jenkins\.jenkins\keystore.jks -destkeystore
            C:\ProgramData\Jenkins\.jenkins\keystore.jks -deststoretype pkcs12".
        pipeline_iteration_info:
        - 0
        - 0
        script_stack_trace: 'at <ScriptBlock>, <No file>: line 15'
        target_object: The JKS keystore uses a proprietary format. It is recommended to
            migrate to PKCS12 which is an industry standard format using "keytool -importkeystore
            -srckeystore C:\ProgramData\Jenkins\.jenkins\keystore.jks -destkeystore C:\ProgramData\Jenkins\.jenkins\keystore.jks
            -deststoretype pkcs12".
    host_err: ''
    host_out: ''
    information: []
    output: []
    result: {}
    verbose: []
    warning: []

Additional Context

No response
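Putting the two recommendations on this page together, as an added example rather than a task from the c4b-ansible repository: the task carries no_log: true (the first issue) and every keytool call goes through a wrapper that fails the task with stdout, stderr and the exit code instead of continuing silently (this issue). Invoke-KeyTool and the keystore_password variable are hypothetical names, and the PFX is assumed to hold a single key entry.

```yaml
- name: Install Nexus Certificate
  when: certificate_copy.changed
  # The password parameters are part of the module invocation, so without
  # no_log they are printed at -vvv and captured by tools such as AWX.
  no_log: true
  ansible.windows.win_powershell:
    parameters:
      CertificatePath: "{{ certificate_copy.dest }}"
      CertificatePassword: "{{ certificate_password }}"
      KeyStorePassword: "{{ keystore_password }}"   # hypothetical variable
    script: |
      param($CertificatePath, $CertificatePassword, $KeyStorePassword)
      $KeyTool = 'C:\ProgramData\nexus\jre\bin\keytool.exe'
      $KeyStore = 'C:\ProgramData\nexus\etc\ssl\keystore.jks'
      # Runs keytool once, keeps stdout and stderr apart, and fails the task
      # with both streams and the exit code instead of continuing silently.
      function Invoke-KeyTool {
          param([string]$Step, [string[]]$Arguments, $StdIn)
          $stdout = $null
          $stderr = . { $StdIn | & $KeyTool @Arguments | Set-Variable stdout } 2>&1 |
              ForEach-Object ToString
          if ($LASTEXITCODE) {
              $Ansible.Result = @{
                  stdout = @($stdout) -join "`n"
                  stderr = @($stderr) -join "`n"
                  rc     = $LASTEXITCODE
                  msg    = "keytool failed to $Step, see stdout/stderr/rc"
              }
              $Ansible.Failed = $true
          }
          @($stdout)
      }
      # -list is given no -storepass here, so the PFX password is fed on stdin
      $listing = Invoke-KeyTool -Step 'list the PFX' -StdIn $CertificatePassword -Arguments @(
          '-list', '-v', '-storetype', 'PKCS12', '-keystore', $CertificatePath)
      if ($Ansible.Failed) { return }
      $alias = ((@($listing) -match '^Alias')[0] -split ':', 2)[1].Trim()
      if (Test-Path $KeyStore) { Remove-Item $KeyStore -Force }
      $null = Invoke-KeyTool -Step 'import the PFX' -Arguments @(
          '-importkeystore', '-srckeystore', $CertificatePath, '-srcstoretype', 'PKCS12',
          '-srcstorepass', $CertificatePassword, '-destkeystore', $KeyStore,
          '-deststoretype', 'JKS', '-alias', $alias, '-destalias', 'jetty',
          '-deststorepass', $KeyStorePassword)
      if ($Ansible.Failed) { return }
      $null = Invoke-KeyTool -Step 'change the jetty key password' -Arguments @(
          '-keypasswd', '-keystore', $KeyStore, '-alias', 'jetty',
          '-storepass', $KeyStorePassword, '-keypass', $CertificatePassword,
          '-new', $KeyStorePassword)
```

Because no_log: true also hides this task's own result on the console, the stdout/stderr/rc placed in $Ansible.Result are what a later, non-sensitive task or the AWX job detail would need to surface when the keytool step fails.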

Support AES256-SHA1 PFX certificates

Checklist

  • I have verified this is the correct repository for opening this issue.
  • I have verified no other issues exist related to my request.

Is Your Feature Request Related To A Problem? Please describe.

Windows has supported AES256-SHA256 enveloped pfx files since Server 2019 and OpenSSL has defaulted to creating them since OpenSSL 3.0.0. Attempting to have keytool that ships with Nexus read a pfx with AES256-SHA256 will fail with

PS C:\Users\vagrant> C:\ProgramData\nexus\jre\bin\keytool.exe -list -v -storetype PKCS12 -keystore C:\choco-setup\nexus.pfx
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2079)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at sun.security.tools.keytool.Main.doCommands(Main.java:937)
        at sun.security.tools.keytool.Main.run(Main.java:377)
        at sun.security.tools.keytool.Main.main(Main.java:370)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

The password is definitely correct; it's just that this version is unable to use this "newer" encryption method. By generating a 3DES pfx (what Windows does by default still) things work just fine.

Describe The Solution. Why is it needed?

Unfortunately I don't know the solution. It might be that the keystore is created locally or with a newer version of keytool than the one that Nexus ships with. It could be that Nexus also needs to run with a newer JRE. In either case JRE 8 is quite old and probably should be looked into even if it doesn't fix the problem.

Additional Context

To generate some certs with OpenSSL you can run the following with OpenSSL v3.0.0+:

openssl ecparam \
    -name secp384r1 \
    -genkey \
    -noout \
    -out cert.key

openssl req \
    -new \
    -x509 \
    -out cert.pem \
    -key cert.key \
    -days 365 \
    -subj "/CN=server.chocolatey.test" \
    -addext "subjectAltName = DNS:server.chocolatey.test"

openssl pkcs12 \
    -export \
    -out aes256.pfx \
    -inkey cert.key \
    -in cert.pem

openssl pkcs12 \
    -export \
    -certpbe PBE-SHA1-3DES \
    -keypbe PBE-SHA1-3DES \
    -macalg SHA1 \
    -out 3des.pfx \
    -inkey cert.key \
    -in cert.pem

This will generate 2 pfx files aes256.pfx and 3des.pfx. The latter works fine with keytool that Nexus ships with but the former will fail saying the password is incorrect.

Related Issues

No response
