diff options
author | Jordan Borean <jborean93@gmail.com> | 2021-11-11 11:04:39 +1000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-10 17:04:39 -0800 |
commit | 9985b8a9756c570811d0f221bc11ffc9354f291f (patch) | |
tree | 63c9ade93cd52a860a7537d0f1f7aab53fcad67f /examples | |
parent | 90de24da7be7a0e2d7fd173532222db0b116088d (diff) | |
download | ansible-9985b8a9756c570811d0f221bc11ffc9354f291f.tar.gz |
ansible-test pssa update and new rules (#76256)
Diffstat (limited to 'examples')
-rw-r--r-- | examples/scripts/ConfigureRemotingForAnsible.ps1 | 163 | ||||
-rw-r--r-- | examples/scripts/upgrade_to_ps3.ps1 | 27 |
2 files changed, 74 insertions, 116 deletions
diff --git a/examples/scripts/ConfigureRemotingForAnsible.ps1 b/examples/scripts/ConfigureRemotingForAnsible.ps1 index 7e039bb415..1fcbaabc37 100644 --- a/examples/scripts/ConfigureRemotingForAnsible.ps1 +++ b/examples/scripts/ConfigureRemotingForAnsible.ps1 @@ -66,28 +66,24 @@ Param ( [switch]$EnableCredSSP ) -Function Write-Log -{ +Function Write-ProgressLog { $Message = $args[0] Write-EventLog -LogName Application -Source $EventSource -EntryType Information -EventId 1 -Message $Message } -Function Write-VerboseLog -{ +Function Write-VerboseLog { $Message = $args[0] Write-Verbose $Message - Write-Log $Message + Write-ProgressLog $Message } -Function Write-HostLog -{ +Function Write-HostLog { $Message = $args[0] Write-Output $Message - Write-Log $Message + Write-ProgressLog $Message } -Function New-LegacySelfSignedCert -{ +Function New-LegacySelfSignedCert { Param ( [string]$SubjectName, [int]$ValidDays = 1095 @@ -125,14 +121,13 @@ Function New-LegacySelfSignedCert $SigOID = New-Object -ComObject X509Enrollment.CObjectId $SigOID.InitializeFromValue(([Security.Cryptography.Oid]$SignatureAlgorithm).Value) - [string[]] $AlternativeName += $hostnonFQDN + [string[]] $AlternativeName += $hostnonFQDN $AlternativeName += $hostFQDN $IAlternativeNames = New-Object -ComObject X509Enrollment.CAlternativeNames - foreach ($AN in $AlternativeName) - { + foreach ($AN in $AlternativeName) { $AltName = New-Object -ComObject X509Enrollment.CAlternativeName - $AltName.InitializeFromString(0x3,$AN) + $AltName.InitializeFromString(0x3, $AN) $IAlternativeNames.Add($AltName) } @@ -162,15 +157,14 @@ Function New-LegacySelfSignedCert return $parsed_cert.Thumbprint } -Function Enable-GlobalHttpFirewallAccess -{ +Function Enable-GlobalHttpFirewallAccess { Write-Verbose "Forcing global HTTP firewall access" # this is a fairly naive implementation; could be more sophisticated about rule matching/collapsing $fw = New-Object -ComObject HNetCfg.FWPolicy2 # try to find/enable the default rule first $add_rule = $false - $matching_rules = $fw.Rules | Where-Object { $_.Name -eq "Windows Remote Management (HTTP-In)" } + $matching_rules = $fw.Rules | Where-Object { $_.Name -eq "Windows Remote Management (HTTP-In)" } $rule = $null If ($matching_rules) { If ($matching_rules -isnot [Array]) { @@ -217,80 +211,71 @@ Function Enable-GlobalHttpFirewallAccess } # Setup error handling. -Trap -{ +Trap { $_ Exit 1 } $ErrorActionPreference = "Stop" # Get the ID and security principal of the current user account -$myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent() -$myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID) +$myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent() +$myWindowsPrincipal = new-object System.Security.Principal.WindowsPrincipal($myWindowsID) # Get the security principal for the Administrator role -$adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator +$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator # Check to see if we are currently running "as Administrator" -if (-Not $myWindowsPrincipal.IsInRole($adminRole)) -{ +if (-Not $myWindowsPrincipal.IsInRole($adminRole)) { Write-Output "ERROR: You need elevated Administrator privileges in order to run this script." Write-Output " Start Windows PowerShell by using the Run as Administrator option." Exit 2 } $EventSource = $MyInvocation.MyCommand.Name -If (-Not $EventSource) -{ +If (-Not $EventSource) { $EventSource = "Powershell CLI" } -If ([System.Diagnostics.EventLog]::Exists('Application') -eq $False -or [System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) -{ +If ([System.Diagnostics.EventLog]::Exists('Application') -eq $False -or [System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) { New-EventLog -LogName Application -Source $EventSource } # Detect PowerShell version. -If ($PSVersionTable.PSVersion.Major -lt 3) -{ - Write-Log "PowerShell version 3 or higher is required." +If ($PSVersionTable.PSVersion.Major -lt 3) { + Write-ProgressLog "PowerShell version 3 or higher is required." Throw "PowerShell version 3 or higher is required." } # Find and start the WinRM service. Write-Verbose "Verifying WinRM service." -If (!