ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-10-11 19:04:02 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

winrm: added flag handler for kinit to request forwardable ticket when delegation is set (#37815)

Browse source
This commit is contained in:
Jordan Borean 2018-04-10 11:00:19 +10:00 committed by Matt Davis
commit 22f2388ef1
1 changed files with 14 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

18
lib/ansible/plugins/connection/winrm.py
View file

@ -115,6 +115,7 @@ except ImportError:
from ansible.errors import AnsibleError, AnsibleConnectionFailure from ansible.errors import AnsibleError, AnsibleConnectionFailure
from ansible.errors import AnsibleFileNotFound from ansible.errors import AnsibleFileNotFound
from ansible.module_utils.parsing.convert_bool import boolean
from ansible.module_utils.six.moves.urllib.parse import urlunsplit from ansible.module_utils.six.moves.urllib.parse import urlunsplit
from ansible.module_utils._text import to_bytes, to_native, to_text from ansible.module_utils._text import to_bytes, to_native, to_text
from ansible.module_utils.six import binary_type from ansible.module_utils.six import binary_type
@ -269,12 +270,22 @@ class Connection(ConnectionBase):
os.environ["KRB5CCNAME"] = krb5ccname os.environ["KRB5CCNAME"] = krb5ccname
krb5env = dict(KRB5CCNAME=krb5ccname) krb5env = dict(KRB5CCNAME=krb5ccname)
# stores various flags to call with kinit, we currently only use this
# to set -f so we can get a forward-able ticket (cred delegation)
kinit_flags = []
if boolean(self.get_option('_extras').get('ansible_winrm_kerberos_delegation', False)):
kinit_flags.append('-f')
kinit_cmdline = [self._kinit_cmd]
kinit_cmdline.extend(kinit_flags)
kinit_cmdline.append(principal)
# pexpect runs the process in its own pty so it can correctly send # pexpect runs the process in its own pty so it can correctly send
# the password as input even on MacOS which blocks subprocess from # the password as input even on MacOS which blocks subprocess from
# doing so. Unfortunately it is not available on the built in Python # doing so. Unfortunately it is not available on the built in Python
# so we can only use it if someone has installed it # so we can only use it if someone has installed it
if HAS_PEXPECT: if HAS_PEXPECT:
kinit_cmdline = "%s %s" % (self._kinit_cmd, principal) kinit_cmdline = " ".join(kinit_cmdline)
password = to_text(password, encoding='utf-8', password = to_text(password, encoding='utf-8',
errors='surrogate_or_strict') errors='surrogate_or_strict')
@ -283,11 +294,10 @@ class Connection(ConnectionBase):
events = { events = {
".*:": password + "\n" ".*:": password + "\n"
} }
# technically this is the stdout but to match subprocess we wil call # technically this is the stdout but to match subprocess we will
# it stderr # call it stderr
stderr, rc = pexpect.run(kinit_cmdline, withexitstatus=True, events=events, env=krb5env, timeout=60) stderr, rc = pexpect.run(kinit_cmdline, withexitstatus=True, events=events, env=krb5env, timeout=60)
else: else:
kinit_cmdline = [self._kinit_cmd, principal]
password = to_bytes(password, encoding='utf-8', password = to_bytes(password, encoding='utf-8',
errors='surrogate_or_strict') errors='surrogate_or_strict')