add kerberos delegation

rundeck-plugins · Sep 17, 2020 · 143958f · 143958f
1 parent 8fc3e7f
commit 143958f
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 6 deletions.
diff --git a/contents/winrm-check.py b/contents/winrm-check.py
@@ -117,6 +117,7 @@
 
 krb5config = None
 kinit = "kinit"
+krbdelegation = False
 
 if args.hostname:
     hostname = args.hostname
@@ -182,6 +183,11 @@
 if "RD_CONFIG_KINIT" in os.environ:
     kinit = os.getenv("RD_CONFIG_KINIT")
 
+if "RD_CONFIG_KRBDELEGATION" in os.environ:
+    if os.getenv("RD_CONFIG_KRBDELEGATION") == "true":
+        krbdelegation = True
+    else:
+        krbdelegation = False
 
 endpoint=transport+'://'+hostname+':'+port
 
@@ -194,7 +200,7 @@
 log.debug("diabletls12:" + str(diabletls12))
 log.debug("krb5config:" + krb5config)
 log.debug("kinit command:" + kinit)
-
+log.debug("kerberos delegation:" + str(krbdelegation))
 
 if(certpath):
     log.debug("certpath:" + certpath)
@@ -240,6 +246,7 @@
 if authentication == "kerberos":
     k5bConfig = kerberosauth.KerberosAuth(krb5config=krb5config, log=log, kinit_command=kinit,username=username, password=password)
     k5bConfig.get_ticket()
+    arguments["kerberos_delegation"] = krbdelegation
 
 session = winrm.Session(target=endpoint,
                          auth=(username, password),

diff --git a/contents/winrm-exec.py b/contents/winrm-exec.py
@@ -111,6 +111,7 @@ def filter(self, record):
 certpath = None
 krb5config = None
 kinit = None
+krbdelegation = False
 forceTicket = False
 readtimeout = None
 operationtimeout = None
@@ -190,6 +191,12 @@ def filter(self, record):
 if "RD_CONFIG_KINIT" in os.environ:
     kinit = os.getenv("RD_CONFIG_KINIT")
 
+if "RD_CONFIG_KRBDELEGATION" in os.environ:
+    if os.getenv("RD_CONFIG_KRBDELEGATION") == "true":
+        krbdelegation = True
+    else:
+        krbdelegation = False
+
 log.debug("------------------------------------------")
 log.debug("endpoint:" + endpoint)
 log.debug("authentication:" + authentication)
@@ -198,14 +205,11 @@ def filter(self, record):
 log.debug("diabletls12:" + str(diabletls12))
 log.debug("krb5config:" + krb5config)
 log.debug("kinit command:" + kinit)
+log.debug("kerberos delegation:" + str(krbdelegation))
 log.debug("shell:" + shell)
 log.debug("readtimeout:" + str(readtimeout))
 log.debug("operationtimeout:" + str(operationtimeout))
 log.debug("exit Behaviour:" + exitBehaviour)
-
-
-
-
 log.debug("------------------------------------------")
 
 if not URLLIB_INSTALLED:
@@ -253,6 +257,7 @@ def filter(self, record):
 if authentication == "kerberos":
     k5bConfig = kerberosauth.KerberosAuth(krb5config=krb5config, log=log, kinit_command=kinit,username=username, password=password)
     k5bConfig.get_ticket()
+    arguments["kerberos_delegation"] = krbdelegation
 
 session = winrm.Session(target=endpoint,
                         auth=(username, password),

diff --git a/contents/winrm-filecopier.py b/contents/winrm-filecopier.py
@@ -243,6 +243,7 @@ def winrm_upload(self,
 diabletls12 = False
 kinit = None
 krb5config = None
+krbdelegation = False
 forceTicket = False
 
 if "RD_CONFIG_AUTHTYPE" in os.environ:
@@ -298,6 +299,12 @@ def winrm_upload(self,
 if "RD_CONFIG_KINIT" in os.environ:
     kinit = os.getenv("RD_CONFIG_KINIT")
 
+if "RD_CONFIG_KRBDELEGATION" in os.environ:
+    if os.getenv("RD_CONFIG_KRBDELEGATION") == "true":
+        krbdelegation = True
+    else:
+        krbdelegation = False
+
 endpoint = transport+'://'+args.hostname+':'+port
 
 arguments = {}
@@ -340,7 +347,7 @@ def winrm_upload(self,
 if authentication == "kerberos":
     k5bConfig = kerberosauth.KerberosAuth(krb5config=krb5config, log=log, kinit_command=kinit,username=username, password=password)
     k5bConfig.get_ticket()
-
+    arguments["kerberos_delegation"] = krbdelegation
 
 session = winrm.Session(target=endpoint,
                         auth=(username, password),

diff --git a/plugin.yaml b/plugin.yaml
@@ -165,6 +165,14 @@ providers:
         required: false
         renderingOptions:
           groupName: Kerberos
+      - name: krbdelegation
+        title: Kerberos Delegations
+        description: "Kerberos Delegation: if True, TGT is sent to target server to allow multiple hops"
+        type: Boolean
+        default: "false"
+        required: false
+        renderingOptions:
+          groupName: Kerberos
   - name: WinRMcpPython
     title: WinRM Python File Copier
     description: Copying files to remote Windows computer
@@ -283,6 +291,14 @@ providers:
         required: false
         renderingOptions:
           groupName: Kerberos
+      - name: krbdelegation
+        title: Kerberos Delegations
+        description: "Kerberos Delegation: if True, TGT is sent to target server to allow multiple hops"
+        type: Boolean
+        default: "false"
+        required: false
+        renderingOptions:
+          groupName: Kerberos
   - name: WinRMCheck
     title: WinRM Check Step
     description: Check the connection with a remote node using winrm-python
@@ -377,4 +393,12 @@ providers:
         required: false
         renderingOptions:
           groupName: Kerberos
+      - name: krbdelegation
+        title: Kerberos Delegations
+        description: "Kerberos Delegation: if True, TGT is sent to target server to allow multiple hops"
+        type: Boolean
+        default: "false"
+        required: false
+        renderingOptions:
+          groupName: Kerberos