diff --git a/communicator/winrm/communicator.go b/communicator/winrm/communicator.go index 90b9fe9155..18112851d5 100644 --- a/communicator/winrm/communicator.go +++ b/communicator/winrm/communicator.go @@ -62,6 +62,9 @@ func (c *Communicator) Connect(o terraform.UIOutput) error { params := winrm.DefaultParameters params.Timeout = formatDuration(c.Timeout()) + if c.connInfo.NTLM == true { + params.TransportDecorator = func() winrm.Transporter { return &winrm.ClientNTLM{} } + } client, err := winrm.NewClientWithParameters( c.endpoint, c.connInfo.User, c.connInfo.Password, params) @@ -78,6 +81,7 @@ func (c *Communicator) Connect(o terraform.UIOutput) error { " Password: %t\n"+ " HTTPS: %t\n"+ " Insecure: %t\n"+ + " NTLM: %t\n"+ " CACert: %t", c.connInfo.Host, c.connInfo.Port, @@ -85,6 +89,7 @@ func (c *Communicator) Connect(o terraform.UIOutput) error { c.connInfo.Password != "", c.connInfo.HTTPS, c.connInfo.Insecure, + c.connInfo.NTLM, c.connInfo.CACert != "", )) } @@ -213,6 +218,10 @@ func (c *Communicator) newCopyClient() (*winrmcp.Winrmcp, error) { MaxOperationsPerShell: 15, // lowest common denominator } + if c.connInfo.NTLM == true { + config.TransportDecorator = func() winrm.Transporter { return &winrm.ClientNTLM{} } + } + if c.connInfo.CACert != "" { config.CACertBytes = []byte(c.connInfo.CACert) } diff --git a/communicator/winrm/communicator_test.go b/communicator/winrm/communicator_test.go index d903fbc2e7..f6a0499329 100644 --- a/communicator/winrm/communicator_test.go +++ b/communicator/winrm/communicator_test.go @@ -155,6 +155,73 @@ func TestScriptPath(t *testing.T) { } } +func TestNoTransportDecorator(t *testing.T) { + wrm := newMockWinRMServer(t) + defer wrm.Close() + + r := &terraform.InstanceState{ + Ephemeral: terraform.EphemeralState{ + ConnInfo: map[string]string{ + "type": "winrm", + "user": "user", + "password": "pass", + "host": wrm.Host, + "port": strconv.Itoa(wrm.Port), + "timeout": "30s", + }, + }, + } + + c, err := New(r) + if err != nil { + t.Fatalf("error creating communicator: %s", err) + } + + err = c.Connect(nil) + if err != nil { + t.Fatalf("error connecting communicator: %s", err) + } + defer c.Disconnect() + + if c.client.TransportDecorator != nil { + t.Fatal("bad TransportDecorator: expected nil, got non-nil") + } +} + +func TestTransportDecorator(t *testing.T) { + wrm := newMockWinRMServer(t) + defer wrm.Close() + + r := &terraform.InstanceState{ + Ephemeral: terraform.EphemeralState{ + ConnInfo: map[string]string{ + "type": "winrm", + "user": "user", + "password": "pass", + "host": wrm.Host, + "port": strconv.Itoa(wrm.Port), + "use_ntlm": "true", + "timeout": "30s", + }, + }, + } + + c, err := New(r) + if err != nil { + t.Fatalf("error creating communicator: %s", err) + } + + err = c.Connect(nil) + if err != nil { + t.Fatalf("error connecting communicator: %s", err) + } + defer c.Disconnect() + + if c.client.TransportDecorator == nil { + t.Fatal("bad TransportDecorator: expected non-nil, got nil") + } +} + func TestScriptPath_randSeed(t *testing.T) { // Pre GH-4186 fix, this value was the deterministic start the pseudorandom // chain of unseeded math/rand values for Int31(). diff --git a/communicator/winrm/provisioner.go b/communicator/winrm/provisioner.go index 1482042456..94e0170e1d 100644 --- a/communicator/winrm/provisioner.go +++ b/communicator/winrm/provisioner.go @@ -37,6 +37,7 @@ type connectionInfo struct { Port int HTTPS bool Insecure bool + NTLM bool `mapstructure:"use_ntlm"` CACert string `mapstructure:"cacert"` Timeout string ScriptPath string `mapstructure:"script_path"` diff --git a/communicator/winrm/provisioner_test.go b/communicator/winrm/provisioner_test.go index b86576bf37..e2494657fd 100644 --- a/communicator/winrm/provisioner_test.go +++ b/communicator/winrm/provisioner_test.go @@ -16,6 +16,7 @@ func TestProvisioner_connInfo(t *testing.T) { "host": "127.0.0.1", "port": "5985", "https": "true", + "use_ntlm": "true", "timeout": "30s", }, }, @@ -41,6 +42,9 @@ func TestProvisioner_connInfo(t *testing.T) { if conf.HTTPS != true { t.Fatalf("expected: %v: got: %v", true, conf) } + if conf.NTLM != true { + t.Fatalf("expected: %v: got: %v", true, conf) + } if conf.Timeout != "30s" { t.Fatalf("expected: %v: got: %v", "30s", conf) } diff --git a/terraform/eval_validate.go b/terraform/eval_validate.go index 16bca3587c..3e5a84ce65 100644 --- a/terraform/eval_validate.go +++ b/terraform/eval_validate.go @@ -157,6 +157,7 @@ func (n *EvalValidateProvisioner) validateConnConfig(connConfig *ResourceConfig) // For type=winrm only (enforced in winrm communicator) HTTPS interface{} `mapstructure:"https"` Insecure interface{} `mapstructure:"insecure"` + NTLM interface{} `mapstructure:"use_ntlm"` CACert interface{} `mapstructure:"cacert"` } diff --git a/website/docs/provisioners/connection.html.markdown b/website/docs/provisioners/connection.html.markdown index 10954f4d1b..b86b2fea4f 100644 --- a/website/docs/provisioners/connection.html.markdown +++ b/website/docs/provisioners/connection.html.markdown @@ -92,6 +92,8 @@ provisioner "file" { * `insecure` - Set to `true` to not validate the HTTPS certificate chain. +* `use_ntlm` - Set to `true` to use NTLM authentication, rather than default (basic authentication), removing the requirement for basic authentication to be enabled within the target guest. Further reading for remote connection authentication can be found [here](https://msdn.microsoft.com/en-us/library/aa384295(v=vs.85).aspx). + * `cacert` - The CA certificate to validate against.