(Get-Service "WinRM")) -{ - Write-Log "Unable to find the WinRM service." +If (!(Get-Service "WinRM")) { + Write-ProgressLog "Unable to find the WinRM service." Throw "Unable to find the WinRM service." } -ElseIf ((Get-Service "WinRM").Status -ne "Running") -{ +ElseIf ((Get-Service "WinRM").Status -ne "Running") { Write-Verbose "Setting WinRM service to start automatically on boot." Set-Service -Name "WinRM" -StartupType Automatic - Write-Log "Set WinRM service to start automatically on boot." + Write-ProgressLog "Set WinRM service to start automatically on boot." Write-Verbose "Starting WinRM service." Start-Service -Name "WinRM" -ErrorAction Stop - Write-Log "Started WinRM service." + Write-ProgressLog "Started WinRM service." } # WinRM should be running; check that we have a PS session config. -If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener))) -{ - If ($SkipNetworkProfileCheck) { - Write-Verbose "Enabling PS Remoting without checking Network profile." - Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop - Write-Log "Enabled PS Remoting without checking Network profile." - } - Else { - Write-Verbose "Enabling PS Remoting." - Enable-PSRemoting -Force -ErrorAction Stop - Write-Log "Enabled PS Remoting." - } +If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener))) { + If ($SkipNetworkProfileCheck) { + Write-Verbose "Enabling PS Remoting without checking Network profile." + Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop + Write-ProgressLog "Enabled PS Remoting without checking Network profile." + } + Else { + Write-Verbose "Enabling PS Remoting." + Enable-PSRemoting -Force -ErrorAction Stop + Write-ProgressLog "Enabled PS Remoting." + } } -Else -{ +Else { Write-Verbose "PS Remoting is already enabled." } @@ -310,8 +295,7 @@ if ($token_value -ne 1) { # Make sure there is a SSL listener. $listeners = Get-ChildItem WSMan:\localhost\Listener -If (!($listeners | Where-Object {$_.Keys -like "TRANSPORT=HTTPS"})) -{ +If (!($listeners | Where-Object { $_.Keys -like "TRANSPORT=HTTPS" })) { # We cannot use New-SelfSignedCertificate on 2012R2 and earlier $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName -ValidDays $CertValidityDays Write-HostLog "Self-signed SSL certificate generated; thumbprint: $thumbprint" @@ -329,15 +313,13 @@ If (!($listeners | Where-Object {$_.Keys -like "TRANSPORT=HTTPS"})) Write-Verbose "Enabling SSL listener." New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset - Write-Log "Enabled SSL listener." + Write-ProgressLog "Enabled SSL listener." } -Else -{ +Else { Write-Verbose "SSL listener is already active." # Force a new SSL cert on Listener if the $ForceNewSSLCert - If ($ForceNewSSLCert) - { + If ($ForceNewSSLCert) { # We cannot use New-SelfSignedCertificate on 2012R2 and earlier $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName -ValidDays $CertValidityDays @@ -361,45 +343,37 @@ Else } # Check for basic authentication. -$basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where-Object {$_.Name -eq "Basic"} +$basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where-Object { $_.Name -eq "Basic" } -If ($DisableBasicAuth) -{ - If (($basicAuthSetting.Value) -eq $true) - { +If ($DisableBasicAuth) { + If (($basicAuthSetting.Value) -eq $true) { Write-Verbose "Disabling basic auth support." Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $false - Write-Log "Disabled basic auth support." + Write-ProgressLog "Disabled basic auth support." } - Else - { + Else { Write-Verbose "Basic auth is already disabled." } } -Else -{ - If (($basicAuthSetting.Value) -eq $false) - { +Else { + If (($basicAuthSetting.Value) -eq $false) { Write-Verbose "Enabling basic auth support." Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true - Write-Log "Enabled basic auth support." + Write-ProgressLog "Enabled basic auth support." } - Else - { + Else { Write-Verbose "Basic auth is already enabled." } } # If EnableCredSSP if set to true -If ($EnableCredSSP) -{ +If ($EnableCredSSP) { # Check for CredSSP authentication - $credsspAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where-Object {$_.Name -eq "CredSSP"} - If (($credsspAuthSetting.Value) -eq $false) - { + $credsspAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where-Object { $_.Name -eq "CredSSP" } + If (($credsspAuthSetting.Value) -eq $false) { Write-Verbose "Enabling CredSSP auth support." Enable-WSManCredSSP -role server -Force - Write-Log "Enabled CredSSP auth support." + Write-ProgressLog "Enabled CredSSP auth support." } } @@ -410,44 +384,37 @@ If ($GlobalHttpFirewallAccess) { # Configure firewall to allow WinRM HTTPS connections. $fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" $fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any -If ($fwtest1.count -lt 5) -{ +If ($fwtest1.count -lt 5) { Write-Verbose "Adding firewall rule to allow WinRM HTTPS." netsh advfirewall firewall add rule profile=any name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow - Write-Log "Added firewall rule to allow WinRM HTTPS." + Write-ProgressLog "Added firewall rule to allow WinRM HTTPS." } -ElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5)) -{ +ElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5)) { Write-Verbose "Updating firewall rule to allow WinRM HTTPS for any profile." netsh advfirewall firewall set rule name="Allow WinRM HTTPS" new profile=any - Write-Log "Updated firewall rule to allow WinRM HTTPS for any profile." + Write-ProgressLog "Updated firewall rule to allow WinRM HTTPS for any profile." } -Else -{ +Else { Write-Verbose "Firewall rule already exists to allow WinRM HTTPS." } # Test a remoting connection to localhost, which should work. -$httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock {$env:COMPUTERNAME} -ErrorVariable httpError -ErrorAction SilentlyContinue +$httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock { $using:env:COMPUTERNAME } -ErrorVariable httpError -ErrorAction SilentlyContinue $httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck $httpsResult = New-PSSession -UseSSL -ComputerName "localhost" -SessionOption $httpsOptions -ErrorVariable httpsError -ErrorAction SilentlyContinue -If ($httpResult -and $httpsResult) -{ +If ($httpResult -and $httpsResult) { Write-Verbose "HTTP: Enabled | HTTPS: Enabled" } -ElseIf ($httpsResult -and !$httpResult) -{ +ElseIf ($httpsResult -and !$httpResult) { Write-Verbose "HTTP: Disabled | HTTPS: Enabled" } -ElseIf ($httpResult -and !$httpsResult) -{ +ElseIf ($httpResult -and !$httpsResult) { Write-Verbose "HTTP: Enabled | HTTPS: Disabled" } -Else -{ - Write-Log "Unable to establish an HTTP or HTTPS remoting session." +Else { + Write-ProgressLog "Unable to establish an HTTP or HTTPS remoting session." Throw "Unable to establish an HTTP or HTTPS remoting session." } Write-VerboseLog "PS Remoting has been successfully configured for Ansible." diff --git a/examples/scripts/upgrade_to_ps3.ps1 b/examples/scripts/upgrade_to_ps3.ps1 index 359b835d5c..64867bede8 100644 --- a/examples/scripts/upgrade_to_ps3.ps1 +++ b/examples/scripts/upgrade_to_ps3.ps1 @@ -18,24 +18,21 @@ # 6.3 is 2012 R2 -if ($PSVersionTable.psversion.Major -ge 3) -{ +if ($PSVersionTable.psversion.Major -ge 3) { Write-Output "Powershell 3 Installed already; You don't need this" Exit } $powershellpath = "C:\powershell" -function download-file -{ +function download-file { param ([string]$path, [string]$local) $client = new-object system.net.WebClient $client.Headers.Add("user-agent", "PowerShell") $client.downloadfile($path, $local) } -if (!(test-path $powershellpath)) -{ +if (!(test-path $powershellpath)) { New-Item -ItemType directory -Path $powershellpath } @@ -53,8 +50,7 @@ if (!(test-path $powershellpath)) #You may need to reboot after the .NET install if so just run the script again. # If the Operating System is above 6.2, then you already have PowerShell Version > 3 -if ([Environment]::OSVersion.Version.Major -gt 6) -{ +if ([Environment]::OSVersion.Version.Major -gt 6) { Write-Output "OS is new; upgrade not needed." Exit } @@ -64,25 +60,20 @@ $osminor = [environment]::OSVersion.Version.Minor $architecture = $ENV:PROCESSOR_ARCHITECTURE -if ($architecture -eq "AMD64") -{ +if ($architecture -eq "AMD64") { $architecture = "x64" } -else -{ +else { $architecture = "x86" } -if ($osminor -eq 1) -{ +if ($osminor -eq 1) { $DownloadUrl = "http://download.microsoft.com/download/E/7/6/E76850B8-DA6E-4FF5-8CCE-A24FC513FD16/Windows6.1-KB2506143-" + $architecture + ".msu" } -elseif ($osminor -eq 0) -{ +elseif ($osminor -eq 0) { $DownloadUrl = "http://download.microsoft.com/download/E/7/6/E76850B8-DA6E-4FF5-8CCE-A24FC513FD16/Windows6.0-KB2506146-" + $architecture + ".msu" } -else -{ +else { # Nothing to do; In theory this point will never be reached. Exit } |